1//===--- UseAfterMoveCheck.cpp - clang-tidy -------------------------------===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8
9#include "UseAfterMoveCheck.h"
10
11#include "clang/AST/Expr.h"
12#include "clang/AST/ExprCXX.h"
13#include "clang/ASTMatchers/ASTMatchers.h"
14#include "clang/Analysis/CFG.h"
15#include "clang/Lex/Lexer.h"
16#include "llvm/ADT/STLExtras.h"
17
18#include "../utils/ExprSequence.h"
19#include "../utils/Matchers.h"
20#include <optional>
21
22using namespace clang::ast_matchers;
23using namespace clang::tidy::utils;
24
25namespace clang::tidy::bugprone {
26
27using matchers::hasUnevaluatedContext;
28
29namespace {
30
31/// Contains information about a use-after-move.
32struct UseAfterMove {
33 // The DeclRefExpr that constituted the use of the object.
34 const DeclRefExpr *DeclRef;
35
36 // Is the order in which the move and the use are evaluated undefined?
37 bool EvaluationOrderUndefined;
38};
39
40/// Finds uses of a variable after a move (and maintains state required by the
41/// various internal helper functions).
42class UseAfterMoveFinder {
43public:
44 UseAfterMoveFinder(ASTContext *TheContext);
45
46 // Within the given code block, finds the first use of 'MovedVariable' that
47 // occurs after 'MovingCall' (the expression that performs the move). If a
48 // use-after-move is found, writes information about it to 'TheUseAfterMove'.
49 // Returns whether a use-after-move was found.
50 bool find(Stmt *CodeBlock, const Expr *MovingCall,
51 const ValueDecl *MovedVariable, UseAfterMove *TheUseAfterMove);
52
53private:
54 bool findInternal(const CFGBlock *Block, const Expr *MovingCall,
55 const ValueDecl *MovedVariable,
56 UseAfterMove *TheUseAfterMove);
57 void getUsesAndReinits(const CFGBlock *Block, const ValueDecl *MovedVariable,
58 llvm::SmallVectorImpl<const DeclRefExpr *> *Uses,
59 llvm::SmallPtrSetImpl<const Stmt *> *Reinits);
60 void getDeclRefs(const CFGBlock *Block, const Decl *MovedVariable,
61 llvm::SmallPtrSetImpl<const DeclRefExpr *> *DeclRefs);
62 void getReinits(const CFGBlock *Block, const ValueDecl *MovedVariable,
63 llvm::SmallPtrSetImpl<const Stmt *> *Stmts,
64 llvm::SmallPtrSetImpl<const DeclRefExpr *> *DeclRefs);
65
66 ASTContext *Context;
67 std::unique_ptr<ExprSequence> Sequence;
68 std::unique_ptr<StmtToBlockMap> BlockMap;
69 llvm::SmallPtrSet<const CFGBlock *, 8> Visited;
70};
71
72} // namespace
73
74// Matches nodes that are
75// - Part of a decltype argument or class template argument (we check this by
76// seeing if they are children of a TypeLoc), or
77// - Part of a function template argument (we check this by seeing if they are
78// children of a DeclRefExpr that references a function template).
79// DeclRefExprs that fulfill these conditions should not be counted as a use or
80// move.
81static StatementMatcher inDecltypeOrTemplateArg() {
82 return anyOf(hasAncestor(typeLoc()),
83 hasAncestor(declRefExpr(
84 to(InnerMatcher: functionDecl(ast_matchers::isTemplateInstantiation())))),
85 hasAncestor(expr(hasUnevaluatedContext())));
86}
87
88UseAfterMoveFinder::UseAfterMoveFinder(ASTContext *TheContext)
89 : Context(TheContext) {}
90
91bool UseAfterMoveFinder::find(Stmt *CodeBlock, const Expr *MovingCall,
92 const ValueDecl *MovedVariable,
93 UseAfterMove *TheUseAfterMove) {
94 // Generate the CFG manually instead of through an AnalysisDeclContext because
95 // it seems the latter can't be used to generate a CFG for the body of a
96 // lambda.
