1 //===---------- ExprMutationAnalyzer.cpp ----------------------------------===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 #include "clang/Analysis/Analyses/ExprMutationAnalyzer.h" 9 #include "clang/AST/Expr.h" 10 #include "clang/AST/OperationKinds.h" 11 #include "clang/ASTMatchers/ASTMatchFinder.h" 12 #include "clang/ASTMatchers/ASTMatchers.h" 13 #include "llvm/ADT/STLExtras.h" 14 15 namespace clang { 16 using namespace ast_matchers; 17 18 // Check if result of Source expression could be a Target expression. 19 // Checks: 20 // - Implicit Casts 21 // - Binary Operators 22 // - ConditionalOperator 23 // - BinaryConditionalOperator canExprResolveTo(const Expr * Source,const Expr * Target)24 static bool canExprResolveTo(const Expr *Source, const Expr *Target) { 25 26 const auto IgnoreDerivedToBase = [](const Expr *E, auto Matcher) { 27 if (Matcher(E)) 28 return true; 29 if (const auto *Cast = dyn_cast<ImplicitCastExpr>(E)) { 30 if ((Cast->getCastKind() == CK_DerivedToBase || 31 Cast->getCastKind() == CK_UncheckedDerivedToBase) && 32 Matcher(Cast->getSubExpr())) 33 return true; 34 } 35 return false; 36 }; 37 38 const auto EvalCommaExpr = [](const Expr *E, auto Matcher) { 39 const Expr *Result = E; 40 while (const auto *BOComma = 41 dyn_cast_or_null<BinaryOperator>(Result->IgnoreParens())) { 42 if (!BOComma->isCommaOp()) 43 break; 44 Result = BOComma->getRHS(); 45 } 46 47 return Result != E && Matcher(Result); 48 }; 49 50 // The 'ConditionalOperatorM' matches on `<anything> ? <expr> : <expr>`. 51 // This matching must be recursive because `<expr>` can be anything resolving 52 // to the `InnerMatcher`, for example another conditional operator. 53 // The edge-case `BaseClass &b = <cond> ? DerivedVar1 : DerivedVar2;` 54 // is handled, too. The implicit cast happens outside of the conditional. 55 // This is matched by `IgnoreDerivedToBase(canResolveToExpr(InnerMatcher))` 56 // below. 57 const auto ConditionalOperatorM = [Target](const Expr *E) { 58 if (const auto *OP = dyn_cast<ConditionalOperator>(E)) { 59 if (const auto *TE = OP->getTrueExpr()->IgnoreParens()) 60 if (canExprResolveTo(TE, Target)) 61 return true; 62 if (const auto *FE = OP->getFalseExpr()->IgnoreParens()) 63 if (canExprResolveTo(FE, Target)) 64 return true; 65 } 66 return false; 67 }; 68 69 const auto ElvisOperator = [Target](const Expr *E) { 70 if (const auto *OP = dyn_cast<BinaryConditionalOperator>(E)) { 71 if (const auto *TE = OP->getTrueExpr()->IgnoreParens()) 72 if (canExprResolveTo(TE, Target)) 73 return true; 74 if (const auto *FE = OP->getFalseExpr()->IgnoreParens()) 75 if (canExprResolveTo(FE, Target)) 76 return true; 77 } 78 return false; 79 }; 80 81 const Expr *SourceExprP = Source->IgnoreParens(); 82 return IgnoreDerivedToBase(SourceExprP, 83 [&](const Expr *E) { 84 return E == Target || ConditionalOperatorM(E) || 85 ElvisOperator(E); 86 }) || 87 EvalCommaExpr(SourceExprP, [&](const Expr *E) { 88 return IgnoreDerivedToBase( 89 E->IgnoreParens(), [&](const Expr *EE) { return EE == Target; }); 90 }); 91 } 92 93 namespace { 94 AST_MATCHER_P(LambdaExpr,hasCaptureInit,const Expr *,E)95 AST_MATCHER_P(LambdaExpr, hasCaptureInit, const Expr *, E) { 96 return llvm::is_contained(Node.capture_inits(), E); 97 } 98 AST_MATCHER_P(CXXForRangeStmt,hasRangeStmt,ast_matchers::internal::Matcher<DeclStmt>,InnerMatcher)99 AST_MATCHER_P(CXXForRangeStmt, hasRangeStmt, 100 ast_matchers::internal::Matcher<DeclStmt>, InnerMatcher) { 101 const DeclStmt *const Range = Node.getRangeStmt(); 102 return InnerMatcher.matches(*Range, Finder, Builder); 103 } 104 AST_MATCHER_P(Stmt,canResolveToExpr,const Stmt *,Inner)105 