[LifetimeSafety] Implement a basic use-after-free diagnostic (#149731)

Implement use-after-free detection in the lifetime safety analysis with two warning levels. - Added a `LifetimeSafetyReporter` interface for reporting lifetime safety issues - Created two warning levels: - Definite errors (reported with `-Wexperimental-lifetime-safety-permissive`) - Potential errors (reported with `-Wexperimental-lifetime-safety-strict`) - Implemented a `LifetimeChecker` class that analyzes loan propagation and expired loans to detect use-after-free issues. - Added tracking of use sites through a new `UseFact` class. - Enhanced the `ExpireFact` to track the expressions where objects are destroyed. - Added test cases for both definite and potential use-after-free scenarios. The implementation now tracks pointer uses and can determine when a pointer is dereferenced after its loan has been expired, with appropriate diagnostics. The two warning levels provide flexibility - definite errors for high-confidence issues and potential errors for cases that depend on control flow.
2025-08-18 13:46:43 +02:00 · 2025-08-18 13:46:43 +02:00 · 673750feea
commit 673750feea
parent c1e2a9c66d
7 changed files with 592 additions and 61 deletions
--- a/clang/include/clang/Analysis/Analyses/LifetimeSafety.h
+++ b/clang/include/clang/Analysis/Analyses/LifetimeSafety.h
@ -19,14 +19,35 @@
 #define LLVM_CLANG_ANALYSIS_ANALYSES_LIFETIMESAFETY_H
 #include "clang/Analysis/AnalysisDeclContext.h"
 #include "clang/Analysis/CFG.h"
 #include "clang/Basic/SourceLocation.h"
 #include "llvm/ADT/DenseMapInfo.h"
 #include "llvm/ADT/ImmutableMap.h"
 #include "llvm/ADT/ImmutableSet.h"
 #include "llvm/ADT/StringMap.h"
 #include <memory>
 namespace clang::lifetimes {
 /// Enum to track the confidence level of a potential error.
 enum class Confidence {
  None,
  Maybe,   // Reported as a potential error (-Wlifetime-safety-strict)
  Definite // Reported as a definite error (-Wlifetime-safety-permissive)
 };
 class LifetimeSafetyReporter {
 public:
  LifetimeSafetyReporter() = default;
  virtual ~LifetimeSafetyReporter() = default;
  virtual void reportUseAfterFree(const Expr *IssueExpr, const Expr *UseExpr,
                                  SourceLocation FreeLoc,
                                  Confidence Confidence) {}
 };
 /// The main entry point for the analysis.
-void runLifetimeSafetyAnalysis(AnalysisDeclContext &AC);
+void runLifetimeSafetyAnalysis(AnalysisDeclContext &AC,
                               LifetimeSafetyReporter *Reporter);
 namespace internal {
 // Forward declarations of internal types.
@ -53,6 +74,7 @@ template <typename Tag> struct ID {
    IDBuilder.AddInteger(Value);
  }
 };
 template <typename Tag>
 inline llvm::raw_ostream &operator<<(llvm::raw_ostream &OS, ID<Tag> ID) {
  return OS << ID.Value;
@ -78,7 +100,8 @@ using ProgramPoint = const Fact *;
 /// encapsulates the various dataflow analyses.
 class LifetimeSafetyAnalysis {
 public:
-  LifetimeSafetyAnalysis(AnalysisDeclContext &AC);
+  LifetimeSafetyAnalysis(AnalysisDeclContext &AC,
                         LifetimeSafetyReporter *Reporter);
  ~LifetimeSafetyAnalysis();
  void run();
@ -87,7 +110,7 @@ public:
  LoanSet getLoansAtPoint(OriginID OID, ProgramPoint PP) const;
  /// Returns the set of loans that have expired at a specific program point.
-  LoanSet getExpiredLoansAtPoint(ProgramPoint PP) const;
+  std::vector<LoanID> getExpiredLoansAtPoint(ProgramPoint PP) const;
  /// Finds the OriginID for a given declaration.
  /// Returns a null optional if not found.
@ -110,6 +133,7 @@ public:
 private:
  AnalysisDeclContext &AC;
  LifetimeSafetyReporter *Reporter;
  std::unique_ptr<LifetimeFactory> Factory;
  std::unique_ptr<FactManager> FactMgr;
  std::unique_ptr<LoanPropagationAnalysis> LoanPropagation;
@ -118,4 +142,25 @@ private:
 } // namespace internal
 } // namespace clang::lifetimes
 namespace llvm {
 template <typename Tag>
 struct DenseMapInfo<clang::lifetimes::internal::ID<Tag>> {
  using ID = clang::lifetimes::internal::ID<Tag>;
  static inline ID getEmptyKey() {
    return {DenseMapInfo<uint32_t>::getEmptyKey()};
  }
  static inline ID getTombstoneKey() {
    return {DenseMapInfo<uint32_t>::getTombstoneKey()};
  }
  static unsigned getHashValue(const ID &Val) {
    return DenseMapInfo<uint32_t>::getHashValue(Val.Value);
  }
  static bool isEqual(const ID &LHS, const ID &RHS) { return LHS == RHS; }
 };
 } // namespace llvm
 #endif // LLVM_CLANG_ANALYSIS_ANALYSES_LIFETIMESAFETY_H
--- a/clang/include/clang/Basic/DiagnosticGroups.td
+++ b/clang/include/clang/Basic/DiagnosticGroups.td
@ -533,7 +533,14 @@ def Dangling : DiagGroup<"dangling", [DanglingAssignment,
                                      DanglingGsl,
                                      ReturnStackAddress]>;
-def LifetimeSafety : DiagGroup<"experimental-lifetime-safety">;
+def LifetimeSafetyPermissive : DiagGroup<"experimental-lifetime-safety-permissive">;
 def LifetimeSafetyStrict : DiagGroup<"experimental-lifetime-safety-strict">;
 def LifetimeSafety : DiagGroup<"experimental-lifetime-safety",
                               [LifetimeSafetyPermissive, LifetimeSafetyStrict]> {
  code Documentation = [{
    Experimental warnings to detect use-after-free and related temporal safety bugs based on lifetime safety analysis.
