1
//=== SemaFunctionEffects.cpp - Sema handling of function effects ---------===//
2
//
3
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4
// See https://llvm.org/LICENSE.txt for license information.
5
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6
//
7
//===----------------------------------------------------------------------===//
8
//
9
// This file implements Sema handling of function effects.
10
//
11
//===----------------------------------------------------------------------===//
12

13
#include "clang/AST/Decl.h"
14
#include "clang/AST/DeclCXX.h"
15
#include "clang/AST/DynamicRecursiveASTVisitor.h"
16
#include "clang/AST/ExprObjC.h"
17
#include "clang/AST/Stmt.h"
18
#include "clang/AST/StmtObjC.h"
19
#include "clang/AST/Type.h"
20
#include "clang/Basic/SourceManager.h"
21
#include "clang/Sema/SemaInternal.h"
22

23
#define DEBUG_TYPE "effectanalysis"
24

25
using namespace clang;
26

27
namespace {
28

29
enum class ViolationID : uint8_t {
30
  None = 0, // Sentinel for an empty Violation.
31
  // These first 5 map to a %select{} in one of several FunctionEffects
32
  // diagnostics, e.g. warn_func_effect_violation.
33
  BaseDiagnosticIndex,
34
  AllocatesMemory = BaseDiagnosticIndex,
35
  ThrowsOrCatchesExceptions,
36
  HasStaticLocalVariable,
37
  AccessesThreadLocalVariable,
38
  AccessesObjCMethodOrProperty,
39

40
  // These only apply to callees, where the analysis stops at the Decl.
41
  DeclDisallowsInference,
42

43
  // These both apply to indirect calls. The difference is that sometimes
44
  // we have an actual Decl (generally a variable) which is the function
45
  // pointer being called, and sometimes, typically due to a cast, we only
46
  // have an expression.
47
  CallsDeclWithoutEffect,
48
  CallsExprWithoutEffect,
49
};
50

51
// Information about the AST context in which a violation was found, so
52
// that diagnostics can point to the correct source.
53
class ViolationSite {
54
public:
55
  enum class Kind : uint8_t {
56
    Default, // Function body.
57
    MemberInitializer,
58
    DefaultArgExpr
59
  };
60

61
private:
62
  llvm::PointerIntPair<CXXDefaultArgExpr *, 2, Kind> Impl;
63

64
public:
65
  ViolationSite() = default;
66

67
  explicit ViolationSite(CXXDefaultArgExpr *E)
68
      : Impl(E, Kind::DefaultArgExpr) {}
69

70
  Kind kind() const { return static_cast<Kind>(Impl.getInt()); }
71
  CXXDefaultArgExpr *defaultArgExpr() const { return Impl.getPointer(); }
72

73
  void setKind(Kind K) { Impl.setPointerAndInt(nullptr, K); }
74
};
75

76
// Represents a violation of the rules, potentially for the entire duration of
77
// the analysis phase, in order to refer to it when explaining why a caller has
78
// been made unsafe by a callee. Can be transformed into either a Diagnostic
79
// (warning or a note), depending on whether the violation pertains to a
80
// function failing to be verifed as holding an effect vs. a function failing to
81
// be inferred as holding that effect.
82
struct Violation {
83
  FunctionEffect Effect;
84
  std::optional<FunctionEffect>
85
      CalleeEffectPreventingInference; // Only for certain IDs; can be nullopt.
86
  ViolationID ID = ViolationID::None;
87
  ViolationSite Site;
88
  SourceLocation Loc;
89
  const Decl *Callee =
90
      nullptr; // Only valid for ViolationIDs Calls{Decl,Expr}WithoutEffect.
91

92
  Violation(FunctionEffect Effect, ViolationID ID, ViolationSite VS,
93
            SourceLocation Loc, const Decl *Callee = nullptr,
94
            std::optional<FunctionEffect> CalleeEffect = std::nullopt)
95
      : Effect(Effect), CalleeEffectPreventingInference(CalleeEffect), ID(ID),
96
        Site(VS), Loc(Loc), Callee(Callee) {}
97

98
  unsigned diagnosticSelectIndex() const {
99
    return unsigned(ID) - unsigned(ViolationID::BaseDiagnosticIndex);
100
  }
101
};
102

103
enum class SpecialFuncType : uint8_t { None, OperatorNew, OperatorDelete };
104
enum class CallableType : uint8_t {
105
  // Unknown: probably function pointer.
106
  Unknown,
107
  Function,
108
  Virtual,
109
  Block
110
};
111

112
// Return whether a function's effects CAN be verified.
113
// The question of whether it SHOULD be verified is independent.
114
static bool functionIsVerifiable(const FunctionDecl *FD) {
115
  if (FD->isTrivial()) {
116
    // Otherwise `struct x { int a; };` would have an unverifiable default
117
    // constructor.
118
    return true;
119
  }
120
  return FD->hasBody();
121
}
122

123
static bool isNoexcept(const FunctionDecl *FD) {
124
  const auto *FPT = FD->getType()->getAs<FunctionProtoType>();
125
  return FPT && (FPT->isNothrow() || FD->hasAttr<NoThrowAttr>());
126
}
127

128
// This list is probably incomplete.
129
// FIXME: Investigate:
130
// __builtin_eh_return?
131
// __builtin_allow_runtime_check?
132
// __builtin_unwind_init and other similar things that sound exception-related.
133
// va_copy?
134
// coroutines?
135
static FunctionEffectKindSet getBuiltinFunctionEffects(unsigned BuiltinID) {
136
  FunctionEffectKindSet Result;
137

138
  switch (BuiltinID) {
139
  case 0:  // Not builtin.
140
  default: // By default, builtins have no known effects.
141
    break;
142

143
  // These allocate/deallocate heap memory.
144
  case Builtin::ID::BI__builtin_calloc:
145
  case Builtin::ID::BI__builtin_malloc:
146
  case Builtin::ID::BI__builtin_realloc:
147
  case Builtin::ID::BI__builtin_free:
148
  case Builtin::ID::BI__builtin_operator_delete:
149
  case Builtin::ID::BI__builtin_operator_new:
150
  case Builtin::ID::BIaligned_alloc:
151
  case Builtin::ID::BIcalloc:
152
  case Builtin::ID::BImalloc:
153
  case Builtin::ID::BImemalign:
154
  case Builtin::ID::BIrealloc:
155
  case Builtin::ID::BIfree:
156

157
  case Builtin::ID::BIfopen:
158
  case Builtin::ID::BIpthread_create:
159
  case Builtin::ID::BI_Block_object_dispose:
160
    Result.insert(FunctionEffect(FunctionEffect::Kind::Allocating));
161
    break;
162

163
  // These block in some other way than allocating memory.
164
  // longjmp() and friends are presumed unsafe because they are the moral
165
  // equivalent of throwing a C++ exception, which is unsafe.
166
  case Builtin::ID::BIlongjmp:
167
  case Builtin::ID::BI_longjmp:
168
  case Builtin::ID::BIsiglongjmp:
169
  case Builtin::ID::BI__builtin_longjmp:
170
  case Builtin::ID::BIobjc_exception_throw:
171

172
  // Objective-C runtime.
173
  case Builtin::ID::BIobjc_msgSend:
174
  case Builtin::ID::BIobjc_msgSend_fpret:
175
  case Builtin::ID::BIobjc_msgSend_fp2ret:
176
  case Builtin::ID::BIobjc_msgSend_stret:
177
  case Builtin::ID::BIobjc_msgSendSuper:
178
  case Builtin::ID::BIobjc_getClass:
179
  case Builtin::ID::BIobjc_getMetaClass:
180
  case Builtin::ID::BIobjc_enumerationMutation:
181
  case Builtin::ID::BIobjc_assign_ivar:
182
  case Builtin::ID::BIobjc_assign_global:
183
  case Builtin::ID::BIobjc_sync_enter:
184
  case Builtin::ID::BIobjc_sync_exit:
185
  case Builtin::ID::BINSLog:
186
  case Builtin::ID::BINSLogv:
187

188
  // stdio.h
189
  case Builtin::ID::BIfread:
190
  case Builtin::ID::BIfwrite:
191

192
  // stdio.h: printf family.
193
  case Builtin::ID::BIprintf:
194
  case Builtin::ID::BI__builtin_printf:
195
  case Builtin::ID::BIfprintf:
196
  case Builtin::ID::BIsnprintf:
197
  case Builtin::ID::BIsprintf:
198
  case Builtin::ID::BIvprintf:
199
  case Builtin::ID::BIvfprintf:
200
  case Builtin::ID::BIvsnprintf:
201
  case Builtin::ID::BIvsprintf:
202

203
  // stdio.h: scanf family.
204
  case Builtin::ID::BIscanf:
205
  case Builtin::ID::BIfscanf:
206
  case Builtin::ID::BIsscanf:
207
  case Builtin::ID::BIvscanf:
208
  case Builtin::ID::BIvfscanf:
209
  case Builtin::ID::BIvsscanf:
210
    Result.insert(FunctionEffect(FunctionEffect::Kind::Blocking));
211
    break;
212
  }
213

214
  return Result;
215
}
216

217
// Transitory, more extended information about a callable, which can be a
218
// function, block, or function pointer.
219
struct CallableInfo {
220
  // CDecl holds the function's definition, if any.
221
  // FunctionDecl if CallableType::Function or Virtual
222
  // BlockDecl if CallableType::Block
223
  const Decl *CDecl;
224

