1 //=== SemaFunctionEffects.cpp - Sema handling of function effects ---------===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This file implements Sema handling of function effects. 10 // 11 //===----------------------------------------------------------------------===// 12 13 #include "clang/AST/Decl.h" 14 #include "clang/AST/DeclCXX.h" 15 #include "clang/AST/RecursiveASTVisitor.h" 16 #include "clang/AST/Stmt.h" 17 #include "clang/AST/Type.h" 18 #include "clang/Basic/SourceManager.h" 19 #include "clang/Sema/SemaInternal.h" 20 21 #define DEBUG_TYPE "effectanalysis" 22 23 using namespace clang; 24 25 namespace { 26 27 enum class ViolationID : uint8_t { 28 None = 0, // Sentinel for an empty Violation. 29 // These first 5 map to a %select{} in one of several FunctionEffects 30 // diagnostics, e.g. warn_func_effect_violation. 31 BaseDiagnosticIndex, 32 AllocatesMemory = BaseDiagnosticIndex, 33 ThrowsOrCatchesExceptions, 34 HasStaticLocalVariable, 35 AccessesThreadLocalVariable, 36 AccessesObjCMethodOrProperty, 37 38 // These only apply to callees, where the analysis stops at the Decl. 39 DeclDisallowsInference, 40 41 // These both apply to indirect calls. The difference is that sometimes 42 // we have an actual Decl (generally a variable) which is the function 43 // pointer being called, and sometimes, typically due to a cast, we only 44 // have an expression. 45 CallsDeclWithoutEffect, 46 CallsExprWithoutEffect, 47 }; 48 49 // Information about the AST context in which a violation was found, so 50 // that diagnostics can point to the correct source. 51 class ViolationSite { 52 public: 53 enum class Kind : uint8_t { 54 Default, // Function body. 55 MemberInitializer, 56 DefaultArgExpr 57 }; 58 59 private: 60 llvm::PointerIntPair<CXXDefaultArgExpr *, 2, Kind> Impl; 61 62 public: 63 ViolationSite() = default; 64 65 explicit ViolationSite(CXXDefaultArgExpr *E) 66 : Impl(E, Kind::DefaultArgExpr) {} 67 68 Kind kind() const { return static_cast<Kind>(Impl.getInt()); } 69 CXXDefaultArgExpr *defaultArgExpr() const { return Impl.getPointer(); } 70 71 void setKind(Kind K) { Impl.setPointerAndInt(nullptr, K); } 72 }; 73 74 // Represents a violation of the rules, potentially for the entire duration of 75 // the analysis phase, in order to refer to it when explaining why a caller has 76 // been made unsafe by a callee. Can be transformed into either a Diagnostic 77 // (warning or a note), depending on whether the violation pertains to a 78 // function failing to be verifed as holding an effect vs. a function failing to 79 // be inferred as holding that effect. 80 struct Violation { 81 FunctionEffect Effect; 82 std::optional<FunctionEffect> 83 CalleeEffectPreventingInference; // Only for certain IDs; can be nullopt. 84 ViolationID ID = ViolationID::None; 85 ViolationSite Site; 86 SourceLocation Loc; 87 const Decl *Callee = 88 nullptr; // Only valid for ViolationIDs Calls{Decl,Expr}WithoutEffect. 89 90 Violation(FunctionEffect Effect, ViolationID ID, ViolationSite VS, 91 SourceLocation Loc, const Decl *Callee = nullptr, 92 std::optional<FunctionEffect> CalleeEffect = std::nullopt) 93 : Effect(Effect), CalleeEffectPreventingInference(CalleeEffect), ID(ID), 94 Site(VS), Loc(Loc), Callee(Callee) {} 95 96 unsigned diagnosticSelectIndex() const { 97 return unsigned(ID) - unsigned(ViolationID::BaseDiagnosticIndex); 98 } 99 }; 100 101 enum class SpecialFuncType : uint8_t { None, OperatorNew, OperatorDelete }; 102 enum class CallableType : uint8_t { 103 // Unknown: probably function pointer. 104 Unknown, 105 Function, 106 Virtual, 107 Block 108 }; 109 110 // Return whether a function's effects CAN be verified. 111 // The question of whether it SHOULD be verified is independent. 112 static bool functionIsVerifiable(const FunctionDecl *FD) { 113 if (FD->isTrivial()) { 114 // Otherwise `struct x { int a; };` would have an unverifiable default 115 // constructor. 116 return true; 117 } 118 return FD->hasBody(); 119 } 120 121 static bool isNoexcept(const FunctionDecl *FD) { 122 const auto *FPT = FD->getType()->getAs<FunctionProtoType>(); 123 return FPT && (FPT->isNothrow() || FD->hasAttr<NoThrowAttr>()); 124 } 125 126 // This list is probably incomplete. 127 // FIXME: Investigate: 128 // __builtin_eh_return? 129 // __builtin_allow_runtime_check? 130 // __builtin_unwind_init and other similar things that sound exception-related. 131 // va_copy? 132 // coroutines? 133 static FunctionEffectKindSet getBuiltinFunctionEffects(unsigned BuiltinID) { 134 FunctionEffectKindSet Result; 135 136 switch (BuiltinID) { 137 case 0: // Not builtin. 138 default: // By default, builtins have no known effects. 139 break; 140 141 // These allocate/deallocate heap memory. 142 case Builtin::ID::BI__builtin_calloc: 143 case Builtin::ID::BI__builtin_malloc: 144 case Builtin::ID::BI__builtin_realloc: 145 case Builtin::ID::BI__builtin_free: 146 case Builtin::ID::BI__builtin_operator_delete: 147 case Builtin::ID::BI__builtin_operator_new: 148 case Builtin::ID::BIaligned_alloc: 149 case Builtin::ID::BIcalloc: 150 case Builtin::ID::BImalloc: 151 case Builtin::ID::BImemalign: 152 case Builtin::ID::BIrealloc: 153 case Builtin::ID::BIfree: 154 155 case Builtin::ID::BIfopen: 156 case Builtin::ID::BIpthread_create: 157 case Builtin::ID::BI_Block_object_dispose: 158 Result.insert(FunctionEffect(FunctionEffect::Kind::Allocating)); 159 break; 160 161 // These block in some other way than allocating memory. 162 // longjmp() and friends are presumed unsafe because they are the moral 163 // equivalent of throwing a C++ exception, which is unsafe. 164 case Builtin::ID::BIlongjmp: 165 case Builtin::ID::BI_longjmp: 166 case Builtin::ID::BIsiglongjmp: 167 case Builtin::ID::BI__builtin_longjmp: 168 case Builtin::ID::BIobjc_exception_throw: 169 170 // Objective-C runtime. 171 case Builtin::ID::BIobjc_msgSend: 172 case Builtin::ID::BIobjc_msgSend_fpret: 173 case Builtin::ID::BIobjc_msgSend_fp2ret: 174 case Builtin::ID::BIobjc_msgSend_stret: 175 case Builtin::ID::BIobjc_msgSendSuper: 176 case Builtin::ID::BIobjc_getClass: 177 case Builtin::ID::BIobjc_getMetaClass: 178 case Builtin::ID::BIobjc_enumerationMutation: 179 case Builtin::ID::BIobjc_assign_ivar: 180 case Builtin::ID::BIobjc_assign_global: 181 case Builtin::ID::BIobjc_sync_enter: 182 case Builtin::ID::BIobjc_sync_exit: 183 case Builtin::ID::BINSLog: 184 case Builtin::ID::BINSLogv: 185 186 // stdio.h 187 case Builtin::ID::BIfread: 188 case Builtin::ID::BIfwrite: 189 190 // stdio.h: printf family. 191 case Builtin::ID::BIprintf: 192 case Builtin::ID::BI__builtin_printf: 193 case Builtin::ID::BIfprintf: 194 case Builtin::ID::BIsnprintf: 195 case Builtin::ID::BIsprintf: 196 case Builtin::ID::BIvprintf: 197 case Builtin::ID::BIvfprintf: 198 case Builtin::ID::BIvsnprintf: 199 case Builtin::ID::BIvsprintf: 200 201 // stdio.h: scanf family. 202 case Builtin::ID::BIscanf: 203 case Builtin::ID::BIfscanf: 204 case Builtin::ID::BIsscanf: 205 case Builtin::ID::BIvscanf: 206 case Builtin::ID::BIvfscanf: 207 case Builtin::ID::BIvsscanf: 208 Result.insert(FunctionEffect(FunctionEffect::Kind::Blocking)); 209 break; 210 } 211 212 return Result; 213 } 214 215 // Transitory, more extended information about a callable, which can be a 216 // function, block, or function pointer. 