  }];
 }
 def DistributedObjectModifiers : DiagGroup<"distributed-object-modifiers">;
 def DllexportExplicitInstantiationDecl : DiagGroup<"dllexport-explicit-instantiation-decl">;
--- a/clang/include/clang/Basic/DiagnosticSemaKinds.td
+++ b/clang/include/clang/Basic/DiagnosticSemaKinds.td
@ -10671,9 +10671,15 @@ def warn_dangling_reference_captured_by_unknown : Warning<
   "object whose reference is captured will be destroyed at the end of "
   "the full-expression">, InGroup<DanglingCapture>;
-def warn_experimental_lifetime_safety_dummy_warning : Warning<
+// Diagnostics based on the Lifetime safety analysis.
-   "todo: remove this warning after we have atleast one warning based on the lifetime analysis">, 
+def warn_lifetime_safety_loan_expires_permissive : Warning<
-   InGroup<LifetimeSafety>, DefaultIgnore;
+   "object whose reference is captured does not live long enough">, 
   InGroup<LifetimeSafetyPermissive>, DefaultIgnore;
 def warn_lifetime_safety_loan_expires_strict : Warning<
   "object whose reference is captured may not live long enough">,
   InGroup<LifetimeSafetyStrict>, DefaultIgnore;
 def note_lifetime_safety_used_here : Note<"later used here">;
 def note_lifetime_safety_destroyed_here : Note<"destroyed here">;
 // For non-floating point, expressions of the form x == x or x != x
 // should result in a warning, since these always evaluate to a constant.
--- a/clang/lib/Analysis/LifetimeSafety.cpp
+++ b/clang/lib/Analysis/LifetimeSafety.cpp
@ -45,10 +45,11 @@ struct Loan {
  /// is represented as empty LoanSet
  LoanID ID;
  AccessPath Path;
-  SourceLocation IssueLoc;
+  /// The expression that creates the loan, e.g., &x.
  const Expr *IssueExpr;
-  Loan(LoanID id, AccessPath path, SourceLocation loc)
+  Loan(LoanID id, AccessPath path, const Expr *IssueExpr)
-      : ID(id), Path(path), IssueLoc(loc) {}
+      : ID(id), Path(path), IssueExpr(IssueExpr) {}
 };
 /// An Origin is a symbolic identifier that represents the set of possible
@ -82,8 +83,8 @@ class LoanManager {
 public:
  LoanManager() = default;
-  Loan &addLoan(AccessPath Path, SourceLocation Loc) {
+  Loan &addLoan(AccessPath Path, const Expr *IssueExpr) {
-    AllLoans.emplace_back(getNextLoanID(), Path, Loc);
+    AllLoans.emplace_back(getNextLoanID(), Path, IssueExpr);
    return AllLoans.back();
  }
@ -199,6 +200,8 @@ public:
    AssignOrigin,
    /// An origin escapes the function by flowing into the return value.
    ReturnOfOrigin,
    /// An origin is used (eg. dereferencing a pointer).
    Use,
    /// A marker for a specific point in the code, for testing.
    TestPoint,
  };
@ -242,12 +245,17 @@ public:
 class ExpireFact : public Fact {
  LoanID LID;
  SourceLocation ExpiryLoc;
 public:
  static bool classof(const Fact *F) { return F->getKind() == Kind::Expire; }
-  ExpireFact(LoanID LID) : Fact(Kind::Expire), LID(LID) {}
+  ExpireFact(LoanID LID, SourceLocation ExpiryLoc)
      : Fact(Kind::Expire), LID(LID), ExpiryLoc(ExpiryLoc) {}
  LoanID getLoanID() const { return LID; }
  SourceLocation getExpiryLoc() const { return ExpiryLoc; }
  void dump(llvm::raw_ostream &OS) const override {
    OS << "Expire (LoanID: " << getLoanID() << ")\n";
  }
@ -287,6 +295,24 @@ public:
  }
 };
 class UseFact : public Fact {
  OriginID UsedOrigin;
  const Expr *UseExpr;
 public:
  static bool classof(const Fact *F) { return F->getKind() == Kind::Use; }
  UseFact(OriginID UsedOrigin, const Expr *UseExpr)
      : Fact(Kind::Use), UsedOrigin(UsedOrigin), UseExpr(UseExpr) {}
  OriginID getUsedOrigin() const { return UsedOrigin; }
  const Expr *getUseExpr() const { return UseExpr; }
  void dump(llvm::raw_ostream &OS) const override {
    OS << "Use (OriginID: " << UsedOrigin << ")\n";
  }
 };
 /// A dummy-fact used to mark a specific point in the code for testing.
