1 //=== SemaFunctionEffects.cpp - Sema handling of function effects ---------===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This file implements Sema handling of function effects. 10 // 11 //===----------------------------------------------------------------------===// 12 13 #include "clang/AST/Decl.h" 14 #include "clang/AST/DeclCXX.h" 15 #include "clang/AST/DynamicRecursiveASTVisitor.h" 16 #include "clang/AST/ExprObjC.h" 17 #include "clang/AST/Stmt.h" 18 #include "clang/AST/StmtObjC.h" 19 #include "clang/AST/Type.h" 20 #include "clang/Basic/SourceManager.h" 21 #include "clang/Sema/SemaInternal.h" 22 23 #define DEBUG_TYPE "effectanalysis" 24 25 using namespace clang; 26 27 namespace { 28 29 enum class ViolationID : uint8_t { 30 None = 0, // Sentinel for an empty Violation. 31 // These first 5 map to a %select{} in one of several FunctionEffects 32 // diagnostics, e.g. warn_func_effect_violation. 33 BaseDiagnosticIndex, 34 AllocatesMemory = BaseDiagnosticIndex, 35 ThrowsOrCatchesExceptions, 36 HasStaticLocalVariable, 37 AccessesThreadLocalVariable, 38 AccessesObjCMethodOrProperty, 39 40 // These only apply to callees, where the analysis stops at the Decl. 41 DeclDisallowsInference, 42 43 // These both apply to indirect calls. The difference is that sometimes 44 // we have an actual Decl (generally a variable) which is the function 45 // pointer being called, and sometimes, typically due to a cast, we only 46 // have an expression. 47 CallsDeclWithoutEffect, 48 CallsExprWithoutEffect, 49 }; 50 51 // Information about the AST context in which a violation was found, so 52 // that diagnostics can point to the correct source. 53 class ViolationSite { 54 public: 55 enum class Kind : uint8_t { 56 Default, // Function body. 57 MemberInitializer, 58 DefaultArgExpr 59 }; 60 61 private: 62 llvm::PointerIntPair<CXXDefaultArgExpr *, 2, Kind> Impl; 63 64 public: 65 ViolationSite() = default; 66 67 explicit ViolationSite(CXXDefaultArgExpr *E) 68 : Impl(E, Kind::DefaultArgExpr) {} 69 70 Kind kind() const { return static_cast<Kind>(Impl.getInt()); } 71 CXXDefaultArgExpr *defaultArgExpr() const { return Impl.getPointer(); } 72 73 void setKind(Kind K) { Impl.setPointerAndInt(nullptr, K); } 74 }; 75 76 // Represents a violation of the rules, potentially for the entire duration of 77 // the analysis phase, in order to refer to it when explaining why a caller has 78 // been made unsafe by a callee. Can be transformed into either a Diagnostic 79 // (warning or a note), depending on whether the violation pertains to a 80 // function failing to be verifed as holding an effect vs. a function failing to 81 // be inferred as holding that effect. 82 struct Violation { 83 FunctionEffect Effect; 84 std::optional<FunctionEffect> 85 CalleeEffectPreventingInference; // Only for certain IDs; can be nullopt. 86 ViolationID ID = ViolationID::None; 87 ViolationSite Site; 88 SourceLocation Loc; 89 const Decl *Callee = 90 nullptr; // Only valid for ViolationIDs Calls{Decl,Expr}WithoutEffect. 91 92 Violation(FunctionEffect Effect, ViolationID ID, ViolationSite VS, 93 SourceLocation Loc, const Decl *Callee = nullptr, 94 std::optional<FunctionEffect> CalleeEffect = std::nullopt) 95 : Effect(Effect), CalleeEffectPreventingInference(CalleeEffect), ID(ID), 96 Site(VS), Loc(Loc), Callee(Callee) {} 97 98 unsigned diagnosticSelectIndex() const { 99 return unsigned(ID) - unsigned(ViolationID::BaseDiagnosticIndex); 100 } 101 }; 102 103 enum class SpecialFuncType : uint8_t { None, OperatorNew, OperatorDelete }; 104 enum class CallableType : uint8_t { 105 // Unknown: probably function pointer. 106 Unknown, 107 Function, 108 Virtual, 109 Block 110 }; 111 112 // Return whether a function's effects CAN be verified. 113 // The question of whether it SHOULD be verified is independent. 114 static bool functionIsVerifiable(const FunctionDecl *FD) { 115 if (FD->isTrivial()) { 116 // Otherwise `struct x { int a; };` would have an unverifiable default 117 // constructor. 118 return true; 119 } 120 return FD->hasBody(); 121 } 122 123 static bool isNoexcept(const FunctionDecl *FD) { 124 const auto *FPT = FD->getType()->getAs<FunctionProtoType>(); 125 return FPT && (FPT->isNothrow() || FD->hasAttr<NoThrowAttr>()); 126 } 127 128 // This list is probably incomplete. 129 // FIXME: Investigate: 130 // __builtin_eh_return? 131 // __builtin_allow_runtime_check? 132 // __builtin_unwind_init and other similar things that sound exception-related. 133 // va_copy? 134 // coroutines? 135 static FunctionEffectKindSet getBuiltinFunctionEffects(unsigned BuiltinID) { 136 FunctionEffectKindSet Result; 137 138 switch (BuiltinID) { 139 case 0: // Not builtin. 140 default: // By default, builtins have no known effects. 141 break; 142 143 // These allocate/deallocate heap memory. 144 case Builtin::ID::BI__builtin_calloc: 145 case Builtin::ID::BI__builtin_malloc: 146 case Builtin::ID::BI__builtin_realloc: 147 case Builtin::ID::BI__builtin_free: 148 case Builtin::ID::BI__builtin_operator_delete: 149 case Builtin::ID::BI__builtin_operator_new: 150 case Builtin::ID::BIaligned_alloc: 151 case Builtin::ID::BIcalloc: 152 case Builtin::ID::BImalloc: 153 case Builtin::ID::BImemalign: 154 case Builtin::ID::BIrealloc: 155 case Builtin::ID::BIfree: 156 157 case Builtin::ID::BIfopen: 158 case Builtin::ID::BIpthread_create: 159 case Builtin::ID::BI_Block_object_dispose: 160 Result.insert(FunctionEffect(FunctionEffect::Kind::Allocating)); 161 break; 162 163 // These block in some other way than allocating memory. 164 // longjmp() and friends are presumed unsafe because they are the moral 165 // equivalent of throwing a C++ exception, which is unsafe. 166 case Builtin::ID::BIlongjmp: 167 case Builtin::ID::BI_longjmp: 168 case Builtin::ID::BIsiglongjmp: 169 case Builtin::ID::BI__builtin_longjmp: 170 case Builtin::ID::BIobjc_exception_throw: 171 172 // Objective-C runtime. 173 case Builtin::ID::BIobjc_msgSend: 174 case Builtin::ID::BIobjc_msgSend_fpret: 175 case Builtin::ID::BIobjc_msgSend_fp2ret: 176 case Builtin::ID::BIobjc_msgSend_stret: 177 case Builtin::ID::BIobjc_msgSendSuper: 178 case Builtin::ID::BIobjc_getClass: 179 case Builtin::ID::BIobjc_getMetaClass: 180 case Builtin::ID::BIobjc_enumerationMutation: 181 case Builtin::ID::BIobjc_assign_ivar: 182 case Builtin::ID::BIobjc_assign_global: 183 case Builtin::ID::BIobjc_sync_enter: 184 case Builtin::ID::BIobjc_sync_exit: 185 case Builtin::ID::BINSLog: 186 case Builtin::ID::BINSLogv: 187 188 // stdio.h 189 case Builtin::ID::BIfread: 190 case Builtin::ID::BIfwrite: 191 192 // stdio.h: printf family. 193 case Builtin::ID::BIprintf: 194 case Builtin::ID::BI__builtin_printf: 195 case Builtin::ID::BIfprintf: 196 case Builtin::ID::BIsnprintf: 197 case Builtin::ID::BIsprintf: 198 case Builtin::ID::BIvprintf: 199 case Builtin::ID::BIvfprintf: 200 case Builtin::ID::BIvsnprintf: 201 case Builtin::ID::BIvsprintf: 202 203 // stdio.h: scanf family. 204 case Builtin::ID::BIscanf: 205 case Builtin::ID::BIfscanf: 206 case Builtin::ID::BIsscanf: 207 case Builtin::ID::BIvscanf: 208 case Builtin::ID::BIvfscanf: 209 case Builtin::ID::BIvsscanf: 210 Result.insert(FunctionEffect(FunctionEffect::Kind::Blocking)); 211 break; 212 } 213 214 return Result; 215 } 216 217 // Transitory, more extended information about a callable, which can be a 218 // function, block, or function pointer. 