SemaChecking.cpp revision 56f20ae1010aa71defd7572f660b41288c56cdd1
159907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner//===--- SemaChecking.cpp - Extra Semantic Checking -----------------------===// 259907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner// 359907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner// The LLVM Compiler Infrastructure 459907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner// 50bc735ffcfb223c0186419547abaa5c84482663eChris Lattner// This file is distributed under the University of Illinois Open Source 60bc735ffcfb223c0186419547abaa5c84482663eChris Lattner// License. See LICENSE.TXT for details. 759907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner// 859907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner//===----------------------------------------------------------------------===// 959907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner// 1059907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner// This file implements extra semantic analysis beyond what is enforced 1159907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner// by the C type system. 1259907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner// 1359907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner//===----------------------------------------------------------------------===// 1459907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner 1559907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner#include "Sema.h" 1659907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner#include "clang/AST/ASTContext.h" 17c4a1dea2dc56bd1357ec91b829a0b9e68229a13eDaniel Dunbar#include "clang/AST/DeclObjC.h" 182324512285caac0332bbbc6e4cab6245d2a370a1Ted Kremenek#include "clang/AST/ExprCXX.h" 197ff22b259d4d4729f701679e3a7f0e242365e07fTed Kremenek#include "clang/AST/ExprObjC.h" 2059907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner#include "clang/Lex/Preprocessor.h" 2159907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner#include "clang/Basic/Diagnostic.h" 22588e5ebee2db045c3611e0c8f601bc4495ebd0f3Ted Kremenek#include "SemaUtil.h" 2359907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattnerusing namespace clang; 2459907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner 2559907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner/// CheckFunctionCall - Check a direct function call for various correctness 2659907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner/// and safety properties not strictly enforced by the C type system. 27d38617c8a50f9729c254ab76cd359af797c6739bEli FriedmanAction::ExprResult 28e801870b638e47a5734a3ea63ddfb45f1711e078Eli FriedmanSema::CheckFunctionCall(FunctionDecl *FDecl, CallExpr *TheCallRaw) { 29e801870b638e47a5734a3ea63ddfb45f1711e078Eli Friedman llvm::OwningPtr<CallExpr> TheCall(TheCallRaw); 3059907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner // Get the IdentifierInfo* for the called function. 3159907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner IdentifierInfo *FnInfo = FDecl->getIdentifier(); 322def48394f6d48bde0dec2b514193c2b533265b5Douglas Gregor 332def48394f6d48bde0dec2b514193c2b533265b5Douglas Gregor // None of the checks below are needed for functions that don't have 342def48394f6d48bde0dec2b514193c2b533265b5Douglas Gregor // simple names (e.g., C++ conversion functions). 352def48394f6d48bde0dec2b514193c2b533265b5Douglas Gregor if (!FnInfo) 362def48394f6d48bde0dec2b514193c2b533265b5Douglas Gregor return TheCall.take(); 372def48394f6d48bde0dec2b514193c2b533265b5Douglas Gregor 3830ce344307f8a8b00054021307015571f83c7364Chris Lattner switch (FnInfo->getBuiltinID()) { 3930ce344307f8a8b00054021307015571f83c7364Chris Lattner case Builtin::BI__builtin___CFStringMakeConstantString: 40925e60d3fa706f31886027c876989af79eb0e0d2Chris Lattner assert(TheCall->getNumArgs() == 1 && 411b9a0793955070738cac6f04b5abe9496be9b317Chris Lattner "Wrong # arguments to builtin CFStringMakeConstantString"); 42e801870b638e47a5734a3ea63ddfb45f1711e078Eli Friedman if (CheckBuiltinCFStringArgument(TheCall->getArg(0))) 43d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman return true; 44e801870b638e47a5734a3ea63ddfb45f1711e078Eli Friedman return TheCall.take(); 4549ff7a1c8c67d56e62d3b4627463b705c0d5008cTed Kremenek case Builtin::BI__builtin_stdarg_start: 4630ce344307f8a8b00054021307015571f83c7364Chris Lattner case Builtin::BI__builtin_va_start: 47b7cfe88e88cb4f46308de89cf3f0c81bfe624128Chris Lattner if (SemaBuiltinVAStart(TheCall.get())) 48d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman return true; 49e801870b638e47a5734a3ea63ddfb45f1711e078Eli Friedman return TheCall.take(); 501b9a0793955070738cac6f04b5abe9496be9b317Chris Lattner case Builtin::BI__builtin_isgreater: 511b9a0793955070738cac6f04b5abe9496be9b317Chris Lattner case Builtin::BI__builtin_isgreaterequal: 521b9a0793955070738cac6f04b5abe9496be9b317Chris Lattner case Builtin::BI__builtin_isless: 531b9a0793955070738cac6f04b5abe9496be9b317Chris Lattner case Builtin::BI__builtin_islessequal: 541b9a0793955070738cac6f04b5abe9496be9b317Chris Lattner case Builtin::BI__builtin_islessgreater: 551b9a0793955070738cac6f04b5abe9496be9b317Chris Lattner case Builtin::BI__builtin_isunordered: 56e801870b638e47a5734a3ea63ddfb45f1711e078Eli Friedman if (SemaBuiltinUnorderedCompare(TheCall.get())) 57d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman return true; 58e801870b638e47a5734a3ea63ddfb45f1711e078Eli Friedman return TheCall.take(); 596cfda23b3768f93a6eb0b2a9135c8334a20125bbEli Friedman case Builtin::BI__builtin_return_address: 606cfda23b3768f93a6eb0b2a9135c8334a20125bbEli Friedman case Builtin::BI__builtin_frame_address: 616cfda23b3768f93a6eb0b2a9135c8334a20125bbEli Friedman if (SemaBuiltinStackAddress(TheCall.get())) 626cfda23b3768f93a6eb0b2a9135c8334a20125bbEli Friedman return true; 636cfda23b3768f93a6eb0b2a9135c8334a20125bbEli Friedman return TheCall.take(); 64d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman case Builtin::BI__builtin_shufflevector: 