97 //
98 // We include implicit and temporary destructors in the CFG so that
99 // destructors marked [[noreturn]] are handled correctly in the control flow
100 // analysis. (These are used in some styles of assertion macros.)
101 CFG::BuildOptions Options;
102 Options.AddImplicitDtors = true;
103 Options.AddTemporaryDtors = true;
104 std::unique_ptr<CFG> TheCFG =
105 CFG::buildCFG(D: nullptr, AST: CodeBlock, C: Context, BO: Options);
106 if (!TheCFG)
107 return false;
108
109 Sequence = std::make_unique<ExprSequence>(args: TheCFG.get(), args&: CodeBlock, args&: Context);
110 BlockMap = std::make_unique<StmtToBlockMap>(args: TheCFG.get(), args&: Context);
111 Visited.clear();
112
113 const CFGBlock *Block = BlockMap->blockContainingStmt(MovingCall);
114 if (!Block) {
115 // This can happen if MovingCall is in a constructor initializer, which is
116 // not included in the CFG because the CFG is built only from the function
117 // body.
118 Block = &TheCFG->getEntry();
119 }
120
121 return findInternal(Block, MovingCall, MovedVariable, TheUseAfterMove);
122}
123
124bool UseAfterMoveFinder::findInternal(const CFGBlock *Block,
125 const Expr *MovingCall,
126 const ValueDecl *MovedVariable,
127 UseAfterMove *TheUseAfterMove) {
128 if (Visited.count(Ptr: Block))
129 return false;
130
131 // Mark the block as visited (except if this is the block containing the
132 // std::move() and it's being visited the first time).
133 if (!MovingCall)
134 Visited.insert(Ptr: Block);
135
136 // Get all uses and reinits in the block.
137 llvm::SmallVector<const DeclRefExpr *, 1> Uses;
138 llvm::SmallPtrSet<const Stmt *, 1> Reinits;
139 getUsesAndReinits(Block, MovedVariable, Uses: &Uses, Reinits: &Reinits);
140
141 // Ignore all reinitializations where the move potentially comes after the
142 // reinit.
143 // If `Reinit` is identical to `MovingCall`, we're looking at a move-to-self
144 // (e.g. `a = std::move(a)`). Count these as reinitializations.
145 llvm::SmallVector<const Stmt *, 1> ReinitsToDelete;
146 for (const Stmt *Reinit : Reinits) {
147 if (MovingCall && Reinit != MovingCall &&
148 Sequence->potentiallyAfter(MovingCall, Reinit))
149 ReinitsToDelete.push_back(Elt: Reinit);
150 }
151 for (const Stmt *Reinit : ReinitsToDelete) {
152 Reinits.erase(Ptr: Reinit);
153 }
154
155 // Find all uses that potentially come after the move.
156 for (const DeclRefExpr *Use : Uses) {
157 if (!MovingCall || Sequence->potentiallyAfter(Use, MovingCall)) {
158 // Does the use have a saving reinit? A reinit is saving if it definitely
159 // comes before the use, i.e. if there's no potential that the reinit is
160 // after the use.
161 bool HaveSavingReinit = false;
162 for (const Stmt *Reinit : Reinits) {
163 if (!Sequence->potentiallyAfter(Reinit, Use))
164 HaveSavingReinit = true;
165 }
166
167 if (!HaveSavingReinit) {
168 TheUseAfterMove->DeclRef = Use;
169
170 // Is this a use-after-move that depends on order of evaluation?
171 // This is the case if the move potentially comes after the use (and we
172 // already know that use potentially comes after the move, which taken
173 // together tells us that the ordering is unclear).
174 TheUseAfterMove->EvaluationOrderUndefined =
175 MovingCall != nullptr &&
176 Sequence->potentiallyAfter(MovingCall, Use);
177
178 return true;
179 }
180 }
181 }
182
183 // If the object wasn't reinitialized, call ourselves recursively on all
184 // successors.
