| blob | 5b4fc24b6f0e2a557066dee417abd68d5aa3863f |
1 //===- CalledOnceCheck.cpp - Check 'called once' parameters ---------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
39 #include <memory>
40 #include <optional>
64 };
77 // Status kind is basically the main part of parameter's status.
78 // The kind represents our knowledge (so far) about a tracked parameter
79 // in the context of this analysis.
80 //
81 // Since we want to report on missing and extraneous calls, we need to
82 // track the fact whether paramater was called or not. This automatically
83 // decides two kinds: `NotCalled` and `Called`.
84 //
85 // One of the erroneous situations is the case when parameter is called only
86 // on some of the paths. We could've considered it `NotCalled`, but we want
87 // to report double call warnings even if these two calls are not guaranteed
88 // to happen in every execution. We also don't want to have it as `Called`
89 // because not calling tracked parameter on all of the paths is an error
90 // on its own. For these reasons, we need to have a separate kind,
91 // `MaybeCalled`, and change `Called` to `DefinitelyCalled` to avoid
92 // confusion.
93 //
94 // Two violations of calling parameter more than once and not calling it on
95 // every path are not, however, mutually exclusive. In situations where both
96 // violations take place, we prefer to report ONLY double call. It's always
97 // harder to pinpoint a bug that has arisen when a user neglects to take the
98 // right action (and therefore, no action is taken), than when a user takes
99 // the wrong action. And, in order to remember that we already reported
100 // a double call, we need another kind: `Reported`.
101 //
102 // Our analysis is intra-procedural and, while in the perfect world,
103 // developers only use tracked parameters to call them, in the real world,
104 // the picture might be different. Parameters can be stored in global
105 // variables or leaked into other functions that we know nothing about.
106 // We try to be lenient and trust users. Another kind `Escaped` reflects
107 // such situations. We don't know if it gets called there or not, but we
108 // should always think of `Escaped` as the best possible option.
109 //
110 // Some of the paths in the analyzed functions might end with a call
111 // to noreturn functions. Such paths are not required to have parameter
112 // calls and we want to track that. For the purposes of better diagnostics,
113 // we don't want to reuse `Escaped` and, thus, have another kind `NoReturn`.
114 //
115 // Additionally, we have `NotVisited` kind that tells us nothing about
116 // a tracked parameter, but is used for tracking analyzed (aka visited)
117 // basic blocks.
118 //
119 // If we consider `|` to be a JOIN operation of two kinds coming from
120 // two different paths, the following properties must hold:
121 //
122 // 1. for any Kind K: K | K == K
123 // Joining two identical kinds should result in the same kind.
124 //
125 // 2. for any Kind K: Reported | K == Reported
126 // Doesn't matter on which path it was reported, it still is.
127 //
128 // 3. for any Kind K: NoReturn | K == K
129 // We can totally ignore noreturn paths during merges.
130 //
131 // 4. DefinitelyCalled | NotCalled == MaybeCalled
132 // Called on one path, not called on another - that's simply
133 // a definition for MaybeCalled.
134 //
135 // 5. for any Kind K in [DefinitelyCalled, NotCalled, MaybeCalled]:
136 // Escaped | K == K
137 // Escaped mirrors other statuses after joins.
138 // Every situation, when we join any of the listed kinds K,
139 // is a violation. For this reason, in order to assume the
140 // best outcome for this escape, we consider it to be the
141 // same as the other path.
142 //
143 // 6. for any Kind K in [DefinitelyCalled, NotCalled]:
144 // MaybeCalled | K == MaybeCalled
145 // MaybeCalled should basically stay after almost every join.
147 // No-return paths should be absolutely transparent for the analysis.
148 // 0x0 is the identity element for selected join operation (binary or).
150 // Escaped marks situations when marked parameter escaped into
151 // another function (so we can assume that it was possibly called there).
153 // Parameter was definitely called once at this point.
155 // Kinds less or equal to NON_ERROR_STATUS are not considered errors.
157 // Parameter was not yet called.
159 // Parameter was not called at least on one path leading to this point,
160 // while there is also at least one path that it gets called.
162 // Parameter was not yet analyzed.
164 // We already reported a violation and stopped tracking calls for this
165 // parameter.
168 };
173 }
176 }
181 }
184 }
193 // If we have a pointer already, let's keep it.
194 // For the purposes of the analysis, it doesn't really matter
195 // which call we report.
