clang/lib/StaticAnalyzer/Checkers/UnreachableCodeChecker.cpp - external/github.com/llvm/llvm-project.git - Git at Google

 //==- UnreachableCodeChecker.cpp - Generalized dead code checker -*- C++ -*-==//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // This file implements a generalized unreachable code checker using a
 // path-sensitive analysis. We mark any path visited, and then walk the CFG as a
 // post-analysis to determine what was never visited.
 //
 // A similar flow-sensitive only check exists in Analysis/ReachableCode.cpp
 //===----------------------------------------------------------------------===//

 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
 #include "clang/AST/ParentMap.h"
 #include "clang/Basic/Builtins.h"
 #include "clang/Basic/SourceManager.h"
 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
 #include "clang/StaticAnalyzer/Core/Checker.h"
 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
 #include "llvm/ADT/SmallSet.h"
 #include <optional>

 using namespace clang;
 using namespace ento;

 namespace {
 class UnreachableCodeChecker : public Checker<check::EndAnalysis> {
 public:
   void checkEndAnalysis(ExplodedGraph &G, BugReporter &B,
                         ExprEngine &Eng) const;
 private:
   typedef llvm::SmallSet<unsigned, 32> CFGBlocksSet;

   static inline const Stmt *getUnreachableStmt(const CFGBlock *CB);
   static void FindUnreachableEntryPoints(const CFGBlock *CB,
                                          CFGBlocksSet &reachable,
                                          CFGBlocksSet &visited);
   static bool isInvalidPath(const CFGBlock *CB, const ParentMap &PM);
   static inline bool isEmptyCFGBlock(const CFGBlock *CB);
 };
 }

 void UnreachableCodeChecker::checkEndAnalysis(ExplodedGraph &G,
                                               BugReporter &B,
                                               ExprEngine &Eng) const {
   CFGBlocksSet reachable, visited;

   if (Eng.hasWorkRemaining())
     return;

   const Decl *D = nullptr;
   CFG *C = nullptr;
   const ParentMap *PM = nullptr;
   const LocationContext *LC = nullptr;
   // Iterate over ExplodedGraph
   for (const ExplodedNode &N : G.nodes()) {
     const ProgramPoint &P = N.getLocation();
     LC = P.getLocationContext();
     if (!LC->inTopFrame())
       continue;

     if (!D)
       D = LC->getAnalysisDeclContext()->getDecl();

     // Save the CFG if we don't have it already
     if (!C)
       C = LC->getAnalysisDeclContext()->getUnoptimizedCFG();
     if (!PM)
       PM = &LC->getParentMap();

     if (std::optional<BlockEntrance> BE = P.getAs<BlockEntrance>()) {
       const CFGBlock *CB = BE->getBlock();
       reachable.insert(CB->getBlockID());
     }
   }

   // Bail out if we didn't get the CFG or the ParentMap.
   if (!D || !C || !PM)
     return;

   // Don't do anything for template instantiations.  Proving that code
   // in a template instantiation is unreachable means proving that it is
   // unreachable in all instantiations.
   if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D))
     if (FD->isTemplateInstantiation())
       return;

   // Find CFGBlocks that were not covered by any node
   for (const CFGBlock *CB : *C) {
     // Check if the block is unreachable
     if (reachable.count(CB->getBlockID()))
       continue;

     // Check if the block is empty (an artificial block)
     if (isEmptyCFGBlock(CB))
       continue;

     // Find the entry points for this block
     if (!visited.count(CB->getBlockID()))
       FindUnreachableEntryPoints(CB, reachable, visited);

     // This block may have been pruned; check if we still want to report it
     if (reachable.count(CB->getBlockID()))
       continue;

     // Check for false positives
     if (isInvalidPath(CB, *PM))
       continue;

     // It is good practice to always have a "default" label in a "switch", even
     // if we should never get there. It can be used to detect errors, for
     // instance. Unreachable code directly under a "default" label is therefore
     // likely to be a false positive.
     if (const Stmt *label = CB->getLabel())
       if (label->getStmtClass() == Stmt::DefaultStmtClass)
         continue;

     // Special case for __builtin_unreachable.
     // FIXME: This should be extended to include other unreachable markers,
     // such as llvm_unreachable.
     if (!CB->empty()) {
       bool foundUnreachable = false;
       for (CFGBlock::const_iterator ci = CB->begin(), ce = CB->end();
            ci != ce; ++ci) {
         if (std::optional<CFGStmt> S = (*ci).getAs<CFGStmt>())
           if (const CallExpr *CE = dyn_cast<CallExpr>(S->getStmt())) {
             if (CE->getBuiltinCallee() == Builtin::BI__builtin_unreachable ||
                 CE->isBuiltinAssumeFalse(Eng.getContext())) {
               foundUnreachable = true;
               break;
             }
           }
       }
       if (foundUnreachable)
         continue;
     }

