[clang] [LifetimeSafety] Model GNU statement expressions (PR #204841)

Fri, 19 Jun 2026 07:42:49 -0700 

llvmorg-github-actions[bot] wrote:


<!--LLVM PR SUMMARY COMMENT-->

@llvm/pr-subscribers-clang

Author: Gábor Horváth (Xazax-hun)

<details>
<summary>Changes</summary>

A statement expression `({ ...; e; })` carried none of its final expression's 
loans, so a borrow used through it was silently dropped. Forward the statement 
expression's origins to `e` (sharing, so the loan `e` produces sits in this 
origin before the body's locals expire), and mark the value used in a new 
VisitStmtExpr. That use lands at the statement expression's program point, 
which the CFG places after the body's locals expire, keeping the borrow live 
across those expiries: a borrow of a body-local is reported as use-after-scope, 
and a borrow forwarded from an outer object propagates to its consumer.

Assisted-by: Claude Opus 4.8

---
Full diff: https://github.com/llvm/llvm-project/pull/204841.diff


4 Files Affected:

- (modified) 
clang/include/clang/Analysis/Analyses/LifetimeSafety/FactsGenerator.h (+1) 
- (modified) clang/lib/Analysis/LifetimeSafety/FactsGenerator.cpp (+9) 
- (modified) clang/lib/Analysis/LifetimeSafety/Origins.cpp (+11) 
- (added) clang/test/Sema/LifetimeSafety/statement-expression.cpp (+55) 


``````````diff
diff --git 
a/clang/include/clang/Analysis/Analyses/LifetimeSafety/FactsGenerator.h 
b/clang/include/clang/Analysis/Analyses/LifetimeSafety/FactsGenerator.h
index 5ac67263681ac..8dc5213dd8de2 100644
--- a/clang/include/clang/Analysis/Analyses/LifetimeSafety/FactsGenerator.h
+++ b/clang/include/clang/Analysis/Analyses/LifetimeSafety/FactsGenerator.h
@@ -57,6 +57,7 @@ class FactsGenerator : public 
ConstStmtVisitor<FactsGenerator> {
   void VisitArraySubscriptExpr(const ArraySubscriptExpr *ASE);
   void VisitCXXNewExpr(const CXXNewExpr *NE);
   void VisitCXXDeleteExpr(const CXXDeleteExpr *DE);
+  void VisitStmtExpr(const StmtExpr *SE);
 
 private:
   OriginList *getOriginsList(const ValueDecl &D);
diff --git a/clang/lib/Analysis/LifetimeSafety/FactsGenerator.cpp 
b/clang/lib/Analysis/LifetimeSafety/FactsGenerator.cpp
index 3861117005752..e054c38971c7f 100644
--- a/clang/lib/Analysis/LifetimeSafety/FactsGenerator.cpp
+++ b/clang/lib/Analysis/LifetimeSafety/FactsGenerator.cpp
@@ -780,6 +780,15 @@ void FactsGenerator::VisitCXXDeleteExpr(const 
CXXDeleteExpr *DE) {
       FactMgr.createFact<InvalidateOriginFact>(List->getOuterOriginID(), DE));
 }
 
+void FactsGenerator::VisitStmtExpr(const StmtExpr *SE) {
+  // Mark the value used here (its origins are shared with the final 
expression;
+  // see getOrCreateList). The CFG runs this point after the body's locals
+  // expire, so the use keeps that origin live across a body-local's expiry --
+  // the only way to catch such a borrow, since liveness comes only from a
+  // direct use, never backward through the flow that later delivers the value.
+  handleUse(SE);
+}
+
 bool FactsGenerator::escapesViaReturn(OriginID OID) const {
   return llvm::any_of(EscapesInCurrentBlock, [OID](const Fact *F) {
     if (const auto *EF = F->getAs<ReturnEscapeFact>())
diff --git a/clang/lib/Analysis/LifetimeSafety/Origins.cpp 
b/clang/lib/Analysis/LifetimeSafety/Origins.cpp
index c837f246fa17b..f8cb4c60f6773 100644
--- a/clang/lib/Analysis/LifetimeSafety/Origins.cpp
+++ b/clang/lib/Analysis/LifetimeSafety/Origins.cpp
@@ -243,6 +243,17 @@ OriginList *OriginManager::getOrCreateList(const Expr *E) {
   if (It != ExprToList.end())
     return It->second;
 
