1//===---------- ExprMutationAnalyzer.cpp ----------------------------------===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8#include "clang/Analysis/Analyses/ExprMutationAnalyzer.h"
9#include "clang/AST/Expr.h"
10#include "clang/AST/OperationKinds.h"
11#include "clang/ASTMatchers/ASTMatchFinder.h"
12#include "clang/ASTMatchers/ASTMatchers.h"
13#include "llvm/ADT/STLExtras.h"
14
15namespace clang {
16using namespace ast_matchers;
17
18// Check if result of Source expression could be a Target expression.
19// Checks:
20// - Implicit Casts
21// - Binary Operators
22// - ConditionalOperator
23// - BinaryConditionalOperator
24static bool canExprResolveTo(const Expr *Source, const Expr *Target) {
25
26 const auto IgnoreDerivedToBase = [](const Expr *E, auto Matcher) {
27 if (Matcher(E))
28 return true;
29 if (const auto *Cast = dyn_cast<ImplicitCastExpr>(Val: E)) {
30 if ((Cast->getCastKind() == CK_DerivedToBase ||
31 Cast->getCastKind() == CK_UncheckedDerivedToBase) &&
32 Matcher(Cast->getSubExpr()))
33 return true;
34 }
35 return false;
36 };
37
38 const auto EvalCommaExpr = [](const Expr *E, auto Matcher) {
39 const Expr *Result = E;
40 while (const auto *BOComma =
41 dyn_cast_or_null<BinaryOperator>(Val: Result->IgnoreParens())) {
42 if (!BOComma->isCommaOp())
43 break;
44 Result = BOComma->getRHS();
45 }
46
47 return Result != E && Matcher(Result);
48 };
49
50 // The 'ConditionalOperatorM' matches on `<anything> ? <expr> : <expr>`.
51 // This matching must be recursive because `<expr>` can be anything resolving
52 // to the `InnerMatcher`, for example another conditional operator.
53 // The edge-case `BaseClass &b = <cond> ? DerivedVar1 : DerivedVar2;`
54 // is handled, too. The implicit cast happens outside of the conditional.
55 // This is matched by `IgnoreDerivedToBase(canResolveToExpr(InnerMatcher))`
56 // below.
57 const auto ConditionalOperatorM = [Target](const Expr *E) {
58 if (const auto *OP = dyn_cast<ConditionalOperator>(Val: E)) {
59 if (const auto *TE = OP->getTrueExpr()->IgnoreParens())
60 if (canExprResolveTo(Source: TE, Target))
61 return true;
62 if (const auto *FE = OP->getFalseExpr()->IgnoreParens())
63 if (canExprResolveTo(Source: FE, Target))
64 return true;
65 }
66 return false;
67 };
68
69 const auto ElvisOperator = [Target](const Expr *E) {
70 if (const auto *OP = dyn_cast<BinaryConditionalOperator>(Val: E)) {
71 if (const auto *TE = OP->getTrueExpr()->IgnoreParens())
72 if (canExprResolveTo(Source: TE, Target))
73 return true;
74 if (const auto *FE = OP->getFalseExpr()->IgnoreParens())
75 if (canExprResolveTo(Source: FE, Target))
76 return true;
77 }
78 return false;
79 };
80
81 const Expr *SourceExprP = Source->IgnoreParens();
82 return IgnoreDerivedToBase(SourceExprP,
83 [&](const Expr *E) {
84 return E == Target || ConditionalOperatorM(E) ||
85 ElvisOperator(E);
86 }) ||
87 EvalCommaExpr(SourceExprP, [&](const Expr *E) {
88 return IgnoreDerivedToBase(
89 E->IgnoreParens(), [&](const Expr *EE) { return EE == Target; });
90 });
91}
92
93namespace {
94
95AST_MATCHER_P(LambdaExpr, hasCaptureInit, const Expr *, E) {
96 return llvm::is_contained(Range: Node.capture_inits(), Element: E);
97}
98
99AST_MATCHER_P(CXXForRangeStmt, hasRangeStmt,
100 ast_matchers::internal::Matcher<DeclStmt>, InnerMatcher) {
101 const DeclStmt *const Range = Node.getRangeStmt();
102 return InnerMatcher.matches(Node: *Range, Finder, Builder);
103}
104
105AST_MATCHER_P(Stmt, canResolveToExpr, const Stmt *, Inner) {
106 auto *Exp = dyn_cast<Expr>(Val: &Node);
107 if (!Exp)
108 return true;
109 auto *Target = dyn_cast<Expr>(Val: Inner);
110 if (!Target)
111 return false;
112 return canExprResolveTo(Source: Exp, Target);
113}
114
115// Similar to 'hasAnyArgument', but does not work because 'InitListExpr' does
116// not have the 'arguments()' method.
