llvm-project/clang/lib/Analysis/ExprMutationAnalyzer.cpp

465 lines
20 KiB
C++
Raw Normal View History

//===---------- ExprMutationAnalyzer.cpp ----------------------------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#include "clang/Analysis/Analyses/ExprMutationAnalyzer.h"
#include "clang/ASTMatchers/ASTMatchFinder.h"
#include "llvm/ADT/STLExtras.h"
namespace clang {
using namespace ast_matchers;
namespace {
AST_MATCHER_P(LambdaExpr, hasCaptureInit, const Expr *, E) {
return llvm::is_contained(Node.capture_inits(), E);
}
AST_MATCHER_P(CXXForRangeStmt, hasRangeStmt,
ast_matchers::internal::Matcher<DeclStmt>, InnerMatcher) {
const DeclStmt *const Range = Node.getRangeStmt();
return InnerMatcher.matches(*Range, Finder, Builder);
}
AST_MATCHER_P(Expr, maybeEvalCommaExpr,
ast_matchers::internal::Matcher<Expr>, InnerMatcher) {
const Expr* Result = &Node;
while (const auto *BOComma =
dyn_cast_or_null<BinaryOperator>(Result->IgnoreParens())) {
if (!BOComma->isCommaOp())
break;
Result = BOComma->getRHS();
}
return InnerMatcher.matches(*Result, Finder, Builder);
}
const ast_matchers::internal::VariadicDynCastAllOfMatcher<Stmt, CXXTypeidExpr>
cxxTypeidExpr;
AST_MATCHER(CXXTypeidExpr, isPotentiallyEvaluated) {
return Node.isPotentiallyEvaluated();
}
const ast_matchers::internal::VariadicDynCastAllOfMatcher<Stmt, CXXNoexceptExpr>
cxxNoexceptExpr;
const ast_matchers::internal::VariadicDynCastAllOfMatcher<Stmt,
GenericSelectionExpr>
genericSelectionExpr;
AST_MATCHER_P(GenericSelectionExpr, hasControllingExpr,
ast_matchers::internal::Matcher<Expr>, InnerMatcher) {
return InnerMatcher.matches(*Node.getControllingExpr(), Finder, Builder);
}
const auto nonConstReferenceType = [] {
return hasUnqualifiedDesugaredType(
referenceType(pointee(unless(isConstQualified()))));
};
const auto nonConstPointerType = [] {
return hasUnqualifiedDesugaredType(
pointerType(pointee(unless(isConstQualified()))));
};
const auto isMoveOnly = [] {
return cxxRecordDecl(
hasMethod(cxxConstructorDecl(isMoveConstructor(), unless(isDeleted()))),
hasMethod(cxxMethodDecl(isMoveAssignmentOperator(), unless(isDeleted()))),
unless(anyOf(hasMethod(cxxConstructorDecl(isCopyConstructor(),
unless(isDeleted()))),
hasMethod(cxxMethodDecl(isCopyAssignmentOperator(),
unless(isDeleted()))))));
};
template <class T> struct NodeID;
template <> struct NodeID<Expr> { static const std::string value; };
template <> struct NodeID<Decl> { static const std::string value; };
const std::string NodeID<Expr>::value = "expr";
const std::string NodeID<Decl>::value = "decl";
template <class T, class F = const Stmt *(ExprMutationAnalyzer::*)(const T *)>
const Stmt *tryEachMatch(ArrayRef<ast_matchers::BoundNodes> Matches,
ExprMutationAnalyzer *Analyzer, F Finder) {
const StringRef ID = NodeID<T>::value;
for (const auto &Nodes : Matches) {
if (const Stmt *S = (Analyzer->*Finder)(Nodes.getNodeAs<T>(ID)))
return S;
}
return nullptr;
}
} // namespace
const Stmt *ExprMutationAnalyzer::findMutation(const Expr *Exp) {
return findMutationMemoized(Exp,
{&ExprMutationAnalyzer::findDirectMutation,
&ExprMutationAnalyzer::findMemberMutation,
&ExprMutationAnalyzer::findArrayElementMutation,