217 struct CallableInfo { 218 // CDecl holds the function's definition, if any. 219 // FunctionDecl if CallableType::Function or Virtual 220 // BlockDecl if CallableType::Block 221 const Decl *CDecl; 222 223 // Remember whether the callable is a function, block, virtual method, 224 // or (presumed) function pointer. 225 CallableType CType = CallableType::Unknown; 226 227 // Remember whether the callable is an operator new or delete function, 228 // so that calls to them are reported more meaningfully, as memory 229 // allocations. 230 SpecialFuncType FuncType = SpecialFuncType::None; 231 232 // We inevitably want to know the callable's declared effects, so cache them. 233 FunctionEffectKindSet Effects; 234 235 CallableInfo(const Decl &CD, SpecialFuncType FT = SpecialFuncType::None) 236 : CDecl(&CD), FuncType(FT) { 237 FunctionEffectsRef DeclEffects; 238 if (auto *FD = dyn_cast<FunctionDecl>(CDecl)) { 239 // Use the function's definition, if any. 240 if (const FunctionDecl *Def = FD->getDefinition()) 241 CDecl = FD = Def; 242 CType = CallableType::Function; 243 if (auto *Method = dyn_cast<CXXMethodDecl>(FD); 244 Method && Method->isVirtual()) 245 CType = CallableType::Virtual; 246 DeclEffects = FD->getFunctionEffects(); 247 } else if (auto *BD = dyn_cast<BlockDecl>(CDecl)) { 248 CType = CallableType::Block; 249 DeclEffects = BD->getFunctionEffects(); 250 } else if (auto *VD = dyn_cast<ValueDecl>(CDecl)) { 251 // ValueDecl is function, enum, or variable, so just look at its type. 252 DeclEffects = FunctionEffectsRef::get(VD->getType()); 253 } 254 Effects = FunctionEffectKindSet(DeclEffects); 255 } 256 257 CallableType type() const { return CType; } 258 259 bool isCalledDirectly() const { 260 return CType == CallableType::Function || CType == CallableType::Block; 261 } 262 263 bool isVerifiable() const { 264 switch (CType) { 265 case CallableType::Unknown: 266 case CallableType::Virtual: 267 return false; 268 case CallableType::Block: 269 return true; 270 case CallableType::Function: 271 return functionIsVerifiable(dyn_cast<FunctionDecl>(CDecl)); 272 } 273 llvm_unreachable("undefined CallableType"); 274 } 275 276 /// Generate a name for logging and diagnostics. 277 std::string getNameForDiagnostic(Sema &S) const { 278 std::string Name; 279 llvm::raw_string_ostream OS(Name); 280 281 if (auto *FD = dyn_cast<FunctionDecl>(CDecl)) 282 FD->getNameForDiagnostic(OS, S.getPrintingPolicy(), 283 /*Qualified=*/true); 284 else if (auto *BD = dyn_cast<BlockDecl>(CDecl)) 285 OS << "(block " << BD->getBlockManglingNumber() << ")"; 286 else if (auto *VD = dyn_cast<NamedDecl>(CDecl)) 287 VD->printQualifiedName(OS); 288 return Name; 289 } 290 }; 291 292 // ---------- 293 // Map effects to single Violations, to hold the first (of potentially many) 294 // violations pertaining to an effect, per function. 295 class EffectToViolationMap { 296 // Since we currently only have a tiny number of effects (typically no more 297 // than 1), use a SmallVector with an inline capacity of 1. Since it 298 // is often empty, use a unique_ptr to the SmallVector. 299 // Note that Violation itself contains a FunctionEffect which is the key. 300 // FIXME: Is there a way to simplify this using existing data structures? 301 using ImplVec = llvm::SmallVector<Violation, 1>; 302 std::unique_ptr<ImplVec> Impl; 303 304 public: 305 // Insert a new Violation if we do not already have one for its effect. 306 void maybeInsert(const Violation &Viol) { 307 if (Impl == nullptr) 308 Impl = std::make_unique<ImplVec>(); 309 else if (lookup(Viol.Effect) != nullptr) 310 return; 311 312 Impl->push_back(Viol); 313 } 314 315 const Violation *lookup(FunctionEffect Key) { 316 if (Impl == nullptr) 317 return nullptr; 318 319 auto *Iter = llvm::find_if( 320 *Impl, [&](const auto &Item) { return Item.Effect == Key; }); 321 return Iter != Impl->end() ? &*Iter : nullptr; 322 } 323 324 size_t size() const { return Impl ? Impl->size() : 0; } 325 }; 326 327 // ---------- 328 // State pertaining to a function whose AST is walked and whose effect analysis 329 // is dependent on a subsequent analysis of other functions. 330 class PendingFunctionAnalysis { 331 friend class CompleteFunctionAnalysis; 332 333 public: 334 struct DirectCall { 335 const Decl *Callee; 336 SourceLocation CallLoc; 337 // Not all recursive calls are detected, just enough 338 // to break cycles. 339 bool Recursed = false; 340 ViolationSite VSite; 341 342 DirectCall(const Decl *D, SourceLocation CallLoc, ViolationSite VSite) 343 : Callee(D), CallLoc(CallLoc), VSite(VSite) {} 344 }; 345 346 // We always have two disjoint sets of effects to verify: 347 // 1. Effects declared explicitly by this function. 348 // 2. All other inferrable effects needing verification. 349 FunctionEffectKindSet DeclaredVerifiableEffects; 350 FunctionEffectKindSet EffectsToInfer; 351 352 private: 353 // Violations pertaining to the function's explicit effects. 354 SmallVector<Violation, 0> ViolationsForExplicitEffects; 355 356 // Violations pertaining to other, non-explicit, inferrable effects. 357 EffectToViolationMap InferrableEffectToFirstViolation; 358 359 // These unverified direct calls are what keeps the analysis "pending", 360 // until the callees can be verified. 361 SmallVector<DirectCall, 0> UnverifiedDirectCalls; 362 363 public: 364 PendingFunctionAnalysis(Sema &S, const CallableInfo &CInfo, 365 FunctionEffectKindSet AllInferrableEffectsToVerify) 366 : DeclaredVerifiableEffects(CInfo.Effects) { 367 // Check for effects we are not allowed to infer. 368 FunctionEffectKindSet InferrableEffects; 369 370 for (FunctionEffect effect : AllInferrableEffectsToVerify) { 371 std::optional<FunctionEffect> ProblemCalleeEffect = 372 effect.effectProhibitingInference(*CInfo.CDecl, CInfo.Effects); 373 if (!ProblemCalleeEffect) 374 InferrableEffects.insert(effect); 375 else { 376 // Add a Violation for this effect if a caller were to 377 // try to infer it. 378 InferrableEffectToFirstViolation.maybeInsert(Violation( 379 effect, ViolationID::DeclDisallowsInference, ViolationSite{}, 380 CInfo.CDecl->getLocation(), nullptr, ProblemCalleeEffect)); 381 } 382 } 383 // InferrableEffects is now the set of inferrable effects which are not 384 // prohibited. 385 EffectsToInfer = FunctionEffectKindSet::difference( 386 InferrableEffects, DeclaredVerifiableEffects); 387 } 388 389 // Hide the way that Violations for explicitly required effects vs. inferred 390 // ones are handled differently. 391 void checkAddViolation(bool Inferring, const Violation &NewViol) { 392 if (!Inferring) 393 ViolationsForExplicitEffects.push_back(NewViol); 394 else 395 InferrableEffectToFirstViolation.maybeInsert(NewViol); 396 } 397 398 void addUnverifiedDirectCall(const Decl *D, SourceLocation CallLoc, 399 ViolationSite VSite) { 400 UnverifiedDirectCalls.emplace_back(D, CallLoc, VSite); 401 } 402 403 // Analysis is complete when there are no unverified direct calls. 