search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[TargetVersion] Only enable on RISC-V and AArch64 (#115991)
[llvm-project.git] / clang-tools-extra / clang-tidy / bugprone / UseAfterMoveCheck.cpp
blob960133159dbbf58e8d9522bb08739142b523daed
1 //===--- UseAfterMoveCheck.cpp - clang-tidy -------------------------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8
9 #include "UseAfterMoveCheck.h"
10
11 #include "clang/AST/Expr.h"
12 #include "clang/AST/ExprCXX.h"
13 #include "clang/ASTMatchers/ASTMatchers.h"
14 #include "clang/Analysis/Analyses/CFGReachabilityAnalysis.h"
15 #include "clang/Analysis/CFG.h"
16 #include "clang/Lex/Lexer.h"
17 #include "llvm/ADT/STLExtras.h"
18 #include "llvm/ADT/SmallPtrSet.h"
19
20 #include "../utils/ExprSequence.h"
21 #include "../utils/Matchers.h"
22 #include <optional>
23
24 using namespace clang::ast_matchers;
25 using namespace clang::tidy::utils;
26
27 namespace clang::tidy::bugprone {
28
29 using matchers::hasUnevaluatedContext;
30
31 namespace {
32
33 /// Contains information about a use-after-move.
34 struct UseAfterMove {
35 // The DeclRefExpr that constituted the use of the object.
36 const DeclRefExpr *DeclRef;
37
38 // Is the order in which the move and the use are evaluated undefined?
39 bool EvaluationOrderUndefined = false;
40
41 // Does the use happen in a later loop iteration than the move?
42 //
43 // We default to false and change it to true if required in find().
44 bool UseHappensInLaterLoopIteration = false;
45 };
46
47 /// Finds uses of a variable after a move (and maintains state required by the
48 /// various internal helper functions).
49 class UseAfterMoveFinder {
50 public:
51 UseAfterMoveFinder(ASTContext *TheContext);
52
53 // Within the given code block, finds the first use of 'MovedVariable' that
54 // occurs after 'MovingCall' (the expression that performs the move). If a
55 // use-after-move is found, writes information about it to 'TheUseAfterMove'.
56 // Returns whether a use-after-move was found.
57 std::optional<UseAfterMove> find(Stmt *CodeBlock, const Expr *MovingCall,
58 const DeclRefExpr *MovedVariable);
59
60 private:
61 std::optional<UseAfterMove> findInternal(const CFGBlock *Block,
62 const Expr *MovingCall,
63 const ValueDecl *MovedVariable);
64 void getUsesAndReinits(const CFGBlock *Block, const ValueDecl *MovedVariable,
65 llvm::SmallVectorImpl<const DeclRefExpr *> *Uses,
66 llvm::SmallPtrSetImpl<const Stmt *> *Reinits);
67 void getDeclRefs(const CFGBlock *Block, const Decl *MovedVariable,
68 llvm::SmallPtrSetImpl<const DeclRefExpr *> *DeclRefs);
69 void getReinits(const CFGBlock *Block, const ValueDecl *MovedVariable,
70 llvm::SmallPtrSetImpl<const Stmt *> *Stmts,
71 llvm::SmallPtrSetImpl<const DeclRefExpr *> *DeclRefs);
72
73 ASTContext *Context;
74 std::unique_ptr<ExprSequence> Sequence;
75 std::unique_ptr<StmtToBlockMap> BlockMap;
76 llvm::SmallPtrSet<const CFGBlock *, 8> Visited;
77 };
78
79 } // namespace
80
81 // Matches nodes that are
82 // - Part of a decltype argument or class template argument (we check this by
83 // seeing if they are children of a TypeLoc), or
84 // - Part of a function template argument (we check this by seeing if they are
85 // children of a DeclRefExpr that references a function template).
86 // DeclRefExprs that fulfill these conditions should not be counted as a use or
87 // move.