225
  // Remember whether the callable is a function, block, virtual method,
226
  // or (presumed) function pointer.
227
  CallableType CType = CallableType::Unknown;
228

229
  // Remember whether the callable is an operator new or delete function,
230
  // so that calls to them are reported more meaningfully, as memory
231
  // allocations.
232
  SpecialFuncType FuncType = SpecialFuncType::None;
233

234
  // We inevitably want to know the callable's declared effects, so cache them.
235
  FunctionEffectKindSet Effects;
236

237
  CallableInfo(const Decl &CD, SpecialFuncType FT = SpecialFuncType::None)
238
      : CDecl(&CD), FuncType(FT) {
239
    FunctionEffectsRef DeclEffects;
240
    if (auto *FD = dyn_cast<FunctionDecl>(CDecl)) {
241
      // Use the function's definition, if any.
242
      if (const FunctionDecl *Def = FD->getDefinition())
243
        CDecl = FD = Def;
244
      CType = CallableType::Function;
245
      if (auto *Method = dyn_cast<CXXMethodDecl>(FD);
246
          Method && Method->isVirtual())
247
        CType = CallableType::Virtual;
248
      DeclEffects = FD->getFunctionEffects();
249
    } else if (auto *BD = dyn_cast<BlockDecl>(CDecl)) {
250
      CType = CallableType::Block;
251
      DeclEffects = BD->getFunctionEffects();
252
    } else if (auto *VD = dyn_cast<ValueDecl>(CDecl)) {
253
      // ValueDecl is function, enum, or variable, so just look at its type.
254
      DeclEffects = FunctionEffectsRef::get(VD->getType());
255
    }
256
    Effects = FunctionEffectKindSet(DeclEffects);
257
  }
258

259
  CallableType type() const { return CType; }
260

261
  bool isCalledDirectly() const {
262
    return CType == CallableType::Function || CType == CallableType::Block;
263
  }
264

265
  bool isVerifiable() const {
266
    switch (CType) {
267
    case CallableType::Unknown:
268
    case CallableType::Virtual:
269
      return false;
270
    case CallableType::Block:
271
      return true;
272
    case CallableType::Function:
273
      return functionIsVerifiable(dyn_cast<FunctionDecl>(CDecl));
274
    }
275
    llvm_unreachable("undefined CallableType");
276
  }
277

278
  /// Generate a name for logging and diagnostics.
279
  std::string getNameForDiagnostic(Sema &S) const {
280
    std::string Name;
281
    llvm::raw_string_ostream OS(Name);
282

283
    if (auto *FD = dyn_cast<FunctionDecl>(CDecl))
284
      FD->getNameForDiagnostic(OS, S.getPrintingPolicy(),
285
                               /*Qualified=*/true);
286
    else if (auto *BD = dyn_cast<BlockDecl>(CDecl))
287
      OS << "(block " << BD->getBlockManglingNumber() << ")";
288
    else if (auto *VD = dyn_cast<NamedDecl>(CDecl))
289
      VD->printQualifiedName(OS);
290
    return Name;
291
  }
292
};
293

294
// ----------
295
// Map effects to single Violations, to hold the first (of potentially many)
296
// violations pertaining to an effect, per function.
297
class EffectToViolationMap {
298
  // Since we currently only have a tiny number of effects (typically no more
299
  // than 1), use a SmallVector with an inline capacity of 1. Since it
300
  // is often empty, use a unique_ptr to the SmallVector.
301
  // Note that Violation itself contains a FunctionEffect which is the key.
302
  // FIXME: Is there a way to simplify this using existing data structures?
303
  using ImplVec = llvm::SmallVector<Violation, 1>;
304
  std::unique_ptr<ImplVec> Impl;
305

306
public:
307
  // Insert a new Violation if we do not already have one for its effect.
308
  void maybeInsert(const Violation &Viol) {
309
    if (Impl == nullptr)
310
      Impl = std::make_unique<ImplVec>();
311
    else if (lookup(Viol.Effect) != nullptr)
312
      return;
313

314
    Impl->push_back(Viol);
315
  }
316

317
  const Violation *lookup(FunctionEffect Key) {
318
    if (Impl == nullptr)
319
      return nullptr;
320

321
    auto *Iter = llvm::find_if(
322
        *Impl, [&](const auto &Item) { return Item.Effect == Key; });
323
    return Iter != Impl->end() ? &*Iter : nullptr;
324
  }
325

326
  size_t size() const { return Impl ? Impl->size() : 0; }
327
};
328

329
// ----------
330
// State pertaining to a function whose AST is walked and whose effect analysis
331
// is dependent on a subsequent analysis of other functions.
332
class PendingFunctionAnalysis {
333
  friend class CompleteFunctionAnalysis;
334

335
public:
336
  struct DirectCall {
337
    const Decl *Callee;
338
    SourceLocation CallLoc;
339
    // Not all recursive calls are detected, just enough
340
    // to break cycles.
341
    bool Recursed = false;
342
    ViolationSite VSite;
343

344
    DirectCall(const Decl *D, SourceLocation CallLoc, ViolationSite VSite)
345
        : Callee(D), CallLoc(CallLoc), VSite(VSite) {}
346
  };
347

348
  // We always have two disjoint sets of effects to verify:
349
  // 1. Effects declared explicitly by this function.
350
  // 2. All other inferrable effects needing verification.
351
  FunctionEffectKindSet DeclaredVerifiableEffects;
352
  FunctionEffectKindSet EffectsToInfer;
353

354
private:
355
  // Violations pertaining to the function's explicit effects.
356
  SmallVector<Violation, 0> ViolationsForExplicitEffects;
357

358
  // Violations pertaining to other, non-explicit, inferrable effects.
359
  EffectToViolationMap InferrableEffectToFirstViolation;
360

361
  // These unverified direct calls are what keeps the analysis "pending",
362
  // until the callees can be verified.
363
  SmallVector<DirectCall, 0> UnverifiedDirectCalls;
364

365
public:
366
  PendingFunctionAnalysis(Sema &S, const CallableInfo &CInfo,
367
                          FunctionEffectKindSet AllInferrableEffectsToVerify)
368
      : DeclaredVerifiableEffects(CInfo.Effects) {
369
    // Check for effects we are not allowed to infer.
370
    FunctionEffectKindSet InferrableEffects;
371

372
    for (FunctionEffect effect : AllInferrableEffectsToVerify) {
373
      std::optional<FunctionEffect> ProblemCalleeEffect =
374
          effect.effectProhibitingInference(*CInfo.CDecl, CInfo.Effects);
375
      if (!ProblemCalleeEffect)
376
        InferrableEffects.insert(effect);
377
      else {
378
        // Add a Violation for this effect if a caller were to
379
        // try to infer it.
380
        InferrableEffectToFirstViolation.maybeInsert(Violation(
381
            effect, ViolationID::DeclDisallowsInference, ViolationSite{},
382
            CInfo.CDecl->getLocation(), nullptr, ProblemCalleeEffect));
383
      }
384
    }
385
    // InferrableEffects is now the set of inferrable effects which are not
386
    // prohibited.
387
    EffectsToInfer = FunctionEffectKindSet::difference(
388
        InferrableEffects, DeclaredVerifiableEffects);
389
  }
390

391
  // Hide the way that Violations for explicitly required effects vs. inferred
392
  // ones are handled differently.
393
  void checkAddViolation(bool Inferring, const Violation &NewViol) {
394
    if (!Inferring)
395
      ViolationsForExplicitEffects.push_back(NewViol);
396
    else
397
      InferrableEffectToFirstViolation.maybeInsert(NewViol);
398
  }
399

400
  void addUnverifiedDirectCall(const Decl *D, SourceLocation CallLoc,
401
                               ViolationSite VSite) {
402
    UnverifiedDirectCalls.emplace_back(D, CallLoc, VSite);
403
  }
404

405
  // Analysis is complete when there are no unverified direct calls.
406
  bool isComplete() const { return UnverifiedDirectCalls.empty(); }
407

408
  const Violation *violationForInferrableEffect(FunctionEffect effect) {
409
    return InferrableEffectToFirstViolation.lookup(effect);
410
  }
411

412
  // Mutable because caller may need to set a DirectCall's Recursing flag.
413
  MutableArrayRef<DirectCall> unverifiedCalls() {
414
    assert(!isComplete());
415
    return UnverifiedDirectCalls;
416
  }
417

418
  ArrayRef<Violation> getSortedViolationsForExplicitEffects(SourceManager &SM) {
419
    if (!ViolationsForExplicitEffects.empty())
420
      llvm::sort(ViolationsForExplicitEffects,
421
                 [&SM](const Violation &LHS, const Violation &RHS) {
422
                   return SM.isBeforeInTranslationUnit(LHS.Loc, RHS.Loc);
423
                 });
424
    return ViolationsForExplicitEffects;
425
  }
426

