[clang][analyzer] Extend lifetime of dynamic extent information (#163562)

Symbols used for dynamic extent information of memory regions are now
kept as live as long as the memory region exists.

Author: balazske

clang/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h

@@ -58,6 +58,8 @@ SVal getDynamicExtentWithOffset(ProgramStateRef State, SVal BufV);
 DefinedOrUnknownSVal getDynamicElementCountWithOffset(ProgramStateRef State,
                                                       SVal BufV, QualType Ty);
 
+void markAllDynamicExtentLive(ProgramStateRef State, SymbolReaper &SymReaper);
+
 } // namespace ento
 } // namespace clang
 

clang/lib/StaticAnalyzer/Core/DynamicExtent.cpp

@@ -128,5 +128,12 @@ ProgramStateRef setDynamicExtent(ProgramStateRef State, const MemRegion *MR,
   return State->set<DynamicExtentMap>(MR->StripCasts(), Size);
 }
 
+void markAllDynamicExtentLive(ProgramStateRef State, SymbolReaper &SymReaper) {
+  for (const auto &I : State->get<DynamicExtentMap>())
+    if (SymbolRef Sym = I.second.getAsSymbol())
+      if (SymReaper.isLiveRegion(I.first))
+        SymReaper.markLive(Sym);
+}
+
 } // namespace ento
 } // namespace clang

clang/lib/StaticAnalyzer/Core/ExprEngine.cpp

@@ -1079,6 +1079,11 @@ void ExprEngine::removeDead(ExplodedNode *Pred, ExplodedNodeSet &Out,
   getCheckerManager().runCheckersForDeadSymbols(CheckedSet, Pred, SymReaper,
                                                 DiagnosticStmt, *this, K);
 
+  // Extend lifetime of symbols used for dynamic extent while the parent region
+  // is live. In this way size information about memory allocations is not lost
+  // if the region remains live.
+  markAllDynamicExtentLive(CleanedState, SymReaper);
+
   // For each node in CheckedSet, generate CleanedNodes that have the
   // environment, the store, and the constraints cleaned up but have the
   // user-supplied states as the predecessors.

clang/test/Analysis/ArrayBound/verbose-tests.c

@@ -381,30 +381,12 @@ int *symbolicExtent(int arg) {
     return 0;
   int *mem = (int*)malloc(arg);
 
-  // TODO: without the following reference to 'arg', the analyzer would discard
-  // the range information about (the symbolic value of) 'arg'. This is
-  // incorrect because while the variable itself is inaccessible, it becomes
-  // the symbolic extent of 'mem', so we still want to reason about its
-  // potential values.
-  (void)arg;
-
   mem[8] = -2;
   // expected-warning@-1 {{Out of bound access to memory after the end of the heap area}}
   // expected-note@-2 {{Access of 'int' element in the heap area at index 8}}
   return mem;
 }
 
-int *symbolicExtentDiscardedRangeInfo(int arg) {
-  // This is a copy of the case 'symbolicExtent' without the '(void)arg' hack.
-  // TODO: if the analyzer can detect the out-of-bounds access within this
-  // testcase, then remove this and the `(void)arg` hack from `symbolicExtent`.
-  if (arg >= 5)
-    return 0;
-  int *mem = (int*)malloc(arg);
-  mem[8] = -2;
-  return mem;
-}
-
 void symbolicIndex(int arg) {
   // expected-note@+2 {{Assuming 'arg' is >= 12}}
   // expected-note@+1 {{Taking true branch}}
@@ -426,9 +408,5 @@ int *nothingIsCertain(int x, int y) {
   //   {{Access of 'int' element in the heap area at an overflowing index}}
   // but apparently the analyzer isn't smart enough to deduce this.
 
-  // Keep constraints alive. (Without this, the overeager garbage collection of
-  // constraints would _also_ prevent the intended behavior in this testcase.)
-  (void)x;
-
   return mem;
 }