 /// It is generated by recognizing a `void("__lifetime_test_point_...")` cast.
 class TestPointFact : public Fact {
@ -417,13 +443,17 @@ public:
          if (VD->hasLocalStorage()) {
            OriginID OID = FactMgr.getOriginMgr().getOrCreate(*UO);
            AccessPath AddrOfLocalVarPath(VD);
-            const Loan &L = FactMgr.getLoanMgr().addLoan(AddrOfLocalVarPath,
+            const Loan &L =
-                                                         UO->getOperatorLoc());
+                FactMgr.getLoanMgr().addLoan(AddrOfLocalVarPath, UO);
            CurrentBlockFacts.push_back(
                FactMgr.createFact<IssueFact>(L.ID, OID));
          }
        }
      }
    } else if (UO->getOpcode() == UO_Deref) {
      // This is a pointer use, like '*p'.
      OriginID OID = FactMgr.getOriginMgr().get(*UO->getSubExpr());
      CurrentBlockFacts.push_back(FactMgr.createFact<UseFact>(OID, UO));
    }
  }
@ -492,7 +522,8 @@ private:
      // Check if the loan is for a stack variable and if that variable
      // is the one being destructed.
      if (LoanPath.D == DestructedVD)
-        CurrentBlockFacts.push_back(FactMgr.createFact<ExpireFact>(L.ID));
+        CurrentBlockFacts.push_back(FactMgr.createFact<ExpireFact>(
            L.ID, DtorOpt.getTriggerStmt()->getEndLoc()));
    }
  }
@ -618,6 +649,7 @@ public:
    }
  }
 protected:
  Lattice getState(ProgramPoint P) const { return PerPointStates.lookup(P); }
  Lattice getInState(const CFGBlock *B) const { return InStates.lookup(B); }
@ -665,6 +697,8 @@ private:
      return D->transfer(In, *F->getAs<AssignOriginFact>());
    case Fact::Kind::ReturnOfOrigin:
      return D->transfer(In, *F->getAs<ReturnOfOriginFact>());
    case Fact::Kind::Use:
      return D->transfer(In, *F->getAs<UseFact>());
    case Fact::Kind::TestPoint:
      return D->transfer(In, *F->getAs<TestPointFact>());
    }
@ -676,6 +710,7 @@ public:
  Lattice transfer(Lattice In, const ExpireFact &) { return In; }
  Lattice transfer(Lattice In, const AssignOriginFact &) { return In; }
  Lattice transfer(Lattice In, const ReturnOfOriginFact &) { return In; }
  Lattice transfer(Lattice In, const UseFact &) { return In; }
  Lattice transfer(Lattice In, const TestPointFact &) { return In; }
 };
@ -693,6 +728,20 @@ static llvm::ImmutableSet<T> join(llvm::ImmutableSet<T> A,
  return A;
 }
 /// Checks if set A is a subset of set B.
 template <typename T>
 static bool isSubsetOf(const llvm::ImmutableSet<T> &A,
                       const llvm::ImmutableSet<T> &B) {
  // Empty set is a subset of all sets.
  if (A.isEmpty())
    return true;
  for (const T &Elem : A)
    if (!B.contains(Elem))
      return false;
  return true;
 }
 /// Computes the key-wise union of two ImmutableMaps.
 // TODO(opt): This key-wise join is a performance bottleneck. A more
 // efficient merge could be implemented using a Patricia Trie or HAMT
@ -700,7 +749,7 @@ static llvm::ImmutableSet<T> join(llvm::ImmutableSet<T> A,
 template <typename K, typename V, typename Joiner>
 static llvm::ImmutableMap<K, V>
 join(llvm::ImmutableMap<K, V> A, llvm::ImmutableMap<K, V> B,
-     typename llvm::ImmutableMap<K, V>::Factory &F, Joiner joinValues) {
+     typename llvm::ImmutableMap<K, V>::Factory &F, Joiner JoinValues) {
  if (A.getHeight() < B.getHeight())
    std::swap(A, B);
@ -710,7 +759,7 @@ join(llvm::ImmutableMap<K, V> A, llvm::ImmutableMap<K, V> B,
    const K &Key = Entry.first;
    const V &ValB = Entry.second;
    if (const V *ValA = A.lookup(Key))
-      A = F.add(A, Key, joinValues(*ValA, ValB));
+      A = F.add(A, Key, JoinValues(*ValA, ValB));
    else
      A = F.add(A, Key, ValB);
  }
@ -723,17 +772,14 @@ join(llvm::ImmutableMap<K, V> A, llvm::ImmutableMap<K, V> B,
 // ========================================================================= //
 using OriginLoanMap = llvm::ImmutableMap<OriginID, LoanSet>;
 using ExpiredLoanMap = llvm::ImmutableMap<LoanID, const ExpireFact *>;
 /// An object to hold the factories for immutable collections, ensuring
 /// that all created states share the same underlying memory management.
 struct LifetimeFactory {
  OriginLoanMap::Factory OriginMapFactory;
  LoanSet::Factory LoanSetFactory;
-
+  ExpiredLoanMap::Factory ExpiredLoanMapFactory;
  /// Creates a singleton set containing only the given loan ID.
  LoanSet createLoanSet(LoanID LID) {
    return LoanSetFactory.add(LoanSetFactory.getEmptySet(), LID);
  }
 };
 /// Represents the dataflow lattice for loan propagation.
