llvm-project.git/clang/unittests, branch main Unnamed repository; edit this file 'description' to name the repository. [LifetimeSafety] Detect expiry of loans to trivially destructed types (#168855) 2025-11-21T13:21:21+00:00 Kashika Akhouri akhourik@google.com 2025-11-21T13:21:21+00:00 4fca7b05e397e381466d6943a56f8407349c7594 Handling Trivially Destructed Types This PR uses `AddLifetime` to handle expiry of loans to trivially destructed types. Example: ```cpp int * trivial_uar(){ int *ptr; int x = 1; ptr = &x; return ptr; } ``` The CFG created now has an Expire Fact for trivially destructed types: ``` Function: trivial_uar Block B2: End of Block Block B1: Issue (0 (Path: x), ToOrigin: 0 (Expr: DeclRefExpr)) OriginFlow (Dest: 1 (Expr: UnaryOperator), Src: 0 (Expr: DeclRefExpr)) Use (2 (Decl: ptr), Write) OriginFlow (Dest: 2 (Decl: ptr), Src: 1 (Expr: UnaryOperator)) Use (2 (Decl: ptr), Read) OriginFlow (Dest: 3 (Expr: ImplicitCastExpr), Src: 2 (Decl: ptr)) Expire (0 (Path: x)) OriginEscapes (3 (Expr: ImplicitCastExpr)) End of Block Block B0: End of Block ``` This Expire Fact issues UAR and UAF warnings. Fixes https://github.com/llvm/llvm-project/issues/162862 
Handling Trivially Destructed Types

This PR uses `AddLifetime` to handle expiry of loans to trivially
destructed types.

Example:
```cpp
int * trivial_uar(){
    int *ptr;
    int x = 1;
    ptr = &x;
    return ptr;
}
```

The CFG created now has an Expire Fact for trivially destructed types:
```
Function: trivial_uar
  Block B2:
  End of Block
  Block B1:
    Issue (0 (Path: x), ToOrigin: 0 (Expr: DeclRefExpr))
    OriginFlow (Dest: 1 (Expr: UnaryOperator), Src: 0 (Expr: DeclRefExpr))
    Use (2 (Decl: ptr), Write)
    OriginFlow (Dest: 2 (Decl: ptr), Src: 1 (Expr: UnaryOperator))
    Use (2 (Decl: ptr), Read)
    OriginFlow (Dest: 3 (Expr: ImplicitCastExpr), Src: 2 (Decl: ptr))
    Expire (0 (Path: x))
    OriginEscapes (3 (Expr: ImplicitCastExpr))
  End of Block
  Block B0:
  End of Block
```

This Expire Fact issues UAR and UAF warnings.

Fixes https://github.com/llvm/llvm-project/issues/162862
 [clang][TypePrinter] Replace AppendScope with printNestedNameSpecifier (#168534) 2025-11-21T10:31:35+00:00 Michael Buch michaelbuch12@gmail.com 2025-11-21T10:31:35+00:00 bb1b82af395fe4a717c9b10948312e260b5ca666 In debug-info we soon have the need to print names using the full scope of the entity (see discussion in https://github.com/llvm/llvm-project/pull/159592). Particularly, when a structure is scoped inside a function, we'd like to emit the name as `func()::foo`. `CGDebugInfo` uses the `TypePrinter` to print type names into debug-info. However, `TypePrinter` stops (and ignores) `DeclContext`s that are functions. I.e., it would just print `foo`. Ideally it would behave the same way `printNestedNameSpecifier` does. The FIXME in https://github.com/llvm/llvm-project/blob/47c1aa4cef638c97b74f3afb7bed60e92bba1f90/clang/lib/AST/TypePrinter.cpp#L1520-L1521 motivated this patch. See https://github.com/llvm/llvm-project/pull/168533 for how this will be used by `CGDebugInfo`. The plan is to introduce a new `PrintingPolicy` that prints anonymous entities using their full scope (including function/anonymous scopes) and the mangling number. 
In debug-info we soon have the need to print names using the full scope
of the entity (see discussion in
https://github.com/llvm/llvm-project/pull/159592). Particularly, when a
structure is scoped inside a function, we'd like to emit the name as
`func()::foo`. `CGDebugInfo` uses the `TypePrinter` to print type names
into debug-info. However, `TypePrinter` stops (and ignores)
`DeclContext`s that are functions. I.e., it would just print `foo`.
Ideally it would behave the same way `printNestedNameSpecifier` does.
The FIXME in
https://github.com/llvm/llvm-project/blob/47c1aa4cef638c97b74f3afb7bed60e92bba1f90/clang/lib/AST/TypePrinter.cpp#L1520-L1521
motivated this patch.

