[clang] 277bd13 - [analyzer] Fix logic in CallEvent::getReturnValueUnderConstruction (#187020)
via cfe-commits
cfe-commits at lists.llvm.org
Fri Mar 20 03:48:01 PDT 2026
Author: Donát Nagy
Date: 2026-03-20T11:47:56+01:00
New Revision: 277bd13cc6fc9e6ffea59b1d4ea2c25ca64d7944
URL: https://github.com/llvm/llvm-project/commit/277bd13cc6fc9e6ffea59b1d4ea2c25ca64d7944
DIFF: https://github.com/llvm/llvm-project/commit/277bd13cc6fc9e6ffea59b1d4ea2c25ca64d7944.diff
LOG: [analyzer] Fix logic in CallEvent::getReturnValueUnderConstruction (#187020)
The `CallEvent` has data members that store the `LocationContext` and
the `CFGElementRef` (i.e. `CFGBlock` + index of statement within that
block); but the method `getReturnValueUnderConstruction` ignored these
and used the currently analyzed `LocationContext` and `CFGBlock` instead
of them.
This was logically incorrect and would have caused problems if the
`CallEvent` was used later when the "currently analyzed" things are
different. However, the lit tests do pass even if I assert that the
currently analyzed `LocationContext` and `CFGBlock` are the same as the
ones saved in the `CallEvent`, so I'm pretty sure that there was no
actual problem caused by this bad logic and this commit won't cause
functional changes.
I also evaluated this change on a set of open source projects (postgres,
tinyxml2, libwebm, xerces, bitcoin, protobuf, qtbase, contour, openrct2)
and validated that it doesn't change the results of the analysis.
Added:
Modified:
clang/lib/StaticAnalyzer/Core/CallEvent.cpp
Removed:
################################################################################
diff --git a/clang/lib/StaticAnalyzer/Core/CallEvent.cpp b/clang/lib/StaticAnalyzer/Core/CallEvent.cpp
index 86ffd92cdf6f5..cd52083a278ae 100644
--- a/clang/lib/StaticAnalyzer/Core/CallEvent.cpp
+++ b/clang/lib/StaticAnalyzer/Core/CallEvent.cpp
@@ -562,13 +562,11 @@ std::optional<SVal> CallEvent::getReturnValueUnderConstruction() const {
EvalCallOptions CallOpts;
ExprEngine &Engine = getState()->getStateManager().getOwningEngine();
- // FIXME: This code assumes that the _current_ location context and block is
- // the location and block where this `CallExpr` is called. For a more stable
- // solution `Engine.getNumVisitedCurrent()` should be replaced with a call to
- // `Engine.getNumVisited(<CallerLCtx>, <CallerBlock>)`.
+ unsigned NumVisitedCall = Engine.getNumVisited(
+ getLocationContext(), getCFGElementRef().getParent());
SVal RetVal = Engine.computeObjectUnderConstruction(
- getOriginExpr(), getState(), Engine.getNumVisitedCurrent(),
- getLocationContext(), CC, CallOpts);
+ getOriginExpr(), getState(), NumVisitedCall, getLocationContext(), CC,
+ CallOpts);
return RetVal;
}
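Review bot: the removed FIXME was the only place that recorded why the visit count must be taken from the call's own `LocationContext` and `CFGBlock` rather than from `getNumVisitedCurrent()`; with it gone, the new `NumVisitedCall` computation carries no rationale, so a reader of `getReturnValueUnderConstruction` can no longer tell that the `CallEvent` may be consulted after the engine has moved to a different location. Suggest keeping a one-line comment above the `Engine.getNumVisited(` call, e.g. "Use the location context and block stored in this CallEvent, not the currently analyzed ones, since the CallEvent may outlive the current analysis position." Also worth stating in that comment that `getCFGElementRef().getParent()` is the `CFGBlock` containing the call, since the pairing of `getLocationContext()` with the element's parent block is the whole point of the fix and is otherwise implicit.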