Yes, I think we should validate this by an assertion if we can. We can check this by walking the cleanup scope stack (walk from CurrentCleanupScopeDepth to EHScopeStack::stable_end()) and making sure that there is no "problematic" enclosing cleanup scope. Here, "problematic" would mean any scope other than an EHCleanupScope containing only CallLifetimeEnd cleanups.

Looking at the kinds of cleanups that we might encounter here, I think there may be a few more things that Sema needs to check in order to not get in the way of exception handling. In particular, I think we should reject if the callee is potentially-throwing and the musttail call is inside a try block or a function that's either noexcept or has a dynamic exception specification.

Oh, also, we should disallow musttail calls inside statement expressions, in order to defend against cleanups that exist transiently within an expression.

The more I think about this, the more it makes me nervous: if any of the Emit*CallExpr functions below incidentally emit a call on the way to producing their results via the CGCall machinery, and do so without recursing through this function, that incidental call will be emitted as a tail call instead of the intended one. Specifically:

• I could imagine a block call involving multiple function calls, depending on the blocks ABI.
• I could imagine a member call performing a function call to convert from derived to virtual base in some ABIs.
• A CUDA kernel call in general involves calling a setup function before the actual function call happens (and it doesn't make sense for a CUDA kernel call to be a tail call anyway...)
• A call to a builtin can result in any number of function calls.
• If any expression in the function arguments emits a call without calling back into this function, we'll emit that call as a tail call instead of this one. Eg, [[clang::musttail]] return f(dynamic_cast<T*>(p)); might emit the call to __cxa_dynamic_cast as the tail call instead of emitting the call to f as the tail call, depending on whether the CGCall machinery is used when emitting the __cxa_dynamic_cast call.

Is it feasible to sink this check into the CodeGenFunction::EmitCall overload that takes a CallExpr, CodeGenFunction::EmitCXXMemberOrOperatorCall, and CodeGenFunction::EmitCXXMemberPointerCallExpr, after we've emitted the callee and call args? It looks like we might be able to check this immediately before calling the CGCall overload of EmitCall, so we could pass in the 'musttail' information as a flag or similar instead of using global state in the CodeGenFunction object; if so, it'd be much easier to be confident that we're applying the attribute to the right call.

It's a bit awkward, but I think we should delay this check until after the others -- complaining about non-trivial destruction seems beside the point if the returned value isn't a function call.

Also, the diagnostic text for this error seems narrower than the cases it covers. For example:

void f(const char*);
void g(const char *s) {
  [[clang::musttail]] return f((s + "foo"s).c_str());
}

would be diagnosed as "attribute requires that the return type and all arguments are trivially destructible", and they are; the problem is that the return value creates a temporary object with non-trivial destruction.

For completeness, can we also get a CHECK-NEXT: ret void here too?

I'm having trouble implementing the check because there doesn't appear to be any discriminator in EHScopeStack::Cleanup that will let you test if it is a CallLifetimeEnd. (The actual code just does virtual dispatch through EHScopeStack::Cleanup::Emit().

I temporarily implemented this by adding an extra virtual function to act as discriminator. The check fires if a VLA is in scope:

int Func14(int x) {
  int vla[x];
  [[clang::musttail]] return Bar(x);
}

Do we need to forbid VLAs or do I need to refine the check?

It appears that JumpDiagnostics.cpp is already diagnosing statement expressions and try. However I could not get testing to work. I tried adding a test with try but even with -fexceptions I am getting:

cannot use 'try' with exceptions disabled

Done. It's feeling like IsMustTail, callOrInvoke, and Loc might want to get collapsed into an options struct, especially given the default parameters on the first two. Maybe could do as a follow up?

I turned on LLVM verification via opt so I think this should get verified by the IR verifier. Is that sufficient?

One thing I'd add:

If the callee is a virtual function that is implemented by a thunk, there is no guarantee in general that the thunk tail-calls the implementation of the virtual function, so such a call in a recursive cycle can still result in unbounded stack growth.