@ -774,13 +820,15 @@ struct LoanPropagationLattice {
 class LoanPropagationAnalysis
    : public DataflowAnalysis<LoanPropagationAnalysis, LoanPropagationLattice,
                              Direction::Forward> {
-
+  OriginLoanMap::Factory &OriginLoanMapFactory;
-  LifetimeFactory &Factory;
+  LoanSet::Factory &LoanSetFactory;
 public:
  LoanPropagationAnalysis(const CFG &C, AnalysisDeclContext &AC, FactManager &F,
-                          LifetimeFactory &Factory)
+                          LifetimeFactory &LFactory)
-      : DataflowAnalysis(C, AC, F), Factory(Factory) {}
+      : DataflowAnalysis(C, AC, F),
        OriginLoanMapFactory(LFactory.OriginMapFactory),
        LoanSetFactory(LFactory.LoanSetFactory) {}
  using Base::transfer;
@ -792,9 +840,9 @@ public:
  // TODO(opt): Keep the state small by removing origins which become dead.
  Lattice join(Lattice A, Lattice B) {
    OriginLoanMap JoinedOrigins =
-        utils::join(A.Origins, B.Origins, Factory.OriginMapFactory,
+        utils::join(A.Origins, B.Origins, OriginLoanMapFactory,
-                    [this](LoanSet S1, LoanSet S2) {
+                    [&](LoanSet S1, LoanSet S2) {
-                      return utils::join(S1, S2, Factory.LoanSetFactory);
+                      return utils::join(S1, S2, LoanSetFactory);
                    });
    return Lattice(JoinedOrigins);
  }
@ -803,8 +851,9 @@ public:
  Lattice transfer(Lattice In, const IssueFact &F) {
    OriginID OID = F.getOriginID();
    LoanID LID = F.getLoanID();
-    return LoanPropagationLattice(Factory.OriginMapFactory.add(
+    return LoanPropagationLattice(OriginLoanMapFactory.add(
-        In.Origins, OID, Factory.createLoanSet(LID)));
+        In.Origins, OID,
        LoanSetFactory.add(LoanSetFactory.getEmptySet(), LID)));
  }
  /// The destination origin's loan set is replaced by the source's.
@ -814,7 +863,7 @@ public:
    OriginID SrcOID = F.getSrcOriginID();
    LoanSet SrcLoans = getLoans(In, SrcOID);
    return LoanPropagationLattice(
-        Factory.OriginMapFactory.add(In.Origins, DestOID, SrcLoans));
+        OriginLoanMapFactory.add(In.Origins, DestOID, SrcLoans));
  }
  LoanSet getLoans(OriginID OID, ProgramPoint P) {
@ -825,7 +874,7 @@ private:
  LoanSet getLoans(Lattice L, OriginID OID) {
    if (auto *Loans = L.Origins.lookup(OID))
      return *Loans;
-    return Factory.LoanSetFactory.getEmptySet();
+    return LoanSetFactory.getEmptySet();
  }
 };
@ -835,10 +884,11 @@ private:
 /// The dataflow lattice for tracking the set of expired loans.
 struct ExpiredLattice {
-  LoanSet Expired;
+  /// Map from an expired `LoanID` to the `ExpireFact` that made it expire.
  ExpiredLoanMap Expired;
  ExpiredLattice() : Expired(nullptr) {};
-  explicit ExpiredLattice(LoanSet S) : Expired(S) {}
+  explicit ExpiredLattice(ExpiredLoanMap M) : Expired(M) {}
  bool operator==(const ExpiredLattice &Other) const {
    return Expired == Other.Expired;
@ -851,8 +901,8 @@ struct ExpiredLattice {
    OS << "ExpiredLattice State:\n";
    if (Expired.isEmpty())
      OS << "  <empty>\n";
-    for (const LoanID &LID : Expired)
+    for (const auto &[ID, _] : Expired)
-      OS << "  Loan " << LID << " is expired\n";
+      OS << "  Loan " << ID << " is expired\n";
  }
 };
@ -861,26 +911,31 @@ class ExpiredLoansAnalysis
    : public DataflowAnalysis<ExpiredLoansAnalysis, ExpiredLattice,
                              Direction::Forward> {
-  LoanSet::Factory &Factory;
+  ExpiredLoanMap::Factory &Factory;
 public:
  ExpiredLoansAnalysis(const CFG &C, AnalysisDeclContext &AC, FactManager &F,
                       LifetimeFactory &Factory)
-      : DataflowAnalysis(C, AC, F), Factory(Factory.LoanSetFactory) {}
+      : DataflowAnalysis(C, AC, F), Factory(Factory.ExpiredLoanMapFactory) {}
  using Base::transfer;
  StringRef getAnalysisName() const { return "ExpiredLoans"; }
-  Lattice getInitialState() { return Lattice(Factory.getEmptySet()); }
+  Lattice getInitialState() { return Lattice(Factory.getEmptyMap()); }
-  /// Merges two lattices by taking the union of the expired loan sets.
+  /// Merges two lattices by taking the union of the two expired loans.
-  Lattice join(Lattice L1, Lattice L2) const {
+  Lattice join(Lattice L1, Lattice L2) {
-    return Lattice(utils::join(L1.Expired, L2.Expired, Factory));
+    return Lattice(
        utils::join(L1.Expired, L2.Expired, Factory,
                    // Take the last expiry fact to make this hermetic.