427
  void dump(Sema &SemaRef, llvm::raw_ostream &OS) const {
428
    OS << "Pending: Declared ";
429
    DeclaredVerifiableEffects.dump(OS);
430
    OS << ", " << ViolationsForExplicitEffects.size() << " violations; ";
431
    OS << " Infer ";
432
    EffectsToInfer.dump(OS);
433
    OS << ", " << InferrableEffectToFirstViolation.size() << " violations";
434
    if (!UnverifiedDirectCalls.empty()) {
435
      OS << "; Calls: ";
436
      for (const DirectCall &Call : UnverifiedDirectCalls) {
437
        CallableInfo CI(*Call.Callee);
438
        OS << " " << CI.getNameForDiagnostic(SemaRef);
439
      }
440
    }
441
    OS << "\n";
442
  }
443
};
444

445
// ----------
446
class CompleteFunctionAnalysis {
447
  // Current size: 2 pointers
448
public:
449
  // Has effects which are both the declared ones -- not to be inferred -- plus
450
  // ones which have been successfully inferred. These are all considered
451
  // "verified" for the purposes of callers; any issue with verifying declared
452
  // effects has already been reported and is not the problem of any caller.
453
  FunctionEffectKindSet VerifiedEffects;
454

455
private:
456
  // This is used to generate notes about failed inference.
457
  EffectToViolationMap InferrableEffectToFirstViolation;
458

459
public:
460
  // The incoming Pending analysis is consumed (member(s) are moved-from).
461
  CompleteFunctionAnalysis(ASTContext &Ctx, PendingFunctionAnalysis &&Pending,
462
                           FunctionEffectKindSet DeclaredEffects,
463
                           FunctionEffectKindSet AllInferrableEffectsToVerify)
464
      : VerifiedEffects(DeclaredEffects) {
465
    for (FunctionEffect effect : AllInferrableEffectsToVerify)
466
      if (Pending.violationForInferrableEffect(effect) == nullptr)
467
        VerifiedEffects.insert(effect);
468

469
    InferrableEffectToFirstViolation =
470
        std::move(Pending.InferrableEffectToFirstViolation);
471
  }
472

473
  const Violation *firstViolationForEffect(FunctionEffect Effect) {
474
    return InferrableEffectToFirstViolation.lookup(Effect);
475
  }
476

477
  void dump(llvm::raw_ostream &OS) const {
478
    OS << "Complete: Verified ";
479
    VerifiedEffects.dump(OS);
480
    OS << "; Infer ";
481
    OS << InferrableEffectToFirstViolation.size() << " violations\n";
482
  }
483
};
484

485
// ==========
486
class Analyzer {
487
  Sema &S;
488

489
  // Subset of Sema.AllEffectsToVerify
490
  FunctionEffectKindSet AllInferrableEffectsToVerify;
491

492
  using FuncAnalysisPtr =
493
      llvm::PointerUnion<PendingFunctionAnalysis *, CompleteFunctionAnalysis *>;
494

495
  // Map all Decls analyzed to FuncAnalysisPtr. Pending state is larger
496
  // than complete state, so use different objects to represent them.
497
  // The state pointers are owned by the container.
498
  class AnalysisMap : llvm::DenseMap<const Decl *, FuncAnalysisPtr> {
499
    using Base = llvm::DenseMap<const Decl *, FuncAnalysisPtr>;
500

501
  public:
502
    ~AnalysisMap();
503

504
    // Use non-public inheritance in order to maintain the invariant
505
    // that lookups and insertions are via the canonical Decls.
506

507
    FuncAnalysisPtr lookup(const Decl *Key) const {
508
      return Base::lookup(Key->getCanonicalDecl());
509
    }
510

511
    FuncAnalysisPtr &operator[](const Decl *Key) {
512
      return Base::operator[](Key->getCanonicalDecl());
513
    }
514

515
    /// Shortcut for the case where we only care about completed analysis.
516
    CompleteFunctionAnalysis *completedAnalysisForDecl(const Decl *D) const {
517
      if (FuncAnalysisPtr AP = lookup(D);
518
          isa_and_nonnull<CompleteFunctionAnalysis *>(AP))
519
        return cast<CompleteFunctionAnalysis *>(AP);
520
      return nullptr;
521
    }
522

523
    void dump(Sema &SemaRef, llvm::raw_ostream &OS) {
524
      OS << "\nAnalysisMap:\n";
525
      for (const auto &item : *this) {
526
        CallableInfo CI(*item.first);
527
        const auto AP = item.second;
528
        OS << item.first << " " << CI.getNameForDiagnostic(SemaRef) << " : ";
529
        if (AP.isNull()) {
530
          OS << "null\n";
531
        } else if (auto *CFA = dyn_cast<CompleteFunctionAnalysis *>(AP)) {
532
          OS << CFA << " ";
533
          CFA->dump(OS);
534
        } else if (auto *PFA = dyn_cast<PendingFunctionAnalysis *>(AP)) {
535
          OS << PFA << " ";
536
          PFA->dump(SemaRef, OS);
537
        } else
538
          llvm_unreachable("never");
539
      }
540
      OS << "---\n";
541
    }
542
  };
543
  AnalysisMap DeclAnalysis;
544

545
public:
546
  Analyzer(Sema &S) : S(S) {}
547

548
  void run(const TranslationUnitDecl &TU) {
549
    // Gather all of the effects to be verified to see what operations need to
550
    // be checked, and to see which ones are inferrable.
551
    for (FunctionEffect Effect : S.AllEffectsToVerify) {
552
      const FunctionEffect::Flags Flags = Effect.flags();
553
      if (Flags & FunctionEffect::FE_InferrableOnCallees)
554
        AllInferrableEffectsToVerify.insert(Effect);
555
    }
556
    LLVM_DEBUG(llvm::dbgs() << "AllInferrableEffectsToVerify: ";
557
               AllInferrableEffectsToVerify.dump(llvm::dbgs());
558
               llvm::dbgs() << "\n";);
559

560
    // We can use DeclsWithEffectsToVerify as a stack for a
561
    // depth-first traversal; there's no need for a second container. But first,
562
    // reverse it, so when working from the end, Decls are verified in the order
563
    // they are declared.
564
    SmallVector<const Decl *> &VerificationQueue = S.DeclsWithEffectsToVerify;
565
    std::reverse(VerificationQueue.begin(), VerificationQueue.end());
566

567
    while (!VerificationQueue.empty()) {
568
      const Decl *D = VerificationQueue.back();
569
      if (FuncAnalysisPtr AP = DeclAnalysis.lookup(D)) {
570
        if (auto *Pending = dyn_cast<PendingFunctionAnalysis *>(AP)) {
571
          // All children have been traversed; finish analysis.
572
          finishPendingAnalysis(D, Pending);
573
        }
574
        VerificationQueue.pop_back();
575
        continue;
576
      }
577

578
      // Not previously visited; begin a new analysis for this Decl.
579
      PendingFunctionAnalysis *Pending = verifyDecl(D);
580
      if (Pending == nullptr) {
581
        // Completed now.
582
        VerificationQueue.pop_back();
583
        continue;
584
      }
585

586
      // Analysis remains pending because there are direct callees to be
587
      // verified first. Push them onto the queue.
588
      for (PendingFunctionAnalysis::DirectCall &Call :
589
           Pending->unverifiedCalls()) {
590
        FuncAnalysisPtr AP = DeclAnalysis.lookup(Call.Callee);
591
        if (AP.isNull()) {
592
          VerificationQueue.push_back(Call.Callee);
593
          continue;
594
        }
595

596
        // This indicates recursion (not necessarily direct). For the
597
        // purposes of effect analysis, we can just ignore it since
598
        // no effects forbid recursion.
599
        assert(isa<PendingFunctionAnalysis *>(AP));
600
        Call.Recursed = true;
601
      }
602
    }
603
  }
604

605
private:
606
  // Verify a single Decl. Return the pending structure if that was the result,
607
  // else null. This method must not recurse.
608
  PendingFunctionAnalysis *verifyDecl(const Decl *D) {
609
    CallableInfo CInfo(*D);
610
    bool isExternC = false;
611

612
    if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D))
613
      isExternC = FD->getCanonicalDecl()->isExternCContext();
614

615
    // For C++, with non-extern "C" linkage only - if any of the Decl's declared
616
    // effects forbid throwing (e.g. nonblocking) then the function should also
617
    // be declared noexcept.
618
    if (S.getLangOpts().CPlusPlus && !isExternC) {
619
      for (FunctionEffect Effect : CInfo.Effects) {
620
        if (!(Effect.flags() & FunctionEffect::FE_ExcludeThrow))
621
          continue;
622

623
        bool IsNoexcept = false;
624
        if (auto *FD = D->getAsFunction()) {
625
          IsNoexcept = isNoexcept(FD);
626
        } else if (auto *BD = dyn_cast<BlockDecl>(D)) {
627
          if (auto *TSI = BD->getSignatureAsWritten()) {
628
            auto *FPT = TSI->getType()->castAs<FunctionProtoType>();
629
            IsNoexcept = FPT->isNothrow() || BD->hasAttr<NoThrowAttr>();
630
          }
631
        }
632
        if (!IsNoexcept)
633
          S.Diag(D->getBeginLoc(), diag::warn_perf_constraint_implies_noexcept)
634
              << GetCallableDeclKind(D, nullptr) << Effect.name();
635
        break;
636
      }
637
    }
638

639
    // Build a PendingFunctionAnalysis on the stack. If it turns out to be
640
    // complete, we'll have avoided a heap allocation; if it's incomplete, it's
641
    // a fairly trivial move to a heap-allocated object.
642
    PendingFunctionAnalysis FAnalysis(S, CInfo, AllInferrableEffectsToVerify);
643

