1 //==- IdempotentOperationChecker.cpp - Idempotent Operations ----*- C++ -*-==// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file defines a set of path-sensitive checks for idempotent and/or 11 // tautological operations. Each potential operation is checked along all paths 12 // to see if every path results in a pointless operation. 13 // +-------------------------------------------+ 14 // |Table of idempotent/tautological operations| 15 // +-------------------------------------------+ 16 //+--------------------------------------------------------------------------+ 17 //|Operator | x op x | x op 1 | 1 op x | x op 0 | 0 op x | x op ~0 | ~0 op x | 18 //+--------------------------------------------------------------------------+ 19 // +, += | | | | x | x | | 20 // -, -= | | | | x | -x | | 21 // *, *= | | x | x | 0 | 0 | | 22 // /, /= | 1 | x | | N/A | 0 | | 23 // &, &= | x | | | 0 | 0 | x | x 24 // |, |= | x | | | x | x | ~0 | ~0 25 // ^, ^= | 0 | | | x | x | | 26 // <<, <<= | | | | x | 0 | | 27 // >>, >>= | | | | x | 0 | | 28 // || | 1 | 1 | 1 | x | x | 1 | 1 29 // && | 1 | x | x | 0 | 0 | x | x 30 // = | x | | | | | | 31 // == | 1 | | | | | | 32 // >= | 1 | | | | | | 33 // <= | 1 | | | | | | 34 // > | 0 | | | | | | 35 // < | 0 | | | | | | 36 // != | 0 | | | | | | 37 //===----------------------------------------------------------------------===// 38 // 39 // Things TODO: 40 // - Improved error messages 41 // - Handle mixed assumptions (which assumptions can belong together?) 42 // - Finer grained false positive control (levels) 43 // - Handling ~0 values 44 45 #include "ClangSACheckers.h" 46 #include "clang/AST/Stmt.h" 47 #include "clang/Analysis/Analyses/CFGReachabilityAnalysis.h" 48 #include "clang/Analysis/Analyses/PseudoConstantAnalysis.h" 49 #include "clang/Analysis/CFGStmtMap.h" 50 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h" 51 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 52 #include "clang/StaticAnalyzer/Core/Checker.h" 53 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 54 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 55 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h" 56 #include "clang/StaticAnalyzer/Core/PathSensitive/CoreEngine.h" 57 #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" 58 #include "llvm/ADT/BitVector.h" 59 #include "llvm/ADT/DenseMap.h" 60 #include "llvm/ADT/SmallSet.h" 61 #include "llvm/ADT/SmallString.h" 62 #include "llvm/Support/ErrorHandling.h" 63 #include "llvm/Support/raw_ostream.h" 64 65 using namespace clang; 66 using namespace ento; 67 68 namespace { 69 class IdempotentOperationChecker 70 : public Checker<check::PreStmt<BinaryOperator>, 71 check::PostStmt<BinaryOperator>, 72 check::EndAnalysis> { 73 public: 74 void checkPreStmt(const BinaryOperator *B, CheckerContext &C) const; 75 void checkPostStmt(const BinaryOperator *B, CheckerContext &C) const; 76 void checkEndAnalysis(ExplodedGraph &G, BugReporter &B,ExprEngine &Eng) const; 77 78 private: 79 // Our assumption about a particular operation. 