1 //== IdenticalExprChecker.cpp - Identical expression checker----------------==// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 /// 9 /// \file 10 /// This defines IdenticalExprChecker, a check that warns about 11 /// unintended use of identical expressions. 12 /// 13 /// It checks for use of identical expressions with comparison operators and 14 /// inside conditional expressions. 15 /// 16 //===----------------------------------------------------------------------===// 17 18 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" 19 #include "clang/AST/RecursiveASTVisitor.h" 20 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 21 #include "clang/StaticAnalyzer/Core/Checker.h" 22 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 23 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 24 25 using namespace clang; 26 using namespace ento; 27 28 static bool isIdenticalStmt(const ASTContext &Ctx, const Stmt *Stmt1, 29 const Stmt *Stmt2, bool IgnoreSideEffects = false); 30 //===----------------------------------------------------------------------===// 31 // FindIdenticalExprVisitor - Identify nodes using identical expressions. 32 //===----------------------------------------------------------------------===// 33 34 namespace { 35 class FindIdenticalExprVisitor 36 : public RecursiveASTVisitor<FindIdenticalExprVisitor> { 37 BugReporter &BR; 38 const CheckerBase *Checker; 39 AnalysisDeclContext *AC; 40 public: FindIdenticalExprVisitor(BugReporter & B,const CheckerBase * Checker,AnalysisDeclContext * A)41 explicit FindIdenticalExprVisitor(BugReporter &B, 42 const CheckerBase *Checker, 43 AnalysisDeclContext *A) 44 : BR(B), Checker(Checker), AC(A) {} 45 // FindIdenticalExprVisitor only visits nodes 46 // that are binary operators, if statements or 47 // conditional operators. 48 bool VisitBinaryOperator(const BinaryOperator *B); 49 bool VisitIfStmt(const IfStmt *I); 50 bool VisitConditionalOperator(const ConditionalOperator *C); 51 52 private: 53 void reportIdenticalExpr(const BinaryOperator *B, bool CheckBitwise, 54 ArrayRef<SourceRange> Sr); 55 void checkBitwiseOrLogicalOp(const BinaryOperator *B, bool CheckBitwise); 56 void checkComparisonOp(const BinaryOperator *B); 57 }; 58 } // end anonymous namespace 59 reportIdenticalExpr(const BinaryOperator * B,bool CheckBitwise,ArrayRef<SourceRange> Sr)60 void FindIdenticalExprVisitor::reportIdenticalExpr(const BinaryOperator *B, 61 bool CheckBitwise, 62 ArrayRef<SourceRange> Sr) { 63 StringRef Message; 64 if (CheckBitwise) 65 Message = "identical expressions on both sides of bitwise operator"; 66 else 67 Message = "identical expressions on both sides of logical operator"; 68 69 PathDiagnosticLocation ELoc = 70 PathDiagnosticLocation::createOperatorLoc(B, BR.getSourceManager()); 71 BR.EmitBasicReport(AC->getDecl(), Checker, 72 "Use of identical expressions", 73 categories::LogicError, 74 Message, ELoc, Sr); 75 } 76 checkBitwiseOrLogicalOp(const BinaryOperator * B,bool CheckBitwise)77 void FindIdenticalExprVisitor::checkBitwiseOrLogicalOp(const BinaryOperator *B, 78 bool CheckBitwise) { 79 SourceRange Sr[2]; 80 81 const Expr *LHS = B->getLHS(); 82 const Expr *RHS = B->getRHS(); 83 84 // Split operators as long as we still have operators to split on. We will 85 // get called for every binary operator in an expression so there is no need 86 // to check every one against each other here, just the right most one with 87 // the others. 