AST_MATCHER_P(Stmt, canResolveToExpr, const Stmt *, Inner) { 106 auto *Exp = dyn_cast<Expr>(&Node); 107 if (!Exp) 108 return true; 109 auto *Target = dyn_cast<Expr>(Inner); 110 if (!Target) 111 return false; 112 return canExprResolveTo(Exp, Target); 113 } 114 115 // Similar to 'hasAnyArgument', but does not work because 'InitListExpr' does 116 // not have the 'arguments()' method. AST_MATCHER_P(InitListExpr,hasAnyInit,ast_matchers::internal::Matcher<Expr>,InnerMatcher)117 AST_MATCHER_P(InitListExpr, hasAnyInit, ast_matchers::internal::Matcher<Expr>, 118 InnerMatcher) { 119 for (const Expr *Arg : Node.inits()) { 120 ast_matchers::internal::BoundNodesTreeBuilder Result(*Builder); 121 if (InnerMatcher.matches(*Arg, Finder, &Result)) { 122 *Builder = std::move(Result); 123 return true; 124 } 125 } 126 return false; 127 } 128 129 const ast_matchers::internal::VariadicDynCastAllOfMatcher<Stmt, CXXTypeidExpr> 130 cxxTypeidExpr; 131 AST_MATCHER(CXXTypeidExpr,isPotentiallyEvaluated)132 AST_MATCHER(CXXTypeidExpr, isPotentiallyEvaluated) { 133 return Node.isPotentiallyEvaluated(); 134 } 135 AST_MATCHER(CXXMemberCallExpr,isConstCallee)136 AST_MATCHER(CXXMemberCallExpr, isConstCallee) { 137 const Decl *CalleeDecl = Node.getCalleeDecl(); 138 const auto *VD = dyn_cast_or_null<ValueDecl>(CalleeDecl); 139 if (!VD) 140 return false; 141 const QualType T = VD->getType().getCanonicalType(); 142 const auto *MPT = dyn_cast<MemberPointerType>(T); 143 const auto *FPT = MPT ? cast<FunctionProtoType>(MPT->getPointeeType()) 144 : dyn_cast<FunctionProtoType>(T); 145 if (!FPT) 146 return false; 147 return FPT->isConst(); 148 } 149 AST_MATCHER_P(GenericSelectionExpr,hasControllingExpr,ast_matchers::internal::Matcher<Expr>,InnerMatcher)150 AST_MATCHER_P(GenericSelectionExpr, hasControllingExpr, 151 ast_matchers::internal::Matcher<Expr>, InnerMatcher) { 152 if (Node.isTypePredicate()) 153 return false; 154 return InnerMatcher.matches(*Node.getControllingExpr(), Finder, Builder); 155 } 156 157 template <typename T> 158 ast_matchers::internal::Matcher<T> findFirst(const ast_matchers::internal::Matcher<T> & Matcher)159 findFirst(const ast_matchers::internal::Matcher<T> &Matcher) { 160 return anyOf(Matcher, hasDescendant(Matcher)); 161 } 162 __anon2875c4430902null163 const auto nonConstReferenceType = [] { 164 return hasUnqualifiedDesugaredType( 165 referenceType(pointee(unless(isConstQualified())))); 166 }; 167 __anon2875c4430a02null168 const auto nonConstPointerType = [] { 169 return hasUnqualifiedDesugaredType( 170 pointerType(pointee(unless(isConstQualified())))); 171 }; 172 __anon2875c4430b02null173 const auto isMoveOnly = [] { 174 return cxxRecordDecl( 175 hasMethod(cxxConstructorDecl(isMoveConstructor(), unless(isDeleted()))), 176 hasMethod(cxxMethodDecl(isMoveAssignmentOperator(), unless(isDeleted()))), 177 unless(anyOf(hasMethod(cxxConstructorDecl(isCopyConstructor(), 178 unless(isDeleted()))), 179 hasMethod(cxxMethodDecl(isCopyAssignmentOperator(), 180 unless(isDeleted())))))); 181 }; 182 183 template <class T> struct NodeID; 184 template <> struct NodeID<Expr> { static constexpr StringRef value = "expr"; }; 185 template <> struct NodeID<Decl> { static constexpr StringRef value = "decl"; }; 186 constexpr StringRef NodeID<Expr>::value; 187 constexpr StringRef NodeID<Decl>::value; 188 189 template <class T, 190 class F = const Stmt *(ExprMutationAnalyzer::Analyzer::*)(const T *)> tryEachMatch(ArrayRef<ast_matchers::BoundNodes> Matches,ExprMutationAnalyzer::Analyzer * Analyzer,F Finder)191 const Stmt *tryEachMatch(ArrayRef<ast_matchers::BoundNodes> Matches, 192 ExprMutationAnalyzer::Analyzer *Analyzer, F Finder) { 193 const StringRef ID = NodeID<T>::value; 194 for (const auto &Nodes : Matches) { 195 if (const Stmt *S = (Analyzer->*Finder)(Nodes.getNodeAs<T>(ID))) 196 return S; 197 } 198 return nullptr; 199 } 200 201 } // namespace 202 findMutation(const Expr * Exp)203 const Stmt *ExprMutationAnalyzer::Analyzer::findMutation(const Expr *Exp) { 204 return findMutationMemoized( 205 Exp, 206 {&ExprMutationAnalyzer::Analyzer::findDirectMutation, 207 &ExprMutationAnalyzer::Analyzer::findMemberMutation, 208 &ExprMutationAnalyzer::Analyzer::findArrayElementMutation, 209 &ExprMutationAnalyzer::Analyzer::findCastMutation, 210 &ExprMutationAnalyzer::Analyzer::findRangeLoopMutation, 211 &ExprMutationAnalyzer::Analyzer::findReferenceMutation, 212 &ExprMutationAnalyzer::Analyzer::findFunctionArgMutation}, 213 Memorized.Results); 214 } 215 findMutation(const Decl * Dec)216 const Stmt *ExprMutationAnalyzer::Analyzer::findMutation(const Decl *Dec) { 217 return tryEachDeclRef(Dec, &ExprMutationAnalyzer::Analyzer::findMutation); 218 } 219 220 const Stmt * findPointeeMutation(const Expr * Exp)221 ExprMutationAnalyzer::Analyzer::findPointeeMutation(const Expr *Exp) { 222 return findMutationMemoized(Exp, {/*TODO*/}, Memorized.PointeeResults); 223 } 224 225 const Stmt * findPointeeMutation(const Decl * Dec)226 ExprMutationAnalyzer::Analyzer::findPointeeMutation(const Decl *Dec) { 227 return tryEachDeclRef(Dec, 228 &ExprMutationAnalyzer::Analyzer::findPointeeMutation); 229 } 230 findMutationMemoized(const Expr * Exp,llvm::ArrayRef<MutationFinder> Finders,Memoized::ResultMap & MemoizedResults)231 const Stmt *ExprMutationAnalyzer::Analyzer::findMutationMemoized( 232 const Expr *Exp, llvm::ArrayRef<MutationFinder> Finders, 233 Memoized::ResultMap &MemoizedResults) { 234 const auto Memoized = MemoizedResults.find(Exp); 235 if (Memoized != MemoizedResults.end()) 236 return Memoized->second; 237 238 // Assume Exp is not mutated before analyzing Exp. 239 MemoizedResults[Exp] = nullptr; 240 if (isUnevaluated(Exp)) 241 return nullptr; 242 243 for (const auto &Finder : Finders) { 244 if (const Stmt *S = (this->*Finder)(Exp)) 245 return MemoizedResults[Exp] = S; 246 } 247 248 return nullptr; 249 } 250 251 const Stmt * tryEachDeclRef(const Decl * Dec,MutationFinder Finder)252 ExprMutationAnalyzer::Analyzer::tryEachDeclRef(const Decl *Dec, 253 MutationFinder Finder) { 254 const auto Refs = match( 255 findAll( 256 declRefExpr(to( 257 // `Dec` or a binding if `Dec` is a decomposition. 258 anyOf(equalsNode(Dec), 259 bindingDecl(forDecomposition(equalsNode(Dec)))) 260 // 261 )) 262 .bind(NodeID<Expr>::value)), 263 Stm, Context); 264 for (const auto &RefNodes : Refs) { 265 const auto *E = RefNodes.getNodeAs<Expr>(NodeID<Expr>::value); 266 if ((this->*Finder)(E)) 267 return E; 268 } 269 return nullptr; 270 } 271 isUnevaluated(const Stmt * Exp,const Stmt & Stm,ASTContext & Context)272 bool ExprMutationAnalyzer::Analyzer::isUnevaluated(const Stmt *Exp, 273 const Stmt &Stm, 274 ASTContext &Context) { 275 return selectFirst<Stmt>( 276 NodeID<Expr>::value, 277 match( 278 findFirst( 279 stmt(canResolveToExpr(Exp), 280 anyOf( 281 // `Exp` is part of the underlying expression of 282 // decltype/typeof if it has an ancestor of 283 // typeLoc. 284 hasAncestor(typeLoc(unless( 285 hasAncestor(unaryExprOrTypeTraitExpr())))), 286 hasAncestor(expr(anyOf( 287 // `UnaryExprOrTypeTraitExpr` is unevaluated 288 // unless it's sizeof on VLA. 289 unaryExprOrTypeTraitExpr(unless(sizeOfExpr( 290 hasArgumentOfType(variableArrayType())))), 291 // `CXXTypeidExpr` is unevaluated unless it's 292 // applied to an expression of glvalue of 293 // polymorphic class type. 294 cxxTypeidExpr( 295 unless(isPotentiallyEvaluated())), 296 // The controlling expression of 297 // `GenericSelectionExpr` is unevaluated. 