80 enum Assumption { Possible = 0, Impossible, Equal, LHSis1, RHSis1, LHSis0, 81 RHSis0 }; 82 83 static void UpdateAssumption(Assumption &A, const Assumption &New); 84 85 // False positive reduction methods 86 static bool isSelfAssign(const Expr *LHS, const Expr *RHS); 87 static bool isUnused(const Expr *E, AnalysisDeclContext *AC); 88 static bool isTruncationExtensionAssignment(const Expr *LHS, 89 const Expr *RHS); 90 static bool pathWasCompletelyAnalyzed(AnalysisDeclContext *AC, 91 const CFGBlock *CB, 92 const CoreEngine &CE); 93 static bool CanVary(const Expr *Ex, 94 AnalysisDeclContext *AC); 95 static bool isConstantOrPseudoConstant(const DeclRefExpr *DR, 96 AnalysisDeclContext *AC); 97 static bool containsNonLocalVarDecl(const Stmt *S); 98 99 // Hash table and related data structures 100 struct BinaryOperatorData { 101 BinaryOperatorData() : assumption(Possible) {} 102 103 Assumption assumption; 104 ExplodedNodeSet explodedNodes; // Set of ExplodedNodes that refer to a 105 // BinaryOperator 106 }; 107 typedef llvm::DenseMap<const BinaryOperator *, BinaryOperatorData> 108 AssumptionMap; 109 mutable AssumptionMap hash; 110 mutable OwningPtr<BugType> BT; 111 }; 112 } 113 114 void IdempotentOperationChecker::checkPreStmt(const BinaryOperator *B, 115 CheckerContext &C) const { 116 // Find or create an entry in the hash for this BinaryOperator instance. 117 // If we haven't done a lookup before, it will get default initialized to 118 // 'Possible'. At this stage we do not store the ExplodedNode, as it has not 119 // been created yet. 120 BinaryOperatorData &Data = hash[B]; 121 Assumption &A = Data.assumption; 122 AnalysisDeclContext *AC = C.getCurrentAnalysisDeclContext(); 123 124 // If we already have visited this node on a path that does not contain an 125 // idempotent operation, return immediately. 126 if (A == Impossible) 127 return; 128 129 // Retrieve both sides of the operator and determine if they can vary (which 130 // may mean this is a false positive. 131 const Expr *LHS = B->getLHS(); 132 const Expr *RHS = B->getRHS(); 133 134 // At this stage we can calculate whether each side contains a false positive 135 // that applies to all operators. We only need to calculate this the first 136 // time. 137 bool LHSContainsFalsePositive = false, RHSContainsFalsePositive = false; 138 if (A == Possible) { 139 // An expression contains a false positive if it can't vary, or if it 140 // contains a known false positive VarDecl. 141 LHSContainsFalsePositive = !CanVary(LHS, AC) 142 || containsNonLocalVarDecl(LHS); 143 RHSContainsFalsePositive = !CanVary(RHS, AC) 144 || containsNonLocalVarDecl(RHS); 145 } 146 147 ProgramStateRef state = C.getState(); 148 const LocationContext *LCtx = C.getLocationContext(); 149 SVal LHSVal = state->getSVal(LHS, LCtx); 150 SVal RHSVal = state->getSVal(RHS, LCtx); 151 152 // If either value is unknown, we can't be 100% sure of all paths. 153 if (LHSVal.isUnknownOrUndef() || RHSVal.isUnknownOrUndef()) { 154 A = Impossible; 155 return; 156 } 157 BinaryOperator::Opcode Op = B->getOpcode(); 158 159 // Dereference the LHS SVal if this is an assign operation 160 switch (Op) { 161 default: 162 break; 163 164 // Fall through intentional 165 case BO_AddAssign: 166 case BO_SubAssign: 167 case BO_MulAssign: 168 case BO_DivAssign: 169 case BO_AndAssign: 170 case BO_OrAssign: 171 case BO_XorAssign: 172 case BO_ShlAssign: 173 case BO_ShrAssign: 174 case BO_Assign: 175 // Assign statements have one extra level of indirection 176 if (!LHSVal.getAs<Loc>()) { 177 A = Impossible; 178 return; 179 } 180 LHSVal = state->getSVal(LHSVal.castAs<Loc>(), LHS->getType()); 181 } 182 183 184 // We now check for various cases which result in an idempotent operation. 