clang-tools  14.0.0git
UseAfterMoveCheck.cpp
Go to the documentation of this file.
1 //===--- UseAfterMoveCheck.cpp - clang-tidy -------------------------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 
9 #include "UseAfterMoveCheck.h"
10 
11 #include "clang/AST/Expr.h"
12 #include "clang/AST/ExprCXX.h"
13 #include "clang/AST/ExprConcepts.h"
14 #include "clang/ASTMatchers/ASTMatchers.h"
15 #include "clang/Analysis/CFG.h"
16 #include "clang/Lex/Lexer.h"
17 
18 #include "../utils/ExprSequence.h"
19 
20 using namespace clang::ast_matchers;
21 using namespace clang::tidy::utils;
22 
23 
24 namespace clang {
25 namespace tidy {
26 namespace bugprone {
27 
28 namespace {
29 
30 AST_MATCHER(Expr, hasUnevaluatedContext) {
31  if (isa<CXXNoexceptExpr>(Node) || isa<RequiresExpr>(Node))
32  return true;
33  if (const auto *UnaryExpr = dyn_cast<UnaryExprOrTypeTraitExpr>(&Node)) {
34  switch (UnaryExpr->getKind()) {
35  case UETT_SizeOf:
36  case UETT_AlignOf:
37  return true;
38  default:
39  return false;
40  }
41  }
42  if (const auto *TypeIDExpr = dyn_cast<CXXTypeidExpr>(&Node))
43  return !TypeIDExpr->isPotentiallyEvaluated();
44  return false;
45 }
46 
47 /// Contains information about a use-after-move.
48 struct UseAfterMove {
49  // The DeclRefExpr that constituted the use of the object.
50  const DeclRefExpr *DeclRef;
51 
52  // Is the order in which the move and the use are evaluated undefined?
53  bool EvaluationOrderUndefined;
54 };
55 
56 /// Finds uses of a variable after a move (and maintains state required by the
57 /// various internal helper functions).
58 class UseAfterMoveFinder {
59 public:
60  UseAfterMoveFinder(ASTContext *TheContext);
61 
62  // Within the given function body, finds the first use of 'MovedVariable' that
63  // occurs after 'MovingCall' (the expression that performs the move). If a
64  // use-after-move is found, writes information about it to 'TheUseAfterMove'.
65  // Returns whether a use-after-move was found.
66  bool find(Stmt *FunctionBody, const Expr *MovingCall,
67  const ValueDecl *MovedVariable, UseAfterMove *TheUseAfterMove);
68 
69 private:
70  bool findInternal(const CFGBlock *Block, const Expr *MovingCall,
71  const ValueDecl *MovedVariable,
72  UseAfterMove *TheUseAfterMove);
73  void getUsesAndReinits(const CFGBlock *Block, const ValueDecl *MovedVariable,
74  llvm::SmallVectorImpl<const DeclRefExpr *> *Uses,
75  llvm::SmallPtrSetImpl<const Stmt *> *Reinits);
76  void getDeclRefs(const CFGBlock *Block, const Decl *MovedVariable,
77  llvm::SmallPtrSetImpl<const DeclRefExpr *> *DeclRefs);
78  void getReinits(const CFGBlock *Block, const ValueDecl *MovedVariable,
79  llvm::SmallPtrSetImpl<const Stmt *> *Stmts,
80  llvm::SmallPtrSetImpl<const DeclRefExpr *> *DeclRefs);
81 
82  ASTContext *Context;
83  std::unique_ptr<ExprSequence> Sequence;
84  std::unique_ptr<StmtToBlockMap> BlockMap;
85  llvm::SmallPtrSet<const CFGBlock *, 8> Visited;
86 };
87 
88 } // namespace
89 
90 
91 // Matches nodes that are
92 // - Part of a decltype argument or class template argument (we check this by
93 // seeing if they are children of a TypeLoc), or
94 // - Part of a function template argument (we check this by seeing if they are
95 // children of a DeclRefExpr that references a function template).