65e801870b638e47a5734a3ea63ddfb45f1711e078Eli Friedman return SemaBuiltinShuffleVector(TheCall.get()); 664493f79fce48cd9cbd9f55fa9d452cde736747a0Daniel Dunbar case Builtin::BI__builtin_prefetch: 674493f79fce48cd9cbd9f55fa9d452cde736747a0Daniel Dunbar if (SemaBuiltinPrefetch(TheCall.get())) 684493f79fce48cd9cbd9f55fa9d452cde736747a0Daniel Dunbar return true; 694493f79fce48cd9cbd9f55fa9d452cde736747a0Daniel Dunbar return TheCall.take(); 70d5f8a4fd4d6dfb0415b93bb7ab721bba5cab1332Daniel Dunbar case Builtin::BI__builtin_object_size: 71d5f8a4fd4d6dfb0415b93bb7ab721bba5cab1332Daniel Dunbar if (SemaBuiltinObjectSize(TheCall.get())) 72d5f8a4fd4d6dfb0415b93bb7ab721bba5cab1332Daniel Dunbar return true; 7371993dd85eed9cc42c6b2fa61ee5c53026b74817Anders Carlsson } 74de45428f923b38d80407dbb9ede0df504256f9f6Daniel Dunbar 75de45428f923b38d80407dbb9ede0df504256f9f6Daniel Dunbar // FIXME: This mechanism should be abstracted to be less fragile and 76de45428f923b38d80407dbb9ede0df504256f9f6Daniel Dunbar // more efficient. For example, just map function ids to custom 77de45428f923b38d80407dbb9ede0df504256f9f6Daniel Dunbar // handlers. 78de45428f923b38d80407dbb9ede0df504256f9f6Daniel Dunbar 7959907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner // Search the KnownFunctionIDs for the identifier. 8059907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner unsigned i = 0, e = id_num_known_functions; 8171895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek for (; i != e; ++i) { if (KnownFunctionIDs[i] == FnInfo) break; } 82e801870b638e47a5734a3ea63ddfb45f1711e078Eli Friedman if (i == e) return TheCall.take(); 8359907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner 8459907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner // Printf checking. 8559907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner if (i <= id_vprintf) { 8671895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // Retrieve the index of the format string parameter and determine 8771895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // if the function is passed a va_arg argument. 8859907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner unsigned format_idx = 0; 8971895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek bool HasVAListArg = false; 9071895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek 9159907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner switch (i) { 9230ce344307f8a8b00054021307015571f83c7364Chris Lattner default: assert(false && "No format string argument index."); 93de45428f923b38d80407dbb9ede0df504256f9f6Daniel Dunbar case id_NSLog: format_idx = 0; break; 94de45428f923b38d80407dbb9ede0df504256f9f6Daniel Dunbar case id_asprintf: format_idx = 1; break; 95de45428f923b38d80407dbb9ede0df504256f9f6Daniel Dunbar case id_fprintf: format_idx = 1; break; 96de45428f923b38d80407dbb9ede0df504256f9f6Daniel Dunbar case id_printf: format_idx = 0; break; 97de45428f923b38d80407dbb9ede0df504256f9f6Daniel Dunbar case id_snprintf: format_idx = 2; break; 98de45428f923b38d80407dbb9ede0df504256f9f6Daniel Dunbar case id_snprintf_chk: format_idx = 4; break; 99de45428f923b38d80407dbb9ede0df504256f9f6Daniel Dunbar case id_sprintf: format_idx = 1; break; 100de45428f923b38d80407dbb9ede0df504256f9f6Daniel Dunbar case id_sprintf_chk: format_idx = 3; break; 101de45428f923b38d80407dbb9ede0df504256f9f6Daniel Dunbar case id_vasprintf: format_idx = 1; HasVAListArg = true; break; 102de45428f923b38d80407dbb9ede0df504256f9f6Daniel Dunbar case id_vfprintf: format_idx = 1; HasVAListArg = true; break; 103de45428f923b38d80407dbb9ede0df504256f9f6Daniel Dunbar case id_vsnprintf: format_idx = 2; HasVAListArg = true; break; 104de45428f923b38d80407dbb9ede0df504256f9f6Daniel Dunbar case id_vsnprintf_chk: format_idx = 4; HasVAListArg = true; break; 105de45428f923b38d80407dbb9ede0df504256f9f6Daniel Dunbar case id_vsprintf: format_idx = 1; HasVAListArg = true; break; 106de45428f923b38d80407dbb9ede0df504256f9f6Daniel Dunbar case id_vsprintf_chk: format_idx = 3; HasVAListArg = true; break; 107de45428f923b38d80407dbb9ede0df504256f9f6Daniel Dunbar case id_vprintf: format_idx = 0; HasVAListArg = true; break; 10871895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek } 10971895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek 110e801870b638e47a5734a3ea63ddfb45f1711e078Eli Friedman CheckPrintfArguments(TheCall.get(), HasVAListArg, format_idx); 11159907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner } 11271993dd85eed9cc42c6b2fa61ee5c53026b74817Anders Carlsson 113e801870b638e47a5734a3ea63ddfb45f1711e078Eli Friedman return TheCall.take(); 11471993dd85eed9cc42c6b2fa61ee5c53026b74817Anders Carlsson} 11571993dd85eed9cc42c6b2fa61ee5c53026b74817Anders Carlsson 11671993dd85eed9cc42c6b2fa61ee5c53026b74817Anders Carlsson/// CheckBuiltinCFStringArgument - Checks that the argument to the builtin 11771993dd85eed9cc42c6b2fa61ee5c53026b74817Anders Carlsson/// CFString constructor is correct 118cc6f65d9f210efc56d7418753e93bf5a14f3ac59Chris Lattnerbool Sema::CheckBuiltinCFStringArgument(Expr* Arg) { 11956f349400c5932a196509c0480ff6f99a9a0b48fChris Lattner Arg = Arg->IgnoreParenCasts(); 12071993dd85eed9cc42c6b2fa61ee5c53026b74817Anders Carlsson 12171993dd85eed9cc42c6b2fa61ee5c53026b74817Anders Carlsson StringLiteral *Literal = dyn_cast<StringLiteral>(Arg); 12271993dd85eed9cc42c6b2fa61ee5c53026b74817Anders Carlsson 12371993dd85eed9cc42c6b2fa61ee5c53026b74817Anders Carlsson if (!Literal || Literal->isWide()) { 124fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner Diag(Arg->getLocStart(), diag::err_cfstring_literal_not_string_constant) 125fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner << Arg->getSourceRange(); 1269cdc4d3834f203dcde3ff274b8928e4620a914d5Anders Carlsson return true; 12771993dd85eed9cc42c6b2fa61ee5c53026b74817Anders Carlsson } 12871993dd85eed9cc42c6b2fa61ee5c53026b74817Anders Carlsson 12971993dd85eed9cc42c6b2fa61ee5c53026b74817Anders Carlsson const char *Data = Literal->getStrData(); 13071993dd85eed9cc42c6b2fa61ee5c53026b74817Anders Carlsson unsigned Length = Literal->getByteLength(); 13171993dd85eed9cc42c6b2fa61ee5c53026b74817Anders Carlsson 13271993dd85eed9cc42c6b2fa61ee5c53026b74817Anders Carlsson for (unsigned i = 0; i < Length; ++i) { 13371993dd85eed9cc42c6b2fa61ee5c53026b74817Anders Carlsson if (!isascii(Data[i])) { 13471993dd85eed9cc42c6b2fa61ee5c53026b74817Anders Carlsson Diag(PP.AdvanceToTokenCharacter(Arg->getLocStart(), i + 1), 135fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner diag::warn_cfstring_literal_contains_non_ascii_character) 136fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner << Arg->getSourceRange(); 13771993dd85eed9cc42c6b2fa61ee5c53026b74817Anders Carlsson break; 13871993dd85eed9cc42c6b2fa61ee5c53026b74817Anders Carlsson } 13971993dd85eed9cc42c6b2fa61ee5c53026b74817Anders Carlsson 14071993dd85eed9cc42c6b2fa61ee5c53026b74817Anders Carlsson if (!Data[i]) { 14171993dd85eed9cc42c6b2fa61ee5c53026b74817Anders Carlsson Diag(PP.AdvanceToTokenCharacter(Arg->getLocStart(), i + 1), 142fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner diag::warn_cfstring_literal_contains_nul_character) 143fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner << Arg->getSourceRange(); 14471993dd85eed9cc42c6b2fa61ee5c53026b74817Anders Carlsson break; 14571993dd85eed9cc42c6b2fa61ee5c53026b74817Anders Carlsson } 14671993dd85eed9cc42c6b2fa61ee5c53026b74817Anders Carlsson } 14771993dd85eed9cc42c6b2fa61ee5c53026b74817Anders Carlsson 1489cdc4d3834f203dcde3ff274b8928e4620a914d5Anders Carlsson return false; 14959907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner} 15059907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner 151c27c665c88b49dfb212aedc7bab8b9bf67658b9eChris Lattner/// SemaBuiltinVAStart - Check the arguments to __builtin_va_start for validity. 152c27c665c88b49dfb212aedc7bab8b9bf67658b9eChris Lattner/// Emit an error and return true on failure, return false on success. 153925e60d3fa706f31886027c876989af79eb0e0d2Chris Lattnerbool Sema::SemaBuiltinVAStart(CallExpr *TheCall) { 154925e60d3fa706f31886027c876989af79eb0e0d2Chris Lattner Expr *Fn = TheCall->getCallee(); 155925e60d3fa706f31886027c876989af79eb0e0d2Chris Lattner if (TheCall->getNumArgs() > 2) { 1562c21a073525cdfa68e4439b7af551385dc2796abChris Lattner Diag(TheCall->getArg(2)->getLocStart(), 157fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner diag::err_typecheck_call_too_many_args) 1582c21a073525cdfa68e4439b7af551385dc2796abChris Lattner << 0 /*function call*/ << Fn->getSourceRange() 159fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner << SourceRange(TheCall->getArg(2)->getLocStart(), 160fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner (*(TheCall->arg_end()-1))->getLocEnd()); 16130ce344307f8a8b00054021307015571f83c7364Chris Lattner return true; 16230ce344307f8a8b00054021307015571f83c7364Chris Lattner } 16356f20ae1010aa71defd7572f660b41288c56cdd1Eli Friedman 16456f20ae1010aa71defd7572f660b41288c56cdd1Eli Friedman if (TheCall->getNumArgs() < 2) { 16556f20ae1010aa71defd7572f660b41288c56cdd1Eli Friedman return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 16656f20ae1010aa71defd7572f660b41288c56cdd1Eli Friedman << 0 /*function call*/; 16756f20ae1010aa71defd7572f660b41288c56cdd1Eli Friedman } 16856f20ae1010aa71defd7572f660b41288c56cdd1Eli Friedman 169c27c665c88b49dfb212aedc7bab8b9bf67658b9eChris Lattner // Determine whether the current function is variadic or not. 170c27c665c88b49dfb212aedc7bab8b9bf67658b9eChris Lattner bool isVariadic; 17156f20ae1010aa71defd7572f660b41288c56cdd1Eli Friedman if (getCurFunctionDecl()) { 17256f20ae1010aa71defd7572f660b41288c56cdd1Eli Friedman if (FunctionTypeProto* FTP = 17356f20ae1010aa71defd7572f660b41288c56cdd1Eli Friedman dyn_cast<FunctionTypeProto>(getCurFunctionDecl()->getType())) 17456f20ae1010aa71defd7572f660b41288c56cdd1Eli Friedman isVariadic = FTP->isVariadic(); 17556f20ae1010aa71defd7572f660b41288c56cdd1Eli Friedman else 17656f20ae1010aa71defd7572f660b41288c56cdd1Eli Friedman isVariadic = false; 17756f20ae1010aa71defd7572f660b41288c56cdd1Eli Friedman } else { 17853d0ea5f5bfa647ec23418bf3a3b7c183b51e4bdArgyrios Kyrtzidis isVariadic = getCurMethodDecl()->isVariadic(); 17956f20ae1010aa71defd7572f660b41288c56cdd1Eli Friedman } 18030ce344307f8a8b00054021307015571f83c7364Chris Lattner 181c27c665c88b49dfb212aedc7bab8b9bf67658b9eChris Lattner if (!isVariadic) { 18230ce344307f8a8b00054021307015571f83c7364Chris Lattner Diag(Fn->getLocStart(), diag::err_va_start_used_in_non_variadic_function); 18330ce344307f8a8b00054021307015571f83c7364Chris Lattner return true; 18430ce344307f8a8b00054021307015571f83c7364Chris Lattner } 18530ce344307f8a8b00054021307015571f83c7364Chris Lattner 18630ce344307f8a8b00054021307015571f83c7364Chris Lattner // Verify that the second argument to the builtin is the last argument of the 18730ce344307f8a8b00054021307015571f83c7364Chris Lattner // current function or method. 18830ce344307f8a8b00054021307015571f83c7364Chris Lattner bool SecondArgIsLastNamedArgument = false; 189e2c14103dec39cbd24dac9d7b3e91277b109c14fAnders Carlsson const Expr *Arg = TheCall->getArg(1)->IgnoreParenCasts(); 19088cf226caee50956ef47edd4d44cf7b80703a26cAnders Carlsson 19188cf226caee50956ef47edd4d44cf7b80703a26cAnders Carlsson if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Arg)) { 19288cf226caee50956ef47edd4d44cf7b80703a26cAnders Carlsson if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(DR->getDecl())) { 19330ce344307f8a8b00054021307015571f83c7364Chris Lattner // FIXME: This isn't correct for methods (results in bogus warning). 19430ce344307f8a8b00054021307015571f83c7364Chris Lattner // Get the last formal in the current function. 