644
    LLVM_DEBUG(llvm::dbgs()
645
                   << "\nVerifying " << CInfo.getNameForDiagnostic(S) << " ";
646
               FAnalysis.dump(S, llvm::dbgs()););
647

648
    FunctionBodyASTVisitor Visitor(*this, FAnalysis, CInfo);
649

650
    Visitor.run();
651
    if (FAnalysis.isComplete()) {
652
      completeAnalysis(CInfo, std::move(FAnalysis));
653
      return nullptr;
654
    }
655
    // Move the pending analysis to the heap and save it in the map.
656
    PendingFunctionAnalysis *PendingPtr =
657
        new PendingFunctionAnalysis(std::move(FAnalysis));
658
    DeclAnalysis[D] = PendingPtr;
659
    LLVM_DEBUG(llvm::dbgs() << "inserted pending " << PendingPtr << "\n";
660
               DeclAnalysis.dump(S, llvm::dbgs()););
661
    return PendingPtr;
662
  }
663

664
  // Consume PendingFunctionAnalysis, create with it a CompleteFunctionAnalysis,
665
  // inserted in the container.
666
  void completeAnalysis(const CallableInfo &CInfo,
667
                        PendingFunctionAnalysis &&Pending) {
668
    if (ArrayRef<Violation> Viols =
669
            Pending.getSortedViolationsForExplicitEffects(S.getSourceManager());
670
        !Viols.empty())
671
      emitDiagnostics(Viols, CInfo);
672

673
    CompleteFunctionAnalysis *CompletePtr = new CompleteFunctionAnalysis(
674
        S.getASTContext(), std::move(Pending), CInfo.Effects,
675
        AllInferrableEffectsToVerify);
676
    DeclAnalysis[CInfo.CDecl] = CompletePtr;
677
    LLVM_DEBUG(llvm::dbgs() << "inserted complete " << CompletePtr << "\n";
678
               DeclAnalysis.dump(S, llvm::dbgs()););
679
  }
680

681
  // Called after all direct calls requiring inference have been found -- or
682
  // not. Repeats calls to FunctionBodyASTVisitor::followCall() but without
683
  // the possibility of inference. Deletes Pending.
684
  void finishPendingAnalysis(const Decl *D, PendingFunctionAnalysis *Pending) {
685
    CallableInfo Caller(*D);
686
    LLVM_DEBUG(llvm::dbgs() << "finishPendingAnalysis for "
687
                            << Caller.getNameForDiagnostic(S) << " : ";
688
               Pending->dump(S, llvm::dbgs()); llvm::dbgs() << "\n";);
689
    for (const PendingFunctionAnalysis::DirectCall &Call :
690
         Pending->unverifiedCalls()) {
691
      if (Call.Recursed)
692
        continue;
693

694
      CallableInfo Callee(*Call.Callee);
695
      followCall(Caller, *Pending, Callee, Call.CallLoc,
696
                 /*AssertNoFurtherInference=*/true, Call.VSite);
697
    }
698
    completeAnalysis(Caller, std::move(*Pending));
699
    delete Pending;
700
  }
701

702
  // Here we have a call to a Decl, either explicitly via a CallExpr or some
703
  // other AST construct. PFA pertains to the caller.
704
  void followCall(const CallableInfo &Caller, PendingFunctionAnalysis &PFA,
705
                  const CallableInfo &Callee, SourceLocation CallLoc,
706
                  bool AssertNoFurtherInference, ViolationSite VSite) {
707
    const bool DirectCall = Callee.isCalledDirectly();
708

709
    // Initially, the declared effects; inferred effects will be added.
710
    FunctionEffectKindSet CalleeEffects = Callee.Effects;
711

712
    bool IsInferencePossible = DirectCall;
713

714
    if (DirectCall)
715
      if (CompleteFunctionAnalysis *CFA =
716
              DeclAnalysis.completedAnalysisForDecl(Callee.CDecl)) {
717
        // Combine declared effects with those which may have been inferred.
718
        CalleeEffects.insert(CFA->VerifiedEffects);
719
        IsInferencePossible = false; // We've already traversed it.
720
      }
721

722
    if (AssertNoFurtherInference) {
723
      assert(!IsInferencePossible);
724
    }
725

726
    if (!Callee.isVerifiable())
727
      IsInferencePossible = false;
728

729
    LLVM_DEBUG(llvm::dbgs()
730
                   << "followCall from " << Caller.getNameForDiagnostic(S)
731
                   << " to " << Callee.getNameForDiagnostic(S)
732
                   << "; verifiable: " << Callee.isVerifiable() << "; callee ";
733
               CalleeEffects.dump(llvm::dbgs()); llvm::dbgs() << "\n";
734
               llvm::dbgs() << "  callee " << Callee.CDecl << " canonical "
735
                            << Callee.CDecl->getCanonicalDecl() << "\n";);
736

737
    auto Check1Effect = [&](FunctionEffect Effect, bool Inferring) {
738
      if (!Effect.shouldDiagnoseFunctionCall(DirectCall, CalleeEffects))
739
        return;
740

741
      // If inference is not allowed, or the target is indirect (virtual
742
      // method/function ptr?), generate a Violation now.
743
      if (!IsInferencePossible ||
744
          !(Effect.flags() & FunctionEffect::FE_InferrableOnCallees)) {
745
        if (Callee.FuncType == SpecialFuncType::None)
746
          PFA.checkAddViolation(Inferring,
747
                                {Effect, ViolationID::CallsDeclWithoutEffect,
748
                                 VSite, CallLoc, Callee.CDecl});
749
        else
750
          PFA.checkAddViolation(
751
              Inferring,
752
              {Effect, ViolationID::AllocatesMemory, VSite, CallLoc});
753
      } else {
754
        // Inference is allowed and necessary; defer it.
755
        PFA.addUnverifiedDirectCall(Callee.CDecl, CallLoc, VSite);
756
      }
757
    };
758

759
    for (FunctionEffect Effect : PFA.DeclaredVerifiableEffects)
760
      Check1Effect(Effect, false);
761

762
    for (FunctionEffect Effect : PFA.EffectsToInfer)
763
      Check1Effect(Effect, true);
764
  }
765

766
  // Describe a callable Decl for a diagnostic.
767
  // (Not an enum class because the value is always converted to an integer for
768
  // use in a diagnostic.)
769
  enum CallableDeclKind {
770
    CDK_Function,
771
    CDK_Constructor,
772
    CDK_Destructor,
773
    CDK_Lambda,
774
    CDK_Block,
775
    CDK_MemberInitializer,
776
  };
777

778
  // Describe a call site or target using an enum mapping to a %select{}
779
  // in a diagnostic, e.g. warn_func_effect_violation,
780
  // warn_perf_constraint_implies_noexcept, and others.
781
  static CallableDeclKind GetCallableDeclKind(const Decl *D,
782
                                              const Violation *V) {
783
    if (V != nullptr &&
784
        V->Site.kind() == ViolationSite::Kind::MemberInitializer)
785
      return CDK_MemberInitializer;
786
    if (isa<BlockDecl>(D))
787
      return CDK_Block;
788
    if (auto *Method = dyn_cast<CXXMethodDecl>(D)) {
789
      if (isa<CXXConstructorDecl>(D))
790
        return CDK_Constructor;
791
      if (isa<CXXDestructorDecl>(D))
792
        return CDK_Destructor;
793
      const CXXRecordDecl *Rec = Method->getParent();
794
      if (Rec->isLambda())
795
        return CDK_Lambda;
796
    }
797
    return CDK_Function;
798
  };
799

800
  // Should only be called when function's analysis is determined to be
801
  // complete.
802
  void emitDiagnostics(ArrayRef<Violation> Viols, const CallableInfo &CInfo) {
803
    if (Viols.empty())
804
      return;
805

806
    auto MaybeAddTemplateNote = [&](const Decl *D) {
807
      if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D)) {
808
        while (FD != nullptr && FD->isTemplateInstantiation() &&
809
               FD->getPointOfInstantiation().isValid()) {
810
          S.Diag(FD->getPointOfInstantiation(),
811
                 diag::note_func_effect_from_template);
812
          FD = FD->getTemplateInstantiationPattern();
813
        }
814
      }
815
    };
816

817
    // For note_func_effect_call_indirect.
818
    enum { Indirect_VirtualMethod, Indirect_FunctionPtr };
819

820
    auto MaybeAddSiteContext = [&](const Decl *D, const Violation &V) {
821
      // If a violation site is a member initializer, add a note pointing to
822
      // the constructor which invoked it.
823
      if (V.Site.kind() == ViolationSite::Kind::MemberInitializer) {
824
        unsigned ImplicitCtor = 0;
825
        if (auto *Ctor = dyn_cast<CXXConstructorDecl>(D);
826
            Ctor && Ctor->isImplicit())
827
          ImplicitCtor = 1;
828
        S.Diag(D->getLocation(), diag::note_func_effect_in_constructor)
829
            << ImplicitCtor;
830
      }
831

832
      // If a violation site is a default argument expression, add a note
833
      // pointing to the call site using the default argument.
834
      else if (V.Site.kind() == ViolationSite::Kind::DefaultArgExpr)
835
        S.Diag(V.Site.defaultArgExpr()->getUsedLocation(),
836
               diag::note_in_evaluating_default_argument);
837
    };
838