96 // DeclRefExprs that fulfill these conditions should not be counted as a use or
97 // move.
98 static StatementMatcher inDecltypeOrTemplateArg() {
99  return anyOf(hasAncestor(typeLoc()),
100  hasAncestor(declRefExpr(
101  to(functionDecl(ast_matchers::isTemplateInstantiation())))),
102  hasAncestor(expr(hasUnevaluatedContext())));
103 }
104 
105 UseAfterMoveFinder::UseAfterMoveFinder(ASTContext *TheContext)
106  : Context(TheContext) {}
107 
108 bool UseAfterMoveFinder::find(Stmt *FunctionBody, const Expr *MovingCall,
109  const ValueDecl *MovedVariable,
110  UseAfterMove *TheUseAfterMove) {
111  // Generate the CFG manually instead of through an AnalysisDeclContext because
112  // it seems the latter can't be used to generate a CFG for the body of a
113  // lambda.
114  //
115  // We include implicit and temporary destructors in the CFG so that
116  // destructors marked [[noreturn]] are handled correctly in the control flow
117  // analysis. (These are used in some styles of assertion macros.)
118  CFG::BuildOptions Options;
119  Options.AddImplicitDtors = true;
120  Options.AddTemporaryDtors = true;
121  std::unique_ptr<CFG> TheCFG =
122  CFG::buildCFG(nullptr, FunctionBody, Context, Options);
123  if (!TheCFG)
124  return false;
125 
126  Sequence =
127  std::make_unique<ExprSequence>(TheCFG.get(), FunctionBody, Context);
128  BlockMap = std::make_unique<StmtToBlockMap>(TheCFG.get(), Context);
129  Visited.clear();
130 
131  const CFGBlock *Block = BlockMap->blockContainingStmt(MovingCall);
132  if (!Block) {
133  // This can happen if MovingCall is in a constructor initializer, which is
134  // not included in the CFG because the CFG is built only from the function
135  // body.
136  Block = &TheCFG->getEntry();
137  }
138 
139  return findInternal(Block, MovingCall, MovedVariable, TheUseAfterMove);
140 }
141 
142 bool UseAfterMoveFinder::findInternal(const CFGBlock *Block,
143  const Expr *MovingCall,
144  const ValueDecl *MovedVariable,
145  UseAfterMove *TheUseAfterMove) {
146  if (Visited.count(Block))
147  return false;
148 
149  // Mark the block as visited (except if this is the block containing the
150  // std::move() and it's being visited the first time).
151  if (!MovingCall)
152  Visited.insert(Block);
153 
154  // Get all uses and reinits in the block.
155  llvm::SmallVector<const DeclRefExpr *, 1> Uses;
156  llvm::SmallPtrSet<const Stmt *, 1> Reinits;
157  getUsesAndReinits(Block, MovedVariable, &Uses, &Reinits);
158 
159  // Ignore all reinitializations where the move potentially comes after the
160  // reinit.
161  llvm::SmallVector<const Stmt *, 1> ReinitsToDelete;
162  for (const Stmt *Reinit : Reinits) {
163  if (MovingCall && Sequence->potentiallyAfter(MovingCall, Reinit))
164  ReinitsToDelete.push_back(Reinit);
165  }
166  for (const Stmt *Reinit : ReinitsToDelete) {
167  Reinits.erase(Reinit);
168  }
169 
170  // Find all uses that potentially come after the move.
171  for (const DeclRefExpr *Use : Uses) {
172  if (!MovingCall || Sequence->potentiallyAfter(Use, MovingCall)) {
173  // Does the use have a saving reinit? A reinit is saving if it definitely
174  // comes before the use, i.e. if there's no potential that the reinit is
175  // after the use.
176  bool HaveSavingReinit = false;
177  for (const Stmt *Reinit : Reinits) {
178  if (!Sequence->potentiallyAfter(Reinit, Use))
179  HaveSavingReinit = true;
180  }
181 
182  if (!HaveSavingReinit) {
183  TheUseAfterMove->DeclRef = Use;
184 
185  // Is this a use-after-move that depends on order of evaluation?
