1 //=== SemaFunctionEffects.cpp - Sema handling of function effects ---------===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This file implements Sema handling of function effects. 10 // 11 //===----------------------------------------------------------------------===// 12 13 #include "clang/AST/Decl.h" 14 #include "clang/AST/DeclCXX.h" 15 #include "clang/AST/DynamicRecursiveASTVisitor.h" 16 #include "clang/AST/ExprObjC.h" 17 #include "clang/AST/Stmt.h" 18 #include "clang/AST/StmtObjC.h" 19 #include "clang/AST/Type.h" 20 #include "clang/Basic/SourceManager.h" 21 #include "clang/Sema/SemaInternal.h" 22 23 #define DEBUG_TYPE "effectanalysis" 24 25 using namespace clang; 26 27 namespace { 28 29 enum class ViolationID : uint8_t { 30 None = 0, // Sentinel for an empty Violation. 31 // These first 5 map to a %select{} in one of several FunctionEffects 32 // diagnostics, e.g. warn_func_effect_violation. 33 BaseDiagnosticIndex, 34 AllocatesMemory = BaseDiagnosticIndex, 35 ThrowsOrCatchesExceptions, 36 HasStaticLocalVariable, 37 AccessesThreadLocalVariable, 38 AccessesObjCMethodOrProperty, 39 40 // These only apply to callees, where the analysis stops at the Decl. 41 DeclDisallowsInference, 42 43 // These both apply to indirect calls. The difference is that sometimes 44 // we have an actual Decl (generally a variable) which is the function 45 // pointer being called, and sometimes, typically due to a cast, we only 46 // have an expression. 47 CallsDeclWithoutEffect, 48 CallsExprWithoutEffect, 49 }; 50 51 // Information about the AST context in which a violation was found, so 52 // that diagnostics can point to the correct source. 53 class ViolationSite { 54 public: 55 enum class Kind : uint8_t { 56 Default, // Function body. 57 MemberInitializer, 58 DefaultArgExpr 59 }; 60 61 private: 62 llvm::PointerIntPair<CXXDefaultArgExpr *, 2, Kind> Impl; 63 64 public: 65 ViolationSite() = default; 66 67 explicit ViolationSite(CXXDefaultArgExpr *E) 68 : Impl(E, Kind::DefaultArgExpr) {} 69 70 Kind kind() const { return static_cast<Kind>(Impl.getInt()); } 71 CXXDefaultArgExpr *defaultArgExpr() const { return Impl.getPointer(); } 72 73 void setKind(Kind K) { Impl.setPointerAndInt(nullptr, K); } 74 }; 75 76 // Represents a violation of the rules, potentially for the entire duration of 77 // the analysis phase, in order to refer to it when explaining why a caller has 78 // been made unsafe by a callee. Can be transformed into either a Diagnostic 79 // (warning or a note), depending on whether the violation pertains to a 80 // function failing to be verifed as holding an effect vs. a function failing to 81 // be inferred as holding that effect. 82 struct Violation { 83 FunctionEffect Effect; 84 std::optional<FunctionEffect> 85 CalleeEffectPreventingInference; // Only for certain IDs; can be nullopt. 86 ViolationID ID = ViolationID::None; 87 ViolationSite Site; 88 SourceLocation Loc; 89 const Decl *Callee = 90 nullptr; // Only valid for ViolationIDs Calls{Decl,Expr}WithoutEffect. 91 92 Violation(FunctionEffect Effect, ViolationID ID, ViolationSite VS, 93 SourceLocation Loc, const Decl *Callee = nullptr, 94 std::optional<FunctionEffect> CalleeEffect = std::nullopt) 95 : Effect(Effect), CalleeEffectPreventingInference(CalleeEffect), ID(ID), 96 Site(VS), Loc(Loc), Callee(Callee) {} 97 98 unsigned diagnosticSelectIndex() const { 99 return unsigned(ID) - unsigned(ViolationID::BaseDiagnosticIndex); 100 } 101 }; 102 103 enum class SpecialFuncType : uint8_t { None, OperatorNew, OperatorDelete }; 104 enum class CallableType : uint8_t { 105 // Unknown: probably function pointer. 106 Unknown, 107 Function, 108 Virtual, 109 Block 110 }; 111 112 // Return whether a function's effects CAN be verified. 113 // The question of whether it SHOULD be verified is independent. 114 static bool functionIsVerifiable(const FunctionDecl *FD) { 115 if (FD->isTrivial()) { 116 // Otherwise `struct x { int a; };` would have an unverifiable default 117 // constructor. 118 return true; 119 } 120 return FD->hasBody(); 121 } 122 123 static bool isNoexcept(const FunctionDecl *FD) { 124 const auto *FPT = FD->getType()->getAs<FunctionProtoType>(); 125 return FPT && (FPT->isNothrow() || FD->hasAttr<NoThrowAttr>()); 126 } 127 128 // This list is probably incomplete. 129 // FIXME: Investigate: 130 // __builtin_eh_return? 131 // __builtin_allow_runtime_check? 132 // __builtin_unwind_init and other similar things that sound exception-related. 133 // va_copy? 134 // coroutines? 135 static FunctionEffectKindSet getBuiltinFunctionEffects(unsigned BuiltinID) { 136 FunctionEffectKindSet Result; 137 138 switch (BuiltinID) { 139 case 0: // Not builtin. 140 default: // By default, builtins have no known effects. 141 break; 142 143 // These allocate/deallocate heap memory. 144 case Builtin::ID::BI__builtin_calloc: 145 case Builtin::ID::BI__builtin_malloc: 146 case Builtin::ID::BI__builtin_realloc: 147 case Builtin::ID::BI__builtin_free: 148 case Builtin::ID::BI__builtin_operator_delete: 149 case Builtin::ID::BI__builtin_operator_new: 150 case Builtin::ID::BIaligned_alloc: 151 case Builtin::ID::BIcalloc: 152 case Builtin::ID::BImalloc: 153 case Builtin::ID::BImemalign: 154 case Builtin::ID::BIrealloc: 155 case Builtin::ID::BIfree: 156 157 case Builtin::ID::BIfopen: 158 case Builtin::ID::BIpthread_create: 159 case Builtin::ID::BI_Block_object_dispose: 160 Result.insert(FunctionEffect(FunctionEffect::Kind::Allocating)); 161 break; 162 163 // These block in some other way than allocating memory. 164 // longjmp() and friends are presumed unsafe because they are the moral 165 // equivalent of throwing a C++ exception, which is unsafe. 166 case Builtin::ID::BIlongjmp: 167 case Builtin::ID::BI_longjmp: 168 case Builtin::ID::BIsiglongjmp: 169 case Builtin::ID::BI__builtin_longjmp: 170 case Builtin::ID::BIobjc_exception_throw: 171 172 // Objective-C runtime. 173 case Builtin::ID::BIobjc_msgSend: 174 case Builtin::ID::BIobjc_msgSend_fpret: 175 case Builtin::ID::BIobjc_msgSend_fp2ret: 176 case Builtin::ID::BIobjc_msgSend_stret: 177 case Builtin::ID::BIobjc_msgSendSuper: 178 case Builtin::ID::BIobjc_getClass: 179 case Builtin::ID::BIobjc_getMetaClass: 180 case Builtin::ID::BIobjc_enumerationMutation: 181 case Builtin::ID::BIobjc_assign_ivar: 182 case Builtin::ID::BIobjc_assign_global: 183 case Builtin::ID::BIobjc_sync_enter: 184 case Builtin::ID::BIobjc_sync_exit: 185 case Builtin::ID::BINSLog: 186 case Builtin::ID::BINSLogv: 187 188 // stdio.h 189 case Builtin::ID::BIfread: 190 case Builtin::ID::BIfwrite: 191 192 // stdio.h: printf family. 193 case Builtin::ID::BIprintf: 194 case Builtin::ID::BI__builtin_printf: 195 case Builtin::ID::BIfprintf: 196 case Builtin::ID::BIsnprintf: 197 case Builtin::ID::BIsprintf: 198 case Builtin::ID::BIvprintf: 199 case Builtin::ID::BIvfprintf: 200 case Builtin::ID::BIvsnprintf: 201 case Builtin::ID::BIvsprintf: 202 203 // stdio.h: scanf family. 204 case Builtin::ID::BIscanf: 205 case Builtin::ID::BIfscanf: 206 case Builtin::ID::BIsscanf: 207 case Builtin::ID::BIvscanf: 208 case Builtin::ID::BIvfscanf: 209 case Builtin::ID::BIvsscanf: 210 Result.insert(FunctionEffect(FunctionEffect::Kind::Blocking)); 211 break; 212 } 213 214 return Result; 215 } 216 217 // Transitory, more extended information about a callable, which can be a 218 // function, block, or function pointer. 