[LifetimeSafety] Implement support for lifetimebound attribute (#158489)

Add support for `lifetimebound` attributes in the lifetime safety
analysis to track loans from function parameters to return values.

Implemented support for `lifetimebound` attributes on function
parameters

This change replaces the single `AssignOriginFact` with two separate
operations: `OriginFlowFact` and `KillOriginFact`. The key difference is
in semantics:

* Old `AssignOriginFact`: Replaced the destination origin's loans
entirely with the source origin's loans.
* New `OriginFlowFact`: Can now optionally merge the source origin's
loans to the destination's existing loans.
* New `KillOriginFact`: Clears all loans from an origin.

For function calls with `lifetimebound` parameters, we kill the the
return value' origin first then use `OriginFlowFact` to accumulate loans
from multiple parameters into the return value's origin - enabling
tracking multiple lifetimebound arguments.

- Added a new `LifetimeAnnotations.h/cpp` to provide helper functions
for inspecting and inferring lifetime annotations
- Moved several functions from `CheckExprLifetime.cpp` to the new file
to make them reusable

The `lifetimebound` attribute is a key mechanism for expressing lifetime
dependencies between function parameters and return values. This change
enables the lifetime safety analysis to properly track these
dependencies, allowing it to detect more potential dangling reference
issues.

Author: usx95

clang/include/clang/Analysis/Analyses/LifetimeAnnotations.h

@@ -0,0 +1,44 @@
+//===- LifetimeAnnotations.h -  -*--------------- C++--------------------*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// Helper functions to inspect and infer lifetime annotations.
+//===----------------------------------------------------------------------===//
+#ifndef LLVM_CLANG_ANALYSIS_ANALYSES_LIFETIMEANNOTATIONS_H
+#define LLVM_CLANG_ANALYSIS_ANALYSES_LIFETIMEANNOTATIONS_H
+
+#include "clang/AST/DeclCXX.h"
+
+namespace clang {
+namespace lifetimes {
+
+/// Returns the most recent declaration of the method to ensure all
+/// lifetime-bound attributes from redeclarations are considered.
+const FunctionDecl *getDeclWithMergedLifetimeBoundAttrs(const FunctionDecl *FD);
+
+/// Returns the most recent declaration of the method to ensure all
+/// lifetime-bound attributes from redeclarations are considered.
+const CXXMethodDecl *
+getDeclWithMergedLifetimeBoundAttrs(const CXXMethodDecl *CMD);
+
+// Return true if this is an "normal" assignment operator.
+// We assume that a normal assignment operator always returns *this, that is,
+// an lvalue reference that is the same type as the implicit object parameter
+// (or the LHS for a non-member operator==).
+bool isNormalAssignmentOperator(const FunctionDecl *FD);
+
+/// Returns true if this is an assignment operator where the parameter
+/// has the lifetimebound attribute.
+bool isAssignmentOperatorLifetimeBound(const CXXMethodDecl *CMD);
+
+/// Returns true if the implicit object parameter (this) should be considered
+/// lifetimebound, either due to an explicit lifetimebound attribute on the
+/// method or because it's a normal assignment operator.
+bool implicitObjectParamIsLifetimeBound(const FunctionDecl *FD);
+} // namespace lifetimes
+} // namespace clang
+
+#endif // LLVM_CLANG_ANALYSIS_ANALYSES_LIFETIMEANNOTATIONS_H

clang/include/clang/Analysis/Analyses/LifetimeSafety.h

@@ -75,13 +75,14 @@ template <typename Tag> struct ID {
   }
 };
 
-template <typename Tag>
-inline llvm::raw_ostream &operator<<(llvm::raw_ostream &OS, ID<Tag> ID) {
-  return OS << ID.Value;
-}
-
 using LoanID = ID<struct LoanTag>;
 using OriginID = ID<struct OriginTag>;
+inline llvm::raw_ostream &operator<<(llvm::raw_ostream &OS, LoanID ID) {
+  return OS << ID.Value;
+}
+inline llvm::raw_ostream &operator<<(llvm::raw_ostream &OS, OriginID ID) {
+  return OS << ID.Value;
+}
 