Do we need to forbid VLAs or do I need to refine the check?

Assuming that LLVM supports musttail calls from functions where a dynamic alloca is in scope, I think we should allow VLAs. The musttail documentation doesn't mention this, so I think its OK, and I can't think of a good reason why you wouldn't be able to musttail call due to a variably-sized frame.

Perhaps a good model would be to add a virtual function to permit asking a cleanup whether it's optional / skippable.

I could not get testing to work.

You need -fcxx-exceptions to use try. At the -cc1 level, we have essentially-orthogonal settings for "it's valid for exceptions to unwind through this code" (-fexceptions) and "C++ exception handling syntax is permitted" (-fcxx-exceptions), and you usually need to enable both for CodeGen tests involving exceptions.

Given the potential for mismatch between the JumpDiagnostics checks and this one, especially as new more exotic kinds of cleanup are added, I wonder if we should use an ErrorUnsupported here instead of an assert.

I strongly suspect we can still reach the problematic case here for a tail call in a statement expression. I don't think it's feasible to check for all the ways that an arbitrary expression context can have pending cleanups, which we'd need in order to produce precise Sema diagnostics for that, so either we handle that here or we blanket reject all musttail returns in statement expressions. I think either approach is probably acceptable.

I would have thought this assert would fire for void f() { [[clang::musttail]] return; }. If so, we should reject this case with a diagnostic.

IgnoreUnlessSpelledInSource is a syntactic check that's only really intended for tooling use cases; I think we want something a bit more semantic here, so IgnoreImplicitAsWritten would be more appropriate.

I think it would be reasonable to also skip "parentheses" here (which we treat as also including things like C's _Generic). Would Ex->IgnoreImplicitAsWritten()->IgnoreParens() work?

If we're going to skip elidable copy construction of the result here (which I think we should), should we also reflect that in the AST? Perhaps we should strip the return value down to being just the call expression? I'm thinking in particular of things like building in C++14 or before with -fno-elide-constructors, where code generation for a by-value return of a class object will synthesize a local temporary to hold the result, with a final destination copy emitted after the call. (Testcase: struct A { A(const A&); }; A f(); A g() { [[clang::musttail]] return f(); } with -fno-elide-constructors.)

A call expression doesn't necessarily have a known callee declaration. I would expect this assert to fire on a case like:

void f() {
  void (*p)() = f;
  [[clang::musttail]] return p();
}

We should reject this with a diagnostic.

Please pass in a flag here so the diagnostic can %select and produce a more specific description of the problem.

There are a couple of other contexts that can include a return statement: the caller could also be an ObjCMethodDecl (an Objective-C method) or a CapturedDecl (the body of a #pragma omp parallel region). I'd probably use a specific diagnostic ("cannot be used from a block" / "cannot be used from an Objective-C function") for the block and ObjCMethod case, and a nonsepcific-but-correct "cannot be used from this context" for anything else.

We don't like Clang's tests depending on opt in general, but I think in this case it's an acceptable crutch until we fix Clang to run the verifier on its IR output again (as discussed offline, it looks like we lost that as part of the transition to the new pass manager). Please add a FIXME to remove the call to opt once that bug is fixed. Other than that, I'm fine with this approach.

Or maybe instead of "is optional / skippable", the right question is, "is this redundant if we're about to return?" That way we could potentially one day reuse the same mechanism to also skip emitting such cleanups when emitting a cleanup path into the return block.

Yes, I think ErrorUnsupported is a much better idea.

Blocks ought to be extremely straightforward to support. Just validate that the tail call is to a block pointer and then compare the underlying function types line up in the same way. You will need to be able to verify that there isn't a non-trivial conversion on the return types, even if the return type isn't known at this point in the function, but that's a problem in C++ as well due to lambdas and auto deduced return types.

Also, you can use isa<...> for checks like this instead of dyn_cast<...>.

It'd be nice if we could nail down "similar" somewhat. I don't know if int and short are similar (due to promotions) or const int and int are similar, etc.