See https://github.com/llvm/llvm-project/pull/168533 for how this will
be used by `CGDebugInfo`. The plan is to introduce a new
`PrintingPolicy` that prints anonymous entities using their full scope
(including function/anonymous scopes) and the mangling number.
 [clang][deps] Enable calling `DepScanFile::getBuffer()` repeatedly (#168789) 2025-11-20T00:03:30+00:00 Jan Svoboda jan_svoboda@apple.com 2025-11-20T00:03:30+00:00 835951325ec7aaf3336b19b53c9978d986e260df This PR makes it possible to call `getBuffer()` on `DepScanFile` (a `llvm::vfs::File`) repeatedly. Previously, this function would return a moved-from `unique_ptr`. This doesn't fix any existing bugs, I discovered this while experimenting with the VFSs in the scanner. Note that the returned instances of `llvm::MemoryBuffer` are non-owning and share the underlying buffer storage. 
This PR makes it possible to call `getBuffer()` on `DepScanFile` (a
`llvm::vfs::File`) repeatedly. Previously, this function would return a
moved-from `unique_ptr`. This doesn't fix any existing bugs, I
discovered this while experimenting with the VFSs in the scanner. Note
that the returned instances of `llvm::MemoryBuffer` are non-owning and
share the underlying buffer storage.
 [LifetimeSafety] Detect use-after-return (#165370) 2025-11-19T12:08:02+00:00 Kashika Akhouri 77923634+kashika0112@users.noreply.github.com 2025-11-19T12:08:02+00:00 5343dd92303657dc15f4038a3843ddb778760242 Adding "use-after-return" in Lifetime Analysis. Detecting when a function returns a reference to its own stack memory: [UAR Design Doc](https://docs.google.com/document/d/1Wxjn_rJD_tuRdejP81dlb9VOckTkCq5-aE1nGcerb_o/edit?usp=sharing) Consider the following example: ```cpp std::string_view foo() { std::string_view a; std::string str = "small scoped string"; a = str; return a; } ``` The code adds a new Fact "OriginEscape" in the end of the CFG to determine any loan that is escaping the function as shown below: ``` Function: foo Block B2: End of Block Block B1: OriginFlow (Dest: 0 (Decl: a), Src: 1 (Expr: CXXConstructExpr)) OriginFlow (Dest: 2 (Expr: ImplicitCastExpr), Src: 3 (Expr: StringLiteral)) Issue (0 (Path: operator=), ToOrigin: 4 (Expr: DeclRefExpr)) OriginFlow (Dest: 5 (Expr: ImplicitCastExpr), Src: 4 (Expr: DeclRefExpr)) Use (0 (Decl: a), Write) Issue (1 (Path: str), ToOrigin: 6 (Expr: DeclRefExpr)) OriginFlow (Dest: 7 (Expr: ImplicitCastExpr), Src: 6 (Expr: DeclRefExpr)) OriginFlow (Dest: 8 (Expr: CXXMemberCallExpr), Src: 7 (Expr: ImplicitCastExpr)) OriginFlow (Dest: 9 (Expr: ImplicitCastExpr), Src: 8 (Expr: CXXMemberCallExpr)) OriginFlow (Dest: 10 (Expr: ImplicitCastExpr), Src: 9 (Expr: ImplicitCastExpr)) OriginFlow (Dest: 11 (Expr: MaterializeTemporaryExpr), Src: 10 (Expr: ImplicitCastExpr)) OriginFlow (Dest: 0 (Decl: a), Src: 11 (Expr: MaterializeTemporaryExpr)) Use (0 (Decl: a), Read) OriginFlow (Dest: 12 (Expr: ImplicitCastExpr), Src: 0 (Decl: a)) OriginFlow (Dest: 13 (Expr: CXXConstructExpr), Src: 12 (Expr: ImplicitCastExpr)) Expire (1 (Path: str)) OriginEscapes (13 (Expr: CXXConstructExpr)) End of Block Block B0: End of Block ``` The confidence of the report is determined by checking if at least one of the loans returned is not expired (strict). If all loans are expired it is considered permissive. More information [UAR Design Doc](https://docs.google.com/document/d/1Wxjn_rJD_tuRdejP81dlb9VOckTkCq5-aE1nGcerb_o/edit?usp=sharing) 
Adding "use-after-return" in Lifetime Analysis.