     // We found a block that wasn't covered - find the statement to report
     SourceRange SR;
     PathDiagnosticLocation DL;
     SourceLocation SL;
     if (const Stmt *S = getUnreachableStmt(CB)) {
       // In macros, 'do {...} while (0)' is often used. Don't warn about the
       // condition 0 when it is unreachable.
       if (S->getBeginLoc().isMacroID())
         if (const auto *I = dyn_cast<IntegerLiteral>(S))
           if (I->getValue() == 0ULL)
             if (const Stmt *Parent = PM->getParent(S))
               if (isa<DoStmt>(Parent))
                 continue;
       SR = S->getSourceRange();
       DL = PathDiagnosticLocation::createBegin(S, B.getSourceManager(), LC);
       SL = DL.asLocation();
       if (SR.isInvalid() || !SL.isValid())
         continue;
       if (isa<CXXTryStmt>(S))
         continue;
     }
     else
       continue;

     // Check if the SourceLocation is in a system header
     const SourceManager &SM = B.getSourceManager();
     if (SM.isInSystemHeader(SL) || SM.isInExternCSystemHeader(SL))
       continue;

     B.EmitBasicReport(D, this, "Unreachable code", categories::UnusedCode,
                       "This statement is never executed", DL, SR);
   }
 }

 // Recursively finds the entry point(s) for this dead CFGBlock.
 void UnreachableCodeChecker::FindUnreachableEntryPoints(const CFGBlock *CB,
                                                         CFGBlocksSet &reachable,
                                                         CFGBlocksSet &visited) {
   visited.insert(CB->getBlockID());

   for (const CFGBlock *PredBlock : CB->preds()) {
     if (!PredBlock)
       continue;

     if (!reachable.count(PredBlock->getBlockID())) {
       // If we find an unreachable predecessor, mark this block as reachable so
       // we don't report this block
       reachable.insert(CB->getBlockID());
       if (!visited.count(PredBlock->getBlockID()))
         // If we haven't previously visited the unreachable predecessor, recurse
         FindUnreachableEntryPoints(PredBlock, reachable, visited);
     }
   }
 }

 // Find the Stmt* in a CFGBlock for reporting a warning
 const Stmt *UnreachableCodeChecker::getUnreachableStmt(const CFGBlock *CB) {
   for (const CFGElement &Elem : *CB) {
     if (std::optional<CFGStmt> S = Elem.getAs<CFGStmt>()) {
       if (!isa<DeclStmt>(S->getStmt()))
         return S->getStmt();
     }
   }
   return CB->getTerminatorStmt();
 }

 // Determines if the path to this CFGBlock contained an element that infers this
 // block is a false positive. We assume that FindUnreachableEntryPoints has
 // already marked only the entry points to any dead code, so we need only to
 // find the condition that led to this block (the predecessor of this block.)
 // There will never be more than one predecessor.
 bool UnreachableCodeChecker::isInvalidPath(const CFGBlock *CB,
                                            const ParentMap &PM) {
   // We only expect a predecessor size of 0 or 1. If it is >1, then an external
   // condition has broken our assumption (for example, a sink being placed by
   // another check). In these cases, we choose not to report.
   if (CB->pred_size() > 1)
     return true;

   // If there are no predecessors, then this block is trivially unreachable
   if (CB->pred_size() == 0)
     return false;

   const CFGBlock *pred = *CB->pred_begin();
   if (!pred)
     return false;

   // Get the predecessor block's terminator condition
   const Stmt *cond = pred->getTerminatorCondition();

   //assert(cond && "CFGBlock's predecessor has a terminator condition");
   // The previous assertion is invalid in some cases (eg do/while). Leaving
   // reporting of these situations on at the moment to help triage these cases.
   if (!cond)
     return false;

   // Run each of the checks on the conditions
   return containsMacro(cond) || containsEnum(cond) ||
          containsStaticLocal(cond) || containsBuiltinOffsetOf(cond) ||
          containsStmt<UnaryExprOrTypeTraitExpr>(cond);
 }

 // Returns true if the given CFGBlock is empty
 bool UnreachableCodeChecker::isEmptyCFGBlock(const CFGBlock *CB) {
   return CB->getLabel() == nullptr // No labels
       && CB->size() == 0           // No statements
       && !CB->getTerminatorStmt(); // No terminator
 }

 void ento::registerUnreachableCodeChecker(CheckerManager &mgr) {
   mgr.registerChecker<UnreachableCodeChecker>();
 }

 bool ento::shouldRegisterUnreachableCodeChecker(const CheckerManager &mgr) {
   return true;
 }
	//==- UnreachableCodeChecker.cpp - Generalized dead code checker -- C++ --==//
	//
	// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
	// See https://llvm.org/LICENSE.txt for license information.
	// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
	//
	//===----------------------------------------------------------------------===//
	// This file implements a generalized unreachable code checker using a
	// path-sensitive analysis. We mark any path visited, and then walk the CFG as a
	// post-analysis to determine what was never visited.
	//
	// A similar flow-sensitive only check exists in Analysis/ReachableCode.cpp
	//===----------------------------------------------------------------------===//