839
    // Top-level violations are warnings.
840
    for (const Violation &Viol1 : Viols) {
841
      StringRef effectName = Viol1.Effect.name();
842
      switch (Viol1.ID) {
843
      case ViolationID::None:
844
      case ViolationID::DeclDisallowsInference: // Shouldn't happen
845
                                                // here.
846
        llvm_unreachable("Unexpected violation kind");
847
        break;
848
      case ViolationID::AllocatesMemory:
849
      case ViolationID::ThrowsOrCatchesExceptions:
850
      case ViolationID::HasStaticLocalVariable:
851
      case ViolationID::AccessesThreadLocalVariable:
852
      case ViolationID::AccessesObjCMethodOrProperty:
853
        S.Diag(Viol1.Loc, diag::warn_func_effect_violation)
854
            << GetCallableDeclKind(CInfo.CDecl, &Viol1) << effectName
855
            << Viol1.diagnosticSelectIndex();
856
        MaybeAddSiteContext(CInfo.CDecl, Viol1);
857
        MaybeAddTemplateNote(CInfo.CDecl);
858
        break;
859
      case ViolationID::CallsExprWithoutEffect:
860
        S.Diag(Viol1.Loc, diag::warn_func_effect_calls_expr_without_effect)
861
            << GetCallableDeclKind(CInfo.CDecl, &Viol1) << effectName;
862
        MaybeAddSiteContext(CInfo.CDecl, Viol1);
863
        MaybeAddTemplateNote(CInfo.CDecl);
864
        break;
865

866
      case ViolationID::CallsDeclWithoutEffect: {
867
        CallableInfo CalleeInfo(*Viol1.Callee);
868
        std::string CalleeName = CalleeInfo.getNameForDiagnostic(S);
869

870
        S.Diag(Viol1.Loc, diag::warn_func_effect_calls_func_without_effect)
871
            << GetCallableDeclKind(CInfo.CDecl, &Viol1) << effectName
872
            << GetCallableDeclKind(CalleeInfo.CDecl, nullptr) << CalleeName;
873
        MaybeAddSiteContext(CInfo.CDecl, Viol1);
874
        MaybeAddTemplateNote(CInfo.CDecl);
875

876
        // Emit notes explaining the transitive chain of inferences: Why isn't
877
        // the callee safe?
878
        for (const Decl *Callee = Viol1.Callee; Callee != nullptr;) {
879
          std::optional<CallableInfo> MaybeNextCallee;
880
          CompleteFunctionAnalysis *Completed =
881
              DeclAnalysis.completedAnalysisForDecl(CalleeInfo.CDecl);
882
          if (Completed == nullptr) {
883
            // No result - could be
884
            // - non-inline and extern
885
            // - indirect (virtual or through function pointer)
886
            // - effect has been explicitly disclaimed (e.g. "blocking")
887

888
            CallableType CType = CalleeInfo.type();
889
            if (CType == CallableType::Virtual)
890
              S.Diag(Callee->getLocation(),
891
                     diag::note_func_effect_call_indirect)
892
                  << Indirect_VirtualMethod << effectName;
893
            else if (CType == CallableType::Unknown)
894
              S.Diag(Callee->getLocation(),
895
                     diag::note_func_effect_call_indirect)
896
                  << Indirect_FunctionPtr << effectName;
897
            else if (CalleeInfo.Effects.contains(Viol1.Effect.oppositeKind()))
898
              S.Diag(Callee->getLocation(),
899
                     diag::note_func_effect_call_disallows_inference)
900
                  << GetCallableDeclKind(CInfo.CDecl, nullptr) << effectName
901
                  << FunctionEffect(Viol1.Effect.oppositeKind()).name();
902
            else if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(Callee);
903
                     FD == nullptr || FD->getBuiltinID() == 0) {
904
              // A builtin callee generally doesn't have a useful source
905
              // location at which to insert a note.
906
              S.Diag(Callee->getLocation(), diag::note_func_effect_call_extern)
907
                  << effectName;
908
            }
909
            break;
910
          }
911
          const Violation *PtrViol2 =
912
              Completed->firstViolationForEffect(Viol1.Effect);
913
          if (PtrViol2 == nullptr)
914
            break;
915

916
          const Violation &Viol2 = *PtrViol2;
917
          switch (Viol2.ID) {
918
          case ViolationID::None:
919
            llvm_unreachable("Unexpected violation kind");
920
            break;
921
          case ViolationID::DeclDisallowsInference:
922
            S.Diag(Viol2.Loc, diag::note_func_effect_call_disallows_inference)
923
                << GetCallableDeclKind(CalleeInfo.CDecl, nullptr) << effectName
924
                << Viol2.CalleeEffectPreventingInference->name();
925
            break;
926
          case ViolationID::CallsExprWithoutEffect:
927
            S.Diag(Viol2.Loc, diag::note_func_effect_call_indirect)
928
                << Indirect_FunctionPtr << effectName;
929
            break;
930
          case ViolationID::AllocatesMemory:
931
          case ViolationID::ThrowsOrCatchesExceptions:
932
          case ViolationID::HasStaticLocalVariable:
933
          case ViolationID::AccessesThreadLocalVariable:
934
          case ViolationID::AccessesObjCMethodOrProperty:
935
            S.Diag(Viol2.Loc, diag::note_func_effect_violation)
936
                << GetCallableDeclKind(CalleeInfo.CDecl, &Viol2) << effectName
937
                << Viol2.diagnosticSelectIndex();
938
            MaybeAddSiteContext(CalleeInfo.CDecl, Viol2);
939
            break;
940
          case ViolationID::CallsDeclWithoutEffect:
941
            MaybeNextCallee.emplace(*Viol2.Callee);
942
            S.Diag(Viol2.Loc, diag::note_func_effect_calls_func_without_effect)
943
                << GetCallableDeclKind(CalleeInfo.CDecl, &Viol2) << effectName
944
                << GetCallableDeclKind(Viol2.Callee, nullptr)
945
                << MaybeNextCallee->getNameForDiagnostic(S);
946
            break;
947
          }
948
          MaybeAddTemplateNote(Callee);
949
          Callee = Viol2.Callee;
950
          if (MaybeNextCallee) {
951
            CalleeInfo = *MaybeNextCallee;
952
            CalleeName = CalleeInfo.getNameForDiagnostic(S);
953
          }
954
        }
955
      } break;
956
      }
957
    }
958
  }
959

960
  // ----------
961
  // This AST visitor is used to traverse the body of a function during effect
962
  // verification. This happens in 2 situations:
963
  //  [1] The function has declared effects which need to be validated.
964
  //  [2] The function has not explicitly declared an effect in question, and is
965
  //      being checked for implicit conformance.
966
  //
967
  // Violations are always routed to a PendingFunctionAnalysis.
968
  struct FunctionBodyASTVisitor : DynamicRecursiveASTVisitor {
969
    Analyzer &Outer;
970
    PendingFunctionAnalysis &CurrentFunction;
971
    CallableInfo &CurrentCaller;
972
    ViolationSite VSite;
973
    const Expr *TrailingRequiresClause = nullptr;
974
    const Expr *NoexceptExpr = nullptr;
975

976
    FunctionBodyASTVisitor(Analyzer &Outer,
977
                           PendingFunctionAnalysis &CurrentFunction,
978
                           CallableInfo &CurrentCaller)
979
        : Outer(Outer), CurrentFunction(CurrentFunction),
980
          CurrentCaller(CurrentCaller) {
981
      ShouldVisitImplicitCode = true;
982
      ShouldWalkTypesOfTypeLocs = false;
983
    }
984

985
    // -- Entry point --
986
    void run() {
987
      // The target function may have implicit code paths beyond the
988
      // body: member and base destructors. Visit these first.
989
      if (auto *Dtor = dyn_cast<CXXDestructorDecl>(CurrentCaller.CDecl))
990
        followDestructor(dyn_cast<CXXRecordDecl>(Dtor->getParent()), Dtor);
991

992
      if (auto *FD = dyn_cast<FunctionDecl>(CurrentCaller.CDecl)) {
993
        TrailingRequiresClause = FD->getTrailingRequiresClause().ConstraintExpr;
994

995
        // Note that FD->getType->getAs<FunctionProtoType>() can yield a
996
        // noexcept Expr which has been boiled down to a constant expression.
997
        // Going through the TypeSourceInfo obtains the actual expression which
998
        // will be traversed as part of the function -- unless we capture it
999
        // here and have TraverseStmt skip it.
1000
        if (TypeSourceInfo *TSI = FD->getTypeSourceInfo()) {
1001
          if (FunctionProtoTypeLoc TL =
1002
                  TSI->getTypeLoc().getAs<FunctionProtoTypeLoc>())
1003
            if (const FunctionProtoType *FPT = TL.getTypePtr())
1004
              NoexceptExpr = FPT->getNoexceptExpr();
1005
        }
1006
      }
1007

1008
      // Do an AST traversal of the function/block body
1009
      TraverseDecl(const_cast<Decl *>(CurrentCaller.CDecl));
1010
    }
1011

