1 //===--- SemaChecking.cpp - Extra Semantic Checking -----------------------===// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file implements extra semantic analysis beyond what is enforced 11 // by the C type system. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "clang/Sema/SemaInternal.h" 16 #include "clang/AST/ASTContext.h" 17 #include "clang/AST/CharUnits.h" 18 #include "clang/AST/DeclCXX.h" 19 #include "clang/AST/DeclObjC.h" 20 #include "clang/AST/EvaluatedExprVisitor.h" 21 #include "clang/AST/Expr.h" 22 #include "clang/AST/ExprCXX.h" 23 #include "clang/AST/ExprObjC.h" 24 #include "clang/AST/StmtCXX.h" 25 #include "clang/AST/StmtObjC.h" 26 #include "clang/Analysis/Analyses/FormatString.h" 27 #include "clang/Basic/CharInfo.h" 28 #include "clang/Basic/TargetBuiltins.h" 29 #include "clang/Basic/TargetInfo.h" 30 #include "clang/Lex/Preprocessor.h" 31 #include "clang/Sema/Initialization.h" 32 #include "clang/Sema/Lookup.h" 33 #include "clang/Sema/ScopeInfo.h" 34 #include "clang/Sema/Sema.h" 35 #include "llvm/ADT/SmallBitVector.h" 36 #include "llvm/ADT/SmallString.h" 37 #include "llvm/ADT/STLExtras.h" 38 #include "llvm/Support/ConvertUTF.h" 39 #include "llvm/Support/raw_ostream.h" 40 #include <limits> 41 using namespace clang; 42 using namespace sema; 43 44 SourceLocation Sema::getLocationOfStringLiteralByte(const StringLiteral *SL, 45 unsigned ByteNo) const { 46 return SL->getLocationOfByte(ByteNo, PP.getSourceManager(), 47 PP.getLangOpts(), PP.getTargetInfo()); 48 } 49 50 /// Checks that a call expression's argument count is the desired number. 51 /// This is useful when doing custom type-checking. Returns true on error. 52 static bool checkArgCount(Sema &S, CallExpr *call, unsigned desiredArgCount) { 53 unsigned argCount = call->getNumArgs(); 54 if (argCount == desiredArgCount) return false; 55 56 if (argCount < desiredArgCount) 57 return S.Diag(call->getLocEnd(), diag::err_typecheck_call_too_few_args) 58 << 0 /*function call*/ << desiredArgCount << argCount 59 << call->getSourceRange(); 60 61 // Highlight all the excess arguments. 62 SourceRange range(call->getArg(desiredArgCount)->getLocStart(), 63 call->getArg(argCount - 1)->getLocEnd()); 64 65 return S.Diag(range.getBegin(), diag::err_typecheck_call_too_many_args) 66 << 0 /*function call*/ << desiredArgCount << argCount 67 << call->getArg(1)->getSourceRange(); 68 } 69 70 /// Check that the first argument to __builtin_annotation is an integer 71 /// and the second argument is a non-wide string literal. 72 static bool SemaBuiltinAnnotation(Sema &S, CallExpr *TheCall) { 73 if (checkArgCount(S, TheCall, 2)) 74 return true; 75 76 // First argument should be an integer. 77 Expr *ValArg = TheCall->getArg(0); 78 QualType Ty = ValArg->getType(); 79 if (!Ty->isIntegerType()) { 80 S.Diag(ValArg->getLocStart(), diag::err_builtin_annotation_first_arg) 81 << ValArg->getSourceRange(); 82 return true; 83 } 84 85 // Second argument should be a constant string. 86 Expr *StrArg = TheCall->getArg(1)->IgnoreParenCasts(); 87 StringLiteral *Literal = dyn_cast<StringLiteral>(StrArg); 88 if (!Literal || !Literal->isAscii()) { 89 S.Diag(StrArg->getLocStart(), diag::err_builtin_annotation_second_arg) 90 << StrArg->getSourceRange(); 91 return true; 92 } 93 94 TheCall->setType(Ty); 95 return false; 96 } 97 98 /// Check that the argument to __builtin_addressof is a glvalue, and set the 99 /// result type to the corresponding pointer type. 100 static bool SemaBuiltinAddressof(Sema &S, CallExpr *TheCall) { 101 if (checkArgCount(S, TheCall, 1)) 102 return true; 103 104 ExprResult Arg(S.Owned(TheCall->getArg(0))); 105 QualType ResultType = S.CheckAddressOfOperand(Arg, TheCall->getLocStart()); 106 if (ResultType.isNull()) 107 return true; 108 109 TheCall->setArg(0, Arg.take()); 110 TheCall->setType(ResultType); 111 return false; 112 } 113 114 ExprResult 115 Sema::CheckBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 116 ExprResult TheCallResult(Owned(TheCall)); 117 118 // Find out if any arguments are required to be integer constant expressions. 119 unsigned ICEArguments = 0; 120 ASTContext::GetBuiltinTypeError Error; 121 Context.GetBuiltinType(BuiltinID, Error, &ICEArguments); 122 if (Error != ASTContext::GE_None) 123 ICEArguments = 0; // Don't diagnose previously diagnosed errors. 124 125 // If any arguments are required to be ICE's, check and diagnose. 126 for (unsigned ArgNo = 0; ICEArguments != 0; ++ArgNo) { 127 // Skip arguments not required to be ICE's. 128 if ((ICEArguments & (1 << ArgNo)) == 0) continue; 129 130 llvm::APSInt Result; 131 if (SemaBuiltinConstantArg(TheCall, ArgNo, Result)) 132 return true; 133 ICEArguments &= ~(1 << ArgNo); 134 } 135 136 switch (BuiltinID) { 137 case Builtin::BI__builtin___CFStringMakeConstantString: 138 assert(TheCall->getNumArgs() == 1 && 139 "Wrong # arguments to builtin CFStringMakeConstantString"); 140 if (CheckObjCString(TheCall->getArg(0))) 141 return ExprError(); 142 break; 143 case Builtin::BI__builtin_stdarg_start: 144 case Builtin::BI__builtin_va_start: 145 if (SemaBuiltinVAStart(TheCall)) 146 return ExprError(); 147 break; 148 case Builtin::BI__builtin_isgreater: 149 case Builtin::BI__builtin_isgreaterequal: 150 case Builtin::BI__builtin_isless: 151 case Builtin::BI__builtin_islessequal: 152 case Builtin::BI__builtin_islessgreater: 153 case Builtin::BI__builtin_isunordered: 154 if (SemaBuiltinUnorderedCompare(TheCall)) 155 return ExprError(); 156 break; 157 case Builtin::BI__builtin_fpclassify: 158 if (SemaBuiltinFPClassification(TheCall, 6)) 159 return ExprError(); 160 break; 161 case Builtin::BI__builtin_isfinite: 162 case Builtin::BI__builtin_isinf: 163 case Builtin::BI__builtin_isinf_sign: 164 case Builtin::BI__builtin_isnan: 165 case Builtin::BI__builtin_isnormal: 166 if (SemaBuiltinFPClassification(TheCall, 1)) 167 return ExprError(); 168 break; 169 case Builtin::BI__builtin_shufflevector: 170 return SemaBuiltinShuffleVector(TheCall); 171 // TheCall will be freed by the smart pointer here, but that's fine, since 172 // SemaBuiltinShuffleVector guts it, but then doesn't release it. 173 case Builtin::BI__builtin_prefetch: 174 if (SemaBuiltinPrefetch(TheCall)) 175 return ExprError(); 176 break; 177 case Builtin::BI__builtin_object_size: 178 if (SemaBuiltinObjectSize(TheCall)) 179 return ExprError(); 180 break; 181 case Builtin::BI__builtin_longjmp: 182 if (SemaBuiltinLongjmp(TheCall)) 183 return ExprError(); 184 break; 185 186 case Builtin::BI__builtin_classify_type: 187 if (checkArgCount(*this, TheCall, 1)) return true; 188 TheCall->setType(Context.IntTy); 189 break; 190 case Builtin::BI__builtin_constant_p: 191 if (checkArgCount(*this, TheCall, 1)) return true; 192 TheCall->setType(Context.IntTy); 193 break; 194 case Builtin::BI__sync_fetch_and_add: 195 case Builtin::BI__sync_fetch_and_add_1: 196 case Builtin::BI__sync_fetch_and_add_2: 197 case Builtin::BI__sync_fetch_and_add_4: 198 case Builtin::BI__sync_fetch_and_add_8: 199 case Builtin::BI__sync_fetch_and_add_16: 200 case Builtin::BI__sync_fetch_and_sub: 201 case Builtin::BI__sync_fetch_and_sub_1: 202 case Builtin::BI__sync_fetch_and_sub_2: 203 case Builtin::BI__sync_fetch_and_sub_4: 204 case Builtin::BI__sync_fetch_and_sub_8: 205 case Builtin::BI__sync_fetch_and_sub_16: 206 case Builtin::BI__sync_fetch_and_or: 207 case Builtin::BI__sync_fetch_and_or_1: 208 case Builtin::BI__sync_fetch_and_or_2: 209 case Builtin::BI__sync_fetch_and_or_4: 210 case Builtin::BI__sync_fetch_and_or_8: 211 case Builtin::BI__sync_fetch_and_or_16: 212 case Builtin::BI__sync_fetch_and_and: 213 case Builtin::BI__sync_fetch_and_and_1: 214 case Builtin::BI__sync_fetch_and_and_2: 215 case Builtin::BI__sync_fetch_and_and_4: 216 case Builtin::BI__sync_fetch_and_and_8: 217 case Builtin::BI__sync_fetch_and_and_16: 218 case Builtin::BI__sync_fetch_and_xor: 219 case Builtin::BI__sync_fetch_and_xor_1: 220 case Builtin::BI__sync_fetch_and_xor_2: 221 case Builtin::BI__sync_fetch_and_xor_4: 222 case Builtin::BI__sync_fetch_and_xor_8: 223 case Builtin::BI__sync_fetch_and_xor_16: 224 case Builtin::BI__sync_add_and_fetch: 225 case Builtin::BI__sync_add_and_fetch_1: 226 case Builtin::BI__sync_add_and_fetch_2: 227 case Builtin::BI__sync_add_and_fetch_4: 228 case Builtin::BI__sync_add_and_fetch_8: 229 case Builtin::BI__sync_add_and_fetch_16: 230 case Builtin::BI__sync_sub_and_fetch: 231 case Builtin::BI__sync_sub_and_fetch_1: 232 case Builtin::BI__sync_sub_and_fetch_2: 233 case Builtin::BI__sync_sub_and_fetch_4: 234 case Builtin::BI__sync_sub_and_fetch_8: 235 case Builtin::BI__sync_sub_and_fetch_16: 236 case Builtin::BI__sync_and_and_fetch: 237 case Builtin::BI__sync_and_and_fetch_1: 238 case Builtin::BI__sync_and_and_fetch_2: 239 case Builtin::BI__sync_and_and_fetch_4: 240 case Builtin::BI__sync_and_and_fetch_8: 241 case Builtin::BI__sync_and_and_fetch_16: 242 case Builtin::BI__sync_or_and_fetch: 243 case Builtin::BI__sync_or_and_fetch_1: 244 case Builtin::BI__sync_or_and_fetch_2: 245 case Builtin::BI__sync_or_and_fetch_4: 246 case Builtin::BI__sync_or_and_fetch_8: 247 case Builtin::BI__sync_or_and_fetch_16: 248 case Builtin::BI__sync_xor_and_fetch: 249 case Builtin::BI__sync_xor_and_fetch_1: 250 case Builtin::BI__sync_xor_and_fetch_2: 251 case Builtin::BI__sync_xor_and_fetch_4: 252 case Builtin::BI__sync_xor_and_fetch_8: 253 case Builtin::BI__sync_xor_and_fetch_16: 254 case Builtin::BI__sync_val_compare_and_swap: 255 case Builtin::BI__sync_val_compare_and_swap_1: 256 case Builtin::BI__sync_val_compare_and_swap_2: 257 case Builtin::BI__sync_val_compare_and_swap_4: 258 case Builtin::BI__sync_val_compare_and_swap_8: 259 case Builtin::BI__sync_val_compare_and_swap_16: 260 case Builtin::BI__sync_bool_compare_and_swap: 261 case Builtin::BI__sync_bool_compare_and_swap_1: 262 case Builtin::BI__sync_bool_compare_and_swap_2: 263 case Builtin::BI__sync_bool_compare_and_swap_4: 264 case Builtin::BI__sync_bool_compare_and_swap_8: 265 case Builtin::BI__sync_bool_compare_and_swap_16: 266 case Builtin::BI__sync_lock_test_and_set: 267 case Builtin::BI__sync_lock_test_and_set_1: 268 case Builtin::BI__sync_lock_test_and_set_2: 269 case Builtin::BI__sync_lock_test_and_set_4: 270 case Builtin::BI__sync_lock_test_and_set_8: 271 case Builtin::BI__sync_lock_test_and_set_16: 272 case Builtin::BI__sync_lock_release: 273 case Builtin::BI__sync_lock_release_1: 274 case Builtin::BI__sync_lock_release_2: 275 case Builtin::BI__sync_lock_release_4: 276 case Builtin::BI__sync_lock_release_8: 277 case Builtin::BI__sync_lock_release_16: 278 case Builtin::BI__sync_swap: 279 case Builtin::BI__sync_swap_1: 280 case Builtin::BI__sync_swap_2: 281 case Builtin::BI__sync_swap_4: 282 case Builtin::BI__sync_swap_8: 283 case Builtin::BI__sync_swap_16: 284 return SemaBuiltinAtomicOverloaded(TheCallResult); 285 #define BUILTIN(ID, TYPE, ATTRS) 286 #define ATOMIC_BUILTIN(ID, TYPE, ATTRS) \ 287 case Builtin::BI##ID: \ 288 return SemaAtomicOpsOverloaded(TheCallResult, AtomicExpr::AO##ID); 289 #include "clang/Basic/Builtins.def" 290 case Builtin::BI__builtin_annotation: 291 if (SemaBuiltinAnnotation(*this, TheCall)) 292 return ExprError(); 293 break; 294 case Builtin::BI__builtin_addressof: 295 if (SemaBuiltinAddressof(*this, TheCall)) 296 return ExprError(); 297 break; 298 } 299 300 // Since the target specific builtins for each arch overlap, only check those 301 // of the arch we are compiling for. 302 if (BuiltinID >= Builtin::FirstTSBuiltin) { 303 switch (Context.getTargetInfo().getTriple().getArch()) { 304 case llvm::Triple::arm: 305 case llvm::Triple::thumb: 306 if (CheckARMBuiltinFunctionCall(BuiltinID, TheCall)) 307 return ExprError(); 308 break; 309 case llvm::Triple::aarch64: 310 if (CheckAArch64BuiltinFunctionCall(BuiltinID, TheCall)) 311 return ExprError(); 312 break; 313 case llvm::Triple::mips: 314 case llvm::Triple::mipsel: 315 case llvm::Triple::mips64: 316 case llvm::Triple::mips64el: 317 if (CheckMipsBuiltinFunctionCall(BuiltinID, TheCall)) 318 return ExprError(); 319 break; 320 default: 321 break; 322 } 323 } 324 325 return TheCallResult; 326 } 327 328 // Get the valid immediate range for the specified NEON type code. 329 static unsigned RFT(unsigned t, bool shift = false) { 330 NeonTypeFlags Type(t); 331 int IsQuad = Type.isQuad(); 332 switch (Type.getEltType()) { 333 case NeonTypeFlags::Int8: 334 case NeonTypeFlags::Poly8: 335 return shift ? 7 : (8 << IsQuad) - 1; 336 case NeonTypeFlags::Int16: 337 case NeonTypeFlags::Poly16: 338 return shift ? 15 : (4 << IsQuad) - 1; 339 case NeonTypeFlags::Int32: 340 return shift ? 31 : (2 << IsQuad) - 1; 341 case NeonTypeFlags::Int64: 342 return shift ? 63 : (1 << IsQuad) - 1; 343 case NeonTypeFlags::Float16: 344 assert(!shift && "cannot shift float types!"); 345 return (4 << IsQuad) - 1; 346 case NeonTypeFlags::Float32: 347 assert(!shift && "cannot shift float types!"); 348 return (2 << IsQuad) - 1; 349 case NeonTypeFlags::Float64: 350 assert(!shift && "cannot shift float types!"); 351 return (1 << IsQuad) - 1; 352 } 353 llvm_unreachable("Invalid NeonTypeFlag!"); 354 } 355 356 /// getNeonEltType - Return the QualType corresponding to the elements of 357 /// the vector type specified by the NeonTypeFlags. This is used to check 358 /// the pointer arguments for Neon load/store intrinsics. 359 static QualType getNeonEltType(NeonTypeFlags Flags, ASTContext &Context) { 360 switch (Flags.getEltType()) { 361 case NeonTypeFlags::Int8: 362 return Flags.isUnsigned() ? Context.UnsignedCharTy : Context.SignedCharTy; 363 case NeonTypeFlags::Int16: 364 return Flags.isUnsigned() ? Context.UnsignedShortTy : Context.ShortTy; 365 case NeonTypeFlags::Int32: 366 return Flags.isUnsigned() ? Context.UnsignedIntTy : Context.IntTy; 367 case NeonTypeFlags::Int64: 368 return Flags.isUnsigned() ? Context.UnsignedLongLongTy : Context.LongLongTy; 369 case NeonTypeFlags::Poly8: 370 return Context.SignedCharTy; 371 case NeonTypeFlags::Poly16: 372 return Context.ShortTy; 373 case NeonTypeFlags::Float16: 374 return Context.UnsignedShortTy; 375 case NeonTypeFlags::Float32: 376 return Context.FloatTy; 377 case NeonTypeFlags::Float64: 378 return Context.DoubleTy; 379 } 380 llvm_unreachable("Invalid NeonTypeFlag!"); 381 } 382 383 bool Sema::CheckAArch64BuiltinFunctionCall(unsigned BuiltinID, 384 CallExpr *TheCall) { 385 386 llvm::APSInt Result; 387 388 uint64_t mask = 0; 389 unsigned TV = 0; 390 int PtrArgNum = -1; 391 bool HasConstPtr = false; 392 switch (BuiltinID) { 393 #define GET_NEON_AARCH64_OVERLOAD_CHECK 394 #include "clang/Basic/arm_neon.inc" 395 #undef GET_NEON_AARCH64_OVERLOAD_CHECK 396 } 397 398 // For NEON intrinsics which are overloaded on vector element type, validate 399 // the immediate which specifies which variant to emit. 400 unsigned ImmArg = TheCall->getNumArgs() - 1; 401 if (mask) { 402 if (SemaBuiltinConstantArg(TheCall, ImmArg, Result)) 403 return true; 404 405 TV = Result.getLimitedValue(64); 406 if ((TV > 63) || (mask & (1ULL << TV)) == 0) 407 return Diag(TheCall->getLocStart(), diag::err_invalid_neon_type_code) 408 << TheCall->getArg(ImmArg)->getSourceRange(); 409 } 410 411 if (PtrArgNum >= 0) { 412 // Check that pointer arguments have the specified type. 413 Expr *Arg = TheCall->getArg(PtrArgNum); 414 if (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Arg)) 415 Arg = ICE->getSubExpr(); 416 ExprResult RHS = DefaultFunctionArrayLvalueConversion(Arg); 417 QualType RHSTy = RHS.get()->getType(); 418 QualType EltTy = getNeonEltType(NeonTypeFlags(TV), Context); 419 if (HasConstPtr) 420 EltTy = EltTy.withConst(); 421 QualType LHSTy = Context.getPointerType(EltTy); 422 AssignConvertType ConvTy; 423 ConvTy = CheckSingleAssignmentConstraints(LHSTy, RHS); 424 if (RHS.isInvalid()) 425 return true; 426 if (DiagnoseAssignmentResult(ConvTy, Arg->getLocStart(), LHSTy, RHSTy, 427 RHS.get(), AA_Assigning)) 428 return true; 429 } 430 431 // For NEON intrinsics which take an immediate value as part of the 432 // instruction, range check them here. 433 unsigned i = 0, l = 0, u = 0; 434 switch (BuiltinID) { 435 default: 436 return false; 437 #define GET_NEON_AARCH64_IMMEDIATE_CHECK 438 #include "clang/Basic/arm_neon.inc" 439 #undef GET_NEON_AARCH64_IMMEDIATE_CHECK 440 } 441 ; 442 443 // We can't check the value of a dependent argument. 444 if (TheCall->getArg(i)->isTypeDependent() || 445 TheCall->getArg(i)->isValueDependent()) 446 return false; 447 448 // Check that the immediate argument is actually a constant. 449 if (SemaBuiltinConstantArg(TheCall, i, Result)) 450 return true; 451 452 // Range check against the upper/lower values for this isntruction. 453 unsigned Val = Result.getZExtValue(); 454 if (Val < l || Val > (u + l)) 455 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 456 << l << u + l << TheCall->getArg(i)->getSourceRange(); 457 458 return false; 459 } 460 461 bool Sema::CheckARMBuiltinExclusiveCall(unsigned BuiltinID, CallExpr *TheCall) { 462 assert((BuiltinID == ARM::BI__builtin_arm_ldrex || 463 BuiltinID == ARM::BI__builtin_arm_strex) && 464 "unexpected ARM builtin"); 465 bool IsLdrex = BuiltinID == ARM::BI__builtin_arm_ldrex; 466 467 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 468 469 // Ensure that we have the proper number of arguments. 470 if (checkArgCount(*this, TheCall, IsLdrex ? 1 : 2)) 471 return true; 472 473 // Inspect the pointer argument of the atomic builtin. This should always be 474 // a pointer type, whose element is an integral scalar or pointer type. 475 // Because it is a pointer type, we don't have to worry about any implicit 476 // casts here. 477 Expr *PointerArg = TheCall->getArg(IsLdrex ? 0 : 1); 478 ExprResult PointerArgRes = DefaultFunctionArrayLvalueConversion(PointerArg); 479 if (PointerArgRes.isInvalid()) 480 return true; 481 PointerArg = PointerArgRes.take(); 482 483 const PointerType *pointerType = PointerArg->getType()->getAs<PointerType>(); 484 if (!pointerType) { 485 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 486 << PointerArg->getType() << PointerArg->getSourceRange(); 487 return true; 488 } 489 490 // ldrex takes a "const volatile T*" and strex takes a "volatile T*". Our next 491 // task is to insert the appropriate casts into the AST. First work out just 492 // what the appropriate type is. 493 QualType ValType = pointerType->getPointeeType(); 494 QualType AddrType = ValType.getUnqualifiedType().withVolatile(); 495 if (IsLdrex) 496 AddrType.addConst(); 497 498 // Issue a warning if the cast is dodgy. 499 CastKind CastNeeded = CK_NoOp; 500 if (!AddrType.isAtLeastAsQualifiedAs(ValType)) { 501 CastNeeded = CK_BitCast; 502 Diag(DRE->getLocStart(), diag::ext_typecheck_convert_discards_qualifiers) 503 << PointerArg->getType() 504 << Context.getPointerType(AddrType) 505 << AA_Passing << PointerArg->getSourceRange(); 506 } 507 508 // Finally, do the cast and replace the argument with the corrected version. 509 AddrType = Context.getPointerType(AddrType); 510 PointerArgRes = ImpCastExprToType(PointerArg, AddrType, CastNeeded); 511 if (PointerArgRes.isInvalid()) 512 return true; 513 PointerArg = PointerArgRes.take(); 514 515 TheCall->setArg(IsLdrex ? 0 : 1, PointerArg); 516 517 // In general, we allow ints, floats and pointers to be loaded and stored. 518 if (!ValType->isIntegerType() && !ValType->isAnyPointerType() && 519 !ValType->isBlockPointerType() && !ValType->isFloatingType()) { 520 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer_intfltptr) 521 << PointerArg->getType() << PointerArg->getSourceRange(); 522 return true; 523 } 524 525 // But ARM doesn't have instructions to deal with 128-bit versions. 526 if (Context.getTypeSize(ValType) > 64) { 527 Diag(DRE->getLocStart(), diag::err_atomic_exclusive_builtin_pointer_size) 528 << PointerArg->getType() << PointerArg->getSourceRange(); 529 return true; 530 } 531 532 switch (ValType.getObjCLifetime()) { 533 case Qualifiers::OCL_None: 534 case Qualifiers::OCL_ExplicitNone: 535 // okay 536 break; 537 538 case Qualifiers::OCL_Weak: 539 case Qualifiers::OCL_Strong: 540 case Qualifiers::OCL_Autoreleasing: 541 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 542 << ValType << PointerArg->getSourceRange(); 543 return true; 544 } 545 546 547 if (IsLdrex) { 548 TheCall->setType(ValType); 549 return false; 550 } 551 552 // Initialize the argument to be stored. 553 ExprResult ValArg = TheCall->getArg(0); 554 InitializedEntity Entity = InitializedEntity::InitializeParameter( 555 Context, ValType, /*consume*/ false); 556 ValArg = PerformCopyInitialization(Entity, SourceLocation(), ValArg); 557 if (ValArg.isInvalid()) 558 return true; 559 560 TheCall->setArg(0, ValArg.get()); 561 return false; 562 } 563 564 bool Sema::CheckARMBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 565 llvm::APSInt Result; 566 567 if (BuiltinID == ARM::BI__builtin_arm_ldrex || 568 BuiltinID == ARM::BI__builtin_arm_strex) { 569 return CheckARMBuiltinExclusiveCall(BuiltinID, TheCall); 570 } 571 572 uint64_t mask = 0; 573 unsigned TV = 0; 574 int PtrArgNum = -1; 575 bool HasConstPtr = false; 576 switch (BuiltinID) { 577 #define GET_NEON_OVERLOAD_CHECK 578 #include "clang/Basic/arm_neon.inc" 579 #undef GET_NEON_OVERLOAD_CHECK 580 } 581 582 // For NEON intrinsics which are overloaded on vector element type, validate 583 // the immediate which specifies which variant to emit. 584 unsigned ImmArg = TheCall->getNumArgs()-1; 585 if (mask) { 586 if (SemaBuiltinConstantArg(TheCall, ImmArg, Result)) 587 return true; 588 589 TV = Result.getLimitedValue(64); 590 if ((TV > 63) || (mask & (1ULL << TV)) == 0) 591 return Diag(TheCall->getLocStart(), diag::err_invalid_neon_type_code) 592 << TheCall->getArg(ImmArg)->getSourceRange(); 593 } 594 595 if (PtrArgNum >= 0) { 596 // Check that pointer arguments have the specified type. 597 Expr *Arg = TheCall->getArg(PtrArgNum); 598 if (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Arg)) 599 Arg = ICE->getSubExpr(); 600 ExprResult RHS = DefaultFunctionArrayLvalueConversion(Arg); 601 QualType RHSTy = RHS.get()->getType(); 602 QualType EltTy = getNeonEltType(NeonTypeFlags(TV), Context); 603 if (HasConstPtr) 604 EltTy = EltTy.withConst(); 605 QualType LHSTy = Context.getPointerType(EltTy); 606 AssignConvertType ConvTy; 607 ConvTy = CheckSingleAssignmentConstraints(LHSTy, RHS); 608 if (RHS.isInvalid()) 609 return true; 610 if (DiagnoseAssignmentResult(ConvTy, Arg->getLocStart(), LHSTy, RHSTy, 611 RHS.get(), AA_Assigning)) 612 return true; 613 } 614 615 // For NEON intrinsics which take an immediate value as part of the 616 // instruction, range check them here. 617 unsigned i = 0, l = 0, u = 0; 618 switch (BuiltinID) { 619 default: return false; 620 case ARM::BI__builtin_arm_ssat: i = 1; l = 1; u = 31; break; 621 case ARM::BI__builtin_arm_usat: i = 1; u = 31; break; 622 case ARM::BI__builtin_arm_vcvtr_f: 623 case ARM::BI__builtin_arm_vcvtr_d: i = 1; u = 1; break; 624 #define GET_NEON_IMMEDIATE_CHECK 625 #include "clang/Basic/arm_neon.inc" 626 #undef GET_NEON_IMMEDIATE_CHECK 627 }; 628 629 // We can't check the value of a dependent argument. 630 if (TheCall->getArg(i)->isTypeDependent() || 631 TheCall->getArg(i)->isValueDependent()) 632 return false; 633 634 // Check that the immediate argument is actually a constant. 635 if (SemaBuiltinConstantArg(TheCall, i, Result)) 636 return true; 637 638 // Range check against the upper/lower values for this isntruction. 639 unsigned Val = Result.getZExtValue(); 640 if (Val < l || Val > (u + l)) 641 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 642 << l << u+l << TheCall->getArg(i)->getSourceRange(); 643 644 // FIXME: VFP Intrinsics should error if VFP not present. 645 return false; 646 } 647 648 bool Sema::CheckMipsBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 649 unsigned i = 0, l = 0, u = 0; 650 switch (BuiltinID) { 651 default: return false; 652 case Mips::BI__builtin_mips_wrdsp: i = 1; l = 0; u = 63; break; 653 case Mips::BI__builtin_mips_rddsp: i = 0; l = 0; u = 63; break; 654 case Mips::BI__builtin_mips_append: i = 2; l = 0; u = 31; break; 655 case Mips::BI__builtin_mips_balign: i = 2; l = 0; u = 3; break; 656 case Mips::BI__builtin_mips_precr_sra_ph_w: i = 2; l = 0; u = 31; break; 657 case Mips::BI__builtin_mips_precr_sra_r_ph_w: i = 2; l = 0; u = 31; break; 658 case Mips::BI__builtin_mips_prepend: i = 2; l = 0; u = 31; break; 659 }; 660 661 // We can't check the value of a dependent argument. 662 if (TheCall->getArg(i)->isTypeDependent() || 663 TheCall->getArg(i)->isValueDependent()) 664 return false; 665 666 // Check that the immediate argument is actually a constant. 667 llvm::APSInt Result; 668 if (SemaBuiltinConstantArg(TheCall, i, Result)) 669 return true; 670 671 // Range check against the upper/lower values for this instruction. 672 unsigned Val = Result.getZExtValue(); 673 if (Val < l || Val > u) 674 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 675 << l << u << TheCall->getArg(i)->getSourceRange(); 676 677 return false; 678 } 679 680 /// Given a FunctionDecl's FormatAttr, attempts to populate the FomatStringInfo 681 /// parameter with the FormatAttr's correct format_idx and firstDataArg. 682 /// Returns true when the format fits the function and the FormatStringInfo has 683 /// been populated. 684 bool Sema::getFormatStringInfo(const FormatAttr *Format, bool IsCXXMember, 685 FormatStringInfo *FSI) { 686 FSI->HasVAListArg = Format->getFirstArg() == 0; 687 FSI->FormatIdx = Format->getFormatIdx() - 1; 688 FSI->FirstDataArg = FSI->HasVAListArg ? 0 : Format->getFirstArg() - 1; 689 690 // The way the format attribute works in GCC, the implicit this argument 691 // of member functions is counted. However, it doesn't appear in our own 692 // lists, so decrement format_idx in that case. 693 if (IsCXXMember) { 694 if(FSI->FormatIdx == 0) 695 return false; 696 --FSI->FormatIdx; 697 if (FSI->FirstDataArg != 0) 698 --FSI->FirstDataArg; 699 } 700 return true; 701 } 702 703 /// Handles the checks for format strings, non-POD arguments to vararg 704 /// functions, and NULL arguments passed to non-NULL parameters. 705 void Sema::checkCall(NamedDecl *FDecl, 706 ArrayRef<const Expr *> Args, 707 unsigned NumProtoArgs, 708 bool IsMemberFunction, 709 SourceLocation Loc, 710 SourceRange Range, 711 VariadicCallType CallType) { 712 // FIXME: We should check as much as we can in the template definition. 713 if (CurContext->isDependentContext()) 714 return; 715 716 // Printf and scanf checking. 717 llvm::SmallBitVector CheckedVarArgs; 718 if (FDecl) { 719 for (specific_attr_iterator<FormatAttr> 720 I = FDecl->specific_attr_begin<FormatAttr>(), 721 E = FDecl->specific_attr_end<FormatAttr>(); 722 I != E; ++I) { 723 // Only create vector if there are format attributes. 724 CheckedVarArgs.resize(Args.size()); 725 726 CheckFormatArguments(*I, Args, IsMemberFunction, CallType, Loc, Range, 727 CheckedVarArgs); 728 } 729 } 730 731 // Refuse POD arguments that weren't caught by the format string 732 // checks above. 733 if (CallType != VariadicDoesNotApply) { 734 for (unsigned ArgIdx = NumProtoArgs; ArgIdx < Args.size(); ++ArgIdx) { 735 // Args[ArgIdx] can be null in malformed code. 736 if (const Expr *Arg = Args[ArgIdx]) { 737 if (CheckedVarArgs.empty() || !CheckedVarArgs[ArgIdx]) 738 checkVariadicArgument(Arg, CallType); 739 } 740 } 741 } 742 743 if (FDecl) { 744 for (specific_attr_iterator<NonNullAttr> 745 I = FDecl->specific_attr_begin<NonNullAttr>(), 746 E = FDecl->specific_attr_end<NonNullAttr>(); I != E; ++I) 747 CheckNonNullArguments(*I, Args.data(), Loc); 748 749 // Type safety checking. 750 for (specific_attr_iterator<ArgumentWithTypeTagAttr> 751 i = FDecl->specific_attr_begin<ArgumentWithTypeTagAttr>(), 752 e = FDecl->specific_attr_end<ArgumentWithTypeTagAttr>(); 753 i != e; ++i) { 754 CheckArgumentWithTypeTag(*i, Args.data()); 755 } 756 } 757 } 758 759 /// CheckConstructorCall - Check a constructor call for correctness and safety 760 /// properties not enforced by the C type system. 761 void Sema::CheckConstructorCall(FunctionDecl *FDecl, 762 ArrayRef<const Expr *> Args, 763 const FunctionProtoType *Proto, 764 SourceLocation Loc) { 765 VariadicCallType CallType = 766 Proto->isVariadic() ? VariadicConstructor : VariadicDoesNotApply; 767 checkCall(FDecl, Args, Proto->getNumArgs(), 768 /*IsMemberFunction=*/true, Loc, SourceRange(), CallType); 769 } 770 771 /// CheckFunctionCall - Check a direct function call for various correctness 772 /// and safety properties not strictly enforced by the C type system. 773 bool Sema::CheckFunctionCall(FunctionDecl *FDecl, CallExpr *TheCall, 774 const FunctionProtoType *Proto) { 775 bool IsMemberOperatorCall = isa<CXXOperatorCallExpr>(TheCall) && 776 isa<CXXMethodDecl>(FDecl); 777 bool IsMemberFunction = isa<CXXMemberCallExpr>(TheCall) || 778 IsMemberOperatorCall; 779 VariadicCallType CallType = getVariadicCallType(FDecl, Proto, 780 TheCall->getCallee()); 781 unsigned NumProtoArgs = Proto ? Proto->getNumArgs() : 0; 782 Expr** Args = TheCall->getArgs(); 783 unsigned NumArgs = TheCall->getNumArgs(); 784 if (IsMemberOperatorCall) { 785 // If this is a call to a member operator, hide the first argument 786 // from checkCall. 787 // FIXME: Our choice of AST representation here is less than ideal. 788 ++Args; 789 --NumArgs; 790 } 791 checkCall(FDecl, llvm::makeArrayRef<const Expr *>(Args, NumArgs), 792 NumProtoArgs, 793 IsMemberFunction, TheCall->getRParenLoc(), 794 TheCall->getCallee()->getSourceRange(), CallType); 795 796 IdentifierInfo *FnInfo = FDecl->getIdentifier(); 797 // None of the checks below are needed for functions that don't have 798 // simple names (e.g., C++ conversion functions). 799 if (!FnInfo) 800 return false; 801 802 unsigned CMId = FDecl->getMemoryFunctionKind(); 803 if (CMId == 0) 804 return false; 805 806 // Handle memory setting and copying functions. 807 if (CMId == Builtin::BIstrlcpy || CMId == Builtin::BIstrlcat) 808 CheckStrlcpycatArguments(TheCall, FnInfo); 809 else if (CMId == Builtin::BIstrncat) 810 CheckStrncatArguments(TheCall, FnInfo); 811 else 812 CheckMemaccessArguments(TheCall, CMId, FnInfo); 813 814 return false; 815 } 816 817 bool Sema::CheckObjCMethodCall(ObjCMethodDecl *Method, SourceLocation lbrac, 818 ArrayRef<const Expr *> Args) { 819 VariadicCallType CallType = 820 Method->isVariadic() ? VariadicMethod : VariadicDoesNotApply; 821 822 checkCall(Method, Args, Method->param_size(), 823 /*IsMemberFunction=*/false, 824 lbrac, Method->getSourceRange(), CallType); 825 826 return false; 827 } 828 829 bool Sema::CheckPointerCall(NamedDecl *NDecl, CallExpr *TheCall, 830 const FunctionProtoType *Proto) { 831 const VarDecl *V = dyn_cast<VarDecl>(NDecl); 832 if (!V) 833 return false; 834 835 QualType Ty = V->getType(); 836 if (!Ty->isBlockPointerType() && !Ty->isFunctionPointerType()) 837 return false; 838 839 VariadicCallType CallType; 840 if (!Proto || !Proto->isVariadic()) { 841 CallType = VariadicDoesNotApply; 842 } else if (Ty->isBlockPointerType()) { 843 CallType = VariadicBlock; 844 } else { // Ty->isFunctionPointerType() 845 CallType = VariadicFunction; 846 } 847 unsigned NumProtoArgs = Proto ? Proto->getNumArgs() : 0; 848 849 checkCall(NDecl, 850 llvm::makeArrayRef<const Expr *>(TheCall->getArgs(), 851 TheCall->getNumArgs()), 852 NumProtoArgs, /*IsMemberFunction=*/false, 853 TheCall->getRParenLoc(), 854 TheCall->getCallee()->getSourceRange(), CallType); 855 856 return false; 857 } 858 859 /// Checks function calls when a FunctionDecl or a NamedDecl is not available, 860 /// such as function pointers returned from functions. 861 bool Sema::CheckOtherCall(CallExpr *TheCall, const FunctionProtoType *Proto) { 862 VariadicCallType CallType = getVariadicCallType(/*FDecl=*/0, Proto, 863 TheCall->getCallee()); 864 unsigned NumProtoArgs = Proto ? Proto->getNumArgs() : 0; 865 866 checkCall(/*FDecl=*/0, 867 llvm::makeArrayRef<const Expr *>(TheCall->getArgs(), 868 TheCall->getNumArgs()), 869 NumProtoArgs, /*IsMemberFunction=*/false, 870 TheCall->getRParenLoc(), 871 TheCall->getCallee()->getSourceRange(), CallType); 872 873 return false; 874 } 875 876 ExprResult Sema::SemaAtomicOpsOverloaded(ExprResult TheCallResult, 877 AtomicExpr::AtomicOp Op) { 878 CallExpr *TheCall = cast<CallExpr>(TheCallResult.get()); 879 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 880 881 // All these operations take one of the following forms: 882 enum { 883 // C __c11_atomic_init(A *, C) 884 Init, 885 // C __c11_atomic_load(A *, int) 886 Load, 887 // void __atomic_load(A *, CP, int) 888 Copy, 889 // C __c11_atomic_add(A *, M, int) 890 Arithmetic, 891 // C __atomic_exchange_n(A *, CP, int) 892 Xchg, 893 // void __atomic_exchange(A *, C *, CP, int) 894 GNUXchg, 895 // bool __c11_atomic_compare_exchange_strong(A *, C *, CP, int, int) 896 C11CmpXchg, 897 // bool __atomic_compare_exchange(A *, C *, CP, bool, int, int) 898 GNUCmpXchg 899 } Form = Init; 900 const unsigned NumArgs[] = { 2, 2, 3, 3, 3, 4, 5, 6 }; 901 const unsigned NumVals[] = { 1, 0, 1, 1, 1, 2, 2, 3 }; 902 // where: 903 // C is an appropriate type, 904 // A is volatile _Atomic(C) for __c11 builtins and is C for GNU builtins, 905 // CP is C for __c11 builtins and GNU _n builtins and is C * otherwise, 906 // M is C if C is an integer, and ptrdiff_t if C is a pointer, and 907 // the int parameters are for orderings. 