219 struct CallableInfo { 220 // CDecl holds the function's definition, if any. 221 // FunctionDecl if CallableType::Function or Virtual 222 // BlockDecl if CallableType::Block 223 const Decl *CDecl; 224 225 // Remember whether the callable is a function, block, virtual method, 226 // or (presumed) function pointer. 227 CallableType CType = CallableType::Unknown; 228 229 // Remember whether the callable is an operator new or delete function, 230 // so that calls to them are reported more meaningfully, as memory 231 // allocations. 232 SpecialFuncType FuncType = SpecialFuncType::None; 233 234 // We inevitably want to know the callable's declared effects, so cache them. 235 FunctionEffectKindSet Effects; 236 237 CallableInfo(const Decl &CD, SpecialFuncType FT = SpecialFuncType::None) 238 : CDecl(&CD), FuncType(FT) { 239 FunctionEffectsRef DeclEffects; 240 if (auto *FD = dyn_cast<FunctionDecl>(CDecl)) { 241 // Use the function's definition, if any. 242 if (const FunctionDecl *Def = FD->getDefinition()) 243 CDecl = FD = Def; 244 CType = CallableType::Function; 245 if (auto *Method = dyn_cast<CXXMethodDecl>(FD); 246 Method && Method->isVirtual()) 247 CType = CallableType::Virtual; 248 DeclEffects = FD->getFunctionEffects(); 249 } else if (auto *BD = dyn_cast<BlockDecl>(CDecl)) { 250 CType = CallableType::Block; 251 DeclEffects = BD->getFunctionEffects(); 252 } else if (auto *VD = dyn_cast<ValueDecl>(CDecl)) { 253 // ValueDecl is function, enum, or variable, so just look at its type. 254 DeclEffects = FunctionEffectsRef::get(VD->getType()); 255 } 256 Effects = FunctionEffectKindSet(DeclEffects); 257 } 258 259 CallableType type() const { return CType; } 260 261 bool isCalledDirectly() const { 262 return CType == CallableType::Function || CType == CallableType::Block; 263 } 264 265 bool isVerifiable() const { 266 switch (CType) { 267 case CallableType::Unknown: 268 case CallableType::Virtual: 269 return false; 270 case CallableType::Block: 271 return true; 272 case CallableType::Function: 273 return functionIsVerifiable(dyn_cast<FunctionDecl>(CDecl)); 274 } 275 llvm_unreachable("undefined CallableType"); 276 } 277 278 /// Generate a name for logging and diagnostics. 279 std::string getNameForDiagnostic(Sema &S) const { 280 std::string Name; 281 llvm::raw_string_ostream OS(Name); 282 283 if (auto *FD = dyn_cast<FunctionDecl>(CDecl)) 284 FD->getNameForDiagnostic(OS, S.getPrintingPolicy(), 285 /*Qualified=*/true); 286 else if (auto *BD = dyn_cast<BlockDecl>(CDecl)) 287 OS << "(block " << BD->getBlockManglingNumber() << ")"; 288 else if (auto *VD = dyn_cast<NamedDecl>(CDecl)) 289 VD->printQualifiedName(OS); 290 return Name; 291 } 292 }; 293 294 // ---------- 295 // Map effects to single Violations, to hold the first (of potentially many) 296 // violations pertaining to an effect, per function. 297 class EffectToViolationMap { 298 // Since we currently only have a tiny number of effects (typically no more 299 // than 1), use a SmallVector with an inline capacity of 1. Since it 300 // is often empty, use a unique_ptr to the SmallVector. 301 // Note that Violation itself contains a FunctionEffect which is the key. 302 // FIXME: Is there a way to simplify this using existing data structures? 303 using ImplVec = llvm::SmallVector<Violation, 1>; 304 std::unique_ptr<ImplVec> Impl; 305 306 public: 307 // Insert a new Violation if we do not already have one for its effect. 308 void maybeInsert(const Violation &Viol) { 309 if (Impl == nullptr) 310 Impl = std::make_unique<ImplVec>(); 311 else if (lookup(Viol.Effect) != nullptr) 312 return; 313 314 Impl->push_back(Viol); 315 } 316 317 const Violation *lookup(FunctionEffect Key) { 318 if (Impl == nullptr) 319 return nullptr; 320 321 auto *Iter = llvm::find_if( 322 *Impl, [&](const auto &Item) { return Item.Effect == Key; }); 323 return Iter != Impl->end() ? &*Iter : nullptr; 324 } 325 326 size_t size() const { return Impl ? Impl->size() : 0; } 327 }; 328 329 // ---------- 330 // State pertaining to a function whose AST is walked and whose effect analysis 331 // is dependent on a subsequent analysis of other functions. 332 class PendingFunctionAnalysis { 333 friend class CompleteFunctionAnalysis; 334 335 public: 336 struct DirectCall { 337 const Decl *Callee; 338 SourceLocation CallLoc; 339 // Not all recursive calls are detected, just enough 340 // to break cycles. 341 bool Recursed = false; 342 ViolationSite VSite; 343 344 DirectCall(const Decl *D, SourceLocation CallLoc, ViolationSite VSite) 345 : Callee(D), CallLoc(CallLoc), VSite(VSite) {} 346 }; 347 348 // We always have two disjoint sets of effects to verify: 349 // 1. Effects declared explicitly by this function. 350 // 2. All other inferrable effects needing verification. 351 FunctionEffectKindSet DeclaredVerifiableEffects; 352 FunctionEffectKindSet EffectsToInfer; 353 354 private: 355 // Violations pertaining to the function's explicit effects. 356 SmallVector<Violation, 0> ViolationsForExplicitEffects; 357 358 // Violations pertaining to other, non-explicit, inferrable effects. 359 EffectToViolationMap InferrableEffectToFirstViolation; 360 361 // These unverified direct calls are what keeps the analysis "pending", 362 // until the callees can be verified. 363 SmallVector<DirectCall, 0> UnverifiedDirectCalls; 364 365 public: 366 PendingFunctionAnalysis(Sema &S, const CallableInfo &CInfo, 367 FunctionEffectKindSet AllInferrableEffectsToVerify) 368 : DeclaredVerifiableEffects(CInfo.Effects) { 369 // Check for effects we are not allowed to infer. 370 FunctionEffectKindSet InferrableEffects; 371 372 for (FunctionEffect effect : AllInferrableEffectsToVerify) { 373 std::optional<FunctionEffect> ProblemCalleeEffect = 374 effect.effectProhibitingInference(*CInfo.CDecl, CInfo.Effects); 375 if (!ProblemCalleeEffect) 376 InferrableEffects.insert(effect); 377 else { 378 // Add a Violation for this effect if a caller were to 379 // try to infer it. 380 InferrableEffectToFirstViolation.maybeInsert(Violation( 381 effect, ViolationID::DeclDisallowsInference, ViolationSite{}, 382 CInfo.CDecl->getLocation(), nullptr, ProblemCalleeEffect)); 383 } 384 } 385 // InferrableEffects is now the set of inferrable effects which are not 386 // prohibited. 387 EffectsToInfer = FunctionEffectKindSet::difference( 388 InferrableEffects, DeclaredVerifiableEffects); 389 } 390 391 // Hide the way that Violations for explicitly required effects vs. inferred 392 // ones are handled differently. 393 void checkAddViolation(bool Inferring, const Violation &NewViol) { 394 if (!Inferring) 395 ViolationsForExplicitEffects.push_back(NewViol); 396 else 397 InferrableEffectToFirstViolation.maybeInsert(NewViol); 398 } 399 400 void addUnverifiedDirectCall(const Decl *D, SourceLocation CallLoc, 401 ViolationSite VSite) { 402 UnverifiedDirectCalls.emplace_back(D, CallLoc, VSite); 403 } 404 405 // Analysis is complete when there are no unverified direct calls. 