219 struct CallableInfo { 220 // CDecl holds the function's definition, if any. 221 // FunctionDecl if CallableType::Function or Virtual 222 // BlockDecl if CallableType::Block 223 const Decl *CDecl; 224 225 // Remember whether the callable is a function, block, virtual method, 226 // or (presumed) function pointer. 227 CallableType CType = CallableType::Unknown; 228 229 // Remember whether the callable is an operator new or delete function, 230 // so that calls to them are reported more meaningfully, as memory 231 // allocations. 232 SpecialFuncType FuncType = SpecialFuncType::None; 233 234 // We inevitably want to know the callable's declared effects, so cache them. 235 FunctionEffectKindSet Effects; 236 237 CallableInfo(const Decl &CD, SpecialFuncType FT = SpecialFuncType::None) 238 : CDecl(&CD), FuncType(FT) { 239 FunctionEffectsRef DeclEffects; 240 if (auto *FD = dyn_cast<FunctionDecl>(CDecl)) { 241 // Use the function's definition, if any. 242 if (const FunctionDecl *Def = FD->getDefinition()) 243 CDecl = FD = Def; 244 CType = CallableType::Function; 245 if (auto *Method = dyn_cast<CXXMethodDecl>(FD); 246 Method && Method->isVirtual()) 247 CType = CallableType::Virtual; 248 DeclEffects = FD->getFunctionEffects(); 249 } else if (auto *BD = dyn_cast<BlockDecl>(CDecl)) { 250 CType = CallableType::Block; 251 DeclEffects = BD->getFunctionEffects(); 252 } else if (auto *VD = dyn_cast<ValueDecl>(CDecl)) { 253 // ValueDecl is function, enum, or variable, so just look at its type. 254 DeclEffects = FunctionEffectsRef::get(VD->getType()); 255 } 256 Effects = FunctionEffectKindSet(DeclEffects); 257 } 258 259 CallableType type() const { return CType; } 260 261 bool isCalledDirectly() const { 262 return CType == CallableType::Function || CType == CallableType::Block; 263 } 264 265 bool isVerifiable() const { 266 switch (CType) { 267 case CallableType::Unknown: 268 case CallableType::Virtual: 269 return false; 270 case CallableType::Block: 271 return true; 272 case CallableType::Function: 273 return functionIsVerifiable(dyn_cast<FunctionDecl>(CDecl)); 274 } 275 llvm_unreachable("undefined CallableType"); 276 } 277 278 /// Generate a name for logging and diagnostics. 279 std::string getNameForDiagnostic(Sema &S) const { 280 std::string Name; 281 llvm::raw_string_ostream OS(Name); 282 283 if (auto *FD = dyn_cast<FunctionDecl>(CDecl)) 284 FD->getNameForDiagnostic(OS, S.getPrintingPolicy(), 285 /*Qualified=*/true); 286 else if (auto *BD = dyn_cast<BlockDecl>(CDecl)) 287 OS << "(block " << BD->getBlockManglingNumber() << ")"; 288 else if (auto *VD = dyn_cast<NamedDecl>(CDecl)) 289 VD->printQualifiedName(OS); 290 return Name; 291 } 292 }; 293 294 // ---------- 295 // Map effects to single Violations, to hold the first (of potentially many) 296 // violations pertaining to an effect, per function. 297 class EffectToViolationMap { 298 // Since we currently only have a tiny number of effects (typically no more 299 // than 1), use a SmallVector with an inline capacity of 1. Since it 300 // is often empty, use a unique_ptr to the SmallVector. 301 // Note that Violation itself contains a FunctionEffect which is the key. 302 // FIXME: Is there a way to simplify this using existing data structures? 303 using ImplVec = llvm::SmallVector<Violation, 1>; 304 std::unique_ptr<ImplVec> Impl; 305 306 public: 307 // Insert a new Violation if we do not already have one for its effect. 308 void maybeInsert(const Violation &Viol) { 309 if (Impl == nullptr) 310 Impl = std::make_unique<ImplVec>(); 311 else if (lookup(Viol.Effect) != nullptr) 312 return; 313 314 Impl->push_back(Viol); 315 } 316 317 const Violation *lookup(FunctionEffect Key) { 318 if (Impl == nullptr) 319 return nullptr; 320 321 auto *Iter = llvm::find_if( 322 *Impl, [&](const auto &Item) { return Item.Effect == Key; }); 323 return Iter != Impl->end() ? &*Iter : nullptr; 324 } 325 326 size_t size() const { return Impl ? Impl->size() : 0; } 327 }; 328 329 // ---------- 330 // State pertaining to a function whose AST is walked and whose effect analysis 331 // is dependent on a subsequent analysis of other functions. 332 class PendingFunctionAnalysis { 333 friend class CompleteFunctionAnalysis; 334 335 public: 336 struct DirectCall { 337 const Decl *Callee; 338 SourceLocation CallLoc; 339 // Not all recursive calls are detected, just enough 340 // to break cycles. 341 bool Recursed = false; 342 ViolationSite VSite; 343 344 DirectCall(const Decl *D, SourceLocation CallLoc, ViolationSite VSite) 345 : Callee(D), CallLoc(CallLoc), VSite(VSite) {} 346 }; 347 348 // We always have two disjoint sets of effects to verify: 349 // 1. Effects declared explicitly by this function. 350 // 2. All other inferrable effects needing verification. 351 FunctionEffectKindSet DeclaredVerifiableEffects; 352 FunctionEffectKindSet EffectsToInfer; 353 354 private: 355 // Violations pertaining to the function's explicit effects. 356 SmallVector<Violation, 0> ViolationsForExplicitEffects; 357 358 // Violations pertaining to other, non-explicit, inferrable effects. 359 EffectToViolationMap InferrableEffectToFirstViolation; 360 361 // These unverified direct calls are what keeps the analysis "pending", 362 // until the callees can be verified. 363 SmallVector<DirectCall, 0> UnverifiedDirectCalls; 364 365 public: 366 PendingFunctionAnalysis(Sema &S, const CallableInfo &CInfo, 367 FunctionEffectKindSet AllInferrableEffectsToVerify) 368 : DeclaredVerifiableEffects(CInfo.Effects) { 369 // Check for effects we are not allowed to infer. 370 FunctionEffectKindSet InferrableEffects; 371 372 for (FunctionEffect effect : AllInferrableEffectsToVerify) { 373 std::optional<FunctionEffect> ProblemCalleeEffect = 374 effect.effectProhibitingInference(*CInfo.CDecl, CInfo.Effects); 375 if (!ProblemCalleeEffect) 376 InferrableEffects.insert(effect); 377 else { 378 // Add a Violation for this effect if a caller were to 379 // try to infer it. 380 InferrableEffectToFirstViolation.maybeInsert(Violation( 381 effect, ViolationID::DeclDisallowsInference, ViolationSite{}, 382 CInfo.CDecl->getLocation(), nullptr, ProblemCalleeEffect)); 383 } 384 } 385 // InferrableEffects is now the set of inferrable effects which are not 386 // prohibited. 387 EffectsToInfer = FunctionEffectKindSet::difference( 388 InferrableEffects, DeclaredVerifiableEffects); 389 } 390 391 // Hide the way that Violations for explicitly required effects vs. inferred 392 // ones are handled differently. 393 void checkAddViolation(bool Inferring, const Violation &NewViol) { 394 if (!Inferring) 395 ViolationsForExplicitEffects.push_back(NewViol); 396 else 397 InferrableEffectToFirstViolation.maybeInsert(NewViol); 398 } 399 400 void addUnverifiedDirectCall(const Decl *D, SourceLocation CallLoc, 401 ViolationSite VSite) { 402 UnverifiedDirectCalls.emplace_back(D, CallLoc, VSite); 403 } 404 405 // Analysis is complete when there are no unverified direct calls. 