88 static StatementMatcher inDecltypeOrTemplateArg() {
89 return anyOf(hasAncestor(typeLoc()),
90 hasAncestor(declRefExpr(
91 to(functionDecl(ast_matchers::isTemplateInstantiation())))),
92 hasAncestor(expr(hasUnevaluatedContext())));
93 }
94
95 UseAfterMoveFinder::UseAfterMoveFinder(ASTContext *TheContext)
96 : Context(TheContext) {}
97
98 std::optional<UseAfterMove>
99 UseAfterMoveFinder::find(Stmt *CodeBlock, const Expr *MovingCall,
100 const DeclRefExpr *MovedVariable) {
101 // Generate the CFG manually instead of through an AnalysisDeclContext because
102 // it seems the latter can't be used to generate a CFG for the body of a
103 // lambda.
104 //
105 // We include implicit and temporary destructors in the CFG so that
106 // destructors marked [[noreturn]] are handled correctly in the control flow
107 // analysis. (These are used in some styles of assertion macros.)
108 CFG::BuildOptions Options;
109 Options.AddImplicitDtors = true;
110 Options.AddTemporaryDtors = true;
111 std::unique_ptr<CFG> TheCFG =
112 CFG::buildCFG(nullptr, CodeBlock, Context, Options);
113 if (!TheCFG)
114 return std::nullopt;
115
116 Sequence = std::make_unique<ExprSequence>(TheCFG.get(), CodeBlock, Context);
117 BlockMap = std::make_unique<StmtToBlockMap>(TheCFG.get(), Context);
118 Visited.clear();
119
120 const CFGBlock *MoveBlock = BlockMap->blockContainingStmt(MovingCall);
121 if (!MoveBlock) {
122 // This can happen if MovingCall is in a constructor initializer, which is
123 // not included in the CFG because the CFG is built only from the function
124 // body.
125 MoveBlock = &TheCFG->getEntry();
126 }
127
128 auto TheUseAfterMove =
129 findInternal(MoveBlock, MovingCall, MovedVariable->getDecl());
130
131 if (TheUseAfterMove) {
132 if (const CFGBlock *UseBlock =
133 BlockMap->blockContainingStmt(TheUseAfterMove->DeclRef)) {
134 // Does the use happen in a later loop iteration than the move?
135 // - If they are in the same CFG block, we know the use happened in a
136 // later iteration if we visited that block a second time.
137 // - Otherwise, we know the use happened in a later iteration if the
138 // move is reachable from the use.
139 CFGReverseBlockReachabilityAnalysis CFA(*TheCFG);
140 TheUseAfterMove->UseHappensInLaterLoopIteration =
141 UseBlock == MoveBlock ? Visited.contains(UseBlock)
142 : CFA.isReachable(UseBlock, MoveBlock);
143 }
144 }
145 return TheUseAfterMove;
146 }
147
148 std::optional<UseAfterMove>
149 UseAfterMoveFinder::findInternal(const CFGBlock *Block, const Expr *MovingCall,
150 const ValueDecl *MovedVariable) {
151 if (Visited.count(Block))
152 return std::nullopt;
153
154 // Mark the block as visited (except if this is the block containing the
155 // std::move() and it's being visited the first time).
156 if (!MovingCall)
157 Visited.insert(Block);
158
159 // Get all uses and reinits in the block.
160 llvm::SmallVector<const DeclRefExpr *, 1> Uses;
161 llvm::SmallPtrSet<const Stmt *, 1> Reinits;
162 getUsesAndReinits(Block, MovedVariable, &Uses, &Reinits);
163
164 // Ignore all reinitializations where the move potentially comes after the
165 // reinit.
166 // If `Reinit` is identical to `MovingCall`, we're looking at a move-to-self
167 // (e.g. `a = std::move(a)`). Count these as reinitializations.
168 llvm::SmallVector<const Stmt *, 1> ReinitsToDelete;
169 for (const Stmt *Reinit : Reinits) {
170 if (MovingCall && Reinit != MovingCall &&
171 Sequence->potentiallyAfter(MovingCall, Reinit))
172 ReinitsToDelete.push_back(Reinit);
173 }
174 for (const Stmt *Reinit : ReinitsToDelete) {
175 Reinits.erase(Reinit);
176 }
177
178 // Find all uses that potentially come after the move.