404 bool isComplete() const { return UnverifiedDirectCalls.empty(); } 405 406 const Violation *violationForInferrableEffect(FunctionEffect effect) { 407 return InferrableEffectToFirstViolation.lookup(effect); 408 } 409 410 // Mutable because caller may need to set a DirectCall's Recursing flag. 411 MutableArrayRef<DirectCall> unverifiedCalls() { 412 assert(!isComplete()); 413 return UnverifiedDirectCalls; 414 } 415 416 ArrayRef<Violation> getSortedViolationsForExplicitEffects(SourceManager &SM) { 417 if (!ViolationsForExplicitEffects.empty()) 418 llvm::sort(ViolationsForExplicitEffects, 419 [&SM](const Violation &LHS, const Violation &RHS) { 420 return SM.isBeforeInTranslationUnit(LHS.Loc, RHS.Loc); 421 }); 422 return ViolationsForExplicitEffects; 423 } 424 425 void dump(Sema &SemaRef, llvm::raw_ostream &OS) const { 426 OS << "Pending: Declared "; 427 DeclaredVerifiableEffects.dump(OS); 428 OS << ", " << ViolationsForExplicitEffects.size() << " violations; "; 429 OS << " Infer "; 430 EffectsToInfer.dump(OS); 431 OS << ", " << InferrableEffectToFirstViolation.size() << " violations"; 432 if (!UnverifiedDirectCalls.empty()) { 433 OS << "; Calls: "; 434 for (const DirectCall &Call : UnverifiedDirectCalls) { 435 CallableInfo CI(*Call.Callee); 436 OS << " " << CI.getNameForDiagnostic(SemaRef); 437 } 438 } 439 OS << "\n"; 440 } 441 }; 442 443 // ---------- 444 class CompleteFunctionAnalysis { 445 // Current size: 2 pointers 446 public: 447 // Has effects which are both the declared ones -- not to be inferred -- plus 448 // ones which have been successfully inferred. These are all considered 449 // "verified" for the purposes of callers; any issue with verifying declared 450 // effects has already been reported and is not the problem of any caller. 451 FunctionEffectKindSet VerifiedEffects; 452 453 private: 454 // This is used to generate notes about failed inference. 455 EffectToViolationMap InferrableEffectToFirstViolation; 456 457 public: 458 // The incoming Pending analysis is consumed (member(s) are moved-from). 459 CompleteFunctionAnalysis(ASTContext &Ctx, PendingFunctionAnalysis &&Pending, 460 FunctionEffectKindSet DeclaredEffects, 461 FunctionEffectKindSet AllInferrableEffectsToVerify) 462 : VerifiedEffects(DeclaredEffects) { 463 for (FunctionEffect effect : AllInferrableEffectsToVerify) 464 if (Pending.violationForInferrableEffect(effect) == nullptr) 465 VerifiedEffects.insert(effect); 466 467 InferrableEffectToFirstViolation = 468 std::move(Pending.InferrableEffectToFirstViolation); 469 } 470 471 const Violation *firstViolationForEffect(FunctionEffect Effect) { 472 return InferrableEffectToFirstViolation.lookup(Effect); 473 } 474 475 void dump(llvm::raw_ostream &OS) const { 476 OS << "Complete: Verified "; 477 VerifiedEffects.dump(OS); 478 OS << "; Infer "; 479 OS << InferrableEffectToFirstViolation.size() << " violations\n"; 480 } 481 }; 482 483 // ========== 484 class Analyzer { 485 Sema &S; 486 487 // Subset of Sema.AllEffectsToVerify 488 FunctionEffectKindSet AllInferrableEffectsToVerify; 489 490 using FuncAnalysisPtr = 491 llvm::PointerUnion<PendingFunctionAnalysis *, CompleteFunctionAnalysis *>; 492 493 // Map all Decls analyzed to FuncAnalysisPtr. Pending state is larger 494 // than complete state, so use different objects to represent them. 495 // The state pointers are owned by the container. 496 class AnalysisMap : llvm::DenseMap<const Decl *, FuncAnalysisPtr> { 497 using Base = llvm::DenseMap<const Decl *, FuncAnalysisPtr>; 498 499 public: 500 ~AnalysisMap(); 501 502 // Use non-public inheritance in order to maintain the invariant 503 // that lookups and insertions are via the canonical Decls. 504 505 FuncAnalysisPtr lookup(const Decl *Key) const { 506 return Base::lookup(Key->getCanonicalDecl()); 507 } 508 509 FuncAnalysisPtr &operator[](const Decl *Key) { 510 return Base::operator[](Key->getCanonicalDecl()); 511 } 512 513 /// Shortcut for the case where we only care about completed analysis. 514 CompleteFunctionAnalysis *completedAnalysisForDecl(const Decl *D) const { 515 if (FuncAnalysisPtr AP = lookup(D); 516 isa_and_nonnull<CompleteFunctionAnalysis *>(AP)) 517 return AP.get<CompleteFunctionAnalysis *>(); 518 return nullptr; 519 } 520 521 void dump(Sema &SemaRef, llvm::raw_ostream &OS) { 522 OS << "\nAnalysisMap:\n"; 523 for (const auto &item : *this) { 524 CallableInfo CI(*item.first); 525 const auto AP = item.second; 526 OS << item.first << " " << CI.getNameForDiagnostic(SemaRef) << " : "; 527 if (AP.isNull()) { 528 OS << "null\n"; 529 } else if (isa<CompleteFunctionAnalysis *>(AP)) { 530 auto *CFA = AP.get<CompleteFunctionAnalysis *>(); 531 OS << CFA << " "; 532 CFA->dump(OS); 533 } else if (isa<PendingFunctionAnalysis *>(AP)) { 534 auto *PFA = AP.get<PendingFunctionAnalysis *>(); 535 OS << PFA << " "; 536 PFA->dump(SemaRef, OS); 537 } else 538 llvm_unreachable("never"); 539 } 540 OS << "---\n"; 541 } 542 }; 543 AnalysisMap DeclAnalysis; 544 545 public: 546 Analyzer(Sema &S) : S(S) {} 547 548 void run(const TranslationUnitDecl &TU) { 549 // Gather all of the effects to be verified to see what operations need to 550 // be checked, and to see which ones are inferrable. 551 for (FunctionEffect Effect : S.AllEffectsToVerify) { 552 const FunctionEffect::Flags Flags = Effect.flags(); 553 if (Flags & FunctionEffect::FE_InferrableOnCallees) 554 AllInferrableEffectsToVerify.insert(Effect); 555 } 556 LLVM_DEBUG(llvm::dbgs() << "AllInferrableEffectsToVerify: "; 557 AllInferrableEffectsToVerify.dump(llvm::dbgs()); 558 llvm::dbgs() << "\n";); 559 560 // We can use DeclsWithEffectsToVerify as a stack for a 561 // depth-first traversal; there's no need for a second container. But first, 562 // reverse it, so when working from the end, Decls are verified in the order 563 // they are declared. 564 SmallVector<const Decl *> &VerificationQueue = S.DeclsWithEffectsToVerify; 565 std::reverse(VerificationQueue.begin(), VerificationQueue.end()); 566 567 while (!VerificationQueue.empty()) { 568 const Decl *D = VerificationQueue.back(); 569 if (FuncAnalysisPtr AP = DeclAnalysis.lookup(D)) { 570 if (auto *Pending = AP.dyn_cast<PendingFunctionAnalysis *>()) { 571 // All children have been traversed; finish analysis. 572 finishPendingAnalysis(D, Pending); 573 } 574 VerificationQueue.pop_back(); 575 continue; 576 } 577 578 // Not previously visited; begin a new analysis for this Decl. 579 PendingFunctionAnalysis *Pending = verifyDecl(D); 580 if (Pending == nullptr) { 581 // Completed now. 582 VerificationQueue.pop_back(); 583 continue; 584 } 585 586 // Analysis remains pending because there are direct callees to be 587 // verified first. Push them onto the queue. 588 for (PendingFunctionAnalysis::DirectCall &Call : 589 Pending->unverifiedCalls()) { 590 FuncAnalysisPtr AP = DeclAnalysis.lookup(Call.Callee); 591 if (AP.isNull()) { 592 VerificationQueue.push_back(Call.Callee); 593 continue; 594 } 595 596 // This indicates recursion (not necessarily direct). For the 597 // purposes of effect analysis, we can just ignore it since 598 // no effects forbid recursion. 