406 bool isComplete() const { return UnverifiedDirectCalls.empty(); } 407 408 const Violation *violationForInferrableEffect(FunctionEffect effect) { 409 return InferrableEffectToFirstViolation.lookup(effect); 410 } 411 412 // Mutable because caller may need to set a DirectCall's Recursing flag. 413 MutableArrayRef<DirectCall> unverifiedCalls() { 414 assert(!isComplete()); 415 return UnverifiedDirectCalls; 416 } 417 418 ArrayRef<Violation> getSortedViolationsForExplicitEffects(SourceManager &SM) { 419 if (!ViolationsForExplicitEffects.empty()) 420 llvm::sort(ViolationsForExplicitEffects, 421 [&SM](const Violation &LHS, const Violation &RHS) { 422 return SM.isBeforeInTranslationUnit(LHS.Loc, RHS.Loc); 423 }); 424 return ViolationsForExplicitEffects; 425 } 426 427 void dump(Sema &SemaRef, llvm::raw_ostream &OS) const { 428 OS << "Pending: Declared "; 429 DeclaredVerifiableEffects.dump(OS); 430 OS << ", " << ViolationsForExplicitEffects.size() << " violations; "; 431 OS << " Infer "; 432 EffectsToInfer.dump(OS); 433 OS << ", " << InferrableEffectToFirstViolation.size() << " violations"; 434 if (!UnverifiedDirectCalls.empty()) { 435 OS << "; Calls: "; 436 for (const DirectCall &Call : UnverifiedDirectCalls) { 437 CallableInfo CI(*Call.Callee); 438 OS << " " << CI.getNameForDiagnostic(SemaRef); 439 } 440 } 441 OS << "\n"; 442 } 443 }; 444 445 // ---------- 446 class CompleteFunctionAnalysis { 447 // Current size: 2 pointers 448 public: 449 // Has effects which are both the declared ones -- not to be inferred -- plus 450 // ones which have been successfully inferred. These are all considered 451 // "verified" for the purposes of callers; any issue with verifying declared 452 // effects has already been reported and is not the problem of any caller. 453 FunctionEffectKindSet VerifiedEffects; 454 455 private: 456 // This is used to generate notes about failed inference. 457 EffectToViolationMap InferrableEffectToFirstViolation; 458 459 public: 460 // The incoming Pending analysis is consumed (member(s) are moved-from). 461 CompleteFunctionAnalysis(ASTContext &Ctx, PendingFunctionAnalysis &&Pending, 462 FunctionEffectKindSet DeclaredEffects, 463 FunctionEffectKindSet AllInferrableEffectsToVerify) 464 : VerifiedEffects(DeclaredEffects) { 465 for (FunctionEffect effect : AllInferrableEffectsToVerify) 466 if (Pending.violationForInferrableEffect(effect) == nullptr) 467 VerifiedEffects.insert(effect); 468 469 InferrableEffectToFirstViolation = 470 std::move(Pending.InferrableEffectToFirstViolation); 471 } 472 473 const Violation *firstViolationForEffect(FunctionEffect Effect) { 474 return InferrableEffectToFirstViolation.lookup(Effect); 475 } 476 477 void dump(llvm::raw_ostream &OS) const { 478 OS << "Complete: Verified "; 479 VerifiedEffects.dump(OS); 480 OS << "; Infer "; 481 OS << InferrableEffectToFirstViolation.size() << " violations\n"; 482 } 483 }; 484 485 // ========== 486 class Analyzer { 487 Sema &S; 488 489 // Subset of Sema.AllEffectsToVerify 490 FunctionEffectKindSet AllInferrableEffectsToVerify; 491 492 using FuncAnalysisPtr = 493 llvm::PointerUnion<PendingFunctionAnalysis *, CompleteFunctionAnalysis *>; 494 495 // Map all Decls analyzed to FuncAnalysisPtr. Pending state is larger 496 // than complete state, so use different objects to represent them. 497 // The state pointers are owned by the container. 498 class AnalysisMap : llvm::DenseMap<const Decl *, FuncAnalysisPtr> { 499 using Base = llvm::DenseMap<const Decl *, FuncAnalysisPtr>; 500 501 public: 502 ~AnalysisMap(); 503 504 // Use non-public inheritance in order to maintain the invariant 505 // that lookups and insertions are via the canonical Decls. 506 507 FuncAnalysisPtr lookup(const Decl *Key) const { 508 return Base::lookup(Key->getCanonicalDecl()); 509 } 510 511 FuncAnalysisPtr &operator[](const Decl *Key) { 512 return Base::operator[](Key->getCanonicalDecl()); 513 } 514 515 /// Shortcut for the case where we only care about completed analysis. 516 CompleteFunctionAnalysis *completedAnalysisForDecl(const Decl *D) const { 517 if (FuncAnalysisPtr AP = lookup(D); 518 isa_and_nonnull<CompleteFunctionAnalysis *>(AP)) 519 return AP.get<CompleteFunctionAnalysis *>(); 520 return nullptr; 521 } 522 523 void dump(Sema &SemaRef, llvm::raw_ostream &OS) { 524 OS << "\nAnalysisMap:\n"; 525 for (const auto &item : *this) { 526 CallableInfo CI(*item.first); 527 const auto AP = item.second; 528 OS << item.first << " " << CI.getNameForDiagnostic(SemaRef) << " : "; 529 if (AP.isNull()) { 530 OS << "null\n"; 531 } else if (isa<CompleteFunctionAnalysis *>(AP)) { 532 auto *CFA = AP.get<CompleteFunctionAnalysis *>(); 533 OS << CFA << " "; 534 CFA->dump(OS); 535 } else if (isa<PendingFunctionAnalysis *>(AP)) { 536 auto *PFA = AP.get<PendingFunctionAnalysis *>(); 537 OS << PFA << " "; 538 PFA->dump(SemaRef, OS); 539 } else 540 llvm_unreachable("never"); 541 } 542 OS << "---\n"; 543 } 544 }; 545 AnalysisMap DeclAnalysis; 546 547 public: 548 Analyzer(Sema &S) : S(S) {} 549 550 void run(const TranslationUnitDecl &TU) { 551 // Gather all of the effects to be verified to see what operations need to 552 // be checked, and to see which ones are inferrable. 553 for (FunctionEffect Effect : S.AllEffectsToVerify) { 554 const FunctionEffect::Flags Flags = Effect.flags(); 555 if (Flags & FunctionEffect::FE_InferrableOnCallees) 556 AllInferrableEffectsToVerify.insert(Effect); 557 } 558 LLVM_DEBUG(llvm::dbgs() << "AllInferrableEffectsToVerify: "; 559 AllInferrableEffectsToVerify.dump(llvm::dbgs()); 560 llvm::dbgs() << "\n";); 561 562 // We can use DeclsWithEffectsToVerify as a stack for a 563 // depth-first traversal; there's no need for a second container. But first, 564 // reverse it, so when working from the end, Decls are verified in the order 565 // they are declared. 566 SmallVector<const Decl *> &VerificationQueue = S.DeclsWithEffectsToVerify; 567 std::reverse(VerificationQueue.begin(), VerificationQueue.end()); 568 569 while (!VerificationQueue.empty()) { 570 const Decl *D = VerificationQueue.back(); 571 if (FuncAnalysisPtr AP = DeclAnalysis.lookup(D)) { 572 if (auto *Pending = AP.dyn_cast<PendingFunctionAnalysis *>()) { 573 // All children have been traversed; finish analysis. 574 finishPendingAnalysis(D, Pending); 575 } 576 VerificationQueue.pop_back(); 577 continue; 578 } 579 580 // Not previously visited; begin a new analysis for this Decl. 581 PendingFunctionAnalysis *Pending = verifyDecl(D); 582 if (Pending == nullptr) { 583 // Completed now. 584 VerificationQueue.pop_back(); 585 continue; 586 } 587 588 // Analysis remains pending because there are direct callees to be 589 // verified first. Push them onto the queue. 590 for (PendingFunctionAnalysis::DirectCall &Call : 591 Pending->unverifiedCalls()) { 592 FuncAnalysisPtr AP = DeclAnalysis.lookup(Call.Callee); 593 if (AP.isNull()) { 594 VerificationQueue.push_back(Call.Callee); 595 continue; 596 } 597 598 // This indicates recursion (not necessarily direct). For the 599 // purposes of effect analysis, we can just ignore it since 600 // no effects forbid recursion. 601 assert(isa<PendingFunctionAnalysis *>(AP)); 602 Call.Recursed = true; 603 } 604 } 605 } 606 607 private: 608 // Verify a single Decl. Return the pending structure if that was the result, 609 // else null. This method must not recurse. 610 PendingFunctionAnalysis *verifyDecl(const Decl *D) { 611 CallableInfo CInfo(*D); 612 bool isExternC = false; 613 614 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D)) 615 isExternC = FD->getCanonicalDecl()->isExternCContext(); 616 617 // For C++, with non-extern "C" linkage only - if any of the Decl's declared 618 // effects forbid throwing (e.g. nonblocking) then the function should also 619 // be declared noexcept. 620 if (S.getLangOpts().CPlusPlus && !isExternC) { 621 for (FunctionEffect Effect : CInfo.Effects) { 622 if (!