117AST_MATCHER_P(InitListExpr, hasAnyInit, ast_matchers::internal::Matcher<Expr>,
118 InnerMatcher) {
119 for (const Expr *Arg : Node.inits()) {
120 ast_matchers::internal::BoundNodesTreeBuilder Result(*Builder);
121 if (InnerMatcher.matches(Node: *Arg, Finder, Builder: &Result)) {
122 *Builder = std::move(Result);
123 return true;
124 }
125 }
126 return false;
127}
128
129const ast_matchers::internal::VariadicDynCastAllOfMatcher<Stmt, CXXTypeidExpr>
130 cxxTypeidExpr;
131
132AST_MATCHER(CXXTypeidExpr, isPotentiallyEvaluated) {
133 return Node.isPotentiallyEvaluated();
134}
135
136AST_MATCHER(CXXMemberCallExpr, isConstCallee) {
137 const Decl *CalleeDecl = Node.getCalleeDecl();
138 const auto *VD = dyn_cast_or_null<ValueDecl>(Val: CalleeDecl);
139 if (!VD)
140 return false;
141 const QualType T = VD->getType().getCanonicalType();
142 const auto *MPT = dyn_cast<MemberPointerType>(Val: T);
143 const auto *FPT = MPT ? cast<FunctionProtoType>(MPT->getPointeeType())
144 : dyn_cast<FunctionProtoType>(Val: T);
145 if (!FPT)
146 return false;
147 return FPT->isConst();
148}
149
150AST_MATCHER_P(GenericSelectionExpr, hasControllingExpr,
151 ast_matchers::internal::Matcher<Expr>, InnerMatcher) {
152 if (Node.isTypePredicate())
153 return false;
154 return InnerMatcher.matches(Node: *Node.getControllingExpr(), Finder, Builder);
155}
156
157template <typename T>
158ast_matchers::internal::Matcher<T>
159findFirst(const ast_matchers::internal::Matcher<T> &Matcher) {
160 return anyOf(Matcher, hasDescendant(Matcher));
161}
162
163const auto nonConstReferenceType = [] {
164 return hasUnqualifiedDesugaredType(
165 InnerMatcher: referenceType(pointee(unless(isConstQualified()))));
166};
167
168const auto nonConstPointerType = [] {
169 return hasUnqualifiedDesugaredType(
170 InnerMatcher: pointerType(pointee(unless(isConstQualified()))));
171};
172
173const auto isMoveOnly = [] {
174 return cxxRecordDecl(
175 hasMethod(InnerMatcher: cxxConstructorDecl(isMoveConstructor(), unless(isDeleted()))),
176 hasMethod(InnerMatcher: cxxMethodDecl(isMoveAssignmentOperator(), unless(isDeleted()))),
177 unless(anyOf(hasMethod(InnerMatcher: cxxConstructorDecl(isCopyConstructor(),
178 unless(isDeleted()))),
179 hasMethod(InnerMatcher: cxxMethodDecl(isCopyAssignmentOperator(),
180 unless(isDeleted()))))));
181};
182
183template <class T> struct NodeID;
184template <> struct NodeID<Expr> { static constexpr StringRef value = "expr"; };
185template <> struct NodeID<Decl> { static constexpr StringRef value = "decl"; };
186constexpr StringRef NodeID<Expr>::value;
187constexpr StringRef NodeID<Decl>::value;
188
189template <class T,
190 class F = const Stmt *(ExprMutationAnalyzer::Analyzer::*)(const T *)>
191const Stmt *tryEachMatch(ArrayRef<ast_matchers::BoundNodes> Matches,
192 ExprMutationAnalyzer::Analyzer *Analyzer, F Finder) {
193 const StringRef ID = NodeID<T>::value;
194 for (const auto &Nodes : Matches) {
195 if (const Stmt *S = (Analyzer->*Finder)(Nodes.getNodeAs<T>(ID)))
196 return S;
197 }
198 return nullptr;
199}
200
201} // namespace
202
203const Stmt *ExprMutationAnalyzer::Analyzer::findMutation(const Expr *Exp) {
204 return findMutationMemoized(
205 Exp,