186  // This is the case if the move potentially comes after the use (and we
187  // already know that use potentially comes after the move, which taken
188  // together tells us that the ordering is unclear).
189  TheUseAfterMove->EvaluationOrderUndefined =
190  MovingCall != nullptr &&
191  Sequence->potentiallyAfter(MovingCall, Use);
192 
193  return true;
194  }
195  }
196  }
197 
198  // If the object wasn't reinitialized, call ourselves recursively on all
199  // successors.
200  if (Reinits.empty()) {
201  for (const auto &Succ : Block->succs()) {
202  if (Succ && findInternal(Succ, nullptr, MovedVariable, TheUseAfterMove))
203  return true;
204  }
205  }
206 
207  return false;
208 }
209 
210 void UseAfterMoveFinder::getUsesAndReinits(
211  const CFGBlock *Block, const ValueDecl *MovedVariable,
212  llvm::SmallVectorImpl<const DeclRefExpr *> *Uses,
213  llvm::SmallPtrSetImpl<const Stmt *> *Reinits) {
214  llvm::SmallPtrSet<const DeclRefExpr *, 1> DeclRefs;
215  llvm::SmallPtrSet<const DeclRefExpr *, 1> ReinitDeclRefs;
216 
217  getDeclRefs(Block, MovedVariable, &DeclRefs);
218  getReinits(Block, MovedVariable, Reinits, &ReinitDeclRefs);
219 
220  // All references to the variable that aren't reinitializations are uses.
221  Uses->clear();
222  for (const DeclRefExpr *DeclRef : DeclRefs) {
223  if (!ReinitDeclRefs.count(DeclRef))
224  Uses->push_back(DeclRef);
225  }
226 
227  // Sort the uses by their occurrence in the source code.
228  std::sort(Uses->begin(), Uses->end(),
229  [](const DeclRefExpr *D1, const DeclRefExpr *D2) {
230  return D1->getExprLoc() < D2->getExprLoc();
231  });
232 }
233 
234 bool isStandardSmartPointer(const ValueDecl *VD) {
235  const Type *TheType = VD->getType().getNonReferenceType().getTypePtrOrNull();
236  if (!TheType)
237  return false;
238 
239  const CXXRecordDecl *RecordDecl = TheType->getAsCXXRecordDecl();
240  if (!RecordDecl)
241  return false;
242 
243  const IdentifierInfo *ID = RecordDecl->getIdentifier();
244  if (!ID)
245  return false;
246 
247  StringRef Name = ID->getName();
248  if (Name != "unique_ptr" && Name != "shared_ptr" && Name != "weak_ptr")
249  return false;
250 
251  return RecordDecl->getDeclContext()->isStdNamespace();
252 }
253 
254 void UseAfterMoveFinder::getDeclRefs(
255  const CFGBlock *Block, const Decl *MovedVariable,
256  llvm::SmallPtrSetImpl<const DeclRefExpr *> *DeclRefs) {
257  DeclRefs->clear();
258  for (const auto &Elem : *Block) {
259  Optional<CFGStmt> S = Elem.getAs<CFGStmt>();
260  if (!S)
261  continue;
262 
263  auto AddDeclRefs = [this, Block,
264  DeclRefs](const ArrayRef<BoundNodes> Matches) {
265  for (const auto &Match : Matches) {
266  const auto *DeclRef = Match.getNodeAs<DeclRefExpr>("declref");
267  const auto *Operator = Match.getNodeAs<CXXOperatorCallExpr>("operator");
268  if (DeclRef && BlockMap->blockContainingStmt(DeclRef) == Block) {
269  // Ignore uses of a standard smart pointer that don't dereference the
270  // pointer.
