Consider mappings return values in control flow analysis.

6 files changed, 25 insertions, 1 deletions

diff --git a/Changelog.md b/Changelog.md
index a61a7300..9e8337a5 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -17,6 +17,7 @@ Breaking Changes:
  * Commandline interface: Rename the ``--julia`` option to ``--yul``.
  * Commandline interface: Require ``-`` if standard input is used as source.
  * Compiler interface: Disallow remappings with empty prefix.
+ * Control Flow Analyzer: Consider mappings as well when checking for uninitialized return values.
  * Control Flow Analyzer: Turn warning about returning uninitialized storage pointers into an error.
  * General: ``continue`` in a ``do...while`` loop jumps to the condition (it used to jump to the loop body). Warning: this may silently change the semantics of existing code.
  * General: Disallow declaring empty structs.
diff --git a/libsolidity/analysis/ControlFlowAnalyzer.cpp b/libsolidity/analysis/ControlFlowAnalyzer.cpp
index 483d08c8..ab6569be 100644
--- a/libsolidity/analysis/ControlFlowAnalyzer.cpp
+++ b/libsolidity/analysis/ControlFlowAnalyzer.cpp
@@ -75,7 +75,10 @@ void ControlFlowAnalyzer::checkUnassignedStorageReturnValues(
 	{
 		auto& unassignedAtFunctionEntry = unassigned[_functionEntry];
 		for (auto const& returnParameter: _function.returnParameterList()->parameters())
-			if (returnParameter->type()->dataStoredIn(DataLocation::Storage))
+			if (
+				returnParameter->type()->dataStoredIn(DataLocation::Storage) ||
+				returnParameter->type()->category() == Type::Category::Mapping
+			)
 				unassignedAtFunctionEntry.insert(returnParameter.get());
 	}
 
diff --git a/test/libsolidity/syntaxTests/controlFlow/mappingReturn/named_err.sol b/test/libsolidity/syntaxTests/controlFlow/mappingReturn/named_err.sol
new file mode 100644
index 00000000..35420b6d
--- /dev/null
+++ b/test/libsolidity/syntaxTests/controlFlow/mappingReturn/named_err.sol
@@ -0,0 +1,5 @@
+contract C {
+    function f() internal pure returns (mapping(uint=>uint) storage r) { }
+}
+// ----
+// TypeError: (53-82): This variable is of storage pointer type and might be returned without assignment and could be used uninitialized. Assign the variable (potentially from itself) to fix this error.
diff --git a/test/libsolidity/syntaxTests/controlFlow/mappingReturn/named_fine.sol b/test/libsolidity/syntaxTests/controlFlow/mappingReturn/named_fine.sol
new file mode 100644
index 00000000..4146192f
--- /dev/null
+++ b/test/libsolidity/syntaxTests/controlFlow/mappingReturn/named_fine.sol
@@ -0,0 +1,5 @@
+contract C {
+    mapping(uint=>uint) m;
+    function f() internal view returns (mapping(uint=>uint) storage r) { r = m; }
+}
+// ----
diff --git a/test/libsolidity/syntaxTests/controlFlow/mappingReturn/unnamed_err.sol b/test/libsolidity/syntaxTests/controlFlow/mappingReturn/unnamed_err.sol
new file mode 100644
index 00000000..7e8c4501
--- /dev/null
+++ b/test/libsolidity/syntaxTests/controlFlow/mappingReturn/unnamed_err.sol
@@ -0,0 +1,5 @@
+contract C {
+    function f() internal pure returns (mapping(uint=>uint) storage) {}
+}
+// ----
+// TypeError: (53-72): This variable is of storage pointer type and might be returned without assignment and could be used uninitialized. Assign the variable (potentially from itself) to fix this error.
diff --git a/test/libsolidity/syntaxTests/controlFlow/mappingReturn/unnamed_fine.sol b/test/libsolidity/syntaxTests/controlFlow/mappingReturn/unnamed_fine.sol
new file mode 100644
index 00000000..9c5e3149
--- /dev/null
+++ b/test/libsolidity/syntaxTests/controlFlow/mappingReturn/unnamed_fine.sol
@@ -0,0 +1,5 @@
+contract C {
+    mapping(uint=>uint) m;
+    function f() internal view returns (mapping(uint=>uint) storage) { return m; }
+}
+// ----