88 while (const BinaryOperator *B2 = dyn_cast<BinaryOperator>(LHS)) { 89 if (B->getOpcode() != B2->getOpcode()) 90 break; 91 if (isIdenticalStmt(AC->getASTContext(), RHS, B2->getRHS())) { 92 Sr[0] = RHS->getSourceRange(); 93 Sr[1] = B2->getRHS()->getSourceRange(); 94 reportIdenticalExpr(B, CheckBitwise, Sr); 95 } 96 LHS = B2->getLHS(); 97 } 98 99 if (isIdenticalStmt(AC->getASTContext(), RHS, LHS)) { 100 Sr[0] = RHS->getSourceRange(); 101 Sr[1] = LHS->getSourceRange(); 102 reportIdenticalExpr(B, CheckBitwise, Sr); 103 } 104 } 105 VisitIfStmt(const IfStmt * I)106 bool FindIdenticalExprVisitor::VisitIfStmt(const IfStmt *I) { 107 const Stmt *Stmt1 = I->getThen(); 108 const Stmt *Stmt2 = I->getElse(); 109 110 // Check for identical inner condition: 111 // 112 // if (x<10) { 113 // if (x<10) { 114 // .. 115 if (const CompoundStmt *CS = dyn_cast<CompoundStmt>(Stmt1)) { 116 if (!CS->body_empty()) { 117 const IfStmt *InnerIf = dyn_cast<IfStmt>(*CS->body_begin()); 118 if (InnerIf && isIdenticalStmt(AC->getASTContext(), I->getCond(), InnerIf->getCond(), /*IgnoreSideEffects=*/ false)) { 119 PathDiagnosticLocation ELoc(InnerIf->getCond(), BR.getSourceManager(), AC); 120 BR.EmitBasicReport(AC->getDecl(), Checker, "Identical conditions", 121 categories::LogicError, 122 "conditions of the inner and outer statements are identical", 123 ELoc); 124 } 125 } 126 } 127 128 // Check for identical conditions: 129 // 130 // if (b) { 131 // foo1(); 132 // } else if (b) { 133 // foo2(); 134 // } 135 if (Stmt1 && Stmt2) { 136 const Expr *Cond1 = I->getCond(); 137 const Stmt *Else = Stmt2; 138 while (const IfStmt *I2 = dyn_cast_or_null<IfStmt>(Else)) { 139 const Expr *Cond2 = I2->getCond(); 140 if (isIdenticalStmt(AC->getASTContext(), Cond1, Cond2, false)) { 141 SourceRange Sr = Cond1->getSourceRange(); 142 PathDiagnosticLocation ELoc(Cond2, BR.getSourceManager(), AC); 143 BR.EmitBasicReport(AC->getDecl(), Checker, "Identical conditions", 144 categories::LogicError, 145 "expression is identical to previous condition", 146 ELoc, Sr); 147 } 148 Else = I2->getElse(); 149 } 150 } 151 152 if (!Stmt1 || !Stmt2) 153 return true; 154 155 // Special handling for code like: 156 // 157 // if (b) { 158 // i = 1; 159 // } else 160 // i = 1; 161 if (const CompoundStmt *CompStmt = dyn_cast<CompoundStmt>(Stmt1)) { 162 if (CompStmt->size() == 1) 163 Stmt1 = CompStmt->body_back(); 164 } 165 if (const CompoundStmt *CompStmt = dyn_cast<CompoundStmt>(Stmt2)) { 166 if (CompStmt->size() == 1) 167 Stmt2 = CompStmt->body_back(); 168 } 169 170 if (isIdenticalStmt(AC->getASTContext(), Stmt1, Stmt2, true)) { 171 PathDiagnosticLocation ELoc = 172 PathDiagnosticLocation::createBegin(I, BR.getSourceManager(), AC); 173 BR.EmitBasicReport(AC->getDecl(), Checker, 174 "Identical branches", 175 categories::LogicError, 176 "true and false branches are identical", ELoc); 177 } 178 return true; 179 } 180 VisitBinaryOperator(const BinaryOperator * B)181 bool FindIdenticalExprVisitor::VisitBinaryOperator(const BinaryOperator *B) { 182 BinaryOperator::Opcode Op = B->getOpcode(); 183 184 if (BinaryOperator::isBitwiseOp(Op)) 185 checkBitwiseOrLogicalOp(B, true); 186 187 if (BinaryOperator::isLogicalOp(Op)) 188 checkBitwiseOrLogicalOp(B, false); 189 190 if (BinaryOperator::isComparisonOp(Op)) 191 checkComparisonOp(B); 192 193 // We want to visit ALL nodes (subexpressions of binary comparison 194 // expressions too) that contains comparison operators. 