Not only is this not usable with K&R C declarations, but it's also not usable with ... variadic functions either, right?

I disagree that ActOnAttributedStmt() is the correct place for this checking -- template checking should occur when the template is instantiated, same as happens for declaration attributes. I'd like to see this functionality moved to SemaStmtAttr.cpp. Keeping the attribute logic together and following the same patterns is what allows us to tablegenerate more of the attribute logic. Statement attributes are just starting to get more such automation.

Scratch the part about JumpDiagnostics, that was me failing to call S.setFunctionHasMustTail(). I added that and now the JumpDiagnostics tests pass.

But the template test cases still fail, and I can't find any hook point in SemaStmtAttr.cpp that will let me evaluate these checks at template instantiation time.

I think there's a bit of an architectural mixup, but I'm curious if @rsmith agrees before anyone starts doing work to make changes.

When transforming declarations, RebuildWhatever() calls the ActOnWhatever() function which calls ProcessDeclAttributeList() so that attributes are processed. RebuildAttributedStmt() similarly calls ActOnAttributedStmt(). However, ActOnAttributedStmt() doesn't call ProcessStmtAttributes() -- the logic is reversed so that ProcessStmtAttributes() is what calls ActOnAttributedStmt().

I think the correct answer is to switch the logic so that ActOnAttributedStmt() calls ProcessStmtAttributes(), then the template logic should automatically work.

I think the correct answer is to switch the logic so that ActOnAttributedStmt() calls ProcessStmtAttributes()

I think this would require ProcessStmtAttributes() to be split into two separate functions. Currently that function is doing two separate things:

1. Translation of ParsedAttr into various subclasses of Attr.
2. Validation that the attribute is semantically valid.

The function signature for ActOnAttributedStmt() uses Attr (not ParsedAttr), so (1) must happen during the parse, before ActOnAttributedStmt() is called. But (2) must be deferred until template instantiation time for some cases, like musttail.

I don't think the signature for ActOnAttributedStmt() is correct to use Attr instead of ParsedAttr. I think it should be StmtResult ActOnAttributedStmt(const ParsedAttributesViewWithRange &AttrList, Stmt *SubStmt); -- this likely requires a fair bit of surgery to make work though, which is why I'd like to hear from @rsmith if he agrees with the approach. In the meantime, I'll play around with this idea locally in more depth.

I think my suggestion wasn't quite right, but close. I've got a patch in progress that changes this the way I was thinking it should be changed, but it won't call ActOnAttributedStmt() when doing template instantiation. Instead, it will continue to instantiate attributes explicitly by calling TransformAttr() and any additional instantiation time checks will require you to add a TreeTransfor::TransformWhateverAttr() to do the actual instantiation work (which is similar to how the declaration attributes work in Sema::InstantiateAttrs()).

I hope to put up a patch for review for these changes today or tomorrow. It'd be interesting to know whether they make your life easier or harder though, if you don't mind taking a look and seeing how well (or poorly) they integrate with your changes here.

You can find that review at https://reviews.llvm.org/D99896.

I think the ideal model would be that we form a FooAttr from the user-supplied attribute description in an ActOn* function from the parser, and have a separate template instantiation mechanism to instantiate FooAttr objects, and those methods are unaware of the subject of the attribute. Then we have a separate mechanism to attach an attribute to its subjects that is used by both parsing and template instantiation. But I suspect there are reasons that doesn't work in practice -- where we need to know something about the subject in order to know how to form the FooAttr. That being the case, it probably makes most sense to model the formation and application of a FooAttr as a single process.

it won't call ActOnAttributedStmt() when doing template instantiation

Good -- not calling ActOn* during template instantiation is the right choice in general -- the ActOn* functions are only supposed to be called from parsing, with a Build* added if the parsing and template instantiation paths would share code (we sometimes shortcut that when the ActOn* and Build* would be identical, but I think that's turned out to be a mistake).

any additional instantiation time checks will require you to add a TreeTransform::TransformWhateverAttr() to do the actual instantiation work

That sounds appropriate to me in general. Are you expecting that this function would also be given the (transformed and perhaps original) subject of the attribute?