185 186 // x op x 187 switch (Op) { 188 default: 189 break; // We don't care about any other operators. 190 191 // Fall through intentional 192 case BO_Assign: 193 // x Assign x can be used to silence unused variable warnings intentionally. 194 // If this is a self assignment and the variable is referenced elsewhere, 195 // and the assignment is not a truncation or extension, then it is a false 196 // positive. 197 if (isSelfAssign(LHS, RHS)) { 198 if (!isUnused(LHS, AC) && !isTruncationExtensionAssignment(LHS, RHS)) { 199 UpdateAssumption(A, Equal); 200 return; 201 } 202 else { 203 A = Impossible; 204 return; 205 } 206 } 207 208 case BO_SubAssign: 209 case BO_DivAssign: 210 case BO_AndAssign: 211 case BO_OrAssign: 212 case BO_XorAssign: 213 case BO_Sub: 214 case BO_Div: 215 case BO_And: 216 case BO_Or: 217 case BO_Xor: 218 case BO_LOr: 219 case BO_LAnd: 220 case BO_EQ: 221 case BO_NE: 222 if (LHSVal != RHSVal || LHSContainsFalsePositive 223 || RHSContainsFalsePositive) 224 break; 225 UpdateAssumption(A, Equal); 226 return; 227 } 228 229 // x op 1 230 switch (Op) { 231 default: 232 break; // We don't care about any other operators. 233 234 // Fall through intentional 235 case BO_MulAssign: 236 case BO_DivAssign: 237 case BO_Mul: 238 case BO_Div: 239 case BO_LOr: 240 case BO_LAnd: 241 if (!RHSVal.isConstant(1) || RHSContainsFalsePositive) 242 break; 243 UpdateAssumption(A, RHSis1); 244 return; 245 } 246 247 // 1 op x 248 switch (Op) { 249 default: 250 break; // We don't care about any other operators. 251 252 // Fall through intentional 253 case BO_MulAssign: 254 case BO_Mul: 255 case BO_LOr: 256 case BO_LAnd: 257 if (!LHSVal.isConstant(1) || LHSContainsFalsePositive) 258 break; 259 UpdateAssumption(A, LHSis1); 260 return; 261 } 262 263 // x op 0 264 switch (Op) { 265 default: 266 break; // We don't care about any other operators. 267 268 // Fall through intentional 269 case BO_AddAssign: 270 case BO_SubAssign: 271 case BO_MulAssign: 272 case BO_AndAssign: 273 case BO_OrAssign: 274 case BO_XorAssign: 275 case BO_Add: 276 case BO_Sub: 277 case BO_Mul: 278 case BO_And: 279 case BO_Or: 280 case BO_Xor: 281 case BO_Shl: 282 case BO_Shr: 283 case BO_LOr: 284 case BO_LAnd: 285 if (!RHSVal.isConstant(0) || RHSContainsFalsePositive) 286 break; 287 UpdateAssumption(A, RHSis0); 288 return; 289 } 290 291 // 0 op x 292 switch (Op) { 293 default: 294 break; // We don't care about any other operators. 295 296 // Fall through intentional 297 //case BO_AddAssign: // Common false positive 298 case BO_SubAssign: // Check only if unsigned 299 case BO_MulAssign: 300 case BO_DivAssign: 301 case BO_AndAssign: 302 //case BO_OrAssign: // Common false positive 303 //case BO_XorAssign: // Common false positive 304 case BO_ShlAssign: 305 case BO_ShrAssign: 306 case BO_Add: 307 case BO_Sub: 308 case BO_Mul: 309 case BO_Div: 310 case BO_And: 311 case BO_Or: 312 case BO_Xor: 313 case BO_Shl: 314 case BO_Shr: 315 case BO_LOr: 316 case BO_LAnd: 317 if (!LHSVal.isConstant(0) || LHSContainsFalsePositive) 318 break; 319 UpdateAssumption(A, LHSis0); 320 return; 321 } 322 323 // If we get to this point, there has been a valid use of this operation. 324 A = Impossible; 325 } 326 327 // At the post visit stage, the predecessor ExplodedNode will be the 328 // BinaryOperator that was just created. We use this hook to collect the 329 // ExplodedNode. 