1012
    // -- Methods implementing common logic --
1013

1014
    // Handle a language construct forbidden by some effects. Only effects whose
1015
    // flags include the specified flag receive a violation. \p Flag describes
1016
    // the construct.
1017
    void diagnoseLanguageConstruct(FunctionEffect::FlagBit Flag,
1018
                                   ViolationID VID, SourceLocation Loc,
1019
                                   const Decl *Callee = nullptr) {
1020
      // If there are any declared verifiable effects which forbid the construct
1021
      // represented by the flag, store just one violation.
1022
      for (FunctionEffect Effect : CurrentFunction.DeclaredVerifiableEffects) {
1023
        if (Effect.flags() & Flag) {
1024
          addViolation(/*inferring=*/false, Effect, VID, Loc, Callee);
1025
          break;
1026
        }
1027
      }
1028
      // For each inferred effect which forbids the construct, store a
1029
      // violation, if we don't already have a violation for that effect.
1030
      for (FunctionEffect Effect : CurrentFunction.EffectsToInfer)
1031
        if (Effect.flags() & Flag)
1032
          addViolation(/*inferring=*/true, Effect, VID, Loc, Callee);
1033
    }
1034

1035
    void addViolation(bool Inferring, FunctionEffect Effect, ViolationID VID,
1036
                      SourceLocation Loc, const Decl *Callee = nullptr) {
1037
      CurrentFunction.checkAddViolation(
1038
          Inferring, Violation(Effect, VID, VSite, Loc, Callee));
1039
    }
1040

1041
    // Here we have a call to a Decl, either explicitly via a CallExpr or some
1042
    // other AST construct. CallableInfo pertains to the callee.
1043
    void followCall(CallableInfo &CI, SourceLocation CallLoc) {
1044
      // Check for a call to a builtin function, whose effects are
1045
      // handled specially.
1046
      if (const auto *FD = dyn_cast<FunctionDecl>(CI.CDecl)) {
1047
        if (unsigned BuiltinID = FD->getBuiltinID()) {
1048
          CI.Effects = getBuiltinFunctionEffects(BuiltinID);
1049
          if (CI.Effects.empty()) {
1050
            // A builtin with no known effects is assumed safe.
1051
            return;
1052
          }
1053
          // A builtin WITH effects doesn't get any special treatment for
1054
          // being noreturn/noexcept, e.g. longjmp(), so we skip the check
1055
          // below.
1056
        } else {
1057
          // If the callee is both `noreturn` and `noexcept`, it presumably
1058
          // terminates. Ignore it for the purposes of effect analysis.
1059
          // If not C++, `noreturn` alone is sufficient.
1060
          if (FD->isNoReturn() &&
1061
              (!Outer.S.getLangOpts().CPlusPlus || isNoexcept(FD)))
1062
            return;
1063
        }
1064
      }
1065

1066
      Outer.followCall(CurrentCaller, CurrentFunction, CI, CallLoc,
1067
                       /*AssertNoFurtherInference=*/false, VSite);
1068
    }
1069

1070
    void checkIndirectCall(CallExpr *Call, QualType CalleeType) {
1071
      FunctionEffectKindSet CalleeEffects;
1072
      if (FunctionEffectsRef Effects = FunctionEffectsRef::get(CalleeType);
1073
          !Effects.empty())
1074
        CalleeEffects.insert(Effects);
1075

1076
      auto Check1Effect = [&](FunctionEffect Effect, bool Inferring) {
1077
        if (Effect.shouldDiagnoseFunctionCall(
1078
                /*direct=*/false, CalleeEffects))
1079
          addViolation(Inferring, Effect, ViolationID::CallsExprWithoutEffect,
1080
                       Call->getBeginLoc());
1081
      };
1082

1083
      for (FunctionEffect Effect : CurrentFunction.DeclaredVerifiableEffects)
1084
        Check1Effect(Effect, false);
1085

1086
      for (FunctionEffect Effect : CurrentFunction.EffectsToInfer)
1087
        Check1Effect(Effect, true);
1088
    }
1089

1090
    // This destructor's body should be followed by the caller, but here we
1091
    // follow the field and base destructors.
1092
    void followDestructor(const CXXRecordDecl *Rec,
1093
                          const CXXDestructorDecl *Dtor) {
1094
      SourceLocation DtorLoc = Dtor->getLocation();
1095
      for (const FieldDecl *Field : Rec->fields())
1096
        followTypeDtor(Field->getType(), DtorLoc);
1097

1098
      if (const auto *Class = dyn_cast<CXXRecordDecl>(Rec))
1099
        for (const CXXBaseSpecifier &Base : Class->bases())
1100
          followTypeDtor(Base.getType(), DtorLoc);
1101
    }
1102

1103
    void followTypeDtor(QualType QT, SourceLocation CallSite) {
1104
      const Type *Ty = QT.getTypePtr();
1105
      while (Ty->isArrayType()) {
1106
        const ArrayType *Arr = Ty->getAsArrayTypeUnsafe();
1107
        QT = Arr->getElementType();
1108
        Ty = QT.getTypePtr();
1109
      }
1110

1111
      if (Ty->isRecordType()) {
1112
        if (const CXXRecordDecl *Class = Ty->getAsCXXRecordDecl()) {
1113
          if (CXXDestructorDecl *Dtor = Class->getDestructor();
1114
              Dtor && !Dtor->isDeleted()) {
1115
            CallableInfo CI(*Dtor);
1116
            followCall(CI, CallSite);
1117
          }
1118
        }
1119
      }
1120
    }
1121

1122
    // -- Methods for use of RecursiveASTVisitor --
1123

1124
    bool VisitCXXThrowExpr(CXXThrowExpr *Throw) override {
1125
      diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeThrow,
1126
                                ViolationID::ThrowsOrCatchesExceptions,
1127
                                Throw->getThrowLoc());
1128
      return true;
1129
    }
1130

1131
    bool VisitCXXCatchStmt(CXXCatchStmt *Catch) override {
1132
      diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeCatch,
1133
                                ViolationID::ThrowsOrCatchesExceptions,
1134
                                Catch->getCatchLoc());
1135
      return true;
1136
    }
1137

1138
    bool VisitObjCAtThrowStmt(ObjCAtThrowStmt *Throw) override {
1139
      diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeThrow,
1140
                                ViolationID::ThrowsOrCatchesExceptions,
1141
                                Throw->getThrowLoc());
1142
      return true;
1143
    }
1144

1145
    bool VisitObjCAtCatchStmt(ObjCAtCatchStmt *Catch) override {
1146
      diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeCatch,
1147
                                ViolationID::ThrowsOrCatchesExceptions,
1148
                                Catch->getAtCatchLoc());
1149
      return true;
1150
    }
1151

1152
    bool VisitObjCAtFinallyStmt(ObjCAtFinallyStmt *Finally) override {
1153
      diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeCatch,
1154
                                ViolationID::ThrowsOrCatchesExceptions,
1155
                                Finally->getAtFinallyLoc());
1156
      return true;
1157
    }
1158

1159
    bool VisitObjCMessageExpr(ObjCMessageExpr *Msg) override {
1160
      diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeObjCMessageSend,
1161
                                ViolationID::AccessesObjCMethodOrProperty,
1162
                                Msg->getBeginLoc());
1163
      return true;
1164
    }
1165

1166
    bool VisitObjCAutoreleasePoolStmt(ObjCAutoreleasePoolStmt *ARP) override {
1167
      // Under the hood, @autorelease (potentially?) allocates memory and
1168
      // invokes ObjC methods. We don't currently have memory allocation as
1169
      // a "language construct" but we do have ObjC messaging, so diagnose that.
1170
      diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeObjCMessageSend,
1171
                                ViolationID::AccessesObjCMethodOrProperty,
1172
                                ARP->getBeginLoc());
1173
      return true;
1174
    }
1175

1176
    bool VisitObjCAtSynchronizedStmt(ObjCAtSynchronizedStmt *Sync) override {
1177
      // Under the hood, this calls objc_sync_enter and objc_sync_exit, wrapped
1178
      // in a @try/@finally block. Diagnose this generically as "ObjC
1179
      // messaging".
1180
      diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeObjCMessageSend,
1181
                                ViolationID::AccessesObjCMethodOrProperty,
1182
                                Sync->getBeginLoc());
1183
      return true;
1184
    }
1185

1186
    bool VisitSEHExceptStmt(SEHExceptStmt *Exc) override {
1187
      diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeCatch,
1188
                                ViolationID::ThrowsOrCatchesExceptions,
1189
                                Exc->getExceptLoc());
1190
      return true;
1191
    }
1192

1193
    bool VisitCallExpr(CallExpr *Call) override {
1194
      LLVM_DEBUG(llvm::dbgs()
1195
                     << "VisitCallExpr : "
1196
                     << Call->getBeginLoc().printToString(Outer.S.SourceMgr)
1197
                     << "\n";);
1198

1199
      Expr *CalleeExpr = Call->getCallee();
1200
      if (const Decl *Callee = CalleeExpr->getReferencedDeclOfCallee()) {
1201
        CallableInfo CI(*Callee);
1202
        followCall(CI, Call->getBeginLoc());
1203
        return true;
1204
      }
1205

1206
      if (isa<CXXPseudoDestructorExpr>(CalleeExpr)) {
1207
        // Just destroying a scalar, fine.
1208
        return true;
1209
      }
1210

1211
      // No Decl, just an Expr. Just check based on its type.
1212
      checkIndirectCall(Call, CalleeExpr->getType());
1213

1214
      return true;
1215
    }
1216

1217
    bool VisitVarDecl(VarDecl *Var) override {
1218
      LLVM_DEBUG(llvm::dbgs()
1219
                     << "VisitVarDecl : "
1220
                     << Var->getBeginLoc().printToString(Outer.S.SourceMgr)
1221
                     << "\n";);
1222

1223
      if (Var->isStaticLocal())
1224
        diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeStaticLocalVars,
1225
                                  ViolationID::HasStaticLocalVariable,
1226
                                  Var->getLocation());
1227

1228
      const QualType::DestructionKind DK =
1229
          Var->needsDestruction(Outer.S.getASTContext());
1230
      if (DK == QualType::DK_cxx_destructor)
1231
        followTypeDtor(Var->getType(), Var->getLocation());
1232
      return true;
1233
    }
1234

1235
    bool VisitCXXNewExpr(CXXNewExpr *New) override {
1236
      // RecursiveASTVisitor does not visit the implicit call to operator new.
1237
      if (FunctionDecl *FD = New->getOperatorNew()) {
1238
        CallableInfo CI(*FD, SpecialFuncType::OperatorNew);
1239
        followCall(CI, New->getBeginLoc());
1240
      }
1241

1242
      // It's a bit excessive to check operator delete here, since it's
1243
      // just a fallback for operator new followed by a failed constructor.
1244
      // We could check it via New->getOperatorDelete().
1245

1246
      // It DOES however visit the called constructor
1247
      return true;
1248
    }
1249

1250
    bool VisitCXXDeleteExpr(CXXDeleteExpr *Delete) override {
1251
      // RecursiveASTVisitor does not visit the implicit call to operator
1252
      // delete.
1253
      if (FunctionDecl *FD = Delete->getOperatorDelete()) {
1254
        CallableInfo CI(*FD, SpecialFuncType::OperatorDelete);
1255
        followCall(CI, Delete->getBeginLoc());
1256
      }
1257

1258
      // It DOES however visit the called destructor
1259

1260
      return true;
1261
    }
1262

1263
    bool VisitCXXConstructExpr(CXXConstructExpr *Construct) override {
1264
      LLVM_DEBUG(llvm::dbgs() << "VisitCXXConstructExpr : "
1265
                              << Construct->getBeginLoc().printToString(
1266
                                     Outer.S.SourceMgr)
1267
                              << "\n";);
1268

1269
      // RecursiveASTVisitor does not visit the implicit call to the
1270
      // constructor.
1271
      const CXXConstructorDecl *Ctor = Construct->getConstructor();
1272
      CallableInfo CI(*Ctor);
1273
      followCall(CI, Construct->getLocation());
1274

1275
      return true;
1276
    }
1277

1278
    bool TraverseStmt(Stmt *Statement) override {
1279
      // If this statement is a `requires` clause from the top-level function
1280
      // being traversed, ignore it, since it's not generating runtime code.
1281
      // We skip the traversal of lambdas (beyond their captures, see
1282
      // TraverseLambdaExpr below), so just caching this from our constructor
1283
      // should suffice.
1284
      if (Statement != TrailingRequiresClause && Statement != NoexceptExpr)
1285
        return DynamicRecursiveASTVisitor::TraverseStmt(Statement);
1286
      return true;
1287
    }
1288

1289
    bool TraverseConstructorInitializer(CXXCtorInitializer *Init) override {
1290
      ViolationSite PrevVS = VSite;
1291
      if (Init->isAnyMemberInitializer())
1292
        VSite.setKind(ViolationSite::Kind::MemberInitializer);
1293
      bool Result =
1294
          DynamicRecursiveASTVisitor::TraverseConstructorInitializer(Init);
1295
      VSite = PrevVS;
1296
      return Result;
1297
    }
1298

1299
    bool TraverseCXXDefaultArgExpr(CXXDefaultArgExpr *E) override {
1300
      LLVM_DEBUG(llvm::dbgs()
1301
                     << "TraverseCXXDefaultArgExpr : "
1302
                     << E->getUsedLocation().printToString(Outer.S.SourceMgr)
1303
                     << "\n";);
1304

1305
      ViolationSite PrevVS = VSite;
1306
      if (VSite.kind() == ViolationSite::Kind::Default)
1307
        VSite = ViolationSite{E};
1308

1309
      bool Result = DynamicRecursiveASTVisitor::TraverseCXXDefaultArgExpr(E);
1310
      VSite = PrevVS;
1311
      return Result;
1312
    }
1313

1314
    bool TraverseLambdaExpr(LambdaExpr *Lambda) override {
1315
      // We override this so as to be able to skip traversal of the lambda's
1316
      // body. We have to explicitly traverse the captures. Why not return
1317
      // false from shouldVisitLambdaBody()? Because we need to visit a lambda's
1318
      // body when we are verifying the lambda itself; we only want to skip it
1319
      // in the context of the outer function.
1320
      for (unsigned I = 0, N = Lambda->capture_size(); I < N; ++I)
1321
        TraverseLambdaCapture(Lambda, Lambda->capture_begin() + I,
1322
                              Lambda->capture_init_begin()[I]);
1323

1324
      return true;
1325
    }
1326

1327
    bool TraverseBlockExpr(BlockExpr * /*unused*/) override {
1328
      // As with lambdas, don't traverse the block's body.
1329
      // TODO: are the capture expressions (ctor call?) safe?
1330
      return true;
1331
    }
1332

1333
    bool VisitDeclRefExpr(DeclRefExpr *E) override {
1334
      const ValueDecl *Val = E->getDecl();
1335
      if (const auto *Var = dyn_cast<VarDecl>(Val)) {
1336
        if (Var->getTLSKind() != VarDecl::TLS_None) {
1337
          // At least on macOS, thread-local variables are initialized on
1338
          // first access, including a heap allocation.
1339
          diagnoseLanguageConstruct(FunctionEffect::FE_ExcludeThreadLocalVars,
1340
                                    ViolationID::AccessesThreadLocalVariable,
1341
                                    E->getLocation());
1342
        }
1343
      }
1344
      return true;
1345
    }
1346

1347
    bool TraverseGenericSelectionExpr(GenericSelectionExpr *Node) override {
1348
      return TraverseStmt(Node->getResultExpr());
1349
    }
1350
    bool
1351
    TraverseUnaryExprOrTypeTraitExpr(UnaryExprOrTypeTraitExpr *Node) override {
1352
      return true;
1353
    }
1354

1355
    bool TraverseTypeOfExprTypeLoc(TypeOfExprTypeLoc Node) override {
1356
      return true;
1357
    }
1358

1359
    bool TraverseDecltypeTypeLoc(DecltypeTypeLoc Node) override { return true; }
1360

1361
    bool TraverseCXXNoexceptExpr(CXXNoexceptExpr *Node) override {
1362
      return true;
1363
    }
1364

1365
    bool TraverseCXXTypeidExpr(CXXTypeidExpr *Node) override { return true; }
1366

1367
    // Skip concept requirements since they don't generate code.
1368
    bool TraverseConceptRequirement(concepts::Requirement *R) override {
1369
      return true;
1370
    }
1371
  };
1372
};
1373

1374
Analyzer::AnalysisMap::~AnalysisMap() {
1375
  for (const auto &Item : *this) {
1376
    FuncAnalysisPtr AP = Item.second;
1377
    if (auto *PFA = dyn_cast<PendingFunctionAnalysis *>(AP))
1378
      delete PFA;
1379
    else
1380
      delete cast<CompleteFunctionAnalysis *>(AP);
1381
  }
1382
}
1383

1384
} // anonymous namespace
1385

1386
namespace clang {
1387

1388
bool Sema::diagnoseConflictingFunctionEffect(
1389
    const FunctionEffectsRef &FX, const FunctionEffectWithCondition &NewEC,
1390
    SourceLocation NewAttrLoc) {
1391
  // If the new effect has a condition, we can't detect conflicts until the
1392
  // condition is resolved.
1393
  if (NewEC.Cond.getCondition() != nullptr)
1394
    return false;
1395

1396
  // Diagnose the new attribute as incompatible with a previous one.
1397
  auto Incompatible = [&](const FunctionEffectWithCondition &PrevEC) {
1398
    Diag(NewAttrLoc, diag::err_attributes_are_not_compatible)
1399
        << ("'" + NewEC.description() + "'")
1400
        << ("'" + PrevEC.description() + "'") << false;
1401
    // We don't necessarily have the location of the previous attribute,
1402
    // so no note.
1403
    return true;
1404
  };
1405

1406
  // Compare against previous attributes.
1407
  FunctionEffect::Kind NewKind = NewEC.Effect.kind();
1408

1409
  for (const FunctionEffectWithCondition &PrevEC : FX) {
1410
    // Again, can't check yet when the effect is conditional.
1411
    if (PrevEC.Cond.getCondition() != nullptr)
1412
      continue;
1413

1414
    FunctionEffect::Kind PrevKind = PrevEC.Effect.kind();
1415
    // Note that we allow PrevKind == NewKind; it's redundant and ignored.
1416

1417
    if (PrevEC.Effect.oppositeKind() == NewKind)
1418
      return Incompatible(PrevEC);
1419

1420
    // A new allocating is incompatible with a previous nonblocking.
1421
    if (PrevKind == FunctionEffect::Kind::NonBlocking &&
1422
        NewKind == FunctionEffect::Kind::Allocating)
1423
      return Incompatible(PrevEC);
1424

