https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106441
--- Comment #3 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
(In reply to Andrew Pinski from comment #2)
> __analyzer_callee_test_3 (int a, int b, int (**out_fn) (int))
> {
> int square (int z) { return z * z; }
>
> *out_fn = square;
>
> This really should be warning that the assignment of the nested function is
> escaping the current scope because the chain value goes out of the scope at
> the end.
Sorry the FRAME (in this case FRAME.4).
If we look at the IR:
__builtin_init_trampoline (&FRAME.4.square, square, &FRAME.4);
_8 = __builtin_adjust_trampoline (&FRAME.4.square);
_9 = (int (*<T34d>) (int)) _8;
*out_fn_10(D) = _9;
__builtin_init_trampoline is setting up the trampoline (new function ptr) into
FRAME.4.square for the nested function square with the frame of FRAME.4.
__builtin_adjust_trampoline adjusts the trampoline if needed (usually just a
call to flush the icache) and will return a function pointer.
So _9/_8 will refer to the trampoline and/or frame that is an local variable
which goes out of scope when the function returns too.
