AnalysisBasedWarnings.cpp revision af37061fea31f3f1d0638edb5486e8d72c701522
1//=- AnalysisBasedWarnings.cpp - Sema warnings based on libAnalysis -*- C++ -*-=// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file defines analysis_warnings::[Policy,Executor]. 11// Together they are used by Sema to issue warnings based on inexpensive 12// static analysis algorithms in libAnalysis. 13// 14//===----------------------------------------------------------------------===// 15 16#include "clang/Sema/AnalysisBasedWarnings.h" 17#include "clang/Sema/SemaInternal.h" 18#include "clang/Sema/ScopeInfo.h" 19#include "clang/Basic/SourceManager.h" 20#include "clang/Lex/Preprocessor.h" 21#include "clang/AST/DeclObjC.h" 22#include "clang/AST/DeclCXX.h" 23#include "clang/AST/ExprObjC.h" 24#include "clang/AST/ExprCXX.h" 25#include "clang/AST/StmtObjC.h" 26#include "clang/AST/StmtCXX.h" 27#include "clang/AST/EvaluatedExprVisitor.h" 28#include "clang/AST/StmtVisitor.h" 29#include "clang/Analysis/AnalysisContext.h" 30#include "clang/Analysis/CFG.h" 31#include "clang/Analysis/Analyses/ReachableCode.h" 32#include "clang/Analysis/Analyses/CFGReachabilityAnalysis.h" 33#include "clang/Analysis/CFGStmtMap.h" 34#include "clang/Analysis/Analyses/UninitializedValues.h" 35#include "llvm/ADT/BitVector.h" 36#include "llvm/ADT/FoldingSet.h" 37#include "llvm/ADT/ImmutableMap.h" 38#include "llvm/ADT/PostOrderIterator.h" 39#include "llvm/ADT/SmallVector.h" 40#include "llvm/Support/Casting.h" 41#include <algorithm> 42#include <vector> 43 44using namespace clang; 45 46//===----------------------------------------------------------------------===// 47// Unreachable code analysis. 
//===----------------------------------------------------------------------===//

namespace {
  /// Callback that reports each unreachable-code finding handed to it as a
  /// warn_unreachable diagnostic on the owning Sema.
  class UnreachableCodeHandler : public reachable_code::Callback {
    Sema &S;
  public:
    UnreachableCodeHandler(Sema &s) : S(s) {}

    /// Emit warn_unreachable at \p L with \p R1 and \p R2 attached as the
    /// highlighted source ranges.
    void HandleUnreachable(SourceLocation L, SourceRange R1, SourceRange R2) {
      S.Diag(L, diag::warn_unreachable) << R1 << R2;
    }
  };
}

/// CheckUnreachable - Check for unreachable code.
static void CheckUnreachable(Sema &S, AnalysisContext &AC) {
  UnreachableCodeHandler UC(S);
  reachable_code::FindUnreachableCode(AC, UC);
}

//===----------------------------------------------------------------------===//
// Check for missing return value.
//===----------------------------------------------------------------------===//

/// Classification produced by CheckFallThrough for one analyzed body.
enum ControlFlowKind {
  UnknownFallThrough,       // No CFG was available.
  NeverFallThrough,         // No plain edge into the exit, but a live return.
  MaybeFallThrough,         // A plain edge plus a return/fake/abnormal edge.
  AlwaysFallThrough,        // Only plain edges reach the exit.
  NeverFallThroughOrReturn  // No plain edge into the exit and no live return.
};

/// CheckFallThrough - Check that we don't fall off the end of a
/// Statement that should return a value.
///
/// \returns AlwaysFallThrough iff we always fall off the end of the statement,
/// MaybeFallThrough iff we might or might not fall off the end,
/// NeverFallThroughOrReturn iff we never fall off the end of the statement or
/// return.  We assume NeverFallThrough iff we never fall off the end of the
/// statement but we may return.  We assume that functions not marked noreturn
/// will return.  UnknownFallThrough is returned when no CFG is available.
static ControlFlowKind CheckFallThrough(AnalysisContext &AC) {
  CFG *cfg = AC.getCFG();
  if (cfg == 0) return UnknownFallThrough;

  // The CFG leaves in dead things, and we don't want the dead code paths to
  // confuse us, so we mark all live things first.
  llvm::BitVector live(cfg->getNumBlockIDs());
  unsigned count = reachable_code::ScanReachableFromBlock(&cfg->getEntry(),
                                                          live);

  bool AddEHEdges = AC.getAddEHEdges();
  if (!AddEHEdges && count != cfg->getNumBlockIDs())
    // When there are things remaining dead, and we didn't add EH edges
    // from CallExprs to the catch clauses, we have to go back and
    // mark them as live.
    for (CFG::iterator I = cfg->begin(), E = cfg->end(); I != E; ++I) {
      CFGBlock &b = **I;
      if (!live[b.getBlockID()]) {
        if (b.pred_begin() == b.pred_end()) {
          if (b.getTerminator() && isa<CXXTryStmt>(b.getTerminator()))
            // When not adding EH edges from calls, catch clauses
            // can otherwise seem dead.  Avoid noting them as dead.
            count += reachable_code::ScanReachableFromBlock(&b, live);
          continue;
        }
      }
    }

  // Now we know what is live, we check the live predecessors of the exit block
  // and look for fall through paths, being careful to ignore normal returns,
  // and exceptional paths.
  bool HasLiveReturn = false;
  bool HasFakeEdge = false;
  bool HasPlainEdge = false;
  bool HasAbnormalEdge = false;

  // Ignore default cases that aren't likely to be reachable because all
  // enums in a switch(X) have explicit case statements.
  CFGBlock::FilterOptions FO;
  FO.IgnoreDefaultsWithCoveredEnums = 1;

  for (CFGBlock::filtered_pred_iterator
         I = cfg->getExit().filtered_pred_start_end(FO); I.hasMore(); ++I) {
    const CFGBlock& B = **I;
    if (!live[B.getBlockID()])
      continue;

    // Destructors can appear after the 'return' in the CFG.  This is
    // normal.  We need to look past the destructors for the return
    // statement (if it exists).
    CFGBlock::const_reverse_iterator ri = B.rbegin(), re = B.rend();
    bool hasNoReturnDtor = false;

    // Walk the block backwards until the last CFGStmt or a noreturn
    // implicit destructor is found.
    for ( ; ri != re ; ++ri) {
      CFGElement CE = *ri;

      // FIXME: The right solution is to just sever the edges in the
      // CFG itself.
      if (const CFGImplicitDtor *iDtor = ri->getAs<CFGImplicitDtor>())
        if (iDtor->isNoReturn(AC.getASTContext())) {
          hasNoReturnDtor = true;
          HasFakeEdge = true;
          break;
        }

      if (isa<CFGStmt>(CE))
        break;
    }

    if (hasNoReturnDtor)
      continue;

    // No more CFGElements in the block?
    if (ri == re) {
      if (B.getTerminator() && isa<CXXTryStmt>(B.getTerminator())) {
        HasAbnormalEdge = true;
        continue;
      }
      // A labeled empty statement, or the entry block...
      HasPlainEdge = true;
      continue;
    }

    // ri now points at the last statement element of the block; classify the
    // edge into the exit block by the kind of that statement.
    CFGStmt CS = cast<CFGStmt>(*ri);
    const Stmt *S = CS.getStmt();
    if (isa<ReturnStmt>(S)) {
      HasLiveReturn = true;
      continue;
    }
    if (isa<ObjCAtThrowStmt>(S)) {
      HasFakeEdge = true;
      continue;
    }
    if (isa<CXXThrowExpr>(S)) {
      HasFakeEdge = true;
      continue;
    }
    if (const AsmStmt *AS = dyn_cast<AsmStmt>(S)) {
      // MS-style inline asm is counted both as a fake edge and as a live
      // return, so it never contributes a plain fall-through edge.
      if (AS->isMSAsm()) {
        HasFakeEdge = true;
        HasLiveReturn = true;
        continue;
      }
    }
    if (isa<CXXTryStmt>(S)) {
      HasAbnormalEdge = true;
      continue;
    }

    bool NoReturnEdge = false;
    if (const CallExpr *C = dyn_cast<CallExpr>(S)) {
      // A call whose block does not list the exit block among its successors
      // is treated as an abnormal edge.
      if (std::find(B.succ_begin(), B.succ_end(), &cfg->getExit())
            == B.succ_end()) {
        HasAbnormalEdge = true;
        continue;
      }
      const Expr *CEE = C->getCallee()->IgnoreParenCasts();
      QualType calleeType = CEE->getType();
      if (calleeType == AC.getASTContext().BoundMemberTy) {
        calleeType = Expr::findBoundMemberType(CEE);
        assert(!calleeType.isNull() && "analyzing unresolved call?");
      }
      // noreturn is recognized either on the callee's function type or as an
      // attribute on the directly referenced declaration.
      if (getFunctionExtInfo(calleeType).getNoReturn()) {
        NoReturnEdge = true;
        HasFakeEdge = true;
      } else if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(CEE)) {
        const ValueDecl *VD = DRE->getDecl();
        if (VD->hasAttr<NoReturnAttr>()) {
          NoReturnEdge = true;
          HasFakeEdge = true;
        }
      }
    }
    // FIXME: Add noreturn message sends.
    if (NoReturnEdge == false)
      HasPlainEdge = true;
  }
  if (!HasPlainEdge) {
    if (HasLiveReturn)
      return NeverFallThrough;
    return NeverFallThroughOrReturn;
  }
  if (HasAbnormalEdge || HasFakeEdge || HasLiveReturn)
    return MaybeFallThrough;
  // This says AlwaysFallThrough for calls to functions that are not marked
  // noreturn, that don't return.  If people would like this warning to be more
  // accurate, such functions should be marked as noreturn.
  return AlwaysFallThrough;
}

namespace {

/// Bundle of diagnostic IDs used when reporting fall-through results, with
/// one preset for functions (warnings) and one for blocks (mostly errors).
struct CheckFallThroughDiagnostics {
  unsigned diag_MaybeFallThrough_HasNoReturn;
  unsigned diag_MaybeFallThrough_ReturnsNonVoid;
  unsigned diag_AlwaysFallThrough_HasNoReturn;
  unsigned diag_AlwaysFallThrough_ReturnsNonVoid;
  // 0 means "do not suggest noreturn" (see MakeForFunction).
  unsigned diag_NeverFallThroughOrReturn;
  // True for the function preset, false for the block preset.
  bool funMode;
  // Location used when querying diagnostic levels; only MakeForFunction
  // assigns it.
  SourceLocation FuncLoc;

  /// Build the preset for a function or method declaration \p Func.
  static CheckFallThroughDiagnostics MakeForFunction(const Decl *Func) {
    CheckFallThroughDiagnostics D;
    D.FuncLoc = Func->getLocation();
    D.diag_MaybeFallThrough_HasNoReturn =
      diag::warn_falloff_noreturn_function;
    D.diag_MaybeFallThrough_ReturnsNonVoid =
      diag::warn_maybe_falloff_nonvoid_function;
    D.diag_AlwaysFallThrough_HasNoReturn =
      diag::warn_falloff_noreturn_function;
    D.diag_AlwaysFallThrough_ReturnsNonVoid =
      diag::warn_falloff_nonvoid_function;

    // Don't suggest that virtual functions be marked "noreturn", since they
    // might be overridden by non-noreturn functions.
    bool isVirtualMethod = false;
    if (const CXXMethodDecl *Method = dyn_cast<CXXMethodDecl>(Func))
      isVirtualMethod = Method->isVirtual();

    if (!isVirtualMethod)
      D.diag_NeverFallThroughOrReturn =
        diag::warn_suggest_noreturn_function;
    else
      D.diag_NeverFallThroughOrReturn = 0;

    D.funMode = true;
    return D;
  }

  /// Build the preset for a block literal.  FuncLoc is left
  /// default-constructed here.
  static CheckFallThroughDiagnostics MakeForBlock() {
    CheckFallThroughDiagnostics D;
    D.diag_MaybeFallThrough_HasNoReturn =
      diag::err_noreturn_block_has_return_expr;
    D.diag_MaybeFallThrough_ReturnsNonVoid =
      diag::err_maybe_falloff_nonvoid_block;
    D.diag_AlwaysFallThrough_HasNoReturn =
      diag::err_noreturn_block_has_return_expr;
    D.diag_AlwaysFallThrough_ReturnsNonVoid =
      diag::err_falloff_nonvoid_block;
    D.diag_NeverFallThroughOrReturn =
      diag::warn_suggest_noreturn_block;
    D.funMode = false;
    return D;
  }

  /// Returns true when the caller may skip the fall-through analysis: in
  /// function mode, when every diagnostic that could apply to this
  /// ReturnsVoid/HasNoReturn combination is at level Ignored.
  bool checkDiagnostics(Diagnostic &D, bool ReturnsVoid,
                        bool HasNoReturn) const {
    if (funMode) {
      // NOTE(review): the third clause queries warn_suggest_noreturn_block
      // even in function mode, although MakeForFunction installs
      // warn_suggest_noreturn_function -- confirm this is intended.
      return (ReturnsVoid ||
              D.getDiagnosticLevel(diag::warn_maybe_falloff_nonvoid_function,
                                   FuncLoc) == Diagnostic::Ignored)
        && (!HasNoReturn ||
            D.getDiagnosticLevel(diag::warn_noreturn_function_has_return_expr,
                                 FuncLoc) == Diagnostic::Ignored)
        && (!ReturnsVoid ||
            D.getDiagnosticLevel(diag::warn_suggest_noreturn_block, FuncLoc)
              == Diagnostic::Ignored);
    }

    // For blocks.
    return  ReturnsVoid && !HasNoReturn
            && (!ReturnsVoid ||
                D.getDiagnosticLevel(diag::warn_suggest_noreturn_block, FuncLoc)
                  == Diagnostic::Ignored);
  }
};

}

/// CheckFallThroughForFunctionDef - Check that we don't fall off the end of a
/// function that should return a value.  Check that we don't fall off the end
/// of a noreturn function.  We assume that functions and blocks not marked
/// noreturn will return.
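static void CheckFallThroughForBody(Sema &S, const Decl *D, const Stmt *Body,
                                    const BlockExpr *blkExpr,
                                    const CheckFallThroughDiagnostics& CD,
                                    AnalysisContext &AC) {

  bool ReturnsVoid = false;
  bool HasNoReturn = false;

  // Derive "returns void" and "declared noreturn" from whichever kind of
  // declaration owns the body.
  if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D)) {
    ReturnsVoid = FD->getResultType()->isVoidType();
    HasNoReturn = FD->hasAttr<NoReturnAttr>() ||
       FD->getType()->getAs<FunctionType>()->getNoReturnAttr();
  }
  else if (const ObjCMethodDecl *MD = dyn_cast<ObjCMethodDecl>(D)) {
    ReturnsVoid = MD->getResultType()->isVoidType();
    HasNoReturn = MD->hasAttr<NoReturnAttr>();
  }
  else if (isa<BlockDecl>(D)) {
    // blkExpr is dereferenced unconditionally on this path, so callers must
    // pass a non-null BlockExpr whenever D is a BlockDecl.
    QualType BlockTy = blkExpr->getType();
    if (const FunctionType *FT =
          BlockTy->getPointeeType()->getAs<FunctionType>()) {
      if (FT->getResultType()->isVoidType())
        ReturnsVoid = true;
      if (FT->getNoReturnAttr())
        HasNoReturn = true;
    }
  }

  Diagnostic &Diags = S.getDiagnostics();

  // Short circuit for compilation speed.
  if (CD.checkDiagnostics(Diags, ReturnsVoid, HasNoReturn))
      return;

  // FIXME: Function try block
  if (const CompoundStmt *Compound = dyn_cast<CompoundStmt>(Body)) {
    switch (CheckFallThrough(AC)) {
      case UnknownFallThrough:
        break;

      case MaybeFallThrough:
        if (HasNoReturn)
          S.Diag(Compound->getRBracLoc(),
                 CD.diag_MaybeFallThrough_HasNoReturn);
        else if (!ReturnsVoid)
          S.Diag(Compound->getRBracLoc(),
                 CD.diag_MaybeFallThrough_ReturnsNonVoid);
        break;
      case AlwaysFallThrough:
        if (HasNoReturn)
          S.Diag(Compound->getRBracLoc(),
                 CD.diag_AlwaysFallThrough_HasNoReturn);
        else if (!ReturnsVoid)
          S.Diag(Compound->getRBracLoc(),
                 CD.diag_AlwaysFallThrough_ReturnsNonVoid);
        break;
      case NeverFallThroughOrReturn:
        // Suggest noreturn only for void, not-yet-noreturn bodies, and only
        // when the preset provides a diagnostic ID (0 disables it).
        if (ReturnsVoid && !HasNoReturn && CD.diag_NeverFallThroughOrReturn) {
          if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D)) {
            S.Diag(Compound->getLBracLoc(), CD.diag_NeverFallThroughOrReturn)
              << FD;
          } else {
            S.Diag(Compound->getLBracLoc(), CD.diag_NeverFallThroughOrReturn);
          }
        }
        break;
      case NeverFallThrough:
        break;
    }
  }
}

//===----------------------------------------------------------------------===//
// -Wuninitialized
//===----------------------------------------------------------------------===//

namespace {
/// ContainsReference - A visitor class to search for references to
/// a particular declaration (the needle) within any evaluated component of an
/// expression (recursively).
class ContainsReference : public EvaluatedExprVisitor<ContainsReference> {
  bool FoundReference;
  const DeclRefExpr *Needle;

public:
  ContainsReference(ASTContext &Context, const DeclRefExpr *Needle)
    : EvaluatedExprVisitor<ContainsReference>(Context),
      FoundReference(false), Needle(Needle) {}

  void VisitExpr(Expr *E) {
    // Stop evaluating if we already have a reference.
    if (FoundReference)
      return;

    EvaluatedExprVisitor<ContainsReference>::VisitExpr(E);
  }

  /// Matches by node identity: only the exact DeclRefExpr passed as the needle
  /// counts, not other references to the same declaration.
  void VisitDeclRefExpr(DeclRefExpr *E) {
    if (E == Needle)
      FoundReference = true;
    else
      EvaluatedExprVisitor<ContainsReference>::VisitDeclRefExpr(E);
  }

  bool doesContainReference() const { return FoundReference; }
};
}

/// DiagnoseUninitializedUse -- Helper function for diagnosing uses of an
/// uninitialized variable. This manages the different forms of diagnostic
/// emitted for particular types of uses. Returns true if the use was diagnosed
/// as a warning. If a particular use is one we omit warnings for, returns
/// false.
///
/// \param E Either the DeclRefExpr that uses \p VD or the BlockExpr that
///          captures it; any other expression kind fails the cast<> below.
static bool DiagnoseUninitializedUse(Sema &S, const VarDecl *VD,
                                     const Expr *E, bool isAlwaysUninit) {
  bool isSelfInit = false;

  if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) {
    if (isAlwaysUninit) {
      // Inspect the initializer of the variable declaration which is
      // being referenced prior to its initialization. We emit
      // specialized diagnostics for self-initialization, and we
      // specifically avoid warning about self references which take the
      // form of:
      //
      //   int x = x;
      //
      // This is used to indicate to GCC that 'x' is intentionally left
      // uninitialized. Proven code paths which access 'x' in
      // an uninitialized state after this will still warn.
      //
      // TODO: Should we suppress maybe-uninitialized warnings for
      // variables initialized in this way?
      if (const Expr *Initializer = VD->getInit()) {
        if (DRE == Initializer->IgnoreParenImpCasts())
          return false;

        ContainsReference CR(S.Context, DRE);
        CR.Visit(const_cast<Expr*>(Initializer));
        isSelfInit = CR.doesContainReference();
      }
      if (isSelfInit) {
        S.Diag(DRE->getLocStart(),
               diag::warn_uninit_self_reference_in_init)
        << VD->getDeclName() << VD->getLocation() << DRE->getSourceRange();
      } else {
        S.Diag(DRE->getLocStart(), diag::warn_uninit_var)
          << VD->getDeclName() << DRE->getSourceRange();
      }
    } else {
      S.Diag(DRE->getLocStart(), diag::warn_maybe_uninit_var)
        << VD->getDeclName() << DRE->getSourceRange();
    }
  } else {
    const BlockExpr *BE = cast<BlockExpr>(E);
    S.Diag(BE->getLocStart(),
           isAlwaysUninit ? diag::warn_uninit_var_captured_by_block
                          : diag::warn_maybe_uninit_var_captured_by_block)
      << VD->getDeclName();
  }

  // Report where the variable was declared when the use wasn't within
  // the initializer of that declaration.
  if (!isSelfInit)
    S.Diag(VD->getLocStart(), diag::note_uninit_var_def)
      << VD->getDeclName();

  return true;
}

/// Attach a fix-it note that appends a zero-like initializer to the
/// declaration of \p VD.  The inserted text is always one of the fixed
/// literals below, chosen from the canonical type of the variable; nothing is
/// suggested for enums, for non-scalar types, or when an initializer exists.
static void SuggestInitializationFixit(Sema &S, const VarDecl *VD) {
  // Don't issue a fixit if there is already an initializer.
  if (VD->getInit())
    return;

  // Suggest possible initialization (if any).
  const char *initialization = 0;
  QualType VariableTy = VD->getType().getCanonicalType();

  if (VariableTy->isObjCObjectPointerType() ||
      VariableTy->isBlockPointerType()) {
    // Check if 'nil' is defined.
    if (S.PP.getMacroInfo(&S.getASTContext().Idents.get("nil")))
      initialization = " = nil";
    else
      initialization = " = 0";
  }
  else if (VariableTy->isRealFloatingType())
    initialization = " = 0.0";
  else if (VariableTy->isBooleanType() && S.Context.getLangOptions().CPlusPlus)
    initialization = " = false";
  else if (VariableTy->isEnumeralType())
    return;
  else if (VariableTy->isPointerType() || VariableTy->isMemberPointerType()) {
    if (S.Context.getLangOptions().CPlusPlus0x)
      initialization = " = nullptr";
    // Check if 'NULL' is defined.
    else if (S.PP.getMacroInfo(&S.getASTContext().Idents.get("NULL")))
      initialization = " = NULL";
    else
      initialization = " = 0";
  }
  else if (VariableTy->isScalarType())
    initialization = " = 0";

  if (initialization) {
    SourceLocation loc = S.PP.getLocForEndOfToken(VD->getLocEnd());
    S.Diag(loc, diag::note_var_fixit_add_initialization)
      << FixItHint::CreateInsertion(loc, initialization);
  }
}

/// One recorded use: the using expression and whether the variable is
/// always (true) or only possibly (false) uninitialized there.
typedef std::pair<const Expr*, bool> UninitUse;

namespace {
/// Orders recorded uses by the raw encoding of their start location.
struct SLocSort {
  bool operator()(const UninitUse &a, const UninitUse &b) {
    SourceLocation aLoc = a.first->getLocStart();
    SourceLocation bLoc = b.first->getLocStart();
    return aLoc.getRawEncoding() < bLoc.getRawEncoding();
  }
};

/// Collects uses of uninitialized variables reported by the analysis and
/// emits them, grouped per variable, when flushed or destroyed.
///
/// The object owns the lazily allocated map and every per-variable vector
/// through raw pointers.  The implicit copy operations would share those
/// pointers and free them twice, so instances must not be copied.
class UninitValsDiagReporter : public UninitVariablesHandler {
  Sema &S;
  typedef SmallVector<UninitUse, 2> UsesVec;
  typedef llvm::DenseMap<const VarDecl *, UsesVec*> UsesMap;
  UsesMap *uses;

public:
  UninitValsDiagReporter(Sema &S) : S(S), uses(0) {}
  ~UninitValsDiagReporter() {
    flushDiagnostics();
  }

  /// Record that \p ex uses \p vd while it is (always or maybe)
  /// uninitialized.  Nothing is diagnosed until flushDiagnostics() runs.
  void handleUseOfUninitVariable(const Expr *ex, const VarDecl *vd,
                                 bool isAlwaysUninit) {
    if (!uses)
      uses = new UsesMap();

    UsesVec *&vec = (*uses)[vd];
    if (!vec)
      vec = new UsesVec();

    vec->push_back(std::make_pair(ex, isAlwaysUninit));
  }

  /// Emit the pending diagnostics and release all recorded uses.  Safe to
  /// call more than once; later calls (including the one made by the
  /// destructor) are no-ops until new uses are recorded.
  void flushDiagnostics() {
    if (!uses)
      return;

    for (UsesMap::iterator i = uses->begin(), e = uses->end(); i != e; ++i) {
      const VarDecl *vd = i->first;
      UsesVec *vec = i->second;

      // Sort the uses by their SourceLocations.  While not strictly
      // guaranteed to produce them in line/column order, this will provide
      // a stable ordering.
      std::sort(vec->begin(), vec->end(), SLocSort());

      for (UsesVec::iterator vi = vec->begin(), ve = vec->end(); vi != ve;
           ++vi) {
        if (!DiagnoseUninitializedUse(S, vd, vi->first,
                                      /*isAlwaysUninit=*/vi->second))
          continue;

        SuggestInitializationFixit(S, vd);

        // Skip further diagnostics for this variable. We try to warn only on
        // the first point at which a variable is used uninitialized.
        break;
      }

      delete vec;
    }
    delete uses;
    // Drop the dangling pointer.  flushDiagnostics() is public and is also
    // run by the destructor; without this reset an explicit flush followed
    // by destruction would walk and delete the freed map a second time.
    uses = 0;
  }
};
}


//===----------------------------------------------------------------------===//
// -Wthread-safety
//===----------------------------------------------------------------------===//

namespace {
/// \brief Implements a set of CFGBlocks using a BitVector.
///
/// This class contains a minimal interface, primarily dictated by the SetType
/// template parameter of the llvm::po_iterator template, as used with external
/// storage. We also use this set to keep track of which CFGBlocks we visit
/// during the analysis.
class CFGBlockSet {
  llvm::BitVector VisitedBlockIDs;

public:
  // po_iterator requires this iterator, but the only interface needed is the
  // value_type typedef.
  struct iterator {
    typedef const CFGBlock *value_type;
  };

  CFGBlockSet() {}
  CFGBlockSet(const CFG *G) : VisitedBlockIDs(G->getNumBlockIDs(), false) {}

  /// \brief Set the bit associated with a particular CFGBlock.
  /// This is the important method for the SetType template parameter.
  /// \returns true if \p Block was newly inserted, false if it is null or
  /// was already present.
  bool insert(const CFGBlock *Block) {
    // Note that insert() is called by po_iterator, which doesn't check to make
    // sure that Block is non-null.  Moreover, the CFGBlock iterator will
    // occasionally hand out null pointers for pruned edges, so we catch those
    // here.
    if (Block == 0)
      return false;  // if an edge is trivially false.
    if (VisitedBlockIDs.test(Block->getBlockID()))
      return false;
    VisitedBlockIDs.set(Block->getBlockID());
    return true;
  }

  /// \brief Check if the bit for a CFGBlock has been already set.
  /// This method is for tracking visited blocks in the main threadsafety loop.
  /// Block must not be null.
  bool alreadySet(const CFGBlock *Block) {
    return VisitedBlockIDs.test(Block->getBlockID());
  }
};

/// \brief We create a helper class which we use to iterate through CFGBlocks in
/// the topological order.
class TopologicallySortedCFG {
  typedef llvm::po_iterator<const CFG*, CFGBlockSet, true>  po_iterator;

  // Blocks in post-order; begin()/end() iterate this in reverse.
  std::vector<const CFGBlock*> Blocks;

public:
  typedef std::vector<const CFGBlock*>::reverse_iterator iterator;

  TopologicallySortedCFG(const CFG *CFGraph) {
    Blocks.reserve(CFGraph->getNumBlockIDs());
    CFGBlockSet BSet(CFGraph);

    for (po_iterator I = po_iterator::begin(CFGraph, BSet),
         E = po_iterator::end(CFGraph, BSet); I != E; ++I) {
      Blocks.push_back(*I);
    }
  }

  iterator begin() {
    return Blocks.rbegin();
  }

  iterator end() {
    return Blocks.rend();
  }
};

/// \brief A LockID object uniquely identifies a particular lock acquired, and
/// is built from an Expr* (i.e. calling a lock function).
///
/// Thread-safety analysis works by comparing lock expressions.  Within the
/// body of a function, an expression such as "x->foo->bar.mu" will resolve to
/// a particular lock object at run-time.  Subsequent occurrences of the same
/// expression (where "same" means syntactic equality) will refer to the same
/// run-time object if three conditions hold:
/// (1) Local variables in the expression, such as "x" have not changed.
/// (2) Values on the heap that affect the expression have not changed.
/// (3) The expression involves only pure function calls.
/// The current implementation assumes, but does not verify, that multiple uses
/// of the same lock expression satisfies these criteria.
///
/// Clang introduces an additional wrinkle, which is that it is difficult to
/// derive canonical expressions, or compare expressions directly for equality.
/// Thus, we identify a lock not by an Expr, but by the set of named
/// declarations that are referenced by the Expr.  In other words,
/// x->foo->bar.mu will be a four element vector with the Decls for
/// mu, bar, and foo, and x.  The vector will uniquely identify the expression
/// for all practical purposes.
///
/// Note we will need to perform substitution on "this" and function parameter
/// names when constructing a lock expression.
///
/// For example:
/// class C { Mutex Mu;  void lock() EXCLUSIVE_LOCK_FUNCTION(this->Mu); };
/// void myFunc(C *X) { ... X->lock() ... }
/// The original expression for the lock acquired by myFunc is "this->Mu", but
/// "X" is substituted for "this" so we get X->Mu();
///
/// For another example:
/// foo(MyList *L) EXCLUSIVE_LOCKS_REQUIRED(L->Mu) { ... }
/// MyList *MyL;
/// foo(MyL);  // requires lock MyL->Mu to be held
///
/// FIXME: In C++0x Mutexes are the objects that control access to shared
/// variables, while Locks are the objects that acquire and release Mutexes. We
/// may want to switch to this new terminology soon, in which case we should
/// rename this class "Mutex" and rename "LockId" to "MutexId", as well as
/// making sure that the terms Lock and Mutex throughout this code are
/// consistent with C++0x
///
/// FIXME: We should also pick one and canonicalize all usage of lock vs acquire
/// and unlock vs release as verbs.
class LockID {
  SmallVector<NamedDecl*, 2> DeclSeq;

  /// Build a Decl sequence representing the lock from the given expression.
  /// Recursive function that bottoms out when the final DeclRefExpr is reached.
  ///
  /// The expressions handled here come from attribute arguments written in
  /// the code being compiled (see the GuardedBy / PtGuardedBy uses in
  /// checkAccess and checkDereference).  Any expression form other than a
  /// DeclRefExpr, MemberExpr or CXXThisExpr ends the whole compilation via
  /// report_fatal_error instead of producing a diagnostic.
  void buildLock(Expr *Exp) {
    if (DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(Exp)) {
      NamedDecl *ND = cast<NamedDecl>(DRE->getDecl()->getCanonicalDecl());
      DeclSeq.push_back(ND);
    } else if (MemberExpr *ME = dyn_cast<MemberExpr>(Exp)) {
      NamedDecl *ND = ME->getMemberDecl();
      DeclSeq.push_back(ND);
      buildLock(ME->getBase());
    } else if (isa<CXXThisExpr>(Exp)) {
      // 'this' contributes no Decl; the sequence ends here.
      return;
    } else {
      // FIXME: add diagnostic
      llvm::report_fatal_error("Expected lock expression!");
    }
  }

public:
  /// NOTE(review): a bare 'this' expression leaves DeclSeq empty, because
  /// buildLock() returns for CXXThisExpr without pushing anything.  That
  /// trips the assert below; in builds where assert is compiled out,
  /// getName() would then call front() on an empty vector.  Confirm that no
  /// caller can pass a bare 'this'.
  LockID(Expr *LExpr) {
    buildLock(LExpr);
    assert(!DeclSeq.empty());
  }

  bool operator==(const LockID &other) const {
    return DeclSeq == other.DeclSeq;
  }

  bool operator!=(const LockID &other) const {
    return !(*this == other);
  }

  // SmallVector overloads Operator< to do lexicographic ordering. Note that
  // we use pointer equality (and <) to compare NamedDecls. This means the order
  // of LockIDs in a lockset is nondeterministic. In order to output
  // diagnostics in a deterministic ordering, we must order all diagnostics to
  // output by SourceLocation when iterating through this lockset.
  bool operator<(const LockID &other) const {
    return DeclSeq < other.DeclSeq;
  }

  /// \brief Returns the name of the first Decl in the list for a given LockID;
  /// e.g. the lock expression foo.bar() has name "bar".
  /// The caret will point unambiguously to the lock expression, so using this
  /// name in diagnostics is a way to get simple, and consistent, lock names.
  /// We do not want to output the entire expression text for security reasons.
  /// Requires a non-empty DeclSeq (see the constructor).
  StringRef getName() const {
    return DeclSeq.front()->getName();
  }

  /// Feed every Decl pointer of the sequence, in order, into \p ID.
  void Profile(llvm::FoldingSetNodeID &ID) const {
    for (SmallVectorImpl<NamedDecl*>::const_iterator I = DeclSeq.begin(),
         E = DeclSeq.end(); I != E; ++I) {
      ID.AddPointer(*I);
    }
  }
};

/// How a lock is held.
enum LockKind {
  LK_Shared,
  LK_Exclusive
};

/// Kind of access made to a guarded variable.
enum AccessKind {
  AK_Read,
  AK_Written
};

/// \brief This is a helper class that stores info about the most recent
/// acquire of a Lock.
///
/// The main body of the analysis maps LockIDs to LockDatas.
struct LockData {
  SourceLocation AcquireLoc;

  /// \brief LKind stores whether a lock is held shared or exclusively.
  /// Note that this analysis does not currently support either re-entrant
  /// locking or lock "upgrading" and "downgrading" between exclusive and
  /// shared.
  ///
  /// FIXME: add support for re-entrant locking and lock up/downgrading
  LockKind LKind;

  LockData(SourceLocation AcquireLoc, LockKind LKind)
    : AcquireLoc(AcquireLoc), LKind(LKind) {}

  bool operator==(const LockData &other) const {
    return AcquireLoc == other.AcquireLoc && LKind == other.LKind;
  }

  bool operator!=(const LockData &other) const {
    return !(*this == other);
  }

  /// Feed the acquire location and the lock kind into \p ID.
  void Profile(llvm::FoldingSetNodeID &ID) const {
      ID.AddInteger(AcquireLoc.getRawEncoding());
      ID.AddInteger(LKind);
    }
};

/// A Lockset maps each LockID (defined above) to information about how it has
/// been locked.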
typedef llvm::ImmutableMap<LockID, LockData> Lockset;

/// \brief We use this class to visit different types of expressions in
/// CFGBlocks, and build up the lockset.
/// An expression may cause us to add or remove locks from the lockset, or else
/// output error messages related to missing locks.
/// FIXME: In future, we may be able to not inherit from a visitor.
class BuildLockset : public StmtVisitor<BuildLockset> {
  Sema &S;
  // Current lockset; replaced with a new immutable map on every add/remove.
  Lockset LSet;
  Lockset::Factory &LocksetFactory;

  // Helper functions
  void removeLock(SourceLocation UnlockLoc, Expr *LockExp);
  void addLock(SourceLocation LockLoc, Expr *LockExp, LockKind LK);
  const ValueDecl *getValueDecl(Expr *Exp);
  void warnIfLockNotHeld (const NamedDecl *D, Expr *Exp, AccessKind AK,
                          LockID &Lock, unsigned DiagID);
  void checkAccess(Expr *Exp, AccessKind AK);
  void checkDereference(Expr *Exp, AccessKind AK);

  template <class AttrType>
  void addLocksToSet(LockKind LK, Attr *Attr, CXXMemberCallExpr *Exp);

  /// \brief Returns true if the lockset contains a lock, regardless of whether
  /// the lock is held exclusively or shared.
  bool locksetContains(LockID Lock) {
    // lookup() yields a pointer; it is converted to bool here.
    return LSet.lookup(Lock);
  }

  /// \brief Returns true if the lockset contains a lock with the passed in
  /// locktype.  The kinds must match exactly: a lock held as LK_Exclusive
  /// does not satisfy a request for LK_Shared through this overload.
  bool locksetContains(LockID Lock, LockKind KindRequested) const {
    const LockData *LockHeld = LSet.lookup(Lock);
    return (LockHeld && KindRequested == LockHeld->LKind);
  }

public:
  /// \param LS The lockset to start from.
  /// \param F  Factory used to derive every updated lockset; held by
  ///           reference.
  BuildLockset(Sema &S, Lockset LS, Lockset::Factory &F)
    : StmtVisitor<BuildLockset>(), S(S), LSet(LS),
      LocksetFactory(F) {}

  /// Returns the lockset as it stands after the statements visited so far.
  Lockset getLockset() {
    return LSet;
  }

  void VisitUnaryOperator(UnaryOperator *UO);
  void VisitBinaryOperator(BinaryOperator *BO);
  void VisitCastExpr(CastExpr *CE);
  void VisitCXXMemberCallExpr(CXXMemberCallExpr *Exp);
};

/// \brief Add a new lock to the lockset, warning if the lock is already there.
/// \param LockLoc The source location of the acquire
/// \param LockExp The lock expression corresponding to the lock to be added
/// \param LK Whether the lock is being acquired shared or exclusively
void BuildLockset::addLock(SourceLocation LockLoc, Expr *LockExp,
                           LockKind LK) {
  // FIXME: deal with acquired before/after annotations
  LockID Lock(LockExp);
  LockData NewLockData(LockLoc, LK);

  // FIXME: Don't always warn when we have support for reentrant locks.
  if (locksetContains(Lock))
    S.Diag(LockLoc, diag::warn_double_lock) << Lock.getName();
  // The add is performed even after a double-lock warning, with the new
  // location and kind.
  LSet = LocksetFactory.add(LSet, Lock, NewLockData);
}

/// \brief Remove a lock from the lockset, warning if the lock is not there.
/// \param LockExp The expression naming the lock that is being released
/// \param UnlockLoc Where the release happens (used only for the warning)
void BuildLockset::removeLock(SourceLocation UnlockLoc, Expr *LockExp) {
  LockID Released(LockExp);
  Lockset Remaining = LocksetFactory.remove(LSet, Released);

  // If removal produced an equal set, the lock was never held.
  const bool NothingRemoved = (Remaining == LSet);
  if (NothingRemoved)
    S.Diag(UnlockLoc, diag::warn_unlock_but_no_acquire) << Released.getName();

  LSet = Remaining;
}

/// \brief Returns the declaration named by a DeclRefExpr or MemberExpr, or
/// null for any other kind of expression.
const ValueDecl *BuildLockset::getValueDecl(Expr *Exp) {
  const ValueDecl *Referenced = 0;

  if (const DeclRefExpr *Ref = dyn_cast<DeclRefExpr>(Exp))
    Referenced = Ref->getDecl();
  else if (const MemberExpr *Member = dyn_cast<MemberExpr>(Exp))
    Referenced = Member->getMemberDecl();

  return Referenced;
}

/// \brief Emit \p DiagID unless the lockset holds \p Lock in a way that covers
/// the access: any kind of hold suffices for a read, while a write needs the
/// lock held exclusively.
void BuildLockset::warnIfLockNotHeld(const NamedDecl *D, Expr *Exp,
                                     AccessKind AK, LockID &Lock,
                                     unsigned DiagID) {
  // Start from "held" so that an access kind not listed below stays silent.
  bool Held = true;
  LockKind Needed = LK_Shared;

  switch (AK) {
    case AK_Read:
      Held = locksetContains(Lock);
      Needed = LK_Shared;
      break;
    case AK_Written :
      Held = locksetContains(Lock, LK_Exclusive);
      Needed = LK_Exclusive;
      break;
  }

  if (Held)
    return;

  S.Diag(Exp->getExprLoc(), DiagID)
    << D->getName() << Lock.getName() << Needed;
}


/// \brief This method identifies variable dereferences and checks pt_guarded_by
/// and pt_guarded_var annotations. Note that we only check these annotations
/// at the time a pointer is dereferenced.
/// FIXME: We need to check for other types of pointer dereferences
/// (e.g. [], ->) and deal with them here.
/// \param Exp An expression that has been read or written.
void BuildLockset::checkDereference(Expr *Exp, AccessKind AK) {
  // Only a unary '*' is treated as a dereference here.
  UnaryOperator *Deref = dyn_cast<UnaryOperator>(Exp);
  if (!Deref)
    return;
  if (Deref->getOpcode() != clang::UO_Deref)
    return;

  // From here on Exp is the pointer operand, not the dereference itself;
  // diagnostics below are attached to the operand's location.
  Exp = Deref->getSubExpr()->IgnoreParenCasts();

  const ValueDecl *D = getValueDecl(Exp);
  if (!D)
    return;
  if (!D->hasAttrs())
    return;

  // pt_guarded_var names no particular lock, so the only check possible is
  // that the lockset is not completely empty.
  if (LSet.isEmpty() && D->getAttr<PtGuardedVarAttr>())
    S.Diag(Exp->getExprLoc(), diag::warn_var_deref_requires_any_lock)
      << D->getName();

  // Each pt_guarded_by attribute names one lock that must be held.
  const AttrVec &DeclAttrs = D->getAttrs();
  for (AttrVec::const_iterator I = DeclAttrs.begin(), E = DeclAttrs.end();
       I != E; ++I) {
    if ((*I)->getKind() == attr::PtGuardedBy) {
      const PtGuardedByAttr *Guard = cast<PtGuardedByAttr>(*I);
      LockID Lock(Guard->getArg());
      warnIfLockNotHeld(D, Exp, AK, Lock, diag::warn_var_deref_requires_lock);
    }
  }
}

/// \brief Checks guarded_by and guarded_var attributes.
/// Whenever we identify an access (read or write) of a DeclRefExpr or
/// MemberExpr, we need to check whether there are any guarded_by or
/// guarded_var attributes, and make sure we hold the appropriate locks.
///
/// Expressions that getValueDecl() cannot map to a declaration, and
/// declarations without attributes, are skipped without a diagnostic.
void BuildLockset::checkAccess(Expr *Exp, AccessKind AK) {
  const ValueDecl *D = getValueDecl(Exp);
  if (!D)
    return;
  if (!D->hasAttrs())
    return;

  // guarded_var names no particular lock, so the only check possible is that
  // the lockset is not completely empty.
  if (LSet.isEmpty() && D->getAttr<GuardedVarAttr>())
    S.Diag(Exp->getExprLoc(), diag::warn_variable_requires_any_lock)
      << D->getName();

  // Each guarded_by attribute names one lock that must be held.
  const AttrVec &DeclAttrs = D->getAttrs();
  for (AttrVec::const_iterator I = DeclAttrs.begin(), E = DeclAttrs.end();
       I != E; ++I) {
    if ((*I)->getKind() == attr::GuardedBy) {
      const GuardedByAttr *Guard = cast<GuardedByAttr>(*I);
      LockID Lock(Guard->getArg());
      warnIfLockNotHeld(D, Exp, AK, Lock, diag::warn_variable_requires_lock);
    }
  }
}

/// \brief For unary operations which read and write a variable, we need to
/// check whether we hold any required locks. Reads are checked in
/// VisitCastExpr.
void BuildLockset::VisitUnaryOperator(UnaryOperator *UO) {
  switch (UO->getOpcode()) {
  case clang::UO_PostDec:
  case clang::UO_PostInc:
  case clang::UO_PreDec:
  case clang::UO_PreInc:
    break;
  default:
    // No other unary operator is treated as a write here.
    return;
  }

  Expr *Operand = UO->getSubExpr()->IgnoreParenCasts();
  checkAccess(Operand, AK_Written);
  checkDereference(Operand, AK_Written);
}

/// For binary operations which assign to a variable (writes), we need to check
/// whether we hold any required locks.
/// FIXME: Deal with non-primitive types.
void BuildLockset::VisitBinaryOperator(BinaryOperator *BO) {
  if (BO->isAssignmentOp()) {
    Expr *Target = BO->getLHS()->IgnoreParenCasts();
    checkAccess(Target, AK_Written);
    checkDereference(Target, AK_Written);
  }
}

/// Whenever we do an LValue to Rvalue cast, we are reading a variable and
/// need to ensure we hold any required locks.
/// FIXME: Deal with non-primitive types.
void BuildLockset::VisitCastExpr(CastExpr *CE) {
  if (CE->getCastKind() == CK_LValueToRValue) {
    Expr *Loaded = CE->getSubExpr()->IgnoreParenCasts();
    checkAccess(Loaded, AK_Read);
    checkDereference(Loaded, AK_Read);
  }
}

/// \brief This function, parameterized by an attribute type, is used to add a
/// set of locks specified as attribute arguments to the lockset.
///
/// An attribute without arguments stands for the object the method is called
/// on. Every lock is recorded at the location of the call expression.
///
/// \param LK   Kind with which each lock is recorded.
/// \param Attr Attribute found on the callee; must be of type AttrType.
/// \param Exp  The member call that acquires the lock(s).
template <typename AttrType>
void BuildLockset::addLocksToSet(LockKind LK, Attr *Attr,
                                 CXXMemberCallExpr *Exp) {
  typedef typename AttrType::args_iterator ArgIter;
  AttrType *LockAttr = cast<AttrType>(Attr);
  SourceLocation CallLoc = Exp->getExprLoc();

  if (LockAttr->args_size() == 0) {
    // The lock held is the "this" object.
    addLock(CallLoc, Exp->getImplicitObjectArgument(), LK);
  } else {
    for (ArgIter I = LockAttr->args_begin(), E = LockAttr->args_end();
         I != E; ++I)
      addLock(CallLoc, *I, LK);
  }
}

/// \brief When visiting CXXMemberCallExprs we need to examine the attributes on
/// the method that is being called and add, remove or check locks in the
/// lockset accordingly.
///
/// Coverage of this visitor, as implemented below: only member calls are
/// inspected, attributes are processed in the order they appear on the callee,
/// and the lock_returned attribute is recognised but not acted on.
///
/// FIXME: For classes annotated with one of the guarded annotations, we need
/// to treat const method calls as reads and non-const method calls as writes,
/// and check that the appropriate locks are held. Non-const method calls with
/// the same signature as const method calls can be also treated as reads.
///
/// FIXME: We need to also visit CallExprs to catch/check global functions.
void BuildLockset::VisitCXXMemberCallExpr(CXXMemberCallExpr *Exp) {
  NamedDecl *D = dyn_cast_or_null<NamedDecl>(Exp->getCalleeDecl());
  if (!D || !D->hasAttrs())
    return;

  SourceLocation CallLoc = Exp->getExprLoc();
  Expr *Receiver = Exp->getImplicitObjectArgument();

  AttrVec &CalleeAttrs = D->getAttrs();
  for (unsigned Idx = 0; Idx < CalleeAttrs.size(); ++Idx) {
    Attr *CurAttr = CalleeAttrs[Idx];
    switch (CurAttr->getKind()) {
    // An exclusive lock function adds its lock(s) to the lockset, marked as
    // exclusive.
    case attr::ExclusiveLockFunction:
      addLocksToSet<ExclusiveLockFunctionAttr>(LK_Exclusive, CurAttr, Exp);
      break;

    // A shared lock function adds its lock(s) to the lockset, marked as not
    // exclusive.
    case attr::SharedLockFunction:
      addLocksToSet<SharedLockFunctionAttr>(LK_Shared, CurAttr, Exp);
      break;

    // An unlock function removes its lock(s) from the lockset; removeLock
    // warns for each one that is not there.
    case attr::UnlockFunction: {
      UnlockFunctionAttr *Unlock = cast<UnlockFunctionAttr>(CurAttr);
      if (Unlock->args_size() == 0) {
        // The lock held is the "this" object.
        removeLock(CallLoc, Receiver);
      } else {
        for (UnlockFunctionAttr::args_iterator I = Unlock->args_begin(),
             E = Unlock->args_end(); I != E; ++I)
          removeLock(CallLoc, *I);
      }
      break;
    }

    // The callee demands exclusive ownership of each listed lock, so the call
    // is checked like a write.
    case attr::ExclusiveLocksRequired: {
      // FIXME: Also use this attribute to add required locks to the initial
      // lockset when processing a CFG for a function annotated with this
      // attribute.
      ExclusiveLocksRequiredAttr *Required =
        cast<ExclusiveLocksRequiredAttr>(CurAttr);
      for (ExclusiveLocksRequiredAttr::args_iterator
           I = Required->args_begin(), E = Required->args_end();
           I != E; ++I) {
        LockID Lock(*I);
        warnIfLockNotHeld(D, Exp, AK_Written, Lock,
                          diag::warn_fun_requires_lock);
      }
      break;
    }

    // The callee demands each listed lock; the call is checked like a read.
    case attr::SharedLocksRequired: {
      // FIXME: Also use this attribute to add required locks to the initial
      // lockset when processing a CFG for a function annotated with this
      // attribute.
      SharedLocksRequiredAttr *Required =
        cast<SharedLocksRequiredAttr>(CurAttr);
      for (SharedLocksRequiredAttr::args_iterator
           I = Required->args_begin(), E = Required->args_end();
           I != E; ++I) {
        LockID Lock(*I);
        warnIfLockNotHeld(D, Exp, AK_Read, Lock,
                          diag::warn_fun_requires_lock);
      }
      break;
    }

    // The callee must not be entered while any of the listed locks is held.
    case attr::LocksExcluded: {
      LocksExcludedAttr *Excluded = cast<LocksExcludedAttr>(CurAttr);
      for (LocksExcludedAttr::args_iterator I = Excluded->args_begin(),
           E = Excluded->args_end(); I != E; ++I) {
        LockID Lock(*I);
        if (!locksetContains(Lock))
          continue;
        S.Diag(CallLoc, diag::warn_fun_excludes_lock)
          << D->getName() << Lock.getName();
      }
      break;
    }

    case attr::LockReturned:
      // FIXME: Deal with this attribute.
      break;

    // Ignore other (non thread-safety) attributes
    default:
      break;
    }
  }
}

/// A diagnostic that has been built but not yet emitted, paired with the
/// location it will be reported at.
typedef std::pair<SourceLocation, PartialDiagnostic> DelayedDiag;
typedef llvm::SmallVector<DelayedDiag, 4> DiagList;

/// Comparator ordering delayed diagnostics by their position in the
/// translation unit.
struct SortDiagBySourceLocation {
  Sema &S;

  SortDiagBySourceLocation(Sema &S) : S(S) {}

  bool operator()(const DelayedDiag &left, const DelayedDiag &right) {
    // Although this call will be slow, this is only called when outputting
    // multiple warnings.
    SourceManager &SM = S.getSourceManager();
    return SM.isBeforeInTranslationUnit(left.first, right.first);
  }
};
} // end anonymous namespace

/// \brief Emit all buffered diagnostics in order of sourcelocation.
/// We need to output diagnostics produced while iterating through
/// the lockset in deterministic order, so this function orders diagnostics
/// and outputs them.
///
/// NOTE(review): the only sort key is the source location, so a note pushed
/// right after its warning is emitted wherever its own location sorts, which
/// need not be directly after that warning.
static void EmitDiagnostics(Sema &S, DiagList &D) {
  std::sort(D.begin(), D.end(), SortDiagBySourceLocation(S));
  for (unsigned Idx = 0, Count = D.size(); Idx != Count; ++Idx)
    S.Diag(D[Idx].first, D[Idx].second);
}

/// \brief Walks \p LSet2 and queues a diagnostic for every lock that is
/// missing from \p LSet1 or is held there with a different kind.
///
/// Diagnostics are appended to \p Warnings, not emitted. On a kind mismatch
/// where the LSet1 entry is not exclusive, the LSet2 entry is written into
/// \p Intersection; locks missing from LSet1 are reported only and leave
/// \p Intersection untouched.
///
/// NOTE(review): with the two kinds used in this file, that rule makes the
/// merged entry exclusive whenever either side was exclusive, so a later write
/// check passes although one of the two sets held the lock as shared only.
/// The mismatch warning queued here is the only report of that case.
///
/// \returns the updated copy of \p Intersection.
static Lockset warnIfNotInFirstSetOrNotSameKind(Sema &S, const Lockset LSet1,
                                                const Lockset LSet2,
                                                DiagList &Warnings,
                                                Lockset Intersection,
                                                Lockset::Factory &Fact) {
  for (Lockset::iterator I = LSet2.begin(), E = LSet2.end(); I != E; ++I) {
    const LockID &Lock = I.getKey();
    const LockData &SecondData = I.getData();
    const LockData *FirstData = LSet1.lookup(Lock);

    // Lock held in the second set only.
    if (!FirstData) {
      PartialDiagnostic Warning =
        S.PDiag(diag::warn_lock_not_released_in_scope) << Lock.getName();
      Warnings.push_back(DelayedDiag(SecondData.AcquireLoc, Warning));
      continue;
    }

    // Held in both sets with the same kind: nothing to report.
    if (FirstData->LKind == SecondData.LKind)
      continue;

    // Held in both sets, but with different kinds.
    PartialDiagnostic Warning =
      S.PDiag(diag::warn_lock_exclusive_and_shared) << Lock.getName();
    PartialDiagnostic Note =
      S.PDiag(diag::note_lock_exclusive_and_shared) << Lock.getName();
    Warnings.push_back(DelayedDiag(SecondData.AcquireLoc, Warning));
    Warnings.push_back(DelayedDiag(FirstData->AcquireLoc, Note));
    if (FirstData->LKind != LK_Exclusive)
      Intersection = Fact.add(Intersection, Lock, SecondData);
  }
  return Intersection;
}


/// \brief Compute the intersection of two locksets and issue warnings for any
/// locks in the symmetric difference.
///
/// This function is used at a merge point in the CFG when comparing the lockset
/// of each branch being merged. For example, given the following sequence:
/// A; if () then B; else C; D; we need to check that the lockset after B and C
/// are the same. In the event of a difference, we use the intersection of these
/// two locksets at the start of D.
static Lockset intersectAndWarn(Sema &S, const Lockset LSet1,
                                const Lockset LSet2,
                                Lockset::Factory &Fact) {
  DiagList Warnings;

  // First pass, driven by LSet2: report locks LSet1 lacks or holds with a
  // different kind. The result starts out as a copy of LSet1.
  Lockset Result = warnIfNotInFirstSetOrNotSameKind(S, LSet1, LSet2, Warnings,
                                                    LSet1, Fact);

  // Second pass, driven by LSet1: report and drop locks LSet2 lacks.
  for (Lockset::iterator I = LSet1.begin(), E = LSet1.end(); I != E; ++I) {
    const LockID &Lock = I.getKey();
    if (LSet2.contains(Lock))
      continue;

    const LockData &Data = I.getData();
    PartialDiagnostic Warning =
      S.PDiag(diag::warn_lock_not_released_in_scope) << Lock.getName();
    Warnings.push_back(DelayedDiag(Data.AcquireLoc, Warning));
    Result = Fact.remove(Result, Lock);
  }

  EmitDiagnostics(S, Warnings);
  return Result;
}

/// \brief Returns the location of the first Stmt in a Block.
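static SourceLocation getFirstStmtLocation(CFGBlock *Block) {
  // Prefer the first statement element that carries a valid location.
  for (CFGBlock::const_iterator BI = Block->begin(), BE = Block->end();
       BI != BE; ++BI) {
    const CFGStmt *Element = dyn_cast<CFGStmt>(&(*BI));
    if (!Element)
      continue;
    SourceLocation StmtLoc = Element->getStmt()->getLocStart();
    if (StmtLoc.isValid())
      return StmtLoc;
  }

  // Otherwise fall back to the block's terminator, if it has one.
  if (Stmt *Term = Block->getTerminator().getStmt()) {
    SourceLocation TermLoc = Term->getLocStart();
    if (TermLoc.isValid())
      return TermLoc;
  }

  // Nothing usable: return an invalid location; callers check isValid().
  return SourceLocation();
}

/// \brief Warn about different locksets along backedges of loops.
/// This function is called when we encounter a back edge. At that point,
/// we need to verify that the lockset before taking the backedge is the
/// same as the lockset before entering the loop.
///
/// Note that the parameter order is (reentry, entry).
///
/// \param LoopReentrySet Locks held in the last CFG block of the loop
/// \param LoopEntrySet Locks held before starting the loop
/// \param FirstLocInLoop Valid location of the loop's first statement; used
///        for locks that are held on entry but not on reentry
/// \param Fact Factory passed through to the lockset comparison helper
static void warnBackEdgeUnequalLocksets(Sema &S, const Lockset LoopReentrySet,
                                        const Lockset LoopEntrySet,
                                        SourceLocation FirstLocInLoop,
                                        Lockset::Factory &Fact) {
  assert(FirstLocInLoop.isValid());
  DiagList Warnings;

  // Warn for locks held at the start of the loop, but not the end.
  for (Lockset::iterator I = LoopEntrySet.begin(), E = LoopEntrySet.end();
       I != E; ++I) {
    const LockID &MissingLock = I.getKey();
    if (LoopReentrySet.contains(MissingLock))
      continue;

    // We report this error at the location of the first statement in a loop.
    // NOTE(review): the kind streamed into the diagnostic is always LK_Shared,
    // whatever kind the lock was held with on entry; confirm that is intended.
    PartialDiagnostic Warning =
      S.PDiag(diag::warn_expecting_lock_held_on_loop)
        << MissingLock.getName() << LK_Shared;
    Warnings.push_back(DelayedDiag(FirstLocInLoop, Warning));
  }

  // Warn for locks held at the end of the loop, but not at the start. Only the
  // queued diagnostics matter here; the returned lockset is discarded.
  warnIfNotInFirstSetOrNotSameKind(S, LoopEntrySet, LoopReentrySet, Warnings,
                                   LoopReentrySet, Fact);

  EmitDiagnostics(S, Warnings);
}

/// \brief Check a function's CFG for thread-safety violations.
///
/// We traverse the blocks in the CFG, compute the set of locks that are held
/// at the end of each block, and issue warnings for thread safety violations.
/// Each block in the CFG is traversed exactly once.
///
/// Nothing is checked when no CFG is available or when the declaration
/// carries the NoThreadSafetyAnalysisAttr attribute. Every function starts
/// from an empty lockset.
static void checkThreadSafety(Sema &S, AnalysisContext &AC) {
  CFG *CFGraph = AC.getCFG();
  if (!CFGraph) return;
  const Decl *D = AC.getDecl();
  if (D && D->getAttr<NoThreadSafetyAnalysisAttr>()) return;

  Lockset::Factory LocksetFactory;

  // FIXME: Switch to SmallVector? Otherwise improve performance impact?
  // Both tables are indexed by CFG block ID.
  std::vector<Lockset> EntryLocksets(CFGraph->getNumBlockIDs(),
                                     LocksetFactory.getEmptyMap());
  std::vector<Lockset> ExitLocksets(CFGraph->getNumBlockIDs(),
                                    LocksetFactory.getEmptyMap());

  // We need to explore the CFG via a "topological" ordering.
  // That way, we will be guaranteed to have information about required
  // predecessor locksets when exploring a new block.
  TopologicallySortedCFG SortedGraph(CFGraph);
  CFGBlockSet VisitedBlocks(CFGraph);

  for (TopologicallySortedCFG::iterator I = SortedGraph.begin(),
       E = SortedGraph.end(); I != E; ++I) {
    const CFGBlock *CurrBlock = *I;
    const unsigned CurrBlockID = CurrBlock->getBlockID();

    // NOTE(review): the block is marked visited before its predecessors are
    // examined, so a block that is its own predecessor would be treated as a
    // forward edge below and read its own not-yet-computed exit lockset.
    // Confirm that such self-loops cannot occur in this CFG.
    VisitedBlocks.insert(CurrBlock);

    // Use the default initial lockset in case there are no predecessors.
    Lockset &Entryset = EntryLocksets[CurrBlockID];
    Lockset &Exitset = ExitLocksets[CurrBlockID];

    // Iterate through the predecessor blocks and warn if the lockset for all
    // predecessors is not the same. We take the entry lockset of the current
    // block to be the intersection of all previous locksets.
    // FIXME: By keeping the intersection, we may output more errors in future
    // for a lock which is not in the intersection, but was in the union. We
    // may want to also keep the union in future. As an example, let's say
    // the intersection contains Lock L, and the union contains L and M.
    // Later we unlock M. At this point, we would output an error because we
    // never locked M; although the real error is probably that we forgot to
    // lock M on all code paths. Conversely, let's say that later we lock M.
    // In this case, we should compare against the intersection instead of the
    // union because the real error is probably that we forgot to unlock M on
    // all code paths.
    bool LocksetInitialized = false;
    for (CFGBlock::const_pred_iterator PI = CurrBlock->pred_begin(),
         PE = CurrBlock->pred_end(); PI != PE; ++PI) {

      // Skip null predecessors and back edges: a predecessor that has not
      // been visited yet can only reach CurrBlock through a back edge.
      if (*PI == 0 || !VisitedBlocks.alreadySet(*PI))
        continue;

      const unsigned PrevBlockID = (*PI)->getBlockID();
      if (!LocksetInitialized) {
        Entryset = ExitLocksets[PrevBlockID];
        LocksetInitialized = true;
      } else {
        Entryset = intersectAndWarn(S, Entryset, ExitLocksets[PrevBlockID],
                                    LocksetFactory);
      }
    }

    // Run the statement visitor over the block to obtain its exit lockset.
    BuildLockset LocksetBuilder(S, Entryset, LocksetFactory);
    for (CFGBlock::const_iterator BI = CurrBlock->begin(),
         BE = CurrBlock->end(); BI != BE; ++BI) {
      if (const CFGStmt *CfgStmt = dyn_cast<CFGStmt>(&*BI))
        LocksetBuilder.Visit(const_cast<Stmt*>(CfgStmt->getStmt()));
    }
    Exitset = LocksetBuilder.getLockset();

    // For every back edge from CurrBlock (the end of the loop) to another block
    // (FirstLoopBlock) we need to check that the Lockset of Block is equal to
    // the one held at the beginning of FirstLoopBlock. We can look up the
    // Lockset held at the beginning of FirstLoopBlock in the EntryLockSets map.
    for (CFGBlock::const_succ_iterator SI = CurrBlock->succ_begin(),
         SE = CurrBlock->succ_end(); SI != SE; ++SI) {

      // Skip null successors and forward edges: only a successor that was
      // already visited is the target of a back edge.
      if (*SI == 0 || !VisitedBlocks.alreadySet(*SI))
        continue;

      CFGBlock *FirstLoopBlock = *SI;
      SourceLocation FirstLoopLocation = getFirstStmtLocation(FirstLoopBlock);

      assert(FirstLoopLocation.isValid());

      // Fail gracefully in release code.
      if (!FirstLoopLocation.isValid())
        continue;

      Lockset PreLoop = EntryLocksets[FirstLoopBlock->getBlockID()];
      Lockset LoopEnd = ExitLocksets[CurrBlockID];
      warnBackEdgeUnequalLocksets(S, LoopEnd, PreLoop, FirstLoopLocation,
                                  LocksetFactory);
    }
  }

  // Any lock still held at the exit block was acquired but never released.
  Lockset FinalLockset = ExitLocksets[CFGraph->getExit().getBlockID()];
  if (!FinalLockset.isEmpty()) {
    // The function name is the same for every lock reported, so compute it
    // once. D is treated as possibly null above, hence dyn_cast_or_null:
    // plain dyn_cast must not be given a null pointer.
    std::string FunName = "<unknown>";
    if (const NamedDecl *ContextDecl = dyn_cast_or_null<NamedDecl>(D))
      FunName = ContextDecl->getDeclName().getAsString();

    DiagList Warnings;
    for (Lockset::iterator I = FinalLockset.begin(), E = FinalLockset.end();
         I != E; ++I) {
      const LockID &MissingLock = I.getKey();
      const LockData &MissingLockData = I.getData();

      PartialDiagnostic Warning =
        S.PDiag(diag::warn_locks_not_released)
          << MissingLock.getName() << FunName;
      Warnings.push_back(DelayedDiag(MissingLockData.AcquireLoc, Warning));
    }
    EmitDiagnostics(S, Warnings);
  }
}


//===----------------------------------------------------------------------===//
// AnalysisBasedWarnings - Worker object used by Sema to execute analysis-based
// warnings on a function, method, or block.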
1428//===----------------------------------------------------------------------===// 1429 1430clang::sema::AnalysisBasedWarnings::Policy::Policy() { 1431 enableCheckFallThrough = 1; 1432 enableCheckUnreachable = 0; 1433 enableThreadSafetyAnalysis = 0; 1434} 1435 1436clang::sema::AnalysisBasedWarnings::AnalysisBasedWarnings(Sema &s) 1437 : S(s), 1438 NumFunctionsAnalyzed(0), 1439 NumFunctionsWithBadCFGs(0), 1440 NumCFGBlocks(0), 1441 MaxCFGBlocksPerFunction(0), 1442 NumUninitAnalysisFunctions(0), 1443 NumUninitAnalysisVariables(0), 1444 MaxUninitAnalysisVariablesPerFunction(0), 1445 NumUninitAnalysisBlockVisits(0), 1446 MaxUninitAnalysisBlockVisitsPerFunction(0) { 1447 Diagnostic &D = S.getDiagnostics(); 1448 DefaultPolicy.enableCheckUnreachable = (unsigned) 1449 (D.getDiagnosticLevel(diag::warn_unreachable, SourceLocation()) != 1450 Diagnostic::Ignored); 1451 DefaultPolicy.enableThreadSafetyAnalysis = (unsigned) 1452 (D.getDiagnosticLevel(diag::warn_double_lock, SourceLocation()) != 1453 Diagnostic::Ignored); 1454 1455} 1456 1457static void flushDiagnostics(Sema &S, sema::FunctionScopeInfo *fscope) { 1458 for (SmallVectorImpl<sema::PossiblyUnreachableDiag>::iterator 1459 i = fscope->PossiblyUnreachableDiags.begin(), 1460 e = fscope->PossiblyUnreachableDiags.end(); 1461 i != e; ++i) { 1462 const sema::PossiblyUnreachableDiag &D = *i; 1463 S.Diag(D.Loc, D.PD); 1464 } 1465} 1466 1467void clang::sema:: 1468AnalysisBasedWarnings::IssueWarnings(sema::AnalysisBasedWarnings::Policy P, 1469 sema::FunctionScopeInfo *fscope, 1470 const Decl *D, const BlockExpr *blkExpr) { 1471 1472 // We avoid doing analysis-based warnings when there are errors for 1473 // two reasons: 1474 // (1) The CFGs often can't be constructed (if the body is invalid), so 1475 // don't bother trying. 1476 // (2) The code already has problems; running the analysis just takes more 1477 // time. 
1478 Diagnostic &Diags = S.getDiagnostics(); 1479 1480 // Do not do any analysis for declarations in system headers if we are 1481 // going to just ignore them. 1482 if (Diags.getSuppressSystemWarnings() && 1483 S.SourceMgr.isInSystemHeader(D->getLocation())) 1484 return; 1485 1486 // For code in dependent contexts, we'll do this at instantiation time. 1487 if (cast<DeclContext>(D)->isDependentContext()) 1488 return; 1489 1490 if (Diags.hasErrorOccurred() || Diags.hasFatalErrorOccurred()) { 1491 // Flush out any possibly unreachable diagnostics. 1492 flushDiagnostics(S, fscope); 1493 return; 1494 } 1495 1496 const Stmt *Body = D->getBody(); 1497 assert(Body); 1498 1499 AnalysisContext AC(D, 0); 1500 1501 // Don't generate EH edges for CallExprs as we'd like to avoid the n^2 1502 // explosion for destrutors that can result and the compile time hit. 1503 AC.getCFGBuildOptions().PruneTriviallyFalseEdges = true; 1504 AC.getCFGBuildOptions().AddEHEdges = false; 1505 AC.getCFGBuildOptions().AddInitializers = true; 1506 AC.getCFGBuildOptions().AddImplicitDtors = true; 1507 1508 // Force that certain expressions appear as CFGElements in the CFG. This 1509 // is used to speed up various analyses. 1510 // FIXME: This isn't the right factoring. This is here for initial 1511 // prototyping, but we need a way for analyses to say what expressions they 1512 // expect to always be CFGElements and then fill in the BuildOptions 1513 // appropriately. This is essentially a layering violation. 1514 if (P.enableCheckUnreachable) { 1515 // Unreachable code analysis requires a linearized CFG. 
1516 AC.getCFGBuildOptions().setAllAlwaysAdd(); 1517 } 1518 else { 1519 AC.getCFGBuildOptions() 1520 .setAlwaysAdd(Stmt::BinaryOperatorClass) 1521 .setAlwaysAdd(Stmt::BlockExprClass) 1522 .setAlwaysAdd(Stmt::CStyleCastExprClass) 1523 .setAlwaysAdd(Stmt::DeclRefExprClass) 1524 .setAlwaysAdd(Stmt::ImplicitCastExprClass) 1525 .setAlwaysAdd(Stmt::UnaryOperatorClass); 1526 } 1527 1528 // Construct the analysis context with the specified CFG build options. 1529 1530 // Emit delayed diagnostics. 1531 if (!fscope->PossiblyUnreachableDiags.empty()) { 1532 bool analyzed = false; 1533 1534 // Register the expressions with the CFGBuilder. 1535 for (SmallVectorImpl<sema::PossiblyUnreachableDiag>::iterator 1536 i = fscope->PossiblyUnreachableDiags.begin(), 1537 e = fscope->PossiblyUnreachableDiags.end(); 1538 i != e; ++i) { 1539 if (const Stmt *stmt = i->stmt) 1540 AC.registerForcedBlockExpression(stmt); 1541 } 1542 1543 if (AC.getCFG()) { 1544 analyzed = true; 1545 for (SmallVectorImpl<sema::PossiblyUnreachableDiag>::iterator 1546 i = fscope->PossiblyUnreachableDiags.begin(), 1547 e = fscope->PossiblyUnreachableDiags.end(); 1548 i != e; ++i) 1549 { 1550 const sema::PossiblyUnreachableDiag &D = *i; 1551 bool processed = false; 1552 if (const Stmt *stmt = i->stmt) { 1553 const CFGBlock *block = AC.getBlockForRegisteredExpression(stmt); 1554 assert(block); 1555 if (CFGReverseBlockReachabilityAnalysis *cra = AC.getCFGReachablityAnalysis()) { 1556 // Can this block be reached from the entrance? 1557 if (cra->isReachable(&AC.getCFG()->getEntry(), block)) 1558 S.Diag(D.Loc, D.PD); 1559 processed = true; 1560 } 1561 } 1562 if (!processed) { 1563 // Emit the warning anyway if we cannot map to a basic block. 1564 S.Diag(D.Loc, D.PD); 1565 } 1566 } 1567 } 1568 1569 if (!analyzed) 1570 flushDiagnostics(S, fscope); 1571 } 1572 1573 1574 // Warning: check missing 'return' 1575 if (P.enableCheckFallThrough) { 1576 const CheckFallThroughDiagnostics &CD = 1577 (isa<BlockDecl>(D) ? 
CheckFallThroughDiagnostics::MakeForBlock() 1578 : CheckFallThroughDiagnostics::MakeForFunction(D)); 1579 CheckFallThroughForBody(S, D, Body, blkExpr, CD, AC); 1580 } 1581 1582 // Warning: check for unreachable code 1583 if (P.enableCheckUnreachable) 1584 CheckUnreachable(S, AC); 1585 1586 // Check for thread safety violations 1587 if (P.enableThreadSafetyAnalysis) 1588 checkThreadSafety(S, AC); 1589 1590 if (Diags.getDiagnosticLevel(diag::warn_uninit_var, D->getLocStart()) 1591 != Diagnostic::Ignored || 1592 Diags.getDiagnosticLevel(diag::warn_maybe_uninit_var, D->getLocStart()) 1593 != Diagnostic::Ignored) { 1594 if (CFG *cfg = AC.getCFG()) { 1595 UninitValsDiagReporter reporter(S); 1596 UninitVariablesAnalysisStats stats; 1597 std::memset(&stats, 0, sizeof(UninitVariablesAnalysisStats)); 1598 runUninitializedVariablesAnalysis(*cast<DeclContext>(D), *cfg, AC, 1599 reporter, stats); 1600 1601 if (S.CollectStats && stats.NumVariablesAnalyzed > 0) { 1602 ++NumUninitAnalysisFunctions; 1603 NumUninitAnalysisVariables += stats.NumVariablesAnalyzed; 1604 NumUninitAnalysisBlockVisits += stats.NumBlockVisits; 1605 MaxUninitAnalysisVariablesPerFunction = 1606 std::max(MaxUninitAnalysisVariablesPerFunction, 1607 stats.NumVariablesAnalyzed); 1608 MaxUninitAnalysisBlockVisitsPerFunction = 1609 std::max(MaxUninitAnalysisBlockVisitsPerFunction, 1610 stats.NumBlockVisits); 1611 } 1612 } 1613 } 1614 1615 // Collect statistics about the CFG if it was built. 1616 if (S.CollectStats && AC.isCFGBuilt()) { 1617 ++NumFunctionsAnalyzed; 1618 if (CFG *cfg = AC.getCFG()) { 1619 // If we successfully built a CFG for this context, record some more 1620 // detail information about it. 
1621 NumCFGBlocks += cfg->getNumBlockIDs(); 1622 MaxCFGBlocksPerFunction = std::max(MaxCFGBlocksPerFunction, 1623 cfg->getNumBlockIDs()); 1624 } else { 1625 ++NumFunctionsWithBadCFGs; 1626 } 1627 } 1628} 1629 1630void clang::sema::AnalysisBasedWarnings::PrintStats() const { 1631 llvm::errs() << "\n*** Analysis Based Warnings Stats:\n"; 1632 1633 unsigned NumCFGsBuilt = NumFunctionsAnalyzed - NumFunctionsWithBadCFGs; 1634 unsigned AvgCFGBlocksPerFunction = 1635 !NumCFGsBuilt ? 0 : NumCFGBlocks/NumCFGsBuilt; 1636 llvm::errs() << NumFunctionsAnalyzed << " functions analyzed (" 1637 << NumFunctionsWithBadCFGs << " w/o CFGs).\n" 1638 << " " << NumCFGBlocks << " CFG blocks built.\n" 1639 << " " << AvgCFGBlocksPerFunction 1640 << " average CFG blocks per function.\n" 1641 << " " << MaxCFGBlocksPerFunction 1642 << " max CFG blocks per function.\n"; 1643 1644 unsigned AvgUninitVariablesPerFunction = !NumUninitAnalysisFunctions ? 0 1645 : NumUninitAnalysisVariables/NumUninitAnalysisFunctions; 1646 unsigned AvgUninitBlockVisitsPerFunction = !NumUninitAnalysisFunctions ? 0 1647 : NumUninitAnalysisBlockVisits/NumUninitAnalysisFunctions; 1648 llvm::errs() << NumUninitAnalysisFunctions 1649 << " functions analyzed for uninitialiazed variables\n" 1650 << " " << NumUninitAnalysisVariables << " variables analyzed.\n" 1651 << " " << AvgUninitVariablesPerFunction 1652 << " average variables per function.\n" 1653 << " " << MaxUninitAnalysisVariablesPerFunction 1654 << " max variables per function.\n" 1655 << " " << NumUninitAnalysisBlockVisits << " block visits.\n" 1656 << " " << AvgUninitBlockVisitsPerFunction 1657 << " average block visits per function.\n" 1658 << " " << MaxUninitAnalysisBlockVisitsPerFunction 1659 << " max block visits per function.\n"; 1660} 1661