185 if (Reinits.empty()) {
186 for (const auto &Succ : Block->succs()) {
187 if (Succ && findInternal(Block: Succ, MovingCall: nullptr, MovedVariable, TheUseAfterMove))
188 return true;
189 }
190 }
191
192 return false;
193}
194
195void UseAfterMoveFinder::getUsesAndReinits(
196 const CFGBlock *Block, const ValueDecl *MovedVariable,
197 llvm::SmallVectorImpl<const DeclRefExpr *> *Uses,
198 llvm::SmallPtrSetImpl<const Stmt *> *Reinits) {
199 llvm::SmallPtrSet<const DeclRefExpr *, 1> DeclRefs;
200 llvm::SmallPtrSet<const DeclRefExpr *, 1> ReinitDeclRefs;
201
202 getDeclRefs(Block, MovedVariable, &DeclRefs);
203 getReinits(Block, MovedVariable, Stmts: Reinits, DeclRefs: &ReinitDeclRefs);
204
205 // All references to the variable that aren't reinitializations are uses.
206 Uses->clear();
207 for (const DeclRefExpr *DeclRef : DeclRefs) {
208 if (!ReinitDeclRefs.count(Ptr: DeclRef))
209 Uses->push_back(Elt: DeclRef);
210 }
211
212 // Sort the uses by their occurrence in the source code.
213 llvm::sort(C&: *Uses, Comp: [](const DeclRefExpr *D1, const DeclRefExpr *D2) {
214 return D1->getExprLoc() < D2->getExprLoc();
215 });
216}
217
218bool isStandardSmartPointer(const ValueDecl *VD) {
219 const Type *TheType = VD->getType().getNonReferenceType().getTypePtrOrNull();
220 if (!TheType)
221 return false;
222
223 const CXXRecordDecl *RecordDecl = TheType->getAsCXXRecordDecl();
224 if (!RecordDecl)
225 return false;
226
227 const IdentifierInfo *ID = RecordDecl->getIdentifier();
228 if (!ID)
229 return false;
230
231 StringRef Name = ID->getName();
232 if (Name != "unique_ptr" && Name != "shared_ptr" && Name != "weak_ptr")
233 return false;
234
235 return RecordDecl->getDeclContext()->isStdNamespace();
236}
237
238void UseAfterMoveFinder::getDeclRefs(
239 const CFGBlock *Block, const Decl *MovedVariable,
240 llvm::SmallPtrSetImpl<const DeclRefExpr *> *DeclRefs) {
241 DeclRefs->clear();
242 for (const auto &Elem : *Block) {
243 std::optional<CFGStmt> S = Elem.getAs<CFGStmt>();
244 if (!S)
245 continue;
246
247 auto AddDeclRefs = [this, Block,
248 DeclRefs](const ArrayRef<BoundNodes> Matches) {
249 for (const auto &Match : Matches) {
250 const auto *DeclRef = Match.getNodeAs<DeclRefExpr>(ID: "declref");
251 const auto *Operator = Match.getNodeAs<CXXOperatorCallExpr>(ID: "operator");
252 if (DeclRef && BlockMap->blockContainingStmt(DeclRef) == Block) {
253 // Ignore uses of a standard smart pointer that don't dereference the
254 // pointer.