(Effect.flags() & FunctionEffect::FE_ExcludeThrow)) 623 continue; 624 625 bool IsNoexcept = false; 626 if (auto *FD = D->getAsFunction()) { 627 IsNoexcept = isNoexcept(FD); 628 } else if (auto *BD = dyn_cast<BlockDecl>(D)) { 629 if (auto *TSI = BD->getSignatureAsWritten()) { 630 auto *FPT = TSI->getType()->getAs<FunctionProtoType>(); 631 IsNoexcept = FPT->isNothrow() || BD->hasAttr<NoThrowAttr>(); 632 } 633 } 634 if (!IsNoexcept) 635 S.Diag(D->getBeginLoc(), diag::warn_perf_constraint_implies_noexcept) 636 << GetCallableDeclKind(D, nullptr) << Effect.name(); 637 break; 638 } 639 } 640 641 // Build a PendingFunctionAnalysis on the stack. If it turns out to be 642 // complete, we'll have avoided a heap allocation; if it's incomplete, it's 643 // a fairly trivial move to a heap-allocated object. 644 PendingFunctionAnalysis FAnalysis(S, CInfo, AllInferrableEffectsToVerify); 645 646 LLVM_DEBUG(llvm::dbgs() 647 << "\nVerifying " << CInfo.getNameForDiagnostic(S) << " "; 648 FAnalysis.dump(S, llvm::dbgs());); 649 650 FunctionBodyASTVisitor Visitor(*this, FAnalysis, CInfo); 651 652 Visitor.run(); 653 if (FAnalysis.isComplete()) { 654 completeAnalysis(CInfo, std::move(FAnalysis)); 655 return nullptr; 656 } 657 // Move the pending analysis to the heap and save it in the map. 658 PendingFunctionAnalysis *PendingPtr = 659 new PendingFunctionAnalysis(std::move(FAnalysis)); 660 DeclAnalysis[D] = PendingPtr; 661 LLVM_DEBUG(llvm::dbgs() << "inserted pending " << PendingPtr << "\n"; 662 DeclAnalysis.dump(S, llvm::dbgs());); 663 return PendingPtr; 664 } 665 666 // Consume PendingFunctionAnalysis, create with it a CompleteFunctionAnalysis, 667 // inserted in the container. 668 void completeAnalysis(const CallableInfo &CInfo, 669 PendingFunctionAnalysis &&Pending) { 670 if (ArrayRef<Violation> Viols = 671 Pending.getSortedViolationsForExplicitEffects(S.getSourceManager()); 672 !Viols.empty()) 673 emitDiagnostics(Viols, CInfo); 674 675 CompleteFunctionAnalysis *CompletePtr = new CompleteFunctionAnalysis( 676 S.getASTContext(), std::move(Pending), CInfo.Effects, 677 AllInferrableEffectsToVerify); 678 DeclAnalysis[CInfo.CDecl] = CompletePtr; 679 LLVM_DEBUG(llvm::dbgs() << "inserted complete " << CompletePtr << "\n"; 680 DeclAnalysis.dump(S, llvm::dbgs());); 681 } 682 683 // Called after all direct calls requiring inference have been found -- or 684 // not. Repeats calls to FunctionBodyASTVisitor::followCall() but without 685 // the possibility of inference. Deletes Pending. 686 void finishPendingAnalysis(const Decl *D, PendingFunctionAnalysis *Pending) { 687 CallableInfo Caller(*D); 688 LLVM_DEBUG(llvm::dbgs() << "finishPendingAnalysis for " 689 << Caller.getNameForDiagnostic(S) << " : "; 690 Pending->dump(S, llvm::dbgs()); llvm::dbgs() << "\n";); 691 for (const PendingFunctionAnalysis::DirectCall &Call : 692 Pending->unverifiedCalls()) { 693 if (Call.Recursed) 694 continue; 695 696 CallableInfo Callee(*Call.Callee); 697 followCall(Caller, *Pending, Callee, Call.CallLoc, 698 /*AssertNoFurtherInference=*/true, Call.VSite); 699 } 700 completeAnalysis(Caller, std::move(*Pending)); 701 delete Pending; 702 } 703 704 // Here we have a call to a Decl, either explicitly via a CallExpr or some 705 // other AST construct. PFA pertains to the caller. 706 void followCall(const CallableInfo &Caller, PendingFunctionAnalysis &PFA, 707 const CallableInfo &Callee, SourceLocation CallLoc, 708 bool AssertNoFurtherInference, ViolationSite VSite) { 709 const bool DirectCall = Callee.isCalledDirectly(); 710 711 // Initially, the declared effects; inferred effects will be added. 712 FunctionEffectKindSet CalleeEffects = Callee.Effects; 713 714 bool IsInferencePossible = DirectCall; 715 716 if (DirectCall) 717 if (CompleteFunctionAnalysis *CFA = 718 DeclAnalysis.completedAnalysisForDecl(Callee.CDecl)) { 719 // Combine declared effects with those which may have been inferred. 720 CalleeEffects.insert(CFA->VerifiedEffects); 721 IsInferencePossible = false; // We've already traversed it. 722 } 723 724 if (AssertNoFurtherInference) { 725 assert(!IsInferencePossible); 726 } 727 728 if (!Callee.isVerifiable()) 729 IsInferencePossible = false; 730 731 LLVM_DEBUG(llvm::dbgs() 732 << "followCall from " << Caller.getNameForDiagnostic(S) 733 << " to " << Callee.getNameForDiagnostic(S) 734 << "; verifiable: " << Callee.isVerifiable() << "; callee "; 735 CalleeEffects.dump(llvm::dbgs()); llvm::dbgs() << "\n"; 736 llvm::dbgs() << " callee " << Callee.CDecl << " canonical " 737 << Callee.CDecl->getCanonicalDecl() << "\n";); 738 739 auto Check1Effect = [&](FunctionEffect Effect, bool Inferring) { 740 if (!Effect.shouldDiagnoseFunctionCall(DirectCall, CalleeEffects)) 741 return; 742 743 // If inference is not allowed, or the target is indirect (virtual 744 // method/function ptr?), generate a Violation now. 745 if (!IsInferencePossible || 746 !(Effect.flags() & FunctionEffect::FE_InferrableOnCallees)) { 747 if (Callee.FuncType == SpecialFuncType::None) 748 PFA.checkAddViolation(Inferring, 749 {Effect, ViolationID::CallsDeclWithoutEffect, 750 VSite, CallLoc, Callee.CDecl}); 751 else 752 PFA.checkAddViolation( 753 Inferring, 754 {Effect, ViolationID::AllocatesMemory, VSite, CallLoc}); 755 } else { 756 // Inference is allowed and necessary; defer it. 757 PFA.addUnverifiedDirectCall(Callee.CDecl, CallLoc, VSite); 758 } 759 }; 760 761 for (FunctionEffect Effect : PFA.DeclaredVerifiableEffects) 762 Check1Effect(Effect, false); 763 764 for (FunctionEffect Effect : PFA.EffectsToInfer) 765 Check1Effect(Effect, true); 766 } 767 768 // Describe a callable Decl for a diagnostic. 769 // (Not an enum class because the value is always converted to an integer for 770 // use in a diagnostic.) 771 enum CallableDeclKind { 772 CDK_Function, 773 CDK_Constructor, 774 CDK_Destructor, 775 CDK_Lambda, 776 CDK_Block, 777 CDK_MemberInitializer, 778 }; 779 780 // Describe a call site or target using an enum mapping to a %select{} 781 // in a diagnostic, e.g. warn_func_effect_violation, 782 // warn_perf_constraint_implies_noexcept, and others. 783 static CallableDeclKind GetCallableDeclKind(const Decl *D, 784 const Violation *V) { 785 if (V != nullptr && 786 V->Site.kind() == ViolationSite::Kind::MemberInitializer) 787 return CDK_MemberInitializer; 788 if (isa<BlockDecl>(D)) 789 return CDK_Block; 790 if (auto *Method = dyn_cast<CXXMethodDecl>(D)) { 791 if (isa<CXXConstructorDecl>(D)) 792 return CDK_Constructor; 793 if (isa<CXXDestructorDecl>(D)) 794 return CDK_Destructor; 795 const CXXRecordDecl *Rec = Method->getParent(); 796 if (Rec->isLambda()) 797 return CDK_Lambda; 798 } 799 return CDK_Function; 800 }; 801 802 // Should only be called when function's analysis is determined to be 803 // complete. 804 void emitDiagnostics(ArrayRef<Violation> Viols, const CallableInfo &CInfo) { 805 if (Viols.empty()) 806 return; 807 808 auto MaybeAddTemplateNote = [&](const Decl *D) { 809 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D)) { 810 while (FD != nullptr && FD->isTemplateInstantiation() && 811 FD->getPointOfInstantiation().isValid()) { 812 S.Diag(FD->getPointOfInstantiation(), 813 diag::note_func_effect_from_template); 814 FD = FD->getTemplateInstantiationPattern(); 815 } 816 } 817 }; 818 819 // For note_func_effect_call_indirect. 820 enum { Indirect_VirtualMethod, Indirect_FunctionPtr }; 821 822 auto MaybeAddSiteContext = [&](const Decl *D, const Violation &V) { 823 // If a violation site is a member initializer, add a note pointing to 824 // the constructor which invoked it. 825 if (V.Site.kind() == ViolationSite::Kind::MemberInitializer) { 826 unsigned ImplicitCtor = 0; 827 if (auto *Ctor = dyn_cast<CXXConstructorDecl>(D); 828 Ctor && Ctor->isImplicit()) 829 ImplicitCtor = 1; 830 S.Diag(D->getLocation(), diag::note_func_effect_in_constructor) 831 << ImplicitCtor; 832 } 833 834 // If a violation site is a default argument expression, add a note 835 // pointing to the call site using the default argument. 