406 bool isComplete() const { return UnverifiedDirectCalls.empty(); } 407 408 const Violation *violationForInferrableEffect(FunctionEffect effect) { 409 return InferrableEffectToFirstViolation.lookup(effect); 410 } 411 412 // Mutable because caller may need to set a DirectCall's Recursing flag. 413 MutableArrayRef<DirectCall> unverifiedCalls() { 414 assert(!isComplete()); 415 return UnverifiedDirectCalls; 416 } 417 418 ArrayRef<Violation> getSortedViolationsForExplicitEffects(SourceManager &SM) { 419 if (!ViolationsForExplicitEffects.empty()) 420 llvm::sort(ViolationsForExplicitEffects, 421 [&SM](const Violation &LHS, const Violation &RHS) { 422 return SM.isBeforeInTranslationUnit(LHS.Loc, RHS.Loc); 423 }); 424 return ViolationsForExplicitEffects; 425 } 426 427 void dump(Sema &SemaRef, llvm::raw_ostream &OS) const { 428 OS << "Pending: Declared "; 429 DeclaredVerifiableEffects.dump(OS); 430 OS << ", " << ViolationsForExplicitEffects.size() << " violations; "; 431 OS << " Infer "; 432 EffectsToInfer.dump(OS); 433 OS << ", " << InferrableEffectToFirstViolation.size() << " violations"; 434 if (!UnverifiedDirectCalls.empty()) { 435 OS << "; Calls: "; 436 for (const DirectCall &Call : UnverifiedDirectCalls) { 437 CallableInfo CI(*Call.Callee); 438 OS << " " << CI.getNameForDiagnostic(SemaRef); 439 } 440 } 441 OS << "\n"; 442 } 443 }; 444 445 // ---------- 446 class CompleteFunctionAnalysis { 447 // Current size: 2 pointers 448 public: 449 // Has effects which are both the declared ones -- not to be inferred -- plus 450 // ones which have been successfully inferred. These are all considered 451 // "verified" for the purposes of callers; any issue with verifying declared 452 // effects has already been reported and is not the problem of any caller. 453 FunctionEffectKindSet VerifiedEffects; 454 455 private: 456 // This is used to generate notes about failed inference. 457 EffectToViolationMap InferrableEffectToFirstViolation; 458 459 public: 460 // The incoming Pending analysis is consumed (member(s) are moved-from). 461 CompleteFunctionAnalysis(ASTContext &Ctx, PendingFunctionAnalysis &&Pending, 462 FunctionEffectKindSet DeclaredEffects, 463 FunctionEffectKindSet AllInferrableEffectsToVerify) 464 : VerifiedEffects(DeclaredEffects) { 465 for (FunctionEffect effect : AllInferrableEffectsToVerify) 466 if (Pending.violationForInferrableEffect(effect) == nullptr) 467 VerifiedEffects.insert(effect); 468 469 InferrableEffectToFirstViolation = 470 std::move(Pending.InferrableEffectToFirstViolation); 471 } 472 473 const Violation *firstViolationForEffect(FunctionEffect Effect) { 474 return InferrableEffectToFirstViolation.lookup(Effect); 475 } 476 477 void dump(llvm::raw_ostream &OS) const { 478 OS << "Complete: Verified "; 479 VerifiedEffects.dump(OS); 480 OS << "; Infer "; 481 OS << InferrableEffectToFirstViolation.size() << " violations\n"; 482 } 483 }; 484 485 // ========== 486 class Analyzer { 487 Sema &S; 488 489 // Subset of Sema.AllEffectsToVerify 490 FunctionEffectKindSet AllInferrableEffectsToVerify; 491 492 using FuncAnalysisPtr = 493 llvm::PointerUnion<PendingFunctionAnalysis *, CompleteFunctionAnalysis *>; 494 495 // Map all Decls analyzed to FuncAnalysisPtr. Pending state is larger 496 // than complete state, so use different objects to represent them. 497 // The state pointers are owned by the container. 498 class AnalysisMap : llvm::DenseMap<const Decl *, FuncAnalysisPtr> { 499 using Base = llvm::DenseMap<const Decl *, FuncAnalysisPtr>; 500 501 public: 502 ~AnalysisMap(); 503 504 // Use non-public inheritance in order to maintain the invariant 505 // that lookups and insertions are via the canonical Decls. 506 507 FuncAnalysisPtr lookup(const Decl *Key) const { 508 return Base::lookup(Key->getCanonicalDecl()); 509 } 510 511 FuncAnalysisPtr &operator[](const Decl *Key) { 512 return Base::operator[](Key->getCanonicalDecl()); 513 } 514 515 /// Shortcut for the case where we only care about completed analysis. 516 CompleteFunctionAnalysis *completedAnalysisForDecl(const Decl *D) const { 517 if (FuncAnalysisPtr AP = lookup(D); 518 isa_and_nonnull<CompleteFunctionAnalysis *>(AP)) 519 return AP.get<CompleteFunctionAnalysis *>(); 520 return nullptr; 521 } 522 523 void dump(Sema &SemaRef, llvm::raw_ostream &OS) { 524 OS << "\nAnalysisMap:\n"; 525 for (const auto &item : *this) { 526 CallableInfo CI(*item.first); 527 const auto AP = item.second; 528 OS << item.first << " " << CI.getNameForDiagnostic(SemaRef) << " : "; 529 if (AP.isNull()) { 530 OS << "null\n"; 531 } else if (isa<CompleteFunctionAnalysis *>(AP)) { 532 auto *CFA = AP.get<CompleteFunctionAnalysis *>(); 533 OS << CFA << " "; 534 CFA->dump(OS); 535 } else if (isa<PendingFunctionAnalysis *>(AP)) { 536 auto *PFA = AP.get<PendingFunctionAnalysis *>(); 537 OS << PFA << " "; 538 PFA->dump(SemaRef, OS); 539 } else 540 llvm_unreachable("never"); 541 } 542 OS << "---\n"; 543 } 544 }; 545 AnalysisMap DeclAnalysis; 546 547 public: 548 Analyzer(Sema &S) : S(S) {} 549 550 void run(const TranslationUnitDecl &TU) { 551 // Gather all of the effects to be verified to see what operations need to 552 // be checked, and to see which ones are inferrable. 553 for (FunctionEffect Effect : S.AllEffectsToVerify) { 554 const FunctionEffect::Flags Flags = Effect.flags(); 555 if (Flags & FunctionEffect::FE_InferrableOnCallees) 556 AllInferrableEffectsToVerify.insert(Effect); 557 } 558 LLVM_DEBUG(llvm::dbgs() << "AllInferrableEffectsToVerify: "; 559 AllInferrableEffectsToVerify.dump(llvm::dbgs()); 560 llvm::dbgs() << "\n";); 561 562 // We can use DeclsWithEffectsToVerify as a stack for a 563 // depth-first traversal; there's no need for a second container. But first, 564 // reverse it, so when working from the end, Decls are verified in the order 565 // they are declared. 566 SmallVector<const Decl *> &VerificationQueue = S.DeclsWithEffectsToVerify; 567 std::reverse(VerificationQueue.begin(), VerificationQueue.end()); 568 569 while (!VerificationQueue.empty()) { 570 const Decl *D = VerificationQueue.back(); 571 if (FuncAnalysisPtr AP = DeclAnalysis.lookup(D)) { 572 if (auto *Pending = AP.dyn_cast<PendingFunctionAnalysis *>()) { 573 // All children have been traversed; finish analysis. 574 finishPendingAnalysis(D, Pending); 575 } 576 VerificationQueue.pop_back(); 577 continue; 578 } 579 580 // Not previously visited; begin a new analysis for this Decl. 581 PendingFunctionAnalysis *Pending = verifyDecl(D); 582 if (Pending == nullptr) { 583 // Completed now. 584 VerificationQueue.pop_back(); 585 continue; 586 } 587 588 // Analysis remains pending because there are direct callees to be 589 // verified first. Push them onto the queue. 590 for (PendingFunctionAnalysis::DirectCall &Call : 591 Pending->unverifiedCalls()) { 592 FuncAnalysisPtr AP = DeclAnalysis.lookup(Call.Callee); 593 if (AP.isNull()) { 594 VerificationQueue.push_back(Call.Callee); 595 continue; 596 } 597 598 // This indicates recursion (not necessarily direct). For the 599 // purposes of effect analysis, we can just ignore it since 600 // no effects forbid recursion. 601 assert(isa<PendingFunctionAnalysis *>(AP)); 602 Call.Recursed = true; 603 } 604 } 605 } 606 607 private: 608 // Verify a single Decl. Return the pending structure if that was the result, 609 // else null. This method must not recurse. 610 PendingFunctionAnalysis *verifyDecl(const Decl *D) { 611 CallableInfo CInfo(*D); 612 bool isExternC = false; 613 614 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D)) 615 isExternC = FD->getCanonicalDecl()->isExternCContext(); 616 617 // For C++, with non-extern "C" linkage only - if any of the Decl's declared 618 // effects forbid throwing (e.g. nonblocking) then the function should also 619 // be declared noexcept. 620 if (S.getLangOpts().CPlusPlus && !isExternC) { 621 for (FunctionEffect Effect : CInfo.Effects) { 622 if (!