clang-tools  14.0.0git
UseAfterMoveCheck.cpp
Go to the documentation of this file.
1 //===--- UseAfterMoveCheck.cpp - clang-tidy -------------------------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 
9 #include "UseAfterMoveCheck.h"
10 
11 #include "clang/AST/Expr.h"
12 #include "clang/AST/ExprCXX.h"
13 #include "clang/AST/ExprConcepts.h"
14 #include "clang/ASTMatchers/ASTMatchers.h"
15 #include "clang/Analysis/CFG.h"
16 #include "clang/Lex/Lexer.h"
17 
18 #include "../utils/ExprSequence.h"
19 
20 using namespace clang::ast_matchers;
21 using namespace clang::tidy::utils;
22 
23 
24 namespace clang {
25 namespace tidy {
26 namespace bugprone {
27 
28 namespace {
29 
30 AST_MATCHER(Expr, hasUnevaluatedContext) {
31  if (isa<CXXNoexceptExpr>(Node) || isa<RequiresExpr>(Node))
32  return true;
33  if (const auto *UnaryExpr = dyn_cast<UnaryExprOrTypeTraitExpr>(&Node)) {
34  switch (UnaryExpr->getKind()) {
35  case UETT_SizeOf:
36  case UETT_AlignOf:
37  return true;
38  default:
39  return false;
40  }
41  }
42  if (const auto *TypeIDExpr = dyn_cast<CXXTypeidExpr>(&Node))
43  return !TypeIDExpr->isPotentiallyEvaluated();
44  return false;
45 }
46 
47 /// Contains information about a use-after-move.
48 struct UseAfterMove {
49  // The DeclRefExpr that constituted the use of the object.
50  const DeclRefExpr *DeclRef;
51 
52  // Is the order in which the move and the use are evaluated undefined?
53  bool EvaluationOrderUndefined;
54 };
55 
56 /// Finds uses of a variable after a move (and maintains state required by the
57 /// various internal helper functions).
58 class UseAfterMoveFinder {
59 public:
60  UseAfterMoveFinder(ASTContext *TheContext);
61 
62  // Within the given function body, finds the first use of 'MovedVariable' that
63  // occurs after 'MovingCall' (the expression that performs the move). If a
64  // use-after-move is found, writes information about it to 'TheUseAfterMove'.
65  // Returns whether a use-after-move was found.
66  bool find(Stmt *FunctionBody, const Expr *MovingCall,
67  const ValueDecl *MovedVariable, UseAfterMove *TheUseAfterMove);
68 
69 private:
70  bool findInternal(const CFGBlock *Block, const Expr *MovingCall,
71  const ValueDecl *MovedVariable,
72  UseAfterMove *TheUseAfterMove);
73  void getUsesAndReinits(const CFGBlock *Block, const ValueDecl *MovedVariable,
74  llvm::SmallVectorImpl<const DeclRefExpr *> *Uses,
75  llvm::SmallPtrSetImpl<const Stmt *> *Reinits);
76  void getDeclRefs(const CFGBlock *Block, const Decl *MovedVariable,
77  llvm::SmallPtrSetImpl<const DeclRefExpr *> *DeclRefs);
78  void getReinits(const CFGBlock *Block, const ValueDecl *MovedVariable,
79  llvm::SmallPtrSetImpl<const Stmt *> *Stmts,
80  llvm::SmallPtrSetImpl<const DeclRefExpr *> *DeclRefs);
81 
82  ASTContext *Context;
83  std::unique_ptr<ExprSequence> Sequence;
84  std::unique_ptr<StmtToBlockMap> BlockMap;
85  llvm::SmallPtrSet<const CFGBlock *, 8> Visited;
86 };
87 
88 } // namespace
89 
90 
91 // Matches nodes that are
92 // - Part of a decltype argument or class template argument (we check this by
93 // seeing if they are children of a TypeLoc), or
94 // - Part of a function template argument (we check this by seeing if they are
95 // children of a DeclRefExpr that references a function template).