&ExprMutationAnalyzer::findCastMutation,
&ExprMutationAnalyzer::findRangeLoopMutation,
&ExprMutationAnalyzer::findReferenceMutation,
&ExprMutationAnalyzer::findFunctionArgMutation},
Results);
}
const Stmt *ExprMutationAnalyzer::findMutation(const Decl *Dec) {
return tryEachDeclRef(Dec, &ExprMutationAnalyzer::findMutation);
}
const Stmt *ExprMutationAnalyzer::findPointeeMutation(const Expr *Exp) {
return findMutationMemoized(Exp, {/*TODO*/}, PointeeResults);
}
const Stmt *ExprMutationAnalyzer::findPointeeMutation(const Decl *Dec) {
return tryEachDeclRef(Dec, &ExprMutationAnalyzer::findPointeeMutation);
}
const Stmt *ExprMutationAnalyzer::findMutationMemoized(
const Expr *Exp, llvm::ArrayRef<MutationFinder> Finders,
ResultMap &MemoizedResults) {
const auto Memoized = MemoizedResults.find(Exp);
if (Memoized != MemoizedResults.end())
return Memoized->second;
if (isUnevaluated(Exp))
return MemoizedResults[Exp] = nullptr;
for (const auto &Finder : Finders) {
if (const Stmt *S = (this->*Finder)(Exp))
return MemoizedResults[Exp] = S;
}
return MemoizedResults[Exp] = nullptr;
}
const Stmt *ExprMutationAnalyzer::tryEachDeclRef(const Decl *Dec,
MutationFinder Finder) {
const auto Refs =
match(findAll(declRefExpr(to(equalsNode(Dec))).bind(NodeID<Expr>::value)),
Stm, Context);
for (const auto &RefNodes : Refs) {
const auto *E = RefNodes.getNodeAs<Expr>(NodeID<Expr>::value);
if ((this->*Finder)(E))
return E;
}
return nullptr;
}
bool ExprMutationAnalyzer::isUnevaluated(const Expr *Exp) {
return selectFirst<Expr>(
NodeID<Expr>::value,
match(
findAll(
expr(equalsNode(Exp),
anyOf(
// `Exp` is part of the underlying expression of
// decltype/typeof if it has an ancestor of
// typeLoc.
hasAncestor(typeLoc(unless(
hasAncestor(unaryExprOrTypeTraitExpr())))),
hasAncestor(expr(anyOf(
// `UnaryExprOrTypeTraitExpr` is unevaluated
// unless it's sizeof on VLA.
unaryExprOrTypeTraitExpr(unless(sizeOfExpr(
hasArgumentOfType(variableArrayType())))),
// `CXXTypeidExpr` is unevaluated unless it's
// applied to an expression of glvalue of
// polymorphic class type.
cxxTypeidExpr(
unless(isPotentiallyEvaluated())),
// The controlling expression of
// `GenericSelectionExpr` is unevaluated.
genericSelectionExpr(hasControllingExpr(
hasDescendant(equalsNode(Exp)))),
cxxNoexceptExpr())))))
.bind(NodeID<Expr>::value)),
Stm, Context)) != nullptr;
}
const Stmt *
ExprMutationAnalyzer::findExprMutation(ArrayRef<BoundNodes> Matches) {
return tryEachMatch<Expr>(Matches, this, &ExprMutationAnalyzer::findMutation);
}
const Stmt *
ExprMutationAnalyzer::findDeclMutation(ArrayRef<BoundNodes> Matches) {
return tryEachMatch<Decl>(Matches, this, &ExprMutationAnalyzer::findMutation);
}
const Stmt *ExprMutationAnalyzer::findExprPointeeMutation(
ArrayRef<ast_matchers::BoundNodes> Matches) {
return tryEachMatch<Expr>(Matches, this,
&ExprMutationAnalyzer::findPointeeMutation);
}
const Stmt *ExprMutationAnalyzer::findDeclPointeeMutation(
ArrayRef<ast_matchers::BoundNodes> Matches) {
return tryEachMatch<Decl>(Matches, this,
&ExprMutationAnalyzer::findPointeeMutation);
}
const Stmt *ExprMutationAnalyzer::findDirectMutation(const Expr *Exp) {
// LHS of any assignment operators.