298 genericSelectionExpr(hasControllingExpr( 299 hasDescendant(equalsNode(Exp)))), 300 cxxNoexceptExpr()))))) 301 .bind(NodeID<Expr>::value)), 302 Stm, Context)) != nullptr; 303 } 304 isUnevaluated(const Expr * Exp)305 bool ExprMutationAnalyzer::Analyzer::isUnevaluated(const Expr *Exp) { 306 return isUnevaluated(Exp, Stm, Context); 307 } 308 309 const Stmt * findExprMutation(ArrayRef<BoundNodes> Matches)310 ExprMutationAnalyzer::Analyzer::findExprMutation(ArrayRef<BoundNodes> Matches) { 311 return tryEachMatch<Expr>(Matches, this, 312 &ExprMutationAnalyzer::Analyzer::findMutation); 313 } 314 315 const Stmt * findDeclMutation(ArrayRef<BoundNodes> Matches)316 ExprMutationAnalyzer::Analyzer::findDeclMutation(ArrayRef<BoundNodes> Matches) { 317 return tryEachMatch<Decl>(Matches, this, 318 &ExprMutationAnalyzer::Analyzer::findMutation); 319 } 320 findExprPointeeMutation(ArrayRef<ast_matchers::BoundNodes> Matches)321 const Stmt *ExprMutationAnalyzer::Analyzer::findExprPointeeMutation( 322 ArrayRef<ast_matchers::BoundNodes> Matches) { 323 return tryEachMatch<Expr>( 324 Matches, this, &ExprMutationAnalyzer::Analyzer::findPointeeMutation); 325 } 326 findDeclPointeeMutation(ArrayRef<ast_matchers::BoundNodes> Matches)327 const Stmt *ExprMutationAnalyzer::Analyzer::findDeclPointeeMutation( 328 ArrayRef<ast_matchers::BoundNodes> Matches) { 329 return tryEachMatch<Decl>( 330 Matches, this, &ExprMutationAnalyzer::Analyzer::findPointeeMutation); 331 } 332 333 const Stmt * findDirectMutation(const Expr * Exp)334 ExprMutationAnalyzer::Analyzer::findDirectMutation(const Expr *Exp) { 335 // LHS of any assignment operators. 336 const auto AsAssignmentLhs = 337 binaryOperator(isAssignmentOperator(), hasLHS(canResolveToExpr(Exp))); 338 339 // Operand of increment/decrement operators. 340 const auto AsIncDecOperand = 341 unaryOperator(anyOf(hasOperatorName("++"), hasOperatorName("--")), 342 hasUnaryOperand(canResolveToExpr(Exp))); 343 344 // Invoking non-const member function. 345 // A member function is assumed to be non-const when it is unresolved. 346 const auto NonConstMethod = cxxMethodDecl(unless(isConst())); 347 348 const auto AsNonConstThis = expr(anyOf( 349 cxxMemberCallExpr(on(canResolveToExpr(Exp)), unless(isConstCallee())), 350 cxxOperatorCallExpr(callee(NonConstMethod), 351 hasArgument(0, canResolveToExpr(Exp))), 352 // In case of a templated type, calling overloaded operators is not 353 // resolved and modelled as `binaryOperator` on a dependent type. 354 // Such instances are considered a modification, because they can modify 355 // in different instantiations of the template. 356 binaryOperator(isTypeDependent(), 357 hasEitherOperand(ignoringImpCasts(canResolveToExpr(Exp)))), 358 // A fold expression may contain `Exp` as it's initializer. 359 // We don't know if the operator modifies `Exp` because the 360 // operator is type dependent due to the parameter pack. 361 cxxFoldExpr(hasFoldInit(ignoringImpCasts(canResolveToExpr(Exp)))), 362 // Within class templates and member functions the member expression might 363 // not be resolved. In that case, the `callExpr` is considered to be a 364 // modification. 365 callExpr(callee(expr(anyOf( 366 unresolvedMemberExpr(hasObjectExpression(canResolveToExpr(Exp))), 367 cxxDependentScopeMemberExpr( 368 hasObjectExpression(canResolveToExpr(Exp))))))), 369 // Match on a call to a known method, but the call itself is type 370 // dependent (e.g. `vector<T> v; v.push(T{});` in a templated function). 