AnalysisBasedWarnings.cpp revision 940b97f524bfc9e43f9c27a7eb97816bbc5e9bf5
//=- AnalysisBasedWarnings.cpp - Sema warnings based on libAnalysis -*- C++ -*-=//
//
//                     The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// This file defines analysis_warnings::[Policy,Executor].
// Together they are used by Sema to issue warnings based on inexpensive
// static analysis algorithms in libAnalysis.
//
//===----------------------------------------------------------------------===//

#include "clang/Sema/AnalysisBasedWarnings.h"
#include "clang/Sema/SemaInternal.h"
#include "clang/Sema/ScopeInfo.h"
#include "clang/Basic/SourceManager.h"
#include "clang/Lex/Preprocessor.h"
#include "clang/AST/DeclObjC.h"
#include "clang/AST/DeclCXX.h"
#include "clang/AST/ExprObjC.h"
#include "clang/AST/ExprCXX.h"
#include "clang/AST/StmtObjC.h"
#include "clang/AST/StmtCXX.h"
#include "clang/AST/EvaluatedExprVisitor.h"
#include "clang/AST/StmtVisitor.h"
#include "clang/Analysis/AnalysisContext.h"
#include "clang/Analysis/CFG.h"
#include "clang/Analysis/Analyses/ReachableCode.h"
#include "clang/Analysis/Analyses/CFGReachabilityAnalysis.h"
#include "clang/Analysis/CFGStmtMap.h"
#include "clang/Analysis/Analyses/UninitializedValues.h"
#include "llvm/ADT/BitVector.h"
#include "llvm/ADT/FoldingSet.h"
#include "llvm/ADT/ImmutableMap.h"
#include "llvm/ADT/PostOrderIterator.h"
#include "llvm/ADT/SmallVector.h"
#include "llvm/Support/Casting.h"
#include <algorithm>
#include <vector>

using namespace clang;

//===----------------------------------------------------------------------===//
// Unreachable code analysis.
48//===----------------------------------------------------------------------===// 49 50namespace { 51 class UnreachableCodeHandler : public reachable_code::Callback { 52 Sema &S; 53 public: 54 UnreachableCodeHandler(Sema &s) : S(s) {} 55 56 void HandleUnreachable(SourceLocation L, SourceRange R1, SourceRange R2) { 57 S.Diag(L, diag::warn_unreachable) << R1 << R2; 58 } 59 }; 60} 61 62/// CheckUnreachable - Check for unreachable code. 63static void CheckUnreachable(Sema &S, AnalysisContext &AC) { 64 UnreachableCodeHandler UC(S); 65 reachable_code::FindUnreachableCode(AC, UC); 66} 67 68//===----------------------------------------------------------------------===// 69// Check for missing return value. 70//===----------------------------------------------------------------------===// 71 72enum ControlFlowKind { 73 UnknownFallThrough, 74 NeverFallThrough, 75 MaybeFallThrough, 76 AlwaysFallThrough, 77 NeverFallThroughOrReturn 78}; 79 80/// CheckFallThrough - Check that we don't fall off the end of a 81/// Statement that should return a value. 82/// 83/// \returns AlwaysFallThrough iff we always fall off the end of the statement, 84/// MaybeFallThrough iff we might or might not fall off the end, 85/// NeverFallThroughOrReturn iff we never fall off the end of the statement or 86/// return. We assume NeverFallThrough iff we never fall off the end of the 87/// statement but we may return. We assume that functions not marked noreturn 88/// will return. 89static ControlFlowKind CheckFallThrough(AnalysisContext &AC) { 90 CFG *cfg = AC.getCFG(); 91 if (cfg == 0) return UnknownFallThrough; 92 93 // The CFG leaves in dead things, and we don't want the dead code paths to 94 // confuse us, so we mark all live things first. 
95 llvm::BitVector live(cfg->getNumBlockIDs()); 96 unsigned count = reachable_code::ScanReachableFromBlock(&cfg->getEntry(), 97 live); 98 99 bool AddEHEdges = AC.getAddEHEdges(); 100 if (!AddEHEdges && count != cfg->getNumBlockIDs()) 101 // When there are things remaining dead, and we didn't add EH edges 102 // from CallExprs to the catch clauses, we have to go back and 103 // mark them as live. 104 for (CFG::iterator I = cfg->begin(), E = cfg->end(); I != E; ++I) { 105 CFGBlock &b = **I; 106 if (!live[b.getBlockID()]) { 107 if (b.pred_begin() == b.pred_end()) { 108 if (b.getTerminator() && isa<CXXTryStmt>(b.getTerminator())) 109 // When not adding EH edges from calls, catch clauses 110 // can otherwise seem dead. Avoid noting them as dead. 111 count += reachable_code::ScanReachableFromBlock(&b, live); 112 continue; 113 } 114 } 115 } 116 117 // Now we know what is live, we check the live precessors of the exit block 118 // and look for fall through paths, being careful to ignore normal returns, 119 // and exceptional paths. 120 bool HasLiveReturn = false; 121 bool HasFakeEdge = false; 122 bool HasPlainEdge = false; 123 bool HasAbnormalEdge = false; 124 125 // Ignore default cases that aren't likely to be reachable because all 126 // enums in a switch(X) have explicit case statements. 127 CFGBlock::FilterOptions FO; 128 FO.IgnoreDefaultsWithCoveredEnums = 1; 129 130 for (CFGBlock::filtered_pred_iterator 131 I = cfg->getExit().filtered_pred_start_end(FO); I.hasMore(); ++I) { 132 const CFGBlock& B = **I; 133 if (!live[B.getBlockID()]) 134 continue; 135 136 // Destructors can appear after the 'return' in the CFG. This is 137 // normal. We need to look pass the destructors for the return 138 // statement (if it exists). 139 CFGBlock::const_reverse_iterator ri = B.rbegin(), re = B.rend(); 140 bool hasNoReturnDtor = false; 141 142 for ( ; ri != re ; ++ri) { 143 CFGElement CE = *ri; 144 145 // FIXME: The right solution is to just sever the edges in the 146 // CFG itself. 
147 if (const CFGImplicitDtor *iDtor = ri->getAs<CFGImplicitDtor>()) 148 if (iDtor->isNoReturn(AC.getASTContext())) { 149 hasNoReturnDtor = true; 150 HasFakeEdge = true; 151 break; 152 } 153 154 if (isa<CFGStmt>(CE)) 155 break; 156 } 157 158 if (hasNoReturnDtor) 159 continue; 160 161 // No more CFGElements in the block? 162 if (ri == re) { 163 if (B.getTerminator() && isa<CXXTryStmt>(B.getTerminator())) { 164 HasAbnormalEdge = true; 165 continue; 166 } 167 // A labeled empty statement, or the entry block... 168 HasPlainEdge = true; 169 continue; 170 } 171 172 CFGStmt CS = cast<CFGStmt>(*ri); 173 const Stmt *S = CS.getStmt(); 174 if (isa<ReturnStmt>(S)) { 175 HasLiveReturn = true; 176 continue; 177 } 178 if (isa<ObjCAtThrowStmt>(S)) { 179 HasFakeEdge = true; 180 continue; 181 } 182 if (isa<CXXThrowExpr>(S)) { 183 HasFakeEdge = true; 184 continue; 185 } 186 if (const AsmStmt *AS = dyn_cast<AsmStmt>(S)) { 187 if (AS->isMSAsm()) { 188 HasFakeEdge = true; 189 HasLiveReturn = true; 190 continue; 191 } 192 } 193 if (isa<CXXTryStmt>(S)) { 194 HasAbnormalEdge = true; 195 continue; 196 } 197 198 bool NoReturnEdge = false; 199 if (const CallExpr *C = dyn_cast<CallExpr>(S)) { 200 if (std::find(B.succ_begin(), B.succ_end(), &cfg->getExit()) 201 == B.succ_end()) { 202 HasAbnormalEdge = true; 203 continue; 204 } 205 const Expr *CEE = C->getCallee()->IgnoreParenCasts(); 206 QualType calleeType = CEE->getType(); 207 if (calleeType == AC.getASTContext().BoundMemberTy) { 208 calleeType = Expr::findBoundMemberType(CEE); 209 assert(!calleeType.isNull() && "analyzing unresolved call?"); 210 } 211 if (getFunctionExtInfo(calleeType).getNoReturn()) { 212 NoReturnEdge = true; 213 HasFakeEdge = true; 214 } else if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(CEE)) { 215 const ValueDecl *VD = DRE->getDecl(); 216 if (VD->hasAttr<NoReturnAttr>()) { 217 NoReturnEdge = true; 218 HasFakeEdge = true; 219 } 220 } 221 } 222 // FIXME: Add noreturn message sends. 
223 if (NoReturnEdge == false) 224 HasPlainEdge = true; 225 } 226 if (!HasPlainEdge) { 227 if (HasLiveReturn) 228 return NeverFallThrough; 229 return NeverFallThroughOrReturn; 230 } 231 if (HasAbnormalEdge || HasFakeEdge || HasLiveReturn) 232 return MaybeFallThrough; 233 // This says AlwaysFallThrough for calls to functions that are not marked 234 // noreturn, that don't return. If people would like this warning to be more 235 // accurate, such functions should be marked as noreturn. 236 return AlwaysFallThrough; 237} 238 239namespace { 240 241struct CheckFallThroughDiagnostics { 242 unsigned diag_MaybeFallThrough_HasNoReturn; 243 unsigned diag_MaybeFallThrough_ReturnsNonVoid; 244 unsigned diag_AlwaysFallThrough_HasNoReturn; 245 unsigned diag_AlwaysFallThrough_ReturnsNonVoid; 246 unsigned diag_NeverFallThroughOrReturn; 247 bool funMode; 248 SourceLocation FuncLoc; 249 250 static CheckFallThroughDiagnostics MakeForFunction(const Decl *Func) { 251 CheckFallThroughDiagnostics D; 252 D.FuncLoc = Func->getLocation(); 253 D.diag_MaybeFallThrough_HasNoReturn = 254 diag::warn_falloff_noreturn_function; 255 D.diag_MaybeFallThrough_ReturnsNonVoid = 256 diag::warn_maybe_falloff_nonvoid_function; 257 D.diag_AlwaysFallThrough_HasNoReturn = 258 diag::warn_falloff_noreturn_function; 259 D.diag_AlwaysFallThrough_ReturnsNonVoid = 260 diag::warn_falloff_nonvoid_function; 261 262 // Don't suggest that virtual functions be marked "noreturn", since they 263 // might be overridden by non-noreturn functions. 
264 bool isVirtualMethod = false; 265 if (const CXXMethodDecl *Method = dyn_cast<CXXMethodDecl>(Func)) 266 isVirtualMethod = Method->isVirtual(); 267 268 if (!isVirtualMethod) 269 D.diag_NeverFallThroughOrReturn = 270 diag::warn_suggest_noreturn_function; 271 else 272 D.diag_NeverFallThroughOrReturn = 0; 273 274 D.funMode = true; 275 return D; 276 } 277 278 static CheckFallThroughDiagnostics MakeForBlock() { 279 CheckFallThroughDiagnostics D; 280 D.diag_MaybeFallThrough_HasNoReturn = 281 diag::err_noreturn_block_has_return_expr; 282 D.diag_MaybeFallThrough_ReturnsNonVoid = 283 diag::err_maybe_falloff_nonvoid_block; 284 D.diag_AlwaysFallThrough_HasNoReturn = 285 diag::err_noreturn_block_has_return_expr; 286 D.diag_AlwaysFallThrough_ReturnsNonVoid = 287 diag::err_falloff_nonvoid_block; 288 D.diag_NeverFallThroughOrReturn = 289 diag::warn_suggest_noreturn_block; 290 D.funMode = false; 291 return D; 292 } 293 294 bool checkDiagnostics(Diagnostic &D, bool ReturnsVoid, 295 bool HasNoReturn) const { 296 if (funMode) { 297 return (ReturnsVoid || 298 D.getDiagnosticLevel(diag::warn_maybe_falloff_nonvoid_function, 299 FuncLoc) == Diagnostic::Ignored) 300 && (!HasNoReturn || 301 D.getDiagnosticLevel(diag::warn_noreturn_function_has_return_expr, 302 FuncLoc) == Diagnostic::Ignored) 303 && (!ReturnsVoid || 304 D.getDiagnosticLevel(diag::warn_suggest_noreturn_block, FuncLoc) 305 == Diagnostic::Ignored); 306 } 307 308 // For blocks. 309 return ReturnsVoid && !HasNoReturn 310 && (!ReturnsVoid || 311 D.getDiagnosticLevel(diag::warn_suggest_noreturn_block, FuncLoc) 312 == Diagnostic::Ignored); 313 } 314}; 315 316} 317 318/// CheckFallThroughForFunctionDef - Check that we don't fall off the end of a 319/// function that should return a value. Check that we don't fall off the end 320/// of a noreturn function. We assume that functions and blocks not marked 321/// noreturn will return. 
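static void CheckFallThroughForBody(Sema &S, const Decl *D, const Stmt *Body,
                                    const BlockExpr *blkExpr,
                                    const CheckFallThroughDiagnostics& CD,
                                    AnalysisContext &AC) {

  bool ReturnsVoid = false;
  bool HasNoReturn = false;

  // Work out the return type and noreturn-ness for each kind of declaration.
  if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D)) {
    ReturnsVoid = FD->getResultType()->isVoidType();
    HasNoReturn = FD->hasAttr<NoReturnAttr>() ||
       FD->getType()->getAs<FunctionType>()->getNoReturnAttr();
  }
  else if (const ObjCMethodDecl *MD = dyn_cast<ObjCMethodDecl>(D)) {
    ReturnsVoid = MD->getResultType()->isVoidType();
    HasNoReturn = MD->hasAttr<NoReturnAttr>();
  }
  else if (isa<BlockDecl>(D)) {
    // blkExpr is dereferenced unconditionally here, so callers must pass a
    // non-null BlockExpr whenever D is a BlockDecl.
    QualType BlockTy = blkExpr->getType();
    if (const FunctionType *FT =
          BlockTy->getPointeeType()->getAs<FunctionType>()) {
      if (FT->getResultType()->isVoidType())
        ReturnsVoid = true;
      if (FT->getNoReturnAttr())
        HasNoReturn = true;
    }
  }

  Diagnostic &Diags = S.getDiagnostics();

  // Short circuit for compilation speed.
  if (CD.checkDiagnostics(Diags, ReturnsVoid, HasNoReturn))
    return;

  // FIXME: Function try block
  if (const CompoundStmt *Compound = dyn_cast<CompoundStmt>(Body)) {
    switch (CheckFallThrough(AC)) {
      case UnknownFallThrough:
        break;

      case MaybeFallThrough:
        if (HasNoReturn)
          S.Diag(Compound->getRBracLoc(),
                 CD.diag_MaybeFallThrough_HasNoReturn);
        else if (!ReturnsVoid)
          S.Diag(Compound->getRBracLoc(),
                 CD.diag_MaybeFallThrough_ReturnsNonVoid);
        break;
      case AlwaysFallThrough:
        if (HasNoReturn)
          S.Diag(Compound->getRBracLoc(),
                 CD.diag_AlwaysFallThrough_HasNoReturn);
        else if (!ReturnsVoid)
          S.Diag(Compound->getRBracLoc(),
                 CD.diag_AlwaysFallThrough_ReturnsNonVoid);
        break;
      case NeverFallThroughOrReturn:
        // A diagnostic ID of 0 means "do not suggest noreturn" (set for
        // virtual methods by MakeForFunction).
        if (ReturnsVoid && !HasNoReturn && CD.diag_NeverFallThroughOrReturn)
          S.Diag(Compound->getLBracLoc(),
                 CD.diag_NeverFallThroughOrReturn);
        break;
      case NeverFallThrough:
        break;
    }
  }
}

//===----------------------------------------------------------------------===//
// -Wuninitialized
//===----------------------------------------------------------------------===//

namespace {
/// ContainsReference - A visitor class to search for references to
/// a particular declaration (the needle) within any evaluated component of an
/// expression (recursively).
class ContainsReference : public EvaluatedExprVisitor<ContainsReference> {
  bool FoundReference;
  const DeclRefExpr *Needle;

public:
  ContainsReference(ASTContext &Context, const DeclRefExpr *Needle)
    : EvaluatedExprVisitor<ContainsReference>(Context),
      FoundReference(false), Needle(Needle) {}

  void VisitExpr(Expr *E) {
    // Stop evaluating if we already have a reference.
    if (FoundReference)
      return;

    EvaluatedExprVisitor<ContainsReference>::VisitExpr(E);
  }

  void VisitDeclRefExpr(DeclRefExpr *E) {
    // The needle is matched by node identity, not by the declaration it
    // names.
    if (E == Needle)
      FoundReference = true;
    else
      EvaluatedExprVisitor<ContainsReference>::VisitDeclRefExpr(E);
  }

  /// \returns true if the needle was seen during the traversal.
  bool doesContainReference() const { return FoundReference; }
};
}

/// DiagnoseUninitializedUse -- Helper function for diagnosing uses of an
/// uninitialized variable. This manages the different forms of diagnostic
/// emitted for particular types of uses. Returns true if the use was diagnosed
/// as a warning. If a particular use is one we omit warnings for, returns
/// false.
///
/// \param E either a DeclRefExpr naming \p VD or a BlockExpr capturing it; any
/// other expression kind fails the cast<BlockExpr> below.
static bool DiagnoseUninitializedUse(Sema &S, const VarDecl *VD,
                                     const Expr *E, bool isAlwaysUninit) {
  bool isSelfInit = false;

  if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) {
    if (isAlwaysUninit) {
      // Inspect the initializer of the variable declaration which is
      // being referenced prior to its initialization. We emit
      // specialized diagnostics for self-initialization, and we
      // specifically avoid warning about self references which take the
      // form of:
      //
      //   int x = x;
      //
      // This is used to indicate to GCC that 'x' is intentionally left
      // uninitialized. Proven code paths which access 'x' in
      // an uninitialized state after this will still warn.
      //
      // TODO: Should we suppress maybe-uninitialized warnings for
      // variables initialized in this way?
      if (const Expr *Initializer = VD->getInit()) {
        if (DRE == Initializer->IgnoreParenImpCasts())
          return false;

        ContainsReference CR(S.Context, DRE);
        CR.Visit(const_cast<Expr*>(Initializer));
        isSelfInit = CR.doesContainReference();
      }
      if (isSelfInit) {
        S.Diag(DRE->getLocStart(),
               diag::warn_uninit_self_reference_in_init)
        << VD->getDeclName() << VD->getLocation() << DRE->getSourceRange();
      } else {
        S.Diag(DRE->getLocStart(), diag::warn_uninit_var)
          << VD->getDeclName() << DRE->getSourceRange();
      }
    } else {
      S.Diag(DRE->getLocStart(), diag::warn_maybe_uninit_var)
        << VD->getDeclName() << DRE->getSourceRange();
    }
  } else {
    const BlockExpr *BE = cast<BlockExpr>(E);
    S.Diag(BE->getLocStart(),
           isAlwaysUninit ? diag::warn_uninit_var_captured_by_block
                          : diag::warn_maybe_uninit_var_captured_by_block)
      << VD->getDeclName();
  }

  // Report where the variable was declared when the use wasn't within
  // the initializer of that declaration.
  if (!isSelfInit)
    S.Diag(VD->getLocStart(), diag::note_uninit_var_def)
      << VD->getDeclName();

  return true;
}

/// Attach a note with a fix-it that appends a zero-like initializer to the
/// declaration of \p VD, chosen from the variable's canonical type.  Nothing
/// is emitted when the variable already has an initializer, is of enumeral
/// type, or has a type none of the cases below covers.
static void SuggestInitializationFixit(Sema &S, const VarDecl *VD) {
  // Don't issue a fixit if there is already an initializer.
  if (VD->getInit())
    return;

  // Suggest possible initialization (if any).
  const char *initialization = 0;
  QualType VariableTy = VD->getType().getCanonicalType();

  if (VariableTy->isObjCObjectPointerType() ||
      VariableTy->isBlockPointerType()) {
    // Check if 'nil' is defined.
    if (S.PP.getMacroInfo(&S.getASTContext().Idents.get("nil")))
      initialization = " = nil";
    else
      initialization = " = 0";
  }
  else if (VariableTy->isRealFloatingType())
    initialization = " = 0.0";
  else if (VariableTy->isBooleanType() && S.Context.getLangOptions().CPlusPlus)
    initialization = " = false";
  else if (VariableTy->isEnumeralType())
    return;
  else if (VariableTy->isPointerType() || VariableTy->isMemberPointerType()) {
    // Check if 'NULL' is defined.
    if (S.PP.getMacroInfo(&S.getASTContext().Idents.get("NULL")))
      initialization = " = NULL";
    else
      initialization = " = 0";
  }
  else if (VariableTy->isScalarType())
    initialization = " = 0";

  if (initialization) {
    SourceLocation loc = S.PP.getLocForEndOfToken(VD->getLocEnd());
    S.Diag(loc, diag::note_var_fixit_add_initialization)
      << FixItHint::CreateInsertion(loc, initialization);
  }
}

/// One recorded use: the using expression and whether the variable is always
/// (true) or only possibly (false) uninitialized there.
typedef std::pair<const Expr*, bool> UninitUse;

namespace {
/// Orders uses by the raw encoding of their start location.
struct SLocSort {
  bool operator()(const UninitUse &a, const UninitUse &b) const {
    SourceLocation aLoc = a.first->getLocStart();
    SourceLocation bLoc = b.first->getLocStart();
    return aLoc.getRawEncoding() < bLoc.getRawEncoding();
  }
};

/// Collects uses of uninitialized variables reported by the analysis and
/// emits them, grouped per variable, when flushed or destroyed.
///
/// The map and its vectors are owned through raw pointers and released in
/// flushDiagnostics().  No copy operations are declared, so a copy would
/// share those pointers; do not copy instances.
class UninitValsDiagReporter : public UninitVariablesHandler {
  Sema &S;
  typedef SmallVector<UninitUse, 2> UsesVec;
  typedef llvm::DenseMap<const VarDecl *, UsesVec*> UsesMap;
  UsesMap *uses;

public:
  UninitValsDiagReporter(Sema &S) : S(S), uses(0) {}
  ~UninitValsDiagReporter() {
    flushDiagnostics();
  }

  /// Record one use of \p vd in expression \p ex; the map and the per-variable
  /// vector are allocated lazily.
  void handleUseOfUninitVariable(const Expr *ex, const VarDecl *vd,
                                 bool isAlwaysUninit) {
    if (!uses)
      uses = new UsesMap();

    UsesVec *&vec = (*uses)[vd];
    if (!vec)
      vec = new UsesVec();

    vec->push_back(std::make_pair(ex, isAlwaysUninit));
  }

  /// Emit the buffered diagnostics and release the buffers.  Safe to call
  /// more than once.
  void flushDiagnostics() {
    if (!uses)
      return;

    for (UsesMap::iterator i = uses->begin(), e = uses->end(); i != e; ++i) {
      const VarDecl *vd = i->first;
      UsesVec *vec = i->second;

      // Sort the uses by their SourceLocations.  While not strictly
      // guaranteed to produce them in line/column order, this will provide
      // a stable ordering.
      std::sort(vec->begin(), vec->end(), SLocSort());

      for (UsesVec::iterator vi = vec->begin(), ve = vec->end(); vi != ve;
           ++vi) {
        if (!DiagnoseUninitializedUse(S, vd, vi->first,
                                      /*isAlwaysUninit=*/vi->second))
          continue;

        SuggestInitializationFixit(S, vd);

        // Skip further diagnostics for this variable. We try to warn only on
        // the first point at which a variable is used uninitialized.
        break;
      }

      delete vec;
    }
    delete uses;
    // The destructor calls this function as well.  Clear the pointer so that
    // a second call returns at the null check above instead of walking and
    // deleting the freed map again.
    uses = 0;
  }
};
}


//===----------------------------------------------------------------------===//
// -Wthread-safety
//===----------------------------------------------------------------------===//

namespace {
/// \brief Implements a set of CFGBlocks using a BitVector.
///
/// This class contains a minimal interface, primarily dictated by the SetType
/// template parameter of the llvm::po_iterator template, as used with external
/// storage. We also use this set to keep track of which CFGBlocks we visit
/// during the analysis.
class CFGBlockSet {
  llvm::BitVector VisitedBlockIDs;

public:
  // po_iterator requires this iterator, but the only interface needed is the
  // value_type typedef.
  struct iterator {
    typedef const CFGBlock *value_type;
  };

  CFGBlockSet() {}
  CFGBlockSet(const CFG *G) : VisitedBlockIDs(G->getNumBlockIDs(), false) {}

  /// \brief Set the bit associated with a particular CFGBlock.
  /// This is the important method for the SetType template parameter.
  /// \returns false if the block was already in the set, true otherwise.
  bool insert(const CFGBlock *Block) {
    if (VisitedBlockIDs.test(Block->getBlockID()))
      return false;
    VisitedBlockIDs.set(Block->getBlockID());
    return true;
  }

  /// \brief Check if the bit for a CFGBlock has been already set.
  /// This method is for tracking visited blocks in the main threadsafety loop.
  bool alreadySet(const CFGBlock *Block) const {
    return VisitedBlockIDs.test(Block->getBlockID());
  }
};

/// \brief We create a helper class which we use to iterate through CFGBlocks in
/// the topological order.
class TopologicallySortedCFG {
  typedef llvm::po_iterator<const CFG*, CFGBlockSet, true>  po_iterator;

  // Blocks in post-order; begin()/end() walk this vector in reverse.
  std::vector<const CFGBlock*> Blocks;

public:
  typedef std::vector<const CFGBlock*>::reverse_iterator iterator;

  TopologicallySortedCFG(const CFG *CFGraph) {
    Blocks.reserve(CFGraph->getNumBlockIDs());
    CFGBlockSet BSet(CFGraph);

    for (po_iterator I = po_iterator::begin(CFGraph, BSet),
         E = po_iterator::end(CFGraph, BSet); I != E; ++I) {
      Blocks.push_back(*I);
    }
  }

  iterator begin() {
    return Blocks.rbegin();
  }

  iterator end() {
    return Blocks.rend();
  }
};

/// \brief A LockID object uniquely identifies a particular lock acquired, and
/// is built from an Expr* (i.e. calling a lock function).
///
/// Thread-safety analysis works by comparing lock expressions.  Within the
/// body of a function, an expression such as "x->foo->bar.mu" will resolve to
/// a particular lock object at run-time.  Subsequent occurrences of the same
/// expression (where "same" means syntactic equality) will refer to the same
/// run-time object if three conditions hold:
/// (1) Local variables in the expression, such as "x" have not changed.
/// (2) Values on the heap that affect the expression have not changed.
/// (3) The expression involves only pure function calls.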
/// The current implementation assumes, but does not verify, that multiple uses
/// of the same lock expression satisfy these criteria.
///
/// Clang introduces an additional wrinkle, which is that it is difficult to
/// derive canonical expressions, or compare expressions directly for equality.
/// Thus, we identify a lock not by an Expr, but by the set of named
/// declarations that are referenced by the Expr.  In other words,
/// x->foo->bar.mu will be a four element vector with the Decls for
/// mu, bar, and foo, and x.  The vector will uniquely identify the expression
/// for all practical purposes.
///
/// Note we will need to perform substitution on "this" and function parameter
/// names when constructing a lock expression.
///
/// For example:
/// class C { Mutex Mu;  void lock() EXCLUSIVE_LOCK_FUNCTION(this->Mu); };
/// void myFunc(C *X) { ... X->lock() ... }
/// The original expression for the lock acquired by myFunc is "this->Mu", but
/// "X" is substituted for "this" so we get X->Mu.
///
/// For another example:
/// foo(MyList *L) EXCLUSIVE_LOCKS_REQUIRED(L->Mu) { ... }
/// MyList *MyL;
/// foo(MyL);  // requires lock MyL->Mu to be held
///
/// FIXME: In C++0x Mutexes are the objects that control access to shared
/// variables, while Locks are the objects that acquire and release Mutexes. We
/// may want to switch to this new terminology soon, in which case we should
/// rename this class "Mutex" and rename "LockId" to "MutexId", as well as
/// making sure that the terms Lock and Mutex throughout this code are
/// consistent with C++0x
///
/// FIXME: We should also pick one and canonicalize all usage of lock vs acquire
/// and unlock vs release as verbs.
class LockID {
  SmallVector<NamedDecl*, 2> DeclSeq;

  /// Fill DeclSeq from \p Exp: one member Decl per MemberExpr, walking through
  /// the bases, ending with the canonical Decl of the final DeclRefExpr.
  ///
  /// Any other expression form ends the compilation through
  /// llvm::report_fatal_error, so attribute arguments and implicit object
  /// expressions reaching this point must consist of those two node kinds only.
  void buildLock(Expr *Exp) {
    for (;;) {
      if (MemberExpr *ME = dyn_cast<MemberExpr>(Exp)) {
        NamedDecl *Member = ME->getMemberDecl();
        DeclSeq.push_back(Member);
        Exp = ME->getBase();
        continue;
      }

      if (DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(Exp)) {
        NamedDecl *Root = cast<NamedDecl>(DRE->getDecl()->getCanonicalDecl());
        DeclSeq.push_back(Root);
        return;
      }

      // FIXME: add diagnostic
      llvm::report_fatal_error("Expected lock expression!");
    }
  }

public:
  /// Build the identifier for the lock named by \p LExpr.
  LockID(Expr *LExpr) {
    buildLock(LExpr);
    assert(!DeclSeq.empty());
  }

  bool operator==(const LockID &other) const {
    return DeclSeq == other.DeclSeq;
  }

  bool operator!=(const LockID &other) const {
    return !(DeclSeq == other.DeclSeq);
  }

  // SmallVector overloads Operator< to do lexicographic ordering. Note that
  // we use pointer equality (and <) to compare NamedDecls. This means the order
  // of LockIDs in a lockset is nondeterministic. In order to output
  // diagnostics in a deterministic ordering, we must order all diagnostics to
  // output by SourceLocation when iterating through this lockset.
  bool operator<(const LockID &other) const {
    return DeclSeq < other.DeclSeq;
  }

  /// \brief Returns the name of the first Decl in the list for a given LockID;
  /// e.g. the lock expression foo.bar() has name "bar".
  /// The caret will point unambiguously to the lock expression, so using this
  /// name in diagnostics is a way to get simple, and consistent, lock names.
  /// We do not want to output the entire expression text for security reasons.
  StringRef getName() const {
    return DeclSeq.front()->getName();
  }

  /// Add every Decl pointer of the sequence, in order, to \p ID.
  void Profile(llvm::FoldingSetNodeID &ID) const {
    for (unsigned Idx = 0, Count = DeclSeq.size(); Idx != Count; ++Idx)
      ID.AddPointer(DeclSeq[Idx]);
  }
};

/// \brief This is a helper class that stores info about the most recent
/// acquire of a Lock.
///
/// The main body of the analysis maps LockIDs to LockDatas.
struct LockData {
  SourceLocation AcquireLoc;

  LockData(SourceLocation Loc) : AcquireLoc(Loc) {}

  bool operator==(const LockData &other) const {
    return AcquireLoc == other.AcquireLoc;
  }

  bool operator!=(const LockData &other) const {
    return !(AcquireLoc == other.AcquireLoc);
  }

  void Profile(llvm::FoldingSetNodeID &ID) const {
    ID.AddInteger(AcquireLoc.getRawEncoding());
  }
};

/// A Lockset maps each LockID (defined above) to information about how it has
/// been locked.
typedef llvm::ImmutableMap<LockID, LockData> Lockset;

/// \brief We use this class to visit different types of expressions in
/// CFGBlocks, and build up the lockset.
/// An expression may cause us to add or remove locks from the lockset, or else
/// output error messages related to missing locks.
/// FIXME: In future, we may be able to not inherit from a visitor.
class BuildLockset : public StmtVisitor<BuildLockset> {
  Sema &S;
  Lockset LSet;
  Lockset::Factory &LocksetFactory;

  // Helper functions
  void removeLock(SourceLocation UnlockLoc, Expr *LockExp);
  void addLock(SourceLocation LockLoc, Expr *LockExp);

public:
  /// \param LS the lockset to start from
  /// \param F  the factory used to derive every updated lockset
  BuildLockset(Sema &S, Lockset LS, Lockset::Factory &F)
    : StmtVisitor<BuildLockset>(), S(S), LSet(LS),
      LocksetFactory(F) {}

  /// \returns the lockset as it stands after the statements visited so far.
  Lockset getLockset() {
    return LSet;
  }

  void VisitDeclRefExpr(DeclRefExpr *Exp);
  void VisitCXXMemberCallExpr(CXXMemberCallExpr *Exp);
};

/// \brief Add a new lock to the lockset, warning if the lock is already there.
/// The entry is (re)written with \p LockLoc in either case.
/// \param LockLoc The source location of the acquire
/// \param LockExp The lock expression corresponding to the lock to be added
void BuildLockset::addLock(SourceLocation LockLoc, Expr *LockExp) {
  LockID Acquired(LockExp);

  const bool AlreadyHeld = LSet.contains(Acquired);
  if (AlreadyHeld)
    S.Diag(LockLoc, diag::warn_double_lock) << Acquired.getName();

  LSet = LocksetFactory.add(LSet, Acquired, LockData(LockLoc));
}

/// \brief Remove a lock from the lockset, warning if the lock is not there.
/// \param UnlockLoc The source location of the unlock (only used in error msg)
/// \param LockExp The lock expression corresponding to the lock to be removed
void BuildLockset::removeLock(SourceLocation UnlockLoc, Expr *LockExp) {
  LockID Released(LockExp);

  // Removing an absent key leaves the map equal to the old one, which is how
  // an unlock without a matching acquire is detected.
  Lockset Remaining = LocksetFactory.remove(LSet, Released);
  if (Remaining == LSet)
    S.Diag(UnlockLoc, diag::warn_unlock_but_no_acquire) << Released.getName();

  LSet = Remaining;
}

/// Placeholder: variable references are not checked yet.
void BuildLockset::VisitDeclRefExpr(DeclRefExpr *Exp) {
  // FIXME: checking for guarded_by/var and pt_guarded_by/var
}

/// \brief When visiting CXXMemberCallExprs we need to examine the attributes on
/// the method that is being called and add, remove or check locks in the
/// lockset accordingly.
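void BuildLockset::VisitCXXMemberCallExpr(CXXMemberCallExpr *Exp) {
  // The null check below shows that a missing callee declaration is expected
  // here.  dyn_cast<> must not be handed a null pointer, so use the
  // null-tolerant form to let that check actually be reached.
  NamedDecl *D = dyn_cast_or_null<NamedDecl>(Exp->getCalleeDecl());
  SourceLocation ExpLocation = Exp->getExprLoc();
  Expr *Parent = Exp->getImplicitObjectArgument();

  if (!D || !D->hasAttrs())
    return;

  // NOTE(review): addLock/removeLock build a LockID from the expression they
  // are given, and LockID::buildLock ends the compilation with
  // report_fatal_error for anything other than DeclRefExpr/MemberExpr chains.
  // Confirm that Parent and the attribute arguments are always of that shape.
  AttrVec &ArgAttrs = D->getAttrs();
  for (unsigned i = 0; i < ArgAttrs.size(); ++i) {
    Attr *A = ArgAttrs[i];
    switch (A->getKind()) {
      // When we encounter an exclusive lock function, we need to add the lock
      // to our lockset.
      case attr::ExclusiveLockFunction: {
        ExclusiveLockFunctionAttr *ELFAttr =
          cast<ExclusiveLockFunctionAttr>(A);

        if (ELFAttr->args_size() == 0) {// The lock held is the "this" object.
          addLock(ExpLocation, Parent);
          break;
        }

        for (ExclusiveLockFunctionAttr::args_iterator I = ELFAttr->args_begin(),
             E = ELFAttr->args_end(); I != E; ++I)
          addLock(ExpLocation, *I);
        // FIXME: acquired_after/acquired_before annotations
        break;
      }

      // When we encounter an unlock function, we need to remove unlocked locks
      // from the lockset, and flag a warning if they are not there.
      case attr::UnlockFunction: {
        UnlockFunctionAttr *UFAttr = cast<UnlockFunctionAttr>(A);

        if (UFAttr->args_size() == 0) { // The lock held is the "this" object.
          removeLock(ExpLocation, Parent);
          break;
        }

        for (UnlockFunctionAttr::args_iterator I = UFAttr->args_begin(),
             E = UFAttr->args_end(); I != E; ++I)
          removeLock(ExpLocation, *I);
        break;
      }

      // Ignore other (non thread-safety) attributes
      default:
        break;
    }
  }
}

/// A diagnostic held back until all warnings for one merge point are known,
/// paired with the location it will be reported at.
typedef std::pair<SourceLocation, PartialDiagnostic> DelayedDiag;
typedef llvm::SmallVector<DelayedDiag, 4> DiagList;

/// Orders delayed diagnostics by their position in the translation unit.
struct SortDiagBySourceLocation {
  Sema &S;

  SortDiagBySourceLocation(Sema &S) : S(S) {}

  bool operator()(const DelayedDiag &left, const DelayedDiag &right) {
    // Although this call will be slow, this is only called when outputting
    // multiple warnings.
    return S.getSourceManager().isBeforeInTranslationUnit(left.first,
                                                          right.first);
  }
};
} // end anonymous namespace

/// \brief Emit all buffered diagnostics in order of sourcelocation.
/// We need to output diagnostics produced while iterating through
/// the lockset in deterministic order, so this function orders diagnostics
/// and outputs them.  \p D is sorted in place.
static void EmitDiagnostics(Sema &S, DiagList &D) {
  SortDiagBySourceLocation SortDiagBySL(S);
  // Qualified like the other std::sort call in this file rather than relying
  // on argument-dependent lookup to find it.
  std::sort(D.begin(), D.end(), SortDiagBySL);
  for (DiagList::iterator I = D.begin(), E = D.end(); I != E; ++I)
    S.Diag(I->first, I->second);
}

/// \brief Compute the intersection of two locksets and issue warnings for any
/// locks in the symmetric difference.
///
/// This function is used at a merge point in the CFG when comparing the lockset
/// of each branch being merged. For example, given the following sequence:
/// A; if () then B; else C; D; we need to check that the lockset after B and C
/// are the same. In the event of a difference, we use the intersection of these
/// two locksets at the start of D.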
static Lockset intersectAndWarn(Sema &S, Lockset LSet1, Lockset LSet2,
                                Lockset::Factory &Fact) {
  DiagList Pending;
  Lockset Common = LSet1;

  // Locks held only on the second path: report them. They are not part of
  // Common (which starts as LSet1), so nothing has to be removed.
  for (Lockset::iterator It = LSet2.begin(), End = LSet2.end(); It != End;
       ++It) {
    if (LSet1.contains(It.getKey()))
      continue;
    const LockID &OnlyInSecond = It.getKey();
    const LockData &OnlyInSecondData = It.getData();
    PartialDiagnostic Diag =
      S.PDiag(diag::warn_lock_not_released_in_scope) << OnlyInSecond.getName();
    Pending.push_back(DelayedDiag(OnlyInSecondData.AcquireLoc, Diag));
  }

  // Locks held only on the first path: report them and drop them from the
  // result so that only locks common to both paths remain.
  for (Lockset::iterator It = LSet1.begin(), End = LSet1.end(); It != End;
       ++It) {
    if (LSet2.contains(It.getKey()))
      continue;
    const LockID &OnlyInFirst = It.getKey();
    const LockData &OnlyInFirstData = It.getData();
    PartialDiagnostic Diag =
      S.PDiag(diag::warn_lock_not_released_in_scope) << OnlyInFirst.getName();
    Pending.push_back(DelayedDiag(OnlyInFirstData.AcquireLoc, Diag));
    Common = Fact.remove(Common, OnlyInFirst);
  }

  // Warnings are reported at each lock's acquisition site, in source order.
  EmitDiagnostics(S, Pending);
  return Common;
}

/// \brief Returns the location of the first Stmt in a Block.
///
/// Elements of the block that are not CFGStmts are skipped. If the block holds
/// no CFGStmt at all, a default-constructed SourceLocation is returned.
static SourceLocation getFirstStmtLocation(CFGBlock *Block) {
  CFGBlock::const_iterator Cur = Block->begin();
  CFGBlock::const_iterator Last = Block->end();
  while (Cur != Last) {
    const CFGStmt *StmtElem = dyn_cast<CFGStmt>(&(*Cur));
    if (StmtElem)
      return StmtElem->getStmt()->getLocStart();
    ++Cur;
  }
  return SourceLocation();
}

/// \brief Warn about different locksets along backedges of loops.
/// This function is called when we encounter a back edge. At that point,
/// we need to verify that the lockset before taking the backedge is the
/// same as the lockset before entering the loop.
///
/// \param LoopEntrySet Locks held before starting the loop
/// \param LoopReentrySet Locks held in the last CFG block of the loop
/// \param FirstLocInLoop Location at which a lock that is expected to be held
/// on loop re-entry, but is not, gets reported. Must be valid.
static void warnBackEdgeUnequalLocksets(Sema &S, const Lockset LoopReentrySet,
                                        const Lockset LoopEntrySet,
                                        SourceLocation FirstLocInLoop) {
  // NOTE(review): the caller takes this location from getFirstStmtLocation,
  // which returns an invalid location for a block without any CFGStmt.
  // Confirm that such a block can never be the target of a back edge.
  assert(FirstLocInLoop.isValid());
  DiagList Pending;

  // Locks held when the loop was entered but no longer held when the back
  // edge is taken. These are reported at the first statement of the loop.
  for (Lockset::iterator It = LoopEntrySet.begin(), End = LoopEntrySet.end();
       It != End; ++It) {
    if (LoopReentrySet.contains(It.getKey()))
      continue;
    const LockID &Dropped = It.getKey();
    PartialDiagnostic Diag =
      S.PDiag(diag::warn_expecting_lock_held_on_loop) << Dropped.getName();
    Pending.push_back(DelayedDiag(FirstLocInLoop, Diag));
  }

  // Locks acquired inside the loop that are still held when the back edge is
  // taken. These are reported where the lock was acquired.
  for (Lockset::iterator It = LoopReentrySet.begin(),
       End = LoopReentrySet.end(); It != End; ++It) {
    if (LoopEntrySet.contains(It.getKey()))
      continue;
    const LockID &Leftover = It.getKey();
    const LockData &LeftoverData = It.getData();
    PartialDiagnostic Diag =
      S.PDiag(diag::warn_lock_not_released_in_scope) << Leftover.getName();
    Pending.push_back(DelayedDiag(LeftoverData.AcquireLoc, Diag));
  }

  EmitDiagnostics(S, Pending);
}

/// \brief Check a function's CFG for thread-safety violations.
///
/// We traverse the blocks in the CFG, compute the set of locks that are held
/// at the end of each block, and issue warnings for thread safety violations.
/// Each block in the CFG is traversed exactly once.
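static void checkThreadSafety(Sema &S, AnalysisContext &AC) {
  CFG *CFGraph = AC.getCFG();
  if (!CFGraph) return;

  // Name of the analyzed declaration, used only in the "locks not released"
  // warning at the end. NamedDecl::getName() is valid only for declarations
  // named by a plain identifier; constructors, destructors and operators have
  // none, so FunName stays empty for them instead of tripping the assertion
  // in getName().
  StringRef FunName;
  if (const NamedDecl *ContextDecl = dyn_cast<NamedDecl>(AC.getDecl()))
    if (ContextDecl->getIdentifier())
      FunName = ContextDecl->getName();

  Lockset::Factory LocksetFactory;

  // FIXME: Switch to SmallVector? Otherwise improve performance impact?
  std::vector<Lockset> EntryLocksets(CFGraph->getNumBlockIDs(),
                                     LocksetFactory.getEmptyMap());
  std::vector<Lockset> ExitLocksets(CFGraph->getNumBlockIDs(),
                                    LocksetFactory.getEmptyMap());

  // We need to explore the CFG via a "topological" ordering.
  // That way, we will be guaranteed to have information about required
  // predecessor locksets when exploring a new block.
  TopologicallySortedCFG SortedGraph(CFGraph);
  CFGBlockSet VisitedBlocks(CFGraph);

  for (TopologicallySortedCFG::iterator I = SortedGraph.begin(),
       E = SortedGraph.end(); I != E; ++I) {
    const CFGBlock *CurrBlock = *I;
    int CurrBlockID = CurrBlock->getBlockID();

    VisitedBlocks.insert(CurrBlock);

    // Use the default initial lockset in case there are no predecessors.
    Lockset &Entryset = EntryLocksets[CurrBlockID];
    Lockset &Exitset = ExitLocksets[CurrBlockID];

    // Iterate through the predecessor blocks and warn if the lockset for all
    // predecessors is not the same. We take the entry lockset of the current
    // block to be the intersection of all previous locksets.
    // FIXME: By keeping the intersection, we may output more errors in future
    // for a lock which is not in the intersection, but was in the union. We
    // may want to also keep the union in future. As an example, let's say
    // the intersection contains Lock L, and the union contains L and M.
    // Later we unlock M. At this point, we would output an error because we
    // never locked M; although the real error is probably that we forgot to
    // lock M on all code paths. Conversely, let's say that later we lock M.
    // In this case, we should compare against the intersection instead of the
    // union because the real error is probably that we forgot to unlock M on
    // all code paths.
    bool LocksetInitialized = false;
    for (CFGBlock::const_pred_iterator PI = CurrBlock->pred_begin(),
         PE = CurrBlock->pred_end(); PI != PE; ++PI) {

      // Skip null edge slots, and skip *PI -> CurrBlock when it is a back
      // edge (the predecessor has not been visited yet).
      if (!*PI || !VisitedBlocks.alreadySet(*PI))
        continue;

      int PrevBlockID = (*PI)->getBlockID();
      if (!LocksetInitialized) {
        Entryset = ExitLocksets[PrevBlockID];
        LocksetInitialized = true;
      } else {
        Entryset = intersectAndWarn(S, Entryset, ExitLocksets[PrevBlockID],
                                    LocksetFactory);
      }
    }

    // Walk the statements of the block, starting from the entry lockset, to
    // obtain the lockset held when the block is left.
    BuildLockset LocksetBuilder(S, Entryset, LocksetFactory);
    for (CFGBlock::const_iterator BI = CurrBlock->begin(),
         BE = CurrBlock->end(); BI != BE; ++BI) {
      if (const CFGStmt *CfgStmt = dyn_cast<CFGStmt>(&*BI)) {
        LocksetBuilder.Visit(const_cast<Stmt*>(CfgStmt->getStmt()));
      }
    }
    Exitset = LocksetBuilder.getLockset();

    // For every back edge from CurrBlock (the end of the loop) to another block
    // (FirstLoopBlock) we need to check that the Lockset of Block is equal to
    // the one held at the beginning of FirstLoopBlock. We can look up the
    // Lockset held at the beginning of FirstLoopBlock in the EntryLockSets map.
    for (CFGBlock::const_succ_iterator SI = CurrBlock->succ_begin(),
         SE = CurrBlock->succ_end(); SI != SE; ++SI) {

      // A successor slot is null where the CFG builder pruned a trivially
      // false edge (IssueWarnings sets PruneTriviallyFalseEdges). Such a slot
      // must not be handed to alreadySet or dereferenced below. Also skip
      // CurrBlock -> *SI when it is *not* a back edge.
      if (!*SI || !VisitedBlocks.alreadySet(*SI))
        continue;

      CFGBlock *FirstLoopBlock = *SI;
      SourceLocation FirstLoopLocation = getFirstStmtLocation(FirstLoopBlock);

      Lockset PreLoop = EntryLocksets[FirstLoopBlock->getBlockID()];
      Lockset LoopEnd = ExitLocksets[CurrBlockID];
      warnBackEdgeUnequalLocksets(S, LoopEnd, PreLoop, FirstLoopLocation);
    }
  }

  // Any lock still held at the exit block was never released on some path
  // through the function; report each one at its acquisition site.
  Lockset FinalLockset = ExitLocksets[CFGraph->getExit().getBlockID()];
  if (!FinalLockset.isEmpty()) {
    DiagList Warnings;
    for (Lockset::iterator I = FinalLockset.begin(), E = FinalLockset.end();
         I != E; ++I) {
      const LockID &MissingLock = I.getKey();
      const LockData &MissingLockData = I.getData();
      PartialDiagnostic Warning =
        S.PDiag(diag::warn_locks_not_released)
          << MissingLock.getName() << FunName;
      Warnings.push_back(DelayedDiag(MissingLockData.AcquireLoc, Warning));
    }
    EmitDiagnostics(S, Warnings);
  }
}


//===----------------------------------------------------------------------===//
// AnalysisBasedWarnings - Worker object used by Sema to execute analysis-based
// warnings on a function, method, or block.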
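//===----------------------------------------------------------------------===//

/// Default policy: only the missing-return check is enabled. The constructor
/// of AnalysisBasedWarnings below turns the other two checks on in its
/// DefaultPolicy when the corresponding diagnostics are not ignored.
clang::sema::AnalysisBasedWarnings::Policy::Policy() {
  enableCheckFallThrough = 1;
  enableCheckUnreachable = 0;
  enableThreadSafetyAnalysis = 0;
}

/// Zeroes the statistics counters and derives the default policy from the
/// current diagnostic levels.
clang::sema::AnalysisBasedWarnings::AnalysisBasedWarnings(Sema &s)
  : S(s),
    NumFunctionsAnalyzed(0),
    NumFunctionsWithBadCFGs(0),
    NumCFGBlocks(0),
    MaxCFGBlocksPerFunction(0),
    NumUninitAnalysisFunctions(0),
    NumUninitAnalysisVariables(0),
    MaxUninitAnalysisVariablesPerFunction(0),
    NumUninitAnalysisBlockVisits(0),
    MaxUninitAnalysisBlockVisitsPerFunction(0) {
  Diagnostic &D = S.getDiagnostics();
  DefaultPolicy.enableCheckUnreachable = (unsigned)
    (D.getDiagnosticLevel(diag::warn_unreachable, SourceLocation()) !=
        Diagnostic::Ignored);
  // The whole thread-safety analysis is keyed on warn_double_lock alone.
  // NOTE(review): if the other thread-safety diagnostics can be enabled
  // independently of warn_double_lock, they are silently skipped whenever it
  // is ignored. Confirm that they are always toggled together.
  DefaultPolicy.enableThreadSafetyAnalysis = (unsigned)
    (D.getDiagnosticLevel(diag::warn_double_lock, SourceLocation()) !=
     Diagnostic::Ignored);

}

/// Emit every delayed "possibly unreachable" diagnostic of the function scope
/// unconditionally, without consulting a CFG.
static void flushDiagnostics(Sema &S, sema::FunctionScopeInfo *fscope) {
  for (SmallVectorImpl<sema::PossiblyUnreachableDiag>::iterator
       i = fscope->PossiblyUnreachableDiags.begin(),
       e = fscope->PossiblyUnreachableDiags.end();
       i != e; ++i) {
    const sema::PossiblyUnreachableDiag &D = *i;
    S.Diag(D.Loc, D.PD);
  }
}

/// Run the analysis-based warnings selected by the policy on one function,
/// method, or block body.
///
/// \param P Which analyses to run.
/// \param fscope Function scope holding the delayed, possibly-unreachable
/// diagnostics for this body.
/// \param D The declaration whose body is analyzed. It is dereferenced
/// unconditionally and its body is asserted to be non-null.
/// \param blkExpr Forwarded to CheckFallThroughForBody.
void clang::sema::
AnalysisBasedWarnings::IssueWarnings(sema::AnalysisBasedWarnings::Policy P,
                                     sema::FunctionScopeInfo *fscope,
                                     const Decl *D, const BlockExpr *blkExpr) {

  Diagnostic &Diags = S.getDiagnostics();

  // Do not do any analysis for declarations in system headers if we are
  // going to just ignore them.
  if (Diags.getSuppressSystemWarnings() &&
      S.SourceMgr.isInSystemHeader(D->getLocation()))
    return;

  // For code in dependent contexts, we'll do this at instantiation time.
  if (cast<DeclContext>(D)->isDependentContext())
    return;

  // We avoid doing analysis-based warnings when there are errors for
  // two reasons:
  // (1) The CFGs often can't be constructed (if the body is invalid), so
  //     don't bother trying.
  // (2) The code already has problems; running the analysis just takes more
  //     time.
  if (Diags.hasErrorOccurred() || Diags.hasFatalErrorOccurred()) {
    // Flush out any possibly unreachable diagnostics.
    flushDiagnostics(S, fscope);
    return;
  }

  const Stmt *Body = D->getBody();
  assert(Body);

  AnalysisContext AC(D, 0);

  // Don't generate EH edges for CallExprs as we'd like to avoid the n^2
  // explosion for destructors that can result and the compile time hit.
  AC.getCFGBuildOptions().PruneTriviallyFalseEdges = true;
  AC.getCFGBuildOptions().AddEHEdges = false;
  AC.getCFGBuildOptions().AddInitializers = true;
  AC.getCFGBuildOptions().AddImplicitDtors = true;

  // Force that certain expressions appear as CFGElements in the CFG.  This
  // is used to speed up various analyses.
  // FIXME: This isn't the right factoring.  This is here for initial
  // prototyping, but we need a way for analyses to say what expressions they
  // expect to always be CFGElements and then fill in the BuildOptions
  // appropriately.  This is essentially a layering violation.
  if (P.enableCheckUnreachable) {
    // Unreachable code analysis requires a linearized CFG.
    AC.getCFGBuildOptions().setAllAlwaysAdd();
  }
  else {
    AC.getCFGBuildOptions()
      .setAlwaysAdd(Stmt::BinaryOperatorClass)
      .setAlwaysAdd(Stmt::BlockExprClass)
      .setAlwaysAdd(Stmt::CStyleCastExprClass)
      .setAlwaysAdd(Stmt::DeclRefExprClass)
      .setAlwaysAdd(Stmt::ImplicitCastExprClass)
      .setAlwaysAdd(Stmt::UnaryOperatorClass);
  }

  // Emit delayed diagnostics.
  if (!fscope->PossiblyUnreachableDiags.empty()) {
    bool analyzed = false;

    // Register the expressions with the CFGBuilder.
    for (SmallVectorImpl<sema::PossiblyUnreachableDiag>::iterator
         i = fscope->PossiblyUnreachableDiags.begin(),
         e = fscope->PossiblyUnreachableDiags.end();
         i != e; ++i) {
      if (const Stmt *stmt = i->stmt)
        AC.registerForcedBlockExpression(stmt);
    }

    if (AC.getCFG()) {
      analyzed = true;
      for (SmallVectorImpl<sema::PossiblyUnreachableDiag>::iterator
           i = fscope->PossiblyUnreachableDiags.begin(),
           e = fscope->PossiblyUnreachableDiags.end();
           i != e; ++i)
      {
        // Named Delayed rather than D so that it does not shadow the
        // declaration parameter.
        const sema::PossiblyUnreachableDiag &Delayed = *i;
        bool processed = false;
        if (const Stmt *stmt = i->stmt) {
          // A statement without a registered block is not asserted on. It
          // takes the "emit the warning anyway" path below, which exists for
          // exactly that case. Without this check a null block would reach
          // isReachable in builds that compile assertions out.
          const CFGBlock *block = AC.getBlockForRegisteredExpression(stmt);
          if (block) {
            if (CFGReverseBlockReachabilityAnalysis *cra =
                  AC.getCFGReachablityAnalysis()) {
              // Can this block be reached from the entrance?
              if (cra->isReachable(&AC.getCFG()->getEntry(), block))
                S.Diag(Delayed.Loc, Delayed.PD);
              processed = true;
            }
          }
        }
        if (!processed) {
          // Emit the warning anyway if we cannot map to a basic block.
          S.Diag(Delayed.Loc, Delayed.PD);
        }
      }
    }

    if (!analyzed)
      flushDiagnostics(S, fscope);
  }


  // Warning: check missing 'return'
  if (P.enableCheckFallThrough) {
    const CheckFallThroughDiagnostics &CD =
      (isa<BlockDecl>(D) ? CheckFallThroughDiagnostics::MakeForBlock()
                         : CheckFallThroughDiagnostics::MakeForFunction(D));
    CheckFallThroughForBody(S, D, Body, blkExpr, CD, AC);
  }

  // Warning: check for unreachable code
  if (P.enableCheckUnreachable)
    CheckUnreachable(S, AC);

  // Check for thread safety violations
  if (P.enableThreadSafetyAnalysis)
    checkThreadSafety(S, AC);

  // Uninitialized-variable analysis runs when either of its two warnings is
  // not ignored at the start of the declaration.
  if (Diags.getDiagnosticLevel(diag::warn_uninit_var, D->getLocStart())
      != Diagnostic::Ignored ||
      Diags.getDiagnosticLevel(diag::warn_maybe_uninit_var, D->getLocStart())
      != Diagnostic::Ignored) {
    if (CFG *cfg = AC.getCFG()) {
      UninitValsDiagReporter reporter(S);
      UninitVariablesAnalysisStats stats;
      std::memset(&stats, 0, sizeof(UninitVariablesAnalysisStats));
      runUninitializedVariablesAnalysis(*cast<DeclContext>(D), *cfg, AC,
                                        reporter, stats);

      if (S.CollectStats && stats.NumVariablesAnalyzed > 0) {
        ++NumUninitAnalysisFunctions;
        NumUninitAnalysisVariables += stats.NumVariablesAnalyzed;
        NumUninitAnalysisBlockVisits += stats.NumBlockVisits;
        MaxUninitAnalysisVariablesPerFunction =
            std::max(MaxUninitAnalysisVariablesPerFunction,
                     stats.NumVariablesAnalyzed);
        MaxUninitAnalysisBlockVisitsPerFunction =
            std::max(MaxUninitAnalysisBlockVisitsPerFunction,
                     stats.NumBlockVisits);
      }
    }
  }

  // Collect statistics about the CFG if it was built.
  if (S.CollectStats && AC.isCFGBuilt()) {
    ++NumFunctionsAnalyzed;
    if (CFG *cfg = AC.getCFG()) {
      // If we successfully built a CFG for this context, record some more
      // detail information about it.
      NumCFGBlocks += cfg->getNumBlockIDs();
      MaxCFGBlocksPerFunction = std::max(MaxCFGBlocksPerFunction,
                                         cfg->getNumBlockIDs());
    } else {
      ++NumFunctionsWithBadCFGs;
    }
  }
}

/// Print the counters gathered by IssueWarnings to llvm::errs(). Averages are
/// reported as 0 when their divisor is 0.
void clang::sema::AnalysisBasedWarnings::PrintStats() const {
  llvm::errs() << "\n*** Analysis Based Warnings Stats:\n";

  unsigned NumCFGsBuilt = NumFunctionsAnalyzed - NumFunctionsWithBadCFGs;
  unsigned AvgCFGBlocksPerFunction =
      !NumCFGsBuilt ? 0 : NumCFGBlocks/NumCFGsBuilt;
  llvm::errs() << NumFunctionsAnalyzed << " functions analyzed ("
               << NumFunctionsWithBadCFGs << " w/o CFGs).\n"
               << " " << NumCFGBlocks << " CFG blocks built.\n"
               << " " << AvgCFGBlocksPerFunction
               << " average CFG blocks per function.\n"
               << " " << MaxCFGBlocksPerFunction
               << " max CFG blocks per function.\n";

  unsigned AvgUninitVariablesPerFunction = !NumUninitAnalysisFunctions ? 0
      : NumUninitAnalysisVariables/NumUninitAnalysisFunctions;
  unsigned AvgUninitBlockVisitsPerFunction = !NumUninitAnalysisFunctions ? 0
      : NumUninitAnalysisBlockVisits/NumUninitAnalysisFunctions;
  llvm::errs() << NumUninitAnalysisFunctions
               << " functions analyzed for uninitialiazed variables\n"
               << " " << NumUninitAnalysisVariables << " variables analyzed.\n"
               << " " << AvgUninitVariablesPerFunction
               << " average variables per function.\n"
               << " " << MaxUninitAnalysisVariablesPerFunction
               << " max variables per function.\n"
               << " " << NumUninitAnalysisBlockVisits << " block visits.\n"
               << " " << AvgUninitBlockVisitsPerFunction
               << " average block visits per function.\n"
               << " " << MaxUninitAnalysisBlockVisitsPerFunction
               << " max block visits per function.\n";
}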