1 //=- AnalysisBasedWarnings.cpp - Sema warnings based on libAnalysis -*- C++ -*-=// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file defines analysis_warnings::[Policy,Executor]. 11 // Together they are used by Sema to issue warnings based on inexpensive 12 // static analysis algorithms in libAnalysis. 13 // 14 //===----------------------------------------------------------------------===// 15 16 #include "clang/Sema/AnalysisBasedWarnings.h" 17 #include "clang/Sema/SemaInternal.h" 18 #include "clang/Sema/ScopeInfo.h" 19 #include "clang/Basic/SourceManager.h" 20 #include "clang/Basic/SourceLocation.h" 21 #include "clang/Lex/Preprocessor.h" 22 #include "clang/AST/DeclObjC.h" 23 #include "clang/AST/DeclCXX.h" 24 #include "clang/AST/ExprObjC.h" 25 #include "clang/AST/ExprCXX.h" 26 #include "clang/AST/StmtObjC.h" 27 #include "clang/AST/StmtCXX.h" 28 #include "clang/AST/EvaluatedExprVisitor.h" 29 #include "clang/AST/StmtVisitor.h" 30 #include "clang/Analysis/AnalysisContext.h" 31 #include "clang/Analysis/CFG.h" 32 #include "clang/Analysis/Analyses/ReachableCode.h" 33 #include "clang/Analysis/Analyses/CFGReachabilityAnalysis.h" 34 #include "clang/Analysis/Analyses/ThreadSafety.h" 35 #include "clang/Analysis/CFGStmtMap.h" 36 #include "clang/Analysis/Analyses/UninitializedValues.h" 37 #include "llvm/ADT/BitVector.h" 38 #include "llvm/ADT/FoldingSet.h" 39 #include "llvm/ADT/ImmutableMap.h" 40 #include "llvm/ADT/PostOrderIterator.h" 41 #include "llvm/ADT/SmallVector.h" 42 #include "llvm/ADT/StringRef.h" 43 #include "llvm/Support/Casting.h" 44 #include <algorithm> 45 #include <vector> 46 47 using namespace clang; 48 49 //===----------------------------------------------------------------------===// 50 // Unreachable code analysis. 51 //===----------------------------------------------------------------------===// 52 53 namespace { 54 class UnreachableCodeHandler : public reachable_code::Callback { 55 Sema &S; 56 public: 57 UnreachableCodeHandler(Sema &s) : S(s) {} 58 59 void HandleUnreachable(SourceLocation L, SourceRange R1, SourceRange R2) { 60 S.Diag(L, diag::warn_unreachable) << R1 << R2; 61 } 62 }; 63 } 64 65 /// CheckUnreachable - Check for unreachable code. 66 static void CheckUnreachable(Sema &S, AnalysisDeclContext &AC) { 67 UnreachableCodeHandler UC(S); 68 reachable_code::FindUnreachableCode(AC, UC); 69 } 70 71 //===----------------------------------------------------------------------===// 72 // Check for missing return value. 73 //===----------------------------------------------------------------------===// 74 75 enum ControlFlowKind { 76 UnknownFallThrough, 77 NeverFallThrough, 78 MaybeFallThrough, 79 AlwaysFallThrough, 80 NeverFallThroughOrReturn 81 }; 82 83 /// CheckFallThrough - Check that we don't fall off the end of a 84 /// Statement that should return a value. 85 /// 86 /// \returns AlwaysFallThrough iff we always fall off the end of the statement, 87 /// MaybeFallThrough iff we might or might not fall off the end, 88 /// NeverFallThroughOrReturn iff we never fall off the end of the statement or 89 /// return. We assume NeverFallThrough iff we never fall off the end of the 90 /// statement but we may return. We assume that functions not marked noreturn 91 /// will return. 92 static ControlFlowKind CheckFallThrough(AnalysisDeclContext &AC) { 93 CFG *cfg = AC.getCFG(); 94 if (cfg == 0) return UnknownFallThrough; 95 96 // The CFG leaves in dead things, and we don't want the dead code paths to 97 // confuse us, so we mark all live things first. 98 llvm::BitVector live(cfg->getNumBlockIDs()); 99 unsigned count = reachable_code::ScanReachableFromBlock(&cfg->getEntry(), 100 live); 101 102 bool AddEHEdges = AC.getAddEHEdges(); 103 if (!AddEHEdges && count != cfg->getNumBlockIDs()) 104 // When there are things remaining dead, and we didn't add EH edges 105 // from CallExprs to the catch clauses, we have to go back and 106 // mark them as live. 107 for (CFG::iterator I = cfg->begin(), E = cfg->end(); I != E; ++I) { 108 CFGBlock &b = **I; 109 if (!live[b.getBlockID()]) { 110 if (b.pred_begin() == b.pred_end()) { 111 if (b.getTerminator() && isa<CXXTryStmt>(b.getTerminator())) 112 // When not adding EH edges from calls, catch clauses 113 // can otherwise seem dead. Avoid noting them as dead. 114 count += reachable_code::ScanReachableFromBlock(&b, live); 115 continue; 116 } 117 } 118 } 119 120 // Now we know what is live, we check the live precessors of the exit block 121 // and look for fall through paths, being careful to ignore normal returns, 122 // and exceptional paths. 