255 if (Operator || !isStandardSmartPointer(VD: DeclRef->getDecl())) {
256 DeclRefs->insert(Ptr: DeclRef);
257 }
258 }
259 }
260 };
261
262 auto DeclRefMatcher = declRefExpr(hasDeclaration(InnerMatcher: equalsNode(Other: MovedVariable)),
263 unless(inDecltypeOrTemplateArg()))
264 .bind(ID: "declref");
265
266 AddDeclRefs(match(Matcher: traverse(TK: TK_AsIs, InnerMatcher: findAll(Matcher: DeclRefMatcher)), Node: *S->getStmt(),
267 Context&: *Context));
268 AddDeclRefs(match(Matcher: findAll(Matcher: cxxOperatorCallExpr(
269 hasAnyOverloadedOperatorName("*", "->", "[]"),
270 hasArgument(N: 0, InnerMatcher: DeclRefMatcher))
271 .bind(ID: "operator")),
272 Node: *S->getStmt(), Context&: *Context));
273 }
274}
275
276void UseAfterMoveFinder::getReinits(
277 const CFGBlock *Block, const ValueDecl *MovedVariable,
278 llvm::SmallPtrSetImpl<const Stmt *> *Stmts,
279 llvm::SmallPtrSetImpl<const DeclRefExpr *> *DeclRefs) {
280 auto DeclRefMatcher =
281 declRefExpr(hasDeclaration(equalsNode(MovedVariable))).bind("declref");
282
283 auto StandardContainerTypeMatcher = hasType(InnerMatcher: hasUnqualifiedDesugaredType(
284 InnerMatcher: recordType(hasDeclaration(InnerMatcher: cxxRecordDecl(hasAnyName(
285 "::std::basic_string", "::std::vector", "::std::deque",
286 "::std::forward_list", "::std::list", "::std::set", "::std::map",
287 "::std::multiset", "::std::multimap", "::std::unordered_set",
288 "::std::unordered_map", "::std::unordered_multiset",
289 "::std::unordered_multimap"))))));
290
291 auto StandardSmartPointerTypeMatcher = hasType(InnerMatcher: hasUnqualifiedDesugaredType(
292 InnerMatcher: recordType(hasDeclaration(InnerMatcher: cxxRecordDecl(hasAnyName(
293 "::std::unique_ptr", "::std::shared_ptr", "::std::weak_ptr"))))));
294
295 // Matches different types of reinitialization.
296 auto ReinitMatcher =
297 stmt(anyOf(
298 // Assignment. In addition to the overloaded assignment operator,
299 // test for built-in assignment as well, since template functions
300 // may be instantiated to use std::move() on built-in types.
301 binaryOperation(hasOperatorName("="), hasLHS(DeclRefMatcher)),
302 // Declaration. We treat this as a type of reinitialization too,
303 // so we don't need to treat it separately.
304 declStmt(hasDescendant(equalsNode(MovedVariable))),
305 // clear() and assign() on standard containers.
306 cxxMemberCallExpr(
307 on(expr(DeclRefMatcher, StandardContainerTypeMatcher)),
308 // To keep the matcher simple, we check for assign() calls
309 // on all standard containers, even though only vector,
310 // deque, forward_list and list have assign(). If assign()
311 // is called on any of the other containers, this will be
312 // flagged by a compile error anyway.
313 callee(cxxMethodDecl(hasAnyName("clear", "assign")))),
314 // reset() on standard smart pointers.
315 cxxMemberCallExpr(
316 on(expr(DeclRefMatcher, StandardSmartPointerTypeMatcher)),
317 callee(cxxMethodDecl(hasName("reset")))),
318 // Methods that have the [[clang::reinitializes]] attribute.
319 cxxMemberCallExpr(
320 on(DeclRefMatcher),
321 callee(cxxMethodDecl(hasAttr(clang::attr::Reinitializes)))),
322 // Passing variable to a function as a non-const pointer.
323 callExpr(forEachArgumentWithParam(
324 unaryOperator(hasOperatorName("&"),
325 hasUnaryOperand(DeclRefMatcher)),
326 unless(parmVarDecl(hasType(pointsTo(isConstQualified())))))),
327 // Passing variable to a function as a non-const lvalue reference
328 // (unless that function is std::move()).
329 callExpr(forEachArgumentWithParam(
330 traverse(TK_AsIs, DeclRefMatcher),
331 unless(parmVarDecl(hasType(
332 references(qualType(isConstQualified())))))),
333 unless(callee(functionDecl(
334 hasAnyName("::std::move", "::std::forward")))))))
335 .bind("reinit");
336
337 Stmts->clear();
338 DeclRefs->clear();
339 for (const auto &Elem : *Block) {
340 std::optional<CFGStmt> S = Elem.getAs<CFGStmt>();
341 if (!S)
342 continue;
343
344 SmallVector<BoundNodes, 1> Matches =
345 match(findAll(ReinitMatcher), *S->getStmt(), *Context);
346
347 for (const auto &Match : Matches) {
348 const auto *TheStmt = Match.getNodeAs<Stmt>("reinit");
349 const auto *TheDeclRef = Match.getNodeAs<DeclRefExpr>("declref");
350 if (TheStmt && BlockMap->blockContainingStmt(TheStmt) == Block) {
351 Stmts->insert(TheStmt);
352
353 // We count DeclStmts as reinitializations, but they don't have a
354 // DeclRefExpr associated with them -- so we need to check 'TheDeclRef'
355 // before adding it to the set.