599 assert(isa<PendingFunctionAnalysis *>(AP)); 600 Call.Recursed = true; 601 } 602 } 603 } 604 605 private: 606 // Verify a single Decl. Return the pending structure if that was the result, 607 // else null. This method must not recurse. 608 PendingFunctionAnalysis *verifyDecl(const Decl *D) { 609 CallableInfo CInfo(*D); 610 bool isExternC = false; 611 612 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D)) 613 isExternC = FD->getCanonicalDecl()->isExternCContext(); 614 615 // For C++, with non-extern "C" linkage only - if any of the Decl's declared 616 // effects forbid throwing (e.g. nonblocking) then the function should also 617 // be declared noexcept. 618 if (S.getLangOpts().CPlusPlus && !isExternC) { 619 for (FunctionEffect Effect : CInfo.Effects) { 620 if (!(Effect.flags() & FunctionEffect::FE_ExcludeThrow)) 621 continue; 622 623 bool IsNoexcept = false; 624 if (auto *FD = D->getAsFunction()) { 625 IsNoexcept = isNoexcept(FD); 626 } else if (auto *BD = dyn_cast<BlockDecl>(D)) { 627 if (auto *TSI = BD->getSignatureAsWritten()) { 628 auto *FPT = TSI->getType()->getAs<FunctionProtoType>(); 629 IsNoexcept = FPT->isNothrow() || BD->hasAttr<NoThrowAttr>(); 630 } 631 } 632 if (!IsNoexcept) 633 S.Diag(D->getBeginLoc(), diag::warn_perf_constraint_implies_noexcept) 634 << GetCallableDeclKind(D, nullptr) << Effect.name(); 635 break; 636 } 637 } 638 639 // Build a PendingFunctionAnalysis on the stack. If it turns out to be 640 // complete, we'll have avoided a heap allocation; if it's incomplete, it's 641 // a fairly trivial move to a heap-allocated object. 642 PendingFunctionAnalysis FAnalysis(S, CInfo, AllInferrableEffectsToVerify); 643 644 LLVM_DEBUG(llvm::dbgs() 645 << "\nVerifying " << CInfo.getNameForDiagnostic(S) << " "; 646 FAnalysis.dump(S, llvm::dbgs());); 647 648 FunctionBodyASTVisitor Visitor(*this, FAnalysis, CInfo); 649 650 Visitor.run(); 651 if (FAnalysis.isComplete()) { 652 completeAnalysis(CInfo, std::move(FAnalysis)); 653 return nullptr; 654 } 655 // Move the pending analysis to the heap and save it in the map. 656 PendingFunctionAnalysis *PendingPtr = 657 new PendingFunctionAnalysis(std::move(FAnalysis)); 658 DeclAnalysis[D] = PendingPtr; 659 LLVM_DEBUG(llvm::dbgs() << "inserted pending " << PendingPtr << "\n"; 660 DeclAnalysis.dump(S, llvm::dbgs());); 661 return PendingPtr; 662 } 663 664 // Consume PendingFunctionAnalysis, create with it a CompleteFunctionAnalysis, 665 // inserted in the container. 666 void completeAnalysis(const CallableInfo &CInfo, 667 PendingFunctionAnalysis &&Pending) { 668 if (ArrayRef<Violation> Viols = 669 Pending.getSortedViolationsForExplicitEffects(S.getSourceManager()); 670 !Viols.empty()) 671 emitDiagnostics(Viols, CInfo); 672 673 CompleteFunctionAnalysis *CompletePtr = new CompleteFunctionAnalysis( 674 S.getASTContext(), std::move(Pending), CInfo.Effects, 675 AllInferrableEffectsToVerify); 676 DeclAnalysis[CInfo.CDecl] = CompletePtr; 677 LLVM_DEBUG(llvm::dbgs() << "inserted complete " << CompletePtr << "\n"; 678 DeclAnalysis.dump(S, llvm::dbgs());); 679 } 680 681 // Called after all direct calls requiring inference have been found -- or 682 // not. Repeats calls to FunctionBodyASTVisitor::followCall() but without 683 // the possibility of inference. Deletes Pending. 684 void finishPendingAnalysis(const Decl *D, PendingFunctionAnalysis *Pending) { 685 CallableInfo Caller(*D); 686 LLVM_DEBUG(llvm::dbgs() << "finishPendingAnalysis for " 687 << Caller.getNameForDiagnostic(S) << " : "; 688 Pending->dump(S, llvm::dbgs()); llvm::dbgs() << "\n";); 689 for (const PendingFunctionAnalysis::DirectCall &Call : 690 Pending->unverifiedCalls()) { 691 if (Call.Recursed) 692 continue; 693 694 CallableInfo Callee(*Call.Callee); 695 followCall(Caller, *Pending, Callee, Call.CallLoc, 696 /*AssertNoFurtherInference=*/true, Call.VSite); 697 } 698 completeAnalysis(Caller, std::move(*Pending)); 699 delete Pending; 700 } 701 702 // Here we have a call to a Decl, either explicitly via a CallExpr or some 703 // other AST construct. PFA pertains to the caller. 704 void followCall(const CallableInfo &Caller, PendingFunctionAnalysis &PFA, 705 const CallableInfo &Callee, SourceLocation CallLoc, 706 bool AssertNoFurtherInference, ViolationSite VSite) { 707 const bool DirectCall = Callee.isCalledDirectly(); 708 709 // Initially, the declared effects; inferred effects will be added. 710 FunctionEffectKindSet CalleeEffects = Callee.Effects; 711 712 bool IsInferencePossible = DirectCall; 713 714 if (DirectCall) 715 if (CompleteFunctionAnalysis *CFA = 716 DeclAnalysis.completedAnalysisForDecl(Callee.CDecl)) { 717 // Combine declared effects with those which may have been inferred. 718 CalleeEffects.insert(CFA->VerifiedEffects); 719 IsInferencePossible = false; // We've already traversed it. 720 } 721 722 if (AssertNoFurtherInference) { 723 assert(!IsInferencePossible); 724 } 725 726 if (!Callee.isVerifiable()) 727 IsInferencePossible = false; 728 729 LLVM_DEBUG(llvm::dbgs() 730 << "followCall from " << Caller.getNameForDiagnostic(S) 731 << " to " << Callee.getNameForDiagnostic(S) 732 << "; verifiable: " << Callee.isVerifiable() << "; callee "; 733 CalleeEffects.dump(llvm::dbgs()); llvm::dbgs() << "\n"; 734 llvm::dbgs() << " callee " << Callee.CDecl << " canonical " 735 << Callee.CDecl->getCanonicalDecl() << "\n";); 736 737 auto Check1Effect = [&](FunctionEffect Effect, bool Inferring) { 738 if (!Effect.shouldDiagnoseFunctionCall(DirectCall, CalleeEffects)) 739 return; 740 741 // If inference is not allowed, or the target is indirect (virtual 742 // method/function ptr?), generate a Violation now. 743 if (!IsInferencePossible || 744 !(Effect.flags() & FunctionEffect::FE_InferrableOnCallees)) { 745 if (Callee.FuncType == SpecialFuncType::None) 746 PFA.checkAddViolation(Inferring, 747 {Effect, ViolationID::CallsDeclWithoutEffect, 748 VSite, CallLoc, Callee.CDecl}); 749 else 750 PFA.checkAddViolation( 751 Inferring, 752 {Effect, ViolationID::AllocatesMemory, VSite, CallLoc}); 753 } else { 754 // Inference is allowed and necessary; defer it. 755 PFA.addUnverifiedDirectCall(Callee.CDecl, CallLoc, VSite); 756 } 757 }; 758 759 for (FunctionEffect Effect : PFA.DeclaredVerifiableEffects) 760 Check1Effect(Effect, false); 761 762 for (FunctionEffect Effect : PFA.EffectsToInfer) 763 Check1Effect(Effect, true); 764 } 765 766 // Describe a callable Decl for a diagnostic. 767 // (Not an enum class because the value is always converted to an integer for 768 // use in a diagnostic.) 769 enum CallableDeclKind { 770 CDK_Function, 771 CDK_Constructor, 772 CDK_Destructor, 773 CDK_Lambda, 774 CDK_Block, 775 CDK_MemberInitializer, 776 }; 777 778 // Describe a call site or target using an enum mapping to a %select{} 779 // in a diagnostic, e.g. warn_func_effect_violation, 780 // warn_perf_constraint_implies_noexcept, and others. 