2018-05-04 13:58:24 +00:00
|
|
|
/*
|
|
|
|
|
This file is part of solidity.
|
|
|
|
|
|
|
|
|
|
solidity is free software: you can redistribute it and/or modify
|
|
|
|
|
it under the terms of the GNU General Public License as published by
|
|
|
|
|
the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
(at your option) any later version.
|
|
|
|
|
|
|
|
|
|
solidity is distributed in the hope that it will be useful,
|
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
GNU General Public License for more details.
|
|
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
|
|
|
along with solidity. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <libsolidity/analysis/ControlFlowAnalyzer.h>
|
2018-12-17 11:30:08 +00:00
|
|
|
|
2018-11-14 16:11:55 +00:00
|
|
|
#include <liblangutil/SourceLocation.h>
|
2019-01-08 18:33:46 +00:00
|
|
|
#include <libdevcore/Algorithms.h>
|
2018-12-07 17:20:35 +00:00
|
|
|
#include <boost/range/algorithm/sort.hpp>
|
2018-05-04 13:58:24 +00:00
|
|
|
|
|
|
|
|
using namespace std;
|
2018-11-14 16:11:55 +00:00
|
|
|
using namespace langutil;
|
2018-05-04 13:58:24 +00:00
|
|
|
using namespace dev::solidity;
|
|
|
|
|
|
|
|
|
|
bool ControlFlowAnalyzer::analyze(ASTNode const& _astRoot)
|
|
|
|
|
{
|
|
|
|
|
_astRoot.accept(*this);
|
|
|
|
|
return Error::containsOnlyWarnings(m_errorReporter.errors());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool ControlFlowAnalyzer::visit(FunctionDefinition const& _function)
|
|
|
|
|
{
|
2018-11-13 11:12:08 +00:00
|
|
|
if (_function.isImplemented())
|
|
|
|
|
{
|
|
|
|
|
auto const& functionFlow = m_cfg.functionFlow(_function);
|
2018-12-07 17:20:35 +00:00
|
|
|
checkUninitializedAccess(functionFlow.entry, functionFlow.exit);
|
2019-01-08 18:33:46 +00:00
|
|
|
checkUnreachable(functionFlow.entry, functionFlow.exit, functionFlow.revert);
|
2018-11-13 11:12:08 +00:00
|
|
|
}
|
2018-05-04 13:58:24 +00:00
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-07 17:20:35 +00:00
|
|
|
void ControlFlowAnalyzer::checkUninitializedAccess(CFGNode const* _entry, CFGNode const* _exit) const
|
2018-05-04 13:58:24 +00:00
|
|
|
{
|
2018-12-07 17:20:35 +00:00
|
|
|
struct NodeInfo
|
2018-05-04 13:58:24 +00:00
|
|
|
{
|
2018-12-07 17:20:35 +00:00
|
|
|
set<VariableDeclaration const*> unassignedVariablesAtEntry;
|
|
|
|
|
set<VariableDeclaration const*> unassignedVariablesAtExit;
|
|
|
|
|
set<VariableOccurrence const*> uninitializedVariableAccesses;
|
|
|
|
|
/// Propagate the information from another node to this node.
|
|
|
|
|
/// To be used to propagate information from a node to its exit nodes.
|
|
|
|
|
/// Returns true, if new variables were added and thus the current node has
|
|
|
|
|
/// to be traversed again.
|
|
|
|
|
bool propagateFrom(NodeInfo const& _entryNode)
|
2018-05-04 13:58:24 +00:00
|
|
|
{
|
2018-12-07 17:20:35 +00:00
|
|
|
size_t previousUnassignedVariablesAtEntry = unassignedVariablesAtEntry.size();
|
|
|
|
|
size_t previousUninitializedVariableAccessess = uninitializedVariableAccesses.size();
|
|
|
|
|
unassignedVariablesAtEntry += _entryNode.unassignedVariablesAtExit;
|
|
|
|
|
uninitializedVariableAccesses += _entryNode.uninitializedVariableAccesses;
|
|
|
|
|
return
|
|
|
|
|
unassignedVariablesAtEntry.size() > previousUnassignedVariablesAtEntry ||
|
|
|
|
|
uninitializedVariableAccesses.size() > previousUninitializedVariableAccessess
|
|
|
|
|
;
|
2018-05-04 13:58:24 +00:00
|
|
|
}
|
2018-12-07 17:20:35 +00:00
|
|
|
};
|
|
|
|
|
map<CFGNode const*, NodeInfo> nodeInfos;
|
|
|
|
|
set<CFGNode const*> nodesToTraverse;
|
|
|
|
|
nodesToTraverse.insert(_entry);
|
|
|
|
|
|
|
|
|
|
// Walk all paths starting from the nodes in ``nodesToTraverse`` until ``NodeInfo::propagateFrom``
|
|
|
|
|
// returns false for all exits, i.e. until all paths have been walked with maximal sets of unassigned
|
|
|
|
|
// variables and accesses.
