mirror of
https://github.com/ethereum/solidity
synced 2023-10-03 13:03:40 +00:00
230 lines
8.3 KiB
C++
230 lines
8.3 KiB
C++
/*
|
|
This file is part of solidity.
|
|
|
|
solidity is free software: you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation, either version 3 of the License, or
|
|
(at your option) any later version.
|
|
|
|
solidity is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with solidity. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
// SPDX-License-Identifier: GPL-3.0
|
|
|
|
#include <libsolidity/analysis/ControlFlowAnalyzer.h>
|
|
|
|
#include <liblangutil/SourceLocation.h>
|
|
#include <libsolutil/Algorithms.h>
|
|
|
|
#include <range/v3/algorithm/sort.hpp>
|
|
|
|
#include <functional>
|
|
|
|
using namespace std;
|
|
using namespace std::placeholders;
|
|
using namespace solidity::langutil;
|
|
using namespace solidity::frontend;
|
|
|
|
|
|
bool ControlFlowAnalyzer::run()
|
|
{
|
|
for (auto& [pair, flow]: m_cfg.allFunctionFlows())
|
|
analyze(*pair.function, pair.contract, *flow);
|
|
|
|
return !Error::containsErrors(m_errorReporter.errors());
|
|
}
|
|
|
|
void ControlFlowAnalyzer::analyze(FunctionDefinition const& _function, ContractDefinition const* _contract, FunctionFlow const& _flow)
|
|
{
|
|
if (!_function.isImplemented())
|
|
return;
|
|
|
|
optional<string> mostDerivedContractName;
|
|
|
|
// The name of the most derived contract only required if it differs from
|
|
// the functions contract
|
|
if (_contract && _contract != _function.annotation().contract)
|
|
mostDerivedContractName = _contract->name();
|
|
|
|
checkUninitializedAccess(
|
|
_flow.entry,
|
|
_flow.exit,
|
|
_function.body().statements().empty(),
|
|
mostDerivedContractName
|
|
);
|
|
checkUnreachable(_flow.entry, _flow.exit, _flow.revert, _flow.transactionReturn);
|
|
}
|
|
|
|
|
|
void ControlFlowAnalyzer::checkUninitializedAccess(CFGNode const* _entry, CFGNode const* _exit, bool _emptyBody, optional<string> _contractName)
|
|
{
|
|
struct NodeInfo
|
|
{
|
|
set<VariableDeclaration const*> unassignedVariablesAtEntry;
|
|
set<VariableDeclaration const*> unassignedVariablesAtExit;
|
|
set<VariableOccurrence const*> uninitializedVariableAccesses;
|
|
/// Propagate the information from another node to this node.
|
|
/// To be used to propagate information from a node to its exit nodes.
|
|
/// Returns true, if new variables were added and thus the current node has
|
|
/// to be traversed again.
|
|
bool propagateFrom(NodeInfo const& _entryNode)
|
|
{
|
|
size_t previousUnassignedVariablesAtEntry = unassignedVariablesAtEntry.size();
|
|
size_t previousUninitializedVariableAccessess = uninitializedVariableAccesses.size();
|
|
unassignedVariablesAtEntry += _entryNode.unassignedVariablesAtExit;
|
|
uninitializedVariableAccesses += _entryNode.uninitializedVariableAccesses;
|
|
return
|
|
unassignedVariablesAtEntry.size() > previousUnassignedVariablesAtEntry ||
|
|
uninitializedVariableAccesses.size() > previousUninitializedVariableAccessess
|
|
;
|
|
}
|
|
};
|
|
map<CFGNode const*, NodeInfo> nodeInfos;
|
|
set<CFGNode const*> nodesToTraverse;
|
|
nodesToTraverse.insert(_entry);
|
|
|
|
// Walk all paths starting from the nodes in ``nodesToTraverse`` until ``NodeInfo::propagateFrom``
|
|
// returns false for all exits, i.e. until all paths have been walked with maximal sets of unassigned
|
|
// variables and accesses.
|
|
while (!nodesToTraverse.empty())
|
|
{
|
|
CFGNode const* currentNode = *nodesToTraverse.begin();
|
|
nodesToTraverse.erase(nodesToTraverse.begin());
|
|
|
|
auto& nodeInfo = nodeInfos[currentNode];
|
|
auto unassignedVariables = nodeInfo.unassignedVariablesAtEntry;
|
|
for (auto const& variableOccurrence: currentNode->variableOccurrences)
|
|
{
|
|
switch (variableOccurrence.kind())
|
|
{
|
|
case VariableOccurrence::Kind::Assignment:
|
|
unassignedVariables.erase(&variableOccurrence.declaration());
|
|
break;
|
|
case VariableOccurrence::Kind::InlineAssembly:
|
|
// We consider all variables referenced in inline assembly as accessed.
|
|
// So far any reference is enough, but we might want to actually analyze
|
|
// the control flow in the assembly at some point.
|
|
case VariableOccurrence::Kind::Access:
|
|
case VariableOccurrence::Kind::Return:
|
|
if (unassignedVariables.count(&variableOccurrence.declaration()))
|
|
{
|
|
// Merely store the unassigned access. We do not generate an error right away, since this
|
|
// path might still always revert. It is only an error if this is propagated to the exit
|
|
// node of the function (i.e. there is a path with an uninitialized access).