96 // DeclRefExprs that fulfill these conditions should not be counted as a use or
97 // move.
98 static StatementMatcher inDecltypeOrTemplateArg() {
99  return anyOf(hasAncestor(typeLoc()),
100  hasAncestor(declRefExpr(
101  to(functionDecl(ast_matchers::isTemplateInstantiation())))),
102  hasAncestor(expr(hasUnevaluatedContext())));
103 }
104 
105 UseAfterMoveFinder::UseAfterMoveFinder(ASTContext *TheContext)
106  : Context(TheContext) {}
107 
108 bool UseAfterMoveFinder::find(Stmt *FunctionBody, const Expr *MovingCall,
109  const ValueDecl *MovedVariable,
110  UseAfterMove *TheUseAfterMove) {
111  // Generate the CFG manually instead of through an AnalysisDeclContext because
112  // it seems the latter can't be used to generate a CFG for the body of a
113  // lambda.
114  //
115  // We include implicit and temporary destructors in the CFG so that
116  // destructors marked [[noreturn]] are handled correctly in the control flow
117  // analysis. (These are used in some styles of assertion macros.)
118  CFG::BuildOptions Options;
119  Options.AddImplicitDtors = true;
120  Options.AddTemporaryDtors = true;
121  std::unique_ptr<CFG> TheCFG =
122  CFG::buildCFG(nullptr, FunctionBody, Context, Options);
123  if (!TheCFG)
124  return false;
125 
126  Sequence =
127  std::make_unique<ExprSequence>(TheCFG.get(), FunctionBody, Context);
128  BlockMap = std::make_unique<StmtToBlockMap>(TheCFG.get(), Context);
129  Visited.clear();
130 
131  const CFGBlock *Block = BlockMap->blockContainingStmt(MovingCall);
132  if (!Block)
133  return false;
134 
135  return findInternal(Block, MovingCall, MovedVariable, TheUseAfterMove);
136 }
137 
138 bool UseAfterMoveFinder::findInternal(const CFGBlock *Block,
139  const Expr *MovingCall,
140  const ValueDecl *MovedVariable,
141  UseAfterMove *TheUseAfterMove) {
142  if (Visited.count(Block))
143  return false;
144 
145  // Mark the block as visited (except if this is the block containing the
146  // std::move() and it's being visited the first time).
147  if (!MovingCall)
148  Visited.insert(Block);
149 
150  // Get all uses and reinits in the block.
151  llvm::SmallVector<const DeclRefExpr *, 1> Uses;
152  llvm::SmallPtrSet<const Stmt *, 1> Reinits;
153  getUsesAndReinits(Block, MovedVariable, &Uses, &Reinits);
154 
155  // Ignore all reinitializations where the move potentially comes after the
156  // reinit.
157  llvm::SmallVector<const Stmt *, 1> ReinitsToDelete;
158  for (const Stmt *Reinit : Reinits) {
159  if (MovingCall && Sequence->potentiallyAfter(MovingCall, Reinit))
160  ReinitsToDelete.push_back(Reinit);
161  }
162  for (const Stmt *Reinit : ReinitsToDelete) {
163  Reinits.erase(Reinit);
164  }
165 
166  // Find all uses that potentially come after the move.
167  for (const DeclRefExpr *Use : Uses) {
168  if (!MovingCall || Sequence->potentiallyAfter(Use, MovingCall)) {
169  // Does the use have a saving reinit? A reinit is saving if it definitely
170  // comes before the use, i.e. if there's no potential that the reinit is
171  // after the use.
172  bool HaveSavingReinit = false;
173  for (const Stmt *Reinit : Reinits) {
174  if (!Sequence->potentiallyAfter(Reinit, Use))
175  HaveSavingReinit = true;
176  }
177 
178  if (!HaveSavingReinit) {
179  TheUseAfterMove->DeclRef = Use;
180 
181  // Is this a use-after-move that depends on order of evaluation?
182  // This is the case if the move potentially comes after the use (and we
183  // already know that use potentially comes after the move, which taken
184  // together tells us that the ordering is unclear).