781 static CallableDeclKind GetCallableDeclKind(const Decl *D, 782 const Violation *V) { 783 if (V != nullptr && 784 V->Site.kind() == ViolationSite::Kind::MemberInitializer) 785 return CDK_MemberInitializer; 786 if (isa<BlockDecl>(D)) 787 return CDK_Block; 788 if (auto *Method = dyn_cast<CXXMethodDecl>(D)) { 789 if (isa<CXXConstructorDecl>(D)) 790 return CDK_Constructor; 791 if (isa<CXXDestructorDecl>(D)) 792 return CDK_Destructor; 793 const CXXRecordDecl *Rec = Method->getParent(); 794 if (Rec->isLambda()) 795 return CDK_Lambda; 796 } 797 return CDK_Function; 798 }; 799 800 // Should only be called when function's analysis is determined to be 801 // complete. 802 void emitDiagnostics(ArrayRef<Violation> Viols, const CallableInfo &CInfo) { 803 if (Viols.empty()) 804 return; 805 806 auto MaybeAddTemplateNote = [&](const Decl *D) { 807 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D)) { 808 while (FD != nullptr && FD->isTemplateInstantiation()) { 809 S.Diag(FD->getPointOfInstantiation(), 810 diag::note_func_effect_from_template); 811 FD = FD->getTemplateInstantiationPattern(); 812 } 813 } 814 }; 815 816 // For note_func_effect_call_indirect. 817 enum { Indirect_VirtualMethod, Indirect_FunctionPtr }; 818 819 auto MaybeAddSiteContext = [&](const Decl *D, const Violation &V) { 820 // If a violation site is a member initializer, add a note pointing to 821 // the constructor which invoked it. 822 if (V.Site.kind() == ViolationSite::Kind::MemberInitializer) { 823 unsigned ImplicitCtor = 0; 824 if (auto *Ctor = dyn_cast<CXXConstructorDecl>(D); 825 Ctor && Ctor->isImplicit()) 826 ImplicitCtor = 1; 827 S.Diag(D->getLocation(), diag::note_func_effect_in_constructor) 828 << ImplicitCtor; 829 } 830 831 // If a violation site is a default argument expression, add a note 832 // pointing to the call site using the default argument. 833 else if (V.Site.kind() == ViolationSite::Kind::DefaultArgExpr) 834 S.Diag(V.Site.defaultArgExpr()->getUsedLocation(), 835 diag::note_in_evaluating_default_argument); 836 }; 837 838 // Top-level violations are warnings. 839 for (const Violation &Viol1 : Viols) { 840 StringRef effectName = Viol1.Effect.name(); 841 switch (Viol1.ID) { 842 case ViolationID::None: 843 case ViolationID::DeclDisallowsInference: // Shouldn't happen 844 // here. 845 llvm_unreachable("Unexpected violation kind"); 846 break; 847 case ViolationID::AllocatesMemory: 848 case ViolationID::ThrowsOrCatchesExceptions: 849 case ViolationID::HasStaticLocalVariable: 850 case ViolationID::AccessesThreadLocalVariable: 851 case ViolationID::AccessesObjCMethodOrProperty: 852 S.Diag(Viol1.Loc, diag::warn_func_effect_violation) 853 << GetCallableDeclKind(CInfo.CDecl, &Viol1) << effectName 854 << Viol1.diagnosticSelectIndex(); 855 MaybeAddSiteContext(CInfo.CDecl, Viol1); 856 MaybeAddTemplateNote(CInfo.CDecl); 857 break; 858 case ViolationID::CallsExprWithoutEffect: 859 S.Diag(Viol1.Loc, diag::warn_func_effect_calls_expr_without_effect) 860 << GetCallableDeclKind(CInfo.CDecl, &Viol1) << effectName; 861 MaybeAddSiteContext(CInfo.CDecl, Viol1); 862 MaybeAddTemplateNote(CInfo.CDecl); 863 break; 864 865 case ViolationID::CallsDeclWithoutEffect: { 866 CallableInfo CalleeInfo(*Viol1.Callee); 867 std::string CalleeName = CalleeInfo.getNameForDiagnostic(S); 868 869 S.Diag(Viol1.Loc, diag::warn_func_effect_calls_func_without_effect) 870 << GetCallableDeclKind(CInfo.CDecl, &Viol1) << effectName 871 << GetCallableDeclKind(CalleeInfo.CDecl, nullptr) << CalleeName; 872 MaybeAddSiteContext(CInfo.CDecl, Viol1); 873 MaybeAddTemplateNote(CInfo.CDecl); 874 875 // Emit notes explaining the transitive chain of inferences: Why isn't 876 // the callee safe? 877 for (const Decl *Callee = Viol1.Callee; Callee != nullptr;) { 878 std::optional<CallableInfo> MaybeNextCallee; 879 CompleteFunctionAnalysis *Completed = 880 DeclAnalysis.completedAnalysisForDecl(CalleeInfo.CDecl); 881 if (Completed == nullptr) { 882 // No result - could be 883 // - non-inline and extern 884 // - indirect (virtual or through function pointer) 885 // - effect has been explicitly disclaimed (e.g. "blocking") 886 887 CallableType CType = CalleeInfo.type(); 888 if (CType == CallableType::Virtual) 889 S.Diag(Callee->getLocation(), 890 diag::note_func_effect_call_indirect) 891 << Indirect_VirtualMethod << effectName; 892 else if (CType == CallableType::Unknown) 893 S.Diag(Callee->getLocation(), 894 diag::note_func_effect_call_indirect) 895 << Indirect_FunctionPtr << effectName; 896 else if (CalleeInfo.Effects.contains(Viol1.Effect.oppositeKind())) 897 S.Diag(Callee->getLocation(), 898 diag::note_func_effect_call_disallows_inference) 899 << GetCallableDeclKind(CInfo.CDecl, nullptr) << effectName 900 << FunctionEffect(Viol1.Effect.oppositeKind()).name(); 901 else if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(Callee); 902 FD == nullptr || FD->getBuiltinID() == 0) { 903 // A builtin callee generally doesn't have a useful source 904 // location at which to insert a note. 905 S.Diag(Callee->getLocation(), diag::note_func_effect_call_extern) 906 << effectName; 907 } 908 break; 909 } 910 const Violation *PtrViol2 = 911 Completed->firstViolationForEffect(Viol1.Effect); 912 if (PtrViol2 == nullptr) 913 break; 914 915 const Violation &Viol2 = *PtrViol2; 916 switch (Viol2.ID) { 917 case ViolationID::None: 918 llvm_unreachable("Unexpected violation kind"); 919 break; 920 case ViolationID::DeclDisallowsInference: 921 S.Diag(Viol2.Loc, diag::note_func_effect_call_disallows_inference) 922 << GetCallableDeclKind(CalleeInfo.CDecl, nullptr) << effectName 923 << Viol2.CalleeEffectPreventingInference->name(); 924 break; 925 case ViolationID::CallsExprWithoutEffect: 926 S.Diag(Viol2.Loc, diag::note_func_effect_call_indirect) 927 << Indirect_FunctionPtr << effectName; 928 break; 929 case ViolationID::AllocatesMemory: 930 case ViolationID::ThrowsOrCatchesExceptions: 931 case ViolationID::HasStaticLocalVariable: 932 case ViolationID::AccessesThreadLocalVariable: 933 case ViolationID::AccessesObjCMethodOrProperty: 934 S.Diag(Viol2.Loc, diag::note_func_effect_violation) 935 << GetCallableDeclKind(CalleeInfo.CDecl, &Viol2) << effectName 936 << Viol2.diagnosticSelectIndex(); 937 MaybeAddSiteContext(CalleeInfo.CDecl, Viol2); 938 break; 939 case ViolationID::CallsDeclWithoutEffect: 940 MaybeNextCallee.emplace(*Viol2.Callee); 941 S.Diag(Viol2.Loc, diag::note_func_effect_calls_func_without_effect) 942 << GetCallableDeclKind(CalleeInfo.CDecl, &Viol2) << effectName 943 << GetCallableDeclKind(Viol2.Callee, nullptr) 944 << MaybeNextCallee->getNameForDiagnostic(S); 945 break; 946 } 947 MaybeAddTemplateNote(Callee); 948 Callee = Viol2.Callee; 949 if (MaybeNextCallee) { 950 CalleeInfo = *MaybeNextCallee; 951 CalleeName = CalleeInfo.getNameForDiagnostic(S); 952 } 953 } 954 } break; 955 } 956 } 957 } 958 959 // ---------- 960 // This AST visitor is used to traverse the body of a function during effect 961 // verification. This happens in 2 situations: 962 // [1] The function has declared effects which need to be validated. 963 // [2] The function has not explicitly declared an effect in question, and is 964 // being checked for implicit conformance. 965 // 966 // Violations are always routed to a PendingFunctionAnalysis. 