19588cf226caee50956ef47edd4d44cf7b80703a26cAnders Carlsson const ParmVarDecl *LastArg; 196371f258e61e1365b951b17931a3c5ac1530fd1a0Chris Lattner if (FunctionDecl *FD = getCurFunctionDecl()) 197371f258e61e1365b951b17931a3c5ac1530fd1a0Chris Lattner LastArg = *(FD->param_end()-1); 19830ce344307f8a8b00054021307015571f83c7364Chris Lattner else 19953d0ea5f5bfa647ec23418bf3a3b7c183b51e4bdArgyrios Kyrtzidis LastArg = *(getCurMethodDecl()->param_end()-1); 20030ce344307f8a8b00054021307015571f83c7364Chris Lattner SecondArgIsLastNamedArgument = PV == LastArg; 20130ce344307f8a8b00054021307015571f83c7364Chris Lattner } 20230ce344307f8a8b00054021307015571f83c7364Chris Lattner } 20330ce344307f8a8b00054021307015571f83c7364Chris Lattner 20430ce344307f8a8b00054021307015571f83c7364Chris Lattner if (!SecondArgIsLastNamedArgument) 205925e60d3fa706f31886027c876989af79eb0e0d2Chris Lattner Diag(TheCall->getArg(1)->getLocStart(), 20630ce344307f8a8b00054021307015571f83c7364Chris Lattner diag::warn_second_parameter_of_va_start_not_last_named_argument); 20730ce344307f8a8b00054021307015571f83c7364Chris Lattner return false; 2086cfda23b3768f93a6eb0b2a9135c8334a20125bbEli Friedman} 20930ce344307f8a8b00054021307015571f83c7364Chris Lattner 2101b9a0793955070738cac6f04b5abe9496be9b317Chris Lattner/// SemaBuiltinUnorderedCompare - Handle functions like __builtin_isgreater and 2111b9a0793955070738cac6f04b5abe9496be9b317Chris Lattner/// friends. This is declared to take (...), so we have to check everything. 212925e60d3fa706f31886027c876989af79eb0e0d2Chris Lattnerbool Sema::SemaBuiltinUnorderedCompare(CallExpr *TheCall) { 213925e60d3fa706f31886027c876989af79eb0e0d2Chris Lattner if (TheCall->getNumArgs() < 2) 2142c21a073525cdfa68e4439b7af551385dc2796abChris Lattner return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 2152c21a073525cdfa68e4439b7af551385dc2796abChris Lattner << 0 /*function call*/; 216925e60d3fa706f31886027c876989af79eb0e0d2Chris Lattner if (TheCall->getNumArgs() > 2) 217925e60d3fa706f31886027c876989af79eb0e0d2Chris Lattner return Diag(TheCall->getArg(2)->getLocStart(), 218fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner diag::err_typecheck_call_too_many_args) 2192c21a073525cdfa68e4439b7af551385dc2796abChris Lattner << 0 /*function call*/ 220fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner << SourceRange(TheCall->getArg(2)->getLocStart(), 221fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner (*(TheCall->arg_end()-1))->getLocEnd()); 2221b9a0793955070738cac6f04b5abe9496be9b317Chris Lattner 223925e60d3fa706f31886027c876989af79eb0e0d2Chris Lattner Expr *OrigArg0 = TheCall->getArg(0); 224925e60d3fa706f31886027c876989af79eb0e0d2Chris Lattner Expr *OrigArg1 = TheCall->getArg(1); 2251b9a0793955070738cac6f04b5abe9496be9b317Chris Lattner 2261b9a0793955070738cac6f04b5abe9496be9b317Chris Lattner // Do standard promotions between the two arguments, returning their common 2271b9a0793955070738cac6f04b5abe9496be9b317Chris Lattner // type. 228925e60d3fa706f31886027c876989af79eb0e0d2Chris Lattner QualType Res = UsualArithmeticConversions(OrigArg0, OrigArg1, false); 2291b9a0793955070738cac6f04b5abe9496be9b317Chris Lattner 2301b9a0793955070738cac6f04b5abe9496be9b317Chris Lattner // If the common type isn't a real floating type, then the arguments were 2311b9a0793955070738cac6f04b5abe9496be9b317Chris Lattner // invalid for this operation. 2321b9a0793955070738cac6f04b5abe9496be9b317Chris Lattner if (!Res->isRealFloatingType()) 233925e60d3fa706f31886027c876989af79eb0e0d2Chris Lattner return Diag(OrigArg0->getLocStart(), 234fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner diag::err_typecheck_call_invalid_ordered_compare) 235d162584991885ab004a02573a73ce06422b921fcChris Lattner << OrigArg0->getType() << OrigArg1->getType() 236fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner << SourceRange(OrigArg0->getLocStart(), OrigArg1->getLocEnd()); 2371b9a0793955070738cac6f04b5abe9496be9b317Chris Lattner 2381b9a0793955070738cac6f04b5abe9496be9b317Chris Lattner return false; 2391b9a0793955070738cac6f04b5abe9496be9b317Chris Lattner} 2401b9a0793955070738cac6f04b5abe9496be9b317Chris Lattner 2416cfda23b3768f93a6eb0b2a9135c8334a20125bbEli Friedmanbool Sema::SemaBuiltinStackAddress(CallExpr *TheCall) { 2426cfda23b3768f93a6eb0b2a9135c8334a20125bbEli Friedman // The signature for these builtins is exact; the only thing we need 2436cfda23b3768f93a6eb0b2a9135c8334a20125bbEli Friedman // to check is that the argument is a constant. 2446cfda23b3768f93a6eb0b2a9135c8334a20125bbEli Friedman SourceLocation Loc; 245d1a0b6d3dfb208f638d3d750b588d9c0daa49289Chris Lattner if (!TheCall->getArg(0)->isIntegerConstantExpr(Context, &Loc)) 246fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner return Diag(Loc, diag::err_stack_const_level) << TheCall->getSourceRange(); 247d1a0b6d3dfb208f638d3d750b588d9c0daa49289Chris Lattner 2486cfda23b3768f93a6eb0b2a9135c8334a20125bbEli Friedman return false; 2496cfda23b3768f93a6eb0b2a9135c8334a20125bbEli Friedman} 2506cfda23b3768f93a6eb0b2a9135c8334a20125bbEli Friedman 251d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman/// SemaBuiltinShuffleVector - Handle __builtin_shufflevector. 252d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman// This is declared to take (...), so we have to check everything. 253d38617c8a50f9729c254ab76cd359af797c6739bEli FriedmanAction::ExprResult Sema::SemaBuiltinShuffleVector(CallExpr *TheCall) { 254d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman if (TheCall->getNumArgs() < 3) 255fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 2562c21a073525cdfa68e4439b7af551385dc2796abChris Lattner << 0 /*function call*/ << TheCall->getSourceRange(); 257d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman 258d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman QualType FAType = TheCall->getArg(0)->getType(); 259d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman QualType SAType = TheCall->getArg(1)->getType(); 260d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman 261d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman if (!FAType->isVectorType() || !SAType->isVectorType()) { 262fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner Diag(TheCall->getLocStart(), diag::err_shufflevector_non_vector) 263fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner << SourceRange(TheCall->getArg(0)->getLocStart(), 264fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner TheCall->getArg(1)->getLocEnd()); 