Detecting when a function returns a reference to its own stack memory:
[UAR Design
Doc](https://docs.google.com/document/d/1Wxjn_rJD_tuRdejP81dlb9VOckTkCq5-aE1nGcerb_o/edit?usp=sharing)

Consider the following example:

```cpp
std::string_view foo() {
    std::string_view a;
    std::string str = "small scoped string";
    a = str;
    return a;
}
```

The code adds a new Fact "OriginEscape" in the end of the CFG to
determine any loan that is escaping the function as shown below:

```
Function: foo
  Block B2:
  End of Block
  Block B1:
    OriginFlow (Dest: 0 (Decl: a), Src: 1 (Expr: CXXConstructExpr))
    OriginFlow (Dest: 2 (Expr: ImplicitCastExpr), Src: 3 (Expr: StringLiteral))
    Issue (0 (Path: operator=), ToOrigin: 4 (Expr: DeclRefExpr))
    OriginFlow (Dest: 5 (Expr: ImplicitCastExpr), Src: 4 (Expr: DeclRefExpr))
    Use (0 (Decl: a), Write)
    Issue (1 (Path: str), ToOrigin: 6 (Expr: DeclRefExpr))
    OriginFlow (Dest: 7 (Expr: ImplicitCastExpr), Src: 6 (Expr: DeclRefExpr))
    OriginFlow (Dest: 8 (Expr: CXXMemberCallExpr), Src: 7 (Expr: ImplicitCastExpr))
    OriginFlow (Dest: 9 (Expr: ImplicitCastExpr), Src: 8 (Expr: CXXMemberCallExpr))
    OriginFlow (Dest: 10 (Expr: ImplicitCastExpr), Src: 9 (Expr: ImplicitCastExpr))
    OriginFlow (Dest: 11 (Expr: MaterializeTemporaryExpr), Src: 10 (Expr: ImplicitCastExpr))
    OriginFlow (Dest: 0 (Decl: a), Src: 11 (Expr: MaterializeTemporaryExpr))
    Use (0 (Decl: a), Read)
    OriginFlow (Dest: 12 (Expr: ImplicitCastExpr), Src: 0 (Decl: a))
    OriginFlow (Dest: 13 (Expr: CXXConstructExpr), Src: 12 (Expr: ImplicitCastExpr))
    Expire (1 (Path: str))
    OriginEscapes (13 (Expr: CXXConstructExpr))
  End of Block
  Block B0:
  End of Block
```

The confidence of the report is determined by checking if at least one
of the loans returned is not expired (strict). If all loans are expired
it is considered permissive.

More information [UAR Design
Doc](https://docs.google.com/document/d/1Wxjn_rJD_tuRdejP81dlb9VOckTkCq5-aE1nGcerb_o/edit?usp=sharing)
 [clang] Switch warning suppression multi-match rule to "last match takes precedence" 2025-11-14T22:00:38+00:00 Vitaly Buka vitalybuka@google.com 2025-10-06T23:01:34+00:00 ab08fbd92cb7557c198be1f9de0b59b23f8e92e1 The current "longest match takes precedence" rule for warning suppression mappings can be confusing, especially in long suppression files where tracking the length relationship between globs is difficult. For example, with the following rules, it's not immediately obvious why the first one should currently take precedence: ``` src:*test/* src:*lld/*=emit ``` This commit changes the multi-match behavior so the last match takes precedence. This rule is easier to understand and consistent with the approach used by sanitizers, simplifying the mechanism by providing a uniform experience across different tools. This is potentially breaking, but very unlikely. An investigation of known uses showed they do not rely on the length. Reviewers: thurstond, kadircet, fmayer Pull Request: https://github.com/llvm/llvm-project/pull/162237 
The current "longest match takes precedence" rule
for warning suppression mappings can be confusing,
especially in long suppression files where
tracking the length relationship between globs is
difficult.