967 struct FunctionBodyASTVisitor : RecursiveASTVisitor<FunctionBodyASTVisitor> { 968 using Base = RecursiveASTVisitor<FunctionBodyASTVisitor>; 969 970 Analyzer &Outer; 971 PendingFunctionAnalysis &CurrentFunction; 972 CallableInfo &CurrentCaller; 973 ViolationSite VSite; 974 975 FunctionBodyASTVisitor(Analyzer &Outer, 976 PendingFunctionAnalysis &CurrentFunction, 977 CallableInfo &CurrentCaller) 978 : Outer(Outer), CurrentFunction(CurrentFunction), 979 CurrentCaller(CurrentCaller) {} 980 981 // -- Entry point -- 982 void run() { 983 // The target function may have implicit code paths beyond the 984 // body: member and base destructors. Visit these first. 985 if (auto *Dtor = dyn_cast<CXXDestructorDecl>(CurrentCaller.CDecl)) 986 followDestructor(dyn_cast<CXXRecordDecl>(Dtor->getParent()), Dtor); 987 988 // Do an AST traversal of the function/block body 989 TraverseDecl(const_cast<Decl *>(CurrentCaller.CDecl)); 990 } 991 992 // -- Methods implementing common logic -- 993 994 // Handle a language construct forbidden by some effects. Only effects whose 995 // flags include the specified flag receive a violation. \p Flag describes 996 // the construct. 997 void diagnoseLanguageConstruct(FunctionEffect::FlagBit Flag, 998 ViolationID VID, SourceLocation Loc, 999 const Decl *Callee = nullptr) { 1000 // If there are any declared verifiable effects which forbid the construct 1001 // represented by the flag, store just one violation. 1002 for (FunctionEffect Effect : CurrentFunction.DeclaredVerifiableEffects) { 1003 if (Effect.flags() & Flag) { 1004 addViolation(/*inferring=*/false, Effect, VID, Loc, Callee); 1005 break; 1006 } 1007 } 1008 // For each inferred effect which forbids the construct, store a 1009 // violation, if we don't already have a violation for that effect. 1010 for (FunctionEffect Effect : CurrentFunction.EffectsToInfer) 1011 if (Effect.flags() & Flag) 1012 addViolation(/*inferring=*/true, Effect, VID, Loc, Callee); 1013 } 1014 1015 void addViolation(bool Inferring, FunctionEffect Effect, ViolationID VID, 1016 SourceLocation Loc, const Decl *Callee = nullptr) { 1017 CurrentFunction.checkAddViolation( 1018 Inferring, Violation(Effect, VID, VSite, Loc, Callee)); 1019 } 1020 1021 // Here we have a call to a Decl, either explicitly via a CallExpr or some 1022 // other AST construct. CallableInfo pertains to the callee. 1023 void followCall(CallableInfo &CI, SourceLocation CallLoc) { 1024 // Check for a call to a builtin function, whose effects are 1025 // handled specially. 1026 if (const auto *FD = dyn_cast<FunctionDecl>(CI.CDecl)) { 1027 if (unsigned BuiltinID = FD->getBuiltinID()) { 1028 CI.Effects = getBuiltinFunctionEffects(BuiltinID); 1029 if (CI.Effects.empty()) { 1030 // A builtin with no known effects is assumed safe. 1031 return; 1032 } 1033 // A builtin WITH effects doesn't get any special treatment for 1034 // being noreturn/noexcept, e.g. longjmp(), so we skip the check 1035 // below. 1036 } else { 1037 // If the callee is both `noreturn` and `noexcept`, it presumably 1038 // terminates. Ignore it for the purposes of effect analysis. 1039 // If not C++, `noreturn` alone is sufficient. 1040 if (FD->isNoReturn() && 1041 (!Outer.S.getLangOpts().CPlusPlus || isNoexcept(FD))) 1042 return; 1043 } 1044 } 1045 1046 Outer.followCall(CurrentCaller, CurrentFunction, CI, CallLoc, 1047 /*AssertNoFurtherInference=*/false, VSite); 1048 } 1049 1050 void checkIndirectCall(CallExpr *Call, QualType CalleeType) { 1051 FunctionEffectKindSet CalleeEffects; 1052 if (FunctionEffectsRef Effects = FunctionEffectsRef::get(CalleeType); 1053 !Effects.empty()) 1054 CalleeEffects.insert(Effects); 1055 1056 auto Check1Effect = [&](FunctionEffect Effect, bool Inferring) { 1057 if (Effect.shouldDiagnoseFunctionCall( 1058 /*direct=*/false, CalleeEffects)) 1059 addViolation(Inferring, Effect, ViolationID::CallsExprWithoutEffect, 1060 Call->getBeginLoc()); 1061 }; 1062 1063 for (FunctionEffect Effect : CurrentFunction.DeclaredVerifiableEffects) 1064 Check1Effect(Effect, false); 1065 1066 for (FunctionEffect Effect : CurrentFunction.EffectsToInfer) 1067 Check1Effect(Effect, true); 1068 } 1069 1070 // This destructor's body should be followed by the caller, but here we 1071 // follow the field and base destructors. 1072 void followDestructor(const CXXRecordDecl *Rec, 1073 const CXXDestructorDecl *Dtor) { 1074 SourceLocation DtorLoc = Dtor->getLocation(); 1075 for (const FieldDecl *Field : Rec->fields()) 1076 followTypeDtor(Field->getType(), DtorLoc); 1077 1078 if (const auto *Class = dyn_cast<CXXRecordDecl>(Rec)) 1079 for (const CXXBaseSpecifier &Base : Class->bases()) 1080 followTypeDtor(Base.getType(), DtorLoc); 1081 } 1082 1083 void followTypeDtor(QualType QT, SourceLocation CallSite) { 1084 const Type *Ty = QT.getTypePtr(); 1085 while (Ty->isArrayType()) { 1086 const ArrayType *Arr = Ty->getAsArrayTypeUnsafe(); 1087 QT = Arr->getElementType(); 1088 Ty = QT.getTypePtr(); 1089 } 1090 1091 if (Ty->isRecordType()) { 1092 if (const CXXRecordDecl *Class = Ty->getAsCXXRecordDecl()) { 1093 if (CXXDestructorDecl *Dtor = Class->getDestructor(); 1094 Dtor && !Dtor->isDeleted()) { 1095 CallableInfo CI(*Dtor); 1096 followCall(CI, CallSite); 1097 } 1098 } 1099 } 1100 } 1101 1102 // -- Methods for use of RecursiveASTVisitor -- 1103 1104 bool shouldVisitImplicitCode() const { return true; } 1105 1106 bool shouldWalkTypesOfTypeLocs() const { return false; } 1107 1108 bool VisitCXXThrowExpr(CXXThrowExpr *Throw) { 1109 diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeThrow, 1110 ViolationID::ThrowsOrCatchesExceptions, 1111 Throw->getThrowLoc()); 1112 return true; 1113 } 1114 1115 bool VisitCXXCatchStmt(CXXCatchStmt *Catch) { 1116 diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeCatch, 1117 ViolationID::ThrowsOrCatchesExceptions, 1118 Catch->getCatchLoc()); 1119 return true; 1120 } 1121 1122 bool VisitObjCAtThrowStmt(ObjCAtThrowStmt *Throw) { 1123 diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeThrow, 1124 ViolationID::ThrowsOrCatchesExceptions, 1125 Throw->getThrowLoc()); 1126 return true; 1127 } 1128 1129 bool VisitObjCAtCatchStmt(ObjCAtCatchStmt *Catch) { 1130 diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeCatch, 1131 ViolationID::ThrowsOrCatchesExceptions, 1132 Catch->getAtCatchLoc()); 1133 return true; 1134 } 1135 1136 bool VisitObjCMessageExpr(ObjCMessageExpr *Msg) { 1137 diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeObjCMessageSend, 1138 ViolationID::AccessesObjCMethodOrProperty, 1139 Msg->getBeginLoc()); 1140 return true; 1141 } 1142 1143 bool VisitSEHExceptStmt(SEHExceptStmt *Exc) { 1144 diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeCatch, 1145 ViolationID::ThrowsOrCatchesExceptions, 1146 Exc->getExceptLoc()); 1147 return true; 1148 } 1149 1150 bool VisitCallExpr(CallExpr *Call) { 1151 LLVM_DEBUG(llvm::dbgs() 1152 << "VisitCallExpr : " 1153 << Call->getBeginLoc().printToString(Outer.S.SourceMgr) 1154 << "\n";); 1155 1156 Expr *CalleeExpr = Call->getCallee(); 1157 if (const Decl *Callee = CalleeExpr->getReferencedDeclOfCallee()) { 1158 CallableInfo CI(*Callee); 1159 followCall(CI, Call->getBeginLoc()); 1160 return true; 1161 } 1162 1163 if (isa<CXXPseudoDestructorExpr>(CalleeExpr)) { 1164 // Just destroying a scalar, fine. 1165 return true; 1166 } 1167 1168 // No Decl, just an Expr. Just check based on its type. 1169 checkIndirectCall(Call, CalleeExpr->getType()); 1170 1171 return true; 1172 } 1173 1174 bool VisitVarDecl(VarDecl *Var) { 1175 LLVM_DEBUG(llvm::dbgs() 1176 << "VisitVarDecl : " 1177 << Var->getBeginLoc().printToString(Outer.S.SourceMgr) 1178 << "\n";); 1179 1180 if (Var->isStaticLocal()) 1181 diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeStaticLocalVars, 1182 ViolationID::HasStaticLocalVariable, 1183 Var->getLocation()); 1184 1185 const QualType::DestructionKind DK = 1186 Var->needsDestruction(Outer.S.getASTContext()); 1187 if (DK == QualType::DK_cxx_destructor) 1188 followTypeDtor(Var->getType(), Var->getLocation()); 1189 return true; 1190 } 1191 1192 bool VisitCXXNewExpr(CXXNewExpr *New) { 1193 // RecursiveASTVisitor does not visit the implicit call to operator new. 1194 if (FunctionDecl *FD = New->getOperatorNew()) { 1195 CallableInfo CI(*FD, SpecialFuncType::OperatorNew); 1196 followCall(CI, New->getBeginLoc()); 1197 } 1198 1199 // It's a bit excessive to check operator delete here, since it's 1200 // just a fallback for operator new followed by a failed constructor. 1201 // We could check it via New->getOperatorDelete(). 1202 1203 // It DOES however visit the called constructor 1204 return true; 1205 } 1206 1207 bool VisitCXXDeleteExpr(CXXDeleteExpr *Delete) { 1208 // RecursiveASTVisitor does not visit the implicit call to operator 1209 // delete. 1210 if (FunctionDecl *FD = Delete->getOperatorDelete()) { 1211 CallableInfo CI(*FD, SpecialFuncType::OperatorDelete); 1212 followCall(CI, Delete->getBeginLoc()); 1213 } 1214 1215 // It DOES however visit the called destructor 1216 1217 return true; 1218 } 1219 1220 bool VisitCXXConstructExpr(CXXConstructExpr *Construct) { 1221 LLVM_DEBUG(llvm::dbgs() << "VisitCXXConstructExpr : " 1222 << Construct->getBeginLoc().printToString( 1223 Outer.S.SourceMgr) 1224 << "\n";); 1225 1226 // RecursiveASTVisitor does not visit the implicit call to the 1227 // constructor. 1228 const CXXConstructorDecl *Ctor = Construct->getConstructor(); 1229 CallableInfo CI(*Ctor); 1230 followCall(CI, Construct->getLocation()); 1231 1232 return true; 1233 } 1234 1235 bool TraverseConstructorInitializer(CXXCtorInitializer *Init) { 1236 ViolationSite PrevVS = VSite; 1237 if (Init->isAnyMemberInitializer()) 1238 VSite.setKind(ViolationSite::Kind::MemberInitializer); 1239 bool Result = Base::TraverseConstructorInitializer(Init); 1240 VSite = PrevVS; 1241 return Result; 1242 } 1243 1244 bool TraverseCXXDefaultArgExpr(CXXDefaultArgExpr *E) { 1245 LLVM_DEBUG(llvm::dbgs() 1246 << "TraverseCXXDefaultArgExpr : " 1247 << E->getUsedLocation().printToString(Outer.S.SourceMgr) 1248 << "\n";); 1249 1250 ViolationSite PrevVS = VSite; 1251 if (VSite.kind() == ViolationSite::Kind::Default) 1252 VSite = ViolationSite{E}; 1253 1254 bool Result = Base::TraverseCXXDefaultArgExpr(E); 1255 VSite = PrevVS; 1256 return Result; 1257 } 1258 1259 bool TraverseLambdaExpr(LambdaExpr *Lambda) { 1260 // We override this so as to be able to skip traversal of the lambda's 1261 // body. We have to explicitly traverse the captures. Why not return 1262 // false from shouldVisitLambdaBody()? Because we need to visit a lambda's 1263 // body when we are verifying the lambda itself; we only want to skip it 1264 // in the context of the outer function. 1265 for (unsigned I = 0, N = Lambda->capture_size(); I < N; ++I) 1266 TraverseLambdaCapture(Lambda, Lambda->capture_begin() + I, 1267 Lambda->capture_init_begin()[I]); 1268 1269 return true; 1270 } 1271 1272 bool TraverseBlockExpr(BlockExpr * /*unused*/) { 1273 // TODO: are the capture expressions (ctor call?) safe? 1274 return true; 1275 } 1276 1277 bool VisitDeclRefExpr(const DeclRefExpr *E) { 1278 const ValueDecl *Val = E->getDecl(); 1279 if (const auto *Var = dyn_cast<VarDecl>(Val)) { 1280 if (Var->getTLSKind() != VarDecl::TLS_None) { 1281 // At least on macOS, thread-local variables are initialized on 1282 // first access, including a heap allocation. 1283 diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeThreadLocalVars, 1284 ViolationID::AccessesThreadLocalVariable, 1285 E->getLocation()); 1286 } 1287 } 1288 return true; 1289 } 1290 1291 bool TraverseGenericSelectionExpr(GenericSelectionExpr *Node) { 1292 return TraverseStmt(Node->getResultExpr()); 1293 } 1294 bool TraverseUnaryExprOrTypeTraitExpr(UnaryExprOrTypeTraitExpr *Node) { 1295 return true; 1296 } 1297 1298 bool TraverseTypeOfExprTypeLoc(TypeOfExprTypeLoc Node) { return true; } 1299 1300 bool TraverseDecltypeTypeLoc(DecltypeTypeLoc Node) { return true; } 1301 1302 bool TraverseCXXNoexceptExpr(CXXNoexceptExpr *Node) { return true; } 1303 1304 bool TraverseCXXTypeidExpr(CXXTypeidExpr *Node) { return true; } 1305 1306 // Skip concept requirements since they don't generate code. 1307 bool TraverseConceptRequirement(concepts::Requirement *R) { return true; } 1308 }; 1309 }; 1310 1311 Analyzer::AnalysisMap::~AnalysisMap() { 1312 for (const auto &Item : *this) { 1313 FuncAnalysisPtr AP = Item.second; 1314 if (isa<PendingFunctionAnalysis *>(AP)) 1315 delete AP.get<PendingFunctionAnalysis *>(); 1316 else 1317 delete AP.get<CompleteFunctionAnalysis *>(); 1318 } 1319 } 1320 1321 } // anonymous namespace 1322 1323 namespace clang { 1324 1325 bool Sema::diagnoseConflictingFunctionEffect( 1326 const FunctionEffectsRef &FX, const FunctionEffectWithCondition &NewEC, 1327 SourceLocation NewAttrLoc) { 1328 // If the new effect has a condition, we can't detect conflicts until the 1329 // condition is resolved. 1330 if (NewEC.Cond.getCondition() != nullptr) 1331 return false; 1332 1333 // Diagnose the new attribute as incompatible with a previous one. 1334 auto Incompatible = [&](const FunctionEffectWithCondition &PrevEC) { 1335 Diag(NewAttrLoc, diag::err_attributes_are_not_compatible) 1336 << ("'" + NewEC.description() + "'") 1337 << ("'" + PrevEC.description() + "'") << false; 1338 // We don't necessarily have the location of the previous attribute, 1339 // so no note. 1340 return true; 1341 }; 1342 1343 // Compare against previous attributes. 1344 FunctionEffect::Kind NewKind = NewEC.Effect.kind(); 1345 1346 for (const FunctionEffectWithCondition &PrevEC : FX) { 1347 // Again, can't check yet when the effect is conditional. 1348 if (PrevEC.Cond.getCondition() != nullptr) 1349 continue; 1350 1351 FunctionEffect::Kind PrevKind = PrevEC.Effect.kind(); 1352 // Note that we allow PrevKind == NewKind; it's redundant and ignored. 1353 1354 if (PrevEC.Effect.oppositeKind() == NewKind) 1355 return Incompatible(PrevEC); 1356 1357 // A new allocating is incompatible with a previous nonblocking. 1358 if (PrevKind == FunctionEffect::Kind::NonBlocking && 1359 NewKind == FunctionEffect::Kind::Allocating) 1360 return Incompatible(PrevEC); 1361 1362 // A new nonblocking is incompatible with a previous allocating. 