	#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
	#include "clang/AST/ParentMap.h"
	#include "clang/Basic/Builtins.h"
	#include "clang/Basic/SourceManager.h"
	#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
	#include "clang/StaticAnalyzer/Core/Checker.h"
	#include "clang/StaticAnalyzer/Core/CheckerManager.h"
	#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
	#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
	#include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h"
	#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
	#include "llvm/ADT/SmallSet.h"
	#include <optional>

	using namespace clang;
	using namespace ento;

	namespace {
	class UnreachableCodeChecker : public Checker<check::EndAnalysis> {
	public:
	void checkEndAnalysis(ExplodedGraph &G, BugReporter &B,
	ExprEngine &Eng) const;
	private:
	typedef llvm::SmallSet<unsigned, 32> CFGBlocksSet;

	static inline const Stmt getUnreachableStmt(const CFGBlock CB);
	static void FindUnreachableEntryPoints(const CFGBlock *CB,
	CFGBlocksSet &reachable,
	CFGBlocksSet &visited);
	static bool isInvalidPath(const CFGBlock *CB, const ParentMap &PM);
	static inline bool isEmptyCFGBlock(const CFGBlock *CB);
	};
	}

	void UnreachableCodeChecker::checkEndAnalysis(ExplodedGraph &G,
	BugReporter &B,
	ExprEngine &Eng) const {
	CFGBlocksSet reachable, visited;

	if (Eng.hasWorkRemaining())
	return;

	const Decl *D = nullptr;
	CFG *C = nullptr;
	const ParentMap *PM = nullptr;
	const LocationContext *LC = nullptr;
	// Iterate over ExplodedGraph
	for (const ExplodedNode &N : G.nodes()) {
	const ProgramPoint &P = N.getLocation();
	LC = P.getLocationContext();
	if (!LC->inTopFrame())
	continue;

	if (!D)
	D = LC->getAnalysisDeclContext()->getDecl();

	// Save the CFG if we don't have it already
	if (!C)
	C = LC->getAnalysisDeclContext()->getUnoptimizedCFG();
	if (!PM)
	PM = &LC->getParentMap();

	if (std::optional<BlockEntrance> BE = P.getAs<BlockEntrance>()) {
	const CFGBlock *CB = BE->getBlock();
	reachable.insert(CB->getBlockID());
	}
	}

	// Bail out if we didn't get the CFG or the ParentMap.
	if (!D \|\| !C \|\| !PM)
	return;

	// Don't do anything for template instantiations. Proving that code
	// in a template instantiation is unreachable means proving that it is
	// unreachable in all instantiations.
	if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D))
	if (FD->isTemplateInstantiation())
	return;

	// Find CFGBlocks that were not covered by any node
	for (const CFGBlock CB : C) {
	// Check if the block is unreachable
	if (reachable.count(CB->getBlockID()))
	continue;

	// Check if the block is empty (an artificial block)
	if (isEmptyCFGBlock(CB))
	continue;

	// Find the entry points for this block
	if (!visited.count(CB->getBlockID()))
	FindUnreachableEntryPoints(CB, reachable, visited);

	// This block may have been pruned; check if we still want to report it
	if (reachable.count(CB->getBlockID()))
	continue;

	// Check for false positives
	if (isInvalidPath(CB, *PM))
	continue;

	// It is good practice to always have a "default" label in a "switch", even
	// if we should never get there. It can be used to detect errors, for
	// instance. Unreachable code directly under a "default" label is therefore
	// likely to be a false positive.
	if (const Stmt *label = CB->getLabel())
	if (label->getStmtClass() == Stmt::DefaultStmtClass)
	continue;

	// Special case for __builtin_unreachable.
	// FIXME: This should be extended to include other unreachable markers,
	// such as llvm_unreachable.
	if (!CB->empty()) {
	bool foundUnreachable = false;
	for (CFGBlock::const_iterator ci = CB->begin(), ce = CB->end();
	ci != ce; ++ci) {
	if (std::optional<CFGStmt> S = (*ci).getAs<CFGStmt>())
	if (const CallExpr *CE = dyn_cast<CallExpr>(S->getStmt())) {
	if (CE->getBuiltinCallee() == Builtin::BI__builtin_unreachable \|\|
	CE->isBuiltinAssumeFalse(Eng.getContext())) {
	foundUnreachable = true;
	break;
	}
	}
	}
	if (foundUnreachable)
	continue;
	}

