1 //===--- UseAfterMoveCheck.cpp - clang-tidy -------------------------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8
9 #include "UseAfterMoveCheck.h"
10
11 #include "clang/AST/Expr.h"
12 #include "clang/AST/ExprCXX.h"
13 #include "clang/AST/ExprConcepts.h"
14 #include "clang/ASTMatchers/ASTMatchers.h"
15 #include "clang/Analysis/CFG.h"
16 #include "clang/Lex/Lexer.h"
17
18 #include "../utils/ExprSequence.h"
19
20 using namespace clang::ast_matchers;
21 using namespace clang::tidy::utils;
22
23
24 namespace clang {
25 namespace tidy {
26 namespace bugprone {
27
28 namespace {
29
AST_MATCHER(Expr,hasUnevaluatedContext)30 AST_MATCHER(Expr, hasUnevaluatedContext) {
31 if (isa<CXXNoexceptExpr>(Node) || isa<RequiresExpr>(Node))
32 return true;
33 if (const auto *UnaryExpr = dyn_cast<UnaryExprOrTypeTraitExpr>(&Node)) {
34 switch (UnaryExpr->getKind()) {
35 case UETT_SizeOf:
36 case UETT_AlignOf:
37 return true;
38 default:
39 return false;
40 }
41 }
42 if (const auto *TypeIDExpr = dyn_cast<CXXTypeidExpr>(&Node))
43 return !TypeIDExpr->isPotentiallyEvaluated();
44 return false;
45 }
46
47 /// Contains information about a use-after-move.
48 struct UseAfterMove {
49 // The DeclRefExpr that constituted the use of the object.
50 const DeclRefExpr *DeclRef;
51
52 // Is the order in which the move and the use are evaluated undefined?
53 bool EvaluationOrderUndefined;
54 };
55
56 /// Finds uses of a variable after a move (and maintains state required by the
57 /// various internal helper functions).
58 class UseAfterMoveFinder {
59 public:
60 UseAfterMoveFinder(ASTContext *TheContext);
61
62 // Within the given function body, finds the first use of 'MovedVariable' that
63 // occurs after 'MovingCall' (the expression that performs the move). If a
64 // use-after-move is found, writes information about it to 'TheUseAfterMove'.
65 // Returns whether a use-after-move was found.
66 bool find(Stmt *FunctionBody, const Expr *MovingCall,
67 const ValueDecl *MovedVariable, UseAfterMove *TheUseAfterMove);
68
69 private:
70 bool findInternal(const CFGBlock *Block, const Expr *MovingCall,
71 const ValueDecl *MovedVariable,
72 UseAfterMove *TheUseAfterMove);
73 void getUsesAndReinits(const CFGBlock *Block, const ValueDecl *MovedVariable,
74 llvm::SmallVectorImpl<const DeclRefExpr *> *Uses,
75 llvm::SmallPtrSetImpl<const Stmt *> *Reinits);
76 void getDeclRefs(const CFGBlock *Block, const Decl *MovedVariable,
77 llvm::SmallPtrSetImpl<const DeclRefExpr *> *DeclRefs);
78 void getReinits(const CFGBlock *Block, const ValueDecl *MovedVariable,
79 llvm::SmallPtrSetImpl<const Stmt *> *Stmts,
80 llvm::SmallPtrSetImpl<const DeclRefExpr *> *DeclRefs);
81
82 ASTContext *Context;
83 std::unique_ptr<ExprSequence> Sequence;
84 std::unique_ptr<StmtToBlockMap> BlockMap;
85 llvm::SmallPtrSet<const CFGBlock *, 8> Visited;
86 };
87
88 } // namespace
89
90
91 // Matches nodes that are
92 // - Part of a decltype argument or class template argument (we check this by
93 // seeing if they are children of a TypeLoc), or
94 // - Part of a function template argument (we check this by seeing if they are
95 // children of a DeclRefExpr that references a function template).
