aboutsummaryrefslogblamecommitdiffstats
path: root/libsolidity/analysis/ControlFlowAnalyzer.cpp
blob: 6edf7986d896fbb4c0e9c59ff5fd40192712e0cc (plain) (tree) 
16e966de




























































































































































1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156




























































































































































                                                                                                                                         
/*
    This file is part of solidity.

    solidity is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    solidity is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with solidity.  If not, see <http://www.gnu.org/licenses/>.
*/

#include <libsolidity/analysis/ControlFlowAnalyzer.h>

using namespace std;
using namespace dev::solidity;

bool ControlFlowAnalyzer::analyze(ASTNode const& _astRoot)
{
    _astRoot.accept(*this);
    return Error::containsOnlyWarnings(m_errorReporter.errors());
}

bool ControlFlowAnalyzer::visit(FunctionDefinition const& _function)
{
    auto const& functionFlow = m_cfg.functionFlow(_function);
    checkUnassignedStorageReturnValues(_function, functionFlow.entry, functionFlow.exit);
    return false;
}

set<VariableDeclaration const*> ControlFlowAnalyzer::variablesAssignedInNode(CFGNode const *node)
{
    set<VariableDeclaration const*> result;
    for (auto expression: node->block.expressions)
    {
        if (auto const* assignment = dynamic_cast<Assignment const*>(expression))
        {
            stack<Expression const*> expressions;
            expressions.push(&assignment->leftHandSide());
            while (!expressions.empty())
            {
                Expression const* expression = expressions.top();
                expressions.pop();

                if (auto const *tuple = dynamic_cast<TupleExpression const*>(expression))
                    for (auto const& component: tuple->components())
                        expressions.push(component.get());
                else if (auto const* identifier = dynamic_cast<Identifier const*>(expression))
                    if (auto const* variableDeclaration = dynamic_cast<VariableDeclaration const*>(
                        identifier->annotation().referencedDeclaration
                    ))
                        result.insert(variableDeclaration);
            }
        }
    }
    return result;
}

void ControlFlowAnalyzer::checkUnassignedStorageReturnValues(
    FunctionDefinition const& _function,
    CFGNode const* _functionEntry,
    CFGNode const* _functionExit
) const
{
    if (_function.returnParameterList()->parameters().empty())
        return;

    map<CFGNode const*, set<VariableDeclaration const*>> unassigned;

    {
        auto& unassignedAtFunctionEntry = unassigned[_functionEntry];
        for (auto const& returnParameter: _function.returnParameterList()->parameters())
            if (returnParameter->type()->dataStoredIn(DataLocation::Storage))
                unassignedAtFunctionEntry.insert(returnParameter.get());
    }

    stack<CFGNode const*> nodesToTraverse;
    nodesToTraverse.push(_functionEntry);

    // walk all paths from entry with maximal set of unassigned return values
    while (!nodesToTraverse.empty())
    {
        auto node = nodesToTraverse.top();
        nodesToTraverse.pop();

        auto& unassignedAtNode = unassigned[node];

        if (node->block.returnStatement != nullptr)
            if (node->block.returnStatement->expression())
                unassignedAtNode.clear();
        if (!unassignedAtNode.empty())
        {
            // kill all return values to which a value is assigned
            for (auto const* variableDeclaration: variablesAssignedInNode(node))
                unassignedAtNode.erase(variableDeclaration);

            // kill all return values referenced in inline assembly
            // a reference is enough, checking whether there actually was an assignment might be overkill
            for (auto assembly: node->block.inlineAssemblyStatements)
                for (auto const& ref: assembly->annotation().externalReferences)
                    if (auto variableDeclaration = dynamic_cast<VariableDeclaration const*>(ref.second.declaration))
                        unassignedAtNode.erase(variableDeclaration);
        }

        for (auto const& exit: node->exits)
        {
            auto& unassignedAtExit = unassigned[exit];
            auto oldSize = unassignedAtExit.size();
            unassignedAtExit.insert(unassignedAtNode.begin(), unassignedAtNode.end());
            // (re)traverse an exit, if we are on a path with new unassigned return values to consider
            // this will terminate, since there is only a finite number of unassigned return values
            if (unassignedAtExit.size() > oldSize)
                nodesToTraverse.push(exit);
        }
    }

    if (!unassigned[_functionExit].empty())
    {
        vector<VariableDeclaration const*> unassignedOrdered(
            unassigned[_functionExit].begin(),
            unassigned[_functionExit].end()
        );
        sort(
            unassignedOrdered.begin(),
            unassignedOrdered.end(),
            [](VariableDeclaration const* lhs, VariableDeclaration const* rhs) -> bool {
                return lhs->id() < rhs->id();
            }
        );
        for (auto const* returnVal: unassignedOrdered)
        {
            SecondarySourceLocation ssl;
            for (CFGNode* lastNodeBeforeExit: _functionExit->entries)
                if (unassigned[lastNodeBeforeExit].count(returnVal))
                {
                    if (!!lastNodeBeforeExit->block.returnStatement)
                        ssl.append("Problematic return:", lastNodeBeforeExit->block.returnStatement->location());
                    else
                        ssl.append("Problematic end of function:", _function.location());
                }

            m_errorReporter.warning(
                returnVal->location(),
                "This variable is of storage pointer type and might be returned without assignment. "
                "This can cause storage corruption. Assign the variable (potentially from itself) "
                "to remove this warning.",
                ssl
            );
        }
    }
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-17 07:18:04 +0800