196 //
197 // If we don't have a pointer, let's take whatever gets joined.
200 }
201 // Join kinds.
203 }
206 // We compare only kinds, pointers on their own is only additional
207 // information.
209 }
212 // It would've been a perfect place to use llvm::PointerIntPair, but
213 // unfortunately NumLowBitsAvailable for clang::Expr had been reduced to 2.
216 };
218 /// State aggregates statuses of all tracked parameters.
224 /// Return status of a parameter with the given index.
225 /// \{
229 }
230 /// \}
232 /// Return true if parameter with the given index can be called.
235 }
236 /// Return a reference that we consider a call.
237 ///
238 /// Should only be used for parameters that can be called.
241 }
242 /// Return status kind of parameter with the given index.
245 }
250 });
251 }
253 // Join other state into the current state.
259 }
260 }
273 }
277 };
279 /// A simple class that finds DeclRefExpr in the given expression.
280 ///
281 /// However, we don't want to find ANY nested DeclRefExpr skipping whatever
282 /// expressions on our way. Only certain expressions considered "no-op"
283 /// for our task are indeed skipped.
284 class DeclRefFinder
287 /// Find a DeclRefExpr in the given expression.
288 ///
289 /// In its most basic form (ShouldRetrieveFromComparisons == false),
290 /// this function can be simply reduced to the following question:
291 ///
292 /// - If expression E is used as a function argument, could we say
293 /// that DeclRefExpr nested in E is used as an argument?
294 ///
295 /// According to this rule, we can say that parens, casts and dereferencing
296 /// (dereferencing only applied to function pointers, but this is our case)
297 /// can be skipped.
298 ///
299 /// When we should look into comparisons the question changes to:
300 ///
301 /// - If expression E is used as a condition, could we say that
302 /// DeclRefExpr is being checked?
303 ///
304 /// And even though, these are two different questions, they have quite a lot
305 /// in common. Actually, we can say that whatever expression answers
306 /// positively the first question also fits the second question as well.
307 ///
308 /// In addition, we skip binary operators == and !=, and unary opeartor !.
312 }
319 // We care about logical not only if we care about comparisons.
323 // Function pointer/references can be dereferenced before a call.
324 // That doesn't make it, however, any different from a regular call.
325 // For this reason, dereference operation is a "no-op".
330 }
331 }
342 }
345 }
346 }
350 }
356 // We want to see through some of the boolean builtin functions
357 // that we are likely to see in conditions.
365 }
372 }
373 }
376 // It is a fallback method that gets called whenever the actual type
377 // of the given expression is not covered.
378 //
379 // We first check if we have anything to skip. And then repeat the whole
380 // procedure for a nested expression instead.
383 }
390 };
395 }
403 }
406 }
408 /// Return conditions expression of a statement if it has one.
412 }
416 }
419 }
422 }
424 /// A small helper class that collects all named identifiers in the given
425 /// expression. It traverses it recursively, so names from deeper levels
426 /// of the AST will end up in the results.
427 /// Results might have duplicate names, if this is a problem, convert to
428 /// string sets afterwards.
436 NamesCollector Impl;
439 }
444 }
455 }
462 }
466 }
470 NameCollection Result;
471 };
473 /// Check whether the given expression mentions any of conventional names.
479 CONVENTIONAL_CONDITIONS,
482 });
483 });
484 }
486 /// Clarification is a simple pair of a reason why parameter is not called
487 /// on every path and a statement to blame.
489 NeverCalledReason Reason;
491 };
493 /// A helper class that can produce a clarification based on the given pair
494 /// of basic blocks.
495 class NotCalledClarifier
499 /// The main entrypoint for the class, the function that tries to find the
500 /// clarification of how to explain which sub-path starts with a CFG edge
501 /// from Conditional to SuccWithoutCall.
502 ///
503 /// This means that this function has one precondition:
504 /// SuccWithoutCall should be a successor block for Conditional.
505 ///
506 /// Because clarification is not needed for non-trivial pairs of blocks
507 /// (i.e. SuccWithoutCall is not the only successor), it returns meaningful
508 /// results only for such cases. For this very reason, the parent basic
509 /// block, Conditional, is named that way, so it is clear what kind of
510 /// block is expected.
515 }
517 }
521 }
526 }
531 // If interesting basic block is not labeled, it means that this
532 // basic block does not represent any of the cases.
534 }
540 }
541 }
544 }
548 }
552 }
559 NeverCalledReason ActualReason =
562 }
565 // We don't want to report on short-curcuit logical operations.