836 else if (V.Site.kind() == ViolationSite::Kind::DefaultArgExpr) 837 S.Diag(V.Site.defaultArgExpr()->getUsedLocation(), 838 diag::note_in_evaluating_default_argument); 839 }; 840 841 // Top-level violations are warnings. 842 for (const Violation &Viol1 : Viols) { 843 StringRef effectName = Viol1.Effect.name(); 844 switch (Viol1.ID) { 845 case ViolationID::None: 846 case ViolationID::DeclDisallowsInference: // Shouldn't happen 847 // here. 848 llvm_unreachable("Unexpected violation kind"); 849 break; 850 case ViolationID::AllocatesMemory: 851 case ViolationID::ThrowsOrCatchesExceptions: 852 case ViolationID::HasStaticLocalVariable: 853 case ViolationID::AccessesThreadLocalVariable: 854 case ViolationID::AccessesObjCMethodOrProperty: 855 S.Diag(Viol1.Loc, diag::warn_func_effect_violation) 856 << GetCallableDeclKind(CInfo.CDecl, &Viol1) << effectName 857 << Viol1.diagnosticSelectIndex(); 858 MaybeAddSiteContext(CInfo.CDecl, Viol1); 859 MaybeAddTemplateNote(CInfo.CDecl); 860 break; 861 case ViolationID::CallsExprWithoutEffect: 862 S.Diag(Viol1.Loc, diag::warn_func_effect_calls_expr_without_effect) 863 << GetCallableDeclKind(CInfo.CDecl, &Viol1) << effectName; 864 MaybeAddSiteContext(CInfo.CDecl, Viol1); 865 MaybeAddTemplateNote(CInfo.CDecl); 866 break; 867 868 case ViolationID::CallsDeclWithoutEffect: { 869 CallableInfo CalleeInfo(*Viol1.Callee); 870 std::string CalleeName = CalleeInfo.getNameForDiagnostic(S); 871 872 S.Diag(Viol1.Loc, diag::warn_func_effect_calls_func_without_effect) 873 << GetCallableDeclKind(CInfo.CDecl, &Viol1) << effectName 874 << GetCallableDeclKind(CalleeInfo.CDecl, nullptr) << CalleeName; 875 MaybeAddSiteContext(CInfo.CDecl, Viol1); 876 MaybeAddTemplateNote(CInfo.CDecl); 877 878 // Emit notes explaining the transitive chain of inferences: Why isn't 879 // the callee safe? 880 for (const Decl *Callee = Viol1.Callee; Callee != nullptr;) { 881 std::optional<CallableInfo> MaybeNextCallee; 882 CompleteFunctionAnalysis *Completed = 883 DeclAnalysis.completedAnalysisForDecl(CalleeInfo.CDecl); 884 if (Completed == nullptr) { 885 // No result - could be 886 // - non-inline and extern 887 // - indirect (virtual or through function pointer) 888 // - effect has been explicitly disclaimed (e.g. "blocking") 889 890 CallableType CType = CalleeInfo.type(); 891 if (CType == CallableType::Virtual) 892 S.Diag(Callee->getLocation(), 893 diag::note_func_effect_call_indirect) 894 << Indirect_VirtualMethod << effectName; 895 else if (CType == CallableType::Unknown) 896 S.Diag(Callee->getLocation(), 897 diag::note_func_effect_call_indirect) 898 << Indirect_FunctionPtr << effectName; 899 else if (CalleeInfo.Effects.contains(Viol1.Effect.oppositeKind())) 900 S.Diag(Callee->getLocation(), 901 diag::note_func_effect_call_disallows_inference) 902 << GetCallableDeclKind(CInfo.CDecl, nullptr) << effectName 903 << FunctionEffect(Viol1.Effect.oppositeKind()).name(); 904 else if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(Callee); 905 FD == nullptr || FD->getBuiltinID() == 0) { 906 // A builtin callee generally doesn't have a useful source 907 // location at which to insert a note. 908 S.Diag(Callee->getLocation(), diag::note_func_effect_call_extern) 909 << effectName; 910 } 911 break; 912 } 913 const Violation *PtrViol2 = 914 Completed->firstViolationForEffect(Viol1.Effect); 915 if (PtrViol2 == nullptr) 916 break; 917 918 const Violation &Viol2 = *PtrViol2; 919 switch (Viol2.ID) { 920 case ViolationID::None: 921 llvm_unreachable("Unexpected violation kind"); 922 break; 923 case ViolationID::DeclDisallowsInference: 924 S.Diag(Viol2.Loc, diag::note_func_effect_call_disallows_inference) 925 << GetCallableDeclKind(CalleeInfo.CDecl, nullptr) << effectName 926 << Viol2.CalleeEffectPreventingInference->name(); 927 break; 928 case ViolationID::CallsExprWithoutEffect: 929 S.Diag(Viol2.Loc, diag::note_func_effect_call_indirect) 930 << Indirect_FunctionPtr << effectName; 931 break; 932 case ViolationID::AllocatesMemory: 933 case ViolationID::ThrowsOrCatchesExceptions: 934 case ViolationID::HasStaticLocalVariable: 935 case ViolationID::AccessesThreadLocalVariable: 936 case ViolationID::AccessesObjCMethodOrProperty: 937 S.Diag(Viol2.Loc, diag::note_func_effect_violation) 938 << GetCallableDeclKind(CalleeInfo.CDecl, &Viol2) << effectName 939 << Viol2.diagnosticSelectIndex(); 940 MaybeAddSiteContext(CalleeInfo.CDecl, Viol2); 941 break; 942 case ViolationID::CallsDeclWithoutEffect: 943 MaybeNextCallee.emplace(*Viol2.Callee); 944 S.Diag(Viol2.Loc, diag::note_func_effect_calls_func_without_effect) 945 << GetCallableDeclKind(CalleeInfo.CDecl, &Viol2) << effectName 946 << GetCallableDeclKind(Viol2.Callee, nullptr) 947 << MaybeNextCallee->getNameForDiagnostic(S); 948 break; 949 } 950 MaybeAddTemplateNote(Callee); 951 Callee = Viol2.Callee; 952 if (MaybeNextCallee) { 953 CalleeInfo = *MaybeNextCallee; 954 CalleeName = CalleeInfo.getNameForDiagnostic(S); 955 } 956 } 957 } break; 958 } 959 } 960 } 961 962 // ---------- 963 // This AST visitor is used to traverse the body of a function during effect 964 // verification. This happens in 2 situations: 965 // [1] The function has declared effects which need to be validated. 966 // [2] The function has not explicitly declared an effect in question, and is 967 // being checked for implicit conformance. 968 // 969 // Violations are always routed to a PendingFunctionAnalysis. 970 struct FunctionBodyASTVisitor : DynamicRecursiveASTVisitor { 971 Analyzer &Outer; 972 PendingFunctionAnalysis &CurrentFunction; 973 CallableInfo &CurrentCaller; 974 ViolationSite VSite; 975 const Expr *TrailingRequiresClause = nullptr; 976 const Expr *NoexceptExpr = nullptr; 977 978 FunctionBodyASTVisitor(Analyzer &Outer, 979 PendingFunctionAnalysis &CurrentFunction, 980 CallableInfo &CurrentCaller) 981 : Outer(Outer), CurrentFunction(CurrentFunction), 982 CurrentCaller(CurrentCaller) { 983 ShouldVisitImplicitCode = true; 984 ShouldWalkTypesOfTypeLocs = false; 985 } 986 987 // -- Entry point -- 988 void run() { 989 // The target function may have implicit code paths beyond the 990 // body: member and base destructors. Visit these first. 991 if (auto *Dtor = dyn_cast<CXXDestructorDecl>(CurrentCaller.CDecl)) 992 followDestructor(dyn_cast<CXXRecordDecl>(Dtor->getParent()), Dtor); 993 994 if (auto *FD = dyn_cast<FunctionDecl>(CurrentCaller.CDecl)) { 995 TrailingRequiresClause = FD->getTrailingRequiresClause(); 996 997 // Note that FD->getType->getAs<FunctionProtoType>() can yield a 998 // noexcept Expr which has been boiled down to a constant expression. 999 // Going through the TypeSourceInfo obtains the actual expression which 1000 // will be traversed as part of the function -- unless we capture it 1001 // here and have TraverseStmt skip it. 1002 if (TypeSourceInfo *TSI = FD->getTypeSourceInfo()) { 1003 if (FunctionProtoTypeLoc TL = 1004 TSI->getTypeLoc().getAs<FunctionProtoTypeLoc>()) 1005 if (const FunctionProtoType *FPT = TL.getTypePtr()) 1006 NoexceptExpr = FPT->getNoexceptExpr(); 1007 } 1008 } 1009 1010 // Do an AST traversal of the function/block body 1011 TraverseDecl(const_cast<Decl *>(CurrentCaller.CDecl)); 1012 } 1013 1014 // -- Methods implementing common logic -- 1015 1016 // Handle a language construct forbidden by some effects. Only effects whose 1017 // flags include the specified flag receive a violation. \p Flag describes 1018 // the construct. 