IgnoreImplicitAsWritten() doesn't skip ExprWithCleanups

That sounds like a bug. Are you sure? It looks like IgnoreImplicitAsWrittenSingleStep calls IgnoreImplicitSingleStep which calls IgnoreImplicitCastsSingleStep which skips FullExpr, and ExprWithCleanups is a kind of FullExpr.

To clarify, are you suggesting that we allow musttail through elidable copy constructors on the return value, even if -fno-elide-constructors is set? ie. we consider that musttail overrides the -fno-elide-constructors option on the command line?

Yes, I think the musttail attribute should override -fno-elide-constructors, because that's necessary in order to provide the tail call the user requested (and the local setting should override the global one). This is probably worth adding to the documentation.

(Also, -fno-elide-constructors is only supposed to affect code generation, not language semantics or program validity, so I think either we should always reject if a constructor call is required for the return value, regardless of whether it's elidable, or we should never reject in that case, and either way this determination should be made independent of the setting of -fno-elide-constructors. Given that choice, it seems more useful to bias towards the common case (-felide-constructors).)

Would it be possible to defer that refactoring until after this change is in? There are a lot of other issues to resolve on this review as it is, and throwing a potential refactoring into the mix is making it a lot harder to get this into a state where it can be landed.

Once it's in I'm happy to collaborate on the other review.

I'm fine with that -- my suggestion would be to ignore the template instantiation validation for the moment (add tests with FIXME comments where the behavior isn't what you want) and then when I get you the functionality you need to have more unified checking, you can refactor it at that time.

Done. I tried to summarize the C++ concept of "similar" types as defined in https://eel.is/c++draft/conv.qual#2 and implemented in https://clang.llvm.org/doxygen/classclang_1_1ASTContext.html#a1b1b3b7a67a30fd817ba85454780d8ad

I would strongly prefer to submit correct code (that validates templates) and leave a FIXME to make it pretty, rather than submit pretty code and leave a FIXME to make it correct.

I think this case will work actually, the callee decl in this case is just the function pointer, which seems appropriate and type checks correctly.

I added a test for this.

Tail calls to a block are indeed straightforward and are handled below. This check is for tail calls from a block, which I tried to add support for but didn't have much luck (in particular, during parsing of a block I wasn't able to get good type information for the block).

I'd probably use a specific diagnostic ("cannot be used from a block" / "cannot be used from an Objective-C function") for the block and ObjCMethod case, and a nonsepcific-but-correct "cannot be used from this context" for anything else.

I implemented this as requested. I wasn't able to test OpenMP as you apparently can't return from an OpenMP block.

I'm okay with that so long as the follow-up work actually happens (not to suggest that you plan to ignore the request!). "This is functional but not pretty" has a risk of becoming enshrined behavior as priorities shift, whereas "this is incomplete" generally does not.

Please add a FIXME comment here just to make sure it's clear we want the code to move in the future.

I added a FIXME. Just to set expectations, I'm happy to work with you on updating this code to fit your planned refactoring (either by offering comments/suggestions on a review by you or creating my own follow-up review per your suggestions). But I'll need a fair amount of input from you, since I don't fully grok what you find objectionable about the current code or what your desired end state is.

Thanks for the FIXME. I'm totally happy to iterate with you on the refactoring. Mostly, it involves testing whether https://reviews.llvm.org/D99983 provides you with enough contextual information when performing template instantiation for you to be able to put the attribute checking logic into the right places.

The objectionable bit about the current approach is that ActOnAttributedStmt()/BuildAttributedStmt() are general functions for attributed statements that should not be doing per-attribute diagnostic work (this won't scale well as more statement attributes get added). My preferred approach based on what you have already is to call checkMustTailAttr() from handleMustTailAttr(), and call it from TreeTransform.h in a new TransformMustTailAttr() function when doing template instantiation (this part is what requires the other patch to land first).