123 bool HasLiveReturn = false; 124 bool HasFakeEdge = false; 125 bool HasPlainEdge = false; 126 bool HasAbnormalEdge = false; 127 128 // Ignore default cases that aren't likely to be reachable because all 129 // enums in a switch(X) have explicit case statements. 130 CFGBlock::FilterOptions FO; 131 FO.IgnoreDefaultsWithCoveredEnums = 1; 132 133 for (CFGBlock::filtered_pred_iterator 134 I = cfg->getExit().filtered_pred_start_end(FO); I.hasMore(); ++I) { 135 const CFGBlock& B = **I; 136 if (!live[B.getBlockID()]) 137 continue; 138 139 // Skip blocks which contain an element marked as no-return. They don't 140 // represent actually viable edges into the exit block, so mark them as 141 // abnormal. 142 if (B.hasNoReturnElement()) { 143 HasAbnormalEdge = true; 144 continue; 145 } 146 147 // Destructors can appear after the 'return' in the CFG. This is 148 // normal. We need to look pass the destructors for the return 149 // statement (if it exists). 150 CFGBlock::const_reverse_iterator ri = B.rbegin(), re = B.rend(); 151 152 for ( ; ri != re ; ++ri) 153 if (isa<CFGStmt>(*ri)) 154 break; 155 156 // No more CFGElements in the block? 157 if (ri == re) { 158 if (B.getTerminator() && isa<CXXTryStmt>(B.getTerminator())) { 159 HasAbnormalEdge = true; 160 continue; 161 } 162 // A labeled empty statement, or the entry block... 163 HasPlainEdge = true; 164 continue; 165 } 166 167 CFGStmt CS = cast<CFGStmt>(*ri); 168 const Stmt *S = CS.getStmt(); 169 if (isa<ReturnStmt>(S)) { 170 HasLiveReturn = true; 171 continue; 172 } 173 if (isa<ObjCAtThrowStmt>(S)) { 174 HasFakeEdge = true; 175 continue; 176 } 177 if (isa<CXXThrowExpr>(S)) { 178 HasFakeEdge = true; 179 continue; 180 } 181 if (const AsmStmt *AS = dyn_cast<AsmStmt>(S)) { 182 if (AS->isMSAsm()) { 183 HasFakeEdge = true; 184 HasLiveReturn = true; 185 continue; 186 } 187 } 188 if (isa<CXXTryStmt>(S)) { 189 HasAbnormalEdge = true; 190 continue; 191 } 192 if (std::find(B.succ_begin(), B.succ_end(), &cfg->getExit()) 193 == B.succ_end()) { 194 HasAbnormalEdge = true; 195 continue; 196 } 197 198 HasPlainEdge = true; 199 } 200 if (!HasPlainEdge) { 201 if (HasLiveReturn) 202 return NeverFallThrough; 203 return NeverFallThroughOrReturn; 204 } 205 if (HasAbnormalEdge || HasFakeEdge || HasLiveReturn) 206 return MaybeFallThrough; 207 // This says AlwaysFallThrough for calls to functions that are not marked 208 // noreturn, that don't return. If people would like this warning to be more 209 // accurate, such functions should be marked as noreturn. 210 return AlwaysFallThrough; 211 } 212 213 namespace { 214 215 struct CheckFallThroughDiagnostics { 216 unsigned diag_MaybeFallThrough_HasNoReturn; 217 unsigned diag_MaybeFallThrough_ReturnsNonVoid; 218 unsigned diag_AlwaysFallThrough_HasNoReturn; 219 unsigned diag_AlwaysFallThrough_ReturnsNonVoid; 220 unsigned diag_NeverFallThroughOrReturn; 221 enum { Function, Block, Lambda } funMode; 222 SourceLocation FuncLoc; 223 224 static CheckFallThroughDiagnostics MakeForFunction(const Decl *Func) { 225 CheckFallThroughDiagnostics D; 226 D.FuncLoc = Func->getLocation(); 227 D.diag_MaybeFallThrough_HasNoReturn = 228 diag::warn_falloff_noreturn_function; 229 D.diag_MaybeFallThrough_ReturnsNonVoid = 230 diag::warn_maybe_falloff_nonvoid_function; 231 D.diag_AlwaysFallThrough_HasNoReturn = 232 diag::warn_falloff_noreturn_function; 233 D.diag_AlwaysFallThrough_ReturnsNonVoid = 234 diag::warn_falloff_nonvoid_function; 235 236 // Don't suggest that virtual functions be marked "noreturn", since they 237 // might be overridden by non-noreturn functions. 238 bool isVirtualMethod = false; 239 if (const CXXMethodDecl *Method = dyn_cast<CXXMethodDecl>(Func)) 240 isVirtualMethod = Method->isVirtual(); 241 242 // Don't suggest that template instantiations be marked "noreturn" 243 bool isTemplateInstantiation = false; 244 if (const FunctionDecl *Function = dyn_cast<FunctionDecl>(Func)) 245 isTemplateInstantiation = Function->isTemplateInstantiation(); 246 247 if (!isVirtualMethod && !isTemplateInstantiation) 248 D.diag_NeverFallThroughOrReturn = 249 diag::warn_suggest_noreturn_function; 250 else 251 D.diag_NeverFallThroughOrReturn = 0; 252 253 D.funMode = Function; 254 return D; 255 } 256 257 static CheckFallThroughDiagnostics MakeForBlock() { 258 CheckFallThroughDiagnostics D; 259 D.diag_MaybeFallThrough_HasNoReturn = 260 diag::err_noreturn_block_has_return_expr; 261 D.diag_MaybeFallThrough_ReturnsNonVoid = 262 diag::err_maybe_falloff_nonvoid_block; 263 D.diag_AlwaysFallThrough_HasNoReturn = 264 