                    [](const ExpireFact *F1, const ExpireFact *F2) {
                      return F1->getExpiryLoc() > F2->getExpiryLoc() ? F1 : F2;
                    }));
  }
  Lattice transfer(Lattice In, const ExpireFact &F) {
-    return Lattice(Factory.add(In.Expired, F.getLoanID()));
+    return Lattice(Factory.add(In.Expired, F.getLoanID(), &F));
  }
  // Removes the loan from the set of expired loans.
@ -912,15 +967,116 @@ public:
  Lattice transfer(Lattice In, const IssueFact &F) {
    return Lattice(Factory.remove(In.Expired, F.getLoanID()));
  }
  ExpiredLoanMap getExpiredLoans(ProgramPoint P) { return getState(P).Expired; }
 };
 // ========================================================================= //
-//  TODO:
+//                       Lifetime checker and Error reporter
 // - Modify loan expiry analysis to answer `bool isExpired(Loan L, Point P)`
 // - Modify origin liveness analysis to answer `bool isLive(Origin O, Point P)`
 // - Using the above three to perform the final error reporting.
 // ========================================================================= //
 /// Struct to store the complete context for a potential lifetime violation.
 struct PendingWarning {
  SourceLocation ExpiryLoc; // Where the loan expired.
  const Expr *UseExpr;      // Where the origin holding this loan was used.
  Confidence ConfidenceLevel;
 };
 class LifetimeChecker {
 private:
  llvm::DenseMap<LoanID, PendingWarning> FinalWarningsMap;
  LoanPropagationAnalysis &LoanPropagation;
  ExpiredLoansAnalysis &ExpiredLoans;
  FactManager &FactMgr;
  AnalysisDeclContext &ADC;
  LifetimeSafetyReporter *Reporter;
 public:
  LifetimeChecker(LoanPropagationAnalysis &LPA, ExpiredLoansAnalysis &ELA,
                  FactManager &FM, AnalysisDeclContext &ADC,
                  LifetimeSafetyReporter *Reporter)
      : LoanPropagation(LPA), ExpiredLoans(ELA), FactMgr(FM), ADC(ADC),
        Reporter(Reporter) {}
  void run() {
    llvm::TimeTraceScope TimeProfile("LifetimeChecker");
    for (const CFGBlock *B : *ADC.getAnalysis<PostOrderCFGView>())
      for (const Fact *F : FactMgr.getFacts(B))
        if (const auto *UF = F->getAs<UseFact>())
          checkUse(UF);
    issuePendingWarnings();
  }
  /// Checks for use-after-free errors for a given use of an Origin.
  ///
  /// This method is called for each 'UseFact' identified in the control flow
  /// graph. It determines if the loans held by the used origin have expired
  /// at the point of use.
  void checkUse(const UseFact *UF) {
    OriginID O = UF->getUsedOrigin();
    // Get the set of loans that the origin might hold at this program point.
    LoanSet HeldLoans = LoanPropagation.getLoans(O, UF);
    // Get the set of all loans that have expired at this program point.
    ExpiredLoanMap AllExpiredLoans = ExpiredLoans.getExpiredLoans(UF);
    // If the pointer holds no loans or no loans have expired, there's nothing
    // to check.
    if (HeldLoans.isEmpty() || AllExpiredLoans.isEmpty())
      return;
    // Identify loans that which have expired but are held by the pointer. Using
    // them is a use-after-free.
    llvm::SmallVector<LoanID> DefaultedLoans;
    // A definite UaF error occurs if all loans the origin might hold have
    // expired.
    bool IsDefiniteError = true;
    for (LoanID L : HeldLoans) {
      if (AllExpiredLoans.contains(L))
        DefaultedLoans.push_back(L);
      else
        // If at least one loan is not expired, this use is not a definite UaF.
        IsDefiniteError = false;
    }
    // If there are no defaulted loans, the use is safe.
    if (DefaultedLoans.empty())
      return;
    // Determine the confidence level of the error (definite or maybe).
    Confidence CurrentConfidence =
        IsDefiniteError ? Confidence::Definite : Confidence::Maybe;
    // For each expired loan, create a pending warning.
    for (LoanID DefaultedLoan : DefaultedLoans) {
      // If we already have a warning for this loan with a higher or equal
      // confidence, skip this one.
      if (FinalWarningsMap.count(DefaultedLoan) &&
          CurrentConfidence <= FinalWarningsMap[DefaultedLoan].ConfidenceLevel)
        continue;
      auto *EF = AllExpiredLoans.lookup(DefaultedLoan);
      assert(EF && "Could not find ExpireFact for an expired loan.");
      FinalWarningsMap[DefaultedLoan] = {/*ExpiryLoc=*/(*EF)->getExpiryLoc(),
                                         /*UseExpr=*/UF->getUseExpr(),
                                         /*ConfidenceLevel=*/CurrentConfidence};
    }
  }
  void issuePendingWarnings() {
    if (!Reporter)
      return;
    for (const auto &[LID, Warning] : FinalWarningsMap) {
      const Loan &L = FactMgr.getLoanMgr().getLoan(LID);
      const Expr *IssueExpr = L.IssueExpr;
      Reporter->reportUseAfterFree(IssueExpr, Warning.UseExpr,
                                   Warning.ExpiryLoc, Warning.ConfidenceLevel);
    }
  }
 };
 // ========================================================================= //
 //                  LifetimeSafetyAnalysis Class Implementation
 // ========================================================================= //
@ -928,8 +1084,9 @@ public:
 // We need this here for unique_ptr with forward declared class.