356 if (TheDeclRef)
357 DeclRefs->insert(TheDeclRef);
358 }
359 }
360 }
361}
362
363enum class MoveType {
364 Move, // std::move
365 Forward, // std::forward
366};
367
368static MoveType determineMoveType(const FunctionDecl *FuncDecl) {
369 if (FuncDecl->getName() == "move")
370 return MoveType::Move;
371 if (FuncDecl->getName() == "forward")
372 return MoveType::Forward;
373
374 llvm_unreachable("Invalid move type");
375}
376
377static void emitDiagnostic(const Expr *MovingCall, const DeclRefExpr *MoveArg,
378 const UseAfterMove &Use, ClangTidyCheck *Check,
379 ASTContext *Context, MoveType Type) {
380 const SourceLocation UseLoc = Use.DeclRef->getExprLoc();
381 const SourceLocation MoveLoc = MovingCall->getExprLoc();
382
383 const bool IsMove = (Type == MoveType::Move);
384
385 Check->diag(Loc: UseLoc, Description: "'%0' used after it was %select{forwarded|moved}1")
386 << MoveArg->getDecl()->getName() << IsMove;
387 Check->diag(Loc: MoveLoc, Description: "%select{forward|move}0 occurred here",
388 Level: DiagnosticIDs::Note)
389 << IsMove;
390 if (Use.EvaluationOrderUndefined) {
391 Check->diag(
392 Loc: UseLoc,
393 Description: "the use and %select{forward|move}0 are unsequenced, i.e. "
394 "there is no guarantee about the order in which they are evaluated",
395 Level: DiagnosticIDs::Note)
396 << IsMove;
397 } else if (UseLoc < MoveLoc || Use.DeclRef == MoveArg) {
398 Check->diag(Loc: UseLoc,
399 Description: "the use happens in a later loop iteration than the "
400 "%select{forward|move}0",
401 Level: DiagnosticIDs::Note)
402 << IsMove;
403 }
404}
405
406void UseAfterMoveCheck::registerMatchers(MatchFinder *Finder) {
407 // try_emplace is a common maybe-moving function that returns a
408 // bool to tell callers whether it moved. Ignore std::move inside
409 // try_emplace to avoid false positives as we don't track uses of
410 // the bool.
411 auto TryEmplaceMatcher =
412 cxxMemberCallExpr(callee(InnerMatcher: cxxMethodDecl(hasName(Name: "try_emplace"))));
413 auto CallMoveMatcher =
414 callExpr(argumentCountIs(N: 1),
415 callee(InnerMatcher: functionDecl(hasAnyName("::std::move", "::std::forward"))
416 .bind(ID: "move-decl")),
417 hasArgument(N: 0, InnerMatcher: declRefExpr().bind(ID: "arg")),
418 unless(inDecltypeOrTemplateArg()),
419 unless(hasParent(TryEmplaceMatcher)), expr().bind(ID: "call-move"),
420 anyOf(hasAncestor(compoundStmt(
421 hasParent(lambdaExpr().bind(ID: "containing-lambda")))),
422 hasAncestor(functionDecl(anyOf(
423 cxxConstructorDecl(
424 hasAnyConstructorInitializer(InnerMatcher: withInitializer(
425 InnerMatcher: expr(anyOf(equalsBoundNode(ID: "call-move"),
426 hasDescendant(expr(
427 equalsBoundNode(ID: "call-move")))))
428 .bind(ID: "containing-ctor-init"))))
429 .bind(ID: "containing-ctor"),
430 functionDecl().bind(ID: "containing-func"))))));
431
432 Finder->addMatcher(
433 NodeMatch: traverse(
434 TK: TK_AsIs,
435 // To find the Stmt that we assume performs the actual move, we look
436 // for the direct ancestor of the std::move() that isn't one of the
437 // node types ignored by ignoringParenImpCasts().