185  TheUseAfterMove->EvaluationOrderUndefined =
186  MovingCall != nullptr &&
187  Sequence->potentiallyAfter(MovingCall, Use);
188 
189  return true;
190  }
191  }
192  }
193 
194  // If the object wasn't reinitialized, call ourselves recursively on all
195  // successors.
196  if (Reinits.empty()) {
197  for (const auto &Succ : Block->succs()) {
198  if (Succ && findInternal(Succ, nullptr, MovedVariable, TheUseAfterMove))
199  return true;
200  }
201  }
202 
203  return false;
204 }
205 
206 void UseAfterMoveFinder::getUsesAndReinits(
207  const CFGBlock *Block, const ValueDecl *MovedVariable,
208  llvm::SmallVectorImpl<const DeclRefExpr *> *Uses,
209  llvm::SmallPtrSetImpl<const Stmt *> *Reinits) {
210  llvm::SmallPtrSet<const DeclRefExpr *, 1> DeclRefs;
211  llvm::SmallPtrSet<const DeclRefExpr *, 1> ReinitDeclRefs;
212 
213  getDeclRefs(Block, MovedVariable, &DeclRefs);
214  getReinits(Block, MovedVariable, Reinits, &ReinitDeclRefs);
215 
216  // All references to the variable that aren't reinitializations are uses.
217  Uses->clear();
218  for (const DeclRefExpr *DeclRef : DeclRefs) {
219  if (!ReinitDeclRefs.count(DeclRef))
220  Uses->push_back(DeclRef);
221  }
222 
223  // Sort the uses by their occurrence in the source code.
224  std::sort(Uses->begin(), Uses->end(),
225  [](const DeclRefExpr *D1, const DeclRefExpr *D2) {
226  return D1->getExprLoc() < D2->getExprLoc();
227  });
228 }
229 
230 bool isStandardSmartPointer(const ValueDecl *VD) {
231  const Type *TheType = VD->getType().getNonReferenceType().getTypePtrOrNull();
232  if (!TheType)
233  return false;
234 
235  const CXXRecordDecl *RecordDecl = TheType->getAsCXXRecordDecl();
236  if (!RecordDecl)
237  return false;
238 
239  const IdentifierInfo *ID = RecordDecl->getIdentifier();
240  if (!ID)
241  return false;
242 
243  StringRef Name = ID->getName();
244  if (Name != "unique_ptr" && Name != "shared_ptr" && Name != "weak_ptr")
245  return false;
246 
247  return RecordDecl->getDeclContext()->isStdNamespace();
248 }
249 
250 void UseAfterMoveFinder::getDeclRefs(
251  const CFGBlock *Block, const Decl *MovedVariable,
252  llvm::SmallPtrSetImpl<const DeclRefExpr *> *DeclRefs) {
253  DeclRefs->clear();
254  for (const auto &Elem : *Block) {
255  Optional<CFGStmt> S = Elem.getAs<CFGStmt>();
256  if (!S)
257  continue;
258 
259  auto AddDeclRefs = [this, Block,
260  DeclRefs](const ArrayRef<BoundNodes> Matches) {
261  for (const auto &Match : Matches) {
262  const auto *DeclRef = Match.getNodeAs<DeclRefExpr>("declref");
263  const auto *Operator = Match.getNodeAs<CXXOperatorCallExpr>("operator");
264  if (DeclRef && BlockMap->blockContainingStmt(DeclRef) == Block) {
265  // Ignore uses of a standard smart pointer that don't dereference the
266  // pointer.
