[mlir] Dangling function object assigned to function_ref #71363
Description
/opt/homebrew/opt/llvm@17/include/mlir/IR/StorageUniquerSupport.h:134 returns a temporary object on stack:
133 static auto getWalkImmediateSubElementsFn() {
134 return [](auto instance, function_ref<void(Attribute)> walkAttrsFn,
135 function_ref<void(Type)> walkTypesFn) {
136 ::mlir::detail::walkImmediateSubElementsImpl(
137 llvm::cast<ConcreteT>(instance), walkAttrsFn, walkTypesFn);
138 };
139 }
/opt/homebrew/opt/llvm@17/include/mlir/IR/TypeSupport.h:46 has:
44 template <typename T>
45 static AbstractType get(Dialect &dialect) {
46 return AbstractType(dialect, T::getInterfaceMap(), T::getHasTraitFn(),
47 T::getWalkImmediateSubElementsFn(),
48 T::getReplaceImmediateSubElementsFn(), T::getTypeID());
49 }
...
104 AbstractType(Dialect &dialect, detail::InterfaceMap &&interfaceMap,
105 HasTraitFn &&hasTrait,
106 WalkImmediateSubElementsFn walkImmediateSubElementsFn,
107 ReplaceImmediateSubElementsFn replaceImmediateSubElementsFn,
108 TypeID typeID)
109 : dialect(dialect), interfaceMap(std::move(interfaceMap)),
110 hasTraitFn(std::move(hasTrait)),
111 walkImmediateSubElementsFn(walkImmediateSubElementsFn),
112 replaceImmediateSubElementsFn(replaceImmediateSubElementsFn),
113 typeID(typeID) {}
walkImmediateSubElementsFn is:
33 using WalkImmediateSubElementsFn = function_ref<void(
34 Type, function_ref<void(Attribute)>, function_ref<void(Type)>)>;
However, function_ref says:
/// An efficient, type-erasing, non-owning reference to a callable. This is
/// intended for use as the type of a function parameter that is not used
/// after the function in question returns.
///
/// This class does not own the callable, so it is not in general safe to store
/// a function_ref.
template<typename Fn> class function_ref;
Thus a temporary is stored into a reference object, which can lead to a crash.
Found by clang-tidy+clang-analyzer.