330 void IdempotentOperationChecker::checkPostStmt(const BinaryOperator *B, 331 CheckerContext &C) const { 332 // Add the ExplodedNode we just visited 333 BinaryOperatorData &Data = hash[B]; 334 335 const Stmt *predStmt = 336 C.getPredecessor()->getLocation().castAs<StmtPoint>().getStmt(); 337 338 // Ignore implicit calls to setters. 339 if (!isa<BinaryOperator>(predStmt)) 340 return; 341 342 Data.explodedNodes.Add(C.getPredecessor()); 343 } 344 345 void IdempotentOperationChecker::checkEndAnalysis(ExplodedGraph &G, 346 BugReporter &BR, 347 ExprEngine &Eng) const { 348 if (!BT) 349 BT.reset(new BugType("Idempotent operation", "Dead code")); 350 351 // Iterate over the hash to see if we have any paths with definite 352 // idempotent operations. 353 for (AssumptionMap::const_iterator i = hash.begin(); i != hash.end(); ++i) { 354 // Unpack the hash contents 355 const BinaryOperatorData &Data = i->second; 356 const Assumption &A = Data.assumption; 357 const ExplodedNodeSet &ES = Data.explodedNodes; 358 359 // If there are no nodes accosted with the expression, nothing to report. 360 // FIXME: This is possible because the checker does part of processing in 361 // checkPreStmt and part in checkPostStmt. 362 if (ES.begin() == ES.end()) 363 continue; 364 365 const BinaryOperator *B = i->first; 366 367 if (A == Impossible) 368 continue; 369 370 // If the analyzer did not finish, check to see if we can still emit this 371 // warning 372 if (Eng.hasWorkRemaining()) { 373 // If we can trace back 374 AnalysisDeclContext *AC = (*ES.begin())->getLocationContext() 375 ->getAnalysisDeclContext(); 376 if (!pathWasCompletelyAnalyzed(AC, 377 AC->getCFGStmtMap()->getBlock(B), 378 Eng.getCoreEngine())) 379 continue; 380 } 381 382 // Select the error message and SourceRanges to report. 383 SmallString<128> buf; 384 llvm::raw_svector_ostream os(buf); 385 bool LHSRelevant = false, RHSRelevant = false; 386 switch (A) { 387 case Equal: 388 LHSRelevant = true; 389 RHSRelevant = true; 390 if (B->getOpcode() == BO_Assign) 391 os << "Assigned value is always the same as the existing value"; 392 else 393 os << "Both operands to '" << B->getOpcodeStr() 394 << "' always have the same value"; 395 break; 396 case LHSis1: 397 LHSRelevant = true; 398 os << "The left operand to '" << B->getOpcodeStr() << "' is always 1"; 399 break; 400 case RHSis1: 401 RHSRelevant = true; 402 os << "The right operand to '" << B->getOpcodeStr() << "' is always 1"; 403 break; 404 case LHSis0: 405 LHSRelevant = true; 406 os << "The left operand to '" << B->getOpcodeStr() << "' is always 0"; 407 break; 408 case RHSis0: 409 RHSRelevant = true; 410 os << "The right operand to '" << B->getOpcodeStr() << "' is always 0"; 411 break; 412 case Possible: 413 llvm_unreachable("Operation was never marked with an assumption"); 414 case Impossible: 415 llvm_unreachable(0); 416 } 417 418 // Add a report for each ExplodedNode 419 for (ExplodedNodeSet::iterator I = ES.begin(), E = ES.end(); I != E; ++I) { 420 BugReport *report = new BugReport(*BT, os.str(), *I); 421 422 // Add source ranges and visitor hooks 423 if (LHSRelevant) { 424 const Expr *LHS = i->first->getLHS(); 425 report->addRange(LHS->getSourceRange()); 426 FindLastStoreBRVisitor::registerStatementVarDecls(*report, LHS, false); 427 } 428 if (RHSRelevant) { 429 const Expr *RHS = i->first->getRHS(); 430 report->addRange(i->first->getRHS()->getSourceRange()); 