fix: Handle multiple stores to same address for pointer-based access (#16)

mpyw · claude · web-flow · commit c995a1cf4c77 · 2025-12-26T12:08:50.000+09:00
Previously, findStoredValue only returned the first Store instruction found for a given address. This caused false negatives when multiple stores existed in different control flow paths (e.g., if/else branches). Changes: - Renamed findStoredValue to findAllStoredValues to return all stores - Added traceAllStoredValues to check ALL stored values have context (similar to Phi node semantics - all paths must have ctx) - Updated traceUnOp and traceAlloc to use the new functions Example that was previously missed: e := logger.Info().Ctx(ctx) ptr := &e if cond { *ptr = logger.Warn() // no ctx in this branch! } (*ptr).Msg("msg") // Now correctly reports missing ctx 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
diff --git a/internal/ssa/tracing.go b/internal/ssa/tracing.go
@@ -373,21 +373,36 @@ func edgeLeadsToImpl(v ssa.Value, target *ssa.Phi, seen map[ssa.Value]bool) bool
 // traceUnOp handles SSA unary operations, especially pointer dereferences.
 func (c *Checker) traceUnOp(unop *ssa.UnOp, visited map[ssa.Value]bool, t tracerType) bool {
 	if unop.Op == token.MUL {
-		if stored := findStoredValue(unop.X); stored != nil {
-			return c.traceValue(stored, t, visited)
+		storedValues := findAllStoredValues(unop.X)
+		if len(storedValues) > 0 {
+			return c.traceAllStoredValues(storedValues, visited, t)
 		}
 	}
 	return c.traceValue(unop.X, t, visited)
 }
 
 // traceAlloc handles SSA Alloc nodes (local variable allocation).
 func (c *Checker) traceAlloc(alloc *ssa.Alloc, visited map[ssa.Value]bool, t tracerType) bool {
-	if stored := findStoredValue(alloc); stored != nil {
-		return c.traceValue(stored, t, visited)
+	storedValues := findAllStoredValues(alloc)
+	if len(storedValues) > 0 {
+		return c.traceAllStoredValues(storedValues, visited, t)
 	}
 	return false
 }
 
+// traceAllStoredValues traces all stored values and returns true only if ALL have context.
+// This is similar to Phi node handling - all paths must have context.
+func (c *Checker) traceAllStoredValues(storedValues []ssa.Value, visited map[ssa.Value]bool, t tracerType) bool {
+	for _, stored := range storedValues {
+		// Clone visited for independent tracing of each store
+		storeVisited := maps.Clone(visited)
+		if !c.traceValue(stored, t, storeVisited) {
+			return false
+		}
+	}
+	return true
+}
+
 // traceFreeVar traces a FreeVar back to the value bound in MakeClosure.
 func (c *Checker) traceFreeVar(fv *ssa.FreeVar, visited map[ssa.Value]bool, t tracerType) bool {
 	fn := fv.Parent()
@@ -476,8 +491,17 @@ func (c *Checker) traceIIFEReturns(fn *ssa.Function, visited map[ssa.Value]bool,
 // Store Tracking
 // =============================================================================
 
-// findStoredValue finds the value that was stored at the given address.
-func findStoredValue(addr ssa.Value) ssa.Value {
+// findAllStoredValues finds all values that were stored at the given address.
+// Multiple stores can occur in different control flow paths (e.g., if/else branches).
+// All stored values must be checked for context to handle cases like:
+//
+//	e := logger.Info().Ctx(ctx)
+//	ptr := &e
+//	if cond {
+//	    *ptr = logger.Warn()  // no ctx in this branch!
+//	}
+//	(*ptr).Msg("msg")  // should report: one branch lacks ctx
+func findAllStoredValues(addr ssa.Value) []ssa.Value {
 	var fn *ssa.Function
 	switch v := addr.(type) {
 	case *ssa.FieldAddr:
@@ -495,18 +519,19 @@ func findStoredValue(addr ssa.Value) ssa.Value {
 		return nil
 	}
 
+	var storedValues []ssa.Value
 	for _, block := range fn.Blocks {
 		for _, instr := range block.Instrs {
 			store, ok := instr.(*ssa.Store)
 			if !ok {
 				continue
 			}
 			if addressesMatch(store.Addr, addr) {
-				return store.Val
+				storedValues = append(storedValues, store.Val)
 			}
 		}
 	}
-	return nil
+	return storedValues
 }
 
 // addressesMatch checks if two addresses refer to the same memory location.
diff --git a/testdata/src/zerolog/evil_ssa.go b/testdata/src/zerolog/evil_ssa.go
@@ -1062,3 +1062,36 @@ func badLoggerFromContextThenNew(ctx context.Context, logger zerolog.Logger) {
 	_ = zerolog.Ctx(ctx)                    // Get but don't use
 	logger.Info().Msg("ignored ctx logger") // want `zerolog call chain missing .Ctx\(ctx\)`
 }
+
+// ===== POINTER WITH CONDITIONAL STORE =====
+
+// Test case: Multiple stores to same pointer address - partial ctx
+// If only one branch has ctx, should report
+func badPointerConditionalStorePartialCtx(ctx context.Context, logger zerolog.Logger, cond bool) {
+	e := logger.Info() // no ctx
+	ptr := &e
+	if cond {
+		*ptr = logger.Warn().Ctx(ctx) // has ctx
+	}
+	(*ptr).Msg("ptr conditional partial") // want `zerolog call chain missing .Ctx\(ctx\)`
+}
+
+// Test case: Both stores have ctx - should be OK
+func goodPointerConditionalStoreAllCtx(ctx context.Context, logger zerolog.Logger, cond bool) {
+	e := logger.Info().Ctx(ctx) // has ctx
+	ptr := &e
+	if cond {
+		*ptr = logger.Warn().Ctx(ctx) // has ctx
+	}
+	(*ptr).Msg("ptr conditional all ctx") // OK - all paths have ctx
+}
+
+// Test case: Initial has ctx, conditional does not
+func badPointerConditionalStoreInitialCtx(ctx context.Context, logger zerolog.Logger, cond bool) {
+	e := logger.Info().Ctx(ctx) // has ctx
+	ptr := &e
+	if cond {
+		*ptr = logger.Warn() // no ctx
+	}
+	(*ptr).Msg("ptr initial ctx") // want `zerolog call chain missing .Ctx\(ctx\)`
+}