 // Using LLVM's immutable collections is efficient for dataflow analysis
 // as it avoids deep copies during state transitions.

clang/lib/Analysis/CMakeLists.txt

@@ -21,6 +21,7 @@ add_clang_library(clangAnalysis
   FixitUtil.cpp
   IntervalPartition.cpp
   IssueHash.cpp
+  LifetimeAnnotations.cpp
   LifetimeSafety.cpp
   LiveVariables.cpp
   MacroExpansionContext.cpp

clang/lib/Analysis/LifetimeAnnotations.cpp

@@ -0,0 +1,75 @@
+//===- LifetimeAnnotations.cpp -  -*--------------- C++------------------*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+#include "clang/Analysis/Analyses/LifetimeAnnotations.h"
+#include "clang/AST/ASTContext.h"
+#include "clang/AST/Attr.h"
+#include "clang/AST/Decl.h"
+#include "clang/AST/DeclCXX.h"
+#include "clang/AST/Type.h"
+#include "clang/AST/TypeLoc.h"
+
+namespace clang {
+namespace lifetimes {
+
+const FunctionDecl *
+getDeclWithMergedLifetimeBoundAttrs(const FunctionDecl *FD) {
+  return FD != nullptr ? FD->getMostRecentDecl() : nullptr;
+}
+
+const CXXMethodDecl *
+getDeclWithMergedLifetimeBoundAttrs(const CXXMethodDecl *CMD) {
+  const FunctionDecl *FD = CMD;
+  return cast_if_present<CXXMethodDecl>(
+      getDeclWithMergedLifetimeBoundAttrs(FD));
+}
+
+bool isNormalAssignmentOperator(const FunctionDecl *FD) {
+  OverloadedOperatorKind OO = FD->getDeclName().getCXXOverloadedOperator();
+  bool IsAssignment = OO == OO_Equal || isCompoundAssignmentOperator(OO);
+  if (!IsAssignment)
+    return false;
+  QualType RetT = FD->getReturnType();
+  if (!RetT->isLValueReferenceType())
+    return false;
+  ASTContext &Ctx = FD->getASTContext();
+  QualType LHST;
+  auto *MD = dyn_cast<CXXMethodDecl>(FD);
+  if (MD && MD->isCXXInstanceMember())
+    LHST = Ctx.getLValueReferenceType(MD->getFunctionObjectParameterType());
+  else
+    LHST = FD->getParamDecl(0)->getType();
+  return Ctx.hasSameType(RetT, LHST);
+}
+
+bool isAssignmentOperatorLifetimeBound(const CXXMethodDecl *CMD) {
+  CMD = getDeclWithMergedLifetimeBoundAttrs(CMD);
+  return CMD && isNormalAssignmentOperator(CMD) && CMD->param_size() == 1 &&
+         CMD->getParamDecl(0)->hasAttr<clang::LifetimeBoundAttr>();
+}
+
+bool implicitObjectParamIsLifetimeBound(const FunctionDecl *FD) {
+  FD = getDeclWithMergedLifetimeBoundAttrs(FD);
+  const TypeSourceInfo *TSI = FD->getTypeSourceInfo();
+  if (!TSI)
+    return false;
+  // Don't declare this variable in the second operand of the for-statement;
+  // GCC miscompiles that by ending its lifetime before evaluating the
+  // third operand. See gcc.gnu.org/PR86769.
+  AttributedTypeLoc ATL;
+  for (TypeLoc TL = TSI->getTypeLoc();
+       (ATL = TL.getAsAdjusted<AttributedTypeLoc>());
+       TL = ATL.getModifiedLoc()) {
+    if (ATL.getAttrAs<clang::LifetimeBoundAttr>())
+      return true;
+  }
+
+  return isNormalAssignmentOperator(FD);
+}
+
+} // namespace lifetimes
+} // namespace clang