96 // DeclRefExprs that fulfill these conditions should not be counted as a use or
97 // move.
inDecltypeOrTemplateArg()98 static StatementMatcher inDecltypeOrTemplateArg() {
99 return anyOf(hasAncestor(typeLoc()),
100 hasAncestor(declRefExpr(
101 to(functionDecl(ast_matchers::isTemplateInstantiation())))),
102 hasAncestor(expr(hasUnevaluatedContext())));
103 }
104
UseAfterMoveFinder(ASTContext * TheContext)105 UseAfterMoveFinder::UseAfterMoveFinder(ASTContext *TheContext)
106 : Context(TheContext) {}
107
find(Stmt * FunctionBody,const Expr * MovingCall,const ValueDecl * MovedVariable,UseAfterMove * TheUseAfterMove)108 bool UseAfterMoveFinder::find(Stmt *FunctionBody, const Expr *MovingCall,
109 const ValueDecl *MovedVariable,
110 UseAfterMove *TheUseAfterMove) {
111 // Generate the CFG manually instead of through an AnalysisDeclContext because
112 // it seems the latter can't be used to generate a CFG for the body of a
113 // lambda.
114 //
115 // We include implicit and temporary destructors in the CFG so that
116 // destructors marked [[noreturn]] are handled correctly in the control flow
117 // analysis. (These are used in some styles of assertion macros.)
118 CFG::BuildOptions Options;
119 Options.AddImplicitDtors = true;
120 Options.AddTemporaryDtors = true;
121 std::unique_ptr<CFG> TheCFG =
122 CFG::buildCFG(nullptr, FunctionBody, Context, Options);
123 if (!TheCFG)
124 return false;
125
126 Sequence =
127 std::make_unique<ExprSequence>(TheCFG.get(), FunctionBody, Context);
128 BlockMap = std::make_unique<StmtToBlockMap>(TheCFG.get(), Context);
129 Visited.clear();
130
131 const CFGBlock *Block = BlockMap->blockContainingStmt(MovingCall);
132 if (!Block)
133 return false;
134
135 return findInternal(Block, MovingCall, MovedVariable, TheUseAfterMove);
136 }
137
findInternal(const CFGBlock * Block,const Expr * MovingCall,const ValueDecl * MovedVariable,UseAfterMove * TheUseAfterMove)138 bool UseAfterMoveFinder::findInternal(const CFGBlock *Block,
139 const Expr *MovingCall,
140 const ValueDecl *MovedVariable,
141 UseAfterMove *TheUseAfterMove) {
142 if (Visited.count(Block))
143 return false;
144
145 // Mark the block as visited (except if this is the block containing the
146 // std::move() and it's being visited the first time).
147 if (!MovingCall)
148 Visited.insert(Block);
149
150 // Get all uses and reinits in the block.
151 llvm::SmallVector<const DeclRefExpr *, 1> Uses;
152 llvm::SmallPtrSet<const Stmt *, 1> Reinits;
153 getUsesAndReinits(Block, MovedVariable, &Uses, &Reinits);
154
155 // Ignore all reinitializations where the move potentially comes after the
156 // reinit.
157 llvm::SmallVector<const Stmt *, 1> ReinitsToDelete;
158 for (const Stmt *Reinit : Reinits) {
159 if (MovingCall && Sequence->potentiallyAfter(MovingCall, Reinit))
160 ReinitsToDelete.push_back(Reinit);
161 }
162 for (const Stmt *Reinit : ReinitsToDelete) {
163 Reinits.erase(Reinit);
164 }
165
166 // Find all uses that potentially come after the move.
167 for (const DeclRefExpr *Use : Uses) {
168 if (!MovingCall || Sequence->potentiallyAfter(Use, MovingCall)) {
169 // Does the use have a saving reinit? A reinit is saving if it definitely
170 // comes before the use, i.e. if there's no potential that the reinit is
171 // after the use.
172 bool HaveSavingReinit = false;
173 for (const Stmt *Reinit : Reinits) {
174 if (!Sequence->potentiallyAfter(Reinit, Use))
175 HaveSavingReinit = true;
176 }
177
178 if (!HaveSavingReinit) {
179 TheUseAfterMove->DeclRef = Use;
180
181 // Is this a use-after-move that depends on order of evaluation?
182 // This is the case if the move potentially comes after the use (and we
183 // already know that use potentially comes after the move, which taken
184 // together tells us that the ordering is unclear).
185 TheUseAfterMove->EvaluationOrderUndefined =
186 MovingCall != nullptr &&
187 Sequence->potentiallyAfter(MovingCall, Use);
188
189 return true;
190 }
191 }
192 }
193
194 // If the object wasn't reinitialized, call ourselves recursively on all
195 // successors.
