1 //===--- UseAfterMoveCheck.cpp - clang-tidy -------------------------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8
9 #include "UseAfterMoveCheck.h"
10
11 #include "clang/Analysis/CFG.h"
12 #include "clang/Lex/Lexer.h"
13
14 #include "../utils/ExprSequence.h"
15
16 using namespace clang::ast_matchers;
17 using namespace clang::tidy::utils;
18
19
20 namespace clang {
21 namespace tidy {
22 namespace bugprone {
23
24 namespace {
25
26 /// Contains information about a use-after-move.
27 struct UseAfterMove {
28 // The DeclRefExpr that constituted the use of the object.
29 const DeclRefExpr *DeclRef;
30
31 // Is the order in which the move and the use are evaluated undefined?
32 bool EvaluationOrderUndefined;
33 };
34
35 /// Finds uses of a variable after a move (and maintains state required by the
36 /// various internal helper functions).
37 class UseAfterMoveFinder {
38 public:
39 UseAfterMoveFinder(ASTContext *TheContext);
40
41 // Within the given function body, finds the first use of 'MovedVariable' that
42 // occurs after 'MovingCall' (the expression that performs the move). If a
43 // use-after-move is found, writes information about it to 'TheUseAfterMove'.
44 // Returns whether a use-after-move was found.
45 bool find(Stmt *FunctionBody, const Expr *MovingCall,
46 const ValueDecl *MovedVariable, UseAfterMove *TheUseAfterMove);
47
48 private:
49 bool findInternal(const CFGBlock *Block, const Expr *MovingCall,
50 const ValueDecl *MovedVariable,
51 UseAfterMove *TheUseAfterMove);
52 void getUsesAndReinits(const CFGBlock *Block, const ValueDecl *MovedVariable,
53 llvm::SmallVectorImpl<const DeclRefExpr *> *Uses,
54 llvm::SmallPtrSetImpl<const Stmt *> *Reinits);
55 void getDeclRefs(const CFGBlock *Block, const Decl *MovedVariable,
56 llvm::SmallPtrSetImpl<const DeclRefExpr *> *DeclRefs);
57 void getReinits(const CFGBlock *Block, const ValueDecl *MovedVariable,
58 llvm::SmallPtrSetImpl<const Stmt *> *Stmts,
59 llvm::SmallPtrSetImpl<const DeclRefExpr *> *DeclRefs);
60
61 ASTContext *Context;
62 std::unique_ptr<ExprSequence> Sequence;
63 std::unique_ptr<StmtToBlockMap> BlockMap;
64 llvm::SmallPtrSet<const CFGBlock *, 8> Visited;
65 };
66
67 } // namespace
68
69
70 // Matches nodes that are
71 // - Part of a decltype argument or class template argument (we check this by
72 // seeing if they are children of a TypeLoc), or
73 // - Part of a function template argument (we check this by seeing if they are
74 // children of a DeclRefExpr that references a function template).
75 // DeclRefExprs that fulfill these conditions should not be counted as a use or
76 // move.
inDecltypeOrTemplateArg()77 static StatementMatcher inDecltypeOrTemplateArg() {
78 return anyOf(hasAncestor(typeLoc()),
79 hasAncestor(declRefExpr(
80 to(functionDecl(ast_matchers::isTemplateInstantiation())))));
81 }
82
UseAfterMoveFinder(ASTContext * TheContext)83 UseAfterMoveFinder::UseAfterMoveFinder(ASTContext *TheContext)
84 : Context(TheContext) {}
85
find(Stmt * FunctionBody,const Expr * MovingCall,const ValueDecl * MovedVariable,UseAfterMove * TheUseAfterMove)86 bool UseAfterMoveFinder::find(Stmt *FunctionBody, const Expr *MovingCall,
87 const ValueDecl *MovedVariable,
88 UseAfterMove *TheUseAfterMove) {
89 // Generate the CFG manually instead of through an AnalysisDeclContext because
90 // it seems the latter can't be used to generate a CFG for the body of a
91 // labmda.
92 //
93 // We include implicit and temporary destructors in the CFG so that
94 // destructors marked [[noreturn]] are handled correctly in the control flow
95 // analysis. (These are used in some styles of assertion macros.)