265d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman return true; 266d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman } 267d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman 268b77792eabf5882cf9af8cc810599b20432fda6c2Chris Lattner if (Context.getCanonicalType(FAType).getUnqualifiedType() != 269b77792eabf5882cf9af8cc810599b20432fda6c2Chris Lattner Context.getCanonicalType(SAType).getUnqualifiedType()) { 270fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner Diag(TheCall->getLocStart(), diag::err_shufflevector_incompatible_vector) 271fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner << SourceRange(TheCall->getArg(0)->getLocStart(), 272fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner TheCall->getArg(1)->getLocEnd()); 273d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman return true; 274d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman } 275d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman 276d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman unsigned numElements = FAType->getAsVectorType()->getNumElements(); 277d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman if (TheCall->getNumArgs() != numElements+2) { 278d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman if (TheCall->getNumArgs() < numElements+2) 279fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 2802c21a073525cdfa68e4439b7af551385dc2796abChris Lattner << 0 /*function call*/ << TheCall->getSourceRange(); 281fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_many_args) 2822c21a073525cdfa68e4439b7af551385dc2796abChris Lattner << 0 /*function call*/ << TheCall->getSourceRange(); 283d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman } 284d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman 285d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman for (unsigned i = 2; i < TheCall->getNumArgs(); i++) { 286d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman llvm::APSInt Result(32); 287d1a0b6d3dfb208f638d3d750b588d9c0daa49289Chris Lattner if (!TheCall->getArg(i)->isIntegerConstantExpr(Result, Context)) 288d1a0b6d3dfb208f638d3d750b588d9c0daa49289Chris Lattner return Diag(TheCall->getLocStart(), 289fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner diag::err_shufflevector_nonconstant_argument) 290fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner << TheCall->getArg(i)->getSourceRange(); 291d1a0b6d3dfb208f638d3d750b588d9c0daa49289Chris Lattner 292d1a0b6d3dfb208f638d3d750b588d9c0daa49289Chris Lattner if (Result.getActiveBits() > 64 || Result.getZExtValue() >= numElements*2) 293d1a0b6d3dfb208f638d3d750b588d9c0daa49289Chris Lattner return Diag(TheCall->getLocStart(), 294fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner diag::err_shufflevector_argument_too_large) 295fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner << TheCall->getArg(i)->getSourceRange(); 296d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman } 297d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman 298d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman llvm::SmallVector<Expr*, 32> exprs; 299d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman 300d1a0b6d3dfb208f638d3d750b588d9c0daa49289Chris Lattner for (unsigned i = 0, e = TheCall->getNumArgs(); i != e; i++) { 301d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman exprs.push_back(TheCall->getArg(i)); 302d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman TheCall->setArg(i, 0); 303d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman } 304d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman 305d1a0b6d3dfb208f638d3d750b588d9c0daa49289Chris Lattner return new ShuffleVectorExpr(exprs.begin(), numElements+2, FAType, 306d1a0b6d3dfb208f638d3d750b588d9c0daa49289Chris Lattner TheCall->getCallee()->getLocStart(), 307d1a0b6d3dfb208f638d3d750b588d9c0daa49289Chris Lattner TheCall->getRParenLoc()); 308d38617c8a50f9729c254ab76cd359af797c6739bEli Friedman} 30930ce344307f8a8b00054021307015571f83c7364Chris Lattner 3104493f79fce48cd9cbd9f55fa9d452cde736747a0Daniel Dunbar/// SemaBuiltinPrefetch - Handle __builtin_prefetch. 3114493f79fce48cd9cbd9f55fa9d452cde736747a0Daniel Dunbar// This is declared to take (const void*, ...) and can take two 3124493f79fce48cd9cbd9f55fa9d452cde736747a0Daniel Dunbar// optional constant int args. 3134493f79fce48cd9cbd9f55fa9d452cde736747a0Daniel Dunbarbool Sema::SemaBuiltinPrefetch(CallExpr *TheCall) { 314fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner unsigned NumArgs = TheCall->getNumArgs(); 3154493f79fce48cd9cbd9f55fa9d452cde736747a0Daniel Dunbar 316fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner if (NumArgs > 3) 317fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_many_args) 3182c21a073525cdfa68e4439b7af551385dc2796abChris Lattner << 0 /*function call*/ << TheCall->getSourceRange(); 3194493f79fce48cd9cbd9f55fa9d452cde736747a0Daniel Dunbar 3204493f79fce48cd9cbd9f55fa9d452cde736747a0Daniel Dunbar // Argument 0 is checked for us and the remaining arguments must be 3214493f79fce48cd9cbd9f55fa9d452cde736747a0Daniel Dunbar // constant integers. 322fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner for (unsigned i = 1; i != NumArgs; ++i) { 3234493f79fce48cd9cbd9f55fa9d452cde736747a0Daniel Dunbar Expr *Arg = TheCall->getArg(i); 3244493f79fce48cd9cbd9f55fa9d452cde736747a0Daniel Dunbar QualType RWType = Arg->getType(); 3254493f79fce48cd9cbd9f55fa9d452cde736747a0Daniel Dunbar 3264493f79fce48cd9cbd9f55fa9d452cde736747a0Daniel Dunbar const BuiltinType *BT = RWType->getAsBuiltinType(); 327d5f8a4fd4d6dfb0415b93bb7ab721bba5cab1332Daniel Dunbar llvm::APSInt Result; 3284493f79fce48cd9cbd9f55fa9d452cde736747a0Daniel Dunbar if (!BT || BT->getKind() != BuiltinType::Int || 329fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner !Arg->isIntegerConstantExpr(Result, Context)) 330fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner return Diag(TheCall->getLocStart(), diag::err_prefetch_invalid_argument) 331fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 3324493f79fce48cd9cbd9f55fa9d452cde736747a0Daniel Dunbar 3334493f79fce48cd9cbd9f55fa9d452cde736747a0Daniel Dunbar // FIXME: gcc issues a warning and rewrites these to 0. These 3344493f79fce48cd9cbd9f55fa9d452cde736747a0Daniel Dunbar // seems especially odd for the third argument since the default 3354493f79fce48cd9cbd9f55fa9d452cde736747a0Daniel Dunbar // is 3. 336fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner if (i == 1) { 3374493f79fce48cd9cbd9f55fa9d452cde736747a0Daniel Dunbar if (Result.getSExtValue() < 0 || Result.getSExtValue() > 1) 338fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 339fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner << "0" << "1" << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 3404493f79fce48cd9cbd9f55fa9d452cde736747a0Daniel Dunbar } else { 3414493f79fce48cd9cbd9f55fa9d452cde736747a0Daniel Dunbar if (Result.getSExtValue() < 0 || Result.getSExtValue() > 3) 342fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 343fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner << "0" << "3" << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 3444493f79fce48cd9cbd9f55fa9d452cde736747a0Daniel Dunbar } 3454493f79fce48cd9cbd9f55fa9d452cde736747a0Daniel Dunbar } 3464493f79fce48cd9cbd9f55fa9d452cde736747a0Daniel Dunbar 347fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner return false; 3484493f79fce48cd9cbd9f55fa9d452cde736747a0Daniel Dunbar} 3494493f79fce48cd9cbd9f55fa9d452cde736747a0Daniel Dunbar 350d5f8a4fd4d6dfb0415b93bb7ab721bba5cab1332Daniel Dunbar/// SemaBuiltinObjectSize - Handle __builtin_object_size(void *ptr, 351d5f8a4fd4d6dfb0415b93bb7ab721bba5cab1332Daniel Dunbar/// int type). This simply type checks that type is one of the defined 352d5f8a4fd4d6dfb0415b93bb7ab721bba5cab1332Daniel Dunbar/// constants (0-3). 353d5f8a4fd4d6dfb0415b93bb7ab721bba5cab1332Daniel Dunbarbool Sema::SemaBuiltinObjectSize(CallExpr *TheCall) { 354d5f8a4fd4d6dfb0415b93bb7ab721bba5cab1332Daniel Dunbar Expr *Arg = TheCall->getArg(1); 355d5f8a4fd4d6dfb0415b93bb7ab721bba5cab1332Daniel Dunbar QualType ArgType = Arg->getType(); 356d5f8a4fd4d6dfb0415b93bb7ab721bba5cab1332Daniel Dunbar const BuiltinType *BT = ArgType->getAsBuiltinType(); 357d5f8a4fd4d6dfb0415b93bb7ab721bba5cab1332Daniel Dunbar llvm::APSInt Result(32); 358d5f8a4fd4d6dfb0415b93bb7ab721bba5cab1332Daniel Dunbar if (!BT || BT->getKind() != BuiltinType::Int || 359d5f8a4fd4d6dfb0415b93bb7ab721bba5cab1332Daniel Dunbar !Arg->isIntegerConstantExpr(Result, Context)) { 360fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner return Diag(TheCall->getLocStart(), diag::err_object_size_invalid_argument) 361fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 362d5f8a4fd4d6dfb0415b93bb7ab721bba5cab1332Daniel Dunbar } 363d5f8a4fd4d6dfb0415b93bb7ab721bba5cab1332Daniel Dunbar 364d5f8a4fd4d6dfb0415b93bb7ab721bba5cab1332Daniel Dunbar if (Result.getSExtValue() < 0 || Result.getSExtValue() > 3) { 365fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 366fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner << "0" << "3" << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 367d5f8a4fd4d6dfb0415b93bb7ab721bba5cab1332Daniel Dunbar } 368d5f8a4fd4d6dfb0415b93bb7ab721bba5cab1332Daniel Dunbar 369d5f8a4fd4d6dfb0415b93bb7ab721bba5cab1332Daniel Dunbar return false; 370d5f8a4fd4d6dfb0415b93bb7ab721bba5cab1332Daniel Dunbar} 371d5f8a4fd4d6dfb0415b93bb7ab721bba5cab1332Daniel Dunbar 37259907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner/// CheckPrintfArguments - Check calls to printf (and similar functions) for 37371895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// correct use of format strings. 37471895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// 37571895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// HasVAListArg - A predicate indicating whether the printf-like 37671895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// function is passed an explicit va_arg argument (e.g., vprintf) 37771895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// 37871895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// format_idx - The index into Args for the format string. 37971895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// 38071895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// Improper format strings to functions in the printf family can be 38171895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// the source of bizarre bugs and very serious security holes. A 38271895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// good source of information is available in the following paper 38371895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// (which includes additional references): 38459907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner/// 38559907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner/// FormatGuard: Automatic Protection From printf Format String 38659907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner/// Vulnerabilities, Proceedings of the 10th USENIX Security Symposium, 2001. 38771895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// 38871895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// Functionality implemented: 38971895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// 39071895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// We can statically check the following properties for string 39171895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// literal format strings for non v.*printf functions (where the 39271895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// arguments are passed directly): 39371895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek// 39471895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// (1) Are the number of format conversions equal to the number of 39571895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// data arguments? 