diag::err_noreturn_block_has_return_expr; 265 D.diag_AlwaysFallThrough_ReturnsNonVoid = 266 diag::err_falloff_nonvoid_block; 267 D.diag_NeverFallThroughOrReturn = 268 diag::warn_suggest_noreturn_block; 269 D.funMode = Block; 270 return D; 271 } 272 273 static CheckFallThroughDiagnostics MakeForLambda() { 274 CheckFallThroughDiagnostics D; 275 D.diag_MaybeFallThrough_HasNoReturn = 276 diag::err_noreturn_lambda_has_return_expr; 277 D.diag_MaybeFallThrough_ReturnsNonVoid = 278 diag::warn_maybe_falloff_nonvoid_lambda; 279 D.diag_AlwaysFallThrough_HasNoReturn = 280 diag::err_noreturn_lambda_has_return_expr; 281 D.diag_AlwaysFallThrough_ReturnsNonVoid = 282 diag::warn_falloff_nonvoid_lambda; 283 D.diag_NeverFallThroughOrReturn = 0; 284 D.funMode = Lambda; 285 return D; 286 } 287 288 bool checkDiagnostics(DiagnosticsEngine &D, bool ReturnsVoid, 289 bool HasNoReturn) const { 290 if (funMode == Function) { 291 return (ReturnsVoid || 292 D.getDiagnosticLevel(diag::warn_maybe_falloff_nonvoid_function, 293 FuncLoc) == DiagnosticsEngine::Ignored) 294 && (!HasNoReturn || 295 D.getDiagnosticLevel(diag::warn_noreturn_function_has_return_expr, 296 FuncLoc) == DiagnosticsEngine::Ignored) 297 && (!ReturnsVoid || 298 D.getDiagnosticLevel(diag::warn_suggest_noreturn_block, FuncLoc) 299 == DiagnosticsEngine::Ignored); 300 } 301 302 // For blocks / lambdas. 303 return ReturnsVoid && !HasNoReturn 304 && ((funMode == Lambda) || 305 D.getDiagnosticLevel(diag::warn_suggest_noreturn_block, FuncLoc) 306 == DiagnosticsEngine::Ignored); 307 } 308 }; 309 310 } 311 312 /// CheckFallThroughForFunctionDef - Check that we don't fall off the end of a 313 /// function that should return a value. Check that we don't fall off the end 314 /// of a noreturn function. We assume that functions and blocks not marked 315 /// noreturn will return. 316 static void CheckFallThroughForBody(Sema &S, const Decl *D, const Stmt *Body, 317 const BlockExpr *blkExpr, 318 const CheckFallThroughDiagnostics& CD, 319 AnalysisDeclContext &AC) { 320 321 bool ReturnsVoid = false; 322 bool HasNoReturn = false; 323 324 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D)) { 325 ReturnsVoid = FD->getResultType()->isVoidType(); 326 HasNoReturn = FD->hasAttr<NoReturnAttr>() || 327 FD->getType()->getAs<FunctionType>()->getNoReturnAttr(); 328 } 329 else if (const ObjCMethodDecl *MD = dyn_cast<ObjCMethodDecl>(D)) { 330 ReturnsVoid = MD->getResultType()->isVoidType(); 331 HasNoReturn = MD->hasAttr<NoReturnAttr>(); 332 } 333 else if (isa<BlockDecl>(D)) { 334 QualType BlockTy = blkExpr->getType(); 335 if (const FunctionType *FT = 336 BlockTy->getPointeeType()->getAs<FunctionType>()) { 337 if (FT->getResultType()->isVoidType()) 338 ReturnsVoid = true; 339 if (FT->getNoReturnAttr()) 340 HasNoReturn = true; 341 } 342 } 343 344 DiagnosticsEngine &Diags = S.getDiagnostics(); 345 346 // Short circuit for compilation speed. 347 if (CD.checkDiagnostics(Diags, ReturnsVoid, HasNoReturn)) 348 return; 349 350 // FIXME: Function try block 351 if (const CompoundStmt *Compound = dyn_cast<CompoundStmt>(Body)) { 352 switch (CheckFallThrough(AC)) { 353 case UnknownFallThrough: 354 break; 355 356 case MaybeFallThrough: 357 if (HasNoReturn) 358 S.Diag(Compound->getRBracLoc(), 359 CD.diag_MaybeFallThrough_HasNoReturn); 360 else if (!ReturnsVoid) 361 S.Diag(Compound->getRBracLoc(), 362 CD.diag_MaybeFallThrough_ReturnsNonVoid); 363 break; 364 case AlwaysFallThrough: 365 if (HasNoReturn) 366 S.Diag(Compound->getRBracLoc(), 367 CD.diag_AlwaysFallThrough_HasNoReturn); 368 else if (!ReturnsVoid) 369 S.Diag(Compound->getRBracLoc(), 370 CD.diag_AlwaysFallThrough_ReturnsNonVoid); 371 break; 372 case NeverFallThroughOrReturn: 373 if (ReturnsVoid && !HasNoReturn && CD.diag_NeverFallThroughOrReturn) { 374 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D)) { 375 S.Diag(Compound->getLBracLoc(), CD.diag_NeverFallThroughOrReturn) 376 << 0 << FD; 377 } else if (const ObjCMethodDecl *MD = dyn_cast<ObjCMethodDecl>(D)) { 378 S.Diag(Compound->getLBracLoc(), CD.diag_NeverFallThroughOrReturn) 379 << 1 << MD; 380 } else { 381 S.Diag(Compound->getLBracLoc(), CD.diag_NeverFallThroughOrReturn); 382 } 383 } 384 break; 385 case NeverFallThrough: 386 break; 387 } 388 } 389 } 390 391 //===----------------------------------------------------------------------===// 392 // -Wuninitialized 393 //===----------------------------------------------------------------------===// 394 395 namespace { 396 /// ContainsReference - A visitor class to search for references to 397 /// a particular declaration (the needle) within any evaluated component of an 398 /// expression (recursively). 