 LifetimeSafetyAnalysis::~LifetimeSafetyAnalysis() = default;
-LifetimeSafetyAnalysis::LifetimeSafetyAnalysis(AnalysisDeclContext &AC)
+LifetimeSafetyAnalysis::LifetimeSafetyAnalysis(AnalysisDeclContext &AC,
-    : AC(AC), Factory(std::make_unique<LifetimeFactory>()),
+                                               LifetimeSafetyReporter *Reporter)
    : AC(AC), Reporter(Reporter), Factory(std::make_unique<LifetimeFactory>()),
      FactMgr(std::make_unique<FactManager>()) {}
 void LifetimeSafetyAnalysis::run() {
@ -952,6 +1109,8 @@ void LifetimeSafetyAnalysis::run() {
  ///    blocks; only Decls are visible.  Therefore, loans in a block that
  ///    never reach an Origin associated with a Decl can be safely dropped by
  ///    the analysis.
  /// 3. Collapse ExpireFacts belonging to same source location into a single
  ///    Fact.
  LoanPropagation =
      std::make_unique<LoanPropagationAnalysis>(Cfg, AC, *FactMgr, *Factory);
  LoanPropagation->run();
@ -959,6 +1118,10 @@ void LifetimeSafetyAnalysis::run() {
  ExpiredLoans =
      std::make_unique<ExpiredLoansAnalysis>(Cfg, AC, *FactMgr, *Factory);
  ExpiredLoans->run();
  LifetimeChecker Checker(*LoanPropagation, *ExpiredLoans, *FactMgr, AC,
                          Reporter);
  Checker.run();
 }
 LoanSet LifetimeSafetyAnalysis::getLoansAtPoint(OriginID OID,
@ -967,9 +1130,13 @@ LoanSet LifetimeSafetyAnalysis::getLoansAtPoint(OriginID OID,
  return LoanPropagation->getLoans(OID, PP);
 }
-LoanSet LifetimeSafetyAnalysis::getExpiredLoansAtPoint(ProgramPoint PP) const {
+std::vector<LoanID>
 LifetimeSafetyAnalysis::getExpiredLoansAtPoint(ProgramPoint PP) const {
  assert(ExpiredLoans && "ExpiredLoansAnalysis has not been run.");
-  return ExpiredLoans->getState(PP).Expired;
+  std::vector<LoanID> Result;
  for (const auto &pair : ExpiredLoans->getExpiredLoans(PP))
    Result.push_back(pair.first);
  return Result;
 }
 std::optional<OriginID>
@ -1009,8 +1176,9 @@ llvm::StringMap<ProgramPoint> LifetimeSafetyAnalysis::getTestPoints() const {
 }
 } // namespace internal
-void runLifetimeSafetyAnalysis(AnalysisDeclContext &AC) {
+void runLifetimeSafetyAnalysis(AnalysisDeclContext &AC,
-  internal::LifetimeSafetyAnalysis Analysis(AC);
+                               LifetimeSafetyReporter *Reporter) {
  internal::LifetimeSafetyAnalysis Analysis(AC, Reporter);
  Analysis.run();
 }
 } // namespace clang::lifetimes
--- a/clang/lib/Sema/AnalysisBasedWarnings.cpp
+++ b/clang/lib/Sema/AnalysisBasedWarnings.cpp
@ -2780,6 +2780,31 @@ public:
  }
 };
 namespace clang::lifetimes {
 namespace {
 class LifetimeSafetyReporterImpl : public LifetimeSafetyReporter {
 public:
  LifetimeSafetyReporterImpl(Sema &S) : S(S) {}
  void reportUseAfterFree(const Expr *IssueExpr, const Expr *UseExpr,
                          SourceLocation FreeLoc, Confidence C) override {
    S.Diag(IssueExpr->getExprLoc(),
           C == Confidence::Definite
               ? diag::warn_lifetime_safety_loan_expires_permissive
               : diag::warn_lifetime_safety_loan_expires_strict)
        << IssueExpr->getEndLoc();
    S.Diag(FreeLoc, diag::note_lifetime_safety_destroyed_here);
    S.Diag(UseExpr->getExprLoc(), diag::note_lifetime_safety_used_here)
        << UseExpr->getEndLoc();
  }
 private:
  Sema &S;
 };
 } // namespace
 } // namespace clang::lifetimes
 void clang::sema::AnalysisBasedWarnings::IssueWarnings(
     TranslationUnitDecl *TU) {
  if (!TU)
@ -3029,8 +3054,10 @@ void clang::sema::AnalysisBasedWarnings::IssueWarnings(
  // TODO: Enable lifetime safety analysis for other languages once it is
  // stable.
  if (EnableLifetimeSafetyAnalysis && S.getLangOpts().CPlusPlus) {
-    if (AC.getCFG())
+    if (AC.getCFG()) {
-      lifetimes::runLifetimeSafetyAnalysis(AC);
+      lifetimes::LifetimeSafetyReporterImpl LifetimeSafetyReporter(S);
      lifetimes::runLifetimeSafetyAnalysis(AC, &LifetimeSafetyReporter);
    }
  }
  // Check for violations of "called once" parameter properties.