Sounds good. I will follow up with you on https://reviews.llvm.org/D99983.

Can we somehow avoid talking about ARC where it's not relevant? While it'd be nice to be more precise here, my main concern is that we shouldn't be mentioning ARC to people for whom it's not a meaningful term (eg, when not compiling Objective-C or Objective-C++). Perhaps the simplest approach would be to only mention ARC if getLangOpts().ObjCAutoRefCount is set?

IgnoreImplicitAsWritten should already skip over implicit elidable constructors, so I would imagine this is skipping over elidable explicit constructor calls (eg, [[musttail]] return T(make()); would perform a tail-call to make()). Is that what we want?

In the case where we're forcibly eliding a constructor, we'll need to emit a return statement that returns musttail call expression here rather than emitting the original substatement. Otherwise the tail call we emit will be initializing a local temporary rather than initializing our return slot. Eg, given:

struct A {
  A(const A&);
  ~A();
  char data[32];
};
A f();
A g() {
  [[clang::musttail]] return f();
}

under -fno-elide-constructors when targeting C++11, say, we'll normally lower that into something like:

void f(A *return_slot);
void g(A *return_slot) {
  A temporary; //uninitialized
  f(&temporary); // call f
  A::A(return_slot, temporary); // call copy constructor to copy into return slot
}

... and with the current patch, it looks like we'll add a 'ret void' after the call to f, leaving g's return slot uninitialized and passing an address into f that refers to a variable that will no longer exist once f is called. We need to instead lower to:

void f(A *return_slot);
void g(A *return_slot) {
  f(return_slot); // call f
}

Probably the easiest way to do this would be to change the return value on the ReturnStmt to be the tail-called CallExpr when attaching the attribute.

This worries me slightly -- not all CallExpr objects have a callee declaration (https://github.com/llvm/llvm-project/blob/main/clang/lib/AST/Expr.cpp#L1367). That said, I'm struggling to come up with an example that isn't covered so this may be fine.

It'd be better not to go through the cast machinery twice -- you cast to the MemberPointerType and then cast to the same thing again (but in a different way).

This can be removed entirely.

I'm not certain if I should take a shower after writing that code or not, but it's one potential way not to perform the cast twice.

If that code is too odious for others, we should at least change the dyn_cast<> in the else if to be an isa<>.

I changed dyn_cast<> to isa<>. If @rsmith concurs about the dyn_cast_or_null<> variant I'll switch to that.

I think this would be clearer, assuming it's equivalent (and if it's not equivalent, I think it'd be useful to include a comment explaining why).

This loop is problematic: it's generally not safe to modify an expression that is used as a subexpression of another expression. (Modifying the ReturnStmt is, by contrast, much less problematic because the properties of a statement have less complex dependencies on the properties of its subexpressions.) In particular, if there were any implicit conversions here that changed the type or value category or similar, the enclosing parentheses would have the wrong type / value category / similar. Also there are possibilities here other than CallExpr and ParenExpr, such as anything else that we consider to be "parentheses" (such as a GenericSelectionExpr).

But I think this loop should never be necessary, because all implicit conversions should always be on the outside of the parentheses. Do you have a testcase that needs it?

... would be more in line with our normal idioms.

This assert is incorrect. It would fail for a case like:

using T = int();
T *f();
int g() { [[clang::musttail]] return f()(); }

... where there is no declaration associated with the function pointer returned by f().

I think instead of looking for a callee declaration, you should instead inspect the callee expression. You can distinguish between a member function call and a non-member call by looking at the type of the callee. Perhaps the simplest way would be to distinguish between three cases:

(1) There is a callee declaration, which is a member function: this is a direct call to a member function; you can use the type of the callee declaration for your check.
(2) The callee expression is (after skipping parens) a pointer-to-member access operator (BinaryOperator::isPtrMemOp); you can use the type of the RHS operand (which will be a pointer to member function) for your check.
(3) Anything else: this is a non-member-function call, and you can directly inspect the type of the callee without caring about the callee declaration. (You might still find the type is not a function type at this stage, which indicates this is some kind of special form. In particular, it could be a BuiltinType::BoundMember for a pseudo-destructor call. I'm not sure if there are currently any other special cases that make it this far; there might not be, because most such cases are dependent.)