const auto AsAssignmentLhs =
binaryOperator(isAssignmentOperator(),
hasLHS(maybeEvalCommaExpr(equalsNode(Exp))));
// Operand of increment/decrement operators.
const auto AsIncDecOperand =
unaryOperator(anyOf(hasOperatorName("++"), hasOperatorName("--")),
hasUnaryOperand(maybeEvalCommaExpr(equalsNode(Exp))));
// Invoking non-const member function.
// A member function is assumed to be non-const when it is unresolved.
const auto NonConstMethod = cxxMethodDecl(unless(isConst()));
const auto AsNonConstThis =
expr(anyOf(cxxMemberCallExpr(callee(NonConstMethod),
on(maybeEvalCommaExpr(equalsNode(Exp)))),
cxxOperatorCallExpr(callee(NonConstMethod),
hasArgument(0,
maybeEvalCommaExpr(equalsNode(Exp)))),
callExpr(callee(expr(anyOf(
unresolvedMemberExpr(
hasObjectExpression(maybeEvalCommaExpr(equalsNode(Exp)))),
cxxDependentScopeMemberExpr(
hasObjectExpression(maybeEvalCommaExpr(equalsNode(Exp))))))))));
// Taking address of 'Exp'.
// We're assuming 'Exp' is mutated as soon as its address is taken, though in
// theory we can follow the pointer and see whether it escaped `Stm` or is
// dereferenced and then mutated. This is left for future improvements.
const auto AsAmpersandOperand =
unaryOperator(hasOperatorName("&"),
// A NoOp implicit cast is adding const.
unless(hasParent(implicitCastExpr(hasCastKind(CK_NoOp)))),
hasUnaryOperand(maybeEvalCommaExpr(equalsNode(Exp))));
const auto AsPointerFromArrayDecay =
castExpr(hasCastKind(CK_ArrayToPointerDecay),
unless(hasParent(arraySubscriptExpr())),
has(maybeEvalCommaExpr(equalsNode(Exp))));
// Treat calling `operator->()` of move-only classes as taking address.
// These are typically smart pointers with unique ownership so we treat
// mutation of pointee as mutation of the smart pointer itself.
const auto AsOperatorArrowThis =
cxxOperatorCallExpr(hasOverloadedOperatorName("->"),
callee(cxxMethodDecl(ofClass(isMoveOnly()),
returns(nonConstPointerType()))),
argumentCountIs(1),
hasArgument(0, maybeEvalCommaExpr(equalsNode(Exp))));
// Used as non-const-ref argument when calling a function.
// An argument is assumed to be non-const-ref when the function is unresolved.
// Instantiated template functions are not handled here but in
// findFunctionArgMutation which has additional smarts for handling forwarding
// references.
const auto NonConstRefParam = forEachArgumentWithParam(
maybeEvalCommaExpr(equalsNode(Exp)),
parmVarDecl(hasType(nonConstReferenceType())));
const auto NotInstantiated = unless(hasDeclaration(isInstantiated()));
const auto AsNonConstRefArg = anyOf(
callExpr(NonConstRefParam, NotInstantiated),
cxxConstructExpr(NonConstRefParam, NotInstantiated),
callExpr(callee(expr(anyOf(unresolvedLookupExpr(), unresolvedMemberExpr(),
cxxDependentScopeMemberExpr(),
hasType(templateTypeParmType())))),
hasAnyArgument(maybeEvalCommaExpr(equalsNode(Exp)))),
cxxUnresolvedConstructExpr(hasAnyArgument(maybeEvalCommaExpr(equalsNode(Exp)))));
// Captured by a lambda by reference.
// If we're initializing a capture with 'Exp' directly then we're initializing
// a reference capture.
// For value captures there will be an ImplicitCastExpr <LValueToRValue>.
const auto AsLambdaRefCaptureInit = lambdaExpr(hasCaptureInit(Exp));
// Returned as non-const-ref.