206 Finders: {&ExprMutationAnalyzer::Analyzer::findDirectMutation,
207 &ExprMutationAnalyzer::Analyzer::findMemberMutation,
208 &ExprMutationAnalyzer::Analyzer::findArrayElementMutation,
209 &ExprMutationAnalyzer::Analyzer::findCastMutation,
210 &ExprMutationAnalyzer::Analyzer::findRangeLoopMutation,
211 &ExprMutationAnalyzer::Analyzer::findReferenceMutation,
212 &ExprMutationAnalyzer::Analyzer::findFunctionArgMutation},
213 MemoizedResults&: Memorized.Results);
214}
215
216const Stmt *ExprMutationAnalyzer::Analyzer::findMutation(const Decl *Dec) {
217 return tryEachDeclRef(Dec, Finder: &ExprMutationAnalyzer::Analyzer::findMutation);
218}
219
220const Stmt *
221ExprMutationAnalyzer::Analyzer::findPointeeMutation(const Expr *Exp) {
222 return findMutationMemoized(Exp, Finders: {/*TODO*/}, MemoizedResults&: Memorized.PointeeResults);
223}
224
225const Stmt *
226ExprMutationAnalyzer::Analyzer::findPointeeMutation(const Decl *Dec) {
227 return tryEachDeclRef(Dec,
228 Finder: &ExprMutationAnalyzer::Analyzer::findPointeeMutation);
229}
230
231const Stmt *ExprMutationAnalyzer::Analyzer::findMutationMemoized(
232 const Expr *Exp, llvm::ArrayRef<MutationFinder> Finders,
233 Memoized::ResultMap &MemoizedResults) {
234 const auto Memoized = MemoizedResults.find(Val: Exp);
235 if (Memoized != MemoizedResults.end())
236 return Memoized->second;
237
238 if (isUnevaluated(Exp))
239 return MemoizedResults[Exp] = nullptr;
240
241 for (const auto &Finder : Finders) {
242 if (const Stmt *S = (this->*Finder)(Exp))
243 return MemoizedResults[Exp] = S;
244 }
245
246 return MemoizedResults[Exp] = nullptr;
247}
248
249const Stmt *
250ExprMutationAnalyzer::Analyzer::tryEachDeclRef(const Decl *Dec,
251 MutationFinder Finder) {
252 const auto Refs = match(
253 Matcher: findAll(
254 Matcher: declRefExpr(to(
255 // `Dec` or a binding if `Dec` is a decomposition.
256 InnerMatcher: anyOf(equalsNode(Other: Dec),
257 bindingDecl(forDecomposition(InnerMatcher: equalsNode(Other: Dec))))
258 //
259 ))
260 .bind(ID: NodeID<Expr>::value)),
261 Node: Stm, Context);
262 for (const auto &RefNodes : Refs) {
263 const auto *E = RefNodes.getNodeAs<Expr>(ID: NodeID<Expr>::value);
264 if ((this->*Finder)(E))
265 return E;
266 }
267 return nullptr;
268}
269
270bool ExprMutationAnalyzer::Analyzer::isUnevaluated(const Stmt *Exp,
271 const Stmt &Stm,
272 ASTContext &Context) {
273 return selectFirst<Stmt>(
274 BoundTo: NodeID<Expr>::value,
275 Results: match(
276 Matcher: findFirst(
277 Matcher: stmt(canResolveToExpr(Inner: Exp),
278 anyOf(
279 // `Exp` is part of the underlying expression of
280 // decltype/typeof if it has an ancestor of
281 // typeLoc.
282 hasAncestor(typeLoc(unless(
283 hasAncestor(unaryExprOrTypeTraitExpr())))),
284 hasAncestor(expr(anyOf(
285 // `UnaryExprOrTypeTraitExpr` is unevaluated
286 // unless it's sizeof on VLA.
287 unaryExprOrTypeTraitExpr(unless(sizeOfExpr(
288 InnerMatcher: hasArgumentOfType(InnerMatcher: variableArrayType())))),
289 // `CXXTypeidExpr` is unevaluated unless it's
290 // applied to an expression of glvalue of
291 // polymorphic class type.
292 cxxTypeidExpr(
293 unless(isPotentiallyEvaluated())),
294 // The controlling expression of
295 // `GenericSelectionExpr` is unevaluated.