96 CFG::BuildOptions Options;
97 Options.AddImplicitDtors = true;
98 Options.AddTemporaryDtors = true;
99 std::unique_ptr<CFG> TheCFG =
100 CFG::buildCFG(nullptr, FunctionBody, Context, Options);
101 if (!TheCFG)
102 return false;
103
104 Sequence =
105 std::make_unique<ExprSequence>(TheCFG.get(), FunctionBody, Context);
106 BlockMap = std::make_unique<StmtToBlockMap>(TheCFG.get(), Context);
107 Visited.clear();
108
109 const CFGBlock *Block = BlockMap->blockContainingStmt(MovingCall);
110 if (!Block)
111 return false;
112
113 return findInternal(Block, MovingCall, MovedVariable, TheUseAfterMove);
114 }
115
findInternal(const CFGBlock * Block,const Expr * MovingCall,const ValueDecl * MovedVariable,UseAfterMove * TheUseAfterMove)116 bool UseAfterMoveFinder::findInternal(const CFGBlock *Block,
117 const Expr *MovingCall,
118 const ValueDecl *MovedVariable,
119 UseAfterMove *TheUseAfterMove) {
120 if (Visited.count(Block))
121 return false;
122
123 // Mark the block as visited (except if this is the block containing the
124 // std::move() and it's being visited the first time).
125 if (!MovingCall)
126 Visited.insert(Block);
127
128 // Get all uses and reinits in the block.
129 llvm::SmallVector<const DeclRefExpr *, 1> Uses;
130 llvm::SmallPtrSet<const Stmt *, 1> Reinits;
131 getUsesAndReinits(Block, MovedVariable, &Uses, &Reinits);
132
133 // Ignore all reinitializations where the move potentially comes after the
134 // reinit.
135 llvm::SmallVector<const Stmt *, 1> ReinitsToDelete;
136 for (const Stmt *Reinit : Reinits) {
137 if (MovingCall && Sequence->potentiallyAfter(MovingCall, Reinit))
138 ReinitsToDelete.push_back(Reinit);
139 }
140 for (const Stmt *Reinit : ReinitsToDelete) {
141 Reinits.erase(Reinit);
142 }
143
144 // Find all uses that potentially come after the move.
145 for (const DeclRefExpr *Use : Uses) {
146 if (!MovingCall || Sequence->potentiallyAfter(Use, MovingCall)) {
147 // Does the use have a saving reinit? A reinit is saving if it definitely
148 // comes before the use, i.e. if there's no potential that the reinit is
149 // after the use.
150 bool HaveSavingReinit = false;
151 for (const Stmt *Reinit : Reinits) {
152 if (!Sequence->potentiallyAfter(Reinit, Use))
153 HaveSavingReinit = true;
154 }
155
156 if (!HaveSavingReinit) {
157 TheUseAfterMove->DeclRef = Use;
158
159 // Is this a use-after-move that depends on order of evaluation?
160 // This is the case if the move potentially comes after the use (and we
161 // already know that use potentially comes after the move, which taken
162 // together tells us that the ordering is unclear).
163 TheUseAfterMove->EvaluationOrderUndefined =
164 MovingCall != nullptr &&
165 Sequence->potentiallyAfter(MovingCall, Use);
166
167 return true;
168 }
169 }
170 }
171
172 // If the object wasn't reinitialized, call ourselves recursively on all
173 // successors.
174 if (Reinits.empty()) {
175 for (const auto &Succ : Block->succs()) {
176 if (Succ && findInternal(Succ, nullptr, MovedVariable, TheUseAfterMove))
177 return true;
178 }
179 }
180
181 return false;
182 }
183
getUsesAndReinits(const CFGBlock * Block,const ValueDecl * MovedVariable,llvm::SmallVectorImpl<const DeclRefExpr * > * Uses,llvm::SmallPtrSetImpl<const Stmt * > * Reinits)184 void UseAfterMoveFinder::getUsesAndReinits(
185 const CFGBlock *Block, const ValueDecl *MovedVariable,
186 llvm::SmallVectorImpl<const DeclRefExpr *> *Uses,
187 llvm::SmallPtrSetImpl<const Stmt *> *Reinits) {
188 llvm::SmallPtrSet<const DeclRefExpr *, 1> DeclRefs;
189 llvm::SmallPtrSet<const DeclRefExpr *, 1> ReinitDeclRefs;
190
191 getDeclRefs(Block, MovedVariable, &DeclRefs);
192 getReinits(Block, MovedVariable, Reinits, &ReinitDeclRefs);
193
194 // All references to the variable that aren't reinitializations are uses.