179 for (const DeclRefExpr *Use : Uses) {
180 if (!MovingCall || Sequence->potentiallyAfter(Use, MovingCall)) {
181 // Does the use have a saving reinit? A reinit is saving if it definitely
182 // comes before the use, i.e. if there's no potential that the reinit is
183 // after the use.
184 bool HaveSavingReinit = false;
185 for (const Stmt *Reinit : Reinits) {
186 if (!Sequence->potentiallyAfter(Reinit, Use))
187 HaveSavingReinit = true;
188 }
189
190 if (!HaveSavingReinit) {
191 UseAfterMove TheUseAfterMove;
192 TheUseAfterMove.DeclRef = Use;
193
194 // Is this a use-after-move that depends on order of evaluation?
195 // This is the case if the move potentially comes after the use (and we
196 // already know that use potentially comes after the move, which taken
197 // together tells us that the ordering is unclear).
198 TheUseAfterMove.EvaluationOrderUndefined =
199 MovingCall != nullptr &&
200 Sequence->potentiallyAfter(MovingCall, Use);
201
202 return TheUseAfterMove;
203 }
204 }
205 }
206
207 // If the object wasn't reinitialized, call ourselves recursively on all
208 // successors.
209 if (Reinits.empty()) {
210 for (const auto &Succ : Block->succs()) {
211 if (Succ) {
212 if (auto Found = findInternal(Succ, nullptr, MovedVariable)) {
213 return Found;
214 }
215 }
216 }
217 }
218
219 return std::nullopt;
220 }
221
222 void UseAfterMoveFinder::getUsesAndReinits(
223 const CFGBlock *Block, const ValueDecl *MovedVariable,
224 llvm::SmallVectorImpl<const DeclRefExpr *> *Uses,
225 llvm::SmallPtrSetImpl<const Stmt *> *Reinits) {
226 llvm::SmallPtrSet<const DeclRefExpr *, 1> DeclRefs;
227 llvm::SmallPtrSet<const DeclRefExpr *, 1> ReinitDeclRefs;
228
229 getDeclRefs(Block, MovedVariable, &DeclRefs);
230 getReinits(Block, MovedVariable, Reinits, &ReinitDeclRefs);
231
232 // All references to the variable that aren't reinitializations are uses.
233 Uses->clear();
234 for (const DeclRefExpr *DeclRef : DeclRefs) {
235 if (!ReinitDeclRefs.count(DeclRef))
236 Uses->push_back(DeclRef);
237 }
238
239 // Sort the uses by their occurrence in the source code.
240 llvm::sort(*Uses, [](const DeclRefExpr *D1, const DeclRefExpr *D2) {
241 return D1->getExprLoc() < D2->getExprLoc();
242 });
243 }
244
245 bool isStandardSmartPointer(const ValueDecl *VD) {
246 const Type *TheType = VD->getType().getNonReferenceType().getTypePtrOrNull();
247 if (!TheType)
248 return false;
249
250 const CXXRecordDecl *RecordDecl = TheType->getAsCXXRecordDecl();
251 if (!RecordDecl)
252 return false;
253
254 const IdentifierInfo *ID = RecordDecl->getIdentifier();
255 if (!ID)
256 return false;
257
258 StringRef Name = ID->getName();
259 if (Name != "unique_ptr" && Name != "shared_ptr" && Name != "weak_ptr")
260 return false;
261
262 return RecordDecl->getDeclContext()->isStdNamespace();
263 }
264
265 void UseAfterMoveFinder::getDeclRefs(
266 const CFGBlock *Block, const Decl *MovedVariable,
267 llvm::SmallPtrSetImpl<const DeclRefExpr *> *DeclRefs) {
268 DeclRefs->clear();
269 for (const auto &Elem : *Block) {
270 std::optional<CFGStmt> S = Elem.getAs<CFGStmt>();
271 if (!S)
272 continue;
273
274 auto AddDeclRefs = [this, Block,
275 DeclRefs](const ArrayRef<BoundNodes> Matches) {
276 for (const auto &Match : Matches) {
277 const auto *DeclRef = Match.getNodeAs<DeclRefExpr>("declref");
278 const auto *Operator = Match.getNodeAs<CXXOperatorCallExpr>("operator");
279 if (DeclRef && BlockMap->blockContainingStmt(DeclRef) == Block) {
280 // Ignore uses of a standard smart pointer that don't dereference the
281 // pointer.