399 class ContainsReference : public EvaluatedExprVisitor<ContainsReference> { 400 bool FoundReference; 401 const DeclRefExpr *Needle; 402 403 public: 404 ContainsReference(ASTContext &Context, const DeclRefExpr *Needle) 405 : EvaluatedExprVisitor<ContainsReference>(Context), 406 FoundReference(false), Needle(Needle) {} 407 408 void VisitExpr(Expr *E) { 409 // Stop evaluating if we already have a reference. 410 if (FoundReference) 411 return; 412 413 EvaluatedExprVisitor<ContainsReference>::VisitExpr(E); 414 } 415 416 void VisitDeclRefExpr(DeclRefExpr *E) { 417 if (E == Needle) 418 FoundReference = true; 419 else 420 EvaluatedExprVisitor<ContainsReference>::VisitDeclRefExpr(E); 421 } 422 423 bool doesContainReference() const { return FoundReference; } 424 }; 425 } 426 427 static bool SuggestInitializationFixit(Sema &S, const VarDecl *VD) { 428 QualType VariableTy = VD->getType().getCanonicalType(); 429 if (VariableTy->isBlockPointerType() && 430 !VD->hasAttr<BlocksAttr>()) { 431 S.Diag(VD->getLocation(), diag::note_block_var_fixit_add_initialization) << VD->getDeclName() 432 << FixItHint::CreateInsertion(VD->getLocation(), "__block "); 433 return true; 434 } 435 436 // Don't issue a fixit if there is already an initializer. 437 if (VD->getInit()) 438 return false; 439 440 // Suggest possible initialization (if any). 441 const char *Init = S.getFixItZeroInitializerForType(VariableTy); 442 if (!Init) 443 return false; 444 SourceLocation Loc = S.PP.getLocForEndOfToken(VD->getLocEnd()); 445 446 S.Diag(Loc, diag::note_var_fixit_add_initialization) << VD->getDeclName() 447 << FixItHint::CreateInsertion(Loc, Init); 448 return true; 449 } 450 451 /// DiagnoseUninitializedUse -- Helper function for diagnosing uses of an 452 /// uninitialized variable. This manages the different forms of diagnostic 453 /// emitted for particular types of uses. Returns true if the use was diagnosed 454 /// as a warning. If a pariticular use is one we omit warnings for, returns 455 /// false. 456 static bool DiagnoseUninitializedUse(Sema &S, const VarDecl *VD, 457 const Expr *E, bool isAlwaysUninit, 458 bool alwaysReportSelfInit = false) { 459 bool isSelfInit = false; 460 461 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) { 462 if (isAlwaysUninit) { 463 // Inspect the initializer of the variable declaration which is 464 // being referenced prior to its initialization. We emit 465 // specialized diagnostics for self-initialization, and we 466 // specifically avoid warning about self references which take the 467 // form of: 468 // 469 // int x = x; 470 // 471 // This is used to indicate to GCC that 'x' is intentionally left 472 // uninitialized. Proven code paths which access 'x' in 473 // an uninitialized state after this will still warn. 474 // 475 // TODO: Should we suppress maybe-uninitialized warnings for 476 // variables initialized in this way? 477 if (const Expr *Initializer = VD->getInit()) { 478 if (!alwaysReportSelfInit && DRE == Initializer->IgnoreParenImpCasts()) 479 return false; 480 481 ContainsReference CR(S.Context, DRE); 482 CR.Visit(const_cast<Expr*>(Initializer)); 483 isSelfInit = CR.doesContainReference(); 484 } 485 if (isSelfInit) { 486 S.Diag(DRE->getLocStart(), 487 diag::warn_uninit_self_reference_in_init) 488 << VD->getDeclName() << VD->getLocation() << DRE->getSourceRange(); 489 } else { 490 S.Diag(DRE->getLocStart(), diag::warn_uninit_var) 491 << VD->getDeclName() << DRE->getSourceRange(); 492 } 493 } else { 494 S.Diag(DRE->getLocStart(), diag::warn_maybe_uninit_var) 495 << VD->getDeclName() << DRE->getSourceRange(); 496 } 497 } else { 498 const BlockExpr *BE = cast<BlockExpr>(E); 499 if (VD->getType()->isBlockPointerType() && 500 !VD->hasAttr<BlocksAttr>()) 501 S.Diag(BE->getLocStart(), diag::warn_uninit_byref_blockvar_captured_by_block) 502 << VD->getDeclName(); 503 else 504 S.Diag(BE->getLocStart(), 505 isAlwaysUninit ? diag::warn_uninit_var_captured_by_block 506 : diag::warn_maybe_uninit_var_captured_by_block) 507 << VD->getDeclName(); 508 } 509 510 // Report where the variable was declared when the use wasn't within 511 // the initializer of that declaration & we didn't already suggest 512 // an initialization fixit. 