438 InnerMatcher: stmt(
439 forEach(expr(ignoringParenImpCasts(InnerMatcher: CallMoveMatcher))),
440 // Don't allow an InitListExpr to be the moving call. An
441 // InitListExpr has both a syntactic and a semantic form, and the
442 // parent-child relationships are different between the two. This
443 // could cause an InitListExpr to be analyzed as the moving call
444 // in addition to the Expr that we actually want, resulting in two
445 // diagnostics with different code locations for the same move.
446 unless(initListExpr()),
447 unless(expr(ignoringParenImpCasts(InnerMatcher: equalsBoundNode(ID: "call-move")))))
448 .bind(ID: "moving-call")),
449 Action: this);
450}
451
452void UseAfterMoveCheck::check(const MatchFinder::MatchResult &Result) {
453 const auto *ContainingCtor =
454 Result.Nodes.getNodeAs<CXXConstructorDecl>(ID: "containing-ctor");
455 const auto *ContainingCtorInit =
456 Result.Nodes.getNodeAs<Expr>(ID: "containing-ctor-init");
457 const auto *ContainingLambda =
458 Result.Nodes.getNodeAs<LambdaExpr>(ID: "containing-lambda");
459 const auto *ContainingFunc =
460 Result.Nodes.getNodeAs<FunctionDecl>(ID: "containing-func");
461 const auto *CallMove = Result.Nodes.getNodeAs<CallExpr>(ID: "call-move");
462 const auto *MovingCall = Result.Nodes.getNodeAs<Expr>(ID: "moving-call");
463 const auto *Arg = Result.Nodes.getNodeAs<DeclRefExpr>(ID: "arg");
464 const auto *MoveDecl = Result.Nodes.getNodeAs<FunctionDecl>(ID: "move-decl");
465
466 if (!MovingCall || !MovingCall->getExprLoc().isValid())
467 MovingCall = CallMove;
468
469 // Ignore the std::move if the variable that was passed to it isn't a local
470 // variable.
471 if (!Arg->getDecl()->getDeclContext()->isFunctionOrMethod())
472 return;
473
474 // Collect all code blocks that could use the arg after move.
475 llvm::SmallVector<Stmt *> CodeBlocks{};
476 if (ContainingCtor) {
477 CodeBlocks.push_back(Elt: ContainingCtor->getBody());
478 if (ContainingCtorInit) {
479 // Collect the constructor initializer expressions.
480 bool BeforeMove{true};
481 for (CXXCtorInitializer *Init : ContainingCtor->inits()) {
482 if (BeforeMove && Init->getInit()->IgnoreImplicit() ==
483 ContainingCtorInit->IgnoreImplicit())
484 BeforeMove = false;
485 if (!BeforeMove)
486 CodeBlocks.push_back(Init->getInit());
487 }
488 }
489 } else if (ContainingLambda) {
490 CodeBlocks.push_back(Elt: ContainingLambda->getBody());
491 } else if (ContainingFunc) {
492 CodeBlocks.push_back(Elt: ContainingFunc->getBody());
493 }
494
495 for (Stmt *CodeBlock : CodeBlocks) {
496 UseAfterMoveFinder Finder(Result.Context);
497 UseAfterMove Use;
498 if (Finder.find(CodeBlock, MovingCall, MovedVariable: Arg->getDecl(), TheUseAfterMove: &Use))
499 emitDiagnostic(MovingCall, MoveArg: Arg, Use, Check: this, Context: Result.Context,
500 Type: determineMoveType(FuncDecl: MoveDecl));
501 }
502}
503
504} // namespace clang::tidy::bugprone
505

source code of clang-tools-extra/clang-tidy/bugprone/UseAfterMoveCheck.cpp