1425
    // A new nonblocking is incompatible with a previous allocating.
1426
    if (PrevKind == FunctionEffect::Kind::Allocating &&
1427
        NewKind == FunctionEffect::Kind::NonBlocking)
1428
      return Incompatible(PrevEC);
1429
  }
1430

1431
  return false;
1432
}
1433

1434
void Sema::diagnoseFunctionEffectMergeConflicts(
1435
    const FunctionEffectSet::Conflicts &Errs, SourceLocation NewLoc,
1436
    SourceLocation OldLoc) {
1437
  for (const FunctionEffectSet::Conflict &Conflict : Errs) {
1438
    Diag(NewLoc, diag::warn_conflicting_func_effects)
1439
        << Conflict.Kept.description() << Conflict.Rejected.description();
1440
    Diag(OldLoc, diag::note_previous_declaration);
1441
  }
1442
}
1443

1444
// Decl should be a FunctionDecl or BlockDecl.
1445
void Sema::maybeAddDeclWithEffects(const Decl *D,
1446
                                   const FunctionEffectsRef &FX) {
1447
  if (!D->hasBody()) {
1448
    if (const auto *FD = D->getAsFunction(); FD && !FD->willHaveBody())
1449
      return;
1450
  }
1451

1452
  if (Diags.getIgnoreAllWarnings() ||
1453
      (Diags.getSuppressSystemWarnings() &&
1454
       SourceMgr.isInSystemHeader(D->getLocation())))
1455
    return;
1456

1457
  if (hasUncompilableErrorOccurred())
1458
    return;
1459

1460
  // For code in dependent contexts, we'll do this at instantiation time.
1461
  // Without this check, we would analyze the function based on placeholder
1462
  // template parameters, and potentially generate spurious diagnostics.
1463
  if (cast<DeclContext>(D)->isDependentContext())
1464
    return;
1465

1466
  addDeclWithEffects(D, FX);
1467
}
1468

1469
void Sema::addDeclWithEffects(const Decl *D, const FunctionEffectsRef &FX) {
1470
  // To avoid the possibility of conflict, don't add effects which are
1471
  // not FE_InferrableOnCallees and therefore not verified; this removes
1472
  // blocking/allocating but keeps nonblocking/nonallocating.
1473
  // Also, ignore any conditions when building the list of effects.
1474
  bool AnyVerifiable = false;
1475
  for (const FunctionEffectWithCondition &EC : FX)
1476
    if (EC.Effect.flags() & FunctionEffect::FE_InferrableOnCallees) {
1477
      AllEffectsToVerify.insert(EC.Effect);
1478
      AnyVerifiable = true;
1479
    }
1480

1481
  // Record the declaration for later analysis.
1482
  if (AnyVerifiable)
1483
    DeclsWithEffectsToVerify.push_back(D);
1484
}
1485

1486
void Sema::performFunctionEffectAnalysis(TranslationUnitDecl *TU) {
1487
  if (hasUncompilableErrorOccurred() || Diags.getIgnoreAllWarnings())
1488
    return;
1489
  if (TU == nullptr)
1490
    return;
1491
  Analyzer{*this}.run(*TU);
1492
}
1493

1494
Sema::FunctionEffectDiffVector::FunctionEffectDiffVector(
1495
    const FunctionEffectsRef &Old, const FunctionEffectsRef &New) {
1496

1497
  FunctionEffectsRef::iterator POld = Old.begin();
1498
  FunctionEffectsRef::iterator OldEnd = Old.end();
1499
  FunctionEffectsRef::iterator PNew = New.begin();
1500
  FunctionEffectsRef::iterator NewEnd = New.end();
1501

1502
  while (true) {
1503
    int cmp = 0;
1504
    if (POld == OldEnd) {
1505
      if (PNew == NewEnd)
1506
        break;
1507
      cmp = 1;
1508
    } else if (PNew == NewEnd)
1509
      cmp = -1;
1510
    else {
1511
      FunctionEffectWithCondition Old = *POld;
1512
      FunctionEffectWithCondition New = *PNew;
1513
      if (Old.Effect.kind() < New.Effect.kind())
1514
        cmp = -1;
1515
      else if (New.Effect.kind() < Old.Effect.kind())
1516
        cmp = 1;
1517
      else {
1518
        cmp = 0;
1519
        if (Old.Cond.getCondition() != New.Cond.getCondition()) {
1520
          // FIXME: Cases where the expressions are equivalent but
1521
          // don't have the same identity.
1522
          push_back(FunctionEffectDiff{
1523
              Old.Effect.kind(), FunctionEffectDiff::Kind::ConditionMismatch,
1524
              Old, New});
1525
        }
1526
      }
1527
    }
1528

1529
    if (cmp < 0) {
1530
      // removal
1531
      FunctionEffectWithCondition Old = *POld;
1532
      push_back(FunctionEffectDiff{Old.Effect.kind(),
1533
                                   FunctionEffectDiff::Kind::Removed, Old,
1534
                                   std::nullopt});
1535
      ++POld;
1536
    } else if (cmp > 0) {
1537
      // addition
1538
      FunctionEffectWithCondition New = *PNew;
1539
      push_back(FunctionEffectDiff{New.Effect.kind(),
1540
                                   FunctionEffectDiff::Kind::Added,
1541
                                   std::nullopt, New});
1542
      ++PNew;
1543
    } else {
1544
      ++POld;
1545
      ++PNew;
1546
    }
1547
  }
1548
}
1549

1550
bool Sema::FunctionEffectDiff::shouldDiagnoseConversion(
1551
    QualType SrcType, const FunctionEffectsRef &SrcFX, QualType DstType,
1552
    const FunctionEffectsRef &DstFX) const {
1553

1554
  switch (EffectKind) {
1555
  case FunctionEffect::Kind::NonAllocating:
1556
    // nonallocating can't be added (spoofed) during a conversion, unless we
1557
    // have nonblocking.
1558
    if (DiffKind == Kind::Added) {
1559
      for (const auto &CFE : SrcFX) {
1560
        if (CFE.Effect.kind() == FunctionEffect::Kind::NonBlocking)
1561
          return false;
1562
      }
1563
    }
1564
    [[fallthrough]];
1565
  case FunctionEffect::Kind::NonBlocking:
1566
    // nonblocking can't be added (spoofed) during a conversion.
1567
    switch (DiffKind) {
1568
    case Kind::Added:
1569
      return true;
1570
    case Kind::Removed:
1571
      return false;
1572
    case Kind::ConditionMismatch:
1573
      // FIXME: Condition mismatches are too coarse right now -- expressions
1574
      // which are equivalent but don't have the same identity are detected as
1575
      // mismatches. We're going to diagnose those anyhow until expression
1576
      // matching is better.
1577
      return true;
1578
    }
1579
    break;
1580
  case FunctionEffect::Kind::Blocking:
1581
  case FunctionEffect::Kind::Allocating:
1582
    return false;
1583
  }
1584
  llvm_unreachable("unknown effect kind");
1585
}
1586

1587
bool Sema::FunctionEffectDiff::shouldDiagnoseRedeclaration(
1588
    const FunctionDecl &OldFunction, const FunctionEffectsRef &OldFX,
1589
    const FunctionDecl &NewFunction, const FunctionEffectsRef &NewFX) const {
1590
  switch (EffectKind) {
1591
  case FunctionEffect::Kind::NonAllocating:
1592
  case FunctionEffect::Kind::NonBlocking:
1593
    // nonblocking/nonallocating can't be removed in a redeclaration.
1594
    switch (DiffKind) {
1595
    case Kind::Added:
1596
      return false; // No diagnostic.
1597
    case Kind::Removed:
1598
      return true; // Issue diagnostic.
1599
    case Kind::ConditionMismatch:
1600
      // All these forms of mismatches are diagnosed.
1601
      return true;
1602
    }
1603
    break;
1604
  case FunctionEffect::Kind::Blocking:
1605
  case FunctionEffect::Kind::Allocating:
1606
    return false;
1607
  }
1608
  llvm_unreachable("unknown effect kind");
1609
}
1610

1611
Sema::FunctionEffectDiff::OverrideResult
1612
Sema::FunctionEffectDiff::shouldDiagnoseMethodOverride(
1613
    const CXXMethodDecl &OldMethod, const FunctionEffectsRef &OldFX,
1614
    const CXXMethodDecl &NewMethod, const FunctionEffectsRef &NewFX) const {
1615
  switch (EffectKind) {
1616
  case FunctionEffect::Kind::NonAllocating:
1617
  case FunctionEffect::Kind::NonBlocking:
1618
    switch (DiffKind) {
1619

1620
    // If added on an override, that's fine and not diagnosed.
1621
    case Kind::Added:
1622
      return OverrideResult::NoAction;
1623

1624
    // If missing from an override (removed), propagate from base to derived.
1625
    case Kind::Removed:
1626
      return OverrideResult::Merge;
1627

1628
    // If there's a mismatch involving the effect's polarity or condition,
1629
    // issue a warning.
1630
    case Kind::ConditionMismatch:
1631
      return OverrideResult::Warn;
1632
    }
1633
    break;
1634
  case FunctionEffect::Kind::Blocking:
1635
  case FunctionEffect::Kind::Allocating:
1636
    return OverrideResult::NoAction;
1637
  }
1638
  llvm_unreachable("unknown effect kind");
1639
}
1640

1641
} // namespace clang
1642

1643