39671895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// 39771895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// (2) Does each format conversion correctly match the type of the 39871895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// corresponding data argument? (TODO) 39971895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// 40071895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// Moreover, for all printf functions we can: 40171895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// 40271895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// (3) Check for a missing format string (when not caught by type checking). 40371895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// 40471895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// (4) Check for no-operation flags; e.g. using "#" with format 40571895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// conversion 'c' (TODO) 40671895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// 40771895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// (5) Check the use of '%n', a major source of security holes. 40871895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// 40971895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// (6) Check for malformed format conversions that don't specify anything. 41071895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// 41171895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// (7) Check for empty format strings. e.g: printf(""); 41271895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// 41371895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// (8) Check that the format string is a wide literal. 41471895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// 4156d43959ad845a43f27e00d2720f6bc3d3219d632Ted Kremenek/// (9) Also check the arguments of functions with the __format__ attribute. 4166d43959ad845a43f27e00d2720f6bc3d3219d632Ted Kremenek/// (TODO). 4176d43959ad845a43f27e00d2720f6bc3d3219d632Ted Kremenek/// 41871895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// All of these checks can be done by parsing the format string. 41971895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// 42071895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek/// For now, we ONLY do (1), (3), (5), (6), (7), and (8). 42159907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattnervoid 422925e60d3fa706f31886027c876989af79eb0e0d2Chris LattnerSema::CheckPrintfArguments(CallExpr *TheCall, bool HasVAListArg, 423925e60d3fa706f31886027c876989af79eb0e0d2Chris Lattner unsigned format_idx) { 424925e60d3fa706f31886027c876989af79eb0e0d2Chris Lattner Expr *Fn = TheCall->getCallee(); 425925e60d3fa706f31886027c876989af79eb0e0d2Chris Lattner 42671895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // CHECK: printf-like function is called with no format string. 427925e60d3fa706f31886027c876989af79eb0e0d2Chris Lattner if (format_idx >= TheCall->getNumArgs()) { 428dcd5ef12488e4c7ea844327835896ca86b609a97Chris Lattner Diag(TheCall->getRParenLoc(), diag::warn_printf_missing_format_string) 429dcd5ef12488e4c7ea844327835896ca86b609a97Chris Lattner << Fn->getSourceRange(); 43071895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek return; 43171895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek } 43271895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek 43356f349400c5932a196509c0480ff6f99a9a0b48fChris Lattner Expr *OrigFormatExpr = TheCall->getArg(format_idx)->IgnoreParenCasts(); 434459e8488046be5df0bf57f0a8677316abf253167Chris Lattner 43559907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner // CHECK: format string is not a string literal. 43659907c4d8f6fc8aacfdaa0273bd7a9c140fbb45fChris Lattner // 43771895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // Dynamically generated format strings are difficult to 43871895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // automatically vet at compile time. Requiring that format strings 43971895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // are string literals: (1) permits the checking of format strings by 44071895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // the compiler and thereby (2) can practically remove the source of 44171895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // many format string exploits. 4427ff22b259d4d4729f701679e3a7f0e242365e07fTed Kremenek 4437ff22b259d4d4729f701679e3a7f0e242365e07fTed Kremenek // Format string can be either ObjC string (e.g. @"%d") or 4447ff22b259d4d4729f701679e3a7f0e242365e07fTed Kremenek // C string (e.g. "%d") 4457ff22b259d4d4729f701679e3a7f0e242365e07fTed Kremenek // ObjC string uses the same format specifiers as C string, so we can use 4467ff22b259d4d4729f701679e3a7f0e242365e07fTed Kremenek // the same format string checking logic for both ObjC and C strings. 4477ff22b259d4d4729f701679e3a7f0e242365e07fTed Kremenek ObjCStringLiteral *ObjCFExpr = dyn_cast<ObjCStringLiteral>(OrigFormatExpr); 4487ff22b259d4d4729f701679e3a7f0e242365e07fTed Kremenek StringLiteral *FExpr = NULL; 4497ff22b259d4d4729f701679e3a7f0e242365e07fTed Kremenek 4507ff22b259d4d4729f701679e3a7f0e242365e07fTed Kremenek if(ObjCFExpr != NULL) 4517ff22b259d4d4729f701679e3a7f0e242365e07fTed Kremenek FExpr = ObjCFExpr->getString(); 4527ff22b259d4d4729f701679e3a7f0e242365e07fTed Kremenek else 4537ff22b259d4d4729f701679e3a7f0e242365e07fTed Kremenek FExpr = dyn_cast<StringLiteral>(OrigFormatExpr); 4547ff22b259d4d4729f701679e3a7f0e242365e07fTed Kremenek 45571895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek if (FExpr == NULL) { 4564a33646560c4faf8fb82a681360eb2dc0573d558Ted Kremenek // For vprintf* functions (i.e., HasVAListArg==true), we add a 4574a33646560c4faf8fb82a681360eb2dc0573d558Ted Kremenek // special check to see if the format string is a function parameter 4584a33646560c4faf8fb82a681360eb2dc0573d558Ted Kremenek // of the function calling the printf function. If the function 4594a33646560c4faf8fb82a681360eb2dc0573d558Ted Kremenek // has an attribute indicating it is a printf-like function, then we 4604a33646560c4faf8fb82a681360eb2dc0573d558Ted Kremenek // should suppress warnings concerning non-literals being used in a call 4614a33646560c4faf8fb82a681360eb2dc0573d558Ted Kremenek // to a vprintf function. For example: 4624a33646560c4faf8fb82a681360eb2dc0573d558Ted Kremenek // 4634a33646560c4faf8fb82a681360eb2dc0573d558Ted Kremenek // void 4644a33646560c4faf8fb82a681360eb2dc0573d558Ted Kremenek // logmessage(char const *fmt __attribute__ (format (printf, 1, 2)), ...) { 4654a33646560c4faf8fb82a681360eb2dc0573d558Ted Kremenek // va_list ap; 4664a33646560c4faf8fb82a681360eb2dc0573d558Ted Kremenek // va_start(ap, fmt); 4674a33646560c4faf8fb82a681360eb2dc0573d558Ted Kremenek // vprintf(fmt, ap); // Do NOT emit a warning about "fmt". 