296 genericSelectionExpr(hasControllingExpr(
297 InnerMatcher: hasDescendant(equalsNode(Other: Exp)))),
298 cxxNoexceptExpr())))))
299 .bind(ID: NodeID<Expr>::value)),
300 Node: Stm, Context)) != nullptr;
301}
302
303bool ExprMutationAnalyzer::Analyzer::isUnevaluated(const Expr *Exp) {
304 return isUnevaluated(Exp, Stm, Context);
305}
306
307const Stmt *
308ExprMutationAnalyzer::Analyzer::findExprMutation(ArrayRef<BoundNodes> Matches) {
309 return tryEachMatch<Expr>(Matches, Analyzer: this,
310 Finder: &ExprMutationAnalyzer::Analyzer::findMutation);
311}
312
313const Stmt *
314ExprMutationAnalyzer::Analyzer::findDeclMutation(ArrayRef<BoundNodes> Matches) {
315 return tryEachMatch<Decl>(Matches, Analyzer: this,
316 Finder: &ExprMutationAnalyzer::Analyzer::findMutation);
317}
318
319const Stmt *ExprMutationAnalyzer::Analyzer::findExprPointeeMutation(
320 ArrayRef<ast_matchers::BoundNodes> Matches) {
321 return tryEachMatch<Expr>(
322 Matches, Analyzer: this, Finder: &ExprMutationAnalyzer::Analyzer::findPointeeMutation);
323}
324
325const Stmt *ExprMutationAnalyzer::Analyzer::findDeclPointeeMutation(
326 ArrayRef<ast_matchers::BoundNodes> Matches) {
327 return tryEachMatch<Decl>(
328 Matches, Analyzer: this, Finder: &ExprMutationAnalyzer::Analyzer::findPointeeMutation);
329}
330
331const Stmt *
332ExprMutationAnalyzer::Analyzer::findDirectMutation(const Expr *Exp) {
333 // LHS of any assignment operators.
334 const auto AsAssignmentLhs =
335 binaryOperator(isAssignmentOperator(), hasLHS(InnerMatcher: canResolveToExpr(Exp)));
336
337 // Operand of increment/decrement operators.
338 const auto AsIncDecOperand =
339 unaryOperator(anyOf(hasOperatorName(Name: "++"), hasOperatorName(Name: "--")),
340 hasUnaryOperand(InnerMatcher: canResolveToExpr(Exp)));
341
342 // Invoking non-const member function.
343 // A member function is assumed to be non-const when it is unresolved.
344 const auto NonConstMethod = cxxMethodDecl(unless(isConst()));
345
346 const auto AsNonConstThis = expr(anyOf(
347 cxxMemberCallExpr(on(InnerMatcher: canResolveToExpr(Exp)), unless(isConstCallee())),
348 cxxOperatorCallExpr(callee(InnerMatcher: NonConstMethod),
349 hasArgument(N: 0, InnerMatcher: canResolveToExpr(Exp))),
350 // In case of a templated type, calling overloaded operators is not
351 // resolved and modelled as `binaryOperator` on a dependent type.
352 // Such instances are considered a modification, because they can modify
353 // in different instantiations of the template.
354 binaryOperator(isTypeDependent(),
355 hasEitherOperand(InnerMatcher: ignoringImpCasts(InnerMatcher: canResolveToExpr(Exp)))),
356 // A fold expression may contain `Exp` as it's initializer.
357 // We don't know if the operator modifies `Exp` because the
358 // operator is type dependent due to the parameter pack.
359 cxxFoldExpr(hasFoldInit(InnerMacher: ignoringImpCasts(InnerMatcher: canResolveToExpr(Exp)))),
360 // Within class templates and member functions the member expression might
361 // not be resolved. In that case, the `callExpr` is considered to be a
362 // modification.
363 callExpr(callee(InnerMatcher: expr(anyOf(
364 unresolvedMemberExpr(hasObjectExpression(InnerMatcher: canResolveToExpr(Exp))),
365 cxxDependentScopeMemberExpr(
366 hasObjectExpression(InnerMatcher: canResolveToExpr(Exp))))))),
367 // Match on a call to a known method, but the call itself is type
368 // dependent (e.g. `vector<T> v; v.push(T{});` in a templated function).
369 callExpr(allOf(
370 isTypeDependent(),
371 callee(InnerMatcher: memberExpr(hasDeclaration(InnerMatcher: NonConstMethod),
372 hasObjectExpression(InnerMatcher: canResolveToExpr(Exp))))))));
373
374 // Taking address of 'Exp'.
375 // We're assuming 'Exp' is mutated as soon as its address is taken, though in
376 // theory we can follow the pointer and see whether it escaped `Stm` or is
377 // dereferenced and then mutated. This is left for future improvements.
378 const auto AsAmpersandOperand =
379 unaryOperator(hasOperatorName(Name: "&"),
380 // A NoOp implicit cast is adding const.
