Variable Shadowing
Detects local variables or inherited state variables that shadow declarations in parent contracts, causing confusion about which variable is accessed.
Overview
The variable shadowing detector identifies cases where a variable declaration in a derived contract or a local scope hides a variable with the same name in a parent contract or outer scope. The developer may read or write the shadowed variable believing they are accessing the parent’s version, leading to state that silently diverges from expectations.
Why This Is an Issue
In Solidity’s inheritance model, a derived contract that declares a state variable with the same name as one in a parent contract creates two separate storage slots. Functions in the derived contract access the local version, while functions inherited from the parent access the parent’s version. This split can cause one party to update a value that the other party never reads, breaking invariants that depend on shared state.
How to Resolve
// Before: Shadowing — derived contract hides parent's 'owner'
contract Parent {
    address public owner;
    constructor() { owner = msg.sender; }
}

contract Child is Parent {
    address public owner; // Shadows Parent.owner — different storage slot
}

// After: Fixed — use parent's variable directly
contract Child is Parent {
    // No redeclaration; inherits Parent.owner
}
Detection Methodology
- Inheritance analysis: Reconstructs the contract inheritance hierarchy from bytecode patterns and constructor chains.
- Storage slot mapping: Maps state variable names (when available via debug info) to storage slots across parent and child contracts.
- Duplicate detection: Identifies variables that map to different storage slots but share the same name across the hierarchy.
- Local shadowing: Detects function-local variables that share names with state variables.
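The storage slot mapping and duplicate detection steps above can be sketched as follows. This is an added example, not the detector's own code: it assumes the input has the shape of the `storageLayout` JSON that solc can emit for the most derived contract, and the sample layout, the file name `Shadow.sol` and the function names are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample: storage layout of Child, which redeclares Parent's 'owner'.
# Parent.owner (20 bytes) and Parent.paused pack into slot 0; Child.owner no
# longer fits there, so it lands in slot 1.
SAMPLE_LAYOUT = json.loads("""
{
  "storage": [
    {"astId": 3,  "contract": "Shadow.sol:Parent", "label": "owner",  "offset": 0,  "slot": "0", "type": "t_address"},
    {"astId": 12, "contract": "Shadow.sol:Parent", "label": "paused", "offset": 20, "slot": "0", "type": "t_bool"},
    {"astId": 20, "contract": "Shadow.sol:Child",  "label": "owner",  "offset": 0,  "slot": "1", "type": "t_address"},
    {"astId": 24, "contract": "Shadow.sol:Child",  "label": "limit",  "offset": 0,  "slot": "2", "type": "t_uint256"}
  ]
}
""")

def find_shadowed_state(layout):
    """Return {label: [(contract, slot, offset), ...]} for every name that is
    declared by more than one contract at different storage positions."""
    by_label = defaultdict(list)
    for entry in layout.get("storage", []):
        by_label[entry["label"]].append(
            (entry["contract"], int(entry["slot"]), int(entry["offset"])))
    findings = {}
    for label, decls in by_label.items():
        contracts = {c for c, _, _ in decls}
        positions = {(s, o) for _, s, o in decls}
        if len(contracts) > 1 and len(positions) > 1:
            # Base contracts occupy the lowest slots, so sort by position.
            findings[label] = sorted(decls, key=lambda d: (d[1], d[2]))
    return findings

def report(findings):
    """Format one line per shadowing declaration, naming the hidden one."""
    lines = []
    for label, decls in sorted(findings.items()):
        base, *shadows = decls
        for contract, slot, offset in shadows:
            lines.append(f"{label}: {contract} (slot {slot}, offset {offset}) "
                         f"shadows {base[0]} (slot {base[1]}, offset {base[2]})")
    return lines

if __name__ == "__main__":
    print("\n".join(report(find_shadowed_state(SAMPLE_LAYOUT))))
```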
Limitations
- False positives: Intentional overrides in some design patterns (though Solidity 0.6.0+ forbids state variable shadowing).
- False negatives: Without source code or debug information, variable names are not available, limiting detection to structural patterns only.
Related Detectors
- Storage Collision — detects storage slot conflicts in proxies
- Access Control — detects authorization issues