195 Uses->clear();
196 for (const DeclRefExpr *DeclRef : DeclRefs) {
197 if (!ReinitDeclRefs.count(DeclRef))
198 Uses->push_back(DeclRef);
199 }
200
201 // Sort the uses by their occurrence in the source code.
202 std::sort(Uses->begin(), Uses->end(),
203 [](const DeclRefExpr *D1, const DeclRefExpr *D2) {
204 return D1->getExprLoc() < D2->getExprLoc();
205 });
206 }
207
isStandardSmartPointer(const ValueDecl * VD)208 bool isStandardSmartPointer(const ValueDecl *VD) {
209 const Type *TheType = VD->getType().getNonReferenceType().getTypePtrOrNull();
210 if (!TheType)
211 return false;
212
213 const CXXRecordDecl *RecordDecl = TheType->getAsCXXRecordDecl();
214 if (!RecordDecl)
215 return false;
216
217 const IdentifierInfo *ID = RecordDecl->getIdentifier();
218 if (!ID)
219 return false;
220
221 StringRef Name = ID->getName();
222 if (Name != "unique_ptr" && Name != "shared_ptr" && Name != "weak_ptr")
223 return false;
224
225 return RecordDecl->getDeclContext()->isStdNamespace();
226 }
227
getDeclRefs(const CFGBlock * Block,const Decl * MovedVariable,llvm::SmallPtrSetImpl<const DeclRefExpr * > * DeclRefs)228 void UseAfterMoveFinder::getDeclRefs(
229 const CFGBlock *Block, const Decl *MovedVariable,
230 llvm::SmallPtrSetImpl<const DeclRefExpr *> *DeclRefs) {
231 DeclRefs->clear();
232 for (const auto &Elem : *Block) {
233 Optional<CFGStmt> S = Elem.getAs<CFGStmt>();
234 if (!S)
235 continue;
236
237 auto addDeclRefs = [this, Block,
238 DeclRefs](const ArrayRef<BoundNodes> Matches) {
239 for (const auto &Match : Matches) {
240 const auto *DeclRef = Match.getNodeAs<DeclRefExpr>("declref");
241 const auto *Operator = Match.getNodeAs<CXXOperatorCallExpr>("operator");
242 if (DeclRef && BlockMap->blockContainingStmt(DeclRef) == Block) {
243 // Ignore uses of a standard smart pointer that don't dereference the
244 // pointer.
245 if (Operator || !isStandardSmartPointer(DeclRef->getDecl())) {
246 DeclRefs->insert(DeclRef);
247 }
248 }
249 }
250 };
251
252 auto DeclRefMatcher = declRefExpr(hasDeclaration(equalsNode(MovedVariable)),
253 unless(inDecltypeOrTemplateArg()))
254 .bind("declref");
255
256 addDeclRefs(match(findAll(DeclRefMatcher), *S->getStmt(), *Context));
257 addDeclRefs(match(
258 findAll(cxxOperatorCallExpr(anyOf(hasOverloadedOperatorName("*"),
259 hasOverloadedOperatorName("->"),
260 hasOverloadedOperatorName("[]")),
261 hasArgument(0, DeclRefMatcher))
262 .bind("operator")),
263 *S->getStmt(), *Context));
264 }
265 }
266
getReinits(const CFGBlock * Block,const ValueDecl * MovedVariable,llvm::SmallPtrSetImpl<const Stmt * > * Stmts,llvm::SmallPtrSetImpl<const DeclRefExpr * > * DeclRefs)267 void UseAfterMoveFinder::getReinits(
268 const CFGBlock *Block, const ValueDecl *MovedVariable,
269 llvm::SmallPtrSetImpl<const Stmt *> *Stmts,
270 llvm::SmallPtrSetImpl<const DeclRefExpr *> *DeclRefs) {
271 auto DeclRefMatcher =
272 declRefExpr(hasDeclaration(equalsNode(MovedVariable))).bind("declref");
273
274 auto StandardContainerTypeMatcher = hasType(hasUnqualifiedDesugaredType(
275 recordType(hasDeclaration(cxxRecordDecl(hasAnyName(
276 "::std::basic_string", "::std::vector", "::std::deque",
277 "::std::forward_list", "::std::list", "::std::set", "::std::map",
278 "::std::multiset", "::std::multimap", "::std::unordered_set",
279 "::std::unordered_map", "::std::unordered_multiset",
280 "::std::unordered_multimap"))))));
281
282 auto StandardSmartPointerTypeMatcher = hasType(hasUnqualifiedDesugaredType(
283 recordType(hasDeclaration(cxxRecordDecl(hasAnyName(
284 "::std::unique_ptr", "::std::shared_ptr", "::std::weak_ptr"))))));
285
286 // Matches different types of reinitialization.