908 909 assert(AtomicExpr::AO__c11_atomic_init == 0 && 910 AtomicExpr::AO__c11_atomic_fetch_xor + 1 == AtomicExpr::AO__atomic_load 911 && "need to update code for modified C11 atomics"); 912 bool IsC11 = Op >= AtomicExpr::AO__c11_atomic_init && 913 Op <= AtomicExpr::AO__c11_atomic_fetch_xor; 914 bool IsN = Op == AtomicExpr::AO__atomic_load_n || 915 Op == AtomicExpr::AO__atomic_store_n || 916 Op == AtomicExpr::AO__atomic_exchange_n || 917 Op == AtomicExpr::AO__atomic_compare_exchange_n; 918 bool IsAddSub = false; 919 920 switch (Op) { 921 case AtomicExpr::AO__c11_atomic_init: 922 Form = Init; 923 break; 924 925 case AtomicExpr::AO__c11_atomic_load: 926 case AtomicExpr::AO__atomic_load_n: 927 Form = Load; 928 break; 929 930 case AtomicExpr::AO__c11_atomic_store: 931 case AtomicExpr::AO__atomic_load: 932 case AtomicExpr::AO__atomic_store: 933 case AtomicExpr::AO__atomic_store_n: 934 Form = Copy; 935 break; 936 937 case AtomicExpr::AO__c11_atomic_fetch_add: 938 case AtomicExpr::AO__c11_atomic_fetch_sub: 939 case AtomicExpr::AO__atomic_fetch_add: 940 case AtomicExpr::AO__atomic_fetch_sub: 941 case AtomicExpr::AO__atomic_add_fetch: 942 case AtomicExpr::AO__atomic_sub_fetch: 943 IsAddSub = true; 944 // Fall through. 945 case AtomicExpr::AO__c11_atomic_fetch_and: 946 case AtomicExpr::AO__c11_atomic_fetch_or: 947 case AtomicExpr::AO__c11_atomic_fetch_xor: 948 case AtomicExpr::AO__atomic_fetch_and: 949 case AtomicExpr::AO__atomic_fetch_or: 950 case AtomicExpr::AO__atomic_fetch_xor: 951 case AtomicExpr::AO__atomic_fetch_nand: 952 case AtomicExpr::AO__atomic_and_fetch: 953 case AtomicExpr::AO__atomic_or_fetch: 954 case AtomicExpr::AO__atomic_xor_fetch: 955 case AtomicExpr::AO__atomic_nand_fetch: 956 Form = Arithmetic; 957 break; 958 959 case AtomicExpr::AO__c11_atomic_exchange: 960 case AtomicExpr::AO__atomic_exchange_n: 961 Form = Xchg; 962 break; 963 964 case AtomicExpr::AO__atomic_exchange: 965 Form = GNUXchg; 966 break; 967 968 case AtomicExpr::AO__c11_atomic_compare_exchange_strong: 969 case AtomicExpr::AO__c11_atomic_compare_exchange_weak: 970 Form = C11CmpXchg; 971 break; 972 973 case AtomicExpr::AO__atomic_compare_exchange: 974 case AtomicExpr::AO__atomic_compare_exchange_n: 975 Form = GNUCmpXchg; 976 break; 977 } 978 979 // Check we have the right number of arguments. 980 if (TheCall->getNumArgs() < NumArgs[Form]) { 981 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 982 << 0 << NumArgs[Form] << TheCall->getNumArgs() 983 << TheCall->getCallee()->getSourceRange(); 984 return ExprError(); 985 } else if (TheCall->getNumArgs() > NumArgs[Form]) { 986 Diag(TheCall->getArg(NumArgs[Form])->getLocStart(), 987 diag::err_typecheck_call_too_many_args) 988 << 0 << NumArgs[Form] << TheCall->getNumArgs() 989 << TheCall->getCallee()->getSourceRange(); 990 return ExprError(); 991 } 992 993 // Inspect the first argument of the atomic operation. 994 Expr *Ptr = TheCall->getArg(0); 995 Ptr = DefaultFunctionArrayLvalueConversion(Ptr).get(); 996 const PointerType *pointerType = Ptr->getType()->getAs<PointerType>(); 997 if (!pointerType) { 998 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 999 << Ptr->getType() << Ptr->getSourceRange(); 1000 return ExprError(); 1001 } 1002 1003 // For a __c11 builtin, this should be a pointer to an _Atomic type. 1004 QualType AtomTy = pointerType->getPointeeType(); // 'A' 1005 QualType ValType = AtomTy; // 'C' 1006 if (IsC11) { 1007 if (!AtomTy->isAtomicType()) { 1008 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic) 1009 << Ptr->getType() << Ptr->getSourceRange(); 1010 return ExprError(); 1011 } 1012 if (AtomTy.isConstQualified()) { 1013 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_non_const_atomic) 1014 << Ptr->getType() << Ptr->getSourceRange(); 1015 return ExprError(); 1016 } 1017 ValType = AtomTy->getAs<AtomicType>()->getValueType(); 1018 } 1019 1020 // For an arithmetic operation, the implied arithmetic must be well-formed. 1021 if (Form == Arithmetic) { 1022 // gcc does not enforce these rules for GNU atomics, but we do so for sanity. 1023 if (IsAddSub && !ValType->isIntegerType() && !ValType->isPointerType()) { 1024 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic_int_or_ptr) 1025 << IsC11 << Ptr->getType() << Ptr->getSourceRange(); 1026 return ExprError(); 1027 } 1028 if (!IsAddSub && !ValType->isIntegerType()) { 1029 Diag(DRE->getLocStart(), diag::err_atomic_op_bitwise_needs_atomic_int) 1030 << IsC11 << Ptr->getType() << Ptr->getSourceRange(); 1031 return ExprError(); 1032 } 1033 } else if (IsN && !ValType->isIntegerType() && !ValType->isPointerType()) { 1034 // For __atomic_*_n operations, the value type must be a scalar integral or 1035 // pointer type which is 1, 2, 4, 8 or 16 bytes in length. 1036 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic_int_or_ptr) 1037 << IsC11 << Ptr->getType() << Ptr->getSourceRange(); 1038 return ExprError(); 1039 } 1040 1041 if (!IsC11 && !AtomTy.isTriviallyCopyableType(Context) && 1042 !AtomTy->isScalarType()) { 1043 // For GNU atomics, require a trivially-copyable type. This is not part of 1044 // the GNU atomics specification, but we enforce it for sanity. 1045 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_trivial_copy) 1046 << Ptr->getType() << Ptr->getSourceRange(); 1047 return ExprError(); 1048 } 1049 1050 // FIXME: For any builtin other than a load, the ValType must not be 1051 // const-qualified. 1052 1053 switch (ValType.getObjCLifetime()) { 1054 case Qualifiers::OCL_None: 1055 case Qualifiers::OCL_ExplicitNone: 1056 // okay 1057 break; 1058 1059 case Qualifiers::OCL_Weak: 1060 case Qualifiers::OCL_Strong: 1061 case Qualifiers::OCL_Autoreleasing: 1062 // FIXME: Can this happen? By this point, ValType should be known 1063 // to be trivially copyable. 1064 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 1065 << ValType << Ptr->getSourceRange(); 1066 return ExprError(); 1067 } 1068 1069 QualType ResultType = ValType; 1070 if (Form == Copy || Form == GNUXchg || Form == Init) 1071 ResultType = Context.VoidTy; 1072 else if (Form == C11CmpXchg || Form == GNUCmpXchg) 1073 ResultType = Context.BoolTy; 1074 1075 // The type of a parameter passed 'by value'. In the GNU atomics, such 1076 // arguments are actually passed as pointers. 1077 QualType ByValType = ValType; // 'CP' 1078 if (!IsC11 && !IsN) 1079 ByValType = Ptr->getType(); 1080 1081 // The first argument --- the pointer --- has a fixed type; we 1082 // deduce the types of the rest of the arguments accordingly. Walk 1083 // the remaining arguments, converting them to the deduced value type. 1084 for (unsigned i = 1; i != NumArgs[Form]; ++i) { 1085 QualType Ty; 1086 if (i < NumVals[Form] + 1) { 1087 switch (i) { 1088 case 1: 1089 // The second argument is the non-atomic operand. For arithmetic, this 1090 // is always passed by value, and for a compare_exchange it is always 1091 // passed by address. For the rest, GNU uses by-address and C11 uses 1092 // by-value. 1093 assert(Form != Load); 1094 if (Form == Init || (Form == Arithmetic && ValType->isIntegerType())) 1095 Ty = ValType; 1096 else if (Form == Copy || Form == Xchg) 1097 Ty = ByValType; 1098 else if (Form == Arithmetic) 1099 Ty = Context.getPointerDiffType(); 1100 else 1101 Ty = Context.getPointerType(ValType.getUnqualifiedType()); 1102 break; 1103 case 2: 1104 // The third argument to compare_exchange / GNU exchange is a 1105 // (pointer to a) desired value. 1106 Ty = ByValType; 1107 break; 1108 case 3: 1109 // The fourth argument to GNU compare_exchange is a 'weak' flag. 1110 Ty = Context.BoolTy; 1111 break; 1112 } 1113 } else { 1114 // The order(s) are always converted to int. 1115 Ty = Context.IntTy; 1116 } 1117 1118 InitializedEntity Entity = 1119 InitializedEntity::InitializeParameter(Context, Ty, false); 1120 ExprResult Arg = TheCall->getArg(i); 1121 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg); 1122 if (Arg.isInvalid()) 1123 return true; 1124 TheCall->setArg(i, Arg.get()); 1125 } 1126 1127 // Permute the arguments into a 'consistent' order. 1128 SmallVector<Expr*, 5> SubExprs; 1129 SubExprs.push_back(Ptr); 1130 switch (Form) { 1131 case Init: 1132 // Note, AtomicExpr::getVal1() has a special case for this atomic. 1133 SubExprs.push_back(TheCall->getArg(1)); // Val1 1134 break; 1135 case Load: 1136 SubExprs.push_back(TheCall->getArg(1)); // Order 1137 break; 1138 case Copy: 1139 case Arithmetic: 1140 case Xchg: 1141 SubExprs.push_back(TheCall->getArg(2)); // Order 1142 SubExprs.push_back(TheCall->getArg(1)); // Val1 1143 break; 1144 case GNUXchg: 1145 // Note, AtomicExpr::getVal2() has a special case for this atomic. 1146 SubExprs.push_back(TheCall->getArg(3)); // Order 1147 SubExprs.push_back(TheCall->getArg(1)); // Val1 1148 SubExprs.push_back(TheCall->getArg(2)); // Val2 1149 break; 1150 case C11CmpXchg: 1151 SubExprs.push_back(TheCall->getArg(3)); // Order 1152 SubExprs.push_back(TheCall->getArg(1)); // Val1 1153 SubExprs.push_back(TheCall->getArg(4)); // OrderFail 1154 SubExprs.push_back(TheCall->getArg(2)); // Val2 1155 break; 1156 case GNUCmpXchg: 1157 SubExprs.push_back(TheCall->getArg(4)); // Order 1158 SubExprs.push_back(TheCall->getArg(1)); // Val1 1159 SubExprs.push_back(TheCall->getArg(5)); // OrderFail 1160 SubExprs.push_back(TheCall->getArg(2)); // Val2 1161 SubExprs.push_back(TheCall->getArg(3)); // Weak 1162 break; 1163 } 1164 1165 AtomicExpr *AE = new (Context) AtomicExpr(TheCall->getCallee()->getLocStart(), 1166 SubExprs, ResultType, Op, 1167 TheCall->getRParenLoc()); 1168 1169 if ((Op == AtomicExpr::AO__c11_atomic_load || 1170 (Op == AtomicExpr::AO__c11_atomic_store)) && 1171 Context.AtomicUsesUnsupportedLibcall(AE)) 1172 Diag(AE->getLocStart(), diag::err_atomic_load_store_uses_lib) << 1173 ((Op == AtomicExpr::AO__c11_atomic_load) ? 0 : 1); 1174 1175 return Owned(AE); 1176 } 1177 1178 1179 /// checkBuiltinArgument - Given a call to a builtin function, perform 1180 /// normal type-checking on the given argument, updating the call in 1181 /// place. This is useful when a builtin function requires custom 1182 /// type-checking for some of its arguments but not necessarily all of 1183 /// them. 1184 /// 1185 /// Returns true on error. 1186 static bool checkBuiltinArgument(Sema &S, CallExpr *E, unsigned ArgIndex) { 1187 FunctionDecl *Fn = E->getDirectCallee(); 1188 assert(Fn && "builtin call without direct callee!"); 1189 1190 ParmVarDecl *Param = Fn->getParamDecl(ArgIndex); 1191 InitializedEntity Entity = 1192 InitializedEntity::InitializeParameter(S.Context, Param); 1193 1194 ExprResult Arg = E->getArg(0); 1195 Arg = S.PerformCopyInitialization(Entity, SourceLocation(), Arg); 1196 if (Arg.isInvalid()) 1197 return true; 1198 1199 E->setArg(ArgIndex, Arg.take()); 1200 return false; 1201 } 1202 1203 /// SemaBuiltinAtomicOverloaded - We have a call to a function like 1204 /// __sync_fetch_and_add, which is an overloaded function based on the pointer 1205 /// type of its first argument. The main ActOnCallExpr routines have already 1206 /// promoted the types of arguments because all of these calls are prototyped as 1207 /// void(...). 1208 /// 1209 /// This function goes through and does final semantic checking for these 1210 /// builtins, 1211 ExprResult 1212 Sema::SemaBuiltinAtomicOverloaded(ExprResult TheCallResult) { 1213 CallExpr *TheCall = (CallExpr *)TheCallResult.get(); 1214 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 1215 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 1216 1217 // Ensure that we have at least one argument to do type inference from. 1218 if (TheCall->getNumArgs() < 1) { 1219 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 1220 << 0 << 1 << TheCall->getNumArgs() 1221 << TheCall->getCallee()->getSourceRange(); 1222 return ExprError(); 1223 } 1224 1225 // Inspect the first argument of the atomic builtin. This should always be 1226 // a pointer type, whose element is an integral scalar or pointer type. 1227 // Because it is a pointer type, we don't have to worry about any implicit 1228 // casts here. 1229 // FIXME: We don't allow floating point scalars as input. 1230 Expr *FirstArg = TheCall->getArg(0); 1231 ExprResult FirstArgResult = DefaultFunctionArrayLvalueConversion(FirstArg); 1232 if (FirstArgResult.isInvalid()) 1233 return ExprError(); 1234 FirstArg = FirstArgResult.take(); 1235 TheCall->setArg(0, FirstArg); 1236 1237 const PointerType *pointerType = FirstArg->getType()->getAs<PointerType>(); 1238 if (!pointerType) { 1239 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 1240 << FirstArg->getType() << FirstArg->getSourceRange(); 1241 return ExprError(); 1242 } 1243 1244 QualType ValType = pointerType->getPointeeType(); 1245 if (!ValType->isIntegerType() && !ValType->isAnyPointerType() && 1246 !ValType->isBlockPointerType()) { 1247 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer_intptr) 1248 << FirstArg->getType() << FirstArg->getSourceRange(); 1249 return ExprError(); 1250 } 1251 1252 switch (ValType.getObjCLifetime()) { 1253 case Qualifiers::OCL_None: 1254 case Qualifiers::OCL_ExplicitNone: 1255 // okay 1256 break; 1257 1258 case Qualifiers::OCL_Weak: 1259 case Qualifiers::OCL_Strong: 1260 case Qualifiers::OCL_Autoreleasing: 1261 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 1262 << ValType << FirstArg->getSourceRange(); 1263 return ExprError(); 1264 } 1265 1266 // Strip any qualifiers off ValType. 1267 ValType = ValType.getUnqualifiedType(); 1268 1269 // The majority of builtins return a value, but a few have special return 1270 // types, so allow them to override appropriately below. 1271 QualType ResultType = ValType; 1272 1273 // We need to figure out which concrete builtin this maps onto. For example, 1274 // __sync_fetch_and_add with a 2 byte object turns into 1275 // __sync_fetch_and_add_2. 1276 #define BUILTIN_ROW(x) \ 1277 { Builtin::BI##x##_1, Builtin::BI##x##_2, Builtin::BI##x##_4, \ 1278 Builtin::BI##x##_8, Builtin::BI##x##_16 } 1279 1280 static const unsigned BuiltinIndices[][5] = { 1281 BUILTIN_ROW(__sync_fetch_and_add), 1282 BUILTIN_ROW(__sync_fetch_and_sub), 1283 BUILTIN_ROW(__sync_fetch_and_or), 1284 BUILTIN_ROW(__sync_fetch_and_and), 1285 BUILTIN_ROW(__sync_fetch_and_xor), 1286 1287 BUILTIN_ROW(__sync_add_and_fetch), 1288 BUILTIN_ROW(__sync_sub_and_fetch), 1289 BUILTIN_ROW(__sync_and_and_fetch), 1290 BUILTIN_ROW(__sync_or_and_fetch), 1291 BUILTIN_ROW(__sync_xor_and_fetch), 1292 1293 BUILTIN_ROW(__sync_val_compare_and_swap), 1294 BUILTIN_ROW(__sync_bool_compare_and_swap), 1295 BUILTIN_ROW(__sync_lock_test_and_set), 1296 BUILTIN_ROW(__sync_lock_release), 1297 BUILTIN_ROW(__sync_swap) 1298 }; 1299 #undef BUILTIN_ROW 1300 1301 // Determine the index of the size. 1302 unsigned SizeIndex; 1303 switch (Context.getTypeSizeInChars(ValType).getQuantity()) { 1304 case 1: SizeIndex = 0; break; 1305 case 2: SizeIndex = 1; break; 1306 case 4: SizeIndex = 2; break; 1307 case 8: SizeIndex = 3; break; 1308 case 16: SizeIndex = 4; break; 1309 default: 1310 Diag(DRE->getLocStart(), diag::err_atomic_builtin_pointer_size) 1311 << FirstArg->getType() << FirstArg->getSourceRange(); 1312 return ExprError(); 1313 } 1314 1315 // Each of these builtins has one pointer argument, followed by some number of 1316 // values (0, 1 or 2) followed by a potentially empty varags list of stuff 1317 // that we ignore. Find out which row of BuiltinIndices to read from as well 1318 // as the number of fixed args. 1319 unsigned BuiltinID = FDecl->getBuiltinID(); 1320 unsigned BuiltinIndex, NumFixed = 1; 1321 switch (BuiltinID) { 1322 default: llvm_unreachable("Unknown overloaded atomic builtin!"); 1323 case Builtin::BI__sync_fetch_and_add: 1324 case Builtin::BI__sync_fetch_and_add_1: 1325 case Builtin::BI__sync_fetch_and_add_2: 1326 case Builtin::BI__sync_fetch_and_add_4: 1327 case Builtin::BI__sync_fetch_and_add_8: 1328 case Builtin::BI__sync_fetch_and_add_16: 1329 BuiltinIndex = 0; 1330 break; 1331 1332 case Builtin::BI__sync_fetch_and_sub: 1333 case Builtin::BI__sync_fetch_and_sub_1: 1334 case Builtin::BI__sync_fetch_and_sub_2: 1335 case Builtin::BI__sync_fetch_and_sub_4: 1336 case Builtin::BI__sync_fetch_and_sub_8: 1337 case Builtin::BI__sync_fetch_and_sub_16: 1338 BuiltinIndex = 1; 1339 break; 1340 1341 case Builtin::BI__sync_fetch_and_or: 1342 case Builtin::BI__sync_fetch_and_or_1: 1343 case Builtin::BI__sync_fetch_and_or_2: 1344 case Builtin::BI__sync_fetch_and_or_4: 1345 case Builtin::BI__sync_fetch_and_or_8: 1346 case Builtin::BI__sync_fetch_and_or_16: 1347 BuiltinIndex = 2; 1348 break; 1349 1350 case Builtin::BI__sync_fetch_and_and: 1351 case Builtin::BI__sync_fetch_and_and_1: 1352 case Builtin::BI__sync_fetch_and_and_2: 1353 case Builtin::BI__sync_fetch_and_and_4: 1354 case Builtin::BI__sync_fetch_and_and_8: 1355 case Builtin::BI__sync_fetch_and_and_16: 1356 BuiltinIndex = 3; 1357 break; 1358 1359 case Builtin::BI__sync_fetch_and_xor: 1360 case Builtin::BI__sync_fetch_and_xor_1: 1361 case Builtin::BI__sync_fetch_and_xor_2: 1362 case Builtin::BI__sync_fetch_and_xor_4: 1363 case Builtin::BI__sync_fetch_and_xor_8: 1364 case Builtin::BI__sync_fetch_and_xor_16: 1365 BuiltinIndex = 4; 1366 break; 1367 1368 case Builtin::BI__sync_add_and_fetch: 1369 case Builtin::BI__sync_add_and_fetch_1: 1370 case Builtin::BI__sync_add_and_fetch_2: 1371 case Builtin::BI__sync_add_and_fetch_4: 1372 case Builtin::BI__sync_add_and_fetch_8: 1373 case Builtin::BI__sync_add_and_fetch_16: 1374 BuiltinIndex = 5; 1375 break; 1376 1377 case Builtin::BI__sync_sub_and_fetch: 1378 case Builtin::BI__sync_sub_and_fetch_1: 1379 case Builtin::BI__sync_sub_and_fetch_2: 1380 case Builtin::BI__sync_sub_and_fetch_4: 1381 case Builtin::BI__sync_sub_and_fetch_8: 1382 case Builtin::BI__sync_sub_and_fetch_16: 1383 BuiltinIndex = 6; 1384 break; 1385 1386 case Builtin::BI__sync_and_and_fetch: 1387 case Builtin::BI__sync_and_and_fetch_1: 1388 case Builtin::BI__sync_and_and_fetch_2: 1389 case Builtin::BI__sync_and_and_fetch_4: 1390 case Builtin::BI__sync_and_and_fetch_8: 1391 case Builtin::BI__sync_and_and_fetch_16: 1392 BuiltinIndex = 7; 1393 break; 1394 1395 case Builtin::BI__sync_or_and_fetch: 1396 case Builtin::BI__sync_or_and_fetch_1: 1397 case Builtin::BI__sync_or_and_fetch_2: 1398 case Builtin::BI__sync_or_and_fetch_4: 1399 case Builtin::BI__sync_or_and_fetch_8: 1400 case Builtin::BI__sync_or_and_fetch_16: 1401 BuiltinIndex = 8; 1402 break; 1403 1404 case Builtin::BI__sync_xor_and_fetch: 1405 case Builtin::BI__sync_xor_and_fetch_1: 1406 case Builtin::BI__sync_xor_and_fetch_2: 1407 case Builtin::BI__sync_xor_and_fetch_4: 1408 case Builtin::BI__sync_xor_and_fetch_8: 1409 case Builtin::BI__sync_xor_and_fetch_16: 1410 BuiltinIndex = 9; 1411 break; 1412 1413 case Builtin::BI__sync_val_compare_and_swap: 1414 case Builtin::BI__sync_val_compare_and_swap_1: 1415 case Builtin::BI__sync_val_compare_and_swap_2: 1416 case Builtin::BI__sync_val_compare_and_swap_4: 1417 case Builtin::BI__sync_val_compare_and_swap_8: 1418 case Builtin::BI__sync_val_compare_and_swap_16: 1419 BuiltinIndex = 10; 1420 NumFixed = 2; 1421 break; 1422 1423 case Builtin::BI__sync_bool_compare_and_swap: 1424 case Builtin::BI__sync_bool_compare_and_swap_1: 1425 case Builtin::BI__sync_bool_compare_and_swap_2: 1426 case Builtin::BI__sync_bool_compare_and_swap_4: 1427 case Builtin::BI__sync_bool_compare_and_swap_8: 1428 case Builtin::BI__sync_bool_compare_and_swap_16: 1429 BuiltinIndex = 11; 1430 NumFixed = 2; 1431 ResultType = Context.BoolTy; 1432 break; 1433 1434 case Builtin::BI__sync_lock_test_and_set: 1435 case Builtin::BI__sync_lock_test_and_set_1: 1436 case Builtin::BI__sync_lock_test_and_set_2: 1437 case Builtin::BI__sync_lock_test_and_set_4: 1438 case Builtin::BI__sync_lock_test_and_set_8: 1439 case Builtin::BI__sync_lock_test_and_set_16: 1440 BuiltinIndex = 12; 1441 break; 1442 1443 case Builtin::BI__sync_lock_release: 1444 case Builtin::BI__sync_lock_release_1: 1445 case Builtin::BI__sync_lock_release_2: 1446 case Builtin::BI__sync_lock_release_4: 1447 case Builtin::BI__sync_lock_release_8: 1448 case Builtin::BI__sync_lock_release_16: 1449 BuiltinIndex = 13; 1450 NumFixed = 0; 1451 ResultType = Context.VoidTy; 1452 break; 1453 1454 case Builtin::BI__sync_swap: 1455 case Builtin::BI__sync_swap_1: 1456 case Builtin::BI__sync_swap_2: 1457 case Builtin::BI__sync_swap_4: 1458 case Builtin::BI__sync_swap_8: 1459 case Builtin::BI__sync_swap_16: 1460 BuiltinIndex = 14; 1461 break; 1462 } 1463 1464 // Now that we know how many fixed arguments we expect, first check that we 1465 // have at least that many. 1466 if (TheCall->getNumArgs() < 1+NumFixed) { 1467 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 1468 << 0 << 1+NumFixed << TheCall->getNumArgs() 1469 << TheCall->getCallee()->getSourceRange(); 1470 return ExprError(); 1471 } 1472 1473 // Get the decl for the concrete builtin from this, we can tell what the 1474 // concrete integer type we should convert to is. 1475 unsigned NewBuiltinID = BuiltinIndices[BuiltinIndex][SizeIndex]; 1476 const char *NewBuiltinName = Context.BuiltinInfo.GetName(NewBuiltinID); 1477 FunctionDecl *NewBuiltinDecl; 1478 if (NewBuiltinID == BuiltinID) 1479 NewBuiltinDecl = FDecl; 1480 else { 1481 // Perform builtin lookup to avoid redeclaring it. 1482 DeclarationName DN(&Context.Idents.get(NewBuiltinName)); 1483 LookupResult Res(*this, DN, DRE->getLocStart(), LookupOrdinaryName); 1484 LookupName(Res, TUScope, /*AllowBuiltinCreation=*/true); 1485 assert(Res.getFoundDecl()); 1486 NewBuiltinDecl = dyn_cast<FunctionDecl>(Res.getFoundDecl()); 1487 if (NewBuiltinDecl == 0) 1488 return ExprError(); 1489 } 1490 1491 // The first argument --- the pointer --- has a fixed type; we 1492 // deduce the types of the rest of the arguments accordingly. Walk 1493 // the remaining arguments, converting them to the deduced value type. 1494 for (unsigned i = 0; i != NumFixed; ++i) { 1495 ExprResult Arg = TheCall->getArg(i+1); 1496 1497 // GCC does an implicit conversion to the pointer or integer ValType. This 1498 // can fail in some cases (1i -> int**), check for this error case now. 1499 // Initialize the argument. 1500 InitializedEntity Entity = InitializedEntity::InitializeParameter(Context, 1501 ValType, /*consume*/ false); 1502 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg); 1503 if (Arg.isInvalid()) 1504 return ExprError(); 1505 1506 // Okay, we have something that *can* be converted to the right type. Check 1507 // to see if there is a potentially weird extension going on here. This can 1508 // happen when you do an atomic operation on something like an char* and 1509 // pass in 42. The 42 gets converted to char. This is even more strange 1510 // for things like 45.123 -> char, etc. 1511 // FIXME: Do this check. 1512 TheCall->setArg(i+1, Arg.take()); 1513 } 1514 1515 ASTContext& Context = this->getASTContext(); 1516 1517 // Create a new DeclRefExpr to refer to the new decl. 1518 DeclRefExpr* NewDRE = DeclRefExpr::Create( 1519 Context, 1520 DRE->getQualifierLoc(), 1521 SourceLocation(), 1522 NewBuiltinDecl, 1523 /*enclosing*/ false, 1524 DRE->getLocation(), 1525 Context.BuiltinFnTy, 1526 DRE->getValueKind()); 1527 1528 // Set the callee in the CallExpr. 1529 // FIXME: This loses syntactic information. 1530 QualType CalleePtrTy = Context.getPointerType(NewBuiltinDecl->getType()); 1531 ExprResult PromotedCall = ImpCastExprToType(NewDRE, CalleePtrTy, 1532 CK_BuiltinFnToFnPtr); 1533 TheCall->setCallee(PromotedCall.take()); 1534 1535 // Change the result type of the call to match the original value type. This 1536 // is arbitrary, but the codegen for these builtins ins design to handle it 1537 // gracefully. 1538 TheCall->setType(ResultType); 1539 1540 return TheCallResult; 1541 } 1542 1543 /// CheckObjCString - Checks that the argument to the builtin 1544 /// CFString constructor is correct 1545 /// Note: It might also make sense to do the UTF-16 conversion here (would 1546 /// simplify the backend). 1547 bool Sema::CheckObjCString(Expr *Arg) { 1548 Arg = Arg->IgnoreParenCasts(); 1549 StringLiteral *Literal = dyn_cast<StringLiteral>(Arg); 1550 1551 if (!Literal || !Literal->isAscii()) { 1552 Diag(Arg->getLocStart(), diag::err_cfstring_literal_not_string_constant) 1553 << Arg->getSourceRange(); 1554 return true; 1555 } 1556 1557 if (Literal->containsNonAsciiOrNull()) { 1558 StringRef String = Literal->getString(); 1559 unsigned NumBytes = String.size(); 1560 SmallVector<UTF16, 128> ToBuf(NumBytes); 1561 const UTF8 *FromPtr = (const UTF8 *)String.data(); 1562 UTF16 *ToPtr = &ToBuf[0]; 1563 1564 ConversionResult Result = ConvertUTF8toUTF16(&FromPtr, FromPtr + NumBytes, 1565 &ToPtr, ToPtr + NumBytes, 1566 strictConversion); 1567 // Check for conversion failure. 1568 if (Result != conversionOK) 1569 Diag(Arg->getLocStart(), 1570 diag::warn_cfstring_truncated) << Arg->getSourceRange(); 1571 } 1572 return false; 1573 } 1574 1575 /// SemaBuiltinVAStart - Check the arguments to __builtin_va_start for validity. 1576 /// Emit an error and return true on failure, return false on success. 1577 bool Sema::SemaBuiltinVAStart(CallExpr *TheCall) { 1578 Expr *Fn = TheCall->getCallee(); 1579 if (TheCall->getNumArgs() > 2) { 1580 Diag(TheCall->getArg(2)->getLocStart(), 1581 diag::err_typecheck_call_too_many_args) 1582 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 1583 << Fn->getSourceRange() 1584 << SourceRange(TheCall->getArg(2)->getLocStart(), 1585 (*(TheCall->arg_end()-1))->getLocEnd()); 1586 return true; 1587 } 1588 1589 if (TheCall->getNumArgs() < 2) { 1590 return Diag(TheCall->getLocEnd(), 1591 diag::err_typecheck_call_too_few_args_at_least) 1592 << 0 /*function call*/ << 2 << TheCall->getNumArgs(); 1593 } 1594 1595 // Type-check the first argument normally. 1596 if (checkBuiltinArgument(*this, TheCall, 0)) 1597 return true; 1598 1599 // Determine whether the current function is variadic or not. 1600 BlockScopeInfo *CurBlock = getCurBlock(); 1601 bool isVariadic; 1602 if (CurBlock) 1603 isVariadic = CurBlock->TheDecl->isVariadic(); 1604 else if (FunctionDecl *FD = getCurFunctionDecl()) 1605 isVariadic = FD->isVariadic(); 1606 else 1607 isVariadic = getCurMethodDecl()->isVariadic(); 1608 1609 if (!isVariadic) { 1610 Diag(Fn->getLocStart(), diag::err_va_start_used_in_non_variadic_function); 1611 return true; 1612 } 1613 1614 // Verify that the second argument to the builtin is the last argument of the 1615 // current function or method. 1616 bool SecondArgIsLastNamedArgument = false; 1617 const Expr *Arg = TheCall->getArg(1)->IgnoreParenCasts(); 1618 1619 // These are valid if SecondArgIsLastNamedArgument is false after the next 1620 // block. 1621 QualType Type; 1622 SourceLocation ParamLoc; 1623 1624 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Arg)) { 1625 if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(DR->getDecl())) { 1626 // FIXME: This isn't correct for methods (results in bogus warning). 1627 // Get the last formal in the current function. 1628 const ParmVarDecl *LastArg; 1629 if (CurBlock) 1630 LastArg = *(CurBlock->TheDecl->param_end()-1); 1631 else if (FunctionDecl *FD = getCurFunctionDecl()) 1632 LastArg = *(FD->param_end()-1); 1633 else 1634 LastArg = *(getCurMethodDecl()->param_end()-1); 1635 SecondArgIsLastNamedArgument = PV == LastArg; 1636 1637 Type = PV->getType(); 1638 ParamLoc = PV->getLocation(); 1639 } 1640 } 1641 1642 if (!SecondArgIsLastNamedArgument) 1643 Diag(TheCall->getArg(1)->getLocStart(), 1644 diag::warn_second_parameter_of_va_start_not_last_named_argument); 1645 else if (Type->isReferenceType()) { 1646 Diag(Arg->getLocStart(), 1647 diag::warn_va_start_of_reference_type_is_undefined); 1648 Diag(ParamLoc, diag::note_parameter_type) << Type; 1649 } 1650 1651 return false; 1652 } 1653 1654 /// SemaBuiltinUnorderedCompare - Handle functions like __builtin_isgreater and 1655 /// friends. This is declared to take (...), so we have to check everything. 1656 bool Sema::SemaBuiltinUnorderedCompare(CallExpr *TheCall) { 1657 if (TheCall->getNumArgs() < 2) 1658 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 1659 << 0 << 2 << TheCall->getNumArgs()/*function call*/; 1660 if (TheCall->getNumArgs() > 2) 1661 return Diag(TheCall->getArg(2)->getLocStart(), 1662 diag::err_typecheck_call_too_many_args) 1663 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 1664 << SourceRange(TheCall->getArg(2)->getLocStart(), 1665 (*(TheCall->arg_end()-1))->getLocEnd()); 1666 1667 ExprResult OrigArg0 = TheCall->getArg(0); 1668 ExprResult OrigArg1 = TheCall->getArg(1); 1669 1670 // Do standard promotions between the two arguments, returning their common 1671 // type. 1672 QualType Res = UsualArithmeticConversions(OrigArg0, OrigArg1, false); 1673 if (OrigArg0.isInvalid() || OrigArg1.isInvalid()) 1674 return true; 1675 1676 // Make sure any conversions are pushed back into the call; this is 1677 // type safe since unordered compare builtins are declared as "_Bool 1678 // foo(...)". 1679 TheCall->setArg(0, OrigArg0.get()); 1680 TheCall->setArg(1, OrigArg1.get()); 1681 1682 if (OrigArg0.get()->isTypeDependent() || OrigArg1.get()->isTypeDependent()) 1683 return false; 1684 1685 // If the common type isn't a real floating type, then the arguments were 1686 // invalid for this operation. 1687 if (Res.isNull() || !Res->isRealFloatingType()) 1688 return Diag(OrigArg0.get()->getLocStart(), 1689 diag::err_typecheck_call_invalid_ordered_compare) 1690 << OrigArg0.get()->getType() << OrigArg1.get()->getType() 1691 << SourceRange(OrigArg0.get()->getLocStart(), OrigArg1.get()->getLocEnd()); 1692 1693 return false; 1694 } 1695 1696 /// SemaBuiltinSemaBuiltinFPClassification - Handle functions like 1697 /// __builtin_isnan and friends. This is declared to take (...), so we have 1698 /// to check everything. We expect the last argument to be a floating point 1699 /// value. 1700 bool Sema::SemaBuiltinFPClassification(CallExpr *TheCall, unsigned NumArgs) { 1701 if (TheCall->getNumArgs() < NumArgs) 1702 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 1703 << 0 << NumArgs << TheCall->getNumArgs()/*function call*/; 1704 if (TheCall->getNumArgs() > NumArgs) 1705 return Diag(TheCall->getArg(NumArgs)->getLocStart(), 1706 diag::err_typecheck_call_too_many_args) 1707 << 0 /*function call*/ << NumArgs << TheCall->getNumArgs() 1708 << SourceRange(TheCall->getArg(NumArgs)->getLocStart(), 1709 (*(TheCall->arg_end()-1))->getLocEnd()); 1710 1711 Expr *OrigArg = TheCall->getArg(NumArgs-1); 1712 1713 if (OrigArg->isTypeDependent()) 1714 return false; 1715 1716 // This operation requires a non-_Complex floating-point number. 1717 if (!OrigArg->getType()->isRealFloatingType()) 1718 return Diag(OrigArg->getLocStart(), 1719 diag::err_typecheck_call_invalid_unary_fp) 1720 << OrigArg->getType() << OrigArg->getSourceRange(); 1721 1722 // If this is an implicit conversion from float -> double, remove it. 1723 if (ImplicitCastExpr *Cast = dyn_cast<ImplicitCastExpr>(OrigArg)) { 1724 Expr *CastArg = Cast->getSubExpr(); 1725 if (CastArg->getType()->isSpecificBuiltinType(BuiltinType::Float)) { 1726 assert(Cast->getType()->isSpecificBuiltinType(BuiltinType::Double) && 1727 "promotion from float to double is the only expected cast here"); 1728 Cast->setSubExpr(0); 1729 TheCall->setArg(NumArgs-1, CastArg); 1730 } 1731 } 1732 1733 return false; 1734 } 1735 1736 /// SemaBuiltinShuffleVector - Handle __builtin_shufflevector. 1737 // This is declared to take (...), so we have to check everything. 1738 ExprResult Sema::SemaBuiltinShuffleVector(CallExpr *TheCall) { 1739 if (TheCall->getNumArgs() < 2) 1740 return ExprError(Diag(TheCall->getLocEnd(), 1741 diag::err_typecheck_call_too_few_args_at_least) 1742 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 1743 << TheCall->getSourceRange()); 1744 1745 // Determine which of the following types of shufflevector we're checking: 1746 // 1) unary, vector mask: (lhs, mask) 1747 // 2) binary, vector mask: (lhs, rhs, mask) 1748 // 3) binary, scalar mask: (lhs, rhs, index, ..., index) 1749 QualType resType = TheCall->getArg(0)->getType(); 1750 unsigned numElements = 0; 1751 1752 if (!TheCall->getArg(0)->isTypeDependent() && 1753 !TheCall->getArg(1)->isTypeDependent()) { 1754 QualType LHSType = TheCall->getArg(0)->getType(); 1755 QualType RHSType = TheCall->getArg(1)->getType(); 1756 1757 if (!LHSType->isVectorType() || !RHSType->isVectorType()) 1758 return ExprError(Diag(TheCall->getLocStart(), 1759 diag::err_shufflevector_non_vector) 1760 << SourceRange(TheCall->getArg(0)->getLocStart(), 1761 TheCall->getArg(1)->getLocEnd())); 1762 1763 numElements = LHSType->getAs<VectorType>()->getNumElements(); 1764 unsigned numResElements = TheCall->getNumArgs() - 2; 1765 1766 // Check to see if we have a call with 2 vector arguments, the unary shuffle 1767 // with mask. If so, verify that RHS is an integer vector type with the 1768 // same number of elts as lhs. 1769 if (TheCall->getNumArgs() == 2) { 1770 if (!RHSType->hasIntegerRepresentation() || 1771 RHSType->getAs<VectorType>()->getNumElements() != numElements) 1772 return ExprError(Diag(TheCall->getLocStart(), 1773 diag::err_shufflevector_incompatible_vector) 1774 << SourceRange(TheCall->getArg(1)->getLocStart(), 1775 TheCall->getArg(1)->getLocEnd())); 1776 } else if (!Context.hasSameUnqualifiedType(LHSType, RHSType)) { 1777 return ExprError(Diag(TheCall->getLocStart(), 1778 diag::err_shufflevector_incompatible_vector) 1779 << SourceRange(TheCall->getArg(0)->getLocStart(), 1780 TheCall->getArg(1)->getLocEnd())); 1781 } else if (numElements != numResElements) { 1782 QualType eltType = LHSType->getAs<VectorType>()->getElementType(); 1783 resType = Context.getVectorType(eltType, numResElements, 1784 VectorType::GenericVector); 1785 } 1786 } 1787 1788 for (unsigned i = 2; i < TheCall->getNumArgs(); i++) { 1789 if (TheCall->getArg(i)->isTypeDependent() || 1790 TheCall->getArg(i)->isValueDependent()) 1791 continue; 1792 1793 llvm::APSInt Result(32); 1794 if (!TheCall->getArg(i)->isIntegerConstantExpr(Result, Context)) 1795 return ExprError(Diag(TheCall->getLocStart(), 1796 diag::err_shufflevector_nonconstant_argument) 1797 << TheCall->getArg(i)->getSourceRange()); 1798 1799 // Allow -1 which will be translated to undef in the IR. 1800 if (Result.isSigned() && Result.isAllOnesValue()) 1801 continue; 1802 1803 if (Result.getActiveBits() > 64 || Result.getZExtValue() >= numElements*2) 1804 return ExprError(Diag(TheCall->getLocStart(), 1805 diag::err_shufflevector_argument_too_large) 1806 << TheCall->getArg(i)->getSourceRange()); 1807 } 1808 1809 SmallVector<Expr*, 32> exprs; 1810 1811 for (unsigned i = 0, e = TheCall->getNumArgs(); i != e; i++) { 1812 exprs.push_back(TheCall->getArg(i)); 1813 TheCall->setArg(i, 0); 1814 } 1815 1816 return Owned(new (Context) ShuffleVectorExpr(Context, exprs, resType, 1817 TheCall->getCallee()->getLocStart(), 1818 TheCall->getRParenLoc())); 1819 } 1820 1821 /// SemaConvertVectorExpr - Handle __builtin_convertvector 1822 ExprResult Sema::SemaConvertVectorExpr(Expr *E, TypeSourceInfo *TInfo, 1823 SourceLocation BuiltinLoc, 1824 SourceLocation RParenLoc) { 1825 ExprValueKind VK = VK_RValue; 1826 ExprObjectKind OK = OK_Ordinary; 1827 QualType DstTy = TInfo->getType(); 1828 QualType SrcTy = E->getType(); 1829 1830 if (!SrcTy->isVectorType() && !SrcTy->isDependentType()) 1831 return ExprError(Diag(BuiltinLoc, 1832 diag::err_convertvector_non_vector) 1833 << E->getSourceRange()); 1834 if (!DstTy->isVectorType() && !DstTy->isDependentType()) 1835 return ExprError(Diag(BuiltinLoc, 1836 diag::err_convertvector_non_vector_type)); 1837 1838 if (!SrcTy->isDependentType() && !DstTy->isDependentType()) { 1839 unsigned SrcElts = SrcTy->getAs<VectorType>()->getNumElements(); 1840 unsigned DstElts = DstTy->getAs<VectorType>()->getNumElements(); 1841 if (SrcElts != DstElts) 1842 return ExprError(Diag(BuiltinLoc, 1843 diag::err_convertvector_incompatible_vector) 1844 << E->getSourceRange()); 1845 } 1846 1847 return Owned(new (Context) ConvertVectorExpr(E, TInfo, DstTy, VK, OK, 1848 BuiltinLoc, RParenLoc)); 1849 1850 } 1851 1852 /// SemaBuiltinPrefetch - Handle __builtin_prefetch. 