381 unless(hasParent(implicitCastExpr(hasCastKind(Kind: CK_NoOp)))),
382 hasUnaryOperand(InnerMatcher: canResolveToExpr(Exp)));
383 const auto AsPointerFromArrayDecay = castExpr(
384 hasCastKind(Kind: CK_ArrayToPointerDecay),
385 unless(hasParent(arraySubscriptExpr())), has(canResolveToExpr(Exp)));
386 // Treat calling `operator->()` of move-only classes as taking address.
387 // These are typically smart pointers with unique ownership so we treat
388 // mutation of pointee as mutation of the smart pointer itself.
389 const auto AsOperatorArrowThis = cxxOperatorCallExpr(
390 hasOverloadedOperatorName(Name: "->"),
391 callee(
392 InnerMatcher: cxxMethodDecl(ofClass(InnerMatcher: isMoveOnly()), returns(InnerMatcher: nonConstPointerType()))),
393 argumentCountIs(N: 1), hasArgument(N: 0, InnerMatcher: canResolveToExpr(Exp)));
394
395 // Used as non-const-ref argument when calling a function.
396 // An argument is assumed to be non-const-ref when the function is unresolved.
397 // Instantiated template functions are not handled here but in
398 // findFunctionArgMutation which has additional smarts for handling forwarding
399 // references.
400 const auto NonConstRefParam = forEachArgumentWithParamType(
401 ArgMatcher: anyOf(canResolveToExpr(Exp),
402 memberExpr(hasObjectExpression(InnerMatcher: canResolveToExpr(Exp)))),
403 ParamMatcher: nonConstReferenceType());
404 const auto NotInstantiated = unless(hasDeclaration(InnerMatcher: isInstantiated()));
405 const auto TypeDependentCallee =
406 callee(InnerMatcher: expr(anyOf(unresolvedLookupExpr(), unresolvedMemberExpr(),
407 cxxDependentScopeMemberExpr(),
408 hasType(InnerMatcher: templateTypeParmType()), isTypeDependent())));
409
410 const auto AsNonConstRefArg = anyOf(
411 callExpr(NonConstRefParam, NotInstantiated),
412 cxxConstructExpr(NonConstRefParam, NotInstantiated),
413 callExpr(TypeDependentCallee, hasAnyArgument(InnerMatcher: canResolveToExpr(Exp))),
414 cxxUnresolvedConstructExpr(hasAnyArgument(InnerMatcher: canResolveToExpr(Exp))),
415 // Previous False Positive in the following Code:
416 // `template <typename T> void f() { int i = 42; new Type<T>(i); }`
417 // Where the constructor of `Type` takes its argument as reference.
418 // The AST does not resolve in a `cxxConstructExpr` because it is
419 // type-dependent.
420 parenListExpr(hasDescendant(expr(canResolveToExpr(Exp)))),
421 // If the initializer is for a reference type, there is no cast for
422 // the variable. Values are cast to RValue first.
423 initListExpr(hasAnyInit(InnerMatcher: expr(canResolveToExpr(Exp)))));
424
425 // Captured by a lambda by reference.
426 // If we're initializing a capture with 'Exp' directly then we're initializing
427 // a reference capture.
428 // For value captures there will be an ImplicitCastExpr <LValueToRValue>.
429 const auto AsLambdaRefCaptureInit = lambdaExpr(hasCaptureInit(E: Exp));
430
431 // Returned as non-const-ref.
432 // If we're returning 'Exp' directly then it's returned as non-const-ref.
433 // For returning by value there will be an ImplicitCastExpr <LValueToRValue>.
434 // For returning by const-ref there will be an ImplicitCastExpr <NoOp> (for
435 // adding const.)
436 const auto AsNonConstRefReturn =
437 returnStmt(hasReturnValue(InnerMatcher: canResolveToExpr(Exp)));
438
439 // It is used as a non-const-reference for initializing a range-for loop.
440 const auto AsNonConstRefRangeInit = cxxForRangeStmt(hasRangeInit(InnerMatcher: declRefExpr(
441 allOf(canResolveToExpr(Exp), hasType(InnerMatcher: nonConstReferenceType())))));
442
443 const auto Matches = match(
444 traverse(
445 TK_AsIs,
446 findFirst(stmt(anyOf(AsAssignmentLhs, AsIncDecOperand, AsNonConstThis,
447 AsAmpersandOperand, AsPointerFromArrayDecay,
448 AsOperatorArrowThis, AsNonConstRefArg,
449 AsLambdaRefCaptureInit, AsNonConstRefReturn,
450 AsNonConstRefRangeInit))
451 .bind("stmt"))),
452 Stm, Context);
453 return selectFirst<Stmt>("stmt", Matches);
454}
455
456const Stmt *
457ExprMutationAnalyzer::Analyzer::findMemberMutation(const Expr *Exp) {
458 // Check whether any member of 'Exp' is mutated.