567 }
570 // If we got here, we didn't have a visit function for more derived
571 // classes of statement that this terminator actually belongs to.
572 //
573 // This is not a good scenario and should not happen in practice, but
574 // at least we'll warn the user.
576 }
584 }
586 static NeverCalledReason
595 }
602 };
609 }
620 }
622 //===----------------------------------------------------------------------===//
623 // Initializing functions
624 //===----------------------------------------------------------------------===//
636 }
638 // Have something to track, let's init states for every block from the CFG.
640 States =
642 }
643 }
648 // Parameter DeclContext is its owning function or method.
652 }
653 }
654 }
655 }
662 }
663 }
664 }
666 //===----------------------------------------------------------------------===//
667 // Main logic 'check' functions
668 //===----------------------------------------------------------------------===//
671 // Nothing to check here: we don't have marked parameters.
679 // For our task, both backward and forward approaches suite well.
680 // However, in order to report better diagnostics, we decided to go with
681 // backward analysis.
682 //
683 // Let's consider the following CFG and how forward and backward analyses
684 // will work for it.
685 //
686 // FORWARD: | BACKWARD:
687 // #1 | #1
688 // +---------+ | +-----------+
689 // | if | | |MaybeCalled|
690 // +---------+ | +-----------+
691 // |NotCalled| | | if |
692 // +---------+ | +-----------+
693 // / \ | / \
694 // #2 / \ #3 | #2 / \ #3
695 // +----------------+ +---------+ | +----------------+ +---------+
696 // | foo() | | ... | | |DefinitelyCalled| |NotCalled|
697 // +----------------+ +---------+ | +----------------+ +---------+
698 // |DefinitelyCalled| |NotCalled| | | foo() | | ... |
699 // +----------------+ +---------+ | +----------------+ +---------+
700 // \ / | \ /
701 // \ #4 / | \ #4 /
702 // +-----------+ | +---------+
703 // | ... | | |NotCalled|
704 // +-----------+ | +---------+
705 // |MaybeCalled| | | ... |
706 // +-----------+ | +---------+
707 //
708 // The most natural way to report lacking call in the block #3 would be to
709 // message that the false branch of the if statement in the block #1 doesn't
710 // have a call. And while with the forward approach we'll need to find a
711 // least common ancestor or something like that to find the 'if' to blame,
712 // backward analysis gives it to us out of the box.
715 // Let's visit EXIT.
726 // Traverse successor basic blocks if the status of this block
727 // has changed.
730 }
731 }
733 // Check that we have all tracked parameters at the last block.
734 // As we are performing a backward version of the analysis,
735 // it should be the ENTRY block.
737 }
740 // We start with a state 'inherited' from all the successors.
745 // This is the 'exit' situation, broken promises are probably OK
746 // in such scenarios.
749 // This block still can have calls (even multiple calls) and
750 // for this reason there is no early return here.
751 }
753 // We use a backward dataflow propagation and for this reason we
754 // should traverse basic blocks bottom-up.
758 }
759 }
760 }
764 // We finalize this algorithm with the ENTRY block because
765 // we use a backward version of the analysis. This is where
766 // we can judge that some of the tracked parameters are not called on
767 // every path from ENTRY to EXIT.
773 // Check if there are no calls of the marked parameter at all
779 // If there were places where this parameter escapes (aka being used),
780 // we can provide a more useful diagnostic by pointing at the exact
781 // branches where it is not even mentioned.
783 // This parameter is was not used at all, so we should report the
784 // most generic version of the warning.
786 // We want to specify that it was captured by the block.
792 }
794 // Mark it as 'interesting' to figure out which paths don't even
795 // have escapes.
797 }
801 // If we have 'maybe called' at this point, we have an error
802 // that there is at least one path where this parameter
803 // is not called.
804 //
805 // However, reporting the warning with only that information can be
806 // too vague for the users. For this reason, we mark such parameters
807 // as "interesting" for further analysis.
812 }
813 }
815 // Early exit if we don't have parameters for extra analysis...
817 // ... or if we've seen variables with cleanup functions.
818 // We can't reason that we've seen every path in this case,
819 // and thus abandon reporting any warnings that imply that.
823 // We are looking for a pair of blocks A, B so that the following is true:
824 // * A is a predecessor of B
825 // * B is marked as NotCalled
826 // * A has at least one successor marked as either
827 // Escaped or DefinitelyCalled
828 //
829 // In that situation, it is guaranteed that B is the first block of the path
830 // where the user doesn't call or use parameter in question.