282 if (Operator || !isStandardSmartPointer(DeclRef->getDecl())) {
283 DeclRefs->insert(DeclRef);
284 }
285 }
286 }
287 };
288
289 auto DeclRefMatcher = declRefExpr(hasDeclaration(equalsNode(MovedVariable)),
290 unless(inDecltypeOrTemplateArg()))
291 .bind("declref");
292
293 AddDeclRefs(match(traverse(TK_AsIs, findAll(DeclRefMatcher)), *S->getStmt(),
294 *Context));
295 AddDeclRefs(match(findAll(cxxOperatorCallExpr(
296 hasAnyOverloadedOperatorName("*", "->", "[]"),
297 hasArgument(0, DeclRefMatcher))
298 .bind("operator")),
299 *S->getStmt(), *Context));
300 }
301 }
302
303 void UseAfterMoveFinder::getReinits(
304 const CFGBlock *Block, const ValueDecl *MovedVariable,
305 llvm::SmallPtrSetImpl<const Stmt *> *Stmts,
306 llvm::SmallPtrSetImpl<const DeclRefExpr *> *DeclRefs) {
307 auto DeclRefMatcher =
308 declRefExpr(hasDeclaration(equalsNode(MovedVariable))).bind("declref");
309
310 auto StandardContainerTypeMatcher = hasType(hasUnqualifiedDesugaredType(
311 recordType(hasDeclaration(cxxRecordDecl(hasAnyName(
312 "::std::basic_string", "::std::vector", "::std::deque",
313 "::std::forward_list", "::std::list", "::std::set", "::std::map",
314 "::std::multiset", "::std::multimap", "::std::unordered_set",
315 "::std::unordered_map", "::std::unordered_multiset",
316 "::std::unordered_multimap"))))));
317
318 auto StandardResettableOwnerTypeMatcher = hasType(
319 hasUnqualifiedDesugaredType(recordType(hasDeclaration(cxxRecordDecl(
320 hasAnyName("::std::unique_ptr", "::std::shared_ptr",
321 "::std::weak_ptr", "::std::optional", "::std::any"))))));
322
323 // Matches different types of reinitialization.
324 auto ReinitMatcher =
325 stmt(anyOf(
326 // Assignment. In addition to the overloaded assignment operator,
327 // test for built-in assignment as well, since template functions
328 // may be instantiated to use std::move() on built-in types.
329 binaryOperation(hasOperatorName("="), hasLHS(DeclRefMatcher)),
330 // Declaration. We treat this as a type of reinitialization too,
331 // so we don't need to treat it separately.
332 declStmt(hasDescendant(equalsNode(MovedVariable))),
333 // clear() and assign() on standard containers.
334 cxxMemberCallExpr(
335 on(expr(DeclRefMatcher, StandardContainerTypeMatcher)),
336 // To keep the matcher simple, we check for assign() calls
337 // on all standard containers, even though only vector,
338 // deque, forward_list and list have assign(). If assign()
339 // is called on any of the other containers, this will be
340 // flagged by a compile error anyway.
341 callee(cxxMethodDecl(hasAnyName("clear", "assign")))),
342 // reset() on standard smart pointers.
343 cxxMemberCallExpr(
344 on(expr(DeclRefMatcher, StandardResettableOwnerTypeMatcher)),
345 callee(cxxMethodDecl(hasName("reset")))),
346 // Methods that have the [[clang::reinitializes]] attribute.
347 cxxMemberCallExpr(
348 on(DeclRefMatcher),
349 callee(cxxMethodDecl(hasAttr(clang::attr::Reinitializes)))),
350 // Passing variable to a function as a non-const pointer.
351 callExpr(forEachArgumentWithParam(
352 unaryOperator(hasOperatorName("&"),
353 hasUnaryOperand(DeclRefMatcher)),
354 unless(parmVarDecl(hasType(pointsTo(isConstQualified())))))),
355 // Passing variable to a function as a non-const lvalue reference
356 // (unless that function is std::move()).
