<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
<a href="https://github.com/llvm/llvm-project/issues/73830">73830</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            `MallocChecker::MallocMemAux()` uses `State::BindExpr` in a `PostCall` callback
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            new issue
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          DonatNagyE
      </td>
    </tr>
</table>

<pre>
    During the review of https://github.com/llvm/llvm-project/pull/72402 we discussed that `MallocChecker` is using `State::BindExpr` to assign `SVal`s to some call expressions within `checkPostCall` callbacks. This breaks the invariant that `BindExpr` should only be used within `evalCall` callbacks (where we won't assign contradicting values because it's guaranteed that only one evaluation will happen). I don't know about any concrete bugs that are caused by this invariant break, but it adds another complication to the already huge codebase of `MallocChecker`, so we should clean this up. 

I tried to create a quick fix commit, but it turns out that `BindExpr` is called in a helper function named `MallocMemAux` which is called from ~20 different locations, so instead of doing this immediately, I'm creating this ticket to track this issue. I may resolve this ticket if I have free time, but I don't have a concrete schedule for it and I'm not opposed to someone else doing it (in fact, I'd be grateful for it).

Also note that while the implementation of `MallocMemAux` claims that
```
// Bind the return value to the symbolic value from the heap region.
// TODO: We could rewrite post visit to eval call; 'malloc' does not have
// side effects other than what we model here.
```
it is not limited to plain 'malloc' or other library functions: if a function is annotated with a "returns ownership" annotation, then the `checkPostCall` callback may use `MallocMemAux` to `BindExpr` a return value to its call.

However, the consequences of this invariant-breaking binding are limited by the fact that `MallocChecker::checkPostCall` starts with the early return statement `if (C.wasInlined) return;` -- so at least it doesn't assign values to functions that were inlined.

</pre>
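The issue mentions that the "returns ownership" annotation routes a user-defined allocator through the same `MallocMemAux` path as `malloc`. The following is an added example (not code from the issue or from LLVM) showing what such annotated code looks like from the user's side, so that a reader can see which calls the checker ends up binding values for. The attribute names `ownership_returns` and `ownership_takes` are Clang's documented static-analyzer attributes; the allocator names `pool_alloc` and `pool_free` and the sample bytes are constructed for this example.

```c
#include <stdlib.h>
#include <string.h>
#include <assert.h>

/* Clang's MallocChecker recognises the ownership_returns / ownership_takes
 * attributes. Other compilers do not know them, so they are hidden behind
 * macros that expand to nothing outside Clang. */
#if defined(__clang__)
#define OWNS_RETURN(kind)     __attribute__((ownership_returns(kind)))
#define OWNS_TAKES(kind, idx) __attribute__((ownership_takes(kind, idx)))
#else
#define OWNS_RETURN(kind)
#define OWNS_TAKES(kind, idx)
#endif

/* Hypothetical project allocator. Because of the annotation the analyzer
 * models its result like malloc()'s: per the issue, checkPostCall hands the
 * call to MallocMemAux, which binds a fresh heap symbol to the call
 * expression. This is the non-library case the report points out. */
OWNS_RETURN(malloc)
void *pool_alloc(size_t n) {
    return malloc(n);
}

/* Annotated as taking ownership of argument 1 (indices are 1-based), so
 * the analyzer tracks the release and can flag double-free or
 * use-after-release on the symbol bound above. */
OWNS_TAKES(malloc, 1)
void pool_free(void *p) {
    free(p);
}

/* Copy the input into a buffer from the annotated allocator and sum its
 * bytes. Every path releases the buffer, so a clean analyzer run is the
 * expected result; dropping the pool_free() call would yield a leak report
 * on the symbol the checker bound to the pool_alloc() call. */
int sum_bytes(const unsigned char *src, size_t n) {
    unsigned char *buf = pool_alloc(n);
    if (buf == NULL)
        return -1;
    memcpy(buf, src, n);
    int total = 0;
    for (size_t i = 0; i < n; i++)
        total += buf[i];
    pool_free(buf);
    return total;
}

int main(void) {
    /* Constructed sample input: 1 + 2 + 3 + 250 = 256. */
    const unsigned char sample[] = {1, 2, 3, 250};
    assert(sum_bytes(sample, sizeof sample) == 256);
    return 0;
}
```

Running `clang --analyze` on this file exercises the path the issue describes: the annotated `pool_alloc` call, not just a literal `malloc`, is the expression that `MallocMemAux` binds a value to from within `checkPostCall`.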