271  if (Operator || !isStandardSmartPointer(DeclRef->getDecl())) {
272  DeclRefs->insert(DeclRef);
273  }
274  }
275  }
276  };
277 
278  auto DeclRefMatcher = declRefExpr(hasDeclaration(equalsNode(MovedVariable)),
279  unless(inDecltypeOrTemplateArg()))
280  .bind("declref");
281 
282  AddDeclRefs(match(traverse(TK_AsIs, findAll(DeclRefMatcher)), *S->getStmt(),
283  *Context));
284  AddDeclRefs(match(findAll(cxxOperatorCallExpr(
285  hasAnyOverloadedOperatorName("*", "->", "[]"),
286  hasArgument(0, DeclRefMatcher))
287  .bind("operator")),
288  *S->getStmt(), *Context));
289  }
290 }
291 
292 void UseAfterMoveFinder::getReinits(
293  const CFGBlock *Block, const ValueDecl *MovedVariable,
294  llvm::SmallPtrSetImpl<const Stmt *> *Stmts,
295  llvm::SmallPtrSetImpl<const DeclRefExpr *> *DeclRefs) {
296  auto DeclRefMatcher =
297  declRefExpr(hasDeclaration(equalsNode(MovedVariable))).bind("declref");
298 
299  auto StandardContainerTypeMatcher = hasType(hasUnqualifiedDesugaredType(
300  recordType(hasDeclaration(cxxRecordDecl(hasAnyName(
301  "::std::basic_string", "::std::vector", "::std::deque",
302  "::std::forward_list", "::std::list", "::std::set", "::std::map",
303  "::std::multiset", "::std::multimap", "::std::unordered_set",
304  "::std::unordered_map", "::std::unordered_multiset",
305  "::std::unordered_multimap"))))));
306 
307  auto StandardSmartPointerTypeMatcher = hasType(hasUnqualifiedDesugaredType(
308  recordType(hasDeclaration(cxxRecordDecl(hasAnyName(
309  "::std::unique_ptr", "::std::shared_ptr", "::std::weak_ptr"))))));
310 
311  // Matches different types of reinitialization.
312  auto ReinitMatcher =
313  stmt(anyOf(
314  // Assignment. In addition to the overloaded assignment operator,
315  // test for built-in assignment as well, since template functions
316  // may be instantiated to use std::move() on built-in types.
317  binaryOperation(hasOperatorName("="), hasLHS(DeclRefMatcher)),
318  // Declaration. We treat this as a type of reinitialization too,
319  // so we don't need to treat it separately.
320  declStmt(hasDescendant(equalsNode(MovedVariable))),
321  // clear() and assign() on standard containers.
322  cxxMemberCallExpr(
323  on(expr(DeclRefMatcher, StandardContainerTypeMatcher)),
324  // To keep the matcher simple, we check for assign() calls
325  // on all standard containers, even though only vector,
326  // deque, forward_list and list have assign(). If assign()
327  // is called on any of the other containers, this will be
328  // flagged by a compile error anyway.
329  callee(cxxMethodDecl(hasAnyName("clear", "assign")))),
330  // reset() on standard smart pointers.
331  cxxMemberCallExpr(
332  on(expr(DeclRefMatcher, StandardSmartPointerTypeMatcher)),
333  callee(cxxMethodDecl(hasName("reset")))),
334  // Methods that have the [[clang::reinitializes]] attribute.
335  cxxMemberCallExpr(
336  on(DeclRefMatcher),
337  callee(cxxMethodDecl(hasAttr(clang::attr::Reinitializes)))),
338  // Passing variable to a function as a non-const pointer.
339  callExpr(forEachArgumentWithParam(
340  unaryOperator(hasOperatorName("&"),
341  hasUnaryOperand(DeclRefMatcher)),
342  unless(parmVarDecl(hasType(pointsTo(isConstQualified())))))),
343  // Passing variable to a function as a non-const lvalue reference
344  // (unless that function is std::move()).