371 callExpr(allOf( 372 isTypeDependent(), 373 callee(memberExpr(hasDeclaration(NonConstMethod), 374 hasObjectExpression(canResolveToExpr(Exp)))))))); 375 376 // Taking address of 'Exp'. 377 // We're assuming 'Exp' is mutated as soon as its address is taken, though in 378 // theory we can follow the pointer and see whether it escaped `Stm` or is 379 // dereferenced and then mutated. This is left for future improvements. 380 const auto AsAmpersandOperand = 381 unaryOperator(hasOperatorName("&"), 382 // A NoOp implicit cast is adding const. 383 unless(hasParent(implicitCastExpr(hasCastKind(CK_NoOp)))), 384 hasUnaryOperand(canResolveToExpr(Exp))); 385 const auto AsPointerFromArrayDecay = castExpr( 386 hasCastKind(CK_ArrayToPointerDecay), 387 unless(hasParent(arraySubscriptExpr())), has(canResolveToExpr(Exp))); 388 // Treat calling `operator->()` of move-only classes as taking address. 389 // These are typically smart pointers with unique ownership so we treat 390 // mutation of pointee as mutation of the smart pointer itself. 391 const auto AsOperatorArrowThis = cxxOperatorCallExpr( 392 hasOverloadedOperatorName("->"), 393 callee( 394 cxxMethodDecl(ofClass(isMoveOnly()), returns(nonConstPointerType()))), 395 argumentCountIs(1), hasArgument(0, canResolveToExpr(Exp))); 396 397 // Used as non-const-ref argument when calling a function. 398 // An argument is assumed to be non-const-ref when the function is unresolved. 399 // Instantiated template functions are not handled here but in 400 // findFunctionArgMutation which has additional smarts for handling forwarding 401 // references. 402 const auto NonConstRefParam = forEachArgumentWithParamType( 403 anyOf(canResolveToExpr(Exp), 404 memberExpr(hasObjectExpression(canResolveToExpr(Exp)))), 405 nonConstReferenceType()); 406 const auto NotInstantiated = unless(hasDeclaration(isInstantiated())); 407 408 const auto AsNonConstRefArg = 409 anyOf(callExpr(NonConstRefParam, NotInstantiated), 410 cxxConstructExpr(NonConstRefParam, NotInstantiated), 411 // If the call is type-dependent, we can't properly process any 412 // argument because required type conversions and implicit casts 413 // will be inserted only after specialization. 414 callExpr(isTypeDependent(), hasAnyArgument(canResolveToExpr(Exp))), 415 cxxUnresolvedConstructExpr(hasAnyArgument(canResolveToExpr(Exp))), 416 // Previous False Positive in the following Code: 417 // `template <typename T> void f() { int i = 42; new Type<T>(i); }` 418 // Where the constructor of `Type` takes its argument as reference. 419 // The AST does not resolve in a `cxxConstructExpr` because it is 420 // type-dependent. 421 parenListExpr(hasDescendant(expr(canResolveToExpr(Exp)))), 422 // If the initializer is for a reference type, there is no cast for 423 // the variable. Values are cast to RValue first. 424 initListExpr(hasAnyInit(expr(canResolveToExpr(Exp))))); 425 426 // Captured by a lambda by reference. 427 // If we're initializing a capture with 'Exp' directly then we're initializing 428 // a reference capture. 429 // For value captures there will be an ImplicitCastExpr <LValueToRValue>. 430 const auto AsLambdaRefCaptureInit = lambdaExpr(hasCaptureInit(Exp)); 431 432 // Returned as non-const-ref. 433 // If we're returning 'Exp' directly then it's returned as non-const-ref. 434 // For returning by value there will be an ImplicitCastExpr <LValueToRValue>. 435 // For returning by const-ref there will be an ImplicitCastExpr <NoOp> (for 436 // adding const.) 