431 FindLastStoreBRVisitor::registerStatementVarDecls(*report, RHS, false); 432 } 433 434 BR.emitReport(report); 435 } 436 } 437 438 hash.clear(); 439 } 440 441 // Updates the current assumption given the new assumption 442 inline void IdempotentOperationChecker::UpdateAssumption(Assumption &A, 443 const Assumption &New) { 444 // If the assumption is the same, there is nothing to do 445 if (A == New) 446 return; 447 448 switch (A) { 449 // If we don't currently have an assumption, set it 450 case Possible: 451 A = New; 452 return; 453 454 // If we have determined that a valid state happened, ignore the new 455 // assumption. 456 case Impossible: 457 return; 458 459 // Any other case means that we had a different assumption last time. We don't 460 // currently support mixing assumptions for diagnostic reasons, so we set 461 // our assumption to be impossible. 462 default: 463 A = Impossible; 464 return; 465 } 466 } 467 468 // Check for a statement where a variable is self assigned to possibly avoid an 469 // unused variable warning. 470 bool IdempotentOperationChecker::isSelfAssign(const Expr *LHS, const Expr *RHS) { 471 LHS = LHS->IgnoreParenCasts(); 472 RHS = RHS->IgnoreParenCasts(); 473 474 const DeclRefExpr *LHS_DR = dyn_cast<DeclRefExpr>(LHS); 475 if (!LHS_DR) 476 return false; 477 478 const VarDecl *VD = dyn_cast<VarDecl>(LHS_DR->getDecl()); 479 if (!VD) 480 return false; 481 482 const DeclRefExpr *RHS_DR = dyn_cast<DeclRefExpr>(RHS); 483 if (!RHS_DR) 484 return false; 485 486 if (VD != RHS_DR->getDecl()) 487 return false; 488 489 return true; 490 } 491 492 // Returns true if the Expr points to a VarDecl that is not read anywhere 493 // outside of self-assignments. 494 bool IdempotentOperationChecker::isUnused(const Expr *E, 495 AnalysisDeclContext *AC) { 496 if (!E) 497 return false; 498 499 const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(E->IgnoreParenCasts()); 500 if (!DR) 501 return false; 502 503 const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl()); 504 if (!VD) 505 return false; 506 507 if (AC->getPseudoConstantAnalysis()->wasReferenced(VD)) 508 return false; 509 510 return true; 511 } 512 513 // Check for self casts truncating/extending a variable 514 bool IdempotentOperationChecker::isTruncationExtensionAssignment( 515 const Expr *LHS, 516 const Expr *RHS) { 517 518 const DeclRefExpr *LHS_DR = dyn_cast<DeclRefExpr>(LHS->IgnoreParenCasts()); 519 if (!LHS_DR) 520 return false; 521 522 const VarDecl *VD = dyn_cast<VarDecl>(LHS_DR->getDecl()); 523 if (!VD) 524 return false; 525 526 const DeclRefExpr *RHS_DR = dyn_cast<DeclRefExpr>(RHS->IgnoreParenCasts()); 527 if (!RHS_DR) 528 return false; 529 530 if (VD != RHS_DR->getDecl()) 531 return false; 532 533 return dyn_cast<DeclRefExpr>(RHS->IgnoreParenLValueCasts()) == NULL; 534 } 535 536 // Returns false if a path to this block was not completely analyzed, or true 537 // otherwise. 538 bool 539 IdempotentOperationChecker::pathWasCompletelyAnalyzed(AnalysisDeclContext *AC, 540 const CFGBlock *CB, 541 const CoreEngine &CE) { 542 543 CFGReverseBlockReachabilityAnalysis *CRA = AC->getCFGReachablityAnalysis(); 544 545 // Test for reachability from any aborted blocks to this block 546 typedef CoreEngine::BlocksExhausted::const_iterator ExhaustedIterator; 547 for (ExhaustedIterator I = CE.blocks_exhausted_begin(), 548 E = CE.blocks_exhausted_end(); I != E; ++I) { 549 const BlockEdge &BE = I->first; 550 551 // The destination block on the BlockEdge is the first block that was not 552 // analyzed. If we can reach this block from the aborted block, then this 553 // block was not completely analyzed. 