1 //==- DeadStoresChecker.cpp - Check for stores to dead variables -*- C++ -*-==//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This file defines a DeadStores, a flow-sensitive checker that looks for
11 // stores to variables that are no longer live.
12 //
13 //===----------------------------------------------------------------------===//
14
15 #include "ClangSACheckers.h"
16 #include "clang/AST/ASTContext.h"
17 #include "clang/AST/Attr.h"
18 #include "clang/AST/ParentMap.h"
19 #include "clang/AST/RecursiveASTVisitor.h"
20 #include "clang/Analysis/Analyses/LiveVariables.h"
21 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
22 #include "clang/StaticAnalyzer/Core/Checker.h"
23 #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
24 #include "llvm/ADT/BitVector.h"
25 #include "llvm/ADT/SmallString.h"
26 #include "llvm/Support/SaveAndRestore.h"
27
28 using namespace clang;
29 using namespace ento;
30
31 namespace {
32
33 /// A simple visitor to record what VarDecls occur in EH-handling code.
34 class EHCodeVisitor : public RecursiveASTVisitor<EHCodeVisitor> {
35 public:
36 bool inEH;
37 llvm::DenseSet<const VarDecl *> &S;
38
TraverseObjCAtFinallyStmt(ObjCAtFinallyStmt * S)39 bool TraverseObjCAtFinallyStmt(ObjCAtFinallyStmt *S) {
40 SaveAndRestore<bool> inFinally(inEH, true);
41 return ::RecursiveASTVisitor<EHCodeVisitor>::TraverseObjCAtFinallyStmt(S);
42 }
43
TraverseObjCAtCatchStmt(ObjCAtCatchStmt * S)44 bool TraverseObjCAtCatchStmt(ObjCAtCatchStmt *S) {
45 SaveAndRestore<bool> inCatch(inEH, true);
46 return ::RecursiveASTVisitor<EHCodeVisitor>::TraverseObjCAtCatchStmt(S);
47 }
48
TraverseCXXCatchStmt(CXXCatchStmt * S)49 bool TraverseCXXCatchStmt(CXXCatchStmt *S) {
50 SaveAndRestore<bool> inCatch(inEH, true);
51 return TraverseStmt(S->getHandlerBlock());
52 }
53
VisitDeclRefExpr(DeclRefExpr * DR)54 bool VisitDeclRefExpr(DeclRefExpr *DR) {
55 if (inEH)
56 if (const VarDecl *D = dyn_cast<VarDecl>(DR->getDecl()))
57 S.insert(D);
58 return true;
59 }
60
EHCodeVisitor(llvm::DenseSet<const VarDecl * > & S)61 EHCodeVisitor(llvm::DenseSet<const VarDecl *> &S) :
62 inEH(false), S(S) {}
63 };
64
65 // FIXME: Eventually migrate into its own file, and have it managed by
66 // AnalysisManager.
67 class ReachableCode {
68 const CFG &cfg;
69 llvm::BitVector reachable;
70 public:
ReachableCode(const CFG & cfg)71 ReachableCode(const CFG &cfg)
72 : cfg(cfg), reachable(cfg.getNumBlockIDs(), false) {}
73
74 void computeReachableBlocks();
75
isReachable(const CFGBlock * block) const76 bool isReachable(const CFGBlock *block) const {
77 return reachable[block->getBlockID()];
78 }
79 };
80 }
81
computeReachableBlocks()82 void ReachableCode::computeReachableBlocks() {
83 if (!cfg.getNumBlockIDs())
84 return;
85
86 SmallVector<const CFGBlock*, 10> worklist;
87 worklist.push_back(&cfg.getEntry());
88
89 while (!worklist.empty()) {
90 const CFGBlock *block = worklist.back();
91 worklist.pop_back();
92 llvm::BitVector::reference isReachable = reachable[block->getBlockID()];
93 if (isReachable)
94 continue;
95 isReachable = true;
96 for (CFGBlock::const_succ_iterator i = block->succ_begin(),
97 e = block->succ_end(); i != e; ++i)
98 if (const CFGBlock *succ = *i)
99 worklist.push_back(succ);
100 }
101 }
102
103 static const Expr *
LookThroughTransitiveAssignmentsAndCommaOperators(const Expr * Ex)104 LookThroughTransitiveAssignmentsAndCommaOperators(const Expr *Ex) {
105 while (Ex) {
106 const BinaryOperator *BO =
107 dyn_cast<BinaryOperator>(Ex->IgnoreParenCasts());
108 if (!BO)
109 break;
110 if (BO->getOpcode() == BO_Assign) {