1853 // This is declared to take (const void*, ...) and can take two 1854 // optional constant int args. 1855 bool Sema::SemaBuiltinPrefetch(CallExpr *TheCall) { 1856 unsigned NumArgs = TheCall->getNumArgs(); 1857 1858 if (NumArgs > 3) 1859 return Diag(TheCall->getLocEnd(), 1860 diag::err_typecheck_call_too_many_args_at_most) 1861 << 0 /*function call*/ << 3 << NumArgs 1862 << TheCall->getSourceRange(); 1863 1864 // Argument 0 is checked for us and the remaining arguments must be 1865 // constant integers. 1866 for (unsigned i = 1; i != NumArgs; ++i) { 1867 Expr *Arg = TheCall->getArg(i); 1868 1869 // We can't check the value of a dependent argument. 1870 if (Arg->isTypeDependent() || Arg->isValueDependent()) 1871 continue; 1872 1873 llvm::APSInt Result; 1874 if (SemaBuiltinConstantArg(TheCall, i, Result)) 1875 return true; 1876 1877 // FIXME: gcc issues a warning and rewrites these to 0. These 1878 // seems especially odd for the third argument since the default 1879 // is 3. 1880 if (i == 1) { 1881 if (Result.getLimitedValue() > 1) 1882 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 1883 << "0" << "1" << Arg->getSourceRange(); 1884 } else { 1885 if (Result.getLimitedValue() > 3) 1886 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 1887 << "0" << "3" << Arg->getSourceRange(); 1888 } 1889 } 1890 1891 return false; 1892 } 1893 1894 /// SemaBuiltinConstantArg - Handle a check if argument ArgNum of CallExpr 1895 /// TheCall is a constant expression. 1896 bool Sema::SemaBuiltinConstantArg(CallExpr *TheCall, int ArgNum, 1897 llvm::APSInt &Result) { 1898 Expr *Arg = TheCall->getArg(ArgNum); 1899 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 1900 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 1901 1902 if (Arg->isTypeDependent() || Arg->isValueDependent()) return false; 1903 1904 if (!Arg->isIntegerConstantExpr(Result, Context)) 1905 return Diag(TheCall->getLocStart(), diag::err_constant_integer_arg_type) 1906 << FDecl->getDeclName() << Arg->getSourceRange(); 1907 1908 return false; 1909 } 1910 1911 /// SemaBuiltinObjectSize - Handle __builtin_object_size(void *ptr, 1912 /// int type). This simply type checks that type is one of the defined 1913 /// constants (0-3). 1914 // For compatibility check 0-3, llvm only handles 0 and 2. 1915 bool Sema::SemaBuiltinObjectSize(CallExpr *TheCall) { 1916 llvm::APSInt Result; 1917 1918 // We can't check the value of a dependent argument. 1919 if (TheCall->getArg(1)->isTypeDependent() || 1920 TheCall->getArg(1)->isValueDependent()) 1921 return false; 1922 1923 // Check constant-ness first. 1924 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 1925 return true; 1926 1927 Expr *Arg = TheCall->getArg(1); 1928 if (Result.getSExtValue() < 0 || Result.getSExtValue() > 3) { 1929 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 1930 << "0" << "3" << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 1931 } 1932 1933 return false; 1934 } 1935 1936 /// SemaBuiltinLongjmp - Handle __builtin_longjmp(void *env[5], int val). 1937 /// This checks that val is a constant 1. 1938 bool Sema::SemaBuiltinLongjmp(CallExpr *TheCall) { 1939 Expr *Arg = TheCall->getArg(1); 1940 llvm::APSInt Result; 1941 1942 // TODO: This is less than ideal. Overload this to take a value. 1943 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 1944 return true; 1945 1946 if (Result != 1) 1947 return Diag(TheCall->getLocStart(), diag::err_builtin_longjmp_invalid_val) 1948 << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 1949 1950 return false; 1951 } 1952 1953 namespace { 1954 enum StringLiteralCheckType { 1955 SLCT_NotALiteral, 1956 SLCT_UncheckedLiteral, 1957 SLCT_CheckedLiteral 1958 }; 1959 } 1960 1961 // Determine if an expression is a string literal or constant string. 1962 // If this function returns false on the arguments to a function expecting a 1963 // format string, we will usually need to emit a warning. 1964 // True string literals are then checked by CheckFormatString. 1965 static StringLiteralCheckType 1966 checkFormatStringExpr(Sema &S, const Expr *E, ArrayRef<const Expr *> Args, 1967 bool HasVAListArg, unsigned format_idx, 1968 unsigned firstDataArg, Sema::FormatStringType Type, 1969 Sema::VariadicCallType CallType, bool InFunctionCall, 1970 llvm::SmallBitVector &CheckedVarArgs) { 1971 tryAgain: 1972 if (E->isTypeDependent() || E->isValueDependent()) 1973 return SLCT_NotALiteral; 1974 1975 E = E->IgnoreParenCasts(); 1976 1977 if (E->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNotNull)) 1978 // Technically -Wformat-nonliteral does not warn about this case. 1979 // The behavior of printf and friends in this case is implementation 1980 // dependent. Ideally if the format string cannot be null then 1981 // it should have a 'nonnull' attribute in the function prototype. 1982 return SLCT_UncheckedLiteral; 1983 1984 switch (E->getStmtClass()) { 1985 case Stmt::BinaryConditionalOperatorClass: 1986 case Stmt::ConditionalOperatorClass: { 1987 // The expression is a literal if both sub-expressions were, and it was 1988 // completely checked only if both sub-expressions were checked. 1989 const AbstractConditionalOperator *C = 1990 cast<AbstractConditionalOperator>(E); 1991 StringLiteralCheckType Left = 1992 checkFormatStringExpr(S, C->getTrueExpr(), Args, 1993 HasVAListArg, format_idx, firstDataArg, 1994 Type, CallType, InFunctionCall, CheckedVarArgs); 1995 if (Left == SLCT_NotALiteral) 1996 return SLCT_NotALiteral; 1997 StringLiteralCheckType Right = 1998 checkFormatStringExpr(S, C->getFalseExpr(), Args, 1999 HasVAListArg, format_idx, firstDataArg, 2000 Type, CallType, InFunctionCall, CheckedVarArgs); 2001 return Left < Right ? Left : Right; 2002 } 2003 2004 case Stmt::ImplicitCastExprClass: { 2005 E = cast<ImplicitCastExpr>(E)->getSubExpr(); 2006 goto tryAgain; 2007 } 2008 2009 case Stmt::OpaqueValueExprClass: 2010 if (const Expr *src = cast<OpaqueValueExpr>(E)->getSourceExpr()) { 2011 E = src; 2012 goto tryAgain; 2013 } 2014 return SLCT_NotALiteral; 2015 2016 case Stmt::PredefinedExprClass: 2017 // While __func__, etc., are technically not string literals, they 2018 // cannot contain format specifiers and thus are not a security 2019 // liability. 2020 return SLCT_UncheckedLiteral; 2021 2022 case Stmt::DeclRefExprClass: { 2023 const DeclRefExpr *DR = cast<DeclRefExpr>(E); 2024 2025 // As an exception, do not flag errors for variables binding to 2026 // const string literals. 2027 if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) { 2028 bool isConstant = false; 2029 QualType T = DR->getType(); 2030 2031 if (const ArrayType *AT = S.Context.getAsArrayType(T)) { 2032 isConstant = AT->getElementType().isConstant(S.Context); 2033 } else if (const PointerType *PT = T->getAs<PointerType>()) { 2034 isConstant = T.isConstant(S.Context) && 2035 PT->getPointeeType().isConstant(S.Context); 2036 } else if (T->isObjCObjectPointerType()) { 2037 // In ObjC, there is usually no "const ObjectPointer" type, 2038 // so don't check if the pointee type is constant. 2039 isConstant = T.isConstant(S.Context); 2040 } 2041 2042 if (isConstant) { 2043 if (const Expr *Init = VD->getAnyInitializer()) { 2044 // Look through initializers like const char c[] = { "foo" } 2045 if (const InitListExpr *InitList = dyn_cast<InitListExpr>(Init)) { 2046 if (InitList->isStringLiteralInit()) 2047 Init = InitList->getInit(0)->IgnoreParenImpCasts(); 2048 } 2049 return checkFormatStringExpr(S, Init, Args, 2050 HasVAListArg, format_idx, 2051 firstDataArg, Type, CallType, 2052 /*InFunctionCall*/false, CheckedVarArgs); 2053 } 2054 } 2055 2056 // For vprintf* functions (i.e., HasVAListArg==true), we add a 2057 // special check to see if the format string is a function parameter 2058 // of the function calling the printf function. If the function 2059 // has an attribute indicating it is a printf-like function, then we 2060 // should suppress warnings concerning non-literals being used in a call 2061 // to a vprintf function. For example: 2062 // 2063 // void 2064 // logmessage(char const *fmt __attribute__ (format (printf, 1, 2)), ...){ 2065 // va_list ap; 2066 // va_start(ap, fmt); 2067 // vprintf(fmt, ap); // Do NOT emit a warning about "fmt". 2068 // ... 2069 // } 2070 if (HasVAListArg) { 2071 if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(VD)) { 2072 if (const NamedDecl *ND = dyn_cast<NamedDecl>(PV->getDeclContext())) { 2073 int PVIndex = PV->getFunctionScopeIndex() + 1; 2074 for (specific_attr_iterator<FormatAttr> 2075 i = ND->specific_attr_begin<FormatAttr>(), 2076 e = ND->specific_attr_end<FormatAttr>(); i != e ; ++i) { 2077 FormatAttr *PVFormat = *i; 2078 // adjust for implicit parameter 2079 if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(ND)) 2080 if (MD->isInstance()) 2081 ++PVIndex; 2082 // We also check if the formats are compatible. 2083 // We can't pass a 'scanf' string to a 'printf' function. 2084 if (PVIndex == PVFormat->getFormatIdx() && 2085 Type == S.GetFormatStringType(PVFormat)) 2086 return SLCT_UncheckedLiteral; 2087 } 2088 } 2089 } 2090 } 2091 } 2092 2093 return SLCT_NotALiteral; 2094 } 2095 2096 case Stmt::CallExprClass: 2097 case Stmt::CXXMemberCallExprClass: { 2098 const CallExpr *CE = cast<CallExpr>(E); 2099 if (const NamedDecl *ND = dyn_cast_or_null<NamedDecl>(CE->getCalleeDecl())) { 2100 if (const FormatArgAttr *FA = ND->getAttr<FormatArgAttr>()) { 2101 unsigned ArgIndex = FA->getFormatIdx(); 2102 if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(ND)) 2103 if (MD->isInstance()) 2104 --ArgIndex; 2105 const Expr *Arg = CE->getArg(ArgIndex - 1); 2106 2107 return checkFormatStringExpr(S, Arg, Args, 2108 HasVAListArg, format_idx, firstDataArg, 2109 Type, CallType, InFunctionCall, 2110 CheckedVarArgs); 2111 } else if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(ND)) { 2112 unsigned BuiltinID = FD->getBuiltinID(); 2113 if (BuiltinID == Builtin::BI__builtin___CFStringMakeConstantString || 2114 BuiltinID == Builtin::BI__builtin___NSStringMakeConstantString) { 2115 const Expr *Arg = CE->getArg(0); 2116 return checkFormatStringExpr(S, Arg, Args, 2117 HasVAListArg, format_idx, 2118 firstDataArg, Type, CallType, 2119 InFunctionCall, CheckedVarArgs); 2120 } 2121 } 2122 } 2123 2124 return SLCT_NotALiteral; 2125 } 2126 2127 case Stmt::ObjCMessageExprClass: { 2128 const ObjCMessageExpr *ME = cast<ObjCMessageExpr>(E); 2129 if (const ObjCMethodDecl *MDecl = ME->getMethodDecl()) { 2130 if (const NamedDecl *ND = dyn_cast<NamedDecl>(MDecl)) { 2131 if (const FormatArgAttr *FA = ND->getAttr<FormatArgAttr>()) { 2132 unsigned ArgIndex = FA->getFormatIdx(); 2133 if (ArgIndex <= ME->getNumArgs()) { 2134 const Expr *Arg = ME->getArg(ArgIndex-1); 2135 return checkFormatStringExpr(S, Arg, Args, 2136 HasVAListArg, format_idx, 2137 firstDataArg, Type, CallType, 2138 InFunctionCall, CheckedVarArgs); 2139 } 2140 } 2141 } 2142 } 2143 2144 return SLCT_NotALiteral; 2145 } 2146 2147 case Stmt::ObjCStringLiteralClass: 2148 case Stmt::StringLiteralClass: { 2149 const StringLiteral *StrE = NULL; 2150 2151 if (const ObjCStringLiteral *ObjCFExpr = dyn_cast<ObjCStringLiteral>(E)) 2152 StrE = ObjCFExpr->getString(); 2153 else 2154 StrE = cast<StringLiteral>(E); 2155 2156 if (StrE) { 2157 S.CheckFormatString(StrE, E, Args, HasVAListArg, format_idx, firstDataArg, 2158 Type, InFunctionCall, CallType, CheckedVarArgs); 2159 return SLCT_CheckedLiteral; 2160 } 2161 2162 return SLCT_NotALiteral; 2163 } 2164 2165 default: 2166 return SLCT_NotALiteral; 2167 } 2168 } 2169 2170 void 2171 Sema::CheckNonNullArguments(const NonNullAttr *NonNull, 2172 const Expr * const *ExprArgs, 2173 SourceLocation CallSiteLoc) { 2174 for (NonNullAttr::args_iterator i = NonNull->args_begin(), 2175 e = NonNull->args_end(); 2176 i != e; ++i) { 2177 const Expr *ArgExpr = ExprArgs[*i]; 2178 2179 // As a special case, transparent unions initialized with zero are 2180 // considered null for the purposes of the nonnull attribute. 2181 if (const RecordType *UT = ArgExpr->getType()->getAsUnionType()) { 2182 if (UT->getDecl()->hasAttr<TransparentUnionAttr>()) 2183 if (const CompoundLiteralExpr *CLE = 2184 dyn_cast<CompoundLiteralExpr>(ArgExpr)) 2185 if (const InitListExpr *ILE = 2186 dyn_cast<InitListExpr>(CLE->getInitializer())) 2187 ArgExpr = ILE->getInit(0); 2188 } 2189 2190 bool Result; 2191 if (ArgExpr->EvaluateAsBooleanCondition(Result, Context) && !Result) 2192 Diag(CallSiteLoc, diag::warn_null_arg) << ArgExpr->getSourceRange(); 2193 } 2194 } 2195 2196 Sema::FormatStringType Sema::GetFormatStringType(const FormatAttr *Format) { 2197 return llvm::StringSwitch<FormatStringType>(Format->getType()->getName()) 2198 .Case("scanf", FST_Scanf) 2199 .Cases("printf", "printf0", FST_Printf) 2200 .Cases("NSString", "CFString", FST_NSString) 2201 .Case("strftime", FST_Strftime) 2202 .Case("strfmon", FST_Strfmon) 2203 .Cases("kprintf", "cmn_err", "vcmn_err", "zcmn_err", FST_Kprintf) 2204 .Default(FST_Unknown); 2205 } 2206 2207 /// CheckFormatArguments - Check calls to printf and scanf (and similar 2208 /// functions) for correct use of format strings. 2209 /// Returns true if a format string has been fully checked. 2210 bool Sema::CheckFormatArguments(const FormatAttr *Format, 2211 ArrayRef<const Expr *> Args, 2212 bool IsCXXMember, 2213 VariadicCallType CallType, 2214 SourceLocation Loc, SourceRange Range, 2215 llvm::SmallBitVector &CheckedVarArgs) { 2216 FormatStringInfo FSI; 2217 if (getFormatStringInfo(Format, IsCXXMember, &FSI)) 2218 return CheckFormatArguments(Args, FSI.HasVAListArg, FSI.FormatIdx, 2219 FSI.FirstDataArg, GetFormatStringType(Format), 2220 CallType, Loc, Range, CheckedVarArgs); 2221 return false; 2222 } 2223 2224 bool Sema::CheckFormatArguments(ArrayRef<const Expr *> Args, 2225 bool HasVAListArg, unsigned format_idx, 2226 unsigned firstDataArg, FormatStringType Type, 2227 VariadicCallType CallType, 2228 SourceLocation Loc, SourceRange Range, 2229 llvm::SmallBitVector &CheckedVarArgs) { 2230 // CHECK: printf/scanf-like function is called with no format string. 2231 if (format_idx >= Args.size()) { 2232 Diag(Loc, diag::warn_missing_format_string) << Range; 2233 return false; 2234 } 2235 2236 const Expr *OrigFormatExpr = Args[format_idx]->IgnoreParenCasts(); 2237 2238 // CHECK: format string is not a string literal. 2239 // 2240 // Dynamically generated format strings are difficult to 2241 // automatically vet at compile time. Requiring that format strings 2242 // are string literals: (1) permits the checking of format strings by 2243 // the compiler and thereby (2) can practically remove the source of 2244 // many format string exploits. 2245 2246 // Format string can be either ObjC string (e.g. @"%d") or 2247 // C string (e.g. "%d") 2248 // ObjC string uses the same format specifiers as C string, so we can use 2249 // the same format string checking logic for both ObjC and C strings. 2250 StringLiteralCheckType CT = 2251 checkFormatStringExpr(*this, OrigFormatExpr, Args, HasVAListArg, 2252 format_idx, firstDataArg, Type, CallType, 2253 /*IsFunctionCall*/true, CheckedVarArgs); 2254 if (CT != SLCT_NotALiteral) 2255 // Literal format string found, check done! 2256 return CT == SLCT_CheckedLiteral; 2257 2258 // Strftime is particular as it always uses a single 'time' argument, 2259 // so it is safe to pass a non-literal string. 2260 if (Type == FST_Strftime) 2261 return false; 2262 2263 // Do not emit diag when the string param is a macro expansion and the 2264 // format is either NSString or CFString. This is a hack to prevent 2265 // diag when using the NSLocalizedString and CFCopyLocalizedString macros 2266 // which are usually used in place of NS and CF string literals. 2267 if (Type == FST_NSString && 2268 SourceMgr.isInSystemMacro(Args[format_idx]->getLocStart())) 2269 return false; 2270 2271 // If there are no arguments specified, warn with -Wformat-security, otherwise 2272 // warn only with -Wformat-nonliteral. 2273 if (Args.size() == firstDataArg) 2274 Diag(Args[format_idx]->getLocStart(), 2275 diag::warn_format_nonliteral_noargs) 2276 << OrigFormatExpr->getSourceRange(); 2277 else 2278 Diag(Args[format_idx]->getLocStart(), 2279 diag::warn_format_nonliteral) 2280 << OrigFormatExpr->getSourceRange(); 2281 return false; 2282 } 2283 2284 namespace { 2285 class CheckFormatHandler : public analyze_format_string::FormatStringHandler { 2286 protected: 2287 Sema &S; 2288 const StringLiteral *FExpr; 2289 const Expr *OrigFormatExpr; 2290 const unsigned FirstDataArg; 2291 const unsigned NumDataArgs; 2292 const char *Beg; // Start of format string. 2293 const bool HasVAListArg; 2294 ArrayRef<const Expr *> Args; 2295 unsigned FormatIdx; 2296 llvm::SmallBitVector CoveredArgs; 2297 bool usesPositionalArgs; 2298 bool atFirstArg; 2299 bool inFunctionCall; 2300 Sema::VariadicCallType CallType; 2301 llvm::SmallBitVector &CheckedVarArgs; 2302 public: 2303 CheckFormatHandler(Sema &s, const StringLiteral *fexpr, 2304 const Expr *origFormatExpr, unsigned firstDataArg, 2305 unsigned numDataArgs, const char *beg, bool hasVAListArg, 2306 ArrayRef<const Expr *> Args, 2307 unsigned formatIdx, bool inFunctionCall, 2308 Sema::VariadicCallType callType, 2309 llvm::SmallBitVector &CheckedVarArgs) 2310 : S(s), FExpr(fexpr), OrigFormatExpr(origFormatExpr), 2311 FirstDataArg(firstDataArg), NumDataArgs(numDataArgs), 2312 Beg(beg), HasVAListArg(hasVAListArg), 2313 Args(Args), FormatIdx(formatIdx), 2314 usesPositionalArgs(false), atFirstArg(true), 2315 inFunctionCall(inFunctionCall), CallType(callType), 2316 CheckedVarArgs(CheckedVarArgs) { 2317 CoveredArgs.resize(numDataArgs); 2318 CoveredArgs.reset(); 2319 } 2320 2321 void DoneProcessing(); 2322 2323 void HandleIncompleteSpecifier(const char *startSpecifier, 2324 unsigned specifierLen); 2325 2326 void HandleInvalidLengthModifier( 2327 const analyze_format_string::FormatSpecifier &FS, 2328 const analyze_format_string::ConversionSpecifier &CS, 2329 const char *startSpecifier, unsigned specifierLen, unsigned DiagID); 2330 2331 void HandleNonStandardLengthModifier( 2332 const analyze_format_string::FormatSpecifier &FS, 2333 const char *startSpecifier, unsigned specifierLen); 2334 2335 void HandleNonStandardConversionSpecifier( 2336 const analyze_format_string::ConversionSpecifier &CS, 2337 const char *startSpecifier, unsigned specifierLen); 2338 2339 virtual void HandlePosition(const char *startPos, unsigned posLen); 2340 2341 virtual void HandleInvalidPosition(const char *startSpecifier, 2342 unsigned specifierLen, 2343 analyze_format_string::PositionContext p); 2344 2345 virtual void HandleZeroPosition(const char *startPos, unsigned posLen); 2346 2347 void HandleNullChar(const char *nullCharacter); 2348 2349 template <typename Range> 2350 static void EmitFormatDiagnostic(Sema &S, bool inFunctionCall, 2351 const Expr *ArgumentExpr, 2352 PartialDiagnostic PDiag, 2353 SourceLocation StringLoc, 2354 bool IsStringLocation, Range StringRange, 2355 ArrayRef<FixItHint> Fixit = None); 2356 2357 protected: 2358 bool HandleInvalidConversionSpecifier(unsigned argIndex, SourceLocation Loc, 2359 const char *startSpec, 2360 unsigned specifierLen, 2361 const char *csStart, unsigned csLen); 2362 2363 void HandlePositionalNonpositionalArgs(SourceLocation Loc, 2364 const char *startSpec, 2365 unsigned specifierLen); 2366 2367 SourceRange getFormatStringRange(); 2368 CharSourceRange getSpecifierRange(const char *startSpecifier, 2369 unsigned specifierLen); 2370 SourceLocation getLocationOfByte(const char *x); 2371 2372 const Expr *getDataArg(unsigned i) const; 2373 2374 bool CheckNumArgs(const analyze_format_string::FormatSpecifier &FS, 2375 const analyze_format_string::ConversionSpecifier &CS, 2376 const char *startSpecifier, unsigned specifierLen, 2377 unsigned argIndex); 2378 2379 template <typename Range> 2380 void EmitFormatDiagnostic(PartialDiagnostic PDiag, SourceLocation StringLoc, 2381 bool IsStringLocation, Range StringRange, 2382 ArrayRef<FixItHint> Fixit = None); 2383 2384 void CheckPositionalAndNonpositionalArgs( 2385 const analyze_format_string::FormatSpecifier *FS); 2386 }; 2387 } 2388 2389 SourceRange CheckFormatHandler::getFormatStringRange() { 2390 return OrigFormatExpr->getSourceRange(); 2391 } 2392 2393 CharSourceRange CheckFormatHandler:: 2394 getSpecifierRange(const char *startSpecifier, unsigned specifierLen) { 2395 SourceLocation Start = getLocationOfByte(startSpecifier); 2396 SourceLocation End = getLocationOfByte(startSpecifier + specifierLen - 1); 2397 2398 // Advance the end SourceLocation by one due to half-open ranges. 2399 End = End.getLocWithOffset(1); 2400 2401 return CharSourceRange::getCharRange(Start, End); 2402 } 2403 2404 SourceLocation CheckFormatHandler::getLocationOfByte(const char *x) { 2405 return S.getLocationOfStringLiteralByte(FExpr, x - Beg); 2406 } 2407 2408 void CheckFormatHandler::HandleIncompleteSpecifier(const char *startSpecifier, 2409 unsigned specifierLen){ 2410 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_incomplete_specifier), 2411 getLocationOfByte(startSpecifier), 2412 /*IsStringLocation*/true, 2413 getSpecifierRange(startSpecifier, specifierLen)); 2414 } 2415 2416 void CheckFormatHandler::HandleInvalidLengthModifier( 2417 const analyze_format_string::FormatSpecifier &FS, 2418 const analyze_format_string::ConversionSpecifier &CS, 2419 const char *startSpecifier, unsigned specifierLen, unsigned DiagID) { 2420 using namespace analyze_format_string; 2421 2422 const LengthModifier &LM = FS.getLengthModifier(); 2423 CharSourceRange LMRange = getSpecifierRange(LM.getStart(), LM.getLength()); 2424 2425 // See if we know how to fix this length modifier. 2426 Optional<LengthModifier> FixedLM = FS.getCorrectedLengthModifier(); 2427 if (FixedLM) { 2428 EmitFormatDiagnostic(S.PDiag(DiagID) << LM.toString() << CS.toString(), 2429 getLocationOfByte(LM.getStart()), 2430 /*IsStringLocation*/true, 2431 getSpecifierRange(startSpecifier, specifierLen)); 2432 2433 S.Diag(getLocationOfByte(LM.getStart()), diag::note_format_fix_specifier) 2434 << FixedLM->toString() 2435 << FixItHint::CreateReplacement(LMRange, FixedLM->toString()); 2436 2437 } else { 2438 FixItHint Hint; 2439 if (DiagID == diag::warn_format_nonsensical_length) 2440 Hint = FixItHint::CreateRemoval(LMRange); 2441 2442 EmitFormatDiagnostic(S.PDiag(DiagID) << LM.toString() << CS.toString(), 2443 getLocationOfByte(LM.getStart()), 2444 /*IsStringLocation*/true, 2445 getSpecifierRange(startSpecifier, specifierLen), 2446 Hint); 2447 } 2448 } 2449 2450 void CheckFormatHandler::HandleNonStandardLengthModifier( 2451 const analyze_format_string::FormatSpecifier &FS, 2452 const char *startSpecifier, unsigned specifierLen) { 2453 using namespace analyze_format_string; 2454 2455 const LengthModifier &LM = FS.getLengthModifier(); 2456 CharSourceRange LMRange = getSpecifierRange(LM.getStart(), LM.getLength()); 2457 2458 // See if we know how to fix this length modifier. 2459 Optional<LengthModifier> FixedLM = FS.getCorrectedLengthModifier(); 2460 if (FixedLM) { 2461 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) 2462 << LM.toString() << 0, 2463 getLocationOfByte(LM.getStart()), 2464 /*IsStringLocation*/true, 2465 getSpecifierRange(startSpecifier, specifierLen)); 2466 2467 S.Diag(getLocationOfByte(LM.getStart()), diag::note_format_fix_specifier) 2468 << FixedLM->toString() 2469 << FixItHint::CreateReplacement(LMRange, FixedLM->toString()); 2470 2471 } else { 2472 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) 2473 << LM.toString() << 0, 2474 getLocationOfByte(LM.getStart()), 2475 /*IsStringLocation*/true, 2476 getSpecifierRange(startSpecifier, specifierLen)); 2477 } 2478 } 2479 2480 void CheckFormatHandler::HandleNonStandardConversionSpecifier( 2481 const analyze_format_string::ConversionSpecifier &CS, 2482 const char *startSpecifier, unsigned specifierLen) { 2483 using namespace analyze_format_string; 2484 2485 // See if we know how to fix this conversion specifier. 2486 Optional<ConversionSpecifier> FixedCS = CS.getStandardSpecifier(); 2487 if (FixedCS) { 2488 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) 2489 << CS.toString() << /*conversion specifier*/1, 2490 getLocationOfByte(CS.getStart()), 2491 /*IsStringLocation*/true, 2492 getSpecifierRange(startSpecifier, specifierLen)); 2493 2494 CharSourceRange CSRange = getSpecifierRange(CS.getStart(), CS.getLength()); 2495 S.Diag(getLocationOfByte(CS.getStart()), diag::note_format_fix_specifier) 2496 << FixedCS->toString() 2497 << FixItHint::CreateReplacement(CSRange, FixedCS->toString()); 2498 } else { 2499 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) 2500 << CS.toString() << /*conversion specifier*/1, 2501 getLocationOfByte(CS.getStart()), 2502 /*IsStringLocation*/true, 2503 getSpecifierRange(startSpecifier, specifierLen)); 2504 } 2505 } 2506 2507 void CheckFormatHandler::HandlePosition(const char *startPos, 2508 unsigned posLen) { 2509 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard_positional_arg), 2510 getLocationOfByte(startPos), 2511 /*IsStringLocation*/true, 2512 getSpecifierRange(startPos, posLen)); 2513 } 2514 2515 void 2516 CheckFormatHandler::HandleInvalidPosition(const char *startPos, unsigned posLen, 2517 analyze_format_string::PositionContext p) { 2518 EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_positional_specifier) 2519 << (unsigned) p, 2520 getLocationOfByte(startPos), /*IsStringLocation*/true, 2521 getSpecifierRange(startPos, posLen)); 2522 } 2523 2524 void CheckFormatHandler::HandleZeroPosition(const char *startPos, 2525 unsigned posLen) { 2526 EmitFormatDiagnostic(S.PDiag(diag::warn_format_zero_positional_specifier), 2527 getLocationOfByte(startPos), 2528 /*IsStringLocation*/true, 2529 getSpecifierRange(startPos, posLen)); 2530 } 2531 2532 void CheckFormatHandler::HandleNullChar(const char *nullCharacter) { 2533 if (!isa<ObjCStringLiteral>(OrigFormatExpr)) { 2534 // The presence of a null character is likely an error. 2535 EmitFormatDiagnostic( 2536 S.PDiag(diag::warn_printf_format_string_contains_null_char), 2537 getLocationOfByte(nullCharacter), /*IsStringLocation*/true, 2538 getFormatStringRange()); 2539 } 2540 } 2541 2542 // Note that this may return NULL if there was an error parsing or building 2543 // one of the argument expressions. 2544 const Expr *CheckFormatHandler::getDataArg(unsigned i) const { 2545 return Args[FirstDataArg + i]; 2546 } 2547 2548 void CheckFormatHandler::DoneProcessing() { 2549 // Does the number of data arguments exceed the number of 2550 // format conversions in the format string? 2551 if (!HasVAListArg) { 2552 // Find any arguments that weren't covered. 2553 CoveredArgs.flip(); 2554 signed notCoveredArg = CoveredArgs.find_first(); 2555 if (notCoveredArg >= 0) { 2556 assert((unsigned)notCoveredArg < NumDataArgs); 2557 if (const Expr *E = getDataArg((unsigned) notCoveredArg)) { 2558 SourceLocation Loc = E->getLocStart(); 2559 if (!S.getSourceManager().isInSystemMacro(Loc)) { 2560 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_data_arg_not_used), 2561 Loc, /*IsStringLocation*/false, 2562 getFormatStringRange()); 2563 } 2564 } 2565 } 2566 } 2567 } 2568 2569 bool 2570 CheckFormatHandler::HandleInvalidConversionSpecifier(unsigned argIndex, 2571 SourceLocation Loc, 2572 const char *startSpec, 2573 unsigned specifierLen, 2574 const char *csStart, 2575 unsigned csLen) { 2576 2577 bool keepGoing = true; 2578 if (argIndex < NumDataArgs) { 2579 // Consider the argument coverered, even though the specifier doesn't 2580 // make sense. 2581 CoveredArgs.set(argIndex); 2582 } 2583 else { 2584 // If argIndex exceeds the number of data arguments we 2585 // don't issue a warning because that is just a cascade of warnings (and 2586 // they may have intended '%%' anyway). We don't want to continue processing 2587 // the format string after this point, however, as we will like just get 2588 // gibberish when trying to match arguments. 2589 keepGoing = false; 2590 } 2591 2592 EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_conversion) 2593 << StringRef(csStart, csLen), 2594 Loc, /*IsStringLocation*/true, 2595 getSpecifierRange(startSpec, specifierLen)); 2596 2597 return keepGoing; 2598 } 2599 2600 void 2601 CheckFormatHandler::HandlePositionalNonpositionalArgs(SourceLocation Loc, 2602 const char *startSpec, 2603 unsigned specifierLen) { 2604 EmitFormatDiagnostic( 2605 S.PDiag(diag::warn_format_mix_positional_nonpositional_args), 2606 Loc, /*isStringLoc*/true, getSpecifierRange(startSpec, specifierLen)); 2607 } 2608 2609 bool 2610 CheckFormatHandler::CheckNumArgs( 2611 const analyze_format_string::FormatSpecifier &FS, 2612 const analyze_format_string::ConversionSpecifier &CS, 2613 const char *startSpecifier, unsigned specifierLen, unsigned argIndex) { 2614 2615 if (argIndex >= NumDataArgs) { 2616 PartialDiagnostic PDiag = FS.usesPositionalArg() 2617 ? (S.PDiag(diag::warn_printf_positional_arg_exceeds_data_args) 2618 << (argIndex+1) << NumDataArgs) 2619 : S.PDiag(diag::warn_printf_insufficient_data_args); 2620 EmitFormatDiagnostic( 2621 PDiag, getLocationOfByte(CS.getStart()), /*IsStringLocation*/true, 2622 getSpecifierRange(startSpecifier, specifierLen)); 2623 return false; 2624 } 2625 return true; 2626 } 2627 2628 template<typename Range> 2629 void CheckFormatHandler::EmitFormatDiagnostic(PartialDiagnostic PDiag, 2630 SourceLocation Loc, 2631 bool IsStringLocation, 2632 Range StringRange, 2633 ArrayRef<FixItHint> FixIt) { 2634 EmitFormatDiagnostic(S, inFunctionCall, Args[FormatIdx], PDiag, 2635 Loc, IsStringLocation, StringRange, FixIt); 2636 } 2637 2638 /// \brief If the format string is not within the funcion call, emit a note 2639 /// so that the function call and string are in diagnostic messages. 2640 /// 2641 /// \param InFunctionCall if true, the format string is within the function 2642 /// call and only one diagnostic message will be produced. Otherwise, an 2643 /// extra note will be emitted pointing to location of the format string. 2644 /// 2645 /// \param ArgumentExpr the expression that is passed as the format string 2646 /// argument in the function call. Used for getting locations when two 2647 /// diagnostics are emitted. 2648 /// 2649 /// \param PDiag the callee should already have provided any strings for the 2650 /// diagnostic message. This function only adds locations and fixits 2651 /// to diagnostics. 2652 /// 2653 /// \param Loc primary location for diagnostic. If two diagnostics are 2654 /// required, one will be at Loc and a new SourceLocation will be created for 2655 /// the other one. 2656 /// 2657 /// \param IsStringLocation if true, Loc points to the format string should be 2658 /// used for the note. Otherwise, Loc points to the argument list and will 2659 /// be used with PDiag. 2660 /// 2661 /// \param StringRange some or all of the string to highlight. This is 2662 /// templated so it can accept either a CharSourceRange or a SourceRange. 2663 /// 2664 /// \param FixIt optional fix it hint for the format string. 