345  callExpr(forEachArgumentWithParam(
346  traverse(TK_AsIs, DeclRefMatcher),
347  unless(parmVarDecl(hasType(
348  references(qualType(isConstQualified())))))),
349  unless(callee(functionDecl(hasName("::std::move")))))))
350  .bind("reinit");
351 
352  Stmts->clear();
353  DeclRefs->clear();
354  for (const auto &Elem : *Block) {
355  Optional<CFGStmt> S = Elem.getAs<CFGStmt>();
356  if (!S)
357  continue;
358 
359  SmallVector<BoundNodes, 1> Matches =
360  match(findAll(ReinitMatcher), *S->getStmt(), *Context);
361 
362  for (const auto &Match : Matches) {
363  const auto *TheStmt = Match.getNodeAs<Stmt>("reinit");
364  const auto *TheDeclRef = Match.getNodeAs<DeclRefExpr>("declref");
365  if (TheStmt && BlockMap->blockContainingStmt(TheStmt) == Block) {
366  Stmts->insert(TheStmt);
367 
368  // We count DeclStmts as reinitializations, but they don't have a
369  // DeclRefExpr associated with them -- so we need to check 'TheDeclRef'
370  // before adding it to the set.
371  if (TheDeclRef)
372  DeclRefs->insert(TheDeclRef);
373  }
374  }
375  }
376 }
377 
378 static void emitDiagnostic(const Expr *MovingCall, const DeclRefExpr *MoveArg,
379  const UseAfterMove &Use, ClangTidyCheck *Check,
380  ASTContext *Context) {
381  SourceLocation UseLoc = Use.DeclRef->getExprLoc();
382  SourceLocation MoveLoc = MovingCall->getExprLoc();
383 
384  Check->diag(UseLoc, "'%0' used after it was moved")
385  << MoveArg->getDecl()->getName();
386  Check->diag(MoveLoc, "move occurred here", DiagnosticIDs::Note);
387  if (Use.EvaluationOrderUndefined) {
388  Check->diag(UseLoc,
389  "the use and move are unsequenced, i.e. there is no guarantee "
390  "about the order in which they are evaluated",
391  DiagnosticIDs::Note);
392  } else if (UseLoc < MoveLoc || Use.DeclRef == MoveArg) {
393  Check->diag(UseLoc,
394  "the use happens in a later loop iteration than the move",
395  DiagnosticIDs::Note);
396  }
397 }
398 
399 void UseAfterMoveCheck::registerMatchers(MatchFinder *Finder) {
400  auto CallMoveMatcher =
401  callExpr(callee(functionDecl(hasName("::std::move"))), argumentCountIs(1),
402  hasArgument(0, declRefExpr().bind("arg")),
403  anyOf(hasAncestor(lambdaExpr().bind("containing-lambda")),
404  hasAncestor(functionDecl().bind("containing-func"))),
405  unless(inDecltypeOrTemplateArg()),
406  // try_emplace is a common maybe-moving function that returns a
407  // bool to tell callers whether it moved. Ignore std::move inside
408  // try_emplace to avoid false positives as we don't track uses of
409  // the bool.
410  unless(hasParent(cxxMemberCallExpr(
411  callee(cxxMethodDecl(hasName("try_emplace")))))))
412  .bind("call-move");
413 
414  Finder->addMatcher(
415  traverse(
416  TK_AsIs,
417  // To find the Stmt that we assume performs the actual move, we look
418  // for the direct ancestor of the std::move() that isn't one of the
419  // node types ignored by ignoringParenImpCasts().
420  stmt(
421  forEach(expr(ignoringParenImpCasts(CallMoveMatcher))),
422  // Don't allow an InitListExpr to be the moving call. An
423  // InitListExpr has both a syntactic and a semantic form, and the
424  // parent-child relationships are different between the two. This
425  // could cause an InitListExpr to be analyzed as the moving call
426  // in addition to the Expr that we actually want, resulting in two
427  // diagnostics with different code locations for the same move.
