[RFC] Perform lifetime bound checks for arguments to coroutine

[usx95]

This idea was introduced in RFC: Lifetime bound checks for parameters of coroutine

The plan here is to gather comments, and if the direction looks good, then introduce a formal clang annotation clang::lifetimebound_coroutine as part of this change.

[github-actions]

✅ With the latest revision this PR passed the C/C++ code formatter.

[ChuanqiXu9]

Thanks for bringing this! I didn't notice the post in discourse and I'll put higher level comments there.

[ChuanqiXu9]

How is this implemented? I mean how can we don't emit warnings to co_await foo_coro(1) but emit warnings to auto unsafe1 = foo_coro(1);? This is not showed in this patch itself.

I envision the reason may be that we will copy the parameters at the beginning of the coroutines. If it is indeed the reason, then it smells bad. Since the behavior depends that behavior implicitly.

For example, the behavior of co_await foo_coro(); depends on the implementation of the corresponding awaiter. It is completely possible that co_await foo_coro(); doing exactly the same thing with a standalone foo_coro();. But we may emit warnings for one place but not the other one.

[usx95]

This is because co_await expr is equivalent to auto x = SomeFunc(foo_coro(1));
(func is await_transform for co_await).
This is safe because temporary lives as long as the SomeFunc call. This same reasoning can be applied to co_await as the temporary lives in the coroutine frame as long as the coroutine co_awaits.

The only implementation of awaiter that could be problematic and go undetected is when it schedules the foo_coro on another thread and resumes the awaiting coroutine before foo_coro is finished.

[bcardosolopes]

I don't think you need this to find if a record is a "coroutine type", there are other ways, for example:

if (rec->getDeclName().isIdentifier() && rec->getName() == "promise_type") {
....

[usx95]

This was implemented in #72851 and #71945. Closing this.