(Effect.flags() & FunctionEffect::FE_ExcludeThrow)) 623 continue; 624 625 bool IsNoexcept = false; 626 if (auto *FD = D->getAsFunction()) { 627 IsNoexcept = isNoexcept(FD); 628 } else if (auto *BD = dyn_cast<BlockDecl>(D)) { 629 if (auto *TSI = BD->getSignatureAsWritten()) { 630 auto *FPT = TSI->getType()->getAs<FunctionProtoType>(); 631 IsNoexcept = FPT->isNothrow() || BD->hasAttr<NoThrowAttr>(); 632 } 633 } 634 if (!IsNoexcept) 635 S.Diag(D->getBeginLoc(), diag::warn_perf_constraint_implies_noexcept) 636 << GetCallableDeclKind(D, nullptr) << Effect.name(); 637 break; 638 } 639 } 640 641 // Build a PendingFunctionAnalysis on the stack. If it turns out to be 642 // complete, we'll have avoided a heap allocation; if it's incomplete, it's 643 // a fairly trivial move to a heap-allocated object. 644 PendingFunctionAnalysis FAnalysis(S, CInfo, AllInferrableEffectsToVerify); 645 646 LLVM_DEBUG(llvm::dbgs() 647 << "\nVerifying " << CInfo.getNameForDiagnostic(S) << " "; 648 FAnalysis.dump(S, llvm::dbgs());); 649 650 FunctionBodyASTVisitor Visitor(*this, FAnalysis, CInfo); 651 652 Visitor.run(); 653 if (FAnalysis.isComplete()) { 654 completeAnalysis(CInfo, std::move(FAnalysis)); 655 return nullptr; 656 } 657 // Move the pending analysis to the heap and save it in the map. 658 PendingFunctionAnalysis *PendingPtr = 659 new PendingFunctionAnalysis(std::move(FAnalysis)); 660 DeclAnalysis[D] = PendingPtr; 661 LLVM_DEBUG(llvm::dbgs() << "inserted pending " << PendingPtr << "\n"; 662 DeclAnalysis.dump(S, llvm::dbgs());); 663 return PendingPtr; 664 } 665 666 // Consume PendingFunctionAnalysis, create with it a CompleteFunctionAnalysis, 667 // inserted in the container. 668 void completeAnalysis(const CallableInfo &CInfo, 669 PendingFunctionAnalysis &&Pending) { 670 if (ArrayRef<Violation> Viols = 671 Pending.getSortedViolationsForExplicitEffects(S.getSourceManager()); 672 !Viols.empty()) 673 emitDiagnostics(Viols, CInfo); 674 675 CompleteFunctionAnalysis *CompletePtr = new CompleteFunctionAnalysis( 676 S.getASTContext(), std::move(Pending), CInfo.Effects, 677 AllInferrableEffectsToVerify); 678 DeclAnalysis[CInfo.CDecl] = CompletePtr; 679 LLVM_DEBUG(llvm::dbgs() << "inserted complete " << CompletePtr << "\n"; 680 DeclAnalysis.dump(S, llvm::dbgs());); 681 } 682 683 // Called after all direct calls requiring inference have been found -- or 684 // not. Repeats calls to FunctionBodyASTVisitor::followCall() but without 685 // the possibility of inference. Deletes Pending. 686 void finishPendingAnalysis(const Decl *D, PendingFunctionAnalysis *Pending) { 687 CallableInfo Caller(*D); 688 LLVM_DEBUG(llvm::dbgs() << "finishPendingAnalysis for " 689 << Caller.getNameForDiagnostic(S) << " : "; 690 Pending->dump(S, llvm::dbgs()); llvm::dbgs() << "\n";); 691 for (const PendingFunctionAnalysis::DirectCall &Call : 692 Pending->unverifiedCalls()) { 693 if (Call.Recursed) 694 continue; 695 696 CallableInfo Callee(*Call.Callee); 697 followCall(Caller, *Pending, Callee, Call.CallLoc, 698 /*AssertNoFurtherInference=*/true, Call.VSite); 699 } 700 completeAnalysis(Caller, std::move(*Pending)); 701 delete Pending; 702 } 703 704 // Here we have a call to a Decl, either explicitly via a CallExpr or some 705 // other AST construct. PFA pertains to the caller. 706 void followCall(const CallableInfo &Caller, PendingFunctionAnalysis &PFA, 707 const CallableInfo &Callee, SourceLocation CallLoc, 708 bool AssertNoFurtherInference, ViolationSite VSite) { 709 const bool DirectCall = Callee.isCalledDirectly(); 710 711 // Initially, the declared effects; inferred effects will be added. 712 FunctionEffectKindSet CalleeEffects = Callee.Effects; 713 714 bool IsInferencePossible = DirectCall; 715 716 if (DirectCall) 717 if (CompleteFunctionAnalysis *CFA = 718 DeclAnalysis.completedAnalysisForDecl(Callee.CDecl)) { 719 // Combine declared effects with those which may have been inferred. 720 CalleeEffects.insert(CFA->VerifiedEffects); 721 IsInferencePossible = false; // We've already traversed it. 722 } 723 724 if (AssertNoFurtherInference) { 725 assert(!IsInferencePossible); 726 } 727 728 if (!Callee.isVerifiable()) 729 IsInferencePossible = false; 730 731 LLVM_DEBUG(llvm::dbgs() 732 << "followCall from " << Caller.getNameForDiagnostic(S) 733 << " to " << Callee.getNameForDiagnostic(S) 734 << "; verifiable: " << Callee.isVerifiable() << "; callee "; 735 CalleeEffects.dump(llvm::dbgs()); llvm::dbgs() << "\n"; 736 llvm::dbgs() << " callee " << Callee.CDecl << " canonical " 737 << Callee.CDecl->getCanonicalDecl() << "\n";); 738 739 auto Check1Effect = [&](FunctionEffect Effect, bool Inferring) { 740 if (!Effect.shouldDiagnoseFunctionCall(DirectCall, CalleeEffects)) 741 return; 742 743 // If inference is not allowed, or the target is indirect (virtual 744 // method/function ptr?), generate a Violation now. 745 if (!IsInferencePossible || 746 !(Effect.flags() & FunctionEffect::FE_InferrableOnCallees)) { 747 if (Callee.FuncType == SpecialFuncType::None) 748 PFA.checkAddViolation(Inferring, 749 {Effect, ViolationID::CallsDeclWithoutEffect, 750 VSite, CallLoc, Callee.CDecl}); 751 else 752 PFA.checkAddViolation( 753 Inferring, 754 {Effect, ViolationID::AllocatesMemory, VSite, CallLoc}); 755 } else { 756 // Inference is allowed and necessary; defer it. 757 PFA.addUnverifiedDirectCall(Callee.CDecl, CallLoc, VSite); 758 } 759 }; 760 761 for (FunctionEffect Effect : PFA.DeclaredVerifiableEffects) 762 Check1Effect(Effect, false); 763 764 for (FunctionEffect Effect : PFA.EffectsToInfer) 765 Check1Effect(Effect, true); 766 } 767 768 // Describe a callable Decl for a diagnostic. 769 // (Not an enum class because the value is always converted to an integer for 770 // use in a diagnostic.) 771 enum CallableDeclKind { 772 CDK_Function, 773 CDK_Constructor, 774 CDK_Destructor, 775 CDK_Lambda, 776 CDK_Block, 777 CDK_MemberInitializer, 778 }; 779 780 // Describe a call site or target using an enum mapping to a %select{} 781 // in a diagnostic, e.g. warn_func_effect_violation, 782 // warn_perf_constraint_implies_noexcept, and others. 783 static CallableDeclKind GetCallableDeclKind(const Decl *D, 784 const Violation *V) { 785 if (V != nullptr && 786 V->Site.kind() == ViolationSite::Kind::MemberInitializer) 787 return CDK_MemberInitializer; 788 if (isa<BlockDecl>(D)) 789 return CDK_Block; 790 if (auto *Method = dyn_cast<CXXMethodDecl>(D)) { 791 if (isa<CXXConstructorDecl>(D)) 792 return CDK_Constructor; 793 if (isa<CXXDestructorDecl>(D)) 794 return CDK_Destructor; 795 const CXXRecordDecl *Rec = Method->getParent(); 796 if (Rec->isLambda()) 797 return CDK_Lambda; 798 } 799 return CDK_Function; 800 }; 801 802 // Should only be called when function's analysis is determined to be 803 // complete. 804 void emitDiagnostics(ArrayRef<Violation> Viols, const CallableInfo &CInfo) { 805 if (Viols.empty()) 806 return; 807 808 auto MaybeAddTemplateNote = [&](const Decl *D) { 809 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D)) { 810 while (FD != nullptr && FD->isTemplateInstantiation()) { 811 S.Diag(FD->getPointOfInstantiation(), 812 diag::note_func_effect_from_template); 813 FD = FD->getTemplateInstantiationPattern(); 814 } 815 } 816 }; 817 818 // For note_func_effect_call_indirect. 819 enum { Indirect_VirtualMethod, Indirect_FunctionPtr }; 820 821 auto MaybeAddSiteContext = [&](const Decl *D, const Violation &V) { 822 // If a violation site is a member initializer, add a note pointing to 823 // the constructor which invoked it. 824 if (V.Site.kind() == ViolationSite::Kind::MemberInitializer) { 825 unsigned ImplicitCtor = 0; 826 if (auto *Ctor = dyn_cast<CXXConstructorDecl>(D); 827 Ctor && Ctor->isImplicit()) 828 ImplicitCtor = 1; 829 S.Diag(D->getLocation(), diag::note_func_effect_in_constructor) 830 << ImplicitCtor; 831 } 832 833 // If a violation site is a default argument expression, add a note 834 // pointing to the call site using the default argument. 