// If we're returning 'Exp' directly then it's returned as non-const-ref.
// For returning by value there will be an ImplicitCastExpr <LValueToRValue>.
// For returning by const-ref there will be an ImplicitCastExpr <NoOp> (for
// adding const.)
const auto AsNonConstRefReturn = returnStmt(hasReturnValue(
maybeEvalCommaExpr(equalsNode(Exp))));
const auto Matches =
match(findAll(stmt(anyOf(AsAssignmentLhs, AsIncDecOperand, AsNonConstThis,
AsAmpersandOperand, AsPointerFromArrayDecay,
AsOperatorArrowThis, AsNonConstRefArg,
AsLambdaRefCaptureInit, AsNonConstRefReturn))
.bind("stmt")),
Stm, Context);
return selectFirst<Stmt>("stmt", Matches);
}
const Stmt *ExprMutationAnalyzer::findMemberMutation(const Expr *Exp) {
// Check whether any member of 'Exp' is mutated.
const auto MemberExprs =
match(findAll(expr(anyOf(memberExpr(hasObjectExpression(equalsNode(Exp))),
cxxDependentScopeMemberExpr(
hasObjectExpression(equalsNode(Exp)))))
.bind(NodeID<Expr>::value)),
Stm, Context);
return findExprMutation(MemberExprs);
}
const Stmt *ExprMutationAnalyzer::findArrayElementMutation(const Expr *Exp) {
// Check whether any element of an array is mutated.
const auto SubscriptExprs = match(
findAll(arraySubscriptExpr(hasBase(ignoringImpCasts(equalsNode(Exp))))
.bind(NodeID<Expr>::value)),
Stm, Context);
return findExprMutation(SubscriptExprs);
}
const Stmt *ExprMutationAnalyzer::findCastMutation(const Expr *Exp) {
// If 'Exp' is casted to any non-const reference type, check the castExpr.
const auto Casts =
match(findAll(castExpr(hasSourceExpression(equalsNode(Exp)),
anyOf(explicitCastExpr(hasDestinationType(
nonConstReferenceType())),
implicitCastExpr(hasImplicitDestinationType(
nonConstReferenceType()))))
.bind(NodeID<Expr>::value)),
Stm, Context);
if (const Stmt *S = findExprMutation(Casts))
return S;
// Treat std::{move,forward} as cast.
const auto Calls =
match(findAll(callExpr(callee(namedDecl(
hasAnyName("::std::move", "::std::forward"))),
hasArgument(0, equalsNode(Exp)))
.bind("expr")),
Stm, Context);
return findExprMutation(Calls);
}
const Stmt *ExprMutationAnalyzer::findRangeLoopMutation(const Expr *Exp) {
// If range for looping over 'Exp' with a non-const reference loop variable,
// check all declRefExpr of the loop variable.
const auto LoopVars =
match(findAll(cxxForRangeStmt(
hasLoopVariable(varDecl(hasType(nonConstReferenceType()))
.bind(NodeID<Decl>::value)),
hasRangeInit(equalsNode(Exp)))),
Stm, Context);
return findDeclMutation(LoopVars);
}
const Stmt *ExprMutationAnalyzer::findReferenceMutation(const Expr *Exp) {
// Follow non-const reference returned by `operator*()` of move-only classes.
// These are typically smart pointers with unique ownership so we treat
// mutation of pointee as mutation of the smart pointer itself.
const auto Ref =
match(findAll(cxxOperatorCallExpr(
hasOverloadedOperatorName("*"),
callee(cxxMethodDecl(ofClass(isMoveOnly()),
returns(nonConstReferenceType()))),
argumentCountIs(1), hasArgument(0, equalsNode(Exp)))
.bind(NodeID<Expr>::value)),
Stm, Context);
if (const Stmt *S = findExprMutation(Ref))
return S;
// If 'Exp' is bound to a non-const reference, check all declRefExpr to that.