357 callExpr(forEachArgumentWithParam(
358 traverse(TK_AsIs, DeclRefMatcher),
359 unless(parmVarDecl(hasType(
360 references(qualType(isConstQualified())))))),
361 unless(callee(functionDecl(
362 hasAnyName("::std::move", "::std::forward")))))))
363 .bind("reinit");
364
365 Stmts->clear();
366 DeclRefs->clear();
367 for (const auto &Elem : *Block) {
368 std::optional<CFGStmt> S = Elem.getAs<CFGStmt>();
369 if (!S)
370 continue;
371
372 SmallVector<BoundNodes, 1> Matches =
373 match(findAll(ReinitMatcher), *S->getStmt(), *Context);
374
375 for (const auto &Match : Matches) {
376 const auto *TheStmt = Match.getNodeAs<Stmt>("reinit");
377 const auto *TheDeclRef = Match.getNodeAs<DeclRefExpr>("declref");
378 if (TheStmt && BlockMap->blockContainingStmt(TheStmt) == Block) {
379 Stmts->insert(TheStmt);
380
381 // We count DeclStmts as reinitializations, but they don't have a
382 // DeclRefExpr associated with them -- so we need to check 'TheDeclRef'
383 // before adding it to the set.
384 if (TheDeclRef)
385 DeclRefs->insert(TheDeclRef);
386 }
387 }
388 }
389 }
390
391 enum class MoveType {
392 Move, // std::move
393 Forward, // std::forward
394 };
395
396 static MoveType determineMoveType(const FunctionDecl *FuncDecl) {
397 if (FuncDecl->getName() == "move")
398 return MoveType::Move;
399 if (FuncDecl->getName() == "forward")
400 return MoveType::Forward;
401
402 llvm_unreachable("Invalid move type");
403 }
404
405 static void emitDiagnostic(const Expr *MovingCall, const DeclRefExpr *MoveArg,
406 const UseAfterMove &Use, ClangTidyCheck *Check,
407 ASTContext *Context, MoveType Type) {
408 const SourceLocation UseLoc = Use.DeclRef->getExprLoc();
409 const SourceLocation MoveLoc = MovingCall->getExprLoc();
410
411 const bool IsMove = (Type == MoveType::Move);
412
413 Check->diag(UseLoc, "'%0' used after it was %select{forwarded|moved}1")
414 << MoveArg->getDecl()->getName() << IsMove;
415 Check->diag(MoveLoc, "%select{forward|move}0 occurred here",
416 DiagnosticIDs::Note)
417 << IsMove;
418 if (Use.EvaluationOrderUndefined) {
419 Check->diag(
420 UseLoc,
421 "the use and %select{forward|move}0 are unsequenced, i.e. "
422 "there is no guarantee about the order in which they are evaluated",
423 DiagnosticIDs::Note)
424 << IsMove;
425 } else if (Use.UseHappensInLaterLoopIteration) {
426 Check->diag(UseLoc,
427 "the use happens in a later loop iteration than the "
428 "%select{forward|move}0",
429 DiagnosticIDs::Note)
430 << IsMove;
431 }
432 }
433
434 void UseAfterMoveCheck::registerMatchers(MatchFinder *Finder) {
435 // try_emplace is a common maybe-moving function that returns a
436 // bool to tell callers whether it moved. Ignore std::move inside
437 // try_emplace to avoid false positives as we don't track uses of
438 // the bool.