111 Ex = BO->getRHS();
112 continue;
113 }
114 if (BO->getOpcode() == BO_Comma) {
115 Ex = BO->getRHS();
116 continue;
117 }
118 break;
119 }
120 return Ex;
121 }
122
123 namespace {
124 class DeadStoreObs : public LiveVariables::Observer {
125 const CFG &cfg;
126 ASTContext &Ctx;
127 BugReporter& BR;
128 AnalysisDeclContext* AC;
129 ParentMap& Parents;
130 llvm::SmallPtrSet<const VarDecl*, 20> Escaped;
131 OwningPtr<ReachableCode> reachableCode;
132 const CFGBlock *currentBlock;
133 OwningPtr<llvm::DenseSet<const VarDecl *> > InEH;
134
135 enum DeadStoreKind { Standard, Enclosing, DeadIncrement, DeadInit };
136
137 public:
DeadStoreObs(const CFG & cfg,ASTContext & ctx,BugReporter & br,AnalysisDeclContext * ac,ParentMap & parents,llvm::SmallPtrSet<const VarDecl *,20> & escaped)138 DeadStoreObs(const CFG &cfg, ASTContext &ctx,
139 BugReporter& br, AnalysisDeclContext* ac, ParentMap& parents,
140 llvm::SmallPtrSet<const VarDecl*, 20> &escaped)
141 : cfg(cfg), Ctx(ctx), BR(br), AC(ac), Parents(parents),
142 Escaped(escaped), currentBlock(0) {}
143
~DeadStoreObs()144 virtual ~DeadStoreObs() {}
145
isLive(const LiveVariables::LivenessValues & Live,const VarDecl * D)146 bool isLive(const LiveVariables::LivenessValues &Live, const VarDecl *D) {
147 if (Live.isLive(D))
148 return true;
149 // Lazily construct the set that records which VarDecls are in
150 // EH code.
151 if (!InEH.get()) {
152 InEH.reset(new llvm::DenseSet<const VarDecl *>());
153 EHCodeVisitor V(*InEH.get());
154 V.TraverseStmt(AC->getBody());
155 }
156 // Treat all VarDecls that occur in EH code as being "always live"
157 // when considering to suppress dead stores. Frequently stores
158 // are followed by reads in EH code, but we don't have the ability
159 // to analyze that yet.
160 return InEH->count(D);
161 }
162
Report(const VarDecl * V,DeadStoreKind dsk,PathDiagnosticLocation L,SourceRange R)163 void Report(const VarDecl *V, DeadStoreKind dsk,
164 PathDiagnosticLocation L, SourceRange R) {
165 if (Escaped.count(V))
166 return;
167
168 // Compute reachable blocks within the CFG for trivial cases
169 // where a bogus dead store can be reported because itself is unreachable.
170 if (!reachableCode.get()) {
171 reachableCode.reset(new ReachableCode(cfg));
172 reachableCode->computeReachableBlocks();
173 }
174
175 if (!reachableCode->isReachable(currentBlock))
176 return;
177
178 SmallString<64> buf;
179 llvm::raw_svector_ostream os(buf);
180 const char *BugType = 0;
181
182 switch (dsk) {
183 case DeadInit:
184 BugType = "Dead initialization";
185 os << "Value stored to '" << *V
186 << "' during its initialization is never read";
187 break;
188
189 case DeadIncrement:
190 BugType = "Dead increment";
191 case Standard:
192 if (!BugType) BugType = "Dead assignment";
193 os << "Value stored to '" << *V << "' is never read";
194 break;
195
196 case Enclosing:
197 // Don't report issues in this case, e.g.: "if (x = foo())",
198 // where 'x' is unused later. We have yet to see a case where
199 // this is a real bug.
200 return;
201 }
202
203 BR.EmitBasicReport(AC->getDecl(), BugType, "Dead store", os.str(), L, R);
204 }
205
CheckVarDecl(const VarDecl * VD,const Expr * Ex,const Expr * Val,DeadStoreKind dsk,const LiveVariables::LivenessValues & Live)206 void CheckVarDecl(const VarDecl *VD, const Expr *Ex, const Expr *Val,
207 DeadStoreKind dsk,
208 const LiveVariables::LivenessValues &Live) {
209
210 if (!VD->hasLocalStorage())
211 return;
212 // Reference types confuse the dead stores checker. Skip them
213 // for now.
