This is an archive of the discontinued LLVM Phabricator instance.

Differential D146288

clang-tidy: Detect use-after-move in CXXCtorInitializer
ClosedPublic

Authored by MarcoFalke on Mar 17 2023, 5:04 AM.

Details

Reviewers
njames93
aaron.ballman
carlosgalvezp
PiotrZSL
Commits
rG8c10256734cd: clang-tidy: Detect use-after-move in CXXCtorInitializer
Summary

Fixes https://github.com/llvm/llvm-project/issues/51844

Diff Detail

Event Timeline

MarcoFalke created this revision.Mar 17 2023, 5:04 AM
Herald added a reviewer: njames93. · View Herald TranscriptMar 17 2023, 5:04 AM
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: PiotrZSL, carlosgalvezp. · View Herald Transcript
MarcoFalke requested review of this revision.Mar 17 2023, 5:04 AM
Herald added a subscriber: cfe-commits. · View Herald TranscriptMar 17 2023, 5:04 AM
Harbormaster completed remote builds in B220033: Diff 506043.Mar 17 2023, 5:27 AM
MarcoFalke updated this revision to Diff 506055.Mar 17 2023, 5:55 AM

clang-format+doc

Harbormaster completed remote builds in B220042: Diff 506055.Mar 17 2023, 6:22 AM
Eugene.Zelenko added a subscriber: Eugene.Zelenko.Mar 17 2023, 7:35 AM
Eugene.Zelenko added inline comments.
clang-tools-extra/docs/ReleaseNotes.rst
194

Please keep alphabetical order (by check name) in this section.

Eugene.Zelenko added reviewers: aaron.ballman, carlosgalvezp, PiotrZSL.Mar 17 2023, 7:35 AM
Eugene.Zelenko set the repository for this revision to rG LLVM Github Monorepo.
MarcoFalke updated this revision to Diff 506081.Mar 17 2023, 7:37 AM

sort doc

MarcoFalke marked an inline comment as done.Mar 17 2023, 7:38 AM
PiotrZSL added a comment.Mar 17 2023, 7:58 AM

I will check this more deeply during weekend.

Harbormaster completed remote builds in B220064: Diff 506081.Mar 17 2023, 8:17 AM
PiotrZSL requested changes to this revision.Mar 18 2023, 4:26 AM

Requesting changes due to lack of support for base class initializes & got some concerns related lambdas used in initializers.

clang-tools-extra/clang-tidy/bugprone/UseAfterMoveCheck.cpp
399–400

This is correct but consider this:

auto TryEmplaceMatcher = cxxMemberCallExpr(callee(cxxMethodDecl(hasName("try_emplace"))));

auto CallMoveMatcher =
callExpr(argumentCountIs(1), // because matching this will be faster than checking name.
             callee(functionDecl(hasName("::std::move"))),
             unless(inDecltypeOrTemplateArg()),
             expr().bind("call-move"),
             unless(hasParent(TryEmplaceMatcher)),
             anyOf(hasAncestor(compoundStmt(hasParent(lambdaExpr().bind("containing-lambda")))),
                        hasAncestor(functionDecl(anyOf(cxxConstructorDecl(hasAnyConstructorInitializer(
                                                                                                                   withInitializer(expr(
                                                                                                                          anyOf(equalsBounNode("call-move"), 
                                                                                                                                     hasDescendant(equalsBounNode("call-move")))
                                                                                                                     ).bind("containing-ctor-init-stmt")
                                                                                                              ))
                                                                                                             ).bind("containing-ctor"),
                                                                             functionDecl().bind("containing-func")))))
            );


473
consider using here ->IgnoreImplicit() == ContainingCtorInitStmt->IgnoreImplicit()


478–487
This won't work for std::move used to initialize base class. Assuming that Inits are in specific order, then you just should include all init's after one found, or use things like SourceManager::isBeforeInTranslationUnit, but still probably using something like:



bool PastMove = false;
for (CXXCtorInitializer *Init : ContainingCtor->inits()) {
if (!PastMove  && Init->getInit()->IgnoreImplicit() == ContainingCtorInitStmt->IgnoreImplicit()) {
    PastMove  = true;
}

if (PastMove && Init->getInit())
{
    CodeBlocks.push_back(Init->getInit());
}



would be better, as it should work for both field inits and base constructor calls


clang-tools-extra/test/clang-tidy/checkers/bugprone/use-after-move.cpp


1492
Missing tests:



    

  • Test with A derive from B, C, D, and argument is moved into C, but D initialization also uses it.
    • 

  • Test with lambda call inside init, and in lambda std::move of captured by reference constructor parameter, and lambda could be mutable, and lambda could be saved into member (or passed to base class), or called instantly (better both tests).
    • 

  • Test with lambda that takes argument into capture by move
    • 




In short:



struct Obj {};
struct D
{
    D(Obj b);
};

struct C
{
     C(Obj b);
};

struct B
{
     B(Obj& b);
}

struct A : B, C, D
{
    A(Obj b)
      : B(b), C(std::move(b)), D(b)
    {
    }
};

and second:

struct Base
{
    Base(Obj b) : bb(std::move(b)) {}
     template<typename T>
     Base(T&& b) : bb(b()) {};
   
     Obj bb;
};

struct Derived : Base, C
{
     Derived(Obj b) 
           : Base([&] mutable { return std::move(b); }()), C(b)
   {
   }
};

struct Derived2 : Base, C
{
     Derived2(Obj b) 
           : Base([&] mutable { return std::move(b); }), C(b)
   {
   }
};

struct Derived3 : Base, C
{
     Derived3(Obj b) 
           : Base([c = std::move(b)] mutable { return std::move(c); }), C(b)
   {
   }
};
This revision now requires changes to proceed.Mar 18 2023, 4:26 AM
MarcoFalke updated this revision to Diff 506586.Mar 20 2023, 7:54 AM
MarcoFalke marked an inline comment as done.
Took some review suggestions (Thanks!)
MarcoFalke added inline comments.Mar 20 2023, 7:56 AM
clang-tools-extra/clang-tidy/bugprone/UseAfterMoveCheck.cpp


399–400
I get:



error: no matching function for call to object of type 'const internal::ArgumentAdaptingMatcherFunc<clang::ast_matchers::internal::HasDescendantMatcher>'
                    anyOf(equalsBoundNode("call-move"),hasDescendant(equalsBoundNode("call-move")))
                                                       ^~~~~~~~~~~~~
./llvm-project/clang/include/clang/ASTMatchers/ASTMatchersInternal.h:1491:3: note: candidate template ignored: could not match 'Matcher' against 'PolymorphicMatcher'
  operator()(const Matcher<T> &InnerMatcher) const {
  ^
./llvm-project/clang/include/clang/ASTMatchers/ASTMatchersInternal.h:1498:3: note: candidate template ignored: could not match 'MapAnyOfHelper' against 'PolymorphicMatcher'
  operator()(const MapAnyOfHelper<T...> &InnerMatcher) const {
  ^
1 error generated.


clang-tools-extra/test/clang-tidy/checkers/bugprone/use-after-move.cpp


1492
I added the test Derived2, however, I wonder if it should throw a warning. In the general case, I don't think we can know whether Base(Call&&call) will actually call call and execute the std::move, no?
PiotrZSL added inline comments.Mar 20 2023, 8:30 AM
clang-tools-extra/clang-tidy/bugprone/UseAfterMoveCheck.cpp


399–400
yee, forgot type: hasDescendant(callExpr(equalsBoundNode("call-move"))))

+- something like this..
PiotrZSL added inline comments.Mar 20 2023, 8:36 AM
clang-tools-extra/test/clang-tidy/checkers/bugprone/use-after-move.cpp


1492
For me:

Derived - should throw a warning - same type used before C(b) (but questionable)

Derived 2 -> also should throw warning (but questionable)

Derived 3 -> also should throw warning



Note that Derived & Derived 2 could be considered different issue, like use after free (because we take reference to argument), it's safe to assume that it would be called anyway, because later that argument reference could become invalid. But it could be also fine to not throw issue. For is better to throw & nolint than ignore and crash.

But thats your call.
Harbormaster completed remote builds in B220440: Diff 506586.Mar 20 2023, 8:37 AM
MarcoFalke updated this revision to Diff 506632.Mar 20 2023, 10:02 AM
address feedback about matcher, clang-format
MarcoFalke marked 3 inline comments as done.Mar 20 2023, 10:07 AM
Thanks, addressed some more review comments.
clang-tools-extra/test/clang-tidy/checkers/bugprone/use-after-move.cpp


1492
Ok, maybe it can be done in a follow-up? This should be a separate and pre-existing issue on main already (see also my other added test case about lambdas).
Harbormaster completed remote builds in B220478: Diff 506632.Mar 20 2023, 10:52 AM
PiotrZSL added inline comments.Mar 20 2023, 1:00 PM
clang-tools-extra/test/clang-tidy/checkers/bugprone/use-after-move.cpp


1492
Yes it could be.
PiotrZSL accepted this revision.EditedMar 20 2023, 1:04 PM
Overall LGTM, give it few days, maybe something will pop up.

I will try to run this change on my project and check if it finds any false-positives or real-issues.

Edit: Windows build failed due to clangd, try rebasing this to newer main branch
This revision is now accepted and ready to land.Mar 20 2023, 1:04 PM
MarcoFalke updated this revision to Diff 507304.Mar 22 2023, 3:37 AM
NFC
MarcoFalke marked 2 inline comments as done.Mar 22 2023, 3:38 AM
Minor NFC, I plan to land this tomorrow or Friday
Harbormaster completed remote builds in B220980: Diff 507304.Mar 22 2023, 4:18 AM
PiotrZSL accepted this revision.Mar 22 2023, 4:43 AM
Closed by commit rG8c10256734cd: clang-tidy: Detect use-after-move in CXXCtorInitializer (authored by MarcoFalke).  ·  Explain WhyMar 23 2023, 2:23 AM
This revision was automatically updated to reflect the committed changes.
MarcoFalke added a commit: rG8c10256734cd: clang-tidy: Detect use-after-move in CXXCtorInitializer.
mboehme mentioned this in D145581: [clang-tidy] In C++17, callee is guaranteed to be sequenced before arguments..Apr 24 2023, 5:14 AM
Revision Contents
PathSize
clang-tools-extra/
clang-tidy/
bugprone/
102 lines
docs/
4 lines
test/
clang-tidy/
checkers/
bugprone/
126 lines
Diff 506586
clang-tools-extra/clang-tidy/bugprone/UseAfterMoveCheck.cpp
Show First 20 LinesShow All 52 Lines▼ Show 20 Lines
};
};




/// Finds uses of a variable after a move (and maintains state required by the
/// Finds uses of a variable after a move (and maintains state required by the

/// various internal helper functions).
/// various internal helper functions).

class UseAfterMoveFinder {
class UseAfterMoveFinder {

public:
public:

  UseAfterMoveFinder(ASTContext *TheContext);
  UseAfterMoveFinder(ASTContext *TheContext);




  // Within the given function body, finds the first use of 'MovedVariable' that
  // Within the given code block, finds the first use of 'MovedVariable' that

  // occurs after 'MovingCall' (the expression that performs the move). If a
  // occurs after 'MovingCall' (the expression that performs the move). If a

  // use-after-move is found, writes information about it to 'TheUseAfterMove'.
  // use-after-move is found, writes information about it to 'TheUseAfterMove'.

  // Returns whether a use-after-move was found.
  // Returns whether a use-after-move was found.

  bool find(Stmt *FunctionBody, const Expr *MovingCall,
  bool find(Stmt *CodeBlock, const Expr *MovingCall,

            const ValueDecl *MovedVariable, UseAfterMove *TheUseAfterMove);
            const ValueDecl *MovedVariable, UseAfterMove *TheUseAfterMove);




private:
private:

  bool findInternal(const CFGBlock *Block, const Expr *MovingCall,
  bool findInternal(const CFGBlock *Block, const Expr *MovingCall,

                    const ValueDecl *MovedVariable,
                    const ValueDecl *MovedVariable,

                    UseAfterMove *TheUseAfterMove);
                    UseAfterMove *TheUseAfterMove);

  void getUsesAndReinits(const CFGBlock *Block, const ValueDecl *MovedVariable,
  void getUsesAndReinits(const CFGBlock *Block, const ValueDecl *MovedVariable,

                         llvm::SmallVectorImpl<const DeclRefExpr *> *Uses,
                         llvm::SmallVectorImpl<const DeclRefExpr *> *Uses,

Show All 25 Lines  return anyOf(hasAncestor(typeLoc()),

               hasAncestor(declRefExpr(
               hasAncestor(declRefExpr(

                   to(functionDecl(ast_matchers::isTemplateInstantiation())))),
                   to(functionDecl(ast_matchers::isTemplateInstantiation())))),

               hasAncestor(expr(hasUnevaluatedContext())));
               hasAncestor(expr(hasUnevaluatedContext())));

}
}




UseAfterMoveFinder::UseAfterMoveFinder(ASTContext *TheContext)
UseAfterMoveFinder::UseAfterMoveFinder(ASTContext *TheContext)

    : Context(TheContext) {}
    : Context(TheContext) {}




bool UseAfterMoveFinder::find(Stmt *FunctionBody, const Expr *MovingCall,
bool UseAfterMoveFinder::find(Stmt *CodeBlock, const Expr *MovingCall,

                              const ValueDecl *MovedVariable,
                              const ValueDecl *MovedVariable,

                              UseAfterMove *TheUseAfterMove) {
                              UseAfterMove *TheUseAfterMove) {

  // Generate the CFG manually instead of through an AnalysisDeclContext because
  // Generate the CFG manually instead of through an AnalysisDeclContext because

  // it seems the latter can't be used to generate a CFG for the body of a
  // it seems the latter can't be used to generate a CFG for the body of a

  // lambda.
  // lambda.

  //
  //

  // We include implicit and temporary destructors in the CFG so that
  // We include implicit and temporary destructors in the CFG so that

  // destructors marked [[noreturn]] are handled correctly in the control flow
  // destructors marked [[noreturn]] are handled correctly in the control flow

  // analysis. (These are used in some styles of assertion macros.)
  // analysis. (These are used in some styles of assertion macros.)

  CFG::BuildOptions Options;
  CFG::BuildOptions Options;

  Options.AddImplicitDtors = true;
  Options.AddImplicitDtors = true;

  Options.AddTemporaryDtors = true;
  Options.AddTemporaryDtors = true;

  std::unique_ptr<CFG> TheCFG =
  std::unique_ptr<CFG> TheCFG =

      CFG::buildCFG(nullptr, FunctionBody, Context, Options);
      CFG::buildCFG(nullptr, CodeBlock, Context, Options);

  if (!TheCFG)
  if (!TheCFG)

    return false;
    return false;




  Sequence =
  Sequence = std::make_unique<ExprSequence>(TheCFG.get(), CodeBlock, Context);

      std::make_unique<ExprSequence>(TheCFG.get(), FunctionBody, Context);

  BlockMap = std::make_unique<StmtToBlockMap>(TheCFG.get(), Context);
  BlockMap = std::make_unique<StmtToBlockMap>(TheCFG.get(), Context);

  Visited.clear();
  Visited.clear();




  const CFGBlock *Block = BlockMap->blockContainingStmt(MovingCall);
  const CFGBlock *Block = BlockMap->blockContainingStmt(MovingCall);

  if (!Block) {
  if (!Block) {

    // This can happen if MovingCall is in a constructor initializer, which is
    // This can happen if MovingCall is in a constructor initializer, which is

    // not included in the CFG because the CFG is built only from the function
    // not included in the CFG because the CFG is built only from the function

    // body.
    // body.

▲ Show 20 LinesShow All 257 Lines▼ Show 20 Lines    Check->diag(UseLoc,

                DiagnosticIDs::Note);
                DiagnosticIDs::Note);

  } else if (UseLoc < MoveLoc || Use.DeclRef == MoveArg) {
  } else if (UseLoc < MoveLoc || Use.DeclRef == MoveArg) {

    Check->diag(UseLoc,
    Check->diag(UseLoc,

                "the use happens in a later loop iteration than the move",
                "the use happens in a later loop iteration than the move",

                DiagnosticIDs::Note);
                DiagnosticIDs::Note);

  }
  }

}
}




void UseAfterMoveCheck::registerMatchers(MatchFinder *Finder) {
void UseAfterMoveCheck::registerMatchers(MatchFinder *Finder) {

  auto CallMoveMatcher =

      callExpr(callee(functionDecl(hasName("::std::move"))), argumentCountIs(1),

               hasArgument(0, declRefExpr().bind("arg")),

               anyOf(hasAncestor(compoundStmt(

                         hasParent(lambdaExpr().bind("containing-lambda")))),

                     hasAncestor(functionDecl().bind("containing-func"))),

               unless(inDecltypeOrTemplateArg()),

               // try_emplace is a common maybe-moving function that returns a
          // try_emplace is a common maybe-moving function that returns a

PiotrZSLUnsubmitted
Done
ReplyInline Actions
This is correct but consider this:



auto TryEmplaceMatcher = cxxMemberCallExpr(callee(cxxMethodDecl(hasName("try_emplace"))));

auto CallMoveMatcher =
callExpr(argumentCountIs(1), // because matching this will be faster than checking name.
             callee(functionDecl(hasName("::std::move"))),
             unless(inDecltypeOrTemplateArg()),
             expr().bind("call-move"),
             unless(hasParent(TryEmplaceMatcher)),
             anyOf(hasAncestor(compoundStmt(hasParent(lambdaExpr().bind("containing-lambda")))),
                        hasAncestor(functionDecl(anyOf(cxxConstructorDecl(hasAnyConstructorInitializer(
                                                                                                                   withInitializer(expr(
                                                                                                                          anyOf(equalsBounNode("call-move"), 
                                                                                                                                     hasDescendant(equalsBounNode("call-move")))
                                                                                                                     ).bind("containing-ctor-init-stmt")
                                                                                                              ))
                                                                                                             ).bind("containing-ctor"),
                                                                             functionDecl().bind("containing-func")))))
            );



PiotrZSL: This is correct but consider this:

```
auto TryEmplaceMatcher = cxxMemberCallExpr(callee…
MarcoFalkeAuthorUnsubmitted
Done
ReplyInline Actions
I get:



error: no matching function for call to object of type 'const internal::ArgumentAdaptingMatcherFunc<clang::ast_matchers::internal::HasDescendantMatcher>'
                    anyOf(equalsBoundNode("call-move"),hasDescendant(equalsBoundNode("call-move")))
                                                       ^~~~~~~~~~~~~
./llvm-project/clang/include/clang/ASTMatchers/ASTMatchersInternal.h:1491:3: note: candidate template ignored: could not match 'Matcher' against 'PolymorphicMatcher'
  operator()(const Matcher<T> &InnerMatcher) const {
  ^
./llvm-project/clang/include/clang/ASTMatchers/ASTMatchersInternal.h:1498:3: note: candidate template ignored: could not match 'MapAnyOfHelper' against 'PolymorphicMatcher'
  operator()(const MapAnyOfHelper<T...> &InnerMatcher) const {
  ^
1 error generated.
MarcoFalke: I get:

```
error: no matching function for call to object of type 'const internal…
PiotrZSLUnsubmitted
Done
ReplyInline Actions
yee, forgot type: hasDescendant(callExpr(equalsBoundNode("call-move"))))

+- something like this..
PiotrZSL: yee, forgot type: `hasDescendant(callExpr(equalsBoundNode("call-move"))))`
+- something like…
               // bool to tell callers whether it moved. Ignore std::move inside
          // bool to tell callers whether it moved. Ignore std::move inside

               // try_emplace to avoid false positives as we don't track uses of
          // try_emplace to avoid false positives as we don't track uses of

               // the bool.
          // the bool.

               unless(hasParent(cxxMemberCallExpr(
  auto TryEmplaceMatcher =

                   callee(cxxMethodDecl(hasName("try_emplace")))))))
      cxxMemberCallExpr(callee(cxxMethodDecl(hasName("try_emplace"))));

          .bind("call-move");
  auto CallMoveMatcher = callExpr(

      argumentCountIs(

          1), // Match count first, as it is faster than matching name

      callee(functionDecl(hasName("::std::move"))),

      hasArgument(0, declRefExpr().bind("arg")),

      unless(inDecltypeOrTemplateArg()), unless(hasParent(TryEmplaceMatcher)),

      expr().bind("call-move"),

      anyOf(hasAncestor(compoundStmt(

                hasParent(lambdaExpr().bind("containing-lambda")))),

            hasAncestor(

                expr(

                    // For some reason cxxCtorInitializer didn't

                    // match, so work around by matching the topmost

                    // Expr inside the CXXCtorInitializer.

                    hasParent(cxxConstructorDecl().bind("containing-ctor")))

                    .bind("containing-ctor-init")),

            hasAncestor(functionDecl().bind("containing-func"))));




  Finder->addMatcher(
  Finder->addMatcher(

      traverse(
      traverse(

          TK_AsIs,
          TK_AsIs,

          // To find the Stmt that we assume performs the actual move, we look
          // To find the Stmt that we assume performs the actual move, we look

          // for the direct ancestor of the std::move() that isn't one of the
          // for the direct ancestor of the std::move() that isn't one of the

          // node types ignored by ignoringParenImpCasts().
          // node types ignored by ignoringParenImpCasts().

          stmt(
          stmt(

              forEach(expr(ignoringParenImpCasts(CallMoveMatcher))),
              forEach(expr(ignoringParenImpCasts(CallMoveMatcher))),

              // Don't allow an InitListExpr to be the moving call. An
              // Don't allow an InitListExpr to be the moving call. An

              // InitListExpr has both a syntactic and a semantic form, and the
              // InitListExpr has both a syntactic and a semantic form, and the

              // parent-child relationships are different between the two. This
              // parent-child relationships are different between the two. This

              // could cause an InitListExpr to be analyzed as the moving call
              // could cause an InitListExpr to be analyzed as the moving call

              // in addition to the Expr that we actually want, resulting in two
              // in addition to the Expr that we actually want, resulting in two

              // diagnostics with different code locations for the same move.
              // diagnostics with different code locations for the same move.

              unless(initListExpr()),
              unless(initListExpr()),

              unless(expr(ignoringParenImpCasts(equalsBoundNode("call-move")))))
              unless(expr(ignoringParenImpCasts(equalsBoundNode("call-move")))))

              .bind("moving-call")),
              .bind("moving-call")),

      this);
      this);

}
}




void UseAfterMoveCheck::check(const MatchFinder::MatchResult &Result) {
void UseAfterMoveCheck::check(const MatchFinder::MatchResult &Result) {

  const auto *ContainingCtor =

      Result.Nodes.getNodeAs<CXXConstructorDecl>("containing-ctor");

  const auto *ContainingCtorInit =

      Result.Nodes.getNodeAs<Expr>("containing-ctor-init");

  const auto *ContainingLambda =
  const auto *ContainingLambda =

      Result.Nodes.getNodeAs<LambdaExpr>("containing-lambda");
      Result.Nodes.getNodeAs<LambdaExpr>("containing-lambda");

  const auto *ContainingFunc =
  const auto *ContainingFunc =

      Result.Nodes.getNodeAs<FunctionDecl>("containing-func");
      Result.Nodes.getNodeAs<FunctionDecl>("containing-func");

  const auto *CallMove = Result.Nodes.getNodeAs<CallExpr>("call-move");
  const auto *CallMove = Result.Nodes.getNodeAs<CallExpr>("call-move");

  const auto *MovingCall = Result.Nodes.getNodeAs<Expr>("moving-call");
  const auto *MovingCall = Result.Nodes.getNodeAs<Expr>("moving-call");

  const auto *Arg = Result.Nodes.getNodeAs<DeclRefExpr>("arg");
  const auto *Arg = Result.Nodes.getNodeAs<DeclRefExpr>("arg");




  if (!MovingCall || !MovingCall->getExprLoc().isValid())
  if (!MovingCall || !MovingCall->getExprLoc().isValid())

    MovingCall = CallMove;
    MovingCall = CallMove;




  Stmt *FunctionBody = nullptr;

  if (ContainingLambda)

    FunctionBody = ContainingLambda->getBody();

  else if (ContainingFunc)

    FunctionBody = ContainingFunc->getBody();

  else

    return;



  // Ignore the std::move if the variable that was passed to it isn't a local
  // Ignore the std::move if the variable that was passed to it isn't a local

  // variable.
  // variable.

  if (!Arg->getDecl()->getDeclContext()->isFunctionOrMethod())
  if (!Arg->getDecl()->getDeclContext()->isFunctionOrMethod())

    return;
    return;




  // Collect all code blocks that could use the arg after move.

  llvm::SmallVector<Stmt *> CodeBlocks{};

  if (ContainingCtor) {

    CodeBlocks.push_back(ContainingCtor->getBody());

    if (ContainingCtorInit) {

      // Find the constructor initializer's member field.

      FieldDecl *ContainingCtorField{nullptr};

      for (CXXCtorInitializer *Init : ContainingCtor->inits()) {

        if (Init->getInit()->IgnoreImplicit() ==

PiotrZSLUnsubmitted
Done
ReplyInline Actions
consider using here ->IgnoreImplicit() == ContainingCtorInitStmt->IgnoreImplicit()
PiotrZSL: consider using here `->IgnoreImplicit() == ContainingCtorInitStmt->IgnoreImplicit()`
            ContainingCtorInit->IgnoreImplicit()) {

          ContainingCtorField = Init->getMember();

          break;

        }

      }

      if (ContainingCtorField || true) {

        // Collect the constructor initializer expressions.

        bool BeforeMove{true};

        for (CXXCtorInitializer *Init : ContainingCtor->inits()) {

          if (BeforeMove && Init->getInit()->IgnoreImplicit() ==

                                ContainingCtorInit->IgnoreImplicit())

            BeforeMove = false;

          if (!BeforeMove && Init->getInit())

            CodeBlocks.push_back(Init->getInit());

PiotrZSLUnsubmitted
Done
ReplyInline Actions
This won't work for std::move used to initialize base class. Assuming that Inits are in specific order, then you just should include all init's after one found, or use things like SourceManager::isBeforeInTranslationUnit, but still probably using something like:



bool PastMove = false;
for (CXXCtorInitializer *Init : ContainingCtor->inits()) {
if (!PastMove  && Init->getInit()->IgnoreImplicit() == ContainingCtorInitStmt->IgnoreImplicit()) {
    PastMove  = true;
}

if (PastMove && Init->getInit())
{
    CodeBlocks.push_back(Init->getInit());
}



would be better, as it should work for both field inits and base constructor calls
PiotrZSL: This won't work for std::move used to initialize base class. Assuming that Inits are in…
        }

      }

    }

  } else if (ContainingLambda)

    CodeBlocks.push_back(ContainingLambda->getBody());

  else if (ContainingFunc) {

    CodeBlocks.push_back(ContainingFunc->getBody());

  }



  for (Stmt *CodeBlock : CodeBlocks) {

  UseAfterMoveFinder Finder(Result.Context);
    UseAfterMoveFinder Finder(Result.Context);

  UseAfterMove Use;
    UseAfterMove Use;

  if (Finder.find(FunctionBody, MovingCall, Arg->getDecl(), &Use))
    if (Finder.find(CodeBlock, MovingCall, Arg->getDecl(), &Use))

    emitDiagnostic(MovingCall, Arg, Use, this, Result.Context);
      emitDiagnostic(MovingCall, Arg, Use, this, Result.Context);

}
  }

}




} // namespace clang::tidy::bugprone
} // namespace clang::tidy::bugprone

clang-tools-extra/docs/ReleaseNotes.rst
Show First 20 LinesShow All 156 Lines▼ Show 20 Lines- Deprecated check-local options `HeaderFileExtensions`

  <clang-tidy/checks/bugprone/dynamic-static-initializers>` check.
  <clang-tidy/checks/bugprone/dynamic-static-initializers>` check.

  Global options of the same name should be used instead.
  Global options of the same name should be used instead.




- Deprecated check-local options `HeaderFileExtensions` and `ImplementationFileExtensions`
- Deprecated check-local options `HeaderFileExtensions` and `ImplementationFileExtensions`

  in :doc:`bugprone-suspicious-include
  in :doc:`bugprone-suspicious-include

  <clang-tidy/checks/bugprone/suspicious-include>` check.
  <clang-tidy/checks/bugprone/suspicious-include>` check.

  Global options of the same name should be used instead.
  Global options of the same name should be used instead.




- Improved :doc:`bugprone-use-after-move

  <clang-tidy/checks/bugprone/use-after-move>` check to also cover constructor

  initializers.



- Deprecated check-local options `HeaderFileExtensions`
- Deprecated check-local options `HeaderFileExtensions`

  in :doc:`google-build-namespaces
  in :doc:`google-build-namespaces

  <clang-tidy/checks/google/build-namespaces>` check.
  <clang-tidy/checks/google/build-namespaces>` check.

  Global options of the same name should be used instead.
  Global options of the same name should be used instead.




- Deprecated check-local options `HeaderFileExtensions`
- Deprecated check-local options `HeaderFileExtensions`

  in :doc:`google-global-names-in-headers
  in :doc:`google-global-names-in-headers

  <clang-tidy/checks/google/global-names-in-headers>` check.
  <clang-tidy/checks/google/global-names-in-headers>` check.

Show All 9 Lines- Deprecated check-local options `HeaderFileExtensions`

  <clang-tidy/checks/misc/definitions-in-headers>` check.
  <clang-tidy/checks/misc/definitions-in-headers>` check.

  Global options of the same name should be used instead.
  Global options of the same name should be used instead.




- Deprecated check-local options `HeaderFileExtensions`
- Deprecated check-local options `HeaderFileExtensions`

  in :doc:`misc-unused-using-decls
  in :doc:`misc-unused-using-decls

  <clang-tidy/checks/misc/unused-using-decls>` check.
  <clang-tidy/checks/misc/unused-using-decls>` check.

  Global options of the same name should be used instead.
  Global options of the same name should be used instead.




- In :doc:`modernize-use-default-member-init
- In :doc:`modernize-use-default-member-init

Eugene.ZelenkoUnsubmitted
Done
ReplyInline Actions
Please keep alphabetical order (by check name) in this section.
Eugene.Zelenko: Please keep alphabetical order (by check name) in this section.
  <clang-tidy/checks/modernize/use-default-member-init>` count template
  <clang-tidy/checks/modernize/use-default-member-init>` count template

  constructors toward hand written constructors so that they are skipped if more
  constructors toward hand written constructors so that they are skipped if more

  than one exists.
  than one exists.




- Fixed reading `HungarianNotation.CString.*` options in
- Fixed reading `HungarianNotation.CString.*` options in

  :doc:`readability-identifier-naming
  :doc:`readability-identifier-naming

  <clang-tidy/checks/readability/identifier-naming>` check.
  <clang-tidy/checks/readability/identifier-naming>` check.




▲ Show 20 LinesShow All 46 LinesShow Last 20 Lines
clang-tools-extra/test/clang-tidy/checkers/bugprone/use-after-move.cpp
Show First 20 LinesShow All 363 Lines▼ Show 20 Linesvoid lambdas() {

  // - we don't know when the lambda will get called anyway
  // - we don't know when the lambda will get called anyway

  {
  {

    A a;
    A a;

    auto lambda = [a] {
    auto lambda = [a] {

      std::move(a);
      std::move(a);

    };
    };

    a.foo();
    a.foo();

  }
  }

  // Don't warn if 'a' is a copy inside a synchronous lambda

  {

    A a;

    A copied{[a] mutable { return std::move(a); }()};

    a.foo();

  }

  // False negative (should warn if 'a' is a ref inside a synchronous lambda)

  {

    A a;

    A moved{[&a] mutable { return std::move(a); }()};

    a.foo();

  }

  // Warn if the use consists of a capture that happens after a move.
  // Warn if the use consists of a capture that happens after a move.

  {
  {

    A a;
    A a;

    std::move(a);
    std::move(a);

    auto lambda = [a]() { a.foo(); };
    auto lambda = [a]() { a.foo(); };

    // CHECK-NOTES: [[@LINE-1]]:20: warning: 'a' used after it was moved
    // CHECK-NOTES: [[@LINE-1]]:20: warning: 'a' used after it was moved

    // CHECK-NOTES: [[@LINE-3]]:5: note: move occurred here
    // CHECK-NOTES: [[@LINE-3]]:5: note: move occurred here

  }
  }

▲ Show 20 LinesShow All 968 Lines▼ Show 20 Lines
void typeId() {
void typeId() {

  Foo Bar;
  Foo Bar;

  // error: you need to include <typeinfo> before using the 'typeid' operator
  // error: you need to include <typeinfo> before using the 'typeid' operator

  // (void) typeid(Foo{std::move(Bar)}).name();
  // (void) typeid(Foo{std::move(Bar)}).name();

  Foo Other{std::move(Bar)};
  Foo Other{std::move(Bar)};

}
}

} // namespace UnevalContext
} // namespace UnevalContext




class CtorInit {

public:

  CtorInit(std::string val)

      : a{val.empty()},    // fine

        s{std::move(val)},

        b{val.empty()}

  // CHECK-NOTES: [[@LINE-1]]:11: warning: 'val' used after it was moved

  // CHECK-NOTES: [[@LINE-3]]:9: note: move occurred here

  {}



private:

  bool a;

  std::string s;

  bool b;

};



class CtorInitLambda {

public:

  CtorInitLambda(std::string val)

      : a{val.empty()},    // fine

        s{std::move(val)},

        b{[&] { return val.empty(); }()},

        // CHECK-NOTES: [[@LINE-1]]:12: warning: 'val' used after it was moved

        // CHECK-NOTES: [[@LINE-3]]:9: note: move occurred here

        c{[] {

          std::string str{};

          std::move(str);

          return str.empty();

          // CHECK-NOTES: [[@LINE-1]]:18: warning: 'str' used after it was moved

          // CHECK-NOTES: [[@LINE-3]]:11: note: move occurred here

        }()} {

    std::move(val);

    // CHECK-NOTES: [[@LINE-1]]:15: warning: 'val' used after it was moved

    // CHECK-NOTES: [[@LINE-13]]:9: note: move occurred here

    std::string val2{};

    std::move(val2);

    val2.empty();

    // CHECK-NOTES: [[@LINE-1]]:5: warning: 'val2' used after it was moved

    // CHECK-NOTES: [[@LINE-3]]:5: note: move occurred here

  }



private:

  bool a;

  std::string s;

  bool b;

  bool c;

  bool d{};

};



class CtorInitOrder {

public:

  CtorInitOrder(std::string val)

      : a{val.empty()}, // fine

        b{val.empty()},

        // CHECK-NOTES: [[@LINE-1]]:11: warning: 'val' used after it was moved

        s{std::move(val)} {} // wrong order

  // CHECK-NOTES: [[@LINE-1]]:9: note: move occurred here

  // CHECK-NOTES: [[@LINE-4]]:11: note: the use happens in a later loop iteration than the move



private:

  bool a;

  std::string s;

  bool b;

};



struct Obj {};

struct CtorD {

  CtorD(Obj b);

};



struct CtorC {

  CtorC(Obj b);

};



struct CtorB {

  CtorB(Obj &b);

};



struct CtorA : CtorB, CtorC, CtorD {

  CtorA(Obj b) : CtorB{b}, CtorC{std::move(b)}, CtorD{b} {}

  // CHECK-NOTES: [[@LINE-1]]:55: warning: 'b' used after it was moved

  // CHECK-NOTES: [[@LINE-2]]:34: note: move occurred here

};



struct Base {

  Base(Obj b) : bb{std::move(b)} {}

  template <typename Call> Base(Call &&c) : bb{c()} {};



  Obj bb;

};



// struct Derived : Base, CtorC {

//   Derived(Obj b) : Base{[&] mutable { return std::move(b); }()}, CtorC{b} {}

// };



struct Derived2 : Base, CtorC {

  Derived2(Obj b)

        // TODO? is this a false positive, considering that we don't know whether Base(Call &&c) will actually call 'c'?