835 else if (V.Site.kind() == ViolationSite::Kind::DefaultArgExpr) 836 S.Diag(V.Site.defaultArgExpr()->getUsedLocation(), 837 diag::note_in_evaluating_default_argument); 838 }; 839 840 // Top-level violations are warnings. 841 for (const Violation &Viol1 : Viols) { 842 StringRef effectName = Viol1.Effect.name(); 843 switch (Viol1.ID) { 844 case ViolationID::None: 845 case ViolationID::DeclDisallowsInference: // Shouldn't happen 846 // here. 847 llvm_unreachable("Unexpected violation kind"); 848 break; 849 case ViolationID::AllocatesMemory: 850 case ViolationID::ThrowsOrCatchesExceptions: 851 case ViolationID::HasStaticLocalVariable: 852 case ViolationID::AccessesThreadLocalVariable: 853 case ViolationID::AccessesObjCMethodOrProperty: 854 S.Diag(Viol1.Loc, diag::warn_func_effect_violation) 855 << GetCallableDeclKind(CInfo.CDecl, &Viol1) << effectName 856 << Viol1.diagnosticSelectIndex(); 857 MaybeAddSiteContext(CInfo.CDecl, Viol1); 858 MaybeAddTemplateNote(CInfo.CDecl); 859 break; 860 case ViolationID::CallsExprWithoutEffect: 861 S.Diag(Viol1.Loc, diag::warn_func_effect_calls_expr_without_effect) 862 << GetCallableDeclKind(CInfo.CDecl, &Viol1) << effectName; 863 MaybeAddSiteContext(CInfo.CDecl, Viol1); 864 MaybeAddTemplateNote(CInfo.CDecl); 865 break; 866 867 case ViolationID::CallsDeclWithoutEffect: { 868 CallableInfo CalleeInfo(*Viol1.Callee); 869 std::string CalleeName = CalleeInfo.getNameForDiagnostic(S); 870 871 S.Diag(Viol1.Loc, diag::warn_func_effect_calls_func_without_effect) 872 << GetCallableDeclKind(CInfo.CDecl, &Viol1) << effectName 873 << GetCallableDeclKind(CalleeInfo.CDecl, nullptr) << CalleeName; 874 MaybeAddSiteContext(CInfo.CDecl, Viol1); 875 MaybeAddTemplateNote(CInfo.CDecl); 876 877 // Emit notes explaining the transitive chain of inferences: Why isn't 878 // the callee safe? 879 for (const Decl *Callee = Viol1.Callee; Callee != nullptr;) { 880 std::optional<CallableInfo> MaybeNextCallee; 881 CompleteFunctionAnalysis *Completed = 882 DeclAnalysis.completedAnalysisForDecl(CalleeInfo.CDecl); 883 if (Completed == nullptr) { 884 // No result - could be 885 // - non-inline and extern 886 // - indirect (virtual or through function pointer) 887 // - effect has been explicitly disclaimed (e.g. "blocking") 888 889 CallableType CType = CalleeInfo.type(); 890 if (CType == CallableType::Virtual) 891 S.Diag(Callee->getLocation(), 892 diag::note_func_effect_call_indirect) 893 << Indirect_VirtualMethod << effectName; 894 else if (CType == CallableType::Unknown) 895 S.Diag(Callee->getLocation(), 896 diag::note_func_effect_call_indirect) 897 << Indirect_FunctionPtr << effectName; 898 else if (CalleeInfo.Effects.contains(Viol1.Effect.oppositeKind())) 899 S.Diag(Callee->getLocation(), 900 diag::note_func_effect_call_disallows_inference) 901 << GetCallableDeclKind(CInfo.CDecl, nullptr) << effectName 902 << FunctionEffect(Viol1.Effect.oppositeKind()).name(); 903 else if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(Callee); 904 FD == nullptr || FD->getBuiltinID() == 0) { 905 // A builtin callee generally doesn't have a useful source 906 // location at which to insert a note. 907 S.Diag(Callee->getLocation(), diag::note_func_effect_call_extern) 908 << effectName; 909 } 910 break; 911 } 912 const Violation *PtrViol2 = 913 Completed->firstViolationForEffect(Viol1.Effect); 914 if (PtrViol2 == nullptr) 915 break; 916 917 const Violation &Viol2 = *PtrViol2; 918 switch (Viol2.ID) { 919 case ViolationID::None: 920 llvm_unreachable("Unexpected violation kind"); 921 break; 922 case ViolationID::DeclDisallowsInference: 923 S.Diag(Viol2.Loc, diag::note_func_effect_call_disallows_inference) 924 << GetCallableDeclKind(CalleeInfo.CDecl, nullptr) << effectName 925 << Viol2.CalleeEffectPreventingInference->name(); 926 break; 927 case ViolationID::CallsExprWithoutEffect: 928 S.Diag(Viol2.Loc, diag::note_func_effect_call_indirect) 929 << Indirect_FunctionPtr << effectName; 930 break; 931 case ViolationID::AllocatesMemory: 932 case ViolationID::ThrowsOrCatchesExceptions: 933 case ViolationID::HasStaticLocalVariable: 934 case ViolationID::AccessesThreadLocalVariable: 935 case ViolationID::AccessesObjCMethodOrProperty: 936 S.Diag(Viol2.Loc, diag::note_func_effect_violation) 937 << GetCallableDeclKind(CalleeInfo.CDecl, &Viol2) << effectName 938 << Viol2.diagnosticSelectIndex(); 939 MaybeAddSiteContext(CalleeInfo.CDecl, Viol2); 940 break; 941 case ViolationID::CallsDeclWithoutEffect: 942 MaybeNextCallee.emplace(*Viol2.Callee); 943 S.Diag(Viol2.Loc, diag::note_func_effect_calls_func_without_effect) 944 << GetCallableDeclKind(CalleeInfo.CDecl, &Viol2) << effectName 945 << GetCallableDeclKind(Viol2.Callee, nullptr) 946 << MaybeNextCallee->getNameForDiagnostic(S); 947 break; 948 } 949 MaybeAddTemplateNote(Callee); 950 Callee = Viol2.Callee; 951 if (MaybeNextCallee) { 952 CalleeInfo = *MaybeNextCallee; 953 CalleeName = CalleeInfo.getNameForDiagnostic(S); 954 } 955 } 956 } break; 957 } 958 } 959 } 960 961 // ---------- 962 // This AST visitor is used to traverse the body of a function during effect 963 // verification. This happens in 2 situations: 964 // [1] The function has declared effects which need to be validated. 965 // [2] The function has not explicitly declared an effect in question, and is 966 // being checked for implicit conformance. 967 // 968 // Violations are always routed to a PendingFunctionAnalysis. 969 struct FunctionBodyASTVisitor : DynamicRecursiveASTVisitor { 970 Analyzer &Outer; 971 PendingFunctionAnalysis &CurrentFunction; 972 CallableInfo &CurrentCaller; 973 ViolationSite VSite; 974 const Expr *TrailingRequiresClause = nullptr; 975 const Expr *NoexceptExpr = nullptr; 976 977 FunctionBodyASTVisitor(Analyzer &Outer, 978 PendingFunctionAnalysis &CurrentFunction, 979 CallableInfo &CurrentCaller) 980 : Outer(Outer), CurrentFunction(CurrentFunction), 981 CurrentCaller(CurrentCaller) { 982 ShouldVisitImplicitCode = true; 983 ShouldWalkTypesOfTypeLocs = false; 984 } 985 986 // -- Entry point -- 987 void run() { 988 // The target function may have implicit code paths beyond the 989 // body: member and base destructors. Visit these first. 990 if (auto *Dtor = dyn_cast<CXXDestructorDecl>(CurrentCaller.CDecl)) 991 followDestructor(dyn_cast<CXXRecordDecl>(Dtor->getParent()), Dtor); 992 993 if (auto *FD = dyn_cast<FunctionDecl>(CurrentCaller.CDecl)) { 994 TrailingRequiresClause = FD->getTrailingRequiresClause(); 995 996 // Note that FD->getType->getAs<FunctionProtoType>() can yield a 997 // noexcept Expr which has been boiled down to a constant expression. 998 // Going through the TypeSourceInfo obtains the actual expression which 999 // will be traversed as part of the function -- unless we capture it 1000 // here and have TraverseStmt skip it. 1001 if (TypeSourceInfo *TSI = FD->getTypeSourceInfo()) { 1002 if (FunctionProtoTypeLoc TL = 1003 TSI->getTypeLoc().getAs<FunctionProtoTypeLoc>()) 1004 if (const FunctionProtoType *FPT = TL.getTypePtr()) 1005 NoexceptExpr = FPT->getNoexceptExpr(); 1006 } 1007 } 1008 1009 // Do an AST traversal of the function/block body 1010 TraverseDecl(const_cast<Decl *>(CurrentCaller.CDecl)); 1011 } 1012 1013 // -- Methods implementing common logic -- 1014 1015 // Handle a language construct forbidden by some effects. Only effects whose 1016 // flags include the specified flag receive a violation. \p Flag describes 1017 // the construct. 