196 if (Reinits.empty()) {
197 for (const auto &Succ : Block->succs()) {
198 if (Succ && findInternal(Succ, nullptr, MovedVariable, TheUseAfterMove))
199 return true;
200 }
201 }
202
203 return false;
204 }
205
getUsesAndReinits(const CFGBlock * Block,const ValueDecl * MovedVariable,llvm::SmallVectorImpl<const DeclRefExpr * > * Uses,llvm::SmallPtrSetImpl<const Stmt * > * Reinits)206 void UseAfterMoveFinder::getUsesAndReinits(
207 const CFGBlock *Block, const ValueDecl *MovedVariable,
208 llvm::SmallVectorImpl<const DeclRefExpr *> *Uses,
209 llvm::SmallPtrSetImpl<const Stmt *> *Reinits) {
210 llvm::SmallPtrSet<const DeclRefExpr *, 1> DeclRefs;
211 llvm::SmallPtrSet<const DeclRefExpr *, 1> ReinitDeclRefs;
212
213 getDeclRefs(Block, MovedVariable, &DeclRefs);
214 getReinits(Block, MovedVariable, Reinits, &ReinitDeclRefs);
215
216 // All references to the variable that aren't reinitializations are uses.
217 Uses->clear();
218 for (const DeclRefExpr *DeclRef : DeclRefs) {
219 if (!ReinitDeclRefs.count(DeclRef))
220 Uses->push_back(DeclRef);
221 }
222
223 // Sort the uses by their occurrence in the source code.
224 std::sort(Uses->begin(), Uses->end(),
225 [](const DeclRefExpr *D1, const DeclRefExpr *D2) {
226 return D1->getExprLoc() < D2->getExprLoc();
227 });
228 }
229
isStandardSmartPointer(const ValueDecl * VD)230 bool isStandardSmartPointer(const ValueDecl *VD) {
231 const Type *TheType = VD->getType().getNonReferenceType().getTypePtrOrNull();
232 if (!TheType)
233 return false;
234
235 const CXXRecordDecl *RecordDecl = TheType->getAsCXXRecordDecl();
236 if (!RecordDecl)
237 return false;
238
239 const IdentifierInfo *ID = RecordDecl->getIdentifier();
240 if (!ID)
241 return false;
242
243 StringRef Name = ID->getName();
244 if (Name != "unique_ptr" && Name != "shared_ptr" && Name != "weak_ptr")
245 return false;
246
247 return RecordDecl->getDeclContext()->isStdNamespace();
248 }
249
getDeclRefs(const CFGBlock * Block,const Decl * MovedVariable,llvm::SmallPtrSetImpl<const DeclRefExpr * > * DeclRefs)250 void UseAfterMoveFinder::getDeclRefs(
251 const CFGBlock *Block, const Decl *MovedVariable,
252 llvm::SmallPtrSetImpl<const DeclRefExpr *> *DeclRefs) {
253 DeclRefs->clear();
254 for (const auto &Elem : *Block) {
255 Optional<CFGStmt> S = Elem.getAs<CFGStmt>();
256 if (!S)
257 continue;
258
259 auto addDeclRefs = [this, Block,
260 DeclRefs](const ArrayRef<BoundNodes> Matches) {
261 for (const auto &Match : Matches) {
262 const auto *DeclRef = Match.getNodeAs<DeclRefExpr>("declref");
263 const auto *Operator = Match.getNodeAs<CXXOperatorCallExpr>("operator");
264 if (DeclRef && BlockMap->blockContainingStmt(DeclRef) == Block) {
265 // Ignore uses of a standard smart pointer that don't dereference the
266 // pointer.