214 if (VD->getType()->getAs<ReferenceType>())
215 return;
216
217 if (!isLive(Live, VD) &&
218 !(VD->getAttr<UnusedAttr>() || VD->getAttr<BlocksAttr>())) {
219
220 PathDiagnosticLocation ExLoc =
221 PathDiagnosticLocation::createBegin(Ex, BR.getSourceManager(), AC);
222 Report(VD, dsk, ExLoc, Val->getSourceRange());
223 }
224 }
225
CheckDeclRef(const DeclRefExpr * DR,const Expr * Val,DeadStoreKind dsk,const LiveVariables::LivenessValues & Live)226 void CheckDeclRef(const DeclRefExpr *DR, const Expr *Val, DeadStoreKind dsk,
227 const LiveVariables::LivenessValues& Live) {
228 if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl()))
229 CheckVarDecl(VD, DR, Val, dsk, Live);
230 }
231
isIncrement(VarDecl * VD,const BinaryOperator * B)232 bool isIncrement(VarDecl *VD, const BinaryOperator* B) {
233 if (B->isCompoundAssignmentOp())
234 return true;
235
236 const Expr *RHS = B->getRHS()->IgnoreParenCasts();
237 const BinaryOperator* BRHS = dyn_cast<BinaryOperator>(RHS);
238
239 if (!BRHS)
240 return false;
241
242 const DeclRefExpr *DR;
243
244 if ((DR = dyn_cast<DeclRefExpr>(BRHS->getLHS()->IgnoreParenCasts())))
245 if (DR->getDecl() == VD)
246 return true;
247
248 if ((DR = dyn_cast<DeclRefExpr>(BRHS->getRHS()->IgnoreParenCasts())))
249 if (DR->getDecl() == VD)
250 return true;
251
252 return false;
253 }
254
observeStmt(const Stmt * S,const CFGBlock * block,const LiveVariables::LivenessValues & Live)255 virtual void observeStmt(const Stmt *S, const CFGBlock *block,
256 const LiveVariables::LivenessValues &Live) {
257
258 currentBlock = block;
259
260 // Skip statements in macros.
261 if (S->getLocStart().isMacroID())
262 return;
263
264 // Only cover dead stores from regular assignments. ++/-- dead stores
265 // have never flagged a real bug.
266 if (const BinaryOperator* B = dyn_cast<BinaryOperator>(S)) {
267 if (!B->isAssignmentOp()) return; // Skip non-assignments.
268
269 if (DeclRefExpr *DR = dyn_cast<DeclRefExpr>(B->getLHS()))
270 if (VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) {
271 // Special case: check for assigning null to a pointer.
272 // This is a common form of defensive programming.
273 const Expr *RHS =
274 LookThroughTransitiveAssignmentsAndCommaOperators(B->getRHS());
275 RHS = RHS->IgnoreParenCasts();
276
277 QualType T = VD->getType();
278 if (T->isPointerType() || T->isObjCObjectPointerType()) {
279 if (RHS->isNullPointerConstant(Ctx, Expr::NPC_ValueDependentIsNull))
280 return;
281 }
282
283 // Special case: self-assignments. These are often used to shut up
284 // "unused variable" compiler warnings.
285 if (const DeclRefExpr *RhsDR = dyn_cast<DeclRefExpr>(RHS))
286 if (VD == dyn_cast<VarDecl>(RhsDR->getDecl()))
287 return;
288
289 // Otherwise, issue a warning.
290 DeadStoreKind dsk = Parents.isConsumedExpr(B)
291 ? Enclosing
292 : (isIncrement(VD,B) ? DeadIncrement : Standard);
293
294 CheckVarDecl(VD, DR, B->getRHS(), dsk, Live);
295 }
296 }
297 else if (const UnaryOperator* U = dyn_cast<UnaryOperator>(S)) {
298 if (!U->isIncrementOp() || U->isPrefix())
299 return;
300
301 const Stmt *parent = Parents.getParentIgnoreParenCasts(U);
302 if (!parent || !isa<ReturnStmt>(parent))
303 return;
304
305 const Expr *Ex = U->getSubExpr()->IgnoreParenCasts();
306
307 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Ex))
308 CheckDeclRef(DR, U, DeadIncrement, Live);
309 }
310 else if (const DeclStmt *DS = dyn_cast<DeclStmt>(S))
311 // Iterate through the decls. Warn if any initializers are complex
312 // expressions that are not live (never used).
313 for (DeclStmt::const_decl_iterator DI=DS->decl_begin(), DE=DS->decl_end();
314 DI != DE; ++DI) {
315
316 VarDecl *V = dyn_cast<VarDecl>(*DI);
317
318 if (!V)
319 continue;
320
321 if (V->hasLocalStorage()) {
322 // Reference types confuse the dead stores checker. Skip them
323 // for now.