1018 void diagnoseLanguageConstruct(FunctionEffect::FlagBit Flag, 1019 ViolationID VID, SourceLocation Loc, 1020 const Decl *Callee = nullptr) { 1021 // If there are any declared verifiable effects which forbid the construct 1022 // represented by the flag, store just one violation. 1023 for (FunctionEffect Effect : CurrentFunction.DeclaredVerifiableEffects) { 1024 if (Effect.flags() & Flag) { 1025 addViolation(/*inferring=*/false, Effect, VID, Loc, Callee); 1026 break; 1027 } 1028 } 1029 // For each inferred effect which forbids the construct, store a 1030 // violation, if we don't already have a violation for that effect. 1031 for (FunctionEffect Effect : CurrentFunction.EffectsToInfer) 1032 if (Effect.flags() & Flag) 1033 addViolation(/*inferring=*/true, Effect, VID, Loc, Callee); 1034 } 1035 1036 void addViolation(bool Inferring, FunctionEffect Effect, ViolationID VID, 1037 SourceLocation Loc, const Decl *Callee = nullptr) { 1038 CurrentFunction.checkAddViolation( 1039 Inferring, Violation(Effect, VID, VSite, Loc, Callee)); 1040 } 1041 1042 // Here we have a call to a Decl, either explicitly via a CallExpr or some 1043 // other AST construct. CallableInfo pertains to the callee. 1044 void followCall(CallableInfo &CI, SourceLocation CallLoc) { 1045 // Check for a call to a builtin function, whose effects are 1046 // handled specially. 1047 if (const auto *FD = dyn_cast<FunctionDecl>(CI.CDecl)) { 1048 if (unsigned BuiltinID = FD->getBuiltinID()) { 1049 CI.Effects = getBuiltinFunctionEffects(BuiltinID); 1050 if (CI.Effects.empty()) { 1051 // A builtin with no known effects is assumed safe. 1052 return; 1053 } 1054 // A builtin WITH effects doesn't get any special treatment for 1055 // being noreturn/noexcept, e.g. longjmp(), so we skip the check 1056 // below. 1057 } else { 1058 // If the callee is both `noreturn` and `noexcept`, it presumably 1059 // terminates. Ignore it for the purposes of effect analysis. 1060 // If not C++, `noreturn` alone is sufficient. 1061 if (FD->isNoReturn() && 1062 (!Outer.S.getLangOpts().CPlusPlus || isNoexcept(FD))) 1063 return; 1064 } 1065 } 1066 1067 Outer.followCall(CurrentCaller, CurrentFunction, CI, CallLoc, 1068 /*AssertNoFurtherInference=*/false, VSite); 1069 } 1070 1071 void checkIndirectCall(CallExpr *Call, QualType CalleeType) { 1072 FunctionEffectKindSet CalleeEffects; 1073 if (FunctionEffectsRef Effects = FunctionEffectsRef::get(CalleeType); 1074 !Effects.empty()) 1075 CalleeEffects.insert(Effects); 1076 1077 auto Check1Effect = [&](FunctionEffect Effect, bool Inferring) { 1078 if (Effect.shouldDiagnoseFunctionCall( 1079 /*direct=*/false, CalleeEffects)) 1080 addViolation(Inferring, Effect, ViolationID::CallsExprWithoutEffect, 1081 Call->getBeginLoc()); 1082 }; 1083 1084 for (FunctionEffect Effect : CurrentFunction.DeclaredVerifiableEffects) 1085 Check1Effect(Effect, false); 1086 1087 for (FunctionEffect Effect : CurrentFunction.EffectsToInfer) 1088 Check1Effect(Effect, true); 1089 } 1090 1091 // This destructor's body should be followed by the caller, but here we 1092 // follow the field and base destructors. 1093 void followDestructor(const CXXRecordDecl *Rec, 1094 const CXXDestructorDecl *Dtor) { 1095 SourceLocation DtorLoc = Dtor->getLocation(); 1096 for (const FieldDecl *Field : Rec->fields()) 1097 followTypeDtor(Field->getType(), DtorLoc); 1098 1099 if (const auto *Class = dyn_cast<CXXRecordDecl>(Rec)) 1100 for (const CXXBaseSpecifier &Base : Class->bases()) 1101 followTypeDtor(Base.getType(), DtorLoc); 1102 } 1103 1104 void followTypeDtor(QualType QT, SourceLocation CallSite) { 1105 const Type *Ty = QT.getTypePtr(); 1106 while (Ty->isArrayType()) { 1107 const ArrayType *Arr = Ty->getAsArrayTypeUnsafe(); 1108 QT = Arr->getElementType(); 1109 Ty = QT.getTypePtr(); 1110 } 1111 1112 if (Ty->isRecordType()) { 1113 if (const CXXRecordDecl *Class = Ty->getAsCXXRecordDecl()) { 1114 if (CXXDestructorDecl *Dtor = Class->getDestructor(); 1115 Dtor && !Dtor->isDeleted()) { 1116 CallableInfo CI(*Dtor); 1117 followCall(CI, CallSite); 1118 } 1119 } 1120 } 1121 } 1122 1123 // -- Methods for use of RecursiveASTVisitor -- 1124 1125 bool VisitCXXThrowExpr(CXXThrowExpr *Throw) override { 1126 diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeThrow, 1127 ViolationID::ThrowsOrCatchesExceptions, 1128 Throw->getThrowLoc()); 1129 return true; 1130 } 1131 1132 bool VisitCXXCatchStmt(CXXCatchStmt *Catch) override { 1133 diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeCatch, 1134 ViolationID::ThrowsOrCatchesExceptions, 1135 Catch->getCatchLoc()); 1136 return true; 1137 } 1138 1139 bool VisitObjCAtThrowStmt(ObjCAtThrowStmt *Throw) override { 1140 diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeThrow, 1141 ViolationID::ThrowsOrCatchesExceptions, 1142 Throw->getThrowLoc()); 1143 return true; 1144 } 1145 1146 bool VisitObjCAtCatchStmt(ObjCAtCatchStmt *Catch) override { 1147 diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeCatch, 1148 ViolationID::ThrowsOrCatchesExceptions, 1149 Catch->getAtCatchLoc()); 1150 return true; 1151 } 1152 1153 bool VisitObjCAtFinallyStmt(ObjCAtFinallyStmt *Finally) override { 1154 diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeCatch, 1155 ViolationID::ThrowsOrCatchesExceptions, 1156 Finally->getAtFinallyLoc()); 1157 return true; 1158 } 1159 1160 bool VisitObjCMessageExpr(ObjCMessageExpr *Msg) override { 1161 diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeObjCMessageSend, 1162 ViolationID::AccessesObjCMethodOrProperty, 1163 Msg->getBeginLoc()); 1164 return true; 1165 } 1166 1167 bool VisitObjCAutoreleasePoolStmt(ObjCAutoreleasePoolStmt *ARP) override { 1168 // Under the hood, @autorelease (potentially?) allocates memory and 1169 // invokes ObjC methods. We don't currently have memory allocation as 1170 // a "language construct" but we do have ObjC messaging, so diagnose that. 1171 diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeObjCMessageSend, 1172 ViolationID::AccessesObjCMethodOrProperty, 1173 ARP->getBeginLoc()); 1174 return true; 1175 } 1176 1177 bool VisitObjCAtSynchronizedStmt(ObjCAtSynchronizedStmt *Sync) override { 1178 // Under the hood, this calls objc_sync_enter and objc_sync_exit, wrapped 1179 // in a @try/@finally block. Diagnose this generically as "ObjC 1180 // messaging". 