554 // 555 // Also explicitly check if the current block is the destination block. 556 // While technically reachable, it means we aborted the analysis on 557 // a path that included that block. 558 const CFGBlock *destBlock = BE.getDst(); 559 if (destBlock == CB || CRA->isReachable(destBlock, CB)) 560 return false; 561 } 562 563 // Test for reachability from blocks we just gave up on. 564 typedef CoreEngine::BlocksAborted::const_iterator AbortedIterator; 565 for (AbortedIterator I = CE.blocks_aborted_begin(), 566 E = CE.blocks_aborted_end(); I != E; ++I) { 567 const CFGBlock *destBlock = I->first; 568 if (destBlock == CB || CRA->isReachable(destBlock, CB)) 569 return false; 570 } 571 572 // For the items still on the worklist, see if they are in blocks that 573 // can eventually reach 'CB'. 574 class VisitWL : public WorkList::Visitor { 575 const CFGStmtMap *CBM; 576 const CFGBlock *TargetBlock; 577 CFGReverseBlockReachabilityAnalysis &CRA; 578 public: 579 VisitWL(const CFGStmtMap *cbm, const CFGBlock *targetBlock, 580 CFGReverseBlockReachabilityAnalysis &cra) 581 : CBM(cbm), TargetBlock(targetBlock), CRA(cra) {} 582 virtual bool visit(const WorkListUnit &U) { 583 ProgramPoint P = U.getNode()->getLocation(); 584 const CFGBlock *B = 0; 585 if (Optional<StmtPoint> SP = P.getAs<StmtPoint>()) { 586 B = CBM->getBlock(SP->getStmt()); 587 } else if (Optional<BlockEdge> BE = P.getAs<BlockEdge>()) { 588 B = BE->getDst(); 589 } else if (Optional<BlockEntrance> BEnt = P.getAs<BlockEntrance>()) { 590 B = BEnt->getBlock(); 591 } else if (Optional<BlockExit> BExit = P.getAs<BlockExit>()) { 592 B = BExit->getBlock(); 593 } 594 if (!B) 595 return true; 596 597 return B == TargetBlock || CRA.isReachable(B, TargetBlock); 598 } 599 }; 600 VisitWL visitWL(AC->getCFGStmtMap(), CB, *CRA); 601 // Were there any items in the worklist that could potentially reach 602 // this block? 603 if (CE.getWorkList()->visitItemsInWorkList(visitWL)) 604 return false; 605 606 // Verify that this block is reachable from the entry block 607 if (!CRA->isReachable(&AC->getCFG()->getEntry(), CB)) 608 return false; 609 610 // If we get to this point, there is no connection to the entry block or an 611 // aborted block. This path is unreachable and we can report the error. 612 return true; 613 } 614 615 // Recursive function that determines whether an expression contains any element 616 // that varies. This could be due to a compile-time constant like sizeof. An 617 // expression may also involve a variable that behaves like a constant. The 618 // function returns true if the expression varies, and false otherwise. 