513 if (!isSelfInit && !SuggestInitializationFixit(S, VD)) 514 S.Diag(VD->getLocStart(), diag::note_uninit_var_def) 515 << VD->getDeclName(); 516 517 return true; 518 } 519 520 typedef std::pair<const Expr*, bool> UninitUse; 521 522 namespace { 523 struct SLocSort { 524 bool operator()(const UninitUse &a, const UninitUse &b) { 525 SourceLocation aLoc = a.first->getLocStart(); 526 SourceLocation bLoc = b.first->getLocStart(); 527 return aLoc.getRawEncoding() < bLoc.getRawEncoding(); 528 } 529 }; 530 531 class UninitValsDiagReporter : public UninitVariablesHandler { 532 Sema &S; 533 typedef SmallVector<UninitUse, 2> UsesVec; 534 typedef llvm::DenseMap<const VarDecl *, std::pair<UsesVec*, bool> > UsesMap; 535 UsesMap *uses; 536 537 public: 538 UninitValsDiagReporter(Sema &S) : S(S), uses(0) {} 539 ~UninitValsDiagReporter() { 540 flushDiagnostics(); 541 } 542 543 std::pair<UsesVec*, bool> &getUses(const VarDecl *vd) { 544 if (!uses) 545 uses = new UsesMap(); 546 547 UsesMap::mapped_type &V = (*uses)[vd]; 548 UsesVec *&vec = V.first; 549 if (!vec) 550 vec = new UsesVec(); 551 552 return V; 553 } 554 555 void handleUseOfUninitVariable(const Expr *ex, const VarDecl *vd, 556 bool isAlwaysUninit) { 557 getUses(vd).first->push_back(std::make_pair(ex, isAlwaysUninit)); 558 } 559 560 void handleSelfInit(const VarDecl *vd) { 561 getUses(vd).second = true; 562 } 563 564 void flushDiagnostics() { 565 if (!uses) 566 return; 567 568 for (UsesMap::iterator i = uses->begin(), e = uses->end(); i != e; ++i) { 569 const VarDecl *vd = i->first; 570 const UsesMap::mapped_type &V = i->second; 571 572 UsesVec *vec = V.first; 573 bool hasSelfInit = V.second; 574 575 // Specially handle the case where we have uses of an uninitialized 576 // variable, but the root cause is an idiomatic self-init. We want 577 // to report the diagnostic at the self-init since that is the root cause. 578 if (!vec->empty() && hasSelfInit && hasAlwaysUninitializedUse(vec)) 579 DiagnoseUninitializedUse(S, vd, vd->getInit()->IgnoreParenCasts(), 580 /* isAlwaysUninit */ true, 581 /* alwaysReportSelfInit */ true); 582 else { 583 // Sort the uses by their SourceLocations. While not strictly 584 // guaranteed to produce them in line/column order, this will provide 585 // a stable ordering. 586 std::sort(vec->begin(), vec->end(), SLocSort()); 587 588 for (UsesVec::iterator vi = vec->begin(), ve = vec->end(); vi != ve; 589 ++vi) { 590 if (DiagnoseUninitializedUse(S, vd, vi->first, 591 /*isAlwaysUninit=*/vi->second)) 592 // Skip further diagnostics for this variable. We try to warn only 593 // on the first point at which a variable is used uninitialized. 594 break; 595 } 596 } 597 598 // Release the uses vector. 599 delete vec; 600 } 601 delete uses; 602 } 603 604 private: 605 static bool hasAlwaysUninitializedUse(const UsesVec* vec) { 606 for (UsesVec::const_iterator i = vec->begin(), e = vec->end(); i != e; ++i) { 607 if (i->second) { 608 return true; 609 } 610 } 611 return false; 612 } 613 }; 614 } 615 616 617 //===----------------------------------------------------------------------===// 618 // -Wthread-safety 619 //===----------------------------------------------------------------------===// 620 namespace clang { 621 namespace thread_safety { 622 typedef llvm::SmallVector<PartialDiagnosticAt, 1> OptionalNotes; 623 typedef std::pair<PartialDiagnosticAt, OptionalNotes> DelayedDiag; 624 typedef std::list<DelayedDiag> DiagList; 625 626 struct SortDiagBySourceLocation { 627 SourceManager &SM; 628 SortDiagBySourceLocation(SourceManager &SM) : SM(SM) {} 629 630 bool operator()(const DelayedDiag &left, const DelayedDiag &right) { 631 // Although this call will be slow, this is only called when outputting 632 // multiple warnings. 633 return SM.isBeforeInTranslationUnit(left.first.first, right.first.first); 634 } 635 }; 636 637 namespace { 638 class ThreadSafetyReporter : public clang::thread_safety::ThreadSafetyHandler { 639 Sema &S; 640 DiagList Warnings; 641 SourceLocation FunLocation, FunEndLocation; 642 643 // Helper functions 644 void warnLockMismatch(unsigned DiagID, Name LockName, SourceLocation Loc) { 645 // Gracefully handle rare cases when the analysis can't get a more 646 // precise source location. 647 if (!Loc.isValid()) 648 Loc = FunLocation; 649 PartialDiagnosticAt Warning(Loc, S.PDiag(DiagID) << LockName); 650 Warnings.push_back(DelayedDiag(Warning, OptionalNotes())); 651 } 652 653 public: 654 ThreadSafetyReporter(Sema &S, SourceLocation FL, SourceLocation FEL) 655 : S(S), FunLocation(FL), FunEndLocation(FEL) {} 656 657 /// \brief Emit all buffered diagnostics in order of sourcelocation. 