2665 template<typename Range> 2666 void CheckFormatHandler::EmitFormatDiagnostic(Sema &S, bool InFunctionCall, 2667 const Expr *ArgumentExpr, 2668 PartialDiagnostic PDiag, 2669 SourceLocation Loc, 2670 bool IsStringLocation, 2671 Range StringRange, 2672 ArrayRef<FixItHint> FixIt) { 2673 if (InFunctionCall) { 2674 const Sema::SemaDiagnosticBuilder &D = S.Diag(Loc, PDiag); 2675 D << StringRange; 2676 for (ArrayRef<FixItHint>::iterator I = FixIt.begin(), E = FixIt.end(); 2677 I != E; ++I) { 2678 D << *I; 2679 } 2680 } else { 2681 S.Diag(IsStringLocation ? ArgumentExpr->getExprLoc() : Loc, PDiag) 2682 << ArgumentExpr->getSourceRange(); 2683 2684 const Sema::SemaDiagnosticBuilder &Note = 2685 S.Diag(IsStringLocation ? Loc : StringRange.getBegin(), 2686 diag::note_format_string_defined); 2687 2688 Note << StringRange; 2689 for (ArrayRef<FixItHint>::iterator I = FixIt.begin(), E = FixIt.end(); 2690 I != E; ++I) { 2691 Note << *I; 2692 } 2693 } 2694 } 2695 2696 //===--- CHECK: Printf format string checking ------------------------------===// 2697 2698 namespace { 2699 class CheckPrintfHandler : public CheckFormatHandler { 2700 bool ObjCContext; 2701 public: 2702 CheckPrintfHandler(Sema &s, const StringLiteral *fexpr, 2703 const Expr *origFormatExpr, unsigned firstDataArg, 2704 unsigned numDataArgs, bool isObjC, 2705 const char *beg, bool hasVAListArg, 2706 ArrayRef<const Expr *> Args, 2707 unsigned formatIdx, bool inFunctionCall, 2708 Sema::VariadicCallType CallType, 2709 llvm::SmallBitVector &CheckedVarArgs) 2710 : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg, 2711 numDataArgs, beg, hasVAListArg, Args, 2712 formatIdx, inFunctionCall, CallType, CheckedVarArgs), 2713 ObjCContext(isObjC) 2714 {} 2715 2716 2717 bool HandleInvalidPrintfConversionSpecifier( 2718 const analyze_printf::PrintfSpecifier &FS, 2719 const char *startSpecifier, 2720 unsigned specifierLen); 2721 2722 bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS, 2723 const char *startSpecifier, 2724 unsigned specifierLen); 2725 bool checkFormatExpr(const analyze_printf::PrintfSpecifier &FS, 2726 const char *StartSpecifier, 2727 unsigned SpecifierLen, 2728 const Expr *E); 2729 2730 bool HandleAmount(const analyze_format_string::OptionalAmount &Amt, unsigned k, 2731 const char *startSpecifier, unsigned specifierLen); 2732 void HandleInvalidAmount(const analyze_printf::PrintfSpecifier &FS, 2733 const analyze_printf::OptionalAmount &Amt, 2734 unsigned type, 2735 const char *startSpecifier, unsigned specifierLen); 2736 void HandleFlag(const analyze_printf::PrintfSpecifier &FS, 2737 const analyze_printf::OptionalFlag &flag, 2738 const char *startSpecifier, unsigned specifierLen); 2739 void HandleIgnoredFlag(const analyze_printf::PrintfSpecifier &FS, 2740 const analyze_printf::OptionalFlag &ignoredFlag, 2741 const analyze_printf::OptionalFlag &flag, 2742 const char *startSpecifier, unsigned specifierLen); 2743 bool checkForCStrMembers(const analyze_printf::ArgType &AT, 2744 const Expr *E, const CharSourceRange &CSR); 2745 2746 }; 2747 } 2748 2749 bool CheckPrintfHandler::HandleInvalidPrintfConversionSpecifier( 2750 const analyze_printf::PrintfSpecifier &FS, 2751 const char *startSpecifier, 2752 unsigned specifierLen) { 2753 const analyze_printf::PrintfConversionSpecifier &CS = 2754 FS.getConversionSpecifier(); 2755 2756 return HandleInvalidConversionSpecifier(FS.getArgIndex(), 2757 getLocationOfByte(CS.getStart()), 2758 startSpecifier, specifierLen, 2759 CS.getStart(), CS.getLength()); 2760 } 2761 2762 bool CheckPrintfHandler::HandleAmount( 2763 const analyze_format_string::OptionalAmount &Amt, 2764 unsigned k, const char *startSpecifier, 2765 unsigned specifierLen) { 2766 2767 if (Amt.hasDataArgument()) { 2768 if (!HasVAListArg) { 2769 unsigned argIndex = Amt.getArgIndex(); 2770 if (argIndex >= NumDataArgs) { 2771 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_missing_arg) 2772 << k, 2773 getLocationOfByte(Amt.getStart()), 2774 /*IsStringLocation*/true, 2775 getSpecifierRange(startSpecifier, specifierLen)); 2776 // Don't do any more checking. We will just emit 2777 // spurious errors. 2778 return false; 2779 } 2780 2781 // Type check the data argument. It should be an 'int'. 2782 // Although not in conformance with C99, we also allow the argument to be 2783 // an 'unsigned int' as that is a reasonably safe case. GCC also 2784 // doesn't emit a warning for that case. 2785 CoveredArgs.set(argIndex); 2786 const Expr *Arg = getDataArg(argIndex); 2787 if (!Arg) 2788 return false; 2789 2790 QualType T = Arg->getType(); 2791 2792 const analyze_printf::ArgType &AT = Amt.getArgType(S.Context); 2793 assert(AT.isValid()); 2794 2795 if (!AT.matchesType(S.Context, T)) { 2796 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_wrong_type) 2797 << k << AT.getRepresentativeTypeName(S.Context) 2798 << T << Arg->getSourceRange(), 2799 getLocationOfByte(Amt.getStart()), 2800 /*IsStringLocation*/true, 2801 getSpecifierRange(startSpecifier, specifierLen)); 2802 // Don't do any more checking. We will just emit 2803 // spurious errors. 2804 return false; 2805 } 2806 } 2807 } 2808 return true; 2809 } 2810 2811 void CheckPrintfHandler::HandleInvalidAmount( 2812 const analyze_printf::PrintfSpecifier &FS, 2813 const analyze_printf::OptionalAmount &Amt, 2814 unsigned type, 2815 const char *startSpecifier, 2816 unsigned specifierLen) { 2817 const analyze_printf::PrintfConversionSpecifier &CS = 2818 FS.getConversionSpecifier(); 2819 2820 FixItHint fixit = 2821 Amt.getHowSpecified() == analyze_printf::OptionalAmount::Constant 2822 ? FixItHint::CreateRemoval(getSpecifierRange(Amt.getStart(), 2823 Amt.getConstantLength())) 2824 : FixItHint(); 2825 2826 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_optional_amount) 2827 << type << CS.toString(), 2828 getLocationOfByte(Amt.getStart()), 2829 /*IsStringLocation*/true, 2830 getSpecifierRange(startSpecifier, specifierLen), 2831 fixit); 2832 } 2833 2834 void CheckPrintfHandler::HandleFlag(const analyze_printf::PrintfSpecifier &FS, 2835 const analyze_printf::OptionalFlag &flag, 2836 const char *startSpecifier, 2837 unsigned specifierLen) { 2838 // Warn about pointless flag with a fixit removal. 2839 const analyze_printf::PrintfConversionSpecifier &CS = 2840 FS.getConversionSpecifier(); 2841 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_flag) 2842 << flag.toString() << CS.toString(), 2843 getLocationOfByte(flag.getPosition()), 2844 /*IsStringLocation*/true, 2845 getSpecifierRange(startSpecifier, specifierLen), 2846 FixItHint::CreateRemoval( 2847 getSpecifierRange(flag.getPosition(), 1))); 2848 } 2849 2850 void CheckPrintfHandler::HandleIgnoredFlag( 2851 const analyze_printf::PrintfSpecifier &FS, 2852 const analyze_printf::OptionalFlag &ignoredFlag, 2853 const analyze_printf::OptionalFlag &flag, 2854 const char *startSpecifier, 2855 unsigned specifierLen) { 2856 // Warn about ignored flag with a fixit removal. 2857 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_ignored_flag) 2858 << ignoredFlag.toString() << flag.toString(), 2859 getLocationOfByte(ignoredFlag.getPosition()), 2860 /*IsStringLocation*/true, 2861 getSpecifierRange(startSpecifier, specifierLen), 2862 FixItHint::CreateRemoval( 2863 getSpecifierRange(ignoredFlag.getPosition(), 1))); 2864 } 2865 2866 // Determines if the specified is a C++ class or struct containing 2867 // a member with the specified name and kind (e.g. a CXXMethodDecl named 2868 // "c_str()"). 2869 template<typename MemberKind> 2870 static llvm::SmallPtrSet<MemberKind*, 1> 2871 CXXRecordMembersNamed(StringRef Name, Sema &S, QualType Ty) { 2872 const RecordType *RT = Ty->getAs<RecordType>(); 2873 llvm::SmallPtrSet<MemberKind*, 1> Results; 2874 2875 if (!RT) 2876 return Results; 2877 const CXXRecordDecl *RD = dyn_cast<CXXRecordDecl>(RT->getDecl()); 2878 if (!RD) 2879 return Results; 2880 2881 LookupResult R(S, &S.PP.getIdentifierTable().get(Name), SourceLocation(), 2882 Sema::LookupMemberName); 2883 2884 // We just need to include all members of the right kind turned up by the 2885 // filter, at this point. 2886 if (S.LookupQualifiedName(R, RT->getDecl())) 2887 for (LookupResult::iterator I = R.begin(), E = R.end(); I != E; ++I) { 2888 NamedDecl *decl = (*I)->getUnderlyingDecl(); 2889 if (MemberKind *FK = dyn_cast<MemberKind>(decl)) 2890 Results.insert(FK); 2891 } 2892 return Results; 2893 } 2894 2895 // Check if a (w)string was passed when a (w)char* was needed, and offer a 2896 // better diagnostic if so. AT is assumed to be valid. 2897 // Returns true when a c_str() conversion method is found. 2898 bool CheckPrintfHandler::checkForCStrMembers( 2899 const analyze_printf::ArgType &AT, const Expr *E, 2900 const CharSourceRange &CSR) { 2901 typedef llvm::SmallPtrSet<CXXMethodDecl*, 1> MethodSet; 2902 2903 MethodSet Results = 2904 CXXRecordMembersNamed<CXXMethodDecl>("c_str", S, E->getType()); 2905 2906 for (MethodSet::iterator MI = Results.begin(), ME = Results.end(); 2907 MI != ME; ++MI) { 2908 const CXXMethodDecl *Method = *MI; 2909 if (Method->getNumParams() == 0 && 2910 AT.matchesType(S.Context, Method->getResultType())) { 2911 // FIXME: Suggest parens if the expression needs them. 2912 SourceLocation EndLoc = 2913 S.getPreprocessor().getLocForEndOfToken(E->getLocEnd()); 2914 S.Diag(E->getLocStart(), diag::note_printf_c_str) 2915 << "c_str()" 2916 << FixItHint::CreateInsertion(EndLoc, ".c_str()"); 2917 return true; 2918 } 2919 } 2920 2921 return false; 2922 } 2923 2924 bool 2925 CheckPrintfHandler::HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier 2926 &FS, 2927 const char *startSpecifier, 2928 unsigned specifierLen) { 2929 2930 using namespace analyze_format_string; 2931 using namespace analyze_printf; 2932 const PrintfConversionSpecifier &CS = FS.getConversionSpecifier(); 2933 2934 if (FS.consumesDataArgument()) { 2935 if (atFirstArg) { 2936 atFirstArg = false; 2937 usesPositionalArgs = FS.usesPositionalArg(); 2938 } 2939 else if (usesPositionalArgs != FS.usesPositionalArg()) { 2940 HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()), 2941 startSpecifier, specifierLen); 2942 return false; 2943 } 2944 } 2945 2946 // First check if the field width, precision, and conversion specifier 2947 // have matching data arguments. 2948 if (!HandleAmount(FS.getFieldWidth(), /* field width */ 0, 2949 startSpecifier, specifierLen)) { 2950 return false; 2951 } 2952 2953 if (!HandleAmount(FS.getPrecision(), /* precision */ 1, 2954 startSpecifier, specifierLen)) { 2955 return false; 2956 } 2957 2958 if (!CS.consumesDataArgument()) { 2959 // FIXME: Technically specifying a precision or field width here 2960 // makes no sense. Worth issuing a warning at some point. 2961 return true; 2962 } 2963 2964 // Consume the argument. 2965 unsigned argIndex = FS.getArgIndex(); 2966 if (argIndex < NumDataArgs) { 2967 // The check to see if the argIndex is valid will come later. 2968 // We set the bit here because we may exit early from this 2969 // function if we encounter some other error. 2970 CoveredArgs.set(argIndex); 2971 } 2972 2973 // Check for using an Objective-C specific conversion specifier 2974 // in a non-ObjC literal. 2975 if (!ObjCContext && CS.isObjCArg()) { 2976 return HandleInvalidPrintfConversionSpecifier(FS, startSpecifier, 2977 specifierLen); 2978 } 2979 2980 // Check for invalid use of field width 2981 if (!FS.hasValidFieldWidth()) { 2982 HandleInvalidAmount(FS, FS.getFieldWidth(), /* field width */ 0, 2983 startSpecifier, specifierLen); 2984 } 2985 2986 // Check for invalid use of precision 2987 if (!FS.hasValidPrecision()) { 2988 HandleInvalidAmount(FS, FS.getPrecision(), /* precision */ 1, 2989 startSpecifier, specifierLen); 2990 } 2991 2992 // Check each flag does not conflict with any other component. 2993 if (!FS.hasValidThousandsGroupingPrefix()) 2994 HandleFlag(FS, FS.hasThousandsGrouping(), startSpecifier, specifierLen); 2995 if (!FS.hasValidLeadingZeros()) 2996 HandleFlag(FS, FS.hasLeadingZeros(), startSpecifier, specifierLen); 2997 if (!FS.hasValidPlusPrefix()) 2998 HandleFlag(FS, FS.hasPlusPrefix(), startSpecifier, specifierLen); 2999 if (!FS.hasValidSpacePrefix()) 3000 HandleFlag(FS, FS.hasSpacePrefix(), startSpecifier, specifierLen); 3001 if (!FS.hasValidAlternativeForm()) 3002 HandleFlag(FS, FS.hasAlternativeForm(), startSpecifier, specifierLen); 3003 if (!FS.hasValidLeftJustified()) 3004 HandleFlag(FS, FS.isLeftJustified(), startSpecifier, specifierLen); 3005 3006 // Check that flags are not ignored by another flag 3007 if (FS.hasSpacePrefix() && FS.hasPlusPrefix()) // ' ' ignored by '+' 3008 HandleIgnoredFlag(FS, FS.hasSpacePrefix(), FS.hasPlusPrefix(), 3009 startSpecifier, specifierLen); 3010 if (FS.hasLeadingZeros() && FS.isLeftJustified()) // '0' ignored by '-' 3011 HandleIgnoredFlag(FS, FS.hasLeadingZeros(), FS.isLeftJustified(), 3012 startSpecifier, specifierLen); 3013 3014 // Check the length modifier is valid with the given conversion specifier. 3015 if (!FS.hasValidLengthModifier(S.getASTContext().getTargetInfo())) 3016 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, 3017 diag::warn_format_nonsensical_length); 3018 else if (!FS.hasStandardLengthModifier()) 3019 HandleNonStandardLengthModifier(FS, startSpecifier, specifierLen); 3020 else if (!FS.hasStandardLengthConversionCombination()) 3021 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, 3022 diag::warn_format_non_standard_conversion_spec); 3023 3024 if (!FS.hasStandardConversionSpecifier(S.getLangOpts())) 3025 HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen); 3026 3027 // The remaining checks depend on the data arguments. 3028 if (HasVAListArg) 3029 return true; 3030 3031 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex)) 3032 return false; 3033 3034 const Expr *Arg = getDataArg(argIndex); 3035 if (!Arg) 3036 return true; 3037 3038 return checkFormatExpr(FS, startSpecifier, specifierLen, Arg); 3039 } 3040 3041 static bool requiresParensToAddCast(const Expr *E) { 3042 // FIXME: We should have a general way to reason about operator 3043 // precedence and whether parens are actually needed here. 3044 // Take care of a few common cases where they aren't. 3045 const Expr *Inside = E->IgnoreImpCasts(); 3046 if (const PseudoObjectExpr *POE = dyn_cast<PseudoObjectExpr>(Inside)) 3047 Inside = POE->getSyntacticForm()->IgnoreImpCasts(); 3048 3049 switch (Inside->getStmtClass()) { 3050 case Stmt::ArraySubscriptExprClass: 3051 case Stmt::CallExprClass: 3052 case Stmt::CharacterLiteralClass: 3053 case Stmt::CXXBoolLiteralExprClass: 3054 case Stmt::DeclRefExprClass: 3055 case Stmt::FloatingLiteralClass: 3056 case Stmt::IntegerLiteralClass: 3057 case Stmt::MemberExprClass: 3058 case Stmt::ObjCArrayLiteralClass: 3059 case Stmt::ObjCBoolLiteralExprClass: 3060 case Stmt::ObjCBoxedExprClass: 3061 case Stmt::ObjCDictionaryLiteralClass: 3062 case Stmt::ObjCEncodeExprClass: 3063 case Stmt::ObjCIvarRefExprClass: 3064 case Stmt::ObjCMessageExprClass: 3065 case Stmt::ObjCPropertyRefExprClass: 3066 case Stmt::ObjCStringLiteralClass: 3067 case Stmt::ObjCSubscriptRefExprClass: 3068 case Stmt::ParenExprClass: 3069 case Stmt::StringLiteralClass: 3070 case Stmt::UnaryOperatorClass: 3071 return false; 3072 default: 3073 return true; 3074 } 3075 } 3076 3077 bool 3078 CheckPrintfHandler::checkFormatExpr(const analyze_printf::PrintfSpecifier &FS, 3079 const char *StartSpecifier, 3080 unsigned SpecifierLen, 3081 const Expr *E) { 3082 using namespace analyze_format_string; 3083 using namespace analyze_printf; 3084 // Now type check the data expression that matches the 3085 // format specifier. 3086 const analyze_printf::ArgType &AT = FS.getArgType(S.Context, 3087 ObjCContext); 3088 if (!AT.isValid()) 3089 return true; 3090 3091 QualType ExprTy = E->getType(); 3092 while (const TypeOfExprType *TET = dyn_cast<TypeOfExprType>(ExprTy)) { 3093 ExprTy = TET->getUnderlyingExpr()->getType(); 3094 } 3095 3096 if (AT.matchesType(S.Context, ExprTy)) 3097 return true; 3098 3099 // Look through argument promotions for our error message's reported type. 3100 // This includes the integral and floating promotions, but excludes array 3101 // and function pointer decay; seeing that an argument intended to be a 3102 // string has type 'char [6]' is probably more confusing than 'char *'. 3103 if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) { 3104 if (ICE->getCastKind() == CK_IntegralCast || 3105 ICE->getCastKind() == CK_FloatingCast) { 3106 E = ICE->getSubExpr(); 3107 ExprTy = E->getType(); 3108 3109 // Check if we didn't match because of an implicit cast from a 'char' 3110 // or 'short' to an 'int'. This is done because printf is a varargs 3111 // function. 3112 if (ICE->getType() == S.Context.IntTy || 3113 ICE->getType() == S.Context.UnsignedIntTy) { 3114 // All further checking is done on the subexpression. 3115 if (AT.matchesType(S.Context, ExprTy)) 3116 return true; 3117 } 3118 } 3119 } else if (const CharacterLiteral *CL = dyn_cast<CharacterLiteral>(E)) { 3120 // Special case for 'a', which has type 'int' in C. 3121 // Note, however, that we do /not/ want to treat multibyte constants like 3122 // 'MooV' as characters! This form is deprecated but still exists. 3123 if (ExprTy == S.Context.IntTy) 3124 if (llvm::isUIntN(S.Context.getCharWidth(), CL->getValue())) 3125 ExprTy = S.Context.CharTy; 3126 } 3127 3128 // %C in an Objective-C context prints a unichar, not a wchar_t. 3129 // If the argument is an integer of some kind, believe the %C and suggest 3130 // a cast instead of changing the conversion specifier. 3131 QualType IntendedTy = ExprTy; 3132 if (ObjCContext && 3133 FS.getConversionSpecifier().getKind() == ConversionSpecifier::CArg) { 3134 if (ExprTy->isIntegralOrUnscopedEnumerationType() && 3135 !ExprTy->isCharType()) { 3136 // 'unichar' is defined as a typedef of unsigned short, but we should 3137 // prefer using the typedef if it is visible. 3138 IntendedTy = S.Context.UnsignedShortTy; 3139 3140 // While we are here, check if the value is an IntegerLiteral that happens 3141 // to be within the valid range. 3142 if (const IntegerLiteral *IL = dyn_cast<IntegerLiteral>(E)) { 3143 const llvm::APInt &V = IL->getValue(); 3144 if (V.getActiveBits() <= S.Context.getTypeSize(IntendedTy)) 3145 return true; 3146 } 3147 3148 LookupResult Result(S, &S.Context.Idents.get("unichar"), E->getLocStart(), 3149 Sema::LookupOrdinaryName); 3150 if (S.LookupName(Result, S.getCurScope())) { 3151 NamedDecl *ND = Result.getFoundDecl(); 3152 if (TypedefNameDecl *TD = dyn_cast<TypedefNameDecl>(ND)) 3153 if (TD->getUnderlyingType() == IntendedTy) 3154 IntendedTy = S.Context.getTypedefType(TD); 3155 } 3156 } 3157 } 3158 3159 // Special-case some of Darwin's platform-independence types by suggesting 3160 // casts to primitive types that are known to be large enough. 3161 bool ShouldNotPrintDirectly = false; 3162 if (S.Context.getTargetInfo().getTriple().isOSDarwin()) { 3163 // Use a 'while' to peel off layers of typedefs. 3164 QualType TyTy = IntendedTy; 3165 while (const TypedefType *UserTy = TyTy->getAs<TypedefType>()) { 3166 StringRef Name = UserTy->getDecl()->getName(); 3167 QualType CastTy = llvm::StringSwitch<QualType>(Name) 3168 .Case("NSInteger", S.Context.LongTy) 3169 .Case("NSUInteger", S.Context.UnsignedLongTy) 3170 .Case("SInt32", S.Context.IntTy) 3171 .Case("UInt32", S.Context.UnsignedIntTy) 3172 .Default(QualType()); 3173 3174 if (!CastTy.isNull()) { 3175 ShouldNotPrintDirectly = true; 3176 IntendedTy = CastTy; 3177 break; 3178 } 3179 TyTy = UserTy->desugar(); 3180 } 3181 } 3182 3183 // We may be able to offer a FixItHint if it is a supported type. 3184 PrintfSpecifier fixedFS = FS; 3185 bool success = fixedFS.fixType(IntendedTy, S.getLangOpts(), 3186 S.Context, ObjCContext); 3187 3188 if (success) { 3189 // Get the fix string from the fixed format specifier 3190 SmallString<16> buf; 3191 llvm::raw_svector_ostream os(buf); 3192 fixedFS.toString(os); 3193 3194 CharSourceRange SpecRange = getSpecifierRange(StartSpecifier, SpecifierLen); 3195 3196 if (IntendedTy == ExprTy) { 3197 // In this case, the specifier is wrong and should be changed to match 3198 // the argument. 3199 EmitFormatDiagnostic( 3200 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 3201 << AT.getRepresentativeTypeName(S.Context) << IntendedTy 3202 << E->getSourceRange(), 3203 E->getLocStart(), 3204 /*IsStringLocation*/false, 3205 SpecRange, 3206 FixItHint::CreateReplacement(SpecRange, os.str())); 3207 3208 } else { 3209 // The canonical type for formatting this value is different from the 3210 // actual type of the expression. (This occurs, for example, with Darwin's 3211 // NSInteger on 32-bit platforms, where it is typedef'd as 'int', but 3212 // should be printed as 'long' for 64-bit compatibility.) 3213 // Rather than emitting a normal format/argument mismatch, we want to 3214 // add a cast to the recommended type (and correct the format string 3215 // if necessary). 3216 SmallString<16> CastBuf; 3217 llvm::raw_svector_ostream CastFix(CastBuf); 3218 CastFix << "("; 3219 IntendedTy.print(CastFix, S.Context.getPrintingPolicy()); 3220 CastFix << ")"; 3221 3222 SmallVector<FixItHint,4> Hints; 3223 if (!AT.matchesType(S.Context, IntendedTy)) 3224 Hints.push_back(FixItHint::CreateReplacement(SpecRange, os.str())); 3225 3226 if (const CStyleCastExpr *CCast = dyn_cast<CStyleCastExpr>(E)) { 3227 // If there's already a cast present, just replace it. 3228 SourceRange CastRange(CCast->getLParenLoc(), CCast->getRParenLoc()); 3229 Hints.push_back(FixItHint::CreateReplacement(CastRange, CastFix.str())); 3230 3231 } else if (!requiresParensToAddCast(E)) { 3232 // If the expression has high enough precedence, 3233 // just write the C-style cast. 3234 Hints.push_back(FixItHint::CreateInsertion(E->getLocStart(), 3235 CastFix.str())); 3236 } else { 3237 // Otherwise, add parens around the expression as well as the cast. 3238 CastFix << "("; 3239 Hints.push_back(FixItHint::CreateInsertion(E->getLocStart(), 3240 CastFix.str())); 3241 3242 SourceLocation After = S.PP.getLocForEndOfToken(E->getLocEnd()); 3243 Hints.push_back(FixItHint::CreateInsertion(After, ")")); 3244 } 3245 3246 if (ShouldNotPrintDirectly) { 3247 // The expression has a type that should not be printed directly. 3248 // We extract the name from the typedef because we don't want to show 3249 // the underlying type in the diagnostic. 3250 StringRef Name = cast<TypedefType>(ExprTy)->getDecl()->getName(); 3251 3252 EmitFormatDiagnostic(S.PDiag(diag::warn_format_argument_needs_cast) 3253 << Name << IntendedTy 3254 << E->getSourceRange(), 3255 E->getLocStart(), /*IsStringLocation=*/false, 3256 SpecRange, Hints); 3257 } else { 3258 // In this case, the expression could be printed using a different 3259 // specifier, but we've decided that the specifier is probably correct 3260 // and we should cast instead. Just use the normal warning message. 3261 EmitFormatDiagnostic( 3262 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 3263 << AT.getRepresentativeTypeName(S.Context) << ExprTy 3264 << E->getSourceRange(), 3265 E->getLocStart(), /*IsStringLocation*/false, 3266 SpecRange, Hints); 3267 } 3268 } 3269 } else { 3270 const CharSourceRange &CSR = getSpecifierRange(StartSpecifier, 3271 SpecifierLen); 3272 // Since the warning for passing non-POD types to variadic functions 3273 // was deferred until now, we emit a warning for non-POD 3274 // arguments here. 3275 switch (S.isValidVarArgType(ExprTy)) { 3276 case Sema::VAK_Valid: 3277 case Sema::VAK_ValidInCXX11: 3278 EmitFormatDiagnostic( 3279 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 3280 << AT.getRepresentativeTypeName(S.Context) << ExprTy 3281 << CSR 3282 << E->getSourceRange(), 3283 E->getLocStart(), /*IsStringLocation*/false, CSR); 3284 break; 3285 3286 case Sema::VAK_Undefined: 3287 EmitFormatDiagnostic( 3288 S.PDiag(diag::warn_non_pod_vararg_with_format_string) 3289 << S.getLangOpts().CPlusPlus11 3290 << ExprTy 3291 << CallType 3292 << AT.getRepresentativeTypeName(S.Context) 3293 << CSR 3294 << E->getSourceRange(), 3295 E->getLocStart(), /*IsStringLocation*/false, CSR); 3296 checkForCStrMembers(AT, E, CSR); 3297 break; 3298 3299 case Sema::VAK_Invalid: 3300 if (ExprTy->isObjCObjectType()) 3301 EmitFormatDiagnostic( 3302 S.PDiag(diag::err_cannot_pass_objc_interface_to_vararg_format) 3303 << S.getLangOpts().CPlusPlus11 3304 << ExprTy 3305 << CallType 3306 << AT.getRepresentativeTypeName(S.Context) 3307 << CSR 3308 << E->getSourceRange(), 3309 E->getLocStart(), /*IsStringLocation*/false, CSR); 3310 else 3311 // FIXME: If this is an initializer list, suggest removing the braces 3312 // or inserting a cast to the target type. 3313 S.Diag(E->getLocStart(), diag::err_cannot_pass_to_vararg_format) 3314 << isa<InitListExpr>(E) << ExprTy << CallType 3315 << AT.getRepresentativeTypeName(S.Context) 3316 << E->getSourceRange(); 3317 break; 3318 } 3319 3320 assert(FirstDataArg + FS.getArgIndex() < CheckedVarArgs.size() && 3321 "format string specifier index out of range"); 3322 CheckedVarArgs[FirstDataArg + FS.getArgIndex()] = true; 3323 } 3324 3325 return true; 3326 } 3327 3328 //===--- CHECK: Scanf format string checking ------------------------------===// 3329 3330 namespace { 3331 class CheckScanfHandler : public CheckFormatHandler { 3332 public: 3333 CheckScanfHandler(Sema &s, const StringLiteral *fexpr, 3334 const Expr *origFormatExpr, unsigned firstDataArg, 3335 unsigned numDataArgs, const char *beg, bool hasVAListArg, 3336 ArrayRef<const Expr *> Args, 3337 unsigned formatIdx, bool inFunctionCall, 3338 Sema::VariadicCallType CallType, 3339 llvm::SmallBitVector &CheckedVarArgs) 3340 : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg, 3341 numDataArgs, beg, hasVAListArg, 3342 Args, formatIdx, inFunctionCall, CallType, 3343 CheckedVarArgs) 3344 {} 3345 3346 bool HandleScanfSpecifier(const analyze_scanf::ScanfSpecifier &FS, 3347 const char *startSpecifier, 3348 unsigned specifierLen); 3349 3350 bool HandleInvalidScanfConversionSpecifier( 3351 const analyze_scanf::ScanfSpecifier &FS, 3352 const char *startSpecifier, 3353 unsigned specifierLen); 3354 3355 void HandleIncompleteScanList(const char *start, const char *end); 3356 }; 3357 } 3358 3359 void CheckScanfHandler::HandleIncompleteScanList(const char *start, 3360 const char *end) { 3361 EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_scanlist_incomplete), 3362 getLocationOfByte(end), /*IsStringLocation*/true, 3363 getSpecifierRange(start, end - start)); 3364 } 3365 3366 bool CheckScanfHandler::HandleInvalidScanfConversionSpecifier( 3367 const analyze_scanf::ScanfSpecifier &FS, 3368 const char *startSpecifier, 3369 unsigned specifierLen) { 3370 3371 const analyze_scanf::ScanfConversionSpecifier &CS = 3372 FS.getConversionSpecifier(); 3373 3374 return HandleInvalidConversionSpecifier(FS.getArgIndex(), 3375 getLocationOfByte(CS.getStart()), 3376 startSpecifier, specifierLen, 3377 CS.getStart(), CS.getLength()); 3378 } 3379 3380 bool CheckScanfHandler::HandleScanfSpecifier( 3381 const analyze_scanf::ScanfSpecifier &FS, 3382 const char *startSpecifier, 3383 unsigned specifierLen) { 3384 3385 using namespace analyze_scanf; 3386 using namespace analyze_format_string; 3387 3388 const ScanfConversionSpecifier &CS = FS.getConversionSpecifier(); 3389 3390 // Handle case where '%' and '*' don't consume an argument. These shouldn't 3391 // be used to decide if we are using positional arguments consistently. 3392 if (FS.consumesDataArgument()) { 3393 if (atFirstArg) { 3394 atFirstArg = false; 3395 usesPositionalArgs = FS.usesPositionalArg(); 3396 } 3397 else if (usesPositionalArgs != FS.usesPositionalArg()) { 3398 HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()), 3399 startSpecifier, specifierLen); 3400 return false; 3401 } 3402 } 3403 3404 // Check if the field with is non-zero. 3405 const OptionalAmount &Amt = FS.getFieldWidth(); 3406 if (Amt.getHowSpecified() == OptionalAmount::Constant) { 3407 if (Amt.getConstantAmount() == 0) { 3408 const CharSourceRange &R = getSpecifierRange(Amt.getStart(), 3409 Amt.getConstantLength()); 3410 EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_nonzero_width), 3411 getLocationOfByte(Amt.getStart()), 3412 /*IsStringLocation*/true, R, 3413 FixItHint::CreateRemoval(R)); 3414 } 3415 } 3416 3417 if (!FS.consumesDataArgument()) { 3418 // FIXME: Technically specifying a precision or field width here 3419 // makes no sense. Worth issuing a warning at some point. 3420 return true; 3421 } 3422 3423 // Consume the argument. 3424 unsigned argIndex = FS.getArgIndex(); 3425 if (argIndex < NumDataArgs) { 3426 // The check to see if the argIndex is valid will come later. 3427 // We set the bit here because we may exit early from this 3428 // function if we encounter some other error. 3429 CoveredArgs.set(argIndex); 3430 } 3431 3432 // Check the length modifier is valid with the given conversion specifier. 3433 if (!FS.hasValidLengthModifier(S.getASTContext().getTargetInfo())) 3434 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, 3435 diag::warn_format_nonsensical_length); 3436 else if (!FS.hasStandardLengthModifier()) 3437 HandleNonStandardLengthModifier(FS, startSpecifier, specifierLen); 3438 else if (!FS.hasStandardLengthConversionCombination()) 3439 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, 3440 diag::warn_format_non_standard_conversion_spec); 3441 3442 if (!FS.hasStandardConversionSpecifier(S.getLangOpts())) 3443 HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen); 3444 3445 // The remaining checks depend on the data arguments. 3446 if (HasVAListArg) 3447 return true; 3448 3449 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex)) 3450 return false; 3451 3452 // Check that the argument type matches the format specifier. 3453 const Expr *Ex = getDataArg(argIndex); 3454 if (!Ex) 3455 return true; 3456 3457 const analyze_format_string::ArgType &AT = FS.getArgType(S.Context); 3458 if (AT.isValid() && !AT.matchesType(S.Context, Ex->getType())) { 3459 ScanfSpecifier fixedFS = FS; 3460 bool success = fixedFS.fixType(Ex->getType(), S.getLangOpts(), 3461 S.Context); 3462 3463 if (success) { 3464 // Get the fix string from the fixed format specifier. 3465 SmallString<128> buf; 3466 llvm::raw_svector_ostream os(buf); 3467 fixedFS.toString(os); 3468 3469 EmitFormatDiagnostic( 3470 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 3471 << AT.getRepresentativeTypeName(S.Context) << Ex->getType() 3472 << Ex->getSourceRange(), 3473 Ex->getLocStart(), 3474 /*IsStringLocation*/false, 3475 getSpecifierRange(startSpecifier, specifierLen), 3476 FixItHint::CreateReplacement( 3477 getSpecifierRange(startSpecifier, specifierLen), 3478 os.str())); 3479 } else { 3480 EmitFormatDiagnostic( 3481 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 3482 << AT.getRepresentativeTypeName(S.Context) << Ex->getType() 3483 << Ex->getSourceRange(), 3484 Ex->getLocStart(), 3485 /*IsStringLocation*/false, 3486 getSpecifierRange(startSpecifier, specifierLen)); 3487 } 3488 } 3489 3490 return true; 3491 } 3492 3493 void Sema::CheckFormatString(const StringLiteral *FExpr, 3494 const Expr *OrigFormatExpr, 3495 ArrayRef<const Expr *> Args, 3496 bool HasVAListArg, unsigned format_idx, 3497 unsigned firstDataArg, FormatStringType Type, 3498 bool inFunctionCall, VariadicCallType CallType, 3499 llvm::SmallBitVector &CheckedVarArgs) { 3500 3501 // CHECK: is the format string a wide literal? 3502 if (!FExpr->isAscii() && !FExpr->isUTF8()) { 3503 CheckFormatHandler::EmitFormatDiagnostic( 3504 *this, inFunctionCall, Args[format_idx], 3505 PDiag(diag::warn_format_string_is_wide_literal), FExpr->getLocStart(), 3506 /*IsStringLocation*/true, OrigFormatExpr->getSourceRange()); 3507 return; 3508 } 3509 3510 // Str - The format string. NOTE: this is NOT null-terminated! 3511 StringRef StrRef = FExpr->getString(); 3512 const char *Str = StrRef.data(); 3513 unsigned StrLen = StrRef.size(); 3514 const unsigned numDataArgs = Args.size() - firstDataArg; 3515 3516 // CHECK: empty format string? 3517 if (StrLen == 0 && numDataArgs > 0) { 3518 CheckFormatHandler::EmitFormatDiagnostic( 3519 *this, inFunctionCall, Args[format_idx], 3520 PDiag(diag::warn_empty_format_string), FExpr->getLocStart(), 3521 /*IsStringLocation*/true, OrigFormatExpr->getSourceRange()); 3522 return; 3523 } 3524 3525 if (Type == FST_Printf || Type == FST_NSString) { 3526 CheckPrintfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, 3527 numDataArgs, (Type == FST_NSString), 3528 Str, HasVAListArg, Args, format_idx, 3529 inFunctionCall, CallType, CheckedVarArgs); 3530 3531 if (!analyze_format_string::ParsePrintfString(H, Str, Str + StrLen, 3532 getLangOpts(), 3533 Context.getTargetInfo())) 3534 H.DoneProcessing(); 3535 } else if (Type == FST_Scanf) { 3536 CheckScanfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, numDataArgs, 3537 Str, HasVAListArg, Args, format_idx, 3538 inFunctionCall, CallType, CheckedVarArgs); 3539 3540 if (!analyze_format_string::ParseScanfString(H, Str, Str + StrLen, 3541 getLangOpts(), 3542 Context.getTargetInfo())) 3543 H.DoneProcessing(); 3544 } // TODO: handle other formats 3545 } 3546 3547 //===--- CHECK: Standard memory functions ---------------------------------===// 3548 3549 /// \brief Determine whether the given type is a dynamic class type (e.g., 3550 /// whether it has a vtable). 3551 static bool isDynamicClassType(QualType T) { 3552 if (CXXRecordDecl *Record = T->getAsCXXRecordDecl()) 3553 if (CXXRecordDecl *Definition = Record->getDefinition()) 3554 if (Definition->isDynamicClass()) 3555 return true; 3556 3557 return false; 3558 } 3559 3560 /// \brief If E is a sizeof expression, returns its argument expression, 3561 /// otherwise returns NULL. 3562 static const Expr *getSizeOfExprArg(const Expr* E) { 3563 if (const UnaryExprOrTypeTraitExpr *SizeOf = 3564 dyn_cast<UnaryExprOrTypeTraitExpr>(E)) 3565 if (SizeOf->getKind() == clang::UETT_SizeOf && !SizeOf->isArgumentType()) 3566 return SizeOf->getArgumentExpr()->IgnoreParenImpCasts(); 3567 3568 return 0; 3569 } 3570 3571 /// \brief If E is a sizeof expression, returns its argument type. 3572 static QualType getSizeOfArgType(const Expr* E) { 3573 if (const UnaryExprOrTypeTraitExpr *SizeOf = 3574 dyn_cast<UnaryExprOrTypeTraitExpr>(E)) 3575 if (SizeOf->getKind() == clang::UETT_SizeOf) 3576 return SizeOf->getTypeOfArgument(); 3577 3578 return QualType(); 3579 } 3580 3581 /// \brief Check for dangerous or invalid arguments to memset(). 3582 /// 3583 /// This issues warnings on known problematic, dangerous or unspecified 3584 /// arguments to the standard 'memset', 'memcpy', 'memmove', and 'memcmp' 3585 /// function calls. 3586 /// 3587 /// \param Call The call expression to diagnose. 3588 void Sema::CheckMemaccessArguments(const CallExpr *Call, 3589 unsigned BId, 3590 IdentifierInfo *FnName) { 3591 assert(BId != 0); 3592 3593 // It is possible to have a non-standard definition of memset. Validate 3594 // we have enough arguments, and if not, abort further checking. 