chore: solidify len/cap impurity check for maps/chans and add tests

google-labs-jules[bot] · xkilldash9x · google-labs-jules[bot] · commit 3d85870beb11 · 2026-02-04T13:08:40.000Z
- Verify and solidify the impurity check for `len()` and `cap()` on maps and channels in `canonicalizer.go`.
- Replace "FIX" marker with "Note" to reflect that the logic is implemented and intentional.
- Add regression test `TestCanonicalizer_HoistSafety_Chan` in `ir_test.go` to ensure `len(chan)` and `cap(chan)` are not hoisted out of loops.

Co-authored-by: xkilldash9x &lt;223238109+xkilldash9x@users.noreply.github.com&gt;
diff --git a/pkg/analysis/ir/canonicalizer.go b/pkg/analysis/ir/canonicalizer.go
@@ -462,7 +462,7 @@ func (c *Canonicalizer) isPureBuiltin(call *ssa.Call) bool {
 		return false
 	}
 
-	// Security Fix: len() and cap() are impure for Maps and Channels
+	// Note: len() and cap() are impure for Maps and Channels
 	// because their length is volatile in concurrent/mutable contexts.
 	if name == "len" || name == "cap" {
 		if len(call.Call.Args) > 0 {
diff --git a/pkg/analysis/ir/ir_test.go b/pkg/analysis/ir/ir_test.go
@@ -564,3 +564,64 @@ func TestCanonicalizer_BlockOrderingStability(t *testing.T) {
 		}
 	}
 }
+
+func TestCanonicalizer_HoistSafety_Chan(t *testing.T) {
+	t.Parallel()
+
+	// Test len(chan) and cap(chan) are not hoisted.
+	src := `package main
+		func foo(c chan int) int {
+			sum := 0
+			for i := 0; i < 10; i++ {
+				c <- i
+				sum += len(c) // This must NOT be hoisted
+				sum += cap(c) // This must NOT be hoisted
+			}
+			return sum
+		}`
+
+	fn := testutil.CompileAndGetFunction(t, src, "foo")
+
+	c := ir.NewCanonicalizer(ir.DefaultLiteralPolicy)
+	defer ir.ReleaseCanonicalizer(c)
+
+	out := c.CanonicalizeFunction(fn)
+
+	lines := strings.Split(out, "\n")
+	var loopHeaderIdx int
+	var lenCallIdx int = -1
+	var capCallIdx int = -1
+	loopFound := false
+
+	for i, line := range lines {
+		if strings.Contains(line, "; LoopHeader") {
+			loopHeaderIdx = i
+			loopFound = true
+		}
+		if strings.Contains(line, "Call <builtin:len>") {
+			lenCallIdx = i
+		}
+		if strings.Contains(line, "Call <builtin:cap>") {
+			capCallIdx = i
+		}
+	}
+
+	if !loopFound {
+		t.Fatal("Failed to detect LoopHeader in canonical output")
+	}
+
+	if lenCallIdx == -1 {
+		t.Fatal("Failed to find len() call in canonical output")
+	}
+	if capCallIdx == -1 {
+		t.Fatal("Failed to find cap() call in canonical output")
+	}
+
+	// If len() or cap() was hoisted, it would appear in the pre-header (before loop header).
+	if lenCallIdx < loopHeaderIdx {
+		t.Errorf("Security Flaw: len(chan) was incorrectly hoisted out of the loop.")
+	}
+	if capCallIdx < loopHeaderIdx {
+		t.Errorf("Security Flaw: cap(chan) was incorrectly hoisted out of the loop.")
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -462,7 +462,7 @@ func (c Canonicalizer) isPureBuiltin(call ssa.Call) bool {`
`462`	`462`	`return false`
`463`	`463`	`}`
`464`	`464`
`465`		`- // Security Fix: len() and cap() are impure for Maps and Channels`
	`465`	`+ // Note: len() and cap() are impure for Maps and Channels`
`466`	`466`	`// because their length is volatile in concurrent/mutable contexts.`
`467`	`467`	`if name == "len" \|\| name == "cap" {`
`468`	`468`	`if len(call.Call.Args) > 0 {`