439 auto TryEmplaceMatcher =
440 cxxMemberCallExpr(callee(cxxMethodDecl(hasName("try_emplace"))));
441 auto CallMoveMatcher =
442 callExpr(argumentCountIs(1),
443 callee(functionDecl(hasAnyName("::std::move", "::std::forward"))
444 .bind("move-decl")),
445 hasArgument(0, declRefExpr().bind("arg")),
446 unless(inDecltypeOrTemplateArg()),
447 unless(hasParent(TryEmplaceMatcher)), expr().bind("call-move"),
448 anyOf(hasAncestor(compoundStmt(
449 hasParent(lambdaExpr().bind("containing-lambda")))),
450 hasAncestor(functionDecl(anyOf(
451 cxxConstructorDecl(
452 hasAnyConstructorInitializer(withInitializer(
453 expr(anyOf(equalsBoundNode("call-move"),
454 hasDescendant(expr(
455 equalsBoundNode("call-move")))))
456 .bind("containing-ctor-init"))))
457 .bind("containing-ctor"),
458 functionDecl().bind("containing-func"))))));
459
460 Finder->addMatcher(
461 traverse(
462 TK_AsIs,
463 // To find the Stmt that we assume performs the actual move, we look
464 // for the direct ancestor of the std::move() that isn't one of the
465 // node types ignored by ignoringParenImpCasts().
466 stmt(
467 forEach(expr(ignoringParenImpCasts(CallMoveMatcher))),
468 // Don't allow an InitListExpr to be the moving call. An
469 // InitListExpr has both a syntactic and a semantic form, and the
470 // parent-child relationships are different between the two. This
471 // could cause an InitListExpr to be analyzed as the moving call
472 // in addition to the Expr that we actually want, resulting in two
473 // diagnostics with different code locations for the same move.
474 unless(initListExpr()),
475 unless(expr(ignoringParenImpCasts(equalsBoundNode("call-move")))))
476 .bind("moving-call")),
477 this);
478 }
479
480 void UseAfterMoveCheck::check(const MatchFinder::MatchResult &Result) {
481 const auto *ContainingCtor =
482 Result.Nodes.getNodeAs<CXXConstructorDecl>("containing-ctor");
483 const auto *ContainingCtorInit =
484 Result.Nodes.getNodeAs<Expr>("containing-ctor-init");
485 const auto *ContainingLambda =
486 Result.Nodes.getNodeAs<LambdaExpr>("containing-lambda");
487 const auto *ContainingFunc =
488 Result.Nodes.getNodeAs<FunctionDecl>("containing-func");
489 const auto *CallMove = Result.Nodes.getNodeAs<CallExpr>("call-move");
490 const auto *MovingCall = Result.Nodes.getNodeAs<Expr>("moving-call");
491 const auto *Arg = Result.Nodes.getNodeAs<DeclRefExpr>("arg");
492 const auto *MoveDecl = Result.Nodes.getNodeAs<FunctionDecl>("move-decl");
493
494 if (!MovingCall || !MovingCall->getExprLoc().isValid())
495 MovingCall = CallMove;
496
497 // Ignore the std::move if the variable that was passed to it isn't a local
498 // variable.
499 if (!Arg->getDecl()->getDeclContext()->isFunctionOrMethod())
500 return;
501
502 // Collect all code blocks that could use the arg after move.
503 llvm::SmallVector<Stmt *> CodeBlocks{};
504 if (ContainingCtor) {
505 CodeBlocks.push_back(ContainingCtor->getBody());
506 if (ContainingCtorInit) {
507 // Collect the constructor initializer expressions.
508 bool BeforeMove{true};
509 for (CXXCtorInitializer *Init : ContainingCtor->inits()) {
510 if (BeforeMove && Init->getInit()->IgnoreImplicit() ==
511 ContainingCtorInit->IgnoreImplicit())
512 BeforeMove = false;
513 if (!BeforeMove)
514 CodeBlocks.push_back(Init->getInit());
515 }
516 }
517 } else if (ContainingLambda) {
518 CodeBlocks.push_back(ContainingLambda->getBody());
519 } else if (ContainingFunc) {
520 CodeBlocks.push_back(ContainingFunc->getBody());
521 }
522
523 for (Stmt *CodeBlock : CodeBlocks) {
524 UseAfterMoveFinder Finder(Result.Context);
525 if (auto Use = Finder.find(CodeBlock, MovingCall, Arg))
526 emitDiagnostic(MovingCall, Arg, *Use, this, Result.Context,
527 determineMoveType(MoveDecl));
528 }
529 }
530
531 } // namespace clang::tidy::bugprone
LLVM monorepo