	// We found a block that wasn't covered - find the statement to report
	SourceRange SR;
	PathDiagnosticLocation DL;
	SourceLocation SL;
	if (const Stmt *S = getUnreachableStmt(CB)) {
	// In macros, 'do {...} while (0)' is often used. Don't warn about the
	// condition 0 when it is unreachable.
	if (S->getBeginLoc().isMacroID())
	if (const auto *I = dyn_cast<IntegerLiteral>(S))
	if (I->getValue() == 0ULL)
	if (const Stmt *Parent = PM->getParent(S))
	if (isa<DoStmt>(Parent))
	continue;
	SR = S->getSourceRange();
	DL = PathDiagnosticLocation::createBegin(S, B.getSourceManager(), LC);
	SL = DL.asLocation();
	if (SR.isInvalid() \|\| !SL.isValid())
	continue;
	if (isa<CXXTryStmt>(S))
	continue;
	}
	else
	continue;

	// Check if the SourceLocation is in a system header
	const SourceManager &SM = B.getSourceManager();
	if (SM.isInSystemHeader(SL) \|\| SM.isInExternCSystemHeader(SL))
	continue;

	B.EmitBasicReport(D, this, "Unreachable code", categories::UnusedCode,
	"This statement is never executed", DL, SR);
	}
	}

	// Recursively finds the entry point(s) for this dead CFGBlock.
	void UnreachableCodeChecker::FindUnreachableEntryPoints(const CFGBlock *CB,
	CFGBlocksSet &reachable,
	CFGBlocksSet &visited) {
	visited.insert(CB->getBlockID());

	for (const CFGBlock *PredBlock : CB->preds()) {
	if (!PredBlock)
	continue;

	if (!reachable.count(PredBlock->getBlockID())) {
	// If we find an unreachable predecessor, mark this block as reachable so
	// we don't report this block
	reachable.insert(CB->getBlockID());
	if (!visited.count(PredBlock->getBlockID()))
	// If we haven't previously visited the unreachable predecessor, recurse
	FindUnreachableEntryPoints(PredBlock, reachable, visited);
	}
	}
	}

	// Find the Stmt* in a CFGBlock for reporting a warning
	const Stmt UnreachableCodeChecker::getUnreachableStmt(const CFGBlock CB) {
	for (const CFGElement &Elem : *CB) {
	if (std::optional<CFGStmt> S = Elem.getAs<CFGStmt>()) {
	if (!isa<DeclStmt>(S->getStmt()))
	return S->getStmt();
	}
	}
	return CB->getTerminatorStmt();
	}

	// Determines if the path to this CFGBlock contained an element that infers this
	// block is a false positive. We assume that FindUnreachableEntryPoints has
	// already marked only the entry points to any dead code, so we need only to
	// find the condition that led to this block (the predecessor of this block.)
	// There will never be more than one predecessor.
	bool UnreachableCodeChecker::isInvalidPath(const CFGBlock *CB,
	const ParentMap &PM) {
	// We only expect a predecessor size of 0 or 1. If it is >1, then an external
	// condition has broken our assumption (for example, a sink being placed by
	// another check). In these cases, we choose not to report.
	if (CB->pred_size() > 1)
	return true;

	// If there are no predecessors, then this block is trivially unreachable
	if (CB->pred_size() == 0)
	return false;

	const CFGBlock pred = CB->pred_begin();
	if (!pred)
	return false;

	// Get the predecessor block's terminator condition
	const Stmt *cond = pred->getTerminatorCondition();

	//assert(cond && "CFGBlock's predecessor has a terminator condition");
	// The previous assertion is invalid in some cases (eg do/while). Leaving
	// reporting of these situations on at the moment to help triage these cases.
	if (!cond)
	return false;

	// Run each of the checks on the conditions
	return containsMacro(cond) \|\| containsEnum(cond) \|\|
	containsStaticLocal(cond) \|\| containsBuiltinOffsetOf(cond) \|\|
	containsStmt<UnaryExprOrTypeTraitExpr>(cond);
	}

	// Returns true if the given CFGBlock is empty
	bool UnreachableCodeChecker::isEmptyCFGBlock(const CFGBlock *CB) {
	return CB->getLabel() == nullptr // No labels
	&& CB->size() == 0 // No statements
	&& !CB->getTerminatorStmt(); // No terminator
	}

	void ento::registerUnreachableCodeChecker(CheckerManager &mgr) {
	mgr.registerChecker<UnreachableCodeChecker>();
	}

	bool ento::shouldRegisterUnreachableCodeChecker(const CheckerManager &mgr) {
	return true;
	}