+  // A statement expression (`({ ...; e; })`) yields `e`'s value: share `e`'s
+  // origins rather than flowing into a fresh one. The flow would run at the
+  // statement expression's program point, which the CFG places after the 
body's
+  // locals expire; sharing instead keeps the loan `e` produced in this origin
+  // from before those expiries. VisitStmtExpr adds the matching use.
+  if (const auto *SE = dyn_cast<StmtExpr>(E))
+    if (const CompoundStmt *CS = SE->getSubStmt(); CS && !CS->body_empty())
+      if (const auto *Last = dyn_cast<Expr>(CS->body_back()))
+        if (OriginList *List = getOrCreateList(Last))
+          return ExprToList[E] = List;
+
   QualType Type = E->getType();
   // Special handling for 'this' expressions to share origins with the method's
   // implicit object parameter.
diff --git a/clang/test/Sema/LifetimeSafety/statement-expression.cpp 
b/clang/test/Sema/LifetimeSafety/statement-expression.cpp
new file mode 100644
index 0000000000000..85792e51cb113
--- /dev/null
+++ b/clang/test/Sema/LifetimeSafety/statement-expression.cpp
@@ -0,0 +1,55 @@
+// RUN: %clang_cc1 -fsyntax-only -Wlifetime-safety 
-Wno-gnu-statement-expression -verify %s
+
+// A GNU statement expression (`({ ...; e; })`) yields the value of its final
+// expression `e`. Its origins forward to `e`, and the value is used at the
+// statement expression's program point (after the body's locals expire), so a
+// borrow `e` carries is tracked: a borrow of a body-local is a 
use-after-scope,
+// and a borrow forwarded from an outer object propagates.
+
+void use(int *p);
+
+// A borrow of a statement-expression-local escaping via the value.
+void borrow_of_local() {
+  int *p = ({ int x = 7; &x; }); // expected-warning {{local variable 'x' does 
not live long enough}} expected-note {{destroyed here}} expected-note {{later 
used here}}
+  use(p);
+}
+
+// Forwarding an outer borrow that dangles.
+void forward_outer_borrow() {
+  int *p;
+  {
+    int local = 0;
+    p = ({ (void)0; &local; }); // expected-warning {{local variable 'local' 
does not live long enough}}
+  } // expected-note {{destroyed here}}
+  use(p); // expected-note {{later used here}}
+}
+
+// The statement-expression result carries the borrow, so a `?:` sibling
+// supplying a valid loan no longer hides it via the merge.
+void masked(bool c) {
+  static int valid;
+  int *keep = &valid;
+  int *r;
+  {
+    int local = 0;
+    r = c ? keep : ({ &local; }); // expected-warning {{local variable 'local' 
does not live long enough}}
+  } // expected-note {{destroyed here}}
+  use(r); // expected-note {{later used here}}
+}
+
+// Negative: a statement expression yielding a long-lived borrow stays silent.
+void ok() {
+  static int s;
+  int *p = ({ int unused = 0; (void)unused; &s; });
+  use(p); // no-warning
+}
+
+// FIXME: A discarded statement expression over-reports. The value is marked
+// used at the statement expression's program point regardless of whether it is
+// consumed, so a borrow of a body-local is flagged even though the address is
+// discarded and never read. Gating the injected use on the result being
+// consumed would fix this.
+void discarded_body_local() {
+  (void)({ int x = 7; &x; }); // expected-warning {{local variable 'x' does 
not live long enough}} expected-note {{destroyed here}} expected-note {{later 
used here}}
+}
+

``````````

</details>


https://github.com/llvm/llvm-project/pull/204841
_______________________________________________
cfe-commits mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

Reply via email to