1 //===--- SemaChecking.cpp - Extra Semantic Checking -----------------------===//
2 //
3 //                     The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 //  This file implements extra semantic analysis beyond what is enforced
11 //  by the C type system.
12 //
13 //===----------------------------------------------------------------------===//
14 
15 #include "clang/Sema/Initialization.h"
16 #include "clang/Sema/Sema.h"
17 #include "clang/Sema/SemaInternal.h"
18 #include "clang/Sema/Initialization.h"
19 #include "clang/Sema/ScopeInfo.h"
20 #include "clang/Analysis/Analyses/FormatString.h"
21 #include "clang/AST/ASTContext.h"
22 #include "clang/AST/CharUnits.h"
23 #include "clang/AST/DeclCXX.h"
24 #include "clang/AST/DeclObjC.h"
25 #include "clang/AST/ExprCXX.h"
26 #include "clang/AST/ExprObjC.h"
27 #include "clang/AST/EvaluatedExprVisitor.h"
28 #include "clang/AST/DeclObjC.h"
29 #include "clang/AST/StmtCXX.h"
30 #include "clang/AST/StmtObjC.h"
31 #include "clang/Lex/Preprocessor.h"
32 #include "llvm/ADT/BitVector.h"
33 #include "llvm/ADT/STLExtras.h"
34 #include "llvm/Support/raw_ostream.h"
35 #include "clang/Basic/TargetBuiltins.h"
36 #include "clang/Basic/TargetInfo.h"
37 #include "clang/Basic/ConvertUTF.h"
38 #include <limits>
39 using namespace clang;
40 using namespace sema;
41 
/// Map byte \p ByteNo of the string literal \p SL back to a source location.
/// The literal does the actual lookup; this wrapper only supplies the
/// preprocessor's source manager, language options and target information.
SourceLocation Sema::getLocationOfStringLiteralByte(const StringLiteral *SL,
                                                    unsigned ByteNo) const {
  const SourceManager &SM = PP.getSourceManager();
  const LangOptions &LangOpts = PP.getLangOptions();
  const TargetInfo &Target = PP.getTargetInfo();
  return SL->getLocationOfByte(ByteNo, SM, LangOpts, Target);
}
47 
/// Decide whether a format attribute of the printf family is one whose
/// format string and arguments should be checked for this call.
///
/// \param Format the attribute being considered.
/// \param Args / \p NumArgs the call's explicit arguments (the implicit
///   object argument of a C++ member call is not among them).
/// \param IsCXXMemberCall whether the attribute's 1-based index counts the
///   implicit object argument as position 1.
/// \returns true if the call should be checked as a printf-style call.
bool Sema::CheckablePrintfAttr(const FormatAttr *Format, Expr **Args,
                               unsigned NumArgs, bool IsCXXMemberCall) {
  StringRef Type = Format->getType();
  // FIXME: add support for "CFString" Type. They are not string literal though,
  // so they need special handling.
  if (Type == "printf" || Type == "NSString")
    return true;
  if (Type != "printf0")
    return false;

  // printf0 allows a null "format" string; if so don't check format/args.
  unsigned FormatIdx = Format->getFormatIdx() - 1;
  if (IsCXXMemberCall) {
    // Does the index refer to the implicit object argument?
    if (FormatIdx == 0)
      return false;
    --FormatIdx;
  }
  if (FormatIdx >= NumArgs)
    return false;

  // Checkable exactly when the format argument is not a null pointer constant.
  Expr *FormatArg = Args[FormatIdx]->IgnoreParenCasts();
  return !FormatArg->isNullPointerConstant(Context,
                                           Expr::NPC_ValueDependentIsNull);
}
72 
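/// Checks that a call expression's argument count is the desired number.
/// This is useful when doing custom type-checking.  Returns true on error.
///
/// Too few arguments are reported at the end of the call; too many are
/// reported at, and highlight, the run of excess arguments.
static bool checkArgCount(Sema &S, CallExpr *call, unsigned desiredArgCount) {
  unsigned argCount = call->getNumArgs();
  if (argCount == desiredArgCount) return false;

  if (argCount < desiredArgCount)
    return S.Diag(call->getLocEnd(), diag::err_typecheck_call_too_few_args)
        << 0 /*function call*/ << desiredArgCount << argCount
        << call->getSourceRange();

  // Highlight all the excess arguments: from the first unexpected one through
  // the last.  argCount > desiredArgCount here, so both indices are in range.
  // (Previously the diagnostic highlighted getArg(1) instead, which is a valid
  // argument when desiredArgCount > 1 and does not exist at all when
  // desiredArgCount == 0 and argCount == 1.)
  SourceRange range(call->getArg(desiredArgCount)->getLocStart(),
                    call->getArg(argCount - 1)->getLocEnd());

  return S.Diag(range.getBegin(), diag::err_typecheck_call_too_many_args)
    << 0 /*function call*/ << desiredArgCount << argCount
    << range;
}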
92 
/// CheckBuiltinAnnotationString - Checks that string argument to the builtin
/// annotation is a non wide string literal.  Parentheses and casts around the
/// argument are looked through.  Returns true (after diagnosing) on error.
static bool CheckBuiltinAnnotationString(Sema &S, Expr *Arg) {
  Expr *Stripped = Arg->IgnoreParenCasts();
  if (const StringLiteral *Literal = dyn_cast<StringLiteral>(Stripped))
    if (Literal->isAscii())
      return false;

  S.Diag(Stripped->getLocStart(),
         diag::err_builtin_annotation_not_string_constant)
    << Stripped->getSourceRange();
  return true;
}
105 
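/// Perform the builtin-specific semantic checks for a call to builtin
/// \p BuiltinID.  Arguments that the builtin's signature flags as integer
/// constant expressions are validated first; then the per-builtin checks run,
/// and for target-specific builtins the per-target checks after that.
///
/// \returns the (possibly rewritten) call on success, ExprError() otherwise.
///   Errors are reported uniformly as ExprError() rather than a bare 'true'.
ExprResult
Sema::CheckBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) {
  ExprResult TheCallResult(Owned(TheCall));

  // Find out if any arguments are required to be integer constant expressions.
  unsigned ICEArguments = 0;
  ASTContext::GetBuiltinTypeError Error;
  Context.GetBuiltinType(BuiltinID, Error, &ICEArguments);
  if (Error != ASTContext::GE_None)
    ICEArguments = 0;  // Don't diagnose previously diagnosed errors.

  // If any arguments are required to be ICE's, check and diagnose.  Each
  // handled bit is cleared, so the loop stops after the last flagged argument.
  for (unsigned ArgNo = 0; ICEArguments != 0; ++ArgNo) {
    // Skip arguments not required to be ICE's.  Shift an unsigned 1 so that
    // bit 31 is not produced by a signed overflow.
    if ((ICEArguments & (1U << ArgNo)) == 0) continue;

    llvm::APSInt Result;
    if (SemaBuiltinConstantArg(TheCall, ArgNo, Result))
      return ExprError();
    ICEArguments &= ~(1U << ArgNo);
  }

  switch (BuiltinID) {
  case Builtin::BI__builtin___CFStringMakeConstantString:
    assert(TheCall->getNumArgs() == 1 &&
           "Wrong # arguments to builtin CFStringMakeConstantString");
    if (CheckObjCString(TheCall->getArg(0)))
      return ExprError();
    break;
  case Builtin::BI__builtin_stdarg_start:
  case Builtin::BI__builtin_va_start:
    if (SemaBuiltinVAStart(TheCall))
      return ExprError();
    break;
  case Builtin::BI__builtin_isgreater:
  case Builtin::BI__builtin_isgreaterequal:
  case Builtin::BI__builtin_isless:
  case Builtin::BI__builtin_islessequal:
  case Builtin::BI__builtin_islessgreater:
  case Builtin::BI__builtin_isunordered:
    if (SemaBuiltinUnorderedCompare(TheCall))
      return ExprError();
    break;
  case Builtin::BI__builtin_fpclassify:
    // fpclassify takes five classification values ahead of the operand.
    if (SemaBuiltinFPClassification(TheCall, 6))
      return ExprError();
    break;
  case Builtin::BI__builtin_isfinite:
  case Builtin::BI__builtin_isinf:
  case Builtin::BI__builtin_isinf_sign:
  case Builtin::BI__builtin_isnan:
  case Builtin::BI__builtin_isnormal:
    if (SemaBuiltinFPClassification(TheCall, 1))
      return ExprError();
    break;
  case Builtin::BI__builtin_shufflevector:
    return SemaBuiltinShuffleVector(TheCall);
    // TheCall will be freed by the smart pointer here, but that's fine, since
    // SemaBuiltinShuffleVector guts it, but then doesn't release it.
  case Builtin::BI__builtin_prefetch:
    if (SemaBuiltinPrefetch(TheCall))
      return ExprError();
    break;
  case Builtin::BI__builtin_object_size:
    if (SemaBuiltinObjectSize(TheCall))
      return ExprError();
    break;
  case Builtin::BI__builtin_longjmp:
    if (SemaBuiltinLongjmp(TheCall))
      return ExprError();
    break;

  case Builtin::BI__builtin_classify_type:
    if (checkArgCount(*this, TheCall, 1)) return ExprError();
    TheCall->setType(Context.IntTy);
    break;
  case Builtin::BI__builtin_constant_p:
    if (checkArgCount(*this, TheCall, 1)) return ExprError();
    TheCall->setType(Context.IntTy);
    break;
  // The __sync_* family is overloaded on the pointee type of its first
  // argument; SemaBuiltinAtomicOverloaded resolves the concrete variant.
  case Builtin::BI__sync_fetch_and_add:
  case Builtin::BI__sync_fetch_and_add_1:
  case Builtin::BI__sync_fetch_and_add_2:
  case Builtin::BI__sync_fetch_and_add_4:
  case Builtin::BI__sync_fetch_and_add_8:
  case Builtin::BI__sync_fetch_and_add_16:
  case Builtin::BI__sync_fetch_and_sub:
  case Builtin::BI__sync_fetch_and_sub_1:
  case Builtin::BI__sync_fetch_and_sub_2:
  case Builtin::BI__sync_fetch_and_sub_4:
  case Builtin::BI__sync_fetch_and_sub_8:
  case Builtin::BI__sync_fetch_and_sub_16:
  case Builtin::BI__sync_fetch_and_or:
  case Builtin::BI__sync_fetch_and_or_1:
  case Builtin::BI__sync_fetch_and_or_2:
  case Builtin::BI__sync_fetch_and_or_4:
  case Builtin::BI__sync_fetch_and_or_8:
  case Builtin::BI__sync_fetch_and_or_16:
  case Builtin::BI__sync_fetch_and_and:
  case Builtin::BI__sync_fetch_and_and_1:
  case Builtin::BI__sync_fetch_and_and_2:
  case Builtin::BI__sync_fetch_and_and_4:
  case Builtin::BI__sync_fetch_and_and_8:
  case Builtin::BI__sync_fetch_and_and_16:
  case Builtin::BI__sync_fetch_and_xor:
  case Builtin::BI__sync_fetch_and_xor_1:
  case Builtin::BI__sync_fetch_and_xor_2:
  case Builtin::BI__sync_fetch_and_xor_4:
  case Builtin::BI__sync_fetch_and_xor_8:
  case Builtin::BI__sync_fetch_and_xor_16:
  case Builtin::BI__sync_add_and_fetch:
  case Builtin::BI__sync_add_and_fetch_1:
  case Builtin::BI__sync_add_and_fetch_2:
  case Builtin::BI__sync_add_and_fetch_4:
  case Builtin::BI__sync_add_and_fetch_8:
  case Builtin::BI__sync_add_and_fetch_16:
  case Builtin::BI__sync_sub_and_fetch:
  case Builtin::BI__sync_sub_and_fetch_1:
  case Builtin::BI__sync_sub_and_fetch_2:
  case Builtin::BI__sync_sub_and_fetch_4:
  case Builtin::BI__sync_sub_and_fetch_8:
  case Builtin::BI__sync_sub_and_fetch_16:
  case Builtin::BI__sync_and_and_fetch:
  case Builtin::BI__sync_and_and_fetch_1:
  case Builtin::BI__sync_and_and_fetch_2:
  case Builtin::BI__sync_and_and_fetch_4:
  case Builtin::BI__sync_and_and_fetch_8:
  case Builtin::BI__sync_and_and_fetch_16:
  case Builtin::BI__sync_or_and_fetch:
  case Builtin::BI__sync_or_and_fetch_1:
  case Builtin::BI__sync_or_and_fetch_2:
  case Builtin::BI__sync_or_and_fetch_4:
  case Builtin::BI__sync_or_and_fetch_8:
  case Builtin::BI__sync_or_and_fetch_16:
  case Builtin::BI__sync_xor_and_fetch:
  case Builtin::BI__sync_xor_and_fetch_1:
  case Builtin::BI__sync_xor_and_fetch_2:
  case Builtin::BI__sync_xor_and_fetch_4:
  case Builtin::BI__sync_xor_and_fetch_8:
  case Builtin::BI__sync_xor_and_fetch_16:
  case Builtin::BI__sync_val_compare_and_swap:
  case Builtin::BI__sync_val_compare_and_swap_1:
  case Builtin::BI__sync_val_compare_and_swap_2:
  case Builtin::BI__sync_val_compare_and_swap_4:
  case Builtin::BI__sync_val_compare_and_swap_8:
  case Builtin::BI__sync_val_compare_and_swap_16:
  case Builtin::BI__sync_bool_compare_and_swap:
  case Builtin::BI__sync_bool_compare_and_swap_1:
  case Builtin::BI__sync_bool_compare_and_swap_2:
  case Builtin::BI__sync_bool_compare_and_swap_4:
  case Builtin::BI__sync_bool_compare_and_swap_8:
  case Builtin::BI__sync_bool_compare_and_swap_16:
  case Builtin::BI__sync_lock_test_and_set:
  case Builtin::BI__sync_lock_test_and_set_1:
  case Builtin::BI__sync_lock_test_and_set_2:
  case Builtin::BI__sync_lock_test_and_set_4:
  case Builtin::BI__sync_lock_test_and_set_8:
  case Builtin::BI__sync_lock_test_and_set_16:
  case Builtin::BI__sync_lock_release:
  case Builtin::BI__sync_lock_release_1:
  case Builtin::BI__sync_lock_release_2:
  case Builtin::BI__sync_lock_release_4:
  case Builtin::BI__sync_lock_release_8:
  case Builtin::BI__sync_lock_release_16:
  case Builtin::BI__sync_swap:
  case Builtin::BI__sync_swap_1:
  case Builtin::BI__sync_swap_2:
  case Builtin::BI__sync_swap_4:
  case Builtin::BI__sync_swap_8:
  case Builtin::BI__sync_swap_16:
    return SemaBuiltinAtomicOverloaded(move(TheCallResult));
  // The C11-style __atomic_* builtins are rewritten into an AtomicExpr.
  case Builtin::BI__atomic_load:
    return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::Load);
  case Builtin::BI__atomic_store:
    return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::Store);
  case Builtin::BI__atomic_init:
    return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::Init);
  case Builtin::BI__atomic_exchange:
    return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::Xchg);
  case Builtin::BI__atomic_compare_exchange_strong:
    return SemaAtomicOpsOverloaded(move(TheCallResult),
                                   AtomicExpr::CmpXchgStrong);
  case Builtin::BI__atomic_compare_exchange_weak:
    return SemaAtomicOpsOverloaded(move(TheCallResult),
                                   AtomicExpr::CmpXchgWeak);
  case Builtin::BI__atomic_fetch_add:
    return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::Add);
  case Builtin::BI__atomic_fetch_sub:
    return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::Sub);
  case Builtin::BI__atomic_fetch_and:
    return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::And);
  case Builtin::BI__atomic_fetch_or:
    return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::Or);
  case Builtin::BI__atomic_fetch_xor:
    return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::Xor);
  case Builtin::BI__builtin_annotation:
    // The second argument is the annotation string.
    if (CheckBuiltinAnnotationString(*this, TheCall->getArg(1)))
      return ExprError();
    break;
  }

  // Since the target specific builtins for each arch overlap, only check those
  // of the arch we are compiling for.
  if (BuiltinID >= Builtin::FirstTSBuiltin) {
    switch (Context.getTargetInfo().getTriple().getArch()) {
      case llvm::Triple::arm:
      case llvm::Triple::thumb:
        if (CheckARMBuiltinFunctionCall(BuiltinID, TheCall))
          return ExprError();
        break;
      default:
        break;
    }
  }

  return move(TheCallResult);
}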
323 
// Get the valid immediate range for the specified NEON type code: the largest
// lane index for a vector of that element type, or, when 'shift' is set, the
// largest shift amount (one less than the element width in bits).
static unsigned RFT(unsigned t, bool shift = false) {
  NeonTypeFlags Type(t);
  const int IsQuad = Type.isQuad();

  // Element width in bits.  A 64-bit register holds 64/Bits lanes; a quad
  // (128-bit) register holds twice as many.
  unsigned Bits = 0;
  bool IsFloat = false;
  switch (Type.getEltType()) {
  case NeonTypeFlags::Int8:
  case NeonTypeFlags::Poly8:
    Bits = 8;
    break;
  case NeonTypeFlags::Int16:
  case NeonTypeFlags::Poly16:
    Bits = 16;
    break;
  case NeonTypeFlags::Int32:
    Bits = 32;
    break;
  case NeonTypeFlags::Int64:
    Bits = 64;
    break;
  case NeonTypeFlags::Float16:
    Bits = 16;
    IsFloat = true;
    break;
  case NeonTypeFlags::Float32:
    Bits = 32;
    IsFloat = true;
    break;
  }
  if (Bits == 0)
    llvm_unreachable("Invalid NeonTypeFlag!");

  if (IsFloat)
    assert(!shift && "cannot shift float types!");
  else if (shift)
    return Bits - 1;
  return ((64 / Bits) << IsQuad) - 1;
}
348 
/// getNeonEltType - Return the QualType corresponding to the elements of
/// the vector type specified by the NeonTypeFlags.  This is used to check
/// the pointer arguments for Neon load/store intrinsics.
static QualType getNeonEltType(NeonTypeFlags Flags, ASTContext &Context) {
  const bool Unsigned = Flags.isUnsigned();
  switch (Flags.getEltType()) {
  // Integer element types come in signed and unsigned flavours.
  case NeonTypeFlags::Int8:
    if (Unsigned)
      return Context.UnsignedCharTy;
    return Context.SignedCharTy;
  case NeonTypeFlags::Int16:
    if (Unsigned)
      return Context.UnsignedShortTy;
    return Context.ShortTy;
  case NeonTypeFlags::Int32:
    if (Unsigned)
      return Context.UnsignedIntTy;
    return Context.IntTy;
  case NeonTypeFlags::Int64:
    if (Unsigned)
      return Context.UnsignedLongLongTy;
    return Context.LongLongTy;
  // Polynomial and floating-point element types ignore the unsigned flag and
  // map to one fixed builtin type of the matching width.
  case NeonTypeFlags::Poly8:
    return Context.SignedCharTy;
  case NeonTypeFlags::Poly16:
    return Context.ShortTy;
  case NeonTypeFlags::Float16:
    return Context.UnsignedShortTy;
  case NeonTypeFlags::Float32:
    return Context.FloatTy;
  }
  llvm_unreachable("Invalid NeonTypeFlag!");
}
373 
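/// Validate a call to an ARM target-specific builtin.
///
/// For NEON intrinsics overloaded on element type, the trailing type-code
/// immediate is checked against the mask of variants the intrinsic supports,
/// and a pointer argument (if the intrinsic has one) is checked against the
/// element type that code selects.  Intrinsics that encode an immediate in the
/// instruction have that operand range-checked.  The per-builtin tables
/// (\c mask, \c PtrArgNum, \c HasConstPtr and the \c i / \c l / \c u range
/// triple) are generated into arm_neon.inc.
///
/// \returns true if a diagnostic was emitted.
bool Sema::CheckARMBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) {
  llvm::APSInt Result;

  unsigned mask = 0;
  unsigned TV = 0;
  int PtrArgNum = -1;
  bool HasConstPtr = false;
  switch (BuiltinID) {
#define GET_NEON_OVERLOAD_CHECK
#include "clang/Basic/arm_neon.inc"
#undef GET_NEON_OVERLOAD_CHECK
  }

  // For NEON intrinsics which are overloaded on vector element type, validate
  // the immediate which specifies which variant to emit.
  unsigned ImmArg = TheCall->getNumArgs()-1;
  if (mask) {
    if (SemaBuiltinConstantArg(TheCall, ImmArg, Result))
      return true;

    // getLimitedValue caps the code at 64, so the first test rejects anything
    // out of range.  TV can still be up to 63, and shifting a 32-bit 1 by
    // that much is undefined behaviour, so shift in 64 bits: a code above the
    // mask's width then simply selects a zero bit and is rejected.
    TV = Result.getLimitedValue(64);
    if ((TV > 63) || (mask & (1ULL << TV)) == 0)
      return Diag(TheCall->getLocStart(), diag::err_invalid_neon_type_code)
        << TheCall->getArg(ImmArg)->getSourceRange();
  }

  if (PtrArgNum >= 0) {
    // Check that pointer arguments have the specified type.
    Expr *Arg = TheCall->getArg(PtrArgNum);
    if (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Arg))
      Arg = ICE->getSubExpr();
    ExprResult RHS = DefaultFunctionArrayLvalueConversion(Arg);
    QualType RHSTy = RHS.get()->getType();
    QualType EltTy = getNeonEltType(NeonTypeFlags(TV), Context);
    if (HasConstPtr)
      EltTy = EltTy.withConst();
    QualType LHSTy = Context.getPointerType(EltTy);
    AssignConvertType ConvTy;
    ConvTy = CheckSingleAssignmentConstraints(LHSTy, RHS);
    if (RHS.isInvalid())
      return true;
    if (DiagnoseAssignmentResult(ConvTy, Arg->getLocStart(), LHSTy, RHSTy,
                                 RHS.get(), AA_Assigning))
      return true;
  }

  // For NEON intrinsics which take an immediate value as part of the
  // instruction, range check them here.  i is the argument index, l the
  // lower bound and u the width of the allowed range above l.
  unsigned i = 0, l = 0, u = 0;
  switch (BuiltinID) {
  default: return false;
  case ARM::BI__builtin_arm_ssat: i = 1; l = 1; u = 31; break;
  case ARM::BI__builtin_arm_usat: i = 1; u = 31; break;
  case ARM::BI__builtin_arm_vcvtr_f:
  case ARM::BI__builtin_arm_vcvtr_d: i = 1; u = 1; break;
#define GET_NEON_IMMEDIATE_CHECK
#include "clang/Basic/arm_neon.inc"
#undef GET_NEON_IMMEDIATE_CHECK
  }

  // Check that the immediate argument is actually a constant.
  if (SemaBuiltinConstantArg(TheCall, i, Result))
    return true;

  // Range check against the upper/lower values for this instruction.
  unsigned Val = Result.getZExtValue();
  if (Val < l || Val > (u + l))
    return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range)
      << l << u+l << TheCall->getArg(i)->getSourceRange();

  // FIXME: VFP Intrinsics should error if VFP not present.
  return false;
}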
447 
/// CheckFunctionCall - Check a direct function call for various correctness
/// and safety properties not strictly enforced by the C type system: format
/// attributes, nonnull attributes, and the strlcpy/strlcat and memory-access
/// functions Sema knows about.  The checks only emit diagnostics; the return
/// value is always false.
bool Sema::CheckFunctionCall(FunctionDecl *FDecl, CallExpr *TheCall) {
  typedef specific_attr_iterator<FormatAttr> FormatIter;
  typedef specific_attr_iterator<NonNullAttr> NonNullIter;

  // None of the checks below are needed for functions that don't have
  // simple names (e.g., C++ conversion functions).
  IdentifierInfo *FnInfo = FDecl->getIdentifier();
  if (!FnInfo)
    return false;

  // FIXME: This mechanism should be abstracted to be less fragile and
  // more efficient. For example, just map function ids to custom
  // handlers.

  // Printf and scanf checking.
  for (FormatIter I = FDecl->specific_attr_begin<FormatAttr>(),
                  E = FDecl->specific_attr_end<FormatAttr>(); I != E; ++I)
    CheckFormatArguments(*I, TheCall);

  // Nonnull checking; the diagnostics are anchored at the callee.
  const SourceLocation CalleeLoc = TheCall->getCallee()->getLocStart();
  for (NonNullIter I = FDecl->specific_attr_begin<NonNullAttr>(),
                   E = FDecl->specific_attr_end<NonNullAttr>(); I != E; ++I)
    CheckNonNullArguments(*I, TheCall->getArgs(), CalleeLoc);

  // Handle memory setting and copying functions; a kind of 0 means the callee
  // is not one of them.
  const unsigned CMId = FDecl->getMemoryFunctionKind();
  if (CMId != 0) {
    const bool IsStrlcpyOrCat =
      CMId == Builtin::BIstrlcpy || CMId == Builtin::BIstrlcat;
    if (IsStrlcpyOrCat)
      CheckStrlcpycatArguments(TheCall, FnInfo);
    else
      CheckMemaccessArguments(TheCall, CMId, FnInfo);
  }

  return false;
}
489 
/// Run the attribute-driven checks (format and nonnull) for an Objective-C
/// message send to \p Method with explicit arguments \p Args.  \p lbrac is
/// the location of the opening bracket, used to anchor nonnull diagnostics.
/// Always returns false; the checks only emit diagnostics.
bool Sema::CheckObjCMethodCall(ObjCMethodDecl *Method, SourceLocation lbrac,
                               Expr **Args, unsigned NumArgs) {
  typedef specific_attr_iterator<FormatAttr> FormatIter;
  typedef specific_attr_iterator<NonNullAttr> NonNullIter;

  // Format string checking.  The 'false' is presumably the is-C++-member-call
  // flag (cf. CheckablePrintfAttr); confirm against the declaration.
  const SourceRange MethodRange = Method->getSourceRange();
  for (FormatIter I = Method->specific_attr_begin<FormatAttr>(),
                  E = Method->specific_attr_end<FormatAttr>(); I != E; ++I)
    CheckFormatArguments(*I, Args, NumArgs, false, lbrac, MethodRange);

  // diagnose nonnull arguments.
  for (NonNullIter I = Method->specific_attr_begin<NonNullAttr>(),
                   E = Method->specific_attr_end<NonNullAttr>(); I != E; ++I)
    CheckNonNullArguments(*I, Args, lbrac);

  return false;
}
509 
/// Run format-attribute checking for a call through a block.  Only calls
/// whose callee \p NDecl is a variable of block-pointer type are examined.
/// Always returns false; the check only emits diagnostics.
bool Sema::CheckBlockCall(NamedDecl *NDecl, CallExpr *TheCall) {
  typedef specific_attr_iterator<FormatAttr> FormatIter;

  const VarDecl *V = dyn_cast<VarDecl>(NDecl);
  if (!V || !V->getType()->isBlockPointerType())
    return false;

  // format string checking.
  for (FormatIter I = NDecl->specific_attr_begin<FormatAttr>(),
                  E = NDecl->specific_attr_end<FormatAttr>(); I != E; ++I)
    CheckFormatArguments(*I, TheCall);

  return false;
}
528 
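/// Type-check a call to one of the \c __atomic_* builtins and rewrite it into
/// an AtomicExpr.  The builtins are not prototyped per type, so the argument
/// count and the argument types are enforced here according to \p Op: the
/// value type is deduced from the \c _Atomic pointer in the first position and
/// every remaining argument is converted to the type that position requires.
///
/// \returns the new AtomicExpr, or ExprError() after diagnosing.
ExprResult
Sema::SemaAtomicOpsOverloaded(ExprResult TheCallResult, AtomicExpr::AtomicOp Op) {
  CallExpr *TheCall = cast<CallExpr>(TheCallResult.get());
  DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts());

  // All these operations take one of the following four forms:
  // T   __atomic_load(_Atomic(T)*, int)                              (loads)
  // T*  __atomic_add(_Atomic(T*)*, ptrdiff_t, int)         (pointer add/sub)
  // int __atomic_compare_exchange_strong(_Atomic(T)*, T*, T, int, int)
  //                                                                (cmpxchg)
  // T   __atomic_exchange(_Atomic(T)*, T, int)             (everything else)
  // where T is an appropriate type, and the int parameters are for orderings.
  unsigned NumVals = 1;
  unsigned NumOrders = 1;
  if (Op == AtomicExpr::Load) {
    NumVals = 0;
  } else if (Op == AtomicExpr::CmpXchgWeak || Op == AtomicExpr::CmpXchgStrong) {
    NumVals = 2;
    NumOrders = 2;
  }
  if (Op == AtomicExpr::Init)
    NumOrders = 0;

  // The pointer plus the value and ordering arguments are all required.
  const unsigned NumRequiredArgs = NumVals + NumOrders + 1;
  if (TheCall->getNumArgs() < NumRequiredArgs) {
    Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args)
      << 0 << NumRequiredArgs << TheCall->getNumArgs()
      << TheCall->getCallee()->getSourceRange();
    return ExprError();
  } else if (TheCall->getNumArgs() > NumRequiredArgs) {
    // Point at the first surplus argument.
    Diag(TheCall->getArg(NumRequiredArgs)->getLocStart(),
         diag::err_typecheck_call_too_many_args)
      << 0 << NumRequiredArgs << TheCall->getNumArgs()
      << TheCall->getCallee()->getSourceRange();
    return ExprError();
  }

  // Inspect the first argument of the atomic operation.  This should always be
  // a pointer to an _Atomic type.  Stop on a failed lvalue conversion instead
  // of using its result (as SemaBuiltinAtomicOverloaded does).
  ExprResult PtrResult = DefaultFunctionArrayLvalueConversion(TheCall->getArg(0));
  if (PtrResult.isInvalid())
    return ExprError();
  Expr *Ptr = PtrResult.take();
  const PointerType *pointerType = Ptr->getType()->getAs<PointerType>();
  if (!pointerType) {
    Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic)
      << Ptr->getType() << Ptr->getSourceRange();
    return ExprError();
  }

  QualType AtomTy = pointerType->getPointeeType();
  if (!AtomTy->isAtomicType()) {
    Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic)
      << Ptr->getType() << Ptr->getSourceRange();
    return ExprError();
  }
  QualType ValType = AtomTy->getAs<AtomicType>()->getValueType();

  // Arithmetic ops need an integer or pointer; bitwise ops need an integer.
  if ((Op == AtomicExpr::Add || Op == AtomicExpr::Sub) &&
      !ValType->isIntegerType() && !ValType->isPointerType()) {
    Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic_int_or_ptr)
      << Ptr->getType() << Ptr->getSourceRange();
    return ExprError();
  }

  if (!ValType->isIntegerType() &&
      (Op == AtomicExpr::And || Op == AtomicExpr::Or || Op == AtomicExpr::Xor)){
    Diag(DRE->getLocStart(), diag::err_atomic_op_logical_needs_atomic_int)
      << Ptr->getType() << Ptr->getSourceRange();
    return ExprError();
  }

  // ARC-managed object pointers cannot be operated on atomically.
  switch (ValType.getObjCLifetime()) {
  case Qualifiers::OCL_None:
  case Qualifiers::OCL_ExplicitNone:
    // okay
    break;

  case Qualifiers::OCL_Weak:
  case Qualifiers::OCL_Strong:
  case Qualifiers::OCL_Autoreleasing:
    Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership)
      << ValType << Ptr->getSourceRange();
    return ExprError();
  }

  // Stores and init produce nothing; cmpxchg reports success as bool;
  // everything else yields a value of the atomic's value type.
  QualType ResultType = ValType;
  if (Op == AtomicExpr::Store || Op == AtomicExpr::Init)
    ResultType = Context.VoidTy;
  else if (Op == AtomicExpr::CmpXchgWeak || Op == AtomicExpr::CmpXchgStrong)
    ResultType = Context.BoolTy;

  // The first argument --- the pointer --- has a fixed type; we
  // deduce the types of the rest of the arguments accordingly.  Walk
  // the remaining arguments, converting them to the deduced value type.
  for (unsigned i = 1; i != NumRequiredArgs; ++i) {
    ExprResult Arg = TheCall->getArg(i);
    QualType Ty;
    if (i < NumVals+1) {
      // The second argument to a cmpxchg is a pointer to the data which will
      // be exchanged. The second argument to a pointer add/subtract is the
      // amount to add/subtract, which must be a ptrdiff_t.  The third
      // argument to a cmpxchg and the second argument in all other cases
      // is the type of the value.
      if (i == 1 && (Op == AtomicExpr::CmpXchgWeak ||
                     Op == AtomicExpr::CmpXchgStrong))
         Ty = Context.getPointerType(ValType.getUnqualifiedType());
      else if (!ValType->isIntegerType() &&
               (Op == AtomicExpr::Add || Op == AtomicExpr::Sub))
        Ty = Context.getPointerDiffType();
      else
        Ty = ValType;
    } else {
      // The order(s) are always converted to int.
      Ty = Context.IntTy;
    }
    InitializedEntity Entity =
        InitializedEntity::InitializeParameter(Context, Ty, false);
    Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg);
    if (Arg.isInvalid())
      return ExprError();
    TheCall->setArg(i, Arg.get());
  }

  // Assemble the operands in the order noted on each line; AtomicExpr
  // presumably reads them positionally, so keep this in step with its ctor.
  SmallVector<Expr*, 5> SubExprs;
  SubExprs.push_back(Ptr);
  if (Op == AtomicExpr::Load) {
    SubExprs.push_back(TheCall->getArg(1)); // Order
  } else if (Op == AtomicExpr::Init) {
    SubExprs.push_back(TheCall->getArg(1)); // Val1
  } else if (Op != AtomicExpr::CmpXchgWeak && Op != AtomicExpr::CmpXchgStrong) {
    SubExprs.push_back(TheCall->getArg(2)); // Order
    SubExprs.push_back(TheCall->getArg(1)); // Val1
  } else {
    SubExprs.push_back(TheCall->getArg(3)); // Order
    SubExprs.push_back(TheCall->getArg(1)); // Val1
    SubExprs.push_back(TheCall->getArg(2)); // Val2
    SubExprs.push_back(TheCall->getArg(4)); // OrderFail
  }

  return Owned(new (Context) AtomicExpr(TheCall->getCallee()->getLocStart(),
                                        SubExprs.data(), SubExprs.size(),
                                        ResultType, Op,
                                        TheCall->getRParenLoc()));
}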
671 
672 
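/// checkBuiltinArgument - Given a call to a builtin function, perform
/// normal type-checking on the given argument, updating the call in
/// place.  This is useful when a builtin function requires custom
/// type-checking for some of its arguments but not necessarily all of
/// them.
///
/// \param E the builtin call; it must have a direct callee.
/// \param ArgIndex the index of the argument to check, which is also the
///   index of the parameter it is initialized from.
///
/// Returns true on error.
static bool checkBuiltinArgument(Sema &S, CallExpr *E, unsigned ArgIndex) {
  FunctionDecl *Fn = E->getDirectCallee();
  assert(Fn && "builtin call without direct callee!");
  assert(ArgIndex < E->getNumArgs() && "argument index out of range!");

  ParmVarDecl *Param = Fn->getParamDecl(ArgIndex);
  InitializedEntity Entity =
    InitializedEntity::InitializeParameter(S.Context, Param);

  // Check the argument at ArgIndex -- not argument 0 -- against its parameter,
  // then store the converted expression back into the same slot.
  ExprResult Arg = E->getArg(ArgIndex);
  Arg = S.PerformCopyInitialization(Entity, SourceLocation(), Arg);
  if (Arg.isInvalid())
    return true;

  E->setArg(ArgIndex, Arg.take());
  return false;
}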
696 
697 /// SemaBuiltinAtomicOverloaded - We have a call to a function like
698 /// __sync_fetch_and_add, which is an overloaded function based on the pointer
699 /// type of its first argument.  The main ActOnCallExpr routines have already
700 /// promoted the types of arguments because all of these calls are prototyped as
701 /// void(...).
702 ///
/// This function goes through and does final semantic checking for these
/// builtins.
705 ExprResult
706 Sema::SemaBuiltinAtomicOverloaded(ExprResult TheCallResult) {
707   CallExpr *TheCall = (CallExpr *)TheCallResult.get();
708   DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts());
709   FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl());
710 
711   // Ensure that we have at least one argument to do type inference from.
712   if (TheCall->getNumArgs() < 1) {
713     Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least)
714       << 0 << 1 << TheCall->getNumArgs()
715       << TheCall->getCallee()->getSourceRange();
716     return ExprError();
717   }
718 
719   // Inspect the first argument of the atomic builtin.  This should always be
720   // a pointer type, whose element is an integral scalar or pointer type.
721   // Because it is a pointer type, we don't have to worry about any implicit
722   // casts here.
723   // FIXME: We don't allow floating point scalars as input.
724   Expr *FirstArg = TheCall->getArg(0);
725   ExprResult FirstArgResult = DefaultFunctionArrayLvalueConversion(FirstArg);
726   if (FirstArgResult.isInvalid())
727     return ExprError();
728   FirstArg = FirstArgResult.take();
729   TheCall->setArg(0, FirstArg);
730 
731   const PointerType *pointerType = FirstArg->getType()->getAs<PointerType>();
732   if (!pointerType) {
733     Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer)
734       << FirstArg->getType() << FirstArg->getSourceRange();
735     return ExprError();
736   }
737 
738   QualType ValType = pointerType->getPointeeType();
739   if (!ValType->isIntegerType() && !ValType->isAnyPointerType() &&
740       !ValType->isBlockPointerType()) {
741     Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer_intptr)
742       << FirstArg->getType() << FirstArg->getSourceRange();
743     return ExprError();
744   }
745 
746   switch (ValType.getObjCLifetime()) {
747   case Qualifiers::OCL_None:
748   case Qualifiers::OCL_ExplicitNone:
749     // okay
750     break;
751 
752   case Qualifiers::OCL_Weak:
753   case Qualifiers::OCL_Strong:
754   case Qualifiers::OCL_Autoreleasing:
755     Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership)
756       << ValType << FirstArg->getSourceRange();
757     return ExprError();
758   }
759 
760   // Strip any qualifiers off ValType.
761   ValType = ValType.getUnqualifiedType();
762 
763   // The majority of builtins return a value, but a few have special return
764   // types, so allow them to override appropriately below.
765   QualType ResultType = ValType;
766 
767   // We need to figure out which concrete builtin this maps onto.  For example,
768   // __sync_fetch_and_add with a 2 byte object turns into
769   // __sync_fetch_and_add_2.
770 #define BUILTIN_ROW(x) \
771   { Builtin::BI##x##_1, Builtin::BI##x##_2, Builtin::BI##x##_4, \
772     Builtin::BI##x##_8, Builtin::BI##x##_16 }
773 
774   static const unsigned BuiltinIndices[][5] = {
775     BUILTIN_ROW(__sync_fetch_and_add),
776     BUILTIN_ROW(__sync_fetch_and_sub),
777     BUILTIN_ROW(__sync_fetch_and_or),
778     BUILTIN_ROW(__sync_fetch_and_and),
779     BUILTIN_ROW(__sync_fetch_and_xor),
780 
781     BUILTIN_ROW(__sync_add_and_fetch),
782     BUILTIN_ROW(__sync_sub_and_fetch),
783     BUILTIN_ROW(__sync_and_and_fetch),
784     BUILTIN_ROW(__sync_or_and_fetch),
785     BUILTIN_ROW(__sync_xor_and_fetch),
786 
787     BUILTIN_ROW(__sync_val_compare_and_swap),
788     BUILTIN_ROW(__sync_bool_compare_and_swap),
789     BUILTIN_ROW(__sync_lock_test_and_set),
790     BUILTIN_ROW(__sync_lock_release),
791     BUILTIN_ROW(__sync_swap)
792   };
793 #undef BUILTIN_ROW
794 
795   // Determine the index of the size.
796   unsigned SizeIndex;
797   switch (Context.getTypeSizeInChars(ValType).getQuantity()) {
798   case 1: SizeIndex = 0; break;
799   case 2: SizeIndex = 1; break;
800   case 4: SizeIndex = 2; break;
801   case 8: SizeIndex = 3; break;
802   case 16: SizeIndex = 4; break;
803   default:
804     Diag(DRE->getLocStart(), diag::err_atomic_builtin_pointer_size)
805       << FirstArg->getType() << FirstArg->getSourceRange();
806     return ExprError();
807   }
808 
809   // Each of these builtins has one pointer argument, followed by some number of
810   // values (0, 1 or 2) followed by a potentially empty varags list of stuff
811   // that we ignore.  Find out which row of BuiltinIndices to read from as well
812   // as the number of fixed args.
813   unsigned BuiltinID = FDecl->getBuiltinID();
814   unsigned BuiltinIndex, NumFixed = 1;
815   switch (BuiltinID) {
816   default: llvm_unreachable("Unknown overloaded atomic builtin!");
817   case Builtin::BI__sync_fetch_and_add:
818   case Builtin::BI__sync_fetch_and_add_1:
819   case Builtin::BI__sync_fetch_and_add_2:
820   case Builtin::BI__sync_fetch_and_add_4:
821   case Builtin::BI__sync_fetch_and_add_8:
822   case Builtin::BI__sync_fetch_and_add_16:
823     BuiltinIndex = 0;
824     break;
825 
826   case Builtin::BI__sync_fetch_and_sub:
827   case Builtin::BI__sync_fetch_and_sub_1:
828   case Builtin::BI__sync_fetch_and_sub_2:
829   case Builtin::BI__sync_fetch_and_sub_4:
830   case Builtin::BI__sync_fetch_and_sub_8:
831   case Builtin::BI__sync_fetch_and_sub_16:
832     BuiltinIndex = 1;
833     break;
834 
835   case Builtin::BI__sync_fetch_and_or:
836   case Builtin::BI__sync_fetch_and_or_1:
837   case Builtin::BI__sync_fetch_and_or_2:
838   case Builtin::BI__sync_fetch_and_or_4:
839   case Builtin::BI__sync_fetch_and_or_8:
840   case Builtin::BI__sync_fetch_and_or_16:
841     BuiltinIndex = 2;
842     break;
843 
844   case Builtin::BI__sync_fetch_and_and:
845   case Builtin::BI__sync_fetch_and_and_1:
846   case Builtin::BI__sync_fetch_and_and_2:
847   case Builtin::BI__sync_fetch_and_and_4:
848   case Builtin::BI__sync_fetch_and_and_8:
849   case Builtin::BI__sync_fetch_and_and_16:
850     BuiltinIndex = 3;
851     break;
852 
853   case Builtin::BI__sync_fetch_and_xor:
854   case Builtin::BI__sync_fetch_and_xor_1:
855   case Builtin::BI__sync_fetch_and_xor_2:
856   case Builtin::BI__sync_fetch_and_xor_4:
857   case Builtin::BI__sync_fetch_and_xor_8:
858   case Builtin::BI__sync_fetch_and_xor_16:
859     BuiltinIndex = 4;
860     break;
861 
862   case Builtin::BI__sync_add_and_fetch:
863   case Builtin::BI__sync_add_and_fetch_1:
864   case Builtin::BI__sync_add_and_fetch_2:
865   case Builtin::BI__sync_add_and_fetch_4:
866   case Builtin::BI__sync_add_and_fetch_8:
867   case Builtin::BI__sync_add_and_fetch_16:
868     BuiltinIndex = 5;
869     break;
870 
871   case Builtin::BI__sync_sub_and_fetch:
872   case Builtin::BI__sync_sub_and_fetch_1:
873   case Builtin::BI__sync_sub_and_fetch_2:
874   case Builtin::BI__sync_sub_and_fetch_4:
875   case Builtin::BI__sync_sub_and_fetch_8:
876   case Builtin::BI__sync_sub_and_fetch_16:
877     BuiltinIndex = 6;
878     break;
879 
880   case Builtin::BI__sync_and_and_fetch:
881   case Builtin::BI__sync_and_and_fetch_1:
882   case Builtin::BI__sync_and_and_fetch_2:
883   case Builtin::BI__sync_and_and_fetch_4:
884   case Builtin::BI__sync_and_and_fetch_8:
885   case Builtin::BI__sync_and_and_fetch_16:
886     BuiltinIndex = 7;
887     break;
888 
889   case Builtin::BI__sync_or_and_fetch:
890   case Builtin::BI__sync_or_and_fetch_1:
891   case Builtin::BI__sync_or_and_fetch_2:
892   case Builtin::BI__sync_or_and_fetch_4:
893   case Builtin::BI__sync_or_and_fetch_8:
894   case Builtin::BI__sync_or_and_fetch_16:
895     BuiltinIndex = 8;
896     break;
897 
898   case Builtin::BI__sync_xor_and_fetch:
899   case Builtin::BI__sync_xor_and_fetch_1:
900   case Builtin::BI__sync_xor_and_fetch_2:
901   case Builtin::BI__sync_xor_and_fetch_4:
902   case Builtin::BI__sync_xor_and_fetch_8:
903   case Builtin::BI__sync_xor_and_fetch_16:
904     BuiltinIndex = 9;
905     break;
906 
907   case Builtin::BI__sync_val_compare_and_swap:
908   case Builtin::BI__sync_val_compare_and_swap_1:
909   case Builtin::BI__sync_val_compare_and_swap_2:
910   case Builtin::BI__sync_val_compare_and_swap_4:
911   case Builtin::BI__sync_val_compare_and_swap_8:
912   case Builtin::BI__sync_val_compare_and_swap_16:
913     BuiltinIndex = 10;
914     NumFixed = 2;
915     break;
916 
917   case Builtin::BI__sync_bool_compare_and_swap:
918   case Builtin::BI__sync_bool_compare_and_swap_1:
919   case Builtin::BI__sync_bool_compare_and_swap_2:
920   case Builtin::BI__sync_bool_compare_and_swap_4:
921   case Builtin::BI__sync_bool_compare_and_swap_8:
922   case Builtin::BI__sync_bool_compare_and_swap_16:
923     BuiltinIndex = 11;
924     NumFixed = 2;
925     ResultType = Context.BoolTy;
926     break;
927 
928   case Builtin::BI__sync_lock_test_and_set:
929   case Builtin::BI__sync_lock_test_and_set_1:
930   case Builtin::BI__sync_lock_test_and_set_2:
931   case Builtin::BI__sync_lock_test_and_set_4:
932   case Builtin::BI__sync_lock_test_and_set_8:
933   case Builtin::BI__sync_lock_test_and_set_16:
934     BuiltinIndex = 12;
935     break;
936 
937   case Builtin::BI__sync_lock_release:
938   case Builtin::BI__sync_lock_release_1:
939   case Builtin::BI__sync_lock_release_2:
940   case Builtin::BI__sync_lock_release_4:
941   case Builtin::BI__sync_lock_release_8:
942   case Builtin::BI__sync_lock_release_16:
943     BuiltinIndex = 13;
944     NumFixed = 0;
945     ResultType = Context.VoidTy;
946     break;
947 
948   case Builtin::BI__sync_swap:
949   case Builtin::BI__sync_swap_1:
950   case Builtin::BI__sync_swap_2:
951   case Builtin::BI__sync_swap_4:
952   case Builtin::BI__sync_swap_8:
953   case Builtin::BI__sync_swap_16:
954     BuiltinIndex = 14;
955     break;
956   }
957 
958   // Now that we know how many fixed arguments we expect, first check that we
959   // have at least that many.
960   if (TheCall->getNumArgs() < 1+NumFixed) {
961     Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least)
962       << 0 << 1+NumFixed << TheCall->getNumArgs()
963       << TheCall->getCallee()->getSourceRange();
964     return ExprError();
965   }
966 
967   // Get the decl for the concrete builtin from this, we can tell what the
968   // concrete integer type we should convert to is.
969   unsigned NewBuiltinID = BuiltinIndices[BuiltinIndex][SizeIndex];
970   const char *NewBuiltinName = Context.BuiltinInfo.GetName(NewBuiltinID);
971   IdentifierInfo *NewBuiltinII = PP.getIdentifierInfo(NewBuiltinName);
972   FunctionDecl *NewBuiltinDecl =
973     cast<FunctionDecl>(LazilyCreateBuiltin(NewBuiltinII, NewBuiltinID,
974                                            TUScope, false, DRE->getLocStart()));
975 
976   // The first argument --- the pointer --- has a fixed type; we
977   // deduce the types of the rest of the arguments accordingly.  Walk
978   // the remaining arguments, converting them to the deduced value type.
979   for (unsigned i = 0; i != NumFixed; ++i) {
980     ExprResult Arg = TheCall->getArg(i+1);
981 
982     // GCC does an implicit conversion to the pointer or integer ValType.  This
983     // can fail in some cases (1i -> int**), check for this error case now.
984     // Initialize the argument.
985     InitializedEntity Entity = InitializedEntity::InitializeParameter(Context,
986                                                    ValType, /*consume*/ false);
987     Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg);
988     if (Arg.isInvalid())
989       return ExprError();
990 
991     // Okay, we have something that *can* be converted to the right type.  Check
992     // to see if there is a potentially weird extension going on here.  This can
993     // happen when you do an atomic operation on something like an char* and
994     // pass in 42.  The 42 gets converted to char.  This is even more strange
995     // for things like 45.123 -> char, etc.
996     // FIXME: Do this check.
997     TheCall->setArg(i+1, Arg.take());
998   }
999 
1000   ASTContext& Context = this->getASTContext();
1001 
1002   // Create a new DeclRefExpr to refer to the new decl.
1003   DeclRefExpr* NewDRE = DeclRefExpr::Create(
1004       Context,
1005       DRE->getQualifierLoc(),
1006       NewBuiltinDecl,
1007       DRE->getLocation(),
1008       NewBuiltinDecl->getType(),
1009       DRE->getValueKind());
1010 
1011   // Set the callee in the CallExpr.
1012   // FIXME: This leaks the original parens and implicit casts.
1013   ExprResult PromotedCall = UsualUnaryConversions(NewDRE);
1014   if (PromotedCall.isInvalid())
1015     return ExprError();
1016   TheCall->setCallee(PromotedCall.take());
1017 
1018   // Change the result type of the call to match the original value type. This
1019   // is arbitrary, but the codegen for these builtins ins design to handle it
1020   // gracefully.
1021   TheCall->setType(ResultType);
1022 
1023   return move(TheCallResult);
1024 }
1025 
1026 /// CheckObjCString - Checks that the argument to the builtin
1027 /// CFString constructor is correct
1028 /// Note: It might also make sense to do the UTF-16 conversion here (would
1029 /// simplify the backend).
bool Sema::CheckObjCString(Expr *Arg) {
  // The CFString constructor must be handed a plain narrow string literal;
  // look through parentheses and casts to find it.
  Arg = Arg->IgnoreParenCasts();
  StringLiteral *Lit = dyn_cast<StringLiteral>(Arg);

  // Anything that is not a narrow (isAscii()) literal is a hard error.
  if (Lit == 0 || !Lit->isAscii()) {
    Diag(Arg->getLocStart(), diag::err_cfstring_literal_not_string_constant)
      << Arg->getSourceRange();
    return true;
  }

  // A literal made purely of 7-bit characters needs no further scrutiny.
  if (!Lit->containsNonAsciiOrNull())
    return false;

  // Attempt the UTF-8 -> UTF-16 conversion here so that malformed byte
  // sequences are diagnosed at the call site instead of being dropped
  // later.  UTF-16 never needs more code units than the UTF-8 input had
  // bytes, so a NumBytes-sized buffer is always large enough.
  StringRef Bytes = Lit->getString();
  unsigned NumBytes = Bytes.size();
  SmallVector<UTF16, 128> Units(NumBytes);
  const UTF8 *SrcBegin = reinterpret_cast<const UTF8 *>(Bytes.data());
  const UTF8 *SrcEnd = SrcBegin + NumBytes;
  UTF16 *DstBegin = &Units[0];
  UTF16 *DstEnd = DstBegin + NumBytes;

  ConversionResult Status = ConvertUTF8toUTF16(&SrcBegin, SrcEnd,
                                               &DstBegin, DstEnd,
                                               strictConversion);
  // A failed strict conversion is only a warning: the literal is still
  // accepted, but the user is told it will not round-trip intact.
  if (Status != conversionOK)
    Diag(Arg->getLocStart(), diag::warn_cfstring_truncated)
      << Arg->getSourceRange();

  return false;
}
1057 
1058 /// SemaBuiltinVAStart - Check the arguments to __builtin_va_start for validity.
1059 /// Emit an error and return true on failure, return false on success.
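bool Sema::SemaBuiltinVAStart(CallExpr *TheCall) {
  Expr *Fn = TheCall->getCallee();

  // __builtin_va_start is declared as (...), so the arity is enforced here:
  // exactly two arguments, the va_list and the last named parameter.
  if (TheCall->getNumArgs() > 2) {
    Diag(TheCall->getArg(2)->getLocStart(),
         diag::err_typecheck_call_too_many_args)
      << 0 /*function call*/ << 2 << TheCall->getNumArgs()
      << Fn->getSourceRange()
      << SourceRange(TheCall->getArg(2)->getLocStart(),
                     (*(TheCall->arg_end()-1))->getLocEnd());
    return true;
  }

  if (TheCall->getNumArgs() < 2) {
    return Diag(TheCall->getLocEnd(),
      diag::err_typecheck_call_too_few_args_at_least)
      << 0 /*function call*/ << 2 << TheCall->getNumArgs();
  }

  // Type-check the first argument normally.
  if (checkBuiltinArgument(*this, TheCall, 0))
    return true;

  // Find the enclosing block, function or Objective-C method and record both
  // whether it is variadic and which parameter is its last named one.  A
  // variadic function may have no named parameters at all (C++ allows
  // "void f(...)"), so guard the parameter list against being empty rather
  // than dereferencing param_end()-1 unconditionally.  If there is no
  // enclosing callable, isVariadic stays false and the diagnostic below is
  // issued instead of dereferencing a null decl.
  bool isVariadic = false;
  const ParmVarDecl *LastArg = 0;
  if (BlockScopeInfo *CurBlock = getCurBlock()) {
    isVariadic = CurBlock->TheDecl->isVariadic();
    if (CurBlock->TheDecl->param_begin() != CurBlock->TheDecl->param_end())
      LastArg = *(CurBlock->TheDecl->param_end()-1);
  } else if (FunctionDecl *FD = getCurFunctionDecl()) {
    isVariadic = FD->isVariadic();
    if (FD->param_begin() != FD->param_end())
      LastArg = *(FD->param_end()-1);
  } else if (ObjCMethodDecl *MD = getCurMethodDecl()) {
    isVariadic = MD->isVariadic();
    if (MD->param_begin() != MD->param_end())
      LastArg = *(MD->param_end()-1);
  }

  if (!isVariadic) {
    Diag(Fn->getLocStart(), diag::err_va_start_used_in_non_variadic_function);
    return true;
  }

  // Verify that the second argument to the builtin is the last named argument
  // of the current function or method.  Only a direct reference to that
  // parameter qualifies; anything else (including a callable with no named
  // parameters) earns the warning.
  bool SecondArgIsLastNamedArgument = false;
  const Expr *Arg = TheCall->getArg(1)->IgnoreParenCasts();

  if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Arg)) {
    if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(DR->getDecl())) {
      // FIXME: This isn't correct for methods (results in bogus warning).
      SecondArgIsLastNamedArgument = LastArg != 0 && PV == LastArg;
    }
  }

  if (!SecondArgIsLastNamedArgument)
    Diag(TheCall->getArg(1)->getLocStart(),
         diag::warn_second_parameter_of_va_start_not_last_named_argument);
  return false;
}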
1122 
1123 /// SemaBuiltinUnorderedCompare - Handle functions like __builtin_isgreater and
1124 /// friends.  This is declared to take (...), so we have to check everything.
bool Sema::SemaBuiltinUnorderedCompare(CallExpr *TheCall) {
  unsigned NumArgs = TheCall->getNumArgs();

  // Exactly two operands are required; the builtin is declared (...), so the
  // arity has to be checked by hand.
  if (NumArgs < 2)
    return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args)
      << 0 << 2 << NumArgs/*function call*/;
  if (NumArgs > 2) {
    SourceLocation ExtraLoc = TheCall->getArg(2)->getLocStart();
    SourceLocation LastLoc = (*(TheCall->arg_end()-1))->getLocEnd();
    return Diag(ExtraLoc, diag::err_typecheck_call_too_many_args)
      << 0 /*function call*/ << 2 << NumArgs
      << SourceRange(ExtraLoc, LastLoc);
  }

  ExprResult LHS = TheCall->getArg(0);
  ExprResult RHS = TheCall->getArg(1);

  // Apply the usual arithmetic conversions so both operands share a type.
  QualType CommonTy = UsualArithmeticConversions(LHS, RHS, false);
  if (LHS.isInvalid() || RHS.isInvalid())
    return true;

  // Push the converted operands back into the call.  This is type safe since
  // the unordered compare builtins are declared as "_Bool foo(...)".
  TheCall->setArg(0, LHS.get());
  TheCall->setArg(1, RHS.get());

  // Nothing more can be decided about dependent operands yet.
  if (LHS.get()->isTypeDependent() || RHS.get()->isTypeDependent())
    return false;

  // Only a real (non-complex) floating common type is valid here.
  if (CommonTy->isRealFloatingType())
    return false;

  return Diag(LHS.get()->getLocStart(),
              diag::err_typecheck_call_invalid_ordered_compare)
    << LHS.get()->getType() << RHS.get()->getType()
    << SourceRange(LHS.get()->getLocStart(), RHS.get()->getLocEnd());
}
1164 
/// SemaBuiltinFPClassification - Handle functions like
/// __builtin_isnan and friends.  This is declared to take (...), so we have
/// to check everything. We expect the last argument to be a floating point
/// value.
bool Sema::SemaBuiltinFPClassification(CallExpr *TheCall, unsigned NumArgs) {
  unsigned Actual = TheCall->getNumArgs();

  // The builtin is declared (...); enforce the caller-specified arity.
  if (Actual < NumArgs)
    return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args)
      << 0 << NumArgs << Actual/*function call*/;
  if (Actual > NumArgs) {
    SourceLocation FirstExtra = TheCall->getArg(NumArgs)->getLocStart();
    return Diag(FirstExtra, diag::err_typecheck_call_too_many_args)
      << 0 /*function call*/ << NumArgs << Actual
      << SourceRange(FirstExtra, (*(TheCall->arg_end()-1))->getLocEnd());
  }

  // The value being classified is always the last argument.
  Expr *Operand = TheCall->getArg(NumArgs-1);

  if (Operand->isTypeDependent())
    return false;

  // This operation requires a non-_Complex floating-point number.
  if (!Operand->getType()->isRealFloatingType())
    return Diag(Operand->getLocStart(),
                diag::err_typecheck_call_invalid_unary_fp)
      << Operand->getType() << Operand->getSourceRange();

  // Default argument promotion widens a float operand to double; strip that
  // implicit cast so the operand is classified at its own precision.
  ImplicitCastExpr *Promotion = dyn_cast<ImplicitCastExpr>(Operand);
  if (!Promotion)
    return false;

  Expr *Unpromoted = Promotion->getSubExpr();
  if (!Unpromoted->getType()->isSpecificBuiltinType(BuiltinType::Float))
    return false;

  assert(Promotion->getType()->isSpecificBuiltinType(BuiltinType::Double) &&
         "promotion from float to double is the only expected cast here");
  // Detach the operand from the cast before splicing it into the call so the
  // two nodes do not share a child.
  Promotion->setSubExpr(0);
  TheCall->setArg(NumArgs-1, Unpromoted);
  return false;
}
1205 
/// SemaBuiltinShuffleVector - Handle __builtin_shufflevector.
/// This is declared to take (...), so we have to check everything.
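ExprResult Sema::SemaBuiltinShuffleVector(CallExpr *TheCall) {
  // At least the two vector operands are required.
  if (TheCall->getNumArgs() < 2)
    return ExprError(Diag(TheCall->getLocEnd(),
                          diag::err_typecheck_call_too_few_args_at_least)
      << 0 /*function call*/ << 2 << TheCall->getNumArgs()
      << TheCall->getSourceRange());

  // Determine which of the following types of shufflevector we're checking:
  // 1) unary, vector mask: (lhs, mask)
  // 2) binary, vector mask: (lhs, rhs, mask)
  // 3) binary, scalar mask: (lhs, rhs, index, ..., index)
  // NOTE(review): form 2 does not appear to survive the constant-index loop
  // below, since a vector-typed mask is not an integer constant expression;
  // confirm whether it is actually supported.
  QualType resType = TheCall->getArg(0)->getType();
  unsigned numElements = 0;

  // Type checks are only possible once both vector operands are
  // non-dependent; otherwise numElements stays 0.
  // NOTE(review): a non-dependent constant index paired with dependent
  // operands is then rejected as too large because numElements is 0 --
  // confirm whether such calls can reach here.
  if (!TheCall->getArg(0)->isTypeDependent() &&
      !TheCall->getArg(1)->isTypeDependent()) {
    QualType LHSType = TheCall->getArg(0)->getType();
    QualType RHSType = TheCall->getArg(1)->getType();

    if (!LHSType->isVectorType() || !RHSType->isVectorType()) {
      Diag(TheCall->getLocStart(), diag::err_shufflevector_non_vector)
        << SourceRange(TheCall->getArg(0)->getLocStart(),
                       TheCall->getArg(1)->getLocEnd());
      return ExprError();
    }

    numElements = LHSType->getAs<VectorType>()->getNumElements();
    unsigned numResElements = TheCall->getNumArgs() - 2;

    if (TheCall->getNumArgs() == 2) {
      // Unary shuffle with a vector mask: the mask must be an integer vector
      // with the same element count as the operand.  A mismatch is a hard
      // error; do not go on to build a ShuffleVectorExpr around an
      // ill-formed mask (the other error paths here return ExprError too).
      if (!RHSType->hasIntegerRepresentation() ||
          RHSType->getAs<VectorType>()->getNumElements() != numElements) {
        Diag(TheCall->getLocStart(), diag::err_shufflevector_incompatible_vector)
          << SourceRange(TheCall->getArg(1)->getLocStart(),
                         TheCall->getArg(1)->getLocEnd());
        return ExprError();
      }
      numResElements = numElements;
    } else if (!Context.hasSameUnqualifiedType(LHSType, RHSType)) {
      // Binary shuffle: both operands must have the same vector type.
      Diag(TheCall->getLocStart(), diag::err_shufflevector_incompatible_vector)
        << SourceRange(TheCall->getArg(0)->getLocStart(),
                       TheCall->getArg(1)->getLocEnd());
      return ExprError();
    } else if (numElements != numResElements) {
      // The result has one element per index argument; synthesize a vector
      // type of that width when it differs from the operand width.
      QualType eltType = LHSType->getAs<VectorType>()->getElementType();
      resType = Context.getVectorType(eltType, numResElements,
                                      VectorType::GenericVector);
    }
  }

  // Each index must be an integer constant expression in [0, 2*numElements),
  // i.e. it selects an element of the concatenated lhs/rhs.
  for (unsigned i = 2; i < TheCall->getNumArgs(); i++) {
    if (TheCall->getArg(i)->isTypeDependent() ||
        TheCall->getArg(i)->isValueDependent())
      continue;

    llvm::APSInt Result(32);
    if (!TheCall->getArg(i)->isIntegerConstantExpr(Result, Context))
      return ExprError(Diag(TheCall->getLocStart(),
                  diag::err_shufflevector_nonconstant_argument)
                << TheCall->getArg(i)->getSourceRange());

    // Anything wider than 64 bits cannot be represented by getZExtValue().
    if (Result.getActiveBits() > 64 || Result.getZExtValue() >= numElements*2)
      return ExprError(Diag(TheCall->getLocStart(),
                  diag::err_shufflevector_argument_too_large)
               << TheCall->getArg(i)->getSourceRange());
  }

  // Move the arguments out of the CallExpr into the ShuffleVectorExpr so the
  // two nodes do not share children.
  SmallVector<Expr*, 32> exprs;

  for (unsigned i = 0, e = TheCall->getNumArgs(); i != e; i++) {
    exprs.push_back(TheCall->getArg(i));
    TheCall->setArg(i, 0);
  }

  return Owned(new (Context) ShuffleVectorExpr(Context, exprs.begin(),
                                            exprs.size(), resType,
                                            TheCall->getCallee()->getLocStart(),
                                            TheCall->getRParenLoc()));
}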
1289 
/// SemaBuiltinPrefetch - Handle __builtin_prefetch.
/// This is declared to take (const void*, ...) and can take two
/// optional constant int args.
bool Sema::SemaBuiltinPrefetch(CallExpr *TheCall) {
  unsigned NumArgs = TheCall->getNumArgs();

  // The prototype is (const void*, ...); at most two extra arguments.
  if (NumArgs > 3)
    return Diag(TheCall->getLocEnd(),
             diag::err_typecheck_call_too_many_args_at_most)
             << 0 /*function call*/ << 3 << NumArgs
             << TheCall->getSourceRange();

  // Argument 0 is checked against the prototype for us.  The optional second
  // argument must be a constant in 0..1 and the optional third a constant in
  // 0..3.
  for (unsigned ArgIdx = 1; ArgIdx < NumArgs; ++ArgIdx) {
    llvm::APSInt Value;
    if (SemaBuiltinConstantArg(TheCall, ArgIdx, Value))
      return true;

    // FIXME: gcc issues a warning and rewrites these to 0. These
    // seems especially odd for the third argument since the default
    // is 3.
    const unsigned Max = (ArgIdx == 1) ? 1 : 3;
    if (Value.getLimitedValue() > Max) {
      const char *MaxStr = (ArgIdx == 1) ? "1" : "3";
      return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range)
           << "0" << MaxStr << TheCall->getArg(ArgIdx)->getSourceRange();
    }
  }

  return false;
}
1327 
1328 /// SemaBuiltinConstantArg - Handle a check if argument ArgNum of CallExpr
1329 /// TheCall is a constant expression.
bool Sema::SemaBuiltinConstantArg(CallExpr *TheCall, int ArgNum,
                                  llvm::APSInt &Result) {
  Expr *Arg = TheCall->getArg(ArgNum);

  // Dependent arguments cannot be evaluated yet: leave Result untouched and
  // report success (presumably re-checked at instantiation).
  if (Arg->isTypeDependent() || Arg->isValueDependent())
    return false;

  if (Arg->isIntegerConstantExpr(Result, Context))
    return false;

  // Name the builtin in the diagnostic.  The callee of a builtin call is a
  // DeclRefExpr to its FunctionDecl, possibly wrapped in parens/casts.
  DeclRefExpr *Callee =
    cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts());
  FunctionDecl *Builtin = cast<FunctionDecl>(Callee->getDecl());
  return Diag(TheCall->getLocStart(), diag::err_constant_integer_arg_type)
              << Builtin->getDeclName() << Arg->getSourceRange();
}
1344 
/// SemaBuiltinObjectSize - Handle __builtin_object_size(void *ptr,
/// int type). This simply type checks that type is one of the defined
/// constants (0-3).
/// For compatibility check 0-3, llvm only handles 0 and 2.
bool Sema::SemaBuiltinObjectSize(CallExpr *TheCall) {
  llvm::APSInt TypeArg;

  // Check constant-ness first.
  if (SemaBuiltinConstantArg(TheCall, 1, TypeArg))
    return true;

  // Only the type codes 0..3 are accepted; negative values are rejected too.
  int64_t Code = TypeArg.getSExtValue();
  if (Code >= 0 && Code <= 3)
    return false;

  Expr *Arg = TheCall->getArg(1);
  return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range)
           << "0" << "3" << SourceRange(Arg->getLocStart(), Arg->getLocEnd());
}
1364 
1365 /// SemaBuiltinLongjmp - Handle __builtin_longjmp(void *env[5], int val).
1366 /// This checks that val is a constant 1.
bool Sema::SemaBuiltinLongjmp(CallExpr *TheCall) {
  llvm::APSInt Val;

  // TODO: This is less than ideal. Overload this to take a value.
  if (SemaBuiltinConstantArg(TheCall, 1, Val))
    return true;

  // Only the constant 1 is supported as the second argument.
  if (Val != 1) {
    Expr *ValArg = TheCall->getArg(1);
    Diag(TheCall->getLocStart(), diag::err_builtin_longjmp_invalid_val)
      << SourceRange(ValArg->getLocStart(), ValArg->getLocEnd());
    return true;
  }

  return false;
}
1381 
/// SemaCheckStringLiteral - Handle format strings of the form
/// i > 1 ? "x" : "y" by checking both arms, recursively.
bool Sema::SemaCheckStringLiteral(const Expr *E, Expr **Args,
                                  unsigned NumArgs, bool HasVAListArg,
                                  unsigned format_idx, unsigned firstDataArg,
                                  bool isPrintf, bool inFunctionCall) {
  // Locate the string literal(s) that E will evaluate to and run
  // CheckFormatString on each.  Returns true when E is a literal (or one of
  // the forms below that is treated as equally safe) and has been checked;
  // returns false when no literal can be established, in which case the
  // caller presumably warns about a non-literal format string.  Wrapper
  // nodes are peeled off one layer at a time and the switch re-entered via
  // tryAgain instead of recursing.
 tryAgain:
  if (E->isTypeDependent() || E->isValueDependent())
    return false;

  E = E->IgnoreParens();

  switch (E->getStmtClass()) {
  case Stmt::BinaryConditionalOperatorClass:
  case Stmt::ConditionalOperatorClass: {
    // Either arm may be selected at run time, so both must check out.  The
    // && short-circuits: the false arm is only examined if the true arm
    // passed.
    const AbstractConditionalOperator *C = cast<AbstractConditionalOperator>(E);
    return SemaCheckStringLiteral(C->getTrueExpr(), Args, NumArgs, HasVAListArg,
                                  format_idx, firstDataArg, isPrintf,
                                  inFunctionCall)
        && SemaCheckStringLiteral(C->getFalseExpr(), Args, NumArgs, HasVAListArg,
                                  format_idx, firstDataArg, isPrintf,
                                  inFunctionCall);
  }

  case Stmt::IntegerLiteralClass:
    // Technically -Wformat-nonliteral does not warn about this case.
    // The behavior of printf and friends in this case is implementation
    // dependent.  Ideally if the format string cannot be null then
    // it should have a 'nonnull' attribute in the function prototype.
    return true;

  case Stmt::ImplicitCastExprClass: {
    // Look through the implicit cast (e.g. array-to-pointer decay) and retry
    // on its operand.
    E = cast<ImplicitCastExpr>(E)->getSubExpr();
    goto tryAgain;
  }

  case Stmt::OpaqueValueExprClass:
    // Retry on the underlying expression when one is recorded; an opaque
    // value with no source expression cannot be proven to be a literal.
    if (const Expr *src = cast<OpaqueValueExpr>(E)->getSourceExpr()) {
      E = src;
      goto tryAgain;
    }
    return false;

  case Stmt::PredefinedExprClass:
    // While __func__, etc., are technically not string literals, they
    // cannot contain format specifiers and thus are not a security
    // liability.
    return true;

  case Stmt::DeclRefExprClass: {
    const DeclRefExpr *DR = cast<DeclRefExpr>(E);

    // As an exception, do not flag errors for variables binding to
    // const string literals.
    if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) {
      bool isConstant = false;
      QualType T = DR->getType();

      // "Constant" here means the referenced storage cannot be rewritten
      // after initialization: a const-element array, or a const pointer to
      // const data.  A non-const pointer could be re-pointed at attacker
      // controlled text, so it does not qualify.
      if (const ArrayType *AT = Context.getAsArrayType(T)) {
        isConstant = AT->getElementType().isConstant(Context);
      } else if (const PointerType *PT = T->getAs<PointerType>()) {
        isConstant = T.isConstant(Context) &&
                     PT->getPointeeType().isConstant(Context);
      } else if (T->isObjCObjectPointerType()) {
        // In ObjC, there is usually no "const ObjectPointer" type,
        // so don't check if the pointee type is constant.
        isConstant = T.isConstant(Context);
      }

      // A constant variable is only as safe as its initializer, so check
      // that instead.  inFunctionCall is cleared because the literal being
      // examined no longer sits in the call's argument list.
      if (isConstant) {
        if (const Expr *Init = VD->getAnyInitializer())
          return SemaCheckStringLiteral(Init, Args, NumArgs,
                                        HasVAListArg, format_idx, firstDataArg,
                                        isPrintf, /*inFunctionCall*/false);
      }

      // For vprintf* functions (i.e., HasVAListArg==true), we add a
      // special check to see if the format string is a function parameter
      // of the function calling the printf function.  If the function
      // has an attribute indicating it is a printf-like function, then we
      // should suppress warnings concerning non-literals being used in a call
      // to a vprintf function.  For example:
      //
      // void
      // logmessage(char const *fmt __attribute__ (format (printf, 1, 2)), ...){
      //      va_list ap;
      //      va_start(ap, fmt);
      //      vprintf(fmt, ap);  // Do NOT emit a warning about "fmt".
      //      ...
      //
      //
      //  FIXME: We don't have full attribute support yet, so just check to see
      //    if the argument is a DeclRefExpr that references a parameter.  We'll
      //    add proper support for checking the attribute later.
      if (HasVAListArg)
        if (isa<ParmVarDecl>(VD))
          return true;
    }

    return false;
  }

  case Stmt::CallExprClass: {
    // A callee carrying format_arg(N) promises that its result is a format
    // string derived from its N-th argument (1-based), so check that
    // argument in place of the call.
    // NOTE(review): getArg(ArgIndex - 1) relies on the attribute index
    // having been validated against this callee's arity; for C++ member
    // calls the implicit 'this' may shift the numbering -- confirm.
    const CallExpr *CE = cast<CallExpr>(E);
    if (const ImplicitCastExpr *ICE
          = dyn_cast<ImplicitCastExpr>(CE->getCallee())) {
      if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(ICE->getSubExpr())) {
        if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(DRE->getDecl())) {
          if (const FormatArgAttr *FA = FD->getAttr<FormatArgAttr>()) {
            unsigned ArgIndex = FA->getFormatIdx();
            const Expr *Arg = CE->getArg(ArgIndex - 1);

            return SemaCheckStringLiteral(Arg, Args, NumArgs, HasVAListArg,
                                          format_idx, firstDataArg, isPrintf,
                                          inFunctionCall);
          }
        }
      }
    }

    return false;
  }
  case Stmt::ObjCStringLiteralClass:
  case Stmt::StringLiteralClass: {
    // The actual literal: an ObjC @"..." wraps an ordinary StringLiteral.
    const StringLiteral *StrE = NULL;

    if (const ObjCStringLiteral *ObjCFExpr = dyn_cast<ObjCStringLiteral>(E))
      StrE = ObjCFExpr->getString();
    else
      StrE = cast<StringLiteral>(E);

    // Validate the format directives against the supplied arguments; the
    // literal itself is what makes the call checkable, so report success.
    if (StrE) {
      CheckFormatString(StrE, E, Args, NumArgs, HasVAListArg, format_idx,
                        firstDataArg, isPrintf, inFunctionCall);
      return true;
    }

    return false;
  }

  default:
    // Any other expression kind cannot be shown to be a literal.
    return false;
  }
}
1525 
/// CheckNonNullArguments - Warn for every argument named by a 'nonnull'
/// attribute that is passed as a null pointer constant.
///
/// \param NonNull the attribute whose argument indices are checked; each
///   index is used directly to subscript \p ExprArgs.
/// \param ExprArgs the argument expressions of the call being checked.
/// \param CallSiteLoc the location every warning is reported at.
void
Sema::CheckNonNullArguments(const NonNullAttr *NonNull,
                            const Expr * const *ExprArgs,
                            SourceLocation CallSiteLoc) {
  NonNullAttr::args_iterator Idx = NonNull->args_begin();
  const NonNullAttr::args_iterator End = NonNull->args_end();
  for (; Idx != End; ++Idx) {
    const Expr *Candidate = ExprArgs[*Idx];
    // NPC_ValueDependentIsNotNull: a value-dependent argument is not
    // reported here.
    const bool IsNull =
      Candidate->isNullPointerConstant(Context,
                                       Expr::NPC_ValueDependentIsNotNull);
    if (!IsNull)
      continue;
    Diag(CallSiteLoc, diag::warn_null_arg) << Candidate->getSourceRange();
  }
}
1539 
/// CheckFormatArguments - Check a call to a function carrying a format
/// attribute (printf, scanf and similar) for correct use of its format string.
///
/// GCC numbers format-attribute indices counting the implicit 'this' of a
/// member function, but 'this' does not appear in our own argument list.
/// \p IsCXXMember tells the overload called below to compensate for that.
void Sema::CheckFormatArguments(const FormatAttr *Format, CallExpr *TheCall) {
  bool IsCXXMember = false;
  if (const CXXMemberCallExpr *MemberCall =
        dyn_cast<CXXMemberCallExpr>(TheCall)) {
    // Only an instance method has an implicit 'this' to account for.
    // NOTE(review): getCalleeDecl() is assumed non-null here, as in the
    // original code; dyn_cast would assert on a null pointer.
    const CXXMethodDecl *Method =
      dyn_cast<CXXMethodDecl>(MemberCall->getCalleeDecl());
    IsCXXMember = Method && Method->isInstance();
  }
  CheckFormatArguments(Format, TheCall->getArgs(), TheCall->getNumArgs(),
                       IsCXXMember, TheCall->getRParenLoc(),
                       TheCall->getCallee()->getSourceRange());
}
1556 
/// CheckFormatArguments - Check an argument list against a format attribute.
///
/// scanf-style attributes are always checked; printf-style attributes only
/// when CheckablePrintfAttr accepts them.  Attribute indices are 1-based and
/// are converted to 0-based indices into \p Args.  A first-argument index of
/// 0 means there are no variadic data arguments to check (HasVAListArg).
///
/// \param Loc location used when the format argument itself is missing.
/// \param Range source range of the callee, highlighted in that case.
void Sema::CheckFormatArguments(const FormatAttr *Format, Expr **Args,
                                unsigned NumArgs, bool IsCXXMember,
                                SourceLocation Loc, SourceRange Range) {
  const bool IsScanf = Format->getType() == "scanf";
  if (!IsScanf && !CheckablePrintfAttr(Format, Args, NumArgs, IsCXXMember))
    return;

  const bool HasVAListArg = Format->getFirstArg() == 0;
  unsigned FormatIdx = Format->getFormatIdx() - 1;
  unsigned FirstDataArg = HasVAListArg ? 0 : Format->getFirstArg() - 1;

  if (IsCXXMember) {
    // GCC counts the implicit 'this' argument, which is absent from Args.
    // A format index that already is 0 would name 'this' itself: nothing
    // to check.
    if (FormatIdx == 0)
      return;
    --FormatIdx;
    if (FirstDataArg != 0)
      --FirstDataArg;
  }

  CheckPrintfScanfArguments(Args, NumArgs, HasVAListArg, FormatIdx,
                            FirstDataArg, !IsScanf, Loc, Range);
}
1576 
/// CheckPrintfScanfArguments - Locate the format string of a printf/scanf
/// style call and check it, warning when no literal can be found.
///
/// \param format_idx 0-based index of the format argument in \p Args.
/// \param firstDataArg 0-based index of the first data argument.
/// \param isPrintf true for printf-style, false for scanf-style checking.
void Sema::CheckPrintfScanfArguments(Expr **Args, unsigned NumArgs,
                                     bool HasVAListArg, unsigned format_idx,
                                     unsigned firstDataArg, bool isPrintf,
                                     SourceLocation Loc, SourceRange Range) {
  // CHECK: the call actually has a format argument.
  if (format_idx >= NumArgs) {
    Diag(Loc, diag::warn_missing_format_string) << Range;
    return;
  }

  const Expr *FormatArg = Args[format_idx];
  const Expr *OrigFormatExpr = FormatArg->IgnoreParenCasts();

  // CHECK: the format string is a string literal.
  //
  // Dynamically built format strings cannot be vetted at compile time.
  // Requiring a literal (1) lets the compiler check the format string and
  // thereby (2) removes, in practice, the source of many format string
  // exploits.
  //
  // The literal may be an ObjC string (@"%d") or a C string ("%d"); both use
  // the same specifiers, so one checking path serves both.
  const bool FoundLiteral =
    SemaCheckStringLiteral(OrigFormatExpr, Args, NumArgs, HasVAListArg,
                           format_idx, firstDataArg, isPrintf);
  if (FoundLiteral)
    return;

  // No literal found.  Without any data arguments this is the
  // -Wformat-security case; with data arguments it is only reported under
  // -Wformat-nonliteral.
  const bool NoDataArgs = (NumArgs == format_idx + 1);
  const unsigned DiagID = NoDataArgs ? diag::warn_format_nonliteral_noargs
                                     : diag::warn_format_nonliteral;
  Diag(FormatArg->getLocStart(), DiagID) << OrigFormatExpr->getSourceRange();
}
1616 
namespace {
/// CheckFormatHandler - Shared state and diagnostics for checking one
/// printf- or scanf-style format string literal against a call's arguments.
/// Concrete handlers (printf, scanf) derive from it.
class CheckFormatHandler : public analyze_format_string::FormatStringHandler {
protected:
  Sema &S;                          // Used for diagnostics and ASTContext.
  const StringLiteral *FExpr;       // The literal whose bytes are checked.
  const Expr *OrigFormatExpr;       // The format argument as written.
  const unsigned FirstDataArg;      // Index in Args of the first data arg.
  const unsigned NumDataArgs;       // Number of data args after the format.
  const bool IsObjCLiteral;         // Format string is an @"..." literal.
  const char *Beg; // Start of format string.
  const bool HasVAListArg;          // No data args to check (va_list call).
  const Expr * const *Args;         // All arguments of the call.
  const unsigned NumArgs;
  unsigned FormatIdx;               // Index in Args of the format argument.
  llvm::BitVector CoveredArgs;      // One bit per data arg, set when used.
  bool usesPositionalArgs;          // Style fixed by the first data-consuming
  bool atFirstArg;                  //   specifier; see HandlePrintfSpecifier.
  bool inFunctionCall;              // Literal sits directly in the call.
public:
  CheckFormatHandler(Sema &s, const StringLiteral *fexpr,
                     const Expr *origFormatExpr, unsigned firstDataArg,
                     unsigned numDataArgs, bool isObjCLiteral,
                     const char *beg, bool hasVAListArg,
                     Expr **args, unsigned numArgs,
                     unsigned formatIdx, bool inFunctionCall)
    : S(s), FExpr(fexpr), OrigFormatExpr(origFormatExpr),
      FirstDataArg(firstDataArg),
      NumDataArgs(numDataArgs),
      IsObjCLiteral(isObjCLiteral), Beg(beg),
      HasVAListArg(hasVAListArg),
      Args(args), NumArgs(numArgs), FormatIdx(formatIdx),
      usesPositionalArgs(false), atFirstArg(true),
      inFunctionCall(inFunctionCall) {
        // Start with no data argument covered.
        CoveredArgs.resize(numDataArgs);
        CoveredArgs.reset();
      }

  /// Called once the whole format string has been scanned; reports data
  /// arguments no conversion referred to.
  void DoneProcessing();

  void HandleIncompleteSpecifier(const char *startSpecifier,
                                 unsigned specifierLen);

  virtual void HandleInvalidPosition(const char *startSpecifier,
                                     unsigned specifierLen,
                                     analyze_format_string::PositionContext p);

  virtual void HandleZeroPosition(const char *startPos, unsigned posLen);

  void HandleNullChar(const char *nullCharacter);

  /// Emit a format diagnostic, adding a note pointing at the string literal
  /// when it is not located inside the call itself.  Range is either a
  /// SourceRange or a CharSourceRange.
  template <typename Range>
  static void EmitFormatDiagnostic(Sema &S, bool inFunctionCall,
                                   const Expr *ArgumentExpr,
                                   PartialDiagnostic PDiag,
                                   SourceLocation StringLoc,
                                   bool IsStringLocation, Range StringRange,
                                   FixItHint Fixit = FixItHint());

protected:
  /// Returns false when scanning should stop (argIndex past the data args).
  bool HandleInvalidConversionSpecifier(unsigned argIndex, SourceLocation Loc,
                                        const char *startSpec,
                                        unsigned specifierLen,
                                        const char *csStart, unsigned csLen);

  void HandlePositionalNonpositionalArgs(SourceLocation Loc,
                                         const char *startSpec,
                                         unsigned specifierLen);

  SourceRange getFormatStringRange();
  /// Half-open source range of specifierLen bytes starting at startSpecifier.
  CharSourceRange getSpecifierRange(const char *startSpecifier,
                                    unsigned specifierLen);
  /// Location of the byte at x, an offset of Beg, within FExpr.
  SourceLocation getLocationOfByte(const char *x);

  /// Data argument i (relative to FirstDataArg); no bounds check.
  const Expr *getDataArg(unsigned i) const;

  /// Returns false (after diagnosing) when argIndex is past the data args.
  bool CheckNumArgs(const analyze_format_string::FormatSpecifier &FS,
                    const analyze_format_string::ConversionSpecifier &CS,
                    const char *startSpecifier, unsigned specifierLen,
                    unsigned argIndex);

  /// Member convenience wrapper over the static EmitFormatDiagnostic,
  /// supplying S, inFunctionCall and the format argument.
  template <typename Range>
  void EmitFormatDiagnostic(PartialDiagnostic PDiag, SourceLocation StringLoc,
                            bool IsStringLocation, Range StringRange,
                            FixItHint Fixit = FixItHint());

  void CheckPositionalAndNonpositionalArgs(
      const analyze_format_string::FormatSpecifier *FS);
};
}
1706 
/// Source range of the whole expression passed as the format string.
SourceRange CheckFormatHandler::getFormatStringRange() {
  const Expr *formatExpr = OrigFormatExpr;
  return formatExpr->getSourceRange();
}
1710 
/// Map the bytes [startSpecifier, startSpecifier + specifierLen) of the
/// format literal onto a half-open character source range.
/// Assumes specifierLen >= 1: the end is derived from the specifier's last
/// byte.
CharSourceRange CheckFormatHandler::
getSpecifierRange(const char *startSpecifier, unsigned specifierLen) {
  const char *lastByte = startSpecifier + specifierLen - 1;
  const SourceLocation begin = getLocationOfByte(startSpecifier);
  // Half-open range: step one past the location of the last byte.
  const SourceLocation end = getLocationOfByte(lastByte).getLocWithOffset(1);
  return CharSourceRange::getCharRange(begin, end);
}
1721 
/// Location, inside the string literal, of the byte that x points at.
/// x must point into the buffer that starts at Beg.
SourceLocation CheckFormatHandler::getLocationOfByte(const char *x) {
  const unsigned byteOffset = x - Beg;
  return S.getLocationOfStringLiteralByte(FExpr, byteOffset);
}
1725 
/// Report a '%' sequence that ends before a complete specifier was parsed.
void CheckFormatHandler::HandleIncompleteSpecifier(const char *startSpecifier,
                                                   unsigned specifierLen){
  const SourceLocation specLoc = getLocationOfByte(startSpecifier);
  const CharSourceRange specRange =
    getSpecifierRange(startSpecifier, specifierLen);
  EmitFormatDiagnostic(S.PDiag(diag::warn_printf_incomplete_specifier),
                       specLoc, /*IsStringLocation*/true, specRange);
}
1733 
/// Report a malformed positional argument specifier ('%N$'); p tells the
/// diagnostic which part of the specifier the position appeared in.
void
CheckFormatHandler::HandleInvalidPosition(const char *startPos, unsigned posLen,
                                     analyze_format_string::PositionContext p) {
  PartialDiagnostic diagnostic =
    S.PDiag(diag::warn_format_invalid_positional_specifier);
  diagnostic << static_cast<unsigned>(p);
  EmitFormatDiagnostic(diagnostic, getLocationOfByte(startPos),
                       /*IsStringLocation*/true,
                       getSpecifierRange(startPos, posLen));
}
1742 
/// Report a positional specifier using position 0, which is not valid.
void CheckFormatHandler::HandleZeroPosition(const char *startPos,
                                            unsigned posLen) {
  const SourceLocation posLoc = getLocationOfByte(startPos);
  const CharSourceRange posRange = getSpecifierRange(startPos, posLen);
  EmitFormatDiagnostic(S.PDiag(diag::warn_format_zero_positional_specifier),
                       posLoc, /*IsStringLocation*/true, posRange);
}
1750 
/// Report an embedded null character in a C format literal.  Not reported
/// for ObjC literals.
void CheckFormatHandler::HandleNullChar(const char *nullCharacter) {
  if (IsObjCLiteral)
    return;

  // A null byte inside the format string is most likely a mistake: C-style
  // consumers stop reading at it.
  EmitFormatDiagnostic(
    S.PDiag(diag::warn_printf_format_string_contains_null_char),
    getLocationOfByte(nullCharacter), /*IsStringLocation*/true,
    getFormatStringRange());
}
1760 
/// Return data argument i, counted from FirstDataArg.  No bounds check is
/// done here; callers are expected to compare i against NumDataArgs first.
const Expr *CheckFormatHandler::getDataArg(unsigned i) const {
  const unsigned absoluteIndex = FirstDataArg + i;
  return Args[absoluteIndex];
}
1764 
/// After the whole format string was scanned, warn about the first data
/// argument that no conversion referred to.
void CheckFormatHandler::DoneProcessing() {
  // With a va_list there is no argument list to compare against.
  if (HasVAListArg)
    return;

  // Invert the coverage bits so the first set bit is the first unused
  // data argument.
  CoveredArgs.flip();
  const int firstUnused = CoveredArgs.find_first();
  if (firstUnused < 0)
    return;

  assert((unsigned)firstUnused < NumDataArgs);
  const Expr *unusedArg = getDataArg((unsigned) firstUnused);
  EmitFormatDiagnostic(S.PDiag(diag::warn_printf_data_arg_not_used),
                       unusedArg->getLocStart(),
                       /*IsStringLocation*/false, getFormatStringRange());
}
1780 
/// Report a conversion specifier that is not valid for this format family.
///
/// \returns true to keep scanning the format string, false to stop.
bool
CheckFormatHandler::HandleInvalidConversionSpecifier(unsigned argIndex,
                                                     SourceLocation Loc,
                                                     const char *startSpec,
                                                     unsigned specifierLen,
                                                     const char *csStart,
                                                     unsigned csLen) {
  // An in-range argument is treated as covered even though the specifier
  // makes no sense, so it is not additionally reported as unused.
  const bool argInRange = argIndex < NumDataArgs;
  if (argInRange)
    CoveredArgs.set(argIndex);

  EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_conversion)
                         << StringRef(csStart, csLen),
                       Loc, /*IsStringLocation*/true,
                       getSpecifierRange(startSpec, specifierLen));

  // Past the end of the data arguments, no extra warning is issued for the
  // argument itself (that would just cascade, and '%%' may have been
  // intended), but scanning stops: matching further specifiers against
  // arguments would only produce gibberish.
  return argInRange;
}
1811 
/// Report a format string that mixes positional ('%1$d') and sequential
/// ('%d') argument references.
void
CheckFormatHandler::HandlePositionalNonpositionalArgs(SourceLocation Loc,
                                                      const char *startSpec,
                                                      unsigned specifierLen) {
  const CharSourceRange specRange = getSpecifierRange(startSpec, specifierLen);
  EmitFormatDiagnostic(
    S.PDiag(diag::warn_format_mix_positional_nonpositional_args),
    Loc, /*isStringLoc*/true, specRange);
}
1820 
/// Verify that argIndex names an existing data argument.
///
/// \returns true if it does; false after diagnosing that it does not.
bool
CheckFormatHandler::CheckNumArgs(
  const analyze_format_string::FormatSpecifier &FS,
  const analyze_format_string::ConversionSpecifier &CS,
  const char *startSpecifier, unsigned specifierLen, unsigned argIndex) {

  if (argIndex < NumDataArgs)
    return true;

  // A positional specifier can name the offending argument number; a
  // sequential one simply ran out of data arguments.
  if (FS.usesPositionalArg()) {
    EmitFormatDiagnostic(
      S.PDiag(diag::warn_printf_positional_arg_exceeds_data_args)
        << (argIndex+1) << NumDataArgs,
      getLocationOfByte(CS.getStart()), /*IsStringLocation*/true,
      getSpecifierRange(startSpecifier, specifierLen));
  } else {
    EmitFormatDiagnostic(
      S.PDiag(diag::warn_printf_insufficient_data_args),
      getLocationOfByte(CS.getStart()), /*IsStringLocation*/true,
      getSpecifierRange(startSpecifier, specifierLen));
  }
  return false;
}
1839 
/// Member wrapper over the static EmitFormatDiagnostic: supplies the Sema,
/// the inFunctionCall flag and the format argument expression from this
/// handler's state.
template<typename Range>
void CheckFormatHandler::EmitFormatDiagnostic(PartialDiagnostic PDiag,
                                              SourceLocation Loc,
                                              bool IsStringLocation,
                                              Range StringRange,
                                              FixItHint FixIt) {
  const Expr *formatArgument = Args[FormatIdx];
  EmitFormatDiagnostic(S, inFunctionCall, formatArgument, PDiag, Loc,
                       IsStringLocation, StringRange, FixIt);
}
1849 
/// \brief Emit a format diagnostic; if the format string is not within the
/// function call, also emit a note so that both the call and the string
/// appear in the diagnostic output.
///
/// \param InFunctionCall if true, the format string is within the function
/// call and only one diagnostic is produced.  Otherwise an extra note is
/// emitted pointing at the location of the format string.
///
/// \param ArgumentExpr the expression passed as the format string argument
/// in the function call.  Supplies locations when two diagnostics are
/// emitted.
///
/// \param PDiag the caller should already have streamed any strings into the
/// diagnostic; this function only adds locations and fix-its.
///
/// \param Loc primary location for the diagnostic.  If two diagnostics are
/// required, one is placed at Loc and the other at a location derived from
/// ArgumentExpr or StringRange.
///
/// \param IsStringLocation if true, Loc points into the format string and is
/// used for the note.  Otherwise Loc points into the argument list and is
/// used with PDiag.
///
/// \param StringRange some or all of the string to highlight.  Templated so
/// that either a CharSourceRange or a SourceRange can be passed.
///
/// \param FixIt optional fix-it hint for the format string.
template<typename Range>
void CheckFormatHandler::EmitFormatDiagnostic(Sema &S, bool InFunctionCall,
                                              const Expr *ArgumentExpr,
                                              PartialDiagnostic PDiag,
                                              SourceLocation Loc,
                                              bool IsStringLocation,
                                              Range StringRange,
                                              FixItHint FixIt) {
  // Common case: the literal sits in the call itself; one diagnostic does.
  if (InFunctionCall) {
    S.Diag(Loc, PDiag) << StringRange << FixIt;
    return;
  }

  // The literal was found elsewhere: warn at the call argument and attach a
  // note at the place the string is defined.
  const SourceLocation warnLoc =
    IsStringLocation ? ArgumentExpr->getExprLoc() : Loc;
  const SourceLocation noteLoc =
    IsStringLocation ? Loc : StringRange.getBegin();
  S.Diag(warnLoc, PDiag) << ArgumentExpr->getSourceRange();
  S.Diag(noteLoc, diag::note_format_string_defined) << StringRange << FixIt;
}
1895 
1896 //===--- CHECK: Printf format string checking ------------------------------===//
1897 
namespace {
/// CheckPrintfHandler - Checks printf-style format strings: each parsed
/// specifier is validated for sensible flags, width, precision and length
/// modifier, and its data argument is type checked.
class CheckPrintfHandler : public CheckFormatHandler {
public:
  CheckPrintfHandler(Sema &s, const StringLiteral *fexpr,
                     const Expr *origFormatExpr, unsigned firstDataArg,
                     unsigned numDataArgs, bool isObjCLiteral,
                     const char *beg, bool hasVAListArg,
                     Expr **Args, unsigned NumArgs,
                     unsigned formatIdx, bool inFunctionCall)
  : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg,
                       numDataArgs, isObjCLiteral, beg, hasVAListArg,
                       Args, NumArgs, formatIdx, inFunctionCall) {}


  /// Diagnose a conversion the printf checker does not accept; returns
  /// whether scanning should continue.
  bool HandleInvalidPrintfConversionSpecifier(
                                      const analyze_printf::PrintfSpecifier &FS,
                                      const char *startSpecifier,
                                      unsigned specifierLen);

  /// Check one complete specifier; returns false to stop scanning.
  bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS,
                             const char *startSpecifier,
                             unsigned specifierLen);

  /// Check a '*' field width (k == 0) or precision (k == 1) against its
  /// data argument; returns false to stop scanning.
  bool HandleAmount(const analyze_format_string::OptionalAmount &Amt, unsigned k,
                    const char *startSpecifier, unsigned specifierLen);
  /// Warn about a width/precision the conversion cannot use.
  void HandleInvalidAmount(const analyze_printf::PrintfSpecifier &FS,
                           const analyze_printf::OptionalAmount &Amt,
                           unsigned type,
                           const char *startSpecifier, unsigned specifierLen);
  /// Warn about a flag that has no meaning for the conversion.
  void HandleFlag(const analyze_printf::PrintfSpecifier &FS,
                  const analyze_printf::OptionalFlag &flag,
                  const char *startSpecifier, unsigned specifierLen);
  /// Warn about ignoredFlag being overridden by flag.
  void HandleIgnoredFlag(const analyze_printf::PrintfSpecifier &FS,
                         const analyze_printf::OptionalFlag &ignoredFlag,
                         const analyze_printf::OptionalFlag &flag,
                         const char *startSpecifier, unsigned specifierLen);
};
}
1936 
/// Forward an invalid printf conversion to the shared handler, locating the
/// conversion character inside the specifier.
bool CheckPrintfHandler::HandleInvalidPrintfConversionSpecifier(
                                      const analyze_printf::PrintfSpecifier &FS,
                                      const char *startSpecifier,
                                      unsigned specifierLen) {
  using analyze_printf::PrintfConversionSpecifier;
  const PrintfConversionSpecifier &conv = FS.getConversionSpecifier();
  const char *convStart = conv.getStart();

  return HandleInvalidConversionSpecifier(FS.getArgIndex(),
                                          getLocationOfByte(convStart),
                                          startSpecifier, specifierLen,
                                          convStart, conv.getLength());
}
1949 
/// Check a field width or precision.  Only a '*' amount consumes a data
/// argument; that argument must exist and be of the expected type.
///
/// \param k 0 for the field width, 1 for the precision (selects wording).
/// \returns false when scanning should stop because further checks would
///   only emit spurious errors.
bool CheckPrintfHandler::HandleAmount(
                               const analyze_format_string::OptionalAmount &Amt,
                               unsigned k, const char *startSpecifier,
                               unsigned specifierLen) {

  // Nothing to check for a literal amount, or when there is no argument
  // list to check against (va_list).
  if (!Amt.hasDataArgument() || HasVAListArg)
    return true;

  const unsigned argIndex = Amt.getArgIndex();
  if (argIndex >= NumDataArgs) {
    EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_missing_arg) << k,
                         getLocationOfByte(Amt.getStart()),
                         /*IsStringLocation*/true,
                         getSpecifierRange(startSpecifier, specifierLen));
    return false;
  }

  // Type check the data argument.  It should be an 'int'.  Although not in
  // conformance with C99, 'unsigned int' is also accepted as a reasonably
  // safe case; GCC does not warn for it either.
  CoveredArgs.set(argIndex);
  const Expr *amountArg = getDataArg(argIndex);
  const QualType argTy = amountArg->getType();

  const analyze_printf::ArgTypeResult &expected = Amt.getArgType(S.Context);
  assert(expected.isValid());

  if (expected.matchesType(S.Context, argTy))
    return true;

  EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_wrong_type)
                         << k << expected.getRepresentativeTypeName(S.Context)
                         << argTy << amountArg->getSourceRange(),
                       getLocationOfByte(Amt.getStart()),
                       /*IsStringLocation*/true,
                       getSpecifierRange(startSpecifier, specifierLen));
  return false;
}
1995 
/// Warn that the conversion cannot use the given field width or precision.
/// A constant amount gets a removal fix-it; other forms get none.
///
/// \param type 0 for the field width, 1 for the precision (selects wording).
void CheckPrintfHandler::HandleInvalidAmount(
                                      const analyze_printf::PrintfSpecifier &FS,
                                      const analyze_printf::OptionalAmount &Amt,
                                      unsigned type,
                                      const char *startSpecifier,
                                      unsigned specifierLen) {
  using analyze_printf::OptionalAmount;
  const analyze_printf::PrintfConversionSpecifier &conv =
    FS.getConversionSpecifier();

  FixItHint removeAmount;
  if (Amt.getHowSpecified() == OptionalAmount::Constant)
    removeAmount = FixItHint::CreateRemoval(
      getSpecifierRange(Amt.getStart(), Amt.getConstantLength()));

  EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_optional_amount)
                         << type << conv.toString(),
                       getLocationOfByte(Amt.getStart()),
                       /*IsStringLocation*/true,
                       getSpecifierRange(startSpecifier, specifierLen),
                       removeAmount);
}
2018 
/// Warn about a flag that has no effect on this conversion, offering a
/// fix-it that removes the single flag character.
void CheckPrintfHandler::HandleFlag(const analyze_printf::PrintfSpecifier &FS,
                                    const analyze_printf::OptionalFlag &flag,
                                    const char *startSpecifier,
                                    unsigned specifierLen) {
  const analyze_printf::PrintfConversionSpecifier &conv =
    FS.getConversionSpecifier();
  const char *flagPos = flag.getPosition();
  const FixItHint removeFlag =
    FixItHint::CreateRemoval(getSpecifierRange(flagPos, 1));

  EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_flag)
                         << flag.toString() << conv.toString(),
                       getLocationOfByte(flagPos),
                       /*IsStringLocation*/true,
                       getSpecifierRange(startSpecifier, specifierLen),
                       removeFlag);
}
2034 
/// Warn that ignoredFlag is overridden by flag, offering a fix-it that
/// removes the ignored flag character.
void CheckPrintfHandler::HandleIgnoredFlag(
                                const analyze_printf::PrintfSpecifier &FS,
                                const analyze_printf::OptionalFlag &ignoredFlag,
                                const analyze_printf::OptionalFlag &flag,
                                const char *startSpecifier,
                                unsigned specifierLen) {
  const char *ignoredPos = ignoredFlag.getPosition();
  const FixItHint removeIgnored =
    FixItHint::CreateRemoval(getSpecifierRange(ignoredPos, 1));

  EmitFormatDiagnostic(S.PDiag(diag::warn_printf_ignored_flag)
                         << ignoredFlag.toString() << flag.toString(),
                       getLocationOfByte(ignoredPos),
                       /*IsStringLocation*/true,
                       getSpecifierRange(startSpecifier, specifierLen),
                       removeIgnored);
}
2050 
/// HandlePrintfSpecifier - Validate one parsed printf conversion
/// specification: argument-reference style, '*' amounts, flags, length
/// modifier, '%n', and finally the type of the matching data argument.
///
/// \returns false to stop scanning the format string when continuing would
///   only produce cascading diagnostics; true otherwise.
bool
CheckPrintfHandler::HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier
                                            &FS,
                                          const char *startSpecifier,
                                          unsigned specifierLen) {

  using namespace analyze_format_string;
  using namespace analyze_printf;
  const PrintfConversionSpecifier &CS = FS.getConversionSpecifier();

  // Positional ('%1$d') and sequential ('%d') argument references may not
  // be mixed; the first argument-consuming specifier fixes the style.
  if (FS.consumesDataArgument()) {
    if (atFirstArg) {
      atFirstArg = false;
      usesPositionalArgs = FS.usesPositionalArg();
    } else if (usesPositionalArgs != FS.usesPositionalArg()) {
      HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()),
                                        startSpecifier, specifierLen);
      return false;
    }
  }

  // A '*' field width or precision consumes a data argument of its own;
  // check those before the conversion's own argument.
  const bool widthOk = HandleAmount(FS.getFieldWidth(), /* field width */ 0,
                                    startSpecifier, specifierLen);
  if (!widthOk)
    return false;

  const bool precisionOk = HandleAmount(FS.getPrecision(), /* precision */ 1,
                                        startSpecifier, specifierLen);
  if (!precisionOk)
    return false;

  // FIXME: a field width or precision on a conversion that takes no
  // argument makes no sense; worth a warning at some point.
  if (!CS.consumesDataArgument())
    return true;

  // Mark the argument covered up front so that an early exit below does not
  // also produce an "argument not used" warning.  Whether argIndex is in
  // range is verified by CheckNumArgs later.
  const unsigned argIndex = FS.getArgIndex();
  if (argIndex < NumDataArgs)
    CoveredArgs.set(argIndex);

  // Objective-C specific conversions are only valid in ObjC literals.
  if (CS.isObjCArg() && !IsObjCLiteral)
    return HandleInvalidPrintfConversionSpecifier(FS, startSpecifier,
                                                  specifierLen);

  // Width or precision that this conversion cannot use.
  if (!FS.hasValidFieldWidth())
    HandleInvalidAmount(FS, FS.getFieldWidth(), /* field width */ 0,
                        startSpecifier, specifierLen);
  if (!FS.hasValidPrecision())
    HandleInvalidAmount(FS, FS.getPrecision(), /* precision */ 1,
                        startSpecifier, specifierLen);

  // Flags that have no meaning for this conversion.
  if (!FS.hasValidThousandsGroupingPrefix())
    HandleFlag(FS, FS.hasThousandsGrouping(), startSpecifier, specifierLen);
  if (!FS.hasValidLeadingZeros())
    HandleFlag(FS, FS.hasLeadingZeros(), startSpecifier, specifierLen);
  if (!FS.hasValidPlusPrefix())
    HandleFlag(FS, FS.hasPlusPrefix(), startSpecifier, specifierLen);
  if (!FS.hasValidSpacePrefix())
    HandleFlag(FS, FS.hasSpacePrefix(), startSpecifier, specifierLen);
  if (!FS.hasValidAlternativeForm())
    HandleFlag(FS, FS.hasAlternativeForm(), startSpecifier, specifierLen);
  if (!FS.hasValidLeftJustified())
    HandleFlag(FS, FS.isLeftJustified(), startSpecifier, specifierLen);

  // Flags overridden by another flag.
  if (FS.hasSpacePrefix() && FS.hasPlusPrefix()) // ' ' ignored by '+'
    HandleIgnoredFlag(FS, FS.hasSpacePrefix(), FS.hasPlusPrefix(),
                      startSpecifier, specifierLen);
  if (FS.hasLeadingZeros() && FS.isLeftJustified()) // '0' ignored by '-'
    HandleIgnoredFlag(FS, FS.hasLeadingZeros(), FS.isLeftJustified(),
                      startSpecifier, specifierLen);

  // The length modifier must make sense for the conversion; offer to drop it.
  const LengthModifier &LM = FS.getLengthModifier();
  if (!FS.hasValidLengthModifier()) {
    const CharSourceRange modifierRange =
      getSpecifierRange(LM.getStart(), LM.getLength());
    EmitFormatDiagnostic(S.PDiag(diag::warn_format_nonsensical_length)
                           << LM.toString() << CS.toString(),
                         getLocationOfByte(LM.getStart()),
                         /*IsStringLocation*/true,
                         getSpecifierRange(startSpecifier, specifierLen),
                         FixItHint::CreateRemoval(modifierRange));
  }

  // '%n' writes back through its argument: warn that this is a possible
  // security issue, then continue with the remaining specifiers.
  if (CS.getKind() == ConversionSpecifier::nArg) {
    EmitFormatDiagnostic(S.PDiag(diag::warn_printf_write_back),
                         getLocationOfByte(CS.getStart()),
                         /*IsStringLocation*/true,
                         getSpecifierRange(startSpecifier, specifierLen));
    return true;
  }

  // Everything below compares against concrete data arguments.
  if (HasVAListArg)
    return true;

  if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex))
    return false;

  // Type check the data argument that matches the specifier.
  const Expr *dataArg = getDataArg(argIndex);
  const analyze_printf::ArgTypeResult &expected = FS.getArgType(S.Context);
  if (!expected.isValid() ||
      expected.matchesType(S.Context, dataArg->getType()))
    return true;

  // printf is a varargs function, so 'char' and 'short' arguments arrive
  // promoted to 'int'.  If that promotion is what broke the match, judge
  // the unpromoted subexpression instead (and report on it from here on).
  if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(dataArg)) {
    if (ICE->getType() == S.Context.IntTy) {
      dataArg = ICE->getSubExpr();
      if (expected.matchesType(S.Context, dataArg->getType()))
        return true;
    }
  }

  // Offer a fix-it when the specifier can be rewritten for the actual type.
  PrintfSpecifier fixedFS = FS;
  const bool canFix = fixedFS.fixType(dataArg->getType(), S.getLangOptions());

  if (!canFix) {
    S.Diag(getLocationOfByte(CS.getStart()),
           diag::warn_printf_conversion_argument_type_mismatch)
      << expected.getRepresentativeTypeName(S.Context) << dataArg->getType()
      << getSpecifierRange(startSpecifier, specifierLen)
      << dataArg->getSourceRange();
    return true;
  }

  // Render the corrected specifier as the replacement text.
  llvm::SmallString<128> fixBuf;
  llvm::raw_svector_ostream fixStream(fixBuf);
  fixedFS.toString(fixStream);

  EmitFormatDiagnostic(
    S.PDiag(diag::warn_printf_conversion_argument_type_mismatch)
      << expected.getRepresentativeTypeName(S.Context) << dataArg->getType()
      << dataArg->getSourceRange(),
    getLocationOfByte(CS.getStart()),
    /*IsStringLocation*/true,
    getSpecifierRange(startSpecifier, specifierLen),
    FixItHint::CreateReplacement(
      getSpecifierRange(startSpecifier, specifierLen),
      fixStream.str()));

  return true;
}
2219 
2220 //===--- CHECK: Scanf format string checking ------------------------------===//
2221 
2222 namespace {
class CheckScanfHandler : public CheckFormatHandler {
public:
  /// Scanf-flavoured format string checker.  Every constructor argument is
  /// forwarded unchanged to CheckFormatHandler; this class only supplies the
  /// callbacks the scanf format-string parser invokes.
  CheckScanfHandler(Sema &s, const StringLiteral *fexpr,
                    const Expr *origFormatExpr, unsigned firstDataArg,
                    unsigned numDataArgs, bool isObjCLiteral,
                    const char *beg, bool hasVAListArg,
                    Expr **Args, unsigned NumArgs,
                    unsigned formatIdx, bool inFunctionCall)
  : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg,
                       numDataArgs, isObjCLiteral, beg, hasVAListArg,
                       Args, NumArgs, formatIdx, inFunctionCall) {}

  /// Called for each well-formed conversion specification.  Returns false
  /// when an error was found after which the remaining specifiers are not
  /// checked (mixed positional/non-positional arguments, missing data
  /// argument), true otherwise.
  bool HandleScanfSpecifier(const analyze_scanf::ScanfSpecifier &FS,
                            const char *startSpecifier,
                            unsigned specifierLen);

  /// Called for a conversion specifier the parser did not recognize;
  /// defers to the shared CheckFormatHandler diagnostic.
  bool HandleInvalidScanfConversionSpecifier(
          const analyze_scanf::ScanfSpecifier &FS,
          const char *startSpecifier,
          unsigned specifierLen);

  /// Called for a scanlist ('%[...') that the parser reports as incomplete.
  /// The diagnostic is placed at 'end' and highlights [start, end).
  void HandleIncompleteScanList(const char *start, const char *end);
};
2246 }
2247 
void CheckScanfHandler::HandleIncompleteScanList(const char *start,
                                                 const char *end) {
  // Point the diagnostic at the byte where the scanlist was cut off and
  // highlight everything from the start of the scanlist up to that byte.
  const unsigned listLen = end - start;
  const CharSourceRange listRange = getSpecifierRange(start, listLen);
  EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_scanlist_incomplete),
                       getLocationOfByte(end), /*IsStringLocation*/true,
                       listRange);
}
2254 
bool CheckScanfHandler::HandleInvalidScanfConversionSpecifier(
                                        const analyze_scanf::ScanfSpecifier &FS,
                                        const char *startSpecifier,
                                        unsigned specifierLen) {
  // Nothing scanf-specific to add: hand the unknown conversion to the shared
  // handler and return its verdict unchanged.
  using analyze_scanf::ScanfConversionSpecifier;
  const ScanfConversionSpecifier &conv = FS.getConversionSpecifier();
  const char *convStart = conv.getStart();

  return HandleInvalidConversionSpecifier(FS.getArgIndex(),
                                          getLocationOfByte(convStart),
                                          startSpecifier, specifierLen,
                                          convStart, conv.getLength());
}
2268 
bool CheckScanfHandler::HandleScanfSpecifier(
                                       const analyze_scanf::ScanfSpecifier &FS,
                                       const char *startSpecifier,
                                       unsigned specifierLen) {
  // Invoked by the scanf parser for every well-formed conversion
  // specification.  Diagnostics are emitted as each check fails; the result
  // is false only for the two errors after which further checking stops
  // (mixed positional/non-positional arguments, or a missing data argument).

  using namespace analyze_scanf;
  using namespace analyze_format_string;

  const ScanfConversionSpecifier &CS = FS.getConversionSpecifier();

  // Handle case where '%' and '*' don't consume an argument.  These shouldn't
  // be used to decide if we are using positional arguments consistently.
  if (FS.consumesDataArgument()) {
    if (atFirstArg) {
      // The first argument-consuming specifier decides whether the string
      // uses positional or sequential arguments; later specifiers must agree.
      atFirstArg = false;
      usesPositionalArgs = FS.usesPositionalArg();
    }
    else if (usesPositionalArgs != FS.usesPositionalArg()) {
      HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()),
                                        startSpecifier, specifierLen);
      return false;
    }
  }

  // Check if the field width is non-zero.  An explicit constant width of 0
  // is diagnosed, with a fix-it that simply removes the width.
  const OptionalAmount &Amt = FS.getFieldWidth();
  if (Amt.getHowSpecified() == OptionalAmount::Constant) {
    if (Amt.getConstantAmount() == 0) {
      const CharSourceRange &R = getSpecifierRange(Amt.getStart(),
                                                   Amt.getConstantLength());
      EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_nonzero_width),
                           getLocationOfByte(Amt.getStart()),
                           /*IsStringLocation*/true, R,
                           FixItHint::CreateRemoval(R));
    }
  }

  if (!FS.consumesDataArgument()) {
    // FIXME: Technically specifying a precision or field width here
    // makes no sense.  Worth issuing a warning at some point.
    return true;
  }

  // Consume the argument.
  unsigned argIndex = FS.getArgIndex();
  if (argIndex < NumDataArgs) {
    // The check to see if the argIndex is valid will come later.
    // We set the bit here because we may exit early from this
    // function if we encounter some other error.
    // NOTE(review): CoveredArgs is presumably read by DoneProcessing to
    // report data arguments no specifier referenced -- confirm there.
    CoveredArgs.set(argIndex);
  }

  // Check the length modifier is valid with the given conversion specifier.
  // The fix-it drops just the length modifier and keeps the rest of the
  // specification.
  const LengthModifier &LM = FS.getLengthModifier();
  if (!FS.hasValidLengthModifier()) {
    S.Diag(getLocationOfByte(LM.getStart()),
           diag::warn_format_nonsensical_length)
      << LM.toString() << CS.toString()
      << getSpecifierRange(startSpecifier, specifierLen)
      << FixItHint::CreateRemoval(getSpecifierRange(LM.getStart(),
                                                    LM.getLength()));
  }

  // The remaining checks depend on the data arguments, which are not
  // available as expressions when the callee takes a va_list.
  if (HasVAListArg)
    return true;

  if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex))
    return false;

  // Check that the argument type matches the format specifier.
  const Expr *Ex = getDataArg(argIndex);
  const analyze_scanf::ScanfArgTypeResult &ATR = FS.getArgType(S.Context);
  if (ATR.isValid() && !ATR.matchesType(S.Context, Ex->getType())) {
    // Try to rewrite the specifier for the argument's actual type; when that
    // works the mismatch diagnostic carries the rewritten specifier as a
    // fix-it, otherwise the same diagnostic is emitted without one.  Both
    // branches reuse the printf checker's diagnostic id.
    ScanfSpecifier fixedFS = FS;
    bool success = fixedFS.fixType(Ex->getType(), S.getLangOptions());

    if (success) {
      // Get the fix string from the fixed format specifier.
      llvm::SmallString<128> buf;
      llvm::raw_svector_ostream os(buf);
      fixedFS.toString(os);

      EmitFormatDiagnostic(
        S.PDiag(diag::warn_printf_conversion_argument_type_mismatch)
          << ATR.getRepresentativeTypeName(S.Context) << Ex->getType()
          << Ex->getSourceRange(),
        getLocationOfByte(CS.getStart()),
        /*IsStringLocation*/true,
        getSpecifierRange(startSpecifier, specifierLen),
        FixItHint::CreateReplacement(
          getSpecifierRange(startSpecifier, specifierLen),
          os.str()));
    } else {
      S.Diag(getLocationOfByte(CS.getStart()),
             diag::warn_printf_conversion_argument_type_mismatch)
          << ATR.getRepresentativeTypeName(S.Context) << Ex->getType()
          << getSpecifierRange(startSpecifier, specifierLen)
          << Ex->getSourceRange();
    }
  }

  return true;
}
2373 
void Sema::CheckFormatString(const StringLiteral *FExpr,
                             const Expr *OrigFormatExpr,
                             Expr **Args, unsigned NumArgs,
                             bool HasVAListArg, unsigned format_idx,
                             unsigned firstDataArg, bool isPrintf,
                             bool inFunctionCall) {
  // Entry point for checking a format string literal against its data
  // arguments.  Performs the checks that apply to the literal as a whole
  // (wide literal, empty string) and then hands the bytes of the literal to
  // the printf or scanf parser together with the matching handler.

  // CHECK: is the format string a wide literal?  The parsers below are only
  // run on non-wide literals.
  if (!FExpr->isAscii()) {
    CheckFormatHandler::EmitFormatDiagnostic(
      *this, inFunctionCall, Args[format_idx],
      PDiag(diag::warn_format_string_is_wide_literal), FExpr->getLocStart(),
      /*IsStringLocation*/true, OrigFormatExpr->getSourceRange());
    return;
  }

  // The literal's bytes.  NOTE: this is NOT null-terminated, so the parsers
  // are always handed an explicit end pointer.
  const StringRef FormatBytes = FExpr->getString();
  const char *Begin = FormatBytes.data();
  const char *End = Begin + FormatBytes.size();
  const unsigned numDataArgs = NumArgs - firstDataArg;

  // CHECK: empty format string?  Only diagnosed when data arguments were
  // passed that can never be consumed.
  if (FormatBytes.empty() && numDataArgs > 0) {
    CheckFormatHandler::EmitFormatDiagnostic(
      *this, inFunctionCall, Args[format_idx],
      PDiag(diag::warn_empty_format_string), FExpr->getLocStart(),
      /*IsStringLocation*/true, OrigFormatExpr->getSourceRange());
    return;
  }

  const bool isObjCLiteral = isa<ObjCStringLiteral>(OrigFormatExpr);

  // Whole-string post-processing (DoneProcessing) runs only when the parser
  // returns false; see ParsePrintfString/ParseScanfString for what that
  // result signals.
  if (isPrintf) {
    CheckPrintfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg,
                         numDataArgs, isObjCLiteral, Begin, HasVAListArg,
                         Args, NumArgs, format_idx, inFunctionCall);
    if (!analyze_format_string::ParsePrintfString(H, Begin, End,
                                                  getLangOptions()))
      H.DoneProcessing();
    return;
  }

  CheckScanfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg,
                      numDataArgs, isObjCLiteral, Begin, HasVAListArg,
                      Args, NumArgs, format_idx, inFunctionCall);
  if (!analyze_format_string::ParseScanfString(H, Begin, End,
                                               getLangOptions()))
    H.DoneProcessing();
}
2426 
2427 //===--- CHECK: Standard memory functions ---------------------------------===//
2428 
/// \brief Determine whether the given type is a dynamic class type (e.g.,
/// whether it has a vtable).
///
/// Non-class types, and classes whose definition is not available, are never
/// considered dynamic.
static bool isDynamicClassType(QualType T) {
  CXXRecordDecl *Record = T->getAsCXXRecordDecl();
  if (!Record)
    return false;

  // Only the definition can answer the question, so look it up rather than
  // asking the (possibly forward) declaration we were handed.
  CXXRecordDecl *Definition = Record->getDefinition();
  return Definition && Definition->isDynamicClass();
}
2439 
/// \brief If E is a sizeof expression, returns its argument expression,
/// otherwise returns NULL.
///
/// Only 'sizeof expr' qualifies; 'sizeof(type)' has no argument expression
/// and yields NULL as well (getSizeOfArgType covers that form).  Parentheses
/// and implicit casts around the argument are stripped from the result.
static const Expr *getSizeOfExprArg(const Expr* E) {
  const UnaryExprOrTypeTraitExpr *SizeOf =
      dyn_cast<UnaryExprOrTypeTraitExpr>(E);
  if (!SizeOf || SizeOf->getKind() != clang::UETT_SizeOf)
    return 0;
  if (SizeOf->isArgumentType())
    return 0;

  return SizeOf->getArgumentExpr()->IgnoreParenImpCasts();
}
2450 
/// \brief If E is a sizeof expression, returns its argument type.
///
/// Unlike getSizeOfExprArg this does not require the operand to be an
/// expression; a null QualType is returned when E is not a sizeof.
static QualType getSizeOfArgType(const Expr* E) {
  const UnaryExprOrTypeTraitExpr *Trait =
      dyn_cast<UnaryExprOrTypeTraitExpr>(E);
  const bool isSizeOf = Trait && Trait->getKind() == clang::UETT_SizeOf;

  return isSizeOf ? Trait->getTypeOfArgument() : QualType();
}
2460 
/// \brief Check for dangerous or invalid arguments to the standard memory
/// access functions.
///
/// This issues warnings on known problematic, dangerous or unspecified
/// arguments to the standard 'memset', 'memcpy', 'memmove', 'memcmp' and
/// 'strndup' function calls: a size argument that is sizeof(pointer) where
/// sizeof(*pointer) was meant, a sizeof whose type is the pointer type of a
/// buffer argument that points to a record, raw memory access to objects
/// with a vtable, and (for all but memset) raw memory access to objects with
/// non-trivial ARC lifetime.  At most one such warning is emitted per call;
/// a '(void*)' cast on the pointer argument silences all of them.
///
/// \param Call The call expression to diagnose.
/// \param BId The Builtin::ID of the callee; must be non-zero.
/// \param FnName The callee's name, used in the diagnostic text.
void Sema::CheckMemaccessArguments(const CallExpr *Call,
                                   unsigned BId,
                                   IdentifierInfo *FnName) {
  assert(BId != 0);

  // It is possible to have a non-standard definition of memset.  Validate
  // we have enough arguments, and if not, abort further checking.
  // strndup(s, n) takes two arguments; the mem* functions take three.
  unsigned ExpectedNumArgs = (BId == Builtin::BIstrndup ? 2 : 3);
  if (Call->getNumArgs() < ExpectedNumArgs)
    return;

  // LastArg bounds the pointer arguments inspected below: only the first
  // one for memset and strndup, both destination and source for
  // memcpy/memmove/memcmp.  LenArg is the index of the size argument.
  unsigned LastArg = (BId == Builtin::BImemset ||
                      BId == Builtin::BIstrndup ? 1 : 2);
  unsigned LenArg = (BId == Builtin::BIstrndup ? 1 : 2);
  const Expr *LenExpr = Call->getArg(LenArg)->IgnoreParenImpCasts();

  // We have special checking when the length is a sizeof expression.
  // SizeOfArgID is left default-constructed until it is first needed; the
  // comparison against a fresh FoldingSetNodeID below is the "not yet
  // computed" test.
  QualType SizeOfArgTy = getSizeOfArgType(LenExpr);
  const Expr *SizeOfArg = getSizeOfExprArg(LenExpr);
  llvm::FoldingSetNodeID SizeOfArgID;

  for (unsigned ArgIdx = 0; ArgIdx != LastArg; ++ArgIdx) {
    const Expr *Dest = Call->getArg(ArgIdx)->IgnoreParenImpCasts();
    SourceRange ArgRange = Call->getArg(ArgIdx)->getSourceRange();

    QualType DestTy = Dest->getType();
    if (const PointerType *DestPtrTy = DestTy->getAs<PointerType>()) {
      QualType PointeeTy = DestPtrTy->getPointeeType();

      // Never warn about void type pointers. This can be used to suppress
      // false positives.
      if (PointeeTy->isVoidType())
        continue;

      // Catch "memset(p, 0, sizeof(p))" -- needs to be sizeof(*p). Do this by
      // actually comparing the expressions for equality. Because computing the
      // expression IDs can be expensive, we only do this if the diagnostic is
      // enabled.
      if (SizeOfArg &&
          Diags.getDiagnosticLevel(diag::warn_sizeof_pointer_expr_memaccess,
                                   SizeOfArg->getExprLoc())) {
        // We only compute IDs for expressions if the warning is enabled, and
        // cache the sizeof arg's ID.
        if (SizeOfArgID == llvm::FoldingSetNodeID())
          SizeOfArg->Profile(SizeOfArgID, Context, true);
        llvm::FoldingSetNodeID DestID;
        Dest->Profile(DestID, Context, true);
        if (DestID == SizeOfArgID) {
          // TODO: For strncpy() and friends, this could suggest sizeof(dst)
          //       over sizeof(src) as well.
          // ActionIdx and DestSrcSelect pick the wording of the diagnostic
          // (presumably %select alternatives in its text).
          unsigned ActionIdx = 0; // Default is to suggest dereferencing.
          if (const UnaryOperator *UnaryOp = dyn_cast<UnaryOperator>(Dest))
            if (UnaryOp->getOpcode() == UO_AddrOf)
              ActionIdx = 1; // If its an address-of operator, just remove it.
          if (Context.getTypeSize(PointeeTy) == Context.getCharWidth())
            ActionIdx = 2; // If the pointee's size is sizeof(char),
                           // suggest an explicit length.
          unsigned DestSrcSelect =
            (BId == Builtin::BIstrndup ? 1 : ArgIdx);
          DiagRuntimeBehavior(SizeOfArg->getExprLoc(), Dest,
                              PDiag(diag::warn_sizeof_pointer_expr_memaccess)
                                << FnName << DestSrcSelect << ActionIdx
                                << Dest->getSourceRange()
                                << SizeOfArg->getSourceRange());
          break;
        }
      }

      // Also check for cases where the sizeof argument is the exact same
      // type as the memory argument, and where it points to a user-defined
      // record type.  Note that SizeOfArgTy is compared with the pointer
      // type itself (DestTy), not with the pointee.
      if (SizeOfArgTy != QualType()) {
        if (PointeeTy->isRecordType() &&
            Context.typesAreCompatible(SizeOfArgTy, DestTy)) {
          DiagRuntimeBehavior(LenExpr->getExprLoc(), Dest,
                              PDiag(diag::warn_sizeof_pointer_type_memaccess)
                                << FnName << SizeOfArgTy << ArgIdx
                                << PointeeTy << Dest->getSourceRange()
                                << LenExpr->getSourceRange());
          break;
        }
      }

      // Always complain about dynamic classes.
      if (isDynamicClassType(PointeeTy)) {

        unsigned OperationType = 0;
        // "overwritten" if we're warning about the destination for any call
        // but memcmp; otherwise a verb appropriate to the call.
        if (ArgIdx != 0 || BId == Builtin::BImemcmp) {
          if (BId == Builtin::BImemcpy)
            OperationType = 1;
          else if(BId == Builtin::BImemmove)
            OperationType = 2;
          else if (BId == Builtin::BImemcmp)
            OperationType = 3;
        }

        // For memcmp the argument index is shifted by two so the diagnostic
        // can use different wording for its two operands.
        DiagRuntimeBehavior(
          Dest->getExprLoc(), Dest,
          PDiag(diag::warn_dyn_class_memaccess)
            << (BId == Builtin::BImemcmp ? ArgIdx + 2 : ArgIdx)
            << FnName << PointeeTy
            << OperationType
            << Call->getCallee()->getSourceRange());
      } else if (PointeeTy.hasNonTrivialObjCLifetime() &&
               BId != Builtin::BImemset)
        DiagRuntimeBehavior(
          Dest->getExprLoc(), Dest,
          PDiag(diag::warn_arc_object_memaccess)
            << ArgIdx << FnName << PointeeTy
            << Call->getCallee()->getSourceRange());
      else
        continue;

      // Either of the two warnings above was emitted for this argument; tell
      // the user how to silence it.  The '(void*)' cast works because void
      // pointees are skipped at the top of this loop body.
      DiagRuntimeBehavior(
        Dest->getExprLoc(), Dest,
        PDiag(diag::note_bad_memaccess_silence)
          << FixItHint::CreateInsertion(ArgRange.getBegin(), "(void*)"));
      break;
    }
  }
}
2591 
// A little helper routine: ignore addition and subtraction of integer literals.
// This intentionally does not ignore all integer constant expressions because
// we don't want to remove sizeof().
//
// Given 'x + 2' or '3 + (x)' (after paren/cast stripping) the result is the
// non-literal operand 'x'; an expression of any other shape is returned as
// is.  Ctx is currently unused but kept so the callers' signature is stable.
static const Expr *ignoreLiteralAdditions(const Expr *Ex, ASTContext &Ctx) {
  const Expr *Cur = Ex->IgnoreParenCasts();

  while (const BinaryOperator *BO = dyn_cast<BinaryOperator>(Cur)) {
    if (!BO->isAdditiveOp())
      break;

    const Expr *Lhs = BO->getLHS()->IgnoreParenCasts();
    const Expr *Rhs = BO->getRHS()->IgnoreParenCasts();

    // Peel the literal off whichever side it is on; stop at the first
    // additive operator that has no integer-literal operand.
    if (isa<IntegerLiteral>(Rhs))
      Cur = Lhs;
    else if (isa<IntegerLiteral>(Lhs))
      Cur = Rhs;
    else
      break;
  }

  return Cur;
}
2616 
// Warn if the user has made the 'size' argument to strlcpy or strlcat
// be the size of the source, instead of the destination.
//
// Recognizes 'strlcpy(dst, src, sizeof(src))' and
// 'strlcpy(dst, src, strlen(src))' (each side possibly offset by integer
// literals), where 'src' and the sizeof/strlen operand are plain references
// to the same declaration.  When the destination is an array, a note with a
// fix-it proposing 'sizeof(dst)' is attached.
void Sema::CheckStrlcpycatArguments(const CallExpr *Call,
                                    IdentifierInfo *FnName) {

  // Don't crash if the user has the wrong number of arguments
  if (Call->getNumArgs() != 3)
    return;

  const Expr *SrcArg = ignoreLiteralAdditions(Call->getArg(1), Context);
  const Expr *SizeArg = ignoreLiteralAdditions(Call->getArg(2), Context);

  // Find the expression whose size/length is being passed, if the size
  // argument has one of the two recognized shapes.
  const Expr *SizedExpr = getSizeOfExprArg(SizeArg);          // sizeof(x)
  if (!SizedExpr) {
    const CallExpr *SizeCall = dyn_cast<CallExpr>(SizeArg);    // strlen(x)
    if (!SizeCall || SizeCall->isBuiltinCall() != Builtin::BIstrlen ||
        SizeCall->getNumArgs() != 1)
      return;
    SizedExpr = ignoreLiteralAdditions(SizeCall->getArg(0), Context);
  }
  if (!SizedExpr)
    return;

  // Both sides must be plain references to the very same declaration.  A
  // deeper structural comparison (e.g. building and evaluating an '=='
  // expression) is deliberately not attempted here.
  const DeclRefExpr *SrcRef = dyn_cast<DeclRefExpr>(SrcArg);
  const DeclRefExpr *SizedRef = dyn_cast<DeclRefExpr>(SizedExpr);
  if (!SrcRef || !SizedRef || SrcRef->getDecl() != SizedRef->getDecl())
    return;

  const Expr *OriginalSizeArg = Call->getArg(2);
  Diag(SizedRef->getLocStart(), diag::warn_strlcpycat_wrong_size)
    << OriginalSizeArg->getSourceRange() << FnName;

  // A fix-it is only offered when the destination is an array whose size
  // 'sizeof' can express: a constant array with more than one element, or a
  // VLA.  Pointers and flexible array members are skipped because their real
  // size is unknown here.  This could be enhanced for pointers whose size is
  // known, e.g. 'array+2' could become 'sizeof(array)-2'.
  const Expr *DstArg = Call->getArg(0)->IgnoreParenImpCasts();
  QualType DstArgTy = DstArg->getType();
  bool offerFixIt = false;
  if (const ConstantArrayType *CAT = Context.getAsConstantArrayType(DstArgTy))
    offerFixIt = CAT->getSize().getSExtValue() > 1;
  else
    offerFixIt = DstArgTy->isVariableArrayType();
  if (!offerFixIt)
    return;

  llvm::SmallString<128> sizeString;
  llvm::raw_svector_ostream OS(sizeString);
  OS << "sizeof(";
  DstArg->printPretty(OS, Context, 0, getPrintingPolicy());
  OS << ")";

  Diag(OriginalSizeArg->getLocStart(), diag::note_strlcpycat_wrong_size)
    << FixItHint::CreateReplacement(OriginalSizeArg->getSourceRange(),
                                    OS.str());
}
2688 
2689 //===--- CHECK: Return Address of Stack Variable --------------------------===//
2690 
2691 static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars);
2692 static Expr *EvalAddr(Expr* E, SmallVectorImpl<DeclRefExpr *> &refVars);
2693 
/// CheckReturnStackAddr - Check if a return statement returns the address
///   of a stack variable.
///
/// Pointer (and, outside ARC, block pointer) return types are walked with
/// EvalAddr, reference return types with EvalVal.  If either finds a local
/// variable, a local block, a label address or a local temporary, a warning
/// (an error for blocks) is placed at the offending part of the return
/// expression, followed by one note per reference variable that was
/// followed on the way there.
void
Sema::CheckReturnStackAddr(Expr *RetValExp, QualType lhsType,
                           SourceLocation ReturnLoc) {

  const bool returnsReference = lhsType->isReferenceType();
  const bool returnsPointer =
      lhsType->isPointerType() ||
      (!getLangOptions().ObjCAutoRefCount && lhsType->isBlockPointerType());

  // Perform checking for returned stack addresses, local blocks,
  // label addresses or references to temporaries.
  SmallVector<DeclRefExpr *, 8> refVars;
  Expr *stackE = 0;
  if (returnsPointer)
    stackE = EvalAddr(RetValExp, refVars);
  else if (returnsReference)
    stackE = EvalVal(RetValExp, refVars);

  if (!stackE)
    return; // Nothing suspicious was found.

  // When reference variables were followed, the warning points at the first
  // of them (what the return statement literally names); the problematic
  // expression itself is then reached through the notes below.
  const Expr *diagAnchor = stackE;
  if (!refVars.empty())
    diagAnchor = refVars[0];
  const SourceLocation diagLoc = diagAnchor->getLocStart();
  const SourceRange diagRange = diagAnchor->getSourceRange();

  // Pick the diagnostic for the kind of expression that was found.
  unsigned diagID;
  const DeclRefExpr *localVar = dyn_cast<DeclRefExpr>(stackE);
  if (localVar)                          // address of local var.
    diagID = returnsReference ? diag::warn_ret_stack_ref
                              : diag::warn_ret_stack_addr;
  else if (isa<BlockExpr>(stackE))       // local block.
    diagID = diag::err_ret_local_block;
  else if (isa<AddrLabelExpr>(stackE))   // address of label.
    diagID = diag::warn_ret_addr_label;
  else                                   // local temporary.
    diagID = returnsReference ? diag::warn_ret_local_temp_ref
                              : diag::warn_ret_local_temp_addr;

  // Only the local-variable diagnostic names the variable.
  if (localVar)
    Diag(diagLoc, diagID) << localVar->getDecl()->getDeclName() << diagRange;
  else
    Diag(diagLoc, diagID) << diagRange;

  // Display the "trail" of reference variables that we followed until we
  // found the problematic expression using notes.
  const unsigned numRefVars = refVars.size();
  for (unsigned i = 0; i != numRefVars; ++i) {
    VarDecl *VD = cast<VarDecl>(refVars[i]->getDecl());
    // Each note highlights what this reference variable was bound to: the
    // next variable on the trail, or, for the last one, the expression.
    const bool isLast = (i + 1 == numRefVars);
    SourceRange boundTo = isLast ? stackE->getSourceRange()
                                 : refVars[i + 1]->getSourceRange();
    Diag(VD->getLocation(), diag::note_ref_var_local_bind)
      << VD->getDeclName() << boundTo;
  }
}
2756 
/// EvalAddr - EvalAddr and EvalVal are mutually recursive functions that
///  check if the expression in a return statement evaluates to an address
///  to a location on the stack, a local block, an address of a label, or a
///  reference to local temporary. The recursion is used to traverse the
///  AST of the return expression, with recursion backtracking when we
///  encounter a subexpression that (1) clearly does not lead to one of the
///  above problematic expressions (2) is something we cannot determine leads to
///  a problematic expression based on such local checking.
///
///  Both EvalAddr and EvalVal follow through reference variables to evaluate
///  the expression that they point to. Such variables are added to the
///  'refVars' vector so that we know what the reference variable "trail" was.
///
///  EvalAddr processes expressions that are pointers that are used as
///  references (and not L-values).  EvalVal handles all other values.
///  At the base case of the recursion is a check for the above problematic
///  expressions.
///
///  This implementation handles:
///
///   * pointer-to-pointer casts
///   * implicit conversions from array references to pointers
///   * taking the address of fields
///   * arbitrary interplay between "&" and "*" operators
///   * pointer arithmetic from an address of a stack variable
///   * taking the address of an array element where the array is on the stack
///
///  Returns the problematic expression (a DeclRefExpr to a local variable,
///  a BlockExpr, an AddrLabelExpr or a MaterializeTemporaryExpr), or NULL
///  when nothing suspicious was found.  Type-dependent expressions are not
///  examined and yield NULL.
static Expr *EvalAddr(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars) {
  if (E->isTypeDependent())
      return NULL;

  // We should only be called for evaluating pointer expressions.
  assert((E->getType()->isAnyPointerType() ||
          E->getType()->isBlockPointerType() ||
          E->getType()->isObjCQualifiedIdType()) &&
         "EvalAddr only works on pointers");

  E = E->IgnoreParens();

  // Our "symbolic interpreter" is just a dispatch off the currently
  // viewed AST node.  We then recursively traverse the AST by calling
  // EvalAddr and EvalVal appropriately.
  switch (E->getStmtClass()) {
  case Stmt::DeclRefExprClass: {
    // A pointer-typed variable used as an rvalue is not itself a stack
    // address; the only interesting case is a local reference variable,
    // whose initializer is followed instead.
    DeclRefExpr *DR = cast<DeclRefExpr>(E);

    if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl()))
      // If this is a reference variable, follow through to the expression that
      // it points to.
      if (V->hasLocalStorage() &&
          V->getType()->isReferenceType() && V->hasInit()) {
        // Add the reference variable to the "trail".
        refVars.push_back(DR);
        return EvalAddr(V->getInit(), refVars);
      }

    return NULL;
  }

  case Stmt::UnaryOperatorClass: {
    // The only unary operator that make sense to handle here
    // is AddrOf.  All others don't make sense as pointers.  '&x' switches
    // to EvalVal, which looks at the l-value whose address is taken.
    UnaryOperator *U = cast<UnaryOperator>(E);

    if (U->getOpcode() == UO_AddrOf)
      return EvalVal(U->getSubExpr(), refVars);
    else
      return NULL;
  }

  case Stmt::BinaryOperatorClass: {
    // Handle pointer arithmetic.  All other binary operators are not valid
    // in this context.  'p + n' and 'p - n' are as suspicious as 'p' itself.
    BinaryOperator *B = cast<BinaryOperator>(E);
    BinaryOperatorKind op = B->getOpcode();

    if (op != BO_Add && op != BO_Sub)
      return NULL;

    Expr *Base = B->getLHS();

    // Determine which argument is the real pointer base.  It could be
    // the RHS argument instead of the LHS.
    if (!Base->getType()->isPointerType()) Base = B->getRHS();

    assert (Base->getType()->isPointerType());
    return EvalAddr(Base, refVars);
  }

  // For conditional operators we need to see if either the LHS or RHS are
  // valid DeclRefExpr*s.  If one of them is valid, we return it.  The LHS
  // is tried first; the RHS only if the LHS found nothing.
  case Stmt::ConditionalOperatorClass: {
    ConditionalOperator *C = cast<ConditionalOperator>(E);

    // Handle the GNU extension for missing LHS.
    if (Expr *lhsExpr = C->getLHS()) {
      // In C++, we can have a throw-expression, which has 'void' type.
      if (!lhsExpr->getType()->isVoidType())
        if (Expr* LHS = EvalAddr(lhsExpr, refVars))
          return LHS;
    }

    // In C++, we can have a throw-expression, which has 'void' type.
    if (C->getRHS()->getType()->isVoidType())
      return NULL;

    return EvalAddr(C->getRHS(), refVars);
  }

  case Stmt::BlockExprClass:
    // Only blocks that capture something are reported; a block without
    // captures is not treated as local.
    if (cast<BlockExpr>(E)->getBlockDecl()->hasCaptures())
      return E; // local block.
    return NULL;

  case Stmt::AddrLabelExprClass:
    return E; // address of label.

  case Stmt::ExprWithCleanupsClass:
    // Transparent wrapper; look at what it wraps.
    return EvalAddr(cast<ExprWithCleanups>(E)->getSubExpr(), refVars);

  // For casts, we need to handle conversions from arrays to
  // pointer values, and pointer-to-pointer conversions.  An array operand
  // is an l-value and therefore goes to EvalVal; any other operand type
  // (e.g. an integer cast to a pointer) is not followed.
  case Stmt::ImplicitCastExprClass:
  case Stmt::CStyleCastExprClass:
  case Stmt::CXXFunctionalCastExprClass:
  case Stmt::ObjCBridgedCastExprClass: {
    Expr* SubExpr = cast<CastExpr>(E)->getSubExpr();
    QualType T = SubExpr->getType();

    if (SubExpr->getType()->isPointerType() ||
        SubExpr->getType()->isBlockPointerType() ||
        SubExpr->getType()->isObjCQualifiedIdType())
      return EvalAddr(SubExpr, refVars);
    else if (T->isArrayType())
      return EvalVal(SubExpr, refVars);
    else
      return 0;
  }

  // C++ named casts.  When the operand is itself a (block) pointer we look
  // through the cast; a dynamic_cast could fail at run time and yield null,
  // but we take the conservative route and report the stack address anyway.
  // Operands of any other type are not followed.
  // FIXME: These casts do not always convert pointer-to-pointer; operands
  // that are references to objects probably ought to be handled here too.
  case Stmt::CXXStaticCastExprClass:
  case Stmt::CXXDynamicCastExprClass:
  case Stmt::CXXConstCastExprClass:
  case Stmt::CXXReinterpretCastExprClass: {
      Expr *S = cast<CXXNamedCastExpr>(E)->getSubExpr();
      if (S->getType()->isPointerType() || S->getType()->isBlockPointerType())
        return EvalAddr(S, refVars);
      else
        return NULL;
  }

  case Stmt::MaterializeTemporaryExprClass:
    // If the materialized expression is itself suspicious, report that;
    // otherwise report the temporary itself (the caller treats a
    // MaterializeTemporaryExpr result as a "local temporary").
    if (Expr *Result = EvalAddr(
                         cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(),
                                refVars))
      return Result;

    return E;

  // Everything else: we simply don't reason about them.
  default:
    return NULL;
  }
}
2927 
2928 
/// EvalVal - The l-value half of the EvalAddr/EvalVal mutual recursion.
/// Follows an expression down to the local variable (or temporary) whose
/// storage it denotes and returns that DeclRefExpr/Expr, or NULL when no
/// such storage can be identified.  Local reference variables that are
/// followed through their initializer are appended to refVars as a trail.
/// See the comments on EvalAddr for the overall scheme.
static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars) {
  // Iterate rather than recurse for l-value implicit casts; every other
  // node either returns directly or recurses through EvalVal/EvalAddr.
  for (;;) {
    E = E->IgnoreParens();

    switch (E->getStmtClass()) {
    case Stmt::ImplicitCastExprClass: {
      ImplicitCastExpr *Cast = cast<ImplicitCastExpr>(E);
      // Only an l-value cast still names storage; anything else is a value.
      if (Cast->getValueKind() != VK_LValue)
        return NULL;
      E = Cast->getSubExpr();
      continue;
    }

    case Stmt::ExprWithCleanupsClass:
      return EvalVal(cast<ExprWithCleanups>(E)->getSubExpr(), refVars);

    case Stmt::DeclRefExprClass: {
      // A variable name: a local with automatic storage is what we are
      // looking for; a local reference is followed to what it binds to.
      DeclRefExpr *Ref = cast<DeclRefExpr>(E);
      VarDecl *Var = dyn_cast<VarDecl>(Ref->getDecl());
      if (!Var || !Var->hasLocalStorage())
        return NULL;
      if (!Var->getType()->isReferenceType())
        return Ref;
      if (!Var->hasInit())
        return NULL;
      // Record the hop through the reference variable in the "trail".
      refVars.push_back(Ref);
      return EvalVal(Var->getInit(), refVars);
    }

    case Stmt::UnaryOperatorClass: {
      // Only dereference yields a "name"; every other unary operator
      // produces an rvalue we do not track.
      UnaryOperator *Op = cast<UnaryOperator>(E);
      if (Op->getOpcode() != UO_Deref)
        return NULL;
      return EvalAddr(Op->getSubExpr(), refVars);
    }

    case Stmt::ArraySubscriptExprClass:
      // Subscripting may reach into a local array; inspect the base.
      return EvalAddr(cast<ArraySubscriptExpr>(E)->getBase(), refVars);

    case Stmt::ConditionalOperatorClass: {
      // Either arm may denote a local; the true arm is tried first and may
      // be absent under the GNU "x ?: y" extension.
      ConditionalOperator *Cond = cast<ConditionalOperator>(E);
      if (Expr *TrueArm = Cond->getLHS())
        if (Expr *Found = EvalVal(TrueArm, refVars))
          return Found;
      return EvalVal(Cond->getRHS(), refVars);
    }

    case Stmt::MemberExprClass: {
      // Only a direct ('.') access to a non-reference member denotes
      // storage inside the base object; '->' and reference members point
      // elsewhere.
      MemberExpr *Member = cast<MemberExpr>(E);
      bool DirectAccess = !Member->isArrow();
      bool ValueMember =
        !Member->getMemberDecl()->getType()->isReferenceType();
      if (DirectAccess && ValueMember)
        return EvalVal(Member->getBase(), refVars);
      return NULL;
    }

    case Stmt::MaterializeTemporaryExprClass: {
      // Report whatever the temporary wraps, else the temporary itself.
      Expr *Wrapped = cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr();
      Expr *Found = EvalVal(Wrapped, refVars);
      return Found ? Found : E;
    }

    default:
      // A non-dependent rvalue here is a temporary; report it so that
      // returning or taking the address of a reference to it can be
      // diagnosed (C++ only).
      if (!E->isTypeDependent() && E->isRValue())
        return E;

      // Everything else: we simply don't reason about it.
      return NULL;
    }
  }
}
3045 
3046 //===--- CHECK: Floating-Point comparisons (-Wfloat-equal) ---------------===//
3047 
/// Check for comparisons of floating point operands using != and ==.
/// Issue a warning unless the comparison is a self-comparison, compares
/// against an exactly representable literal, or involves a builtin call;
/// other floating-point equality tests are unlikely to do what the
/// programmer intended.
void Sema::CheckFloatComparison(SourceLocation Loc, Expr* LHS, Expr *RHS) {
  Expr *Left = LHS->IgnoreParenImpCasts();
  Expr *Right = RHS->IgnoreParenImpCasts();

  // Special case: x == x is fine (commonly used as a NaN test).
  DeclRefExpr *LeftRef = dyn_cast<DeclRefExpr>(Left);
  DeclRefExpr *RightRef = dyn_cast<DeclRefExpr>(Right);
  if (LeftRef && RightRef && LeftRef->getDecl() == RightRef->getDecl())
    return;

  // Special case: a literal that APFloat represents exactly.  This is a
  // heuristic -- such comparisons are often used to detect whether a
  // variable has changed -- and it clearly admits false negatives.  Note
  // that only one side is inspected: a literal on the left, even an
  // inexact one, means the right side is not examined.
  if (FloatingLiteral *LeftLit = dyn_cast<FloatingLiteral>(Left)) {
    if (LeftLit->isExact())
      return;
  } else if (FloatingLiteral *RightLit = dyn_cast<FloatingLiteral>(Right)) {
    if (RightLit->isExact())
      return;
  }

  // Special case: comparisons involving builtin calls.
  if (CallExpr *LeftCall = dyn_cast<CallExpr>(Left))
    if (LeftCall->isBuiltinCall())
      return;
  if (CallExpr *RightCall = dyn_cast<CallExpr>(Right))
    if (RightCall->isBuiltinCall())
      return;

  // Nothing suppressed the warning: emit it.
  Diag(Loc, diag::warn_floatingpoint_eq)
    << LHS->getSourceRange() << RHS->getSourceRange();
}
3097 
3098 //===--- CHECK: Integer mixed-sign comparisons (-Wsign-compare) --------===//
3099 //===--- CHECK: Lossy implicit conversions (-Wconversion) --------------===//
3100 
3101 namespace {
3102 
/// Structure recording the 'active' range of an integer-valued
/// expression: how many low bits may be set, and whether the value is
/// known never to be negative.
struct IntRange {
  /// The number of bits active in the int.
  unsigned Width;

  /// True if the int is known not to have negative values.
  bool NonNegative;

  IntRange(unsigned Width, bool NonNegative)
    : Width(Width), NonNegative(NonNegative) {}

  /// Returns the range of the bool type: a single bit, never negative.
  static IntRange forBoolType() {
    return IntRange(1, /*NonNegative*/ true);
  }

  /// Returns the range of an opaque value of the given integral type.
  /// Canonicalizes T and defers to forValueOfCanonicalType.
  static IntRange forValueOfType(ASTContext &C, QualType T) {
    const Type *Canonical = T->getCanonicalTypeInternal().getTypePtr();
    return forValueOfCanonicalType(C, Canonical);
  }

  /// Returns the range of an opaque value of a canonical integral type.
  ///
  /// Vector and complex types contribute the range of their element type.
  /// A complete enum contributes only the bits its enumerators need; an
  /// incomplete enum is treated as a possibly-negative value of its full
  /// width, since nothing narrower can be established.
  static IntRange forValueOfCanonicalType(ASTContext &C, const Type *T) {
    assert(T->isCanonicalUnqualified());

    T = scalarElementType(T);

    if (const EnumType *ET = dyn_cast<EnumType>(T)) {
      EnumDecl *Enum = ET->getDecl();
      if (!Enum->isCompleteDefinition())
        return IntRange(C.getIntWidth(QualType(T, 0)), /*NonNegative*/ false);

      unsigned PositiveBits = Enum->getNumPositiveBits();
      unsigned NegativeBits = Enum->getNumNegativeBits();
      bool NoNegatives = (NegativeBits == 0);
      return IntRange(std::max(PositiveBits, NegativeBits), NoNegatives);
    }

    return forBuiltinInteger(C, T);
  }

  /// Returns the "target" range of a canonical integral type, i.e.
  /// the range of values expressible in the type.
  ///
  /// This matches forValueOfCanonicalType except that enums have the
  /// full range of their underlying integer type, not the range of their
  /// enumerators.
  static IntRange forTargetOfCanonicalType(ASTContext &C, const Type *T) {
    assert(T->isCanonicalUnqualified());

    T = scalarElementType(T);
    if (const EnumType *ET = dyn_cast<EnumType>(T))
      T = C.getCanonicalType(ET->getDecl()->getIntegerType()).getTypePtr();

    return forBuiltinInteger(C, T);
  }

  /// Returns the supremum of two ranges: i.e. their conservative merge.
  /// The result is as wide as the wider input and non-negative only if
  /// both inputs are.
  static IntRange join(IntRange L, IntRange R) {
    unsigned Wider = std::max(L.Width, R.Width);
    bool BothNonNegative = L.NonNegative && R.NonNegative;
    return IntRange(Wider, BothNonNegative);
  }

  /// Returns the infimum of two ranges: i.e. their aggressive merge.
  /// The result is as narrow as the narrower input and non-negative if
  /// either input is.
  static IntRange meet(IntRange L, IntRange R) {
    unsigned Narrower = std::min(L.Width, R.Width);
    bool EitherNonNegative = L.NonNegative || R.NonNegative;
    return IntRange(Narrower, EitherNonNegative);
  }

private:
  /// Strips one level of vector wrapping and then one level of complex
  /// wrapping, returning the scalar element type (T itself if neither).
  static const Type *scalarElementType(const Type *T) {
    if (const VectorType *VT = dyn_cast<VectorType>(T))
      T = VT->getElementType().getTypePtr();
    if (const ComplexType *CT = dyn_cast<ComplexType>(T))
      T = CT->getElementType().getTypePtr();
    return T;
  }

  /// The full range of a builtin integer type: its width, non-negative
  /// exactly when the type is unsigned.
  static IntRange forBuiltinInteger(ASTContext &C, const Type *T) {
    const BuiltinType *BT = cast<BuiltinType>(T);
    assert(BT->isInteger());
    return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger());
  }
};
3187 
/// Computes the active range of a known integer constant.
///
/// A negative signed value keeps its minimum signed width and is marked as
/// possibly negative; any other value is narrowed to MaxWidth and reported
/// by its active bits.  Note that the narrowing is written back through
/// the reference, so the caller's APSInt may be truncated.
IntRange GetValueRange(ASTContext &C, llvm::APSInt &value, unsigned MaxWidth) {
  bool IsNegative = value.isSigned() && value.isNegative();
  if (IsNegative)
    return IntRange(value.getMinSignedBits(), /*NonNegative*/ false);

  if (MaxWidth < value.getBitWidth())
    value = value.trunc(MaxWidth);

  // The value is non-negative here regardless of its signedness flag; the
  // sign bit alone is what matters, and getActiveBits() ignores it.
  return IntRange(value.getActiveBits(), /*NonNegative*/ true);
}
3199 
/// Computes the active range of an evaluated constant of integer-like
/// type.  Integers are handled directly; vectors and complex integers are
/// the conservative merge (join) of their components; anything else is an
/// l-value-based or label-difference constant and is assumed to use the
/// full width.
///
/// \param Ty the expression type, needed only to get the sign right in the
///   l-value case since APValue does not preserve it
/// \param MaxWidth the width to which the value will be truncated
IntRange GetValueRange(ASTContext &C, APValue &result, QualType Ty,
                       unsigned MaxWidth) {
  if (result.isInt())
    return GetValueRange(C, result.getInt(), MaxWidth);

  if (result.isVector()) {
    IntRange Merged = GetValueRange(C, result.getVectorElt(0), Ty, MaxWidth);
    unsigned Length = result.getVectorLength();
    for (unsigned Idx = 1; Idx < Length; ++Idx) {
      IntRange Elt = GetValueRange(C, result.getVectorElt(Idx), Ty, MaxWidth);
      Merged = IntRange::join(Merged, Elt);
    }
    return Merged;
  }

  if (result.isComplexInt()) {
    IntRange Real = GetValueRange(C, result.getComplexIntReal(), MaxWidth);
    IntRange Imag = GetValueRange(C, result.getComplexIntImag(), MaxWidth);
    return IntRange::join(Real, Imag);
  }

  // This can happen with lossless casts to intptr_t of "based" lvalues.
  // Assume it might use arbitrary bits.
  // FIXME: The only reason we need to pass the type in here is to get
  // the sign right on this one case.  It would be nice if APValue
  // preserved this.
  assert(result.isLValue() || result.isAddrLabelDiff());
  bool Unsigned = Ty->isUnsignedIntegerOrEnumerationType();
  return IntRange(MaxWidth, Unsigned);
}
3228 
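/// Pseudo-evaluate the given integer expression, estimating the
/// range of values it might take.
///
/// A foldable expression gets the exact range of its value; otherwise the
/// expression is dispatched on its form (implicit casts, ?:, binary and
/// unary operators, offsetof, bit-field reads) and falls back to the full
/// range of its type.  See the per-case comments for the individual
/// judgement calls.
///
/// \param C the AST context, used for type widths and constant folding
/// \param E the integer-valued expression to analyze
/// \param MaxWidth - the width to which the value will be truncated
/// \returns the estimated active width and sign of E's value
IntRange GetExprRange(ASTContext &C, Expr *E, unsigned MaxWidth) {
  E = E->IgnoreParens();

  // Try a full evaluation first.
  Expr::EvalResult result;
  if (E->EvaluateAsRValue(result, C))
    return GetValueRange(C, result.Val, E->getType(), MaxWidth);

  // I think we only want to look through implicit casts here; if the
  // user has an explicit widening cast, we should treat the value as
  // being of the new, wider type.
  if (ImplicitCastExpr *CE = dyn_cast<ImplicitCastExpr>(E)) {
    if (CE->getCastKind() == CK_NoOp || CE->getCastKind() == CK_LValueToRValue)
      return GetExprRange(C, CE->getSubExpr(), MaxWidth);

    IntRange OutputTypeRange = IntRange::forValueOfType(C, CE->getType());

    bool isIntegerCast = (CE->getCastKind() == CK_IntegralCast);

    // Assume that non-integer casts can span the full range of the type.
    if (!isIntegerCast)
      return OutputTypeRange;

    IntRange SubRange
      = GetExprRange(C, CE->getSubExpr(),
                     std::min(MaxWidth, OutputTypeRange.Width));

    // Bail out if the subexpr's range is as wide as the cast type.
    if (SubRange.Width >= OutputTypeRange.Width)
      return OutputTypeRange;

    // Otherwise, we take the smaller width, and we're non-negative if
    // either the output type or the subexpr is.
    return IntRange(SubRange.Width,
                    SubRange.NonNegative || OutputTypeRange.NonNegative);
  }

  if (ConditionalOperator *CO = dyn_cast<ConditionalOperator>(E)) {
    // If we can fold the condition, just take that operand.
    bool CondResult;
    if (CO->getCond()->EvaluateAsBooleanCondition(CondResult, C))
      return GetExprRange(C, CondResult ? CO->getTrueExpr()
                                        : CO->getFalseExpr(),
                          MaxWidth);

    // Otherwise, conservatively merge.
    IntRange L = GetExprRange(C, CO->getTrueExpr(), MaxWidth);
    IntRange R = GetExprRange(C, CO->getFalseExpr(), MaxWidth);
    return IntRange::join(L, R);
  }

  if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) {
    switch (BO->getOpcode()) {

    // Boolean-valued operations are single-bit and positive.
    case BO_LAnd:
    case BO_LOr:
    case BO_LT:
    case BO_GT:
    case BO_LE:
    case BO_GE:
    case BO_EQ:
    case BO_NE:
      return IntRange::forBoolType();

    // The type of the assignments is the type of the LHS, so the RHS
    // is not necessarily the same type.
    case BO_MulAssign:
    case BO_DivAssign:
    case BO_RemAssign:
    case BO_AddAssign:
    case BO_SubAssign:
    case BO_XorAssign:
    case BO_OrAssign:
      // TODO: bitfields?
      return IntRange::forValueOfType(C, E->getType());

    // Simple assignments just pass through the RHS, which will have
    // been coerced to the LHS type.
    case BO_Assign:
      // TODO: bitfields?
      return GetExprRange(C, BO->getRHS(), MaxWidth);

    // Operations with opaque sources are black-listed.
    case BO_PtrMemD:
    case BO_PtrMemI:
      return IntRange::forValueOfType(C, E->getType());

    // Bitwise-and uses the *infimum* of the two source ranges.
    case BO_And:
    case BO_AndAssign:
      return IntRange::meet(GetExprRange(C, BO->getLHS(), MaxWidth),
                            GetExprRange(C, BO->getRHS(), MaxWidth));

    // Left shift gets black-listed based on a judgement call.
    case BO_Shl:
      // ...except that we want to treat '1 << (blah)' as logically
      // positive.  It's an important idiom.
      if (IntegerLiteral *I
            = dyn_cast<IntegerLiteral>(BO->getLHS()->IgnoreParenCasts())) {
        if (I->getValue() == 1) {
          IntRange R = IntRange::forValueOfType(C, E->getType());
          return IntRange(R.Width, /*NonNegative*/ true);
        }
      }
      // fallthrough

    case BO_ShlAssign:
      return IntRange::forValueOfType(C, E->getType());

    // Right shift by a constant can narrow its left argument.
    case BO_Shr:
    case BO_ShrAssign: {
      IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth);

      // If the shift amount is a positive constant, drop the width by
      // that much.  Shifting out every bit leaves a single sign bit for
      // a possibly-negative value and nothing at all otherwise.
      llvm::APSInt shift;
      if (BO->getRHS()->isIntegerConstantExpr(shift, C) &&
          shift.isNonNegative()) {
        unsigned zext = shift.getZExtValue();
        if (zext >= L.Width)
          L.Width = (L.NonNegative ? 0 : 1);
        else
          L.Width -= zext;
      }

      return L;
    }

    // Comma acts as its right operand.
    case BO_Comma:
      return GetExprRange(C, BO->getRHS(), MaxWidth);

    // Black-list pointer subtractions.
    case BO_Sub:
      if (BO->getLHS()->getType()->isPointerType())
        return IntRange::forValueOfType(C, E->getType());
      break;

    // The width of a division result is mostly determined by the size
    // of the LHS.
    case BO_Div: {
      // Don't 'pre-truncate' the operands.
      unsigned opWidth = C.getIntWidth(E->getType());
      IntRange L = GetExprRange(C, BO->getLHS(), opWidth);

      // If the divisor is constant, use that.
      llvm::APSInt divisor;
      if (BO->getRHS()->isIntegerConstantExpr(divisor, C)) {
        unsigned log2 = divisor.logBase2(); // floor(log_2(divisor))
        if (log2 >= L.Width)
          L.Width = (L.NonNegative ? 0 : 1);
        else
          L.Width = std::min(L.Width - log2, MaxWidth);
        return L;
      }

      // Otherwise, just use the LHS's width.
      IntRange R = GetExprRange(C, BO->getRHS(), opWidth);
      return IntRange(L.Width, L.NonNegative && R.NonNegative);
    }

    // The result of a remainder can't be larger than the result of
    // either side.
    case BO_Rem: {
      // Don't 'pre-truncate' the operands.
      unsigned opWidth = C.getIntWidth(E->getType());
      IntRange L = GetExprRange(C, BO->getLHS(), opWidth);
      IntRange R = GetExprRange(C, BO->getRHS(), opWidth);

      IntRange meet = IntRange::meet(L, R);
      meet.Width = std::min(meet.Width, MaxWidth);
      return meet;
    }

    // The default behavior is okay for these.
    case BO_Mul:
    case BO_Add:
    case BO_Xor:
    case BO_Or:
      break;
    }

    // The default case is to treat the operation as if it were closed
    // on the narrowest type that encompasses both operands.
    IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth);
    IntRange R = GetExprRange(C, BO->getRHS(), MaxWidth);
    return IntRange::join(L, R);
  }

  if (UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) {
    switch (UO->getOpcode()) {
    // Boolean-valued operations are white-listed.
    case UO_LNot:
      return IntRange::forBoolType();

    // Operations with opaque sources are black-listed.
    case UO_Deref:
    case UO_AddrOf: // should be impossible
      return IntRange::forValueOfType(C, E->getType());

    default:
      return GetExprRange(C, UO->getSubExpr(), MaxWidth);
    }
  }

  // offsetof is an opaque source and gets the full range of its type.
  // This used to compute that range and discard it, falling through to
  // the identical default at the bottom; returning it directly makes the
  // intent explicit and avoids the dead statement.
  if (isa<OffsetOfExpr>(E))
    return IntRange::forValueOfType(C, E->getType());

  // A bit-field read is bounded by the declared field width.
  if (FieldDecl *BitField = E->getBitField())
    return IntRange(BitField->getBitWidthValue(C),
                    BitField->getType()->isUnsignedIntegerOrEnumerationType());

  // Anything else: the full range of the expression's type.
  return IntRange::forValueOfType(C, E->getType());
}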
3450 
/// Convenience overload: estimates the range of E truncated to the full
/// width of its own type.
IntRange GetExprRange(ASTContext &C, Expr *E) {
  unsigned OwnWidth = C.getIntWidth(E->getType());
  return GetExprRange(C, E, OwnWidth);
}
3454 
/// Checks whether the given value, which currently has the given
/// source semantics, has the same value when coerced through the
/// target semantics.
///
/// The value is rounded (ties-to-even) into Src and then into Tgt, and the
/// result is compared bit-for-bit with the original.
bool IsSameFloatAfterCast(const llvm::APFloat &value,
                          const llvm::fltSemantics &Src,
                          const llvm::fltSemantics &Tgt) {
  // The "loses info" flag from convert() is not needed: the bitwise
  // comparison below is the real test.
  bool losesInfo;
  llvm::APFloat roundTripped(value);
  roundTripped.convert(Src, llvm::APFloat::rmNearestTiesToEven, &losesInfo);
  roundTripped.convert(Tgt, llvm::APFloat::rmNearestTiesToEven, &losesInfo);
  return roundTripped.bitwiseIsEqual(value);
}
3469 
/// Checks whether the given value, which currently has the given
/// source semantics, has the same value when coerced through the
/// target semantics.
///
/// The value might be a vector of floats (or a complex number); a vector
/// passes only if every element does, a complex number only if both parts
/// do.
bool IsSameFloatAfterCast(const APValue &value,
                          const llvm::fltSemantics &Src,
                          const llvm::fltSemantics &Tgt) {
  if (value.isFloat())
    return IsSameFloatAfterCast(value.getFloat(), Src, Tgt);

  if (value.isVector()) {
    unsigned Length = value.getVectorLength();
    for (unsigned Idx = 0; Idx < Length; ++Idx) {
      const APValue &Elt = value.getVectorElt(Idx);
      if (!IsSameFloatAfterCast(Elt, Src, Tgt))
        return false;
    }
    return true;
  }

  assert(value.isComplexFloat());
  bool RealSame = IsSameFloatAfterCast(value.getComplexFloatReal(), Src, Tgt);
  // Short-circuit: the imaginary part is only examined if the real part
  // survived, as before.
  return RealSame &&
         IsSameFloatAfterCast(value.getComplexFloatImag(), Src, Tgt);
}
3492 
3493 void AnalyzeImplicitConversions(Sema &S, Expr *E, SourceLocation CC);
3494 
/// Returns true if E is an integer constant expression equal to zero that
/// is worth warning about: enumerator constants and zeros spelled via a
/// macro are deliberately not reported.
static bool IsZero(Sema &S, Expr *E) {
  // Suppress cases where we are comparing against an enum constant.
  Expr *Stripped = E->IgnoreParenImpCasts();
  const DeclRefExpr *Ref = dyn_cast<DeclRefExpr>(Stripped);
  if (Ref && isa<EnumConstantDecl>(Ref->getDecl()))
    return false;

  // Suppress cases where the '0' value is expanded from a macro.
  if (E->getLocStart().isMacroID())
    return false;

  llvm::APSInt Folded;
  if (!E->isIntegerConstantExpr(Folded, S.Context))
    return false;
  return Folded == 0;
}
3509 
/// Returns true if E has enumeration type once implicit integral
/// promotions (CK_IntegralCast / CK_NoOp) are peeled off.
static bool HasEnumType(Expr *E) {
  for (;;) {
    ImplicitCastExpr *Cast = dyn_cast<ImplicitCastExpr>(E);
    if (!Cast)
      break;
    CastKind Kind = Cast->getCastKind();
    // Any other cast kind changes the value; stop there.
    if (Kind != CK_IntegralCast && Kind != CK_NoOp)
      break;
    E = Cast->getSubExpr();
  }

  return E->getType()->isEnumeralType();
}
3521 
/// Diagnoses comparisons of an unsigned operand against zero that are
/// always true or always false ("x < 0", "x >= 0", "0 > x", "0 <= x").
/// Value-dependent comparisons are skipped.
void CheckTrivialUnsignedComparison(Sema &S, BinaryOperator *E) {
  if (E->isValueDependent())
    return;

  Expr *LHS = E->getLHS();
  Expr *RHS = E->getRHS();
  SourceLocation OpLoc = E->getOperatorLoc();

  switch (E->getOpcode()) {
  case BO_LT:
    if (IsZero(S, RHS))
      S.Diag(OpLoc, diag::warn_lunsigned_always_true_comparison)
        << "< 0" << "false" << HasEnumType(LHS)
        << LHS->getSourceRange() << RHS->getSourceRange();
    break;
  case BO_GE:
    if (IsZero(S, RHS))
      S.Diag(OpLoc, diag::warn_lunsigned_always_true_comparison)
        << ">= 0" << "true" << HasEnumType(LHS)
        << LHS->getSourceRange() << RHS->getSourceRange();
    break;
  case BO_GT:
    if (IsZero(S, LHS))
      S.Diag(OpLoc, diag::warn_runsigned_always_true_comparison)
        << "0 >" << "false" << HasEnumType(RHS)
        << LHS->getSourceRange() << RHS->getSourceRange();
    break;
  case BO_LE:
    if (IsZero(S, LHS))
      S.Diag(OpLoc, diag::warn_runsigned_always_true_comparison)
        << "0 <=" << "true" << HasEnumType(RHS)
        << LHS->getSourceRange() << RHS->getSourceRange();
    break;
  default:
    break;
  }
}
3545 
/// Analyze the operands of the given comparison.  Implements the
/// fallback case from AnalyzeComparison: each side is checked for
/// implicit conversions with the operator location as context.
void AnalyzeImpConvsInComparison(Sema &S, BinaryOperator *E) {
  SourceLocation OpLoc = E->getOperatorLoc();
  AnalyzeImplicitConversions(S, E->getLHS(), OpLoc);
  AnalyzeImplicitConversions(S, E->getRHS(), OpLoc);
}
3552 
/// \brief Implements -Wsign-compare.
///
/// Only unsigned integral comparisons with exactly one signed operand are
/// interesting; everything else is routed to the generic implicit
/// conversion analysis (and, for all-unsigned comparisons, the
/// always-true/false check).
///
/// \param S the Sema used for diagnostics and the AST context
/// \param E the binary operator to check for warnings
void AnalyzeComparison(Sema &S, BinaryOperator *E) {
  // The type the comparison is being performed in.
  QualType CmpType = E->getLHS()->getType();
  assert(S.Context.hasSameUnqualifiedType(CmpType, E->getRHS()->getType())
         && "comparison with mismatched types");

  // Signed comparisons only happen in cases we don't care to warn about,
  // and neither value-dependent expressions nor constant results matter.
  bool Uninteresting = !CmpType->hasUnsignedIntegerRepresentation()
                       || E->isValueDependent()
                       || E->isIntegerConstantExpr(S.Context);
  if (Uninteresting) {
    AnalyzeImpConvsInComparison(S, E);
    return;
  }

  Expr *Left = E->getLHS()->IgnoreParenImpCasts();
  Expr *Right = E->getRHS()->IgnoreParenImpCasts();

  // Find which (unmodified) operand, if any, has signed representation.
  Expr *SignedSide = 0;
  Expr *UnsignedSide = 0;
  if (Left->getType()->hasSignedIntegerRepresentation()) {
    assert(!Right->getType()->hasSignedIntegerRepresentation() &&
           "unsigned comparison between two signed integer expressions?");
    SignedSide = Left;
    UnsignedSide = Right;
  } else if (Right->getType()->hasSignedIntegerRepresentation()) {
    SignedSide = Right;
    UnsignedSide = Left;
  }

  // Both sides unsigned: only the trivially true/false forms can be
  // diagnosed.
  if (!SignedSide) {
    CheckTrivialUnsignedComparison(S, E);
    AnalyzeImpConvsInComparison(S, E);
    return;
  }

  // Calculate the effective range of the signed operand before looking at
  // the implicit conversions (which are skipped on both sides).
  IntRange SignedRange = GetExprRange(S.Context, SignedSide);

  SourceLocation OpLoc = E->getOperatorLoc();
  AnalyzeImplicitConversions(S, Left, OpLoc);
  AnalyzeImplicitConversions(S, Right, OpLoc);

  // A provably non-negative signed operand cannot trigger -Wsign-compare,
  // but the comparison may still be always true or false.
  if (SignedRange.NonNegative) {
    CheckTrivialUnsignedComparison(S, E);
    return;
  }

  // For (in)equality comparisons, if the unsigned operand is a
  // constant which cannot collide with a overflowed signed operand,
  // then reinterpreting the signed operand as unsigned will not
  // change the result of the comparison.
  if (E->isEqualityOp()) {
    unsigned CmpWidth = S.Context.getIntWidth(CmpType);
    IntRange UnsignedRange = GetExprRange(S.Context, UnsignedSide);

    // We should never be unable to prove that the unsigned operand is
    // non-negative.
    assert(UnsignedRange.NonNegative && "unsigned range includes negative?");

    if (UnsignedRange.Width < CmpWidth)
      return;
  }

  S.Diag(OpLoc, diag::warn_mixed_sign_comparison)
    << Left->getType() << Right->getType()
    << Left->getSourceRange() << Right->getSourceRange();
}
3625 
/// Analyzes an attempt to assign the given value to a bitfield.
///
/// Warns when a constant initializer has more bits than the field and
/// does not survive a round trip through the field width (sign-extended
/// for negative signed constants, zero-extended otherwise).
///
/// \returns true if there was something fishy about the attempt.
bool AnalyzeBitFieldAssignment(Sema &S, FieldDecl *Bitfield, Expr *Init,
                               SourceLocation InitLoc) {
  assert(Bitfield->isBitField());
  if (Bitfield->isInvalidDecl())
    return false;

  // White-list bool bitfields.
  if (Bitfield->getType()->isBooleanType())
    return false;

  // Ignore value- or type-dependent expressions.
  Expr *WidthExpr = Bitfield->getBitWidth();
  bool Dependent = WidthExpr->isValueDependent() ||
                   WidthExpr->isTypeDependent() ||
                   Init->isValueDependent() ||
                   Init->isTypeDependent();
  if (Dependent)
    return false;

  Expr *Stripped = Init->IgnoreParenImpCasts();

  llvm::APSInt Constant;
  if (!Stripped->EvaluateAsInt(Constant, S.Context, Expr::SE_AllowSideEffects))
    return false;

  unsigned ConstantWidth = Constant.getBitWidth();
  unsigned FieldWidth = Bitfield->getBitWidthValue(S.Context);
  if (ConstantWidth <= FieldWidth)
    return false;

  // It's fairly common to write values into signed bitfields
  // that, if sign-extended, would end up becoming a different
  // value.  We don't want to warn about that.
  llvm::APSInt Narrowed = Constant.trunc(FieldWidth);
  bool SignExtend = Constant.isSigned() && Constant.isNegative();
  llvm::APSInt RoundTripped = SignExtend ? Narrowed.sext(ConstantWidth)
                                         : Narrowed.zext(ConstantWidth);
  if (Constant == RoundTripped)
    return false;

  std::string PrettyOriginal = Constant.toString(10);
  std::string PrettyRoundTripped = RoundTripped.toString(10);

  S.Diag(InitLoc, diag::warn_impcast_bitfield_precision_constant)
    << PrettyOriginal << PrettyRoundTripped << Stripped->getType()
    << Init->getSourceRange();

  return true;
}
3680 
/// Analyze the given simple or compound assignment for warning-worthy
/// operations.
///
/// The LHS is always analyzed.  The RHS is analyzed as-is, unless the
/// target is a bitfield and the bitfield check already complained, in
/// which case the RHS's own implicit conversions are skipped to avoid a
/// second diagnostic for the same narrowing.
void AnalyzeAssignment(Sema &S, BinaryOperator *E) {
  SourceLocation OpLoc = E->getOperatorLoc();
  Expr *RHS = E->getRHS();

  // Just recurse on the LHS.
  AnalyzeImplicitConversions(S, E->getLHS(), OpLoc);

  FieldDecl *Bitfield = E->getLHS()->getBitField();
  bool BitfieldComplained =
    Bitfield && AnalyzeBitFieldAssignment(S, Bitfield, RHS, OpLoc);
  Expr *RHSToAnalyze = BitfieldComplained ? RHS->IgnoreParenImpCasts() : RHS;
  AnalyzeImplicitConversions(S, RHSToAnalyze, OpLoc);
}
3700 
/// Diagnose an implicit cast;  purely a helper for CheckImplicitConversion.
///
/// \param SourceType the type being converted from
/// \param T the type being converted to
/// \param CContext the location of the conversion context, reported as a
///   secondary range
/// \param diag the diagnostic ID to emit
void DiagnoseImpCast(Sema &S, Expr *E, QualType SourceType, QualType T,
                     SourceLocation CContext, unsigned diag) {
  SourceRange ContextRange(CContext);
  SourceLocation Loc = E->getExprLoc();
  S.Diag(Loc, diag)
    << SourceType << T << E->getSourceRange() << ContextRange;
}
3707 
/// Diagnose an implicit cast;  purely a helper for CheckImplicitConversion.
/// This overload takes the source type from the expression itself.
void DiagnoseImpCast(Sema &S, Expr *E, QualType T, SourceLocation CContext,
                     unsigned diag) {
  QualType SourceType = E->getType();
  DiagnoseImpCast(S, E, SourceType, T, CContext, diag);
}
3713 
/// Diagnose an implicit cast from a literal expression. Does not warn when the
/// cast wouldn't lose information.
///
/// \param FL the floating literal being converted
/// \param T the integer type it is converted to
/// \param CContext the location of the construct requiring the conversion
void DiagnoseFloatingLiteralImpCast(Sema &S, FloatingLiteral *FL, QualType T,
                                    SourceLocation CContext) {
  const llvm::APFloat &Value = FL->getValue();
  const unsigned TargetWidth = S.Context.getIntWidth(T);
  const bool TargetUnsigned = T->hasUnsignedIntegerRepresentation();
  llvm::APSInt IntegerValue(TargetWidth, TargetUnsigned);

  // An exact round-trip into the target integer type loses nothing, so there
  // is nothing to warn about.
  bool IsExact = false;
  const llvm::APFloat::opStatus Status =
    Value.convertToInteger(IntegerValue, llvm::APFloat::rmTowardZero, &IsExact);
  if (Status == llvm::APFloat::opOK && IsExact)
    return;

  S.Diag(FL->getExprLoc(), diag::warn_impcast_literal_float_to_integer)
    << FL->getType() << T << FL->getSourceRange() << SourceRange(CContext);
}
3731 
/// Render \p Value as it would read after being forced into \p Range: the
/// signedness becomes that of the range and the value is truncated to the
/// range's width.  A zero-width range renders as "0".
std::string PrettyPrintInRange(const llvm::APSInt &Value, IntRange Range) {
  if (Range.Width == 0)
    return "0";

  llvm::APSInt Narrowed(Value);
  Narrowed.setIsSigned(!Range.NonNegative);
  Narrowed = Narrowed.trunc(Range.Width);
  return Narrowed.toString(10);
}
3740 
/// Check a single implicit conversion of \p E to the type \p T and emit the
/// matching -Wconversion-family diagnostic, if any applies.
///
/// The checks run in this order: conversions to bool (string literals and
/// function designators), vector/scalar and complex/scalar mismatches,
/// floating-point rank loss and float-to-integer conversions, integer
/// narrowing and sign changes, and conversions between distinct named
/// enumeration types.  Each branch returns as soon as it has decided.
///
/// \param CC the location of the construct requiring the conversion; an
///   invalid location suppresses every diagnostic below.
/// \param ICContext when non-null, the conversion is an operand of a
///   conditional operator: a signedness change then uses the sign-compare
///   flavored diagnostic and sets *ICContext to true so the caller can
///   follow up.
void CheckImplicitConversion(Sema &S, Expr *E, QualType T,
                             SourceLocation CC, bool *ICContext = 0) {
  if (E->isTypeDependent() || E->isValueDependent()) return;

  const Type *Source = S.Context.getCanonicalType(E->getType()).getTypePtr();
  const Type *Target = S.Context.getCanonicalType(T).getTypePtr();
  if (Source == Target) return;
  if (Target->isDependentType()) return;

  // If the conversion context location is invalid don't complain. We also
  // don't want to emit a warning if the issue occurs from the expansion of
  // a system macro. The problem is that 'getSpellingLoc()' is slow, so we
  // delay this check as long as possible. Once we detect we are in that
  // scenario, we just return.
  if (CC.isInvalid())
    return;

  // Diagnose implicit casts to bool.
  if (Target->isSpecificBuiltinType(BuiltinType::Bool)) {
    if (isa<StringLiteral>(E))
      // Warn on string literal to bool.  Checks for string literals in logical
      // expressions, for instance, assert(0 && "error here"), is prevented
      // by a check in AnalyzeImplicitConversions().
      return DiagnoseImpCast(S, E, T, CC,
                             diag::warn_impcast_string_literal_to_bool);
    if (Source->isFunctionType()) {
      // Warn on function to bool. Checks free functions and static member
      // functions. Weakly imported functions are excluded from the check,
      // since it's common to test their value to check whether the linker
      // found a definition for them.
      ValueDecl *D = 0;
      if (DeclRefExpr* R = dyn_cast<DeclRefExpr>(E)) {
        D = R->getDecl();
      } else if (MemberExpr *M = dyn_cast<MemberExpr>(E)) {
        D = M->getMemberDecl();
      }

      if (D && !D->isWeak()) {
        if (FunctionDecl* F = dyn_cast<FunctionDecl>(D)) {
          S.Diag(E->getExprLoc(), diag::warn_impcast_function_to_bool)
            << F << E->getSourceRange() << SourceRange(CC);
          // Silencing fix-it: take the function's address explicitly.
          S.Diag(E->getExprLoc(), diag::note_function_to_bool_silence)
            << FixItHint::CreateInsertion(E->getExprLoc(), "&");
          // If the function itself returns bool, the author probably meant
          // to call it; offer a second fix-it that adds the call parens.
          QualType ReturnType;
          UnresolvedSet<4> NonTemplateOverloads;
          S.isExprCallable(*E, ReturnType, NonTemplateOverloads);
          if (!ReturnType.isNull()
              && ReturnType->isSpecificBuiltinType(BuiltinType::Bool))
            S.Diag(E->getExprLoc(), diag::note_function_to_bool_call)
              << FixItHint::CreateInsertion(
                 S.getPreprocessor().getLocForEndOfToken(E->getLocEnd()), "()");
          return;
        }
      }
    }
    return; // Other casts to bool are not checked.
  }

  // Strip vector types.
  if (isa<VectorType>(Source)) {
    if (!isa<VectorType>(Target)) {
      if (S.SourceMgr.isInSystemMacro(CC))
        return;
      return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_vector_scalar);
    }

    // If the vector cast is cast between two vectors of the same size, it is
    // a bitcast, not a conversion.
    if (S.Context.getTypeSize(Source) == S.Context.getTypeSize(Target))
      return;

    // Otherwise check the element types against each other below.
    Source = cast<VectorType>(Source)->getElementType().getTypePtr();
    Target = cast<VectorType>(Target)->getElementType().getTypePtr();
  }

  // Strip complex types.
  if (isa<ComplexType>(Source)) {
    if (!isa<ComplexType>(Target)) {
      if (S.SourceMgr.isInSystemMacro(CC))
        return;

      return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_complex_scalar);
    }

    Source = cast<ComplexType>(Source)->getElementType().getTypePtr();
    Target = cast<ComplexType>(Target)->getElementType().getTypePtr();
  }

  const BuiltinType *SourceBT = dyn_cast<BuiltinType>(Source);
  const BuiltinType *TargetBT = dyn_cast<BuiltinType>(Target);

  // If the source is floating point...
  if (SourceBT && SourceBT->isFloatingPoint()) {
    // ...and the target is floating point...
    if (TargetBT && TargetBT->isFloatingPoint()) {
      // ...then warn if we're dropping FP rank.

      // Builtin FP kinds are ordered by increasing FP rank.
      if (SourceBT->getKind() > TargetBT->getKind()) {
        // Don't warn about float constants that are precisely
        // representable in the target type.
        Expr::EvalResult result;
        if (E->EvaluateAsRValue(result, S.Context)) {
          // Value might be a float, a float vector, or a float complex.
          if (IsSameFloatAfterCast(result.Val,
                   S.Context.getFloatTypeSemantics(QualType(TargetBT, 0)),
                   S.Context.getFloatTypeSemantics(QualType(SourceBT, 0))))
            return;
        }

        if (S.SourceMgr.isInSystemMacro(CC))
          return;

        DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_precision);
      }
      return;
    }

    // If the target is integral, always warn.
    if ((TargetBT && TargetBT->isInteger())) {
      if (S.SourceMgr.isInSystemMacro(CC))
        return;

      Expr *InnerE = E->IgnoreParenImpCasts();
      // We also want to warn on, e.g., "int i = -1.234"
      if (UnaryOperator *UOp = dyn_cast<UnaryOperator>(InnerE))
        if (UOp->getOpcode() == UO_Minus || UOp->getOpcode() == UO_Plus)
          InnerE = UOp->getSubExpr()->IgnoreParenImpCasts();

      // A literal gets the exactness check (and its own diagnostic); any
      // other floating expression is always reported.
      if (FloatingLiteral *FL = dyn_cast<FloatingLiteral>(InnerE)) {
        DiagnoseFloatingLiteralImpCast(S, FL, T, CC);
      } else {
        DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_integer);
      }
    }

    return;
  }

  // Everything below is integer-to-integer.
  if (!Source->isIntegerType() || !Target->isIntegerType())
    return;

  // (Target->isIntegerType() was already established just above.)
  if ((E->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNotNull)
           == Expr::NPCK_GNUNull) && Target->isIntegerType()) {
    S.Diag(E->getExprLoc(), diag::warn_impcast_null_pointer_to_integer)
        << E->getSourceRange() << clang::SourceRange(CC);
    return;
  }

  // Note: this local shadows the clang::SourceRange type for the rest of the
  // function, which is why the qualified clang::SourceRange is used below.
  IntRange SourceRange = GetExprRange(S.Context, E);
  IntRange TargetRange = IntRange::forTargetOfCanonicalType(S.Context, Target);

  if (SourceRange.Width > TargetRange.Width) {
    // If the source is a constant, use a default-on diagnostic.
    // TODO: this should happen for bitfield stores, too.
    llvm::APSInt Value(32);
    if (E->isIntegerConstantExpr(Value, S.Context)) {
      if (S.SourceMgr.isInSystemMacro(CC))
        return;

      std::string PrettySourceValue = Value.toString(10);
      std::string PrettyTargetValue = PrettyPrintInRange(Value, TargetRange);

      S.DiagRuntimeBehavior(E->getExprLoc(), E,
        S.PDiag(diag::warn_impcast_integer_precision_constant)
            << PrettySourceValue << PrettyTargetValue
            << E->getType() << T << E->getSourceRange()
            << clang::SourceRange(CC));
      return;
    }

    // People want to build with -Wshorten-64-to-32 and not -Wconversion.
    if (S.SourceMgr.isInSystemMacro(CC))
      return;

    if (SourceRange.Width == 64 && TargetRange.Width == 32)
      return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_64_32);
    return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_precision);
  }

  // Sign change: a possibly-negative source into a non-negative target, or a
  // non-negative source of the same width into a signed target.
  if ((TargetRange.NonNegative && !SourceRange.NonNegative) ||
      (!TargetRange.NonNegative && SourceRange.NonNegative &&
       SourceRange.Width == TargetRange.Width)) {

    if (S.SourceMgr.isInSystemMacro(CC))
      return;

    unsigned DiagID = diag::warn_impcast_integer_sign;

    // Traditionally, gcc has warned about this under -Wsign-compare.
    // We also want to warn about it in -Wconversion.
    // So if -Wconversion is off, use a completely identical diagnostic
    // in the sign-compare group.
    // The conditional-checking code (CheckConditionalOperator) reads the
    // flag set through ICContext to decide whether to re-check the operands
    // against the conditional's own type.
    if (ICContext) {
      DiagID = diag::warn_impcast_integer_sign_conditional;
      *ICContext = true;
    }

    return DiagnoseImpCast(S, E, T, CC, DiagID);
  }

  // Diagnose conversions between different enumeration types.
  // In C, we pretend that the type of an EnumConstantDecl is its enumeration
  // type, to give us better diagnostics.
  QualType SourceType = E->getType();
  if (!S.getLangOptions().CPlusPlus) {
    if (DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E))
      if (EnumConstantDecl *ECD = dyn_cast<EnumConstantDecl>(DRE->getDecl())) {
        EnumDecl *Enum = cast<EnumDecl>(ECD->getDeclContext());
        SourceType = S.Context.getTypeDeclType(Enum);
        Source = S.Context.getCanonicalType(SourceType).getTypePtr();
      }
  }

  // Only enumerations that have a name (directly or via a typedef of an
  // anonymous enum) are compared; distinct named enums are reported.
  if (const EnumType *SourceEnum = Source->getAs<EnumType>())
    if (const EnumType *TargetEnum = Target->getAs<EnumType>())
      if ((SourceEnum->getDecl()->getIdentifier() ||
           SourceEnum->getDecl()->getTypedefNameForAnonDecl()) &&
          (TargetEnum->getDecl()->getIdentifier() ||
           TargetEnum->getDecl()->getTypedefNameForAnonDecl()) &&
          SourceEnum != TargetEnum) {
        if (S.SourceMgr.isInSystemMacro(CC))
          return;

        return DiagnoseImpCast(S, E, SourceType, T, CC,
                               diag::warn_impcast_different_enum_types);
      }

  return;
}
3972 
3973 void CheckConditionalOperator(Sema &S, ConditionalOperator *E, QualType T);
3974 
/// Check one arm of a conditional operator against the context type \p T.
///
/// A nested conditional operator is handed to CheckConditionalOperator.
/// Otherwise the arm's own implicit conversions are analyzed and, when its
/// type differs from \p T, the conversion to \p T is checked with
/// \p ICContext so a suspicious signedness change is reported back through
/// that flag.
void CheckConditionalOperand(Sema &S, Expr *E, QualType T,
                             SourceLocation CC, bool &ICContext) {
  Expr *Operand = E->IgnoreParenImpCasts();

  if (isa<ConditionalOperator>(Operand)) {
    CheckConditionalOperator(S, cast<ConditionalOperator>(Operand), T);
    return;
  }

  AnalyzeImplicitConversions(S, Operand, CC);
  if (Operand->getType() == T)
    return;
  CheckImplicitConversion(S, Operand, T, CC, &ICContext);
}
3987 
/// Analyze a conditional operator whose result is converted to \p T.
///
/// The condition is analyzed on its own; each arm is checked as if it were
/// converted directly to \p T.  If an arm tripped the signedness-conversion
/// flag while that conditional-specific diagnostic is ignored, the arms are
/// re-checked against the operator's own type instead.
void CheckConditionalOperator(Sema &S, ConditionalOperator *E, QualType T) {
  const SourceLocation CC = E->getQuestionLoc();
  Expr *TrueArm = E->getTrueExpr();
  Expr *FalseArm = E->getFalseExpr();

  AnalyzeImplicitConversions(S, E->getCond(), CC);

  bool Suspicious = false;
  CheckConditionalOperand(S, TrueArm, T, CC, Suspicious);
  CheckConditionalOperand(S, FalseArm, T, CC, Suspicious);

  // Nothing to follow up on unless -Wconversion would have warned about a
  // signedness conversion of one of the arms to the context type...
  if (!Suspicious)
    return;

  // ...and that conditional flavor of the warning is currently ignored...
  if (S.Diags.getDiagnosticLevel(diag::warn_impcast_integer_sign_conditional,
                                 CC))
    return;

  // ...and the operator's own type differs from the context type.
  const QualType CondType = E->getType();
  if (CondType == T)
    return;

  // Would the same signedness warning have fired for a conversion of either
  // arm to the operator's own type?  Stop at the first arm that says yes.
  Suspicious = false;
  CheckImplicitConversion(S, TrueArm->IgnoreParenImpCasts(), CondType, CC,
                          &Suspicious);
  if (!Suspicious)
    CheckImplicitConversion(S, FalseArm->IgnoreParenImpCasts(), CondType, CC,
                            &Suspicious);
}
4017 
/// AnalyzeImplicitConversions - Find and report any interesting
/// implicit conversions in the given expression.  There are a couple
/// of competing diagnostics here, -Wconversion and -Wsign-compare.
///
/// \param OrigE the expression whose outer type is the conversion context
/// \param CC the location of the construct requiring the conversion
void AnalyzeImplicitConversions(Sema &S, Expr *OrigE, SourceLocation CC) {
  const QualType ContextType = OrigE->getType();
  Expr *E = OrigE->IgnoreParenImpCasts();

  if (E->isTypeDependent() || E->isValueDependent())
    return;

  // Conditional operators: each arm is checked as if it fed the result
  // directly, so hand the whole thing to the dedicated routine.
  if (isa<ConditionalOperator>(E))
    return CheckConditionalOperator(S, cast<ConditionalOperator>(E),
                                    ContextType);

  // Whatever implicit conversions were stripped above still need checking.
  // Comparing non-canonical types here is only a shortcut; dead conversions
  // are filtered out by CheckImplicitConversion itself.
  if (E->getType() != ContextType)
    CheckImplicitConversion(S, E, ContextType, CC);

  // Explicit casts are transparent: analyze what they wrap.
  if (isa<ExplicitCastExpr>(E)) {
    Expr *Operand =
      cast<ExplicitCastExpr>(E)->getSubExpr()->IgnoreParenImpCasts();
    return AnalyzeImplicitConversions(S, Operand, CC);
  }

  BinaryOperator *BO = dyn_cast<BinaryOperator>(E);
  if (BO) {
    // Comparisons and (compound) assignments get their own treatment.
    if (BO->isComparisonOp())
      return AnalyzeComparison(S, BO);
    if (BO->isAssignmentOp())
      return AnalyzeAssignment(S, BO);
  }

  // Statement expressions break the otherwise-useful invariant below, but
  // their inner expressions were already analyzed when they were built into
  // statements, so there is no need to recurse.
  if (isa<StmtExpr>(E))
    return;

  // Unevaluated contexts (sizeof and friends) are not descended into.
  if (isa<UnaryExprOrTypeTraitExpr>(E))
    return;

  // Recurse into the children, using this expression as the new context.
  // String literals that are direct operands of a logical operator are
  // deliberately skipped.
  const bool SkipStringLiterals = BO && BO->isLogicalOp();
  const SourceLocation ChildCC = E->getExprLoc();
  for (Stmt::child_range I = E->children(); I; ++I) {
    Expr *Child = cast<Expr>(*I);
    if (SkipStringLiterals && isa<StringLiteral>(Child->IgnoreParenImpCasts()))
      continue;
    AnalyzeImplicitConversions(S, Child, ChildCC);
  }
}
4082 
4083 } // end anonymous namespace
4084 
/// Diagnoses "dangerous" implicit conversions within the given
/// expression (which is a full expression).  Implements -Wconversion
/// and -Wsign-compare.
///
/// \param E the full expression to analyze
/// \param CC the "context" location of the implicit conversion, i.e.
///   the location of the syntactic entity requiring the implicit
///   conversion
void Sema::CheckImplicitConversions(Expr *E, SourceLocation CC) {
  // Nothing to diagnose in an unevaluated context or for a type- or
  // value-dependent expression.
  const bool InUnevaluatedContext =
    ExprEvalContexts.back().Context == Sema::Unevaluated;
  if (InUnevaluatedContext || E->isTypeDependent() || E->isValueDependent())
    return;

  // Array-bounds checking is hooked in here because for some Expr kinds
  // (e.g. an ArraySubscriptExpr on the RHS of a variable initialization)
  // no other path triggers it.
  CheckArrayAccess(E);

  // Note: for (e.g.) a variable initialization this is not the right CC.
  AnalyzeImplicitConversions(*this, E, CC);
}
4109 
/// Run the bitfield-store analysis on a bitfield initializer.
/// AnalyzeBitFieldAssignment emits the diagnostic itself; whether it did so
/// is of no interest here.
void Sema::CheckBitFieldInitialization(SourceLocation InitLoc,
                                       FieldDecl *BitField,
                                       Expr *Init) {
  const bool Diagnosed =
    AnalyzeBitFieldAssignment(*this, BitField, Init, InitLoc);
  (void) Diagnosed;
}
4115 
/// CheckParmsForFunctionDef - Check that the parameters of the given
/// function are appropriate for the definition of a function. This
/// takes care of any checks that cannot be performed on the
/// declaration itself, e.g., that the types of each of the function
/// parameters are complete.
///
/// \param P, PEnd the range of parameters to check
/// \param CheckParameterNames whether an unnamed parameter is an error
///   (C only; C++ allows unnamed parameters)
/// \returns true if at least one parameter was marked invalid
bool Sema::CheckParmsForFunctionDef(ParmVarDecl **P, ParmVarDecl **PEnd,
                                    bool CheckParameterNames) {
  const bool IsCPlusPlus = getLangOptions().CPlusPlus;
  bool HasInvalidParm = false;

  for (ParmVarDecl **It = P; It != PEnd; ++It) {
    ParmVarDecl *Param = *It;
    const SourceLocation ParamLoc = Param->getLocation();

    // C99 6.7.5.3p4 / C++ [dcl.fct]p6: the parameters of a function
    // definition shall not have incomplete type.
    if (!Param->isInvalidDecl()) {
      if (RequireCompleteType(ParamLoc, Param->getType(),
                              diag::err_typecheck_decl_incomplete_type)) {
        Param->setInvalidDecl();
        HasInvalidParm = true;
      }
    }

    // C99 6.9.1p5: every parameter in a parameter type list that is part of
    // a definition must be named.
    const bool Unnamed = !Param->getIdentifier() && !Param->isImplicit();
    if (CheckParameterNames && Unnamed && !IsCPlusPlus)
      Diag(ParamLoc, diag::err_parameter_name_omitted);

    // C99 6.7.5.3p12: the [*] notation for variable length array types is
    // only permitted when the declarator is not part of a definition.
    const QualType OriginalType = Param->getOriginalType();
    const ArrayType *AT = Context.getAsArrayType(OriginalType);
    if (AT && AT->getSizeModifier() == ArrayType::Star) {
      // FIXME: This diagnostic should point at the '[*]' once source-location
      // information is recorded for it.
      Diag(ParamLoc, diag::err_array_star_in_function_definition);
    }
  }

  return HasInvalidParm;
}
4164 
/// CheckCastAlign - Implements -Wcast-align, which warns when a
/// pointer cast increases the alignment requirements.
///
/// \param Op the operand being cast
/// \param T the destination type
/// \param TRange the source range of the written destination type
void Sema::CheckCastAlign(Expr *Op, QualType T, SourceRange TRange) {
  const SourceLocation Loc = TRange.getBegin();

  // All of the work below is wasted when -Wcast-align is off (the default),
  // and this runs on every cast, so bail out early in that case.
  if (getDiagnostics().getDiagnosticLevel(diag::warn_cast_align, Loc)
        == DiagnosticsEngine::Ignored)
    return;

  const QualType SrcType = Op->getType();
  if (T->isDependentType() || SrcType->isDependentType())
    return;

  // The destination must be a pointer to a complete type whose alignment
  // exceeds 1; an alignment of 1 can never be violated.
  const PointerType *DestPtr = T->getAs<PointerType>();
  if (!DestPtr)
    return;
  const QualType DestPointee = DestPtr->getPointeeType();
  if (DestPointee->isIncompleteType())
    return;
  const CharUnits DestAlign = Context.getTypeAlignInChars(DestPointee);
  if (DestAlign.isOne())
    return;

  // The source must be a pointer too.
  const PointerType *SrcPtr = SrcType->getAs<PointerType>();
  if (!SrcPtr)
    return;

  // Casts from cv void* (and from any other incomplete pointee) are
  // whitelisted; casts to cv void* were already excluded by alignment 1.
  const QualType SrcPointee = SrcPtr->getPointeeType();
  if (SrcPointee->isIncompleteType())
    return;

  const CharUnits SrcAlign = Context.getTypeAlignInChars(SrcPointee);
  if (SrcAlign >= DestAlign)
    return;

  Diag(Loc, diag::warn_cast_align)
    << SrcType << T
    << static_cast<unsigned>(SrcAlign.getQuantity())
    << static_cast<unsigned>(DestAlign.getQuantity())
    << TRange << Op->getSourceRange();
}
4209 
/// Return the type an index applied to \p BaseExpr would select: the pointee
/// for a pointer, the innermost element type for an array, and the
/// expression's own type otherwise.
static const Type* getElementType(const Expr *BaseExpr) {
  const Type *Ty = BaseExpr->getType().getTypePtr();
  if (Ty->isAnyPointerType())
    return Ty->getPointeeType().getTypePtr();
  if (Ty->isArrayType())
    return Ty->getBaseElementTypeUnsafe();
  return Ty;
}
4218 
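/// \brief Check whether this array fits the idiom of a size-one tail padded
/// array member of a struct.
///
/// We avoid emitting out-of-bounds access warnings for such arrays as they are
/// commonly used to emulate flexible arrays in C89 code.
///
/// \param Size the element count of the array being indexed
/// \param ND the declaration the array expression refers to, if any
/// \returns true only when \p ND is a field of size exactly one whose size
///   was written as a literal outside any macro expansion, in a non-union
///   (and, for C++, standard-layout) record, with no other field after it.
static bool IsTailPaddedMemberArray(Sema &S, llvm::APInt Size,
                                    const NamedDecl *ND) {
  if (Size != 1 || !ND) return false;

  const FieldDecl *FD = dyn_cast<FieldDecl>(ND);
  if (!FD) return false;

  // Don't consider sizes resulting from macro expansions or template argument
  // substitution to form C89 tail-padded arrays.
  //
  // The caller only knows the field's *canonical* type is a constant array;
  // the written type may be a typedef of one, so look through typedefs to
  // reach the array's own TypeLoc instead of assuming the outermost TypeLoc
  // is the array (an unconditional cast<> is wrong on a TypedefTypeLoc).
  // Anything else written in front of the array is conservatively treated
  // as "not the idiom", i.e. the access is still reported.
  TypeSourceInfo *TInfo = FD->getTypeSourceInfo();
  while (TInfo) {
    TypeLoc Written = TInfo->getTypeLoc();
    if (!isa<TypedefTypeLoc>(Written))
      break;
    TInfo = cast<TypedefTypeLoc>(Written).getTypedefNameDecl()
              ->getTypeSourceInfo();
  }
  if (!TInfo || !isa<ConstantArrayTypeLoc>(TInfo->getTypeLoc()))
    return false;
  ConstantArrayTypeLoc TL = cast<ConstantArrayTypeLoc>(TInfo->getTypeLoc());
  const Expr *SizeExpr = dyn_cast<IntegerLiteral>(TL.getSizeExpr());
  if (!SizeExpr || SizeExpr->getExprLoc().isMacroID())
    return false;

  // Only a non-union record qualifies; in C++ it must also be standard
  // layout so that "last field" means "last in memory".
  const RecordDecl *RD = dyn_cast<RecordDecl>(FD->getDeclContext());
  if (!RD) return false;
  if (RD->isUnion()) return false;
  if (const CXXRecordDecl *CRD = dyn_cast<CXXRecordDecl>(RD)) {
    if (!CRD->isStandardLayout()) return false;
  }

  // See if this is the last field decl in the record.
  const Decl *D = FD;
  while ((D = D->getNextDeclInContext()))
    if (isa<FieldDecl>(D))
      return false;
  return true;
}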
4253 
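/// Bounds-check a constant index against a constant-size array.
///
/// Serves both array subscripts (\p ASE non-null) and pointer arithmetic on
/// an array base (\p ASE null).  Nothing is reported unless the base has a
/// constant array type and the index folds to an integer constant.
///
/// \param BaseExpr the array (or pointer-to-array) operand
/// \param IndexExpr the index or offset operand
/// \param ASE the subscript expression, or null for pointer arithmetic
/// \param AllowOnePastEnd whether an index equal to the size is acceptable
///   (forming the one-past-the-end address is legal)
/// \param IndexNegated negate the evaluated index before checking it
void Sema::CheckArrayAccess(const Expr *BaseExpr, const Expr *IndexExpr,
                            const ArraySubscriptExpr *ASE,
                            bool AllowOnePastEnd, bool IndexNegated) {
  IndexExpr = IndexExpr->IgnoreParenCasts();
  if (IndexExpr->isValueDependent())
    return;

  // The element type as seen through the (possibly cast) base expression;
  // compared below against the array's real element type so the size can be
  // rescaled when the two differ.
  const Type *EffectiveType = getElementType(BaseExpr);
  BaseExpr = BaseExpr->IgnoreParenCasts();
  const ConstantArrayType *ArrayTy =
    Context.getAsConstantArrayType(BaseExpr->getType());
  if (!ArrayTy)
    return;

  llvm::APSInt index;
  if (!IndexExpr->EvaluateAsInt(index, Context))
    return;
  if (IndexNegated)
    index = -index;

  // The declaration the base names, for the "declared here" note.
  const NamedDecl *ND = NULL;
  if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr))
    ND = dyn_cast<NamedDecl>(DRE->getDecl());
  if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr))
    ND = dyn_cast<NamedDecl>(ME->getMemberDecl());

  if (index.isUnsigned() || !index.isNegative()) {
    llvm::APInt size = ArrayTy->getSize();
    if (!size.isStrictlyPositive())
      return;

    const Type* BaseType = getElementType(BaseExpr);
    if (BaseType != EffectiveType) {
      // Make sure we're comparing apples to apples when comparing index to size
      uint64_t ptrarith_typesize = Context.getTypeSize(EffectiveType);
      uint64_t array_typesize = Context.getTypeSize(BaseType);
      // Handle ptrarith_typesize being zero, such as when casting to void*
      if (!ptrarith_typesize) ptrarith_typesize = 1;
      if (ptrarith_typesize != array_typesize) {
        // There's a cast to a different size type involved
        uint64_t ratio = array_typesize / ptrarith_typesize;
        // TODO: Be smarter about handling cases where array_typesize is not a
        // multiple of ptrarith_typesize
        if (ptrarith_typesize * ratio == array_typesize)
          size *= llvm::APInt(size.getBitWidth(), ratio);
      }
    }

    // Both values are non-negative in this branch (the index is unsigned or a
    // non-negative signed value; the size is an element count), so bring them
    // to a common width by zero-extension and compare them as unsigned.
    // Sign-extending here would turn an unsigned index with its top bit set
    // (e.g. 0xFFFFFFFFu widened to 64 bits) into a negative value and let an
    // out-of-bounds access through unreported.
    if (size.getBitWidth() > index.getBitWidth())
      index = index.zext(size.getBitWidth());
    else if (size.getBitWidth() < index.getBitWidth())
      size = size.zext(index.getBitWidth());

    // For array subscripting the index must be less than size, but for pointer
    // arithmetic also allow the index (offset) to be equal to size since
    // computing the next address after the end of the array is legal and
    // commonly done e.g. in C++ iterators and range-based for loops.
    if (AllowOnePastEnd ? index.ule(size) : index.ult(size))
      return;

    // Also don't warn for arrays of size 1 which are members of some
    // structure. These are often used to approximate flexible arrays in C89
    // code.
    if (IsTailPaddedMemberArray(*this, size, ND))
      return;

    // Suppress the warning if the subscript expression (as identified by the
    // ']' location) and the index expression are both from macro expansions
    // within a system header.
    if (ASE) {
      SourceLocation RBracketLoc = SourceMgr.getSpellingLoc(
          ASE->getRBracketLoc());
      if (SourceMgr.isInSystemHeader(RBracketLoc)) {
        SourceLocation IndexLoc = SourceMgr.getSpellingLoc(
            IndexExpr->getLocStart());
        if (SourceMgr.isFromSameFile(RBracketLoc, IndexLoc))
          return;
      }
    }

    unsigned DiagID = diag::warn_ptr_arith_exceeds_bounds;
    if (ASE)
      DiagID = diag::warn_array_index_exceeds_bounds;

    // Print both values under the same unsigned interpretation that was used
    // for the comparison above.
    DiagRuntimeBehavior(BaseExpr->getLocStart(), BaseExpr,
                        PDiag(DiagID) << index.toString(10, false)
                          << size.toString(10, false)
                          << static_cast<unsigned>(size.getLimitedValue(~0U))
                          << IndexExpr->getSourceRange());
  } else {
    // Negative index: a subscript is reported as-is; for pointer arithmetic
    // the magnitude is reported.
    unsigned DiagID = diag::warn_array_index_precedes_bounds;
    if (!ASE) {
      DiagID = diag::warn_ptr_arith_precedes_bounds;
      if (index.isNegative()) index = -index;
    }

    DiagRuntimeBehavior(BaseExpr->getLocStart(), BaseExpr,
                        PDiag(DiagID) << index.toString(10, true)
                          << IndexExpr->getSourceRange());
  }

  if (!ND) {
    // Try harder to find a NamedDecl to point at in the note.
    while (const ArraySubscriptExpr *ASE =
           dyn_cast<ArraySubscriptExpr>(BaseExpr))
      BaseExpr = ASE->getBase()->IgnoreParenCasts();
    if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr))
      ND = dyn_cast<NamedDecl>(DRE->getDecl());
    if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr))
      ND = dyn_cast<NamedDecl>(ME->getMemberDecl());
  }

  if (ND)
    DiagRuntimeBehavior(ND->getLocStart(), BaseExpr,
                        PDiag(diag::note_array_index_out_of_bounds)
                          << ND->getDeclName());
}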
4371 
/// Walk \p expr down to an array subscript and bounds-check it, tracking the
/// net number of address-of operators wrapped around it: a subscript whose
/// address is taken (as in `&a[N]`) may legitimately name the
/// one-past-the-end element.
void Sema::CheckArrayAccess(const Expr *expr) {
  int AddrOfDepth = 0;
  while (expr) {
    expr = expr->IgnoreParenImpCasts();
    const Stmt::StmtClass Class = expr->getStmtClass();

    if (Class == Stmt::ArraySubscriptExprClass) {
      const ArraySubscriptExpr *ASE = cast<ArraySubscriptExpr>(expr);
      CheckArrayAccess(ASE->getBase(), ASE->getIdx(), ASE, AddrOfDepth > 0);
      return;
    }

    if (Class == Stmt::ConditionalOperatorClass) {
      // Each arm is checked on its own; the address-of depth accumulated so
      // far does not carry into them.
      const ConditionalOperator *Cond = cast<ConditionalOperator>(expr);
      if (const Expr *lhs = Cond->getLHS())
        CheckArrayAccess(lhs);
      if (const Expr *rhs = Cond->getRHS())
        CheckArrayAccess(rhs);
      return;
    }

    if (Class != Stmt::UnaryOperatorClass)
      return;

    // Only '&' and '*' are looked through: '&' grants the one-past-the-end
    // allowance and '*' takes it back again.
    const UnaryOperator *UO = cast<UnaryOperator>(expr);
    const UnaryOperatorKind Opcode = UO->getOpcode();
    if (Opcode == UO_AddrOf)
      ++AddrOfDepth;
    else if (Opcode == UO_Deref)
      --AddrOfDepth;
    else
      return;
    expr = UO->getSubExpr();
  }
}
4412 
4413 //===--- CHECK: Objective-C retain cycles ----------------------------------//
4414 
namespace {
  /// Describes the variable whose capture may form a retain cycle, together
  /// with the source position of the reference through which it was found.
  struct RetainCycleOwner {
    RetainCycleOwner() : Variable(0), Indirect(false) {}

    /// The owning variable; null until an owner has been identified.
    VarDecl *Variable;
    /// Range and location of the expression that refers to the owner.
    SourceRange Range;
    SourceLocation Loc;
    /// True when ownership was reached through an ivar or property access
    /// rather than directly through the variable.
    bool Indirect;

    /// Record the position of the referencing expression \p e.
    void setLocsFrom(Expr *e) {
      Range = e->getSourceRange();
      Loc = e->getExprLoc();
    }
  };
}
4429 
/// Consider whether capturing the given variable can possibly lead to
/// a retain cycle.
///
/// \returns true, with \p owner filled in from \p var and \p ref, when the
///   variable has __strong lifetime; false otherwise, leaving \p owner as is.
static bool considerVariable(VarDecl *var, Expr *ref, RetainCycleOwner &owner) {
  // In ARC, it's captured strongly iff the variable has __strong
  // lifetime.  In MRR, it's captured strongly if the variable is
  // __block and has an appropriate type.
  const Qualifiers::ObjCLifetime Lifetime = var->getType().getObjCLifetime();
  if (Lifetime == Qualifiers::OCL_Strong) {
    owner.Variable = var;
    owner.setLocsFrom(ref);
    return true;
  }
  return false;
}
4443 
/// Walk back from a receiver expression to the variable that strongly
/// owns it, filling in \p owner.
///
/// Looks through parentheses, value-preserving casts, non-arrow member
/// accesses and retaining property references, and stops at a strong
/// ivar reference, a variable reference or a block variable reference.
///
/// \returns true (with \p owner filled in) when an owner is found; false
///          when the expression is not owned by a variable or the chain
///          contains a form this walk does not handle.
static bool findRetainCycleOwner(Sema &S, Expr *e, RetainCycleOwner &owner) {
  while (true) {
    e = e->IgnoreParens();
    if (CastExpr *cast = dyn_cast<CastExpr>(e)) {
      switch (cast->getCastKind()) {
      // Casts that do not change which object is referenced: keep walking.
      case CK_BitCast:
      case CK_LValueBitCast:
      case CK_LValueToRValue:
      case CK_ARCReclaimReturnedObject:
        e = cast->getSubExpr();
        continue;

      // Any other cast may produce a different object; give up.
      default:
        return false;
      }
    }

    if (ObjCIvarRefExpr *ref = dyn_cast<ObjCIvarRefExpr>(e)) {
      ObjCIvarDecl *ivar = ref->getDecl();
      // A non-strong ivar does not retain the receiver.
      if (ivar->getType().getObjCLifetime() != Qualifiers::OCL_Strong)
        return false;

      // Try to find a retain cycle in the base.
      if (!findRetainCycleOwner(S, ref->getBase(), owner))
        return false;

      // For an unqualified ivar access point the note at the ivar itself.
      if (ref->isFreeIvar()) owner.setLocsFrom(ref);
      owner.Indirect = true;
      return true;
    }

    if (DeclRefExpr *ref = dyn_cast<DeclRefExpr>(e)) {
      VarDecl *var = dyn_cast<VarDecl>(ref->getDecl());
      if (!var) return false;
      return considerVariable(var, ref, owner);
    }

    if (BlockDeclRefExpr *ref = dyn_cast<BlockDeclRefExpr>(e)) {
      // A __block variable reference is taken as the owner unconditionally.
      owner.Variable = ref->getDecl();
      owner.setLocsFrom(ref);
      return true;
    }

    if (MemberExpr *member = dyn_cast<MemberExpr>(e)) {
      // An arrow access goes through a pointer we cannot follow.
      if (member->isArrow()) return false;

      // Don't count this as an indirect ownership.
      e = member->getBase();
      continue;
    }

    if (PseudoObjectExpr *pseudo = dyn_cast<PseudoObjectExpr>(e)) {
      // Only pay attention to pseudo-objects on property references.
      ObjCPropertyRefExpr *pre
        = dyn_cast<ObjCPropertyRefExpr>(pseudo->getSyntacticForm()
                                              ->IgnoreParens());
      if (!pre) return false;
      if (pre->isImplicitProperty()) return false;
      ObjCPropertyDecl *property = pre->getExplicitProperty();
      // The property must retain, either by attribute or because its
      // backing ivar is __strong.
      if (!property->isRetaining() &&
          !(property->getPropertyIvarDecl() &&
            property->getPropertyIvarDecl()->getType()
              .getObjCLifetime() == Qualifiers::OCL_Strong))
          return false;

      owner.Indirect = true;
      if (pre->isSuperReceiver()) {
        // super.prop: the owner is 'self' of the enclosing method.
        // Assumes getCurMethodDecl() is non-null here (a super receiver
        // only parses inside a method).
        owner.Variable = S.getCurMethodDecl()->getSelfDecl();
        if (!owner.Variable)
          return false;
        owner.Loc = pre->getLocation();
        owner.Range = pre->getSourceRange();
        return true;
      }
      // Continue with the property's base object, unwrapped from the
      // opaque value the pseudo-object form introduced.
      e = const_cast<Expr*>(cast<OpaqueValueExpr>(pre->getBase())
                              ->getSourceExpr());
      continue;
    }

    // Array ivars?

    return false;
  }
}
4528 
namespace {
  /// Walks a block body looking for the first expression that references
  /// a given variable: a direct reference, a __block reference, or a free
  /// ivar access whose base references it.  The match is left in Capturer.
  struct FindCaptureVisitor : EvaluatedExprVisitor<FindCaptureVisitor> {
    FindCaptureVisitor(ASTContext &Context, VarDecl *variable)
      : EvaluatedExprVisitor<FindCaptureVisitor>(Context),
        Variable(variable), Capturer(0) {}

    /// The variable being searched for.
    VarDecl *Variable;
    /// The first reference found, or null while none has been seen.
    Expr *Capturer;

    void VisitDeclRefExpr(DeclRefExpr *ref) {
      if (Capturer) return;
      if (ref->getDecl() == Variable)
        Capturer = ref;
    }

    void VisitBlockDeclRefExpr(BlockDeclRefExpr *ref) {
      if (Capturer) return;
      if (ref->getDecl() == Variable)
        Capturer = ref;
    }

    void VisitObjCIvarRefExpr(ObjCIvarRefExpr *ref) {
      if (Capturer) return;
      // Search the base first; if it references the variable and this is
      // a free ivar access, report the ivar access itself as the capturer.
      Visit(ref->getBase());
      if (!Capturer) return;
      if (ref->isFreeIvar())
        Capturer = ref;
    }

    void VisitBlockExpr(BlockExpr *block) {
      // Look inside nested blocks, but only those that capture the variable.
      BlockDecl *inner = block->getBlockDecl();
      if (inner->capturesVariable(Variable))
        Visit(inner->getBody());
    }
  };
}
4562 
/// Check whether the given argument is a block which captures a
/// variable.
///
/// \param e     the message argument (or assigned value) to inspect
/// \param owner the owner found for the receiver; Variable and Loc must
///              already be set
/// \returns the expression inside the block that references
///          owner.Variable, or null if \p e is not a block capturing it
static Expr *findCapturingExpr(Sema &S, Expr *e, RetainCycleOwner &owner) {
  assert(owner.Variable && owner.Loc.isValid());

  BlockExpr *block = dyn_cast<BlockExpr>(e->IgnoreParenCasts());
  if (!block)
    return 0;

  BlockDecl *decl = block->getBlockDecl();
  if (!decl->capturesVariable(owner.Variable))
    return 0;

  // The block captures the variable; locate the reference so the
  // diagnostic can point at it.
  FindCaptureVisitor visitor(S.Context, owner.Variable);
  visitor.Visit(decl->getBody());
  return visitor.Capturer;
}
4577 
/// Emit the retain-cycle warning at the capturing expression, followed by
/// a note pointing at the owner.
///
/// \param capturer the expression inside the block that references the
///                 owner variable (must be non-null)
/// \param owner    the owner; Variable and Loc must be set
static void diagnoseRetainCycle(Sema &S, Expr *capturer,
                                RetainCycleOwner &owner) {
  assert(capturer);
  assert(owner.Variable && owner.Loc.isValid());

  SourceLocation warnLoc = capturer->getExprLoc();
  SourceRange warnRange = capturer->getSourceRange();
  S.Diag(warnLoc, diag::warn_arc_retain_cycle) << owner.Variable << warnRange;
  // The note's %0 selects the direct/indirect wording.
  S.Diag(owner.Loc, diag::note_arc_retain_cycle_owner) << owner.Indirect
                                                       << owner.Range;
}
4588 
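/// Check for a keyword selector that starts with the word 'add' or
/// 'set'.
///
/// Leading underscores on the first slot are ignored.  The prefix only
/// counts when what follows it is empty or does not start with a lowercase
/// letter, so "setX:" qualifies while "setter:" does not.
/// 'addOperationWithBlock:' is whitelisted explicitly.
///
/// \returns true if \p sel is a keyword selector whose first piece looks
///          like a set-/add- accessor
static bool isSetterLikeSelector(Selector sel) {
  if (sel.isUnarySelector()) return false;

  StringRef str = sel.getNameForSlot(0);
  while (!str.empty() && str.front() == '_') str = str.substr(1);
  if (str.startswith("set"))
    str = str.substr(3);
  else if (str.startswith("add")) {
    // Specially whitelist 'addOperationWithBlock:'.
    if (sel.getNumArgs() == 1 && str.startswith("addOperationWithBlock"))
      return false;
    str = str.substr(3);
  }
  else
    return false;

  if (str.empty()) return true;
  // islower() is only defined for values representable as unsigned char
  // (and EOF); a plain char can be negative for non-ASCII bytes, so widen
  // through unsigned char rather than passing the char directly.
  return !islower(static_cast<unsigned char>(str.front()));
}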
4610 
/// Check a message send to see if it's likely to cause a retain cycle.
///
/// A setter-like instance message whose receiver is strongly owned by some
/// variable, and one of whose arguments is a block capturing that variable,
/// is reported with warn_arc_retain_cycle (first such argument only).
void Sema::checkRetainCycles(ObjCMessageExpr *msg) {
  // Only check instance methods whose selector looks like a setter.
  if (!msg->isInstanceMessage())
    return;
  if (!isSetterLikeSelector(msg->getSelector()))
    return;

  // Try to find a variable that the receiver is strongly owned by.
  RetainCycleOwner owner;
  switch (msg->getReceiverKind()) {
  case ObjCMessageExpr::Instance:
    if (!findRetainCycleOwner(*this, msg->getInstanceReceiver(), owner))
      return;
    break;
  default:
    // [super setFoo:...]: the receiver is owned through 'self'.  Assumes
    // getCurMethodDecl() is non-null, as a super message only appears
    // inside a method.
    assert(msg->getReceiverKind() == ObjCMessageExpr::SuperInstance);
    owner.Variable = getCurMethodDecl()->getSelfDecl();
    owner.Loc = msg->getSuperLoc();
    owner.Range = msg->getSuperLoc();
    break;
  }

  // Check whether the receiver is captured by any of the arguments.
  const unsigned numArgs = msg->getNumArgs();
  for (unsigned i = 0; i != numArgs; ++i) {
    Expr *capturer = findCapturingExpr(*this, msg->getArg(i), owner);
    if (capturer) {
      diagnoseRetainCycle(*this, capturer, owner);
      return;
    }
  }
}
4634 
/// Check a property assign to see if it's likely to cause a retain cycle.
///
/// \param receiver the object whose property is being assigned
/// \param argument the assigned value; diagnosed when it is a block that
///                 captures the variable owning \p receiver
void Sema::checkRetainCycles(Expr *receiver, Expr *argument) {
  RetainCycleOwner owner;
  const bool haveOwner = findRetainCycleOwner(*this, receiver, owner);
  if (!haveOwner)
    return;

  Expr *capturer = findCapturingExpr(*this, argument, owner);
  if (!capturer)
    return;
  diagnoseRetainCycle(*this, capturer, owner);
}
4644 
/// Warn (warn_arc_retained_assign) when a +1 value -- one wrapped in a
/// CK_ARCConsumeObject cast -- is assigned to a __weak or
/// __unsafe_unretained (OCL_ExplicitNone) location.
///
/// \param Loc where to report
/// \param LHS type of the location being assigned to
/// \param RHS the value being assigned
/// \returns true if a diagnostic was emitted
bool Sema::checkUnsafeAssigns(SourceLocation Loc,
                              QualType LHS, Expr *RHS) {
  Qualifiers::ObjCLifetime LT = LHS.getObjCLifetime();
  const bool isWeak = (LT == Qualifiers::OCL_Weak);
  const bool isUnsafe = (LT == Qualifiers::OCL_ExplicitNone);
  if (!isWeak && !isUnsafe)
    return false;

  // strip off any implicit cast added to get to the one arc-specific
  for (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS); cast;
       cast = dyn_cast<ImplicitCastExpr>(RHS)) {
    if (cast->getCastKind() == CK_ARCConsumeObject) {
      // %0 selects the __unsafe_unretained vs __weak wording.
      Diag(Loc, diag::warn_arc_retained_assign)
        << isUnsafe
        << RHS->getSourceRange();
      return true;
    }
    RHS = cast->getSubExpr();
  }
  return false;
}
4662 
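/// Check an assignment expression for unsafe ARC ownership transfers.
///
/// First defers to checkUnsafeAssigns for __weak / __unsafe_unretained
/// targets.  Otherwise, when the target is an explicit property carrying
/// the 'assign' attribute (as written, or not on a retainable type), warns
/// with warn_arc_retained_property_assign if a +1 value
/// (CK_ARCConsumeObject) is assigned to it.
///
/// \param Loc where to report
/// \param LHS the assigned-to expression; may be a property reference
/// \param RHS the value being assigned
void Sema::checkUnsafeExprAssigns(SourceLocation Loc,
                              Expr *LHS, Expr *RHS) {
  // A property reference on the LHS has a pseudo-object type, so its real
  // type must be taken from the property declaration.  PD stays null for
  // anything other than an explicit property, which lets the later
  // property-only checks collapse to a single null test.
  ObjCPropertyRefExpr *PRE
    = dyn_cast<ObjCPropertyRefExpr>(LHS->IgnoreParens());
  const ObjCPropertyDecl *PD = 0;
  if (PRE && !PRE->isImplicitProperty())
    PD = PRE->getExplicitProperty();

  QualType LHSType;
  if (PD)
    LHSType = PD->getType();
  if (LHSType.isNull())
    LHSType = LHS->getType();

  if (checkUnsafeAssigns(Loc, LHSType, RHS))
    return;

  Qualifiers::ObjCLifetime LT = LHSType.getObjCLifetime();
  // FIXME. Check for other life times.
  if (LT != Qualifiers::OCL_None)
    return;

  // The remaining check applies only to explicit properties.
  if (!PD)
    return;

  unsigned Attributes = PD->getPropertyAttributes();
  if (!(Attributes & ObjCPropertyDecl::OBJC_PR_assign))
    return;

  // when 'assign' attribute was not explicitly specified
  // by user, ignore it and rely on property type itself
  // for lifetime info.
  unsigned AsWrittenAttr = PD->getPropertyAttributesAsWritten();
  if (!(AsWrittenAttr & ObjCPropertyDecl::OBJC_PR_assign) &&
      LHSType->isObjCRetainableType())
    return;

  // strip off implicit casts looking for the ARC consume marker
  while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) {
    if (cast->getCastKind() == CK_ARCConsumeObject) {
      Diag(Loc, diag::warn_arc_retained_property_assign)
        << RHS->getSourceRange();
      return;
    }
    RHS = cast->getSubExpr();
  }
}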
4713