1363 if (PrevKind == FunctionEffect::Kind::Allocating && 1364 NewKind == FunctionEffect::Kind::NonBlocking) 1365 return Incompatible(PrevEC); 1366 } 1367 1368 return false; 1369 } 1370 1371 void Sema::diagnoseFunctionEffectMergeConflicts( 1372 const FunctionEffectSet::Conflicts &Errs, SourceLocation NewLoc, 1373 SourceLocation OldLoc) { 1374 for (const FunctionEffectSet::Conflict &Conflict : Errs) { 1375 Diag(NewLoc, diag::warn_conflicting_func_effects) 1376 << Conflict.Kept.description() << Conflict.Rejected.description(); 1377 Diag(OldLoc, diag::note_previous_declaration); 1378 } 1379 } 1380 1381 // Decl should be a FunctionDecl or BlockDecl. 1382 void Sema::maybeAddDeclWithEffects(const Decl *D, 1383 const FunctionEffectsRef &FX) { 1384 if (!D->hasBody()) { 1385 if (const auto *FD = D->getAsFunction(); FD && !FD->willHaveBody()) 1386 return; 1387 } 1388 1389 if (Diags.getIgnoreAllWarnings() || 1390 (Diags.getSuppressSystemWarnings() && 1391 SourceMgr.isInSystemHeader(D->getLocation()))) 1392 return; 1393 1394 if (hasUncompilableErrorOccurred()) 1395 return; 1396 1397 // For code in dependent contexts, we'll do this at instantiation time. 1398 // Without this check, we would analyze the function based on placeholder 1399 // template parameters, and potentially generate spurious diagnostics. 1400 if (cast<DeclContext>(D)->isDependentContext()) 1401 return; 1402 1403 addDeclWithEffects(D, FX); 1404 } 1405 1406 void Sema::addDeclWithEffects(const Decl *D, const FunctionEffectsRef &FX) { 1407 // To avoid the possibility of conflict, don't add effects which are 1408 // not FE_InferrableOnCallees and therefore not verified; this removes 1409 // blocking/allocating but keeps nonblocking/nonallocating. 1410 // Also, ignore any conditions when building the list of effects. 1411 bool AnyVerifiable = false; 1412 for (const FunctionEffectWithCondition &EC : FX) 1413 if (EC.Effect.flags() & FunctionEffect::FE_InferrableOnCallees) { 1414 AllEffectsToVerify.insert(EC.Effect); 1415 AnyVerifiable = true; 1416 } 1417 1418 // Record the declaration for later analysis. 1419 if (AnyVerifiable) 1420 DeclsWithEffectsToVerify.push_back(D); 1421 } 1422 1423 void Sema::performFunctionEffectAnalysis(TranslationUnitDecl *TU) { 1424 if (hasUncompilableErrorOccurred() || Diags.getIgnoreAllWarnings()) 1425 return; 1426 if (TU == nullptr) 1427 return; 1428 Analyzer{*this}.run(*TU); 1429 } 1430 1431 Sema::FunctionEffectDiffVector::FunctionEffectDiffVector( 1432 const FunctionEffectsRef &Old, const FunctionEffectsRef &New) { 1433 1434 FunctionEffectsRef::iterator POld = Old.begin(); 1435 FunctionEffectsRef::iterator OldEnd = Old.end(); 1436 FunctionEffectsRef::iterator PNew = New.begin(); 1437 FunctionEffectsRef::iterator NewEnd = New.end(); 1438 1439 while (true) { 1440 int cmp = 0; 1441 if (POld == OldEnd) { 1442 if (PNew == NewEnd) 1443 break; 1444 cmp = 1; 1445 } else if (PNew == NewEnd) 1446 cmp = -1; 1447 else { 1448 FunctionEffectWithCondition Old = *POld; 1449 FunctionEffectWithCondition New = *PNew; 1450 if (Old.Effect.kind() < New.Effect.kind()) 1451 cmp = -1; 1452 else if (New.Effect.kind() < Old.Effect.kind()) 1453 cmp = 1; 1454 else { 1455 cmp = 0; 1456 if (Old.Cond.getCondition() != New.Cond.getCondition()) { 1457 // FIXME: Cases where the expressions are equivalent but 1458 // don't have the same identity. 1459 push_back(FunctionEffectDiff{ 1460 Old.Effect.kind(), FunctionEffectDiff::Kind::ConditionMismatch, 1461 Old, New}); 1462 } 1463 } 1464 } 1465 1466 if (cmp < 0) { 1467 // removal 1468 FunctionEffectWithCondition Old = *POld; 1469 push_back(FunctionEffectDiff{Old.Effect.kind(), 1470 FunctionEffectDiff::Kind::Removed, Old, 1471 std::nullopt}); 1472 ++POld; 1473 } else if (cmp > 0) { 1474 // addition 1475 FunctionEffectWithCondition New = *PNew; 1476 push_back(FunctionEffectDiff{New.Effect.kind(), 1477 FunctionEffectDiff::Kind::Added, 1478 std::nullopt, New}); 1479 ++PNew; 1480 } else { 1481 ++POld; 1482 ++PNew; 1483 } 1484 } 1485 } 1486 1487 bool Sema::FunctionEffectDiff::shouldDiagnoseConversion( 1488 QualType SrcType, const FunctionEffectsRef &SrcFX, QualType DstType, 1489 const FunctionEffectsRef &DstFX) const { 1490 1491 switch (EffectKind) { 1492 case FunctionEffect::Kind::NonAllocating: 1493 // nonallocating can't be added (spoofed) during a conversion, unless we 1494 // have nonblocking. 1495 if (DiffKind == Kind::Added) { 1496 for (const auto &CFE : SrcFX) { 1497 if (CFE.Effect.kind() == FunctionEffect::Kind::NonBlocking) 1498 return false; 1499 } 1500 } 1501 [[fallthrough]]; 1502 case FunctionEffect::Kind::NonBlocking: 1503 // nonblocking can't be added (spoofed) during a conversion. 1504 switch (DiffKind) { 1505 case Kind::Added: 1506 return true; 1507 case Kind::Removed: 1508 return false; 1509 case Kind::ConditionMismatch: 1510 // FIXME: Condition mismatches are too coarse right now -- expressions 1511 // which are equivalent but don't have the same identity are detected as 1512 // mismatches. We're going to diagnose those anyhow until expression 1513 // matching is better. 1514 return true; 1515 } 1516 case FunctionEffect::Kind::Blocking: 1517 case FunctionEffect::Kind::Allocating: 1518 return false; 1519 } 1520 llvm_unreachable("unknown effect kind"); 1521 } 1522 1523 bool Sema::FunctionEffectDiff::shouldDiagnoseRedeclaration( 1524 const FunctionDecl &OldFunction, const FunctionEffectsRef &OldFX, 1525 const FunctionDecl &NewFunction, const FunctionEffectsRef &NewFX) const { 1526 switch (EffectKind) { 1527 case FunctionEffect::Kind::NonAllocating: 1528 case FunctionEffect::Kind::NonBlocking: 1529 // nonblocking/nonallocating can't be removed in a redeclaration. 1530 switch (DiffKind) { 1531 case Kind::Added: 1532 return false; // No diagnostic. 1533 case Kind::Removed: 1534 return true; // Issue diagnostic. 1535 case Kind::ConditionMismatch: 1536 // All these forms of mismatches are diagnosed. 1537 return true; 1538 } 1539 case FunctionEffect::Kind::Blocking: 1540 case FunctionEffect::Kind::Allocating: 1541 return false; 1542 } 1543 llvm_unreachable("unknown effect kind"); 1544 } 1545 1546 Sema::FunctionEffectDiff::OverrideResult 1547 Sema::FunctionEffectDiff::shouldDiagnoseMethodOverride( 1548 const CXXMethodDecl &OldMethod, const FunctionEffectsRef &OldFX, 1549 const CXXMethodDecl &NewMethod, const FunctionEffectsRef &NewFX) const { 1550 switch (EffectKind) { 1551 case FunctionEffect::Kind::NonAllocating: 1552 case FunctionEffect::Kind::NonBlocking: 1553 switch (DiffKind) { 1554 1555 // If added on an override, that's fine and not diagnosed. 1556 case Kind::Added: 1557 return OverrideResult::NoAction; 1558 1559 // If missing from an override (removed), propagate from base to derived. 1560 case Kind::Removed: 1561 return OverrideResult::Merge; 1562 1563 // If there's a mismatch involving the effect's polarity or condition, 1564 // issue a warning. 1565 case Kind::ConditionMismatch: 1566 return OverrideResult::Warn; 1567 } 1568 1569 case FunctionEffect::Kind::Blocking: 1570 case FunctionEffect::Kind::Allocating: 1571 return OverrideResult::NoAction; 1572 } 1573 llvm_unreachable("unknown effect kind"); 1574 } 1575 1576 } // namespace clang 1577