831 //
832 // For this reason, branch A -> B can be used for reporting.
833 //
834 // This part of the algorithm is guarded by a condition that the function
835 // does indeed have a violation of contract. For this reason, we can
836 // spend more time to find a good spot to place the warning.
837 //
838 // The following algorithm has the worst case complexity of O(V + E),
839 // where V is the number of basic blocks in FunctionCFG,
840 // E is the number of edges between blocks in FunctionCFG.
848 // We don't want to use 'isLosingCall' here because we want to report
849 // the following situation as well:
850 //
851 // MaybeCalled
852 // | ... |
853 // MaybeCalled NotCalled
854 //
855 // Even though successor is not 'DefinitelyCalled', it is still useful
856 // to report it, it is still a path without a call.
865 }
866 }
867 }
868 }
870 /// Check potential call of a tracked parameter.
874 }
875 }
877 /// Check the call expression for being an indirect call of one of the tracked
878 /// parameters. It is indirect in the sense that this particular call is not
879 /// calling the parameter itself, but rather uses it as the argument.
882 // CallExpr::arguments does not interact nicely with llvm::enumerate.
886 // Let's check if any of the call arguments is a point of interest.
890 // If the corresponding parameter is marked as 'called_once' we should
891 // consider it as a call.
894 // Otherwise, we mark this parameter as escaped, which can be
895 // interpreted both as called or not called depending on the context.
897 }
898 // Otherwise, let's keep the state as it is.
899 }
900 }
901 }
903 /// Process call of the parameter with the given index
909 // At this point, this parameter was called, so this is a second call.
914 // We are sure that the second call is definitely
915 // going to happen if the status is 'DefinitelyCalled'.
918 // Mark this parameter as already reported on, so we don't repeat
919 // warnings.
923 // If we didn't report anything yet, let's mark this parameter
924 // as called.
927 }
928 }
930 /// Process escape of the parameter with the given index
934 // Escape overrides whatever error we think happened.
937 }
938 }
954 }
955 }
956 }
957 }
959 //===----------------------------------------------------------------------===//
960 // Predicate functions to check parameters
961 //===----------------------------------------------------------------------===//
963 /// Return true if parameter is explicitly marked as 'called_once'.
966 }
968 /// Return true if the given name matches conventional pattens.
971 }
973 /// Return true if the given name has conventional suffixes.
977 });
978 }
980 /// Return true if the given type can be used for conventional parameters.
984 }
987 // Completion handlers should have a block type with void return type.
989 }
991 /// Return true if the only parameter of the function is conventional.
996 }
998 /// Return true/false if 'swift_async' attribute states that the given
999 /// parameter is conventionally called once.
1000 /// Return std::nullopt if the given declaration doesn't have 'swift_async'
1001 /// attribute.
1007 }
1010 }
1012 }
1014 /// Return true if the specified selector represents init method.
1017 }
1019 /// Return true if the specified selector piece matches conventions.
1022 QualType PieceType) {
1025 }
1030 }
1034 }
1042 }
1049 }
1052 }
1054 }
1058 }
1064 }
1065 // 'swift_async' goes first and overrides anything else.
1069 }
1074 }
1081 }
1083 // 'swift_async' goes first and overrides anything else.
1086 }
1093 }
1098 }
1105 }
1107 //===----------------------------------------------------------------------===//
1108 // Utility methods
1109 //===----------------------------------------------------------------------===//
1114 }
1116 }
1118 // Return a call site where the block is called exactly once or null otherwise
1122 // We don't want to track the block through assignments and so on, instead
1123 // we simply see how the block used and if it's used directly in a call,
1124 // we decide based on call to what it is.
1125 //
1126 // In order to do this, we go up the parents of the block looking for
1127 // a call or a message expressions. These might not be immediate parents
1128 // of the actual block expression due to casts and parens, so we skip them.
1131 // Skip no-op (for our case) operations.
1135 // At this point, Prev represents our block as an immediate child of the
1136 // call.
1138 // It might be the call of the Block itself...
1142 // ...or it can be an indirect call of the block.
1144 }
1148 }
1151 }
1154 }
1159 // CallExpr::arguments does not interact nicely with llvm::enumerate.
1166 }
1167 }
1170 }
1177 }
1181 // At the moment, we don't have any Obj-C methods we want to specifically
1182 // check in here.