267  if (Operator || !isStandardSmartPointer(DeclRef->getDecl())) {
268  DeclRefs->insert(DeclRef);
269  }
270  }
271  }
272  };
273 
274  auto DeclRefMatcher = declRefExpr(hasDeclaration(equalsNode(MovedVariable)),
275  unless(inDecltypeOrTemplateArg()))
276  .bind("declref");
277 
278  AddDeclRefs(match(traverse(TK_AsIs, findAll(DeclRefMatcher)), *S->getStmt(),
279  *Context));
280  AddDeclRefs(match(findAll(cxxOperatorCallExpr(
281  hasAnyOverloadedOperatorName("*", "->", "[]"),
282  hasArgument(0, DeclRefMatcher))
283  .bind("operator")),
284  *S->getStmt(), *Context));
285  }
286 }
287 
288 void UseAfterMoveFinder::getReinits(
289  const CFGBlock *Block, const ValueDecl *MovedVariable,
290  llvm::SmallPtrSetImpl<const Stmt *> *Stmts,
291  llvm::SmallPtrSetImpl<const DeclRefExpr *> *DeclRefs) {
292  auto DeclRefMatcher =
293  declRefExpr(hasDeclaration(equalsNode(MovedVariable))).bind("declref");
294 
295  auto StandardContainerTypeMatcher = hasType(hasUnqualifiedDesugaredType(
296  recordType(hasDeclaration(cxxRecordDecl(hasAnyName(
297  "::std::basic_string", "::std::vector", "::std::deque",
298  "::std::forward_list", "::std::list", "::std::set", "::std::map",
299  "::std::multiset", "::std::multimap", "::std::unordered_set",
300  "::std::unordered_map", "::std::unordered_multiset",
301  "::std::unordered_multimap"))))));
302 
303  auto StandardSmartPointerTypeMatcher = hasType(hasUnqualifiedDesugaredType(
304  recordType(hasDeclaration(cxxRecordDecl(hasAnyName(
305  "::std::unique_ptr", "::std::shared_ptr", "::std::weak_ptr"))))));
306 
307  // Matches different types of reinitialization.
308  auto ReinitMatcher =
309  stmt(anyOf(
310  // Assignment. In addition to the overloaded assignment operator,
311  // test for built-in assignment as well, since template functions
312  // may be instantiated to use std::move() on built-in types.
313  binaryOperation(hasOperatorName("="), hasLHS(DeclRefMatcher)),
314  // Declaration. We treat this as a type of reinitialization too,
315  // so we don't need to treat it separately.
316  declStmt(hasDescendant(equalsNode(MovedVariable))),
317  // clear() and assign() on standard containers.
318  cxxMemberCallExpr(
319  on(expr(DeclRefMatcher, StandardContainerTypeMatcher)),
320  // To keep the matcher simple, we check for assign() calls
321  // on all standard containers, even though only vector,
322  // deque, forward_list and list have assign(). If assign()
323  // is called on any of the other containers, this will be
324  // flagged by a compile error anyway.
325  callee(cxxMethodDecl(hasAnyName("clear", "assign")))),
326  // reset() on standard smart pointers.
327  cxxMemberCallExpr(
328  on(expr(DeclRefMatcher, StandardSmartPointerTypeMatcher)),
329  callee(cxxMethodDecl(hasName("reset")))),
330  // Methods that have the [[clang::reinitializes]] attribute.
331  cxxMemberCallExpr(
332  on(DeclRefMatcher),
333  callee(cxxMethodDecl(hasAttr(clang::attr::Reinitializes)))),
334  // Passing variable to a function as a non-const pointer.
335  callExpr(forEachArgumentWithParam(
336  unaryOperator(hasOperatorName("&"),
337  hasUnaryOperand(DeclRefMatcher)),
338  unless(parmVarDecl(hasType(pointsTo(isConstQualified())))))),
339  // Passing variable to a function as a non-const lvalue reference
340  // (unless that function is std::move()).