324 if (V->getType()->getAs<ReferenceType>())
325 return;
326
327 if (const Expr *E = V->getInit()) {
328 while (const ExprWithCleanups *exprClean =
329 dyn_cast<ExprWithCleanups>(E))
330 E = exprClean->getSubExpr();
331
332 // Look through transitive assignments, e.g.:
333 // int x = y = 0;
334 E = LookThroughTransitiveAssignmentsAndCommaOperators(E);
335
336 // Don't warn on C++ objects (yet) until we can show that their
337 // constructors/destructors don't have side effects.
338 if (isa<CXXConstructExpr>(E))
339 return;
340
341 // A dead initialization is a variable that is dead after it
342 // is initialized. We don't flag warnings for those variables
343 // marked 'unused'.
344 if (!isLive(Live, V) && V->getAttr<UnusedAttr>() == 0) {
345 // Special case: check for initializations with constants.
346 //
347 // e.g. : int x = 0;
348 //
349 // If x is EVER assigned a new value later, don't issue
350 // a warning. This is because such initialization can be
351 // due to defensive programming.
352 if (E->isEvaluatable(Ctx))
353 return;
354
355 if (const DeclRefExpr *DRE =
356 dyn_cast<DeclRefExpr>(E->IgnoreParenCasts()))
357 if (const VarDecl *VD = dyn_cast<VarDecl>(DRE->getDecl())) {
358 // Special case: check for initialization from constant
359 // variables.
360 //
361 // e.g. extern const int MyConstant;
362 // int x = MyConstant;
363 //
364 if (VD->hasGlobalStorage() &&
365 VD->getType().isConstQualified())
366 return;
367 // Special case: check for initialization from scalar
368 // parameters. This is often a form of defensive
369 // programming. Non-scalars are still an error since
370 // because it more likely represents an actual algorithmic
371 // bug.
372 if (isa<ParmVarDecl>(VD) && VD->getType()->isScalarType())
373 return;
374 }
375
376 PathDiagnosticLocation Loc =
377 PathDiagnosticLocation::create(V, BR.getSourceManager());
378 Report(V, DeadInit, Loc, E->getSourceRange());
379 }
380 }
381 }
382 }
383 }
384 };
385
386 } // end anonymous namespace
387
388 //===----------------------------------------------------------------------===//
389 // Driver function to invoke the Dead-Stores checker on a CFG.
390 //===----------------------------------------------------------------------===//
391
392 namespace {
393 class FindEscaped {
394 public:
395 llvm::SmallPtrSet<const VarDecl*, 20> Escaped;
396
operator ()(const Stmt * S)397 void operator()(const Stmt *S) {
398 // Check for '&'. Any VarDecl whose address has been taken we treat as
399 // escaped.
400 // FIXME: What about references?
401 const UnaryOperator *U = dyn_cast<UnaryOperator>(S);
402 if (!U)
403 return;
404 if (U->getOpcode() != UO_AddrOf)
405 return;
406
407 const Expr *E = U->getSubExpr()->IgnoreParenCasts();
408 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(E))
409 if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl()))
410 Escaped.insert(VD);
411 }
412 };
413 } // end anonymous namespace
414
415
416 //===----------------------------------------------------------------------===//
417 // DeadStoresChecker
418 //===----------------------------------------------------------------------===//
419
420 namespace {
421 class DeadStoresChecker : public Checker<check::ASTCodeBody> {
422 public:
checkASTCodeBody(const Decl * D,AnalysisManager & mgr,BugReporter & BR) const423 void checkASTCodeBody(const Decl *D, AnalysisManager& mgr,
424 BugReporter &BR) const {
425
426 // Don't do anything for template instantiations.
427 // Proving that code in a template instantiation is "dead"
428 // means proving that it is dead in all instantiations.
429 // This same problem exists with -Wunreachable-code.
430 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D))
431 if (FD->isTemplateInstantiation())
432 return;
433
434 if (LiveVariables *L = mgr.getAnalysis<LiveVariables>(D)) {
435 CFG &cfg = *mgr.getCFG(D);
436 AnalysisDeclContext *AC = mgr.getAnalysisDeclContext(D);
437 ParentMap &pmap = mgr.getParentMap(D);
438 FindEscaped FS;
439 cfg.VisitBlockStmts(FS);
440 DeadStoreObs A(cfg, BR.getContext(), BR, AC, pmap, FS.Escaped);
441 L->runOnAllBlocks(A);
442 }
443 }
444 };
445 }
446
registerDeadStoresChecker(CheckerManager & mgr)447 void ento::registerDeadStoresChecker(CheckerManager &mgr) {
448 mgr.registerChecker<DeadStoresChecker>();
449 }
450