Skip to content

[clang][analyzer] Extend lifetime of dynamic extent information #163562

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Nov 17, 2025
Merged

[clang][analyzer] Extend lifetime of dynamic extent information #163562

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
8c8277f
[clang][analyzer] Extend lifetime of dynamic extent information
balazske Oct 10, 2025
b7d9cc0
make symbol live only if region is live
balazske Oct 20, 2025
0318773
updated test comment
balazske Oct 31, 2025
946fe1a
cleanup of test
balazske Nov 10, 2025
9b2d370
Merge branch 'main' into dynamicextent_keep_live
balazske Nov 17, 2025
d384997
remove unnecessary comment
balazske Nov 17, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions clang/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,8 @@ SVal getDynamicExtentWithOffset(ProgramStateRef State, SVal BufV);
DefinedOrUnknownSVal getDynamicElementCountWithOffset(ProgramStateRef State,
SVal BufV, QualType Ty);

void markAllDynamicExtentLive(ProgramStateRef State, SymbolReaper &SymReaper);

} // namespace ento
} // namespace clang

Expand Down
6 changes: 6 additions & 0 deletions clang/lib/StaticAnalyzer/Core/DynamicExtent.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -128,5 +128,11 @@ ProgramStateRef setDynamicExtent(ProgramStateRef State, const MemRegion *MR,
return State->set<DynamicExtentMap>(MR->StripCasts(), Size);
}

void markAllDynamicExtentLive(ProgramStateRef State, SymbolReaper &SymReaper) {
Copy link
Contributor

@NagyDonat NagyDonat Oct 21, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps rename this to transferLivenessToDynamicExtent or something similar now that we no longer mark all the dynamic extent values as live?

for (const auto &I : State->get<DynamicExtentMap>())
if (SymbolRef Sym = I.second.getAsSymbol())
SymReaper.markLive(Sym);
}

} // namespace ento
} // namespace clang
2 changes: 2 additions & 0 deletions clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1064,6 +1064,8 @@ void ExprEngine::removeDead(ExplodedNode *Pred, ExplodedNodeSet &Out,
SymReaper.markLive(MR);
}

markAllDynamicExtentLive(CleanedState, SymReaper);

getCheckerManager().runCheckersForLiveSymbols(CleanedState, SymReaper);

// Create a state in which dead bindings are removed from the environment
Expand Down
18 changes: 0 additions & 18 deletions clang/test/Analysis/ArrayBound/verbose-tests.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -381,30 +381,12 @@ int *symbolicExtent(int arg) {
return 0;
int *mem = (int*)malloc(arg);

// TODO: without the following reference to 'arg', the analyzer would discard
// the range information about (the symbolic value of) 'arg'. This is
// incorrect because while the variable itself is inaccessible, it becomes
// the symbolic extent of 'mem', so we still want to reason about its
// potential values.
(void)arg;
Comment on lines -384 to -389
Copy link
Contributor

@steakhal steakhal Oct 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are there other similar void casts remaining int the test set that could be cleaned up?

Copy link
Collaborator Author

@balazske balazske Oct 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did not find more in the "ArrayBound" tests. Other tests may contain similar casts but this is more difficult to find.

Copy link
Contributor

@steakhal steakhal Nov 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. This is why I was curious to see how many of the casts in other test could be dropped after this change. This is not too simple, but with search and replacing with some regex might make it doable if you apply the replacement per file and add the change to the staging area if all the clang tests still pass. (And log what files didn't work out of the box so you could check them manually)
I'm pretty sure Cursor or even some simplified Bash script could automate this for you.

Copy link
Contributor

@steakhal steakhal Nov 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This could be done of course separately from this patch.

Copy link
Collaborator Author

@balazske balazske Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I checked the Analysis tests but did not find similar casts (for purpose of keeping constraints of dynamic extent), just one place (that is changed in the last commit).


mem[8] = -2;
// expected-warning@-1 {{Out of bound access to memory after the end of the heap area}}
// expected-note@-2 {{Access of 'int' element in the heap area at index 8}}
return mem;
}

int *symbolicExtentDiscardedRangeInfo(int arg) {
// This is a copy of the case 'symbolicExtent' without the '(void)arg' hack.
// TODO: if the analyzer can detect the out-of-bounds access within this
// testcase, then remove this and the `(void)arg` hack from `symbolicExtent`.
if (arg >= 5)
return 0;
int *mem = (int*)malloc(arg);
mem[8] = -2;
return mem;
}

void symbolicIndex(int arg) {
// expected-note@+2 {{Assuming 'arg' is >= 12}}
// expected-note@+1 {{Taking true branch}}
Expand Down