341  callExpr(forEachArgumentWithParam(
342  traverse(TK_AsIs, DeclRefMatcher),
343  unless(parmVarDecl(hasType(
344  references(qualType(isConstQualified())))))),
345  unless(callee(functionDecl(hasName("::std::move")))))))
346  .bind("reinit");
347 
348  Stmts->clear();
349  DeclRefs->clear();
350  for (const auto &Elem : *Block) {
351  Optional<CFGStmt> S = Elem.getAs<CFGStmt>();
352  if (!S)
353  continue;
354 
355  SmallVector<BoundNodes, 1> Matches =
356  match(findAll(ReinitMatcher), *S->getStmt(), *Context);
357 
358  for (const auto &Match : Matches) {
359  const auto *TheStmt = Match.getNodeAs<Stmt>("reinit");
360  const auto *TheDeclRef = Match.getNodeAs<DeclRefExpr>("declref");
361  if (TheStmt && BlockMap->blockContainingStmt(TheStmt) == Block) {
362  Stmts->insert(TheStmt);
363 
364  // We count DeclStmts as reinitializations, but they don't have a
365  // DeclRefExpr associated with them -- so we need to check 'TheDeclRef'
366  // before adding it to the set.
367  if (TheDeclRef)
368  DeclRefs->insert(TheDeclRef);
369  }
370  }
371  }
372 }
373 
374 static void emitDiagnostic(const Expr *MovingCall, const DeclRefExpr *MoveArg,
375  const UseAfterMove &Use, ClangTidyCheck *Check,
376  ASTContext *Context) {
377  SourceLocation UseLoc = Use.DeclRef->getExprLoc();
378  SourceLocation MoveLoc = MovingCall->getExprLoc();
379 
380  Check->diag(UseLoc, "'%0' used after it was moved")
381  << MoveArg->getDecl()->getName();
382  Check->diag(MoveLoc, "move occurred here", DiagnosticIDs::Note);
383  if (Use.EvaluationOrderUndefined) {
384  Check->diag(UseLoc,
385  "the use and move are unsequenced, i.e. there is no guarantee "
386  "about the order in which they are evaluated",
387  DiagnosticIDs::Note);
388  } else if (UseLoc < MoveLoc || Use.DeclRef == MoveArg) {
389  Check->diag(UseLoc,
390  "the use happens in a later loop iteration than the move",
391  DiagnosticIDs::Note);
392  }
393 }
394 
395 void UseAfterMoveCheck::registerMatchers(MatchFinder *Finder) {
396  auto CallMoveMatcher =
397  callExpr(callee(functionDecl(hasName("::std::move"))), argumentCountIs(1),
398  hasArgument(0, declRefExpr().bind("arg")),
399  anyOf(hasAncestor(lambdaExpr().bind("containing-lambda")),
400  hasAncestor(functionDecl().bind("containing-func"))),
401  unless(inDecltypeOrTemplateArg()),
402  // try_emplace is a common maybe-moving function that returns a
403  // bool to tell callers whether it moved. Ignore std::move inside
404  // try_emplace to avoid false positives as we don't track uses of
405  // the bool.
406  unless(hasParent(cxxMemberCallExpr(
407  callee(cxxMethodDecl(hasName("try_emplace")))))))
408  .bind("call-move");
409 
410  Finder->addMatcher(
411  traverse(
412  TK_AsIs,
413  // To find the Stmt that we assume performs the actual move, we look
414  // for the direct ancestor of the std::move() that isn't one of the
415  // node types ignored by ignoringParenImpCasts().
416  stmt(
417  forEach(expr(ignoringParenImpCasts(CallMoveMatcher))),
418  // Don't allow an InitListExpr to be the moving call. An
419  // InitListExpr has both a syntactic and a semantic form, and the
420  // parent-child relationships are different between the two. This
421  // could cause an InitListExpr to be analyzed as the moving call
422  // in addition to the Expr that we actually want, resulting in two
423  // diagnostics with different code locations for the same move.
