[CIR][CodeGen] Emit RunCleanupsScope's dtor properly for ExprWithCleanups (llvm#1581)

bruteforceboy · lanza · commit 250c11042282 · 2025-08-10T20:25:35.000-07:00
The following code snippet crashes during CIR CodeGen using `clang tmp.cpp -Xclang -emit-cir -S -o -`: ``` #include <vector> void foo() { std::vector<int> v(1); } ``` The crash is: ``` mlir::Operation* mlir::Block::getTerminator(): Assertion `mightHaveTerminator()' failed. ``` What happens is the scope created [here](https://github.com/llvm/clangir/blob/c7b27ece0971c632f2ebec26bc855ee9b118ffcc/clang/lib/CIR/CodeGen/CIRGenExprScalar.cpp#L2370C1-L2381C10) is malformed. The operations inside the scope using `--mlir-print-assume-verified` looks something like: ``` %0 = cir.alloca !cir.record<class "std::allocator<int>" padded {!cir.int<u, 8>} #cir.record.decl.ast>, !cir.ptr<!cir.record<class "std::allocator<int>" padded {!cir.int<u, 8>} #cir.record.decl.ast>>, ["ref.tmp0"] {alignment = 1 : i64} %1 = cir.load <<UNKNOWN SSA VALUE>> : !cir.ptr<!cir.int<u, 64>>, !cir.int<u, 64> %2 = cir.load <<UNKNOWN SSA VALUE>> : !cir.ptr<!cir.ptr<!cir.record<class "std::allocator<int>" padded {!cir.int<u, 8>} #cir.record.decl.ast>>>, !cir.ptr<!cir.record<class "std::allocator<int>" padded {!cir.int<u, 8>} #cir.record.decl.ast>> cir.call @_ZNSaIiEC1ERKS_(%0, %2) : (!cir.ptr<!cir.record<class "std::allocator<int>" padded {!cir.int<u, 8>} #cir.record.decl.ast>>, !cir.ptr<!cir.record<class "std::allocator<int>" padded {!cir.int<u, 8>} #cir.record.decl.ast>>) -> () extra(#cir<extra({nothrow = #cir.nothrow})>) %3 = cir.call @_ZNSt6vectorIiSaIiEE11_S_max_sizeERKS0_(%0) : (!cir.ptr<!cir.record<class "std::allocator<int>" padded {!cir.int<u, 8>} #cir.record.decl.ast>>) -> !cir.int<u, 64> extra(#cir<extra({nothrow = #cir.nothrow})>) %4 = cir.cmp(gt, %1, %3) : !cir.int<u, 64>, !cir.bool cir.yield %4 : !cir.bool cir.call @_ZNSaIiED1Ev(%0) : (!cir.ptr<!cir.record<class "std::allocator<int>" padded {!cir.int<u, 8>} #cir.record.decl.ast>>) -> () extra(#cir<extra({nothrow = #cir.nothrow})>) ``` `_ZNSaIiED1Ev` is `std::allocator<int>::~allocator()`. So, the destructor comes after the YieldOp has been created, which is wrong. The destructor comes from the destruction of [`RunCleanupScope`](https://github.com/llvm/clangir/blob/c7b27ece0971c632f2ebec26bc855ee9b118ffcc/clang/lib/CIR/CodeGen/CIRGenFunction.h#L1369) since `LexicalScope` inherits from it. RunCleanupsScope's dtor should come before the yield is created! This PR fixes this by calling `ForceCleanup` before creating the yield, so the YieldOp becomes the last operation in the scope. I found this bug using the code snippet above, but I have added a reduced version, using [creduce](https://github.com/csmith-project/creduce), as a test, because [std-cxx.h](https://github.com/llvm/clangir/blob/main/clang/test/CIR/Inputs/std-cxx.h) doesn't quite replicate `std::vector` correctly.
diff --git a/clang/lib/CIR/CodeGen/CIRGenExprScalar.cpp b/clang/lib/CIR/CodeGen/CIRGenExprScalar.cpp
@@ -2375,14 +2375,15 @@ mlir::Value ScalarExprEmitter::VisitExprWithCleanups(ExprWithCleanups *E) {
                                               builder.getInsertionBlock()};
         auto scopeYieldVal = Visit(E->getSubExpr());
         if (scopeYieldVal) {
+          // Defend against dominance problems caused by jumps out of expression
+          // evaluation through the shared cleanup block. We do not pass {&V} to
+          // ForceCleanup, because the scope returns an rvalue.
+          lexScope.ForceCleanup();
           builder.create<cir::YieldOp>(loc, scopeYieldVal);
           yieldTy = scopeYieldVal.getType();
         }
       });
 
-  // Defend against dominance problems caused by jumps out of expression
-  // evaluation through the shared cleanup block.
-  // TODO(cir): Scope.ForceCleanup({&V});
   return scope.getNumResults() > 0 ? scope->getResult(0) : nullptr;
 }
 
diff --git a/clang/test/CIR/CodeGen/dtors.cpp b/clang/test/CIR/CodeGen/dtors.cpp
@@ -78,3 +78,48 @@ class B : public A
 // CHECK:   }
 
 void foo() { B(); }
+
+class A2 {
+public:
+  ~A2();
+};
+
+struct B2 {
+  template <typename> using C = A2;
+};
+
+struct E {
+  typedef B2::C<int> D;
+};
+
+struct F {
+  F(long, A2);
+};
+
+class G : F {
+public:
+  A2 h;
+  G(long) : F(i(), h) {}
+  long i() { k(E::D()); };
+  long k(E::D);
+};
+
+int j;
+void m() { G l(j); }
+
+// CHECK: cir.func private @_ZN1G1kE2A2(!cir.ptr<!rec_G>, !rec_A2) -> !s64i
+// CHECK: cir.func linkonce_odr @_ZN1G1iEv(%arg0: !cir.ptr<!rec_G>
+// CHECK:   %[[V0:.*]] = cir.alloca !cir.ptr<!rec_G>, !cir.ptr<!cir.ptr<!rec_G>>, ["this", init] {alignment = 8 : i64}
+// CHECK:   %[[V1:.*]] = cir.alloca !s64i, !cir.ptr<!s64i>, ["__retval"] {alignment = 8 : i64}
+// CHECK:   cir.store %arg0, %[[V0]] : !cir.ptr<!rec_G>, !cir.ptr<!cir.ptr<!rec_G>>
+// CHECK:   %[[V2:.*]] = cir.load %[[V0]] : !cir.ptr<!cir.ptr<!rec_G>>, !cir.ptr<!rec_G>
+// CHECK:   %[[V3:.*]] = cir.scope {
+// CHECK:     %[[V4:.*]] = cir.alloca !rec_A2, !cir.ptr<!rec_A2>, ["agg.tmp0"] {alignment = 1 : i64}
+// CHECK:     cir.call @_ZN2A2C2Ev(%[[V4]]) : (!cir.ptr<!rec_A2>) -> ()
+// CHECK:     %[[V5:.*]] = cir.load %[[V4]] : !cir.ptr<!rec_A2>, !rec_A2
+// CHECK:     %[[V6:.*]] = cir.call @_ZN1G1kE2A2(%[[V2]], %[[V5]]) : (!cir.ptr<!rec_G>, !rec_A2) -> !s64i
+// CHECK:     cir.call @_ZN2A2D1Ev(%[[V4]]) : (!cir.ptr<!rec_A2>) -> ()
+// CHECK:     cir.yield %[[V6]] : !s64i
+// CHECK:   } : !s64i
+// CHECK:   cir.trap
+// CHECK: }