1181 diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeObjCMessageSend, 1182 ViolationID::AccessesObjCMethodOrProperty, 1183 Sync->getBeginLoc()); 1184 return true; 1185 } 1186 1187 bool VisitSEHExceptStmt(SEHExceptStmt *Exc) override { 1188 diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeCatch, 1189 ViolationID::ThrowsOrCatchesExceptions, 1190 Exc->getExceptLoc()); 1191 return true; 1192 } 1193 1194 bool VisitCallExpr(CallExpr *Call) override { 1195 LLVM_DEBUG(llvm::dbgs() 1196 << "VisitCallExpr : " 1197 << Call->getBeginLoc().printToString(Outer.S.SourceMgr) 1198 << "\n";); 1199 1200 Expr *CalleeExpr = Call->getCallee(); 1201 if (const Decl *Callee = CalleeExpr->getReferencedDeclOfCallee()) { 1202 CallableInfo CI(*Callee); 1203 followCall(CI, Call->getBeginLoc()); 1204 return true; 1205 } 1206 1207 if (isa<CXXPseudoDestructorExpr>(CalleeExpr)) { 1208 // Just destroying a scalar, fine. 1209 return true; 1210 } 1211 1212 // No Decl, just an Expr. Just check based on its type. 1213 checkIndirectCall(Call, CalleeExpr->getType()); 1214 1215 return true; 1216 } 1217 1218 bool VisitVarDecl(VarDecl *Var) override { 1219 LLVM_DEBUG(llvm::dbgs() 1220 << "VisitVarDecl : " 1221 << Var->getBeginLoc().printToString(Outer.S.SourceMgr) 1222 << "\n";); 1223 1224 if (Var->isStaticLocal()) 1225 diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeStaticLocalVars, 1226 ViolationID::HasStaticLocalVariable, 1227 Var->getLocation()); 1228 1229 const QualType::DestructionKind DK = 1230 Var->needsDestruction(Outer.S.getASTContext()); 1231 if (DK == QualType::DK_cxx_destructor) 1232 followTypeDtor(Var->getType(), Var->getLocation()); 1233 return true; 1234 } 1235 1236 bool VisitCXXNewExpr(CXXNewExpr *New) override { 1237 // RecursiveASTVisitor does not visit the implicit call to operator new. 1238 if (FunctionDecl *FD = New->getOperatorNew()) { 1239 CallableInfo CI(*FD, SpecialFuncType::OperatorNew); 1240 followCall(CI, New->getBeginLoc()); 1241 } 1242 1243 // It's a bit excessive to check operator delete here, since it's 1244 // just a fallback for operator new followed by a failed constructor. 1245 // We could check it via New->getOperatorDelete(). 1246 1247 // It DOES however visit the called constructor 1248 return true; 1249 } 1250 1251 bool VisitCXXDeleteExpr(CXXDeleteExpr *Delete) override { 1252 // RecursiveASTVisitor does not visit the implicit call to operator 1253 // delete. 1254 if (FunctionDecl *FD = Delete->getOperatorDelete()) { 1255 CallableInfo CI(*FD, SpecialFuncType::OperatorDelete); 1256 followCall(CI, Delete->getBeginLoc()); 1257 } 1258 1259 // It DOES however visit the called destructor 1260 1261 return true; 1262 } 1263 1264 bool VisitCXXConstructExpr(CXXConstructExpr *Construct) override { 1265 LLVM_DEBUG(llvm::dbgs() << "VisitCXXConstructExpr : " 1266 << Construct->getBeginLoc().printToString( 1267 Outer.S.SourceMgr) 1268 << "\n";); 1269 1270 // RecursiveASTVisitor does not visit the implicit call to the 1271 // constructor. 1272 const CXXConstructorDecl *Ctor = Construct->getConstructor(); 1273 CallableInfo CI(*Ctor); 1274 followCall(CI, Construct->getLocation()); 1275 1276 return true; 1277 } 1278 1279 bool TraverseStmt(Stmt *Statement) override { 1280 // If this statement is a `requires` clause from the top-level function 1281 // being traversed, ignore it, since it's not generating runtime code. 1282 // We skip the traversal of lambdas (beyond their captures, see 1283 // TraverseLambdaExpr below), so just caching this from our constructor 1284 // should suffice. 1285 if (Statement != TrailingRequiresClause && Statement != NoexceptExpr) 1286 return DynamicRecursiveASTVisitor::TraverseStmt(Statement); 1287 return true; 1288 } 1289 1290 bool TraverseConstructorInitializer(CXXCtorInitializer *Init) override { 1291 ViolationSite PrevVS = VSite; 1292 if (Init->isAnyMemberInitializer()) 1293 VSite.setKind(ViolationSite::Kind::MemberInitializer); 1294 bool Result = 1295 DynamicRecursiveASTVisitor::TraverseConstructorInitializer(Init); 1296 VSite = PrevVS; 1297 return Result; 1298 } 1299 1300 bool TraverseCXXDefaultArgExpr(CXXDefaultArgExpr *E) override { 1301 LLVM_DEBUG(llvm::dbgs() 1302 << "TraverseCXXDefaultArgExpr : " 1303 << E->getUsedLocation().printToString(Outer.S.SourceMgr) 1304 << "\n";); 1305 1306 ViolationSite PrevVS = VSite; 1307 if (VSite.kind() == ViolationSite::Kind::Default) 1308 VSite = ViolationSite{E}; 1309 1310 bool Result = DynamicRecursiveASTVisitor::TraverseCXXDefaultArgExpr(E); 1311 VSite = PrevVS; 1312 return Result; 1313 } 1314 1315 bool TraverseLambdaExpr(LambdaExpr *Lambda) override { 1316 // We override this so as to be able to skip traversal of the lambda's 1317 // body. We have to explicitly traverse the captures. Why not return 1318 // false from shouldVisitLambdaBody()? Because we need to visit a lambda's 1319 // body when we are verifying the lambda itself; we only want to skip it 1320 // in the context of the outer function. 1321 for (unsigned I = 0, N = Lambda->capture_size(); I < N; ++I) 1322 TraverseLambdaCapture(Lambda, Lambda->capture_begin() + I, 1323 Lambda->capture_init_begin()[I]); 1324 1325 return true; 1326 } 1327 1328 bool TraverseBlockExpr(BlockExpr * /*unused*/) override { 1329 // As with lambdas, don't traverse the block's body. 1330 // TODO: are the capture expressions (ctor call?) safe? 1331 return true; 1332 } 1333 1334 bool VisitDeclRefExpr(DeclRefExpr *E) override { 1335 const ValueDecl *Val = E->getDecl(); 1336 if (const auto *Var = dyn_cast<VarDecl>(Val)) { 1337 if (Var->getTLSKind() != VarDecl::TLS_None) { 1338 // At least on macOS, thread-local variables are initialized on 1339 // first access, including a heap allocation. 1340 diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeThreadLocalVars, 1341 ViolationID::AccessesThreadLocalVariable, 1342 E->getLocation()); 1343 } 1344 } 1345 return true; 1346 } 1347 1348 bool TraverseGenericSelectionExpr(GenericSelectionExpr *Node) override { 1349 return TraverseStmt(Node->getResultExpr()); 1350 } 1351 bool 1352 TraverseUnaryExprOrTypeTraitExpr(UnaryExprOrTypeTraitExpr *Node) override { 1353 return true; 1354 } 1355 1356 bool TraverseTypeOfExprTypeLoc(TypeOfExprTypeLoc Node) override { 1357 return true; 1358 } 1359 1360 bool TraverseDecltypeTypeLoc(DecltypeTypeLoc Node) override { return true; } 1361 1362 bool TraverseCXXNoexceptExpr(CXXNoexceptExpr *Node) override { 1363 return true; 1364 } 1365 1366 bool TraverseCXXTypeidExpr(CXXTypeidExpr *Node) override { return true; } 1367 1368 // Skip concept requirements since they don't generate code. 1369 bool TraverseConceptRequirement(concepts::Requirement *R) override { 1370 return true; 1371 } 1372 }; 1373 }; 1374 1375 Analyzer::AnalysisMap::~AnalysisMap() { 1376 for (const auto &Item : *this) { 1377 FuncAnalysisPtr AP = Item.second; 1378 if (isa<PendingFunctionAnalysis *>(AP)) 1379 delete AP.get<PendingFunctionAnalysis *>(); 1380 else 1381 delete AP.get<CompleteFunctionAnalysis *>(); 1382 } 1383 } 1384 1385 } // anonymous namespace 1386 1387 namespace clang { 1388 1389 bool Sema::diagnoseConflictingFunctionEffect( 1390 const FunctionEffectsRef &FX, const FunctionEffectWithCondition &NewEC, 1391 SourceLocation NewAttrLoc) { 1392 // If the new effect has a condition, we can't detect conflicts until the 1393 // condition is resolved. 1394 if (NewEC.Cond.getCondition() != nullptr) 1395 return false; 1396 1397 // Diagnose the new attribute as incompatible with a previous one. 1398 auto Incompatible = [&](const FunctionEffectWithCondition &PrevEC) { 1399 Diag(NewAttrLoc, diag::err_attributes_are_not_compatible) 1400 << ("'" + NewEC.description() + "'") 1401 << ("'" + PrevEC.description() + "'") << false; 1402 // We don't necessarily have the location of the previous attribute, 1403 // so no note. 1404 return true; 1405 }; 1406 1407 // Compare against previous attributes. 1408 FunctionEffect::Kind NewKind = NewEC.Effect.kind(); 1409 1410 for (const FunctionEffectWithCondition &PrevEC : FX) { 1411 // Again, can't check yet when the effect is conditional. 1412 if (PrevEC.Cond.getCondition() != nullptr) 1413 continue; 1414 1415 FunctionEffect::Kind PrevKind = PrevEC.Effect.kind(); 1416 // Note that we allow PrevKind == NewKind; it's redundant and ignored. 1417 1418 if (PrevEC.Effect.oppositeKind() == NewKind) 1419 return Incompatible(PrevEC); 1420 1421 // A new allocating is incompatible with a previous nonblocking. 