267 if (Operator || !isStandardSmartPointer(DeclRef->getDecl())) {
268 DeclRefs->insert(DeclRef);
269 }
270 }
271 }
272 };
273
274 auto DeclRefMatcher = declRefExpr(hasDeclaration(equalsNode(MovedVariable)),
275 unless(inDecltypeOrTemplateArg()))
276 .bind("declref");
277
278 addDeclRefs(
279 match(traverse(ast_type_traits::TK_AsIs, findAll(DeclRefMatcher)),
280 *S->getStmt(), *Context));
281 addDeclRefs(match(findAll(cxxOperatorCallExpr(
282 hasAnyOverloadedOperatorName("*", "->", "[]"),
283 hasArgument(0, DeclRefMatcher))
284 .bind("operator")),
285 *S->getStmt(), *Context));
286 }
287 }
288
getReinits(const CFGBlock * Block,const ValueDecl * MovedVariable,llvm::SmallPtrSetImpl<const Stmt * > * Stmts,llvm::SmallPtrSetImpl<const DeclRefExpr * > * DeclRefs)289 void UseAfterMoveFinder::getReinits(
290 const CFGBlock *Block, const ValueDecl *MovedVariable,
291 llvm::SmallPtrSetImpl<const Stmt *> *Stmts,
292 llvm::SmallPtrSetImpl<const DeclRefExpr *> *DeclRefs) {
293 auto DeclRefMatcher =
294 declRefExpr(hasDeclaration(equalsNode(MovedVariable))).bind("declref");
295
296 auto StandardContainerTypeMatcher = hasType(hasUnqualifiedDesugaredType(
297 recordType(hasDeclaration(cxxRecordDecl(hasAnyName(
298 "::std::basic_string", "::std::vector", "::std::deque",
299 "::std::forward_list", "::std::list", "::std::set", "::std::map",
300 "::std::multiset", "::std::multimap", "::std::unordered_set",
301 "::std::unordered_map", "::std::unordered_multiset",
302 "::std::unordered_multimap"))))));
303
304 auto StandardSmartPointerTypeMatcher = hasType(hasUnqualifiedDesugaredType(
305 recordType(hasDeclaration(cxxRecordDecl(hasAnyName(
306 "::std::unique_ptr", "::std::shared_ptr", "::std::weak_ptr"))))));
307
308 // Matches different types of reinitialization.
309 auto ReinitMatcher =
310 stmt(anyOf(
311 // Assignment. In addition to the overloaded assignment operator,
312 // test for built-in assignment as well, since template functions
313 // may be instantiated to use std::move() on built-in types.
314 binaryOperator(hasOperatorName("="), hasLHS(DeclRefMatcher)),
315 cxxOperatorCallExpr(hasOverloadedOperatorName("="),
316 hasArgument(0, DeclRefMatcher)),
317 // Declaration. We treat this as a type of reinitialization too,
318 // so we don't need to treat it separately.
319 declStmt(hasDescendant(equalsNode(MovedVariable))),
320 // clear() and assign() on standard containers.
321 cxxMemberCallExpr(
322 on(expr(DeclRefMatcher, StandardContainerTypeMatcher)),
323 // To keep the matcher simple, we check for assign() calls
324 // on all standard containers, even though only vector,
325 // deque, forward_list and list have assign(). If assign()
326 // is called on any of the other containers, this will be
327 // flagged by a compile error anyway.
328 callee(cxxMethodDecl(hasAnyName("clear", "assign")))),
329 // reset() on standard smart pointers.
330 cxxMemberCallExpr(
331 on(expr(DeclRefMatcher, StandardSmartPointerTypeMatcher)),
332 callee(cxxMethodDecl(hasName("reset")))),
333 // Methods that have the [[clang::reinitializes]] attribute.
334 cxxMemberCallExpr(
335 on(DeclRefMatcher),
336 callee(cxxMethodDecl(hasAttr(clang::attr::Reinitializes)))),
337 // Passing variable to a function as a non-const pointer.
338 callExpr(forEachArgumentWithParam(
339 unaryOperator(hasOperatorName("&"),
340 hasUnaryOperand(DeclRefMatcher)),
341 unless(parmVarDecl(hasType(pointsTo(isConstQualified())))))),
342 // Passing variable to a function as a non-const lvalue reference
343 // (unless that function is std::move()).
344 callExpr(forEachArgumentWithParam(
345 traverse(ast_type_traits::TK_AsIs, DeclRefMatcher),
346 unless(parmVarDecl(hasType(
347 references(qualType(isConstQualified())))))),
348 unless(callee(functionDecl(hasName("::std::move")))))))
349 .bind("reinit");
350
351 Stmts->clear();
352 DeclRefs->clear();
353 for (const auto &Elem : *Block) {
354 Optional<CFGStmt> S = Elem.getAs<CFGStmt>();
355 if (!S)
356 continue;
357
358 SmallVector<BoundNodes, 1> Matches =
359 match(findAll(ReinitMatcher), *S->getStmt(), *Context);
360
361 for (const auto &Match : Matches) {
362 const auto *TheStmt = Match.getNodeAs<Stmt>("reinit");
363 const auto *TheDeclRef = Match.getNodeAs<DeclRefExpr>("declref");
364 if (TheStmt && BlockMap->blockContainingStmt(TheStmt) == Block) {
365 Stmts->insert(TheStmt);
366
367 // We count DeclStmts as reinitializations, but they don't have a
368 // DeclRefExpr associated with them -- so we need to check 'TheDeclRef'
369 // before adding it to the set.