437 const auto AsNonConstRefReturn = 438 returnStmt(hasReturnValue(canResolveToExpr(Exp))); 439 440 // It is used as a non-const-reference for initializing a range-for loop. 441 const auto AsNonConstRefRangeInit = cxxForRangeStmt(hasRangeInit(declRefExpr( 442 allOf(canResolveToExpr(Exp), hasType(nonConstReferenceType()))))); 443 444 const auto Matches = match( 445 traverse( 446 TK_AsIs, 447 findFirst(stmt(anyOf(AsAssignmentLhs, AsIncDecOperand, AsNonConstThis, 448 AsAmpersandOperand, AsPointerFromArrayDecay, 449 AsOperatorArrowThis, AsNonConstRefArg, 450 AsLambdaRefCaptureInit, AsNonConstRefReturn, 451 AsNonConstRefRangeInit)) 452 .bind("stmt"))), 453 Stm, Context); 454 return selectFirst<Stmt>("stmt", Matches); 455 } 456 457 const Stmt * findMemberMutation(const Expr * Exp)458 ExprMutationAnalyzer::Analyzer::findMemberMutation(const Expr *Exp) { 459 // Check whether any member of 'Exp' is mutated. 460 const auto MemberExprs = match( 461 findAll(expr(anyOf(memberExpr(hasObjectExpression(canResolveToExpr(Exp))), 462 cxxDependentScopeMemberExpr( 463 hasObjectExpression(canResolveToExpr(Exp))), 464 binaryOperator(hasOperatorName(".*"), 465 hasLHS(equalsNode(Exp))))) 466 .bind(NodeID<Expr>::value)), 467 Stm, Context); 468 return findExprMutation(MemberExprs); 469 } 470 471 const Stmt * findArrayElementMutation(const Expr * Exp)472 ExprMutationAnalyzer::Analyzer::findArrayElementMutation(const Expr *Exp) { 473 // Check whether any element of an array is mutated. 474 const auto SubscriptExprs = match( 475 findAll(arraySubscriptExpr( 476 anyOf(hasBase(canResolveToExpr(Exp)), 477 hasBase(implicitCastExpr(allOf( 478 hasCastKind(CK_ArrayToPointerDecay), 479 hasSourceExpression(canResolveToExpr(Exp))))))) 480 .bind(NodeID<Expr>::value)), 481 Stm, Context); 482 return findExprMutation(SubscriptExprs); 483 } 484 findCastMutation(const Expr * Exp)485 const Stmt *ExprMutationAnalyzer::Analyzer::findCastMutation(const Expr *Exp) { 486 // If the 'Exp' is explicitly casted to a non-const reference type the 487 // 'Exp' is considered to be modified. 488 const auto ExplicitCast = 489 match(findFirst(stmt(castExpr(hasSourceExpression(canResolveToExpr(Exp)), 490 explicitCastExpr(hasDestinationType( 491 nonConstReferenceType())))) 492 .bind("stmt")), 493 Stm, Context); 494 495 if (const auto *CastStmt = selectFirst<Stmt>("stmt", ExplicitCast)) 496 return CastStmt; 497 498 // If 'Exp' is casted to any non-const reference type, check the castExpr. 499 const auto Casts = match( 500 findAll(expr(castExpr(hasSourceExpression(canResolveToExpr(Exp)), 501 anyOf(explicitCastExpr(hasDestinationType( 502 nonConstReferenceType())), 503 implicitCastExpr(hasImplicitDestinationType( 504 nonConstReferenceType()))))) 505 .bind(NodeID<Expr>::value)), 506 Stm, Context); 507 508 if (const Stmt *S = findExprMutation(Casts)) 509 return S; 510 // Treat std::{move,forward} as cast. 511 const auto Calls = 512 match(findAll(callExpr(callee(namedDecl( 513 hasAnyName("::std::move", "::std::forward"))), 514 hasArgument(0, canResolveToExpr(Exp))) 515 .bind("expr")), 516 Stm, Context); 517 return findExprMutation(Calls); 518 } 519 520 const Stmt * findRangeLoopMutation(const Expr * Exp)521 ExprMutationAnalyzer::Analyzer::findRangeLoopMutation(const Expr *Exp) { 522 // Keep the ordering for the specific initialization matches to happen first, 523 // because it is cheaper to match all potential modifications of the loop 524 // variable. 525 526 // The range variable is a reference to a builtin array. In that case the 527 // array is considered modified if the loop-variable is a non-const reference. 