424  unless(initListExpr()),
425  unless(expr(ignoringParenImpCasts(equalsBoundNode("call-move")))))
426  .bind("moving-call")),
427  this);
428 }
429 
430 void UseAfterMoveCheck::check(const MatchFinder::MatchResult &Result) {
431  const auto *ContainingLambda =
432  Result.Nodes.getNodeAs<LambdaExpr>("containing-lambda");
433  const auto *ContainingFunc =
434  Result.Nodes.getNodeAs<FunctionDecl>("containing-func");
435  const auto *CallMove = Result.Nodes.getNodeAs<CallExpr>("call-move");
436  const auto *MovingCall = Result.Nodes.getNodeAs<Expr>("moving-call");
437  const auto *Arg = Result.Nodes.getNodeAs<DeclRefExpr>("arg");
438 
439  if (!MovingCall || !MovingCall->getExprLoc().isValid())
440  MovingCall = CallMove;
441 
442  Stmt *FunctionBody = nullptr;
443  if (ContainingLambda)
444  FunctionBody = ContainingLambda->getBody();
445  else if (ContainingFunc)
446  FunctionBody = ContainingFunc->getBody();
447  else
448  return;
449 
450  // Ignore the std::move if the variable that was passed to it isn't a local
451  // variable.
452  if (!Arg->getDecl()->getDeclContext()->isFunctionOrMethod())
453  return;
454 
455  UseAfterMoveFinder Finder(Result.Context);
456  UseAfterMove Use;
457  if (Finder.find(FunctionBody, MovingCall, Arg->getDecl(), &Use))
458  emitDiagnostic(MovingCall, Arg, Use, this, Result.Context);
459 }
460 
461 } // namespace bugprone
462 } // namespace tidy
463 } // namespace clang
clang::tidy::bugprone::inDecltypeOrTemplateArg
static StatementMatcher inDecltypeOrTemplateArg()
Definition: UseAfterMoveCheck.cpp:98
clang::tidy::bugprone::emitDiagnostic
static void emitDiagnostic(const Expr *MovingCall, const DeclRefExpr *MoveArg, const UseAfterMove &Use, ClangTidyCheck *Check, ASTContext *Context)
Definition: UseAfterMoveCheck.cpp:374
Type
NodeType Type
Definition: HTMLGenerator.cpp:73
clang::tidy::ClangTidyCheck
Base class for all clang-tidy checks.
Definition: ClangTidyCheck.h:54
clang::ast_matchers
Definition: AbseilMatcher.h:14
clang::clangd::match
std::vector< std::string > match(const SymbolIndex &I, const FuzzyFindRequest &Req, bool *Incomplete)
Definition: TestIndex.cpp:94
Decl
const FunctionDecl * Decl
Definition: AvoidBindCheck.cpp:100
Name
static constexpr llvm::StringLiteral Name
Definition: UppercaseLiteralSuffixCheck.cpp:28
clang::tidy::ClangTidyCheck::diag
DiagnosticBuilder diag(SourceLocation Loc, StringRef Description, DiagnosticIDs::Level Level=DiagnosticIDs::Warning)
Add a diagnostic with the check's name.
Definition: ClangTidyCheck.cpp:25
clang::tidy::utils
Definition: Aliasing.cpp:16
clang::ast_matchers::AST_MATCHER
AST_MATCHER(Expr, isMacroID)
Definition: PreferIsaOrDynCastInConditionalsCheck.cpp:19
clang::clangd::check
bool check(llvm::StringRef File, llvm::function_ref< bool(const Position &)> ShouldCheckLine, const ThreadsafeFS &TFS, const ClangdLSPServer::Options &Opts, bool EnableCodeCompletion)
Definition: Check.cpp:253
DeclRef
const DeclRefExpr * DeclRef
Definition: UseAfterMoveCheck.cpp:50
UseAfterMoveCheck.h
ID
static char ID
Definition: Logger.cpp:74
EvaluationOrderUndefined
bool EvaluationOrderUndefined
Definition: UseAfterMoveCheck.cpp:53
clang
===– Representation.cpp - ClangDoc Representation --------—*- C++ -*-===//
Definition: ApplyReplacements.h:27
clang::tidy::bugprone::isStandardSmartPointer
bool isStandardSmartPointer(const ValueDecl *VD)
Definition: UseAfterMoveCheck.cpp:230
Generated on Thu Oct 21 2021 03:13:55 for clang-tools by   doxygen 1.8.17