459 const auto MemberExprs = match(
460 findAll(expr(anyOf(memberExpr(hasObjectExpression(InnerMatcher: canResolveToExpr(Exp))),
461 cxxDependentScopeMemberExpr(
462 hasObjectExpression(InnerMatcher: canResolveToExpr(Exp))),
463 binaryOperator(hasOperatorName(Name: ".*"),
464 hasLHS(equalsNode(Exp)))))
465 .bind(NodeID<Expr>::value)),
466 Stm, Context);
467 return findExprMutation(Matches: MemberExprs);
468}
469
470const Stmt *
471ExprMutationAnalyzer::Analyzer::findArrayElementMutation(const Expr *Exp) {
472 // Check whether any element of an array is mutated.
473 const auto SubscriptExprs = match(
474 Matcher: findAll(Matcher: arraySubscriptExpr(
475 anyOf(hasBase(InnerMatcher: canResolveToExpr(Exp)),
476 hasBase(InnerMatcher: implicitCastExpr(allOf(
477 hasCastKind(Kind: CK_ArrayToPointerDecay),
478 hasSourceExpression(InnerMatcher: canResolveToExpr(Exp)))))))
479 .bind(ID: NodeID<Expr>::value)),
480 Node: Stm, Context);
481 return findExprMutation(Matches: SubscriptExprs);
482}
483
484const Stmt *ExprMutationAnalyzer::Analyzer::findCastMutation(const Expr *Exp) {
485 // If the 'Exp' is explicitly casted to a non-const reference type the
486 // 'Exp' is considered to be modified.
487 const auto ExplicitCast =
488 match(Matcher: findFirst(Matcher: stmt(castExpr(hasSourceExpression(InnerMatcher: canResolveToExpr(Exp)),
489 explicitCastExpr(hasDestinationType(
490 InnerMatcher: nonConstReferenceType()))))
491 .bind(ID: "stmt")),
492 Node: Stm, Context);
493
494 if (const auto *CastStmt = selectFirst<Stmt>("stmt", ExplicitCast))
495 return CastStmt;
496
497 // If 'Exp' is casted to any non-const reference type, check the castExpr.
498 const auto Casts = match(
499 Matcher: findAll(Matcher: expr(castExpr(hasSourceExpression(InnerMatcher: canResolveToExpr(Exp)),
500 anyOf(explicitCastExpr(hasDestinationType(
501 InnerMatcher: nonConstReferenceType())),
502 implicitCastExpr(hasImplicitDestinationType(
503 InnerMatcher: nonConstReferenceType())))))
504 .bind(ID: NodeID<Expr>::value)),
505 Node: Stm, Context);
506
507 if (const Stmt *S = findExprMutation(Matches: Casts))
508 return S;
509 // Treat std::{move,forward} as cast.
510 const auto Calls =
511 match(Matcher: findAll(Matcher: callExpr(callee(InnerMatcher: namedDecl(
512 hasAnyName("::std::move", "::std::forward"))),
513 hasArgument(N: 0, InnerMatcher: canResolveToExpr(Exp)))
514 .bind(ID: "expr")),
515 Node: Stm, Context);
516 return findExprMutation(Matches: Calls);
517}
518
519const Stmt *
520ExprMutationAnalyzer::Analyzer::findRangeLoopMutation(const Expr *Exp) {
521 // Keep the ordering for the specific initialization matches to happen first,
522 // because it is cheaper to match all potential modifications of the loop
523 // variable.
524
525 // The range variable is a reference to a builtin array. In that case the
526 // array is considered modified if the loop-variable is a non-const reference.
527 const auto DeclStmtToNonRefToArray = declStmt(hasSingleDecl(InnerMatcher: varDecl(hasType(
528 InnerMatcher: hasUnqualifiedDesugaredType(InnerMatcher: referenceType(pointee(arrayType())))))));
529 const auto RefToArrayRefToElements = match(
530 Matcher: findFirst(Matcher: stmt(cxxForRangeStmt(
531 hasLoopVariable(
532 InnerMatcher: varDecl(anyOf(hasType(InnerMatcher: nonConstReferenceType()),
533 hasType(InnerMatcher: nonConstPointerType())))
534 .bind(ID: NodeID<Decl>::value)),
535 hasRangeStmt(InnerMatcher: DeclStmtToNonRefToArray),
536 hasRangeInit(InnerMatcher: canResolveToExpr(Exp))))
537 .bind(ID: "stmt")),
538 Node: Stm, Context);
539
540 if (const auto *BadRangeInitFromArray =
541 selectFirst<Stmt>("stmt", RefToArrayRefToElements))
542 return BadRangeInitFromArray;
543
544 // Small helper to match special cases in range-for loops.