Use getAs rather than dyn_cast to look through type sugar. For example, in

void (f)() { [[clang::musttail]] return f(); }

... the type of f is a ParenType, not a FunctionProtoType.

You need to use getAs<MemberPointerType> here not isa in order to look through type sugar (eg, typedefs).

However, as noted above, a call via a member pointer doesn't necessarily have a CalleeDecl, so you'll need to do this check by looking for a callee expression that's the right kind of BinaryOperator instead.

This is a C++ test so it should be in CodeGenCXX.

It turns out that we consider p to be the callee decl in this case, so we'll need a better example :)

This doesn't include enough of the output to be able to tell if we've generated correct code. Can you also include the define ... line, showing that %agg.result is the name of the first parameter?

This should be in SemaCXX.

Please add a FIXME to this; it seems like a bug that we can't tell the difference between needing to run a destructor for the return value and needing to run a destructor for some other temporary created in the return statement.

The "is a member of different class (expected void" seems surprising here. Can we customize the diagnostic to instead say that we can't musttail from a non-member to a member (and vice versa for the other case)?

Please also test the pseudo-destructor case:

void f() {
  int n;
  using T = int;
  [[clang::musttail]] return n.~T();
}

I agree, that sounds like a nice cleanup. Delaying this to a future change makes sense to me.

You shouldn't need the const in the argument to cast, and we generally omit it; cast copies the pointer/referenceness and qualifiers from its argument anyway, and the explicit const in the type of R seems sufficient for readers. (I'm not even sure if cast intends to permit explicit qualfiiers here.)

I think this isa<CapturedDecl> check is redundant, because a CapturedDecl is not a FunctionDecl, so CallerDecl will always be null when CurContext is a CapturedDecl.

Even in invalid code we should never see a CallExpr whose callee has a null type; if Sema can't form an Expr that meets the normal expression invariants during error recovery, it doesn't build one at all. I think you can remove this if.

Given that we don't care about differences in qualifiers, it might be clearer to not include them in the diagnostics.

Without this if(), I crash on this test case. What do you think?

struct TestBadPMF {
  int (TestBadPMF::*pmf)();
  void BadPMF() {
    [[clang::musttail]] return ((*this)->*pmf)(); // expected-error {{left hand operand to ->* must be a pointer to class compatible with the right hand operand, but is 'TestBadPMF'}}
  }
};

Dump of CalleeExpr is:

RecoveryExpr 0x106671e8 '<dependent type>' contains-errors lvalue
|-ParenExpr 0x10667020 'struct TestBadPMF' lvalue
| `-UnaryOperator 0x10667008 'struct TestBadPMF' lvalue prefix '*' cannot overflow
|   `-CXXThisExpr 0x10666ff8 'struct TestBadPMF *' this
`-MemberExpr 0x10667050 'int (struct TestBadPMF::*)(void)' lvalue ->pmf 0x10666ed0
  `-CXXThisExpr 0x10667040 'struct TestBadPMF *' implicit this

Ah, right, while the callee will always have a non-null type, that type might not be a pointer type.

I think what we're missing here is a check for a dependent callee; checking for a dependent context isn't enough to check for error-dependent constructs. Probably the simplest thing would be to change the isDependentContext() checks to also check if the return expression isInstantiationDependent(). (That would only help with the error-dependent cases for now, but we'd also need that extra check in the future if anything like http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2021/p2277r0.html goes forward, allowing dependent constructs in non-dependent contexts, especially in combination with http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2019/p1306r1.pdf.)

I reported a related issue. I wander if this is easy to fix. https://github.com/llvm/llvm-project/issues/53087.