  if (S.getLangOpts().ObjC && !S.getLangOpts().CPlusPlus &&
--- a/clang/test/Sema/warn-lifetime-safety.cpp
+++ b/clang/test/Sema/warn-lifetime-safety.cpp
@ -0,0 +1,273 @@
 // RUN: %clang_cc1 -fsyntax-only -fexperimental-lifetime-safety -Wexperimental-lifetime-safety -verify %s
 struct MyObj {
  int id;
  ~MyObj() {}  // Non-trivial destructor
  MyObj operator+(MyObj);
 };
 //===----------------------------------------------------------------------===//
 // Basic Definite Use-After-Free (-W...permissive)
 // These are cases where the pointer is guaranteed to be dangling at the use site.
 //===----------------------------------------------------------------------===//
 void definite_simple_case() {
  MyObj* p;
  {
    MyObj s;
    p = &s;     // expected-warning {{object whose reference is captured does not live long enough}}
  }             // expected-note {{destroyed here}}
  (void)*p;     // expected-note {{later used here}}
 }
 void no_use_no_error() {
  MyObj* p;
  {
    MyObj s;
    p = &s;
  }
 }
 void definite_pointer_chain() {
  MyObj* p;
  MyObj* q;
  {
    MyObj s;
    p = &s;     // expected-warning {{does not live long enough}}
    q = p;
  }             // expected-note {{destroyed here}}
  (void)*q;     // expected-note {{later used here}}
 }
 void definite_multiple_uses_one_warning() {
  MyObj* p;
  {
    MyObj s;
    p = &s;     // expected-warning {{does not live long enough}}
  }             // expected-note {{destroyed here}}
  (void)*p;     // expected-note {{later used here}}
  // No second warning for the same loan.
  p->id = 1;
  MyObj* q = p;
  (void)*q;
 }
 void definite_multiple_pointers() {
  MyObj *p, *q, *r;
  {
    MyObj s;
    p = &s;     // expected-warning {{does not live long enough}}
    q = &s;     // expected-warning {{does not live long enough}}
    r = &s;     // expected-warning {{does not live long enough}}
  }             // expected-note 3 {{destroyed here}}
  (void)*p;     // expected-note {{later used here}}
  (void)*q;     // expected-note {{later used here}}
  (void)*r;     // expected-note {{later used here}}
 }
 void definite_single_pointer_multiple_loans(bool cond) {
  MyObj *p;
  if (cond){
    MyObj s;
    p = &s;     // expected-warning {{does not live long enough}}
  }             // expected-note {{destroyed here}}
  else {
    MyObj t;
    p = &t;     // expected-warning {{does not live long enough}}
  }             // expected-note {{destroyed here}}
  (void)*p;     // expected-note 2  {{later used here}}
 }
 //===----------------------------------------------------------------------===//
 // Potential (Maybe) Use-After-Free (-W...strict)
 // These are cases where the pointer *may* become dangling, depending on the path taken.
 //===----------------------------------------------------------------------===//
 void potential_if_branch(bool cond) {
  MyObj safe;
  MyObj* p = &safe;
  if (cond) {
    MyObj temp;
    p = &temp;  // expected-warning {{object whose reference is captured may not live long enough}}
  }             // expected-note {{destroyed here}}
  (void)*p;     // expected-note {{later used here}}
 }
 // If all paths lead to a dangle, it becomes a definite error.
 void potential_becomes_definite(bool cond) {
  MyObj* p;
  if (cond) {
    MyObj temp1;
    p = &temp1; // expected-warning {{does not live long enough}}
  }             // expected-note {{destroyed here}}
  else {      
    MyObj temp2;
    p = &temp2; // expected-warning {{does not live long enough}}
  }             // expected-note {{destroyed here}}
  (void)*p;     // expected-note 2 {{later used here}}
 }
 void definite_potential_together(bool cond) {
  MyObj safe;
  MyObj* p_maybe = &safe;
  MyObj* p_definite = nullptr;
  {
    MyObj s;
    p_definite = &s;  // expected-warning {{does not live long enough}}
    if (cond) {
      p_maybe = &s;   // expected-warning {{may not live long enough}}
    }                 
  }                   // expected-note 2 {{destroyed here}}
  (void)*p_definite;  // expected-note {{later used here}}
  (void)*p_maybe;     // expected-note {{later used here}}
 }
 void definite_overrides_potential(bool cond) {
  MyObj safe;
  MyObj* p;
  MyObj* q;
  {
    MyObj s;
    q = &s;       // expected-warning {{does not live long enough}}
    p = q;
  }               // expected-note {{destroyed here}}
  if (cond) {
    // 'q' is conditionally "rescued". 'p' is not.
    q = &safe;
  }
  // The use of 'p' is a definite error because it was never rescued.