545 //
546 // It is possible that containers do not provide a const-overload for their
547 // iterator accessors. If this is the case, the variable is used non-const
548 // no matter what happens in the loop. This requires special detection as it
549 // is then faster to find all mutations of the loop variable.
550 // It aims at a different modification as well.
551 const auto HasAnyNonConstIterator =
552 anyOf(allOf(hasMethod(InnerMatcher: allOf(hasName(Name: "begin"), unless(isConst()))),
553 unless(hasMethod(InnerMatcher: allOf(hasName(Name: "begin"), isConst())))),
554 allOf(hasMethod(InnerMatcher: allOf(hasName(Name: "end"), unless(isConst()))),
555 unless(hasMethod(InnerMatcher: allOf(hasName(Name: "end"), isConst())))));
556
557 const auto DeclStmtToNonConstIteratorContainer = declStmt(
558 hasSingleDecl(InnerMatcher: varDecl(hasType(InnerMatcher: hasUnqualifiedDesugaredType(InnerMatcher: referenceType(
559 pointee(hasDeclaration(InnerMatcher: cxxRecordDecl(HasAnyNonConstIterator)))))))));
560
561 const auto RefToContainerBadIterators = match(
562 Matcher: findFirst(Matcher: stmt(cxxForRangeStmt(allOf(
563 hasRangeStmt(InnerMatcher: DeclStmtToNonConstIteratorContainer),
564 hasRangeInit(InnerMatcher: canResolveToExpr(Exp)))))
565 .bind(ID: "stmt")),
566 Node: Stm, Context);
567
568 if (const auto *BadIteratorsContainer =
569 selectFirst<Stmt>("stmt", RefToContainerBadIterators))
570 return BadIteratorsContainer;
571
572 // If range for looping over 'Exp' with a non-const reference loop variable,
573 // check all declRefExpr of the loop variable.
574 const auto LoopVars =
575 match(Matcher: findAll(Matcher: cxxForRangeStmt(
576 hasLoopVariable(InnerMatcher: varDecl(hasType(InnerMatcher: nonConstReferenceType()))
577 .bind(ID: NodeID<Decl>::value)),
578 hasRangeInit(InnerMatcher: canResolveToExpr(Exp)))),
579 Node: Stm, Context);
580 return findDeclMutation(Matches: LoopVars);
581}
582
583const Stmt *
584ExprMutationAnalyzer::Analyzer::findReferenceMutation(const Expr *Exp) {
585 // Follow non-const reference returned by `operator*()` of move-only classes.
586 // These are typically smart pointers with unique ownership so we treat
587 // mutation of pointee as mutation of the smart pointer itself.
588 const auto Ref = match(
589 Matcher: findAll(Matcher: cxxOperatorCallExpr(
590 hasOverloadedOperatorName(Name: "*"),
591 callee(InnerMatcher: cxxMethodDecl(ofClass(InnerMatcher: isMoveOnly()),
592 returns(InnerMatcher: nonConstReferenceType()))),
593 argumentCountIs(N: 1), hasArgument(N: 0, InnerMatcher: canResolveToExpr(Exp)))
594 .bind(ID: NodeID<Expr>::value)),
595 Node: Stm, Context);
596 if (const Stmt *S = findExprMutation(Matches: Ref))
597 return S;
598
599 // If 'Exp' is bound to a non-const reference, check all declRefExpr to that.
600 const auto Refs = match(
601 Matcher: stmt(forEachDescendant(
602 varDecl(hasType(InnerMatcher: nonConstReferenceType()),
603 hasInitializer(InnerMatcher: anyOf(
604 canResolveToExpr(Exp),
605 memberExpr(hasObjectExpression(InnerMatcher: canResolveToExpr(Exp))))),
606 hasParent(declStmt().bind(ID: "stmt")),
607 // Don't follow the reference in range statement, we've
608 // handled that separately.