const auto Refs = match(
stmt(forEachDescendant(
varDecl(
hasType(nonConstReferenceType()),
hasInitializer(anyOf(equalsNode(Exp),
conditionalOperator(anyOf(
hasTrueExpression(equalsNode(Exp)),
hasFalseExpression(equalsNode(Exp)))))),
hasParent(declStmt().bind("stmt")),
// Don't follow the reference in range statement, we've handled
// that separately.
unless(hasParent(declStmt(hasParent(
cxxForRangeStmt(hasRangeStmt(equalsBoundNode("stmt"))))))))
.bind(NodeID<Decl>::value))),
Stm, Context);
return findDeclMutation(Refs);
}
const Stmt *ExprMutationAnalyzer::findFunctionArgMutation(const Expr *Exp) {
const auto NonConstRefParam = forEachArgumentWithParam(
equalsNode(Exp),
parmVarDecl(hasType(nonConstReferenceType())).bind("parm"));
const auto IsInstantiated = hasDeclaration(isInstantiated());
const auto FuncDecl = hasDeclaration(functionDecl().bind("func"));
const auto Matches = match(
findAll(expr(anyOf(callExpr(NonConstRefParam, IsInstantiated, FuncDecl,
unless(callee(namedDecl(hasAnyName(
"::std::move", "::std::forward"))))),
cxxConstructExpr(NonConstRefParam, IsInstantiated,
FuncDecl)))
.bind(NodeID<Expr>::value)),
Stm, Context);
for (const auto &Nodes : Matches) {
const auto *Exp = Nodes.getNodeAs<Expr>(NodeID<Expr>::value);
const auto *Func = Nodes.getNodeAs<FunctionDecl>("func");
if (!Func->getBody() || !Func->getPrimaryTemplate())
return Exp;
const auto *Parm = Nodes.getNodeAs<ParmVarDecl>("parm");
const ArrayRef<ParmVarDecl *> AllParams =
Func->getPrimaryTemplate()->getTemplatedDecl()->parameters();
QualType ParmType =
AllParams[std::min<size_t>(Parm->getFunctionScopeIndex(),
AllParams.size() - 1)]
->getType();
if (const auto *T = ParmType->getAs<PackExpansionType>())
ParmType = T->getPattern();
// If param type is forwarding reference, follow into the function
// definition and see whether the param is mutated inside.
if (const auto *RefType = ParmType->getAs<RValueReferenceType>()) {
if (!RefType->getPointeeType().getQualifiers() &&
RefType->getPointeeType()->getAs<TemplateTypeParmType>()) {
std::unique_ptr<FunctionParmMutationAnalyzer> &Analyzer =
FuncParmAnalyzer[Func];
if (!Analyzer)
Analyzer.reset(new FunctionParmMutationAnalyzer(*Func, Context));
if (Analyzer->findMutation(Parm))
return Exp;
continue;
}
}
// Not forwarding reference.
return Exp;
}
return nullptr;
}
FunctionParmMutationAnalyzer::FunctionParmMutationAnalyzer(
const FunctionDecl &Func, ASTContext &Context)
: BodyAnalyzer(*Func.getBody(), Context) {
if (const auto *Ctor = dyn_cast<CXXConstructorDecl>(&Func)) {
// CXXCtorInitializer might also mutate Param but they're not part of
// function body, check them eagerly here since they're typically trivial.
for (const CXXCtorInitializer *Init : Ctor->inits()) {
ExprMutationAnalyzer InitAnalyzer(*Init->getInit(), Context);
for (const ParmVarDecl *Parm : Ctor->parameters()) {
if (Results.find(Parm) != Results.end())
continue;
if (const Stmt *S = InitAnalyzer.findMutation(Parm))
Results[Parm] = S;
}
}
}
}
const Stmt *
FunctionParmMutationAnalyzer::findMutation(const ParmVarDecl *Parm) {
const auto Memoized = Results.find(Parm);
if (Memoized != Results.end())
return Memoized->second;
if (const Stmt *S = BodyAnalyzer.findMutation(Parm))
return Results[Parm] = S;
return Results[Parm] = nullptr;
}
} // namespace clang