1184 }
1188 // There is a list of important API functions that while not following
1189 // conventions nor being directly annotated, still guarantee that the
1190 // callback parameter will be called exactly once.
1191 //
1192 // Here we check if this is the case.
1200 });
1201 }
1203 /// Return true if the analyzed function is actually a default implementation
1204 /// of the method that has to be overriden.
1205 ///
1206 /// These functions can have tracked parameters, but wouldn't call them
1207 /// because they are not designed to perform any meaningful actions.
1208 ///
1209 /// There are a couple of flavors of such default implementations:
1210 /// 1. Empty methods or methods with a single return statement
1211 /// 2. Methods that have one block with a call to no return function
1212 /// 3. Methods with only assertion-like operations
1215 // We care only about functions that are not supposed to be called.
1216 // Only methods can be overriden.
1218 }
1220 // Case #1 (without return statements)
1222 // Method has only two blocks: ENTRY and EXIT.
1223 // This is equivalent to empty function.
1225 }
1227 // Case #2
1232 }
1235 // Method has only one block, let's see if it has a no-return
1236 // element.
1239 }
1240 // Fallthrough, CFGs with only one block can fall into #1 and #3 as well.
1241 }
1243 // Cases #1 (return statements) and #3.
1244 //
1245 // It is hard to detect that something is an assertion or came
1246 // from assertion. Here we use a simple heuristic:
1247 //
1248 // - If it came from a macro, it can be an assertion.
1249 //
1250 // Additionally, we can't assume a number of basic blocks or the CFG's
1251 // structure because assertions might include loops and conditions.
1254 // Unreachable blocks are totally fine.
1256 }
1258 // Return statements can have sub-expressions that are represented as
1259 // separate statements of a basic block. We should allow this.
1260 // This parent map will be initialized with a parent tree for all
1261 // subexpressions of the block's return statement (if it has one).
1266 // have any, i.e. from the bottom of the block
1272 // Let's initialize this structure to test whether
1273 // some further statement is a part of this return.
1276 // Return statements are allowed as part of #1.
1278 }
1283 }
1285 });
1286 });
1287 }
1289 /// Check if parameter with the given index has ever escaped.
1293 });
1294 }
1296 /// Return status stored for the given basic block.
1297 /// \{
1301 }
1305 }
1306 /// \}
1308 /// Assign status to the given basic block.
1309 ///
1310 /// Returns true when the stored status changed.
1315 }
1319 }
1321 /// Join all incoming statuses for the given basic block.
1326 });
1327 // We came to this block from somewhere after all.
1335 }
1339 }
1342 }
1349 }
1350 }
1354 // In this function, we try to deal with the following pattern:
1355 //
1356 // if (parameter)
1357 // parameter(...);
1358 //
1359 // It's not good to show a warning here because clearly 'parameter'
1360 // couldn't and shouldn't be called on the 'else' path.
1361 //
1362 // Let's check if this if statement has a check involving one of
1363 // the tracked parameters.
1365 Condition,
1370 // We don't want to deep dive into semantics of the check and
1371 // figure out if that check was for null or something else.
1372 // We simply trust the user that they know what they are doing.
1373 //
1374 // For this reason, in the following loop we look for the
1375 // best-looking option.
1385 }
1387 // Let's use this status instead.
1391 // This is the best option to have and we already found it.
1393 }
1395 // If we found 'Escaped' first, we still might find 'DefinitelyCalled'
1396 // on the other branch. And we prefer the latter.
1397 }
1398 }
1399 }
1400 }
1404 // Even when the analysis is technically correct, it is a widespread pattern
1405 // not to call completion handlers in some scenarios. These usually have
1406 // typical conditional names, such as 'error' or 'cancel'.
1409 }
1413 // Conventions do not apply to explicitly marked parameters.
1416 }
1419 // If we did find that on one of the branches the user uses the callback
1420 // and doesn't on the other path, we believe that they know what they are
1421 // doing and trust them.
1422 //
1423 // There are two possible scenarios for that:
1424 // 1. Current status is 'MaybeCalled' and one of the branches is
1425 // 'DefinitelyCalled'
1426 // 2. Current status is 'NotCalled' and one of the branches is 'Escaped'
1430 }
1431 }
1432 }
1436 // Let's check if the block represents DefinitelyCalled -> MaybeCalled
1437 // transition.