195 // True is always returned to traverse ALL nodes. 196 return true; 197 } 198 checkComparisonOp(const BinaryOperator * B)199 void FindIdenticalExprVisitor::checkComparisonOp(const BinaryOperator *B) { 200 BinaryOperator::Opcode Op = B->getOpcode(); 201 202 // 203 // Special case for floating-point representation. 204 // 205 // If expressions on both sides of comparison operator are of type float, 206 // then for some comparison operators no warning shall be 207 // reported even if the expressions are identical from a symbolic point of 208 // view. Comparison between expressions, declared variables and literals 209 // are treated differently. 210 // 211 // != and == between float literals that have the same value should NOT warn. 212 // < > between float literals that have the same value SHOULD warn. 213 // 214 // != and == between the same float declaration should NOT warn. 215 // < > between the same float declaration SHOULD warn. 216 // 217 // != and == between eq. expressions that evaluates into float 218 // should NOT warn. 219 // < > between eq. expressions that evaluates into float 220 // should NOT warn. 221 // 222 const Expr *LHS = B->getLHS()->IgnoreParenImpCasts(); 223 const Expr *RHS = B->getRHS()->IgnoreParenImpCasts(); 224 225 const DeclRefExpr *DeclRef1 = dyn_cast<DeclRefExpr>(LHS); 226 const DeclRefExpr *DeclRef2 = dyn_cast<DeclRefExpr>(RHS); 227 const FloatingLiteral *FloatLit1 = dyn_cast<FloatingLiteral>(LHS); 228 const FloatingLiteral *FloatLit2 = dyn_cast<FloatingLiteral>(RHS); 229 if ((DeclRef1) && (DeclRef2)) { 230 if ((DeclRef1->getType()->hasFloatingRepresentation()) && 231 (DeclRef2->getType()->hasFloatingRepresentation())) { 232 if (DeclRef1->getDecl() == DeclRef2->getDecl()) { 233 if ((Op == BO_EQ) || (Op == BO_NE)) { 234 return; 235 } 236 } 237 } 238 } else if ((FloatLit1) && (FloatLit2)) { 239 if (FloatLit1->getValue().bitwiseIsEqual(FloatLit2->getValue())) { 240 if ((Op == BO_EQ) || (Op == BO_NE)) { 241 return; 242 } 243 } 244 } else if (LHS->getType()->hasFloatingRepresentation()) { 245 // If any side of comparison operator still has floating-point 246 // representation, then it's an expression. Don't warn. 247 // Here only LHS is checked since RHS will be implicit casted to float. 248 return; 249 } else { 250 // No special case with floating-point representation, report as usual. 