658 /// We need to output diagnostics produced while iterating through 659 /// the lockset in deterministic order, so this function orders diagnostics 660 /// and outputs them. 661 void emitDiagnostics() { 662 Warnings.sort(SortDiagBySourceLocation(S.getSourceManager())); 663 for (DiagList::iterator I = Warnings.begin(), E = Warnings.end(); 664 I != E; ++I) { 665 S.Diag(I->first.first, I->first.second); 666 const OptionalNotes &Notes = I->second; 667 for (unsigned NoteI = 0, NoteN = Notes.size(); NoteI != NoteN; ++NoteI) 668 S.Diag(Notes[NoteI].first, Notes[NoteI].second); 669 } 670 } 671 672 void handleInvalidLockExp(SourceLocation Loc) { 673 PartialDiagnosticAt Warning(Loc, 674 S.PDiag(diag::warn_cannot_resolve_lock) << Loc); 675 Warnings.push_back(DelayedDiag(Warning, OptionalNotes())); 676 } 677 void handleUnmatchedUnlock(Name LockName, SourceLocation Loc) { 678 warnLockMismatch(diag::warn_unlock_but_no_lock, LockName, Loc); 679 } 680 681 void handleDoubleLock(Name LockName, SourceLocation Loc) { 682 warnLockMismatch(diag::warn_double_lock, LockName, Loc); 683 } 684 685 void handleMutexHeldEndOfScope(Name LockName, SourceLocation LocLocked, 686 SourceLocation LocEndOfScope, 687 LockErrorKind LEK){ 688 unsigned DiagID = 0; 689 switch (LEK) { 690 case LEK_LockedSomePredecessors: 691 DiagID = diag::warn_lock_some_predecessors; 692 break; 693 case LEK_LockedSomeLoopIterations: 694 DiagID = diag::warn_expecting_lock_held_on_loop; 695 break; 696 case LEK_LockedAtEndOfFunction: 697 DiagID = diag::warn_no_unlock; 698 break; 699 } 700 if (LocEndOfScope.isInvalid()) 701 LocEndOfScope = FunEndLocation; 702 703 PartialDiagnosticAt Warning(LocEndOfScope, S.PDiag(DiagID) << LockName); 704 PartialDiagnosticAt Note(LocLocked, S.PDiag(diag::note_locked_here)); 705 Warnings.push_back(DelayedDiag(Warning, OptionalNotes(1, Note))); 706 } 707 708 709 void handleExclusiveAndShared(Name LockName, SourceLocation Loc1, 710 SourceLocation Loc2) { 711 PartialDiagnosticAt Warning( 712 Loc1, S.PDiag(diag::warn_lock_exclusive_and_shared) << LockName); 713 PartialDiagnosticAt Note( 714 Loc2, S.PDiag(diag::note_lock_exclusive_and_shared) << LockName); 715 Warnings.push_back(DelayedDiag(Warning, OptionalNotes(1, Note))); 716 } 717 718 void handleNoMutexHeld(const NamedDecl *D, ProtectedOperationKind POK, 719 AccessKind AK, SourceLocation Loc) { 720 assert((POK == POK_VarAccess || POK == POK_VarDereference) 721 && "Only works for variables"); 722 unsigned DiagID = POK == POK_VarAccess? 723 diag::warn_variable_requires_any_lock: 724 diag::warn_var_deref_requires_any_lock; 725 PartialDiagnosticAt Warning(Loc, S.PDiag(DiagID) 726 << D->getName() << getLockKindFromAccessKind(AK)); 727 Warnings.push_back(DelayedDiag(Warning, OptionalNotes())); 728 } 729 730 void handleMutexNotHeld(const NamedDecl *D, ProtectedOperationKind POK, 731 Name LockName, LockKind LK, SourceLocation Loc) { 732 unsigned DiagID = 0; 733 switch (POK) { 734 case POK_VarAccess: 735 DiagID = diag::warn_variable_requires_lock; 736 break; 737 case POK_VarDereference: 738 DiagID = diag::warn_var_deref_requires_lock; 739 break; 740 case POK_FunctionCall: 741 DiagID = diag::warn_fun_requires_lock; 742 break; 743 } 744 PartialDiagnosticAt Warning(Loc, S.PDiag(DiagID) 745 << D->getName() << LockName << LK); 746 Warnings.push_back(DelayedDiag(Warning, OptionalNotes())); 747 } 748 749 void handleFunExcludesLock(Name FunName, Name LockName, SourceLocation Loc) { 750 PartialDiagnosticAt Warning(Loc, 751 S.PDiag(diag::warn_fun_excludes_mutex) << FunName << LockName); 752 Warnings.push_back(DelayedDiag(Warning, OptionalNotes())); 753 } 754 }; 755 } 756 } 757 } 758 759 //===----------------------------------------------------------------------===// 760 // AnalysisBasedWarnings - Worker object used by Sema to execute analysis-based 761 // warnings on a function, method, or block. 762 //===----------------------------------------------------------------------===// 763 764 clang::sema::AnalysisBasedWarnings::Policy::Policy() { 765 enableCheckFallThrough = 1; 766 enableCheckUnreachable = 0; 767 enableThreadSafetyAnalysis = 0; 768 } 769 770 clang::sema::AnalysisBasedWarnings::AnalysisBasedWarnings(Sema &s) 771 : S(s), 772 NumFunctionsAnalyzed(0), 773 NumFunctionsWithBadCFGs(0), 774 NumCFGBlocks(0), 775 MaxCFGBlocksPerFunction(0), 776 NumUninitAnalysisFunctions(0), 777 NumUninitAnalysisVariables(0), 778 MaxUninitAnalysisVariablesPerFunction(0), 779 NumUninitAnalysisBlockVisits(0), 780 MaxUninitAnalysisBlockVisitsPerFunction(0) { 781 DiagnosticsEngine &D = S.getDiagnostics(); 782 DefaultPolicy.enableCheckUnreachable = (unsigned) 783 (D.getDiagnosticLevel(diag::warn_unreachable, SourceLocation()) != 784 DiagnosticsEngine::Ignored); 785 