  (void)*q;
  (void)*p;       // expected-note {{later used here}}
  (void)*q;
 }
 //===----------------------------------------------------------------------===//
 // Control Flow Tests
 //===----------------------------------------------------------------------===//
 void potential_for_loop_use_after_loop_body(MyObj safe) {
  MyObj* p = &safe;
  for (int i = 0; i < 1; ++i) {
    MyObj s;
    p = &s;     // expected-warning {{may not live long enough}}
  }             // expected-note {{destroyed here}}
  (void)*p;     // expected-note {{later used here}}
 }
 void potential_for_loop_use_before_loop_body(MyObj safe) {
  MyObj* p = &safe;
  for (int i = 0; i < 1; ++i) {
    (void)*p;   // expected-note {{later used here}}
    MyObj s;
    p = &s;     // expected-warning {{may not live long enough}}
  }             // expected-note {{destroyed here}}
  (void)*p;
 }
 void potential_loop_with_break(bool cond) {
  MyObj safe;
  MyObj* p = &safe;
  for (int i = 0; i < 10; ++i) {
    if (cond) {
      MyObj temp;
      p = &temp; // expected-warning {{may not live long enough}}
      break;     // expected-note {{destroyed here}}
    }           
  } 
  (void)*p;     // expected-note {{later used here}}
 }
 void potential_multiple_expiry_of_same_loan(bool cond) {
  // Choose the last expiry location for the loan.
  MyObj safe;
  MyObj* p = &safe;
  for (int i = 0; i < 10; ++i) {
    MyObj unsafe;
    if (cond) {
      p = &unsafe; // expected-warning {{may not live long enough}}
      break;
    }
  }               // expected-note {{destroyed here}} 
  (void)*p;       // expected-note {{later used here}}
  p = &safe;
  for (int i = 0; i < 10; ++i) {
    MyObj unsafe;
    if (cond) {
      p = &unsafe;    // expected-warning {{may not live long enough}}
      if (cond)
        break;
    }
  }                   // expected-note {{destroyed here}}
  (void)*p;           // expected-note {{later used here}}
  p = &safe;
  for (int i = 0; i < 10; ++i) {
    if (cond) {
      MyObj unsafe2;
      p = &unsafe2;   // expected-warning {{may not live long enough}}
      break;          // expected-note {{destroyed here}}
    }
  }
  (void)*p;           // expected-note {{later used here}}
 }
 void potential_switch(int mode) {
  MyObj safe;
  MyObj* p = &safe;
  switch (mode) {
  case 1: {
    MyObj temp;
    p = &temp;  // expected-warning {{object whose reference is captured may not live long enough}}
    break;      // expected-note {{destroyed here}}
  }
  case 2: {
    p = &safe;  // This path is okay.
    break;
  }
  }
  (void)*p;     // expected-note {{later used here}}
 }
 void definite_switch(int mode) {
  MyObj safe;
  MyObj* p = &safe;
  // All cases are UaF --> Definite error.
  switch (mode) {
  case 1: {
    MyObj temp1;
    p = &temp1; // expected-warning {{does not live long enough}}
    break;      // expected-note {{destroyed here}}
  }
  case 2: {
    MyObj temp2;
    p = &temp2; // expected-warning {{does not live long enough}}
    break;      // expected-note {{destroyed here}}
  }
  default: {
    MyObj temp2;
    p = &temp2; // expected-warning {{does not live long enough}}
    break;      // expected-note {{destroyed here}}
  }
  }
  (void)*p;     // expected-note 3 {{later used here}}
 }
 //===----------------------------------------------------------------------===//
 // No-Error Cases
 //===----------------------------------------------------------------------===//
 void no_error_if_dangle_then_rescue() {
  MyObj safe;
  MyObj* p;
  {
    MyObj temp;
    p = &temp;  // p is temporarily dangling.
  }
  p = &safe;    // p is "rescued" before use.
  (void)*p;     // This is safe.
 }
--- a/clang/unittests/Analysis/LifetimeSafetyTest.cpp
+++ b/clang/unittests/Analysis/LifetimeSafetyTest.cpp
@ -33,7 +33,9 @@ public:
    )";
    FullCode += Code.str();
-    AST = std::make_unique<clang::TestAST>(FullCode);
+    Inputs = TestInputs(FullCode);
    Inputs.Language = TestLanguage::Lang_CXX20;
    AST = std::make_unique<clang::TestAST>(Inputs);
    ASTCtx = &AST->context();
    // Find the target function using AST matchers.
@ -51,7 +53,7 @@ public:
    BuildOptions.AddTemporaryDtors = true;
    // Run the main analysis.
-    Analysis = std::make_unique<LifetimeSafetyAnalysis>(*AnalysisCtx);
+    Analysis = std::make_unique<LifetimeSafetyAnalysis>(*AnalysisCtx, nullptr);
    Analysis->run();
    AnnotationToPointMap = Analysis->getTestPoints();
@ -70,6 +72,7 @@ public:
  }
 private:
  TestInputs Inputs;
  std::unique_ptr<TestAST> AST;
  ASTContext *ASTCtx = nullptr;
  std::unique_ptr<AnalysisDeclContext> AnalysisCtx;
@ -118,11 +121,13 @@ public:
    return Analysis.getLoansAtPoint(OID, PP);
  }
-  std::optional<LoanSet> getExpiredLoansAtPoint(llvm::StringRef Annotation) {
+  std::optional<llvm::DenseSet<LoanID>>
  getExpiredLoansAtPoint(llvm::StringRef Annotation) {
    ProgramPoint PP = Runner.getProgramPoint(Annotation);
    if (!PP)
      return std::nullopt;
-    return Analysis.getExpiredLoansAtPoint(PP);
+    auto Expired = Analysis.getExpiredLoansAtPoint(PP);
    return llvm::DenseSet<LoanID>{Expired.begin(), Expired.end()};
  }
 private: