This is an archive of the discontinued LLVM Phabricator instance.

clang/lib/Analysis/CFG.cpp
1873–1874	I'm wondering if you should rename this accordingly.
1887–1889	Here I'd suggest to deduplicate `Ty->getAsCXXRecordDecl()`. Implicit conversion of pointers to bool is idiomatic in LLVM.
5305–5306	The unindent doesn't look right to me.
5846	Braces shouldn't be needed if you don't declare any variables.
clang/lib/Analysis/ThreadSafety.cpp
2429–2438 ↗	(On Diff #551131)	Should this be part of a follow-up? (For which you might revive D152504.)
clang/test/Analysis/scopes-cfg-output.cpp
1428–1429	For our purposes, a pure declaration might be enough.
1433	Ideas for more tests (apart from imitating destructor tests): A variable in a block, so that more statements run before the function returns. A function with multiple return paths, each of which has to run the cleanup.

tbaeder updated this revision to Diff 552018.Aug 21 2023, 7:58 AM

tbaeder marked 4 inline comments as done.

tbaeder added inline comments.

clang/lib/Analysis/ThreadSafety.cpp
2429–2438 ↗	(On Diff #551131)	Ah, yes, probably.

Harbormaster completed remote builds in B253848: Diff 552018.Aug 21 2023, 9:17 AM

aaronpuchert added inline comments.Aug 21 2023, 5:59 PM

clang/test/Analysis/scopes-cfg-output.cpp

1473–1474

Interesting test! But it seems CodeGen has them swapped: compiling this snippet with clang -c -S -emit-llvm I get

define dso_local void @_Z4testv() #0 personality ptr @__gxx_personality_v0 {
  %1 = alloca %class.F, align 1
  %2 = alloca ptr, align 8
  %3 = alloca i32, align 4
  invoke void @_Z9cleanup_FP1F(ptr noundef %1)
          to label %4 unwind label %5

4:                                                ; preds = %0
  call void @_ZN1FD2Ev(ptr noundef nonnull align 1 dereferenceable(1) %1) #3
  ret void

; ...
}

So first cleanup, then destructor. This is with 17.0.0-rc2.

1480

As with the cleanup function, a definition shouldn't be necessary.

tbaeder marked an inline comment as done.Aug 22 2023, 12:17 AM

tbaeder added inline comments.

clang/test/Analysis/scopes-cfg-output.cpp
1473–1474	Interesting, I thought I checked this and used the correct order. Will re-check, thanks.
1480	Is there a way to test whether the contents of the cleanup function are being checked as well? From these tests, I only know we consider them called, but not whether we (properly) analyze their bodies in the context as well. Or is that separate from this patch?

aaronpuchert added inline comments.Aug 22 2023, 2:47 PM

clang/test/Analysis/scopes-cfg-output.cpp
1480	For now we're just adding a new element to the CFG and adapting the respective tests. The CFG is generated on a per-function basis, and the generation of one function's CFG will never look into another function's body. It might use some (declaration) properties of course, like whether it has `[[noreturn]]` or `noexcept`. Of course we should also generate a CFG for the cleanup function, but that's independent of this change. Users of the CFG will naturally need to be taught about this new element type to “understand” it. Otherwise they should simply skip it. Since the CFG previously did not contain such elements, there should be no change for them. So we can also initially just add the element and not tell anybody about it. We could also add understanding of the new element type to other CFG users, but you don't have to do this. If you only care about Thread Safety Analysis, then it's totally fine to handle it only there. But let's move all changes to Thread Safety Analysis into a follow-up, so that we don't have to bother the CFG maintainers with that.

tbaeder updated this revision to Diff 552608.Aug 22 2023, 11:59 PM

tbaeder marked 2 inline comments as done.

Herald added subscribers: steakhal, martong. · View Herald TranscriptAug 22 2023, 11:59 PM

Harbormaster completed remote builds in B254263: Diff 552608.Aug 23 2023, 12:52 AM

Looks good to me, but let's wait for the CFG maintainers to approve it.

clang/lib/Analysis/ThreadSafety.cpp
2429 ↗	(On Diff #552608)	Could you remove the added line?

This is a great improvement. When I saw that clang now supports it and e.g. the CSA operates on the CFG, I also considered adding this.
Now I don't need to do it, so many thanks!

The code looks correct to me, except that the cleanup should be before the dtor if it has any. Other than that, the code coverage also looks great, thus I would not oppose.

clang/lib/Analysis/CFG.cpp
1899–1902	This condition looks new. Is it an orthogonal improvement?
1899–1903	Shouldn't the cleanup function run first, and then the dtor of the variable? This way the object is already "dead" even before reaching the cleanup handler. https://godbolt.org/z/sT65boooW
2111	Can't this accept `const VarDecl*` instead? That way we could get rid of that `const_cast` above.
clang/test/Analysis/scopes-cfg-output.cpp
1473–1474	I believe this demonstrates the wrong order I also spotted earlier.
1480	Speaking of `noreturn`, I think it is worth demonstrating that if the cleanup function has `noreturn` attribute, then the dtor is not called.

This revision now requires changes to proceed.Aug 23 2023, 7:47 AM

aaronpuchert added a child revision: D152504: [clang][ThreadSafety] Analyze cleanup functions.Aug 27 2023, 9:44 AM

tbaeder marked 2 inline comments as done.Aug 31 2023, 10:12 PM

tbaeder added inline comments.

clang/lib/Analysis/CFG.cpp
2111	Yes, I just didn't want to modify the existing function signature.
clang/test/Analysis/scopes-cfg-output.cpp
1473–1474	The current code generates the given CFG, i.e. the cleanup function comes first, followed by the dtor: [B1] 1: CFGScopeBegin(f) 2: (CXXConstructExpr, [B1.3], F) 3: F f __attribute__((cleanup(f_))); 4: CleanupFunction (f_) 5: [B1.3].~F() (Implicit destructor) 6: CFGScopeEnd(f) Preds (1): B2 Succs (1): B0 (The comment from Aaron is from before when I had the order swapped.)
1480	Yeah, that does not work correctly right now.

tbaeder updated this revision to Diff 555251.Aug 31 2023, 10:13 PM

tbaeder marked an inline comment as done.

Harbormaster completed remote builds in B256178: Diff 555251.Aug 31 2023, 10:58 PM

Not sure I have enough CFG knowledge. Do I just need to create another noreturn block for the cleanup function?

This is the CFG I get when both the cleanup function and the destructor are noreturn:

int main()
 [B4 (ENTRY)]
   Succs (1): B3

 [B1]
   1: CFGScopeEnd(f)
   Succs (1): B0

 [B2 (NORETURN)]
   1: [B3.3].~F() (Implicit destructor)
   Succs (1): B0

 [B3 (NORETURN)]
   1: CFGScopeBegin(f)
   2:  (CXXConstructExpr, [B3.3], F)
   3: F f __attribute__((cleanup(f_)));
   4: CleanupFunction (f_)
   Preds (1): B4
   Succs (1): B0

 [B0 (EXIT)]
   Preds (3): B1 B2 B3

tbaeder added inline comments.Sep 1 2023, 5:24 AM

clang/lib/Analysis/CFG.cpp
1899–1902	This check is needed because it's not implied anymore by the variable being in the list. It might be in there because it has a cleanup function.

When I added -analyzer-config cfg-lifetime=true to clang/test/Analysis/scopes-cfg-output.cpp, suddenly duplicated lifetime ends entries appeared where we have CleanupFunctions.
My output is:

void test_cleanup_functions()
 [B2 (ENTRY)]
   Succs (1): B1

 [B1]
   1: CFGScopeBegin(i)
   2: int i __attribute__((cleanup(cleanup_int)));
   3: CleanupFunction (cleanup_int)
   4: [B1.2] (Lifetime ends)
   5: [B1.2] (Lifetime ends)
   6: CFGScopeEnd(i)
   Preds (1): B2
   Succs (1): B0

 [B0 (EXIT)]
   Preds (1): B1

void test_cleanup_functions2(int m)
 [B4 (ENTRY)]
   Succs (1): B3

 [B1]
   1: 10
   2: i
   3: [B1.2] = [B1.1]
   4: return;
   5: CleanupFunction (cleanup_int)
   6: [B3.2] (Lifetime ends)
   7: [B3.2] (Lifetime ends)
   8: CFGScopeEnd(i)
   Preds (1): B3
   Succs (1): B0

 [B2]
   1: return;
   2: CleanupFunction (cleanup_int)
   3: [B3.2] (Lifetime ends)
   4: [B3.2] (Lifetime ends)
   5: CFGScopeEnd(i)
   Preds (1): B3
   Succs (1): B0

 [B3]
   1: CFGScopeBegin(i)
   2: int i __attribute__((cleanup(cleanup_int)));
   3: m
   4: [B3.3] (ImplicitCastExpr, LValueToRValue, int)
   5: 1
   6: [B3.4] == [B3.5]
   T: if [B3.6]
   Preds (1): B4
   Succs (2): B2 B1

 [B0 (EXIT)]
   Preds (2): B1 B2

void test()
 [B2 (ENTRY)]
   Succs (1): B1

 [B1]
   1: CFGScopeBegin(f)
   2:  (CXXConstructExpr, [B1.3], F)
   3: F f __attribute__((cleanup(cleanup_F)));
   4: CleanupFunction (cleanup_F)
   5: [B1.3].~F() (Implicit destructor)
   6: [B1.3] (Lifetime ends)
   7: CFGScopeEnd(f)
   Preds (1): B2
   Succs (1): B0

 [B0 (EXIT)]
   Preds (1): B1

Notice the [B3.2] (Lifetime ends) lines for example.

The order in which the Lifetime, Scope and Cleanup elements appear looks correct; my only concern is the duplicate Lifetime ends marker.

About the noreturn cleanup function, well, GCC says: It is undefined what happens if cleanup_function does not return normally. here, thus I'm not sure what to do in that case. GCC seems to optimize accordingly, but clang does not. See https://godbolt.org/z/z8s6bPPjv.

FYI Unfortunately, I don't have much experience with CFG either.

@steakhal Double lifetime ends should be fixed now.

In D157385#4634591, @tbaeder wrote:

@steakhal Double lifetime ends should be fixed now.

I haven't verified, but it should be good now.

This revision is now accepted and ready to land.Sep 1 2023, 9:29 AM

Harbormaster completed remote builds in B256281: Diff 555403.Sep 1 2023, 9:39 AM

aaronpuchert added inline comments.Sep 14 2023, 4:54 PM

clang/test/Analysis/scopes-cfg-output.cpp
1472	The test failure in D152504 suggests that this needs to be written as __attribute__((cleanup(cleanup_F))) F f Maybe something changed upstream?

tbaeder updated this revision to Diff 556836.Sep 15 2023, 2:33 AM

tbaeder marked an inline comment as done.

tbaeder added inline comments.

clang/test/Analysis/scopes-cfg-output.cpp
1472	Right, not sure what changed.

Harbormaster completed remote builds in B257264: Diff 556836.Sep 15 2023, 3:28 AM

Closed by commit rGad4a51302777: [clang][CFG] Cleanup functions (authored by tbaeder). · Explain WhySep 19 2023, 2:57 AM

This revision was automatically updated to reflect the committed changes.

tbaeder added a commit: rGad4a51302777: [clang][CFG] Cleanup functions.

Revision Contents

Path

Size

clang/

include/

clang/

Analysis/

CFG.h

38 lines

lib/

Analysis/

CFG.cpp

40 lines

PathDiagnostic.cpp

1 line

StaticAnalyzer/

Core/

ExprEngine.cpp

1 line

test/

Analysis/

scopes-cfg-output.cpp

65 lines

Diff 557019

clang/include/clang/Analysis/CFG.h

//===- CFG.h - Classes for representing and building CFGs -------- C++ --===//		//===- CFG.h - Classes for representing and building CFGs -------- C++ --===//
//		//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.		// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.		// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception		// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//		//
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
//		//
// This file defines the CFG and CFGBuilder classes for representing and		// This file defines the CFG and CFGBuilder classes for representing and
// building Control-Flow Graphs (CFGs) from ASTs.		// building Control-Flow Graphs (CFGs) from ASTs.
//		//
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//

#ifndef LLVM_CLANG_ANALYSIS_CFG_H		#ifndef LLVM_CLANG_ANALYSIS_CFG_H
#define LLVM_CLANG_ANALYSIS_CFG_H		#define LLVM_CLANG_ANALYSIS_CFG_H

#include "clang/Analysis/Support/BumpVector.h"		#include "clang/AST/Attr.h"
#include "clang/Analysis/ConstructionContext.h"
#include "clang/AST/ExprCXX.h"		#include "clang/AST/ExprCXX.h"
#include "clang/AST/ExprObjC.h"		#include "clang/AST/ExprObjC.h"
		#include "clang/Analysis/ConstructionContext.h"
		#include "clang/Analysis/Support/BumpVector.h"
#include "clang/Basic/LLVM.h"		#include "clang/Basic/LLVM.h"
#include "llvm/ADT/DenseMap.h"		#include "llvm/ADT/DenseMap.h"
#include "llvm/ADT/GraphTraits.h"		#include "llvm/ADT/GraphTraits.h"
#include "llvm/ADT/PointerIntPair.h"		#include "llvm/ADT/PointerIntPair.h"
#include "llvm/ADT/iterator_range.h"		#include "llvm/ADT/iterator_range.h"
#include "llvm/Support/Allocator.h"		#include "llvm/Support/Allocator.h"
#include "llvm/Support/raw_ostream.h"		#include "llvm/Support/raw_ostream.h"
#include <bitset>		#include <bitset>
Show All 40 Lines	enum Kind {
STMT_END = CXXRecordTypedCall,		STMT_END = CXXRecordTypedCall,
// dtor kind		// dtor kind
AutomaticObjectDtor,		AutomaticObjectDtor,
DeleteDtor,		DeleteDtor,
BaseDtor,		BaseDtor,
MemberDtor,		MemberDtor,
TemporaryDtor,		TemporaryDtor,
DTOR_BEGIN = AutomaticObjectDtor,		DTOR_BEGIN = AutomaticObjectDtor,
DTOR_END = TemporaryDtor		DTOR_END = TemporaryDtor,
		CleanupFunction,
};		};

protected:		protected:
// The int bits are used to mark the kind.		// The int bits are used to mark the kind.
llvm::PointerIntPair<void *, 2> Data1;		llvm::PointerIntPair<void *, 2> Data1;
llvm::PointerIntPair<void *, 2> Data2;		llvm::PointerIntPair<void *, 2> Data2;

CFGElement(Kind kind, const void Ptr1, const void Ptr2 = nullptr)		CFGElement(Kind kind, const void Ptr1, const void Ptr2 = nullptr)
▲ Show 20 Lines • Show All 292 Lines • ▼ Show 20 Lines	private:
friend class CFGElement;		friend class CFGElement;

static bool isKind(const CFGElement &E) {		static bool isKind(const CFGElement &E) {
Kind kind = E.getKind();		Kind kind = E.getKind();
return kind >= DTOR_BEGIN && kind <= DTOR_END;		return kind >= DTOR_BEGIN && kind <= DTOR_END;
}		}
};		};

		class CFGCleanupFunction final : public CFGElement {
		public:
		CFGCleanupFunction() = default;
		CFGCleanupFunction(const VarDecl *VD)
		: CFGElement(Kind::CleanupFunction, VD) {
		assert(VD->hasAttr<CleanupAttr>());
		}

		const VarDecl *getVarDecl() const {
		return static_cast<VarDecl *>(Data1.getPointer());
		}

		/// Returns the function to be called when cleaning up the var decl.
		const FunctionDecl *getFunctionDecl() const {
		const CleanupAttr *A = getVarDecl()->getAttr<CleanupAttr>();
		return A->getFunctionDecl();
		}

		private:
		friend class CFGElement;

		static bool isKind(const CFGElement E) {
		return E.getKind() == Kind::CleanupFunction;
		}
		};

/// Represents C++ object destructor implicitly generated for automatic object		/// Represents C++ object destructor implicitly generated for automatic object
/// or temporary bound to const reference at the point of leaving its local		/// or temporary bound to const reference at the point of leaving its local
/// scope.		/// scope.
class CFGAutomaticObjDtor: public CFGImplicitDtor {		class CFGAutomaticObjDtor: public CFGImplicitDtor {
public:		public:
CFGAutomaticObjDtor(const VarDecl var, const Stmt stmt)		CFGAutomaticObjDtor(const VarDecl var, const Stmt stmt)
: CFGImplicitDtor(AutomaticObjectDtor, var, stmt) {}		: CFGImplicitDtor(AutomaticObjectDtor, var, stmt) {}

▲ Show 20 Lines • Show All 743 Lines • ▼ Show 20 Lines	public:
void appendTemporaryDtor(CXXBindTemporaryExpr *E, BumpVectorContext &C) {		void appendTemporaryDtor(CXXBindTemporaryExpr *E, BumpVectorContext &C) {
Elements.push_back(CFGTemporaryDtor(E), C);		Elements.push_back(CFGTemporaryDtor(E), C);
}		}

void appendAutomaticObjDtor(VarDecl VD, Stmt S, BumpVectorContext &C) {		void appendAutomaticObjDtor(VarDecl VD, Stmt S, BumpVectorContext &C) {
Elements.push_back(CFGAutomaticObjDtor(VD, S), C);		Elements.push_back(CFGAutomaticObjDtor(VD, S), C);
}		}

		void appendCleanupFunction(const VarDecl *VD, BumpVectorContext &C) {
		Elements.push_back(CFGCleanupFunction(VD), C);
		}

void appendLifetimeEnds(VarDecl VD, Stmt S, BumpVectorContext &C) {		void appendLifetimeEnds(VarDecl VD, Stmt S, BumpVectorContext &C) {
Elements.push_back(CFGLifetimeEnds(VD, S), C);		Elements.push_back(CFGLifetimeEnds(VD, S), C);
}		}

void appendLoopExit(const Stmt *LoopStmt, BumpVectorContext &C) {		void appendLoopExit(const Stmt *LoopStmt, BumpVectorContext &C) {
Elements.push_back(CFGLoopExit(LoopStmt), C);		Elements.push_back(CFGLoopExit(LoopStmt), C);
}		}

▲ Show 20 Lines • Show All 391 Lines • Show Last 20 Lines

clang/lib/Analysis/CFG.cpp

Show First 20 Lines • Show All 875 Lines • ▼ Show 20 Lines private:

void appendTemporaryDtor(CFGBlock *B, CXXBindTemporaryExpr *E) { void appendTemporaryDtor(CFGBlock *B, CXXBindTemporaryExpr *E) {

B->appendTemporaryDtor(E, cfg->getBumpVectorContext()); B->appendTemporaryDtor(E, cfg->getBumpVectorContext());

} }

void appendAutomaticObjDtor(CFGBlock *B, VarDecl *VD, Stmt *S) { void appendAutomaticObjDtor(CFGBlock *B, VarDecl *VD, Stmt *S) {

B->appendAutomaticObjDtor(VD, S, cfg->getBumpVectorContext()); B->appendAutomaticObjDtor(VD, S, cfg->getBumpVectorContext());

} }

void appendCleanupFunction(CFGBlock *B, VarDecl *VD) {

B->appendCleanupFunction(VD, cfg->getBumpVectorContext());

}

void appendLifetimeEnds(CFGBlock *B, VarDecl *VD, Stmt *S) { void appendLifetimeEnds(CFGBlock *B, VarDecl *VD, Stmt *S) {

B->appendLifetimeEnds(VD, S, cfg->getBumpVectorContext()); B->appendLifetimeEnds(VD, S, cfg->getBumpVectorContext());

} }

void appendLoopExit(CFGBlock *B, const Stmt *LoopStmt) { void appendLoopExit(CFGBlock *B, const Stmt *LoopStmt) {

B->appendLoopExit(LoopStmt, cfg->getBumpVectorContext()); B->appendLoopExit(LoopStmt, cfg->getBumpVectorContext());

} }

▲ Show 20 Lines • Show All 449 Lines • ▼ Show 20 Lines TryResult evaluateAsBooleanConditionNoCache(Expr *E) {

bool Result; bool Result;

if (E->EvaluateAsBooleanCondition(Result, *Context)) if (E->EvaluateAsBooleanCondition(Result, *Context))

return Result; return Result;

return {}; return {};

} }

bool hasTrivialDestructor(VarDecl *VD); bool hasTrivialDestructor(const VarDecl *VD) const;

bool needsAutomaticDestruction(const VarDecl *VD) const;

}; };

} // namespace } // namespace

Expr * Expr *

clang::extractElementInitializerFromNestedAILE(const ArrayInitLoopExpr *AILE) { clang::extractElementInitializerFromNestedAILE(const ArrayInitLoopExpr *AILE) {

if (!AILE) if (!AILE)

return nullptr; return nullptr;

▲ Show 20 Lines • Show All 498 Lines • ▼ Show 20 Lines void CFGBuilder::addAutomaticObjDestruction(LocalScope::const_iterator B,

LocalScope::const_iterator E, LocalScope::const_iterator E,

Stmt *S) { Stmt *S) {

if (!BuildOpts.AddImplicitDtors && !BuildOpts.AddLifetime) if (!BuildOpts.AddImplicitDtors && !BuildOpts.AddLifetime)

return; return;

if (B == E) if (B == E)

return; return;

SmallVector<VarDecl *, 10> DeclsNonTrivial; SmallVector<VarDecl *, 10> DeclsNeedDestruction;

DeclsNonTrivial.reserve(B.distance(E)); DeclsNeedDestruction.reserve(B.distance(E));

for (VarDecl* D : llvm::make_range(B, E)) for (VarDecl* D : llvm::make_range(B, E))

if (!hasTrivialDestructor(D)) if (needsAutomaticDestruction(D))

DeclsNonTrivial.push_back(D); DeclsNeedDestruction.push_back(D);

aaronpuchertUnsubmitted

Done

I'm wondering if you should rename this accordingly.

aaronpuchert: I'm wondering if you should rename this accordingly.

for (VarDecl *VD : llvm::reverse(DeclsNonTrivial)) { for (VarDecl *VD : llvm::reverse(DeclsNeedDestruction)) {

if (BuildOpts.AddImplicitDtors) { if (BuildOpts.AddImplicitDtors) {

// If this destructor is marked as a no-return destructor, we need to // If this destructor is marked as a no-return destructor, we need to

// create a new block for the destructor which does not have as a // create a new block for the destructor which does not have as a

// successor anything built thus far: control won't flow out of this // successor anything built thus far: control won't flow out of this

// block. // block.

QualType Ty = VD->getType(); QualType Ty = VD->getType();

if (Ty->isReferenceType()) if (Ty->isReferenceType())

Ty = getReferenceInitTemporaryType(VD->getInit()); Ty = getReferenceInitTemporaryType(VD->getInit());

Ty = Context->getBaseElementType(Ty); Ty = Context->getBaseElementType(Ty);

if (Ty->getAsCXXRecordDecl()->isAnyDestructorNoReturn()) const CXXRecordDecl *CRD = Ty->getAsCXXRecordDecl();

if (CRD && CRD->isAnyDestructorNoReturn())

Block = createNoReturnBlock(); Block = createNoReturnBlock();

aaronpuchertUnsubmitted

Done

Ty = Context->getBaseElementType(Ty);

- bool IsCXXRecordType = (Ty->getAsCXXRecordDecl() != nullptr);

- if (IsCXXRecordType &&

- Ty->getAsCXXRecordDecl()->isAnyDestructorNoReturn())

+ const CXXRecordDecl *CRD = Ty->getAsCXXRecordDecl();

+ if (CRD && CRD->isAnyDestructorNoReturn())

Block = createNoReturnBlock();

Here I'd suggest to deduplicate Ty->getAsCXXRecordDecl(). Implicit conversion of pointers to bool is idiomatic in LLVM.

aaronpuchert: Here I'd suggest to deduplicate `Ty->getAsCXXRecordDecl()`. Implicit conversion of pointers to…

} }

autoCreateBlock(); autoCreateBlock();

// Add LifetimeEnd after automatic obj with non-trivial destructors, // Add LifetimeEnd after automatic obj with non-trivial destructors,

// as they end their lifetime when the destructor returns. For trivial // as they end their lifetime when the destructor returns. For trivial

// objects, we end lifetime with scope end. // objects, we end lifetime with scope end.

if (BuildOpts.AddLifetime) if (BuildOpts.AddLifetime)

appendLifetimeEnds(Block, VD, S); appendLifetimeEnds(Block, VD, S);

if (BuildOpts.AddImplicitDtors) if (BuildOpts.AddImplicitDtors && !hasTrivialDestructor(VD))

appendAutomaticObjDtor(Block, VD, S); appendAutomaticObjDtor(Block, VD, S);

if (VD->hasAttr<CleanupAttr>())

appendCleanupFunction(Block, VD);

steakhalUnsubmitted

Done

This condition looks new. Is it an orthogonal improvement?

steakhal: This condition looks new. Is it an orthogonal improvement?

tbaederAuthorUnsubmitted

Done

This check is needed because it's not implied anymore by the variable being in the list. It might be in there because it has a cleanup function.

tbaeder: This check is needed because it's not implied anymore by the variable being in the list. It…

} }

steakhalUnsubmitted

Not Done

Shouldn't the cleanup function run first, and then the dtor of the variable?
This way the object is already "dead" even before reaching the cleanup handler.
https://godbolt.org/z/sT65boooW

steakhal: Shouldn't the cleanup function run first, and then the dtor of the variable? This way the…

} }

/// Add CFG elements corresponding to leaving a scope. /// Add CFG elements corresponding to leaving a scope.

/// Assumes that range [B, E) corresponds to single scope. /// Assumes that range [B, E) corresponds to single scope.

/// This add following elements: /// This add following elements:

/// * LifetimeEnds for all variables with non-trivial destructor /// * LifetimeEnds for all variables with non-trivial destructor

/// * ScopeEnd for each scope left /// * ScopeEnd for each scope left

void CFGBuilder::addScopeExitHandling(LocalScope::const_iterator B, void CFGBuilder::addScopeExitHandling(LocalScope::const_iterator B,

Show All 13 Lines void CFGBuilder::addScopeExitHandling(LocalScope::const_iterator B,

// We need to perform the scope leaving in reverse order // We need to perform the scope leaving in reverse order

SmallVector<VarDecl *, 10> DeclsTrivial; SmallVector<VarDecl *, 10> DeclsTrivial;

DeclsTrivial.reserve(B.distance(E)); DeclsTrivial.reserve(B.distance(E));

// Objects with trivial destructor ends their lifetime when their storage // Objects with trivial destructor ends their lifetime when their storage

// is destroyed, for automatic variables, this happens when the end of the // is destroyed, for automatic variables, this happens when the end of the

// scope is added. // scope is added.

for (VarDecl* D : llvm::make_range(B, E)) for (VarDecl* D : llvm::make_range(B, E))

if (hasTrivialDestructor(D)) if (!needsAutomaticDestruction(D))

DeclsTrivial.push_back(D); DeclsTrivial.push_back(D);

if (DeclsTrivial.empty()) if (DeclsTrivial.empty())

return; return;

autoCreateBlock(); autoCreateBlock();

for (VarDecl *VD : llvm::reverse(DeclsTrivial)) for (VarDecl *VD : llvm::reverse(DeclsTrivial))

appendLifetimeEnds(Block, VD, S); appendLifetimeEnds(Block, VD, S);

▲ Show 20 Lines • Show All 156 Lines • ▼ Show 20 Lines if (!BuildOpts.AddImplicitDtors && !BuildOpts.AddLifetime &&

return Scope; return Scope;

for (auto *DI : DS->decls()) for (auto *DI : DS->decls())

if (VarDecl *VD = dyn_cast<VarDecl>(DI)) if (VarDecl *VD = dyn_cast<VarDecl>(DI))

Scope = addLocalScopeForVarDecl(VD, Scope); Scope = addLocalScopeForVarDecl(VD, Scope);

return Scope; return Scope;

} }

bool CFGBuilder::hasTrivialDestructor(VarDecl *VD) { bool CFGBuilder::needsAutomaticDestruction(const VarDecl *VD) const {

return !hasTrivialDestructor(VD) || VD->hasAttr<CleanupAttr>();

}

bool CFGBuilder::hasTrivialDestructor(const VarDecl *VD) const {

// Check for const references bound to temporary. Set type to pointee. // Check for const references bound to temporary. Set type to pointee.

steakhalUnsubmitted

Done

Can't this accept const VarDecl* instead? That way we could get rid of that const_cast above.

steakhal: Can't this accept `const VarDecl*` instead? That way we could get rid of that `const_cast`…

tbaederAuthorUnsubmitted

Done

Yes, I just didn't want to modify the existing function signature.

tbaeder: Yes, I just didn't want to modify the existing function signature.

QualType QT = VD->getType(); QualType QT = VD->getType();

if (QT->isReferenceType()) { if (QT->isReferenceType()) {

// Attempt to determine whether this declaration lifetime-extends a // Attempt to determine whether this declaration lifetime-extends a

// temporary. // temporary.

// //

// FIXME: This is incorrect. Non-reference declarations can lifetime-extend // FIXME: This is incorrect. Non-reference declarations can lifetime-extend

// temporaries, and a single declaration can extend multiple temporaries. // temporaries, and a single declaration can extend multiple temporaries.

// We should look at the storage duration on each nested // We should look at the storage duration on each nested

Show All 36 Lines if (!BuildOpts.AddImplicitDtors && !BuildOpts.AddLifetime &&

!BuildOpts.AddScopes) !BuildOpts.AddScopes)

return Scope; return Scope;

// Check if variable is local. // Check if variable is local.

if (!VD->hasLocalStorage()) if (!VD->hasLocalStorage())

return Scope; return Scope;

if (!BuildOpts.AddLifetime && !BuildOpts.AddScopes && if (!BuildOpts.AddLifetime && !BuildOpts.AddScopes &&

hasTrivialDestructor(VD)) { !needsAutomaticDestruction(VD)) {

assert(BuildOpts.AddImplicitDtors); assert(BuildOpts.AddImplicitDtors);

return Scope; return Scope;

} }

// Add the variable to scope // Add the variable to scope

Scope = createOrReuseLocalScope(Scope); Scope = createOrReuseLocalScope(Scope);

Scope->addVar(VD); Scope->addVar(VD);

ScopePos = Scope->begin(); ScopePos = Scope->begin();

▲ Show 20 Lines • Show All 3,121 Lines • ▼ Show 20 Lines switch (getKind()) {

case CFGElement::NewAllocator: case CFGElement::NewAllocator:

case CFGElement::LoopExit: case CFGElement::LoopExit:

case CFGElement::LifetimeEnds: case CFGElement::LifetimeEnds:

case CFGElement::Statement: case CFGElement::Statement:

case CFGElement::Constructor: case CFGElement::Constructor:

case CFGElement::CXXRecordTypedCall: case CFGElement::CXXRecordTypedCall:

case CFGElement::ScopeBegin: case CFGElement::ScopeBegin:

case CFGElement::ScopeEnd: case CFGElement::ScopeEnd:

case CFGElement::CleanupFunction:

llvm_unreachable("getDestructorDecl should only be used with " llvm_unreachable("getDestructorDecl should only be used with "

"ImplicitDtors"); "ImplicitDtors");

case CFGElement::AutomaticObjectDtor: { case CFGElement::AutomaticObjectDtor: {

const VarDecl *var = castAs<CFGAutomaticObjDtor>().getVarDecl(); const VarDecl *var = castAs<CFGAutomaticObjDtor>().getVarDecl();

aaronpuchertUnsubmitted

Done

The unindent doesn't look right to me.

aaronpuchert: The unindent doesn't look right to me.

QualType ty = var->getType(); QualType ty = var->getType();

// FIXME: See CFGBuilder::addLocalScopeForVarDecl. // FIXME: See CFGBuilder::addLocalScopeForVarDecl.

// //

// Lifetime-extending constructs are handled here. This works for a single // Lifetime-extending constructs are handled here. This works for a single

// temporary in an initializer expression. // temporary in an initializer expression.

if (ty->isReferenceType()) { if (ty->isReferenceType()) {

if (const Expr *Init = var->getInit()) { if (const Expr *Init = var->getInit()) {

▲ Show 20 Lines • Show All 523 Lines • ▼ Show 20 Lines if (T->isReferenceType())

T = getReferenceInitTemporaryType(VD->getInit(), nullptr); T = getReferenceInitTemporaryType(VD->getInit(), nullptr);

OS << ".~"; OS << ".~";

T.getUnqualifiedType().print(OS, PrintingPolicy(Helper.getLangOpts())); T.getUnqualifiedType().print(OS, PrintingPolicy(Helper.getLangOpts()));

OS << "() (Implicit destructor)\n"; OS << "() (Implicit destructor)\n";

break; break;

} }

case CFGElement::Kind::CleanupFunction:

aaronpuchertUnsubmitted

Done

Braces shouldn't be needed if you don't declare any variables.

aaronpuchert: Braces shouldn't be needed if you don't declare any variables.

OS << "CleanupFunction ("

<< E.castAs<CFGCleanupFunction>().getFunctionDecl()->getName() << ")\n";

break;

case CFGElement::Kind::LifetimeEnds: case CFGElement::Kind::LifetimeEnds:

Helper.handleDecl(E.castAs<CFGLifetimeEnds>().getVarDecl(), OS); Helper.handleDecl(E.castAs<CFGLifetimeEnds>().getVarDecl(), OS);

OS << " (Lifetime ends)\n"; OS << " (Lifetime ends)\n";

break; break;

case CFGElement::Kind::LoopExit: case CFGElement::Kind::LoopExit:

OS << E.castAs<CFGLoopExit>().getLoopStmt()->getStmtClassName() << " (LoopExit)\n"; OS << E.castAs<CFGLoopExit>().getLoopStmt()->getStmtClassName() << " (LoopExit)\n";

break; break;

▲ Show 20 Lines • Show All 511 Lines • Show Last 20 Lines

clang/lib/Analysis/PathDiagnostic.cpp

Show First 20 Lines • Show All 561 Lines • ▼ Show 20 Lines	case CFGElement::TemporaryDtor: {
// the location of CXXBindTemporaryExpr. If they are lifetime-extended,		// the location of CXXBindTemporaryExpr. If they are lifetime-extended,
// they'd be dealt with via an AutomaticObjectDtor instead.		// they'd be dealt with via an AutomaticObjectDtor instead.
const auto &Dtor = Source.castAs<CFGTemporaryDtor>();		const auto &Dtor = Source.castAs<CFGTemporaryDtor>();
return PathDiagnosticLocation::createEnd(Dtor.getBindTemporaryExpr(), SM,		return PathDiagnosticLocation::createEnd(Dtor.getBindTemporaryExpr(), SM,
CallerCtx);		CallerCtx);
}		}
case CFGElement::ScopeBegin:		case CFGElement::ScopeBegin:
case CFGElement::ScopeEnd:		case CFGElement::ScopeEnd:
		case CFGElement::CleanupFunction:
llvm_unreachable("not yet implemented!");		llvm_unreachable("not yet implemented!");
case CFGElement::LifetimeEnds:		case CFGElement::LifetimeEnds:
case CFGElement::LoopExit:		case CFGElement::LoopExit:
llvm_unreachable("CFGElement kind should not be on callsite!");		llvm_unreachable("CFGElement kind should not be on callsite!");
}		}

llvm_unreachable("Unknown CFGElement kind");		llvm_unreachable("Unknown CFGElement kind");
}		}
▲ Show 20 Lines • Show All 662 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Core/ExprEngine.cpp

Show First 20 Lines • Show All 987 Lines • ▼ Show 20 Lines	switch (E.getKind()) {
case CFGElement::MemberDtor:		case CFGElement::MemberDtor:
case CFGElement::TemporaryDtor:		case CFGElement::TemporaryDtor:
ProcessImplicitDtor(E.castAs<CFGImplicitDtor>(), Pred);		ProcessImplicitDtor(E.castAs<CFGImplicitDtor>(), Pred);
return;		return;
case CFGElement::LoopExit:		case CFGElement::LoopExit:
ProcessLoopExit(E.castAs<CFGLoopExit>().getLoopStmt(), Pred);		ProcessLoopExit(E.castAs<CFGLoopExit>().getLoopStmt(), Pred);
return;		return;
case CFGElement::LifetimeEnds:		case CFGElement::LifetimeEnds:
		case CFGElement::CleanupFunction:
case CFGElement::ScopeBegin:		case CFGElement::ScopeBegin:
case CFGElement::ScopeEnd:		case CFGElement::ScopeEnd:
return;		return;
}		}
}		}

static bool shouldRemoveDeadBindings(AnalysisManager &AMgr,		static bool shouldRemoveDeadBindings(AnalysisManager &AMgr,
const Stmt *S,		const Stmt *S,
▲ Show 20 Lines • Show All 2,941 Lines • Show Last 20 Lines

clang/test/Analysis/scopes-cfg-output.cpp

Show First 20 Lines • Show All 1,413 Lines • ▼ Show 20 Lines	if (UV) goto label;
if (UV) goto label;		if (UV) goto label;
{		{
int n2t;		int n2t;
if (UV) goto label;		if (UV) goto label;
label:		label:
}		}
}		}
}		}

		// CHECK: [B1]
		// CHECK-NEXT: 1: CFGScopeBegin(i)
		// CHECK-NEXT: 2: int i __attribute__((cleanup(cleanup_int)));
		// CHECK-NEXT: 3: CleanupFunction (cleanup_int)
		// CHECK-NEXT: 4: CFGScopeEnd(i)
		void cleanup_int(int *i);
		void test_cleanup_functions() {
		aaronpuchertUnsubmitted Done Reply Inline Actions For our purposes, a pure declaration might be enough. aaronpuchert: For our purposes, a pure declaration might be enough.
		int i __attribute__((cleanup(cleanup_int)));
		}

		// CHECK: [B1]
		aaronpuchertUnsubmitted Not Done Reply Inline Actions Ideas for more tests (apart from imitating destructor tests): A variable in a block, so that more statements run before the function returns. A function with multiple return paths, each of which has to run the cleanup. aaronpuchert: Ideas for more tests (apart from imitating destructor tests): * A variable in a block, so that…
		// CHECK-NEXT: 1: 10
		// CHECK-NEXT: 2: i
		// CHECK-NEXT: 3: [B1.2] = [B1.1]
		// CHECK-NEXT: 4: return;
		// CHECK-NEXT: 5: CleanupFunction (cleanup_int)
		// CHECK-NEXT: 6: CFGScopeEnd(i)
		// CHECK-NEXT: Preds (1): B3
		// CHECK-NEXT: Succs (1): B0
		// CHECK: [B2]
		// CHECK-NEXT: 1: return;
		// CHECK-NEXT: 2: CleanupFunction (cleanup_int)
		// CHECK-NEXT: 3: CFGScopeEnd(i)
		// CHECK-NEXT: Preds (1): B3
		// CHECK-NEXT: Succs (1): B0
		// CHECK: [B3]
		// CHECK-NEXT: 1: CFGScopeBegin(i)
		// CHECK-NEXT: 2: int i __attribute__((cleanup(cleanup_int)));
		// CHECK-NEXT: 3: m
		// CHECK-NEXT: 4: [B3.3] (ImplicitCastExpr, LValueToRValue, int)
		// CHECK-NEXT: 5: 1
		// CHECK-NEXT: 6: [B3.4] == [B3.5]
		// CHECK-NEXT: T: if [B3.6]
		// CHECK-NEXT: Preds (1): B4
		// CHECK-NEXT: Succs (2): B2 B1
		void test_cleanup_functions2(int m) {
		int i __attribute__((cleanup(cleanup_int)));

		if (m == 1) {
		return;
		}

		i = 10;
		return;
		}

		// CHECK: [B1]
		// CHECK-NEXT: 1: CFGScopeBegin(f)
		// CHECK-NEXT: 2: (CXXConstructExpr, [B1.3], F)
		// CHECK-NEXT: 3: __attribute__((cleanup(cleanup_F))) F f;
		aaronpuchertUnsubmitted Done Reply Inline Actions The test failure in D152504 suggests that this needs to be written as __attribute__((cleanup(cleanup_F))) F f Maybe something changed upstream? aaronpuchert: The test failure in D152504 suggests that this needs to be written as ``` __attribute__…
		tbaederAuthorUnsubmitted Done Reply Inline Actions Right, not sure what changed. tbaeder: Right, not sure what changed.
		// CHECK-NEXT: 4: CleanupFunction (cleanup_F)
		// CHECK-NEXT: 5: [B1.3].~F() (Implicit destructor)
		aaronpuchertUnsubmitted Not Done Reply Inline Actions Interesting test! But it seems CodeGen has them swapped: compiling this snippet with `clang -c -S -emit-llvm` I get define dso_local void @_Z4testv() #0 personality ptr @__gxx_personality_v0 { %1 = alloca %class.F, align 1 %2 = alloca ptr, align 8 %3 = alloca i32, align 4 invoke void @_Z9cleanup_FP1F(ptr noundef %1) to label %4 unwind label %5 4: ; preds = %0 call void @_ZN1FD2Ev(ptr noundef nonnull align 1 dereferenceable(1) %1) #3 ret void ; ... } So first cleanup, then destructor. This is with 17.0.0-rc2. aaronpuchert: Interesting test! But it seems CodeGen has them swapped: compiling this snippet with `clang -c…
		tbaederAuthorUnsubmitted Done Reply Inline Actions Interesting, I thought I checked this and used the correct order. Will re-check, thanks. tbaeder: Interesting, I thought I checked this and used the correct order. Will re-check, thanks.
		steakhalUnsubmitted Not Done Reply Inline Actions I believe this demonstrates the wrong order I also spotted earlier. steakhal: I believe this demonstrates the wrong order I also spotted earlier.
		tbaederAuthorUnsubmitted Done Reply Inline Actions The current code generates the given CFG, i.e. the cleanup function comes first, followed by the dtor: [B1] 1: CFGScopeBegin(f) 2: (CXXConstructExpr, [B1.3], F) 3: F f __attribute__((cleanup(f_))); 4: CleanupFunction (f_) 5: [B1.3].~F() (Implicit destructor) 6: CFGScopeEnd(f) Preds (1): B2 Succs (1): B0 (The comment from Aaron is from before when I had the order swapped.) tbaeder: The current code generates the given CFG, i.e. the cleanup function comes first, followed by…
		// CHECK-NEXT: 6: CFGScopeEnd(f)
		// CHECK-NEXT: Preds (1): B2
		// CHECK-NEXT: Succs (1): B0
		class F {
		public:
		~F();
		aaronpuchertUnsubmitted Done Reply Inline Actions As with the cleanup function, a definition shouldn't be necessary. aaronpuchert: As with the cleanup function, a definition shouldn't be necessary.
		tbaederAuthorUnsubmitted Done Reply Inline Actions Is there a way to test whether the contents of the cleanup function are being checked as well? From these tests, I only know we consider them called, but not whether we (properly) analyze their bodies in the context as well. Or is that separate from this patch? tbaeder: Is there a way to test whether the contents of the cleanup function are being checked as well?
		aaronpuchertUnsubmitted Done Reply Inline Actions For now we're just adding a new element to the CFG and adapting the respective tests. The CFG is generated on a per-function basis, and the generation of one function's CFG will never look into another function's body. It might use some (declaration) properties of course, like whether it has `[[noreturn]]` or `noexcept`. Of course we should also generate a CFG for the cleanup function, but that's independent of this change. Users of the CFG will naturally need to be taught about this new element type to “understand” it. Otherwise they should simply skip it. Since the CFG previously did not contain such elements, there should be no change for them. So we can also initially just add the element and not tell anybody about it. We could also add understanding of the new element type to other CFG users, but you don't have to do this. If you only care about Thread Safety Analysis, then it's totally fine to handle it only there. But let's move all changes to Thread Safety Analysis into a follow-up, so that we don't have to bother the CFG maintainers with that. aaronpuchert: For now we're just adding a new element to the CFG and adapting the respective tests. The CFG…
		steakhalUnsubmitted Not Done Reply Inline Actions Speaking of `noreturn`, I think it is worth demonstrating that if the cleanup function has `noreturn` attribute, then the dtor is not called. steakhal: Speaking of `noreturn`, I think it is worth demonstrating that if the cleanup function has…
		tbaederAuthorUnsubmitted Done Reply Inline Actions Yeah, that does not work correctly right now. tbaeder: Yeah, that does not work correctly right now.
		};
		void cleanup_F(F *f);

		void test() {
		F f __attribute((cleanup(cleanup_F)));
		}

This is an archive of the discontinued LLVM Phabricator instance.

[clang][CFG] Cleanup functionsClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 557019

clang/include/clang/Analysis/CFG.h

clang/lib/Analysis/CFG.cpp

clang/lib/Analysis/PathDiagnostic.cpp

clang/lib/StaticAnalyzer/Core/ExprEngine.cpp

clang/test/Analysis/scopes-cfg-output.cpp

[clang][CFG] Cleanup functions
ClosedPublic