//===--- SemaChecking.cpp - Extra Semantic Checking -----------------------===//
//
//                     The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
//  This file implements extra semantic analysis beyond what is enforced
//  by the C type system.
//
//===----------------------------------------------------------------------===//

#include "clang/Sema/SemaInternal.h"
#include "clang/AST/ASTContext.h"
#include "clang/AST/CharUnits.h"
#include "clang/AST/DeclCXX.h"
#include "clang/AST/DeclObjC.h"
#include "clang/AST/EvaluatedExprVisitor.h"
#include "clang/AST/Expr.h"
#include "clang/AST/ExprCXX.h"
#include "clang/AST/ExprObjC.h"
#include "clang/AST/StmtCXX.h"
#include "clang/AST/StmtObjC.h"
#include "clang/Analysis/Analyses/FormatString.h"
#include "clang/Basic/CharInfo.h"
#include "clang/Basic/TargetBuiltins.h"
#include "clang/Basic/TargetInfo.h"
#include "clang/Lex/Preprocessor.h"
#include "clang/Sema/Initialization.h"
#include "clang/Sema/Lookup.h"
#include "clang/Sema/ScopeInfo.h"
#include "clang/Sema/Sema.h"
#include "llvm/ADT/STLExtras.h"
#include "llvm/ADT/SmallBitVector.h"
#include "llvm/ADT/SmallString.h"
#include "llvm/Support/ConvertUTF.h"
#include "llvm/Support/raw_ostream.h"
#include <limits>
using namespace clang;
using namespace sema;

/// Translate byte offset \p ByteNo within string literal \p SL into a source
/// location, using the preprocessor's source manager, language options and
/// target description.
SourceLocation Sema::getLocationOfStringLiteralByte(const StringLiteral *SL,
                                                    unsigned ByteNo) const {
  const SourceManager &SM = PP.getSourceManager();
  const LangOptions &Features = PP.getLangOpts();
  const TargetInfo &Target = PP.getTargetInfo();
  return SL->getLocationOfByte(ByteNo, SM, Features, Target);
}

/// Checks that a call expression's argument count is the desired number.
/// This is useful when doing custom type-checking.  Returns true on error.
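static bool checkArgCount(Sema &S, CallExpr *call, unsigned desiredArgCount) {
  const unsigned argCount = call->getNumArgs();
  if (argCount == desiredArgCount)
    return false;

  // Too few: point at the end of the call and underline the whole call.
  if (argCount < desiredArgCount)
    return S.Diag(call->getLocEnd(), diag::err_typecheck_call_too_few_args)
           << 0 /*function call*/ << desiredArgCount << argCount
           << call->getSourceRange();

  // Too many: highlight all the excess arguments, from the first unexpected
  // one through the last one supplied.
  SourceRange range(call->getArg(desiredArgCount)->getLocStart(),
                    call->getArg(argCount - 1)->getLocEnd());

  // Stream the range computed above instead of getArg(1). Index 1 is only
  // the first excess argument when desiredArgCount == 1, and it is past the
  // end of the argument list when desiredArgCount == 0 and a single argument
  // was passed.
  return S.Diag(range.getBegin(), diag::err_typecheck_call_too_many_args)
         << 0 /*function call*/ << desiredArgCount << argCount << range;
}

/// Check that the first argument to __builtin_annotation is an integer
/// and the second argument is a non-wide string literal.
///
/// On success the call's result type is set to the type of the first
/// argument.
///
/// \returns true if a diagnostic was emitted, false if the call is valid.
static bool SemaBuiltinAnnotation(Sema &S, CallExpr *TheCall) {
  if (checkArgCount(S, TheCall, 2))
    return true;

  // First argument should be an integer.
  Expr *ValArg = TheCall->getArg(0);
  QualType Ty = ValArg->getType();
  if (!Ty->isIntegerType()) {
    S.Diag(ValArg->getLocStart(), diag::err_builtin_annotation_first_arg)
      << ValArg->getSourceRange();
    return true;
  }

  // Second argument should be a constant string. Parentheses and casts are
  // looked through before testing for a literal.
  Expr *StrArg = TheCall->getArg(1)->IgnoreParenCasts();
  StringLiteral *Literal = dyn_cast<StringLiteral>(StrArg);
  if (!Literal || !Literal->isAscii()) {
    S.Diag(StrArg->getLocStart(), diag::err_builtin_annotation_second_arg)
      << StrArg->getSourceRange();
    return true;
  }

  TheCall->setType(Ty);
  return false;
}

/// Check that the argument to __builtin_addressof is a glvalue, and set the
/// result type to the corresponding pointer type.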
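static bool SemaBuiltinAddressof(Sema &S, CallExpr *TheCall) {
  if (checkArgCount(S, TheCall, 1))
    return true;

  // CheckAddressOfOperand receives the operand as an ExprResult; whatever
  // expression it leaves there is written back into the call below.
  ExprResult Arg(S.Owned(TheCall->getArg(0)));
  QualType ResultType = S.CheckAddressOfOperand(Arg, TheCall->getLocStart());
  if (ResultType.isNull())
    return true;

  TheCall->setArg(0, Arg.take());
  TheCall->setType(ResultType);
  return false;
}

/// Run the builtin-specific semantic checks for a call to the builtin
/// identified by \p BuiltinID.
///
/// Arguments that the builtin's type signature requires to be integer
/// constant expressions are checked first. The per-builtin checker (if any)
/// runs next, followed by the checker for the target architecture when the ID
/// is a target-specific builtin.
///
/// \returns the checked call (some checkers return their own result
/// expression), or ExprError() when a check fails.
ExprResult
Sema::CheckBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) {
  ExprResult TheCallResult(Owned(TheCall));

  // Find out if any arguments are required to be integer constant expressions.
  unsigned ICEArguments = 0;
  ASTContext::GetBuiltinTypeError Error;
  Context.GetBuiltinType(BuiltinID, Error, &ICEArguments);
  if (Error != ASTContext::GE_None)
    ICEArguments = 0;  // Don't diagnose previously diagnosed errors.

  // If any arguments are required to be ICE's, check and diagnose.
  // ICEArguments is a bit mask indexed by argument number; the mask is built
  // with an unsigned literal so the top bit can be tested without shifting
  // into the sign bit of an int.
  for (unsigned ArgNo = 0; ICEArguments != 0; ++ArgNo) {
    // Skip arguments not required to be ICE's.
    if ((ICEArguments & (1u << ArgNo)) == 0) continue;

    llvm::APSInt Result;
    if (SemaBuiltinConstantArg(TheCall, ArgNo, Result))
      return ExprError();
    ICEArguments &= ~(1u << ArgNo);
  }

  switch (BuiltinID) {
  case Builtin::BI__builtin___CFStringMakeConstantString:
    assert(TheCall->getNumArgs() == 1 &&
           "Wrong # arguments to builtin CFStringMakeConstantString");
    if (CheckObjCString(TheCall->getArg(0)))
      return ExprError();
    break;
  case Builtin::BI__builtin_stdarg_start:
  case Builtin::BI__builtin_va_start:
  case Builtin::BI__va_start:
    if (SemaBuiltinVAStart(TheCall))
      return ExprError();
    break;
  case Builtin::BI__builtin_isgreater:
  case Builtin::BI__builtin_isgreaterequal:
  case Builtin::BI__builtin_isless:
  case Builtin::BI__builtin_islessequal:
  case Builtin::BI__builtin_islessgreater:
  case Builtin::BI__builtin_isunordered:
    if (SemaBuiltinUnorderedCompare(TheCall))
      return ExprError();
    break;
  case Builtin::BI__builtin_fpclassify:
    if (SemaBuiltinFPClassification(TheCall, 6))
      return ExprError();
    break;
  case Builtin::BI__builtin_isfinite:
  case Builtin::BI__builtin_isinf:
  case Builtin::BI__builtin_isinf_sign:
  case Builtin::BI__builtin_isnan:
  case Builtin::BI__builtin_isnormal:
    if (SemaBuiltinFPClassification(TheCall, 1))
      return ExprError();
    break;
  case Builtin::BI__builtin_shufflevector:
    return SemaBuiltinShuffleVector(TheCall);
    // TheCall will be freed by the smart pointer here, but that's fine, since
    // SemaBuiltinShuffleVector guts it, but then doesn't release it.
  case Builtin::BI__builtin_prefetch:
    if (SemaBuiltinPrefetch(TheCall))
      return ExprError();
    break;
  case Builtin::BI__builtin_object_size:
    if (SemaBuiltinObjectSize(TheCall))
      return ExprError();
    break;
  case Builtin::BI__builtin_longjmp:
    if (SemaBuiltinLongjmp(TheCall))
      return ExprError();
    break;

  // The two cases below used to 'return true', which converts to an invalid
  // ExprResult; ExprError() is used instead to match every other failure
  // path in this function.
  case Builtin::BI__builtin_classify_type:
    if (checkArgCount(*this, TheCall, 1)) return ExprError();
    TheCall->setType(Context.IntTy);
    break;
  case Builtin::BI__builtin_constant_p:
    if (checkArgCount(*this, TheCall, 1)) return ExprError();
    TheCall->setType(Context.IntTy);
    break;
  case Builtin::BI__sync_fetch_and_add:
  case Builtin::BI__sync_fetch_and_add_1:
  case Builtin::BI__sync_fetch_and_add_2:
  case Builtin::BI__sync_fetch_and_add_4:
  case Builtin::BI__sync_fetch_and_add_8:
  case Builtin::BI__sync_fetch_and_add_16:
  case Builtin::BI__sync_fetch_and_sub:
  case Builtin::BI__sync_fetch_and_sub_1:
  case Builtin::BI__sync_fetch_and_sub_2:
  case Builtin::BI__sync_fetch_and_sub_4:
  case Builtin::BI__sync_fetch_and_sub_8:
  case Builtin::BI__sync_fetch_and_sub_16:
  case Builtin::BI__sync_fetch_and_or:
  case Builtin::BI__sync_fetch_and_or_1:
  case Builtin::BI__sync_fetch_and_or_2:
  case Builtin::BI__sync_fetch_and_or_4:
  case Builtin::BI__sync_fetch_and_or_8:
  case Builtin::BI__sync_fetch_and_or_16:
  case Builtin::BI__sync_fetch_and_and:
  case Builtin::BI__sync_fetch_and_and_1:
  case Builtin::BI__sync_fetch_and_and_2:
  case Builtin::BI__sync_fetch_and_and_4:
  case Builtin::BI__sync_fetch_and_and_8:
  case Builtin::BI__sync_fetch_and_and_16:
  case Builtin::BI__sync_fetch_and_xor:
  case Builtin::BI__sync_fetch_and_xor_1:
  case Builtin::BI__sync_fetch_and_xor_2:
  case Builtin::BI__sync_fetch_and_xor_4:
  case Builtin::BI__sync_fetch_and_xor_8:
  case Builtin::BI__sync_fetch_and_xor_16:
  case Builtin::BI__sync_add_and_fetch:
  case Builtin::BI__sync_add_and_fetch_1:
  case Builtin::BI__sync_add_and_fetch_2:
  case Builtin::BI__sync_add_and_fetch_4:
  case Builtin::BI__sync_add_and_fetch_8:
  case Builtin::BI__sync_add_and_fetch_16:
  case Builtin::BI__sync_sub_and_fetch:
  case Builtin::BI__sync_sub_and_fetch_1:
  case Builtin::BI__sync_sub_and_fetch_2:
  case Builtin::BI__sync_sub_and_fetch_4:
  case Builtin::BI__sync_sub_and_fetch_8:
  case Builtin::BI__sync_sub_and_fetch_16:
  case Builtin::BI__sync_and_and_fetch:
  case Builtin::BI__sync_and_and_fetch_1:
  case Builtin::BI__sync_and_and_fetch_2:
  case Builtin::BI__sync_and_and_fetch_4:
  case Builtin::BI__sync_and_and_fetch_8:
  case Builtin::BI__sync_and_and_fetch_16:
  case Builtin::BI__sync_or_and_fetch:
  case Builtin::BI__sync_or_and_fetch_1:
  case Builtin::BI__sync_or_and_fetch_2:
  case Builtin::BI__sync_or_and_fetch_4:
  case Builtin::BI__sync_or_and_fetch_8:
  case Builtin::BI__sync_or_and_fetch_16:
  case Builtin::BI__sync_xor_and_fetch:
  case Builtin::BI__sync_xor_and_fetch_1:
  case Builtin::BI__sync_xor_and_fetch_2:
  case Builtin::BI__sync_xor_and_fetch_4:
  case Builtin::BI__sync_xor_and_fetch_8:
  case Builtin::BI__sync_xor_and_fetch_16:
  case Builtin::BI__sync_val_compare_and_swap:
  case Builtin::BI__sync_val_compare_and_swap_1:
  case Builtin::BI__sync_val_compare_and_swap_2:
  case Builtin::BI__sync_val_compare_and_swap_4:
  case Builtin::BI__sync_val_compare_and_swap_8:
  case Builtin::BI__sync_val_compare_and_swap_16:
  case Builtin::BI__sync_bool_compare_and_swap:
  case Builtin::BI__sync_bool_compare_and_swap_1:
  case Builtin::BI__sync_bool_compare_and_swap_2:
  case Builtin::BI__sync_bool_compare_and_swap_4:
  case Builtin::BI__sync_bool_compare_and_swap_8:
  case Builtin::BI__sync_bool_compare_and_swap_16:
  case Builtin::BI__sync_lock_test_and_set:
  case Builtin::BI__sync_lock_test_and_set_1:
  case Builtin::BI__sync_lock_test_and_set_2:
  case Builtin::BI__sync_lock_test_and_set_4:
  case Builtin::BI__sync_lock_test_and_set_8:
  case Builtin::BI__sync_lock_test_and_set_16:
  case Builtin::BI__sync_lock_release:
  case Builtin::BI__sync_lock_release_1:
  case Builtin::BI__sync_lock_release_2:
  case Builtin::BI__sync_lock_release_4:
  case Builtin::BI__sync_lock_release_8:
  case Builtin::BI__sync_lock_release_16:
  case Builtin::BI__sync_swap:
  case Builtin::BI__sync_swap_1:
  case Builtin::BI__sync_swap_2:
  case Builtin::BI__sync_swap_4:
  case Builtin::BI__sync_swap_8:
  case Builtin::BI__sync_swap_16:
    return SemaBuiltinAtomicOverloaded(TheCallResult);
  // Expand one case per ATOMIC_BUILTIN entry of Builtins.def; plain BUILTIN
  // entries expand to nothing.
#define BUILTIN(ID, TYPE, ATTRS)
#define ATOMIC_BUILTIN(ID, TYPE, ATTRS) \
  case Builtin::BI##ID: \
    return SemaAtomicOpsOverloaded(TheCallResult, AtomicExpr::AO##ID);
#include "clang/Basic/Builtins.def"
  case Builtin::BI__builtin_annotation:
    if (SemaBuiltinAnnotation(*this, TheCall))
      return ExprError();
    break;
  case Builtin::BI__builtin_addressof:
    if (SemaBuiltinAddressof(*this, TheCall))
      return ExprError();
    break;
  }

  // Since the target specific builtins for each arch overlap, only check those
  // of the arch we are compiling for.
  if (BuiltinID >= Builtin::FirstTSBuiltin) {
    switch (Context.getTargetInfo().getTriple().getArch()) {
      case llvm::Triple::arm:
      case llvm::Triple::armeb:
      case llvm::Triple::thumb:
      case llvm::Triple::thumbeb:
        if (CheckARMBuiltinFunctionCall(BuiltinID, TheCall))
          return ExprError();
        break;
      case llvm::Triple::arm64:
        if (CheckARM64BuiltinFunctionCall(BuiltinID, TheCall))
          return ExprError();
        break;
      case llvm::Triple::aarch64:
      case llvm::Triple::aarch64_be:
        if (CheckAArch64BuiltinFunctionCall(BuiltinID, TheCall))
          return ExprError();
        break;
      case llvm::Triple::mips:
      case llvm::Triple::mipsel:
      case llvm::Triple::mips64:
      case llvm::Triple::mips64el:
        if (CheckMipsBuiltinFunctionCall(BuiltinID, TheCall))
          return ExprError();
        break;
      case llvm::Triple::x86:
      case llvm::Triple::x86_64:
        if (CheckX86BuiltinFunctionCall(BuiltinID, TheCall))
          return ExprError();
        break;
      default:
        break;
    }
  }

  return TheCallResult;
}

// Get the valid immediate range for the specified NEON type code.
//
// Returns an upper bound only. With \p shift set it is the element width in
// bits minus one; otherwise it is a per-element-type count, doubled for quad
// vectors, minus one (presumably the highest lane index -- confirm against
// the generated arm_neon.inc that calls this). \p ForceQuad treats the type
// as quad regardless of its own flag. Float element types assert that
// \p shift is false.
static unsigned RFT(unsigned t, bool shift = false, bool ForceQuad = false) {
  NeonTypeFlags Type(t);
  int IsQuad = ForceQuad ? true : Type.isQuad();
  switch (Type.getEltType()) {
  case NeonTypeFlags::Int8:
  case NeonTypeFlags::Poly8:
    return shift ? 7 : (8 << IsQuad) - 1;
  case NeonTypeFlags::Int16:
  case NeonTypeFlags::Poly16:
    return shift ? 15 : (4 << IsQuad) - 1;
  case NeonTypeFlags::Int32:
    return shift ? 31 : (2 << IsQuad) - 1;
  case NeonTypeFlags::Int64:
  case NeonTypeFlags::Poly64:
    return shift ? 63 : (1 << IsQuad) - 1;
  case NeonTypeFlags::Poly128:
    return shift ? 127 : (1 << IsQuad) - 1;
  case NeonTypeFlags::Float16:
    assert(!shift && "cannot shift float types!");
    return (4 << IsQuad) - 1;
  case NeonTypeFlags::Float32:
    assert(!shift && "cannot shift float types!");
    return (2 << IsQuad) - 1;
  case NeonTypeFlags::Float64:
    assert(!shift && "cannot shift float types!");
    return (1 << IsQuad) - 1;
  }
  llvm_unreachable("Invalid NeonTypeFlag!");
}

/// getNeonEltType - Return the QualType corresponding to the elements of
/// the vector type specified by the NeonTypeFlags.  This is used to check
/// the pointer arguments for Neon load/store intrinsics.
///
/// \param IsPolyUnsigned selects unsigned char/short for Poly8/Poly16.
/// \param IsInt64Long selects long rather than long long for Int64.
///
/// Poly128 has no mapping here and falls through to llvm_unreachable.
static QualType getNeonEltType(NeonTypeFlags Flags, ASTContext &Context,
                               bool IsPolyUnsigned, bool IsInt64Long) {
  switch (Flags.getEltType()) {
  case NeonTypeFlags::Int8:
    return Flags.isUnsigned() ? Context.UnsignedCharTy : Context.SignedCharTy;
  case NeonTypeFlags::Int16:
    return Flags.isUnsigned() ? Context.UnsignedShortTy : Context.ShortTy;
  case NeonTypeFlags::Int32:
    return Flags.isUnsigned() ? Context.UnsignedIntTy : Context.IntTy;
  case NeonTypeFlags::Int64:
    if (IsInt64Long)
      return Flags.isUnsigned() ? Context.UnsignedLongTy : Context.LongTy;
    else
      return Flags.isUnsigned() ? Context.UnsignedLongLongTy
                                : Context.LongLongTy;
  case NeonTypeFlags::Poly8:
    return IsPolyUnsigned ? Context.UnsignedCharTy : Context.SignedCharTy;
  case NeonTypeFlags::Poly16:
    return IsPolyUnsigned ? Context.UnsignedShortTy : Context.ShortTy;
  case NeonTypeFlags::Poly64:
    return Context.UnsignedLongTy;
  case NeonTypeFlags::Poly128:
    break;
  case NeonTypeFlags::Float16:
    return Context.HalfTy;
  case NeonTypeFlags::Float32:
    return Context.FloatTy;
  case NeonTypeFlags::Float64:
    return Context.DoubleTy;
  }
  llvm_unreachable("Invalid NeonTypeFlag!");
}

/// Check a call to a NEON builtin: the overload-selecting type code, the
/// type of a pointer argument (when the builtin has one), and the range of
/// an immediate operand. The per-builtin tables come from the generated
/// arm_neon.inc.
///
/// \returns true if the call is invalid, false otherwise.
bool Sema::CheckNeonBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) {
  llvm::APSInt Result;
  uint64_t mask = 0;
  unsigned TV = 0;
  int PtrArgNum = -1;
  bool HasConstPtr = false;
  switch (BuiltinID) {
#define GET_NEON_OVERLOAD_CHECK
#include "clang/Basic/arm_neon.inc"
#undef GET_NEON_OVERLOAD_CHECK
  }

  // For NEON intrinsics which are overloaded on vector element type, validate
  // the immediate which specifies which variant to emit.
  unsigned ImmArg = TheCall->getNumArgs()-1;
  if (mask) {
    if (SemaBuiltinConstantArg(TheCall, ImmArg, Result))
      return true;

    // getLimitedValue(64) saturates, so any out-of-range code becomes 64 and
    // is rejected by the TV > 63 test before it is used as a shift count.
    TV = Result.getLimitedValue(64);
    if ((TV > 63) || (mask & (1ULL << TV)) == 0)
      return Diag(TheCall->getLocStart(), diag::err_invalid_neon_type_code)
        << TheCall->getArg(ImmArg)->getSourceRange();
  }

  if (PtrArgNum >= 0) {
    // Check that pointer arguments have the specified type.
    Expr *Arg = TheCall->getArg(PtrArgNum);
    if (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Arg))
      Arg = ICE->getSubExpr();
    ExprResult RHS = DefaultFunctionArrayLvalueConversion(Arg);
    // Bail out before dereferencing a failed conversion, as
    // CheckARMBuiltinExclusiveCall does for the same conversion.
    if (RHS.isInvalid())
      return true;
    QualType RHSTy = RHS.get()->getType();

    llvm::Triple::ArchType Arch = Context.getTargetInfo().getTriple().getArch();
    bool IsPolyUnsigned =
        Arch == llvm::Triple::aarch64 || Arch == llvm::Triple::arm64;
    bool IsInt64Long =
        Context.getTargetInfo().getInt64Type() == TargetInfo::SignedLong;
    QualType EltTy =
        getNeonEltType(NeonTypeFlags(TV), Context, IsPolyUnsigned, IsInt64Long);
    if (HasConstPtr)
      EltTy = EltTy.withConst();
    QualType LHSTy = Context.getPointerType(EltTy);
    AssignConvertType ConvTy;
    ConvTy = CheckSingleAssignmentConstraints(LHSTy, RHS);
    if (RHS.isInvalid())
      return true;
    if (DiagnoseAssignmentResult(ConvTy, Arg->getLocStart(), LHSTy, RHSTy,
                                 RHS.get(), AA_Assigning))
      return true;
  }

  // For NEON intrinsics which take an immediate value as part of the
  // instruction, range check them here.
  unsigned i = 0, l = 0, u = 0;
  switch (BuiltinID) {
  default:
    return false;
#define GET_NEON_IMMEDIATE_CHECK
#include "clang/Basic/arm_neon.inc"
#undef GET_NEON_IMMEDIATE_CHECK
  }

  // We can't check the value of a dependent argument.
  if (TheCall->getArg(i)->isTypeDependent() ||
      TheCall->getArg(i)->isValueDependent())
    return false;

  // Check that the immediate argument is actually a constant.
  if (SemaBuiltinConstantArg(TheCall, i, Result))
    return true;

  // Range check against the upper/lower values for this instruction.
  // The value is kept at 64 bits: narrowing it to 'unsigned' first would let
  // a constant wider than 'unsigned' wrap into the accepted range.
  uint64_t Val = Result.getZExtValue();
  if (Val < l || Val > (u + l))
    return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range)
      << l << u + l << TheCall->getArg(i)->getSourceRange();

  return false;
}

/// Check a call to an AArch64 target builtin; only the shared NEON checks
/// apply. \returns true if the call is invalid.
bool Sema::CheckAArch64BuiltinFunctionCall(unsigned BuiltinID,
                                           CallExpr *TheCall) {
  if (CheckNeonBuiltinFunctionCall(BuiltinID, TheCall))
    return true;

  return false;
}

/// Check a call to __builtin_arm_ldrex / __builtin_arm_strex (ARM or ARM64
/// flavour) and rewrite its arguments and result type.
///
/// The pointer argument is cast to "const volatile T*" (ldrex) or
/// "volatile T*" (strex); T must be an integer, floating or pointer type no
/// wider than \p MaxWidth bits and must not carry an ObjC ownership
/// qualifier. For strex the stored value is copy-initialized to T and the
/// call's type is int; for ldrex the call's type is T.
///
/// \returns true if the call is invalid, false otherwise.
bool Sema::CheckARMBuiltinExclusiveCall(unsigned BuiltinID, CallExpr *TheCall,
                                        unsigned MaxWidth) {
  assert((BuiltinID == ARM::BI__builtin_arm_ldrex ||
          BuiltinID == ARM::BI__builtin_arm_strex ||
          BuiltinID == ARM64::BI__builtin_arm_ldrex ||
          BuiltinID == ARM64::BI__builtin_arm_strex) &&
         "unexpected ARM builtin");
  bool IsLdrex = BuiltinID == ARM::BI__builtin_arm_ldrex ||
                 BuiltinID == ARM64::BI__builtin_arm_ldrex;

  DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts());

  // Ensure that we have the proper number of arguments.
  if (checkArgCount(*this, TheCall, IsLdrex ? 1 : 2))
    return true;

  // Inspect the pointer argument of the atomic builtin.  This should always be
  // a pointer type, whose element is an integral scalar or pointer type.
  // Because it is a pointer type, we don't have to worry about any implicit
  // casts here.
  Expr *PointerArg = TheCall->getArg(IsLdrex ? 0 : 1);
  ExprResult PointerArgRes = DefaultFunctionArrayLvalueConversion(PointerArg);
  if (PointerArgRes.isInvalid())
    return true;
  PointerArg = PointerArgRes.take();

  const PointerType *pointerType = PointerArg->getType()->getAs<PointerType>();
  if (!pointerType) {
    Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer)
      << PointerArg->getType() << PointerArg->getSourceRange();
    return true;
  }

  // ldrex takes a "const volatile T*" and strex takes a "volatile T*". Our next
  // task is to insert the appropriate casts into the AST. First work out just
  // what the appropriate type is.
  QualType ValType = pointerType->getPointeeType();
  QualType AddrType = ValType.getUnqualifiedType().withVolatile();
  if (IsLdrex)
    AddrType.addConst();

  // Issue a warning if the cast is dodgy.
  CastKind CastNeeded = CK_NoOp;
  if (!AddrType.isAtLeastAsQualifiedAs(ValType)) {
    CastNeeded = CK_BitCast;
    Diag(DRE->getLocStart(), diag::ext_typecheck_convert_discards_qualifiers)
      << PointerArg->getType()
      << Context.getPointerType(AddrType)
      << AA_Passing << PointerArg->getSourceRange();
  }

  // Finally, do the cast and replace the argument with the corrected version.
  AddrType = Context.getPointerType(AddrType);
  PointerArgRes = ImpCastExprToType(PointerArg, AddrType, CastNeeded);
  if (PointerArgRes.isInvalid())
    return true;
  PointerArg = PointerArgRes.take();

  TheCall->setArg(IsLdrex ? 0 : 1, PointerArg);

  // In general, we allow ints, floats and pointers to be loaded and stored.
  if (!ValType->isIntegerType() && !ValType->isAnyPointerType() &&
      !ValType->isBlockPointerType() && !ValType->isFloatingType()) {
    Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer_intfltptr)
      << PointerArg->getType() << PointerArg->getSourceRange();
    return true;
  }

  // But ARM doesn't have instructions to deal with 128-bit versions.
  if (Context.getTypeSize(ValType) > MaxWidth) {
    assert(MaxWidth == 64 && "Diagnostic unexpectedly inaccurate");
    Diag(DRE->getLocStart(), diag::err_atomic_exclusive_builtin_pointer_size)
      << PointerArg->getType() << PointerArg->getSourceRange();
    return true;
  }

  switch (ValType.getObjCLifetime()) {
  case Qualifiers::OCL_None:
  case Qualifiers::OCL_ExplicitNone:
    // okay
    break;

  case Qualifiers::OCL_Weak:
  case Qualifiers::OCL_Strong:
  case Qualifiers::OCL_Autoreleasing:
    Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership)
      << ValType << PointerArg->getSourceRange();
    return true;
  }


  if (IsLdrex) {
    TheCall->setType(ValType);
    return false;
  }

  // Initialize the argument to be stored.
  ExprResult ValArg = TheCall->getArg(0);
  InitializedEntity Entity = InitializedEntity::InitializeParameter(
      Context, ValType, /*consume*/ false);
  ValArg = PerformCopyInitialization(Entity, SourceLocation(), ValArg);
  if (ValArg.isInvalid())
    return true;
  TheCall->setArg(0, ValArg.get());

  // __builtin_arm_strex always returns an int. It's marked as such in the .def,
  // but the custom checker bypasses all default analysis.
  TheCall->setType(Context.IntTy);
  return false;
}

/// Check a call to an ARM target builtin: the exclusive load/store builtins
/// (limited to 64 bits), the shared NEON checks, and the immediate ranges of
/// the non-NEON builtins listed in the switch below.
///
/// \returns true if the call is invalid, false otherwise.
bool Sema::CheckARMBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) {
  llvm::APSInt Result;

  if (BuiltinID == ARM::BI__builtin_arm_ldrex ||
      BuiltinID == ARM::BI__builtin_arm_strex) {
    return CheckARMBuiltinExclusiveCall(BuiltinID, TheCall, 64);
  }

  if (CheckNeonBuiltinFunctionCall(BuiltinID, TheCall))
    return true;

  // For NEON intrinsics which take an immediate value as part of the
  // instruction, range check them here.
  // i is the index of the immediate argument, l its lower bound and u the
  // width of the accepted range, so valid values are l .. l + u.
  unsigned i = 0, l = 0, u = 0;
  switch (BuiltinID) {
  default: return false;
  case ARM::BI__builtin_arm_ssat: i = 1; l = 1; u = 31; break;
  case ARM::BI__builtin_arm_usat: i = 1; u = 31; break;
  case ARM::BI__builtin_arm_vcvtr_f:
  case ARM::BI__builtin_arm_vcvtr_d: i = 1; u = 1; break;
  case ARM::BI__builtin_arm_dmb:
  case ARM::BI__builtin_arm_dsb: l = 0; u = 15; break;
  }

  // We can't check the value of a dependent argument.
  if (TheCall->getArg(i)->isTypeDependent() ||
      TheCall->getArg(i)->isValueDependent())
    return false;

  // Check that the immediate argument is actually a constant.
  if (SemaBuiltinConstantArg(TheCall, i, Result))
    return true;

  // Range check against the upper/lower values for this instruction.
  // The value is kept at 64 bits: narrowing it to 'unsigned' first would let
  // a constant wider than 'unsigned' wrap into the accepted range.
  uint64_t Val = Result.getZExtValue();
  if (Val < l || Val > (u + l))
    return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range)
      << l << u+l << TheCall->getArg(i)->getSourceRange();

  // FIXME: VFP Intrinsics should error if VFP not present.
  return false;
}

/// Check a call to an ARM64 target builtin: the exclusive load/store builtins
/// (up to 128 bits) and the shared NEON checks.
///
/// \returns true if the call is invalid, false otherwise.
bool Sema::CheckARM64BuiltinFunctionCall(unsigned BuiltinID,
                                         CallExpr *TheCall) {
  llvm::APSInt Result;

  if (BuiltinID == ARM64::BI__builtin_arm_ldrex ||
      BuiltinID == ARM64::BI__builtin_arm_strex) {
    return CheckARMBuiltinExclusiveCall(BuiltinID, TheCall, 128);
  }

  if (CheckNeonBuiltinFunctionCall(BuiltinID, TheCall))
    return true;

  return false;
}

/// Range check the immediate operand of the MIPS builtins listed in the
/// switch below; every other builtin is accepted unchecked.
///
/// Unlike the ARM checkers, u here is the inclusive upper bound itself
/// (valid values are l .. u).
///
/// \returns true if the call is invalid, false otherwise.
bool Sema::CheckMipsBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) {
  unsigned i = 0, l = 0, u = 0;
  switch (BuiltinID) {
  default: return false;
  case Mips::BI__builtin_mips_wrdsp: i = 1; l = 0; u = 63; break;
  case Mips::BI__builtin_mips_rddsp: i = 0; l = 0; u = 63; break;
  case Mips::BI__builtin_mips_append: i = 2; l = 0; u = 31; break;
  case Mips::BI__builtin_mips_balign: i = 2; l = 0; u = 3; break;
  case Mips::BI__builtin_mips_precr_sra_ph_w: i = 2; l = 0; u = 31; break;
  case Mips::BI__builtin_mips_precr_sra_r_ph_w: i = 2; l = 0; u = 31; break;
  case Mips::BI__builtin_mips_prepend: i = 2; l = 0; u = 31; break;
  }

  // We can't check the value of a dependent argument.
  if (TheCall->getArg(i)->isTypeDependent() ||
      TheCall->getArg(i)->isValueDependent())
    return false;

  // Check that the immediate argument is actually a constant.
  llvm::APSInt Result;
  if (SemaBuiltinConstantArg(TheCall, i, Result))
    return true;

  // Range check against the upper/lower values for this instruction.
  // The value is kept at 64 bits: narrowing it to 'unsigned' first would let
  // a constant wider than 'unsigned' wrap into the accepted range.
  uint64_t Val = Result.getZExtValue();
  if (Val < l || Val > u)
    return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range)
      << l << u << TheCall->getArg(i)->getSourceRange();

  return false;
}

/// Check a call to an x86 target builtin. Only _mm_prefetch has a dedicated
/// check; every other builtin is accepted.
///
/// \returns true if the call is invalid, false otherwise.
bool Sema::CheckX86BuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) {
  switch (BuiltinID) {
  case X86::BI_mm_prefetch:
    return SemaBuiltinMMPrefetch(TheCall);
  }
  return false;
}

/// Given a FunctionDecl's FormatAttr, attempts to populate the
/// FormatStringInfo parameter with the FormatAttr's correct format_idx and
/// firstDataArg. The attribute's 1-based indices are converted to 0-based
/// ones, and a first-argument index of 0 is recorded as HasVAListArg.
/// Returns true when the format fits the function and the FormatStringInfo has
/// been populated.
bool Sema::getFormatStringInfo(const FormatAttr *Format, bool IsCXXMember,
                               FormatStringInfo *FSI) {
  FSI->HasVAListArg = Format->getFirstArg() == 0;
  FSI->FormatIdx = Format->getFormatIdx() - 1;
  FSI->FirstDataArg = FSI->HasVAListArg ? 0 : Format->getFirstArg() - 1;

  // The way the format attribute works in GCC, the implicit this argument
  // of member functions is counted. However, it doesn't appear in our own
  // lists, so decrement format_idx in that case.
  if (IsCXXMember) {
    // An index of 0 would name the implicit 'this', which cannot be the
    // format string.
    if(FSI->FormatIdx == 0)
      return false;
    --FSI->FormatIdx;
    if (FSI->FirstDataArg != 0)
      --FSI->FirstDataArg;
  }
  return true;
}

/// Checks if the given expression evaluates to null.
///
/// \brief Returns true if the value evaluates to null.
///
/// Value-dependent expressions, and expressions that cannot be evaluated as
/// a boolean condition, are reported as not null.
static bool CheckNonNullExpr(Sema &S,
                             const Expr *Expr) {
  // As a special case, transparent unions initialized with zero are
  // considered null for the purposes of the nonnull attribute.
  if (const RecordType *UT = Expr->getType()->getAsUnionType()) {
    if (UT->getDecl()->hasAttr<TransparentUnionAttr>())
      if (const CompoundLiteralExpr *CLE =
          dyn_cast<CompoundLiteralExpr>(Expr))
        if (const InitListExpr *ILE =
            dyn_cast<InitListExpr>(CLE->getInitializer()))
          Expr = ILE->getInit(0);
  }

  bool Result;
  return (!Expr->isValueDependent() &&
          Expr->EvaluateAsBooleanCondition(Result, S.Context) &&
          !Result);
}

/// Warn at \p CallSiteLoc if \p ArgExpr, passed for a nonnull parameter,
/// evaluates to null.
static void CheckNonNullArgument(Sema &S,
                                 const Expr *ArgExpr,
                                 SourceLocation CallSiteLoc) {
  // Sema::checkCall, which feeds this helper, notes that argument slots can
  // be null in malformed code; there is nothing to evaluate in that case.
  if (!ArgExpr)
    return;

  if (CheckNonNullExpr(S, ArgExpr))
    S.Diag(CallSiteLoc, diag::warn_null_arg) << ArgExpr->getSourceRange();
}

/// Apply CheckNonNullArgument to every argument that \p FDecl marks nonnull,
/// either through a NonNullAttr on the declaration or through one on an
/// individual parameter.
///
/// NOTE(review): \p ExprArgs carries no length, so both loops index it on
/// trust: the attribute's argument indices and the declaration's parameter
/// count are assumed not to exceed the number of arguments at the call site.
/// A call with fewer arguments than that would read past the array; passing
/// the argument count (or an ArrayRef) and skipping out-of-range indices
/// would close this -- it needs a matching change at the call in checkCall.
static void CheckNonNullArguments(Sema &S,
                                  const NamedDecl *FDecl,
                                  const Expr * const *ExprArgs,
                                  SourceLocation CallSiteLoc) {
  // Check the attributes attached to the method/function itself.
  for (const auto *NonNull : FDecl->specific_attrs<NonNullAttr>()) {
    for (NonNullAttr::args_iterator i = NonNull->args_begin(),
                                    e = NonNull->args_end();
         i != e; ++i) {
      CheckNonNullArgument(S, ExprArgs[*i], CallSiteLoc);
    }
  }

  // Check the attributes on the parameters.
  ArrayRef<ParmVarDecl*> parms;
  if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(FDecl))
    parms = FD->parameters();
  else if (const ObjCMethodDecl *MD = dyn_cast<ObjCMethodDecl>(FDecl))
    parms = MD->parameters();

  unsigned argIndex = 0;
  for (ArrayRef<ParmVarDecl*>::iterator I = parms.begin(), E = parms.end();
       I != E; ++I, ++argIndex) {
    const ParmVarDecl *PVD = *I;
    if (PVD->hasAttr<NonNullAttr>())
      CheckNonNullArgument(S, ExprArgs[argIndex], CallSiteLoc);
  }
}

/// Handles the checks for format strings, non-POD arguments to vararg
/// functions, and NULL arguments passed to non-NULL parameters.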
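void Sema::checkCall(NamedDecl *FDecl, ArrayRef<const Expr *> Args,
                     unsigned NumParams, bool IsMemberFunction,
                     SourceLocation Loc, SourceRange Range,
                     VariadicCallType CallType) {
  // FIXME: We should check as much as we can in the template definition.
  if (CurContext->isDependentContext())
    return;

  // Printf and scanf checking.
  llvm::SmallBitVector CheckedVarArgs;
  if (FDecl) {
    for (const auto *I : FDecl->specific_attrs<FormatAttr>()) {
      // Only create vector if there are format attributes.
      CheckedVarArgs.resize(Args.size());

      CheckFormatArguments(I, Args, IsMemberFunction, CallType, Loc, Range,
                           CheckedVarArgs);
    }
  }

  // Refuse non-POD arguments that weren't caught by the format string
  // checks above.
  if (CallType != VariadicDoesNotApply) {
    for (unsigned ArgIdx = NumParams; ArgIdx < Args.size(); ++ArgIdx) {
      // Args[ArgIdx] can be null in malformed code.
      if (const Expr *Arg = Args[ArgIdx]) {
        if (CheckedVarArgs.empty() || !CheckedVarArgs[ArgIdx])
          checkVariadicArgument(Arg, CallType);
      }
    }
  }

  if (FDecl) {
    // NOTE(review): only the raw pointer is handed over here, so the nonnull
    // check cannot see Args.size() and indexes the array by attribute and
    // parameter position alone.
    CheckNonNullArguments(*this, FDecl, Args.data(), Loc);

    // Type safety checking.
    for (const auto *I : FDecl->specific_attrs<ArgumentWithTypeTagAttr>())
      CheckArgumentWithTypeTag(I, Args.data());
  }
}

/// CheckConstructorCall - Check a constructor call for correctness and safety
/// properties not enforced by the C type system.
///
/// Forwards to checkCall as a member-function call with an empty source
/// range; the call is treated as variadic only when \p Proto is.
void Sema::CheckConstructorCall(FunctionDecl *FDecl,
                                ArrayRef<const Expr *> Args,
                                const FunctionProtoType *Proto,
                                SourceLocation Loc) {
  VariadicCallType CallType =
    Proto->isVariadic() ? VariadicConstructor : VariadicDoesNotApply;
  checkCall(FDecl, Args, Proto->getNumParams(),
            /*IsMemberFunction=*/true, Loc, SourceRange(), CallType);
}

/// CheckFunctionCall - Check a direct function call for various correctness
/// and safety properties not strictly enforced by the C type system.
///
/// Runs the generic checkCall checks, then, for functions with a simple
/// name, the absolute-value check and the checks on memory/string functions
/// (strlcpy/strlcat, strncat and the other memory-function kinds).
///
/// \returns false on every path visible here; diagnostics are emitted by the
/// individual checks.
bool Sema::CheckFunctionCall(FunctionDecl *FDecl, CallExpr *TheCall,
                             const FunctionProtoType *Proto) {
  bool IsMemberOperatorCall = isa<CXXOperatorCallExpr>(TheCall) &&
                              isa<CXXMethodDecl>(FDecl);
  bool IsMemberFunction = isa<CXXMemberCallExpr>(TheCall) ||
                          IsMemberOperatorCall;
  VariadicCallType CallType = getVariadicCallType(FDecl, Proto,
                                                  TheCall->getCallee());
  unsigned NumParams = Proto ? Proto->getNumParams() : 0;
  Expr** Args = TheCall->getArgs();
  unsigned NumArgs = TheCall->getNumArgs();
  if (IsMemberOperatorCall) {
    // If this is a call to a member operator, hide the first argument
    // from checkCall.
    // FIXME: Our choice of AST representation here is less than ideal.
    ++Args;
    --NumArgs;
  }
  checkCall(FDecl, llvm::makeArrayRef<const Expr *>(Args, NumArgs), NumParams,
            IsMemberFunction, TheCall->getRParenLoc(),
            TheCall->getCallee()->getSourceRange(), CallType);

  IdentifierInfo *FnInfo = FDecl->getIdentifier();
  // None of the checks below are needed for functions that don't have
  // simple names (e.g., C++ conversion functions).
  if (!FnInfo)
    return false;

  CheckAbsoluteValueFunction(TheCall, FDecl, FnInfo);

  unsigned CMId = FDecl->getMemoryFunctionKind();
  if (CMId == 0)
    return false;

  // Handle memory setting and copying functions.
  if (CMId == Builtin::BIstrlcpy || CMId == Builtin::BIstrlcat)
    CheckStrlcpycatArguments(TheCall, FnInfo);
  else if (CMId == Builtin::BIstrncat)
    CheckStrncatArguments(TheCall, FnInfo);
  else
    CheckMemaccessArguments(TheCall, CMId, FnInfo);

  return false;
}

/// Check an Objective-C method call by forwarding to checkCall; the call is
/// treated as variadic only when \p Method is. Always returns false.
bool Sema::CheckObjCMethodCall(ObjCMethodDecl *Method, SourceLocation lbrac,
                               ArrayRef<const Expr *> Args) {
  VariadicCallType CallType =
      Method->isVariadic() ? VariadicMethod : VariadicDoesNotApply;

  checkCall(Method, Args, Method->param_size(),
            /*IsMemberFunction=*/false,
            lbrac, Method->getSourceRange(), CallType);

  return false;
}

/// Check a call made through a variable of block-pointer or function-pointer
/// type. Any other kind of declaration is ignored. Always returns false.
bool Sema::CheckPointerCall(NamedDecl *NDecl, CallExpr *TheCall,
                            const FunctionProtoType *Proto) {
  const VarDecl *V = dyn_cast<VarDecl>(NDecl);
  if (!V)
    return false;

  QualType Ty = V->getType();
  if (!Ty->isBlockPointerType() && !Ty->isFunctionPointerType())
    return false;

  VariadicCallType CallType;
  if (!Proto || !Proto->isVariadic()) {
    CallType = VariadicDoesNotApply;
  } else if (Ty->isBlockPointerType()) {
    CallType = VariadicBlock;
  } else { // Ty->isFunctionPointerType()
    CallType = VariadicFunction;
  }
  unsigned NumParams = Proto ? Proto->getNumParams() : 0;

  checkCall(NDecl, llvm::makeArrayRef<const Expr *>(TheCall->getArgs(),
                                                    TheCall->getNumArgs()),
            NumParams, /*IsMemberFunction=*/false, TheCall->getRParenLoc(),
            TheCall->getCallee()->getSourceRange(), CallType);

  return false;
}

/// Checks function calls when a FunctionDecl or a NamedDecl is not available,
/// such as function pointers returned from functions.
///
/// With no declaration, checkCall skips the attribute-driven checks and only
/// the variadic-argument check can apply. Always returns false.
bool Sema::CheckOtherCall(CallExpr *TheCall, const FunctionProtoType *Proto) {
  // nullptr, not a literal 0, for the absent declaration; the file already
  // relies on C++11.
  VariadicCallType CallType = getVariadicCallType(/*FDecl=*/nullptr, Proto,
                                                  TheCall->getCallee());
  unsigned NumParams = Proto ? Proto->getNumParams() : 0;

  checkCall(/*FDecl=*/nullptr, llvm::makeArrayRef<const Expr *>(
                                   TheCall->getArgs(), TheCall->getNumArgs()),
            NumParams, /*IsMemberFunction=*/false, TheCall->getRParenLoc(),
            TheCall->getCallee()->getSourceRange(), CallType);

  return false;
}

/// Report whether \p Ordering is an acceptable memory-order value for atomic
/// operation \p Op.
///
/// Values outside relaxed..seq_cst are always rejected. Loads additionally
/// reject release and acq_rel; stores reject consume, acquire and acq_rel.
/// Every other operation accepts any in-range ordering. Must not be called
/// for __c11_atomic_init, which has no ordering argument.
static bool isValidOrderingForOp(int64_t Ordering, AtomicExpr::AtomicOp Op) {
  if (Ordering < AtomicExpr::AO_ABI_memory_order_relaxed ||
      Ordering > AtomicExpr::AO_ABI_memory_order_seq_cst)
    return false;

  switch (Op) {
  case AtomicExpr::AO__c11_atomic_init:
    llvm_unreachable("There is no ordering argument for an init");

  case AtomicExpr::AO__c11_atomic_load:
  case AtomicExpr::AO__atomic_load_n:
  case AtomicExpr::AO__atomic_load:
    return Ordering != AtomicExpr::AO_ABI_memory_order_release &&
           Ordering != AtomicExpr::AO_ABI_memory_order_acq_rel;

  case AtomicExpr::AO__c11_atomic_store:
  case AtomicExpr::AO__atomic_store:
  case AtomicExpr::AO__atomic_store_n:
    return Ordering != AtomicExpr::AO_ABI_memory_order_consume &&
           Ordering != AtomicExpr::AO_ABI_memory_order_acquire &&
           Ordering != AtomicExpr::AO_ABI_memory_order_acq_rel;

  default:
    return true;
  }
}

ExprResult Sema::SemaAtomicOpsOverloaded(ExprResult TheCallResult,
                                         AtomicExpr::AtomicOp Op) {
  CallExpr *TheCall = cast<CallExpr>(TheCallResult.get());
  DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts());

  // All these operations take one of the following forms:
  enum {
    // C __c11_atomic_init(A *, C)
    Init,
    // C __c11_atomic_load(A *, int)
    Load,
    // void __atomic_load(A *, CP, int)
    Copy,
    // C __c11_atomic_add(A *, M, int)
    Arithmetic,
    // C __atomic_exchange_n(A *, CP, int)
    Xchg,
    // void __atomic_exchange(A *, C *, CP, int)
    GNUXchg,
    // bool __c11_atomic_compare_exchange_strong(A *, C *, CP, int, int)
    C11CmpXchg,
    // bool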
__atomic_compare_exchange(A *, C *, CP, bool, int, int) 994 GNUCmpXchg 995 } Form = Init; 996 const unsigned NumArgs[] = { 2, 2, 3, 3, 3, 4, 5, 6 }; 997 const unsigned NumVals[] = { 1, 0, 1, 1, 1, 2, 2, 3 }; 998 // where: 999 // C is an appropriate type, 1000 // A is volatile _Atomic(C) for __c11 builtins and is C for GNU builtins, 1001 // CP is C for __c11 builtins and GNU _n builtins and is C * otherwise, 1002 // M is C if C is an integer, and ptrdiff_t if C is a pointer, and 1003 // the int parameters are for orderings. 1004 1005 assert(AtomicExpr::AO__c11_atomic_init == 0 && 1006 AtomicExpr::AO__c11_atomic_fetch_xor + 1 == AtomicExpr::AO__atomic_load 1007 && "need to update code for modified C11 atomics"); 1008 bool IsC11 = Op >= AtomicExpr::AO__c11_atomic_init && 1009 Op <= AtomicExpr::AO__c11_atomic_fetch_xor; 1010 bool IsN = Op == AtomicExpr::AO__atomic_load_n || 1011 Op == AtomicExpr::AO__atomic_store_n || 1012 Op == AtomicExpr::AO__atomic_exchange_n || 1013 Op == AtomicExpr::AO__atomic_compare_exchange_n; 1014 bool IsAddSub = false; 1015 1016 switch (Op) { 1017 case AtomicExpr::AO__c11_atomic_init: 1018 Form = Init; 1019 break; 1020 1021 case AtomicExpr::AO__c11_atomic_load: 1022 case AtomicExpr::AO__atomic_load_n: 1023 Form = Load; 1024 break; 1025 1026 case AtomicExpr::AO__c11_atomic_store: 1027 case AtomicExpr::AO__atomic_load: 1028 case AtomicExpr::AO__atomic_store: 1029 case AtomicExpr::AO__atomic_store_n: 1030 Form = Copy; 1031 break; 1032 1033 case AtomicExpr::AO__c11_atomic_fetch_add: 1034 case AtomicExpr::AO__c11_atomic_fetch_sub: 1035 case AtomicExpr::AO__atomic_fetch_add: 1036 case AtomicExpr::AO__atomic_fetch_sub: 1037 case AtomicExpr::AO__atomic_add_fetch: 1038 case AtomicExpr::AO__atomic_sub_fetch: 1039 IsAddSub = true; 1040 // Fall through. 
1041 case AtomicExpr::AO__c11_atomic_fetch_and: 1042 case AtomicExpr::AO__c11_atomic_fetch_or: 1043 case AtomicExpr::AO__c11_atomic_fetch_xor: 1044 case AtomicExpr::AO__atomic_fetch_and: 1045 case AtomicExpr::AO__atomic_fetch_or: 1046 case AtomicExpr::AO__atomic_fetch_xor: 1047 case AtomicExpr::AO__atomic_fetch_nand: 1048 case AtomicExpr::AO__atomic_and_fetch: 1049 case AtomicExpr::AO__atomic_or_fetch: 1050 case AtomicExpr::AO__atomic_xor_fetch: 1051 case AtomicExpr::AO__atomic_nand_fetch: 1052 Form = Arithmetic; 1053 break; 1054 1055 case AtomicExpr::AO__c11_atomic_exchange: 1056 case AtomicExpr::AO__atomic_exchange_n: 1057 Form = Xchg; 1058 break; 1059 1060 case AtomicExpr::AO__atomic_exchange: 1061 Form = GNUXchg; 1062 break; 1063 1064 case AtomicExpr::AO__c11_atomic_compare_exchange_strong: 1065 case AtomicExpr::AO__c11_atomic_compare_exchange_weak: 1066 Form = C11CmpXchg; 1067 break; 1068 1069 case AtomicExpr::AO__atomic_compare_exchange: 1070 case AtomicExpr::AO__atomic_compare_exchange_n: 1071 Form = GNUCmpXchg; 1072 break; 1073 } 1074 1075 // Check we have the right number of arguments. 1076 if (TheCall->getNumArgs() < NumArgs[Form]) { 1077 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 1078 << 0 << NumArgs[Form] << TheCall->getNumArgs() 1079 << TheCall->getCallee()->getSourceRange(); 1080 return ExprError(); 1081 } else if (TheCall->getNumArgs() > NumArgs[Form]) { 1082 Diag(TheCall->getArg(NumArgs[Form])->getLocStart(), 1083 diag::err_typecheck_call_too_many_args) 1084 << 0 << NumArgs[Form] << TheCall->getNumArgs() 1085 << TheCall->getCallee()->getSourceRange(); 1086 return ExprError(); 1087 } 1088 1089 // Inspect the first argument of the atomic operation. 
1090 Expr *Ptr = TheCall->getArg(0); 1091 Ptr = DefaultFunctionArrayLvalueConversion(Ptr).get(); 1092 const PointerType *pointerType = Ptr->getType()->getAs<PointerType>(); 1093 if (!pointerType) { 1094 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 1095 << Ptr->getType() << Ptr->getSourceRange(); 1096 return ExprError(); 1097 } 1098 1099 // For a __c11 builtin, this should be a pointer to an _Atomic type. 1100 QualType AtomTy = pointerType->getPointeeType(); // 'A' 1101 QualType ValType = AtomTy; // 'C' 1102 if (IsC11) { 1103 if (!AtomTy->isAtomicType()) { 1104 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic) 1105 << Ptr->getType() << Ptr->getSourceRange(); 1106 return ExprError(); 1107 } 1108 if (AtomTy.isConstQualified()) { 1109 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_non_const_atomic) 1110 << Ptr->getType() << Ptr->getSourceRange(); 1111 return ExprError(); 1112 } 1113 ValType = AtomTy->getAs<AtomicType>()->getValueType(); 1114 } 1115 1116 // For an arithmetic operation, the implied arithmetic must be well-formed. 1117 if (Form == Arithmetic) { 1118 // gcc does not enforce these rules for GNU atomics, but we do so for sanity. 1119 if (IsAddSub && !ValType->isIntegerType() && !ValType->isPointerType()) { 1120 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic_int_or_ptr) 1121 << IsC11 << Ptr->getType() << Ptr->getSourceRange(); 1122 return ExprError(); 1123 } 1124 if (!IsAddSub && !ValType->isIntegerType()) { 1125 Diag(DRE->getLocStart(), diag::err_atomic_op_bitwise_needs_atomic_int) 1126 << IsC11 << Ptr->getType() << Ptr->getSourceRange(); 1127 return ExprError(); 1128 } 1129 } else if (IsN && !ValType->isIntegerType() && !ValType->isPointerType()) { 1130 // For __atomic_*_n operations, the value type must be a scalar integral or 1131 // pointer type which is 1, 2, 4, 8 or 16 bytes in length. 
1132 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic_int_or_ptr) 1133 << IsC11 << Ptr->getType() << Ptr->getSourceRange(); 1134 return ExprError(); 1135 } 1136 1137 if (!IsC11 && !AtomTy.isTriviallyCopyableType(Context) && 1138 !AtomTy->isScalarType()) { 1139 // For GNU atomics, require a trivially-copyable type. This is not part of 1140 // the GNU atomics specification, but we enforce it for sanity. 1141 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_trivial_copy) 1142 << Ptr->getType() << Ptr->getSourceRange(); 1143 return ExprError(); 1144 } 1145 1146 // FIXME: For any builtin other than a load, the ValType must not be 1147 // const-qualified. 1148 1149 switch (ValType.getObjCLifetime()) { 1150 case Qualifiers::OCL_None: 1151 case Qualifiers::OCL_ExplicitNone: 1152 // okay 1153 break; 1154 1155 case Qualifiers::OCL_Weak: 1156 case Qualifiers::OCL_Strong: 1157 case Qualifiers::OCL_Autoreleasing: 1158 // FIXME: Can this happen? By this point, ValType should be known 1159 // to be trivially copyable. 1160 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 1161 << ValType << Ptr->getSourceRange(); 1162 return ExprError(); 1163 } 1164 1165 QualType ResultType = ValType; 1166 if (Form == Copy || Form == GNUXchg || Form == Init) 1167 ResultType = Context.VoidTy; 1168 else if (Form == C11CmpXchg || Form == GNUCmpXchg) 1169 ResultType = Context.BoolTy; 1170 1171 // The type of a parameter passed 'by value'. In the GNU atomics, such 1172 // arguments are actually passed as pointers. 1173 QualType ByValType = ValType; // 'CP' 1174 if (!IsC11 && !IsN) 1175 ByValType = Ptr->getType(); 1176 1177 // The first argument --- the pointer --- has a fixed type; we 1178 // deduce the types of the rest of the arguments accordingly. Walk 1179 // the remaining arguments, converting them to the deduced value type. 
1180 for (unsigned i = 1; i != NumArgs[Form]; ++i) { 1181 QualType Ty; 1182 if (i < NumVals[Form] + 1) { 1183 switch (i) { 1184 case 1: 1185 // The second argument is the non-atomic operand. For arithmetic, this 1186 // is always passed by value, and for a compare_exchange it is always 1187 // passed by address. For the rest, GNU uses by-address and C11 uses 1188 // by-value. 1189 assert(Form != Load); 1190 if (Form == Init || (Form == Arithmetic && ValType->isIntegerType())) 1191 Ty = ValType; 1192 else if (Form == Copy || Form == Xchg) 1193 Ty = ByValType; 1194 else if (Form == Arithmetic) 1195 Ty = Context.getPointerDiffType(); 1196 else 1197 Ty = Context.getPointerType(ValType.getUnqualifiedType()); 1198 break; 1199 case 2: 1200 // The third argument to compare_exchange / GNU exchange is a 1201 // (pointer to a) desired value. 1202 Ty = ByValType; 1203 break; 1204 case 3: 1205 // The fourth argument to GNU compare_exchange is a 'weak' flag. 1206 Ty = Context.BoolTy; 1207 break; 1208 } 1209 } else { 1210 // The order(s) are always converted to int. 1211 Ty = Context.IntTy; 1212 } 1213 1214 InitializedEntity Entity = 1215 InitializedEntity::InitializeParameter(Context, Ty, false); 1216 ExprResult Arg = TheCall->getArg(i); 1217 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg); 1218 if (Arg.isInvalid()) 1219 return true; 1220 TheCall->setArg(i, Arg.get()); 1221 } 1222 1223 // Permute the arguments into a 'consistent' order. 1224 SmallVector<Expr*, 5> SubExprs; 1225 SubExprs.push_back(Ptr); 1226 switch (Form) { 1227 case Init: 1228 // Note, AtomicExpr::getVal1() has a special case for this atomic. 
1229 SubExprs.push_back(TheCall->getArg(1)); // Val1 1230 break; 1231 case Load: 1232 SubExprs.push_back(TheCall->getArg(1)); // Order 1233 break; 1234 case Copy: 1235 case Arithmetic: 1236 case Xchg: 1237 SubExprs.push_back(TheCall->getArg(2)); // Order 1238 SubExprs.push_back(TheCall->getArg(1)); // Val1 1239 break; 1240 case GNUXchg: 1241 // Note, AtomicExpr::getVal2() has a special case for this atomic. 1242 SubExprs.push_back(TheCall->getArg(3)); // Order 1243 SubExprs.push_back(TheCall->getArg(1)); // Val1 1244 SubExprs.push_back(TheCall->getArg(2)); // Val2 1245 break; 1246 case C11CmpXchg: 1247 SubExprs.push_back(TheCall->getArg(3)); // Order 1248 SubExprs.push_back(TheCall->getArg(1)); // Val1 1249 SubExprs.push_back(TheCall->getArg(4)); // OrderFail 1250 SubExprs.push_back(TheCall->getArg(2)); // Val2 1251 break; 1252 case GNUCmpXchg: 1253 SubExprs.push_back(TheCall->getArg(4)); // Order 1254 SubExprs.push_back(TheCall->getArg(1)); // Val1 1255 SubExprs.push_back(TheCall->getArg(5)); // OrderFail 1256 SubExprs.push_back(TheCall->getArg(2)); // Val2 1257 SubExprs.push_back(TheCall->getArg(3)); // Weak 1258 break; 1259 } 1260 1261 if (SubExprs.size() >= 2 && Form != Init) { 1262 llvm::APSInt Result(32); 1263 if (SubExprs[1]->isIntegerConstantExpr(Result, Context) && 1264 !isValidOrderingForOp(Result.getSExtValue(), Op)) 1265 Diag(SubExprs[1]->getLocStart(), 1266 diag::warn_atomic_op_has_invalid_memory_order) 1267 << SubExprs[1]->getSourceRange(); 1268 } 1269 1270 AtomicExpr *AE = new (Context) AtomicExpr(TheCall->getCallee()->getLocStart(), 1271 SubExprs, ResultType, Op, 1272 TheCall->getRParenLoc()); 1273 1274 if ((Op == AtomicExpr::AO__c11_atomic_load || 1275 (Op == AtomicExpr::AO__c11_atomic_store)) && 1276 Context.AtomicUsesUnsupportedLibcall(AE)) 1277 Diag(AE->getLocStart(), diag::err_atomic_load_store_uses_lib) << 1278 ((Op == AtomicExpr::AO__c11_atomic_load) ? 
0 : 1); 1279 1280 return Owned(AE); 1281 } 1282 1283 1284 /// checkBuiltinArgument - Given a call to a builtin function, perform 1285 /// normal type-checking on the given argument, updating the call in 1286 /// place. This is useful when a builtin function requires custom 1287 /// type-checking for some of its arguments but not necessarily all of 1288 /// them. 1289 /// 1290 /// Returns true on error. 1291 static bool checkBuiltinArgument(Sema &S, CallExpr *E, unsigned ArgIndex) { 1292 FunctionDecl *Fn = E->getDirectCallee(); 1293 assert(Fn && "builtin call without direct callee!"); 1294 1295 ParmVarDecl *Param = Fn->getParamDecl(ArgIndex); 1296 InitializedEntity Entity = 1297 InitializedEntity::InitializeParameter(S.Context, Param); 1298 1299 ExprResult Arg = E->getArg(0); 1300 Arg = S.PerformCopyInitialization(Entity, SourceLocation(), Arg); 1301 if (Arg.isInvalid()) 1302 return true; 1303 1304 E->setArg(ArgIndex, Arg.take()); 1305 return false; 1306 } 1307 1308 /// SemaBuiltinAtomicOverloaded - We have a call to a function like 1309 /// __sync_fetch_and_add, which is an overloaded function based on the pointer 1310 /// type of its first argument. The main ActOnCallExpr routines have already 1311 /// promoted the types of arguments because all of these calls are prototyped as 1312 /// void(...). 1313 /// 1314 /// This function goes through and does final semantic checking for these 1315 /// builtins, 1316 ExprResult 1317 Sema::SemaBuiltinAtomicOverloaded(ExprResult TheCallResult) { 1318 CallExpr *TheCall = (CallExpr *)TheCallResult.get(); 1319 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 1320 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 1321 1322 // Ensure that we have at least one argument to do type inference from. 
1323 if (TheCall->getNumArgs() < 1) { 1324 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 1325 << 0 << 1 << TheCall->getNumArgs() 1326 << TheCall->getCallee()->getSourceRange(); 1327 return ExprError(); 1328 } 1329 1330 // Inspect the first argument of the atomic builtin. This should always be 1331 // a pointer type, whose element is an integral scalar or pointer type. 1332 // Because it is a pointer type, we don't have to worry about any implicit 1333 // casts here. 1334 // FIXME: We don't allow floating point scalars as input. 1335 Expr *FirstArg = TheCall->getArg(0); 1336 ExprResult FirstArgResult = DefaultFunctionArrayLvalueConversion(FirstArg); 1337 if (FirstArgResult.isInvalid()) 1338 return ExprError(); 1339 FirstArg = FirstArgResult.take(); 1340 TheCall->setArg(0, FirstArg); 1341 1342 const PointerType *pointerType = FirstArg->getType()->getAs<PointerType>(); 1343 if (!pointerType) { 1344 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 1345 << FirstArg->getType() << FirstArg->getSourceRange(); 1346 return ExprError(); 1347 } 1348 1349 QualType ValType = pointerType->getPointeeType(); 1350 if (!ValType->isIntegerType() && !ValType->isAnyPointerType() && 1351 !ValType->isBlockPointerType()) { 1352 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer_intptr) 1353 << FirstArg->getType() << FirstArg->getSourceRange(); 1354 return ExprError(); 1355 } 1356 1357 switch (ValType.getObjCLifetime()) { 1358 case Qualifiers::OCL_None: 1359 case Qualifiers::OCL_ExplicitNone: 1360 // okay 1361 break; 1362 1363 case Qualifiers::OCL_Weak: 1364 case Qualifiers::OCL_Strong: 1365 case Qualifiers::OCL_Autoreleasing: 1366 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 1367 << ValType << FirstArg->getSourceRange(); 1368 return ExprError(); 1369 } 1370 1371 // Strip any qualifiers off ValType. 
1372 ValType = ValType.getUnqualifiedType(); 1373 1374 // The majority of builtins return a value, but a few have special return 1375 // types, so allow them to override appropriately below. 1376 QualType ResultType = ValType; 1377 1378 // We need to figure out which concrete builtin this maps onto. For example, 1379 // __sync_fetch_and_add with a 2 byte object turns into 1380 // __sync_fetch_and_add_2. 1381 #define BUILTIN_ROW(x) \ 1382 { Builtin::BI##x##_1, Builtin::BI##x##_2, Builtin::BI##x##_4, \ 1383 Builtin::BI##x##_8, Builtin::BI##x##_16 } 1384 1385 static const unsigned BuiltinIndices[][5] = { 1386 BUILTIN_ROW(__sync_fetch_and_add), 1387 BUILTIN_ROW(__sync_fetch_and_sub), 1388 BUILTIN_ROW(__sync_fetch_and_or), 1389 BUILTIN_ROW(__sync_fetch_and_and), 1390 BUILTIN_ROW(__sync_fetch_and_xor), 1391 1392 BUILTIN_ROW(__sync_add_and_fetch), 1393 BUILTIN_ROW(__sync_sub_and_fetch), 1394 BUILTIN_ROW(__sync_and_and_fetch), 1395 BUILTIN_ROW(__sync_or_and_fetch), 1396 BUILTIN_ROW(__sync_xor_and_fetch), 1397 1398 BUILTIN_ROW(__sync_val_compare_and_swap), 1399 BUILTIN_ROW(__sync_bool_compare_and_swap), 1400 BUILTIN_ROW(__sync_lock_test_and_set), 1401 BUILTIN_ROW(__sync_lock_release), 1402 BUILTIN_ROW(__sync_swap) 1403 }; 1404 #undef BUILTIN_ROW 1405 1406 // Determine the index of the size. 1407 unsigned SizeIndex; 1408 switch (Context.getTypeSizeInChars(ValType).getQuantity()) { 1409 case 1: SizeIndex = 0; break; 1410 case 2: SizeIndex = 1; break; 1411 case 4: SizeIndex = 2; break; 1412 case 8: SizeIndex = 3; break; 1413 case 16: SizeIndex = 4; break; 1414 default: 1415 Diag(DRE->getLocStart(), diag::err_atomic_builtin_pointer_size) 1416 << FirstArg->getType() << FirstArg->getSourceRange(); 1417 return ExprError(); 1418 } 1419 1420 // Each of these builtins has one pointer argument, followed by some number of 1421 // values (0, 1 or 2) followed by a potentially empty varags list of stuff 1422 // that we ignore. 
Find out which row of BuiltinIndices to read from as well 1423 // as the number of fixed args. 1424 unsigned BuiltinID = FDecl->getBuiltinID(); 1425 unsigned BuiltinIndex, NumFixed = 1; 1426 switch (BuiltinID) { 1427 default: llvm_unreachable("Unknown overloaded atomic builtin!"); 1428 case Builtin::BI__sync_fetch_and_add: 1429 case Builtin::BI__sync_fetch_and_add_1: 1430 case Builtin::BI__sync_fetch_and_add_2: 1431 case Builtin::BI__sync_fetch_and_add_4: 1432 case Builtin::BI__sync_fetch_and_add_8: 1433 case Builtin::BI__sync_fetch_and_add_16: 1434 BuiltinIndex = 0; 1435 break; 1436 1437 case Builtin::BI__sync_fetch_and_sub: 1438 case Builtin::BI__sync_fetch_and_sub_1: 1439 case Builtin::BI__sync_fetch_and_sub_2: 1440 case Builtin::BI__sync_fetch_and_sub_4: 1441 case Builtin::BI__sync_fetch_and_sub_8: 1442 case Builtin::BI__sync_fetch_and_sub_16: 1443 BuiltinIndex = 1; 1444 break; 1445 1446 case Builtin::BI__sync_fetch_and_or: 1447 case Builtin::BI__sync_fetch_and_or_1: 1448 case Builtin::BI__sync_fetch_and_or_2: 1449 case Builtin::BI__sync_fetch_and_or_4: 1450 case Builtin::BI__sync_fetch_and_or_8: 1451 case Builtin::BI__sync_fetch_and_or_16: 1452 BuiltinIndex = 2; 1453 break; 1454 1455 case Builtin::BI__sync_fetch_and_and: 1456 case Builtin::BI__sync_fetch_and_and_1: 1457 case Builtin::BI__sync_fetch_and_and_2: 1458 case Builtin::BI__sync_fetch_and_and_4: 1459 case Builtin::BI__sync_fetch_and_and_8: 1460 case Builtin::BI__sync_fetch_and_and_16: 1461 BuiltinIndex = 3; 1462 break; 1463 1464 case Builtin::BI__sync_fetch_and_xor: 1465 case Builtin::BI__sync_fetch_and_xor_1: 1466 case Builtin::BI__sync_fetch_and_xor_2: 1467 case Builtin::BI__sync_fetch_and_xor_4: 1468 case Builtin::BI__sync_fetch_and_xor_8: 1469 case Builtin::BI__sync_fetch_and_xor_16: 1470 BuiltinIndex = 4; 1471 break; 1472 1473 case Builtin::BI__sync_add_and_fetch: 1474 case Builtin::BI__sync_add_and_fetch_1: 1475 case Builtin::BI__sync_add_and_fetch_2: 1476 case Builtin::BI__sync_add_and_fetch_4: 
1477 case Builtin::BI__sync_add_and_fetch_8: 1478 case Builtin::BI__sync_add_and_fetch_16: 1479 BuiltinIndex = 5; 1480 break; 1481 1482 case Builtin::BI__sync_sub_and_fetch: 1483 case Builtin::BI__sync_sub_and_fetch_1: 1484 case Builtin::BI__sync_sub_and_fetch_2: 1485 case Builtin::BI__sync_sub_and_fetch_4: 1486 case Builtin::BI__sync_sub_and_fetch_8: 1487 case Builtin::BI__sync_sub_and_fetch_16: 1488 BuiltinIndex = 6; 1489 break; 1490 1491 case Builtin::BI__sync_and_and_fetch: 1492 case Builtin::BI__sync_and_and_fetch_1: 1493 case Builtin::BI__sync_and_and_fetch_2: 1494 case Builtin::BI__sync_and_and_fetch_4: 1495 case Builtin::BI__sync_and_and_fetch_8: 1496 case Builtin::BI__sync_and_and_fetch_16: 1497 BuiltinIndex = 7; 1498 break; 1499 1500 case Builtin::BI__sync_or_and_fetch: 1501 case Builtin::BI__sync_or_and_fetch_1: 1502 case Builtin::BI__sync_or_and_fetch_2: 1503 case Builtin::BI__sync_or_and_fetch_4: 1504 case Builtin::BI__sync_or_and_fetch_8: 1505 case Builtin::BI__sync_or_and_fetch_16: 1506 BuiltinIndex = 8; 1507 break; 1508 1509 case Builtin::BI__sync_xor_and_fetch: 1510 case Builtin::BI__sync_xor_and_fetch_1: 1511 case Builtin::BI__sync_xor_and_fetch_2: 1512 case Builtin::BI__sync_xor_and_fetch_4: 1513 case Builtin::BI__sync_xor_and_fetch_8: 1514 case Builtin::BI__sync_xor_and_fetch_16: 1515 BuiltinIndex = 9; 1516 break; 1517 1518 case Builtin::BI__sync_val_compare_and_swap: 1519 case Builtin::BI__sync_val_compare_and_swap_1: 1520 case Builtin::BI__sync_val_compare_and_swap_2: 1521 case Builtin::BI__sync_val_compare_and_swap_4: 1522 case Builtin::BI__sync_val_compare_and_swap_8: 1523 case Builtin::BI__sync_val_compare_and_swap_16: 1524 BuiltinIndex = 10; 1525 NumFixed = 2; 1526 break; 1527 1528 case Builtin::BI__sync_bool_compare_and_swap: 1529 case Builtin::BI__sync_bool_compare_and_swap_1: 1530 case Builtin::BI__sync_bool_compare_and_swap_2: 1531 case Builtin::BI__sync_bool_compare_and_swap_4: 1532 case Builtin::BI__sync_bool_compare_and_swap_8: 1533 
case Builtin::BI__sync_bool_compare_and_swap_16: 1534 BuiltinIndex = 11; 1535 NumFixed = 2; 1536 ResultType = Context.BoolTy; 1537 break; 1538 1539 case Builtin::BI__sync_lock_test_and_set: 1540 case Builtin::BI__sync_lock_test_and_set_1: 1541 case Builtin::BI__sync_lock_test_and_set_2: 1542 case Builtin::BI__sync_lock_test_and_set_4: 1543 case Builtin::BI__sync_lock_test_and_set_8: 1544 case Builtin::BI__sync_lock_test_and_set_16: 1545 BuiltinIndex = 12; 1546 break; 1547 1548 case Builtin::BI__sync_lock_release: 1549 case Builtin::BI__sync_lock_release_1: 1550 case Builtin::BI__sync_lock_release_2: 1551 case Builtin::BI__sync_lock_release_4: 1552 case Builtin::BI__sync_lock_release_8: 1553 case Builtin::BI__sync_lock_release_16: 1554 BuiltinIndex = 13; 1555 NumFixed = 0; 1556 ResultType = Context.VoidTy; 1557 break; 1558 1559 case Builtin::BI__sync_swap: 1560 case Builtin::BI__sync_swap_1: 1561 case Builtin::BI__sync_swap_2: 1562 case Builtin::BI__sync_swap_4: 1563 case Builtin::BI__sync_swap_8: 1564 case Builtin::BI__sync_swap_16: 1565 BuiltinIndex = 14; 1566 break; 1567 } 1568 1569 // Now that we know how many fixed arguments we expect, first check that we 1570 // have at least that many. 1571 if (TheCall->getNumArgs() < 1+NumFixed) { 1572 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 1573 << 0 << 1+NumFixed << TheCall->getNumArgs() 1574 << TheCall->getCallee()->getSourceRange(); 1575 return ExprError(); 1576 } 1577 1578 // Get the decl for the concrete builtin from this, we can tell what the 1579 // concrete integer type we should convert to is. 1580 unsigned NewBuiltinID = BuiltinIndices[BuiltinIndex][SizeIndex]; 1581 const char *NewBuiltinName = Context.BuiltinInfo.GetName(NewBuiltinID); 1582 FunctionDecl *NewBuiltinDecl; 1583 if (NewBuiltinID == BuiltinID) 1584 NewBuiltinDecl = FDecl; 1585 else { 1586 // Perform builtin lookup to avoid redeclaring it. 
1587 DeclarationName DN(&Context.Idents.get(NewBuiltinName)); 1588 LookupResult Res(*this, DN, DRE->getLocStart(), LookupOrdinaryName); 1589 LookupName(Res, TUScope, /*AllowBuiltinCreation=*/true); 1590 assert(Res.getFoundDecl()); 1591 NewBuiltinDecl = dyn_cast<FunctionDecl>(Res.getFoundDecl()); 1592 if (NewBuiltinDecl == 0) 1593 return ExprError(); 1594 } 1595 1596 // The first argument --- the pointer --- has a fixed type; we 1597 // deduce the types of the rest of the arguments accordingly. Walk 1598 // the remaining arguments, converting them to the deduced value type. 1599 for (unsigned i = 0; i != NumFixed; ++i) { 1600 ExprResult Arg = TheCall->getArg(i+1); 1601 1602 // GCC does an implicit conversion to the pointer or integer ValType. This 1603 // can fail in some cases (1i -> int**), check for this error case now. 1604 // Initialize the argument. 1605 InitializedEntity Entity = InitializedEntity::InitializeParameter(Context, 1606 ValType, /*consume*/ false); 1607 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg); 1608 if (Arg.isInvalid()) 1609 return ExprError(); 1610 1611 // Okay, we have something that *can* be converted to the right type. Check 1612 // to see if there is a potentially weird extension going on here. This can 1613 // happen when you do an atomic operation on something like an char* and 1614 // pass in 42. The 42 gets converted to char. This is even more strange 1615 // for things like 45.123 -> char, etc. 1616 // FIXME: Do this check. 1617 TheCall->setArg(i+1, Arg.take()); 1618 } 1619 1620 ASTContext& Context = this->getASTContext(); 1621 1622 // Create a new DeclRefExpr to refer to the new decl. 1623 DeclRefExpr* NewDRE = DeclRefExpr::Create( 1624 Context, 1625 DRE->getQualifierLoc(), 1626 SourceLocation(), 1627 NewBuiltinDecl, 1628 /*enclosing*/ false, 1629 DRE->getLocation(), 1630 Context.BuiltinFnTy, 1631 DRE->getValueKind()); 1632 1633 // Set the callee in the CallExpr. 1634 // FIXME: This loses syntactic information. 
1635 QualType CalleePtrTy = Context.getPointerType(NewBuiltinDecl->getType()); 1636 ExprResult PromotedCall = ImpCastExprToType(NewDRE, CalleePtrTy, 1637 CK_BuiltinFnToFnPtr); 1638 TheCall->setCallee(PromotedCall.take()); 1639 1640 // Change the result type of the call to match the original value type. This 1641 // is arbitrary, but the codegen for these builtins ins design to handle it 1642 // gracefully. 1643 TheCall->setType(ResultType); 1644 1645 return TheCallResult; 1646 } 1647 1648 /// CheckObjCString - Checks that the argument to the builtin 1649 /// CFString constructor is correct 1650 /// Note: It might also make sense to do the UTF-16 conversion here (would 1651 /// simplify the backend). 1652 bool Sema::CheckObjCString(Expr *Arg) { 1653 Arg = Arg->IgnoreParenCasts(); 1654 StringLiteral *Literal = dyn_cast<StringLiteral>(Arg); 1655 1656 if (!Literal || !Literal->isAscii()) { 1657 Diag(Arg->getLocStart(), diag::err_cfstring_literal_not_string_constant) 1658 << Arg->getSourceRange(); 1659 return true; 1660 } 1661 1662 if (Literal->containsNonAsciiOrNull()) { 1663 StringRef String = Literal->getString(); 1664 unsigned NumBytes = String.size(); 1665 SmallVector<UTF16, 128> ToBuf(NumBytes); 1666 const UTF8 *FromPtr = (const UTF8 *)String.data(); 1667 UTF16 *ToPtr = &ToBuf[0]; 1668 1669 ConversionResult Result = ConvertUTF8toUTF16(&FromPtr, FromPtr + NumBytes, 1670 &ToPtr, ToPtr + NumBytes, 1671 strictConversion); 1672 // Check for conversion failure. 1673 if (Result != conversionOK) 1674 Diag(Arg->getLocStart(), 1675 diag::warn_cfstring_truncated) << Arg->getSourceRange(); 1676 } 1677 return false; 1678 } 1679 1680 /// SemaBuiltinVAStart - Check the arguments to __builtin_va_start for validity. 1681 /// Emit an error and return true on failure, return false on success. 
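bool Sema::SemaBuiltinVAStart(CallExpr *TheCall) {
  // Validates a call to the va_start builtin: exactly two arguments, used
  // inside a variadic function, block or method, with the second argument
  // expected to name the last named parameter. Returns true if an error was
  // diagnosed, false otherwise (warnings do not fail the check).
  Expr *Fn = TheCall->getCallee();
  if (TheCall->getNumArgs() > 2) {
    Diag(TheCall->getArg(2)->getLocStart(),
         diag::err_typecheck_call_too_many_args)
      << 0 /*function call*/ << 2 << TheCall->getNumArgs()
      << Fn->getSourceRange()
      << SourceRange(TheCall->getArg(2)->getLocStart(),
                     (*(TheCall->arg_end()-1))->getLocEnd());
    return true;
  }

  if (TheCall->getNumArgs() < 2) {
    return Diag(TheCall->getLocEnd(),
      diag::err_typecheck_call_too_few_args_at_least)
      << 0 /*function call*/ << 2 << TheCall->getNumArgs();
  }

  // Type-check the first argument normally.
  if (checkBuiltinArgument(*this, TheCall, 0))
    return true;

  // Determine whether the current function is variadic or not.
  // If the call is not inside a block, function or method at all, none of the
  // lookups below yields a declaration; treat that as "not variadic" instead
  // of dereferencing a null method declaration.
  BlockScopeInfo *CurBlock = getCurBlock();
  bool isVariadic = false;
  if (CurBlock)
    isVariadic = CurBlock->TheDecl->isVariadic();
  else if (FunctionDecl *FD = getCurFunctionDecl())
    isVariadic = FD->isVariadic();
  else if (ObjCMethodDecl *MD = getCurMethodDecl())
    isVariadic = MD->isVariadic();

  if (!isVariadic) {
    Diag(Fn->getLocStart(), diag::err_va_start_used_in_non_variadic_function);
    return true;
  }

  // Verify that the second argument to the builtin is the last argument of the
  // current function or method.
  bool SecondArgIsLastNamedArgument = false;
  const Expr *Arg = TheCall->getArg(1)->IgnoreParenCasts();

  // These are valid if SecondArgIsLastNamedArgument is false after the next
  // block.
  QualType Type;
  SourceLocation ParamLoc;

  if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Arg)) {
    if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(DR->getDecl())) {
      // FIXME: This isn't correct for methods (results in bogus warning).
      // Get the last formal in the current function.
      // A variadic callee may have no named parameters at all, in which case
      // param_end()-1 would step before the start of the parameter list.
      // LastArg stays null then, so the comparison below fails and the
      // "not last named argument" warning is emitted.
      const ParmVarDecl *LastArg = nullptr;
      if (CurBlock) {
        if (CurBlock->TheDecl->param_begin() != CurBlock->TheDecl->param_end())
          LastArg = *(CurBlock->TheDecl->param_end()-1);
      } else if (FunctionDecl *FD = getCurFunctionDecl()) {
        if (FD->param_begin() != FD->param_end())
          LastArg = *(FD->param_end()-1);
      } else if (ObjCMethodDecl *MD = getCurMethodDecl()) {
        if (MD->param_begin() != MD->param_end())
          LastArg = *(MD->param_end()-1);
      }
      SecondArgIsLastNamedArgument = PV == LastArg;

      Type = PV->getType();
      ParamLoc = PV->getLocation();
    }
  }

  if (!SecondArgIsLastNamedArgument)
    Diag(TheCall->getArg(1)->getLocStart(),
         diag::warn_second_parameter_of_va_start_not_last_named_argument);
  else if (Type->isReferenceType()) {
    Diag(Arg->getLocStart(),
         diag::warn_va_start_of_reference_type_is_undefined);
    Diag(ParamLoc, diag::note_parameter_type) << Type;
  }

  TheCall->setType(Context.VoidTy);
  return false;
}

/// SemaBuiltinUnorderedCompare - Handle functions like __builtin_isgreater and
/// friends.  This is declared to take (...), so we have to check everything.
/// Returns true if an error was diagnosed.
bool Sema::SemaBuiltinUnorderedCompare(CallExpr *TheCall) {
  if (TheCall->getNumArgs() < 2)
    return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args)
      << 0 << 2 << TheCall->getNumArgs()/*function call*/;
  if (TheCall->getNumArgs() > 2)
    return Diag(TheCall->getArg(2)->getLocStart(),
                diag::err_typecheck_call_too_many_args)
      << 0 /*function call*/ << 2 << TheCall->getNumArgs()
      << SourceRange(TheCall->getArg(2)->getLocStart(),
                     (*(TheCall->arg_end()-1))->getLocEnd());

  ExprResult OrigArg0 = TheCall->getArg(0);
  ExprResult OrigArg1 = TheCall->getArg(1);

  // Do standard promotions between the two arguments, returning their common
  // type.
  QualType Res = UsualArithmeticConversions(OrigArg0, OrigArg1, false);
  if (OrigArg0.isInvalid() || OrigArg1.isInvalid())
    return true;

  // Make sure any conversions are pushed back into the call; this is
  // type safe since unordered compare builtins are declared as "_Bool
  // foo(...)".
  TheCall->setArg(0, OrigArg0.get());
  TheCall->setArg(1, OrigArg1.get());

  // Nothing more can be checked until the template is instantiated.
  if (OrigArg0.get()->isTypeDependent() || OrigArg1.get()->isTypeDependent())
    return false;

  // If the common type isn't a real floating type, then the arguments were
  // invalid for this operation.
  if (Res.isNull() || !Res->isRealFloatingType())
    return Diag(OrigArg0.get()->getLocStart(),
                diag::err_typecheck_call_invalid_ordered_compare)
      << OrigArg0.get()->getType() << OrigArg1.get()->getType()
      << SourceRange(OrigArg0.get()->getLocStart(), OrigArg1.get()->getLocEnd());

  return false;
}

/// SemaBuiltinFPClassification - Handle functions like
/// __builtin_isnan and friends.  This is declared to take (...), so we have
/// to check everything. We expect the last argument to be a floating point
/// value. \p NumArgs is the exact number of arguments the builtin takes.
/// Returns true if an error was diagnosed.
bool Sema::SemaBuiltinFPClassification(CallExpr *TheCall, unsigned NumArgs) {
  if (TheCall->getNumArgs() < NumArgs)
    return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args)
      << 0 << NumArgs << TheCall->getNumArgs()/*function call*/;
  if (TheCall->getNumArgs() > NumArgs)
    return Diag(TheCall->getArg(NumArgs)->getLocStart(),
                diag::err_typecheck_call_too_many_args)
      << 0 /*function call*/ << NumArgs << TheCall->getNumArgs()
      << SourceRange(TheCall->getArg(NumArgs)->getLocStart(),
                     (*(TheCall->arg_end()-1))->getLocEnd());

  Expr *OrigArg = TheCall->getArg(NumArgs-1);

  if (OrigArg->isTypeDependent())
    return false;

  // This operation requires a non-_Complex floating-point number.
  if (!OrigArg->getType()->isRealFloatingType())
    return Diag(OrigArg->getLocStart(),
                diag::err_typecheck_call_invalid_unary_fp)
      << OrigArg->getType() << OrigArg->getSourceRange();

  // If this is an implicit conversion from float -> double, remove it.
  if (ImplicitCastExpr *Cast = dyn_cast<ImplicitCastExpr>(OrigArg)) {
    Expr *CastArg = Cast->getSubExpr();
    if (CastArg->getType()->isSpecificBuiltinType(BuiltinType::Float)) {
      assert(Cast->getType()->isSpecificBuiltinType(BuiltinType::Double) &&
             "promotion from float to double is the only expected cast here");
      // Detach the operand from the cast before re-attaching it to the call.
      Cast->setSubExpr(nullptr);
      TheCall->setArg(NumArgs-1, CastArg);
    }
  }

  return false;
}

/// SemaBuiltinShuffleVector - Handle __builtin_shufflevector.
// This is declared to take (...), so we have to check everything.
// On success the arguments are moved out of TheCall into a newly built
// ShuffleVectorExpr, which is returned; on failure an ExprError is returned.
ExprResult Sema::SemaBuiltinShuffleVector(CallExpr *TheCall) {
  if (TheCall->getNumArgs() < 2)
    return ExprError(Diag(TheCall->getLocEnd(),
                          diag::err_typecheck_call_too_few_args_at_least)
                     << 0 /*function call*/ << 2 << TheCall->getNumArgs()
                     << TheCall->getSourceRange());

  // Determine which of the following types of shufflevector we're checking:
  // 1) unary, vector mask: (lhs, mask)
  // 2) binary, vector mask: (lhs, rhs, mask)
  // 3) binary, scalar mask: (lhs, rhs, index, ..., index)
  QualType resType = TheCall->getArg(0)->getType();
  unsigned numElements = 0;

  if (!TheCall->getArg(0)->isTypeDependent() &&
      !TheCall->getArg(1)->isTypeDependent()) {
    QualType LHSType = TheCall->getArg(0)->getType();
    QualType RHSType = TheCall->getArg(1)->getType();

    if (!LHSType->isVectorType() || !RHSType->isVectorType())
      return ExprError(Diag(TheCall->getLocStart(),
                            diag::err_shufflevector_non_vector)
                       << SourceRange(TheCall->getArg(0)->getLocStart(),
                                      TheCall->getArg(1)->getLocEnd()));

    numElements = LHSType->getAs<VectorType>()->getNumElements();
    unsigned numResElements = TheCall->getNumArgs() - 2;

    // Check to see if we have a call with 2 vector arguments, the unary shuffle
    // with mask.  If so, verify that RHS is an integer vector type with the
    // same number of elts as lhs.
    if (TheCall->getNumArgs() == 2) {
      if (!RHSType->hasIntegerRepresentation() ||
          RHSType->getAs<VectorType>()->getNumElements() != numElements)
        return ExprError(Diag(TheCall->getLocStart(),
                              diag::err_shufflevector_incompatible_vector)
                         << SourceRange(TheCall->getArg(1)->getLocStart(),
                                        TheCall->getArg(1)->getLocEnd()));
    } else if (!Context.hasSameUnqualifiedType(LHSType, RHSType)) {
      return ExprError(Diag(TheCall->getLocStart(),
                            diag::err_shufflevector_incompatible_vector)
                       << SourceRange(TheCall->getArg(0)->getLocStart(),
                                      TheCall->getArg(1)->getLocEnd()));
    } else if (numElements != numResElements) {
      QualType eltType = LHSType->getAs<VectorType>()->getElementType();
      resType = Context.getVectorType(eltType, numResElements,
                                      VectorType::GenericVector);
    }
  }

  // NOTE(review): when either vector operand is type-dependent, numElements
  // is still 0 here, so every non-dependent constant index other than -1 is
  // rejected by the range check below - confirm this is intended for
  // templates.
  for (unsigned i = 2; i < TheCall->getNumArgs(); i++) {
    if (TheCall->getArg(i)->isTypeDependent() ||
        TheCall->getArg(i)->isValueDependent())
      continue;

    llvm::APSInt Result(32);
    if (!TheCall->getArg(i)->isIntegerConstantExpr(Result, Context))
      return ExprError(Diag(TheCall->getLocStart(),
                            diag::err_shufflevector_nonconstant_argument)
                       << TheCall->getArg(i)->getSourceRange());

    // Allow -1 which will be translated to undef in the IR.
    if (Result.isSigned() && Result.isAllOnesValue())
      continue;

    // An index selects from the concatenation of both input vectors, hence
    // the bound of twice the element count.
    if (Result.getActiveBits() > 64 || Result.getZExtValue() >= numElements*2)
      return ExprError(Diag(TheCall->getLocStart(),
                            diag::err_shufflevector_argument_too_large)
                       << TheCall->getArg(i)->getSourceRange());
  }

  SmallVector<Expr*, 32> exprs;

  // Move every argument out of the call expression and into the new node.
  for (unsigned i = 0, e = TheCall->getNumArgs(); i != e; i++) {
    exprs.push_back(TheCall->getArg(i));
    TheCall->setArg(i, nullptr);
  }

  return Owned(new (Context) ShuffleVectorExpr(Context, exprs, resType,
                                            TheCall->getCallee()->getLocStart(),
                                            TheCall->getRParenLoc()));
}

/// SemaConvertVectorExpr - Handle __builtin_convertvector
/// Both the source expression and the destination type must be vectors (or
/// dependent), and when neither is dependent they must have the same number
/// of elements.
ExprResult Sema::SemaConvertVectorExpr(Expr *E, TypeSourceInfo *TInfo,
                                       SourceLocation BuiltinLoc,
                                       SourceLocation RParenLoc) {
  ExprValueKind VK = VK_RValue;
  ExprObjectKind OK = OK_Ordinary;
  QualType DstTy = TInfo->getType();
  QualType SrcTy = E->getType();

  if (!SrcTy->isVectorType() && !SrcTy->isDependentType())
    return ExprError(Diag(BuiltinLoc,
                          diag::err_convertvector_non_vector)
                     << E->getSourceRange());
  if (!DstTy->isVectorType() && !DstTy->isDependentType())
    return ExprError(Diag(BuiltinLoc,
                          diag::err_convertvector_non_vector_type));

  if (!SrcTy->isDependentType() && !DstTy->isDependentType()) {
    unsigned SrcElts = SrcTy->getAs<VectorType>()->getNumElements();
    unsigned DstElts = DstTy->getAs<VectorType>()->getNumElements();
    if (SrcElts != DstElts)
      return ExprError(Diag(BuiltinLoc,
                            diag::err_convertvector_incompatible_vector)
                       << E->getSourceRange());
  }

  return Owned(new (Context) ConvertVectorExpr(E, TInfo, DstTy, VK, OK,
               BuiltinLoc, RParenLoc));

}

/// SemaBuiltinPrefetch - Handle __builtin_prefetch.
// This is declared to take (const void*, ...) and can take two
// optional constant int args.
// Returns true if an error was diagnosed.
bool Sema::SemaBuiltinPrefetch(CallExpr *TheCall) {
  unsigned NumArgs = TheCall->getNumArgs();

  if (NumArgs > 3)
    return Diag(TheCall->getLocEnd(),
             diag::err_typecheck_call_too_many_args_at_most)
             << 0 /*function call*/ << 3 << NumArgs
             << TheCall->getSourceRange();

  // Argument 0 is checked for us and the remaining arguments must be
  // constant integers.
  for (unsigned i = 1; i != NumArgs; ++i) {
    Expr *Arg = TheCall->getArg(i);

    // We can't check the value of a dependent argument.
    if (Arg->isTypeDependent() || Arg->isValueDependent())
      continue;

    llvm::APSInt Result;
    if (SemaBuiltinConstantArg(TheCall, i, Result))
      return true;

    // FIXME: gcc issues a warning and rewrites these to 0. These
    // seems especially odd for the third argument since the default
    // is 3.
    if (i == 1) {
      // Second argument must be 0 or 1.
      if (Result.getLimitedValue() > 1)
        return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range)
             << "0" << "1" << Arg->getSourceRange();
    } else {
      // Third argument must be in the range 0-3.
      if (Result.getLimitedValue() > 3)
        return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range)
            << "0" << "3" << Arg->getSourceRange();
    }
  }

  return false;
}

/// SemaBuiltinMMPrefetch - Handle _mm_prefetch.
// This is declared to take (const char*, int)
// The second argument must be an integer constant in the range 0-3.
bool Sema::SemaBuiltinMMPrefetch(CallExpr *TheCall) {
  Expr *Arg = TheCall->getArg(1);

  // We can't check the value of a dependent argument.
  if (Arg->isTypeDependent() || Arg->isValueDependent())
    return false;

  llvm::APSInt Result;
  if (SemaBuiltinConstantArg(TheCall, 1, Result))
    return true;

  if (Result.getLimitedValue() > 3)
    return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range)
        << "0" << "3" << Arg->getSourceRange();

  return false;
}

/// SemaBuiltinConstantArg - Handle a check if argument ArgNum of CallExpr
/// TheCall is a constant expression. On success the value is stored in
/// \p Result and false is returned; a dependent argument also returns false
/// but leaves \p Result untouched. Returns true after diagnosing a
/// non-constant argument.
bool Sema::SemaBuiltinConstantArg(CallExpr *TheCall, int ArgNum,
                                  llvm::APSInt &Result) {
  Expr *Arg = TheCall->getArg(ArgNum);
  // The callee is expected to be a direct reference to a function
  // declaration; cast<> asserts otherwise.
  DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts());
  FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl());

  if (Arg->isTypeDependent() || Arg->isValueDependent()) return false;

  if (!Arg->isIntegerConstantExpr(Result, Context))
    return Diag(TheCall->getLocStart(), diag::err_constant_integer_arg_type)
                << FDecl->getDeclName() <<  Arg->getSourceRange();

  return false;
}

/// SemaBuiltinObjectSize - Handle __builtin_object_size(void *ptr,
/// int type). This simply type checks that type is one of the defined
/// constants (0-3).
// For compatibility check 0-3, llvm only handles 0 and 2.
bool Sema::SemaBuiltinObjectSize(CallExpr *TheCall) {
  llvm::APSInt Result;

  // We can't check the value of a dependent argument.
  if (TheCall->getArg(1)->isTypeDependent() ||
      TheCall->getArg(1)->isValueDependent())
    return false;

  // Check constant-ness first.
  if (SemaBuiltinConstantArg(TheCall, 1, Result))
    return true;

  Expr *Arg = TheCall->getArg(1);
  if (Result.getSExtValue() < 0 || Result.getSExtValue() > 3) {
    return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range)
             << "0" << "3" << SourceRange(Arg->getLocStart(), Arg->getLocEnd());
  }

  return false;
}

/// SemaBuiltinLongjmp - Handle __builtin_longjmp(void *env[5], int val).
/// This checks that val is a constant 1.
bool Sema::SemaBuiltinLongjmp(CallExpr *TheCall) {
  Expr *Arg = TheCall->getArg(1);
  llvm::APSInt Result;

  // TODO: This is less than ideal. Overload this to take a value.
  if (SemaBuiltinConstantArg(TheCall, 1, Result))
    return true;

  if (Result != 1)
    return Diag(TheCall->getLocStart(), diag::err_builtin_longjmp_invalid_val)
             << SourceRange(Arg->getLocStart(), Arg->getLocEnd());

  return false;
}

namespace {
// Outcome of inspecting a format-string expression. The enumerators are
// ordered from weakest to strongest result: checkFormatStringExpr combines
// the two arms of a conditional operator by taking the smaller value.
enum StringLiteralCheckType {
  SLCT_NotALiteral,       // Not a string literal or constant string.
  SLCT_UncheckedLiteral,  // Accepted as literal-like, contents not checked.
  SLCT_CheckedLiteral     // A literal that was passed to CheckFormatString.
};
}

// Determine if an expression is a string literal or constant string.
// If this function returns SLCT_NotALiteral on the arguments to a function
// expecting a format string, we will usually need to emit a warning.
// True string literals are then checked by CheckFormatString.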
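static StringLiteralCheckType
checkFormatStringExpr(Sema &S, const Expr *E, ArrayRef<const Expr *> Args,
                      bool HasVAListArg, unsigned format_idx,
                      unsigned firstDataArg, Sema::FormatStringType Type,
                      Sema::VariadicCallType CallType, bool InFunctionCall,
                      llvm::SmallBitVector &CheckedVarArgs) {
  // Classifies E, looking through casts, conditional operators, constant
  // variables with initializers, and calls to functions carrying a
  // format_arg attribute. Any string literal reached this way is handed to
  // S.CheckFormatString. Everything that cannot be traced back to a literal
  // yields SLCT_NotALiteral, which is what lets the caller warn about
  // non-literal format strings.
 tryAgain:
  if (E->isTypeDependent() || E->isValueDependent())
    return SLCT_NotALiteral;

  E = E->IgnoreParenCasts();

  if (E->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNotNull))
    // Technically -Wformat-nonliteral does not warn about this case.
    // The behavior of printf and friends in this case is implementation
    // dependent.  Ideally if the format string cannot be null then
    // it should have a 'nonnull' attribute in the function prototype.
    return SLCT_UncheckedLiteral;

  switch (E->getStmtClass()) {
  case Stmt::BinaryConditionalOperatorClass:
  case Stmt::ConditionalOperatorClass: {
    // The expression is a literal if both sub-expressions were, and it was
    // completely checked only if both sub-expressions were checked.
    const AbstractConditionalOperator *C =
        cast<AbstractConditionalOperator>(E);
    StringLiteralCheckType Left =
        checkFormatStringExpr(S, C->getTrueExpr(), Args,
                              HasVAListArg, format_idx, firstDataArg,
                              Type, CallType, InFunctionCall, CheckedVarArgs);
    if (Left == SLCT_NotALiteral)
      return SLCT_NotALiteral;
    StringLiteralCheckType Right =
        checkFormatStringExpr(S, C->getFalseExpr(), Args,
                              HasVAListArg, format_idx, firstDataArg,
                              Type, CallType, InFunctionCall, CheckedVarArgs);
    // The weaker of the two results wins.
    return Left < Right ? Left : Right;
  }

  case Stmt::ImplicitCastExprClass: {
    E = cast<ImplicitCastExpr>(E)->getSubExpr();
    goto tryAgain;
  }

  case Stmt::OpaqueValueExprClass:
    if (const Expr *src = cast<OpaqueValueExpr>(E)->getSourceExpr()) {
      E = src;
      goto tryAgain;
    }
    return SLCT_NotALiteral;

  case Stmt::PredefinedExprClass:
    // While __func__, etc., are technically not string literals, they
    // cannot contain format specifiers and thus are not a security
    // liability.
    return SLCT_UncheckedLiteral;

  case Stmt::DeclRefExprClass: {
    const DeclRefExpr *DR = cast<DeclRefExpr>(E);

    // As an exception, do not flag errors for variables binding to
    // const string literals.
    if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) {
      bool isConstant = false;
      QualType T = DR->getType();

      if (const ArrayType *AT = S.Context.getAsArrayType(T)) {
        isConstant = AT->getElementType().isConstant(S.Context);
      } else if (const PointerType *PT = T->getAs<PointerType>()) {
        // Both the pointer and what it points to must be constant.
        isConstant = T.isConstant(S.Context) &&
                     PT->getPointeeType().isConstant(S.Context);
      } else if (T->isObjCObjectPointerType()) {
        // In ObjC, there is usually no "const ObjectPointer" type,
        // so don't check if the pointee type is constant.
        isConstant = T.isConstant(S.Context);
      }

      if (isConstant) {
        if (const Expr *Init = VD->getAnyInitializer()) {
          // Look through initializers like const char c[] = { "foo" }
          if (const InitListExpr *InitList = dyn_cast<InitListExpr>(Init)) {
            if (InitList->isStringLiteralInit())
              Init = InitList->getInit(0)->IgnoreParenImpCasts();
          }
          return checkFormatStringExpr(S, Init, Args,
                                       HasVAListArg, format_idx,
                                       firstDataArg, Type, CallType,
                                       /*InFunctionCall*/false, CheckedVarArgs);
        }
      }

      // For vprintf* functions (i.e., HasVAListArg==true), we add a
      // special check to see if the format string is a function parameter
      // of the function calling the printf function.  If the function
      // has an attribute indicating it is a printf-like function, then we
      // should suppress warnings concerning non-literals being used in a call
      // to a vprintf function.  For example:
      //
      // void
      // logmessage(char const *fmt __attribute__ (format (printf, 1, 2)), ...){
      //      va_list ap;
      //      va_start(ap, fmt);
      //      vprintf(fmt, ap);  // Do NOT emit a warning about "fmt".
      //      ...
      // }
      if (HasVAListArg) {
        if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(VD)) {
          if (const NamedDecl *ND = dyn_cast<NamedDecl>(PV->getDeclContext())) {
            int PVIndex = PV->getFunctionScopeIndex() + 1;
            // Adjust for the implicit parameter exactly once, before the
            // attributes are examined. Doing this inside the loop would
            // shift the index again for every format attribute, so with
            // several attributes the parameter could be matched against the
            // wrong one and the non-literal warning wrongly kept or
            // suppressed.
            if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(ND))
              if (MD->isInstance())
                ++PVIndex;
            for (const auto *PVFormat : ND->specific_attrs<FormatAttr>()) {
              // We also check if the formats are compatible.
              // We can't pass a 'scanf' string to a 'printf' function.
              if (PVIndex == PVFormat->getFormatIdx() &&
                  Type == S.GetFormatStringType(PVFormat))
                return SLCT_UncheckedLiteral;
            }
          }
        }
      }
    }

    return SLCT_NotALiteral;
  }

  case Stmt::CallExprClass:
  case Stmt::CXXMemberCallExprClass: {
    const CallExpr *CE = cast<CallExpr>(E);
    if (const NamedDecl *ND = dyn_cast_or_null<NamedDecl>(CE->getCalleeDecl())) {
      if (const FormatArgAttr *FA = ND->getAttr<FormatArgAttr>()) {
        // The callee returns a format string derived from one of its own
        // arguments; check that argument instead.
        unsigned ArgIndex = FA->getFormatIdx();
        if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(ND))
          if (MD->isInstance())
            --ArgIndex;
        const Expr *Arg = CE->getArg(ArgIndex - 1);

        return checkFormatStringExpr(S, Arg, Args,
                                     HasVAListArg, format_idx, firstDataArg,
                                     Type, CallType, InFunctionCall,
                                     CheckedVarArgs);
      } else if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(ND)) {
        unsigned BuiltinID = FD->getBuiltinID();
        if (BuiltinID == Builtin::BI__builtin___CFStringMakeConstantString ||
            BuiltinID == Builtin::BI__builtin___NSStringMakeConstantString) {
          const Expr *Arg = CE->getArg(0);
          return checkFormatStringExpr(S, Arg, Args,
                                       HasVAListArg, format_idx,
                                       firstDataArg, Type, CallType,
                                       InFunctionCall, CheckedVarArgs);
        }
      }
    }

    return SLCT_NotALiteral;
  }
  case Stmt::ObjCStringLiteralClass:
  case Stmt::StringLiteralClass: {
    const StringLiteral *StrE = nullptr;

    if (const ObjCStringLiteral *ObjCFExpr = dyn_cast<ObjCStringLiteral>(E))
      StrE = ObjCFExpr->getString();
    else
      StrE = cast<StringLiteral>(E);

    if (StrE) {
      S.CheckFormatString(StrE, E, Args, HasVAListArg, format_idx, firstDataArg,
                          Type, InFunctionCall, CallType, CheckedVarArgs);
      return SLCT_CheckedLiteral;
    }

    return SLCT_NotALiteral;
  }

  default:
    return SLCT_NotALiteral;
  }
}

/// Map the type name of a format attribute to the corresponding
/// FormatStringType; unrecognised names map to FST_Unknown.
Sema::FormatStringType Sema::GetFormatStringType(const FormatAttr *Format) {
  return llvm::StringSwitch<FormatStringType>(Format->getType()->getName())
  .Case("scanf", FST_Scanf)
  .Cases("printf", "printf0", FST_Printf)
  .Cases("NSString", "CFString", FST_NSString)
  .Case("strftime", FST_Strftime)
  .Case("strfmon", FST_Strfmon)
  .Cases("kprintf", "cmn_err", "vcmn_err", "zcmn_err", FST_Kprintf)
  .Default(FST_Unknown);
}

/// CheckFormatArguments - Check calls to printf and scanf (and similar
/// functions) for correct use of format strings.
/// Returns true if a format string has been fully checked.
bool Sema::CheckFormatArguments(const FormatAttr *Format,
                                ArrayRef<const Expr *> Args,
                                bool IsCXXMember,
                                VariadicCallType CallType,
                                SourceLocation Loc, SourceRange Range,
                                llvm::SmallBitVector &CheckedVarArgs) {
  FormatStringInfo FSI;
  if (getFormatStringInfo(Format, IsCXXMember, &FSI))
    return CheckFormatArguments(Args, FSI.HasVAListArg, FSI.FormatIdx,
                                FSI.FirstDataArg, GetFormatStringType(Format),
                                CallType, Loc, Range, CheckedVarArgs);
  return false;
}

/// Check the format string at position \p format_idx of \p Args.
/// Returns true only if the format string was a literal whose contents were
/// checked; every other outcome, including the cases that are diagnosed or
/// deliberately left undiagnosed below, returns false.
bool Sema::CheckFormatArguments(ArrayRef<const Expr *> Args,
                                bool HasVAListArg, unsigned format_idx,
                                unsigned firstDataArg, FormatStringType Type,
                                VariadicCallType CallType,
                                SourceLocation Loc, SourceRange Range,
                                llvm::SmallBitVector &CheckedVarArgs) {
  // CHECK: printf/scanf-like function is called with no format string.
  if (format_idx >= Args.size()) {
    Diag(Loc, diag::warn_missing_format_string) << Range;
    return false;
  }

  const Expr *OrigFormatExpr = Args[format_idx]->IgnoreParenCasts();

  // CHECK: format string is not a string literal.
  //
  // Dynamically generated format strings are difficult to
  // automatically vet at compile time.  Requiring that format strings
  // are string literals: (1) permits the checking of format strings by
  // the compiler and thereby (2) can practically remove the source of
  // many format string exploits.

  // Format string can be either ObjC string (e.g. @"%d") or
  // C string (e.g. "%d")
  // ObjC string uses the same format specifiers as C string, so we can use
  // the same format string checking logic for both ObjC and C strings.
  StringLiteralCheckType CT =
      checkFormatStringExpr(*this, OrigFormatExpr, Args, HasVAListArg,
                            format_idx, firstDataArg, Type, CallType,
                            /*InFunctionCall*/true, CheckedVarArgs);
  if (CT != SLCT_NotALiteral)
    // Literal format string found, check done!
    return CT == SLCT_CheckedLiteral;

  // Strftime is particular as it always uses a single 'time' argument,
  // so it is safe to pass a non-literal string.
  if (Type == FST_Strftime)
    return false;

  // Do not emit diag when the string param is a macro expansion and the
  // format is either NSString or CFString. This is a hack to prevent
  // diag when using the NSLocalizedString and CFCopyLocalizedString macros
  // which are usually used in place of NS and CF string literals.
  if (Type == FST_NSString &&
      SourceMgr.isInSystemMacro(Args[format_idx]->getLocStart()))
    return false;

  // If there are no arguments specified, warn with -Wformat-security, otherwise
  // warn only with -Wformat-nonliteral.
  if (Args.size() == firstDataArg)
    Diag(Args[format_idx]->getLocStart(),
         diag::warn_format_nonliteral_noargs)
      << OrigFormatExpr->getSourceRange();
  else
    Diag(Args[format_idx]->getLocStart(),
         diag::warn_format_nonliteral)
           << OrigFormatExpr->getSourceRange();
  return false;
}

namespace {
// Common base for format-string checkers: holds the state of one check (the
// literal, the call's arguments, which data arguments have been consumed)
// and implements the diagnostics shared by the callbacks declared below.
class CheckFormatHandler : public analyze_format_string::FormatStringHandler {
protected:
  Sema &S;
  const StringLiteral *FExpr;       // The literal being checked.
  const Expr *OrigFormatExpr;       // Expression used for source ranges.
  const unsigned FirstDataArg;      // Index in Args of the first data arg.
  const unsigned NumDataArgs;       // Size of CoveredArgs.
  const char *Beg; // Start of format string.
  const bool HasVAListArg;
  ArrayRef<const Expr *> Args;
  unsigned FormatIdx;               // Index in Args of the format string.
  llvm::SmallBitVector CoveredArgs; // Data args consumed by a specifier.
  bool usesPositionalArgs;
  bool atFirstArg;
  bool inFunctionCall;
  Sema::VariadicCallType CallType;
  llvm::SmallBitVector &CheckedVarArgs;
public:
  CheckFormatHandler(Sema &s, const StringLiteral *fexpr,
                     const Expr *origFormatExpr, unsigned firstDataArg,
                     unsigned numDataArgs, const char *beg, bool hasVAListArg,
                     ArrayRef<const Expr *> Args,
                     unsigned formatIdx, bool inFunctionCall,
                     Sema::VariadicCallType callType,
                     llvm::SmallBitVector &CheckedVarArgs)
    : S(s), FExpr(fexpr), OrigFormatExpr(origFormatExpr),
      FirstDataArg(firstDataArg), NumDataArgs(numDataArgs),
      Beg(beg), HasVAListArg(hasVAListArg),
      Args(Args), FormatIdx(formatIdx),
      usesPositionalArgs(false), atFirstArg(true),
      inFunctionCall(inFunctionCall), CallType(callType),
      CheckedVarArgs(CheckedVarArgs) {
    // Start with no data argument marked as covered.
    CoveredArgs.resize(numDataArgs);
    CoveredArgs.reset();
  }

  void DoneProcessing();

  void HandleIncompleteSpecifier(const char *startSpecifier,
                                 unsigned specifierLen) override;

  void HandleInvalidLengthModifier(
                           const analyze_format_string::FormatSpecifier &FS,
                           const analyze_format_string::ConversionSpecifier &CS,
                           const char *startSpecifier, unsigned specifierLen,
                           unsigned DiagID);

  void HandleNonStandardLengthModifier(
                    const analyze_format_string::FormatSpecifier &FS,
                    const char *startSpecifier, unsigned specifierLen);

  void HandleNonStandardConversionSpecifier(
                    const analyze_format_string::ConversionSpecifier &CS,
                    const char *startSpecifier, unsigned specifierLen);

  void HandlePosition(const char *startPos, unsigned posLen) override;

  void HandleInvalidPosition(const char *startSpecifier,
                             unsigned specifierLen,
                             analyze_format_string::PositionContext p) override;

  void HandleZeroPosition(const char *startPos, unsigned posLen) override;

  void HandleNullChar(const char *nullCharacter) override;

  template <typename Range>
  static void EmitFormatDiagnostic(Sema &S, bool inFunctionCall,
                                   const Expr *ArgumentExpr,
                                   PartialDiagnostic PDiag,
                                   SourceLocation StringLoc,
                                   bool IsStringLocation, Range StringRange,
                                   ArrayRef<FixItHint> Fixit = None);

protected:
  bool HandleInvalidConversionSpecifier(unsigned argIndex, SourceLocation Loc,
                                        const char *startSpec,
                                        unsigned specifierLen,
                                        const char *csStart, unsigned csLen);

  void HandlePositionalNonpositionalArgs(SourceLocation Loc,
                                         const char *startSpec,
                                         unsigned specifierLen);

  SourceRange getFormatStringRange();
  CharSourceRange getSpecifierRange(const char *startSpecifier,
                                    unsigned specifierLen);
  SourceLocation getLocationOfByte(const char *x);

  const Expr *getDataArg(unsigned i) const;

  bool CheckNumArgs(const analyze_format_string::FormatSpecifier &FS,
                    const analyze_format_string::ConversionSpecifier &CS,
                    const char *startSpecifier, unsigned specifierLen,
                    unsigned argIndex);

  template <typename Range>
  void EmitFormatDiagnostic(PartialDiagnostic PDiag, SourceLocation StringLoc,
                            bool IsStringLocation, Range StringRange,
                            ArrayRef<FixItHint> Fixit = None);
};
}

// Source range of the original format-string expression.
SourceRange CheckFormatHandler::getFormatStringRange() {
  return OrigFormatExpr->getSourceRange();
}

// Character range covering the specifierLen bytes starting at startSpecifier.
CharSourceRange CheckFormatHandler::
getSpecifierRange(const char *startSpecifier, unsigned specifierLen) {
  SourceLocation Start = getLocationOfByte(startSpecifier);
  SourceLocation End   = getLocationOfByte(startSpecifier + specifierLen - 1);

  // Advance the end SourceLocation by one due to half-open ranges.
  End = End.getLocWithOffset(1);

  return CharSourceRange::getCharRange(Start, End);
}

// Source location of the byte at x, which must point into the format string
// that starts at Beg.
SourceLocation CheckFormatHandler::getLocationOfByte(const char *x) {
  return S.getLocationOfStringLiteralByte(FExpr, x - Beg);
}

void CheckFormatHandler::HandleIncompleteSpecifier(const char *startSpecifier,
                                                   unsigned specifierLen){
  EmitFormatDiagnostic(S.PDiag(diag::warn_printf_incomplete_specifier),
                       getLocationOfByte(startSpecifier),
                       /*IsStringLocation*/true,
                       getSpecifierRange(startSpecifier, specifierLen));
}

// Diagnose a length modifier that is invalid for its conversion specifier,
// offering a replacement when one is known, or a removal fix-it when DiagID
// is warn_format_nonsensical_length.
void CheckFormatHandler::HandleInvalidLengthModifier(
    const analyze_format_string::FormatSpecifier &FS,
    const analyze_format_string::ConversionSpecifier &CS,
    const char *startSpecifier, unsigned specifierLen, unsigned DiagID) {
  using namespace analyze_format_string;

  const LengthModifier &LM = FS.getLengthModifier();
  CharSourceRange LMRange = getSpecifierRange(LM.getStart(), LM.getLength());

  // See if we know how to fix this length modifier.
  Optional<LengthModifier> FixedLM = FS.getCorrectedLengthModifier();
  if (FixedLM) {
    EmitFormatDiagnostic(S.PDiag(DiagID) << LM.toString() << CS.toString(),
                         getLocationOfByte(LM.getStart()),
                         /*IsStringLocation*/true,
                         getSpecifierRange(startSpecifier, specifierLen));

    S.Diag(getLocationOfByte(LM.getStart()), diag::note_format_fix_specifier)
      << FixedLM->toString()
      << FixItHint::CreateReplacement(LMRange, FixedLM->toString());

  } else {
    FixItHint Hint;
    if (DiagID == diag::warn_format_nonsensical_length)
      Hint = FixItHint::CreateRemoval(LMRange);

    EmitFormatDiagnostic(S.PDiag(DiagID) << LM.toString() << CS.toString(),
                         getLocationOfByte(LM.getStart()),
                         /*IsStringLocation*/true,
                         getSpecifierRange(startSpecifier, specifierLen),
                         Hint);
  }
}

// Warn about a non-standard length modifier and, when a corrected modifier
// is known, attach a note with a replacement fix-it.
void CheckFormatHandler::HandleNonStandardLengthModifier(
    const analyze_format_string::FormatSpecifier &FS,
    const char *startSpecifier, unsigned specifierLen) {
  using namespace analyze_format_string;

  const LengthModifier &LM = FS.getLengthModifier();
  CharSourceRange LMRange = getSpecifierRange(LM.getStart(), LM.getLength());

  // The warning is the same whether or not a fix is known.
  EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard)
                         << LM.toString() << 0,
                       getLocationOfByte(LM.getStart()),
                       /*IsStringLocation*/true,
                       getSpecifierRange(startSpecifier, specifierLen));

  // See if we know how to fix this length modifier.
  Optional<LengthModifier> FixedLM = FS.getCorrectedLengthModifier();
  if (FixedLM) {
    S.Diag(getLocationOfByte(LM.getStart()), diag::note_format_fix_specifier)
      << FixedLM->toString()
      << FixItHint::CreateReplacement(LMRange, FixedLM->toString());
  }
}

// Warn about a non-standard conversion specifier and, when a standard
// equivalent is known, attach a note with a replacement fix-it.
void CheckFormatHandler::HandleNonStandardConversionSpecifier(
    const analyze_format_string::ConversionSpecifier &CS,
    const char *startSpecifier, unsigned specifierLen) {
  using namespace analyze_format_string;

  // The warning is the same whether or not a fix is known.
  EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard)
                        << CS.toString() << /*conversion specifier*/1,
                       getLocationOfByte(CS.getStart()),
                       /*IsStringLocation*/true,
                       getSpecifierRange(startSpecifier, specifierLen));

  // See if we know how to fix this conversion specifier.
  Optional<ConversionSpecifier> FixedCS = CS.getStandardSpecifier();
  if (FixedCS) {
    CharSourceRange CSRange = getSpecifierRange(CS.getStart(), CS.getLength());
    S.Diag(getLocationOfByte(CS.getStart()), diag::note_format_fix_specifier)
      << FixedCS->toString()
      << FixItHint::CreateReplacement(CSRange, FixedCS->toString());
  }
}

void CheckFormatHandler::HandlePosition(const char *startPos,
                                        unsigned posLen) {
  EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard_positional_arg),
                               getLocationOfByte(startPos),
                               /*IsStringLocation*/true,
                               getSpecifierRange(startPos, posLen));
}

void
CheckFormatHandler::HandleInvalidPosition(const char *startPos, unsigned posLen,
                                     analyze_format_string::PositionContext p) {
  EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_positional_specifier)
                         << (unsigned) p,
                       getLocationOfByte(startPos), /*IsStringLocation*/true,
                       getSpecifierRange(startPos, posLen));
}

void CheckFormatHandler::HandleZeroPosition(const char *startPos,
                                            unsigned posLen) {
  EmitFormatDiagnostic(S.PDiag(diag::warn_format_zero_positional_specifier),
                               getLocationOfByte(startPos),
                               /*IsStringLocation*/true,
                               getSpecifierRange(startPos, posLen));
}

void CheckFormatHandler::HandleNullChar(const char *nullCharacter) {
  if (!isa<ObjCStringLiteral>(OrigFormatExpr)) {
    // The presence of a null character is likely an error.
    EmitFormatDiagnostic(
      S.PDiag(diag::warn_printf_format_string_contains_null_char),
      getLocationOfByte(nullCharacter), /*IsStringLocation*/true,
      getFormatStringRange());
  }
}

// Note that this may return NULL if there was an error parsing or building
// one of the argument expressions.
const Expr *CheckFormatHandler::getDataArg(unsigned i) const {
  return Args[FirstDataArg + i];
}

// Called once the whole format string has been processed; reports the first
// data argument that no conversion consumed. Note that this inverts
// CoveredArgs in place.
void CheckFormatHandler::DoneProcessing() {
    // Does the number of data arguments exceed the number of
    // format conversions in the format string?
  if (!HasVAListArg) {
      // Find any arguments that weren't covered.
    CoveredArgs.flip();
    signed notCoveredArg = CoveredArgs.find_first();
    if (notCoveredArg >= 0) {
      assert((unsigned)notCoveredArg < NumDataArgs);
      if (const Expr *E = getDataArg((unsigned) notCoveredArg)) {
        SourceLocation Loc = E->getLocStart();
        if (!S.getSourceManager().isInSystemMacro(Loc)) {
          EmitFormatDiagnostic(S.PDiag(diag::warn_printf_data_arg_not_used),
                               Loc, /*IsStringLocation*/false,
                               getFormatStringRange());
        }
      }
    }
  }
}

// Diagnose an invalid conversion specifier. Returns false when processing of
// the format string should stop, true when it may continue.
bool
CheckFormatHandler::HandleInvalidConversionSpecifier(unsigned argIndex,
                                                     SourceLocation Loc,
                                                     const char *startSpec,
                                                     unsigned specifierLen,
                                                     const char *csStart,
                                                     unsigned csLen) {

  bool keepGoing = true;
  if (argIndex < NumDataArgs) {
    // Consider the argument covered, even though the specifier doesn't
    // make sense.
    CoveredArgs.set(argIndex);
  }
  else {
    // If argIndex exceeds the number of data arguments we
    // don't issue a warning because that is just a cascade of warnings (and
    // they may have intended '%%' anyway). We don't want to continue processing
    // the format string after this point, however, as we will likely just get
    // gibberish when trying to match arguments.
    keepGoing = false;
  }

  EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_conversion)
                         << StringRef(csStart, csLen),
                       Loc, /*IsStringLocation*/true,
                       getSpecifierRange(startSpec, specifierLen));

  return keepGoing;
}

void
CheckFormatHandler::HandlePositionalNonpositionalArgs(SourceLocation Loc,
                                                      const char *startSpec,
                                                      unsigned specifierLen) {
  EmitFormatDiagnostic(
    S.PDiag(diag::warn_format_mix_positional_nonpositional_args),
    Loc, /*isStringLoc*/true, getSpecifierRange(startSpec, specifierLen));
}

// Check that a data argument exists for the specifier that refers to
// argIndex. Returns false after diagnosing a specifier that has no
// corresponding argument, true otherwise.
bool
CheckFormatHandler::CheckNumArgs(
  const analyze_format_string::FormatSpecifier &FS,
  const analyze_format_string::ConversionSpecifier &CS,
  const char *startSpecifier, unsigned specifierLen, unsigned argIndex) {

  if (argIndex >= NumDataArgs) {
    PartialDiagnostic PDiag = FS.usesPositionalArg()
      ? (S.PDiag(diag::warn_printf_positional_arg_exceeds_data_args)
           << (argIndex+1) << NumDataArgs)
      : S.PDiag(diag::warn_printf_insufficient_data_args);
    EmitFormatDiagnostic(
      PDiag, getLocationOfByte(CS.getStart()), /*IsStringLocation*/true,
      getSpecifierRange(startSpecifier, specifierLen));
    return false;
  }
  return true;
}

// Member convenience overload: forwards to the static EmitFormatDiagnostic
// using this handler's Sema, inFunctionCall flag and format argument.
template<typename Range>
void CheckFormatHandler::EmitFormatDiagnostic(PartialDiagnostic PDiag,
                                              SourceLocation Loc,
                                              bool IsStringLocation,
                                              Range StringRange,
                                              ArrayRef<FixItHint> FixIt) {
  EmitFormatDiagnostic(S, inFunctionCall, Args[FormatIdx], PDiag,
                       Loc, IsStringLocation, StringRange, FixIt);
}

/// \brief If the format string is not within the funcion call, emit a note
/// so that the function call and string are in diagnostic messages.
///
/// \param InFunctionCall if true, the format string is within the function
/// call and only one diagnostic message will be produced.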
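/// Otherwise, an extra note will be emitted pointing to the location of the
/// format string.
///
/// \param ArgumentExpr the expression that is passed as the format string
/// argument in the function call.  Used for getting locations when two
/// diagnostics are emitted.
///
/// \param PDiag the caller should already have provided any strings for the
/// diagnostic message.  This function only adds locations and fixits
/// to diagnostics.
///
/// \param Loc primary location for diagnostic.  If two diagnostics are
/// required, one will be at Loc and a new SourceLocation will be created for
/// the other one.
///
/// \param IsStringLocation if true, Loc points into the format string and is
/// used for the note.  Otherwise, Loc points to the argument list and will
/// be used with PDiag.
///
/// \param StringRange some or all of the string to highlight.  This is
/// templated so it can accept either a CharSourceRange or a SourceRange.
///
/// \param FixIt optional fix it hint for the format string.
template<typename Range>
void CheckFormatHandler::EmitFormatDiagnostic(Sema &S, bool InFunctionCall,
                                              const Expr *ArgumentExpr,
                                              PartialDiagnostic PDiag,
                                              SourceLocation Loc,
                                              bool IsStringLocation,
                                              Range StringRange,
                                              ArrayRef<FixItHint> FixIt) {
  if (InFunctionCall) {
    const Sema::SemaDiagnosticBuilder &D = S.Diag(Loc, PDiag);
    D << StringRange;
    for (ArrayRef<FixItHint>::iterator I = FixIt.begin(), E = FixIt.end();
         I != E; ++I) {
      D << *I;
    }
  } else {
    // Primary diagnostic goes on the call; the note (with the highlighted
    // range and any fix-its) goes on the format string.
    S.Diag(IsStringLocation ? ArgumentExpr->getExprLoc() : Loc, PDiag)
      << ArgumentExpr->getSourceRange();

    const Sema::SemaDiagnosticBuilder &Note =
      S.Diag(IsStringLocation ? Loc : StringRange.getBegin(),
             diag::note_format_string_defined);

    Note << StringRange;
    for (ArrayRef<FixItHint>::iterator I = FixIt.begin(), E = FixIt.end();
         I != E; ++I) {
      Note << *I;
    }
  }
}

//===--- CHECK: Printf format string checking ------------------------------===//

namespace {
/// Format-string handler for printf-style format strings.
class CheckPrintfHandler : public CheckFormatHandler {
  // Set from the isObjC constructor argument; consulted when deciding whether
  // Objective-C specific conversions are acceptable.
  bool ObjCContext;
public:
  CheckPrintfHandler(Sema &s, const StringLiteral *fexpr,
                     const Expr *origFormatExpr, unsigned firstDataArg,
                     unsigned numDataArgs, bool isObjC,
                     const char *beg, bool hasVAListArg,
                     ArrayRef<const Expr *> Args,
                     unsigned formatIdx, bool inFunctionCall,
                     Sema::VariadicCallType CallType,
                     llvm::SmallBitVector &CheckedVarArgs)
    : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg,
                         numDataArgs, beg, hasVAListArg, Args,
                         formatIdx, inFunctionCall, CallType, CheckedVarArgs),
      ObjCContext(isObjC)
  {}


  bool HandleInvalidPrintfConversionSpecifier(
                                      const analyze_printf::PrintfSpecifier &FS,
                                      const char *startSpecifier,
                                      unsigned specifierLen) override;

  bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS,
                             const char *startSpecifier,
                             unsigned specifierLen) override;
  bool checkFormatExpr(const analyze_printf::PrintfSpecifier &FS,
                       const char *StartSpecifier,
                       unsigned SpecifierLen,
                       const Expr *E);

  bool HandleAmount(const analyze_format_string::OptionalAmount &Amt, unsigned k,
                    const char *startSpecifier, unsigned specifierLen);
  void HandleInvalidAmount(const analyze_printf::PrintfSpecifier &FS,
                           const analyze_printf::OptionalAmount &Amt,
                           unsigned type,
                           const char *startSpecifier, unsigned specifierLen);
  void HandleFlag(const analyze_printf::PrintfSpecifier &FS,
                  const analyze_printf::OptionalFlag &flag,
                  const char *startSpecifier, unsigned specifierLen);
  void HandleIgnoredFlag(const analyze_printf::PrintfSpecifier &FS,
                         const analyze_printf::OptionalFlag &ignoredFlag,
                         const analyze_printf::OptionalFlag &flag,
                         const char *startSpecifier, unsigned specifierLen);
  bool checkForCStrMembers(const analyze_printf::ArgType &AT,
                           const Expr *E);

};
}

/// Report an invalid printf conversion by forwarding the specifier's argument
/// index, location and text to HandleInvalidConversionSpecifier.
bool CheckPrintfHandler::HandleInvalidPrintfConversionSpecifier(
                                      const analyze_printf::PrintfSpecifier &FS,
                                      const char *startSpecifier,
                                      unsigned specifierLen) {
  const analyze_printf::PrintfConversionSpecifier &CS =
    FS.getConversionSpecifier();

  return HandleInvalidConversionSpecifier(FS.getArgIndex(),
                                          getLocationOfByte(CS.getStart()),
                                          startSpecifier, specifierLen,
                                          CS.getStart(), CS.getLength());
}

/// Check a field width or precision that is taken from a data argument
/// ('*').  \p k selects the wording of the diagnostic (the caller in this
/// file passes 0 for field width and 1 for precision).
///
/// \returns false when the argument is missing, null, or of the wrong type;
/// true otherwise, including for va_list calls and amounts that take no data
/// argument.
bool CheckPrintfHandler::HandleAmount(
                               const analyze_format_string::OptionalAmount &Amt,
                               unsigned k, const char *startSpecifier,
                               unsigned specifierLen) {

  if (Amt.hasDataArgument()) {
    if (!HasVAListArg) {
      unsigned argIndex = Amt.getArgIndex();
      if (argIndex >= NumDataArgs) {
        EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_missing_arg)
                               << k,
                             getLocationOfByte(Amt.getStart()),
                             /*IsStringLocation*/true,
                             getSpecifierRange(startSpecifier, specifierLen));
        // Don't do any more checking.  We will just emit
        // spurious errors.
        return false;
      }

      // Type check the data argument.  It should be an 'int'.
      // Although not in conformance with C99, we also allow the argument to be
      // an 'unsigned int' as that is a reasonably safe case.  GCC also
      // doesn't emit a warning for that case.
      CoveredArgs.set(argIndex);
      const Expr *Arg = getDataArg(argIndex);
      if (!Arg)
        return false;

      QualType T = Arg->getType();

      const analyze_printf::ArgType &AT = Amt.getArgType(S.Context);
      assert(AT.isValid());

      if (!AT.matchesType(S.Context, T)) {
        EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_wrong_type)
                               << k << AT.getRepresentativeTypeName(S.Context)
                               << T << Arg->getSourceRange(),
                             getLocationOfByte(Amt.getStart()),
                             /*IsStringLocation*/true,
                             getSpecifierRange(startSpecifier, specifierLen));
        // Don't do any more checking.  We will just emit
        // spurious errors.
        return false;
      }
    }
  }
  return true;
}

/// Warn that a field width or precision makes no sense for the conversion.
/// A fix-it that removes the amount is attached only when the amount was
/// written as a constant.
void CheckPrintfHandler::HandleInvalidAmount(
                                      const analyze_printf::PrintfSpecifier &FS,
                                      const analyze_printf::OptionalAmount &Amt,
                                      unsigned type,
                                      const char *startSpecifier,
                                      unsigned specifierLen) {
  const analyze_printf::PrintfConversionSpecifier &CS =
    FS.getConversionSpecifier();

  FixItHint fixit =
    Amt.getHowSpecified() == analyze_printf::OptionalAmount::Constant
      ? FixItHint::CreateRemoval(getSpecifierRange(Amt.getStart(),
                                 Amt.getConstantLength()))
      : FixItHint();

  EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_optional_amount)
                         << type << CS.toString(),
                       getLocationOfByte(Amt.getStart()),
                       /*IsStringLocation*/true,
                       getSpecifierRange(startSpecifier, specifierLen),
                       fixit);
}

/// Warn that \p flag is pointless with this conversion and offer a fix-it
/// that removes the one-character flag.
void CheckPrintfHandler::HandleFlag(const analyze_printf::PrintfSpecifier &FS,
                                    const analyze_printf::OptionalFlag &flag,
                                    const char *startSpecifier,
                                    unsigned specifierLen) {
  // Warn about pointless flag with a fixit removal.
  const analyze_printf::PrintfConversionSpecifier &CS =
    FS.getConversionSpecifier();
  EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_flag)
                         << flag.toString() << CS.toString(),
                       getLocationOfByte(flag.getPosition()),
                       /*IsStringLocation*/true,
                       getSpecifierRange(startSpecifier, specifierLen),
                       FixItHint::CreateRemoval(
                         getSpecifierRange(flag.getPosition(), 1)));
}

/// Warn that \p ignoredFlag has no effect because \p flag is also present,
/// and offer a fix-it that removes the ignored flag.
void CheckPrintfHandler::HandleIgnoredFlag(
                                const analyze_printf::PrintfSpecifier &FS,
                                const analyze_printf::OptionalFlag &ignoredFlag,
                                const analyze_printf::OptionalFlag &flag,
                                const char *startSpecifier,
                                unsigned specifierLen) {
  // Warn about ignored flag with a fixit removal.
  EmitFormatDiagnostic(S.PDiag(diag::warn_printf_ignored_flag)
                         << ignoredFlag.toString() << flag.toString(),
                       getLocationOfByte(ignoredFlag.getPosition()),
                       /*IsStringLocation*/true,
                       getSpecifierRange(startSpecifier, specifierLen),
                       FixItHint::CreateRemoval(
                         getSpecifierRange(ignoredFlag.getPosition(), 1)));
}

// Determines if the specified type is a C++ class or struct containing
// a member with the specified name and kind (e.g. a CXXMethodDecl named
// "c_str()").  Returns the matching members; the set is empty when the type
// is not a defined C++ record or the lookup finds nothing of that kind.
template<typename MemberKind>
static llvm::SmallPtrSet<MemberKind*, 1>
CXXRecordMembersNamed(StringRef Name, Sema &S, QualType Ty) {
  const RecordType *RT = Ty->getAs<RecordType>();
  llvm::SmallPtrSet<MemberKind*, 1> Results;

  if (!RT)
    return Results;
  const CXXRecordDecl *RD = dyn_cast<CXXRecordDecl>(RT->getDecl());
  if (!RD || !RD->getDefinition())
    return Results;

  LookupResult R(S, &S.PP.getIdentifierTable().get(Name), SourceLocation(),
                 Sema::LookupMemberName);
  // This lookup only probes for a member; it must not produce diagnostics.
  R.suppressDiagnostics();

  // We just need to include all members of the right kind turned up by the
  // filter, at this point.
  if (S.LookupQualifiedName(R, RT->getDecl()))
    for (LookupResult::iterator I = R.begin(), E = R.end(); I != E; ++I) {
      NamedDecl *decl = (*I)->getUnderlyingDecl();
      if (MemberKind *FK = dyn_cast<MemberKind>(decl))
        Results.insert(FK);
    }
  return Results;
}

/// Check if we could call '.c_str()' on an object.
///
/// FIXME: This returns the wrong results in some cases (if cv-qualifiers don't
/// allow the call, or if it would be ambiguous).
bool Sema::hasCStrMethod(const Expr *E) {
  typedef llvm::SmallPtrSet<CXXMethodDecl*, 1> MethodSet;
  MethodSet Results =
      CXXRecordMembersNamed<CXXMethodDecl>("c_str", *this, E->getType());
  // Any overload callable with no arguments is enough.
  for (MethodSet::iterator MI = Results.begin(), ME = Results.end();
       MI != ME; ++MI)
    if ((*MI)->getMinRequiredArguments() == 0)
      return true;
  return false;
}

// Check if a (w)string was passed when a (w)char* was needed, and offer a
// better diagnostic if so.  AT is assumed to be valid.
// Returns true when a c_str() conversion method is found.
bool CheckPrintfHandler::checkForCStrMembers(
    const analyze_printf::ArgType &AT, const Expr *E) {
  typedef llvm::SmallPtrSet<CXXMethodDecl*, 1> MethodSet;

  MethodSet Results =
      CXXRecordMembersNamed<CXXMethodDecl>("c_str", S, E->getType());

  for (MethodSet::iterator MI = Results.begin(), ME = Results.end();
       MI != ME; ++MI) {
    const CXXMethodDecl *Method = *MI;
    // Only suggest c_str() when it takes no arguments and its return type is
    // what the conversion expects.
    if (Method->getMinRequiredArguments() == 0 &&
        AT.matchesType(S.Context, Method->getReturnType())) {
      // FIXME: Suggest parens if the expression needs them.
      SourceLocation EndLoc =
          S.getPreprocessor().getLocForEndOfToken(E->getLocEnd());
      S.Diag(E->getLocStart(), diag::note_printf_c_str)
          << "c_str()"
          << FixItHint::CreateInsertion(EndLoc, ".c_str()");
      return true;
    }
  }

  return false;
}

/// Check one printf conversion: consistent use of positional arguments,
/// '*' width/precision arguments, flags, length modifier and conversion
/// specifier, and finally (for non-va_list calls) the matching data argument.
///
/// \returns false when positional and non-positional arguments are mixed,
/// when a '*' amount fails HandleAmount, or when the data argument is
/// missing; otherwise the result of the later checks (true in most paths).
bool
CheckPrintfHandler::HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier
                                            &FS,
                                          const char *startSpecifier,
                                          unsigned specifierLen) {

  using namespace analyze_format_string;
  using namespace analyze_printf;
  const PrintfConversionSpecifier &CS = FS.getConversionSpecifier();

  if (FS.consumesDataArgument()) {
    if (atFirstArg) {
      // The first consuming specifier decides which style the string uses.
      atFirstArg = false;
      usesPositionalArgs = FS.usesPositionalArg();
    }
    else if (usesPositionalArgs != FS.usesPositionalArg()) {
      HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()),
                                        startSpecifier, specifierLen);
      return false;
    }
  }

  // First check if the field width, precision, and conversion specifier
  // have matching data arguments.
  if (!HandleAmount(FS.getFieldWidth(), /* field width */ 0,
                    startSpecifier, specifierLen)) {
    return false;
  }

  if (!HandleAmount(FS.getPrecision(), /* precision */ 1,
                    startSpecifier, specifierLen)) {
    return false;
  }

  if (!CS.consumesDataArgument()) {
    // FIXME: Technically specifying a precision or field width here
    // makes no sense.  Worth issuing a warning at some point.
    return true;
  }

  // Consume the argument.
  unsigned argIndex = FS.getArgIndex();
  if (argIndex < NumDataArgs) {
    // The check to see if the argIndex is valid will come later.
    // We set the bit here because we may exit early from this
    // function if we encounter some other error.
    CoveredArgs.set(argIndex);
  }

  // Check for using an Objective-C specific conversion specifier
  // in a non-ObjC literal.
  if (!ObjCContext && CS.isObjCArg()) {
    return HandleInvalidPrintfConversionSpecifier(FS, startSpecifier,
                                                  specifierLen);
  }

  // Check for invalid use of field width
  if (!FS.hasValidFieldWidth()) {
    HandleInvalidAmount(FS, FS.getFieldWidth(), /* field width */ 0,
        startSpecifier, specifierLen);
  }

  // Check for invalid use of precision
  if (!FS.hasValidPrecision()) {
    HandleInvalidAmount(FS, FS.getPrecision(), /* precision */ 1,
        startSpecifier, specifierLen);
  }

  // Check each flag does not conflict with any other component.
  if (!FS.hasValidThousandsGroupingPrefix())
    HandleFlag(FS, FS.hasThousandsGrouping(), startSpecifier, specifierLen);
  if (!FS.hasValidLeadingZeros())
    HandleFlag(FS, FS.hasLeadingZeros(), startSpecifier, specifierLen);
  if (!FS.hasValidPlusPrefix())
    HandleFlag(FS, FS.hasPlusPrefix(), startSpecifier, specifierLen);
  if (!FS.hasValidSpacePrefix())
    HandleFlag(FS, FS.hasSpacePrefix(), startSpecifier, specifierLen);
  if (!FS.hasValidAlternativeForm())
    HandleFlag(FS, FS.hasAlternativeForm(), startSpecifier, specifierLen);
  if (!FS.hasValidLeftJustified())
    HandleFlag(FS, FS.isLeftJustified(), startSpecifier, specifierLen);

  // Check that flags are not ignored by another flag
  if (FS.hasSpacePrefix() && FS.hasPlusPrefix()) // ' ' ignored by '+'
    HandleIgnoredFlag(FS, FS.hasSpacePrefix(), FS.hasPlusPrefix(),
        startSpecifier, specifierLen);
  if (FS.hasLeadingZeros() && FS.isLeftJustified()) // '0' ignored by '-'
    HandleIgnoredFlag(FS, FS.hasLeadingZeros(), FS.isLeftJustified(),
            startSpecifier, specifierLen);

  // Check the length modifier is valid with the given conversion specifier.
  if (!FS.hasValidLengthModifier(S.getASTContext().getTargetInfo()))
    HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen,
                                diag::warn_format_nonsensical_length);
  else if (!FS.hasStandardLengthModifier())
    HandleNonStandardLengthModifier(FS, startSpecifier, specifierLen);
  else if (!FS.hasStandardLengthConversionCombination())
    HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen,
                                diag::warn_format_non_standard_conversion_spec);

  if (!FS.hasStandardConversionSpecifier(S.getLangOpts()))
    HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen);

  // The remaining checks depend on the data arguments.
  if (HasVAListArg)
    return true;

  if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex))
    return false;

  const Expr *Arg = getDataArg(argIndex);
  if (!Arg)
    return true;

  return checkFormatExpr(FS, startSpecifier, specifierLen, Arg);
}

/// Decide whether \p E must be wrapped in parentheses before a C-style cast
/// is inserted in front of it.  Returns false for the listed expression
/// classes (after ignoring implicit casts and looking at the syntactic form
/// of a pseudo-object expression), true for everything else.
static bool requiresParensToAddCast(const Expr *E) {
  // FIXME: We should have a general way to reason about operator
  // precedence and whether parens are actually needed here.
  // Take care of a few common cases where they aren't.
  const Expr *Inside = E->IgnoreImpCasts();
  if (const PseudoObjectExpr *POE = dyn_cast<PseudoObjectExpr>(Inside))
    Inside = POE->getSyntacticForm()->IgnoreImpCasts();

  switch (Inside->getStmtClass()) {
  case Stmt::ArraySubscriptExprClass:
  case Stmt::CallExprClass:
  case Stmt::CharacterLiteralClass:
  case Stmt::CXXBoolLiteralExprClass:
  case Stmt::DeclRefExprClass:
  case Stmt::FloatingLiteralClass:
  case Stmt::IntegerLiteralClass:
  case Stmt::MemberExprClass:
  case Stmt::ObjCArrayLiteralClass:
  case Stmt::ObjCBoolLiteralExprClass:
  case Stmt::ObjCBoxedExprClass:
  case Stmt::ObjCDictionaryLiteralClass:
  case Stmt::ObjCEncodeExprClass:
  case Stmt::ObjCIvarRefExprClass:
  case Stmt::ObjCMessageExprClass:
  case Stmt::ObjCPropertyRefExprClass:
  case Stmt::ObjCStringLiteralClass:
  case Stmt::ObjCSubscriptRefExprClass:
  case Stmt::ParenExprClass:
  case Stmt::StringLiteralClass:
  case Stmt::UnaryOperatorClass:
    return false;
  default:
    return true;
  }
}

/// Type-check data argument \p E against printf specifier \p FS and emit a
/// warning (with fix-its where one can be computed) on a mismatch.
///
/// Passing an argument whose type does not match its conversion is undefined
/// behaviour in the variadic callee, which is why a mismatch is reported even
/// when no fix can be offered.
///
/// \returns true on every path visible here; diagnostics are the only
/// output.
bool
CheckPrintfHandler::checkFormatExpr(const analyze_printf::PrintfSpecifier &FS,
                                    const char *StartSpecifier,
                                    unsigned SpecifierLen,
                                    const Expr *E) {
  using namespace analyze_format_string;
  using namespace analyze_printf;
  // Now type check the data expression that matches the
  // format specifier.
  const analyze_printf::ArgType &AT = FS.getArgType(S.Context,
                                                    ObjCContext);
  if (!AT.isValid())
    return true;

  QualType ExprTy = E->getType();
  while (const TypeOfExprType *TET = dyn_cast<TypeOfExprType>(ExprTy)) {
    ExprTy = TET->getUnderlyingExpr()->getType();
  }

  if (AT.matchesType(S.Context, ExprTy))
    return true;

  // Look through argument promotions for our error message's reported type.
  // This includes the integral and floating promotions, but excludes array
  // and function pointer decay; seeing that an argument intended to be a
  // string has type 'char [6]' is probably more confusing than 'char *'.
  if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) {
    if (ICE->getCastKind() == CK_IntegralCast ||
        ICE->getCastKind() == CK_FloatingCast) {
      E = ICE->getSubExpr();
      ExprTy = E->getType();

      // Check if we didn't match because of an implicit cast from a 'char'
      // or 'short' to an 'int'.  This is done because printf is a varargs
      // function.
      if (ICE->getType() == S.Context.IntTy ||
          ICE->getType() == S.Context.UnsignedIntTy) {
        // All further checking is done on the subexpression.
        if (AT.matchesType(S.Context, ExprTy))
          return true;
      }
    }
  } else if (const CharacterLiteral *CL = dyn_cast<CharacterLiteral>(E)) {
    // Special case for 'a', which has type 'int' in C.
    // Note, however, that we do /not/ want to treat multibyte constants like
    // 'MooV' as characters! This form is deprecated but still exists.
    if (ExprTy == S.Context.IntTy)
      if (llvm::isUIntN(S.Context.getCharWidth(), CL->getValue()))
        ExprTy = S.Context.CharTy;
  }

  // %C in an Objective-C context prints a unichar, not a wchar_t.
  // If the argument is an integer of some kind, believe the %C and suggest
  // a cast instead of changing the conversion specifier.
  QualType IntendedTy = ExprTy;
  if (ObjCContext &&
      FS.getConversionSpecifier().getKind() == ConversionSpecifier::CArg) {
    if (ExprTy->isIntegralOrUnscopedEnumerationType() &&
        !ExprTy->isCharType()) {
      // 'unichar' is defined as a typedef of unsigned short, but we should
      // prefer using the typedef if it is visible.
      IntendedTy = S.Context.UnsignedShortTy;

      // While we are here, check if the value is an IntegerLiteral that happens
      // to be within the valid range.
      if (const IntegerLiteral *IL = dyn_cast<IntegerLiteral>(E)) {
        const llvm::APInt &V = IL->getValue();
        if (V.getActiveBits() <= S.Context.getTypeSize(IntendedTy))
          return true;
      }

      LookupResult Result(S, &S.Context.Idents.get("unichar"), E->getLocStart(),
                          Sema::LookupOrdinaryName);
      if (S.LookupName(Result, S.getCurScope())) {
        NamedDecl *ND = Result.getFoundDecl();
        if (TypedefNameDecl *TD = dyn_cast<TypedefNameDecl>(ND))
          if (TD->getUnderlyingType() == IntendedTy)
            IntendedTy = S.Context.getTypedefType(TD);
      }
    }
  }

  // Special-case some of Darwin's platform-independence types by suggesting
  // casts to primitive types that are known to be large enough.
  bool ShouldNotPrintDirectly = false;
  // Name of the typedef layer that matched the table below.  Kept so the
  // diagnostic further down has a name to show even when ExprTy itself is not
  // a TypedefType node.
  StringRef MatchedTypedefName;
  if (S.Context.getTargetInfo().getTriple().isOSDarwin()) {
    // Use a 'while' to peel off layers of typedefs.
    QualType TyTy = IntendedTy;
    while (const TypedefType *UserTy = TyTy->getAs<TypedefType>()) {
      StringRef Name = UserTy->getDecl()->getName();
      QualType CastTy = llvm::StringSwitch<QualType>(Name)
        .Case("NSInteger", S.Context.LongTy)
        .Case("NSUInteger", S.Context.UnsignedLongTy)
        .Case("SInt32", S.Context.IntTy)
        .Case("UInt32", S.Context.UnsignedIntTy)
        .Default(QualType());

      if (!CastTy.isNull()) {
        ShouldNotPrintDirectly = true;
        MatchedTypedefName = Name;
        IntendedTy = CastTy;
        break;
      }
      TyTy = UserTy->desugar();
    }
  }

  // We may be able to offer a FixItHint if it is a supported type.
  PrintfSpecifier fixedFS = FS;
  bool success = fixedFS.fixType(IntendedTy, S.getLangOpts(),
                                 S.Context, ObjCContext);

  if (success) {
    // Get the fix string from the fixed format specifier
    SmallString<16> buf;
    llvm::raw_svector_ostream os(buf);
    fixedFS.toString(os);

    CharSourceRange SpecRange = getSpecifierRange(StartSpecifier, SpecifierLen);

    if (IntendedTy == ExprTy) {
      // In this case, the specifier is wrong and should be changed to match
      // the argument.
      EmitFormatDiagnostic(
        S.PDiag(diag::warn_printf_conversion_argument_type_mismatch)
          << AT.getRepresentativeTypeName(S.Context) << IntendedTy
          << E->getSourceRange(),
        E->getLocStart(),
        /*IsStringLocation*/false,
        SpecRange,
        FixItHint::CreateReplacement(SpecRange, os.str()));

    } else {
      // The canonical type for formatting this value is different from the
      // actual type of the expression. (This occurs, for example, with Darwin's
      // NSInteger on 32-bit platforms, where it is typedef'd as 'int', but
      // should be printed as 'long' for 64-bit compatibility.)
      // Rather than emitting a normal format/argument mismatch, we want to
      // add a cast to the recommended type (and correct the format string
      // if necessary).
      SmallString<16> CastBuf;
      llvm::raw_svector_ostream CastFix(CastBuf);
      CastFix << "(";
      IntendedTy.print(CastFix, S.Context.getPrintingPolicy());
      CastFix << ")";

      SmallVector<FixItHint,4> Hints;
      if (!AT.matchesType(S.Context, IntendedTy))
        Hints.push_back(FixItHint::CreateReplacement(SpecRange, os.str()));

      if (const CStyleCastExpr *CCast = dyn_cast<CStyleCastExpr>(E)) {
        // If there's already a cast present, just replace it.
        SourceRange CastRange(CCast->getLParenLoc(), CCast->getRParenLoc());
        Hints.push_back(FixItHint::CreateReplacement(CastRange, CastFix.str()));

      } else if (!requiresParensToAddCast(E)) {
        // If the expression has high enough precedence,
        // just write the C-style cast.
        Hints.push_back(FixItHint::CreateInsertion(E->getLocStart(),
                                                   CastFix.str()));
      } else {
        // Otherwise, add parens around the expression as well as the cast.
        CastFix << "(";
        Hints.push_back(FixItHint::CreateInsertion(E->getLocStart(),
                                                   CastFix.str()));

        SourceLocation After = S.PP.getLocForEndOfToken(E->getLocEnd());
        Hints.push_back(FixItHint::CreateInsertion(After, ")"));
      }

      if (ShouldNotPrintDirectly) {
        // The expression has a type that should not be printed directly.
        // We extract the name from the typedef because we don't want to show
        // the underlying type in the diagnostic.
        //
        // The loop that set ShouldNotPrintDirectly walks IntendedTy with
        // getAs<TypedefType>() and desugar(); that does not establish that
        // ExprTy's outermost node is a TypedefType, so an unconditional
        // cast<TypedefType>(ExprTy) can fail its assertion (or misread the
        // node in a build without assertions).  Prefer ExprTy's own typedef
        // name when it has one and fall back to the name that matched.
        StringRef Name = MatchedTypedefName;
        if (const TypedefType *TypedefTy = dyn_cast<TypedefType>(ExprTy))
          Name = TypedefTy->getDecl()->getName();

        EmitFormatDiagnostic(S.PDiag(diag::warn_format_argument_needs_cast)
                               << Name << IntendedTy
                               << E->getSourceRange(),
                             E->getLocStart(), /*IsStringLocation=*/false,
                             SpecRange, Hints);
      } else {
        // In this case, the expression could be printed using a different
        // specifier, but we've decided that the specifier is probably correct
        // and we should cast instead. Just use the normal warning message.
        EmitFormatDiagnostic(
          S.PDiag(diag::warn_printf_conversion_argument_type_mismatch)
            << AT.getRepresentativeTypeName(S.Context) << ExprTy
            << E->getSourceRange(),
          E->getLocStart(), /*IsStringLocation*/false,
          SpecRange, Hints);
      }
    }
  } else {
    const CharSourceRange &CSR = getSpecifierRange(StartSpecifier,
                                                   SpecifierLen);
    // Since the warning for passing non-POD types to variadic functions
    // was deferred until now, we emit a warning for non-POD
    // arguments here.
    switch (S.isValidVarArgType(ExprTy)) {
    case Sema::VAK_Valid:
    case Sema::VAK_ValidInCXX11:
      EmitFormatDiagnostic(
        S.PDiag(diag::warn_printf_conversion_argument_type_mismatch)
          << AT.getRepresentativeTypeName(S.Context) << ExprTy
          << CSR
          << E->getSourceRange(),
        E->getLocStart(), /*IsStringLocation*/false, CSR);
      break;

    case Sema::VAK_Undefined:
      EmitFormatDiagnostic(
        S.PDiag(diag::warn_non_pod_vararg_with_format_string)
          << S.getLangOpts().CPlusPlus11
          << ExprTy
          << CallType
          << AT.getRepresentativeTypeName(S.Context)
          << CSR
          << E->getSourceRange(),
        E->getLocStart(), /*IsStringLocation*/false, CSR);
      // Offer the ".c_str()" note when the object has a suitable method.
      checkForCStrMembers(AT, E);
      break;

    case Sema::VAK_Invalid:
      if (ExprTy->isObjCObjectType())
        EmitFormatDiagnostic(
          S.PDiag(diag::err_cannot_pass_objc_interface_to_vararg_format)
            << S.getLangOpts().CPlusPlus11
            << ExprTy
            << CallType
            << AT.getRepresentativeTypeName(S.Context)
            << CSR
            << E->getSourceRange(),
          E->getLocStart(), /*IsStringLocation*/false, CSR);
      else
        // FIXME: If this is an initializer list, suggest removing the braces
        // or inserting a cast to the target type.
        S.Diag(E->getLocStart(), diag::err_cannot_pass_to_vararg_format)
          << isa<InitListExpr>(E) << ExprTy << CallType
          << AT.getRepresentativeTypeName(S.Context)
          << E->getSourceRange();
      break;
    }

    // Record that this variadic argument has been diagnosed here.
    assert(FirstDataArg + FS.getArgIndex() < CheckedVarArgs.size() &&
           "format string specifier index out of range");
    CheckedVarArgs[FirstDataArg + FS.getArgIndex()] = true;
  }

  return true;
}

//===--- CHECK: Scanf format string checking ------------------------------===//

namespace {
/// Format-string handler for scanf-style format strings.
class CheckScanfHandler : public CheckFormatHandler {
public:
  CheckScanfHandler(Sema &s, const StringLiteral *fexpr,
                    const Expr *origFormatExpr, unsigned firstDataArg,
                    unsigned numDataArgs, const char *beg, bool hasVAListArg,
                    ArrayRef<const Expr *> Args,
                    unsigned formatIdx, bool inFunctionCall,
                    Sema::VariadicCallType CallType,
                    llvm::SmallBitVector &CheckedVarArgs)
    : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg,
                         numDataArgs, beg, hasVAListArg,
                         Args, formatIdx, inFunctionCall, CallType,
                         CheckedVarArgs)
  {}

  bool HandleScanfSpecifier(const analyze_scanf::ScanfSpecifier &FS,
                            const char *startSpecifier,
                            unsigned specifierLen) override;

  bool HandleInvalidScanfConversionSpecifier(
          const analyze_scanf::ScanfSpecifier &FS,
          const char *startSpecifier,
          unsigned specifierLen) override;

  void HandleIncompleteScanList(const char *start, const char *end) override;
};
}

/// Warn about a scan list that is not terminated; the diagnostic is located
/// at \p end and highlights the bytes from \p start to \p end.
void CheckScanfHandler::HandleIncompleteScanList(const char *start,
                                                 const char *end) {
  EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_scanlist_incomplete),
                       getLocationOfByte(end), /*IsStringLocation*/true,
                       getSpecifierRange(start, end - start));
}

/// Report an invalid scanf conversion by forwarding the specifier's argument
/// index, location and text to HandleInvalidConversionSpecifier.
bool CheckScanfHandler::HandleInvalidScanfConversionSpecifier(
                                        const analyze_scanf::ScanfSpecifier &FS,
                                        const char *startSpecifier,
                                        unsigned specifierLen) {

  const analyze_scanf::ScanfConversionSpecifier &CS =
    FS.getConversionSpecifier();

  return HandleInvalidConversionSpecifier(FS.getArgIndex(),
                                          getLocationOfByte(CS.getStart()),
                                          startSpecifier, specifierLen,
                                          CS.getStart(), CS.getLength());
}

bool CheckScanfHandler::HandleScanfSpecifier(
                                       const analyze_scanf::ScanfSpecifier &FS,
                                       const char *startSpecifier,
                                       unsigned specifierLen) {

  using namespace analyze_scanf;
  using namespace analyze_format_string;

  const ScanfConversionSpecifier &CS = FS.getConversionSpecifier();

  // Handle case where '%' and '*' don't consume an argument.  These shouldn't
  // be used to decide if we are using positional arguments consistently.
  if (FS.consumesDataArgument()) {
    if (atFirstArg) {
      atFirstArg = false;
      usesPositionalArgs = FS.usesPositionalArg();
    }
    else if (usesPositionalArgs != FS.usesPositionalArg()) {
      HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()),
                                        startSpecifier, specifierLen);
      return false;
    }
  }

  // Check that the field width is non-zero.
  const OptionalAmount &Amt = FS.getFieldWidth();
  if (Amt.getHowSpecified() == OptionalAmount::Constant) {
    if (Amt.getConstantAmount() == 0) {
      const CharSourceRange &R = getSpecifierRange(Amt.getStart(),
                                                   Amt.getConstantLength());
      EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_nonzero_width),
                           getLocationOfByte(Amt.getStart()),
                           /*IsStringLocation*/true, R,
                           FixItHint::CreateRemoval(R));
    }
  }

  if (!FS.consumesDataArgument()) {
    // FIXME: Technically specifying a precision or field width here
    // makes no sense.  Worth issuing a warning at some point.
    return true;
  }

  // Consume the argument.
  unsigned argIndex = FS.getArgIndex();
  if (argIndex < NumDataArgs) {
    // The check to see if the argIndex is valid will come later.
    // We set the bit here because we may exit early from this
    // function if we encounter some other error.
    CoveredArgs.set(argIndex);
  }

  // Check the length modifier is valid with the given conversion specifier.
  if (!FS.hasValidLengthModifier(S.getASTContext().getTargetInfo()))
    HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen,
                                diag::warn_format_nonsensical_length);
  else if (!FS.hasStandardLengthModifier())
    HandleNonStandardLengthModifier(FS, startSpecifier, specifierLen);
  else if (!FS.hasStandardLengthConversionCombination())
    HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen,
                                diag::warn_format_non_standard_conversion_spec);

  if (!FS.hasStandardConversionSpecifier(S.getLangOpts()))
    HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen);

  // The remaining checks depend on the data arguments.
  if (HasVAListArg)
    return true;

  if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex))
    return false;

  // Check that the argument type matches the format specifier.
  const Expr *Ex = getDataArg(argIndex);
  if (!Ex)
    return true;

  const analyze_format_string::ArgType &AT = FS.getArgType(S.Context);
  if (AT.isValid() && !AT.matchesType(S.Context, Ex->getType())) {
    ScanfSpecifier fixedFS = FS;
    bool success = fixedFS.fixType(Ex->getType(),
                                   Ex->IgnoreImpCasts()->getType(),
                                   S.getLangOpts(), S.Context);

    if (success) {
      // Get the fix string from the fixed format specifier.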
3555 SmallString<128> buf; 3556 llvm::raw_svector_ostream os(buf); 3557 fixedFS.toString(os); 3558 3559 EmitFormatDiagnostic( 3560 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 3561 << AT.getRepresentativeTypeName(S.Context) << Ex->getType() 3562 << Ex->getSourceRange(), 3563 Ex->getLocStart(), 3564 /*IsStringLocation*/false, 3565 getSpecifierRange(startSpecifier, specifierLen), 3566 FixItHint::CreateReplacement( 3567 getSpecifierRange(startSpecifier, specifierLen), 3568 os.str())); 3569 } else { 3570 EmitFormatDiagnostic( 3571 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 3572 << AT.getRepresentativeTypeName(S.Context) << Ex->getType() 3573 << Ex->getSourceRange(), 3574 Ex->getLocStart(), 3575 /*IsStringLocation*/false, 3576 getSpecifierRange(startSpecifier, specifierLen)); 3577 } 3578 } 3579 3580 return true; 3581 } 3582 3583 void Sema::CheckFormatString(const StringLiteral *FExpr, 3584 const Expr *OrigFormatExpr, 3585 ArrayRef<const Expr *> Args, 3586 bool HasVAListArg, unsigned format_idx, 3587 unsigned firstDataArg, FormatStringType Type, 3588 bool inFunctionCall, VariadicCallType CallType, 3589 llvm::SmallBitVector &CheckedVarArgs) { 3590 3591 // CHECK: is the format string a wide literal? 3592 if (!FExpr->isAscii() && !FExpr->isUTF8()) { 3593 CheckFormatHandler::EmitFormatDiagnostic( 3594 *this, inFunctionCall, Args[format_idx], 3595 PDiag(diag::warn_format_string_is_wide_literal), FExpr->getLocStart(), 3596 /*IsStringLocation*/true, OrigFormatExpr->getSourceRange()); 3597 return; 3598 } 3599 3600 // Str - The format string. NOTE: this is NOT null-terminated! 3601 StringRef StrRef = FExpr->getString(); 3602 const char *Str = StrRef.data(); 3603 // Account for cases where the string literal is truncated in a declaration. 
3604 const ConstantArrayType *T = Context.getAsConstantArrayType(FExpr->getType()); 3605 assert(T && "String literal not of constant array type!"); 3606 size_t TypeSize = T->getSize().getZExtValue(); 3607 size_t StrLen = std::min(std::max(TypeSize, size_t(1)) - 1, StrRef.size()); 3608 const unsigned numDataArgs = Args.size() - firstDataArg; 3609 3610 // Emit a warning if the string literal is truncated and does not contain an 3611 // embedded null character. 3612 if (TypeSize <= StrRef.size() && 3613 StrRef.substr(0, TypeSize).find('\0') == StringRef::npos) { 3614 CheckFormatHandler::EmitFormatDiagnostic( 3615 *this, inFunctionCall, Args[format_idx], 3616 PDiag(diag::warn_printf_format_string_not_null_terminated), 3617 FExpr->getLocStart(), 3618 /*IsStringLocation=*/true, OrigFormatExpr->getSourceRange()); 3619 return; 3620 } 3621 3622 // CHECK: empty format string? 3623 if (StrLen == 0 && numDataArgs > 0) { 3624 CheckFormatHandler::EmitFormatDiagnostic( 3625 *this, inFunctionCall, Args[format_idx], 3626 PDiag(diag::warn_empty_format_string), FExpr->getLocStart(), 3627 /*IsStringLocation*/true, OrigFormatExpr->getSourceRange()); 3628 return; 3629 } 3630 3631 if (Type == FST_Printf || Type == FST_NSString) { 3632 CheckPrintfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, 3633 numDataArgs, (Type == FST_NSString), 3634 Str, HasVAListArg, Args, format_idx, 3635 inFunctionCall, CallType, CheckedVarArgs); 3636 3637 if (!analyze_format_string::ParsePrintfString(H, Str, Str + StrLen, 3638 getLangOpts(), 3639 Context.getTargetInfo())) 3640 H.DoneProcessing(); 3641 } else if (Type == FST_Scanf) { 3642 CheckScanfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, numDataArgs, 3643 Str, HasVAListArg, Args, format_idx, 3644 inFunctionCall, CallType, CheckedVarArgs); 3645 3646 if (!analyze_format_string::ParseScanfString(H, Str, Str + StrLen, 3647 getLangOpts(), 3648 Context.getTargetInfo())) 3649 H.DoneProcessing(); 3650 } // TODO: handle other formats 3651 } 3652 3653 
//===--- CHECK: Warn on use of wrong absolute value function. -------------===// 3654 3655 // Returns the related absolute value function that is larger, of 0 if one 3656 // does not exist. 3657 static unsigned getLargerAbsoluteValueFunction(unsigned AbsFunction) { 3658 switch (AbsFunction) { 3659 default: 3660 return 0; 3661 3662 case Builtin::BI__builtin_abs: 3663 return Builtin::BI__builtin_labs; 3664 case Builtin::BI__builtin_labs: 3665 return Builtin::BI__builtin_llabs; 3666 case Builtin::BI__builtin_llabs: 3667 return 0; 3668 3669 case Builtin::BI__builtin_fabsf: 3670 return Builtin::BI__builtin_fabs; 3671 case Builtin::BI__builtin_fabs: 3672 return Builtin::BI__builtin_fabsl; 3673 case Builtin::BI__builtin_fabsl: 3674 return 0; 3675 3676 case Builtin::BI__builtin_cabsf: 3677 return Builtin::BI__builtin_cabs; 3678 case Builtin::BI__builtin_cabs: 3679 return Builtin::BI__builtin_cabsl; 3680 case Builtin::BI__builtin_cabsl: 3681 return 0; 3682 3683 case Builtin::BIabs: 3684 return Builtin::BIlabs; 3685 case Builtin::BIlabs: 3686 return Builtin::BIllabs; 3687 case Builtin::BIllabs: 3688 return 0; 3689 3690 case Builtin::BIfabsf: 3691 return Builtin::BIfabs; 3692 case Builtin::BIfabs: 3693 return Builtin::BIfabsl; 3694 case Builtin::BIfabsl: 3695 return 0; 3696 3697 case Builtin::BIcabsf: 3698 return Builtin::BIcabs; 3699 case Builtin::BIcabs: 3700 return Builtin::BIcabsl; 3701 case Builtin::BIcabsl: 3702 return 0; 3703 } 3704 } 3705 3706 // Returns the argument type of the absolute value function. 
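static QualType getAbsoluteValueArgumentType(ASTContext &Context,
                                             unsigned AbsType) {
  // 0 is the "no function" marker used throughout the abs() checks.
  if (AbsType == 0)
    return QualType();

  ASTContext::GetBuiltinTypeError Error = ASTContext::GE_None;
  QualType BuiltinType = Context.GetBuiltinType(AbsType, Error);
  if (Error != ASTContext::GE_None)
    return QualType();

  // Only a prototyped function with exactly one parameter has a usable
  // argument type.
  const FunctionProtoType *FT = BuiltinType->getAs<FunctionProtoType>();
  if (!FT || FT->getNumParams() != 1)
    return QualType();

  return FT->getParamType(0);
}

// Returns the best absolute value function, or zero, based on type and
// current absolute value function.
//
// Starting at AbsFunctionKind, this walks the chain of progressively wider
// functions given by getLargerAbsoluteValueFunction().  The first function
// whose parameter is at least as wide as ArgType is remembered; a later
// function whose parameter type is exactly ArgType replaces it and ends the
// search.  Returns 0 when no function in the chain is wide enough.
static unsigned getBestAbsFunction(ASTContext &Context, QualType ArgType,
                                   unsigned AbsFunctionKind) {
  unsigned BestKind = 0;
  uint64_t ArgSize = Context.getTypeSize(ArgType);
  for (unsigned Kind = AbsFunctionKind; Kind != 0;
       Kind = getLargerAbsoluteValueFunction(Kind)) {
    QualType ParamType = getAbsoluteValueArgumentType(Context, Kind);

    // getAbsoluteValueArgumentType() reports failure with a null QualType.
    // Skip such a candidate instead of asking for the size of a null type.
    if (ParamType.isNull())
      continue;

    if (Context.getTypeSize(ParamType) < ArgSize)
      continue;

    if (BestKind == 0) {
      BestKind = Kind;
    } else if (Context.hasSameType(ParamType, ArgType)) {
      BestKind = Kind;
      break;
    }
  }
  return BestKind;
}

// The three families of absolute value functions: abs/labs/llabs,
// fabsf/fabs/fabsl and cabsf/cabs/cabsl.
enum AbsoluteValueKind {
  AVK_Integer,
  AVK_Floating,
  AVK_Complex
};

// Classifies T into one of the absolute value families.  T must be an
// integral or enumeration type, a real floating type, or a complex type; any
// other type reaches llvm_unreachable, so callers have to filter first.
static AbsoluteValueKind getAbsoluteValueKind(QualType T) {
  if (T->isIntegralOrEnumerationType())
    return AVK_Integer;
  if (T->isRealFloatingType())
    return AVK_Floating;
  if (T->isAnyComplexType())
    return AVK_Complex;

  llvm_unreachable("Type not integer, floating, or complex");
}

// Changes the absolute value function to a different type.  Preserves whether
// the function is a builtin.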
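static unsigned changeAbsFunction(unsigned AbsKind,
                                  AbsoluteValueKind ValueKind) {
  // Every inner switch returns on all paths, so control never falls through
  // from one outer case into the next.  The result is always the narrowest
  // member of the target family (abs, fabsf or cabsf); 0 means AbsKind is not
  // an absolute value function of a different family.
  switch (ValueKind) {
  case AVK_Integer:
    switch (AbsKind) {
    default:
      return 0;
    case Builtin::BI__builtin_fabsf:
    case Builtin::BI__builtin_fabs:
    case Builtin::BI__builtin_fabsl:
    case Builtin::BI__builtin_cabsf:
    case Builtin::BI__builtin_cabs:
    case Builtin::BI__builtin_cabsl:
      return Builtin::BI__builtin_abs;
    case Builtin::BIfabsf:
    case Builtin::BIfabs:
    case Builtin::BIfabsl:
    case Builtin::BIcabsf:
    case Builtin::BIcabs:
    case Builtin::BIcabsl:
      return Builtin::BIabs;
    }
  case AVK_Floating:
    switch (AbsKind) {
    default:
      return 0;
    case Builtin::BI__builtin_abs:
    case Builtin::BI__builtin_labs:
    case Builtin::BI__builtin_llabs:
    case Builtin::BI__builtin_cabsf:
    case Builtin::BI__builtin_cabs:
    case Builtin::BI__builtin_cabsl:
      return Builtin::BI__builtin_fabsf;
    case Builtin::BIabs:
    case Builtin::BIlabs:
    case Builtin::BIllabs:
    case Builtin::BIcabsf:
    case Builtin::BIcabs:
    case Builtin::BIcabsl:
      return Builtin::BIfabsf;
    }
  case AVK_Complex:
    switch (AbsKind) {
    default:
      return 0;
    case Builtin::BI__builtin_abs:
    case Builtin::BI__builtin_labs:
    case Builtin::BI__builtin_llabs:
    case Builtin::BI__builtin_fabsf:
    case Builtin::BI__builtin_fabs:
    case Builtin::BI__builtin_fabsl:
      return Builtin::BI__builtin_cabsf;
    case Builtin::BIabs:
    case Builtin::BIlabs:
    case Builtin::BIllabs:
    case Builtin::BIfabsf:
    case Builtin::BIfabs:
    case Builtin::BIfabsl:
      return Builtin::BIcabsf;
    }
  }
  llvm_unreachable("Unable to convert function");
}

// Returns the builtin ID of FDecl if it is one of the abs/labs/llabs,
// fabs/fabsf/fabsl or cabs/cabsf/cabsl functions (library or __builtin_
// spelling), and 0 otherwise, including when FDecl has no identifier.
static unsigned getAbsoluteValueFunctionKind(const FunctionDecl *FDecl) {
  const IdentifierInfo *FnInfo = FDecl->getIdentifier();
  if (!FnInfo)
    return 0;

  switch (FDecl->getBuiltinID()) {
  default:
    return 0;
  case Builtin::BI__builtin_abs:
  case Builtin::BI__builtin_fabs:
  case Builtin::BI__builtin_fabsf:
  case Builtin::BI__builtin_fabsl:
  case Builtin::BI__builtin_labs:
  case Builtin::BI__builtin_llabs:
  case Builtin::BI__builtin_cabs:
  case Builtin::BI__builtin_cabsf:
  case Builtin::BI__builtin_cabsl:
  case Builtin::BIabs:
  case Builtin::BIlabs:
  case Builtin::BIllabs:
  case Builtin::BIfabs:
  case Builtin::BIfabsf:
  case Builtin::BIfabsl:
  case Builtin::BIcabs:
  case Builtin::BIcabsf:
  case Builtin::BIcabsl:
    return FDecl->getBuiltinID();
  }
  llvm_unreachable("Unknown Builtin type");
}

// Returns true if T is a type getAbsoluteValueKind() can classify.  That
// function ends in llvm_unreachable for every other type, so this must be
// checked before calling it on a type that has not been validated yet.
static bool hasAbsoluteValueKind(QualType T) {
  return T->isIntegralOrEnumerationType() || T->isRealFloatingType() ||
         T->isAnyComplexType();
}

// If the replacement is valid, emit a note with replacement function.
// Additionally, suggest including the proper header if not already included.
//
// Loc is where the notes are attached, Range is the callee text the fix-it
// replaces, AbsKind is the builtin ID of the suggested function and ArgType
// is the type of the argument before implicit conversions.
static void emitReplacement(Sema &S, SourceLocation Loc, SourceRange Range,
                            unsigned AbsKind, QualType ArgType) {
  bool EmitHeaderHint = true;
  const char *HeaderName = 0;
  const char *FunctionName = 0;
  if (S.getLangOpts().CPlusPlus && !ArgType->isAnyComplexType()) {
    // In C++ the overloaded std::abs is suggested for integer and floating
    // arguments; only the header that declares it differs.
    FunctionName = "std::abs";
    if (ArgType->isIntegralOrEnumerationType()) {
      HeaderName = "cstdlib";
    } else if (ArgType->isRealFloatingType()) {
      HeaderName = "cmath";
    } else {
      llvm_unreachable("Invalid Type");
    }

    // Lookup all std::abs
    if (NamespaceDecl *Std = S.getStdNamespace()) {
      LookupResult R(S, &S.PP.getIdentifierTable().get("abs"), Loc,
                     Sema::LookupAnyName);
      R.suppressDiagnostics();
      S.LookupQualifiedName(R, Std);

      for (const auto *I : R) {
        const FunctionDecl *FDecl = 0;
        if (const UsingShadowDecl *UsingD = dyn_cast<UsingShadowDecl>(I)) {
          FDecl = dyn_cast<FunctionDecl>(UsingD->getTargetDecl());
        } else {
          FDecl = dyn_cast<FunctionDecl>(I);
        }
        if (!FDecl)
          continue;

        // Found std::abs(), check that they are the right ones.
        if (FDecl->getNumParams() != 1)
          continue;

        // Check that the parameter type can handle the argument.  The lookup
        // can return any one-parameter function named abs, so skip candidates
        // whose parameter type getAbsoluteValueKind() cannot classify.
        QualType ParamType = FDecl->getParamDecl(0)->getType();
        if (!hasAbsoluteValueKind(ParamType))
          continue;

        if (getAbsoluteValueKind(ArgType) == getAbsoluteValueKind(ParamType) &&
            S.Context.getTypeSize(ArgType) <=
                S.Context.getTypeSize(ParamType)) {
          // Found a function, don't need the header hint.
          EmitHeaderHint = false;
          break;
        }
      }
    }
  } else {
    FunctionName = S.Context.BuiltinInfo.GetName(AbsKind);
    HeaderName = S.Context.BuiltinInfo.getHeaderName(AbsKind);

    if (HeaderName) {
      DeclarationName DN(&S.Context.Idents.get(FunctionName));
      LookupResult R(S, DN, Loc, Sema::LookupAnyName);
      R.suppressDiagnostics();
      S.LookupName(R, S.getCurScope());

      // If the name is already visible it must be exactly the suggested
      // builtin.  Anything else found under that name means the replacement
      // would call a different entity, so no note is emitted at all.
      if (R.isSingleResult()) {
        FunctionDecl *FD = dyn_cast<FunctionDecl>(R.getFoundDecl());
        if (FD && FD->getBuiltinID() == AbsKind) {
          EmitHeaderHint = false;
        } else {
          return;
        }
      } else if (!R.empty()) {
        return;
      }
    }
  }

  S.Diag(Loc, diag::note_replace_abs_function)
      << FunctionName << FixItHint::CreateReplacement(Range, FunctionName);

  if (!HeaderName || !EmitHeaderHint)
    return;

  S.Diag(Loc, diag::note_please_include_header) << HeaderName << FunctionName;
}

// Returns true if FDecl is a function named "abs" declared in namespace std
// (looking through inline namespaces), where std itself is declared directly
// in the translation unit.
static bool IsFunctionStdAbs(const FunctionDecl *FDecl) {
  if (!FDecl)
    return false;

  if (!FDecl->getIdentifier() || !FDecl->getIdentifier()->isStr("abs"))
    return false;

  const NamespaceDecl *ND = dyn_cast<NamespaceDecl>(FDecl->getDeclContext());

  // Step out of inline namespaces to reach the namespace that names them.
  while (ND && ND->isInlineNamespace()) {
    ND = dyn_cast<NamespaceDecl>(ND->getDeclContext());
  }

  if (!ND || !ND->getIdentifier() || !ND->getIdentifier()->isStr("std"))
    return false;

  // A namespace called std nested inside another namespace does not count.
  if (!isa<TranslationUnitDecl>(ND->getDeclContext()))
    return false;

  return true;
}

// Warn when using the wrong abs() function.
//
// Three situations are diagnosed: the argument is unsigned (the call is
// pointless), the argument is wider than the parameter of the chosen function
// (the value is truncated before the absolute value is taken), and the
// argument belongs to a different family than the function (for example a
// floating point value passed to an integer abs).
void Sema::CheckAbsoluteValueFunction(const CallExpr *Call,
                                      const FunctionDecl *FDecl,
                                      IdentifierInfo *FnInfo) {
  if (Call->getNumArgs() != 1)
    return;

  unsigned AbsKind = getAbsoluteValueFunctionKind(FDecl);
  bool IsStdAbs = IsFunctionStdAbs(FDecl);
  if (AbsKind == 0 && !IsStdAbs)
    return;

  // ArgType is the type the user wrote; ParamType is the type after the
  // implicit conversion to the function's parameter.
  QualType ArgType = Call->getArg(0)->IgnoreParenImpCasts()->getType();
  QualType ParamType = Call->getArg(0)->getType();

  // Unsigned types can not be negative.  Suggest to drop the absolute value
  // function.
  if (ArgType->isUnsignedIntegerType()) {
    const char *FunctionName =
        IsStdAbs ? "std::abs" : Context.BuiltinInfo.GetName(AbsKind);
    Diag(Call->getExprLoc(), diag::warn_unsigned_abs) << ArgType << ParamType;
    Diag(Call->getExprLoc(), diag::note_remove_abs)
      << FunctionName
      << FixItHint::CreateRemoval(Call->getCallee()->getSourceRange());
    return;
  }

  // std::abs has overloads which prevent most of the absolute value problems
  // from occurring.
  if (IsStdAbs)
    return;

  // ArgType is whatever the user passed before implicit conversions, so it is
  // not guaranteed to be integer, floating or complex.  getAbsoluteValueKind()
  // ends in llvm_unreachable for any other type; give up quietly instead of
  // reaching it.
  if (!hasAbsoluteValueKind(ArgType) || !hasAbsoluteValueKind(ParamType))
    return;

  AbsoluteValueKind ArgValueKind = getAbsoluteValueKind(ArgType);
  AbsoluteValueKind ParamValueKind = getAbsoluteValueKind(ParamType);

  // The argument and parameter are the same kind.  Check if they are the right
  // size.
  if (ArgValueKind == ParamValueKind) {
    if (Context.getTypeSize(ArgType) <= Context.getTypeSize(ParamType))
      return;

    unsigned NewAbsKind = getBestAbsFunction(Context, ArgType, AbsKind);
    Diag(Call->getExprLoc(), diag::warn_abs_too_small)
        << FDecl << ArgType << ParamType;

    // The warning is still emitted when no wider function exists; only the
    // replacement note is dropped.
    if (NewAbsKind == 0)
      return;

    emitReplacement(*this, Call->getExprLoc(),
                    Call->getCallee()->getSourceRange(), NewAbsKind, ArgType);
    return;
  }

  // ArgValueKind != ParamValueKind
  // The wrong type of absolute value function was used.  Attempt to find the
  // proper one.
  unsigned NewAbsKind = changeAbsFunction(AbsKind, ArgValueKind);
  NewAbsKind = getBestAbsFunction(Context, ArgType, NewAbsKind);
  if (NewAbsKind == 0)
    return;

  Diag(Call->getExprLoc(), diag::warn_wrong_absolute_value_type)
      << FDecl << ParamValueKind << ArgValueKind;

  emitReplacement(*this, Call->getExprLoc(),
                  Call->getCallee()->getSourceRange(), NewAbsKind, ArgType);
}

//===--- CHECK: Standard memory functions ---------------------------------===//

/// \brief Takes the expression passed to the size_t parameter of functions
/// such as memcmp, strncat, etc and warns if it's a comparison.
///
/// This is to catch typos like `if (memcmp(&a, &b, sizeof(a) > 0))`.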
static bool CheckMemorySizeofForComparison(Sema &S, const Expr *E,
                                           IdentifierInfo *FnName,
                                           SourceLocation FnLoc,
                                           SourceLocation RParenLoc) {
  // Only a binary >, <, >=, <=, ==, !=, && or || is suspicious as a length:
  // its result is 0 or 1, so the call would touch at most one byte.
  const BinaryOperator *Cmp = dyn_cast<BinaryOperator>(E);
  if (!Cmp)
    return false;

  const bool YieldsTruthValue =
      Cmp->isComparisonOp() || Cmp->isEqualityOp() || Cmp->isLogicalOp();
  if (!YieldsTruthValue)
    return false;

  Preprocessor &PP = S.getPreprocessor();
  const SourceRange CmpRange = Cmp->getSourceRange();

  // The warning itself, attached to the operator.
  S.Diag(Cmp->getOperatorLoc(), diag::warn_memsize_comparison)
    << CmpRange << FnName;

  // First suggestion: the closing parenthesis of the call was misplaced.
  // Close the call right after the left operand and drop the original ')'.
  const SourceLocation AfterLHS =
      PP.getLocForEndOfToken(Cmp->getLHS()->getLocEnd());
  S.Diag(FnLoc, diag::warn_memsize_comparison_paren_note)
    << FnName
    << FixItHint::CreateInsertion(AfterLHS, ")")
    << FixItHint::CreateRemoval(RParenLoc);

  // Second suggestion: the comparison is intended; an explicit cast of the
  // whole expression silences the warning.
  const SourceLocation AfterCmp = PP.getLocForEndOfToken(CmpRange.getEnd());
  S.Diag(CmpRange.getBegin(), diag::warn_memsize_comparison_cast_note)
    << FixItHint::CreateInsertion(CmpRange.getBegin(), "(size_t)(")
    << FixItHint::CreateInsertion(AfterCmp, ")");

  return true;
}

/// \brief Determine whether the given type is a dynamic class type (e.g.,
/// whether it has a vtable).
///
/// Returns false for non-class types and for classes whose definition is not
/// available.
static bool isDynamicClassType(QualType T) {
  CXXRecordDecl *Record = T->getAsCXXRecordDecl();
  if (!Record)
    return false;

  CXXRecordDecl *Definition = Record->getDefinition();
  return Definition && Definition->isDynamicClass();
}

/// \brief If E is a sizeof expression, returns its argument expression,
/// otherwise returns NULL.
static const Expr *getSizeOfExprArg(const Expr* E) {
  const UnaryExprOrTypeTraitExpr *Trait =
      dyn_cast<UnaryExprOrTypeTraitExpr>(E);

  // Only `sizeof expr` qualifies; `sizeof(type)` has no argument expression.
  if (!Trait || Trait->getKind() != clang::UETT_SizeOf ||
      Trait->isArgumentType())
    return 0;

  return Trait->getArgumentExpr()->IgnoreParenImpCasts();
}

/// \brief If E is a sizeof expression, returns its argument type.
///
/// Returns a null QualType when E is not a sizeof expression.
static QualType getSizeOfArgType(const Expr* E) {
  const UnaryExprOrTypeTraitExpr *Trait =
      dyn_cast<UnaryExprOrTypeTraitExpr>(E);
  if (Trait && Trait->getKind() == clang::UETT_SizeOf)
    return Trait->getTypeOfArgument();

  return QualType();
}

/// \brief Check for dangerous or invalid arguments to the memory access
/// functions.
///
/// This issues warnings on known problematic, dangerous or unspecified
/// arguments to the standard 'memset', 'memcpy', 'memmove', and 'memcmp'
/// function calls.  The builtin ID of 'strndup' is handled as well: its
/// length is the second argument and only its first argument is inspected.
///
/// The checks, in order, for each pointer argument that is inspected:
///  - the length is `sizeof` of the very expression passed as the pointer
///    (`memset(p, 0, sizeof(p))`), which measures the pointer, not the object;
///  - the length is `sizeof` of a type compatible with the pointer type while
///    the pointee is a record;
///  - the pointee is a dynamic class, or (except for memset) has a
///    non-trivial ObjC lifetime.
/// The loop stops at the first argument that is diagnosed.
///
/// \param Call The call expression to diagnose.
/// \param BId The builtin ID of the called function; must not be 0.
/// \param FnName The name of the called function, used in the diagnostics.
void Sema::CheckMemaccessArguments(const CallExpr *Call,
                                   unsigned BId,
                                   IdentifierInfo *FnName) {
  assert(BId != 0);

  const bool IsStrndup = BId == Builtin::BIstrndup;
  const bool IsMemcmp = BId == Builtin::BImemcmp;

  // A non-standard declaration of the function may take fewer arguments than
  // the indices used below; bail out rather than index past the end.
  const unsigned MinArgs = IsStrndup ? 2 : 3;
  if (Call->getNumArgs() < MinArgs)
    return;

  // Number of leading pointer arguments to inspect, and where the length is.
  const unsigned NumPtrArgs = (BId == Builtin::BImemset || IsStrndup) ? 1 : 2;
  const unsigned LenIdx = IsStrndup ? 1 : 2;
  const Expr *LenExpr = Call->getArg(LenIdx)->IgnoreParenImpCasts();

  // A comparison used as the length is reported on its own; nothing else is
  // checked for such a call.
  if (CheckMemorySizeofForComparison(*this, LenExpr, FnName,
                                     Call->getLocStart(), Call->getRParenLoc()))
    return;

  // We have special checking when the length is a sizeof expression.
  QualType SizeOfArgTy = getSizeOfArgType(LenExpr);
  const Expr *SizeOfArg = getSizeOfExprArg(LenExpr);
  llvm::FoldingSetNodeID SizeOfArgID;

  for (unsigned ArgIdx = 0; ArgIdx != NumPtrArgs; ++ArgIdx) {
    const Expr *RawArg = Call->getArg(ArgIdx);
    const Expr *Dest = RawArg->IgnoreParenImpCasts();
    QualType DestTy = Dest->getType();

    const PointerType *DestPtrTy = DestTy->getAs<PointerType>();
    if (!DestPtrTy)
      continue;

    QualType PointeeTy = DestPtrTy->getPointeeType();

    // Never warn about void type pointers.  This can be used to suppress
    // false positives.
    if (PointeeTy->isVoidType())
      continue;

    // Catch "memset(p, 0, sizeof(p))" -- needs to be sizeof(*p).  Do this by
    // actually comparing the expressions for equality.  Because computing the
    // expression IDs can be expensive, we only do this if the diagnostic is
    // enabled.
    if (SizeOfArg &&
        Diags.getDiagnosticLevel(diag::warn_sizeof_pointer_expr_memaccess,
                                 SizeOfArg->getExprLoc())) {
      // The sizeof argument's ID is computed once and reused for the second
      // pointer argument.
      if (SizeOfArgID == llvm::FoldingSetNodeID())
        SizeOfArg->Profile(SizeOfArgID, Context, true);

      llvm::FoldingSetNodeID DestID;
      Dest->Profile(DestID, Context, true);

      if (DestID == SizeOfArgID) {
        // TODO: For strncpy() and friends, this could suggest sizeof(dst)
        //       over sizeof(src) as well.

        // Which fix the note proposes:
        //   0 - dereference the sizeof argument (the default),
        //   1 - remove the address-of operator,
        //   2 - give an explicit length (pointee is char-sized).
        // A later rule overrides an earlier one.
        unsigned ActionIdx = 0;
        if (const UnaryOperator *AddrOf = dyn_cast<UnaryOperator>(Dest))
          if (AddrOf->getOpcode() == UO_AddrOf)
            ActionIdx = 1;
        if (!PointeeTy->isIncompleteType() &&
            Context.getTypeSize(PointeeTy) == Context.getCharWidth())
          ActionIdx = 2;

        StringRef ReadableName = FnName->getName();
        SourceLocation SL = SizeOfArg->getExprLoc();
        SourceRange DSR = Dest->getSourceRange();
        SourceRange SSR = SizeOfArg->getSourceRange();
        SourceManager &SM = PP.getSourceManager();

        // If the function is defined as a builtin macro, do not show macro
        // expansion: report the macro's name and the spelling locations.
        if (SM.isMacroArgExpansion(SL)) {
          ReadableName = Lexer::getImmediateMacroName(SL, SM, LangOpts);
          SL = SM.getSpellingLoc(SL);
          DSR = SourceRange(SM.getSpellingLoc(DSR.getBegin()),
                            SM.getSpellingLoc(DSR.getEnd()));
          SSR = SourceRange(SM.getSpellingLoc(SSR.getBegin()),
                            SM.getSpellingLoc(SSR.getEnd()));
        }

        DiagRuntimeBehavior(SL, SizeOfArg,
                            PDiag(diag::warn_sizeof_pointer_expr_memaccess)
                              << ReadableName
                              << PointeeTy
                              << DestTy
                              << DSR
                              << SSR);
        DiagRuntimeBehavior(SL, SizeOfArg,
                            PDiag(diag::warn_sizeof_pointer_expr_memaccess_note)
                              << ActionIdx
                              << SSR);

        break;
      }
    }

    // Also check for cases where the sizeof argument is the exact same
    // type as the memory argument, and where it points to a user-defined
    // record type.
    if (SizeOfArgTy != QualType() && PointeeTy->isRecordType() &&
        Context.typesAreCompatible(SizeOfArgTy, DestTy)) {
      DiagRuntimeBehavior(LenExpr->getExprLoc(), Dest,
                          PDiag(diag::warn_sizeof_pointer_type_memaccess)
                            << FnName << SizeOfArgTy << ArgIdx
                            << PointeeTy << Dest->getSourceRange()
                            << LenExpr->getSourceRange());
      break;
    }

    // Always complain about dynamic classes.
    if (isDynamicClassType(PointeeTy)) {
      // Selects the verb in the diagnostic: 0 ("overwritten") when warning
      // about the destination of any call but memcmp; otherwise a verb
      // appropriate to the call.
      unsigned OperationType = 0;
      if (ArgIdx != 0 || IsMemcmp) {
        switch (BId) {
        case Builtin::BImemcpy:
          OperationType = 1;
          break;
        case Builtin::BImemmove:
          OperationType = 2;
          break;
        case Builtin::BImemcmp:
          OperationType = 3;
          break;
        default:
          break;
        }
      }

      DiagRuntimeBehavior(
        Dest->getExprLoc(), Dest,
        PDiag(diag::warn_dyn_class_memaccess)
          << (IsMemcmp ? ArgIdx + 2 : ArgIdx)
          << FnName << PointeeTy
          << OperationType
          << Call->getCallee()->getSourceRange());
    } else if (PointeeTy.hasNonTrivialObjCLifetime() &&
               BId != Builtin::BImemset) {
      DiagRuntimeBehavior(
        Dest->getExprLoc(), Dest,
        PDiag(diag::warn_arc_object_memaccess)
          << ArgIdx << FnName << PointeeTy
          << Call->getCallee()->getSourceRange());
    } else {
      // Nothing wrong with this argument; look at the next one.
      continue;
    }

    // Both warnings above share the note that an explicit cast to void*
    // silences them.
    SourceRange ArgRange = RawArg->getSourceRange();
    DiagRuntimeBehavior(
      Dest->getExprLoc(), Dest,
      PDiag(diag::note_bad_memaccess_silence)
        << FixItHint::CreateInsertion(ArgRange.getBegin(), "(void*)"));
    break;
  }
}

// A little helper routine: ignore addition and subtraction of integer literals.
// This intentionally does not ignore all integer constant expressions because
// we don't want to remove sizeof().
static const Expr *ignoreLiteralAdditions(const Expr *Ex, ASTContext &Ctx) {
  const Expr *Cur = Ex->IgnoreParenCasts();

  // Peel one `x + N`, `N + x` or `x - N` layer per iteration, where N is an
  // integer literal, and continue with the other operand.  Stop at the first
  // expression that is not such an addition or subtraction.
  while (const BinaryOperator *BO = dyn_cast<BinaryOperator>(Cur)) {
    if (!BO->isAdditiveOp())
      return Cur;

    const Expr *Right = BO->getRHS()->IgnoreParenCasts();
    const Expr *Left = BO->getLHS()->IgnoreParenCasts();

    // The right operand is tested first, so `1 + 2` continues with `1`.
    if (isa<IntegerLiteral>(Right))
      Cur = Left;
    else if (isa<IntegerLiteral>(Left))
      Cur = Right;
    else
      return Cur;
  }

  return Cur;
}

// Returns true if Ty is a constant-size array with more than one element or a
// variable-length array.  Arrays of size 0 or 1 and all other types are
// rejected, so no sizeof() fix-it is offered for them.
static bool isConstantSizeArrayWithMoreThanOneElement(QualType Ty,
                                                      ASTContext &Context) {
  // Only handle constant-sized or VLAs, but not flexible members.
  if (const ConstantArrayType *CAT = Context.getAsConstantArrayType(Ty)) {
    // Only issue the FIXIT for arrays of size > 1.
    return CAT->getSize().getSExtValue() > 1;
  }

  return Ty->isVariableArrayType();
}

// Warn if the user has made the 'size' argument to strlcpy or strlcat
// be the size of the source, instead of the destination.
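/// Diagnose strlcpy/strlcat calls whose size argument is derived from the
/// source operand instead of the destination.
///
/// The size argument of these functions is meant to bound the write into the
/// destination buffer. Passing 'sizeof(src)' or 'strlen(src)' bounds the copy
/// by the source, so the call no longer protects the destination from an
/// overflow. When the destination is a constant-size array, a fix-it that
/// replaces the size argument with 'sizeof(<dst>)' is attached.
///
/// \param Call    the call expression being checked.
/// \param FnName  the callee's name, streamed into the diagnostic.
void Sema::CheckStrlcpycatArguments(const CallExpr *Call,
                                    IdentifierInfo *FnName) {

  // Don't crash if the user has the wrong number of arguments
  if (Call->getNumArgs() != 3)
    return;

  const Expr *SrcArg = ignoreLiteralAdditions(Call->getArg(1), Context);
  const Expr *SizeArg = ignoreLiteralAdditions(Call->getArg(2), Context);
  const Expr *CompareWithSrc = NULL;

  if (CheckMemorySizeofForComparison(*this, SizeArg, FnName,
                                     Call->getLocStart(), Call->getRParenLoc()))
    return;

  // Look for 'strlcpy(dst, x, sizeof(x))'
  if (const Expr *Ex = getSizeOfExprArg(SizeArg))
    CompareWithSrc = Ex;
  else {
    // Look for 'strlcpy(dst, x, strlen(x))'
    if (const CallExpr *SizeCall = dyn_cast<CallExpr>(SizeArg)) {
      if (SizeCall->getBuiltinCallee() == Builtin::BIstrlen &&
          SizeCall->getNumArgs() == 1)
        CompareWithSrc = ignoreLiteralAdditions(SizeCall->getArg(0), Context);
    }
  }

  if (!CompareWithSrc)
    return;

  // Determine if the argument to sizeof/strlen is equal to the source
  // argument.  In principle there's all kinds of things you could do
  // here, for instance creating an == expression and evaluating it with
  // EvaluateAsBooleanCondition, but this uses a more direct technique:
  // both sides must be plain references to the same declaration.
  const DeclRefExpr *SrcArgDRE = dyn_cast<DeclRefExpr>(SrcArg);
  if (!SrcArgDRE)
    return;

  const DeclRefExpr *CompareWithSrcDRE = dyn_cast<DeclRefExpr>(CompareWithSrc);
  if (!CompareWithSrcDRE ||
      SrcArgDRE->getDecl() != CompareWithSrcDRE->getDecl())
    return;

  // Report against the size argument as written, not the stripped form.
  const Expr *OriginalSizeArg = Call->getArg(2);
  Diag(CompareWithSrcDRE->getLocStart(), diag::warn_strlcpycat_wrong_size)
    << OriginalSizeArg->getSourceRange() << FnName;

  // Output a FIXIT hint if the destination is an array (rather than a
  // pointer to an array).  This could be enhanced to handle some
  // pointers if we know the actual size, like if DstArg is 'array+2'
  // we could say 'sizeof(array)-2'.
  const Expr *DstArg = Call->getArg(0)->IgnoreParenImpCasts();
  if (!isConstantSizeArrayWithMoreThanOneElement(DstArg->getType(), Context))
    return;

  SmallString<128> sizeString;
  llvm::raw_svector_ostream OS(sizeString);
  OS << "sizeof(";
  DstArg->printPretty(OS, 0, getPrintingPolicy());
  OS << ")";

  Diag(OriginalSizeArg->getLocStart(), diag::note_strlcpycat_wrong_size)
    << FixItHint::CreateReplacement(OriginalSizeArg->getSourceRange(),
                                    OS.str());
}

/// Check if two expressions refer to the same declaration.
///
/// Either argument may be null; the result is then false. Only expressions
/// that are themselves DeclRefExprs are matched, so callers strip parentheses
/// and casts first.
static bool referToTheSameDecl(const Expr *E1, const Expr *E2) {
  if (const DeclRefExpr *D1 = dyn_cast_or_null<DeclRefExpr>(E1))
    if (const DeclRefExpr *D2 = dyn_cast_or_null<DeclRefExpr>(E2))
      return D1->getDecl() == D2->getDecl();
  return false;
}

/// If \p E is a direct call to strlen, return its first argument with
/// parentheses and casts stripped; otherwise return null.
///
/// \p E must not be null (it is passed to dyn_cast, not dyn_cast_or_null).
static const Expr *getStrlenExprArg(const Expr *E) {
  if (const CallExpr *CE = dyn_cast<CallExpr>(E)) {
    const FunctionDecl *FD = CE->getDirectCallee();
    if (!FD || FD->getMemoryFunctionKind() != Builtin::BIstrlen)
      return 0;
    // Nothing above establishes that the call carries an argument, so do not
    // index into it blindly. CheckStrlcpycatArguments applies the same
    // argument-count test before reading a strlen call's operand.
    if (CE->getNumArgs() < 1)
      return 0;
    return CE->getArg(0)->IgnoreParenCasts();
  }
  return 0;
}

// Warn on anti-patterns as the 'size' argument to strncat.
// The correct size argument should look like following:
//   strncat(dst, src, sizeof(dst) - strlen(dst) - 1);
//
// The size argument of strncat limits how many characters are appended; it is
// not the size of the destination. The patterns recognised below either
// ignore what the destination already holds or bound the append by the
// source, and can therefore write past the end of the destination.
//
// PatternType 1 marks a size built from the destination ('sizeof(dst)' or
// 'sizeof(dst) - strlen(dst)'); PatternType 2 marks a size built from the
// source ('sizeof(src)' or 'sizeof(src) - anything').
void Sema::CheckStrncatArguments(const CallExpr *CE,
                                 IdentifierInfo *FnName) {
  // Don't crash if the user has the wrong number of arguments.
  if (CE->getNumArgs() < 3)
    return;
  const Expr *DstArg = CE->getArg(0)->IgnoreParenCasts();
  const Expr *SrcArg = CE->getArg(1)->IgnoreParenCasts();
  const Expr *LenArg = CE->getArg(2)->IgnoreParenCasts();

  if (CheckMemorySizeofForComparison(*this, LenArg, FnName, CE->getLocStart(),
                                     CE->getRParenLoc()))
    return;

  // Identify common expressions, which are wrongly used as the size argument
  // to strncat and may lead to buffer overflows.
  unsigned PatternType = 0;
  if (const Expr *SizeOfArg = getSizeOfExprArg(LenArg)) {
    // - sizeof(dst)
    if (referToTheSameDecl(SizeOfArg, DstArg))
      PatternType = 1;
    // - sizeof(src)
    else if (referToTheSameDecl(SizeOfArg, SrcArg))
      PatternType = 2;
  } else if (const BinaryOperator *BE = dyn_cast<BinaryOperator>(LenArg)) {
    if (BE->getOpcode() == BO_Sub) {
      const Expr *L = BE->getLHS()->IgnoreParenCasts();
      const Expr *R = BE->getRHS()->IgnoreParenCasts();
      // - sizeof(dst) - strlen(dst)
      if (referToTheSameDecl(DstArg, getSizeOfExprArg(L)) &&
          referToTheSameDecl(DstArg, getStrlenExprArg(R)))
        PatternType = 1;
      // - sizeof(src) - (anything)
      else if (referToTheSameDecl(SrcArg, getSizeOfExprArg(L)))
        PatternType = 2;
    }
  }

  if (PatternType == 0)
    return;

  // Generate the diagnostic.
  SourceLocation SL = LenArg->getLocStart();
  SourceRange SR = LenArg->getSourceRange();
  SourceManager &SM = PP.getSourceManager();

  // If the function is defined as a builtin macro, do not show macro expansion.
  if (SM.isMacroArgExpansion(SL)) {
    SL = SM.getSpellingLoc(SL);
    SR = SourceRange(SM.getSpellingLoc(SR.getBegin()),
                     SM.getSpellingLoc(SR.getEnd()));
  }

  // Check if the destination is an array (rather than a pointer to an array).
  // Without a known array size there is nothing to build a fix-it from, so
  // only the warning is emitted.
  QualType DstTy = DstArg->getType();
  bool isKnownSizeArray = isConstantSizeArrayWithMoreThanOneElement(DstTy,
                                                                    Context);
  if (!isKnownSizeArray) {
    if (PatternType == 1)
      Diag(SL, diag::warn_strncat_wrong_size) << SR;
    else
      Diag(SL, diag::warn_strncat_src_size) << SR;
    return;
  }

  if (PatternType == 1)
    Diag(SL, diag::warn_strncat_large_size) << SR;
  else
    Diag(SL, diag::warn_strncat_src_size) << SR;

  // Suggest 'sizeof(<dst>) - strlen(<dst>) - 1' as the replacement size.
  SmallString<128> sizeString;
  llvm::raw_svector_ostream OS(sizeString);
  OS << "sizeof(";
  DstArg->printPretty(OS, 0, getPrintingPolicy());
  OS << ") - ";
  OS << "strlen(";
  DstArg->printPretty(OS, 0, getPrintingPolicy());
  OS << ") - 1";

  Diag(SL, diag::note_strncat_wrong_size)
    << FixItHint::CreateReplacement(SR, OS.str());
}

//===--- CHECK: Return Address of Stack Variable --------------------------===//

static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars,
                     Decl *ParentDecl);
static Expr *EvalAddr(Expr* E, SmallVectorImpl<DeclRefExpr *> &refVars,
                      Decl *ParentDecl);

/// CheckReturnStackAddr - Check if a return statement returns the address
/// of a stack variable.
///
/// A pointer or reference to a local outlives the object it designates once
/// the function returns, so any later use through it touches a dead stack
/// slot. Pointer (and, outside ObjC ARC, block pointer) results are traced
/// with EvalAddr; reference results with EvalVal.
///
/// \param RetValExp  the returned expression.
/// \param lhsType    the type the value is returned as.
/// \param ReturnLoc  not used by this function.
static void
CheckReturnStackAddr(Sema &S, Expr *RetValExp, QualType lhsType,
                     SourceLocation ReturnLoc) {

  Expr *stackE = 0;
  SmallVector<DeclRefExpr *, 8> refVars;

  // Perform checking for returned stack addresses, local blocks,
  // label addresses or references to temporaries.
  if (lhsType->isPointerType() ||
      (!S.getLangOpts().ObjCAutoRefCount && lhsType->isBlockPointerType())) {
    stackE = EvalAddr(RetValExp, refVars, /*ParentDecl=*/0);
  } else if (lhsType->isReferenceType()) {
    stackE = EvalVal(RetValExp, refVars, /*ParentDecl=*/0);
  }

  if (stackE == 0)
    return; // Nothing suspicious was found.

  SourceLocation diagLoc;
  SourceRange diagRange;
  if (refVars.empty()) {
    diagLoc = stackE->getLocStart();
    diagRange = stackE->getSourceRange();
  } else {
    // We followed through a reference variable. 'stackE' contains the
    // problematic expression but we will warn at the return statement pointing
    // at the reference variable. We will later display the "trail" of
    // reference variables using notes.
    diagLoc = refVars[0]->getLocStart();
    diagRange = refVars[0]->getSourceRange();
  }

  if (DeclRefExpr *DR = dyn_cast<DeclRefExpr>(stackE)) { //address of local var.
    S.Diag(diagLoc, lhsType->isReferenceType() ? diag::warn_ret_stack_ref
                                               : diag::warn_ret_stack_addr)
     << DR->getDecl()->getDeclName() << diagRange;
  } else if (isa<BlockExpr>(stackE)) { // local block.
    S.Diag(diagLoc, diag::err_ret_local_block) << diagRange;
  } else if (isa<AddrLabelExpr>(stackE)) { // address of label.
    S.Diag(diagLoc, diag::warn_ret_addr_label) << diagRange;
  } else { // local temporary.
    S.Diag(diagLoc, lhsType->isReferenceType() ? diag::warn_ret_local_temp_ref
                                               : diag::warn_ret_local_temp_addr)
     << diagRange;
  }

  // Display the "trail" of reference variables that we followed until we
  // found the problematic expression using notes.
  for (unsigned i = 0, e = refVars.size(); i != e; ++i) {
    VarDecl *VD = cast<VarDecl>(refVars[i]->getDecl());
    // If this var binds to another reference var, show the range of the next
    // var, otherwise the var binds to the problematic expression, in which case
    // show the range of the expression.
    SourceRange range = (i < e-1) ? refVars[i+1]->getSourceRange()
                                  : stackE->getSourceRange();
    S.Diag(VD->getLocation(), diag::note_ref_var_local_bind)
      << VD->getDeclName() << range;
  }
}

/// EvalAddr - EvalAddr and EvalVal are mutually recursive functions that
///  check if the expression in a return statement evaluates to an address
///  to a location on the stack, a local block, an address of a label, or a
///  reference to local temporary. The recursion is used to traverse the
///  AST of the return expression, with recursion backtracking when we
///  encounter a subexpression that (1) clearly does not lead to one of the
///  above problematic expressions (2) is something we cannot determine leads to
///  a problematic expression based on such local checking.
///
///  Both EvalAddr and EvalVal follow through reference variables to evaluate
///  the expression that they point to. Such variables are added to the
///  'refVars' vector so that we know what the reference variable "trail" was.
///
///  EvalAddr processes expressions that are pointers that are used as
///  references (and not L-values).  EvalVal handles all other values.
///  At the base case of the recursion is a check for the above problematic
///  expressions.
///
///  This implementation handles:
///
///   * pointer-to-pointer casts
///   * implicit conversions from array references to pointers
///   * taking the address of fields
///   * arbitrary interplay between "&" and "*" operators
///   * pointer arithmetic from an address of a stack variable
///   * taking the address of an array element where the array is on the stack
///
///  Returns the problematic expression, or null when nothing suspicious was
///  found or the expression is not one this analysis reasons about.
static Expr *EvalAddr(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars,
                      Decl *ParentDecl) {
  if (E->isTypeDependent())
    return NULL;

  // We should only be called for evaluating pointer expressions.
  assert((E->getType()->isAnyPointerType() ||
          E->getType()->isBlockPointerType() ||
          E->getType()->isObjCQualifiedIdType()) &&
         "EvalAddr only works on pointers");

  E = E->IgnoreParens();

  // Our "symbolic interpreter" is just a dispatch off the currently
  // viewed AST node.  We then recursively traverse the AST by calling
  // EvalAddr and EvalVal appropriately.
  switch (E->getStmtClass()) {
  case Stmt::DeclRefExprClass: {
    DeclRefExpr *DR = cast<DeclRefExpr>(E);

    // If we leave the immediate function, the lifetime isn't about to end.
    if (DR->refersToEnclosingLocal())
      return 0;

    if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl()))
      // If this is a reference variable, follow through to the expression that
      // it points to.
      if (V->hasLocalStorage() &&
          V->getType()->isReferenceType() && V->hasInit()) {
        // Add the reference variable to the "trail".
        refVars.push_back(DR);
        return EvalAddr(V->getInit(), refVars, ParentDecl);
      }

    return NULL;
  }

  case Stmt::UnaryOperatorClass: {
    // The only unary operator that makes sense to handle here
    // is AddrOf.  All others don't make sense as pointers.
    UnaryOperator *U = cast<UnaryOperator>(E);

    if (U->getOpcode() == UO_AddrOf)
      return EvalVal(U->getSubExpr(), refVars, ParentDecl);
    else
      return NULL;
  }

  case Stmt::BinaryOperatorClass: {
    // Handle pointer arithmetic.  All other binary operators are not valid
    // in this context.
    BinaryOperator *B = cast<BinaryOperator>(E);
    BinaryOperatorKind op = B->getOpcode();

    if (op != BO_Add && op != BO_Sub)
      return NULL;

    Expr *Base = B->getLHS();

    // Determine which argument is the real pointer base.  It could be
    // the RHS argument instead of the LHS.
    if (!Base->getType()->isPointerType()) Base = B->getRHS();

    assert (Base->getType()->isPointerType());
    return EvalAddr(Base, refVars, ParentDecl);
  }

  // For conditional operators we need to see if either the LHS or RHS are
  // valid DeclRefExpr*s.  If one of them is valid, we return it.
  case Stmt::ConditionalOperatorClass: {
    ConditionalOperator *C = cast<ConditionalOperator>(E);

    // Handle the GNU extension for missing LHS.
    // FIXME: That isn't a ConditionalOperator, so doesn't get here.
    if (Expr *LHSExpr = C->getLHS()) {
      // In C++, we can have a throw-expression, which has 'void' type.
      if (!LHSExpr->getType()->isVoidType())
        if (Expr *LHS = EvalAddr(LHSExpr, refVars, ParentDecl))
          return LHS;
    }

    // In C++, we can have a throw-expression, which has 'void' type.
    if (C->getRHS()->getType()->isVoidType())
      return 0;

    return EvalAddr(C->getRHS(), refVars, ParentDecl);
  }

  case Stmt::BlockExprClass:
    if (cast<BlockExpr>(E)->getBlockDecl()->hasCaptures())
      return E; // local block.
    return NULL;

  case Stmt::AddrLabelExprClass:
    return E; // address of label.

  case Stmt::ExprWithCleanupsClass:
    return EvalAddr(cast<ExprWithCleanups>(E)->getSubExpr(), refVars,
                    ParentDecl);

  // For casts, we need to handle conversions from arrays to
  // pointer values, and pointer-to-pointer conversions.
  case Stmt::ImplicitCastExprClass:
  case Stmt::CStyleCastExprClass:
  case Stmt::CXXFunctionalCastExprClass:
  case Stmt::ObjCBridgedCastExprClass:
  case Stmt::CXXStaticCastExprClass:
  case Stmt::CXXDynamicCastExprClass:
  case Stmt::CXXConstCastExprClass:
  case Stmt::CXXReinterpretCastExprClass: {
    Expr* SubExpr = cast<CastExpr>(E)->getSubExpr();
    switch (cast<CastExpr>(E)->getCastKind()) {
    case CK_BitCast:
    case CK_LValueToRValue:
    case CK_NoOp:
    case CK_BaseToDerived:
    case CK_DerivedToBase:
    case CK_UncheckedDerivedToBase:
    case CK_Dynamic:
    case CK_CPointerToObjCPointerCast:
    case CK_BlockPointerToObjCPointerCast:
    case CK_AnyPointerToBlockPointerCast:
      return EvalAddr(SubExpr, refVars, ParentDecl);

    case CK_ArrayToPointerDecay:
      return EvalVal(SubExpr, refVars, ParentDecl);

    default:
      return 0;
    }
  }

  case Stmt::MaterializeTemporaryExprClass:
    if (Expr *Result = EvalAddr(
                         cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(),
                                refVars, ParentDecl))
      return Result;

    // Nothing more specific inside: the temporary itself is the finding.
    return E;

  // Everything else: we simply don't reason about them.
  default:
    return NULL;
  }
}


///  EvalVal - This function complements EvalAddr in the mutual recursion.
///   See the comments for EvalAddr for more details.
///
///   \p ParentDecl is the reference variable whose initializer is currently
///   being followed (null at the top level); it is used to detect an
///   initializer that refers to the variable itself.
static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars,
                     Decl *ParentDecl) {
do {
  // We should only be called for evaluating non-pointer expressions, or
  // expressions with a pointer type that are not used as references but instead
  // are l-values (e.g., DeclRefExpr with a pointer type).

  // Our "symbolic interpreter" is just a dispatch off the currently
  // viewed AST node.  We then recursively traverse the AST by calling
  // EvalAddr and EvalVal appropriately.

  E = E->IgnoreParens();
  switch (E->getStmtClass()) {
  case Stmt::ImplicitCastExprClass: {
    ImplicitCastExpr *IE = cast<ImplicitCastExpr>(E);
    if (IE->getValueKind() == VK_LValue) {
      // Look through the cast and dispatch again on its operand.
      E = IE->getSubExpr();
      continue;
    }
    return NULL;
  }

  case Stmt::ExprWithCleanupsClass:
    return EvalVal(cast<ExprWithCleanups>(E)->getSubExpr(), refVars,ParentDecl);

  case Stmt::DeclRefExprClass: {
    // When we hit a DeclRefExpr we are looking at code that refers to a
    // variable's name. If it's not a reference variable we check if it has
    // local storage within the function, and if so, return the expression.
    DeclRefExpr *DR = cast<DeclRefExpr>(E);

    // If we leave the immediate function, the lifetime isn't about to end.
    if (DR->refersToEnclosingLocal())
      return 0;

    if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) {
      // Check if it refers to itself, e.g. "int& i = i;".
      if (V == ParentDecl)
        return DR;

      if (V->hasLocalStorage()) {
        if (!V->getType()->isReferenceType())
          return DR;

        // Reference variable, follow through to the expression that
        // it points to.
        if (V->hasInit()) {
          // Add the reference variable to the "trail".
          refVars.push_back(DR);
          return EvalVal(V->getInit(), refVars, V);
        }
      }
    }

    return NULL;
  }

  case Stmt::UnaryOperatorClass: {
    // The only unary operator that makes sense to handle here
    // is Deref.  All others don't resolve to a "name."  This includes
    // handling all sorts of rvalues passed to a unary operator.
    UnaryOperator *U = cast<UnaryOperator>(E);

    if (U->getOpcode() == UO_Deref)
      return EvalAddr(U->getSubExpr(), refVars, ParentDecl);

    return NULL;
  }

  case Stmt::ArraySubscriptExprClass: {
    // Array subscripts are potential references to data on the stack.  We
    // retrieve the DeclRefExpr* for the array variable if it indeed
    // has local storage.
    return EvalAddr(cast<ArraySubscriptExpr>(E)->getBase(), refVars,ParentDecl);
  }

  case Stmt::ConditionalOperatorClass: {
    // For conditional operators we need to see if either the LHS or RHS are
    // non-NULL Expr's.  If one is non-NULL, we return it.
    ConditionalOperator *C = cast<ConditionalOperator>(E);

    // Handle the GNU extension for missing LHS.
    if (Expr *LHSExpr = C->getLHS()) {
      // In C++, we can have a throw-expression, which has 'void' type.
      if (!LHSExpr->getType()->isVoidType())
        if (Expr *LHS = EvalVal(LHSExpr, refVars, ParentDecl))
          return LHS;
    }

    // In C++, we can have a throw-expression, which has 'void' type.
    if (C->getRHS()->getType()->isVoidType())
      return 0;

    return EvalVal(C->getRHS(), refVars, ParentDecl);
  }

  // Accesses to members are potential references to data on the stack.
  case Stmt::MemberExprClass: {
    MemberExpr *M = cast<MemberExpr>(E);

    // Check for indirect access.  We only want direct field accesses.
    if (M->isArrow())
      return NULL;

    // Check whether the member type is itself a reference, in which case
    // we're not going to refer to the member, but to what the member refers to.
    if (M->getMemberDecl()->getType()->isReferenceType())
      return NULL;

    return EvalVal(M->getBase(), refVars, ParentDecl);
  }

  case Stmt::MaterializeTemporaryExprClass:
    if (Expr *Result = EvalVal(
                          cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(),
                               refVars, ParentDecl))
      return Result;

    // Nothing more specific inside: the temporary itself is the finding.
    return E;

  default:
    // Check that we don't return or take the address of a reference to a
    // temporary. This is only useful in C++.
    if (!E->isTypeDependent() && E->isRValue())
      return E;

    // Everything else: we simply don't reason about them.
    return NULL;
  }
} while (true);
}

/// Run the checks that apply to the operand of a return statement.
///
/// In order: the stack-address check above, a null-return check for callees
/// carrying ReturnsNonNullAttr, and a null-return check for 'operator new' /
/// 'operator new[]' declared without a non-throwing exception specification.
///
/// \param RetValExp     the returned expression.
/// \param lhsType       the type the value is returned as.
/// \param ReturnLoc     location the null-return diagnostics are reported at.
/// \param isObjCMethod  selects the wording of warn_null_ret.
/// \param Attrs         attributes of the enclosing callee; may be null.
/// \param FD            the enclosing function, or null.
void
Sema::CheckReturnValExpr(Expr *RetValExp, QualType lhsType,
                         SourceLocation ReturnLoc,
                         bool isObjCMethod,
                         const AttrVec *Attrs,
                         const FunctionDecl *FD) {
  CheckReturnStackAddr(*this, RetValExp, lhsType, ReturnLoc);

  // Check if the return value is null but should not be.
  if (Attrs && hasSpecificAttr<ReturnsNonNullAttr>(*Attrs) &&
      CheckNonNullExpr(*this, RetValExp))
    Diag(ReturnLoc, diag::warn_null_ret)
      << (isObjCMethod ? 1 : 0) << RetValExp->getSourceRange();

  // C++11 [basic.stc.dynamic.allocation]p4:
  //   If an allocation function declared with a non-throwing
  //   exception-specification fails to allocate storage, it shall return
  //   a null pointer. Any other allocation function that fails to allocate
  //   storage shall indicate failure only by throwing an exception [...]
  if (FD) {
    OverloadedOperatorKind Op = FD->getOverloadedOperator();
    if (Op == OO_New || Op == OO_Array_New) {
      const FunctionProtoType *Proto
        = FD->getType()->castAs<FunctionProtoType>();
      if (!Proto->isNothrow(Context, /*ResultIfDependent*/true) &&
          CheckNonNullExpr(*this, RetValExp))
        Diag(ReturnLoc, diag::warn_operator_new_returns_null)
          << FD << getLangOpts().CPlusPlus11;
    }
  }
}

//===--- CHECK: Floating-Point comparisons (-Wfloat-equal) ---------------===//

/// Check for comparisons of floating point operands using != and ==.
/// Issue a warning if these are no self-comparisons, as they are not likely
/// to do what the programmer intended.
///
/// No warning is issued when both operands name the same declaration, when an
/// operand is an exactly representable floating literal, or when an operand is
/// a call to a builtin.
void Sema::CheckFloatComparison(SourceLocation Loc, Expr* LHS, Expr *RHS) {
  Expr* LeftExprSansParen = LHS->IgnoreParenImpCasts();
  Expr* RightExprSansParen = RHS->IgnoreParenImpCasts();

  // Special case: check for x == x (which is OK).
  // Do not emit warnings for such cases.
  if (DeclRefExpr* DRL = dyn_cast<DeclRefExpr>(LeftExprSansParen))
    if (DeclRefExpr* DRR = dyn_cast<DeclRefExpr>(RightExprSansParen))
      if (DRL->getDecl() == DRR->getDecl())
        return;


  // Special case: check for comparisons against literals that can be exactly
  //  represented by APFloat.  In such cases, do not emit a warning.  This
  //  is a heuristic: often comparison against such literals are used to
  //  detect if a value in a variable has not changed.  This clearly can
  //  lead to false negatives.
  // The right operand is examined only when the left one is not a floating
  // literal at all.
  if (FloatingLiteral* FLL = dyn_cast<FloatingLiteral>(LeftExprSansParen)) {
    if (FLL->isExact())
      return;
  } else
    if (FloatingLiteral* FLR = dyn_cast<FloatingLiteral>(RightExprSansParen))
      if (FLR->isExact())
        return;

  // Check for comparisons with builtin types.
  if (CallExpr* CL = dyn_cast<CallExpr>(LeftExprSansParen))
    if (CL->getBuiltinCallee())
      return;

  if (CallExpr* CR = dyn_cast<CallExpr>(RightExprSansParen))
    if (CR->getBuiltinCallee())
      return;

  // Emit the diagnostic.
  Diag(Loc, diag::warn_floatingpoint_eq)
    << LHS->getSourceRange() << RHS->getSourceRange();
}

//===--- CHECK: Integer mixed-sign comparisons (-Wsign-compare) --------===//
//===--- CHECK: Lossy implicit conversions (-Wconversion) --------------===//

namespace {

/// Structure recording the 'active' range of an integer-valued
/// expression.
struct IntRange {
  /// The number of bits active in the int.
  unsigned Width;

  /// True if the int is known not to have negative values.
  bool NonNegative;

  IntRange(unsigned Width, bool NonNegative)
    : Width(Width), NonNegative(NonNegative)
  {}

  /// Returns the range of the bool type.
  static IntRange forBoolType() {
    return IntRange(1, true);
  }

  /// Returns the range of an opaque value of the given integral type.
  static IntRange forValueOfType(ASTContext &C, QualType T) {
    return forValueOfCanonicalType(C,
                          T->getCanonicalTypeInternal().getTypePtr());
  }

  /// Returns the range of an opaque value of a canonical integral type.
  ///
  /// Vector and complex types are measured by their element type.
  static IntRange forValueOfCanonicalType(ASTContext &C, const Type *T) {
    assert(T->isCanonicalUnqualified());

    if (const VectorType *VT = dyn_cast<VectorType>(T))
      T = VT->getElementType().getTypePtr();
    if (const ComplexType *CT = dyn_cast<ComplexType>(T))
      T = CT->getElementType().getTypePtr();

    // For enum types, use the known bit width of the enumerators.
    if (const EnumType *ET = dyn_cast<EnumType>(T)) {
      EnumDecl *Enum = ET->getDecl();
      // No enumerators to measure yet: fall back to the type's full width.
      if (!Enum->isCompleteDefinition())
        return IntRange(C.getIntWidth(QualType(T, 0)), false);

      unsigned NumPositive = Enum->getNumPositiveBits();
      unsigned NumNegative = Enum->getNumNegativeBits();

      if (NumNegative == 0)
        return IntRange(NumPositive, true/*NonNegative*/);
      else
        return IntRange(std::max(NumPositive + 1, NumNegative),
                        false/*NonNegative*/);
    }

    const BuiltinType *BT = cast<BuiltinType>(T);
    assert(BT->isInteger());

    return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger());
  }

  /// Returns the "target" range of a canonical integral type, i.e.
  /// the range of values expressible in the type.
  ///
  /// This matches forValueOfCanonicalType except that enums have the
  /// full range of their type, not the range of their enumerators.
  static IntRange forTargetOfCanonicalType(ASTContext &C, const Type *T) {
    assert(T->isCanonicalUnqualified());

    if (const VectorType *VT = dyn_cast<VectorType>(T))
      T = VT->getElementType().getTypePtr();
    if (const ComplexType *CT = dyn_cast<ComplexType>(T))
      T = CT->getElementType().getTypePtr();
    if (const EnumType *ET = dyn_cast<EnumType>(T))
      T = C.getCanonicalType(ET->getDecl()->getIntegerType()).getTypePtr();

    const BuiltinType *BT = cast<BuiltinType>(T);
    assert(BT->isInteger());

    return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger());
  }

  /// Returns the supremum of two ranges: i.e. their conservative merge.
  static IntRange join(IntRange L, IntRange R) {
    return IntRange(std::max(L.Width, R.Width),
                    L.NonNegative && R.NonNegative);
  }

  /// Returns the infimum of two ranges: i.e. their aggressive merge.
  static IntRange meet(IntRange L, IntRange R) {
    return IntRange(std::min(L.Width, R.Width),
                    L.NonNegative || R.NonNegative);
  }
};

/// Returns the range occupied by a known integer value.
///
/// \p value is truncated in place to \p MaxWidth bits when it is wider and
/// not a negative signed value.
static IntRange GetValueRange(ASTContext &C, llvm::APSInt &value,
                              unsigned MaxWidth) {
  if (value.isSigned() && value.isNegative())
    return IntRange(value.getMinSignedBits(), false);

  if (value.getBitWidth() > MaxWidth)
    value = value.trunc(MaxWidth);

  // isNonNegative() just checks the sign bit without considering
  // signedness.
  return IntRange(value.getActiveBits(), true);
}

/// Returns the range occupied by an evaluated constant of type \p Ty.
///
/// Vectors and complex integers yield the join of their components' ranges.
static IntRange GetValueRange(ASTContext &C, APValue &result, QualType Ty,
                              unsigned MaxWidth) {
  if (result.isInt())
    return GetValueRange(C, result.getInt(), MaxWidth);

  if (result.isVector()) {
    IntRange R = GetValueRange(C, result.getVectorElt(0), Ty, MaxWidth);
    for (unsigned i = 1, e = result.getVectorLength(); i != e; ++i) {
      IntRange El = GetValueRange(C, result.getVectorElt(i), Ty, MaxWidth);
      R = IntRange::join(R, El);
    }
    return R;
  }

  if (result.isComplexInt()) {
    IntRange R = GetValueRange(C, result.getComplexIntReal(), MaxWidth);
    IntRange I = GetValueRange(C, result.getComplexIntImag(), MaxWidth);
    return IntRange::join(R, I);
  }

  // This can happen with lossless casts to intptr_t of "based" lvalues.
  // Assume it might use arbitrary bits.
  // FIXME: The only reason we need to pass the type in here is to get
  // the sign right on this one case.  It would be nice if APValue
  // preserved this.
  assert(result.isLValue() || result.isAddrLabelDiff());
  return IntRange(MaxWidth, Ty->isUnsignedIntegerOrEnumerationType());
}

/// Returns the type of \p E, looking through an atomic type to its value
/// type.
static QualType GetExprType(Expr *E) {
  QualType Ty = E->getType();
  if (const AtomicType *AtomicRHS = Ty->getAs<AtomicType>())
    Ty = AtomicRHS->getValueType();
  return Ty;
}

/// Pseudo-evaluate the given integer expression, estimating the
/// range of values it might take.
///
/// \param MaxWidth - the width to which the value will be truncated
static IntRange GetExprRange(ASTContext &C, Expr *E, unsigned MaxWidth) {
  E = E->IgnoreParens();

  // Try a full evaluation first.
  Expr::EvalResult result;
  if (E->EvaluateAsRValue(result, C))
    return GetValueRange(C, result.Val, GetExprType(E), MaxWidth);

  // I think we only want to look through implicit casts here; if the
  // user has an explicit widening cast, we should treat the value as
  // being of the new, wider type.
  if (ImplicitCastExpr *CE = dyn_cast<ImplicitCastExpr>(E)) {
    if (CE->getCastKind() == CK_NoOp || CE->getCastKind() == CK_LValueToRValue)
      return GetExprRange(C, CE->getSubExpr(), MaxWidth);

    IntRange OutputTypeRange = IntRange::forValueOfType(C, GetExprType(CE));

    bool isIntegerCast = (CE->getCastKind() == CK_IntegralCast);

    // Assume that non-integer casts can span the full range of the type.
    if (!isIntegerCast)
      return OutputTypeRange;

    IntRange SubRange
      = GetExprRange(C, CE->getSubExpr(),
                     std::min(MaxWidth, OutputTypeRange.Width));

    // Bail out if the subexpr's range is as wide as the cast type.
    if (SubRange.Width >= OutputTypeRange.Width)
      return OutputTypeRange;

    // Otherwise, we take the smaller width, and we're non-negative if
    // either the output type or the subexpr is.
    return IntRange(SubRange.Width,
                    SubRange.NonNegative || OutputTypeRange.NonNegative);
  }

  if (ConditionalOperator *CO = dyn_cast<ConditionalOperator>(E)) {
    // If we can fold the condition, just take that operand.
    bool CondResult;
    if (CO->getCond()->EvaluateAsBooleanCondition(CondResult, C))
      return GetExprRange(C, CondResult ? CO->getTrueExpr()
                                        : CO->getFalseExpr(),
                          MaxWidth);

    // Otherwise, conservatively merge.
    IntRange L = GetExprRange(C, CO->getTrueExpr(), MaxWidth);
    IntRange R = GetExprRange(C, CO->getFalseExpr(), MaxWidth);
    return IntRange::join(L, R);
  }

  if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) {
    switch (BO->getOpcode()) {

    // Boolean-valued operations are single-bit and positive.
    case BO_LAnd:
    case BO_LOr:
    case BO_LT:
    case BO_GT:
    case BO_LE:
    case BO_GE:
    case BO_EQ:
    case BO_NE:
      return IntRange::forBoolType();

    // The type of the assignments is the type of the LHS, so the RHS
    // is not necessarily the same type.
    case BO_MulAssign:
    case BO_DivAssign:
    case BO_RemAssign:
    case BO_AddAssign:
    case BO_SubAssign:
    case BO_XorAssign:
    case BO_OrAssign:
      // TODO: bitfields?
      return IntRange::forValueOfType(C, GetExprType(E));

    // Simple assignments just pass through the RHS, which will have
    // been coerced to the LHS type.
    case BO_Assign:
      // TODO: bitfields?
      return GetExprRange(C, BO->getRHS(), MaxWidth);

    // Operations with opaque sources are black-listed.
    case BO_PtrMemD:
    case BO_PtrMemI:
      return IntRange::forValueOfType(C, GetExprType(E));

    // Bitwise-and uses the *infimum* of the two source ranges.
    case BO_And:
    case BO_AndAssign:
      return IntRange::meet(GetExprRange(C, BO->getLHS(), MaxWidth),
                            GetExprRange(C, BO->getRHS(), MaxWidth));

    // Left shift gets black-listed based on a judgement call.
    case BO_Shl:
      // ...except that we want to treat '1 << (blah)' as logically
      // positive.  It's an important idiom.
      if (IntegerLiteral *I
            = dyn_cast<IntegerLiteral>(BO->getLHS()->IgnoreParenCasts())) {
        if (I->getValue() == 1) {
          IntRange R = IntRange::forValueOfType(C, GetExprType(E));
          return IntRange(R.Width, /*NonNegative*/ true);
        }
      }
      // fallthrough

    case BO_ShlAssign:
      return IntRange::forValueOfType(C, GetExprType(E));

    // Right shift by a constant can narrow its left argument.
    case BO_Shr:
    case BO_ShrAssign: {
      IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth);

      // If the shift amount is a positive constant, drop the width by
      // that much.
      llvm::APSInt shift;
      if (BO->getRHS()->isIntegerConstantExpr(shift, C) &&
          shift.isNonNegative()) {
        unsigned zext = shift.getZExtValue();
        if (zext >= L.Width)
          L.Width = (L.NonNegative ? 0 : 1);
        else
          L.Width -= zext;
      }

      return L;
    }

    // Comma acts as its right operand.
    case BO_Comma:
      return GetExprRange(C, BO->getRHS(), MaxWidth);

    // Black-list pointer subtractions.
    case BO_Sub:
      if (BO->getLHS()->getType()->isPointerType())
        return IntRange::forValueOfType(C, GetExprType(E));
      break;

    // The width of a division result is mostly determined by the size
    // of the LHS.
    case BO_Div: {
      // Don't 'pre-truncate' the operands.
      unsigned opWidth = C.getIntWidth(GetExprType(E));
      IntRange L = GetExprRange(C, BO->getLHS(), opWidth);

      // If the divisor is constant, use that.
      // NOTE(review): the sign of the divisor is not examined before taking
      // logBase2(); confirm the narrowed width is still conservative for a
      // zero or negative constant divisor.
      llvm::APSInt divisor;
      if (BO->getRHS()->isIntegerConstantExpr(divisor, C)) {
        unsigned log2 = divisor.logBase2(); // floor(log_2(divisor))
        if (log2 >= L.Width)
          L.Width = (L.NonNegative ? 0 : 1);
        else
          L.Width = std::min(L.Width - log2, MaxWidth);
        return L;
      }

      // Otherwise, just use the LHS's width.
      IntRange R = GetExprRange(C, BO->getRHS(), opWidth);
      return IntRange(L.Width, L.NonNegative && R.NonNegative);
    }

    // The result of a remainder can't be larger than the result of
    // either side.
    case BO_Rem: {
      // Don't 'pre-truncate' the operands.
      unsigned opWidth = C.getIntWidth(GetExprType(E));
      IntRange L = GetExprRange(C, BO->getLHS(), opWidth);
      IntRange R = GetExprRange(C, BO->getRHS(), opWidth);

      IntRange meet = IntRange::meet(L, R);
      meet.Width = std::min(meet.Width, MaxWidth);
      return meet;
    }

    // The default behavior is okay for these.
    case BO_Mul:
    case BO_Add:
    case BO_Xor:
    case BO_Or:
      break;
    }

    // The default case is to treat the operation as if it were closed
    // on the narrowest type that encompasses both operands.
    IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth);
    IntRange R = GetExprRange(C, BO->getRHS(), MaxWidth);
    return IntRange::join(L, R);
  }

  if (UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) {
    switch (UO->getOpcode()) {
    // Boolean-valued operations are white-listed.
    case UO_LNot:
      return IntRange::forBoolType();

    // Operations with opaque sources are black-listed.
    case UO_Deref:
    case UO_AddrOf: // should be impossible
      return IntRange::forValueOfType(C, GetExprType(E));

    default:
      return GetExprRange(C, UO->getSubExpr(), MaxWidth);
    }
  }

  if (OpaqueValueExpr *OVE = dyn_cast<OpaqueValueExpr>(E))
    return GetExprRange(C, OVE->getSourceExpr(), MaxWidth);

  // A bit-field is bounded by its declared width rather than by its type.
  if (FieldDecl *BitField = E->getSourceBitField())
    return IntRange(BitField->getBitWidthValue(C),
                    BitField->getType()->isUnsignedIntegerOrEnumerationType());

  return IntRange::forValueOfType(C, GetExprType(E));
}

/// Estimates the range of \p E, truncated to the width of its own type.
static IntRange GetExprRange(ASTContext &C, Expr *E) {
  return GetExprRange(C, E, C.getIntWidth(GetExprType(E)));
}

/// Checks whether the given value, which currently has the given
/// source semantics, has the same value when coerced through the
/// target semantics.
static bool IsSameFloatAfterCast(const llvm::APFloat &value,
                                 const llvm::fltSemantics &Src,
                                 const llvm::fltSemantics &Tgt) {
  llvm::APFloat truncated = value;

  // Convert a copy through both semantics in turn, then compare bit patterns
  // with the untouched input.
  bool ignored;
  truncated.convert(Src, llvm::APFloat::rmNearestTiesToEven, &ignored);
  truncated.convert(Tgt, llvm::APFloat::rmNearestTiesToEven, &ignored);

  return truncated.bitwiseIsEqual(value);
}

/// Checks whether the given value, which currently has the given
/// source semantics, has the same value when coerced through the
/// target semantics.
///
/// The value might be a vector of floats (or a complex number).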
static bool IsSameFloatAfterCast(const APValue &value,
                                 const llvm::fltSemantics &Src,
                                 const llvm::fltSemantics &Tgt) {
  // Scalar: defer to the APFloat overload.
  if (value.isFloat())
    return IsSameFloatAfterCast(value.getFloat(), Src, Tgt);

  // Vector: every element has to survive the conversion unchanged. Elements
  // are APValues themselves, so this recurses into this overload.
  if (value.isVector()) {
    for (unsigned i = 0, e = value.getVectorLength(); i != e; ++i)
      if (!IsSameFloatAfterCast(value.getVectorElt(i), Src, Tgt))
        return false;
    return true;
  }

  // Anything else is expected to be a complex float. Only the assert checks
  // this, so callers must not pass other APValue kinds.
  assert(value.isComplexFloat());
  return (IsSameFloatAfterCast(value.getComplexFloatReal(), Src, Tgt) &&
          IsSameFloatAfterCast(value.getComplexFloatImag(), Src, Tgt));
}

// Forward declaration: the comparison and assignment analyses below recurse
// into the general walker, which is defined near the end of this group.
static void AnalyzeImplicitConversions(Sema &S, Expr *E, SourceLocation CC);

/// Returns true if \p E is an integer constant expression equal to zero that
/// should be treated as a literal '0' by the tautological-comparison checks.
///
/// References to enum constants and expressions whose start location lies in
/// a macro expansion are reported as "not zero" on purpose, so comparisons
/// against them stay quiet.
static bool IsZero(Sema &S, Expr *E) {
  // Suppress cases where we are comparing against an enum constant.
  if (const DeclRefExpr *DR =
      dyn_cast<DeclRefExpr>(E->IgnoreParenImpCasts()))
    if (isa<EnumConstantDecl>(DR->getDecl()))
      return false;

  // Suppress cases where the '0' value is expanded from a macro.
  if (E->getLocStart().isMacroID())
    return false;

  llvm::APSInt Value;
  return E->isIntegerConstantExpr(Value, S.Context) && Value == 0;
}

/// Returns true if \p E has enumeration type once any enclosing implicit
/// casts of kind CK_IntegralCast or CK_NoOp have been stripped.
static bool HasEnumType(Expr *E) {
  // Strip off implicit integral promotions.
  while (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) {
    if (ICE->getCastKind() != CK_IntegralCast &&
        ICE->getCastKind() != CK_NoOp)
      break;
    E = ICE->getSubExpr();
  }

  return E->getType()->isEnumeralType();
}

/// Warns about comparisons against a literal zero whose result is fixed:
/// 'x < 0' and '0 > x' (always false), 'x >= 0' and '0 <= x' (always true).
///
/// This function does not itself check that the non-zero operand is
/// unsigned; AnalyzeComparison only calls it on its unsigned-comparison
/// path. Nothing is reported inside template instantiations or for
/// value-dependent comparisons.
static void CheckTrivialUnsignedComparison(Sema &S, BinaryOperator *E) {
  // Disable warning in template instantiations.
  if (!S.ActiveTemplateInstantiations.empty())
    return;

  BinaryOperatorKind op = E->getOpcode();
  if (E->isValueDependent())
    return;

  // Each diagnostic is streamed the comparison text, the fixed result, and
  // whether the non-constant operand has enum type.
  if (op == BO_LT && IsZero(S, E->getRHS())) {
    S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison)
      << "< 0" << "false" << HasEnumType(E->getLHS())
      << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange();
  } else if (op == BO_GE && IsZero(S, E->getRHS())) {
    S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison)
      << ">= 0" << "true" << HasEnumType(E->getLHS())
      << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange();
  } else if (op == BO_GT && IsZero(S, E->getLHS())) {
    S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison)
      << "0 >" << "false" << HasEnumType(E->getRHS())
      << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange();
  } else if (op == BO_LE && IsZero(S, E->getLHS())) {
    S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison)
      << "0 <=" << "true" << HasEnumType(E->getRHS())
      << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange();
  }
}

/// Warns when an integer constant is compared against an operand whose type
/// (or, for a boolean-valued operand, whose 0/1 value set) cannot represent
/// that constant, so that the comparison has a fixed result.
///
/// \param E           the comparison being checked
/// \param Constant    the operand that is an integer constant expression
/// \param Other       the non-constant operand
/// \param Value       the evaluated value of \p Constant
/// \param RhsConstant true if \p Constant is the right-hand operand
///
/// Nothing is reported inside template instantiations.
static void DiagnoseOutOfRangeComparison(Sema &S, BinaryOperator *E,
                                         Expr *Constant, Expr *Other,
                                         llvm::APSInt Value,
                                         bool RhsConstant) {
  // Disable warning in template instantiations.
  if (!S.ActiveTemplateInstantiations.empty())
    return;

  // TODO: Investigate using GetExprRange() to get tighter bounds
  // on the bit ranges.
  QualType OtherT = Other->getType();
  IntRange OtherRange = IntRange::forValueOfType(S.Context, OtherT);
  unsigned OtherWidth = OtherRange.Width;

  bool OtherIsBooleanType = Other->isKnownToHaveBooleanValue();

  // 0 values are handled later by CheckTrivialUnsignedComparison().
  if ((Value == 0) && (!OtherIsBooleanType))
    return;

  BinaryOperatorKind op = E->getOpcode();
  bool IsTrue = true;

  // Used for diagnostic printout.
  enum {
    LiteralConstant = 0,
    CXXBoolLiteralTrue,
    CXXBoolLiteralFalse
  } LiteralOrBoolConstant = LiteralConstant;

  if (!OtherIsBooleanType) {
    QualType ConstantT = Constant->getType();
    // Both operands share the comparison type, so the LHS type is used as
    // the common type.
    QualType CommonT = E->getLHS()->getType();

    if (S.Context.hasSameUnqualifiedType(OtherT, ConstantT))
      return;
    assert((OtherT->isIntegerType() && ConstantT->isIntegerType()) &&
           "comparison with non-integer type");

    bool ConstantSigned = ConstantT->isSignedIntegerType();
    bool CommonSigned = CommonT->isSignedIntegerType();

    bool EqualityOnly = false;

    // Every early return below means "the constant fits in OtherT", i.e.
    // the comparison is not tautological and there is nothing to report.
    if (CommonSigned) {
      // The common type is signed, therefore no signed to unsigned conversion.
      if (!OtherRange.NonNegative) {
        // Check that the constant is representable in type OtherT.
        if (ConstantSigned) {
          if (OtherWidth >= Value.getMinSignedBits())
            return;
        } else { // !ConstantSigned
          // One extra bit is needed for the sign of the signed OtherT.
          if (OtherWidth >= Value.getActiveBits() + 1)
            return;
        }
      } else { // !OtherSigned
        // Check that the constant is representable in type OtherT.
        // Negative values are out of range.
        if (ConstantSigned) {
          if (Value.isNonNegative() && OtherWidth >= Value.getActiveBits())
            return;
        } else { // !ConstantSigned
          if (OtherWidth >= Value.getActiveBits())
            return;
        }
      }
    } else { // !CommonSigned
      if (OtherRange.NonNegative) {
        if (OtherWidth >= Value.getActiveBits())
          return;
      } else if (!OtherRange.NonNegative && !ConstantSigned) {
        // Check to see if the constant is representable in OtherT.
        if (OtherWidth > Value.getActiveBits())
          return;
        // Check to see if the constant is equivalent to a negative value
        // cast to CommonT.
        if (S.Context.getIntWidth(ConstantT) ==
                S.Context.getIntWidth(CommonT) &&
            Value.isNegative() && Value.getMinSignedBits() <= OtherWidth)
          return;
        // The constant value rests between values that OtherT can represent
        // after conversion. Relational comparison still works, but equality
        // comparisons will be tautological.
        EqualityOnly = true;
      } else { // OtherSigned && ConstantSigned
        assert(0 && "Two signed types converted to unsigned types.");
      }
    }

    bool PositiveConstant = !ConstantSigned || Value.isNonNegative();

    // Work out the fixed result of the comparison for the diagnostic.
    if (op == BO_EQ || op == BO_NE) {
      IsTrue = op == BO_NE;
    } else if (EqualityOnly) {
      return;
    } else if (RhsConstant) {
      if (op == BO_GT || op == BO_GE)
        IsTrue = !PositiveConstant;
      else // op == BO_LT || op == BO_LE
        IsTrue = PositiveConstant;
    } else {
      if (op == BO_LT || op == BO_LE)
        IsTrue = !PositiveConstant;
      else // op == BO_GT || op == BO_GE
        IsTrue = PositiveConstant;
    }
  } else {
    // Other isKnownToHaveBooleanValue
    enum CompareBoolWithConstantResult { AFals, ATrue, Unkwn };
    enum ConstantValue { LT_Zero, Zero, One, GT_One, SizeOfConstVal };
    enum ConstantSide { Lhs, Rhs, SizeOfConstSides };

    // One table per comparison operator, indexed first by the side the
    // constant is on and then by the class of the constant's value. AFals /
    // ATrue mark comparisons with a fixed result; Unkwn means the result
    // depends on the boolean operand.
    static const struct LinkedConditions {
      CompareBoolWithConstantResult BO_LT_OP[SizeOfConstSides][SizeOfConstVal];
      CompareBoolWithConstantResult BO_GT_OP[SizeOfConstSides][SizeOfConstVal];
      CompareBoolWithConstantResult BO_LE_OP[SizeOfConstSides][SizeOfConstVal];
      CompareBoolWithConstantResult BO_GE_OP[SizeOfConstSides][SizeOfConstVal];
      CompareBoolWithConstantResult BO_EQ_OP[SizeOfConstSides][SizeOfConstVal];
      CompareBoolWithConstantResult BO_NE_OP[SizeOfConstSides][SizeOfConstVal];

    } TruthTable = {
        //  Constant on LHS.              | Constant on RHS.               |
        //  LT_Zero| Zero | One  |GT_One  | LT_Zero| Zero | One  |GT_One   |
        { { ATrue, Unkwn, AFals, AFals }, { AFals, AFals, Unkwn, ATrue } },
        { { AFals, AFals, Unkwn, ATrue }, { ATrue, Unkwn, AFals, AFals } },
        { { ATrue, ATrue, Unkwn, AFals }, { AFals, Unkwn, ATrue, ATrue } },
        { { AFals, Unkwn, ATrue, ATrue }, { ATrue, ATrue, Unkwn, AFals } },
        { { AFals, Unkwn, Unkwn, AFals }, { AFals, Unkwn, Unkwn, AFals } },
        { { ATrue, Unkwn, Unkwn, ATrue }, { ATrue, Unkwn, Unkwn, ATrue } }
      };

    bool ConstantIsBoolLiteral = isa<CXXBoolLiteralExpr>(Constant);

    // Classify the constant as < 0, 0, 1 or > 1, and remember whether it was
    // spelled as a C++ 'true'/'false' literal for the diagnostic text.
    enum ConstantValue ConstVal = Zero;
    if (Value.isUnsigned() || Value.isNonNegative()) {
      if (Value == 0) {
        LiteralOrBoolConstant =
            ConstantIsBoolLiteral ? CXXBoolLiteralFalse : LiteralConstant;
        ConstVal = Zero;
      } else if (Value == 1) {
        LiteralOrBoolConstant =
            ConstantIsBoolLiteral ? CXXBoolLiteralTrue : LiteralConstant;
        ConstVal = One;
      } else {
        LiteralOrBoolConstant = LiteralConstant;
        ConstVal = GT_One;
      }
    } else {
      ConstVal = LT_Zero;
    }

    CompareBoolWithConstantResult CmpRes;

    // RhsConstant (a bool) selects the side dimension: false picks the Lhs
    // row, true picks the Rhs row.
    switch (op) {
    case BO_LT:
      CmpRes = TruthTable.BO_LT_OP[RhsConstant][ConstVal];
      break;
    case BO_GT:
      CmpRes = TruthTable.BO_GT_OP[RhsConstant][ConstVal];
      break;
    case BO_LE:
      CmpRes = TruthTable.BO_LE_OP[RhsConstant][ConstVal];
      break;
    case BO_GE:
      CmpRes = TruthTable.BO_GE_OP[RhsConstant][ConstVal];
      break;
    case BO_EQ:
      CmpRes = TruthTable.BO_EQ_OP[RhsConstant][ConstVal];
      break;
    case BO_NE:
      CmpRes = TruthTable.BO_NE_OP[RhsConstant][ConstVal];
      break;
    default:
      CmpRes = Unkwn;
      break;
    }

    if (CmpRes == AFals) {
      IsTrue = false;
    } else if (CmpRes == ATrue) {
      IsTrue = true;
    } else {
      // Result depends on the boolean operand: nothing to report.
      return;
    }
  }

  // If this is a comparison to an enum constant, include that
  // constant in the diagnostic.
  const EnumConstantDecl *ED = 0;
  if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Constant))
    ED = dyn_cast<EnumConstantDecl>(DR->getDecl());

  SmallString<64> PrettySourceValue;
  llvm::raw_svector_ostream OS(PrettySourceValue);
  if (ED)
    OS << '\'' << *ED << "' (" << Value << ")";
  else
    OS << Value;

  S.DiagRuntimeBehavior(
    E->getOperatorLoc(), E,
    S.PDiag(diag::warn_out_of_range_compare)
        << OS.str() << LiteralOrBoolConstant
        << OtherT << (OtherIsBooleanType && !OtherT->isBooleanType()) << IsTrue
        << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange());
}

/// Analyze the operands of the given comparison. Implements the
/// fallback case from AnalyzeComparison.
static void AnalyzeImpConvsInComparison(Sema &S, BinaryOperator *E) {
  AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc());
  AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc());
}

/// \brief Implements -Wsign-compare.
///
/// Also dispatches to the out-of-range-constant and trivial-unsigned
/// comparison checks above. Whenever the sign-compare analysis does not
/// apply, the operands are still analyzed for implicit conversions.
///
/// \param E the binary operator to check for warnings
static void AnalyzeComparison(Sema &S, BinaryOperator *E) {
  // The type the comparison is being performed in.
  QualType T = E->getLHS()->getType();
  assert(S.Context.hasSameUnqualifiedType(T, E->getRHS()->getType())
         && "comparison with mismatched types");
  if (E->isValueDependent())
    return AnalyzeImpConvsInComparison(S, E);

  Expr *LHS = E->getLHS()->IgnoreParenImpCasts();
  Expr *RHS = E->getRHS()->IgnoreParenImpCasts();

  bool IsComparisonConstant = false;

  // Check whether an integer constant comparison results in a value
  // of 'true' or 'false'.
  if (T->isIntegralType(S.Context)) {
    llvm::APSInt RHSValue;
    bool IsRHSIntegralLiteral =
      RHS->isIntegerConstantExpr(RHSValue, S.Context);
    llvm::APSInt LHSValue;
    bool IsLHSIntegralLiteral =
      LHS->isIntegerConstantExpr(LHSValue, S.Context);
    // Exactly one constant operand: check it against the other operand's
    // range. Two constants: the whole comparison is constant.
    if (IsRHSIntegralLiteral && !IsLHSIntegralLiteral)
      DiagnoseOutOfRangeComparison(S, E, RHS, LHS, RHSValue, true);
    else if (!IsRHSIntegralLiteral && IsLHSIntegralLiteral)
      DiagnoseOutOfRangeComparison(S, E, LHS, RHS, LHSValue, false);
    else
      IsComparisonConstant =
        (IsRHSIntegralLiteral && IsLHSIntegralLiteral);
  } else if (!T->hasUnsignedIntegerRepresentation())
    IsComparisonConstant = E->isIntegerConstantExpr(S.Context);

  // We don't do anything special if this isn't an unsigned integral
  // comparison: we're only interested in integral comparisons, and
  // signed comparisons only happen in cases we don't care to warn about.
  //
  // We also don't care about value-dependent expressions or expressions
  // whose result is a constant.
  if (!T->hasUnsignedIntegerRepresentation() || IsComparisonConstant)
    return AnalyzeImpConvsInComparison(S, E);

  // Check to see if one of the (unmodified) operands is of different
  // signedness.
  Expr *signedOperand, *unsignedOperand;
  if (LHS->getType()->hasSignedIntegerRepresentation()) {
    assert(!RHS->getType()->hasSignedIntegerRepresentation() &&
           "unsigned comparison between two signed integer expressions?");
    signedOperand = LHS;
    unsignedOperand = RHS;
  } else if (RHS->getType()->hasSignedIntegerRepresentation()) {
    signedOperand = RHS;
    unsignedOperand = LHS;
  } else {
    // Both operands are unsigned: only the 'compare with 0' check applies.
    CheckTrivialUnsignedComparison(S, E);
    return AnalyzeImpConvsInComparison(S, E);
  }

  // Otherwise, calculate the effective range of the signed operand.
  IntRange signedRange = GetExprRange(S.Context, signedOperand);

  // Go ahead and analyze implicit conversions in the operands. Note
  // that we skip the implicit conversions on both sides.
  AnalyzeImplicitConversions(S, LHS, E->getOperatorLoc());
  AnalyzeImplicitConversions(S, RHS, E->getOperatorLoc());

  // If the signed range is non-negative, -Wsign-compare won't fire,
  // but we should still check for comparisons which are always true
  // or false.
  if (signedRange.NonNegative)
    return CheckTrivialUnsignedComparison(S, E);

  // For (in)equality comparisons, if the unsigned operand is a
  // constant which cannot collide with an overflowed signed operand,
  // then reinterpreting the signed operand as unsigned will not
  // change the result of the comparison.
  if (E->isEqualityOp()) {
    unsigned comparisonWidth = S.Context.getIntWidth(T);
    IntRange unsignedRange = GetExprRange(S.Context, unsignedOperand);

    // We should never be unable to prove that the unsigned operand is
    // non-negative.
    assert(unsignedRange.NonNegative && "unsigned range includes negative?");

    if (unsignedRange.Width < comparisonWidth)
      return;
  }

  S.DiagRuntimeBehavior(E->getOperatorLoc(), E,
    S.PDiag(diag::warn_mixed_sign_comparison)
      << LHS->getType() << RHS->getType()
      << LHS->getSourceRange() << RHS->getSourceRange());
}

/// Analyzes an attempt to assign the given value to a bitfield.
///
/// Only initializers that evaluate to an integer constant are checked; a
/// non-constant value that may be truncated by the store is not reported
/// here.
///
/// \param Bitfield the bit-field being written (must satisfy isBitField())
/// \param Init     the value being stored
/// \param InitLoc  where to report the diagnostic
///
/// Returns true if there was something fishy about the attempt, i.e. the
/// constant changes value when stored and a warning was emitted.
static bool AnalyzeBitFieldAssignment(Sema &S, FieldDecl *Bitfield, Expr *Init,
                                      SourceLocation InitLoc) {
  assert(Bitfield->isBitField());
  if (Bitfield->isInvalidDecl())
    return false;

  // White-list bool bitfields.
  if (Bitfield->getType()->isBooleanType())
    return false;

  // Ignore value- or type-dependent expressions.
  if (Bitfield->getBitWidth()->isValueDependent() ||
      Bitfield->getBitWidth()->isTypeDependent() ||
      Init->isValueDependent() ||
      Init->isTypeDependent())
    return false;

  Expr *OriginalInit = Init->IgnoreParenImpCasts();

  llvm::APSInt Value;
  if (!OriginalInit->EvaluateAsInt(Value, S.Context, Expr::SE_AllowSideEffects))
    return false;

  unsigned OriginalWidth = Value.getBitWidth();
  unsigned FieldWidth = Bitfield->getBitWidthValue(S.Context);

  // A field at least as wide as the value cannot truncate it.
  if (OriginalWidth <= FieldWidth)
    return false;

  // Compute the value which the bitfield will contain.
  llvm::APSInt TruncatedValue = Value.trunc(FieldWidth);
  TruncatedValue.setIsSigned(Bitfield->getType()->isSignedIntegerType());

  // Check whether the stored value is equal to the original value.
  TruncatedValue = TruncatedValue.extend(OriginalWidth);
  if (llvm::APSInt::isSameValue(Value, TruncatedValue))
    return false;

  // Special-case bitfields of width 1: booleans are naturally 0/1, and
  // therefore don't strictly fit into a signed bitfield of width 1.
  if (FieldWidth == 1 && Value == 1)
    return false;

  std::string PrettyValue = Value.toString(10);
  std::string PrettyTrunc = TruncatedValue.toString(10);

  S.Diag(InitLoc, diag::warn_impcast_bitfield_precision_constant)
    << PrettyValue << PrettyTrunc << OriginalInit->getType()
    << Init->getSourceRange();

  return true;
}

/// Analyze the given simple or compound assignment for warning-worthy
/// operations.
static void AnalyzeAssignment(Sema &S, BinaryOperator *E) {
  // Just recurse on the LHS.
  AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc());

  // We want to recurse on the RHS as normal unless we're assigning to
  // a bitfield.
  if (FieldDecl *Bitfield = E->getLHS()->getSourceBitField()) {
    if (AnalyzeBitFieldAssignment(S, Bitfield, E->getRHS(),
                                  E->getOperatorLoc())) {
      // Recurse, ignoring any implicit conversions on the RHS. The bit-field
      // warning was already issued, so the top-level conversion is skipped.
      return AnalyzeImplicitConversions(S, E->getRHS()->IgnoreParenImpCasts(),
                                        E->getOperatorLoc());
    }
  }

  AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc());
}

/// Diagnose an implicit cast; purely a helper for CheckImplicitConversion.
///
/// \param E                the expression being converted
/// \param SourceType       the type reported as the conversion source
/// \param T                the type reported as the conversion target
/// \param CContext         location of the conversion context, added to the
///                         diagnostic as a source range
/// \param diag             the diagnostic ID to emit
/// \param pruneControlFlow if true, emit through DiagRuntimeBehavior instead
///                         of Diag
static void DiagnoseImpCast(Sema &S, Expr *E, QualType SourceType, QualType T,
                            SourceLocation CContext, unsigned diag,
                            bool pruneControlFlow = false) {
  if (pruneControlFlow) {
    S.DiagRuntimeBehavior(E->getExprLoc(), E,
                          S.PDiag(diag)
                            << SourceType << T << E->getSourceRange()
                            << SourceRange(CContext));
    return;
  }
  S.Diag(E->getExprLoc(), diag)
    << SourceType << T << E->getSourceRange() << SourceRange(CContext);
}

/// Diagnose an implicit cast; purely a helper for CheckImplicitConversion.
///
/// Convenience overload that reports the type of \p E as the source type.
static void DiagnoseImpCast(Sema &S, Expr *E, QualType T,
                            SourceLocation CContext, unsigned diag,
                            bool pruneControlFlow = false) {
  DiagnoseImpCast(S, E, E->getType(), T, CContext, diag, pruneControlFlow);
}

/// Diagnose an implicit cast from a literal expression. Does not warn when the
/// cast wouldn't lose information.
///
/// \param FL       the floating literal being converted
/// \param T        the integer (or bool) type it is converted to
/// \param CContext location of the conversion context
void DiagnoseFloatingLiteralImpCast(Sema &S, FloatingLiteral *FL, QualType T,
                                    SourceLocation CContext) {
  // Try to convert the literal exactly to an integer. If we can, don't warn.
  bool isExact = false;
  const llvm::APFloat &Value = FL->getValue();
  llvm::APSInt IntegerValue(S.Context.getIntWidth(T),
                            T->hasUnsignedIntegerRepresentation());
  if (Value.convertToInteger(IntegerValue,
                             llvm::APFloat::rmTowardZero, &isExact)
      == llvm::APFloat::opOK && isExact)
    return;

  // FIXME: Force the precision of the source value down so we don't print
  // digits which are usually useless (we don't really care here if we
  // truncate a digit by accident in edge cases). Ideally, APFloat::toString
  // would automatically print the shortest representation, but it's a bit
  // tricky to implement.
  SmallString<16> PrettySourceValue;
  unsigned precision = llvm::APFloat::semanticsPrecision(Value.getSemantics());
  // Scale the precision by 59/196 (roughly log10(2)), rounding up; presumably
  // this turns a bit count into a decimal digit count.
  precision = (precision * 59 + 195) / 196;
  Value.toString(PrettySourceValue, precision);

  // Show the value the target will actually hold; for bool that is printed
  // as 'false'/'true' rather than 0/1.
  SmallString<16> PrettyTargetValue;
  if (T->isSpecificBuiltinType(BuiltinType::Bool))
    PrettyTargetValue = IntegerValue == 0 ? "false" : "true";
  else
    IntegerValue.toString(PrettyTargetValue);

  S.Diag(FL->getExprLoc(), diag::warn_impcast_literal_float_to_integer)
    << FL->getType() << T.getUnqualifiedType() << PrettySourceValue
    << PrettyTargetValue << FL->getSourceRange() << SourceRange(CContext);
}

/// Formats \p Value in decimal as it would read after being truncated to
/// \p Range: Range.Width bits, signed unless Range.NonNegative is set.
/// A zero-width range always prints as "0".
std::string PrettyPrintInRange(const llvm::APSInt &Value, IntRange Range) {
  if (!Range.Width) return "0";

  llvm::APSInt ValueInRange = Value;
  ValueInRange.setIsSigned(!Range.NonNegative);
  ValueInRange = ValueInRange.trunc(Range.Width);
  return ValueInRange.toString(10);
}

/// Returns true if \p Ex is an implicit cast between bool and a builtin
/// floating-point type, comparing the canonical type of \p Ex with that of
/// its operand once parentheses and implicit casts are stripped.
///
/// \param ToBool if true, look for floating-point -> bool; otherwise for
///               bool -> floating-point
static bool IsImplicitBoolFloatConversion(Sema &S, Expr *Ex, bool ToBool) {
  if (!isa<ImplicitCastExpr>(Ex))
    return false;

  Expr *InnerE = Ex->IgnoreParenImpCasts();
  const Type *Target = S.Context.getCanonicalType(Ex->getType()).getTypePtr();
  const Type *Source =
    S.Context.getCanonicalType(InnerE->getType()).getTypePtr();
  if (Target->isDependentType())
    return false;

  // Which end of the cast must be floating point and which must be bool
  // depends on the direction being asked about.
  const BuiltinType *FloatCandidateBT =
    dyn_cast<BuiltinType>(ToBool ? Source : Target);
  const Type *BoolCandidateType = ToBool ? Target : Source;

  return (BoolCandidateType->isSpecificBuiltinType(BuiltinType::Bool) &&
          FloatCandidateBT && (FloatCandidateBT->isFloatingPoint()));
}

/// Warns about a call argument that is implicitly converted from floating
/// point to bool when an adjacent argument is implicitly converted from bool
/// to floating point. The flag name IsSwapped suggests the intent is to
/// catch two arguments passed in the wrong order.
void CheckImplicitArgumentConversions(Sema &S, CallExpr *TheCall,
                                      SourceLocation CC) {
  unsigned NumArgs = TheCall->getNumArgs();
  for (unsigned i = 0; i < NumArgs; ++i) {
    Expr *CurrA = TheCall->getArg(i);
    if (!IsImplicitBoolFloatConversion(S, CurrA, true))
      continue;

    // Look at the previous and the next argument, guarding both ends of the
    // argument list.
    bool IsSwapped = ((i > 0) &&
        IsImplicitBoolFloatConversion(S, TheCall->getArg(i - 1), false));
    IsSwapped |= ((i < (NumArgs - 1)) &&
        IsImplicitBoolFloatConversion(S, TheCall->getArg(i + 1), false));
    if (IsSwapped) {
      // Warn on this floating-point to bool conversion.
      DiagnoseImpCast(S, CurrA->IgnoreParenImpCasts(),
                      CurrA->getType(), CC,
                      diag::warn_impcast_floating_point_to_bool);
    }
  }
}

/// Checks a single implicit conversion of \p E to type \p T and emits the
/// matching -Wconversion style diagnostic, if any.
///
/// The checks run in a fixed order (conversions to bool, vector and complex
/// stripping, floating-point sources, GNU null to non-pointer, integer
/// precision, integer sign, mismatched enums) and most branches return as
/// soon as they have handled the conversion.
///
/// Two suppressions limit what callers can expect to see reported:
///  - most diagnostics are dropped when the conversion context \p CC lies in
///    a system macro;
///  - integer -> bool conversions return before the precision and sign
///    checks (see the TODO below).
///
/// \param E         the expression being converted (already stripped of the
///                  implicit cast by the callers visible here)
/// \param T         the type it is converted to
/// \param CC        location of the conversion context
/// \param ICContext if non-null, a sign-change warning is issued with the
///                  conditional-operator variant of the diagnostic and
///                  *ICContext is set to true to tell the caller so
void CheckImplicitConversion(Sema &S, Expr *E, QualType T,
                             SourceLocation CC, bool *ICContext = 0) {
  if (E->isTypeDependent() || E->isValueDependent()) return;

  const Type *Source = S.Context.getCanonicalType(E->getType()).getTypePtr();
  const Type *Target = S.Context.getCanonicalType(T).getTypePtr();
  if (Source == Target) return;
  if (Target->isDependentType()) return;

  // If the conversion context location is invalid don't complain. We also
  // don't want to emit a warning if the issue occurs from the expansion of
  // a system macro. The problem is that 'getSpellingLoc()' is slow, so we
  // delay this check as long as possible. Once we detect we are in that
  // scenario, we just return.
  if (CC.isInvalid())
    return;

  // Diagnose implicit casts to bool.
  if (Target->isSpecificBuiltinType(BuiltinType::Bool)) {
    if (isa<StringLiteral>(E))
      // Warn on string literal to bool. Checks for string literals in logical
      // and expressions, for instance, assert(0 && "error here"), are
      // prevented by a check in AnalyzeImplicitConversions().
      return DiagnoseImpCast(S, E, T, CC,
                             diag::warn_impcast_string_literal_to_bool);
    if (isa<ObjCStringLiteral>(E) || isa<ObjCArrayLiteral>(E) ||
        isa<ObjCDictionaryLiteral>(E) || isa<ObjCBoxedExpr>(E)) {
      // This covers the literal expressions that evaluate to Objective-C
      // objects.
      return DiagnoseImpCast(S, E, T, CC,
                             diag::warn_impcast_objective_c_literal_to_bool);
    }
    if (Source->isPointerType() || Source->canDecayToPointerType()) {
      // Warn on pointer to bool conversion that is always true.
      S.DiagnoseAlwaysNonNullPointer(E, Expr::NPCK_NotNull, /*IsEqual*/ false,
                                     SourceRange(CC));
    }
  }

  // Strip vector types.
  if (isa<VectorType>(Source)) {
    if (!isa<VectorType>(Target)) {
      if (S.SourceMgr.isInSystemMacro(CC))
        return;
      return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_vector_scalar);
    }

    // If the vector cast is cast between two vectors of the same size, it is
    // a bitcast, not a conversion.
    if (S.Context.getTypeSize(Source) == S.Context.getTypeSize(Target))
      return;

    Source = cast<VectorType>(Source)->getElementType().getTypePtr();
    Target = cast<VectorType>(Target)->getElementType().getTypePtr();
  }
  // Scalar source converted to a vector target: compare against the
  // target's element type.
  if (auto VecTy = dyn_cast<VectorType>(Target))
    Target = VecTy->getElementType().getTypePtr();

  // Strip complex types.
  if (isa<ComplexType>(Source)) {
    if (!isa<ComplexType>(Target)) {
      if (S.SourceMgr.isInSystemMacro(CC))
        return;

      return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_complex_scalar);
    }

    Source = cast<ComplexType>(Source)->getElementType().getTypePtr();
    Target = cast<ComplexType>(Target)->getElementType().getTypePtr();
  }

  const BuiltinType *SourceBT = dyn_cast<BuiltinType>(Source);
  const BuiltinType *TargetBT = dyn_cast<BuiltinType>(Target);

  // If the source is floating point...
  if (SourceBT && SourceBT->isFloatingPoint()) {
    // ...and the target is floating point...
    if (TargetBT && TargetBT->isFloatingPoint()) {
      // ...then warn if we're dropping FP rank.

      // Builtin FP kinds are ordered by increasing FP rank.
      if (SourceBT->getKind() > TargetBT->getKind()) {
        // Don't warn about float constants that are precisely
        // representable in the target type.
        Expr::EvalResult result;
        if (E->EvaluateAsRValue(result, S.Context)) {
          // Value might be a float, a float vector, or a float complex.
          // Note the argument order: the *target* semantics are passed as
          // the helper's Src and the *source* semantics as its Tgt, so the
          // value is converted to the target format and back before being
          // compared with the original.
          if (IsSameFloatAfterCast(result.Val,
                   S.Context.getFloatTypeSemantics(QualType(TargetBT, 0)),
                   S.Context.getFloatTypeSemantics(QualType(SourceBT, 0))))
            return;
        }

        if (S.SourceMgr.isInSystemMacro(CC))
          return;

        DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_precision);
      }
      return;
    }

    // If the target is integral, always warn.
    if (TargetBT && TargetBT->isInteger()) {
      if (S.SourceMgr.isInSystemMacro(CC))
        return;

      Expr *InnerE = E->IgnoreParenImpCasts();
      // We also want to warn on, e.g., "int i = -1.234"
      if (UnaryOperator *UOp = dyn_cast<UnaryOperator>(InnerE))
        if (UOp->getOpcode() == UO_Minus || UOp->getOpcode() == UO_Plus)
          InnerE = UOp->getSubExpr()->IgnoreParenImpCasts();

      // Literals get the more precise diagnostic, which stays silent when the
      // literal converts exactly.
      if (FloatingLiteral *FL = dyn_cast<FloatingLiteral>(InnerE)) {
        DiagnoseFloatingLiteralImpCast(S, FL, T, CC);
      } else {
        DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_integer);
      }
    }

    // If the target is bool, warn if expr is a function or method call.
    if (Target->isSpecificBuiltinType(BuiltinType::Bool) &&
        isa<CallExpr>(E)) {
      // Check last argument of function call to see if it is an
      // implicit cast from a type matching the type the result
      // is being cast to.
      CallExpr *CEx = cast<CallExpr>(E);
      unsigned NumArgs = CEx->getNumArgs();
      if (NumArgs > 0) {
        Expr *LastA = CEx->getArg(NumArgs - 1);
        Expr *InnerE = LastA->IgnoreParenImpCasts();
        const Type *InnerType =
          S.Context.getCanonicalType(InnerE->getType()).getTypePtr();
        if (isa<ImplicitCastExpr>(LastA) && (InnerType == Target)) {
          // Warn on this floating-point to bool conversion
          DiagnoseImpCast(S, E, T, CC,
                          diag::warn_impcast_floating_point_to_bool);
        }
      }
    }
    return;
  }

  // GNU __null converted to a scalar type that is not a pointer of any kind.
  if ((E->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNotNull)
           == Expr::NPCK_GNUNull) && !Target->isAnyPointerType()
      && !Target->isBlockPointerType() && !Target->isMemberPointerType()
      && Target->isScalarType() && !Target->isNullPtrType()) {
    SourceLocation Loc = E->getSourceRange().getBegin();
    // Step out one level of macro expansion; if the location is still inside
    // a macro, only warn when the conversion context is in a macro too.
    if (Loc.isMacroID())
      Loc = S.SourceMgr.getImmediateExpansionRange(Loc).first;
    if (!Loc.isMacroID() || CC.isMacroID())
      S.Diag(Loc, diag::warn_impcast_null_pointer_to_integer)
          << T << clang::SourceRange(CC)
          << FixItHint::CreateReplacement(Loc,
                                          S.getFixItZeroLiteralForType(T, Loc));
  }

  // Everything below is integer -> integer only.
  if (!Source->isIntegerType() || !Target->isIntegerType())
    return;

  // TODO: remove this early return once the false positives for constant->bool
  // in templates, macros, etc, are reduced or removed.
  if (Target->isSpecificBuiltinType(BuiltinType::Bool))
    return;

  // These locals shadow the SourceRange class, which is why the class is
  // spelled clang::SourceRange from here on.
  IntRange SourceRange = GetExprRange(S.Context, E);
  IntRange TargetRange = IntRange::forTargetOfCanonicalType(S.Context, Target);

  // Narrowing: the source may need more bits than the target provides.
  if (SourceRange.Width > TargetRange.Width) {
    // If the source is a constant, use a default-on diagnostic.
    // TODO: this should happen for bitfield stores, too.
    llvm::APSInt Value(32);
    if (E->isIntegerConstantExpr(Value, S.Context)) {
      if (S.SourceMgr.isInSystemMacro(CC))
        return;

      std::string PrettySourceValue = Value.toString(10);
      std::string PrettyTargetValue = PrettyPrintInRange(Value, TargetRange);

      S.DiagRuntimeBehavior(E->getExprLoc(), E,
        S.PDiag(diag::warn_impcast_integer_precision_constant)
            << PrettySourceValue << PrettyTargetValue
            << E->getType() << T << E->getSourceRange()
            << clang::SourceRange(CC));
      return;
    }

    // People want to build with -Wshorten-64-to-32 and not -Wconversion.
    if (S.SourceMgr.isInSystemMacro(CC))
      return;

    if (TargetRange.Width == 32 && S.Context.getIntWidth(E->getType()) == 64)
      return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_64_32,
                             /* pruneControlFlow */ true);
    return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_precision);
  }

  // Sign change: a possibly negative source into a non-negative target, or a
  // non-negative source into a signed target of the same width.
  if ((TargetRange.NonNegative && !SourceRange.NonNegative) ||
      (!TargetRange.NonNegative && SourceRange.NonNegative &&
       SourceRange.Width == TargetRange.Width)) {

    if (S.SourceMgr.isInSystemMacro(CC))
      return;

    unsigned DiagID = diag::warn_impcast_integer_sign;

    // Traditionally, gcc has warned about this under -Wsign-compare.
    // We also want to warn about it in -Wconversion.
    // So if -Wconversion is off, use a completely identical diagnostic
    // in the sign-compare group.
    // The conditional-checking code (CheckConditionalOperator) passes
    // ICContext and inspects the flag set here.
    if (ICContext) {
      DiagID = diag::warn_impcast_integer_sign_conditional;
      *ICContext = true;
    }

    return DiagnoseImpCast(S, E, T, CC, DiagID);
  }

  // Diagnose conversions between different enumeration types.
  // In C, we pretend that the type of an EnumConstantDecl is its enumeration
  // type, to give us better diagnostics.
  QualType SourceType = E->getType();
  if (!S.getLangOpts().CPlusPlus) {
    if (DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E))
      if (EnumConstantDecl *ECD = dyn_cast<EnumConstantDecl>(DRE->getDecl())) {
        EnumDecl *Enum = cast<EnumDecl>(ECD->getDeclContext());
        SourceType = S.Context.getTypeDeclType(Enum);
        Source = S.Context.getCanonicalType(SourceType).getTypePtr();
      }
  }

  // Only enums that have a name for linkage on both sides are compared.
  if (const EnumType *SourceEnum = Source->getAs<EnumType>())
    if (const EnumType *TargetEnum = Target->getAs<EnumType>())
      if (SourceEnum->getDecl()->hasNameForLinkage() &&
          TargetEnum->getDecl()->hasNameForLinkage() &&
          SourceEnum != TargetEnum) {
        if (S.SourceMgr.isInSystemMacro(CC))
          return;

        return DiagnoseImpCast(S, E, SourceType, T, CC,
                               diag::warn_impcast_different_enum_types);
      }

  return;
}

// Forward declaration: CheckConditionalOperand and CheckConditionalOperator
// call each other for nested conditional operators.
void CheckConditionalOperator(Sema &S, ConditionalOperator *E,
                              SourceLocation CC, QualType T);

/// Checks one arm of a conditional operator as if it were converted directly
/// to the context type \p T.
///
/// \param ICContext set to true (via CheckImplicitConversion) if the arm
///                  triggers the conditional variant of the sign-change
///                  warning
void CheckConditionalOperand(Sema &S, Expr *E, QualType T,
                             SourceLocation CC, bool &ICContext) {
  E = E->IgnoreParenImpCasts();

  // A nested conditional is handled recursively, arm by arm.
  if (isa<ConditionalOperator>(E))
    return CheckConditionalOperator(S, cast<ConditionalOperator>(E), CC, T);

  AnalyzeImplicitConversions(S, E, CC);
  if (E->getType() != T)
    return CheckImplicitConversion(S, E, T, CC, &ICContext);
  return;
}

/// Checks the condition and both arms of a conditional operator whose result
/// is used in a context of type \p T.
void CheckConditionalOperator(Sema &S, ConditionalOperator *E,
                              SourceLocation CC, QualType T) {
  AnalyzeImplicitConversions(S, E->getCond(), CC);

  bool Suspicious = false;
  CheckConditionalOperand(S, E->getTrueExpr(), T, CC, Suspicious);
  CheckConditionalOperand(S, E->getFalseExpr(), T, CC, Suspicious);

  // If -Wconversion would have warned about either of the candidates
  // for a signedness conversion to the context type...
  if (!Suspicious) return;

  // ...but it's currently ignored...
  // (A non-zero diagnostic level means the warning is enabled and has already
  // been reported above, so there is nothing more to do.)
  if (S.Diags.getDiagnosticLevel(diag::warn_impcast_integer_sign_conditional,
                                 CC))
    return;

  // ...then check whether it would have warned about either of the
  // candidates for a signedness conversion to the condition type.
  if (E->getType() == T) return;

  Suspicious = false;
  CheckImplicitConversion(S, E->getTrueExpr()->IgnoreParenImpCasts(),
                          E->getType(), CC, &Suspicious);
  if (!Suspicious)
    CheckImplicitConversion(S, E->getFalseExpr()->IgnoreParenImpCasts(),
                            E->getType(), CC, &Suspicious);
}

/// AnalyzeImplicitConversions - Find and report any interesting
/// implicit conversions in the given expression. There are a couple
/// of competing diagnostics here, -Wconversion and -Wsign-compare.
void AnalyzeImplicitConversions(Sema &S, Expr *OrigE, SourceLocation CC) {
  QualType T = OrigE->getType();
  Expr *E = OrigE->IgnoreParenImpCasts();

  if (E->isTypeDependent() || E->isValueDependent())
    return;

  // For conditional operators, we analyze the arguments as if they
  // were being fed directly into the output.
  if (isa<ConditionalOperator>(E)) {
    ConditionalOperator *CO = cast<ConditionalOperator>(E);
    CheckConditionalOperator(S, CO, CC, T);
    return;
  }

  // Check implicit argument conversions for function calls.
  if (CallExpr *Call = dyn_cast<CallExpr>(E))
    CheckImplicitArgumentConversions(S, Call, CC);

  // Go ahead and check any implicit conversions we might have skipped.
  // The non-canonical typecheck is just an optimization;
  // CheckImplicitConversion will filter out dead implicit conversions.
  if (E->getType() != T)
    CheckImplicitConversion(S, E, T, CC);

  // Now continue drilling into this expression.
6202 6203 if (PseudoObjectExpr * POE = dyn_cast<PseudoObjectExpr>(E)) { 6204 if (POE->getResultExpr()) 6205 E = POE->getResultExpr(); 6206 } 6207 6208 if (const OpaqueValueExpr *OVE = dyn_cast<OpaqueValueExpr>(E)) 6209 return AnalyzeImplicitConversions(S, OVE->getSourceExpr(), CC); 6210 6211 // Skip past explicit casts. 6212 if (isa<ExplicitCastExpr>(E)) { 6213 E = cast<ExplicitCastExpr>(E)->getSubExpr()->IgnoreParenImpCasts(); 6214 return AnalyzeImplicitConversions(S, E, CC); 6215 } 6216 6217 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 6218 // Do a somewhat different check with comparison operators. 6219 if (BO->isComparisonOp()) 6220 return AnalyzeComparison(S, BO); 6221 6222 // And with simple assignments. 6223 if (BO->getOpcode() == BO_Assign) 6224 return AnalyzeAssignment(S, BO); 6225 } 6226 6227 // These break the otherwise-useful invariant below. Fortunately, 6228 // we don't really need to recurse into them, because any internal 6229 // expressions should have been analyzed already when they were 6230 // built into statements. 6231 if (isa<StmtExpr>(E)) return; 6232 6233 // Don't descend into unevaluated contexts. 6234 if (isa<UnaryExprOrTypeTraitExpr>(E)) return; 6235 6236 // Now just recurse over the expression's children. 6237 CC = E->getExprLoc(); 6238 BinaryOperator *BO = dyn_cast<BinaryOperator>(E); 6239 bool IsLogicalAndOperator = BO && BO->getOpcode() == BO_LAnd; 6240 for (Stmt::child_range I = E->children(); I; ++I) { 6241 Expr *ChildExpr = dyn_cast_or_null<Expr>(*I); 6242 if (!ChildExpr) 6243 continue; 6244 6245 if (IsLogicalAndOperator && 6246 isa<StringLiteral>(ChildExpr->IgnoreParenImpCasts())) 6247 // Ignore checking string literals that are in logical and operators. 6248 // This is a common pattern for asserts. 
6249 continue; 6250 AnalyzeImplicitConversions(S, ChildExpr, CC); 6251 } 6252 } 6253 6254 } // end anonymous namespace 6255 6256 enum { 6257 AddressOf, 6258 FunctionPointer, 6259 ArrayPointer 6260 }; 6261 6262 /// \brief Diagnose pointers that are always non-null. 6263 /// \param E the expression containing the pointer 6264 /// \param NullKind NPCK_NotNull if E is a cast to bool, otherwise, E is 6265 /// compared to a null pointer 6266 /// \param IsEqual True when the comparison is equal to a null pointer 6267 /// \param Range Extra SourceRange to highlight in the diagnostic 6268 void Sema::DiagnoseAlwaysNonNullPointer(Expr *E, 6269 Expr::NullPointerConstantKind NullKind, 6270 bool IsEqual, SourceRange Range) { 6271 6272 // Don't warn inside macros. 6273 if (E->getExprLoc().isMacroID()) 6274 return; 6275 E = E->IgnoreImpCasts(); 6276 6277 const bool IsCompare = NullKind != Expr::NPCK_NotNull; 6278 6279 bool IsAddressOf = false; 6280 6281 if (UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) { 6282 if (UO->getOpcode() != UO_AddrOf) 6283 return; 6284 IsAddressOf = true; 6285 E = UO->getSubExpr(); 6286 } 6287 6288 // Expect to find a single Decl. Skip anything more complicated. 6289 ValueDecl *D = 0; 6290 if (DeclRefExpr *R = dyn_cast<DeclRefExpr>(E)) { 6291 D = R->getDecl(); 6292 } else if (MemberExpr *M = dyn_cast<MemberExpr>(E)) { 6293 D = M->getMemberDecl(); 6294 } 6295 6296 // Weak Decls can be null. 6297 if (!D || D->isWeak()) 6298 return; 6299 6300 QualType T = D->getType(); 6301 const bool IsArray = T->isArrayType(); 6302 const bool IsFunction = T->isFunctionType(); 6303 6304 if (IsAddressOf) { 6305 // Address of function is used to silence the function warning. 6306 if (IsFunction) 6307 return; 6308 // Address of reference can be null. 6309 if (T->isReferenceType()) 6310 return; 6311 } 6312 6313 // Found nothing. 6314 if (!IsAddressOf && !IsFunction && !IsArray) 6315 return; 6316 6317 // Pretty print the expression for the diagnostic. 
6318 std::string Str; 6319 llvm::raw_string_ostream S(Str); 6320 E->printPretty(S, 0, getPrintingPolicy()); 6321 6322 unsigned DiagID = IsCompare ? diag::warn_null_pointer_compare 6323 : diag::warn_impcast_pointer_to_bool; 6324 unsigned DiagType; 6325 if (IsAddressOf) 6326 DiagType = AddressOf; 6327 else if (IsFunction) 6328 DiagType = FunctionPointer; 6329 else if (IsArray) 6330 DiagType = ArrayPointer; 6331 else 6332 llvm_unreachable("Could not determine diagnostic."); 6333 Diag(E->getExprLoc(), DiagID) << DiagType << S.str() << E->getSourceRange() 6334 << Range << IsEqual; 6335 6336 if (!IsFunction) 6337 return; 6338 6339 // Suggest '&' to silence the function warning. 6340 Diag(E->getExprLoc(), diag::note_function_warning_silence) 6341 << FixItHint::CreateInsertion(E->getLocStart(), "&"); 6342 6343 // Check to see if '()' fixit should be emitted. 6344 QualType ReturnType; 6345 UnresolvedSet<4> NonTemplateOverloads; 6346 tryExprAsCall(*E, ReturnType, NonTemplateOverloads); 6347 if (ReturnType.isNull()) 6348 return; 6349 6350 if (IsCompare) { 6351 // There are two cases here. If there is null constant, the only suggest 6352 // for a pointer return type. If the null is 0, then suggest if the return 6353 // type is a pointer or an integer type. 6354 if (!ReturnType->isPointerType()) { 6355 if (NullKind == Expr::NPCK_ZeroExpression || 6356 NullKind == Expr::NPCK_ZeroLiteral) { 6357 if (!ReturnType->isIntegerType()) 6358 return; 6359 } else { 6360 return; 6361 } 6362 } 6363 } else { // !IsCompare 6364 // For function to bool, only suggest if the function pointer has bool 6365 // return type. 
6366 if (!ReturnType->isSpecificBuiltinType(BuiltinType::Bool)) 6367 return; 6368 } 6369 Diag(E->getExprLoc(), diag::note_function_to_function_call) 6370 << FixItHint::CreateInsertion( 6371 getPreprocessor().getLocForEndOfToken(E->getLocEnd()), "()"); 6372 } 6373 6374 6375 /// Diagnoses "dangerous" implicit conversions within the given 6376 /// expression (which is a full expression). Implements -Wconversion 6377 /// and -Wsign-compare. 6378 /// 6379 /// \param CC the "context" location of the implicit conversion, i.e. 6380 /// the most location of the syntactic entity requiring the implicit 6381 /// conversion 6382 void Sema::CheckImplicitConversions(Expr *E, SourceLocation CC) { 6383 // Don't diagnose in unevaluated contexts. 6384 if (isUnevaluatedContext()) 6385 return; 6386 6387 // Don't diagnose for value- or type-dependent expressions. 6388 if (E->isTypeDependent() || E->isValueDependent()) 6389 return; 6390 6391 // Check for array bounds violations in cases where the check isn't triggered 6392 // elsewhere for other Expr types (like BinaryOperators), e.g. when an 6393 // ArraySubscriptExpr is on the RHS of a variable initialization. 6394 CheckArrayAccess(E); 6395 6396 // This is not the right CC for (e.g.) a variable initialization. 6397 AnalyzeImplicitConversions(*this, E, CC); 6398 } 6399 6400 /// Diagnose when expression is an integer constant expression and its evaluation 6401 /// results in integer overflow 6402 void Sema::CheckForIntOverflow (Expr *E) { 6403 if (isa<BinaryOperator>(E->IgnoreParens())) 6404 E->EvaluateForOverflow(Context); 6405 } 6406 6407 namespace { 6408 /// \brief Visitor for expressions which looks for unsequenced operations on the 6409 /// same object. 6410 class SequenceChecker : public EvaluatedExprVisitor<SequenceChecker> { 6411 typedef EvaluatedExprVisitor<SequenceChecker> Base; 6412 6413 /// \brief A tree of sequenced regions within an expression. 
Two regions are 6414 /// unsequenced if one is an ancestor or a descendent of the other. When we 6415 /// finish processing an expression with sequencing, such as a comma 6416 /// expression, we fold its tree nodes into its parent, since they are 6417 /// unsequenced with respect to nodes we will visit later. 6418 class SequenceTree { 6419 struct Value { 6420 explicit Value(unsigned Parent) : Parent(Parent), Merged(false) {} 6421 unsigned Parent : 31; 6422 bool Merged : 1; 6423 }; 6424 SmallVector<Value, 8> Values; 6425 6426 public: 6427 /// \brief A region within an expression which may be sequenced with respect 6428 /// to some other region. 6429 class Seq { 6430 explicit Seq(unsigned N) : Index(N) {} 6431 unsigned Index; 6432 friend class SequenceTree; 6433 public: 6434 Seq() : Index(0) {} 6435 }; 6436 6437 SequenceTree() { Values.push_back(Value(0)); } 6438 Seq root() const { return Seq(0); } 6439 6440 /// \brief Create a new sequence of operations, which is an unsequenced 6441 /// subset of \p Parent. This sequence of operations is sequenced with 6442 /// respect to other children of \p Parent. 6443 Seq allocate(Seq Parent) { 6444 Values.push_back(Value(Parent.Index)); 6445 return Seq(Values.size() - 1); 6446 } 6447 6448 /// \brief Merge a sequence of operations into its parent. 6449 void merge(Seq S) { 6450 Values[S.Index].Merged = true; 6451 } 6452 6453 /// \brief Determine whether two operations are unsequenced. This operation 6454 /// is asymmetric: \p Cur should be the more recent sequence, and \p Old 6455 /// should have been merged into its parent as appropriate. 6456 bool isUnsequenced(Seq Cur, Seq Old) { 6457 unsigned C = representative(Cur.Index); 6458 unsigned Target = representative(Old.Index); 6459 while (C >= Target) { 6460 if (C == Target) 6461 return true; 6462 C = Values[C].Parent; 6463 } 6464 return false; 6465 } 6466 6467 private: 6468 /// \brief Pick a representative for a sequence. 
6469 unsigned representative(unsigned K) { 6470 if (Values[K].Merged) 6471 // Perform path compression as we go. 6472 return Values[K].Parent = representative(Values[K].Parent); 6473 return K; 6474 } 6475 }; 6476 6477 /// An object for which we can track unsequenced uses. 6478 typedef NamedDecl *Object; 6479 6480 /// Different flavors of object usage which we track. We only track the 6481 /// least-sequenced usage of each kind. 6482 enum UsageKind { 6483 /// A read of an object. Multiple unsequenced reads are OK. 6484 UK_Use, 6485 /// A modification of an object which is sequenced before the value 6486 /// computation of the expression, such as ++n in C++. 6487 UK_ModAsValue, 6488 /// A modification of an object which is not sequenced before the value 6489 /// computation of the expression, such as n++. 6490 UK_ModAsSideEffect, 6491 6492 UK_Count = UK_ModAsSideEffect + 1 6493 }; 6494 6495 struct Usage { 6496 Usage() : Use(0), Seq() {} 6497 Expr *Use; 6498 SequenceTree::Seq Seq; 6499 }; 6500 6501 struct UsageInfo { 6502 UsageInfo() : Diagnosed(false) {} 6503 Usage Uses[UK_Count]; 6504 /// Have we issued a diagnostic for this variable already? 6505 bool Diagnosed; 6506 }; 6507 typedef llvm::SmallDenseMap<Object, UsageInfo, 16> UsageInfoMap; 6508 6509 Sema &SemaRef; 6510 /// Sequenced regions within the expression. 6511 SequenceTree Tree; 6512 /// Declaration modifications and references which we have seen. 6513 UsageInfoMap UsageMap; 6514 /// The region we are currently within. 6515 SequenceTree::Seq Region; 6516 /// Filled in with declarations which were modified as a side-effect 6517 /// (that is, post-increment operations). 6518 SmallVectorImpl<std::pair<Object, Usage> > *ModAsSideEffect; 6519 /// Expressions to check later. We defer checking these to reduce 6520 /// stack usage. 6521 SmallVectorImpl<Expr *> &WorkList; 6522 6523 /// RAII object wrapping the visitation of a sequenced subexpression of an 6524 /// expression. 
At the end of this process, the side-effects of the evaluation 6525 /// become sequenced with respect to the value computation of the result, so 6526 /// we downgrade any UK_ModAsSideEffect within the evaluation to 6527 /// UK_ModAsValue. 6528 struct SequencedSubexpression { 6529 SequencedSubexpression(SequenceChecker &Self) 6530 : Self(Self), OldModAsSideEffect(Self.ModAsSideEffect) { 6531 Self.ModAsSideEffect = &ModAsSideEffect; 6532 } 6533 ~SequencedSubexpression() { 6534 for (unsigned I = 0, E = ModAsSideEffect.size(); I != E; ++I) { 6535 UsageInfo &U = Self.UsageMap[ModAsSideEffect[I].first]; 6536 U.Uses[UK_ModAsSideEffect] = ModAsSideEffect[I].second; 6537 Self.addUsage(U, ModAsSideEffect[I].first, 6538 ModAsSideEffect[I].second.Use, UK_ModAsValue); 6539 } 6540 Self.ModAsSideEffect = OldModAsSideEffect; 6541 } 6542 6543 SequenceChecker &Self; 6544 SmallVector<std::pair<Object, Usage>, 4> ModAsSideEffect; 6545 SmallVectorImpl<std::pair<Object, Usage> > *OldModAsSideEffect; 6546 }; 6547 6548 /// RAII object wrapping the visitation of a subexpression which we might 6549 /// choose to evaluate as a constant. If any subexpression is evaluated and 6550 /// found to be non-constant, this allows us to suppress the evaluation of 6551 /// the outer expression. 
class EvaluationTracker {
public:
  // Registers this tracker as the checker's innermost one and remembers the
  // tracker it replaces so the destructor can put it back.
  EvaluationTracker(SequenceChecker &Self)
      : Self(Self), Prev(Self.EvalTracker), EvalOK(true) {
    Self.EvalTracker = this;
  }

  // Restores the previous tracker. A failed evaluation recorded here also
  // marks the enclosing tracker as failed, so the outer expression is not
  // evaluated either.
  ~EvaluationTracker() {
    Self.EvalTracker = Prev;
    if (Prev && !EvalOK)
      Prev->EvalOK = false;
  }

  // Tries to evaluate E as a boolean condition. Returns true and stores the
  // value in Result on success. Returns false without evaluating when an
  // earlier evaluation under this tracker failed or E is value-dependent.
  bool evaluate(const Expr *E, bool &Result) {
    const bool MayFold = EvalOK && !E->isValueDependent();
    if (!MayFold)
      return false;

    EvalOK = E->EvaluateAsBooleanCondition(Result, Self.SemaRef.Context);
    return EvalOK;
  }

private:
  SequenceChecker &Self;
  EvaluationTracker *Prev;
  bool EvalOK;
} *EvalTracker;

/// \brief Find the object which is produced by the specified expression,
/// if any.
///
/// Only a direct declaration reference or a member accessed through 'this'
/// yields an object; every other form returns null and is not tracked.
/// \param Mod when true, also look through pre-increment/decrement and
/// assignment operators to the object they modify.
Object getObject(Expr *E, bool Mod) const {
  E = E->IgnoreParenCasts();

  if (DeclRefExpr *Ref = dyn_cast<DeclRefExpr>(E)) {
    // FIXME: If this is a reference, map through to its value.
    return Ref->getDecl();
  }

  if (MemberExpr *Member = dyn_cast<MemberExpr>(E)) {
    // FIXME: Check for more interesting cases, like "x.n = ++x.n".
    if (isa<CXXThisExpr>(Member->getBase()->IgnoreParenCasts()))
      return Member->getMemberDecl();
    return 0;
  }

  if (UnaryOperator *Unary = dyn_cast<UnaryOperator>(E)) {
    const UnaryOperator::Opcode Opc = Unary->getOpcode();
    const bool IsPrefixStep = Opc == UO_PreInc || Opc == UO_PreDec;
    if (Mod && IsPrefixStep)
      return getObject(Unary->getSubExpr(), Mod);
    return 0;
  }

  if (BinaryOperator *Binary = dyn_cast<BinaryOperator>(E)) {
    // The value of a comma expression is its right-hand operand.
    if (Binary->getOpcode() == BO_Comma)
      return getObject(Binary->getRHS(), Mod);
    if (Mod && Binary->isAssignmentOp())
      return getObject(Binary->getLHS(), Mod);
  }

  return 0;
}

/// \brief Note that an object was modified or used by an expression.
void addUsage(UsageInfo &UI, Object O, Expr *Ref, UsageKind UK) {
  // Only the least-sequenced usage of each kind is tracked, so a recorded
  // usage that is unsequenced with the current region is left in place.
  Usage &Slot = UI.Uses[UK];
  if (Slot.Use && Tree.isUnsequenced(Region, Slot.Seq))
    return;

  // Save the record being overwritten; the enclosing SequencedSubexpression
  // writes it back when it is destroyed.
  if (ModAsSideEffect && UK == UK_ModAsSideEffect)
    ModAsSideEffect->push_back(std::make_pair(O, Slot));

  Slot.Use = Ref;
  Slot.Seq = Region;
}

/// \brief Check whether a modification or use conflicts with a prior usage.
///
/// Emits at most one diagnostic per object: warn_unsequenced_mod_mod when
/// \p IsModMod is set, warn_unsequenced_mod_use otherwise.
void checkUsage(Object O, UsageInfo &UI, Expr *Ref, UsageKind OtherKind,
                bool IsModMod) {
  if (UI.Diagnosed)
    return;

  const Usage &Prior = UI.Uses[OtherKind];
  if (!Prior.Use)
    return;
  if (!Tree.isUnsequenced(Region, Prior.Seq))
    return;

  // The diagnostic is placed on the modification. When the prior usage was a
  // plain read, the modification is the expression being checked now.
  const bool PriorIsUse = OtherKind == UK_Use;
  Expr *Mod = PriorIsUse ? Ref : Prior.Use;
  Expr *ModOrUse = PriorIsUse ? Prior.Use : Ref;

  const unsigned DiagID = IsModMod ? diag::warn_unsequenced_mod_mod
                                   : diag::warn_unsequenced_mod_use;
  SemaRef.Diag(Mod->getExprLoc(), DiagID)
      << O << SourceRange(ModOrUse->getExprLoc());
  UI.Diagnosed = true;
}

// Called before visiting the operand of a read of O.
void notePreUse(Object O, Expr *Use) {
  UsageInfo &Info = UsageMap[O];
  // Uses conflict with other modifications.
  checkUsage(O, Info, Use, UK_ModAsValue, false);
}

// Called after visiting the operand of a read of O; records the read.
void notePostUse(Object O, Expr *Use) {
  UsageInfo &Info = UsageMap[O];
  checkUsage(O, Info, Use, UK_ModAsSideEffect, false);
  addUsage(Info, O, Use, UK_Use);
}

// Called before visiting the operands of a modification of O.
void notePreMod(Object O, Expr *Mod) {
  UsageInfo &Info = UsageMap[O];
  // Modifications conflict with other modifications and with uses.
  checkUsage(O, Info, Mod, UK_ModAsValue, true);
  checkUsage(O, Info, Mod, UK_Use, false);
}

// Called after visiting the operands of a modification of O; records the
// modification under the kind UK.
void notePostMod(Object O, Expr *Use, UsageKind UK) {
  UsageInfo &Info = UsageMap[O];
  checkUsage(O, Info, Use, UK_ModAsSideEffect, true);
  addUsage(Info, O, Use, UK);
}

public:
// Runs the check over E immediately. Subexpressions whose evaluation is not
// certain are appended to WorkList instead of being visited here.
SequenceChecker(Sema &S, Expr *E, SmallVectorImpl<Expr *> &WorkList)
    : Base(S.Context), SemaRef(S), Region(Tree.root()), ModAsSideEffect(0),
      WorkList(WorkList), EvalTracker(0) {
  Visit(E);
}

void VisitStmt(Stmt *S) {
  // Skip all statements which aren't expressions for now.
}

void VisitExpr(Expr *E) {
  // By default, just recurse to evaluated subexpressions.
  Base::VisitStmt(E);
}

void VisitCastExpr(CastExpr *E) {
  // Only an lvalue-to-rvalue conversion counts as a read of an object.
  Object Loaded = E->getCastKind() == CK_LValueToRValue
                      ? getObject(E->getSubExpr(), false)
                      : Object();
  if (!Loaded) {
    VisitExpr(E);
    return;
  }

  notePreUse(Loaded, E);
  VisitExpr(E);
  notePostUse(Loaded, E);
}

void VisitBinComma(BinaryOperator *BO) {
  // C++11 [expr.comma]p1:
  //   Every value computation and side effect associated with the left
  //   expression is sequenced before every value computation and side
  //   effect associated with the right expression.
  const SequenceTree::Seq Enclosing = Region;
  SequenceTree::Seq LHS = Tree.allocate(Enclosing);
  SequenceTree::Seq RHS = Tree.allocate(Enclosing);

  {
    // The guard is destroyed while Region is still the LHS region.
    SequencedSubexpression SeqLHS(*this);
    Region = LHS;
    Visit(BO->getLHS());
  }

  Region = RHS;
  Visit(BO->getRHS());

  Region = Enclosing;

  // Forget that LHS and RHS are sequenced. They are both unsequenced
  // with respect to other stuff.
  Tree.merge(LHS);
  Tree.merge(RHS);
}

void VisitBinAssign(BinaryOperator *BO) {
  // The modification is sequenced after the value computation of the LHS
  // and RHS, so check it before inspecting the operands and update the
  // map afterwards.
  Object O = getObject(BO->getLHS(), true);
  if (!O) {
    VisitExpr(BO);
    return;
  }

  notePreMod(O, BO);

  // C++11 [expr.ass]p7:
  //   E1 op= E2 is equivalent to E1 = E1 op E2, except that E1 is evaluated
  //   only once.
  //
  // Therefore, for a compound assignment operator, O is considered used
  // everywhere except within the evaluation of E1 itself.
  const bool IsCompound = isa<CompoundAssignOperator>(BO);
  if (IsCompound)
    notePreUse(O, BO);

  Visit(BO->getLHS());

  if (IsCompound)
    notePostUse(O, BO);

  Visit(BO->getRHS());

  // C++11 [expr.ass]p1:
  //   the assignment is sequenced [...] before the value computation of the
  //   assignment expression.
  // C11 6.5.16/3 has no such rule.
  const UsageKind ModKind =
      SemaRef.getLangOpts().CPlusPlus ? UK_ModAsValue : UK_ModAsSideEffect;
  notePostMod(O, BO, ModKind);
}

void VisitCompoundAssignOperator(CompoundAssignOperator *CAO) {
  VisitBinAssign(CAO);
}

void VisitUnaryPreInc(UnaryOperator *UO) {
  VisitUnaryPreIncDec(UO);
}

void VisitUnaryPreDec(UnaryOperator *UO) {
  VisitUnaryPreIncDec(UO);
}

void VisitUnaryPreIncDec(UnaryOperator *UO) {
  Object O = getObject(UO->getSubExpr(), true);
  if (!O) {
    VisitExpr(UO);
    return;
  }

  notePreMod(O, UO);
  Visit(UO->getSubExpr());

  // C++11 [expr.pre.incr]p1:
  //   the expression ++x is equivalent to x+=1
  const UsageKind ModKind =
      SemaRef.getLangOpts().CPlusPlus ? UK_ModAsValue : UK_ModAsSideEffect;
  notePostMod(O, UO, ModKind);
}

void VisitUnaryPostInc(UnaryOperator *UO) {
  VisitUnaryPostIncDec(UO);
}

void VisitUnaryPostDec(UnaryOperator *UO) {
  VisitUnaryPostIncDec(UO);
}

void VisitUnaryPostIncDec(UnaryOperator *UO) {
  Object O = getObject(UO->getSubExpr(), true);
  if (!O) {
    VisitExpr(UO);
    return;
  }

  notePreMod(O, UO);
  Visit(UO->getSubExpr());
  // A postfix modification is always recorded as a side effect.
  notePostMod(O, UO, UK_ModAsSideEffect);
}

/// Don't visit the RHS of '&&' or '||' if it might not be evaluated.
void VisitBinLOr(BinaryOperator *BO) {
  // The LHS is always evaluated; its side effects are treated as if they
  // were unconditionally sequenced before whatever follows.
  EvaluationTracker Eval(*this);
  {
    SequencedSubexpression Sequenced(*this);
    Visit(BO->getLHS());
  }

  bool LHSValue;
  if (!Eval.evaluate(BO->getLHS(), LHSValue)) {
    // Check for unsequenced operations in the RHS, treating it as an
    // entirely separate evaluation.
    //
    // FIXME: If there are operations in the RHS which are unsequenced
    // with respect to operations outside the RHS, and those operations
    // are unconditionally evaluated, diagnose them.
    WorkList.push_back(BO->getRHS());
    return;
  }

  // The LHS is a known constant: the RHS of '||' runs only when it is false.
  if (!LHSValue)
    Visit(BO->getRHS());
}

void VisitBinLAnd(BinaryOperator *BO) {
  EvaluationTracker Eval(*this);
  {
    SequencedSubexpression Sequenced(*this);
    Visit(BO->getLHS());
  }

  bool LHSValue;
  if (!Eval.evaluate(BO->getLHS(), LHSValue)) {
    // The LHS value is unknown, so the RHS is checked later as a separate
    // evaluation.
    WorkList.push_back(BO->getRHS());
    return;
  }

  // The LHS is a known constant: the RHS of '&&' runs only when it is true.
  if (LHSValue)
    Visit(BO->getRHS());
}

// Only visit the condition, unless we can be sure which subexpression will
// be chosen.
6816 void VisitAbstractConditionalOperator(AbstractConditionalOperator *CO) { 6817 EvaluationTracker Eval(*this); 6818 { 6819 SequencedSubexpression Sequenced(*this); 6820 Visit(CO->getCond()); 6821 } 6822 6823 bool Result; 6824 if (Eval.evaluate(CO->getCond(), Result)) 6825 Visit(Result ? CO->getTrueExpr() : CO->getFalseExpr()); 6826 else { 6827 WorkList.push_back(CO->getTrueExpr()); 6828 WorkList.push_back(CO->getFalseExpr()); 6829 } 6830 } 6831 6832 void VisitCallExpr(CallExpr *CE) { 6833 // C++11 [intro.execution]p15: 6834 // When calling a function [...], every value computation and side effect 6835 // associated with any argument expression, or with the postfix expression 6836 // designating the called function, is sequenced before execution of every 6837 // expression or statement in the body of the function [and thus before 6838 // the value computation of its result]. 6839 SequencedSubexpression Sequenced(*this); 6840 Base::VisitCallExpr(CE); 6841 6842 // FIXME: CXXNewExpr and CXXDeleteExpr implicitly call functions. 6843 } 6844 6845 void VisitCXXConstructExpr(CXXConstructExpr *CCE) { 6846 // This is a call, so all subexpressions are sequenced before the result. 6847 SequencedSubexpression Sequenced(*this); 6848 6849 if (!CCE->isListInitialization()) 6850 return VisitExpr(CCE); 6851 6852 // In C++11, list initializations are sequenced. 6853 SmallVector<SequenceTree::Seq, 32> Elts; 6854 SequenceTree::Seq Parent = Region; 6855 for (CXXConstructExpr::arg_iterator I = CCE->arg_begin(), 6856 E = CCE->arg_end(); 6857 I != E; ++I) { 6858 Region = Tree.allocate(Parent); 6859 Elts.push_back(Region); 6860 Visit(*I); 6861 } 6862 6863 // Forget that the initializers are sequenced. 6864 Region = Parent; 6865 for (unsigned I = 0; I < Elts.size(); ++I) 6866 Tree.merge(Elts[I]); 6867 } 6868 6869 void VisitInitListExpr(InitListExpr *ILE) { 6870 if (!SemaRef.getLangOpts().CPlusPlus11) 6871 return VisitExpr(ILE); 6872 6873 // In C++11, list initializations are sequenced. 
6874 SmallVector<SequenceTree::Seq, 32> Elts; 6875 SequenceTree::Seq Parent = Region; 6876 for (unsigned I = 0; I < ILE->getNumInits(); ++I) { 6877 Expr *E = ILE->getInit(I); 6878 if (!E) continue; 6879 Region = Tree.allocate(Parent); 6880 Elts.push_back(Region); 6881 Visit(E); 6882 } 6883 6884 // Forget that the initializers are sequenced. 6885 Region = Parent; 6886 for (unsigned I = 0; I < Elts.size(); ++I) 6887 Tree.merge(Elts[I]); 6888 } 6889 }; 6890 } 6891 6892 void Sema::CheckUnsequencedOperations(Expr *E) { 6893 SmallVector<Expr *, 8> WorkList; 6894 WorkList.push_back(E); 6895 while (!WorkList.empty()) { 6896 Expr *Item = WorkList.pop_back_val(); 6897 SequenceChecker(*this, Item, WorkList); 6898 } 6899 } 6900 6901 void Sema::CheckCompletedExpr(Expr *E, SourceLocation CheckLoc, 6902 bool IsConstexpr) { 6903 CheckImplicitConversions(E, CheckLoc); 6904 CheckUnsequencedOperations(E); 6905 if (!IsConstexpr && !E->isValueDependent()) 6906 CheckForIntOverflow(E); 6907 } 6908 6909 void Sema::CheckBitFieldInitialization(SourceLocation InitLoc, 6910 FieldDecl *BitField, 6911 Expr *Init) { 6912 (void) AnalyzeBitFieldAssignment(*this, BitField, Init, InitLoc); 6913 } 6914 6915 /// CheckParmsForFunctionDef - Check that the parameters of the given 6916 /// function are appropriate for the definition of a function. This 6917 /// takes care of any checks that cannot be performed on the 6918 /// declaration itself, e.g., that the types of each of the function 6919 /// parameters are complete. 6920 bool Sema::CheckParmsForFunctionDef(ParmVarDecl *const *P, 6921 ParmVarDecl *const *PEnd, 6922 bool CheckParameterNames) { 6923 bool HasInvalidParm = false; 6924 for (; P != PEnd; ++P) { 6925 ParmVarDecl *Param = *P; 6926 6927 // C99 6.7.5.3p4: the parameters in a parameter type list in a 6928 // function declarator that is part of a function definition of 6929 // that function shall not have incomplete type. 6930 // 6931 // This is also C++ [dcl.fct]p6. 
6932 if (!Param->isInvalidDecl() && 6933 RequireCompleteType(Param->getLocation(), Param->getType(), 6934 diag::err_typecheck_decl_incomplete_type)) { 6935 Param->setInvalidDecl(); 6936 HasInvalidParm = true; 6937 } 6938 6939 // C99 6.9.1p5: If the declarator includes a parameter type list, the 6940 // declaration of each parameter shall include an identifier. 6941 if (CheckParameterNames && 6942 Param->getIdentifier() == 0 && 6943 !Param->isImplicit() && 6944 !getLangOpts().CPlusPlus) 6945 Diag(Param->getLocation(), diag::err_parameter_name_omitted); 6946 6947 // C99 6.7.5.3p12: 6948 // If the function declarator is not part of a definition of that 6949 // function, parameters may have incomplete type and may use the [*] 6950 // notation in their sequences of declarator specifiers to specify 6951 // variable length array types. 6952 QualType PType = Param->getOriginalType(); 6953 while (const ArrayType *AT = Context.getAsArrayType(PType)) { 6954 if (AT->getSizeModifier() == ArrayType::Star) { 6955 // FIXME: This diagnostic should point the '[*]' if source-location 6956 // information is added for it. 6957 Diag(Param->getLocation(), diag::err_array_star_in_function_definition); 6958 break; 6959 } 6960 PType= AT->getElementType(); 6961 } 6962 6963 // MSVC destroys objects passed by value in the callee. Therefore a 6964 // function definition which takes such a parameter must be able to call the 6965 // object's destructor. However, we don't perform any direct access check 6966 // on the dtor. 
6967 if (getLangOpts().CPlusPlus && Context.getTargetInfo() 6968 .getCXXABI() 6969 .areArgsDestroyedLeftToRightInCallee()) { 6970 if (!Param->isInvalidDecl()) { 6971 if (const RecordType *RT = Param->getType()->getAs<RecordType>()) { 6972 CXXRecordDecl *ClassDecl = cast<CXXRecordDecl>(RT->getDecl()); 6973 if (!ClassDecl->isInvalidDecl() && 6974 !ClassDecl->hasIrrelevantDestructor() && 6975 !ClassDecl->isDependentContext()) { 6976 CXXDestructorDecl *Destructor = LookupDestructor(ClassDecl); 6977 MarkFunctionReferenced(Param->getLocation(), Destructor); 6978 DiagnoseUseOfDecl(Destructor, Param->getLocation()); 6979 } 6980 } 6981 } 6982 } 6983 } 6984 6985 return HasInvalidParm; 6986 } 6987 6988 /// CheckCastAlign - Implements -Wcast-align, which warns when a 6989 /// pointer cast increases the alignment requirements. 6990 void Sema::CheckCastAlign(Expr *Op, QualType T, SourceRange TRange) { 6991 // This is actually a lot of work to potentially be doing on every 6992 // cast; don't do it if we're ignoring -Wcast_align (as is the default). 6993 if (getDiagnostics().getDiagnosticLevel(diag::warn_cast_align, 6994 TRange.getBegin()) 6995 == DiagnosticsEngine::Ignored) 6996 return; 6997 6998 // Ignore dependent types. 6999 if (T->isDependentType() || Op->getType()->isDependentType()) 7000 return; 7001 7002 // Require that the destination be a pointer type. 7003 const PointerType *DestPtr = T->getAs<PointerType>(); 7004 if (!DestPtr) return; 7005 7006 // If the destination has alignment 1, we're done. 7007 QualType DestPointee = DestPtr->getPointeeType(); 7008 if (DestPointee->isIncompleteType()) return; 7009 CharUnits DestAlign = Context.getTypeAlignInChars(DestPointee); 7010 if (DestAlign.isOne()) return; 7011 7012 // Require that the source be a pointer type. 7013 const PointerType *SrcPtr = Op->getType()->getAs<PointerType>(); 7014 if (!SrcPtr) return; 7015 QualType SrcPointee = SrcPtr->getPointeeType(); 7016 7017 // Whitelist casts from cv void*. 
We already implicitly 7018 // whitelisted casts to cv void*, since they have alignment 1. 7019 // Also whitelist casts involving incomplete types, which implicitly 7020 // includes 'void'. 7021 if (SrcPointee->isIncompleteType()) return; 7022 7023 CharUnits SrcAlign = Context.getTypeAlignInChars(SrcPointee); 7024 if (SrcAlign >= DestAlign) return; 7025 7026 Diag(TRange.getBegin(), diag::warn_cast_align) 7027 << Op->getType() << T 7028 << static_cast<unsigned>(SrcAlign.getQuantity()) 7029 << static_cast<unsigned>(DestAlign.getQuantity()) 7030 << TRange << Op->getSourceRange(); 7031 } 7032 7033 static const Type* getElementType(const Expr *BaseExpr) { 7034 const Type* EltType = BaseExpr->getType().getTypePtr(); 7035 if (EltType->isAnyPointerType()) 7036 return EltType->getPointeeType().getTypePtr(); 7037 else if (EltType->isArrayType()) 7038 return EltType->getBaseElementTypeUnsafe(); 7039 return EltType; 7040 } 7041 7042 /// \brief Check whether this array fits the idiom of a size-one tail padded 7043 /// array member of a struct. 7044 /// 7045 /// We avoid emitting out-of-bounds access warnings for such arrays as they are 7046 /// commonly used to emulate flexible arrays in C89 code. 7047 static bool IsTailPaddedMemberArray(Sema &S, llvm::APInt Size, 7048 const NamedDecl *ND) { 7049 if (Size != 1 || !ND) return false; 7050 7051 const FieldDecl *FD = dyn_cast<FieldDecl>(ND); 7052 if (!FD) return false; 7053 7054 // Don't consider sizes resulting from macro expansions or template argument 7055 // substitution to form C89 tail-padded arrays. 7056 7057 TypeSourceInfo *TInfo = FD->getTypeSourceInfo(); 7058 while (TInfo) { 7059 TypeLoc TL = TInfo->getTypeLoc(); 7060 // Look through typedefs. 
7061 if (TypedefTypeLoc TTL = TL.getAs<TypedefTypeLoc>()) { 7062 const TypedefNameDecl *TDL = TTL.getTypedefNameDecl(); 7063 TInfo = TDL->getTypeSourceInfo(); 7064 continue; 7065 } 7066 if (ConstantArrayTypeLoc CTL = TL.getAs<ConstantArrayTypeLoc>()) { 7067 const Expr *SizeExpr = dyn_cast<IntegerLiteral>(CTL.getSizeExpr()); 7068 if (!SizeExpr || SizeExpr->getExprLoc().isMacroID()) 7069 return false; 7070 } 7071 break; 7072 } 7073 7074 const RecordDecl *RD = dyn_cast<RecordDecl>(FD->getDeclContext()); 7075 if (!RD) return false; 7076 if (RD->isUnion()) return false; 7077 if (const CXXRecordDecl *CRD = dyn_cast<CXXRecordDecl>(RD)) { 7078 if (!CRD->isStandardLayout()) return false; 7079 } 7080 7081 // See if this is the last field decl in the record. 7082 const Decl *D = FD; 7083 while ((D = D->getNextDeclInContext())) 7084 if (isa<FieldDecl>(D)) 7085 return false; 7086 return true; 7087 } 7088 7089 void Sema::CheckArrayAccess(const Expr *BaseExpr, const Expr *IndexExpr, 7090 const ArraySubscriptExpr *ASE, 7091 bool AllowOnePastEnd, bool IndexNegated) { 7092 IndexExpr = IndexExpr->IgnoreParenImpCasts(); 7093 if (IndexExpr->isValueDependent()) 7094 return; 7095 7096 const Type *EffectiveType = getElementType(BaseExpr); 7097 BaseExpr = BaseExpr->IgnoreParenCasts(); 7098 const ConstantArrayType *ArrayTy = 7099 Context.getAsConstantArrayType(BaseExpr->getType()); 7100 if (!ArrayTy) 7101 return; 7102 7103 llvm::APSInt index; 7104 if (!IndexExpr->EvaluateAsInt(index, Context)) 7105 return; 7106 if (IndexNegated) 7107 index = -index; 7108 7109 const NamedDecl *ND = NULL; 7110 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr)) 7111 ND = dyn_cast<NamedDecl>(DRE->getDecl()); 7112 if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr)) 7113 ND = dyn_cast<NamedDecl>(ME->getMemberDecl()); 7114 7115 if (index.isUnsigned() || !index.isNegative()) { 7116 llvm::APInt size = ArrayTy->getSize(); 7117 if (!size.isStrictlyPositive()) 7118 return; 7119 7120 const Type* 
BaseType = getElementType(BaseExpr); 7121 if (BaseType != EffectiveType) { 7122 // Make sure we're comparing apples to apples when comparing index to size 7123 uint64_t ptrarith_typesize = Context.getTypeSize(EffectiveType); 7124 uint64_t array_typesize = Context.getTypeSize(BaseType); 7125 // Handle ptrarith_typesize being zero, such as when casting to void* 7126 if (!ptrarith_typesize) ptrarith_typesize = 1; 7127 if (ptrarith_typesize != array_typesize) { 7128 // There's a cast to a different size type involved 7129 uint64_t ratio = array_typesize / ptrarith_typesize; 7130 // TODO: Be smarter about handling cases where array_typesize is not a 7131 // multiple of ptrarith_typesize 7132 if (ptrarith_typesize * ratio == array_typesize) 7133 size *= llvm::APInt(size.getBitWidth(), ratio); 7134 } 7135 } 7136 7137 if (size.getBitWidth() > index.getBitWidth()) 7138 index = index.zext(size.getBitWidth()); 7139 else if (size.getBitWidth() < index.getBitWidth()) 7140 size = size.zext(index.getBitWidth()); 7141 7142 // For array subscripting the index must be less than size, but for pointer 7143 // arithmetic also allow the index (offset) to be equal to size since 7144 // computing the next address after the end of the array is legal and 7145 // commonly done e.g. in C++ iterators and range-based for loops. 7146 if (AllowOnePastEnd ? index.ule(size) : index.ult(size)) 7147 return; 7148 7149 // Also don't warn for arrays of size 1 which are members of some 7150 // structure. These are often used to approximate flexible arrays in C89 7151 // code. 7152 if (IsTailPaddedMemberArray(*this, size, ND)) 7153 return; 7154 7155 // Suppress the warning if the subscript expression (as identified by the 7156 // ']' location) and the index expression are both from macro expansions 7157 // within a system header. 
7158 if (ASE) { 7159 SourceLocation RBracketLoc = SourceMgr.getSpellingLoc( 7160 ASE->getRBracketLoc()); 7161 if (SourceMgr.isInSystemHeader(RBracketLoc)) { 7162 SourceLocation IndexLoc = SourceMgr.getSpellingLoc( 7163 IndexExpr->getLocStart()); 7164 if (SourceMgr.isWrittenInSameFile(RBracketLoc, IndexLoc)) 7165 return; 7166 } 7167 } 7168 7169 unsigned DiagID = diag::warn_ptr_arith_exceeds_bounds; 7170 if (ASE) 7171 DiagID = diag::warn_array_index_exceeds_bounds; 7172 7173 DiagRuntimeBehavior(BaseExpr->getLocStart(), BaseExpr, 7174 PDiag(DiagID) << index.toString(10, true) 7175 << size.toString(10, true) 7176 << (unsigned)size.getLimitedValue(~0U) 7177 << IndexExpr->getSourceRange()); 7178 } else { 7179 unsigned DiagID = diag::warn_array_index_precedes_bounds; 7180 if (!ASE) { 7181 DiagID = diag::warn_ptr_arith_precedes_bounds; 7182 if (index.isNegative()) index = -index; 7183 } 7184 7185 DiagRuntimeBehavior(BaseExpr->getLocStart(), BaseExpr, 7186 PDiag(DiagID) << index.toString(10, true) 7187 << IndexExpr->getSourceRange()); 7188 } 7189 7190 if (!ND) { 7191 // Try harder to find a NamedDecl to point at in the note. 
7192 while (const ArraySubscriptExpr *ASE = 7193 dyn_cast<ArraySubscriptExpr>(BaseExpr)) 7194 BaseExpr = ASE->getBase()->IgnoreParenCasts(); 7195 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr)) 7196 ND = dyn_cast<NamedDecl>(DRE->getDecl()); 7197 if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr)) 7198 ND = dyn_cast<NamedDecl>(ME->getMemberDecl()); 7199 } 7200 7201 if (ND) 7202 DiagRuntimeBehavior(ND->getLocStart(), BaseExpr, 7203 PDiag(diag::note_array_index_out_of_bounds) 7204 << ND->getDeclName()); 7205 } 7206 7207 void Sema::CheckArrayAccess(const Expr *expr) { 7208 int AllowOnePastEnd = 0; 7209 while (expr) { 7210 expr = expr->IgnoreParenImpCasts(); 7211 switch (expr->getStmtClass()) { 7212 case Stmt::ArraySubscriptExprClass: { 7213 const ArraySubscriptExpr *ASE = cast<ArraySubscriptExpr>(expr); 7214 CheckArrayAccess(ASE->getBase(), ASE->getIdx(), ASE, 7215 AllowOnePastEnd > 0); 7216 return; 7217 } 7218 case Stmt::UnaryOperatorClass: { 7219 // Only unwrap the * and & unary operators 7220 const UnaryOperator *UO = cast<UnaryOperator>(expr); 7221 expr = UO->getSubExpr(); 7222 switch (UO->getOpcode()) { 7223 case UO_AddrOf: 7224 AllowOnePastEnd++; 7225 break; 7226 case UO_Deref: 7227 AllowOnePastEnd--; 7228 break; 7229 default: 7230 return; 7231 } 7232 break; 7233 } 7234 case Stmt::ConditionalOperatorClass: { 7235 const ConditionalOperator *cond = cast<ConditionalOperator>(expr); 7236 if (const Expr *lhs = cond->getLHS()) 7237 CheckArrayAccess(lhs); 7238 if (const Expr *rhs = cond->getRHS()) 7239 CheckArrayAccess(rhs); 7240 return; 7241 } 7242 default: 7243 return; 7244 } 7245 } 7246 } 7247 7248 //===--- CHECK: Objective-C retain cycles ----------------------------------// 7249 7250 namespace { 7251 struct RetainCycleOwner { 7252 RetainCycleOwner() : Variable(0), Indirect(false) {} 7253 VarDecl *Variable; 7254 SourceRange Range; 7255 SourceLocation Loc; 7256 bool Indirect; 7257 7258 void setLocsFrom(Expr *e) { 7259 Loc = e->getExprLoc(); 7260 
Range = e->getSourceRange(); 7261 } 7262 }; 7263 } 7264 7265 /// Consider whether capturing the given variable can possibly lead to 7266 /// a retain cycle. 7267 static bool considerVariable(VarDecl *var, Expr *ref, RetainCycleOwner &owner) { 7268 // In ARC, it's captured strongly iff the variable has __strong 7269 // lifetime. In MRR, it's captured strongly if the variable is 7270 // __block and has an appropriate type. 7271 if (var->getType().getObjCLifetime() != Qualifiers::OCL_Strong) 7272 return false; 7273 7274 owner.Variable = var; 7275 if (ref) 7276 owner.setLocsFrom(ref); 7277 return true; 7278 } 7279 7280 static bool findRetainCycleOwner(Sema &S, Expr *e, RetainCycleOwner &owner) { 7281 while (true) { 7282 e = e->IgnoreParens(); 7283 if (CastExpr *cast = dyn_cast<CastExpr>(e)) { 7284 switch (cast->getCastKind()) { 7285 case CK_BitCast: 7286 case CK_LValueBitCast: 7287 case CK_LValueToRValue: 7288 case CK_ARCReclaimReturnedObject: 7289 e = cast->getSubExpr(); 7290 continue; 7291 7292 default: 7293 return false; 7294 } 7295 } 7296 7297 if (ObjCIvarRefExpr *ref = dyn_cast<ObjCIvarRefExpr>(e)) { 7298 ObjCIvarDecl *ivar = ref->getDecl(); 7299 if (ivar->getType().getObjCLifetime() != Qualifiers::OCL_Strong) 7300 return false; 7301 7302 // Try to find a retain cycle in the base. 7303 if (!findRetainCycleOwner(S, ref->getBase(), owner)) 7304 return false; 7305 7306 if (ref->isFreeIvar()) owner.setLocsFrom(ref); 7307 owner.Indirect = true; 7308 return true; 7309 } 7310 7311 if (DeclRefExpr *ref = dyn_cast<DeclRefExpr>(e)) { 7312 VarDecl *var = dyn_cast<VarDecl>(ref->getDecl()); 7313 if (!var) return false; 7314 return considerVariable(var, ref, owner); 7315 } 7316 7317 if (MemberExpr *member = dyn_cast<MemberExpr>(e)) { 7318 if (member->isArrow()) return false; 7319 7320 // Don't count this as an indirect ownership. 
7321 e = member->getBase(); 7322 continue; 7323 } 7324 7325 if (PseudoObjectExpr *pseudo = dyn_cast<PseudoObjectExpr>(e)) { 7326 // Only pay attention to pseudo-objects on property references. 7327 ObjCPropertyRefExpr *pre 7328 = dyn_cast<ObjCPropertyRefExpr>(pseudo->getSyntacticForm() 7329 ->IgnoreParens()); 7330 if (!pre) return false; 7331 if (pre->isImplicitProperty()) return false; 7332 ObjCPropertyDecl *property = pre->getExplicitProperty(); 7333 if (!property->isRetaining() && 7334 !(property->getPropertyIvarDecl() && 7335 property->getPropertyIvarDecl()->getType() 7336 .getObjCLifetime() == Qualifiers::OCL_Strong)) 7337 return false; 7338 7339 owner.Indirect = true; 7340 if (pre->isSuperReceiver()) { 7341 owner.Variable = S.getCurMethodDecl()->getSelfDecl(); 7342 if (!owner.Variable) 7343 return false; 7344 owner.Loc = pre->getLocation(); 7345 owner.Range = pre->getSourceRange(); 7346 return true; 7347 } 7348 e = const_cast<Expr*>(cast<OpaqueValueExpr>(pre->getBase()) 7349 ->getSourceExpr()); 7350 continue; 7351 } 7352 7353 // Array ivars? 
7354 7355 return false; 7356 } 7357 } 7358 7359 namespace { 7360 struct FindCaptureVisitor : EvaluatedExprVisitor<FindCaptureVisitor> { 7361 FindCaptureVisitor(ASTContext &Context, VarDecl *variable) 7362 : EvaluatedExprVisitor<FindCaptureVisitor>(Context), 7363 Variable(variable), Capturer(0) {} 7364 7365 VarDecl *Variable; 7366 Expr *Capturer; 7367 7368 void VisitDeclRefExpr(DeclRefExpr *ref) { 7369 if (ref->getDecl() == Variable && !Capturer) 7370 Capturer = ref; 7371 } 7372 7373 void VisitObjCIvarRefExpr(ObjCIvarRefExpr *ref) { 7374 if (Capturer) return; 7375 Visit(ref->getBase()); 7376 if (Capturer && ref->isFreeIvar()) 7377 Capturer = ref; 7378 } 7379 7380 void VisitBlockExpr(BlockExpr *block) { 7381 // Look inside nested blocks 7382 if (block->getBlockDecl()->capturesVariable(Variable)) 7383 Visit(block->getBlockDecl()->getBody()); 7384 } 7385 7386 void VisitOpaqueValueExpr(OpaqueValueExpr *OVE) { 7387 if (Capturer) return; 7388 if (OVE->getSourceExpr()) 7389 Visit(OVE->getSourceExpr()); 7390 } 7391 }; 7392 } 7393 7394 /// Check whether the given argument is a block which captures a 7395 /// variable. 7396 static Expr *findCapturingExpr(Sema &S, Expr *e, RetainCycleOwner &owner) { 7397 assert(owner.Variable && owner.Loc.isValid()); 7398 7399 e = e->IgnoreParenCasts(); 7400 7401 // Look through [^{...} copy] and Block_copy(^{...}). 
7402 if (ObjCMessageExpr *ME = dyn_cast<ObjCMessageExpr>(e)) { 7403 Selector Cmd = ME->getSelector(); 7404 if (Cmd.isUnarySelector() && Cmd.getNameForSlot(0) == "copy") { 7405 e = ME->getInstanceReceiver(); 7406 if (!e) 7407 return 0; 7408 e = e->IgnoreParenCasts(); 7409 } 7410 } else if (CallExpr *CE = dyn_cast<CallExpr>(e)) { 7411 if (CE->getNumArgs() == 1) { 7412 FunctionDecl *Fn = dyn_cast_or_null<FunctionDecl>(CE->getCalleeDecl()); 7413 if (Fn) { 7414 const IdentifierInfo *FnI = Fn->getIdentifier(); 7415 if (FnI && FnI->isStr("_Block_copy")) { 7416 e = CE->getArg(0)->IgnoreParenCasts(); 7417 } 7418 } 7419 } 7420 } 7421 7422 BlockExpr *block = dyn_cast<BlockExpr>(e); 7423 if (!block || !block->getBlockDecl()->capturesVariable(owner.Variable)) 7424 return 0; 7425 7426 FindCaptureVisitor visitor(S.Context, owner.Variable); 7427 visitor.Visit(block->getBlockDecl()->getBody()); 7428 return visitor.Capturer; 7429 } 7430 7431 static void diagnoseRetainCycle(Sema &S, Expr *capturer, 7432 RetainCycleOwner &owner) { 7433 assert(capturer); 7434 assert(owner.Variable && owner.Loc.isValid()); 7435 7436 S.Diag(capturer->getExprLoc(), diag::warn_arc_retain_cycle) 7437 << owner.Variable << capturer->getSourceRange(); 7438 S.Diag(owner.Loc, diag::note_arc_retain_cycle_owner) 7439 << owner.Indirect << owner.Range; 7440 } 7441 7442 /// Check for a keyword selector that starts with the word 'add' or 7443 /// 'set'. 7444 static bool isSetterLikeSelector(Selector sel) { 7445 if (sel.isUnarySelector()) return false; 7446 7447 StringRef str = sel.getNameForSlot(0); 7448 while (!str.empty() && str.front() == '_') str = str.substr(1); 7449 if (str.startswith("set")) 7450 str = str.substr(3); 7451 else if (str.startswith("add")) { 7452 // Specially whitelist 'addOperationWithBlock:'. 
7453 if (sel.getNumArgs() == 1 && str.startswith("addOperationWithBlock")) 7454 return false; 7455 str = str.substr(3); 7456 } 7457 else 7458 return false; 7459 7460 if (str.empty()) return true; 7461 return !isLowercase(str.front()); 7462 } 7463 7464 /// Check a message send to see if it's likely to cause a retain cycle. 7465 void Sema::checkRetainCycles(ObjCMessageExpr *msg) { 7466 // Only check instance methods whose selector looks like a setter. 7467 if (!msg->isInstanceMessage() || !isSetterLikeSelector(msg->getSelector())) 7468 return; 7469 7470 // Try to find a variable that the receiver is strongly owned by. 7471 RetainCycleOwner owner; 7472 if (msg->getReceiverKind() == ObjCMessageExpr::Instance) { 7473 if (!findRetainCycleOwner(*this, msg->getInstanceReceiver(), owner)) 7474 return; 7475 } else { 7476 assert(msg->getReceiverKind() == ObjCMessageExpr::SuperInstance); 7477 owner.Variable = getCurMethodDecl()->getSelfDecl(); 7478 owner.Loc = msg->getSuperLoc(); 7479 owner.Range = msg->getSuperLoc(); 7480 } 7481 7482 // Check whether the receiver is captured by any of the arguments. 7483 for (unsigned i = 0, e = msg->getNumArgs(); i != e; ++i) 7484 if (Expr *capturer = findCapturingExpr(*this, msg->getArg(i), owner)) 7485 return diagnoseRetainCycle(*this, capturer, owner); 7486 } 7487 7488 /// Check a property assign to see if it's likely to cause a retain cycle. 7489 void Sema::checkRetainCycles(Expr *receiver, Expr *argument) { 7490 RetainCycleOwner owner; 7491 if (!findRetainCycleOwner(*this, receiver, owner)) 7492 return; 7493 7494 if (Expr *capturer = findCapturingExpr(*this, argument, owner)) 7495 diagnoseRetainCycle(*this, capturer, owner); 7496 } 7497 7498 void Sema::checkRetainCycles(VarDecl *Var, Expr *Init) { 7499 RetainCycleOwner Owner; 7500 if (!considerVariable(Var, /*DeclRefExpr=*/0, Owner)) 7501 return; 7502 7503 // Because we don't have an expression for the variable, we have to set the 7504 // location explicitly here. 
7505 Owner.Loc = Var->getLocation(); 7506 Owner.Range = Var->getSourceRange(); 7507 7508 if (Expr *Capturer = findCapturingExpr(*this, Init, Owner)) 7509 diagnoseRetainCycle(*this, Capturer, Owner); 7510 } 7511 7512 static bool checkUnsafeAssignLiteral(Sema &S, SourceLocation Loc, 7513 Expr *RHS, bool isProperty) { 7514 // Check if RHS is an Objective-C object literal, which also can get 7515 // immediately zapped in a weak reference. Note that we explicitly 7516 // allow ObjCStringLiterals, since those are designed to never really die. 7517 RHS = RHS->IgnoreParenImpCasts(); 7518 7519 // This enum needs to match with the 'select' in 7520 // warn_objc_arc_literal_assign (off-by-1). 7521 Sema::ObjCLiteralKind Kind = S.CheckLiteralKind(RHS); 7522 if (Kind == Sema::LK_String || Kind == Sema::LK_None) 7523 return false; 7524 7525 S.Diag(Loc, diag::warn_arc_literal_assign) 7526 << (unsigned) Kind 7527 << (isProperty ? 0 : 1) 7528 << RHS->getSourceRange(); 7529 7530 return true; 7531 } 7532 7533 static bool checkUnsafeAssignObject(Sema &S, SourceLocation Loc, 7534 Qualifiers::ObjCLifetime LT, 7535 Expr *RHS, bool isProperty) { 7536 // Strip off any implicit cast added to get to the one ARC-specific. 7537 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) { 7538 if (cast->getCastKind() == CK_ARCConsumeObject) { 7539 S.Diag(Loc, diag::warn_arc_retained_assign) 7540 << (LT == Qualifiers::OCL_ExplicitNone) 7541 << (isProperty ? 
0 : 1) 7542 << RHS->getSourceRange(); 7543 return true; 7544 } 7545 RHS = cast->getSubExpr(); 7546 } 7547 7548 if (LT == Qualifiers::OCL_Weak && 7549 checkUnsafeAssignLiteral(S, Loc, RHS, isProperty)) 7550 return true; 7551 7552 return false; 7553 } 7554 7555 bool Sema::checkUnsafeAssigns(SourceLocation Loc, 7556 QualType LHS, Expr *RHS) { 7557 Qualifiers::ObjCLifetime LT = LHS.getObjCLifetime(); 7558 7559 if (LT != Qualifiers::OCL_Weak && LT != Qualifiers::OCL_ExplicitNone) 7560 return false; 7561 7562 if (checkUnsafeAssignObject(*this, Loc, LT, RHS, false)) 7563 return true; 7564 7565 return false; 7566 } 7567 7568 void Sema::checkUnsafeExprAssigns(SourceLocation Loc, 7569 Expr *LHS, Expr *RHS) { 7570 QualType LHSType; 7571 // PropertyRef on LHS type need be directly obtained from 7572 // its declaration as it has a PseudoType. 7573 ObjCPropertyRefExpr *PRE 7574 = dyn_cast<ObjCPropertyRefExpr>(LHS->IgnoreParens()); 7575 if (PRE && !PRE->isImplicitProperty()) { 7576 const ObjCPropertyDecl *PD = PRE->getExplicitProperty(); 7577 if (PD) 7578 LHSType = PD->getType(); 7579 } 7580 7581 if (LHSType.isNull()) 7582 LHSType = LHS->getType(); 7583 7584 Qualifiers::ObjCLifetime LT = LHSType.getObjCLifetime(); 7585 7586 if (LT == Qualifiers::OCL_Weak) { 7587 DiagnosticsEngine::Level Level = 7588 Diags.getDiagnosticLevel(diag::warn_arc_repeated_use_of_weak, Loc); 7589 if (Level != DiagnosticsEngine::Ignored) 7590 getCurFunction()->markSafeWeakUse(LHS); 7591 } 7592 7593 if (checkUnsafeAssigns(Loc, LHSType, RHS)) 7594 return; 7595 7596 // FIXME. Check for other life times. 
7597 if (LT != Qualifiers::OCL_None) 7598 return; 7599 7600 if (PRE) { 7601 if (PRE->isImplicitProperty()) 7602 return; 7603 const ObjCPropertyDecl *PD = PRE->getExplicitProperty(); 7604 if (!PD) 7605 return; 7606 7607 unsigned Attributes = PD->getPropertyAttributes(); 7608 if (Attributes & ObjCPropertyDecl::OBJC_PR_assign) { 7609 // when 'assign' attribute was not explicitly specified 7610 // by user, ignore it and rely on property type itself 7611 // for lifetime info. 7612 unsigned AsWrittenAttr = PD->getPropertyAttributesAsWritten(); 7613 if (!(AsWrittenAttr & ObjCPropertyDecl::OBJC_PR_assign) && 7614 LHSType->isObjCRetainableType()) 7615 return; 7616 7617 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) { 7618 if (cast->getCastKind() == CK_ARCConsumeObject) { 7619 Diag(Loc, diag::warn_arc_retained_property_assign) 7620 << RHS->getSourceRange(); 7621 return; 7622 } 7623 RHS = cast->getSubExpr(); 7624 } 7625 } 7626 else if (Attributes & ObjCPropertyDecl::OBJC_PR_weak) { 7627 if (checkUnsafeAssignObject(*this, Loc, Qualifiers::OCL_Weak, RHS, true)) 7628 return; 7629 } 7630 } 7631 } 7632 7633 //===--- CHECK: Empty statement body (-Wempty-body) ---------------------===// 7634 7635 namespace { 7636 bool ShouldDiagnoseEmptyStmtBody(const SourceManager &SourceMgr, 7637 SourceLocation StmtLoc, 7638 const NullStmt *Body) { 7639 // Do not warn if the body is a macro that expands to nothing, e.g: 7640 // 7641 // #define CALL(x) 7642 // if (condition) 7643 // CALL(0); 7644 // 7645 if (Body->hasLeadingEmptyMacro()) 7646 return false; 7647 7648 // Get line numbers of statement and body. 
7649 bool StmtLineInvalid; 7650 unsigned StmtLine = SourceMgr.getSpellingLineNumber(StmtLoc, 7651 &StmtLineInvalid); 7652 if (StmtLineInvalid) 7653 return false; 7654 7655 bool BodyLineInvalid; 7656 unsigned BodyLine = SourceMgr.getSpellingLineNumber(Body->getSemiLoc(), 7657 &BodyLineInvalid); 7658 if (BodyLineInvalid) 7659 return false; 7660 7661 // Warn if null statement and body are on the same line. 7662 if (StmtLine != BodyLine) 7663 return false; 7664 7665 return true; 7666 } 7667 } // Unnamed namespace 7668 7669 void Sema::DiagnoseEmptyStmtBody(SourceLocation StmtLoc, 7670 const Stmt *Body, 7671 unsigned DiagID) { 7672 // Since this is a syntactic check, don't emit diagnostic for template 7673 // instantiations, this just adds noise. 7674 if (CurrentInstantiationScope) 7675 return; 7676 7677 // The body should be a null statement. 7678 const NullStmt *NBody = dyn_cast<NullStmt>(Body); 7679 if (!NBody) 7680 return; 7681 7682 // Do the usual checks. 7683 if (!ShouldDiagnoseEmptyStmtBody(SourceMgr, StmtLoc, NBody)) 7684 return; 7685 7686 Diag(NBody->getSemiLoc(), DiagID); 7687 Diag(NBody->getSemiLoc(), diag::note_empty_body_on_separate_line); 7688 } 7689 7690 void Sema::DiagnoseEmptyLoopBody(const Stmt *S, 7691 const Stmt *PossibleBody) { 7692 assert(!CurrentInstantiationScope); // Ensured by caller 7693 7694 SourceLocation StmtLoc; 7695 const Stmt *Body; 7696 unsigned DiagID; 7697 if (const ForStmt *FS = dyn_cast<ForStmt>(S)) { 7698 StmtLoc = FS->getRParenLoc(); 7699 Body = FS->getBody(); 7700 DiagID = diag::warn_empty_for_body; 7701 } else if (const WhileStmt *WS = dyn_cast<WhileStmt>(S)) { 7702 StmtLoc = WS->getCond()->getSourceRange().getEnd(); 7703 Body = WS->getBody(); 7704 DiagID = diag::warn_empty_while_body; 7705 } else 7706 return; // Neither `for' nor `while'. 7707 7708 // The body should be a null statement. 
7709 const NullStmt *NBody = dyn_cast<NullStmt>(Body); 7710 if (!NBody) 7711 return; 7712 7713 // Skip expensive checks if diagnostic is disabled. 7714 if (Diags.getDiagnosticLevel(DiagID, NBody->getSemiLoc()) == 7715 DiagnosticsEngine::Ignored) 7716 return; 7717 7718 // Do the usual checks. 7719 if (!ShouldDiagnoseEmptyStmtBody(SourceMgr, StmtLoc, NBody)) 7720 return; 7721 7722 // `for(...);' and `while(...);' are popular idioms, so in order to keep 7723 // noise level low, emit diagnostics only if for/while is followed by a 7724 // CompoundStmt, e.g.: 7725 // for (int i = 0; i < n; i++); 7726 // { 7727 // a(i); 7728 // } 7729 // or if for/while is followed by a statement with more indentation 7730 // than for/while itself: 7731 // for (int i = 0; i < n; i++); 7732 // a(i); 7733 bool ProbableTypo = isa<CompoundStmt>(PossibleBody); 7734 if (!ProbableTypo) { 7735 bool BodyColInvalid; 7736 unsigned BodyCol = SourceMgr.getPresumedColumnNumber( 7737 PossibleBody->getLocStart(), 7738 &BodyColInvalid); 7739 if (BodyColInvalid) 7740 return; 7741 7742 bool StmtColInvalid; 7743 unsigned StmtCol = SourceMgr.getPresumedColumnNumber( 7744 S->getLocStart(), 7745 &StmtColInvalid); 7746 if (StmtColInvalid) 7747 return; 7748 7749 if (BodyCol > StmtCol) 7750 ProbableTypo = true; 7751 } 7752 7753 if (ProbableTypo) { 7754 Diag(NBody->getSemiLoc(), DiagID); 7755 Diag(NBody->getSemiLoc(), diag::note_empty_body_on_separate_line); 7756 } 7757 } 7758 7759 //===--- Layout compatibility ----------------------------------------------// 7760 7761 namespace { 7762 7763 bool isLayoutCompatible(ASTContext &C, QualType T1, QualType T2); 7764 7765 /// \brief Check if two enumeration types are layout-compatible. 7766 bool isLayoutCompatible(ASTContext &C, EnumDecl *ED1, EnumDecl *ED2) { 7767 // C++11 [dcl.enum] p8: 7768 // Two enumeration types are layout-compatible if they have the same 7769 // underlying type. 
7770 return ED1->isComplete() && ED2->isComplete() && 7771 C.hasSameType(ED1->getIntegerType(), ED2->getIntegerType()); 7772 } 7773 7774 /// \brief Check if two fields are layout-compatible. 7775 bool isLayoutCompatible(ASTContext &C, FieldDecl *Field1, FieldDecl *Field2) { 7776 if (!isLayoutCompatible(C, Field1->getType(), Field2->getType())) 7777 return false; 7778 7779 if (Field1->isBitField() != Field2->isBitField()) 7780 return false; 7781 7782 if (Field1->isBitField()) { 7783 // Make sure that the bit-fields are the same length. 7784 unsigned Bits1 = Field1->getBitWidthValue(C); 7785 unsigned Bits2 = Field2->getBitWidthValue(C); 7786 7787 if (Bits1 != Bits2) 7788 return false; 7789 } 7790 7791 return true; 7792 } 7793 7794 /// \brief Check if two standard-layout structs are layout-compatible. 7795 /// (C++11 [class.mem] p17) 7796 bool isLayoutCompatibleStruct(ASTContext &C, 7797 RecordDecl *RD1, 7798 RecordDecl *RD2) { 7799 // If both records are C++ classes, check that base classes match. 7800 if (const CXXRecordDecl *D1CXX = dyn_cast<CXXRecordDecl>(RD1)) { 7801 // If one of records is a CXXRecordDecl we are in C++ mode, 7802 // thus the other one is a CXXRecordDecl, too. 7803 const CXXRecordDecl *D2CXX = cast<CXXRecordDecl>(RD2); 7804 // Check number of base classes. 7805 if (D1CXX->getNumBases() != D2CXX->getNumBases()) 7806 return false; 7807 7808 // Check the base classes. 7809 for (CXXRecordDecl::base_class_const_iterator 7810 Base1 = D1CXX->bases_begin(), 7811 BaseEnd1 = D1CXX->bases_end(), 7812 Base2 = D2CXX->bases_begin(); 7813 Base1 != BaseEnd1; 7814 ++Base1, ++Base2) { 7815 if (!isLayoutCompatible(C, Base1->getType(), Base2->getType())) 7816 return false; 7817 } 7818 } else if (const CXXRecordDecl *D2CXX = dyn_cast<CXXRecordDecl>(RD2)) { 7819 // If only RD2 is a C++ class, it should have zero base classes. 7820 if (D2CXX->getNumBases() > 0) 7821 return false; 7822 } 7823 7824 // Check the fields. 
7825 RecordDecl::field_iterator Field2 = RD2->field_begin(), 7826 Field2End = RD2->field_end(), 7827 Field1 = RD1->field_begin(), 7828 Field1End = RD1->field_end(); 7829 for ( ; Field1 != Field1End && Field2 != Field2End; ++Field1, ++Field2) { 7830 if (!isLayoutCompatible(C, *Field1, *Field2)) 7831 return false; 7832 } 7833 if (Field1 != Field1End || Field2 != Field2End) 7834 return false; 7835 7836 return true; 7837 } 7838 7839 /// \brief Check if two standard-layout unions are layout-compatible. 7840 /// (C++11 [class.mem] p18) 7841 bool isLayoutCompatibleUnion(ASTContext &C, 7842 RecordDecl *RD1, 7843 RecordDecl *RD2) { 7844 llvm::SmallPtrSet<FieldDecl *, 8> UnmatchedFields; 7845 for (auto *Field2 : RD2->fields()) 7846 UnmatchedFields.insert(Field2); 7847 7848 for (auto *Field1 : RD1->fields()) { 7849 llvm::SmallPtrSet<FieldDecl *, 8>::iterator 7850 I = UnmatchedFields.begin(), 7851 E = UnmatchedFields.end(); 7852 7853 for ( ; I != E; ++I) { 7854 if (isLayoutCompatible(C, Field1, *I)) { 7855 bool Result = UnmatchedFields.erase(*I); 7856 (void) Result; 7857 assert(Result); 7858 break; 7859 } 7860 } 7861 if (I == E) 7862 return false; 7863 } 7864 7865 return UnmatchedFields.empty(); 7866 } 7867 7868 bool isLayoutCompatible(ASTContext &C, RecordDecl *RD1, RecordDecl *RD2) { 7869 if (RD1->isUnion() != RD2->isUnion()) 7870 return false; 7871 7872 if (RD1->isUnion()) 7873 return isLayoutCompatibleUnion(C, RD1, RD2); 7874 else 7875 return isLayoutCompatibleStruct(C, RD1, RD2); 7876 } 7877 7878 /// \brief Check if two types are layout-compatible in C++11 sense. 7879 bool isLayoutCompatible(ASTContext &C, QualType T1, QualType T2) { 7880 if (T1.isNull() || T2.isNull()) 7881 return false; 7882 7883 // C++11 [basic.types] p11: 7884 // If two types T1 and T2 are the same type, then T1 and T2 are 7885 // layout-compatible types. 
7886 if (C.hasSameType(T1, T2)) 7887 return true; 7888 7889 T1 = T1.getCanonicalType().getUnqualifiedType(); 7890 T2 = T2.getCanonicalType().getUnqualifiedType(); 7891 7892 const Type::TypeClass TC1 = T1->getTypeClass(); 7893 const Type::TypeClass TC2 = T2->getTypeClass(); 7894 7895 if (TC1 != TC2) 7896 return false; 7897 7898 if (TC1 == Type::Enum) { 7899 return isLayoutCompatible(C, 7900 cast<EnumType>(T1)->getDecl(), 7901 cast<EnumType>(T2)->getDecl()); 7902 } else if (TC1 == Type::Record) { 7903 if (!T1->isStandardLayoutType() || !T2->isStandardLayoutType()) 7904 return false; 7905 7906 return isLayoutCompatible(C, 7907 cast<RecordType>(T1)->getDecl(), 7908 cast<RecordType>(T2)->getDecl()); 7909 } 7910 7911 return false; 7912 } 7913 } 7914 7915 //===--- CHECK: pointer_with_type_tag attribute: datatypes should match ----// 7916 7917 namespace { 7918 /// \brief Given a type tag expression find the type tag itself. 7919 /// 7920 /// \param TypeExpr Type tag expression, as it appears in user's code. 7921 /// 7922 /// \param VD Declaration of an identifier that appears in a type tag. 7923 /// 7924 /// \param MagicValue Type tag magic value. 
bool FindTypeTagExpr(const Expr *TypeExpr, const ASTContext &Ctx,
                     const ValueDecl **VD, uint64_t *MagicValue) {
  // Peel one wrapper per iteration until a declaration reference or an
  // integer literal is reached. A null expression, or any node kind not
  // handled below, means no type tag was found.
  while (TypeExpr) {
    TypeExpr = TypeExpr->IgnoreParenImpCasts()->IgnoreParenCasts();

    switch (TypeExpr->getStmtClass()) {
    case Stmt::UnaryOperatorClass: {
      // Only the '&' and '*' unary operators are looked through.
      const UnaryOperator *Unary = cast<UnaryOperator>(TypeExpr);
      if (Unary->getOpcode() != UO_AddrOf && Unary->getOpcode() != UO_Deref)
        return false;
      TypeExpr = Unary->getSubExpr();
      break;
    }

    case Stmt::DeclRefExprClass:
      // Only *VD is written on this path; *MagicValue is left untouched.
      *VD = cast<DeclRefExpr>(TypeExpr)->getDecl();
      return true;

    case Stmt::IntegerLiteralClass: {
      // Only *MagicValue is written on this path; *VD is left untouched.
      llvm::APInt Magic = cast<IntegerLiteral>(TypeExpr)->getValue();
      // A literal that needs more than 64 bits is rejected, not truncated.
      if (Magic.getActiveBits() > 64)
        return false;
      *MagicValue = Magic.getZExtValue();
      return true;
    }

    case Stmt::BinaryConditionalOperatorClass:
    case Stmt::ConditionalOperatorClass: {
      // Follow whichever arm the condition selects; give up when the
      // condition cannot be evaluated as a boolean.
      const AbstractConditionalOperator *Cond =
          cast<AbstractConditionalOperator>(TypeExpr);
      bool CondValue;
      if (!Cond->getCond()->EvaluateAsBooleanCondition(CondValue, Ctx))
        return false;
      TypeExpr = CondValue ? Cond->getTrueExpr() : Cond->getFalseExpr();
      break;
    }

    case Stmt::BinaryOperatorClass: {
      // Of the binary operators, only the comma operator is looked through,
      // continuing with its right-hand side.
      const BinaryOperator *Binary = cast<BinaryOperator>(TypeExpr);
      if (Binary->getOpcode() != BO_Comma)
        return false;
      TypeExpr = Binary->getRHS();
      break;
    }

    default:
      return false;
    }
  }

  return false;
}

/// \brief Retrieve the C type corresponding to type tag TypeExpr.
///
/// \param TypeExpr Expression that specifies a type tag.
///
/// \param MagicValues Registered magic values.
///
/// \param FoundWrongKind Set to true if a type tag was found, but of a wrong
/// kind.
///
/// \param TypeInfo Information about the corresponding C type.
///
/// \param ArgumentKind Kind the tag has to belong to; compared against the
/// kind recorded on the tag declaration's attribute, and used as part of the
/// key when looking up a magic value.
///
/// \param Ctx AST context, forwarded to FindTypeTagExpr.
///
/// \returns true if the corresponding C type was found.
bool GetMatchingCType(
        const IdentifierInfo *ArgumentKind,
        const Expr *TypeExpr, const ASTContext &Ctx,
        const llvm::DenseMap<Sema::TypeTagMagicValue,
                             Sema::TypeTagData> *MagicValues,
        bool &FoundWrongKind,
        Sema::TypeTagData &TypeInfo) {
  typedef llvm::DenseMap<Sema::TypeTagMagicValue, Sema::TypeTagData> TagTable;

  FoundWrongKind = false;

  // Declaration carrying the type_tag_for_datatype attribute, when the tag
  // expression names one.
  const ValueDecl *TagDecl = NULL;

  // Written by FindTypeTagExpr only when the tag is an integer literal; it is
  // read below only on the path where TagDecl stayed null.
  uint64_t Magic;

  // A tag that cannot be resolved here produces no diagnostic at all: the
  // caller sees false with FoundWrongKind still false.
  if (!FindTypeTagExpr(TypeExpr, Ctx, &TagDecl, &Magic))
    return false;

  if (TagDecl) {
    TypeTagForDatatypeAttr *TagAttr =
      TagDecl->getAttr<TypeTagForDatatypeAttr>();
    if (!TagAttr)
      return false;

    if (TagAttr->getArgumentKind() != ArgumentKind) {
      FoundWrongKind = true;
      return false;
    }

    TypeInfo.Type = TagAttr->getMatchingCType();
    TypeInfo.LayoutCompatible = TagAttr->getLayoutCompatible();
    TypeInfo.MustBeNull = TagAttr->getMustBeNull();
    return true;
  }

  // Literal tag: it is only meaningful if a table of registered values exists.
  if (!MagicValues)
    return false;

  TagTable::const_iterator Pos =
    MagicValues->find(std::make_pair(ArgumentKind, Magic));
  if (Pos == MagicValues->end())
    return false;

  TypeInfo = Pos->second;
  return true;
}
} // unnamed namespace

/// \brief Record that the pair (ArgumentKind, MagicValue) denotes Type.
///
/// The table is allocated on first use. The entry is stored through
/// operator[], so registering the same pair again replaces the earlier entry
/// without any diagnostic from this function.
void Sema::RegisterTypeTagForDatatype(const IdentifierInfo *ArgumentKind,
                                      uint64_t MagicValue, QualType Type,
                                      bool LayoutCompatible,
                                      bool MustBeNull) {
  if (!TypeTagForDatatypeMagicValues)
    TypeTagForDatatypeMagicValues.reset(
        new llvm::DenseMap<TypeTagMagicValue, TypeTagData>);

  const TypeTagMagicValue Key(ArgumentKind, MagicValue);
  llvm::DenseMap<TypeTagMagicValue, TypeTagData> &Table =
    *TypeTagForDatatypeMagicValues;
  Table[Key] = TypeTagData(Type, LayoutCompatible, MustBeNull);
}

namespace {
/// \brief Returns true if one type is plain char (Char_S or Char_U) and the
/// other is the explicitly signed or unsigned char type of the same
/// signedness. Two identical kinds do not match here; the caller only asks
/// after hasSameType() has already failed.
bool IsSameCharType(QualType T1, QualType T2) {
  const BuiltinType *First = T1->getAs<BuiltinType>();
  if (!First)
    return false;

  const BuiltinType *Second = T2->getAs<BuiltinType>();
  if (!Second)
    return false;

  const BuiltinType::Kind Other = Second->getKind();
  switch (First->getKind()) {
  case BuiltinType::SChar:
    return Other == BuiltinType::Char_S;
  case BuiltinType::UChar:
    return Other == BuiltinType::Char_U;
  case BuiltinType::Char_U:
    return Other == BuiltinType::UChar;
  case BuiltinType::Char_S:
    return Other == BuiltinType::SChar;
  default:
    return false;
  }
}
} // unnamed namespace

/// \brief Check one call argument against the type named by its type tag.
///
/// \param Attr Attribute giving the argument kind, whether the checked
/// argument is a pointer, and the indices of the tag and of the argument.
///
/// \param ExprArgs Argument expressions of the call, indexed by the two
/// indices taken from Attr.
///
/// Only diagnostics are produced here; nothing is returned. The check is
/// skipped without a diagnostic when the tag cannot be resolved and when a
/// pointer argument has type `void *'.
void Sema::CheckArgumentWithTypeTag(const ArgumentWithTypeTagAttr *Attr,
                                    const Expr * const *ExprArgs) {
  const IdentifierInfo *ArgumentKind = Attr->getArgumentKind();
  const bool IsPointerAttr = Attr->getIsPointer();

  // NOTE(review): ExprArgs carries no length, so neither index read from the
  // attribute can be range-checked in this function. Presumably the caller or
  // the attribute handling guarantees both are within the call's argument
  // list -- confirm, in particular for calls with fewer arguments than the
  // indices assume.
  const Expr *TypeTagExpr = ExprArgs[Attr->getTypeTagIdx()];
  bool FoundWrongKind;
  TypeTagData TypeInfo;
  const bool HaveType =
    GetMatchingCType(ArgumentKind, TypeTagExpr, Context,
                     TypeTagForDatatypeMagicValues.get(),
                     FoundWrongKind, TypeInfo);
  if (!HaveType) {
    if (FoundWrongKind)
      Diag(TypeTagExpr->getExprLoc(),
           diag::warn_type_tag_for_datatype_wrong_kind)
        << TypeTagExpr->getSourceRange();
    return;
  }

  const Expr *ArgumentExpr = ExprArgs[Attr->getArgumentIdx()];
  if (IsPointerAttr) {
    // Skip implicit cast of pointer to `void *' (as a function argument), so
    // that the type written by the user is the one that gets compared.
    const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(ArgumentExpr);
    if (ICE && ICE->getType()->isVoidPointerType() &&
        ICE->getCastKind() == CK_BitCast)
      ArgumentExpr = ICE->getSubExpr();
  }
  QualType ArgumentType = ArgumentExpr->getType();

  // Passing a `void*' pointer shouldn't trigger a warning. This also means a
  // buffer that already has type `void *' is never checked against its tag.
  if (IsPointerAttr && ArgumentType->isVoidPointerType())
    return;

  if (TypeInfo.MustBeNull) {
    // Type tag with matching void type requires a null pointer.
    if (!ArgumentExpr->isNullPointerConstant(Context,
                                             Expr::NPC_ValueDependentIsNotNull))
      Diag(ArgumentExpr->getExprLoc(),
           diag::warn_type_safety_null_pointer_required)
        << ArgumentKind->getName()
        << ArgumentExpr->getSourceRange()
        << TypeTagExpr->getSourceRange();
    return;
  }

  QualType RequiredType = TypeInfo.Type;
  if (IsPointerAttr)
    RequiredType = Context.getPointerType(RequiredType);

  bool mismatch;
  if (TypeInfo.LayoutCompatible) {
    // Layout-compatible tags compare pointees for pointer arguments and the
    // types themselves otherwise.
    mismatch = IsPointerAttr
                 ? !isLayoutCompatible(Context,
                                       ArgumentType->getPointeeType(),
                                       RequiredType->getPointeeType())
                 : !isLayoutCompatible(Context, ArgumentType, RequiredType);
  } else {
    mismatch = !Context.hasSameType(ArgumentType, RequiredType);

    // C++11 [basic.fundamental] p1:
    //   Plain char, signed char, and unsigned char are three distinct types.
    //
    // But we treat plain `char' as equivalent to `signed char' or `unsigned
    // char' depending on the current char signedness mode.
    if (mismatch) {
      const bool CharEquivalent =
        IsPointerAttr
          ? IsSameCharType(ArgumentType->getPointeeType(),
                           RequiredType->getPointeeType())
          : IsSameCharType(ArgumentType, RequiredType);
      if (CharEquivalent)
        mismatch = false;
    }
  }

  if (mismatch)
    Diag(ArgumentExpr->getExprLoc(), diag::warn_type_safety_type_mismatch)
        << ArgumentType << ArgumentKind
        << TypeInfo.LayoutCompatible << RequiredType
        << ArgumentExpr->getSourceRange()
        << TypeTagExpr->getSourceRange();
}
