PreStmtPurgeDeadSymbols and LazyCompoundVal bindings

Hmm! I didn't quite understand what's going on in your case (perhaps some minimal code samples with state dumps could help), but in general i think i understand your point:

* If the origin region of a lazy compound value has symbolic base, then its base symbol must be kept alive for as long as the lazy compound value is present in the state *

I think that the following test (in the sense of test/Analysis/symbol-reaper.c) would expose the problem:

   struct S2 *conjure_S2();
   struct S2 global_S2;
   void test_lcv_base_symbol_lifetime() {
     struct S2 *Sp = conjure_S2();
     clang_analyzer_warnOnDeadSymbol((int)Sp);
     global_S2 = *Sp; // no-warning
   }

I agree that this test should pass (and now it fails), and your analysis of the problem seems correct at a glance :slight_smile:

In fact, this test doesn't even deal with temporary objects - it's a plain C test. Additionally, this test in fact tests the similar problem in Environment, rather than in RegionStore - there's a moment just before assigning to the global, when the LCV only exists in the Environment (as value of *Sp), and symbol death is announced at that particular moment. I think that both Store and Environment suffers from this problem.

I'd probably also throw in the following requirement:

* if the origin region of a lazy compound value has symbolic offset in its base region, then the offset symbol should also be kept alive *

Could you confirm that i understand your problem correctly? I'd make a patch for my understanding anyway, but perhaps there are more things that i've missed.