287 auto ReinitMatcher =
288 stmt(anyOf(
289 // Assignment. In addition to the overloaded assignment operator,
290 // test for built-in assignment as well, since template functions
291 // may be instantiated to use std::move() on built-in types.
292 binaryOperator(hasOperatorName("="), hasLHS(DeclRefMatcher)),
293 cxxOperatorCallExpr(hasOverloadedOperatorName("="),
294 hasArgument(0, DeclRefMatcher)),
295 // Declaration. We treat this as a type of reinitialization too,
296 // so we don't need to treat it separately.
297 declStmt(hasDescendant(equalsNode(MovedVariable))),
298 // clear() and assign() on standard containers.
299 cxxMemberCallExpr(
300 on(expr(DeclRefMatcher, StandardContainerTypeMatcher)),
301 // To keep the matcher simple, we check for assign() calls
302 // on all standard containers, even though only vector,
303 // deque, forward_list and list have assign(). If assign()
304 // is called on any of the other containers, this will be
305 // flagged by a compile error anyway.
306 callee(cxxMethodDecl(hasAnyName("clear", "assign")))),
307 // reset() on standard smart pointers.
308 cxxMemberCallExpr(
309 on(expr(DeclRefMatcher, StandardSmartPointerTypeMatcher)),
310 callee(cxxMethodDecl(hasName("reset")))),
311 // Methods that have the [[clang::reinitializes]] attribute.
312 cxxMemberCallExpr(
313 on(DeclRefMatcher),
314 callee(cxxMethodDecl(hasAttr(clang::attr::Reinitializes)))),
315 // Passing variable to a function as a non-const pointer.
316 callExpr(forEachArgumentWithParam(
317 unaryOperator(hasOperatorName("&"),
318 hasUnaryOperand(DeclRefMatcher)),
319 unless(parmVarDecl(hasType(pointsTo(isConstQualified())))))),
320 // Passing variable to a function as a non-const lvalue reference
321 // (unless that function is std::move()).
322 callExpr(forEachArgumentWithParam(
323 DeclRefMatcher,
324 unless(parmVarDecl(hasType(
325 references(qualType(isConstQualified())))))),
326 unless(callee(functionDecl(hasName("::std::move")))))))
327 .bind("reinit");
328
329 Stmts->clear();
330 DeclRefs->clear();
331 for (const auto &Elem : *Block) {
332 Optional<CFGStmt> S = Elem.getAs<CFGStmt>();
333 if (!S)
334 continue;
335
336 SmallVector<BoundNodes, 1> Matches =
337 match(findAll(ReinitMatcher), *S->getStmt(), *Context);
338
339 for (const auto &Match : Matches) {
340 const auto *TheStmt = Match.getNodeAs<Stmt>("reinit");
341 const auto *TheDeclRef = Match.getNodeAs<DeclRefExpr>("declref");
342 if (TheStmt && BlockMap->blockContainingStmt(TheStmt) == Block) {
343 Stmts->insert(TheStmt);
344
345 // We count DeclStmts as reinitializations, but they don't have a
346 // DeclRefExpr associated with them -- so we need to check 'TheDeclRef'
347 // before adding it to the set.