      : Base{[&] mutable { return std::move(b); }},

        // CHECK-NOTES: [[@LINE-1]]:15: warning: 'b' used after it was moved

        // CHECK-NOTES: [[@LINE-2]]:35: note: move occurred here

        // CHECK-NOTES: [[@LINE-3]]:15: note: the use and move are unsequenced, i.e. there is no guarantee about the order in which they are evaluated

        CtorC{b} {}

  // CHECK-NOTES: [[@LINE-1]]:15: warning: 'b' used after it was moved

  // CHECK-NOTES: [[@LINE-6]]:35: note: move occurred here

};



struct Derived3 : Base, CtorC {

  Derived3(Obj b)

      : Base{[c = std::move(b)] mutable { return std::move(c); }}, CtorC{b} {}

  // CHECK-NOTES: [[@LINE-1]]:74: warning: 'b' used after it was moved

  // CHECK-NOTES: [[@LINE-2]]:19: note: move occurred here

};



class PR38187 {
class PR38187 {

public:
public:

  PR38187(std::string val) : val_(std::move(val)) {
  PR38187(std::string val) : val_(std::move(val)) {

    val.empty();
    val.empty();

    // CHECK-NOTES: [[@LINE-1]]:5: warning: 'val' used after it was moved
    // CHECK-NOTES: [[@LINE-1]]:5: warning: 'val' used after it was moved

    // CHECK-NOTES: [[@LINE-3]]:30: note: move occurred here
    // CHECK-NOTES: [[@LINE-3]]:30: note: move occurred here

  }
  }




private:
private:

  std::string val_;
  std::string val_;

};
};

PiotrZSLUnsubmitted
Done
ReplyInline Actions
Missing tests:



    

  • Test with A derive from B, C, D, and argument is moved into C, but D initialization also uses it.
    • 

  • Test with lambda call inside init, and in lambda std::move of captured by reference constructor parameter, and lambda could be mutable, and lambda could be saved into member (or passed to base class), or called instantly (better both tests).
    • 

  • Test with lambda that takes argument into capture by move
    • 




In short:



struct Obj {};
struct D
{
    D(Obj b);
};

struct C
{
     C(Obj b);
};

struct B
{
     B(Obj& b);
}

struct A : B, C, D
{
    A(Obj b)
      : B(b), C(std::move(b)), D(b)
    {
    }
};

and second:

struct Base
{
    Base(Obj b) : bb(std::move(b)) {}
     template<typename T>
     Base(T&& b) : bb(b()) {};
   
     Obj bb;
};

struct Derived : Base, C
{
     Derived(Obj b) 
           : Base([&] mutable { return std::move(b); }()), C(b)
   {
   }
};

struct Derived2 : Base, C
{
     Derived2(Obj b) 
           : Base([&] mutable { return std::move(b); }), C(b)
   {
   }
};

struct Derived3 : Base, C
{
     Derived3(Obj b) 
           : Base([c = std::move(b)] mutable { return std::move(c); }), C(b)
   {
   }
};
PiotrZSL: Missing tests:
- Test with A derive from B, C, D, and argument is moved into C, but D…
MarcoFalkeAuthorUnsubmitted
Done
ReplyInline Actions
I added the test Derived2, however, I wonder if it should throw a warning. In the general case, I don't think we can know whether Base(Call&&call) will actually call call and execute the std::move, no?
MarcoFalke: I added the test `Derived2`, however, I wonder if it should throw a warning. In the general…
PiotrZSLUnsubmitted
Done
ReplyInline Actions
For me:

Derived - should throw a warning - same type used before C(b) (but questionable)

Derived 2 -> also should throw warning (but questionable)

Derived 3 -> also should throw warning



Note that Derived & Derived 2 could be considered different issue, like use after free (because we take reference to argument), it's safe to assume that it would be called anyway, because later that argument reference could become invalid. But it could be also fine to not throw issue. For is better to throw & nolint than ignore and crash.

But thats your call.
PiotrZSL: For me:
Derived - should throw a warning - same type used before C(b) (but questionable)…
MarcoFalkeAuthorUnsubmitted
Done
ReplyInline Actions
Ok, maybe it can be done in a follow-up? This should be a separate and pre-existing issue on main already (see also my other added test case about lambdas).
MarcoFalke: Ok, maybe it can be done in a follow-up? This should be a separate and pre-existing issue on…
PiotrZSLUnsubmitted
Not Done
ReplyInline Actions
Yes it could be.
PiotrZSL: Yes it could be.