1422 if (PrevKind == FunctionEffect::Kind::NonBlocking && 1423 NewKind == FunctionEffect::Kind::Allocating) 1424 return Incompatible(PrevEC); 1425 1426 // A new nonblocking is incompatible with a previous allocating. 1427 if (PrevKind == FunctionEffect::Kind::Allocating && 1428 NewKind == FunctionEffect::Kind::NonBlocking) 1429 return Incompatible(PrevEC); 1430 } 1431 1432 return false; 1433 } 1434 1435 void Sema::diagnoseFunctionEffectMergeConflicts( 1436 const FunctionEffectSet::Conflicts &Errs, SourceLocation NewLoc, 1437 SourceLocation OldLoc) { 1438 for (const FunctionEffectSet::Conflict &Conflict : Errs) { 1439 Diag(NewLoc, diag::warn_conflicting_func_effects) 1440 << Conflict.Kept.description() << Conflict.Rejected.description(); 1441 Diag(OldLoc, diag::note_previous_declaration); 1442 } 1443 } 1444 1445 // Decl should be a FunctionDecl or BlockDecl. 1446 void Sema::maybeAddDeclWithEffects(const Decl *D, 1447 const FunctionEffectsRef &FX) { 1448 if (!D->hasBody()) { 1449 if (const auto *FD = D->getAsFunction(); FD && !FD->willHaveBody()) 1450 return; 1451 } 1452 1453 if (Diags.getIgnoreAllWarnings() || 1454 (Diags.getSuppressSystemWarnings() && 1455 SourceMgr.isInSystemHeader(D->getLocation()))) 1456 return; 1457 1458 if (hasUncompilableErrorOccurred()) 1459 return; 1460 1461 // For code in dependent contexts, we'll do this at instantiation time. 1462 // Without this check, we would analyze the function based on placeholder 1463 // template parameters, and potentially generate spurious diagnostics. 1464 if (cast<DeclContext>(D)->isDependentContext()) 1465 return; 1466 1467 addDeclWithEffects(D, FX); 1468 } 1469 1470 void Sema::addDeclWithEffects(const Decl *D, const FunctionEffectsRef &FX) { 1471 // To avoid the possibility of conflict, don't add effects which are 1472 // not FE_InferrableOnCallees and therefore not verified; this removes 1473 // blocking/allocating but keeps nonblocking/nonallocating. 1474 // Also, ignore any conditions when building the list of effects. 1475 bool AnyVerifiable = false; 1476 for (const FunctionEffectWithCondition &EC : FX) 1477 if (EC.Effect.flags() & FunctionEffect::FE_InferrableOnCallees) { 1478 AllEffectsToVerify.insert(EC.Effect); 1479 AnyVerifiable = true; 1480 } 1481 1482 // Record the declaration for later analysis. 1483 if (AnyVerifiable) 1484 DeclsWithEffectsToVerify.push_back(D); 1485 } 1486 1487 void Sema::performFunctionEffectAnalysis(TranslationUnitDecl *TU) { 1488 if (hasUncompilableErrorOccurred() || Diags.getIgnoreAllWarnings()) 1489 return; 1490 if (TU == nullptr) 1491 return; 1492 Analyzer{*this}.run(*TU); 1493 } 1494 1495 Sema::FunctionEffectDiffVector::FunctionEffectDiffVector( 1496 const FunctionEffectsRef &Old, const FunctionEffectsRef &New) { 1497 1498 FunctionEffectsRef::iterator POld = Old.begin(); 1499 FunctionEffectsRef::iterator OldEnd = Old.end(); 1500 FunctionEffectsRef::iterator PNew = New.begin(); 1501 FunctionEffectsRef::iterator NewEnd = New.end(); 1502 1503 while (true) { 1504 int cmp = 0; 1505 if (POld == OldEnd) { 1506 if (PNew == NewEnd) 1507 break; 1508 cmp = 1; 1509 } else if (PNew == NewEnd) 1510 cmp = -1; 1511 else { 1512 FunctionEffectWithCondition Old = *POld; 1513 FunctionEffectWithCondition New = *PNew; 1514 if (Old.Effect.kind() < New.Effect.kind()) 1515 cmp = -1; 1516 else if (New.Effect.kind() < Old.Effect.kind()) 1517 cmp = 1; 1518 else { 1519 cmp = 0; 1520 if (Old.Cond.getCondition() != New.Cond.getCondition()) { 1521 // FIXME: Cases where the expressions are equivalent but 1522 // don't have the same identity. 1523 push_back(FunctionEffectDiff{ 1524 Old.Effect.kind(), FunctionEffectDiff::Kind::ConditionMismatch, 1525 Old, New}); 1526 } 1527 } 1528 } 1529 1530 if (cmp < 0) { 1531 // removal 1532 FunctionEffectWithCondition Old = *POld; 1533 push_back(FunctionEffectDiff{Old.Effect.kind(), 1534 FunctionEffectDiff::Kind::Removed, Old, 1535 std::nullopt}); 1536 ++POld; 1537 } else if (cmp > 0) { 1538 // addition 1539 FunctionEffectWithCondition New = *PNew; 1540 push_back(FunctionEffectDiff{New.Effect.kind(), 1541 FunctionEffectDiff::Kind::Added, 1542 std::nullopt, New}); 1543 ++PNew; 1544 } else { 1545 ++POld; 1546 ++PNew; 1547 } 1548 } 1549 } 1550 1551 bool Sema::FunctionEffectDiff::shouldDiagnoseConversion( 1552 QualType SrcType, const FunctionEffectsRef &SrcFX, QualType DstType, 1553 const FunctionEffectsRef &DstFX) const { 1554 1555 switch (EffectKind) { 1556 case FunctionEffect::Kind::NonAllocating: 1557 // nonallocating can't be added (spoofed) during a conversion, unless we 1558 // have nonblocking. 1559 if (DiffKind == Kind::Added) { 1560 for (const auto &CFE : SrcFX) { 1561 if (CFE.Effect.kind() == FunctionEffect::Kind::NonBlocking) 1562 return false; 1563 } 1564 } 1565 [[fallthrough]]; 1566 case FunctionEffect::Kind::NonBlocking: 1567 // nonblocking can't be added (spoofed) during a conversion. 1568 switch (DiffKind) { 1569 case Kind::Added: 1570 return true; 1571 case Kind::Removed: 1572 return false; 1573 case Kind::ConditionMismatch: 1574 // FIXME: Condition mismatches are too coarse right now -- expressions 1575 // which are equivalent but don't have the same identity are detected as 1576 // mismatches. We're going to diagnose those anyhow until expression 1577 // matching is better. 1578 return true; 1579 } 1580 break; 1581 case FunctionEffect::Kind::Blocking: 1582 case FunctionEffect::Kind::Allocating: 1583 return false; 1584 } 1585 llvm_unreachable("unknown effect kind"); 1586 } 1587 1588 bool Sema::FunctionEffectDiff::shouldDiagnoseRedeclaration( 1589 const FunctionDecl &OldFunction, const FunctionEffectsRef &OldFX, 1590 const FunctionDecl &NewFunction, const FunctionEffectsRef &NewFX) const { 1591 switch (EffectKind) { 1592 case FunctionEffect::Kind::NonAllocating: 1593 case FunctionEffect::Kind::NonBlocking: 1594 // nonblocking/nonallocating can't be removed in a redeclaration. 1595 switch (DiffKind) { 1596 case Kind::Added: 1597 return false; // No diagnostic. 1598 case Kind::Removed: 1599 return true; // Issue diagnostic. 1600 case Kind::ConditionMismatch: 1601 // All these forms of mismatches are diagnosed. 1602 return true; 1603 } 1604 break; 1605 case FunctionEffect::Kind::Blocking: 1606 case FunctionEffect::Kind::Allocating: 1607 return false; 1608 } 1609 llvm_unreachable("unknown effect kind"); 1610 } 1611 1612 Sema::FunctionEffectDiff::OverrideResult 1613 Sema::FunctionEffectDiff::shouldDiagnoseMethodOverride( 1614 const CXXMethodDecl &OldMethod, const FunctionEffectsRef &OldFX, 1615 const CXXMethodDecl &NewMethod, const FunctionEffectsRef &NewFX) const { 1616 switch (EffectKind) { 1617 case FunctionEffect::Kind::NonAllocating: 1618 case FunctionEffect::Kind::NonBlocking: 1619 switch (DiffKind) { 1620 1621 // If added on an override, that's fine and not diagnosed. 1622 case Kind::Added: 1623 return OverrideResult::NoAction; 1624 1625 // If missing from an override (removed), propagate from base to derived. 1626 case Kind::Removed: 1627 return OverrideResult::Merge; 1628 1629 // If there's a mismatch involving the effect's polarity or condition, 1630 // issue a warning. 1631 case Kind::ConditionMismatch: 1632 return OverrideResult::Warn; 1633 } 1634 break; 1635 case FunctionEffect::Kind::Blocking: 1636 case FunctionEffect::Kind::Allocating: 1637 return OverrideResult::NoAction; 1638 } 1639 llvm_unreachable("unknown effect kind"); 1640 } 1641 1642 } // namespace clang 1643