For example, with the following rules, it's not
immediately obvious why the first one should
currently take precedence:

```
src:*test/*
src:*lld/*=emit
```

This commit changes the multi-match behavior so
the last match takes precedence. This rule is
easier to understand and consistent with the
approach used by sanitizers, simplifying the
mechanism by providing a uniform experience across
different tools.

This is potentially breaking, but very unlikely.
An investigation of known uses showed they do not
rely on the length.

Reviewers: thurstond, kadircet, fmayer

Pull Request: https://github.com/llvm/llvm-project/pull/162237
[clang-format] Recognize Verilog DPI export and import (#165595) 2025-11-13T23:52:35+00:00 sstwcw su3e8a96kzlver@posteo.net 2025-11-13T23:52:35+00:00 d719876c2059d821497fae70f4c6dc9dd9eaccd2 The directives should not change the indentation level. Previously the program erroneously added an indentation level when it saw the `function` keyword. 
The directives should not change the indentation level. Previously the
program erroneously added an indentation level when it saw the
`function` keyword.
[clang-format] Align trailing comments for function parameters (#164458) 2025-11-13T23:30:28+00:00 sstwcw su3e8a96kzlver@posteo.net 2025-11-13T23:30:28+00:00 3a2de951a40877e3d17aa87abb35565da1040612 before ```C++ void foo(int name, // name float name, // name int name) // name {} ``` after ```C++ void foo(int name, // name float name, // name int name) // name {} ``` Fixes #85123. As the bug report explained, the procedure for aligning the function parameters previously failed to update `StartOfTokenColumn`. 
before

```C++
void foo(int   name, // name
         float name, // name
         int   name)   // name
{}
```

after

```C++
void foo(int   name, // name
         float name, // name
         int   name) // name
{}
```

Fixes #85123.

As the bug report explained, the procedure for aligning the function
parameters previously failed to update `StartOfTokenColumn`.
[clang-format] Don't swap `(const override)` with QAS_Right (#167191) 2025-11-13T04:55:34+00:00 owenca owenpiano@gmail.com 2025-11-13T04:55:34+00:00 dfe9838f9c790aa632bed0a1b67976c2a7e95f76 Fixes #154846 
Fixes #154846
 [LifetimeSafety] Ignore parentheses when tracking expressions (#167245) 2025-11-12T23:13:57+00:00 Utkarsh Saxena usx@google.com 2025-11-12T23:13:57+00:00 342bf5736457109031671b833eed6baf42d57746 Add support for handling parenthesized expressions in lifetime safety analysis. Modified the `OriginManager::get` method to ignore parentheses when retrieving origins by recursively calling itself on the unparenthesized expression. This ensures that expressions with extra parentheses are properly analyzed for lifetime safety issues. 
Add support for handling parenthesized expressions in lifetime safety
analysis.

Modified the `OriginManager::get` method to ignore parentheses when
retrieving origins by recursively calling itself on the unparenthesized
expression. This ensures that expressions with extra parentheses are
properly analyzed for lifetime safety issues.
 [LifetimeSafety] Add support for conditional operators (#167240) 2025-11-12T15:58:16+00:00 Utkarsh Saxena usx@google.com 2025-11-12T15:58:16+00:00 7647fc8bde18d43d5e540d767ab876cf4eb24e79 Added support for conditional operators in the lifetime safety analysis. Added a `VisitConditionalOperator` method to the `FactsGenerator` class to handle the ternary operator (`?:`) in lifetime safety analysis. Fixes https://github.com/llvm/llvm-project/issues/157108 
Added support for conditional operators in the lifetime safety analysis.

Added a `VisitConditionalOperator` method to the `FactsGenerator` class
to handle the ternary operator (`?:`) in lifetime safety analysis.

Fixes https://github.com/llvm/llvm-project/issues/157108