609 unless(hasParent(declStmt(hasParent(cxxForRangeStmt(
610 hasRangeStmt(InnerMatcher: equalsBoundNode(ID: "stmt"))))))))
611 .bind(ID: NodeID<Decl>::value))),
612 Node: Stm, Context);
613 return findDeclMutation(Matches: Refs);
614}
615
616const Stmt *
617ExprMutationAnalyzer::Analyzer::findFunctionArgMutation(const Expr *Exp) {
618 const auto NonConstRefParam = forEachArgumentWithParam(
619 ArgMatcher: canResolveToExpr(Exp),
620 ParamMatcher: parmVarDecl(hasType(InnerMatcher: nonConstReferenceType())).bind(ID: "parm"));
621 const auto IsInstantiated = hasDeclaration(InnerMatcher: isInstantiated());
622 const auto FuncDecl = hasDeclaration(InnerMatcher: functionDecl().bind(ID: "func"));
623 const auto Matches = match(
624 traverse(
625 TK_AsIs,
626 findAll(
627 expr(anyOf(callExpr(NonConstRefParam, IsInstantiated, FuncDecl,
628 unless(callee(InnerMatcher: namedDecl(hasAnyName(
629 "::std::move", "::std::forward"))))),
630 cxxConstructExpr(NonConstRefParam, IsInstantiated,
631 FuncDecl)))
632 .bind(NodeID<Expr>::value))),
633 Stm, Context);
634 for (const auto &Nodes : Matches) {
635 const auto *Exp = Nodes.getNodeAs<Expr>(NodeID<Expr>::value);
636 const auto *Func = Nodes.getNodeAs<FunctionDecl>("func");
637 if (!Func->getBody() || !Func->getPrimaryTemplate())
638 return Exp;
639
640 const auto *Parm = Nodes.getNodeAs<ParmVarDecl>("parm");
641 const ArrayRef<ParmVarDecl *> AllParams =
642 Func->getPrimaryTemplate()->getTemplatedDecl()->parameters();
643 QualType ParmType =
644 AllParams[std::min<size_t>(Parm->getFunctionScopeIndex(),
645 AllParams.size() - 1)]
646 ->getType();
647 if (const auto *T = ParmType->getAs<PackExpansionType>())
648 ParmType = T->getPattern();
649
650 // If param type is forwarding reference, follow into the function
651 // definition and see whether the param is mutated inside.
652 if (const auto *RefType = ParmType->getAs<RValueReferenceType>()) {
653 if (!RefType->getPointeeType().getQualifiers() &&
654 RefType->getPointeeType()->getAs<TemplateTypeParmType>()) {
655 FunctionParmMutationAnalyzer *Analyzer =
656 FunctionParmMutationAnalyzer::getFunctionParmMutationAnalyzer(
657 *Func, Context, Memorized);
658 if (Analyzer->findMutation(Parm))
659 return Exp;
660 continue;
661 }
662 }
663 // Not forwarding reference.
664 return Exp;
665 }
666 return nullptr;
667}
668
669FunctionParmMutationAnalyzer::FunctionParmMutationAnalyzer(
670 const FunctionDecl &Func, ASTContext &Context,
671 ExprMutationAnalyzer::Memoized &Memorized)
672 : BodyAnalyzer(*Func.getBody(), Context, Memorized) {
673 if (const auto *Ctor = dyn_cast<CXXConstructorDecl>(Val: &Func)) {
674 // CXXCtorInitializer might also mutate Param but they're not part of
675 // function body, check them eagerly here since they're typically trivial.
676 for (const CXXCtorInitializer *Init : Ctor->inits()) {
677 ExprMutationAnalyzer::Analyzer InitAnalyzer(*Init->getInit(), Context,
678 Memorized);
679 for (const ParmVarDecl *Parm : Ctor->parameters()) {
680 if (Results.contains(Parm))
681 continue;
682 if (const Stmt *S = InitAnalyzer.findMutation(Parm))
683 Results[Parm] = S;
684 }
685 }
686 }
687}
688
689const Stmt *
690FunctionParmMutationAnalyzer::findMutation(const ParmVarDecl *Parm) {
691 const auto Memoized = Results.find(Val: Parm);
692 if (Memoized != Results.end())
693 return Memoized->second;
694 // To handle call A -> call B -> call A. Assume parameters of A is not mutated
695 // before analyzing parameters of A. Then when analyzing the second "call A",
696 // FunctionParmMutationAnalyzer can use this memoized value to avoid infinite
697 // recursion.
698 Results[Parm] = nullptr;
699 if (const Stmt *S = BodyAnalyzer.findMutation(Parm))
700 return Results[Parm] = S;
701 return Results[Parm];
702}
703
704} // namespace clang
705

source code of clang/lib/Analysis/ExprMutationAnalyzer.cpp