1441 }
1445 // Let's check if the block represents Escaped -> NotCalled transition.
1448 }
1455 "It's not a losing join if statuses do not represent "
1463 }
1465 /// Return true if any of the successors of the given basic block has
1466 /// a specified status for the given parameter.
1472 });
1473 }
1475 /// Check given expression that was discovered to escape.
1479 }
1480 }
1482 /// Check given parameter that was discovered to escape.
1486 }
1487 }
1489 /// Mark all parameters in the current state as 'no-return'.
1493 }
1494 }
1496 /// Check if the given assignment represents suppression and act on it.
1498 // Suppression has the following form:
1499 // parameter = 0;
1500 // 0 can be of any form (NULL, nil, etc.)
1503 // We don't care what is written in the RHS, it could be whatever
1504 // we can interpret as 0.
1512 // Even though this suppression mechanism is introduced to tackle
1513 // false positives for multiple calls, the fact that the user has
1514 // to use suppression can also tell us that we couldn't figure out
1515 // how different paths cancel each other out. And if that is true,
1516 // we will most certainly have false positives about parameters not
1517 // being called on certain paths.
1518 //
1519 // For this reason, we abandon tracking this parameter altogether.
1521 }
1522 }
1523 }
1524 }
1527 //===----------------------------------------------------------------------===//
1528 // Tree traversal methods
1529 //===----------------------------------------------------------------------===//
1532 // This call might be a direct call, i.e. a parameter call...
1534 // ... or an indirect call, i.e. when parameter is an argument.
1536 }
1539 // The most common situation that we are defending against here is
1540 // copying a tracked parameter.
1543 }
1544 // Message expressions unlike calls, could not be direct.
1546 }
1549 // Block expressions are tricky. It is a very common practice to capture
1550 // completion handlers by blocks and use them there.
1551 // For this reason, it is important to analyze blocks and report warnings
1552 // for completion handler misuse in blocks.
1553 //
1554 // However, it can be quite difficult to track how the block itself is being
1555 // used. The full precise anlysis of that will be similar to alias analysis
1556 // for completion handlers and can be too heavyweight for a compile-time
1557 // diagnostic. Instead, we judge about the immediate use of the block.
1558 //
1559 // Here, we try to find a call expression where we know due to conventions,
1560 // annotations, or other reasons that the block is called once and only
1561 // once.
1564 // We need to report this information to the handler because in the
1565 // situation when we know that the block is called exactly once, we can be
1566 // stricter in terms of reported diagnostics.
1571 }
1577 // The call site of a block can be considered a call site of the
1578 // captured parameter we track.
1581 // We still should consider this block as an escape for parameter,
1582 // if we don't know about its call site or the number of time it
1583 // can be invoked.
1585 }
1586 }
1587 }
1588 }
1589 }
1593 // Let's check if one of the tracked parameters is assigned into
1594 // something, and if it is we don't want to track extra variables, so we
1595 // consider it as an escapee.
1598 // Let's check whether this assignment is a suppression.
1600 }
1601 }
1604 // Variable initialization is not assignment and should be handled
1605 // separately.
1606 //
1607 // Multiple declarations can be a part of declaration statement.
1612 }
1616 }
1617 }
1618 }
1619 }
1622 // We consider '(void)parameter' as a manual no-op escape.
1623 // It should be used to explicitly tell the analysis that this parameter
1624 // is intentionally not called on this path.
1627 }
1628 }
1631 // It is OK not to call marked parameters on exceptional paths.
1633 }
1640 }
1645 }
1648 }
1651 // Expected number of parameters that we actually track is 1.
1652 //
1653 // Also, the maximum number of declared parameters could not be on a scale
1654 // of hundreds of thousands.
1655 //
1656 // In this setting, linear search seems reasonable and even performs better
1657 // than bisection.
1663 }
1666 }
1671 }
1677 // As of now, we turn this behavior off. So, we still are going to report
1678 // missing calls on paths that look like it was intentional.
1679 // Technically such reports are true positives, but they can make some users
1680 // grumpy because of the sheer number of warnings.
1681 // It can be turned back on if we decide that we want to have the other way
1682 // around.
1685 // The user can annotate variable declarations with cleanup functions, which
1686 // essentially imposes a custom destructor logic on that variable.
1687 // It is possible to use it, however, to call tracked parameters on all exits
1688 // from the function. For this reason, we track the fact that the function
1689 // actually has these.
1692 State CurrentState;
1695 };
1704 }