DefaultPolicy.enableThreadSafetyAnalysis = (unsigned) 786 (D.getDiagnosticLevel(diag::warn_double_lock, SourceLocation()) != 787 DiagnosticsEngine::Ignored); 788 789 } 790 791 static void flushDiagnostics(Sema &S, sema::FunctionScopeInfo *fscope) { 792 for (SmallVectorImpl<sema::PossiblyUnreachableDiag>::iterator 793 i = fscope->PossiblyUnreachableDiags.begin(), 794 e = fscope->PossiblyUnreachableDiags.end(); 795 i != e; ++i) { 796 const sema::PossiblyUnreachableDiag &D = *i; 797 S.Diag(D.Loc, D.PD); 798 } 799 } 800 801 void clang::sema:: 802 AnalysisBasedWarnings::IssueWarnings(sema::AnalysisBasedWarnings::Policy P, 803 sema::FunctionScopeInfo *fscope, 804 const Decl *D, const BlockExpr *blkExpr) { 805 806 // We avoid doing analysis-based warnings when there are errors for 807 // two reasons: 808 // (1) The CFGs often can't be constructed (if the body is invalid), so 809 // don't bother trying. 810 // (2) The code already has problems; running the analysis just takes more 811 // time. 812 DiagnosticsEngine &Diags = S.getDiagnostics(); 813 814 // Do not do any analysis for declarations in system headers if we are 815 // going to just ignore them. 816 if (Diags.getSuppressSystemWarnings() && 817 S.SourceMgr.isInSystemHeader(D->getLocation())) 818 return; 819 820 // For code in dependent contexts, we'll do this at instantiation time. 821 if (cast<DeclContext>(D)->isDependentContext()) 822 return; 823 824 if (Diags.hasErrorOccurred() || Diags.hasFatalErrorOccurred()) { 825 // Flush out any possibly unreachable diagnostics. 826 flushDiagnostics(S, fscope); 827 return; 828 } 829 830 const Stmt *Body = D->getBody(); 831 assert(Body); 832 833 AnalysisDeclContext AC(/* AnalysisDeclContextManager */ 0, D, 0); 834 835 // Don't generate EH edges for CallExprs as we'd like to avoid the n^2 836 // explosion for destrutors that can result and the compile time hit. 837 AC.getCFGBuildOptions().PruneTriviallyFalseEdges = true; 838 AC.getCFGBuildOptions().AddEHEdges = false; 839 AC.getCFGBuildOptions().AddInitializers = true; 840 AC.getCFGBuildOptions().AddImplicitDtors = true; 841 842 // Force that certain expressions appear as CFGElements in the CFG. This 843 // is used to speed up various analyses. 844 // FIXME: This isn't the right factoring. This is here for initial 845 // prototyping, but we need a way for analyses to say what expressions they 846 // expect to always be CFGElements and then fill in the BuildOptions 847 // appropriately. This is essentially a layering violation. 848 if (P.enableCheckUnreachable || P.enableThreadSafetyAnalysis) { 849 // Unreachable code analysis and thread safety require a linearized CFG. 850 AC.getCFGBuildOptions().setAllAlwaysAdd(); 851 } 852 else { 853 AC.getCFGBuildOptions() 854 .setAlwaysAdd(Stmt::BinaryOperatorClass) 855 .setAlwaysAdd(Stmt::BlockExprClass) 856 .setAlwaysAdd(Stmt::CStyleCastExprClass) 857 .setAlwaysAdd(Stmt::DeclRefExprClass) 858 .setAlwaysAdd(Stmt::ImplicitCastExprClass) 859 .setAlwaysAdd(Stmt::UnaryOperatorClass); 860 } 861 862 // Construct the analysis context with the specified CFG build options. 863 864 // Emit delayed diagnostics. 865 if (!fscope->PossiblyUnreachableDiags.empty()) { 866 bool analyzed = false; 867 868 // Register the expressions with the CFGBuilder. 869 for (SmallVectorImpl<sema::PossiblyUnreachableDiag>::iterator 870 i = fscope->PossiblyUnreachableDiags.begin(), 871 e = fscope->PossiblyUnreachableDiags.end(); 872 i != e; ++i) { 873 if (const Stmt *stmt = i->stmt) 874 AC.registerForcedBlockExpression(stmt); 875 } 876 877 if (AC.getCFG()) { 878 analyzed = true; 879 for (SmallVectorImpl<sema::PossiblyUnreachableDiag>::iterator 880 i = fscope->PossiblyUnreachableDiags.begin(), 881 e = fscope->PossiblyUnreachableDiags.end(); 882 i != e; ++i) 883 { 884 const sema::PossiblyUnreachableDiag &D = *i; 885 bool processed = false; 886 if (const Stmt *stmt = i->stmt) { 887 const CFGBlock *block = AC.getBlockForRegisteredExpression(stmt); 888 CFGReverseBlockReachabilityAnalysis *cra = 889 AC.getCFGReachablityAnalysis(); 890 // FIXME: We should be able to assert that block is non-null, but 891 // the CFG analysis can skip potentially-evaluated expressions in 892 // edge cases; see test/Sema/vla-2.c. 893 if (block && cra) { 894 // Can this block be reached from the entrance? 895 if (cra->isReachable(&AC.getCFG()->getEntry(), block)) 896 S.Diag(D.Loc, D.PD); 897 processed = true; 898 } 899 } 900 if (!processed) { 901 // Emit the warning anyway if we cannot map to a basic block. 