|
|
nodeInfo.uninitializedVariableAccesses.insert(&variableOccurrence);
|
|
}
|
|
break;
|
|
case VariableOccurrence::Kind::Declaration:
|
|
unassignedVariables.insert(&variableOccurrence.declaration());
|
|
break;
|
|
}
|
|
}
|
|
nodeInfo.unassignedVariablesAtExit = std::move(unassignedVariables);
|
|
|
|
// Propagate changes to all exits and queue them for traversal, if needed.
|
|
for (auto const& exit: currentNode->exits)
|
|
if (
|
|
auto exists = valueOrNullptr(nodeInfos, exit);
|
|
nodeInfos[exit].propagateFrom(nodeInfo) || !exists
|
|
)
|
|
nodesToTraverse.insert(exit);
|
|
}
|
|
|
|
auto const& exitInfo = nodeInfos[_exit];
|
|
if (!exitInfo.uninitializedVariableAccesses.empty())
|
|
{
|
|
vector<VariableOccurrence const*> uninitializedAccessesOrdered(
|
|
exitInfo.uninitializedVariableAccesses.begin(),
|
|
exitInfo.uninitializedVariableAccesses.end()
|
|
);
|
|
ranges::sort(
|
|
uninitializedAccessesOrdered,
|
|
[](VariableOccurrence const* lhs, VariableOccurrence const* rhs) -> bool
|
|
{
|
|
return *lhs < *rhs;
|
|
}
|
|
);
|
|
|
|
for (auto const* variableOccurrence: uninitializedAccessesOrdered)
|
|
{
|
|
VariableDeclaration const& varDecl = variableOccurrence->declaration();
|
|
|
|
SecondarySourceLocation ssl;
|
|
if (variableOccurrence->occurrence())
|
|
ssl.append("The variable was declared here.", varDecl.location());
|
|
|
|
bool isStorage = varDecl.type()->dataStoredIn(DataLocation::Storage);
|
|
bool isCalldata = varDecl.type()->dataStoredIn(DataLocation::CallData);
|
|
if (isStorage || isCalldata)
|
|
m_errorReporter.typeError(
|
|
3464_error,
|
|
variableOccurrence->occurrence() ?
|
|
*variableOccurrence->occurrence() :
|
|
varDecl.location(),
|
|
ssl,
|
|
"This variable is of " +
|
|
string(isStorage ? "storage" : "calldata") +
|
|
" pointer type and can be " +
|
|
(variableOccurrence->kind() == VariableOccurrence::Kind::Return ? "returned" : "accessed") +
|
|
" without prior assignment, which would lead to undefined behaviour."
|
|
);
|
|
else if (!_emptyBody && varDecl.name().empty())
|
|
{
|
|
if (!m_unassignedReturnVarsAlreadyWarnedFor.emplace(&varDecl).second)
|
|
continue;
|
|
|
|
m_errorReporter.warning(
|
|
6321_error,
|
|
varDecl.location(),
|
|
"Unnamed return variable can remain unassigned" +
|
|
(
|
|
_contractName.has_value() ?
|
|
" when the function is called when \"" + _contractName.value() + "\" is the most derived contract." :
|
|
"."
|
|
) +
|
|
" Add an explicit return with value to all non-reverting code paths or name the variable."
|
|
);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
void ControlFlowAnalyzer::checkUnreachable(CFGNode const* _entry, CFGNode const* _exit, CFGNode const* _revert, CFGNode const* _transactionReturn)
|
|
{
|
|
// collect all nodes reachable from the entry point
|
|
std::set<CFGNode const*> reachable = util::BreadthFirstSearch<CFGNode const*>{{_entry}}.run(
|
|
[](CFGNode const* _node, auto&& _addChild) {
|
|
for (CFGNode const* exit: _node->exits)
|
|
_addChild(exit);
|
|
}
|
|
).visited;
|
|
|
|
// traverse all paths backwards from exit, revert and transaction return
|
|
// and extract (valid) source locations of unreachable nodes into sorted set
|
|
std::set<SourceLocation> unreachable;
|
|
util::BreadthFirstSearch<CFGNode const*>{{_exit, _revert, _transactionReturn}}.run(
|
|
[&](CFGNode const* _node, auto&& _addChild) {
|
|
if (!reachable.count(_node) && _node->location.isValid())
|
|
unreachable.insert(_node->location);
|
|
for (CFGNode const* entry: _node->entries)
|
|
_addChild(entry);
|
|
}
|
|
);
|
|
|
|
for (auto it = unreachable.begin(); it != unreachable.end();)
|
|
{
|
|
SourceLocation location = *it++;
|
|
// Extend the location, as long as the next location overlaps (unreachable is sorted).
|
|
for (; it != unreachable.end() && it->start <= location.end; ++it)
|
|
location.end = std::max(location.end, it->end);
|
|
|
|
if (m_unreachableLocationsAlreadyWarnedFor.emplace(location).second)
|
|
m_errorReporter.warning(5740_error, location, "Unreachable code.");
|
|
}
|
|
}
|