3595 unsigned ExpectedNumArgs = (BId == Builtin::BIstrndup ? 2 : 3); 3596 if (Call->getNumArgs() < ExpectedNumArgs) 3597 return; 3598 3599 unsigned LastArg = (BId == Builtin::BImemset || 3600 BId == Builtin::BIstrndup ? 1 : 2); 3601 unsigned LenArg = (BId == Builtin::BIstrndup ? 1 : 2); 3602 const Expr *LenExpr = Call->getArg(LenArg)->IgnoreParenImpCasts(); 3603 3604 // We have special checking when the length is a sizeof expression. 3605 QualType SizeOfArgTy = getSizeOfArgType(LenExpr); 3606 const Expr *SizeOfArg = getSizeOfExprArg(LenExpr); 3607 llvm::FoldingSetNodeID SizeOfArgID; 3608 3609 for (unsigned ArgIdx = 0; ArgIdx != LastArg; ++ArgIdx) { 3610 const Expr *Dest = Call->getArg(ArgIdx)->IgnoreParenImpCasts(); 3611 SourceRange ArgRange = Call->getArg(ArgIdx)->getSourceRange(); 3612 3613 QualType DestTy = Dest->getType(); 3614 if (const PointerType *DestPtrTy = DestTy->getAs<PointerType>()) { 3615 QualType PointeeTy = DestPtrTy->getPointeeType(); 3616 3617 // Never warn about void type pointers. This can be used to suppress 3618 // false positives. 3619 if (PointeeTy->isVoidType()) 3620 continue; 3621 3622 // Catch "memset(p, 0, sizeof(p))" -- needs to be sizeof(*p). Do this by 3623 // actually comparing the expressions for equality. Because computing the 3624 // expression IDs can be expensive, we only do this if the diagnostic is 3625 // enabled. 3626 if (SizeOfArg && 3627 Diags.getDiagnosticLevel(diag::warn_sizeof_pointer_expr_memaccess, 3628 SizeOfArg->getExprLoc())) { 3629 // We only compute IDs for expressions if the warning is enabled, and 3630 // cache the sizeof arg's ID. 3631 if (SizeOfArgID == llvm::FoldingSetNodeID()) 3632 SizeOfArg->Profile(SizeOfArgID, Context, true); 3633 llvm::FoldingSetNodeID DestID; 3634 Dest->Profile(DestID, Context, true); 3635 if (DestID == SizeOfArgID) { 3636 // TODO: For strncpy() and friends, this could suggest sizeof(dst) 3637 // over sizeof(src) as well. 3638 unsigned ActionIdx = 0; // Default is to suggest dereferencing. 3639 StringRef ReadableName = FnName->getName(); 3640 3641 if (const UnaryOperator *UnaryOp = dyn_cast<UnaryOperator>(Dest)) 3642 if (UnaryOp->getOpcode() == UO_AddrOf) 3643 ActionIdx = 1; // If its an address-of operator, just remove it. 3644 if (!PointeeTy->isIncompleteType() && 3645 (Context.getTypeSize(PointeeTy) == Context.getCharWidth())) 3646 ActionIdx = 2; // If the pointee's size is sizeof(char), 3647 // suggest an explicit length. 3648 3649 // If the function is defined as a builtin macro, do not show macro 3650 // expansion. 3651 SourceLocation SL = SizeOfArg->getExprLoc(); 3652 SourceRange DSR = Dest->getSourceRange(); 3653 SourceRange SSR = SizeOfArg->getSourceRange(); 3654 SourceManager &SM = PP.getSourceManager(); 3655 3656 if (SM.isMacroArgExpansion(SL)) { 3657 ReadableName = Lexer::getImmediateMacroName(SL, SM, LangOpts); 3658 SL = SM.getSpellingLoc(SL); 3659 DSR = SourceRange(SM.getSpellingLoc(DSR.getBegin()), 3660 SM.getSpellingLoc(DSR.getEnd())); 3661 SSR = SourceRange(SM.getSpellingLoc(SSR.getBegin()), 3662 SM.getSpellingLoc(SSR.getEnd())); 3663 } 3664 3665 DiagRuntimeBehavior(SL, SizeOfArg, 3666 PDiag(diag::warn_sizeof_pointer_expr_memaccess) 3667 << ReadableName 3668 << PointeeTy 3669 << DestTy 3670 << DSR 3671 << SSR); 3672 DiagRuntimeBehavior(SL, SizeOfArg, 3673 PDiag(diag::warn_sizeof_pointer_expr_memaccess_note) 3674 << ActionIdx 3675 << SSR); 3676 3677 break; 3678 } 3679 } 3680 3681 // Also check for cases where the sizeof argument is the exact same 3682 // type as the memory argument, and where it points to a user-defined 3683 // record type. 3684 if (SizeOfArgTy != QualType()) { 3685 if (PointeeTy->isRecordType() && 3686 Context.typesAreCompatible(SizeOfArgTy, DestTy)) { 3687 DiagRuntimeBehavior(LenExpr->getExprLoc(), Dest, 3688 PDiag(diag::warn_sizeof_pointer_type_memaccess) 3689 << FnName << SizeOfArgTy << ArgIdx 3690 << PointeeTy << Dest->getSourceRange() 3691 << LenExpr->getSourceRange()); 3692 break; 3693 } 3694 } 3695 3696 // Always complain about dynamic classes. 3697 if (isDynamicClassType(PointeeTy)) { 3698 3699 unsigned OperationType = 0; 3700 // "overwritten" if we're warning about the destination for any call 3701 // but memcmp; otherwise a verb appropriate to the call. 3702 if (ArgIdx != 0 || BId == Builtin::BImemcmp) { 3703 if (BId == Builtin::BImemcpy) 3704 OperationType = 1; 3705 else if(BId == Builtin::BImemmove) 3706 OperationType = 2; 3707 else if (BId == Builtin::BImemcmp) 3708 OperationType = 3; 3709 } 3710 3711 DiagRuntimeBehavior( 3712 Dest->getExprLoc(), Dest, 3713 PDiag(diag::warn_dyn_class_memaccess) 3714 << (BId == Builtin::BImemcmp ? ArgIdx + 2 : ArgIdx) 3715 << FnName << PointeeTy 3716 << OperationType 3717 << Call->getCallee()->getSourceRange()); 3718 } else if (PointeeTy.hasNonTrivialObjCLifetime() && 3719 BId != Builtin::BImemset) 3720 DiagRuntimeBehavior( 3721 Dest->getExprLoc(), Dest, 3722 PDiag(diag::warn_arc_object_memaccess) 3723 << ArgIdx << FnName << PointeeTy 3724 << Call->getCallee()->getSourceRange()); 3725 else 3726 continue; 3727 3728 DiagRuntimeBehavior( 3729 Dest->getExprLoc(), Dest, 3730 PDiag(diag::note_bad_memaccess_silence) 3731 << FixItHint::CreateInsertion(ArgRange.getBegin(), "(void*)")); 3732 break; 3733 } 3734 } 3735 } 3736 3737 // A little helper routine: ignore addition and subtraction of integer literals. 3738 // This intentionally does not ignore all integer constant expressions because 3739 // we don't want to remove sizeof(). 3740 static const Expr *ignoreLiteralAdditions(const Expr *Ex, ASTContext &Ctx) { 3741 Ex = Ex->IgnoreParenCasts(); 3742 3743 for (;;) { 3744 const BinaryOperator * BO = dyn_cast<BinaryOperator>(Ex); 3745 if (!BO || !BO->isAdditiveOp()) 3746 break; 3747 3748 const Expr *RHS = BO->getRHS()->IgnoreParenCasts(); 3749 const Expr *LHS = BO->getLHS()->IgnoreParenCasts(); 3750 3751 if (isa<IntegerLiteral>(RHS)) 3752 Ex = LHS; 3753 else if (isa<IntegerLiteral>(LHS)) 3754 Ex = RHS; 3755 else 3756 break; 3757 } 3758 3759 return Ex; 3760 } 3761 3762 static bool isConstantSizeArrayWithMoreThanOneElement(QualType Ty, 3763 ASTContext &Context) { 3764 // Only handle constant-sized or VLAs, but not flexible members. 3765 if (const ConstantArrayType *CAT = Context.getAsConstantArrayType(Ty)) { 3766 // Only issue the FIXIT for arrays of size > 1. 3767 if (CAT->getSize().getSExtValue() <= 1) 3768 return false; 3769 } else if (!Ty->isVariableArrayType()) { 3770 return false; 3771 } 3772 return true; 3773 } 3774 3775 // Warn if the user has made the 'size' argument to strlcpy or strlcat 3776 // be the size of the source, instead of the destination. 3777 void Sema::CheckStrlcpycatArguments(const CallExpr *Call, 3778 IdentifierInfo *FnName) { 3779 3780 // Don't crash if the user has the wrong number of arguments 3781 if (Call->getNumArgs() != 3) 3782 return; 3783 3784 const Expr *SrcArg = ignoreLiteralAdditions(Call->getArg(1), Context); 3785 const Expr *SizeArg = ignoreLiteralAdditions(Call->getArg(2), Context); 3786 const Expr *CompareWithSrc = NULL; 3787 3788 // Look for 'strlcpy(dst, x, sizeof(x))' 3789 if (const Expr *Ex = getSizeOfExprArg(SizeArg)) 3790 CompareWithSrc = Ex; 3791 else { 3792 // Look for 'strlcpy(dst, x, strlen(x))' 3793 if (const CallExpr *SizeCall = dyn_cast<CallExpr>(SizeArg)) { 3794 if (SizeCall->isBuiltinCall() == Builtin::BIstrlen 3795 && SizeCall->getNumArgs() == 1) 3796 CompareWithSrc = ignoreLiteralAdditions(SizeCall->getArg(0), Context); 3797 } 3798 } 3799 3800 if (!CompareWithSrc) 3801 return; 3802 3803 // Determine if the argument to sizeof/strlen is equal to the source 3804 // argument. In principle there's all kinds of things you could do 3805 // here, for instance creating an == expression and evaluating it with 3806 // EvaluateAsBooleanCondition, but this uses a more direct technique: 3807 const DeclRefExpr *SrcArgDRE = dyn_cast<DeclRefExpr>(SrcArg); 3808 if (!SrcArgDRE) 3809 return; 3810 3811 const DeclRefExpr *CompareWithSrcDRE = dyn_cast<DeclRefExpr>(CompareWithSrc); 3812 if (!CompareWithSrcDRE || 3813 SrcArgDRE->getDecl() != CompareWithSrcDRE->getDecl()) 3814 return; 3815 3816 const Expr *OriginalSizeArg = Call->getArg(2); 3817 Diag(CompareWithSrcDRE->getLocStart(), diag::warn_strlcpycat_wrong_size) 3818 << OriginalSizeArg->getSourceRange() << FnName; 3819 3820 // Output a FIXIT hint if the destination is an array (rather than a 3821 // pointer to an array). This could be enhanced to handle some 3822 // pointers if we know the actual size, like if DstArg is 'array+2' 3823 // we could say 'sizeof(array)-2'. 3824 const Expr *DstArg = Call->getArg(0)->IgnoreParenImpCasts(); 3825 if (!isConstantSizeArrayWithMoreThanOneElement(DstArg->getType(), Context)) 3826 return; 3827 3828 SmallString<128> sizeString; 3829 llvm::raw_svector_ostream OS(sizeString); 3830 OS << "sizeof("; 3831 DstArg->printPretty(OS, 0, getPrintingPolicy()); 3832 OS << ")"; 3833 3834 Diag(OriginalSizeArg->getLocStart(), diag::note_strlcpycat_wrong_size) 3835 << FixItHint::CreateReplacement(OriginalSizeArg->getSourceRange(), 3836 OS.str()); 3837 } 3838 3839 /// Check if two expressions refer to the same declaration. 3840 static bool referToTheSameDecl(const Expr *E1, const Expr *E2) { 3841 if (const DeclRefExpr *D1 = dyn_cast_or_null<DeclRefExpr>(E1)) 3842 if (const DeclRefExpr *D2 = dyn_cast_or_null<DeclRefExpr>(E2)) 3843 return D1->getDecl() == D2->getDecl(); 3844 return false; 3845 } 3846 3847 static const Expr *getStrlenExprArg(const Expr *E) { 3848 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { 3849 const FunctionDecl *FD = CE->getDirectCallee(); 3850 if (!FD || FD->getMemoryFunctionKind() != Builtin::BIstrlen) 3851 return 0; 3852 return CE->getArg(0)->IgnoreParenCasts(); 3853 } 3854 return 0; 3855 } 3856 3857 // Warn on anti-patterns as the 'size' argument to strncat. 3858 // The correct size argument should look like following: 3859 // strncat(dst, src, sizeof(dst) - strlen(dest) - 1); 3860 void Sema::CheckStrncatArguments(const CallExpr *CE, 3861 IdentifierInfo *FnName) { 3862 // Don't crash if the user has the wrong number of arguments. 3863 if (CE->getNumArgs() < 3) 3864 return; 3865 const Expr *DstArg = CE->getArg(0)->IgnoreParenCasts(); 3866 const Expr *SrcArg = CE->getArg(1)->IgnoreParenCasts(); 3867 const Expr *LenArg = CE->getArg(2)->IgnoreParenCasts(); 3868 3869 // Identify common expressions, which are wrongly used as the size argument 3870 // to strncat and may lead to buffer overflows. 3871 unsigned PatternType = 0; 3872 if (const Expr *SizeOfArg = getSizeOfExprArg(LenArg)) { 3873 // - sizeof(dst) 3874 if (referToTheSameDecl(SizeOfArg, DstArg)) 3875 PatternType = 1; 3876 // - sizeof(src) 3877 else if (referToTheSameDecl(SizeOfArg, SrcArg)) 3878 PatternType = 2; 3879 } else if (const BinaryOperator *BE = dyn_cast<BinaryOperator>(LenArg)) { 3880 if (BE->getOpcode() == BO_Sub) { 3881 const Expr *L = BE->getLHS()->IgnoreParenCasts(); 3882 const Expr *R = BE->getRHS()->IgnoreParenCasts(); 3883 // - sizeof(dst) - strlen(dst) 3884 if (referToTheSameDecl(DstArg, getSizeOfExprArg(L)) && 3885 referToTheSameDecl(DstArg, getStrlenExprArg(R))) 3886 PatternType = 1; 3887 // - sizeof(src) - (anything) 3888 else if (referToTheSameDecl(SrcArg, getSizeOfExprArg(L))) 3889 PatternType = 2; 3890 } 3891 } 3892 3893 if (PatternType == 0) 3894 return; 3895 3896 // Generate the diagnostic. 3897 SourceLocation SL = LenArg->getLocStart(); 3898 SourceRange SR = LenArg->getSourceRange(); 3899 SourceManager &SM = PP.getSourceManager(); 3900 3901 // If the function is defined as a builtin macro, do not show macro expansion. 3902 if (SM.isMacroArgExpansion(SL)) { 3903 SL = SM.getSpellingLoc(SL); 3904 SR = SourceRange(SM.getSpellingLoc(SR.getBegin()), 3905 SM.getSpellingLoc(SR.getEnd())); 3906 } 3907 3908 // Check if the destination is an array (rather than a pointer to an array). 3909 QualType DstTy = DstArg->getType(); 3910 bool isKnownSizeArray = isConstantSizeArrayWithMoreThanOneElement(DstTy, 3911 Context); 3912 if (!isKnownSizeArray) { 3913 if (PatternType == 1) 3914 Diag(SL, diag::warn_strncat_wrong_size) << SR; 3915 else 3916 Diag(SL, diag::warn_strncat_src_size) << SR; 3917 return; 3918 } 3919 3920 if (PatternType == 1) 3921 Diag(SL, diag::warn_strncat_large_size) << SR; 3922 else 3923 Diag(SL, diag::warn_strncat_src_size) << SR; 3924 3925 SmallString<128> sizeString; 3926 llvm::raw_svector_ostream OS(sizeString); 3927 OS << "sizeof("; 3928 DstArg->printPretty(OS, 0, getPrintingPolicy()); 3929 OS << ") - "; 3930 OS << "strlen("; 3931 DstArg->printPretty(OS, 0, getPrintingPolicy()); 3932 OS << ") - 1"; 3933 3934 Diag(SL, diag::note_strncat_wrong_size) 3935 << FixItHint::CreateReplacement(SR, OS.str()); 3936 } 3937 3938 //===--- CHECK: Return Address of Stack Variable --------------------------===// 3939 3940 static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars, 3941 Decl *ParentDecl); 3942 static Expr *EvalAddr(Expr* E, SmallVectorImpl<DeclRefExpr *> &refVars, 3943 Decl *ParentDecl); 3944 3945 /// CheckReturnStackAddr - Check if a return statement returns the address 3946 /// of a stack variable. 3947 void 3948 Sema::CheckReturnStackAddr(Expr *RetValExp, QualType lhsType, 3949 SourceLocation ReturnLoc) { 3950 3951 Expr *stackE = 0; 3952 SmallVector<DeclRefExpr *, 8> refVars; 3953 3954 // Perform checking for returned stack addresses, local blocks, 3955 // label addresses or references to temporaries. 3956 if (lhsType->isPointerType() || 3957 (!getLangOpts().ObjCAutoRefCount && lhsType->isBlockPointerType())) { 3958 stackE = EvalAddr(RetValExp, refVars, /*ParentDecl=*/0); 3959 } else if (lhsType->isReferenceType()) { 3960 stackE = EvalVal(RetValExp, refVars, /*ParentDecl=*/0); 3961 } 3962 3963 if (stackE == 0) 3964 return; // Nothing suspicious was found. 3965 3966 SourceLocation diagLoc; 3967 SourceRange diagRange; 3968 if (refVars.empty()) { 3969 diagLoc = stackE->getLocStart(); 3970 diagRange = stackE->getSourceRange(); 3971 } else { 3972 // We followed through a reference variable. 'stackE' contains the 3973 // problematic expression but we will warn at the return statement pointing 3974 // at the reference variable. We will later display the "trail" of 3975 // reference variables using notes. 3976 diagLoc = refVars[0]->getLocStart(); 3977 diagRange = refVars[0]->getSourceRange(); 3978 } 3979 3980 if (DeclRefExpr *DR = dyn_cast<DeclRefExpr>(stackE)) { //address of local var. 3981 Diag(diagLoc, lhsType->isReferenceType() ? diag::warn_ret_stack_ref 3982 : diag::warn_ret_stack_addr) 3983 << DR->getDecl()->getDeclName() << diagRange; 3984 } else if (isa<BlockExpr>(stackE)) { // local block. 3985 Diag(diagLoc, diag::err_ret_local_block) << diagRange; 3986 } else if (isa<AddrLabelExpr>(stackE)) { // address of label. 3987 Diag(diagLoc, diag::warn_ret_addr_label) << diagRange; 3988 } else { // local temporary. 3989 Diag(diagLoc, lhsType->isReferenceType() ? diag::warn_ret_local_temp_ref 3990 : diag::warn_ret_local_temp_addr) 3991 << diagRange; 3992 } 3993 3994 // Display the "trail" of reference variables that we followed until we 3995 // found the problematic expression using notes. 3996 for (unsigned i = 0, e = refVars.size(); i != e; ++i) { 3997 VarDecl *VD = cast<VarDecl>(refVars[i]->getDecl()); 3998 // If this var binds to another reference var, show the range of the next 3999 // var, otherwise the var binds to the problematic expression, in which case 4000 // show the range of the expression. 4001 SourceRange range = (i < e-1) ? refVars[i+1]->getSourceRange() 4002 : stackE->getSourceRange(); 4003 Diag(VD->getLocation(), diag::note_ref_var_local_bind) 4004 << VD->getDeclName() << range; 4005 } 4006 } 4007 4008 /// EvalAddr - EvalAddr and EvalVal are mutually recursive functions that 4009 /// check if the expression in a return statement evaluates to an address 4010 /// to a location on the stack, a local block, an address of a label, or a 4011 /// reference to local temporary. The recursion is used to traverse the 4012 /// AST of the return expression, with recursion backtracking when we 4013 /// encounter a subexpression that (1) clearly does not lead to one of the 4014 /// above problematic expressions (2) is something we cannot determine leads to 4015 /// a problematic expression based on such local checking. 4016 /// 4017 /// Both EvalAddr and EvalVal follow through reference variables to evaluate 4018 /// the expression that they point to. Such variables are added to the 4019 /// 'refVars' vector so that we know what the reference variable "trail" was. 4020 /// 4021 /// EvalAddr processes expressions that are pointers that are used as 4022 /// references (and not L-values). EvalVal handles all other values. 4023 /// At the base case of the recursion is a check for the above problematic 4024 /// expressions. 4025 /// 4026 /// This implementation handles: 4027 /// 4028 /// * pointer-to-pointer casts 4029 /// * implicit conversions from array references to pointers 4030 /// * taking the address of fields 4031 /// * arbitrary interplay between "&" and "*" operators 4032 /// * pointer arithmetic from an address of a stack variable 4033 /// * taking the address of an array element where the array is on the stack 4034 static Expr *EvalAddr(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars, 4035 Decl *ParentDecl) { 4036 if (E->isTypeDependent()) 4037 return NULL; 4038 4039 // We should only be called for evaluating pointer expressions. 4040 assert((E->getType()->isAnyPointerType() || 4041 E->getType()->isBlockPointerType() || 4042 E->getType()->isObjCQualifiedIdType()) && 4043 "EvalAddr only works on pointers"); 4044 4045 E = E->IgnoreParens(); 4046 4047 // Our "symbolic interpreter" is just a dispatch off the currently 4048 // viewed AST node. We then recursively traverse the AST by calling 4049 // EvalAddr and EvalVal appropriately. 4050 switch (E->getStmtClass()) { 4051 case Stmt::DeclRefExprClass: { 4052 DeclRefExpr *DR = cast<DeclRefExpr>(E); 4053 4054 if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) 4055 // If this is a reference variable, follow through to the expression that 4056 // it points to. 4057 if (V->hasLocalStorage() && 4058 V->getType()->isReferenceType() && V->hasInit()) { 4059 // Add the reference variable to the "trail". 4060 refVars.push_back(DR); 4061 return EvalAddr(V->getInit(), refVars, ParentDecl); 4062 } 4063 4064 return NULL; 4065 } 4066 4067 case Stmt::UnaryOperatorClass: { 4068 // The only unary operator that make sense to handle here 4069 // is AddrOf. All others don't make sense as pointers. 4070 UnaryOperator *U = cast<UnaryOperator>(E); 4071 4072 if (U->getOpcode() == UO_AddrOf) 4073 return EvalVal(U->getSubExpr(), refVars, ParentDecl); 4074 else 4075 return NULL; 4076 } 4077 4078 case Stmt::BinaryOperatorClass: { 4079 // Handle pointer arithmetic. All other binary operators are not valid 4080 // in this context. 4081 BinaryOperator *B = cast<BinaryOperator>(E); 4082 BinaryOperatorKind op = B->getOpcode(); 4083 4084 if (op != BO_Add && op != BO_Sub) 4085 return NULL; 4086 4087 Expr *Base = B->getLHS(); 4088 4089 // Determine which argument is the real pointer base. It could be 4090 // the RHS argument instead of the LHS. 4091 if (!Base->getType()->isPointerType()) Base = B->getRHS(); 4092 4093 assert (Base->getType()->isPointerType()); 4094 return EvalAddr(Base, refVars, ParentDecl); 4095 } 4096 4097 // For conditional operators we need to see if either the LHS or RHS are 4098 // valid DeclRefExpr*s. If one of them is valid, we return it. 4099 case Stmt::ConditionalOperatorClass: { 4100 ConditionalOperator *C = cast<ConditionalOperator>(E); 4101 4102 // Handle the GNU extension for missing LHS. 4103 if (Expr *lhsExpr = C->getLHS()) { 4104 // In C++, we can have a throw-expression, which has 'void' type. 4105 if (!lhsExpr->getType()->isVoidType()) 4106 if (Expr* LHS = EvalAddr(lhsExpr, refVars, ParentDecl)) 4107 return LHS; 4108 } 4109 4110 // In C++, we can have a throw-expression, which has 'void' type. 4111 if (C->getRHS()->getType()->isVoidType()) 4112 return NULL; 4113 4114 return EvalAddr(C->getRHS(), refVars, ParentDecl); 4115 } 4116 4117 case Stmt::BlockExprClass: 4118 if (cast<BlockExpr>(E)->getBlockDecl()->hasCaptures()) 4119 return E; // local block. 4120 return NULL; 4121 4122 case Stmt::AddrLabelExprClass: 4123 return E; // address of label. 4124 4125 case Stmt::ExprWithCleanupsClass: 4126 return EvalAddr(cast<ExprWithCleanups>(E)->getSubExpr(), refVars, 4127 ParentDecl); 4128 4129 // For casts, we need to handle conversions from arrays to 4130 // pointer values, and pointer-to-pointer conversions. 4131 case Stmt::ImplicitCastExprClass: 4132 case Stmt::CStyleCastExprClass: 4133 case Stmt::CXXFunctionalCastExprClass: 4134 case Stmt::ObjCBridgedCastExprClass: 4135 case Stmt::CXXStaticCastExprClass: 4136 case Stmt::CXXDynamicCastExprClass: 4137 case Stmt::CXXConstCastExprClass: 4138 case Stmt::CXXReinterpretCastExprClass: { 4139 Expr* SubExpr = cast<CastExpr>(E)->getSubExpr(); 4140 switch (cast<CastExpr>(E)->getCastKind()) { 4141 case CK_BitCast: 4142 case CK_LValueToRValue: 4143 case CK_NoOp: 4144 case CK_BaseToDerived: 4145 case CK_DerivedToBase: 4146 case CK_UncheckedDerivedToBase: 4147 case CK_Dynamic: 4148 case CK_CPointerToObjCPointerCast: 4149 case CK_BlockPointerToObjCPointerCast: 4150 case CK_AnyPointerToBlockPointerCast: 4151 return EvalAddr(SubExpr, refVars, ParentDecl); 4152 4153 case CK_ArrayToPointerDecay: 4154 return EvalVal(SubExpr, refVars, ParentDecl); 4155 4156 default: 4157 return 0; 4158 } 4159 } 4160 4161 case Stmt::MaterializeTemporaryExprClass: 4162 if (Expr *Result = EvalAddr( 4163 cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(), 4164 refVars, ParentDecl)) 4165 return Result; 4166 4167 return E; 4168 4169 // Everything else: we simply don't reason about them. 4170 default: 4171 return NULL; 4172 } 4173 } 4174 4175 4176 /// EvalVal - This function is complements EvalAddr in the mutual recursion. 4177 /// See the comments for EvalAddr for more details. 4178 static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars, 4179 Decl *ParentDecl) { 4180 do { 4181 // We should only be called for evaluating non-pointer expressions, or 4182 // expressions with a pointer type that are not used as references but instead 4183 // are l-values (e.g., DeclRefExpr with a pointer type). 4184 4185 // Our "symbolic interpreter" is just a dispatch off the currently 4186 // viewed AST node. We then recursively traverse the AST by calling 4187 // EvalAddr and EvalVal appropriately. 4188 4189 E = E->IgnoreParens(); 4190 switch (E->getStmtClass()) { 4191 case Stmt::ImplicitCastExprClass: { 4192 ImplicitCastExpr *IE = cast<ImplicitCastExpr>(E); 4193 if (IE->getValueKind() == VK_LValue) { 4194 E = IE->getSubExpr(); 4195 continue; 4196 } 4197 return NULL; 4198 } 4199 4200 case Stmt::ExprWithCleanupsClass: 4201 return EvalVal(cast<ExprWithCleanups>(E)->getSubExpr(), refVars,ParentDecl); 4202 4203 case Stmt::DeclRefExprClass: { 4204 // When we hit a DeclRefExpr we are looking at code that refers to a 4205 // variable's name. If it's not a reference variable we check if it has 4206 // local storage within the function, and if so, return the expression. 4207 DeclRefExpr *DR = cast<DeclRefExpr>(E); 4208 4209 if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) { 4210 // Check if it refers to itself, e.g. "int& i = i;". 4211 if (V == ParentDecl) 4212 return DR; 4213 4214 if (V->hasLocalStorage()) { 4215 if (!V->getType()->isReferenceType()) 4216 return DR; 4217 4218 // Reference variable, follow through to the expression that 4219 // it points to. 4220 if (V->hasInit()) { 4221 // Add the reference variable to the "trail". 4222 refVars.push_back(DR); 4223 return EvalVal(V->getInit(), refVars, V); 4224 } 4225 } 4226 } 4227 4228 return NULL; 4229 } 4230 4231 case Stmt::UnaryOperatorClass: { 4232 // The only unary operator that make sense to handle here 4233 // is Deref. All others don't resolve to a "name." This includes 4234 // handling all sorts of rvalues passed to a unary operator. 4235 UnaryOperator *U = cast<UnaryOperator>(E); 4236 4237 if (U->getOpcode() == UO_Deref) 4238 return EvalAddr(U->getSubExpr(), refVars, ParentDecl); 4239 4240 return NULL; 4241 } 4242 4243 case Stmt::ArraySubscriptExprClass: { 4244 // Array subscripts are potential references to data on the stack. We 4245 // retrieve the DeclRefExpr* for the array variable if it indeed 4246 // has local storage. 4247 return EvalAddr(cast<ArraySubscriptExpr>(E)->getBase(), refVars,ParentDecl); 4248 } 4249 4250 case Stmt::ConditionalOperatorClass: { 4251 // For conditional operators we need to see if either the LHS or RHS are 4252 // non-NULL Expr's. If one is non-NULL, we return it. 4253 ConditionalOperator *C = cast<ConditionalOperator>(E); 4254 4255 // Handle the GNU extension for missing LHS. 4256 if (Expr *lhsExpr = C->getLHS()) 4257 if (Expr *LHS = EvalVal(lhsExpr, refVars, ParentDecl)) 4258 return LHS; 4259 4260 return EvalVal(C->getRHS(), refVars, ParentDecl); 4261 } 4262 4263 // Accesses to members are potential references to data on the stack. 4264 case Stmt::MemberExprClass: { 4265 MemberExpr *M = cast<MemberExpr>(E); 4266 4267 // Check for indirect access. We only want direct field accesses. 4268 if (M->isArrow()) 4269 return NULL; 4270 4271 // Check whether the member type is itself a reference, in which case 4272 // we're not going to refer to the member, but to what the member refers to. 4273 if (M->getMemberDecl()->getType()->isReferenceType()) 4274 return NULL; 4275 4276 return EvalVal(M->getBase(), refVars, ParentDecl); 4277 } 4278 4279 case Stmt::MaterializeTemporaryExprClass: 4280 if (Expr *Result = EvalVal( 4281 cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(), 4282 refVars, ParentDecl)) 4283 return Result; 4284 4285 return E; 4286 4287 default: 4288 // Check that we don't return or take the address of a reference to a 4289 // temporary. This is only useful in C++. 4290 if (!E->isTypeDependent() && E->isRValue()) 4291 return E; 4292 4293 // Everything else: we simply don't reason about them. 4294 return NULL; 4295 } 4296 } while (true); 4297 } 4298 4299 //===--- CHECK: Floating-Point comparisons (-Wfloat-equal) ---------------===// 4300 4301 /// Check for comparisons of floating point operands using != and ==. 4302 /// Issue a warning if these are no self-comparisons, as they are not likely 4303 /// to do what the programmer intended. 4304 void Sema::CheckFloatComparison(SourceLocation Loc, Expr* LHS, Expr *RHS) { 4305 Expr* LeftExprSansParen = LHS->IgnoreParenImpCasts(); 4306 Expr* RightExprSansParen = RHS->IgnoreParenImpCasts(); 4307 4308 // Special case: check for x == x (which is OK). 4309 // Do not emit warnings for such cases. 4310 if (DeclRefExpr* DRL = dyn_cast<DeclRefExpr>(LeftExprSansParen)) 4311 if (DeclRefExpr* DRR = dyn_cast<DeclRefExpr>(RightExprSansParen)) 4312 if (DRL->getDecl() == DRR->getDecl()) 4313 return; 4314 4315 4316 // Special case: check for comparisons against literals that can be exactly 4317 // represented by APFloat. In such cases, do not emit a warning. This 4318 // is a heuristic: often comparison against such literals are used to 4319 // detect if a value in a variable has not changed. This clearly can 4320 // lead to false negatives. 4321 if (FloatingLiteral* FLL = dyn_cast<FloatingLiteral>(LeftExprSansParen)) { 4322 if (FLL->isExact()) 4323 return; 4324 } else 4325 if (FloatingLiteral* FLR = dyn_cast<FloatingLiteral>(RightExprSansParen)) 4326 if (FLR->isExact()) 4327 return; 4328 4329 // Check for comparisons with builtin types. 4330 if (CallExpr* CL = dyn_cast<CallExpr>(LeftExprSansParen)) 4331 if (CL->isBuiltinCall()) 4332 return; 4333 4334 if (CallExpr* CR = dyn_cast<CallExpr>(RightExprSansParen)) 4335 if (CR->isBuiltinCall()) 4336 return; 4337 4338 // Emit the diagnostic. 4339 Diag(Loc, diag::warn_floatingpoint_eq) 4340 << LHS->getSourceRange() << RHS->getSourceRange(); 4341 } 4342 4343 //===--- CHECK: Integer mixed-sign comparisons (-Wsign-compare) --------===// 4344 //===--- CHECK: Lossy implicit conversions (-Wconversion) --------------===// 4345 4346 namespace { 4347 4348 /// Structure recording the 'active' range of an integer-valued 4349 /// expression. 4350 struct IntRange { 4351 /// The number of bits active in the int. 4352 unsigned Width; 4353 4354 /// True if the int is known not to have negative values. 4355 bool NonNegative; 4356 4357 IntRange(unsigned Width, bool NonNegative) 4358 : Width(Width), NonNegative(NonNegative) 4359 {} 4360 4361 /// Returns the range of the bool type. 4362 static IntRange forBoolType() { 4363 return IntRange(1, true); 4364 } 4365 4366 /// Returns the range of an opaque value of the given integral type. 4367 static IntRange forValueOfType(ASTContext &C, QualType T) { 4368 return forValueOfCanonicalType(C, 4369 T->getCanonicalTypeInternal().getTypePtr()); 4370 } 4371 4372 /// Returns the range of an opaque value of a canonical integral type. 4373 static IntRange forValueOfCanonicalType(ASTContext &C, const Type *T) { 4374 assert(T->isCanonicalUnqualified()); 4375 4376 if (const VectorType *VT = dyn_cast<VectorType>(T)) 4377 T = VT->getElementType().getTypePtr(); 4378 if (const ComplexType *CT = dyn_cast<ComplexType>(T)) 4379 T = CT->getElementType().getTypePtr(); 4380 4381 // For enum types, use the known bit width of the enumerators. 4382 if (const EnumType *ET = dyn_cast<EnumType>(T)) { 4383 EnumDecl *Enum = ET->getDecl(); 4384 if (!Enum->isCompleteDefinition()) 4385 return IntRange(C.getIntWidth(QualType(T, 0)), false); 4386 4387 unsigned NumPositive = Enum->getNumPositiveBits(); 4388 unsigned NumNegative = Enum->getNumNegativeBits(); 4389 4390 if (NumNegative == 0) 4391 return IntRange(NumPositive, true/*NonNegative*/); 4392 else 4393 return IntRange(std::max(NumPositive + 1, NumNegative), 4394 false/*NonNegative*/); 4395 } 4396 4397 const BuiltinType *BT = cast<BuiltinType>(T); 4398 assert(BT->isInteger()); 4399 4400 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); 4401 } 4402 4403 /// Returns the "target" range of a canonical integral type, i.e. 4404 /// the range of values expressible in the type. 4405 /// 4406 /// This matches forValueOfCanonicalType except that enums have the 4407 /// full range of their type, not the range of their enumerators. 4408 static IntRange forTargetOfCanonicalType(ASTContext &C, const Type *T) { 4409 assert(T->isCanonicalUnqualified()); 4410 4411 if (const VectorType *VT = dyn_cast<VectorType>(T)) 4412 T = VT->getElementType().getTypePtr(); 4413 if (const ComplexType *CT = dyn_cast<ComplexType>(T)) 4414 T = CT->getElementType().getTypePtr(); 4415 if (const EnumType *ET = dyn_cast<EnumType>(T)) 4416 T = C.getCanonicalType(ET->getDecl()->getIntegerType()).getTypePtr(); 4417 4418 const BuiltinType *BT = cast<BuiltinType>(T); 4419 assert(BT->isInteger()); 4420 4421 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); 4422 } 4423 4424 /// Returns the supremum of two ranges: i.e. their conservative merge. 4425 static IntRange join(IntRange L, IntRange R) { 4426 return IntRange(std::max(L.Width, R.Width), 4427 L.NonNegative && R.NonNegative); 4428 } 4429 4430 /// Returns the infinum of two ranges: i.e. their aggressive merge. 4431 static IntRange meet(IntRange L, IntRange R) { 4432 return IntRange(std::min(L.Width, R.Width), 4433 L.NonNegative || R.NonNegative); 4434 } 4435 }; 4436 4437 static IntRange GetValueRange(ASTContext &C, llvm::APSInt &value, 4438 unsigned MaxWidth) { 4439 if (value.isSigned() && value.isNegative()) 4440 return IntRange(value.getMinSignedBits(), false); 4441 4442 if (value.getBitWidth() > MaxWidth) 4443 value = value.trunc(MaxWidth); 4444 4445 // isNonNegative() just checks the sign bit without considering 4446 // signedness. 4447 return IntRange(value.getActiveBits(), true); 4448 } 4449 4450 static IntRange GetValueRange(ASTContext &C, APValue &result, QualType Ty, 4451 unsigned MaxWidth) { 4452 if (result.isInt()) 4453 return GetValueRange(C, result.getInt(), MaxWidth); 4454 4455 if (result.isVector()) { 4456 IntRange R = GetValueRange(C, result.getVectorElt(0), Ty, MaxWidth); 4457 for (unsigned i = 1, e = result.getVectorLength(); i != e; ++i) { 4458 IntRange El = GetValueRange(C, result.getVectorElt(i), Ty, MaxWidth); 4459 R = IntRange::join(R, El); 4460 } 4461 return R; 4462 } 4463 4464 if (result.isComplexInt()) { 4465 IntRange R = GetValueRange(C, result.getComplexIntReal(), MaxWidth); 4466 IntRange I = GetValueRange(C, result.getComplexIntImag(), MaxWidth); 4467 return IntRange::join(R, I); 4468 } 4469 4470 // This can happen with lossless casts to intptr_t of "based" lvalues. 4471 // Assume it might use arbitrary bits. 4472 // FIXME: The only reason we need to pass the type in here is to get 4473 // the sign right on this one case. It would be nice if APValue 4474 // preserved this. 4475 assert(result.isLValue() || result.isAddrLabelDiff()); 4476 return IntRange(MaxWidth, Ty->isUnsignedIntegerOrEnumerationType()); 4477 } 4478 4479 static QualType GetExprType(Expr *E) { 4480 QualType Ty = E->getType(); 4481 if (const AtomicType *AtomicRHS = Ty->getAs<AtomicType>()) 4482 Ty = AtomicRHS->getValueType(); 4483 return Ty; 4484 } 4485 4486 /// Pseudo-evaluate the given integer expression, estimating the 4487 /// range of values it might take. 4488 /// 4489 /// \param MaxWidth - the width to which the value will be truncated 4490 static IntRange GetExprRange(ASTContext &C, Expr *E, unsigned MaxWidth) { 4491 E = E->IgnoreParens(); 4492 4493 // Try a full evaluation first. 