428  unless(initListExpr()),
429  unless(expr(ignoringParenImpCasts(equalsBoundNode("call-move")))))
430  .bind("moving-call")),
431  this);
432 }
433 
434 void UseAfterMoveCheck::check(const MatchFinder::MatchResult &Result) {
435  const auto *ContainingLambda =
436  Result.Nodes.getNodeAs<LambdaExpr>("containing-lambda");
437  const auto *ContainingFunc =
438  Result.Nodes.getNodeAs<FunctionDecl>("containing-func");
439  const auto *CallMove = Result.Nodes.getNodeAs<CallExpr>("call-move");
440  const auto *MovingCall = Result.Nodes.getNodeAs<Expr>("moving-call");
441  const auto *Arg = Result.Nodes.getNodeAs<DeclRefExpr>("arg");
442 
443  if (!MovingCall || !MovingCall->getExprLoc().isValid())
444  MovingCall = CallMove;
445 
446  Stmt *FunctionBody = nullptr;
447  if (ContainingLambda)
448  FunctionBody = ContainingLambda->getBody();
449  else if (ContainingFunc)
450  FunctionBody = ContainingFunc->getBody();
451  else
452  return;
453 
454  // Ignore the std::move if the variable that was passed to it isn't a local
455  // variable.
456  if (!Arg->getDecl()->getDeclContext()->isFunctionOrMethod())
457  return;
458 
459  UseAfterMoveFinder Finder(Result.Context);
460  UseAfterMove Use;
461  if (Finder.find(FunctionBody, MovingCall, Arg->getDecl(), &Use))
462  emitDiagnostic(MovingCall, Arg, Use, this, Result.Context);
463 }
464 
465 } // namespace bugprone
466 } // namespace tidy
467 } // namespace clang
clang::tidy::bugprone::inDecltypeOrTemplateArg
static StatementMatcher inDecltypeOrTemplateArg()
Definition: UseAfterMoveCheck.cpp:98
clang::tidy::bugprone::emitDiagnostic
static void emitDiagnostic(const Expr *MovingCall, const DeclRefExpr *MoveArg, const UseAfterMove &Use, ClangTidyCheck *Check, ASTContext *Context)
Definition: UseAfterMoveCheck.cpp:378
Type
NodeType Type
Definition: HTMLGenerator.cpp:73
clang::tidy::ClangTidyCheck
Base class for all clang-tidy checks.
Definition: ClangTidyCheck.h:54
clang::ast_matchers
Definition: AbseilMatcher.h:14
clang::clangd::match
std::vector< std::string > match(const SymbolIndex &I, const FuzzyFindRequest &Req, bool *Incomplete)
Definition: TestIndex.cpp:98
Decl
const FunctionDecl * Decl
Definition: AvoidBindCheck.cpp:100
Name
static constexpr llvm::StringLiteral Name
Definition: UppercaseLiteralSuffixCheck.cpp:28
clang::tidy::ClangTidyCheck::diag
DiagnosticBuilder diag(SourceLocation Loc, StringRef Description, DiagnosticIDs::Level Level=DiagnosticIDs::Warning)
Add a diagnostic with the check's name.
Definition: ClangTidyCheck.cpp:25
clang::tidy::utils
Definition: Aliasing.cpp:16
clang::ast_matchers::AST_MATCHER
AST_MATCHER(Expr, isMacroID)
Definition: PreferIsaOrDynCastInConditionalsCheck.cpp:19
clang::clangd::check
bool check(llvm::StringRef File, llvm::function_ref< bool(const Position &)> ShouldCheckLine, const ThreadsafeFS &TFS, const ClangdLSPServer::Options &Opts, bool EnableCodeCompletion)
Definition: Check.cpp:258
DeclRef
const DeclRefExpr * DeclRef
Definition: UseAfterMoveCheck.cpp:50
UseAfterMoveCheck.h
ID
static char ID
Definition: Logger.cpp:74
EvaluationOrderUndefined
bool EvaluationOrderUndefined
Definition: UseAfterMoveCheck.cpp:53
clang
===– Representation.cpp - ClangDoc Representation --------—*- C++ -*-===//
Definition: ApplyReplacements.h:27
clang::tidy::bugprone::isStandardSmartPointer
bool isStandardSmartPointer(const ValueDecl *VD)
Definition: UseAfterMoveCheck.cpp:234
Generated on Mon Jan 17 2022 20:44:24 for clang-tools by   doxygen 1.8.17