1019 void diagnoseLanguageConstruct(FunctionEffect::FlagBit Flag, 1020 ViolationID VID, SourceLocation Loc, 1021 const Decl *Callee = nullptr) { 1022 // If there are any declared verifiable effects which forbid the construct 1023 // represented by the flag, store just one violation. 1024 for (FunctionEffect Effect : CurrentFunction.DeclaredVerifiableEffects) { 1025 if (Effect.flags() & Flag) { 1026 addViolation(/*inferring=*/false, Effect, VID, Loc, Callee); 1027 break; 1028 } 1029 } 1030 // For each inferred effect which forbids the construct, store a 1031 // violation, if we don't already have a violation for that effect. 1032 for (FunctionEffect Effect : CurrentFunction.EffectsToInfer) 1033 if (Effect.flags() & Flag) 1034 addViolation(/*inferring=*/true, Effect, VID, Loc, Callee); 1035 } 1036 1037 void addViolation(bool Inferring, FunctionEffect Effect, ViolationID VID, 1038 SourceLocation Loc, const Decl *Callee = nullptr) { 1039 CurrentFunction.checkAddViolation( 1040 Inferring, Violation(Effect, VID, VSite, Loc, Callee)); 1041 } 1042 1043 // Here we have a call to a Decl, either explicitly via a CallExpr or some 1044 // other AST construct. CallableInfo pertains to the callee. 1045 void followCall(CallableInfo &CI, SourceLocation CallLoc) { 1046 // Check for a call to a builtin function, whose effects are 1047 // handled specially. 1048 if (const auto *FD = dyn_cast<FunctionDecl>(CI.CDecl)) { 1049 if (unsigned BuiltinID = FD->getBuiltinID()) { 1050 CI.Effects = getBuiltinFunctionEffects(BuiltinID); 1051 if (CI.Effects.empty()) { 1052 // A builtin with no known effects is assumed safe. 1053 return; 1054 } 1055 // A builtin WITH effects doesn't get any special treatment for 1056 // being noreturn/noexcept, e.g. longjmp(), so we skip the check 1057 // below. 1058 } else { 1059 // If the callee is both `noreturn` and `noexcept`, it presumably 1060 // terminates. Ignore it for the purposes of effect analysis. 1061 // If not C++, `noreturn` alone is sufficient. 1062 if (FD->isNoReturn() && 1063 (!Outer.S.getLangOpts().CPlusPlus || isNoexcept(FD))) 1064 return; 1065 } 1066 } 1067 1068 Outer.followCall(CurrentCaller, CurrentFunction, CI, CallLoc, 1069 /*AssertNoFurtherInference=*/false, VSite); 1070 } 1071 1072 void checkIndirectCall(CallExpr *Call, QualType CalleeType) { 1073 FunctionEffectKindSet CalleeEffects; 1074 if (FunctionEffectsRef Effects = FunctionEffectsRef::get(CalleeType); 1075 !Effects.empty()) 1076 CalleeEffects.insert(Effects); 1077 1078 auto Check1Effect = [&](FunctionEffect Effect, bool Inferring) { 1079 if (Effect.shouldDiagnoseFunctionCall( 1080 /*direct=*/false, CalleeEffects)) 1081 addViolation(Inferring, Effect, ViolationID::CallsExprWithoutEffect, 1082 Call->getBeginLoc()); 1083 }; 1084 1085 for (FunctionEffect Effect : CurrentFunction.DeclaredVerifiableEffects) 1086 Check1Effect(Effect, false); 1087 1088 for (FunctionEffect Effect : CurrentFunction.EffectsToInfer) 1089 Check1Effect(Effect, true); 1090 } 1091 1092 // This destructor's body should be followed by the caller, but here we 1093 // follow the field and base destructors. 1094 void followDestructor(const CXXRecordDecl *Rec, 1095 const CXXDestructorDecl *Dtor) { 1096 SourceLocation DtorLoc = Dtor->getLocation(); 1097 for (const FieldDecl *Field : Rec->fields()) 1098 followTypeDtor(Field->getType(), DtorLoc); 1099 1100 if (const auto *Class = dyn_cast<CXXRecordDecl>(Rec)) 1101 for (const CXXBaseSpecifier &Base : Class->bases()) 1102 followTypeDtor(Base.getType(), DtorLoc); 1103 } 1104 1105 void followTypeDtor(QualType QT, SourceLocation CallSite) { 1106 const Type *Ty = QT.getTypePtr(); 1107 while (Ty->isArrayType()) { 1108 const ArrayType *Arr = Ty->getAsArrayTypeUnsafe(); 1109 QT = Arr->getElementType(); 1110 Ty = QT.getTypePtr(); 1111 } 1112 1113 if (Ty->isRecordType()) { 1114 if (const CXXRecordDecl *Class = Ty->getAsCXXRecordDecl()) { 1115 if (CXXDestructorDecl *Dtor = Class->getDestructor(); 1116 Dtor && !Dtor->isDeleted()) { 1117 CallableInfo CI(*Dtor); 1118 followCall(CI, CallSite); 1119 } 1120 } 1121 } 1122 } 1123 1124 // -- Methods for use of RecursiveASTVisitor -- 1125 1126 bool VisitCXXThrowExpr(CXXThrowExpr *Throw) override { 1127 diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeThrow, 1128 ViolationID::ThrowsOrCatchesExceptions, 1129 Throw->getThrowLoc()); 1130 return true; 1131 } 1132 1133 bool VisitCXXCatchStmt(CXXCatchStmt *Catch) override { 1134 diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeCatch, 1135 ViolationID::ThrowsOrCatchesExceptions, 1136 Catch->getCatchLoc()); 1137 return true; 1138 } 1139 1140 bool VisitObjCAtThrowStmt(ObjCAtThrowStmt *Throw) override { 1141 diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeThrow, 1142 ViolationID::ThrowsOrCatchesExceptions, 1143 Throw->getThrowLoc()); 1144 return true; 1145 } 1146 1147 bool VisitObjCAtCatchStmt(ObjCAtCatchStmt *Catch) override { 1148 diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeCatch, 1149 ViolationID::ThrowsOrCatchesExceptions, 1150 Catch->getAtCatchLoc()); 1151 return true; 1152 } 1153 1154 bool VisitObjCAtFinallyStmt(ObjCAtFinallyStmt *Finally) override { 1155 diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeCatch, 1156 ViolationID::ThrowsOrCatchesExceptions, 1157 Finally->getAtFinallyLoc()); 1158 return true; 1159 } 1160 1161 bool VisitObjCMessageExpr(ObjCMessageExpr *Msg) override { 1162 diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeObjCMessageSend, 1163 ViolationID::AccessesObjCMethodOrProperty, 1164 Msg->getBeginLoc()); 1165 return true; 1166 } 1167 1168 bool VisitObjCAutoreleasePoolStmt(ObjCAutoreleasePoolStmt *ARP) override { 1169 // Under the hood, @autorelease (potentially?) allocates memory and 1170 // invokes ObjC methods. We don't currently have memory allocation as 1171 // a "language construct" but we do have ObjC messaging, so diagnose that. 1172 diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeObjCMessageSend, 1173 ViolationID::AccessesObjCMethodOrProperty, 1174 ARP->getBeginLoc()); 1175 return true; 1176 } 1177 1178 bool VisitObjCAtSynchronizedStmt(ObjCAtSynchronizedStmt *Sync) override { 1179 // Under the hood, this calls objc_sync_enter and objc_sync_exit, wrapped 1180 // in a @try/@finally block. Diagnose this generically as "ObjC 1181 // messaging". 