4494 Expr::EvalResult result; 4495 if (E->EvaluateAsRValue(result, C)) 4496 return GetValueRange(C, result.Val, GetExprType(E), MaxWidth); 4497 4498 // I think we only want to look through implicit casts here; if the 4499 // user has an explicit widening cast, we should treat the value as 4500 // being of the new, wider type. 4501 if (ImplicitCastExpr *CE = dyn_cast<ImplicitCastExpr>(E)) { 4502 if (CE->getCastKind() == CK_NoOp || CE->getCastKind() == CK_LValueToRValue) 4503 return GetExprRange(C, CE->getSubExpr(), MaxWidth); 4504 4505 IntRange OutputTypeRange = IntRange::forValueOfType(C, GetExprType(CE)); 4506 4507 bool isIntegerCast = (CE->getCastKind() == CK_IntegralCast); 4508 4509 // Assume that non-integer casts can span the full range of the type. 4510 if (!isIntegerCast) 4511 return OutputTypeRange; 4512 4513 IntRange SubRange 4514 = GetExprRange(C, CE->getSubExpr(), 4515 std::min(MaxWidth, OutputTypeRange.Width)); 4516 4517 // Bail out if the subexpr's range is as wide as the cast type. 4518 if (SubRange.Width >= OutputTypeRange.Width) 4519 return OutputTypeRange; 4520 4521 // Otherwise, we take the smaller width, and we're non-negative if 4522 // either the output type or the subexpr is. 4523 return IntRange(SubRange.Width, 4524 SubRange.NonNegative || OutputTypeRange.NonNegative); 4525 } 4526 4527 if (ConditionalOperator *CO = dyn_cast<ConditionalOperator>(E)) { 4528 // If we can fold the condition, just take that operand. 4529 bool CondResult; 4530 if (CO->getCond()->EvaluateAsBooleanCondition(CondResult, C)) 4531 return GetExprRange(C, CondResult ? CO->getTrueExpr() 4532 : CO->getFalseExpr(), 4533 MaxWidth); 4534 4535 // Otherwise, conservatively merge. 4536 IntRange L = GetExprRange(C, CO->getTrueExpr(), MaxWidth); 4537 IntRange R = GetExprRange(C, CO->getFalseExpr(), MaxWidth); 4538 return IntRange::join(L, R); 4539 } 4540 4541 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 4542 switch (BO->getOpcode()) { 4543 4544 // Boolean-valued operations are single-bit and positive. 4545 case BO_LAnd: 4546 case BO_LOr: 4547 case BO_LT: 4548 case BO_GT: 4549 case BO_LE: 4550 case BO_GE: 4551 case BO_EQ: 4552 case BO_NE: 4553 return IntRange::forBoolType(); 4554 4555 // The type of the assignments is the type of the LHS, so the RHS 4556 // is not necessarily the same type. 4557 case BO_MulAssign: 4558 case BO_DivAssign: 4559 case BO_RemAssign: 4560 case BO_AddAssign: 4561 case BO_SubAssign: 4562 case BO_XorAssign: 4563 case BO_OrAssign: 4564 // TODO: bitfields? 4565 return IntRange::forValueOfType(C, GetExprType(E)); 4566 4567 // Simple assignments just pass through the RHS, which will have 4568 // been coerced to the LHS type. 4569 case BO_Assign: 4570 // TODO: bitfields? 4571 return GetExprRange(C, BO->getRHS(), MaxWidth); 4572 4573 // Operations with opaque sources are black-listed. 4574 case BO_PtrMemD: 4575 case BO_PtrMemI: 4576 return IntRange::forValueOfType(C, GetExprType(E)); 4577 4578 // Bitwise-and uses the *infinum* of the two source ranges. 4579 case BO_And: 4580 case BO_AndAssign: 4581 return IntRange::meet(GetExprRange(C, BO->getLHS(), MaxWidth), 4582 GetExprRange(C, BO->getRHS(), MaxWidth)); 4583 4584 // Left shift gets black-listed based on a judgement call. 4585 case BO_Shl: 4586 // ...except that we want to treat '1 << (blah)' as logically 4587 // positive. It's an important idiom. 4588 if (IntegerLiteral *I 4589 = dyn_cast<IntegerLiteral>(BO->getLHS()->IgnoreParenCasts())) { 4590 if (I->getValue() == 1) { 4591 IntRange R = IntRange::forValueOfType(C, GetExprType(E)); 4592 return IntRange(R.Width, /*NonNegative*/ true); 4593 } 4594 } 4595 // fallthrough 4596 4597 case BO_ShlAssign: 4598 return IntRange::forValueOfType(C, GetExprType(E)); 4599 4600 // Right shift by a constant can narrow its left argument. 4601 case BO_Shr: 4602 case BO_ShrAssign: { 4603 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 4604 4605 // If the shift amount is a positive constant, drop the width by 4606 // that much. 4607 llvm::APSInt shift; 4608 if (BO->getRHS()->isIntegerConstantExpr(shift, C) && 4609 shift.isNonNegative()) { 4610 unsigned zext = shift.getZExtValue(); 4611 if (zext >= L.Width) 4612 L.Width = (L.NonNegative ? 0 : 1); 4613 else 4614 L.Width -= zext; 4615 } 4616 4617 return L; 4618 } 4619 4620 // Comma acts as its right operand. 4621 case BO_Comma: 4622 return GetExprRange(C, BO->getRHS(), MaxWidth); 4623 4624 // Black-list pointer subtractions. 4625 case BO_Sub: 4626 if (BO->getLHS()->getType()->isPointerType()) 4627 return IntRange::forValueOfType(C, GetExprType(E)); 4628 break; 4629 4630 // The width of a division result is mostly determined by the size 4631 // of the LHS. 4632 case BO_Div: { 4633 // Don't 'pre-truncate' the operands. 4634 unsigned opWidth = C.getIntWidth(GetExprType(E)); 4635 IntRange L = GetExprRange(C, BO->getLHS(), opWidth); 4636 4637 // If the divisor is constant, use that. 4638 llvm::APSInt divisor; 4639 if (BO->getRHS()->isIntegerConstantExpr(divisor, C)) { 4640 unsigned log2 = divisor.logBase2(); // floor(log_2(divisor)) 4641 if (log2 >= L.Width) 4642 L.Width = (L.NonNegative ? 0 : 1); 4643 else 4644 L.Width = std::min(L.Width - log2, MaxWidth); 4645 return L; 4646 } 4647 4648 // Otherwise, just use the LHS's width. 4649 IntRange R = GetExprRange(C, BO->getRHS(), opWidth); 4650 return IntRange(L.Width, L.NonNegative && R.NonNegative); 4651 } 4652 4653 // The result of a remainder can't be larger than the result of 4654 // either side. 4655 case BO_Rem: { 4656 // Don't 'pre-truncate' the operands. 4657 unsigned opWidth = C.getIntWidth(GetExprType(E)); 4658 IntRange L = GetExprRange(C, BO->getLHS(), opWidth); 4659 IntRange R = GetExprRange(C, BO->getRHS(), opWidth); 4660 4661 IntRange meet = IntRange::meet(L, R); 4662 meet.Width = std::min(meet.Width, MaxWidth); 4663 return meet; 4664 } 4665 4666 // The default behavior is okay for these. 4667 case BO_Mul: 4668 case BO_Add: 4669 case BO_Xor: 4670 case BO_Or: 4671 break; 4672 } 4673 4674 // The default case is to treat the operation as if it were closed 4675 // on the narrowest type that encompasses both operands. 4676 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 4677 IntRange R = GetExprRange(C, BO->getRHS(), MaxWidth); 4678 return IntRange::join(L, R); 4679 } 4680 4681 if (UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) { 4682 switch (UO->getOpcode()) { 4683 // Boolean-valued operations are white-listed. 4684 case UO_LNot: 4685 return IntRange::forBoolType(); 4686 4687 // Operations with opaque sources are black-listed. 4688 case UO_Deref: 4689 case UO_AddrOf: // should be impossible 4690 return IntRange::forValueOfType(C, GetExprType(E)); 4691 4692 default: 4693 return GetExprRange(C, UO->getSubExpr(), MaxWidth); 4694 } 4695 } 4696 4697 if (OpaqueValueExpr *OVE = dyn_cast<OpaqueValueExpr>(E)) 4698 return GetExprRange(C, OVE->getSourceExpr(), MaxWidth); 4699 4700 if (FieldDecl *BitField = E->getSourceBitField()) 4701 return IntRange(BitField->getBitWidthValue(C), 4702 BitField->getType()->isUnsignedIntegerOrEnumerationType()); 4703 4704 return IntRange::forValueOfType(C, GetExprType(E)); 4705 } 4706 4707 static IntRange GetExprRange(ASTContext &C, Expr *E) { 4708 return GetExprRange(C, E, C.getIntWidth(GetExprType(E))); 4709 } 4710 4711 /// Checks whether the given value, which currently has the given 4712 /// source semantics, has the same value when coerced through the 4713 /// target semantics. 4714 static bool IsSameFloatAfterCast(const llvm::APFloat &value, 4715 const llvm::fltSemantics &Src, 4716 const llvm::fltSemantics &Tgt) { 4717 llvm::APFloat truncated = value; 4718 4719 bool ignored; 4720 truncated.convert(Src, llvm::APFloat::rmNearestTiesToEven, &ignored); 4721 truncated.convert(Tgt, llvm::APFloat::rmNearestTiesToEven, &ignored); 4722 4723 return truncated.bitwiseIsEqual(value); 4724 } 4725 4726 /// Checks whether the given value, which currently has the given 4727 /// source semantics, has the same value when coerced through the 4728 /// target semantics. 4729 /// 4730 /// The value might be a vector of floats (or a complex number). 4731 static bool IsSameFloatAfterCast(const APValue &value, 4732 const llvm::fltSemantics &Src, 4733 const llvm::fltSemantics &Tgt) { 4734 if (value.isFloat()) 4735 return IsSameFloatAfterCast(value.getFloat(), Src, Tgt); 4736 4737 if (value.isVector()) { 4738 for (unsigned i = 0, e = value.getVectorLength(); i != e; ++i) 4739 if (!IsSameFloatAfterCast(value.getVectorElt(i), Src, Tgt)) 4740 return false; 4741 return true; 4742 } 4743 4744 assert(value.isComplexFloat()); 4745 return (IsSameFloatAfterCast(value.getComplexFloatReal(), Src, Tgt) && 4746 IsSameFloatAfterCast(value.getComplexFloatImag(), Src, Tgt)); 4747 } 4748 4749 static void AnalyzeImplicitConversions(Sema &S, Expr *E, SourceLocation CC); 4750 4751 static bool IsZero(Sema &S, Expr *E) { 4752 // Suppress cases where we are comparing against an enum constant. 4753 if (const DeclRefExpr *DR = 4754 dyn_cast<DeclRefExpr>(E->IgnoreParenImpCasts())) 4755 if (isa<EnumConstantDecl>(DR->getDecl())) 4756 return false; 4757 4758 // Suppress cases where the '0' value is expanded from a macro. 4759 if (E->getLocStart().isMacroID()) 4760 return false; 4761 4762 llvm::APSInt Value; 4763 return E->isIntegerConstantExpr(Value, S.Context) && Value == 0; 4764 } 4765 4766 static bool HasEnumType(Expr *E) { 4767 // Strip off implicit integral promotions. 4768 while (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) { 4769 if (ICE->getCastKind() != CK_IntegralCast && 4770 ICE->getCastKind() != CK_NoOp) 4771 break; 4772 E = ICE->getSubExpr(); 4773 } 4774 4775 return E->getType()->isEnumeralType(); 4776 } 4777 4778 static void CheckTrivialUnsignedComparison(Sema &S, BinaryOperator *E) { 4779 BinaryOperatorKind op = E->getOpcode(); 4780 if (E->isValueDependent()) 4781 return; 4782 4783 if (op == BO_LT && IsZero(S, E->getRHS())) { 4784 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 4785 << "< 0" << "false" << HasEnumType(E->getLHS()) 4786 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 4787 } else if (op == BO_GE && IsZero(S, E->getRHS())) { 4788 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 4789 << ">= 0" << "true" << HasEnumType(E->getLHS()) 4790 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 4791 } else if (op == BO_GT && IsZero(S, E->getLHS())) { 4792 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 4793 << "0 >" << "false" << HasEnumType(E->getRHS()) 4794 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 4795 } else if (op == BO_LE && IsZero(S, E->getLHS())) { 4796 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 4797 << "0 <=" << "true" << HasEnumType(E->getRHS()) 4798 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 4799 } 4800 } 4801 4802 static void DiagnoseOutOfRangeComparison(Sema &S, BinaryOperator *E, 4803 Expr *Constant, Expr *Other, 4804 llvm::APSInt Value, 4805 bool RhsConstant) { 4806 // 0 values are handled later by CheckTrivialUnsignedComparison(). 4807 if (Value == 0) 4808 return; 4809 4810 BinaryOperatorKind op = E->getOpcode(); 4811 QualType OtherT = Other->getType(); 4812 QualType ConstantT = Constant->getType(); 4813 QualType CommonT = E->getLHS()->getType(); 4814 if (S.Context.hasSameUnqualifiedType(OtherT, ConstantT)) 4815 return; 4816 assert((OtherT->isIntegerType() && ConstantT->isIntegerType()) 4817 && "comparison with non-integer type"); 4818 4819 bool ConstantSigned = ConstantT->isSignedIntegerType(); 4820 bool CommonSigned = CommonT->isSignedIntegerType(); 4821 4822 bool EqualityOnly = false; 4823 4824 // TODO: Investigate using GetExprRange() to get tighter bounds on 4825 // on the bit ranges. 4826 IntRange OtherRange = IntRange::forValueOfType(S.Context, OtherT); 4827 unsigned OtherWidth = OtherRange.Width; 4828 4829 if (CommonSigned) { 4830 // The common type is signed, therefore no signed to unsigned conversion. 4831 if (!OtherRange.NonNegative) { 4832 // Check that the constant is representable in type OtherT. 4833 if (ConstantSigned) { 4834 if (OtherWidth >= Value.getMinSignedBits()) 4835 return; 4836 } else { // !ConstantSigned 4837 if (OtherWidth >= Value.getActiveBits() + 1) 4838 return; 4839 } 4840 } else { // !OtherSigned 4841 // Check that the constant is representable in type OtherT. 4842 // Negative values are out of range. 4843 if (ConstantSigned) { 4844 if (Value.isNonNegative() && OtherWidth >= Value.getActiveBits()) 4845 return; 4846 } else { // !ConstantSigned 4847 if (OtherWidth >= Value.getActiveBits()) 4848 return; 4849 } 4850 } 4851 } else { // !CommonSigned 4852 if (OtherRange.NonNegative) { 4853 if (OtherWidth >= Value.getActiveBits()) 4854 return; 4855 } else if (!OtherRange.NonNegative && !ConstantSigned) { 4856 // Check to see if the constant is representable in OtherT. 4857 if (OtherWidth > Value.getActiveBits()) 4858 return; 4859 // Check to see if the constant is equivalent to a negative value 4860 // cast to CommonT. 4861 if (S.Context.getIntWidth(ConstantT) == S.Context.getIntWidth(CommonT) && 4862 Value.isNegative() && Value.getMinSignedBits() <= OtherWidth) 4863 return; 4864 // The constant value rests between values that OtherT can represent after 4865 // conversion. Relational comparison still works, but equality 4866 // comparisons will be tautological. 4867 EqualityOnly = true; 4868 } else { // OtherSigned && ConstantSigned 4869 assert(0 && "Two signed types converted to unsigned types."); 4870 } 4871 } 4872 4873 bool PositiveConstant = !ConstantSigned || Value.isNonNegative(); 4874 4875 bool IsTrue = true; 4876 if (op == BO_EQ || op == BO_NE) { 4877 IsTrue = op == BO_NE; 4878 } else if (EqualityOnly) { 4879 return; 4880 } else if (RhsConstant) { 4881 if (op == BO_GT || op == BO_GE) 4882 IsTrue = !PositiveConstant; 4883 else // op == BO_LT || op == BO_LE 4884 IsTrue = PositiveConstant; 4885 } else { 4886 if (op == BO_LT || op == BO_LE) 4887 IsTrue = !PositiveConstant; 4888 else // op == BO_GT || op == BO_GE 4889 IsTrue = PositiveConstant; 4890 } 4891 4892 // If this is a comparison to an enum constant, include that 4893 // constant in the diagnostic. 4894 const EnumConstantDecl *ED = 0; 4895 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Constant)) 4896 ED = dyn_cast<EnumConstantDecl>(DR->getDecl()); 4897 4898 SmallString<64> PrettySourceValue; 4899 llvm::raw_svector_ostream OS(PrettySourceValue); 4900 if (ED) 4901 OS << '\'' << *ED << "' (" << Value << ")"; 4902 else 4903 OS << Value; 4904 4905 S.Diag(E->getOperatorLoc(), diag::warn_out_of_range_compare) 4906 << OS.str() << OtherT << IsTrue 4907 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 4908 } 4909 4910 /// Analyze the operands of the given comparison. Implements the 4911 /// fallback case from AnalyzeComparison. 4912 static void AnalyzeImpConvsInComparison(Sema &S, BinaryOperator *E) { 4913 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc()); 4914 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc()); 4915 } 4916 4917 /// \brief Implements -Wsign-compare. 4918 /// 4919 /// \param E the binary operator to check for warnings 4920 static void AnalyzeComparison(Sema &S, BinaryOperator *E) { 4921 // The type the comparison is being performed in. 4922 QualType T = E->getLHS()->getType(); 4923 assert(S.Context.hasSameUnqualifiedType(T, E->getRHS()->getType()) 4924 && "comparison with mismatched types"); 4925 if (E->isValueDependent()) 4926 return AnalyzeImpConvsInComparison(S, E); 4927 4928 Expr *LHS = E->getLHS()->IgnoreParenImpCasts(); 4929 Expr *RHS = E->getRHS()->IgnoreParenImpCasts(); 4930 4931 bool IsComparisonConstant = false; 4932 4933 // Check whether an integer constant comparison results in a value 4934 // of 'true' or 'false'. 4935 if (T->isIntegralType(S.Context)) { 4936 llvm::APSInt RHSValue; 4937 bool IsRHSIntegralLiteral = 4938 RHS->isIntegerConstantExpr(RHSValue, S.Context); 4939 llvm::APSInt LHSValue; 4940 bool IsLHSIntegralLiteral = 4941 LHS->isIntegerConstantExpr(LHSValue, S.Context); 4942 if (IsRHSIntegralLiteral && !IsLHSIntegralLiteral) 4943 DiagnoseOutOfRangeComparison(S, E, RHS, LHS, RHSValue, true); 4944 else if (!IsRHSIntegralLiteral && IsLHSIntegralLiteral) 4945 DiagnoseOutOfRangeComparison(S, E, LHS, RHS, LHSValue, false); 4946 else 4947 IsComparisonConstant = 4948 (IsRHSIntegralLiteral && IsLHSIntegralLiteral); 4949 } else if (!T->hasUnsignedIntegerRepresentation()) 4950 IsComparisonConstant = E->isIntegerConstantExpr(S.Context); 4951 4952 // We don't do anything special if this isn't an unsigned integral 4953 // comparison: we're only interested in integral comparisons, and 4954 // signed comparisons only happen in cases we don't care to warn about. 4955 // 4956 // We also don't care about value-dependent expressions or expressions 4957 // whose result is a constant. 4958 if (!T->hasUnsignedIntegerRepresentation() || IsComparisonConstant) 4959 return AnalyzeImpConvsInComparison(S, E); 4960 4961 // Check to see if one of the (unmodified) operands is of different 4962 // signedness. 4963 Expr *signedOperand, *unsignedOperand; 4964 if (LHS->getType()->hasSignedIntegerRepresentation()) { 4965 assert(!RHS->getType()->hasSignedIntegerRepresentation() && 4966 "unsigned comparison between two signed integer expressions?"); 4967 signedOperand = LHS; 4968 unsignedOperand = RHS; 4969 } else if (RHS->getType()->hasSignedIntegerRepresentation()) { 4970 signedOperand = RHS; 4971 unsignedOperand = LHS; 4972 } else { 4973 CheckTrivialUnsignedComparison(S, E); 4974 return AnalyzeImpConvsInComparison(S, E); 4975 } 4976 4977 // Otherwise, calculate the effective range of the signed operand. 4978 IntRange signedRange = GetExprRange(S.Context, signedOperand); 4979 4980 // Go ahead and analyze implicit conversions in the operands. Note 4981 // that we skip the implicit conversions on both sides. 4982 AnalyzeImplicitConversions(S, LHS, E->getOperatorLoc()); 4983 AnalyzeImplicitConversions(S, RHS, E->getOperatorLoc()); 4984 4985 // If the signed range is non-negative, -Wsign-compare won't fire, 4986 // but we should still check for comparisons which are always true 4987 // or false. 4988 if (signedRange.NonNegative) 4989 return CheckTrivialUnsignedComparison(S, E); 4990 4991 // For (in)equality comparisons, if the unsigned operand is a 4992 // constant which cannot collide with a overflowed signed operand, 4993 // then reinterpreting the signed operand as unsigned will not 4994 // change the result of the comparison. 4995 if (E->isEqualityOp()) { 4996 unsigned comparisonWidth = S.Context.getIntWidth(T); 4997 IntRange unsignedRange = GetExprRange(S.Context, unsignedOperand); 4998 4999 // We should never be unable to prove that the unsigned operand is 5000 // non-negative. 5001 assert(unsignedRange.NonNegative && "unsigned range includes negative?"); 5002 5003 if (unsignedRange.Width < comparisonWidth) 5004 return; 5005 } 5006 5007 S.DiagRuntimeBehavior(E->getOperatorLoc(), E, 5008 S.PDiag(diag::warn_mixed_sign_comparison) 5009 << LHS->getType() << RHS->getType() 5010 << LHS->getSourceRange() << RHS->getSourceRange()); 5011 } 5012 5013 /// Analyzes an attempt to assign the given value to a bitfield. 5014 /// 5015 /// Returns true if there was something fishy about the attempt. 5016 static bool AnalyzeBitFieldAssignment(Sema &S, FieldDecl *Bitfield, Expr *Init, 5017 SourceLocation InitLoc) { 5018 assert(Bitfield->isBitField()); 5019 if (Bitfield->isInvalidDecl()) 5020 return false; 5021 5022 // White-list bool bitfields. 5023 if (Bitfield->getType()->isBooleanType()) 5024 return false; 5025 5026 // Ignore value- or type-dependent expressions. 5027 if (Bitfield->getBitWidth()->isValueDependent() || 5028 Bitfield->getBitWidth()->isTypeDependent() || 5029 Init->isValueDependent() || 5030 Init->isTypeDependent()) 5031 return false; 5032 5033 Expr *OriginalInit = Init->IgnoreParenImpCasts(); 5034 5035 llvm::APSInt Value; 5036 if (!OriginalInit->EvaluateAsInt(Value, S.Context, Expr::SE_AllowSideEffects)) 5037 return false; 5038 5039 unsigned OriginalWidth = Value.getBitWidth(); 5040 unsigned FieldWidth = Bitfield->getBitWidthValue(S.Context); 5041 5042 if (OriginalWidth <= FieldWidth) 5043 return false; 5044 5045 // Compute the value which the bitfield will contain. 5046 llvm::APSInt TruncatedValue = Value.trunc(FieldWidth); 5047 TruncatedValue.setIsSigned(Bitfield->getType()->isSignedIntegerType()); 5048 5049 // Check whether the stored value is equal to the original value. 5050 TruncatedValue = TruncatedValue.extend(OriginalWidth); 5051 if (llvm::APSInt::isSameValue(Value, TruncatedValue)) 5052 return false; 5053 5054 // Special-case bitfields of width 1: booleans are naturally 0/1, and 5055 // therefore don't strictly fit into a signed bitfield of width 1. 5056 if (FieldWidth == 1 && Value == 1) 5057 return false; 5058 5059 std::string PrettyValue = Value.toString(10); 5060 std::string PrettyTrunc = TruncatedValue.toString(10); 5061 5062 S.Diag(InitLoc, diag::warn_impcast_bitfield_precision_constant) 5063 << PrettyValue << PrettyTrunc << OriginalInit->getType() 5064 << Init->getSourceRange(); 5065 5066 return true; 5067 } 5068 5069 /// Analyze the given simple or compound assignment for warning-worthy 5070 /// operations. 5071 static void AnalyzeAssignment(Sema &S, BinaryOperator *E) { 5072 // Just recurse on the LHS. 5073 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc()); 5074 5075 // We want to recurse on the RHS as normal unless we're assigning to 5076 // a bitfield. 5077 if (FieldDecl *Bitfield = E->getLHS()->getSourceBitField()) { 5078 if (AnalyzeBitFieldAssignment(S, Bitfield, E->getRHS(), 5079 E->getOperatorLoc())) { 5080 // Recurse, ignoring any implicit conversions on the RHS. 5081 return AnalyzeImplicitConversions(S, E->getRHS()->IgnoreParenImpCasts(), 5082 E->getOperatorLoc()); 5083 } 5084 } 5085 5086 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc()); 5087 } 5088 5089 /// Diagnose an implicit cast; purely a helper for CheckImplicitConversion. 5090 static void DiagnoseImpCast(Sema &S, Expr *E, QualType SourceType, QualType T, 5091 SourceLocation CContext, unsigned diag, 5092 bool pruneControlFlow = false) { 5093 if (pruneControlFlow) { 5094 S.DiagRuntimeBehavior(E->getExprLoc(), E, 5095 S.PDiag(diag) 5096 << SourceType << T << E->getSourceRange() 5097 << SourceRange(CContext)); 5098 return; 5099 } 5100 S.Diag(E->getExprLoc(), diag) 5101 << SourceType << T << E->getSourceRange() << SourceRange(CContext); 5102 } 5103 5104 /// Diagnose an implicit cast; purely a helper for CheckImplicitConversion. 5105 static void DiagnoseImpCast(Sema &S, Expr *E, QualType T, 5106 SourceLocation CContext, unsigned diag, 5107 bool pruneControlFlow = false) { 5108 DiagnoseImpCast(S, E, E->getType(), T, CContext, diag, pruneControlFlow); 5109 } 5110 5111 /// Diagnose an implicit cast from a literal expression. Does not warn when the 5112 /// cast wouldn't lose information. 5113 void DiagnoseFloatingLiteralImpCast(Sema &S, FloatingLiteral *FL, QualType T, 5114 SourceLocation CContext) { 5115 // Try to convert the literal exactly to an integer. If we can, don't warn. 5116 bool isExact = false; 5117 const llvm::APFloat &Value = FL->getValue(); 5118 llvm::APSInt IntegerValue(S.Context.getIntWidth(T), 5119 T->hasUnsignedIntegerRepresentation()); 5120 if (Value.convertToInteger(IntegerValue, 5121 llvm::APFloat::rmTowardZero, &isExact) 5122 == llvm::APFloat::opOK && isExact) 5123 return; 5124 5125 // FIXME: Force the precision of the source value down so we don't print 5126 // digits which are usually useless (we don't really care here if we 5127 // truncate a digit by accident in edge cases). Ideally, APFloat::toString 5128 // would automatically print the shortest representation, but it's a bit 5129 // tricky to implement. 5130 SmallString<16> PrettySourceValue; 5131 unsigned precision = llvm::APFloat::semanticsPrecision(Value.getSemantics()); 5132 precision = (precision * 59 + 195) / 196; 5133 Value.toString(PrettySourceValue, precision); 5134 5135 SmallString<16> PrettyTargetValue; 5136 if (T->isSpecificBuiltinType(BuiltinType::Bool)) 5137 PrettyTargetValue = IntegerValue == 0 ? "false" : "true"; 5138 else 5139 IntegerValue.toString(PrettyTargetValue); 5140 5141 S.Diag(FL->getExprLoc(), diag::warn_impcast_literal_float_to_integer) 5142 << FL->getType() << T.getUnqualifiedType() << PrettySourceValue 5143 << PrettyTargetValue << FL->getSourceRange() << SourceRange(CContext); 5144 } 5145 5146 std::string PrettyPrintInRange(const llvm::APSInt &Value, IntRange Range) { 5147 if (!Range.Width) return "0"; 5148 5149 llvm::APSInt ValueInRange = Value; 5150 ValueInRange.setIsSigned(!Range.NonNegative); 5151 ValueInRange = ValueInRange.trunc(Range.Width); 5152 return ValueInRange.toString(10); 5153 } 5154 5155 static bool IsImplicitBoolFloatConversion(Sema &S, Expr *Ex, bool ToBool) { 5156 if (!isa<ImplicitCastExpr>(Ex)) 5157 return false; 5158 5159 Expr *InnerE = Ex->IgnoreParenImpCasts(); 5160 const Type *Target = S.Context.getCanonicalType(Ex->getType()).getTypePtr(); 5161 const Type *Source = 5162 S.Context.getCanonicalType(InnerE->getType()).getTypePtr(); 5163 if (Target->isDependentType()) 5164 return false; 5165 5166 const BuiltinType *FloatCandidateBT = 5167 dyn_cast<BuiltinType>(ToBool ? Source : Target); 5168 const Type *BoolCandidateType = ToBool ? Target : Source; 5169 5170 return (BoolCandidateType->isSpecificBuiltinType(BuiltinType::Bool) && 5171 FloatCandidateBT && (FloatCandidateBT->isFloatingPoint())); 5172 } 5173 5174 void CheckImplicitArgumentConversions(Sema &S, CallExpr *TheCall, 5175 SourceLocation CC) { 5176 unsigned NumArgs = TheCall->getNumArgs(); 5177 for (unsigned i = 0; i < NumArgs; ++i) { 5178 Expr *CurrA = TheCall->getArg(i); 5179 if (!IsImplicitBoolFloatConversion(S, CurrA, true)) 5180 continue; 5181 5182 bool IsSwapped = ((i > 0) && 5183 IsImplicitBoolFloatConversion(S, TheCall->getArg(i - 1), false)); 5184 IsSwapped |= ((i < (NumArgs - 1)) && 5185 IsImplicitBoolFloatConversion(S, TheCall->getArg(i + 1), false)); 5186 if (IsSwapped) { 5187 // Warn on this floating-point to bool conversion. 5188 DiagnoseImpCast(S, CurrA->IgnoreParenImpCasts(), 5189 CurrA->getType(), CC, 5190 diag::warn_impcast_floating_point_to_bool); 5191 } 5192 } 5193 } 5194 5195 void CheckImplicitConversion(Sema &S, Expr *E, QualType T, 5196 SourceLocation CC, bool *ICContext = 0) { 5197 if (E->isTypeDependent() || E->isValueDependent()) return; 5198 5199 const Type *Source = S.Context.getCanonicalType(E->getType()).getTypePtr(); 5200 const Type *Target = S.Context.getCanonicalType(T).getTypePtr(); 5201 if (Source == Target) return; 5202 if (Target->isDependentType()) return; 5203 5204 // If the conversion context location is invalid don't complain. We also 5205 // don't want to emit a warning if the issue occurs from the expansion of 5206 // a system macro. The problem is that 'getSpellingLoc()' is slow, so we 5207 // delay this check as long as possible. Once we detect we are in that 5208 // scenario, we just return. 5209 if (CC.isInvalid()) 5210 return; 5211 5212 // Diagnose implicit casts to bool. 5213 if (Target->isSpecificBuiltinType(BuiltinType::Bool)) { 5214 if (isa<StringLiteral>(E)) 5215 // Warn on string literal to bool. Checks for string literals in logical 5216 // expressions, for instances, assert(0 && "error here"), is prevented 5217 // by a check in AnalyzeImplicitConversions(). 5218 return DiagnoseImpCast(S, E, T, CC, 5219 diag::warn_impcast_string_literal_to_bool); 5220 if (Source->isFunctionType()) { 5221 // Warn on function to bool. Checks free functions and static member 5222 // functions. Weakly imported functions are excluded from the check, 5223 // since it's common to test their value to check whether the linker 5224 // found a definition for them. 5225 ValueDecl *D = 0; 5226 if (DeclRefExpr* R = dyn_cast<DeclRefExpr>(E)) { 5227 D = R->getDecl(); 5228 } else if (MemberExpr *M = dyn_cast<MemberExpr>(E)) { 5229 D = M->getMemberDecl(); 5230 } 5231 5232 if (D && !D->isWeak()) { 5233 if (FunctionDecl* F = dyn_cast<FunctionDecl>(D)) { 5234 S.Diag(E->getExprLoc(), diag::warn_impcast_function_to_bool) 5235 << F << E->getSourceRange() << SourceRange(CC); 5236 S.Diag(E->getExprLoc(), diag::note_function_to_bool_silence) 5237 << FixItHint::CreateInsertion(E->getExprLoc(), "&"); 5238 QualType ReturnType; 5239 UnresolvedSet<4> NonTemplateOverloads; 5240 S.tryExprAsCall(*E, ReturnType, NonTemplateOverloads); 5241 if (!ReturnType.isNull() 5242 && ReturnType->isSpecificBuiltinType(BuiltinType::Bool)) 5243 S.Diag(E->getExprLoc(), diag::note_function_to_bool_call) 5244 << FixItHint::CreateInsertion( 5245 S.getPreprocessor().getLocForEndOfToken(E->getLocEnd()), "()"); 5246 return; 5247 } 5248 } 5249 } 5250 } 5251 5252 // Strip vector types. 5253 if (isa<VectorType>(Source)) { 5254 if (!isa<VectorType>(Target)) { 5255 if (S.SourceMgr.isInSystemMacro(CC)) 5256 return; 5257 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_vector_scalar); 5258 } 5259 5260 // If the vector cast is cast between two vectors of the same size, it is 5261 // a bitcast, not a conversion. 5262 if (S.Context.getTypeSize(Source) == S.Context.getTypeSize(Target)) 5263 return; 5264 5265 Source = cast<VectorType>(Source)->getElementType().getTypePtr(); 5266 Target = cast<VectorType>(Target)->getElementType().getTypePtr(); 5267 } 5268 5269 // Strip complex types. 5270 if (isa<ComplexType>(Source)) { 5271 if (!isa<ComplexType>(Target)) { 5272 if (S.SourceMgr.isInSystemMacro(CC)) 5273 return; 5274 5275 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_complex_scalar); 5276 } 5277 5278 Source = cast<ComplexType>(Source)->getElementType().getTypePtr(); 5279 Target = cast<ComplexType>(Target)->getElementType().getTypePtr(); 5280 } 5281 5282 const BuiltinType *SourceBT = dyn_cast<BuiltinType>(Source); 5283 const BuiltinType *TargetBT = dyn_cast<BuiltinType>(Target); 5284 5285 // If the source is floating point... 5286 if (SourceBT && SourceBT->isFloatingPoint()) { 5287 // ...and the target is floating point... 5288 if (TargetBT && TargetBT->isFloatingPoint()) { 5289 // ...then warn if we're dropping FP rank. 5290 5291 // Builtin FP kinds are ordered by increasing FP rank. 5292 if (SourceBT->getKind() > TargetBT->getKind()) { 5293 // Don't warn about float constants that are precisely 5294 // representable in the target type. 5295 Expr::EvalResult result; 5296 if (E->EvaluateAsRValue(result, S.Context)) { 5297 // Value might be a float, a float vector, or a float complex. 5298 if (IsSameFloatAfterCast(result.Val, 5299 S.Context.getFloatTypeSemantics(QualType(TargetBT, 0)), 5300 S.Context.getFloatTypeSemantics(QualType(SourceBT, 0)))) 5301 return; 5302 } 5303 5304 if (S.SourceMgr.isInSystemMacro(CC)) 5305 return; 5306 5307 DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_precision); 5308 } 5309 return; 5310 } 5311 5312 // If the target is integral, always warn. 5313 if (TargetBT && TargetBT->isInteger()) { 5314 if (S.SourceMgr.isInSystemMacro(CC)) 5315 return; 5316 5317 Expr *InnerE = E->IgnoreParenImpCasts(); 5318 // We also want to warn on, e.g., "int i = -1.234" 5319 if (UnaryOperator *UOp = dyn_cast<UnaryOperator>(InnerE)) 5320 if (UOp->getOpcode() == UO_Minus || UOp->getOpcode() == UO_Plus) 5321 InnerE = UOp->getSubExpr()->IgnoreParenImpCasts(); 5322 5323 if (FloatingLiteral *FL = dyn_cast<FloatingLiteral>(InnerE)) { 5324 DiagnoseFloatingLiteralImpCast(S, FL, T, CC); 5325 } else { 5326 DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_integer); 5327 } 5328 } 5329 5330 // If the target is bool, warn if expr is a function or method call. 5331 if (Target->isSpecificBuiltinType(BuiltinType::Bool) && 5332 isa<CallExpr>(E)) { 5333 // Check last argument of function call to see if it is an 5334 // implicit cast from a type matching the type the result 5335 // is being cast to. 5336 CallExpr *CEx = cast<CallExpr>(E); 5337 unsigned NumArgs = CEx->getNumArgs(); 5338 if (NumArgs > 0) { 5339 Expr *LastA = CEx->getArg(NumArgs - 1); 5340 Expr *InnerE = LastA->IgnoreParenImpCasts(); 5341 const Type *InnerType = 5342 S.Context.getCanonicalType(InnerE->getType()).getTypePtr(); 5343 if (isa<ImplicitCastExpr>(LastA) && (InnerType == Target)) { 5344 // Warn on this floating-point to bool conversion 5345 DiagnoseImpCast(S, E, T, CC, 5346 diag::warn_impcast_floating_point_to_bool); 5347 } 5348 } 5349 } 5350 return; 5351 } 5352 5353 if ((E->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNotNull) 5354 == Expr::NPCK_GNUNull) && !Target->isAnyPointerType() 5355 && !Target->isBlockPointerType() && !Target->isMemberPointerType() 5356 && Target->isScalarType() && !Target->isNullPtrType()) { 5357 SourceLocation Loc = E->getSourceRange().getBegin(); 5358 if (Loc.isMacroID()) 5359 Loc = S.SourceMgr.getImmediateExpansionRange(Loc).first; 5360 if (!Loc.isMacroID() || CC.isMacroID()) 5361 S.Diag(Loc, diag::warn_impcast_null_pointer_to_integer) 5362 << T << clang::SourceRange(CC) 5363 << FixItHint::CreateReplacement(Loc, 5364 S.getFixItZeroLiteralForType(T, Loc)); 5365 } 5366 5367 if (!Source->isIntegerType() || !Target->isIntegerType()) 5368 return; 5369 5370 // TODO: remove this early return once the false positives for constant->bool 5371 // in templates, macros, etc, are reduced or removed. 5372 if (Target->isSpecificBuiltinType(BuiltinType::Bool)) 5373 return; 5374 5375 IntRange SourceRange = GetExprRange(S.Context, E); 5376 IntRange TargetRange = IntRange::forTargetOfCanonicalType(S.Context, Target); 5377 5378 if (SourceRange.Width > TargetRange.Width) { 5379 // If the source is a constant, use a default-on diagnostic. 5380 // TODO: this should happen for bitfield stores, too. 5381 llvm::APSInt Value(32); 5382 if (E->isIntegerConstantExpr(Value, S.Context)) { 5383 if (S.SourceMgr.isInSystemMacro(CC)) 5384 return; 5385 5386 std::string PrettySourceValue = Value.toString(10); 5387 std::string PrettyTargetValue = PrettyPrintInRange(Value, TargetRange); 5388 5389 S.DiagRuntimeBehavior(E->getExprLoc(), E, 5390 S.PDiag(diag::warn_impcast_integer_precision_constant) 5391 << PrettySourceValue << PrettyTargetValue 5392 << E->getType() << T << E->getSourceRange() 5393 << clang::SourceRange(CC)); 5394 return; 5395 } 5396 5397 // People want to build with -Wshorten-64-to-32 and not -Wconversion. 