619 bool IdempotentOperationChecker::CanVary(const Expr *Ex, 620 AnalysisDeclContext *AC) { 621 // Parentheses and casts are irrelevant here 622 Ex = Ex->IgnoreParenCasts(); 623 624 if (Ex->getLocStart().isMacroID()) 625 return false; 626 627 switch (Ex->getStmtClass()) { 628 // Trivially true cases 629 case Stmt::ArraySubscriptExprClass: 630 case Stmt::MemberExprClass: 631 case Stmt::StmtExprClass: 632 case Stmt::CallExprClass: 633 case Stmt::VAArgExprClass: 634 case Stmt::ShuffleVectorExprClass: 635 return true; 636 default: 637 return true; 638 639 // Trivially false cases 640 case Stmt::IntegerLiteralClass: 641 case Stmt::CharacterLiteralClass: 642 case Stmt::FloatingLiteralClass: 643 case Stmt::PredefinedExprClass: 644 case Stmt::ImaginaryLiteralClass: 645 case Stmt::StringLiteralClass: 646 case Stmt::OffsetOfExprClass: 647 case Stmt::CompoundLiteralExprClass: 648 case Stmt::AddrLabelExprClass: 649 case Stmt::BinaryTypeTraitExprClass: 650 case Stmt::GNUNullExprClass: 651 case Stmt::InitListExprClass: 652 case Stmt::DesignatedInitExprClass: 653 case Stmt::BlockExprClass: 654 return false; 655 656 // Cases requiring custom logic 657 case Stmt::UnaryExprOrTypeTraitExprClass: { 658 const UnaryExprOrTypeTraitExpr *SE = 659 cast<const UnaryExprOrTypeTraitExpr>(Ex); 660 if (SE->getKind() != UETT_SizeOf) 661 return false; 662 return SE->getTypeOfArgument()->isVariableArrayType(); 663 } 664 case Stmt::DeclRefExprClass: 665 // Check for constants/pseudoconstants 666 return !isConstantOrPseudoConstant(cast<DeclRefExpr>(Ex), AC); 667 668 // The next cases require recursion for subexpressions 669 case Stmt::BinaryOperatorClass: { 670 const BinaryOperator *B = cast<const BinaryOperator>(Ex); 671 672 // Exclude cases involving pointer arithmetic. These are usually 673 // false positives. 674 if (B->getOpcode() == BO_Sub || B->getOpcode() == BO_Add) 675 if (B->getLHS()->getType()->getAs<PointerType>()) 676 return false; 677 678 return CanVary(B->getRHS(), AC) 679 || CanVary(B->getLHS(), AC); 680 } 681 case Stmt::UnaryOperatorClass: 682 return CanVary(cast<UnaryOperator>(Ex)->getSubExpr(), AC); 683 case Stmt::ConditionalOperatorClass: 684 case Stmt::BinaryConditionalOperatorClass: 685 return CanVary(cast<AbstractConditionalOperator>(Ex)->getCond(), AC); 686 } 687 } 688 689 // Returns true if a DeclRefExpr is or behaves like a constant. 690 bool IdempotentOperationChecker::isConstantOrPseudoConstant( 691 const DeclRefExpr *DR, 692 AnalysisDeclContext *AC) { 693 // Check if the type of the Decl is const-qualified 694 if (DR->getType().isConstQualified()) 695 return true; 696 697 // Check for an enum 698 if (isa<EnumConstantDecl>(DR->getDecl())) 699 return true; 700 701 const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl()); 702 if (!VD) 703 return true; 704 705 // Check if the Decl behaves like a constant. This check also takes care of 706 // static variables, which can only change between function calls if they are 707 // modified in the AST. 708 PseudoConstantAnalysis *PCA = AC->getPseudoConstantAnalysis(); 709 if (PCA->isPseudoConstant(VD)) 710 return true; 711 712 return false; 713 } 714 715 // Recursively find any substatements containing VarDecl's with storage other 716 // than local 717 bool IdempotentOperationChecker::containsNonLocalVarDecl(const Stmt *S) { 718 const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(S); 719 720 if (DR) 721 if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) 722 if (!VD->hasLocalStorage()) 723 return true; 724 725 for (Stmt::const_child_iterator I = S->child_begin(); I != S->child_end(); 726 ++I) 727 if (const Stmt *child = *I) 728 if (containsNonLocalVarDecl(child)) 729 return true; 730 731 return false; 732 } 733 734 735 void ento::registerIdempotentOperationChecker(CheckerManager &mgr) { 736 mgr.registerChecker<IdempotentOperationChecker>(); 737 } 738