902 S.Diag(D.Loc, D.PD); 903 } 904 } 905 } 906 907 if (!analyzed) 908 flushDiagnostics(S, fscope); 909 } 910 911 912 // Warning: check missing 'return' 913 if (P.enableCheckFallThrough) { 914 const CheckFallThroughDiagnostics &CD = 915 (isa<BlockDecl>(D) ? CheckFallThroughDiagnostics::MakeForBlock() 916 : (isa<CXXMethodDecl>(D) && 917 cast<CXXMethodDecl>(D)->getOverloadedOperator() == OO_Call && 918 cast<CXXMethodDecl>(D)->getParent()->isLambda()) 919 ? CheckFallThroughDiagnostics::MakeForLambda() 920 : CheckFallThroughDiagnostics::MakeForFunction(D)); 921 CheckFallThroughForBody(S, D, Body, blkExpr, CD, AC); 922 } 923 924 // Warning: check for unreachable code 925 if (P.enableCheckUnreachable) { 926 // Only check for unreachable code on non-template instantiations. 927 // Different template instantiations can effectively change the control-flow 928 // and it is very difficult to prove that a snippet of code in a template 929 // is unreachable for all instantiations. 930 bool isTemplateInstantiation = false; 931 if (const FunctionDecl *Function = dyn_cast<FunctionDecl>(D)) 932 isTemplateInstantiation = Function->isTemplateInstantiation(); 933 if (!isTemplateInstantiation) 934 CheckUnreachable(S, AC); 935 } 936 937 // Check for thread safety violations 938 if (P.enableThreadSafetyAnalysis) { 939 SourceLocation FL = AC.getDecl()->getLocation(); 940 SourceLocation FEL = AC.getDecl()->getLocEnd(); 941 thread_safety::ThreadSafetyReporter Reporter(S, FL, FEL); 942 thread_safety::runThreadSafetyAnalysis(AC, Reporter); 943 Reporter.emitDiagnostics(); 944 } 945 946 if (Diags.getDiagnosticLevel(diag::warn_uninit_var, D->getLocStart()) 947 != DiagnosticsEngine::Ignored || 948 Diags.getDiagnosticLevel(diag::warn_maybe_uninit_var, D->getLocStart()) 949 != DiagnosticsEngine::Ignored) { 950 if (CFG *cfg = AC.getCFG()) { 951 UninitValsDiagReporter reporter(S); 952 UninitVariablesAnalysisStats stats; 953 std::memset(&stats, 0, sizeof(UninitVariablesAnalysisStats)); 954 runUninitializedVariablesAnalysis(*cast<DeclContext>(D), *cfg, AC, 955 reporter, stats); 956 957 if (S.CollectStats && stats.NumVariablesAnalyzed > 0) { 958 ++NumUninitAnalysisFunctions; 959 NumUninitAnalysisVariables += stats.NumVariablesAnalyzed; 960 NumUninitAnalysisBlockVisits += stats.NumBlockVisits; 961 MaxUninitAnalysisVariablesPerFunction = 962 std::max(MaxUninitAnalysisVariablesPerFunction, 963 stats.NumVariablesAnalyzed); 964 MaxUninitAnalysisBlockVisitsPerFunction = 965 std::max(MaxUninitAnalysisBlockVisitsPerFunction, 966 stats.NumBlockVisits); 967 } 968 } 969 } 970 971 // Collect statistics about the CFG if it was built. 972 if (S.CollectStats && AC.isCFGBuilt()) { 973 ++NumFunctionsAnalyzed; 974 if (CFG *cfg = AC.getCFG()) { 975 // If we successfully built a CFG for this context, record some more 976 // detail information about it. 977 NumCFGBlocks += cfg->getNumBlockIDs(); 978 MaxCFGBlocksPerFunction = std::max(MaxCFGBlocksPerFunction, 979 cfg->getNumBlockIDs()); 980 } else { 981 ++NumFunctionsWithBadCFGs; 982 } 983 } 984 } 985 986 void clang::sema::AnalysisBasedWarnings::PrintStats() const { 987 llvm::errs() << "\n*** Analysis Based Warnings Stats:\n"; 988 989 unsigned NumCFGsBuilt = NumFunctionsAnalyzed - NumFunctionsWithBadCFGs; 990 unsigned AvgCFGBlocksPerFunction = 991 !NumCFGsBuilt ? 0 : NumCFGBlocks/NumCFGsBuilt; 992 llvm::errs() << NumFunctionsAnalyzed << " functions analyzed (" 993 << NumFunctionsWithBadCFGs << " w/o CFGs).\n" 994 << " " << NumCFGBlocks << " CFG blocks built.\n" 995 << " " << AvgCFGBlocksPerFunction 996 << " average CFG blocks per function.\n" 997 << " " << MaxCFGBlocksPerFunction 998 << " max CFG blocks per function.\n"; 999 1000 unsigned AvgUninitVariablesPerFunction = !NumUninitAnalysisFunctions ? 0 1001 : NumUninitAnalysisVariables/NumUninitAnalysisFunctions; 1002 unsigned AvgUninitBlockVisitsPerFunction = !NumUninitAnalysisFunctions ? 0 1003 : NumUninitAnalysisBlockVisits/NumUninitAnalysisFunctions; 1004 llvm::errs() << NumUninitAnalysisFunctions 1005 << " functions analyzed for uninitialiazed variables\n" 1006 << " " << NumUninitAnalysisVariables << " variables analyzed.\n" 1007 << " " << AvgUninitVariablesPerFunction 1008 << " average variables per function.\n" 1009 << " " << MaxUninitAnalysisVariablesPerFunction 1010 << " max variables per function.\n" 1011 << " " << NumUninitAnalysisBlockVisits << " block visits.\n" 1012 << " " << AvgUninitBlockVisitsPerFunction 1013 << " average block visits per function.\n" 1014 << " " << MaxUninitAnalysisBlockVisitsPerFunction 1015 << " max block visits per function.\n"; 1016 } 1017