528 const auto DeclStmtToNonRefToArray = declStmt(hasSingleDecl(varDecl(hasType( 529 hasUnqualifiedDesugaredType(referenceType(pointee(arrayType()))))))); 530 const auto RefToArrayRefToElements = match( 531 findFirst(stmt(cxxForRangeStmt( 532 hasLoopVariable( 533 varDecl(anyOf(hasType(nonConstReferenceType()), 534 hasType(nonConstPointerType()))) 535 .bind(NodeID<Decl>::value)), 536 hasRangeStmt(DeclStmtToNonRefToArray), 537 hasRangeInit(canResolveToExpr(Exp)))) 538 .bind("stmt")), 539 Stm, Context); 540 541 if (const auto *BadRangeInitFromArray = 542 selectFirst<Stmt>("stmt", RefToArrayRefToElements)) 543 return BadRangeInitFromArray; 544 545 // Small helper to match special cases in range-for loops. 546 // 547 // It is possible that containers do not provide a const-overload for their 548 // iterator accessors. If this is the case, the variable is used non-const 549 // no matter what happens in the loop. This requires special detection as it 550 // is then faster to find all mutations of the loop variable. 551 // It aims at a different modification as well. 552 const auto HasAnyNonConstIterator = 553 anyOf(allOf(hasMethod(allOf(hasName("begin"), unless(isConst()))), 554 unless(hasMethod(allOf(hasName("begin"), isConst())))), 555 allOf(hasMethod(allOf(hasName("end"), unless(isConst()))), 556 unless(hasMethod(allOf(hasName("end"), isConst()))))); 557 558 const auto DeclStmtToNonConstIteratorContainer = declStmt( 559 hasSingleDecl(varDecl(hasType(hasUnqualifiedDesugaredType(referenceType( 560 pointee(hasDeclaration(cxxRecordDecl(HasAnyNonConstIterator))))))))); 561 562 const auto RefToContainerBadIterators = match( 563 findFirst(stmt(cxxForRangeStmt(allOf( 564 hasRangeStmt(DeclStmtToNonConstIteratorContainer), 565 hasRangeInit(canResolveToExpr(Exp))))) 566 .bind("stmt")), 567 Stm, Context); 568 569 if (const auto *BadIteratorsContainer = 570 selectFirst<Stmt>("stmt", RefToContainerBadIterators)) 571 return BadIteratorsContainer; 572 573 // If range for looping over 'Exp' with a non-const reference loop variable, 574 // check all declRefExpr of the loop variable. 575 const auto LoopVars = 576 match(findAll(cxxForRangeStmt( 577 hasLoopVariable(varDecl(hasType(nonConstReferenceType())) 578 .bind(NodeID<Decl>::value)), 579 hasRangeInit(canResolveToExpr(Exp)))), 580 Stm, Context); 581 return findDeclMutation(LoopVars); 582 } 583 584 const Stmt * findReferenceMutation(const Expr * Exp)585 ExprMutationAnalyzer::Analyzer::findReferenceMutation(const Expr *Exp) { 586 // Follow non-const reference returned by `operator*()` of move-only classes. 587 // These are typically smart pointers with unique ownership so we treat 588 // mutation of pointee as mutation of the smart pointer itself. 589 const auto Ref = match( 590 findAll(cxxOperatorCallExpr( 591 hasOverloadedOperatorName("*"), 592 callee(cxxMethodDecl(ofClass(isMoveOnly()), 593 returns(nonConstReferenceType()))), 594 argumentCountIs(1), hasArgument(0, canResolveToExpr(Exp))) 595 .bind(NodeID<Expr>::value)), 596 Stm, Context); 597 if (const Stmt *S = findExprMutation(Ref)) 598 return S; 599 600 // If 'Exp' is bound to a non-const reference, check all declRefExpr to that. 601 const auto Refs = match( 602 stmt(forEachDescendant( 603 varDecl(hasType(nonConstReferenceType()), 604 hasInitializer(anyOf( 605 canResolveToExpr(Exp), 606 memberExpr(hasObjectExpression(canResolveToExpr(Exp))))), 607 hasParent(declStmt().bind("stmt")), 608 // Don't follow the reference in range statement, we've 609 // handled that separately. 