1182 diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeObjCMessageSend, 1183 ViolationID::AccessesObjCMethodOrProperty, 1184 Sync->getBeginLoc()); 1185 return true; 1186 } 1187 1188 bool VisitSEHExceptStmt(SEHExceptStmt *Exc) override { 1189 diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeCatch, 1190 ViolationID::ThrowsOrCatchesExceptions, 1191 Exc->getExceptLoc()); 1192 return true; 1193 } 1194 1195 bool VisitCallExpr(CallExpr *Call) override { 1196 LLVM_DEBUG(llvm::dbgs() 1197 << "VisitCallExpr : " 1198 << Call->getBeginLoc().printToString(Outer.S.SourceMgr) 1199 << "\n";); 1200 1201 Expr *CalleeExpr = Call->getCallee(); 1202 if (const Decl *Callee = CalleeExpr->getReferencedDeclOfCallee()) { 1203 CallableInfo CI(*Callee); 1204 followCall(CI, Call->getBeginLoc()); 1205 return true; 1206 } 1207 1208 if (isa<CXXPseudoDestructorExpr>(CalleeExpr)) { 1209 // Just destroying a scalar, fine. 1210 return true; 1211 } 1212 1213 // No Decl, just an Expr. Just check based on its type. 1214 checkIndirectCall(Call, CalleeExpr->getType()); 1215 1216 return true; 1217 } 1218 1219 bool VisitVarDecl(VarDecl *Var) override { 1220 LLVM_DEBUG(llvm::dbgs() 1221 << "VisitVarDecl : " 1222 << Var->getBeginLoc().printToString(Outer.S.SourceMgr) 1223 << "\n";); 1224 1225 if (Var->isStaticLocal()) 1226 diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeStaticLocalVars, 1227 ViolationID::HasStaticLocalVariable, 1228 Var->getLocation()); 1229 1230 const QualType::DestructionKind DK = 1231 Var->needsDestruction(Outer.S.getASTContext()); 1232 if (DK == QualType::DK_cxx_destructor) 1233 followTypeDtor(Var->getType(), Var->getLocation()); 1234 return true; 1235 } 1236 1237 bool VisitCXXNewExpr(CXXNewExpr *New) override { 1238 // RecursiveASTVisitor does not visit the implicit call to operator new. 1239 if (FunctionDecl *FD = New->getOperatorNew()) { 1240 CallableInfo CI(*FD, SpecialFuncType::OperatorNew); 1241 followCall(CI, New->getBeginLoc()); 1242 } 1243 1244 // It's a bit excessive to check operator delete here, since it's 1245 // just a fallback for operator new followed by a failed constructor. 1246 // We could check it via New->getOperatorDelete(). 1247 1248 // It DOES however visit the called constructor 1249 return true; 1250 } 1251 1252 bool VisitCXXDeleteExpr(CXXDeleteExpr *Delete) override { 1253 // RecursiveASTVisitor does not visit the implicit call to operator 1254 // delete. 1255 if (FunctionDecl *FD = Delete->getOperatorDelete()) { 1256 CallableInfo CI(*FD, SpecialFuncType::OperatorDelete); 1257 followCall(CI, Delete->getBeginLoc()); 1258 } 1259 1260 // It DOES however visit the called destructor 1261 1262 return true; 1263 } 1264 1265 bool VisitCXXConstructExpr(CXXConstructExpr *Construct) override { 1266 LLVM_DEBUG(llvm::dbgs() << "VisitCXXConstructExpr : " 1267 << Construct->getBeginLoc().printToString( 1268 Outer.S.SourceMgr) 1269 << "\n";); 1270 1271 // RecursiveASTVisitor does not visit the implicit call to the 1272 // constructor. 1273 const CXXConstructorDecl *Ctor = Construct->getConstructor(); 1274 CallableInfo CI(*Ctor); 1275 followCall(CI, Construct->getLocation()); 1276 1277 return true; 1278 } 1279 1280 bool TraverseStmt(Stmt *Statement) override { 1281 // If this statement is a `requires` clause from the top-level function 1282 // being traversed, ignore it, since it's not generating runtime code. 1283 // We skip the traversal of lambdas (beyond their captures, see 1284 // TraverseLambdaExpr below), so just caching this from our constructor 1285 // should suffice. 1286 if (Statement != TrailingRequiresClause && Statement != NoexceptExpr) 1287 return DynamicRecursiveASTVisitor::TraverseStmt(Statement); 1288 return true; 1289 } 1290 1291 bool TraverseConstructorInitializer(CXXCtorInitializer *Init) override { 1292 ViolationSite PrevVS = VSite; 1293 if (Init->isAnyMemberInitializer()) 1294 VSite.setKind(ViolationSite::Kind::MemberInitializer); 1295 bool Result = 1296 DynamicRecursiveASTVisitor::TraverseConstructorInitializer(Init); 1297 VSite = PrevVS; 1298 return Result; 1299 } 1300 1301 bool TraverseCXXDefaultArgExpr(CXXDefaultArgExpr *E) override { 1302 LLVM_DEBUG(llvm::dbgs() 1303 << "TraverseCXXDefaultArgExpr : " 1304 << E->getUsedLocation().printToString(Outer.S.SourceMgr) 1305 << "\n";); 1306 1307 ViolationSite PrevVS = VSite; 1308 if (VSite.kind() == ViolationSite::Kind::Default) 1309 VSite = ViolationSite{E}; 1310 1311 bool Result = DynamicRecursiveASTVisitor::TraverseCXXDefaultArgExpr(E); 1312 VSite = PrevVS; 1313 return Result; 1314 } 1315 1316 bool TraverseLambdaExpr(LambdaExpr *Lambda) override { 1317 // We override this so as to be able to skip traversal of the lambda's 1318 // body. We have to explicitly traverse the captures. Why not return 1319 // false from shouldVisitLambdaBody()? Because we need to visit a lambda's 1320 // body when we are verifying the lambda itself; we only want to skip it 1321 // in the context of the outer function. 1322 for (unsigned I = 0, N = Lambda->capture_size(); I < N; ++I) 1323 TraverseLambdaCapture(Lambda, Lambda->capture_begin() + I, 1324 Lambda->capture_init_begin()[I]); 1325 1326 return true; 1327 } 1328 1329 bool TraverseBlockExpr(BlockExpr * /*unused*/) override { 1330 // As with lambdas, don't traverse the block's body. 1331 // TODO: are the capture expressions (ctor call?) safe? 1332 return true; 1333 } 1334 1335 bool VisitDeclRefExpr(DeclRefExpr *E) override { 1336 const ValueDecl *Val = E->getDecl(); 1337 if (const auto *Var = dyn_cast<VarDecl>(Val)) { 1338 if (Var->getTLSKind() != VarDecl::TLS_None) { 1339 // At least on macOS, thread-local variables are initialized on 1340 // first access, including a heap allocation. 1341 diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeThreadLocalVars, 1342 ViolationID::AccessesThreadLocalVariable, 1343 E->getLocation()); 1344 } 1345 } 1346 return true; 1347 } 1348 1349 bool TraverseGenericSelectionExpr(GenericSelectionExpr *Node) override { 1350 return TraverseStmt(Node->getResultExpr()); 1351 } 1352 bool 1353 TraverseUnaryExprOrTypeTraitExpr(UnaryExprOrTypeTraitExpr *Node) override { 1354 return true; 1355 } 1356 1357 bool TraverseTypeOfExprTypeLoc(TypeOfExprTypeLoc Node) override { 1358 return true; 1359 } 1360 1361 bool TraverseDecltypeTypeLoc(DecltypeTypeLoc Node) override { return true; } 1362 1363 bool TraverseCXXNoexceptExpr(CXXNoexceptExpr *Node) override { 1364 return true; 1365 } 1366 1367 bool TraverseCXXTypeidExpr(CXXTypeidExpr *Node) override { return true; } 1368 1369 // Skip concept requirements since they don't generate code. 1370 bool TraverseConceptRequirement(concepts::Requirement *R) override { 1371 return true; 1372 } 1373 }; 1374 }; 1375 1376 Analyzer::AnalysisMap::~AnalysisMap() { 1377 for (const auto &Item : *this) { 1378 FuncAnalysisPtr AP = Item.second; 1379 if (isa<PendingFunctionAnalysis *>(AP)) 1380 delete AP.get<PendingFunctionAnalysis *>(); 1381 else 1382 delete AP.get<CompleteFunctionAnalysis *>(); 1383 } 1384 } 1385 1386 } // anonymous namespace 1387 1388 namespace clang { 1389 1390 bool Sema::diagnoseConflictingFunctionEffect( 1391 const FunctionEffectsRef &FX, const FunctionEffectWithCondition &NewEC, 1392 SourceLocation NewAttrLoc) { 1393 // If the new effect has a condition, we can't detect conflicts until the 1394 // condition is resolved. 1395 if (NewEC.Cond.getCondition() != nullptr) 1396 return false; 1397 1398 // Diagnose the new attribute as incompatible with a previous one. 1399 auto Incompatible = [&](const FunctionEffectWithCondition &PrevEC) { 1400 Diag(NewAttrLoc, diag::err_attributes_are_not_compatible) 1401 << ("'" + NewEC.description() + "'") 1402 << ("'" + PrevEC.description() + "'") << false; 1403 // We don't necessarily have the location of the previous attribute, 1404 // so no note. 1405 return true; 1406 }; 1407 1408 // Compare against previous attributes. 1409 FunctionEffect::Kind NewKind = NewEC.Effect.kind(); 1410 1411 for (const FunctionEffectWithCondition &PrevEC : FX) { 1412 // Again, can't check yet when the effect is conditional. 1413 if (PrevEC.Cond.getCondition() != nullptr) 1414 continue; 1415 1416 FunctionEffect::Kind PrevKind = PrevEC.Effect.kind(); 1417 // Note that we allow PrevKind == NewKind; it's redundant and ignored. 1418 1419 if (PrevEC.Effect.oppositeKind() == NewKind) 1420 return Incompatible(PrevEC); 1421 1422 // A new allocating is incompatible with a previous nonblocking. 