251 } 252 253 if (isIdenticalStmt(AC->getASTContext(), B->getLHS(), B->getRHS())) { 254 PathDiagnosticLocation ELoc = 255 PathDiagnosticLocation::createOperatorLoc(B, BR.getSourceManager()); 256 StringRef Message; 257 if (Op == BO_Cmp) 258 Message = "comparison of identical expressions always evaluates to " 259 "'equal'"; 260 else if (((Op == BO_EQ) || (Op == BO_LE) || (Op == BO_GE))) 261 Message = "comparison of identical expressions always evaluates to true"; 262 else 263 Message = "comparison of identical expressions always evaluates to false"; 264 BR.EmitBasicReport(AC->getDecl(), Checker, 265 "Compare of identical expressions", 266 categories::LogicError, Message, ELoc); 267 } 268 } 269 VisitConditionalOperator(const ConditionalOperator * C)270 bool FindIdenticalExprVisitor::VisitConditionalOperator( 271 const ConditionalOperator *C) { 272 273 // Check if expressions in conditional expression are identical 274 // from a symbolic point of view. 275 276 if (isIdenticalStmt(AC->getASTContext(), C->getTrueExpr(), 277 C->getFalseExpr(), true)) { 278 PathDiagnosticLocation ELoc = 279 PathDiagnosticLocation::createConditionalColonLoc( 280 C, BR.getSourceManager()); 281 282 SourceRange Sr[2]; 283 Sr[0] = C->getTrueExpr()->getSourceRange(); 284 Sr[1] = C->getFalseExpr()->getSourceRange(); 285 BR.EmitBasicReport( 286 AC->getDecl(), Checker, 287 "Identical expressions in conditional expression", 288 categories::LogicError, 289 "identical expressions on both sides of ':' in conditional expression", 290 ELoc, Sr); 291 } 292 // We want to visit ALL nodes (expressions in conditional 293 // expressions too) that contains conditional operators, 294 // thus always return true to traverse ALL nodes. 295 return true; 296 } 297 298 /// Determines whether two statement trees are identical regarding 299 /// operators and symbols. 300 /// 301 /// Exceptions: expressions containing macros or functions with possible side 302 /// effects are never considered identical. 303 /// Limitations: (t + u) and (u + t) are not considered identical. 304 /// t*(u + t) and t*u + t*t are not considered identical. 305 /// isIdenticalStmt(const ASTContext & Ctx,const Stmt * Stmt1,const Stmt * Stmt2,bool IgnoreSideEffects)306 static bool isIdenticalStmt(const ASTContext &Ctx, const Stmt *Stmt1, 307 const Stmt *Stmt2, bool IgnoreSideEffects) { 308 309 if (!Stmt1 || !Stmt2) { 310 return !Stmt1 && !Stmt2; 311 } 312 313 // If Stmt1 & Stmt2 are of different class then they are not 314 // identical statements. 315 if (Stmt1->getStmtClass() != Stmt2->getStmtClass()) 316 return false; 317 318 const Expr *Expr1 = dyn_cast<Expr>(Stmt1); 319 const Expr *Expr2 = dyn_cast<Expr>(Stmt2); 320 321 if (Expr1 && Expr2) { 322 // If Stmt1 has side effects then don't warn even if expressions 323 // are identical. 324 if (!IgnoreSideEffects && Expr1->HasSideEffects(Ctx)) 325 return false; 326 // If either expression comes from a macro then don't warn even if 327 // the expressions are identical. 328 if ((Expr1->getExprLoc().isMacroID()) || (Expr2->getExprLoc().isMacroID())) 329 return false; 330 331 // If all children of two expressions are identical, return true. 332 Expr::const_child_iterator I1 = Expr1->child_begin(); 333 Expr::const_child_iterator I2 = Expr2->child_begin(); 334 while (I1 != Expr1->child_end() && I2 != Expr2->child_end()) { 335 if (!*I1 || !*I2 || !isIdenticalStmt(Ctx, *I1, *I2, IgnoreSideEffects)) 336 return false; 337 ++I1; 338 ++I2; 339 } 340 // If there are different number of children in the statements, return 341 // false. 