370 if (TheDeclRef)
371 DeclRefs->insert(TheDeclRef);
372 }
373 }
374 }
375 }
376
emitDiagnostic(const Expr * MovingCall,const DeclRefExpr * MoveArg,const UseAfterMove & Use,ClangTidyCheck * Check,ASTContext * Context)377 static void emitDiagnostic(const Expr *MovingCall, const DeclRefExpr *MoveArg,
378 const UseAfterMove &Use, ClangTidyCheck *Check,
379 ASTContext *Context) {
380 SourceLocation UseLoc = Use.DeclRef->getExprLoc();
381 SourceLocation MoveLoc = MovingCall->getExprLoc();
382
383 Check->diag(UseLoc, "'%0' used after it was moved")
384 << MoveArg->getDecl()->getName();
385 Check->diag(MoveLoc, "move occurred here", DiagnosticIDs::Note);
386 if (Use.EvaluationOrderUndefined) {
387 Check->diag(UseLoc,
388 "the use and move are unsequenced, i.e. there is no guarantee "
389 "about the order in which they are evaluated",
390 DiagnosticIDs::Note);
391 } else if (UseLoc < MoveLoc || Use.DeclRef == MoveArg) {
392 Check->diag(UseLoc,
393 "the use happens in a later loop iteration than the move",
394 DiagnosticIDs::Note);
395 }
396 }
397
registerMatchers(MatchFinder * Finder)398 void UseAfterMoveCheck::registerMatchers(MatchFinder *Finder) {
399 auto CallMoveMatcher =
400 callExpr(callee(functionDecl(hasName("::std::move"))), argumentCountIs(1),
401 hasArgument(0, declRefExpr().bind("arg")),
402 anyOf(hasAncestor(lambdaExpr().bind("containing-lambda")),
403 hasAncestor(functionDecl().bind("containing-func"))),
404 unless(inDecltypeOrTemplateArg()))
405 .bind("call-move");
406
407 Finder->addMatcher(
408 traverse(
409 ast_type_traits::TK_AsIs,
410 // To find the Stmt that we assume performs the actual move, we look
411 // for the direct ancestor of the std::move() that isn't one of the
412 // node types ignored by ignoringParenImpCasts().
413 stmt(
414 forEach(expr(ignoringParenImpCasts(CallMoveMatcher))),
415 // Don't allow an InitListExpr to be the moving call. An
416 // InitListExpr has both a syntactic and a semantic form, and the
417 // parent-child relationships are different between the two. This
418 // could cause an InitListExpr to be analyzed as the moving call
419 // in addition to the Expr that we actually want, resulting in two
420 // diagnostics with different code locations for the same move.
421 unless(initListExpr()),
422 unless(expr(ignoringParenImpCasts(equalsBoundNode("call-move")))))
423 .bind("moving-call")),
424 this);
425 }
426
check(const MatchFinder::MatchResult & Result)427 void UseAfterMoveCheck::check(const MatchFinder::MatchResult &Result) {
428 const auto *ContainingLambda =
429 Result.Nodes.getNodeAs<LambdaExpr>("containing-lambda");
430 const auto *ContainingFunc =
431 Result.Nodes.getNodeAs<FunctionDecl>("containing-func");
432 const auto *CallMove = Result.Nodes.getNodeAs<CallExpr>("call-move");
433 const auto *MovingCall = Result.Nodes.getNodeAs<Expr>("moving-call");
434 const auto *Arg = Result.Nodes.getNodeAs<DeclRefExpr>("arg");
435
436 if (!MovingCall || !MovingCall->getExprLoc().isValid())
437 MovingCall = CallMove;
438
439 Stmt *FunctionBody = nullptr;
440 if (ContainingLambda)
441 FunctionBody = ContainingLambda->getBody();
442 else if (ContainingFunc)
443 FunctionBody = ContainingFunc->getBody();
444 else
445 return;
446
447 // Ignore the std::move if the variable that was passed to it isn't a local
448 // variable.
449 if (!Arg->getDecl()->getDeclContext()->isFunctionOrMethod())
450 return;
451
452 UseAfterMoveFinder finder(Result.Context);
453 UseAfterMove Use;
454 if (finder.find(FunctionBody, MovingCall, Arg->getDecl(), &Use))
455 emitDiagnostic(MovingCall, Arg, Use, this, Result.Context);
456 }
457
458 } // namespace bugprone
459 } // namespace tidy
460 } // namespace clang
461