|
2018-05-04 13:58:24 +00:00
|
|
|
while (!nodesToTraverse.empty())
|
|
|
|
|
{
|
2018-12-07 17:20:35 +00:00
|
|
|
CFGNode const* currentNode = *nodesToTraverse.begin();
|
|
|
|
|
nodesToTraverse.erase(nodesToTraverse.begin());
|
2018-05-04 13:58:24 +00:00
|
|
|
|
2018-12-07 17:20:35 +00:00
|
|
|
auto& nodeInfo = nodeInfos[currentNode];
|
|
|
|
|
auto unassignedVariables = nodeInfo.unassignedVariablesAtEntry;
|
|
|
|
|
for (auto const& variableOccurrence: currentNode->variableOccurrences)
|
2018-05-04 13:58:24 +00:00
|
|
|
{
|
2018-12-07 17:20:35 +00:00
|
|
|
switch (variableOccurrence.kind())
|
|
|
|
|
{
|
|
|
|
|
case VariableOccurrence::Kind::Assignment:
|
|
|
|
|
unassignedVariables.erase(&variableOccurrence.declaration());
|
|
|
|
|
break;
|
|
|
|
|
case VariableOccurrence::Kind::InlineAssembly:
|
|
|
|
|
// We consider all variables referenced in inline assembly as accessed.
|
|
|
|
|
// So far any reference is enough, but we might want to actually analyze
|
|
|
|
|
// the control flow in the assembly at some point.
|
|
|
|
|
case VariableOccurrence::Kind::Access:
|
|
|
|
|
case VariableOccurrence::Kind::Return:
|
|
|
|
|
if (unassignedVariables.count(&variableOccurrence.declaration()))
|
|
|
|
|
{
|
|
|
|
|
if (variableOccurrence.declaration().type()->dataStoredIn(DataLocation::Storage))
|
|
|
|
|
// Merely store the unassigned access. We do not generate an error right away, since this
|
|
|
|
|
// path might still always revert. It is only an error if this is propagated to the exit
|
|
|
|
|
// node of the function (i.e. there is a path with an uninitialized access).
|
|
|
|
|
nodeInfo.uninitializedVariableAccesses.insert(&variableOccurrence);
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
case VariableOccurrence::Kind::Declaration:
|
|
|
|
|
unassignedVariables.insert(&variableOccurrence.declaration());
|
|
|
|
|
break;
|
|
|
|
|
}
|
2018-05-04 13:58:24 +00:00
|
|
|
}
|
2018-12-07 17:20:35 +00:00
|
|
|
nodeInfo.unassignedVariablesAtExit = std::move(unassignedVariables);
|
2018-05-04 13:58:24 +00:00
|
|
|
|
2018-12-07 17:20:35 +00:00
|
|
|
// Propagate changes to all exits and queue them for traversal, if needed.