342 if (I1 != Expr1->child_end()) 343 return false; 344 if (I2 != Expr2->child_end()) 345 return false; 346 } 347 348 switch (Stmt1->getStmtClass()) { 349 default: 350 return false; 351 case Stmt::CallExprClass: 352 case Stmt::ArraySubscriptExprClass: 353 case Stmt::ArraySectionExprClass: 354 case Stmt::OMPArrayShapingExprClass: 355 case Stmt::OMPIteratorExprClass: 356 case Stmt::ImplicitCastExprClass: 357 case Stmt::ParenExprClass: 358 case Stmt::BreakStmtClass: 359 case Stmt::ContinueStmtClass: 360 case Stmt::NullStmtClass: 361 return true; 362 case Stmt::CStyleCastExprClass: { 363 const CStyleCastExpr* CastExpr1 = cast<CStyleCastExpr>(Stmt1); 364 const CStyleCastExpr* CastExpr2 = cast<CStyleCastExpr>(Stmt2); 365 366 return CastExpr1->getTypeAsWritten() == CastExpr2->getTypeAsWritten(); 367 } 368 case Stmt::ReturnStmtClass: { 369 const ReturnStmt *ReturnStmt1 = cast<ReturnStmt>(Stmt1); 370 const ReturnStmt *ReturnStmt2 = cast<ReturnStmt>(Stmt2); 371 372 return isIdenticalStmt(Ctx, ReturnStmt1->getRetValue(), 373 ReturnStmt2->getRetValue(), IgnoreSideEffects); 374 } 375 case Stmt::ForStmtClass: { 376 const ForStmt *ForStmt1 = cast<ForStmt>(Stmt1); 377 const ForStmt *ForStmt2 = cast<ForStmt>(Stmt2); 378 379 if (!isIdenticalStmt(Ctx, ForStmt1->getInit(), ForStmt2->getInit(), 380 IgnoreSideEffects)) 381 return false; 382 if (!isIdenticalStmt(Ctx, ForStmt1->getCond(), ForStmt2->getCond(), 383 IgnoreSideEffects)) 384 return false; 385 if (!isIdenticalStmt(Ctx, ForStmt1->getInc(), ForStmt2->getInc(), 386 IgnoreSideEffects)) 387 return false; 388 if (!isIdenticalStmt(Ctx, ForStmt1->getBody(), ForStmt2->getBody(), 389 IgnoreSideEffects)) 390 return false; 391 return true; 392 } 393 case Stmt::DoStmtClass: { 394 const DoStmt *DStmt1 = cast<DoStmt>(Stmt1); 395 const DoStmt *DStmt2 = cast<DoStmt>(Stmt2); 396 397 if (!isIdenticalStmt(Ctx, DStmt1->getCond(), DStmt2->getCond(), 398 IgnoreSideEffects)) 399 return false; 400 if (!isIdenticalStmt(Ctx, DStmt1->getBody(), DStmt2->getBody(), 401 IgnoreSideEffects)) 402 return false; 403 return true; 404 } 405 case Stmt::WhileStmtClass: { 406 const WhileStmt *WStmt1 = cast<WhileStmt>(Stmt1); 407 const WhileStmt *WStmt2 = cast<WhileStmt>(Stmt2); 408 409 if (!isIdenticalStmt(Ctx, WStmt1->getCond(), WStmt2->getCond(), 410 IgnoreSideEffects)) 411 return false; 412 if (!isIdenticalStmt(Ctx, WStmt1->getBody(), WStmt2->getBody(), 413 IgnoreSideEffects)) 414 return false; 415 return true; 416 } 417 case Stmt::IfStmtClass: { 418 const IfStmt *IStmt1 = cast<IfStmt>(Stmt1); 419 const IfStmt *IStmt2 = cast<IfStmt>(Stmt2); 420 421 if (!isIdenticalStmt(Ctx, IStmt1->getCond(), IStmt2->getCond(), 422 IgnoreSideEffects)) 423 return false; 424 if (!isIdenticalStmt(Ctx, IStmt1->getThen(), IStmt2->getThen(), 425 IgnoreSideEffects)) 426 return false; 427 if (!isIdenticalStmt(Ctx, IStmt1->getElse(), IStmt2->getElse(), 428 IgnoreSideEffects)) 429 return false; 430 return true; 431 } 432 case Stmt::CompoundStmtClass: { 433 const CompoundStmt *CompStmt1 = cast<CompoundStmt>(Stmt1); 434 const CompoundStmt *CompStmt2 = cast<CompoundStmt>(Stmt2); 435 436 if (CompStmt1->size() != CompStmt2->size()) 437 return false; 438 439 CompoundStmt::const_body_iterator I1 = CompStmt1->body_begin(); 440 CompoundStmt::const_body_iterator I2 = CompStmt2->body_begin(); 441 while (I1 != CompStmt1->body_end() && I2 != CompStmt2->body_end()) { 442 if (!isIdenticalStmt(Ctx, *I1, *I2, IgnoreSideEffects)) 443 return false; 444 ++I1; 445 ++I2; 446 } 447 448 return true; 449 } 450 case Stmt::CompoundAssignOperatorClass: 451 case Stmt::BinaryOperatorClass: { 452 const BinaryOperator *BinOp1 = cast<BinaryOperator>(Stmt1); 453 const BinaryOperator *BinOp2 = cast<BinaryOperator>(Stmt2); 454 return BinOp1->getOpcode() == BinOp2->getOpcode(); 455 } 456 case Stmt::CharacterLiteralClass: { 457 const CharacterLiteral *CharLit1 = cast<CharacterLiteral>(Stmt1); 458 const CharacterLiteral *CharLit2 = cast<CharacterLiteral>(Stmt2); 459 return CharLit1->getValue() == CharLit2->getValue(); 460 } 461 case Stmt::DeclRefExprClass: { 462 const DeclRefExpr *DeclRef1 = cast<DeclRefExpr>(Stmt1); 463 const DeclRefExpr *DeclRef2 = cast<DeclRefExpr>(Stmt2); 464 return DeclRef1->getDecl() == DeclRef2->getDecl(); 465 } 466 case Stmt::IntegerLiteralClass: { 467 const IntegerLiteral *IntLit1 = cast<IntegerLiteral>(Stmt1); 468 const IntegerLiteral *IntLit2 = cast<IntegerLiteral>(Stmt2); 469 470 llvm::APInt I1 = IntLit1->getValue(); 471 llvm::APInt I2 = IntLit2->getValue(); 472 if (I1.getBitWidth() != I2.getBitWidth()) 473 return false; 474 return I1 == I2; 475 } 476 case Stmt::FloatingLiteralClass: { 477 const FloatingLiteral *FloatLit1 = cast<FloatingLiteral>(Stmt1); 478 const FloatingLiteral *FloatLit2 = cast<FloatingLiteral>(Stmt2); 479 return FloatLit1->getValue().bitwiseIsEqual(FloatLit2->getValue()); 480 } 481 case Stmt::StringLiteralClass: { 482 const StringLiteral *StringLit1 = cast<StringLiteral>(Stmt1); 483 const StringLiteral *StringLit2 = cast<StringLiteral>(Stmt2); 484 return StringLit1->getBytes() == StringLit2->getBytes(); 485 } 486 case Stmt::MemberExprClass: { 487 const MemberExpr *MemberStmt1 = cast<MemberExpr>(Stmt1); 488 const MemberExpr *MemberStmt2 = cast<MemberExpr>(Stmt2); 489 return MemberStmt1->getMemberDecl() == MemberStmt2->getMemberDecl(); 490 } 491 case Stmt::UnaryOperatorClass: { 492 const UnaryOperator *UnaryOp1 = cast<UnaryOperator>(Stmt1); 493 const UnaryOperator *UnaryOp2 = cast<UnaryOperator>(Stmt2); 494 return UnaryOp1->getOpcode() == UnaryOp2->getOpcode(); 495 } 496 } 497 } 498 499 //===----------------------------------------------------------------------===// 500 // FindIdenticalExprChecker 501 //===----------------------------------------------------------------------===// 502 503 namespace { 504 class FindIdenticalExprChecker : public Checker<check::ASTCodeBody> { 505 public: checkASTCodeBody(const Decl * D,AnalysisManager & Mgr,BugReporter & BR) const506 void checkASTCodeBody(const Decl *D, AnalysisManager &Mgr, 507 BugReporter &BR) const { 508 FindIdenticalExprVisitor Visitor(BR, this, Mgr.getAnalysisDeclContext(D)); 509 Visitor.TraverseDecl(const_cast<Decl *>(D)); 510 } 511 }; 512 } // end anonymous namespace 513 registerIdenticalExprChecker(CheckerManager & Mgr)514 void ento::registerIdenticalExprChecker(CheckerManager &Mgr) { 515 Mgr.registerChecker<FindIdenticalExprChecker>(); 516 } 517 shouldRegisterIdenticalExprChecker(const CheckerManager & mgr)518 bool ento::shouldRegisterIdenticalExprChecker(const CheckerManager &mgr) { 519 return true; 520 } 521