348 if (TheDeclRef)
349 DeclRefs->insert(TheDeclRef);
350 }
351 }
352 }
353 }
354
emitDiagnostic(const Expr * MovingCall,const DeclRefExpr * MoveArg,const UseAfterMove & Use,ClangTidyCheck * Check,ASTContext * Context)355 static void emitDiagnostic(const Expr *MovingCall, const DeclRefExpr *MoveArg,
356 const UseAfterMove &Use, ClangTidyCheck *Check,
357 ASTContext *Context) {
358 SourceLocation UseLoc = Use.DeclRef->getExprLoc();
359 SourceLocation MoveLoc = MovingCall->getExprLoc();
360
361 Check->diag(UseLoc, "'%0' used after it was moved")
362 << MoveArg->getDecl()->getName();
363 Check->diag(MoveLoc, "move occurred here", DiagnosticIDs::Note);
364 if (Use.EvaluationOrderUndefined) {
365 Check->diag(UseLoc,
366 "the use and move are unsequenced, i.e. there is no guarantee "
367 "about the order in which they are evaluated",
368 DiagnosticIDs::Note);
369 } else if (UseLoc < MoveLoc || Use.DeclRef == MoveArg) {
370 Check->diag(UseLoc,
371 "the use happens in a later loop iteration than the move",
372 DiagnosticIDs::Note);
373 }
374 }
375
registerMatchers(MatchFinder * Finder)376 void UseAfterMoveCheck::registerMatchers(MatchFinder *Finder) {
377 if (!getLangOpts().CPlusPlus11)
378 return;
379
380 auto CallMoveMatcher =
381 callExpr(callee(functionDecl(hasName("::std::move"))), argumentCountIs(1),
382 hasArgument(0, declRefExpr().bind("arg")),
383 anyOf(hasAncestor(lambdaExpr().bind("containing-lambda")),
384 hasAncestor(functionDecl().bind("containing-func"))),
385 unless(inDecltypeOrTemplateArg()))
386 .bind("call-move");
387
388 Finder->addMatcher(
389 // To find the Stmt that we assume performs the actual move, we look for
390 // the direct ancestor of the std::move() that isn't one of the node
391 // types ignored by ignoringParenImpCasts().
392 stmt(forEach(expr(ignoringParenImpCasts(CallMoveMatcher))),
393 // Don't allow an InitListExpr to be the moving call. An InitListExpr
394 // has both a syntactic and a semantic form, and the parent-child
395 // relationships are different between the two. This could cause an
396 // InitListExpr to be analyzed as the moving call in addition to the
397 // Expr that we actually want, resulting in two diagnostics with
398 // different code locations for the same move.
399 unless(initListExpr()),
400 unless(expr(ignoringParenImpCasts(equalsBoundNode("call-move")))))
401 .bind("moving-call"),
402 this);
403 }
404
check(const MatchFinder::MatchResult & Result)405 void UseAfterMoveCheck::check(const MatchFinder::MatchResult &Result) {
406 const auto *ContainingLambda =
407 Result.Nodes.getNodeAs<LambdaExpr>("containing-lambda");
408 const auto *ContainingFunc =
409 Result.Nodes.getNodeAs<FunctionDecl>("containing-func");
410 const auto *CallMove = Result.Nodes.getNodeAs<CallExpr>("call-move");
411 const auto *MovingCall = Result.Nodes.getNodeAs<Expr>("moving-call");
412 const auto *Arg = Result.Nodes.getNodeAs<DeclRefExpr>("arg");
413
414 if (!MovingCall || !MovingCall->getExprLoc().isValid())
415 MovingCall = CallMove;
416
417 Stmt *FunctionBody = nullptr;
418 if (ContainingLambda)
419 FunctionBody = ContainingLambda->getBody();
420 else if (ContainingFunc)
421 FunctionBody = ContainingFunc->getBody();
422 else
423 return;
424
425 // Ignore the std::move if the variable that was passed to it isn't a local
426 // variable.
427 if (!Arg->getDecl()->getDeclContext()->isFunctionOrMethod())
428 return;
429
430 UseAfterMoveFinder finder(Result.Context);
431 UseAfterMove Use;
432 if (finder.find(FunctionBody, MovingCall, Arg->getDecl(), &Use))
433 emitDiagnostic(MovingCall, Arg, Use, this, Result.Context);
434 }
435
436 } // namespace bugprone
437 } // namespace tidy
438 } // namespace clang
439