|
|
|
|
|
for (auto const& exit: currentNode->exits)
|
|
|
|
|
if (nodeInfos[exit].propagateFrom(nodeInfo))
|
|
|
|
|
nodesToTraverse.insert(exit);
|
2018-05-04 13:58:24 +00:00
|
|
|
}
|
|
|
|
|
|
2018-12-07 17:20:35 +00:00
|
|
|
auto const& exitInfo = nodeInfos[_exit];
|
|
|
|
|
if (!exitInfo.uninitializedVariableAccesses.empty())
|
2018-05-04 13:58:24 +00:00
|
|
|
{
|
2018-12-07 17:20:35 +00:00
|
|
|
vector<VariableOccurrence const*> uninitializedAccessesOrdered(
|
|
|
|
|
exitInfo.uninitializedVariableAccesses.begin(),
|
|
|
|
|
exitInfo.uninitializedVariableAccesses.end()
|
2019-02-13 15:56:46 +00:00
|
|
|
);
|
2018-12-07 17:20:35 +00:00
|
|
|
boost::range::sort(
|
|
|
|
|
uninitializedAccessesOrdered,
|
|
|
|
|
[](VariableOccurrence const* lhs, VariableOccurrence const* rhs) -> bool
|
|
|
|
|
{
|
|
|
|
|
return *lhs < *rhs;
|
2018-05-04 13:58:24 +00:00
|
|
|
}
|
|
|
|
|
);
|
2018-12-07 17:20:35 +00:00
|
|
|
|
|
|
|
|
for (auto const* variableOccurrence: uninitializedAccessesOrdered)
|
2018-05-04 13:58:24 +00:00
|
|
|
{
|
|
|
|
|
SecondarySourceLocation ssl;
|
2018-12-07 17:20:35 +00:00
|
|
|
if (variableOccurrence->occurrence())
|
|
|
|
|
ssl.append("The variable was declared here.", variableOccurrence->declaration().location());
|
2018-05-04 13:58:24 +00:00
|
|
|
|
2018-08-02 16:55:06 +00:00
|
|
|
m_errorReporter.typeError(
|
2018-12-07 17:20:35 +00:00
|
|
|
variableOccurrence->occurrence() ?
|
|
|
|
|
variableOccurrence->occurrence()->location() :
|
|
|
|
|
variableOccurrence->declaration().location(),
|
2018-08-02 16:55:06 +00:00
|
|
|
ssl,
|
2018-12-07 17:20:35 +00:00
|
|
|
string("This variable is of storage pointer type and can be ") +
|
|
|
|
|
(variableOccurrence->kind() == VariableOccurrence::Kind::Return ? "returned" : "accessed") +
|
2019-09-19 11:20:30 +00:00
|
|
|
" without prior assignment, which would lead to undefined behaviour."
|
2018-05-04 13:58:24 +00:00
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2019-01-08 18:33:46 +00:00
|
|
|
|
|
|
|
|
void ControlFlowAnalyzer::checkUnreachable(CFGNode const* _entry, CFGNode const* _exit, CFGNode const* _revert) const
|
|
|
|
|
{
|
|
|
|
|
// collect all nodes reachable from the entry point
|
2019-08-13 14:24:32 +00:00
|
|
|
std::set<CFGNode const*> reachable = BreadthFirstSearch<CFGNode const*>{{_entry}}.run(
|
|
|
|
|
[](CFGNode const* _node, auto&& _addChild) {
|
|
|
|
|
for (CFGNode const* exit: _node->exits)
|
|
|
|
|
_addChild(exit);
|
2019-01-08 18:33:46 +00:00
|
|
|
}
|
|
|
|
|
).visited;
|
|
|
|
|
|
|
|
|
|
// traverse all paths backwards from exit and revert
|
|
|
|
|
// and extract (valid) source locations of unreachable nodes into sorted set
|
|
|
|
|
std::set<SourceLocation> unreachable;
|
2019-08-13 14:24:32 +00:00
|
|
|
BreadthFirstSearch<CFGNode const*>{{_exit, _revert}}.run(
|
|
|
|
|
[&](CFGNode const* _node, auto&& _addChild) {
|
|
|
|
|
if (!reachable.count(_node) && !_node->location.isEmpty())
|
|
|
|
|
unreachable.insert(_node->location);
|
|
|
|
|
for (CFGNode const* entry: _node->entries)
|
|
|
|
|
_addChild(entry);
|
2019-01-08 18:33:46 +00:00
|
|
|
}
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
for (auto it = unreachable.begin(); it != unreachable.end();)
|
|
|
|
|
{
|
|
|
|
|
SourceLocation location = *it++;
|
|
|
|
|
// Extend the location, as long as the next location overlaps (unreachable is sorted).
|
|
|
|
|
for (; it != unreachable.end() && it->start <= location.end; ++it)
|
|
|
|
|
location.end = std::max(location.end, it->end);
|
|
|
|
|
m_errorReporter.warning(location, "Unreachable code.");
|
|
|
|
|
}
|
|
|
|
|
}
|