610 unless(hasParent(declStmt(hasParent(cxxForRangeStmt( 611 hasRangeStmt(equalsBoundNode("stmt")))))))) 612 .bind(NodeID<Decl>::value))), 613 Stm, Context); 614 return findDeclMutation(Refs); 615 } 616 617 const Stmt * findFunctionArgMutation(const Expr * Exp)618 ExprMutationAnalyzer::Analyzer::findFunctionArgMutation(const Expr *Exp) { 619 const auto NonConstRefParam = forEachArgumentWithParam( 620 canResolveToExpr(Exp), 621 parmVarDecl(hasType(nonConstReferenceType())).bind("parm")); 622 const auto IsInstantiated = hasDeclaration(isInstantiated()); 623 const auto FuncDecl = hasDeclaration(functionDecl().bind("func")); 624 const auto Matches = match( 625 traverse( 626 TK_AsIs, 627 findAll( 628 expr(anyOf(callExpr(NonConstRefParam, IsInstantiated, FuncDecl, 629 unless(callee(namedDecl(hasAnyName( 630 "::std::move", "::std::forward"))))), 631 cxxConstructExpr(NonConstRefParam, IsInstantiated, 632 FuncDecl))) 633 .bind(NodeID<Expr>::value))), 634 Stm, Context); 635 for (const auto &Nodes : Matches) { 636 const auto *Exp = Nodes.getNodeAs<Expr>(NodeID<Expr>::value); 637 const auto *Func = Nodes.getNodeAs<FunctionDecl>("func"); 638 if (!Func->getBody() || !Func->getPrimaryTemplate()) 639 return Exp; 640 641 const auto *Parm = Nodes.getNodeAs<ParmVarDecl>("parm"); 642 const ArrayRef<ParmVarDecl *> AllParams = 643 Func->getPrimaryTemplate()->getTemplatedDecl()->parameters(); 644 QualType ParmType = 645 AllParams[std::min<size_t>(Parm->getFunctionScopeIndex(), 646 AllParams.size() - 1)] 647 ->getType(); 648 if (const auto *T = ParmType->getAs<PackExpansionType>()) 649 ParmType = T->getPattern(); 650 651 // If param type is forwarding reference, follow into the function 652 // definition and see whether the param is mutated inside. 653 if (const auto *RefType = ParmType->getAs<RValueReferenceType>()) { 654 if (!RefType->getPointeeType().getQualifiers() && 655 RefType->getPointeeType()->getAs<TemplateTypeParmType>()) { 656 FunctionParmMutationAnalyzer *Analyzer = 657 FunctionParmMutationAnalyzer::getFunctionParmMutationAnalyzer( 658 *Func, Context, Memorized); 659 if (Analyzer->findMutation(Parm)) 660 return Exp; 661 continue; 662 } 663 } 664 // Not forwarding reference. 665 return Exp; 666 } 667 return nullptr; 668 } 669 FunctionParmMutationAnalyzer(const FunctionDecl & Func,ASTContext & Context,ExprMutationAnalyzer::Memoized & Memorized)670 FunctionParmMutationAnalyzer::FunctionParmMutationAnalyzer( 671 const FunctionDecl &Func, ASTContext &Context, 672 ExprMutationAnalyzer::Memoized &Memorized) 673 : BodyAnalyzer(*Func.getBody(), Context, Memorized) { 674 if (const auto *Ctor = dyn_cast<CXXConstructorDecl>(&Func)) { 675 // CXXCtorInitializer might also mutate Param but they're not part of 676 // function body, check them eagerly here since they're typically trivial. 677 for (const CXXCtorInitializer *Init : Ctor->inits()) { 678 ExprMutationAnalyzer::Analyzer InitAnalyzer(*Init->getInit(), Context, 679 Memorized); 680 for (const ParmVarDecl *Parm : Ctor->parameters()) { 681 if (Results.contains(Parm)) 682 continue; 683 if (const Stmt *S = InitAnalyzer.findMutation(Parm)) 684 Results[Parm] = S; 685 } 686 } 687 } 688 } 689 690 const Stmt * findMutation(const ParmVarDecl * Parm)691 FunctionParmMutationAnalyzer::findMutation(const ParmVarDecl *Parm) { 692 const auto Memoized = Results.find(Parm); 693 if (Memoized != Results.end()) 694 return Memoized->second; 695 // To handle call A -> call B -> call A. Assume parameters of A is not mutated 696 // before analyzing parameters of A. Then when analyzing the second "call A", 697 // FunctionParmMutationAnalyzer can use this memoized value to avoid infinite 698 // recursion. 699 Results[Parm] = nullptr; 700 if (const Stmt *S = BodyAnalyzer.findMutation(Parm)) 701 return Results[Parm] = S; 702 return Results[Parm]; 703 } 704 705 } // namespace clang 706