Skip to content

[analyzer] Support pack indexing expressions #173186

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
lbonn wants to merge 1 commit into
base: main
Choose a base branch
from
+60 −1
Open

[analyzer] Support pack indexing expressions #173186

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -506,6 +506,10 @@ class ExprEngine {
void VisitDeclStmt(const DeclStmt *DS, ExplodedNode *Pred,
ExplodedNodeSet &Dst);

/// VisitPackIndexingExpr - Transfer function logic for C++26 pack indexing
void VisitPackIndexingExpr(const PackIndexingExpr *E, ExplodedNode *Pred,
ExplodedNodeSet &Dst);

/// VisitGuardedExpr - Transfer function logic for ?, __builtin_choose
void VisitGuardedExpr(const Expr *Ex, const Expr *L, const Expr *R,
ExplodedNode *Pred, ExplodedNodeSet &Dst);
Expand Down
32 changes: 31 additions & 1 deletion clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1740,7 +1740,6 @@ void ExprEngine::Visit(const Stmt *S, ExplodedNode *Pred,
case Stmt::RecoveryExprClass:
case Stmt::CXXNoexceptExprClass:
case Stmt::PackExpansionExprClass:
case Stmt::PackIndexingExprClass:
case Stmt::SubstNonTypeTemplateParmPackExprClass:
case Stmt::FunctionParmPackExprClass:
case Stmt::CoroutineBodyStmtClass:
Expand Down Expand Up @@ -2292,6 +2291,13 @@ void ExprEngine::Visit(const Stmt *S, ExplodedNode *Pred,
Bldr.addNodes(Dst);
break;

case Stmt::PackIndexingExprClass: {
Bldr.takeNodes(Pred);
VisitPackIndexingExpr(cast<PackIndexingExpr>(S), Pred, Dst);
Bldr.addNodes(Dst);
break;
}

case Stmt::ImplicitCastExprClass:
case Stmt::CStyleCastExprClass:
case Stmt::CXXStaticCastExprClass:
Expand Down Expand Up @@ -3296,6 +3302,14 @@ void ExprEngine::VisitCommonDeclRefExpr(const Expr *Ex, const NamedDecl *D,

SVal V = UnknownVal();

// For pack indexing expressions. Binding is not available here but through
// the expanded expressions in the PackIndexingExpr node.
if (BD->isParameterPack()) {
Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V), nullptr,
Copy link
Member

@isuckatcs isuckatcs Dec 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should probably add a FIXME here instead of just binding UnknownVal to the bind expression. This should eventually be handled.

In this case the binding is a sub-region of the pack (e.g.: only the first/last N elements), right? Can't we model this somehow?

ProgramPoint::PostLValueKind);
return;
}

// Handle binding to data members
if (const auto *ME = dyn_cast<MemberExpr>(BD->getBinding())) {
const auto *Field = cast<FieldDecl>(ME->getMemberDecl());
Expand Down Expand Up @@ -3447,6 +3461,22 @@ void ExprEngine::VisitArrayInitLoopExpr(const ArrayInitLoopExpr *Ex,
getCheckerManager().runCheckersForPostStmt(Dst, EvalSet, Ex, *this);
}

void ExprEngine::VisitPackIndexingExpr(const PackIndexingExpr *E,
ExplodedNode *Pred,
ExplodedNodeSet &Dst) {
if (!E->isFullySubstituted()) {
llvm_unreachable("Unsubstituted pack indexing expression");
}
Comment on lines +3467 to +3469
Copy link
Member

@isuckatcs isuckatcs Dec 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if (!E->isFullySubstituted()) {
llvm_unreachable("Unsubstituted pack indexing expression");
}
assert(E->isFullySubstituted() && "unsubstituted pack indexing expression");

WDYT?


if (const auto *DRE = dyn_cast<DeclRefExpr>(E->getSelectedExpr())) {
VisitCommonDeclRefExpr(E, DRE->getDecl(), Pred, Dst);
return;
}

StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx);
Bldr.generateSink(E, Pred, Pred->getState());
Copy link
Member

@isuckatcs isuckatcs Dec 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A sink node usually indicates an error. How about we add a SimpleProgramPointTag to the sink node that explains what the error was?

Also is it guaranteed that the selected expression is a DeclRefExpr? If it is, this sink should probably be an assertion, if it isn't we should indicate in a FIXME that other cases need to be handled as well.

}

/// VisitArraySubscriptExpr - Transfer function for array accesses
void ExprEngine::VisitArraySubscriptExpr(const ArraySubscriptExpr *A,
ExplodedNode *Pred,
Expand Down
25 changes: 25 additions & 0 deletions clang/test/Analysis/pack_indexing.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
// RUN: %clang_analyze_cc1 -analyzer-checker=core -std=c++26 -verify %s

void clang_analyzer_eval(bool);

template <class T>
constexpr decltype(auto) get0(const T& val) noexcept {
auto& [...members] = val;
auto&& r = members...[0]; // no-crash
return r;
}

struct A {
int a;
};

void no_crash_negative() {
const int& x = get0(A{1});
clang_analyzer_eval(x == 1);
}

void uninitialized() {
A a;
const int& x = get0(a);
clang_analyzer_eval(x == 0); // expected-warning{{The left operand of '==' is a garbage value}}
}