5398 if (S.SourceMgr.isInSystemMacro(CC)) 5399 return; 5400 5401 if (TargetRange.Width == 32 && S.Context.getIntWidth(E->getType()) == 64) 5402 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_64_32, 5403 /* pruneControlFlow */ true); 5404 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_precision); 5405 } 5406 5407 if ((TargetRange.NonNegative && !SourceRange.NonNegative) || 5408 (!TargetRange.NonNegative && SourceRange.NonNegative && 5409 SourceRange.Width == TargetRange.Width)) { 5410 5411 if (S.SourceMgr.isInSystemMacro(CC)) 5412 return; 5413 5414 unsigned DiagID = diag::warn_impcast_integer_sign; 5415 5416 // Traditionally, gcc has warned about this under -Wsign-compare. 5417 // We also want to warn about it in -Wconversion. 5418 // So if -Wconversion is off, use a completely identical diagnostic 5419 // in the sign-compare group. 5420 // The conditional-checking code will 5421 if (ICContext) { 5422 DiagID = diag::warn_impcast_integer_sign_conditional; 5423 *ICContext = true; 5424 } 5425 5426 return DiagnoseImpCast(S, E, T, CC, DiagID); 5427 } 5428 5429 // Diagnose conversions between different enumeration types. 5430 // In C, we pretend that the type of an EnumConstantDecl is its enumeration 5431 // type, to give us better diagnostics. 5432 QualType SourceType = E->getType(); 5433 if (!S.getLangOpts().CPlusPlus) { 5434 if (DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) 5435 if (EnumConstantDecl *ECD = dyn_cast<EnumConstantDecl>(DRE->getDecl())) { 5436 EnumDecl *Enum = cast<EnumDecl>(ECD->getDeclContext()); 5437 SourceType = S.Context.getTypeDeclType(Enum); 5438 Source = S.Context.getCanonicalType(SourceType).getTypePtr(); 5439 } 5440 } 5441 5442 if (const EnumType *SourceEnum = Source->getAs<EnumType>()) 5443 if (const EnumType *TargetEnum = Target->getAs<EnumType>()) 5444 if (SourceEnum->getDecl()->hasNameForLinkage() && 5445 TargetEnum->getDecl()->hasNameForLinkage() && 5446 SourceEnum != TargetEnum) { 5447 if (S.SourceMgr.isInSystemMacro(CC)) 5448 return; 5449 5450 return DiagnoseImpCast(S, E, SourceType, T, CC, 5451 diag::warn_impcast_different_enum_types); 5452 } 5453 5454 return; 5455 } 5456 5457 void CheckConditionalOperator(Sema &S, ConditionalOperator *E, 5458 SourceLocation CC, QualType T); 5459 5460 void CheckConditionalOperand(Sema &S, Expr *E, QualType T, 5461 SourceLocation CC, bool &ICContext) { 5462 E = E->IgnoreParenImpCasts(); 5463 5464 if (isa<ConditionalOperator>(E)) 5465 return CheckConditionalOperator(S, cast<ConditionalOperator>(E), CC, T); 5466 5467 AnalyzeImplicitConversions(S, E, CC); 5468 if (E->getType() != T) 5469 return CheckImplicitConversion(S, E, T, CC, &ICContext); 5470 return; 5471 } 5472 5473 void CheckConditionalOperator(Sema &S, ConditionalOperator *E, 5474 SourceLocation CC, QualType T) { 5475 AnalyzeImplicitConversions(S, E->getCond(), CC); 5476 5477 bool Suspicious = false; 5478 CheckConditionalOperand(S, E->getTrueExpr(), T, CC, Suspicious); 5479 CheckConditionalOperand(S, E->getFalseExpr(), T, CC, Suspicious); 5480 5481 // If -Wconversion would have warned about either of the candidates 5482 // for a signedness conversion to the context type... 5483 if (!Suspicious) return; 5484 5485 // ...but it's currently ignored... 5486 if (S.Diags.getDiagnosticLevel(diag::warn_impcast_integer_sign_conditional, 5487 CC)) 5488 return; 5489 5490 // ...then check whether it would have warned about either of the 5491 // candidates for a signedness conversion to the condition type. 5492 if (E->getType() == T) return; 5493 5494 Suspicious = false; 5495 CheckImplicitConversion(S, E->getTrueExpr()->IgnoreParenImpCasts(), 5496 E->getType(), CC, &Suspicious); 5497 if (!Suspicious) 5498 CheckImplicitConversion(S, E->getFalseExpr()->IgnoreParenImpCasts(), 5499 E->getType(), CC, &Suspicious); 5500 } 5501 5502 /// AnalyzeImplicitConversions - Find and report any interesting 5503 /// implicit conversions in the given expression. There are a couple 5504 /// of competing diagnostics here, -Wconversion and -Wsign-compare. 5505 void AnalyzeImplicitConversions(Sema &S, Expr *OrigE, SourceLocation CC) { 5506 QualType T = OrigE->getType(); 5507 Expr *E = OrigE->IgnoreParenImpCasts(); 5508 5509 if (E->isTypeDependent() || E->isValueDependent()) 5510 return; 5511 5512 // For conditional operators, we analyze the arguments as if they 5513 // were being fed directly into the output. 5514 if (isa<ConditionalOperator>(E)) { 5515 ConditionalOperator *CO = cast<ConditionalOperator>(E); 5516 CheckConditionalOperator(S, CO, CC, T); 5517 return; 5518 } 5519 5520 // Check implicit argument conversions for function calls. 5521 if (CallExpr *Call = dyn_cast<CallExpr>(E)) 5522 CheckImplicitArgumentConversions(S, Call, CC); 5523 5524 // Go ahead and check any implicit conversions we might have skipped. 5525 // The non-canonical typecheck is just an optimization; 5526 // CheckImplicitConversion will filter out dead implicit conversions. 5527 if (E->getType() != T) 5528 CheckImplicitConversion(S, E, T, CC); 5529 5530 // Now continue drilling into this expression. 5531 5532 if (PseudoObjectExpr * POE = dyn_cast<PseudoObjectExpr>(E)) { 5533 if (POE->getResultExpr()) 5534 E = POE->getResultExpr(); 5535 } 5536 5537 if (const OpaqueValueExpr *OVE = dyn_cast<OpaqueValueExpr>(E)) 5538 return AnalyzeImplicitConversions(S, OVE->getSourceExpr(), CC); 5539 5540 // Skip past explicit casts. 5541 if (isa<ExplicitCastExpr>(E)) { 5542 E = cast<ExplicitCastExpr>(E)->getSubExpr()->IgnoreParenImpCasts(); 5543 return AnalyzeImplicitConversions(S, E, CC); 5544 } 5545 5546 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 5547 // Do a somewhat different check with comparison operators. 5548 if (BO->isComparisonOp()) 5549 return AnalyzeComparison(S, BO); 5550 5551 // And with simple assignments. 5552 if (BO->getOpcode() == BO_Assign) 5553 return AnalyzeAssignment(S, BO); 5554 } 5555 5556 // These break the otherwise-useful invariant below. Fortunately, 5557 // we don't really need to recurse into them, because any internal 5558 // expressions should have been analyzed already when they were 5559 // built into statements. 5560 if (isa<StmtExpr>(E)) return; 5561 5562 // Don't descend into unevaluated contexts. 5563 if (isa<UnaryExprOrTypeTraitExpr>(E)) return; 5564 5565 // Now just recurse over the expression's children. 5566 CC = E->getExprLoc(); 5567 BinaryOperator *BO = dyn_cast<BinaryOperator>(E); 5568 bool IsLogicalOperator = BO && BO->isLogicalOp(); 5569 for (Stmt::child_range I = E->children(); I; ++I) { 5570 Expr *ChildExpr = dyn_cast_or_null<Expr>(*I); 5571 if (!ChildExpr) 5572 continue; 5573 5574 if (IsLogicalOperator && 5575 isa<StringLiteral>(ChildExpr->IgnoreParenImpCasts())) 5576 // Ignore checking string literals that are in logical operators. 5577 continue; 5578 AnalyzeImplicitConversions(S, ChildExpr, CC); 5579 } 5580 } 5581 5582 } // end anonymous namespace 5583 5584 /// Diagnoses "dangerous" implicit conversions within the given 5585 /// expression (which is a full expression). Implements -Wconversion 5586 /// and -Wsign-compare. 5587 /// 5588 /// \param CC the "context" location of the implicit conversion, i.e. 5589 /// the most location of the syntactic entity requiring the implicit 5590 /// conversion 5591 void Sema::CheckImplicitConversions(Expr *E, SourceLocation CC) { 5592 // Don't diagnose in unevaluated contexts. 5593 if (isUnevaluatedContext()) 5594 return; 5595 5596 // Don't diagnose for value- or type-dependent expressions. 5597 if (E->isTypeDependent() || E->isValueDependent()) 5598 return; 5599 5600 // Check for array bounds violations in cases where the check isn't triggered 5601 // elsewhere for other Expr types (like BinaryOperators), e.g. when an 5602 // ArraySubscriptExpr is on the RHS of a variable initialization. 5603 CheckArrayAccess(E); 5604 5605 // This is not the right CC for (e.g.) a variable initialization. 5606 AnalyzeImplicitConversions(*this, E, CC); 5607 } 5608 5609 /// Diagnose when expression is an integer constant expression and its evaluation 5610 /// results in integer overflow 5611 void Sema::CheckForIntOverflow (Expr *E) { 5612 if (isa<BinaryOperator>(E->IgnoreParens())) { 5613 SmallVector<PartialDiagnosticAt, 4> Diags; 5614 E->EvaluateForOverflow(Context, &Diags); 5615 } 5616 } 5617 5618 namespace { 5619 /// \brief Visitor for expressions which looks for unsequenced operations on the 5620 /// same object. 5621 class SequenceChecker : public EvaluatedExprVisitor<SequenceChecker> { 5622 typedef EvaluatedExprVisitor<SequenceChecker> Base; 5623 5624 /// \brief A tree of sequenced regions within an expression. Two regions are 5625 /// unsequenced if one is an ancestor or a descendent of the other. When we 5626 /// finish processing an expression with sequencing, such as a comma 5627 /// expression, we fold its tree nodes into its parent, since they are 5628 /// unsequenced with respect to nodes we will visit later. 5629 class SequenceTree { 5630 struct Value { 5631 explicit Value(unsigned Parent) : Parent(Parent), Merged(false) {} 5632 unsigned Parent : 31; 5633 bool Merged : 1; 5634 }; 5635 SmallVector<Value, 8> Values; 5636 5637 public: 5638 /// \brief A region within an expression which may be sequenced with respect 5639 /// to some other region. 5640 class Seq { 5641 explicit Seq(unsigned N) : Index(N) {} 5642 unsigned Index; 5643 friend class SequenceTree; 5644 public: 5645 Seq() : Index(0) {} 5646 }; 5647 5648 SequenceTree() { Values.push_back(Value(0)); } 5649 Seq root() const { return Seq(0); } 5650 5651 /// \brief Create a new sequence of operations, which is an unsequenced 5652 /// subset of \p Parent. This sequence of operations is sequenced with 5653 /// respect to other children of \p Parent. 5654 Seq allocate(Seq Parent) { 5655 Values.push_back(Value(Parent.Index)); 5656 return Seq(Values.size() - 1); 5657 } 5658 5659 /// \brief Merge a sequence of operations into its parent. 5660 void merge(Seq S) { 5661 Values[S.Index].Merged = true; 5662 } 5663 5664 /// \brief Determine whether two operations are unsequenced. This operation 5665 /// is asymmetric: \p Cur should be the more recent sequence, and \p Old 5666 /// should have been merged into its parent as appropriate. 5667 bool isUnsequenced(Seq Cur, Seq Old) { 5668 unsigned C = representative(Cur.Index); 5669 unsigned Target = representative(Old.Index); 5670 while (C >= Target) { 5671 if (C == Target) 5672 return true; 5673 C = Values[C].Parent; 5674 } 5675 return false; 5676 } 5677 5678 private: 5679 /// \brief Pick a representative for a sequence. 5680 unsigned representative(unsigned K) { 5681 if (Values[K].Merged) 5682 // Perform path compression as we go. 5683 return Values[K].Parent = representative(Values[K].Parent); 5684 return K; 5685 } 5686 }; 5687 5688 /// An object for which we can track unsequenced uses. 5689 typedef NamedDecl *Object; 5690 5691 /// Different flavors of object usage which we track. We only track the 5692 /// least-sequenced usage of each kind. 5693 enum UsageKind { 5694 /// A read of an object. Multiple unsequenced reads are OK. 5695 UK_Use, 5696 /// A modification of an object which is sequenced before the value 5697 /// computation of the expression, such as ++n in C++. 5698 UK_ModAsValue, 5699 /// A modification of an object which is not sequenced before the value 5700 /// computation of the expression, such as n++. 5701 UK_ModAsSideEffect, 5702 5703 UK_Count = UK_ModAsSideEffect + 1 5704 }; 5705 5706 struct Usage { 5707 Usage() : Use(0), Seq() {} 5708 Expr *Use; 5709 SequenceTree::Seq Seq; 5710 }; 5711 5712 struct UsageInfo { 5713 UsageInfo() : Diagnosed(false) {} 5714 Usage Uses[UK_Count]; 5715 /// Have we issued a diagnostic for this variable already? 5716 bool Diagnosed; 5717 }; 5718 typedef llvm::SmallDenseMap<Object, UsageInfo, 16> UsageInfoMap; 5719 5720 Sema &SemaRef; 5721 /// Sequenced regions within the expression. 5722 SequenceTree Tree; 5723 /// Declaration modifications and references which we have seen. 5724 UsageInfoMap UsageMap; 5725 /// The region we are currently within. 5726 SequenceTree::Seq Region; 5727 /// Filled in with declarations which were modified as a side-effect 5728 /// (that is, post-increment operations). 5729 SmallVectorImpl<std::pair<Object, Usage> > *ModAsSideEffect; 5730 /// Expressions to check later. We defer checking these to reduce 5731 /// stack usage. 5732 SmallVectorImpl<Expr *> &WorkList; 5733 5734 /// RAII object wrapping the visitation of a sequenced subexpression of an 5735 /// expression. At the end of this process, the side-effects of the evaluation 5736 /// become sequenced with respect to the value computation of the result, so 5737 /// we downgrade any UK_ModAsSideEffect within the evaluation to 5738 /// UK_ModAsValue. 5739 struct SequencedSubexpression { 5740 SequencedSubexpression(SequenceChecker &Self) 5741 : Self(Self), OldModAsSideEffect(Self.ModAsSideEffect) { 5742 Self.ModAsSideEffect = &ModAsSideEffect; 5743 } 5744 ~SequencedSubexpression() { 5745 for (unsigned I = 0, E = ModAsSideEffect.size(); I != E; ++I) { 5746 UsageInfo &U = Self.UsageMap[ModAsSideEffect[I].first]; 5747 U.Uses[UK_ModAsSideEffect] = ModAsSideEffect[I].second; 5748 Self.addUsage(U, ModAsSideEffect[I].first, 5749 ModAsSideEffect[I].second.Use, UK_ModAsValue); 5750 } 5751 Self.ModAsSideEffect = OldModAsSideEffect; 5752 } 5753 5754 SequenceChecker &Self; 5755 SmallVector<std::pair<Object, Usage>, 4> ModAsSideEffect; 5756 SmallVectorImpl<std::pair<Object, Usage> > *OldModAsSideEffect; 5757 }; 5758 5759 /// RAII object wrapping the visitation of a subexpression which we might 5760 /// choose to evaluate as a constant. If any subexpression is evaluated and 5761 /// found to be non-constant, this allows us to suppress the evaluation of 5762 /// the outer expression. 5763 class EvaluationTracker { 5764 public: 5765 EvaluationTracker(SequenceChecker &Self) 5766 : Self(Self), Prev(Self.EvalTracker), EvalOK(true) { 5767 Self.EvalTracker = this; 5768 } 5769 ~EvaluationTracker() { 5770 Self.EvalTracker = Prev; 5771 if (Prev) 5772 Prev->EvalOK &= EvalOK; 5773 } 5774 5775 bool evaluate(const Expr *E, bool &Result) { 5776 if (!EvalOK || E->isValueDependent()) 5777 return false; 5778 EvalOK = E->EvaluateAsBooleanCondition(Result, Self.SemaRef.Context); 5779 return EvalOK; 5780 } 5781 5782 private: 5783 SequenceChecker &Self; 5784 EvaluationTracker *Prev; 5785 bool EvalOK; 5786 } *EvalTracker; 5787 5788 /// \brief Find the object which is produced by the specified expression, 5789 /// if any. 5790 Object getObject(Expr *E, bool Mod) const { 5791 E = E->IgnoreParenCasts(); 5792 if (UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) { 5793 if (Mod && (UO->getOpcode() == UO_PreInc || UO->getOpcode() == UO_PreDec)) 5794 return getObject(UO->getSubExpr(), Mod); 5795 } else if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 5796 if (BO->getOpcode() == BO_Comma) 5797 return getObject(BO->getRHS(), Mod); 5798 if (Mod && BO->isAssignmentOp()) 5799 return getObject(BO->getLHS(), Mod); 5800 } else if (MemberExpr *ME = dyn_cast<MemberExpr>(E)) { 5801 // FIXME: Check for more interesting cases, like "x.n = ++x.n". 5802 if (isa<CXXThisExpr>(ME->getBase()->IgnoreParenCasts())) 5803 return ME->getMemberDecl(); 5804 } else if (DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) 5805 // FIXME: If this is a reference, map through to its value. 5806 return DRE->getDecl(); 5807 return 0; 5808 } 5809 5810 /// \brief Note that an object was modified or used by an expression. 5811 void addUsage(UsageInfo &UI, Object O, Expr *Ref, UsageKind UK) { 5812 Usage &U = UI.Uses[UK]; 5813 if (!U.Use || !Tree.isUnsequenced(Region, U.Seq)) { 5814 if (UK == UK_ModAsSideEffect && ModAsSideEffect) 5815 ModAsSideEffect->push_back(std::make_pair(O, U)); 5816 U.Use = Ref; 5817 U.Seq = Region; 5818 } 5819 } 5820 /// \brief Check whether a modification or use conflicts with a prior usage. 5821 void checkUsage(Object O, UsageInfo &UI, Expr *Ref, UsageKind OtherKind, 5822 bool IsModMod) { 5823 if (UI.Diagnosed) 5824 return; 5825 5826 const Usage &U = UI.Uses[OtherKind]; 5827 if (!U.Use || !Tree.isUnsequenced(Region, U.Seq)) 5828 return; 5829 5830 Expr *Mod = U.Use; 5831 Expr *ModOrUse = Ref; 5832 if (OtherKind == UK_Use) 5833 std::swap(Mod, ModOrUse); 5834 5835 SemaRef.Diag(Mod->getExprLoc(), 5836 IsModMod ? diag::warn_unsequenced_mod_mod 5837 : diag::warn_unsequenced_mod_use) 5838 << O << SourceRange(ModOrUse->getExprLoc()); 5839 UI.Diagnosed = true; 5840 } 5841 5842 void notePreUse(Object O, Expr *Use) { 5843 UsageInfo &U = UsageMap[O]; 5844 // Uses conflict with other modifications. 5845 checkUsage(O, U, Use, UK_ModAsValue, false); 5846 } 5847 void notePostUse(Object O, Expr *Use) { 5848 UsageInfo &U = UsageMap[O]; 5849 checkUsage(O, U, Use, UK_ModAsSideEffect, false); 5850 addUsage(U, O, Use, UK_Use); 5851 } 5852 5853 void notePreMod(Object O, Expr *Mod) { 5854 UsageInfo &U = UsageMap[O]; 5855 // Modifications conflict with other modifications and with uses. 5856 checkUsage(O, U, Mod, UK_ModAsValue, true); 5857 checkUsage(O, U, Mod, UK_Use, false); 5858 } 5859 void notePostMod(Object O, Expr *Use, UsageKind UK) { 5860 UsageInfo &U = UsageMap[O]; 5861 checkUsage(O, U, Use, UK_ModAsSideEffect, true); 5862 addUsage(U, O, Use, UK); 5863 } 5864 5865 public: 5866 SequenceChecker(Sema &S, Expr *E, SmallVectorImpl<Expr *> &WorkList) 5867 : Base(S.Context), SemaRef(S), Region(Tree.root()), ModAsSideEffect(0), 5868 WorkList(WorkList), EvalTracker(0) { 5869 Visit(E); 5870 } 5871 5872 void VisitStmt(Stmt *S) { 5873 // Skip all statements which aren't expressions for now. 5874 } 5875 5876 void VisitExpr(Expr *E) { 5877 // By default, just recurse to evaluated subexpressions. 5878 Base::VisitStmt(E); 5879 } 5880 5881 void VisitCastExpr(CastExpr *E) { 5882 Object O = Object(); 5883 if (E->getCastKind() == CK_LValueToRValue) 5884 O = getObject(E->getSubExpr(), false); 5885 5886 if (O) 5887 notePreUse(O, E); 5888 VisitExpr(E); 5889 if (O) 5890 notePostUse(O, E); 5891 } 5892 5893 void VisitBinComma(BinaryOperator *BO) { 5894 // C++11 [expr.comma]p1: 5895 // Every value computation and side effect associated with the left 5896 // expression is sequenced before every value computation and side 5897 // effect associated with the right expression. 5898 SequenceTree::Seq LHS = Tree.allocate(Region); 5899 SequenceTree::Seq RHS = Tree.allocate(Region); 5900 SequenceTree::Seq OldRegion = Region; 5901 5902 { 5903 SequencedSubexpression SeqLHS(*this); 5904 Region = LHS; 5905 Visit(BO->getLHS()); 5906 } 5907 5908 Region = RHS; 5909 Visit(BO->getRHS()); 5910 5911 Region = OldRegion; 5912 5913 // Forget that LHS and RHS are sequenced. They are both unsequenced 5914 // with respect to other stuff. 5915 Tree.merge(LHS); 5916 Tree.merge(RHS); 5917 } 5918 5919 void VisitBinAssign(BinaryOperator *BO) { 5920 // The modification is sequenced after the value computation of the LHS 5921 // and RHS, so check it before inspecting the operands and update the 5922 // map afterwards. 5923 Object O = getObject(BO->getLHS(), true); 5924 if (!O) 5925 return VisitExpr(BO); 5926 5927 notePreMod(O, BO); 5928 5929 // C++11 [expr.ass]p7: 5930 // E1 op= E2 is equivalent to E1 = E1 op E2, except that E1 is evaluated 5931 // only once. 5932 // 5933 // Therefore, for a compound assignment operator, O is considered used 5934 // everywhere except within the evaluation of E1 itself. 5935 if (isa<CompoundAssignOperator>(BO)) 5936 notePreUse(O, BO); 5937 5938 Visit(BO->getLHS()); 5939 5940 if (isa<CompoundAssignOperator>(BO)) 5941 notePostUse(O, BO); 5942 5943 Visit(BO->getRHS()); 5944 5945 // C++11 [expr.ass]p1: 5946 // the assignment is sequenced [...] before the value computation of the 5947 // assignment expression. 5948 // C11 6.5.16/3 has no such rule. 5949 notePostMod(O, BO, SemaRef.getLangOpts().CPlusPlus ? UK_ModAsValue 5950 : UK_ModAsSideEffect); 5951 } 5952 void VisitCompoundAssignOperator(CompoundAssignOperator *CAO) { 5953 VisitBinAssign(CAO); 5954 } 5955 5956 void VisitUnaryPreInc(UnaryOperator *UO) { VisitUnaryPreIncDec(UO); } 5957 void VisitUnaryPreDec(UnaryOperator *UO) { VisitUnaryPreIncDec(UO); } 5958 void VisitUnaryPreIncDec(UnaryOperator *UO) { 5959 Object O = getObject(UO->getSubExpr(), true); 5960 if (!O) 5961 return VisitExpr(UO); 5962 5963 notePreMod(O, UO); 5964 Visit(UO->getSubExpr()); 5965 // C++11 [expr.pre.incr]p1: 5966 // the expression ++x is equivalent to x+=1 5967 notePostMod(O, UO, SemaRef.getLangOpts().CPlusPlus ? UK_ModAsValue 5968 : UK_ModAsSideEffect); 5969 } 5970 5971 void VisitUnaryPostInc(UnaryOperator *UO) { VisitUnaryPostIncDec(UO); } 5972 void VisitUnaryPostDec(UnaryOperator *UO) { VisitUnaryPostIncDec(UO); } 5973 void VisitUnaryPostIncDec(UnaryOperator *UO) { 5974 Object O = getObject(UO->getSubExpr(), true); 5975 if (!O) 5976 return VisitExpr(UO); 5977 5978 notePreMod(O, UO); 5979 Visit(UO->getSubExpr()); 5980 notePostMod(O, UO, UK_ModAsSideEffect); 5981 } 5982 5983 /// Don't visit the RHS of '&&' or '||' if it might not be evaluated. 5984 void VisitBinLOr(BinaryOperator *BO) { 5985 // The side-effects of the LHS of an '&&' are sequenced before the 5986 // value computation of the RHS, and hence before the value computation 5987 // of the '&&' itself, unless the LHS evaluates to zero. We treat them 5988 // as if they were unconditionally sequenced. 5989 EvaluationTracker Eval(*this); 5990 { 5991 SequencedSubexpression Sequenced(*this); 5992 Visit(BO->getLHS()); 5993 } 5994 5995 bool Result; 5996 if (Eval.evaluate(BO->getLHS(), Result)) { 5997 if (!Result) 5998 Visit(BO->getRHS()); 5999 } else { 6000 // Check for unsequenced operations in the RHS, treating it as an 6001 // entirely separate evaluation. 6002 // 6003 // FIXME: If there are operations in the RHS which are unsequenced 6004 // with respect to operations outside the RHS, and those operations 6005 // are unconditionally evaluated, diagnose them. 6006 WorkList.push_back(BO->getRHS()); 6007 } 6008 } 6009 void VisitBinLAnd(BinaryOperator *BO) { 6010 EvaluationTracker Eval(*this); 6011 { 6012 SequencedSubexpression Sequenced(*this); 6013 Visit(BO->getLHS()); 6014 } 6015 6016 bool Result; 6017 if (Eval.evaluate(BO->getLHS(), Result)) { 6018 if (Result) 6019 Visit(BO->getRHS()); 6020 } else { 6021 WorkList.push_back(BO->getRHS()); 6022 } 6023 } 6024 6025 // Only visit the condition, unless we can be sure which subexpression will 6026 // be chosen. 6027 void VisitAbstractConditionalOperator(AbstractConditionalOperator *CO) { 6028 EvaluationTracker Eval(*this); 6029 { 6030 SequencedSubexpression Sequenced(*this); 6031 Visit(CO->getCond()); 6032 } 6033 6034 bool Result; 6035 if (Eval.evaluate(CO->getCond(), Result)) 6036 Visit(Result ? CO->getTrueExpr() : CO->getFalseExpr()); 6037 else { 6038 WorkList.push_back(CO->getTrueExpr()); 6039 WorkList.push_back(CO->getFalseExpr()); 6040 } 6041 } 6042 6043 void VisitCallExpr(CallExpr *CE) { 6044 // C++11 [intro.execution]p15: 6045 // When calling a function [...], every value computation and side effect 6046 // associated with any argument expression, or with the postfix expression 6047 // designating the called function, is sequenced before execution of every 6048 // expression or statement in the body of the function [and thus before 6049 // the value computation of its result]. 6050 SequencedSubexpression Sequenced(*this); 6051 Base::VisitCallExpr(CE); 6052 6053 // FIXME: CXXNewExpr and CXXDeleteExpr implicitly call functions. 6054 } 6055 6056 void VisitCXXConstructExpr(CXXConstructExpr *CCE) { 6057 // This is a call, so all subexpressions are sequenced before the result. 6058 SequencedSubexpression Sequenced(*this); 6059 6060 if (!CCE->isListInitialization()) 6061 return VisitExpr(CCE); 6062 6063 // In C++11, list initializations are sequenced. 6064 SmallVector<SequenceTree::Seq, 32> Elts; 6065 SequenceTree::Seq Parent = Region; 6066 for (CXXConstructExpr::arg_iterator I = CCE->arg_begin(), 6067 E = CCE->arg_end(); 6068 I != E; ++I) { 6069 Region = Tree.allocate(Parent); 6070 Elts.push_back(Region); 6071 Visit(*I); 6072 } 6073 6074 // Forget that the initializers are sequenced. 6075 Region = Parent; 6076 for (unsigned I = 0; I < Elts.size(); ++I) 6077 Tree.merge(Elts[I]); 6078 } 6079 6080 void VisitInitListExpr(InitListExpr *ILE) { 6081 if (!SemaRef.getLangOpts().CPlusPlus11) 6082 return VisitExpr(ILE); 6083 6084 // In C++11, list initializations are sequenced. 6085 SmallVector<SequenceTree::Seq, 32> Elts; 6086 SequenceTree::Seq Parent = Region; 6087 for (unsigned I = 0; I < ILE->getNumInits(); ++I) { 6088 Expr *E = ILE->getInit(I); 6089 if (!E) continue; 6090 Region = Tree.allocate(Parent); 6091 Elts.push_back(Region); 6092 Visit(E); 6093 } 6094 6095 // Forget that the initializers are sequenced. 6096 Region = Parent; 6097 for (unsigned I = 0; I < Elts.size(); ++I) 6098 Tree.merge(Elts[I]); 6099 } 6100 }; 6101 } 6102 6103 void Sema::CheckUnsequencedOperations(Expr *E) { 6104 SmallVector<Expr *, 8> WorkList; 6105 WorkList.push_back(E); 6106 while (!WorkList.empty()) { 6107 Expr *Item = WorkList.pop_back_val(); 6108 SequenceChecker(*this, Item, WorkList); 6109 } 6110 } 6111 6112 void Sema::CheckCompletedExpr(Expr *E, SourceLocation CheckLoc, 6113 bool IsConstexpr) { 6114 CheckImplicitConversions(E, CheckLoc); 6115 CheckUnsequencedOperations(E); 6116 if (!IsConstexpr && !E->isValueDependent()) 6117 CheckForIntOverflow(E); 6118 } 6119 6120 void Sema::CheckBitFieldInitialization(SourceLocation InitLoc, 6121 FieldDecl *BitField, 6122 Expr *Init) { 6123 (void) AnalyzeBitFieldAssignment(*this, BitField, Init, InitLoc); 6124 } 6125 6126 /// CheckParmsForFunctionDef - Check that the parameters of the given 6127 /// function are appropriate for the definition of a function. This 6128 /// takes care of any checks that cannot be performed on the 6129 /// declaration itself, e.g., that the types of each of the function 6130 /// parameters are complete. 6131 bool Sema::CheckParmsForFunctionDef(ParmVarDecl *const *P, 6132 ParmVarDecl *const *PEnd, 6133 bool CheckParameterNames) { 6134 bool HasInvalidParm = false; 6135 for (; P != PEnd; ++P) { 6136 ParmVarDecl *Param = *P; 6137 6138 // C99 6.7.5.3p4: the parameters in a parameter type list in a 6139 // function declarator that is part of a function definition of 6140 // that function shall not have incomplete type. 6141 // 6142 // This is also C++ [dcl.fct]p6. 6143 if (!Param->isInvalidDecl() && 6144 RequireCompleteType(Param->getLocation(), Param->getType(), 6145 diag::err_typecheck_decl_incomplete_type)) { 6146 Param->setInvalidDecl(); 6147 HasInvalidParm = true; 6148 } 6149 6150 // C99 6.9.1p5: If the declarator includes a parameter type list, the 6151 // declaration of each parameter shall include an identifier. 6152 if (CheckParameterNames && 6153 Param->getIdentifier() == 0 && 6154 !Param->isImplicit() && 6155 !getLangOpts().CPlusPlus) 6156 Diag(Param->getLocation(), diag::err_parameter_name_omitted); 6157 6158 // C99 6.7.5.3p12: 6159 // If the function declarator is not part of a definition of that 6160 // function, parameters may have incomplete type and may use the [*] 6161 // notation in their sequences of declarator specifiers to specify 6162 // variable length array types. 6163 QualType PType = Param->getOriginalType(); 6164 while (const ArrayType *AT = Context.getAsArrayType(PType)) { 6165 if (AT->getSizeModifier() == ArrayType::Star) { 6166 // FIXME: This diagnostic should point the '[*]' if source-location 6167 // information is added for it. 6168 Diag(Param->getLocation(), diag::err_array_star_in_function_definition); 6169 break; 6170 } 6171 PType= AT->getElementType(); 6172 } 6173 6174 // MSVC destroys objects passed by value in the callee. Therefore a 6175 // function definition which takes such a parameter must be able to call the 6176 // object's destructor. 6177 if (getLangOpts().CPlusPlus && 6178 Context.getTargetInfo().getCXXABI().isArgumentDestroyedByCallee()) { 6179 if (const RecordType *RT = Param->getType()->getAs<RecordType>()) 6180 FinalizeVarWithDestructor(Param, RT); 6181 } 6182 } 6183 6184 return HasInvalidParm; 6185 } 6186 6187 /// CheckCastAlign - Implements -Wcast-align, which warns when a 6188 /// pointer cast increases the alignment requirements. 6189 void Sema::CheckCastAlign(Expr *Op, QualType T, SourceRange TRange) { 6190 // This is actually a lot of work to potentially be doing on every 6191 // cast; don't do it if we're ignoring -Wcast_align (as is the default). 6192 if (getDiagnostics().getDiagnosticLevel(diag::warn_cast_align, 6193 TRange.getBegin()) 6194 == DiagnosticsEngine::Ignored) 6195 return; 6196 6197 // Ignore dependent types. 6198 if (T->isDependentType() || Op->getType()->isDependentType()) 6199 return; 6200 6201 // Require that the destination be a pointer type. 6202 const PointerType *DestPtr = T->getAs<PointerType>(); 6203 if (!DestPtr) return; 6204 6205 // If the destination has alignment 1, we're done. 6206 QualType DestPointee = DestPtr->getPointeeType(); 6207 if (DestPointee->isIncompleteType()) return; 6208 CharUnits DestAlign = Context.getTypeAlignInChars(DestPointee); 6209 if (DestAlign.isOne()) return; 6210 6211 // Require that the source be a pointer type. 6212 const PointerType *SrcPtr = Op->getType()->getAs<PointerType>(); 6213 if (!SrcPtr) return; 6214 QualType SrcPointee = SrcPtr->getPointeeType(); 6215 6216 // Whitelist casts from cv void*. We already implicitly 6217 // whitelisted casts to cv void*, since they have alignment 1. 6218 // Also whitelist casts involving incomplete types, which implicitly 6219 // includes 'void'. 6220 if (SrcPointee->isIncompleteType()) return; 6221 6222 CharUnits SrcAlign = Context.getTypeAlignInChars(SrcPointee); 6223 if (SrcAlign >= DestAlign) return; 6224 6225 Diag(TRange.getBegin(), diag::warn_cast_align) 6226 << Op->getType() << T 6227 << static_cast<unsigned>(SrcAlign.getQuantity()) 6228 << static_cast<unsigned>(DestAlign.getQuantity()) 6229 << TRange << Op->getSourceRange(); 6230 } 6231 6232 static const Type* getElementType(const Expr *BaseExpr) { 6233 const Type* EltType = BaseExpr->getType().getTypePtr(); 6234 if (EltType->isAnyPointerType()) 6235 return EltType->getPointeeType().getTypePtr(); 6236 else if (EltType->isArrayType()) 6237 return EltType->getBaseElementTypeUnsafe(); 6238 return EltType; 6239 } 6240 6241 /// \brief Check whether this array fits the idiom of a size-one tail padded 6242 /// array member of a struct. 6243 /// 6244 /// We avoid emitting out-of-bounds access warnings for such arrays as they are 6245 /// commonly used to emulate flexible arrays in C89 code. 6246 static bool IsTailPaddedMemberArray(Sema &S, llvm::APInt Size, 6247 const NamedDecl *ND) { 6248 if (Size != 1 || !ND) return false; 6249 6250 const FieldDecl *FD = dyn_cast<FieldDecl>(ND); 6251 if (!FD) return false; 6252 6253 // Don't consider sizes resulting from macro expansions or template argument 6254 // substitution to form C89 tail-padded arrays. 6255 6256 TypeSourceInfo *TInfo = FD->getTypeSourceInfo(); 6257 while (TInfo) { 6258 TypeLoc TL = TInfo->getTypeLoc(); 6259 // Look through typedefs. 6260 if (TypedefTypeLoc TTL = TL.getAs<TypedefTypeLoc>()) { 6261 const TypedefNameDecl *TDL = TTL.getTypedefNameDecl(); 6262 TInfo = TDL->getTypeSourceInfo(); 6263 continue; 6264 } 6265 if (ConstantArrayTypeLoc CTL = TL.getAs<ConstantArrayTypeLoc>()) { 6266 const Expr *SizeExpr = dyn_cast<IntegerLiteral>(CTL.getSizeExpr()); 6267 if (!SizeExpr || SizeExpr->getExprLoc().isMacroID()) 6268 return false; 6269 } 6270 break; 6271 } 6272 6273 const RecordDecl *RD = dyn_cast<RecordDecl>(FD->getDeclContext()); 6274 if (!RD) return false; 6275 if (RD->isUnion()) return false; 6276 if (const CXXRecordDecl *CRD = dyn_cast<CXXRecordDecl>(RD)) { 6277 if (!CRD->isStandardLayout()) return false; 6278 } 6279 6280 // See if this is the last field decl in the record. 6281 const Decl *D = FD; 6282 while ((D = D->getNextDeclInContext())) 6283 if (isa<FieldDecl>(D)) 6284 return false; 6285 return true; 6286 } 6287 6288 void Sema::CheckArrayAccess(const Expr *BaseExpr, const Expr *IndexExpr, 6289 const ArraySubscriptExpr *ASE, 6290 bool AllowOnePastEnd, bool IndexNegated) { 6291 IndexExpr = IndexExpr->IgnoreParenImpCasts(); 6292 if (IndexExpr->isValueDependent()) 6293 return; 6294 6295 const Type *EffectiveType = getElementType(BaseExpr); 6296 BaseExpr = BaseExpr->IgnoreParenCasts(); 6297 const ConstantArrayType *ArrayTy = 6298 Context.getAsConstantArrayType(BaseExpr->getType()); 6299 if (!ArrayTy) 6300 return; 6301 6302 llvm::APSInt index; 6303 if (!IndexExpr->EvaluateAsInt(index, Context)) 6304 return; 6305 if (IndexNegated) 6306 index = -index; 6307 6308 const NamedDecl *ND = NULL; 6309 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr)) 6310 ND = dyn_cast<NamedDecl>(DRE->getDecl()); 6311 if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr)) 6312 ND = dyn_cast<NamedDecl>(ME->getMemberDecl()); 6313 6314 if (index.isUnsigned() || !index.isNegative()) { 6315 llvm::APInt size = ArrayTy->getSize(); 6316 if (!size.isStrictlyPositive()) 6317 return; 6318 6319 const Type* BaseType = getElementType(BaseExpr); 6320 if (BaseType != EffectiveType) { 6321 // Make sure we're comparing apples to apples when comparing index to size 6322 uint64_t ptrarith_typesize = Context.getTypeSize(EffectiveType); 6323 uint64_t array_typesize = Context.getTypeSize(BaseType); 6324 // Handle ptrarith_typesize being zero, such as when casting to void* 6325 if (!ptrarith_typesize) ptrarith_typesize = 1; 6326 if (ptrarith_typesize != array_typesize) { 6327 // There's a cast to a different size type involved 6328 uint64_t ratio = array_typesize / ptrarith_typesize; 6329 // TODO: Be smarter about handling cases where array_typesize is not a 6330 // multiple of ptrarith_typesize 6331 if (ptrarith_typesize * ratio == array_typesize) 6332 size *= llvm::APInt(size.getBitWidth(), ratio); 6333 } 6334 } 6335 6336 if (size.getBitWidth() > index.getBitWidth()) 6337 index = index.zext(size.getBitWidth()); 6338 else if (size.getBitWidth() < index.getBitWidth()) 6339 size = size.zext(index.getBitWidth()); 6340 6341 // For array subscripting the index must be less than size, but for pointer 6342 // arithmetic also allow the index (offset) to be equal to size since 6343 // computing the next address after the end of the array is legal and 6344 // commonly done e.g. in C++ iterators and range-based for loops. 