1423 if (PrevKind == FunctionEffect::Kind::NonBlocking && 1424 NewKind == FunctionEffect::Kind::Allocating) 1425 return Incompatible(PrevEC); 1426 1427 // A new nonblocking is incompatible with a previous allocating. 1428 if (PrevKind == FunctionEffect::Kind::Allocating && 1429 NewKind == FunctionEffect::Kind::NonBlocking) 1430 return Incompatible(PrevEC); 1431 } 1432 1433 return false; 1434 } 1435 1436 void Sema::diagnoseFunctionEffectMergeConflicts( 1437 const FunctionEffectSet::Conflicts &Errs, SourceLocation NewLoc, 1438 SourceLocation OldLoc) { 1439 for (const FunctionEffectSet::Conflict &Conflict : Errs) { 1440 Diag(NewLoc, diag::warn_conflicting_func_effects) 1441 << Conflict.Kept.description() << Conflict.Rejected.description(); 1442 Diag(OldLoc, diag::note_previous_declaration); 1443 } 1444 } 1445 1446 // Decl should be a FunctionDecl or BlockDecl. 1447 void Sema::maybeAddDeclWithEffects(const Decl *D, 1448 const FunctionEffectsRef &FX) { 1449 if (!D->hasBody()) { 1450 if (const auto *FD = D->getAsFunction(); FD && !FD->willHaveBody()) 1451 return; 1452 } 1453 1454 if (Diags.getIgnoreAllWarnings() || 1455 (Diags.getSuppressSystemWarnings() && 1456 SourceMgr.isInSystemHeader(D->getLocation()))) 1457 return; 1458 1459 if (hasUncompilableErrorOccurred()) 1460 return; 1461 1462 // For code in dependent contexts, we'll do this at instantiation time. 1463 // Without this check, we would analyze the function based on placeholder 1464 // template parameters, and potentially generate spurious diagnostics. 1465 if (cast<DeclContext>(D)->isDependentContext()) 1466 return; 1467 1468 addDeclWithEffects(D, FX); 1469 } 1470 1471 void Sema::addDeclWithEffects(const Decl *D, const FunctionEffectsRef &FX) { 1472 // To avoid the possibility of conflict, don't add effects which are 1473 // not FE_InferrableOnCallees and therefore not verified; this removes 1474 // blocking/allocating but keeps nonblocking/nonallocating. 1475 // Also, ignore any conditions when building the list of effects. 1476 bool AnyVerifiable = false; 1477 for (const FunctionEffectWithCondition &EC : FX) 1478 if (EC.Effect.flags() & FunctionEffect::FE_InferrableOnCallees) { 1479 AllEffectsToVerify.insert(EC.Effect); 1480 AnyVerifiable = true; 1481 } 1482 1483 // Record the declaration for later analysis. 1484 if (AnyVerifiable) 1485 DeclsWithEffectsToVerify.push_back(D); 1486 } 1487 1488 void Sema::performFunctionEffectAnalysis(TranslationUnitDecl *TU) { 1489 if (hasUncompilableErrorOccurred() || Diags.getIgnoreAllWarnings()) 1490 return; 1491 if (TU == nullptr) 1492 return; 1493 Analyzer{*this}.run(*TU); 1494 } 1495 1496 Sema::FunctionEffectDiffVector::FunctionEffectDiffVector( 1497 const FunctionEffectsRef &Old, const FunctionEffectsRef &New) { 1498 1499 FunctionEffectsRef::iterator POld = Old.begin(); 1500 FunctionEffectsRef::iterator OldEnd = Old.end(); 1501 FunctionEffectsRef::iterator PNew = New.begin(); 1502 FunctionEffectsRef::iterator NewEnd = New.end(); 1503 1504 while (true) { 1505 int cmp = 0; 1506 if (POld == OldEnd) { 1507 if (PNew == NewEnd) 1508 break; 1509 cmp = 1; 1510 } else if (PNew == NewEnd) 1511 cmp = -1; 1512 else { 1513 FunctionEffectWithCondition Old = *POld; 1514 FunctionEffectWithCondition New = *PNew; 1515 if (Old.Effect.kind() < New.Effect.kind()) 1516 cmp = -1; 1517 else if (New.Effect.kind() < Old.Effect.kind()) 1518 cmp = 1; 1519 else { 1520 cmp = 0; 1521 if (Old.Cond.getCondition() != New.Cond.getCondition()) { 1522 // FIXME: Cases where the expressions are equivalent but 1523 // don't have the same identity. 1524 push_back(FunctionEffectDiff{ 1525 Old.Effect.kind(), FunctionEffectDiff::Kind::ConditionMismatch, 1526 Old, New}); 1527 } 1528 } 1529 } 1530 1531 if (cmp < 0) { 1532 // removal 1533 FunctionEffectWithCondition Old = *POld; 1534 push_back(FunctionEffectDiff{Old.Effect.kind(), 1535 FunctionEffectDiff::Kind::Removed, Old, 1536 std::nullopt}); 1537 ++POld; 1538 } else if (cmp > 0) { 1539 // addition 1540 FunctionEffectWithCondition New = *PNew; 1541 push_back(FunctionEffectDiff{New.Effect.kind(), 1542 FunctionEffectDiff::Kind::Added, 1543 std::nullopt, New}); 1544 ++PNew; 1545 } else { 1546 ++POld; 1547 ++PNew; 1548 } 1549 } 1550 } 1551 1552 bool Sema::FunctionEffectDiff::shouldDiagnoseConversion( 1553 QualType SrcType, const FunctionEffectsRef &SrcFX, QualType DstType, 1554 const FunctionEffectsRef &DstFX) const { 1555 1556 switch (EffectKind) { 1557 case FunctionEffect::Kind::NonAllocating: 1558 // nonallocating can't be added (spoofed) during a conversion, unless we 1559 // have nonblocking. 1560 if (DiffKind == Kind::Added) { 1561 for (const auto &CFE : SrcFX) { 1562 if (CFE.Effect.kind() == FunctionEffect::Kind::NonBlocking) 1563 return false; 1564 } 1565 } 1566 [[fallthrough]]; 1567 case FunctionEffect::Kind::NonBlocking: 1568 // nonblocking can't be added (spoofed) during a conversion. 1569 switch (DiffKind) { 1570 case Kind::Added: 1571 return true; 1572 case Kind::Removed: 1573 return false; 1574 case Kind::ConditionMismatch: 1575 // FIXME: Condition mismatches are too coarse right now -- expressions 1576 // which are equivalent but don't have the same identity are detected as 1577 // mismatches. We're going to diagnose those anyhow until expression 1578 // matching is better. 1579 return true; 1580 } 1581 break; 1582 case FunctionEffect::Kind::Blocking: 1583 case FunctionEffect::Kind::Allocating: 1584 return false; 1585 } 1586 llvm_unreachable("unknown effect kind"); 1587 } 1588 1589 bool Sema::FunctionEffectDiff::shouldDiagnoseRedeclaration( 1590 const FunctionDecl &OldFunction, const FunctionEffectsRef &OldFX, 1591 const FunctionDecl &NewFunction, const FunctionEffectsRef &NewFX) const { 1592 switch (EffectKind) { 1593 case FunctionEffect::Kind::NonAllocating: 1594 case FunctionEffect::Kind::NonBlocking: 1595 // nonblocking/nonallocating can't be removed in a redeclaration. 1596 switch (DiffKind) { 1597 case Kind::Added: 1598 return false; // No diagnostic. 1599 case Kind::Removed: 1600 return true; // Issue diagnostic. 1601 case Kind::ConditionMismatch: 1602 // All these forms of mismatches are diagnosed. 1603 return true; 1604 } 1605 break; 1606 case FunctionEffect::Kind::Blocking: 1607 case FunctionEffect::Kind::Allocating: 1608 return false; 1609 } 1610 llvm_unreachable("unknown effect kind"); 1611 } 1612 1613 Sema::FunctionEffectDiff::OverrideResult 1614 Sema::FunctionEffectDiff::shouldDiagnoseMethodOverride( 1615 const CXXMethodDecl &OldMethod, const FunctionEffectsRef &OldFX, 1616 const CXXMethodDecl &NewMethod, const FunctionEffectsRef &NewFX) const { 1617 switch (EffectKind) { 1618 case FunctionEffect::Kind::NonAllocating: 1619 case FunctionEffect::Kind::NonBlocking: 1620 switch (DiffKind) { 1621 1622 // If added on an override, that's fine and not diagnosed. 1623 case Kind::Added: 1624 return OverrideResult::NoAction; 1625 1626 // If missing from an override (removed), propagate from base to derived. 1627 case Kind::Removed: 1628 return OverrideResult::Merge; 1629 1630 // If there's a mismatch involving the effect's polarity or condition, 1631 // issue a warning. 1632 case Kind::ConditionMismatch: 1633 return OverrideResult::Warn; 1634 } 1635 break; 1636 case FunctionEffect::Kind::Blocking: 1637 case FunctionEffect::Kind::Allocating: 1638 return OverrideResult::NoAction; 1639 } 1640 llvm_unreachable("unknown effect kind"); 1641 } 1642 1643 } // namespace clang 1644