6345 if (AllowOnePastEnd ? index.ule(size) : index.ult(size)) 6346 return; 6347 6348 // Also don't warn for arrays of size 1 which are members of some 6349 // structure. These are often used to approximate flexible arrays in C89 6350 // code. 6351 if (IsTailPaddedMemberArray(*this, size, ND)) 6352 return; 6353 6354 // Suppress the warning if the subscript expression (as identified by the 6355 // ']' location) and the index expression are both from macro expansions 6356 // within a system header. 6357 if (ASE) { 6358 SourceLocation RBracketLoc = SourceMgr.getSpellingLoc( 6359 ASE->getRBracketLoc()); 6360 if (SourceMgr.isInSystemHeader(RBracketLoc)) { 6361 SourceLocation IndexLoc = SourceMgr.getSpellingLoc( 6362 IndexExpr->getLocStart()); 6363 if (SourceMgr.isWrittenInSameFile(RBracketLoc, IndexLoc)) 6364 return; 6365 } 6366 } 6367 6368 unsigned DiagID = diag::warn_ptr_arith_exceeds_bounds; 6369 if (ASE) 6370 DiagID = diag::warn_array_index_exceeds_bounds; 6371 6372 DiagRuntimeBehavior(BaseExpr->getLocStart(), BaseExpr, 6373 PDiag(DiagID) << index.toString(10, true) 6374 << size.toString(10, true) 6375 << (unsigned)size.getLimitedValue(~0U) 6376 << IndexExpr->getSourceRange()); 6377 } else { 6378 unsigned DiagID = diag::warn_array_index_precedes_bounds; 6379 if (!ASE) { 6380 DiagID = diag::warn_ptr_arith_precedes_bounds; 6381 if (index.isNegative()) index = -index; 6382 } 6383 6384 DiagRuntimeBehavior(BaseExpr->getLocStart(), BaseExpr, 6385 PDiag(DiagID) << index.toString(10, true) 6386 << IndexExpr->getSourceRange()); 6387 } 6388 6389 if (!ND) { 6390 // Try harder to find a NamedDecl to point at in the note. 6391 while (const ArraySubscriptExpr *ASE = 6392 dyn_cast<ArraySubscriptExpr>(BaseExpr)) 6393 BaseExpr = ASE->getBase()->IgnoreParenCasts(); 6394 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr)) 6395 ND = dyn_cast<NamedDecl>(DRE->getDecl()); 6396 if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr)) 6397 ND = dyn_cast<NamedDecl>(ME->getMemberDecl()); 6398 } 6399 6400 if (ND) 6401 DiagRuntimeBehavior(ND->getLocStart(), BaseExpr, 6402 PDiag(diag::note_array_index_out_of_bounds) 6403 << ND->getDeclName()); 6404 } 6405 6406 void Sema::CheckArrayAccess(const Expr *expr) { 6407 int AllowOnePastEnd = 0; 6408 while (expr) { 6409 expr = expr->IgnoreParenImpCasts(); 6410 switch (expr->getStmtClass()) { 6411 case Stmt::ArraySubscriptExprClass: { 6412 const ArraySubscriptExpr *ASE = cast<ArraySubscriptExpr>(expr); 6413 CheckArrayAccess(ASE->getBase(), ASE->getIdx(), ASE, 6414 AllowOnePastEnd > 0); 6415 return; 6416 } 6417 case Stmt::UnaryOperatorClass: { 6418 // Only unwrap the * and & unary operators 6419 const UnaryOperator *UO = cast<UnaryOperator>(expr); 6420 expr = UO->getSubExpr(); 6421 switch (UO->getOpcode()) { 6422 case UO_AddrOf: 6423 AllowOnePastEnd++; 6424 break; 6425 case UO_Deref: 6426 AllowOnePastEnd--; 6427 break; 6428 default: 6429 return; 6430 } 6431 break; 6432 } 6433 case Stmt::ConditionalOperatorClass: { 6434 const ConditionalOperator *cond = cast<ConditionalOperator>(expr); 6435 if (const Expr *lhs = cond->getLHS()) 6436 CheckArrayAccess(lhs); 6437 if (const Expr *rhs = cond->getRHS()) 6438 CheckArrayAccess(rhs); 6439 return; 6440 } 6441 default: 6442 return; 6443 } 6444 } 6445 } 6446 6447 //===--- CHECK: Objective-C retain cycles ----------------------------------// 6448 6449 namespace { 6450 struct RetainCycleOwner { 6451 RetainCycleOwner() : Variable(0), Indirect(false) {} 6452 VarDecl *Variable; 6453 SourceRange Range; 6454 SourceLocation Loc; 6455 bool Indirect; 6456 6457 void setLocsFrom(Expr *e) { 6458 Loc = e->getExprLoc(); 6459 Range = e->getSourceRange(); 6460 } 6461 }; 6462 } 6463 6464 /// Consider whether capturing the given variable can possibly lead to 6465 /// a retain cycle. 6466 static bool considerVariable(VarDecl *var, Expr *ref, RetainCycleOwner &owner) { 6467 // In ARC, it's captured strongly iff the variable has __strong 6468 // lifetime. In MRR, it's captured strongly if the variable is 6469 // __block and has an appropriate type. 6470 if (var->getType().getObjCLifetime() != Qualifiers::OCL_Strong) 6471 return false; 6472 6473 owner.Variable = var; 6474 if (ref) 6475 owner.setLocsFrom(ref); 6476 return true; 6477 } 6478 6479 static bool findRetainCycleOwner(Sema &S, Expr *e, RetainCycleOwner &owner) { 6480 while (true) { 6481 e = e->IgnoreParens(); 6482 if (CastExpr *cast = dyn_cast<CastExpr>(e)) { 6483 switch (cast->getCastKind()) { 6484 case CK_BitCast: 6485 case CK_LValueBitCast: 6486 case CK_LValueToRValue: 6487 case CK_ARCReclaimReturnedObject: 6488 e = cast->getSubExpr(); 6489 continue; 6490 6491 default: 6492 return false; 6493 } 6494 } 6495 6496 if (ObjCIvarRefExpr *ref = dyn_cast<ObjCIvarRefExpr>(e)) { 6497 ObjCIvarDecl *ivar = ref->getDecl(); 6498 if (ivar->getType().getObjCLifetime() != Qualifiers::OCL_Strong) 6499 return false; 6500 6501 // Try to find a retain cycle in the base. 6502 if (!findRetainCycleOwner(S, ref->getBase(), owner)) 6503 return false; 6504 6505 if (ref->isFreeIvar()) owner.setLocsFrom(ref); 6506 owner.Indirect = true; 6507 return true; 6508 } 6509 6510 if (DeclRefExpr *ref = dyn_cast<DeclRefExpr>(e)) { 6511 VarDecl *var = dyn_cast<VarDecl>(ref->getDecl()); 6512 if (!var) return false; 6513 return considerVariable(var, ref, owner); 6514 } 6515 6516 if (MemberExpr *member = dyn_cast<MemberExpr>(e)) { 6517 if (member->isArrow()) return false; 6518 6519 // Don't count this as an indirect ownership. 6520 e = member->getBase(); 6521 continue; 6522 } 6523 6524 if (PseudoObjectExpr *pseudo = dyn_cast<PseudoObjectExpr>(e)) { 6525 // Only pay attention to pseudo-objects on property references. 6526 ObjCPropertyRefExpr *pre 6527 = dyn_cast<ObjCPropertyRefExpr>(pseudo->getSyntacticForm() 6528 ->IgnoreParens()); 6529 if (!pre) return false; 6530 if (pre->isImplicitProperty()) return false; 6531 ObjCPropertyDecl *property = pre->getExplicitProperty(); 6532 if (!property->isRetaining() && 6533 !(property->getPropertyIvarDecl() && 6534 property->getPropertyIvarDecl()->getType() 6535 .getObjCLifetime() == Qualifiers::OCL_Strong)) 6536 return false; 6537 6538 owner.Indirect = true; 6539 if (pre->isSuperReceiver()) { 6540 owner.Variable = S.getCurMethodDecl()->getSelfDecl(); 6541 if (!owner.Variable) 6542 return false; 6543 owner.Loc = pre->getLocation(); 6544 owner.Range = pre->getSourceRange(); 6545 return true; 6546 } 6547 e = const_cast<Expr*>(cast<OpaqueValueExpr>(pre->getBase()) 6548 ->getSourceExpr()); 6549 continue; 6550 } 6551 6552 // Array ivars? 6553 6554 return false; 6555 } 6556 } 6557 6558 namespace { 6559 struct FindCaptureVisitor : EvaluatedExprVisitor<FindCaptureVisitor> { 6560 FindCaptureVisitor(ASTContext &Context, VarDecl *variable) 6561 : EvaluatedExprVisitor<FindCaptureVisitor>(Context), 6562 Variable(variable), Capturer(0) {} 6563 6564 VarDecl *Variable; 6565 Expr *Capturer; 6566 6567 void VisitDeclRefExpr(DeclRefExpr *ref) { 6568 if (ref->getDecl() == Variable && !Capturer) 6569 Capturer = ref; 6570 } 6571 6572 void VisitObjCIvarRefExpr(ObjCIvarRefExpr *ref) { 6573 if (Capturer) return; 6574 Visit(ref->getBase()); 6575 if (Capturer && ref->isFreeIvar()) 6576 Capturer = ref; 6577 } 6578 6579 void VisitBlockExpr(BlockExpr *block) { 6580 // Look inside nested blocks 6581 if (block->getBlockDecl()->capturesVariable(Variable)) 6582 Visit(block->getBlockDecl()->getBody()); 6583 } 6584 6585 void VisitOpaqueValueExpr(OpaqueValueExpr *OVE) { 6586 if (Capturer) return; 6587 if (OVE->getSourceExpr()) 6588 Visit(OVE->getSourceExpr()); 6589 } 6590 }; 6591 } 6592 6593 /// Check whether the given argument is a block which captures a 6594 /// variable. 6595 static Expr *findCapturingExpr(Sema &S, Expr *e, RetainCycleOwner &owner) { 6596 assert(owner.Variable && owner.Loc.isValid()); 6597 6598 e = e->IgnoreParenCasts(); 6599 6600 // Look through [^{...} copy] and Block_copy(^{...}). 6601 if (ObjCMessageExpr *ME = dyn_cast<ObjCMessageExpr>(e)) { 6602 Selector Cmd = ME->getSelector(); 6603 if (Cmd.isUnarySelector() && Cmd.getNameForSlot(0) == "copy") { 6604 e = ME->getInstanceReceiver(); 6605 if (!e) 6606 return 0; 6607 e = e->IgnoreParenCasts(); 6608 } 6609 } else if (CallExpr *CE = dyn_cast<CallExpr>(e)) { 6610 if (CE->getNumArgs() == 1) { 6611 FunctionDecl *Fn = dyn_cast_or_null<FunctionDecl>(CE->getCalleeDecl()); 6612 if (Fn) { 6613 const IdentifierInfo *FnI = Fn->getIdentifier(); 6614 if (FnI && FnI->isStr("_Block_copy")) { 6615 e = CE->getArg(0)->IgnoreParenCasts(); 6616 } 6617 } 6618 } 6619 } 6620 6621 BlockExpr *block = dyn_cast<BlockExpr>(e); 6622 if (!block || !block->getBlockDecl()->capturesVariable(owner.Variable)) 6623 return 0; 6624 6625 FindCaptureVisitor visitor(S.Context, owner.Variable); 6626 visitor.Visit(block->getBlockDecl()->getBody()); 6627 return visitor.Capturer; 6628 } 6629 6630 static void diagnoseRetainCycle(Sema &S, Expr *capturer, 6631 RetainCycleOwner &owner) { 6632 assert(capturer); 6633 assert(owner.Variable && owner.Loc.isValid()); 6634 6635 S.Diag(capturer->getExprLoc(), diag::warn_arc_retain_cycle) 6636 << owner.Variable << capturer->getSourceRange(); 6637 S.Diag(owner.Loc, diag::note_arc_retain_cycle_owner) 6638 << owner.Indirect << owner.Range; 6639 } 6640 6641 /// Check for a keyword selector that starts with the word 'add' or 6642 /// 'set'. 6643 static bool isSetterLikeSelector(Selector sel) { 6644 if (sel.isUnarySelector()) return false; 6645 6646 StringRef str = sel.getNameForSlot(0); 6647 while (!str.empty() && str.front() == '_') str = str.substr(1); 6648 if (str.startswith("set")) 6649 str = str.substr(3); 6650 else if (str.startswith("add")) { 6651 // Specially whitelist 'addOperationWithBlock:'. 6652 if (sel.getNumArgs() == 1 && str.startswith("addOperationWithBlock")) 6653 return false; 6654 str = str.substr(3); 6655 } 6656 else 6657 return false; 6658 6659 if (str.empty()) return true; 6660 return !isLowercase(str.front()); 6661 } 6662 6663 /// Check a message send to see if it's likely to cause a retain cycle. 6664 void Sema::checkRetainCycles(ObjCMessageExpr *msg) { 6665 // Only check instance methods whose selector looks like a setter. 6666 if (!msg->isInstanceMessage() || !isSetterLikeSelector(msg->getSelector())) 6667 return; 6668 6669 // Try to find a variable that the receiver is strongly owned by. 6670 RetainCycleOwner owner; 6671 if (msg->getReceiverKind() == ObjCMessageExpr::Instance) { 6672 if (!findRetainCycleOwner(*this, msg->getInstanceReceiver(), owner)) 6673 return; 6674 } else { 6675 assert(msg->getReceiverKind() == ObjCMessageExpr::SuperInstance); 6676 owner.Variable = getCurMethodDecl()->getSelfDecl(); 6677 owner.Loc = msg->getSuperLoc(); 6678 owner.Range = msg->getSuperLoc(); 6679 } 6680 6681 // Check whether the receiver is captured by any of the arguments. 6682 for (unsigned i = 0, e = msg->getNumArgs(); i != e; ++i) 6683 if (Expr *capturer = findCapturingExpr(*this, msg->getArg(i), owner)) 6684 return diagnoseRetainCycle(*this, capturer, owner); 6685 } 6686 6687 /// Check a property assign to see if it's likely to cause a retain cycle. 6688 void Sema::checkRetainCycles(Expr *receiver, Expr *argument) { 6689 RetainCycleOwner owner; 6690 if (!findRetainCycleOwner(*this, receiver, owner)) 6691 return; 6692 6693 if (Expr *capturer = findCapturingExpr(*this, argument, owner)) 6694 diagnoseRetainCycle(*this, capturer, owner); 6695 } 6696 6697 void Sema::checkRetainCycles(VarDecl *Var, Expr *Init) { 6698 RetainCycleOwner Owner; 6699 if (!considerVariable(Var, /*DeclRefExpr=*/0, Owner)) 6700 return; 6701 6702 // Because we don't have an expression for the variable, we have to set the 6703 // location explicitly here. 6704 Owner.Loc = Var->getLocation(); 6705 Owner.Range = Var->getSourceRange(); 6706 6707 if (Expr *Capturer = findCapturingExpr(*this, Init, Owner)) 6708 diagnoseRetainCycle(*this, Capturer, Owner); 6709 } 6710 6711 static bool checkUnsafeAssignLiteral(Sema &S, SourceLocation Loc, 6712 Expr *RHS, bool isProperty) { 6713 // Check if RHS is an Objective-C object literal, which also can get 6714 // immediately zapped in a weak reference. Note that we explicitly 6715 // allow ObjCStringLiterals, since those are designed to never really die. 6716 RHS = RHS->IgnoreParenImpCasts(); 6717 6718 // This enum needs to match with the 'select' in 6719 // warn_objc_arc_literal_assign (off-by-1). 6720 Sema::ObjCLiteralKind Kind = S.CheckLiteralKind(RHS); 6721 if (Kind == Sema::LK_String || Kind == Sema::LK_None) 6722 return false; 6723 6724 S.Diag(Loc, diag::warn_arc_literal_assign) 6725 << (unsigned) Kind 6726 << (isProperty ? 0 : 1) 6727 << RHS->getSourceRange(); 6728 6729 return true; 6730 } 6731 6732 static bool checkUnsafeAssignObject(Sema &S, SourceLocation Loc, 6733 Qualifiers::ObjCLifetime LT, 6734 Expr *RHS, bool isProperty) { 6735 // Strip off any implicit cast added to get to the one ARC-specific. 6736 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) { 6737 if (cast->getCastKind() == CK_ARCConsumeObject) { 6738 S.Diag(Loc, diag::warn_arc_retained_assign) 6739 << (LT == Qualifiers::OCL_ExplicitNone) 6740 << (isProperty ? 0 : 1) 6741 << RHS->getSourceRange(); 6742 return true; 6743 } 6744 RHS = cast->getSubExpr(); 6745 } 6746 6747 if (LT == Qualifiers::OCL_Weak && 6748 checkUnsafeAssignLiteral(S, Loc, RHS, isProperty)) 6749 return true; 6750 6751 return false; 6752 } 6753 6754 bool Sema::checkUnsafeAssigns(SourceLocation Loc, 6755 QualType LHS, Expr *RHS) { 6756 Qualifiers::ObjCLifetime LT = LHS.getObjCLifetime(); 6757 6758 if (LT != Qualifiers::OCL_Weak && LT != Qualifiers::OCL_ExplicitNone) 6759 return false; 6760 6761 if (checkUnsafeAssignObject(*this, Loc, LT, RHS, false)) 6762 return true; 6763 6764 return false; 6765 } 6766 6767 void Sema::checkUnsafeExprAssigns(SourceLocation Loc, 6768 Expr *LHS, Expr *RHS) { 6769 QualType LHSType; 6770 // PropertyRef on LHS type need be directly obtained from 6771 // its declaration as it has a PsuedoType. 6772 ObjCPropertyRefExpr *PRE 6773 = dyn_cast<ObjCPropertyRefExpr>(LHS->IgnoreParens()); 6774 if (PRE && !PRE->isImplicitProperty()) { 6775 const ObjCPropertyDecl *PD = PRE->getExplicitProperty(); 6776 if (PD) 6777 LHSType = PD->getType(); 6778 } 6779 6780 if (LHSType.isNull()) 6781 LHSType = LHS->getType(); 6782 6783 Qualifiers::ObjCLifetime LT = LHSType.getObjCLifetime(); 6784 6785 if (LT == Qualifiers::OCL_Weak) { 6786 DiagnosticsEngine::Level Level = 6787 Diags.getDiagnosticLevel(diag::warn_arc_repeated_use_of_weak, Loc); 6788 if (Level != DiagnosticsEngine::Ignored) 6789 getCurFunction()->markSafeWeakUse(LHS); 6790 } 6791 6792 if (checkUnsafeAssigns(Loc, LHSType, RHS)) 6793 return; 6794 6795 // FIXME. Check for other life times. 6796 if (LT != Qualifiers::OCL_None) 6797 return; 6798 6799 if (PRE) { 6800 if (PRE->isImplicitProperty()) 6801 return; 6802 const ObjCPropertyDecl *PD = PRE->getExplicitProperty(); 6803 if (!PD) 6804 return; 6805 6806 unsigned Attributes = PD->getPropertyAttributes(); 6807 if (Attributes & ObjCPropertyDecl::OBJC_PR_assign) { 6808 // when 'assign' attribute was not explicitly specified 6809 // by user, ignore it and rely on property type itself 6810 // for lifetime info. 6811 unsigned AsWrittenAttr = PD->getPropertyAttributesAsWritten(); 6812 if (!(AsWrittenAttr & ObjCPropertyDecl::OBJC_PR_assign) && 6813 LHSType->isObjCRetainableType()) 6814 return; 6815 6816 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) { 6817 if (cast->getCastKind() == CK_ARCConsumeObject) { 6818 Diag(Loc, diag::warn_arc_retained_property_assign) 6819 << RHS->getSourceRange(); 6820 return; 6821 } 6822 RHS = cast->getSubExpr(); 6823 } 6824 } 6825 else if (Attributes & ObjCPropertyDecl::OBJC_PR_weak) { 6826 if (checkUnsafeAssignObject(*this, Loc, Qualifiers::OCL_Weak, RHS, true)) 6827 return; 6828 } 6829 } 6830 } 6831 6832 //===--- CHECK: Empty statement body (-Wempty-body) ---------------------===// 6833 6834 namespace { 6835 bool ShouldDiagnoseEmptyStmtBody(const SourceManager &SourceMgr, 6836 SourceLocation StmtLoc, 6837 const NullStmt *Body) { 6838 // Do not warn if the body is a macro that expands to nothing, e.g: 6839 // 6840 // #define CALL(x) 6841 // if (condition) 6842 // CALL(0); 6843 // 6844 if (Body->hasLeadingEmptyMacro()) 6845 return false; 6846 6847 // Get line numbers of statement and body. 6848 bool StmtLineInvalid; 6849 unsigned StmtLine = SourceMgr.getSpellingLineNumber(StmtLoc, 6850 &StmtLineInvalid); 6851 if (StmtLineInvalid) 6852 return false; 6853 6854 bool BodyLineInvalid; 6855 unsigned BodyLine = SourceMgr.getSpellingLineNumber(Body->getSemiLoc(), 6856 &BodyLineInvalid); 6857 if (BodyLineInvalid) 6858 return false; 6859 6860 // Warn if null statement and body are on the same line. 6861 if (StmtLine != BodyLine) 6862 return false; 6863 6864 return true; 6865 } 6866 } // Unnamed namespace 6867 6868 void Sema::DiagnoseEmptyStmtBody(SourceLocation StmtLoc, 6869 const Stmt *Body, 6870 unsigned DiagID) { 6871 // Since this is a syntactic check, don't emit diagnostic for template 6872 // instantiations, this just adds noise. 6873 if (CurrentInstantiationScope) 6874 return; 6875 6876 // The body should be a null statement. 6877 const NullStmt *NBody = dyn_cast<NullStmt>(Body); 6878 if (!NBody) 6879 return; 6880 6881 // Do the usual checks. 6882 if (!ShouldDiagnoseEmptyStmtBody(SourceMgr, StmtLoc, NBody)) 6883 return; 6884 6885 Diag(NBody->getSemiLoc(), DiagID); 6886 Diag(NBody->getSemiLoc(), diag::note_empty_body_on_separate_line); 6887 } 6888 6889 void Sema::DiagnoseEmptyLoopBody(const Stmt *S, 6890 const Stmt *PossibleBody) { 6891 assert(!CurrentInstantiationScope); // Ensured by caller 6892 6893 SourceLocation StmtLoc; 6894 const Stmt *Body; 6895 unsigned DiagID; 6896 if (const ForStmt *FS = dyn_cast<ForStmt>(S)) { 6897 StmtLoc = FS->getRParenLoc(); 6898 Body = FS->getBody(); 6899 DiagID = diag::warn_empty_for_body; 6900 } else if (const WhileStmt *WS = dyn_cast<WhileStmt>(S)) { 6901 StmtLoc = WS->getCond()->getSourceRange().getEnd(); 6902 Body = WS->getBody(); 6903 DiagID = diag::warn_empty_while_body; 6904 } else 6905 return; // Neither `for' nor `while'. 6906 6907 // The body should be a null statement. 6908 const NullStmt *NBody = dyn_cast<NullStmt>(Body); 6909 if (!NBody) 6910 return; 6911 6912 // Skip expensive checks if diagnostic is disabled. 6913 if (Diags.getDiagnosticLevel(DiagID, NBody->getSemiLoc()) == 6914 DiagnosticsEngine::Ignored) 6915 return; 6916 6917 // Do the usual checks. 6918 if (!ShouldDiagnoseEmptyStmtBody(SourceMgr, StmtLoc, NBody)) 6919 return; 6920 6921 // `for(...);' and `while(...);' are popular idioms, so in order to keep 6922 // noise level low, emit diagnostics only if for/while is followed by a 6923 // CompoundStmt, e.g.: 6924 // for (int i = 0; i < n; i++); 6925 // { 6926 // a(i); 6927 // } 6928 // or if for/while is followed by a statement with more indentation 6929 // than for/while itself: 6930 // for (int i = 0; i < n; i++); 6931 // a(i); 6932 bool ProbableTypo = isa<CompoundStmt>(PossibleBody); 6933 if (!ProbableTypo) { 6934 bool BodyColInvalid; 6935 unsigned BodyCol = SourceMgr.getPresumedColumnNumber( 6936 PossibleBody->getLocStart(), 6937 &BodyColInvalid); 6938 if (BodyColInvalid) 6939 return; 6940 6941 bool StmtColInvalid; 6942 unsigned StmtCol = SourceMgr.getPresumedColumnNumber( 6943 S->getLocStart(), 6944 &StmtColInvalid); 6945 if (StmtColInvalid) 6946 return; 6947 6948 if (BodyCol > StmtCol) 6949 ProbableTypo = true; 6950 } 6951 6952 if (ProbableTypo) { 6953 Diag(NBody->getSemiLoc(), DiagID); 6954 Diag(NBody->getSemiLoc(), diag::note_empty_body_on_separate_line); 6955 } 6956 } 6957 6958 //===--- Layout compatibility ----------------------------------------------// 6959 6960 namespace { 6961 6962 bool isLayoutCompatible(ASTContext &C, QualType T1, QualType T2); 6963 6964 /// \brief Check if two enumeration types are layout-compatible. 6965 bool isLayoutCompatible(ASTContext &C, EnumDecl *ED1, EnumDecl *ED2) { 6966 // C++11 [dcl.enum] p8: 6967 // Two enumeration types are layout-compatible if they have the same 6968 // underlying type. 6969 return ED1->isComplete() && ED2->isComplete() && 6970 C.hasSameType(ED1->getIntegerType(), ED2->getIntegerType()); 6971 } 6972 6973 /// \brief Check if two fields are layout-compatible. 6974 bool isLayoutCompatible(ASTContext &C, FieldDecl *Field1, FieldDecl *Field2) { 6975 if (!isLayoutCompatible(C, Field1->getType(), Field2->getType())) 6976 return false; 6977 6978 if (Field1->isBitField() != Field2->isBitField()) 6979 return false; 6980 6981 if (Field1->isBitField()) { 6982 // Make sure that the bit-fields are the same length. 6983 unsigned Bits1 = Field1->getBitWidthValue(C); 6984 unsigned Bits2 = Field2->getBitWidthValue(C); 6985 6986 if (Bits1 != Bits2) 6987 return false; 6988 } 6989 6990 return true; 6991 } 6992 6993 /// \brief Check if two standard-layout structs are layout-compatible. 6994 /// (C++11 [class.mem] p17) 6995 bool isLayoutCompatibleStruct(ASTContext &C, 6996 RecordDecl *RD1, 6997 RecordDecl *RD2) { 6998 // If both records are C++ classes, check that base classes match. 6999 if (const CXXRecordDecl *D1CXX = dyn_cast<CXXRecordDecl>(RD1)) { 7000 // If one of records is a CXXRecordDecl we are in C++ mode, 7001 // thus the other one is a CXXRecordDecl, too. 7002 const CXXRecordDecl *D2CXX = cast<CXXRecordDecl>(RD2); 7003 // Check number of base classes. 7004 if (D1CXX->getNumBases() != D2CXX->getNumBases()) 7005 return false; 7006 7007 // Check the base classes. 7008 for (CXXRecordDecl::base_class_const_iterator 7009 Base1 = D1CXX->bases_begin(), 7010 BaseEnd1 = D1CXX->bases_end(), 7011 Base2 = D2CXX->bases_begin(); 7012 Base1 != BaseEnd1; 7013 ++Base1, ++Base2) { 7014 if (!isLayoutCompatible(C, Base1->getType(), Base2->getType())) 7015 return false; 7016 } 7017 } else if (const CXXRecordDecl *D2CXX = dyn_cast<CXXRecordDecl>(RD2)) { 7018 // If only RD2 is a C++ class, it should have zero base classes. 7019 if (D2CXX->getNumBases() > 0) 7020 return false; 7021 } 7022 7023 // Check the fields. 7024 RecordDecl::field_iterator Field2 = RD2->field_begin(), 7025 Field2End = RD2->field_end(), 7026 Field1 = RD1->field_begin(), 7027 Field1End = RD1->field_end(); 7028 for ( ; Field1 != Field1End && Field2 != Field2End; ++Field1, ++Field2) { 7029 if (!isLayoutCompatible(C, *Field1, *Field2)) 7030 return false; 7031 } 7032 if (Field1 != Field1End || Field2 != Field2End) 7033 return false; 7034 7035 return true; 7036 } 7037 7038 /// \brief Check if two standard-layout unions are layout-compatible. 7039 /// (C++11 [class.mem] p18) 7040 bool isLayoutCompatibleUnion(ASTContext &C, 7041 RecordDecl *RD1, 7042 RecordDecl *RD2) { 7043 llvm::SmallPtrSet<FieldDecl *, 8> UnmatchedFields; 7044 for (RecordDecl::field_iterator Field2 = RD2->field_begin(), 7045 Field2End = RD2->field_end(); 7046 Field2 != Field2End; ++Field2) { 7047 UnmatchedFields.insert(*Field2); 7048 } 7049 7050 for (RecordDecl::field_iterator Field1 = RD1->field_begin(), 7051 Field1End = RD1->field_end(); 7052 Field1 != Field1End; ++Field1) { 7053 llvm::SmallPtrSet<FieldDecl *, 8>::iterator 7054 I = UnmatchedFields.begin(), 7055 E = UnmatchedFields.end(); 7056 7057 for ( ; I != E; ++I) { 7058 if (isLayoutCompatible(C, *Field1, *I)) { 7059 bool Result = UnmatchedFields.erase(*I); 7060 (void) Result; 7061 assert(Result); 7062 break; 7063 } 7064 } 7065 if (I == E) 7066 return false; 7067 } 7068 7069 return UnmatchedFields.empty(); 7070 } 7071 7072 bool isLayoutCompatible(ASTContext &C, RecordDecl *RD1, RecordDecl *RD2) { 7073 if (RD1->isUnion() != RD2->isUnion()) 7074 return false; 7075 7076 if (RD1->isUnion()) 7077 return isLayoutCompatibleUnion(C, RD1, RD2); 7078 else 7079 return isLayoutCompatibleStruct(C, RD1, RD2); 7080 } 7081 7082 /// \brief Check if two types are layout-compatible in C++11 sense. 7083 bool isLayoutCompatible(ASTContext &C, QualType T1, QualType T2) { 7084 if (T1.isNull() || T2.isNull()) 7085 return false; 7086 7087 // C++11 [basic.types] p11: 7088 // If two types T1 and T2 are the same type, then T1 and T2 are 7089 // layout-compatible types. 7090 if (C.hasSameType(T1, T2)) 7091 return true; 7092 7093 T1 = T1.getCanonicalType().getUnqualifiedType(); 7094 T2 = T2.getCanonicalType().getUnqualifiedType(); 7095 7096 const Type::TypeClass TC1 = T1->getTypeClass(); 7097 const Type::TypeClass TC2 = T2->getTypeClass(); 7098 7099 if (TC1 != TC2) 7100 return false; 7101 7102 if (TC1 == Type::Enum) { 7103 return isLayoutCompatible(C, 7104 cast<EnumType>(T1)->getDecl(), 7105 cast<EnumType>(T2)->getDecl()); 7106 } else if (TC1 == Type::Record) { 7107 if (!T1->isStandardLayoutType() || !T2->isStandardLayoutType()) 7108 return false; 7109 7110 return isLayoutCompatible(C, 7111 cast<RecordType>(T1)->getDecl(), 7112 cast<RecordType>(T2)->getDecl()); 7113 } 7114 7115 return false; 7116 } 7117 } 7118 7119 //===--- CHECK: pointer_with_type_tag attribute: datatypes should match ----// 7120 7121 namespace { 7122 /// \brief Given a type tag expression find the type tag itself. 7123 /// 7124 /// \param TypeExpr Type tag expression, as it appears in user's code. 7125 /// 7126 /// \param VD Declaration of an identifier that appears in a type tag. 7127 /// 7128 /// \param MagicValue Type tag magic value. 7129 bool FindTypeTagExpr(const Expr *TypeExpr, const ASTContext &Ctx, 7130 const ValueDecl **VD, uint64_t *MagicValue) { 7131 while(true) { 7132 if (!TypeExpr) 7133 return false; 7134 7135 TypeExpr = TypeExpr->IgnoreParenImpCasts()->IgnoreParenCasts(); 7136 7137 switch (TypeExpr->getStmtClass()) { 7138 case Stmt::UnaryOperatorClass: { 7139 const UnaryOperator *UO = cast<UnaryOperator>(TypeExpr); 7140 if (UO->getOpcode() == UO_AddrOf || UO->getOpcode() == UO_Deref) { 7141 TypeExpr = UO->getSubExpr(); 7142 continue; 7143 } 7144 return false; 7145 } 7146 7147 case Stmt::DeclRefExprClass: { 7148 const DeclRefExpr *DRE = cast<DeclRefExpr>(TypeExpr); 7149 *VD = DRE->getDecl(); 7150 return true; 7151 } 7152 7153 case Stmt::IntegerLiteralClass: { 7154 const IntegerLiteral *IL = cast<IntegerLiteral>(TypeExpr); 7155 llvm::APInt MagicValueAPInt = IL->getValue(); 7156 if (MagicValueAPInt.getActiveBits() <= 64) { 7157 *MagicValue = MagicValueAPInt.getZExtValue(); 7158 return true; 7159 } else 7160 return false; 7161 } 7162 7163 case Stmt::BinaryConditionalOperatorClass: 7164 case Stmt::ConditionalOperatorClass: { 7165 const AbstractConditionalOperator *ACO = 7166 cast<AbstractConditionalOperator>(TypeExpr); 7167 bool Result; 7168 if (ACO->getCond()->EvaluateAsBooleanCondition(Result, Ctx)) { 7169 if (Result) 7170 TypeExpr = ACO->getTrueExpr(); 7171 else 7172 TypeExpr = ACO->getFalseExpr(); 7173 continue; 7174 } 7175 return false; 7176 } 7177 7178 case Stmt::BinaryOperatorClass: { 7179 const BinaryOperator *BO = cast<BinaryOperator>(TypeExpr); 7180 if (BO->getOpcode() == BO_Comma) { 7181 TypeExpr = BO->getRHS(); 7182 continue; 7183 } 7184 return false; 7185 } 7186 7187 default: 7188 return false; 7189 } 7190 } 7191 } 7192 7193 /// \brief Retrieve the C type corresponding to type tag TypeExpr. 7194 /// 7195 /// \param TypeExpr Expression that specifies a type tag. 7196 /// 7197 /// \param MagicValues Registered magic values. 7198 /// 7199 /// \param FoundWrongKind Set to true if a type tag was found, but of a wrong 7200 /// kind. 7201 /// 7202 /// \param TypeInfo Information about the corresponding C type. 7203 /// 7204 /// \returns true if the corresponding C type was found. 7205 bool GetMatchingCType( 7206 const IdentifierInfo *ArgumentKind, 7207 const Expr *TypeExpr, const ASTContext &Ctx, 7208 const llvm::DenseMap<Sema::TypeTagMagicValue, 7209 Sema::TypeTagData> *MagicValues, 7210 bool &FoundWrongKind, 7211 Sema::TypeTagData &TypeInfo) { 7212 FoundWrongKind = false; 7213 7214 // Variable declaration that has type_tag_for_datatype attribute. 7215 const ValueDecl *VD = NULL; 7216 7217 uint64_t MagicValue; 7218 7219 if (!FindTypeTagExpr(TypeExpr, Ctx, &VD, &MagicValue)) 7220 return false; 7221 7222 if (VD) { 7223 for (specific_attr_iterator<TypeTagForDatatypeAttr> 7224 I = VD->specific_attr_begin<TypeTagForDatatypeAttr>(), 7225 E = VD->specific_attr_end<TypeTagForDatatypeAttr>(); 7226 I != E; ++I) { 7227 if (I->getArgumentKind() != ArgumentKind) { 7228 FoundWrongKind = true; 7229 return false; 7230 } 7231 TypeInfo.Type = I->getMatchingCType(); 7232 TypeInfo.LayoutCompatible = I->getLayoutCompatible(); 7233 TypeInfo.MustBeNull = I->getMustBeNull(); 7234 return true; 7235 } 7236 return false; 7237 } 7238 7239 if (!MagicValues) 7240 return false; 7241 7242 llvm::DenseMap<Sema::TypeTagMagicValue, 7243 Sema::TypeTagData>::const_iterator I = 7244 MagicValues->find(std::make_pair(ArgumentKind, MagicValue)); 7245 if (I == MagicValues->end()) 7246 return false; 7247 7248 TypeInfo = I->second; 7249 return true; 7250 } 7251 } // unnamed namespace 7252 7253 void Sema::RegisterTypeTagForDatatype(const IdentifierInfo *ArgumentKind, 7254 uint64_t MagicValue, QualType Type, 7255 bool LayoutCompatible, 7256 bool MustBeNull) { 7257 if (!TypeTagForDatatypeMagicValues) 7258 TypeTagForDatatypeMagicValues.reset( 7259 new llvm::DenseMap<TypeTagMagicValue, TypeTagData>); 7260 7261 TypeTagMagicValue Magic(ArgumentKind, MagicValue); 7262 (*TypeTagForDatatypeMagicValues)[Magic] = 7263 TypeTagData(Type, LayoutCompatible, MustBeNull); 7264 } 7265 7266 namespace { 7267 bool IsSameCharType(QualType T1, QualType T2) { 7268 const BuiltinType *BT1 = T1->getAs<BuiltinType>(); 7269 if (!BT1) 7270 return false; 7271 7272 const BuiltinType *BT2 = T2->getAs<BuiltinType>(); 7273 if (!BT2) 7274 return false; 7275 7276 BuiltinType::Kind T1Kind = BT1->getKind(); 7277 BuiltinType::Kind T2Kind = BT2->getKind(); 7278 7279 return (T1Kind == BuiltinType::SChar && T2Kind == BuiltinType::Char_S) || 7280 (T1Kind == BuiltinType::UChar && T2Kind == BuiltinType::Char_U) || 7281 (T1Kind == BuiltinType::Char_U && T2Kind == BuiltinType::UChar) || 7282 (T1Kind == BuiltinType::Char_S && T2Kind == BuiltinType::SChar); 7283 } 7284 } // unnamed namespace 7285 7286 void Sema::CheckArgumentWithTypeTag(const ArgumentWithTypeTagAttr *Attr, 7287 const Expr * const *ExprArgs) { 7288 const IdentifierInfo *ArgumentKind = Attr->getArgumentKind(); 7289 bool IsPointerAttr = Attr->getIsPointer(); 7290 7291 const Expr *TypeTagExpr = ExprArgs[Attr->getTypeTagIdx()]; 7292 bool FoundWrongKind; 7293 TypeTagData TypeInfo; 7294 if (!GetMatchingCType(ArgumentKind, TypeTagExpr, Context, 7295 TypeTagForDatatypeMagicValues.get(), 7296 FoundWrongKind, TypeInfo)) { 7297 if (FoundWrongKind) 7298 Diag(TypeTagExpr->getExprLoc(), 7299 diag::warn_type_tag_for_datatype_wrong_kind) 7300 << TypeTagExpr->getSourceRange(); 7301 return; 7302 } 7303 7304 const Expr *ArgumentExpr = ExprArgs[Attr->getArgumentIdx()]; 7305 if (IsPointerAttr) { 7306 // Skip implicit cast of pointer to `void *' (as a function argument). 7307 if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(ArgumentExpr)) 7308 if (ICE->getType()->isVoidPointerType() && 7309 ICE->getCastKind() == CK_BitCast) 7310 ArgumentExpr = ICE->getSubExpr(); 7311 } 7312 QualType ArgumentType = ArgumentExpr->getType(); 7313 7314 // Passing a `void*' pointer shouldn't trigger a warning. 7315 if (IsPointerAttr && ArgumentType->isVoidPointerType()) 7316 return; 7317 7318 if (TypeInfo.MustBeNull) { 7319 // Type tag with matching void type requires a null pointer. 7320 if (!ArgumentExpr->isNullPointerConstant(Context, 7321 Expr::NPC_ValueDependentIsNotNull)) { 7322 Diag(ArgumentExpr->getExprLoc(), 7323 diag::warn_type_safety_null_pointer_required) 7324 << ArgumentKind->getName() 7325 << ArgumentExpr->getSourceRange() 7326 << TypeTagExpr->getSourceRange(); 7327 } 7328 return; 7329 } 7330 7331 QualType RequiredType = TypeInfo.Type; 7332 if (IsPointerAttr) 7333 RequiredType = Context.getPointerType(RequiredType); 7334 7335 bool mismatch = false; 7336 if (!TypeInfo.LayoutCompatible) { 7337 mismatch = !Context.hasSameType(ArgumentType, RequiredType); 7338 7339 // C++11 [basic.fundamental] p1: 7340 // Plain char, signed char, and unsigned char are three distinct types. 7341 // 7342 // But we treat plain `char' as equivalent to `signed char' or `unsigned 7343 // char' depending on the current char signedness mode. 7344 if (mismatch) 7345 if ((IsPointerAttr && IsSameCharType(ArgumentType->getPointeeType(), 7346 RequiredType->getPointeeType())) || 7347 (!IsPointerAttr && IsSameCharType(ArgumentType, RequiredType))) 7348 mismatch = false; 7349 } else 7350 if (IsPointerAttr) 7351 mismatch = !isLayoutCompatible(Context, 7352 ArgumentType->getPointeeType(), 7353 RequiredType->getPointeeType()); 7354 else 7355 mismatch = !isLayoutCompatible(Context, ArgumentType, RequiredType); 7356 7357 if (mismatch) 7358 Diag(ArgumentExpr->getExprLoc(), diag::warn_type_safety_type_mismatch) 7359 << ArgumentType << ArgumentKind->getName() 7360 << TypeInfo.LayoutCompatible << RequiredType 7361 << ArgumentExpr->getSourceRange() 7362 << TypeTagExpr->getSourceRange(); 7363 } 7364