4684a33646560c4faf8fb82a681360eb2dc0573d558Ted Kremenek // ... 4694a33646560c4faf8fb82a681360eb2dc0573d558Ted Kremenek // 4704a33646560c4faf8fb82a681360eb2dc0573d558Ted Kremenek // 4714a33646560c4faf8fb82a681360eb2dc0573d558Ted Kremenek // FIXME: We don't have full attribute support yet, so just check to see 4724a33646560c4faf8fb82a681360eb2dc0573d558Ted Kremenek // if the argument is a DeclRefExpr that references a parameter. We'll 4734a33646560c4faf8fb82a681360eb2dc0573d558Ted Kremenek // add proper support for checking the attribute later. 4744a33646560c4faf8fb82a681360eb2dc0573d558Ted Kremenek if (HasVAListArg) 475998568f24d6665b8a9bf26b42a04e5f80d14668fChris Lattner if (DeclRefExpr* DR = dyn_cast<DeclRefExpr>(OrigFormatExpr)) 476998568f24d6665b8a9bf26b42a04e5f80d14668fChris Lattner if (isa<ParmVarDecl>(DR->getDecl())) 4774a33646560c4faf8fb82a681360eb2dc0573d558Ted Kremenek return; 4784a33646560c4faf8fb82a681360eb2dc0573d558Ted Kremenek 479925e60d3fa706f31886027c876989af79eb0e0d2Chris Lattner Diag(TheCall->getArg(format_idx)->getLocStart(), 480dcd5ef12488e4c7ea844327835896ca86b609a97Chris Lattner diag::warn_printf_not_string_constant) 481dcd5ef12488e4c7ea844327835896ca86b609a97Chris Lattner << OrigFormatExpr->getSourceRange(); 48271895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek return; 48371895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek } 48471895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek 48571895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // CHECK: is the format string a wide literal? 48671895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek if (FExpr->isWide()) { 487925e60d3fa706f31886027c876989af79eb0e0d2Chris Lattner Diag(FExpr->getLocStart(), 488dcd5ef12488e4c7ea844327835896ca86b609a97Chris Lattner diag::warn_printf_format_string_is_wide_literal) 489dcd5ef12488e4c7ea844327835896ca86b609a97Chris Lattner << OrigFormatExpr->getSourceRange(); 49071895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek return; 49171895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek } 49271895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek 49371895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // Str - The format string. NOTE: this is NOT null-terminated! 49471895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek const char * const Str = FExpr->getStrData(); 49571895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek 49671895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // CHECK: empty format string? 49771895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek const unsigned StrLen = FExpr->getByteLength(); 49871895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek 49971895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek if (StrLen == 0) { 500dcd5ef12488e4c7ea844327835896ca86b609a97Chris Lattner Diag(FExpr->getLocStart(), diag::warn_printf_empty_format_string) 501dcd5ef12488e4c7ea844327835896ca86b609a97Chris Lattner << OrigFormatExpr->getSourceRange(); 50271895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek return; 50371895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek } 50471895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek 50571895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // We process the format string using a binary state machine. The 50671895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // current state is stored in CurrentState. 50771895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek enum { 50871895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek state_OrdChr, 50971895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek state_Conversion 51071895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek } CurrentState = state_OrdChr; 51171895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek 51271895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // numConversions - The number of conversions seen so far. This is 51371895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // incremented as we traverse the format string. 51471895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek unsigned numConversions = 0; 51571895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek 51671895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // numDataArgs - The number of data arguments after the format 51771895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // string. This can only be determined for non vprintf-like 51871895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // functions. For those functions, this value is 1 (the sole 51971895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // va_arg argument). 520925e60d3fa706f31886027c876989af79eb0e0d2Chris Lattner unsigned numDataArgs = TheCall->getNumArgs()-(format_idx+1); 52171895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek 52271895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // Inspect the format string. 52371895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek unsigned StrIdx = 0; 52471895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek 52571895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // LastConversionIdx - Index within the format string where we last saw 52671895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // a '%' character that starts a new format conversion. 52771895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek unsigned LastConversionIdx = 0; 52871895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek 529925e60d3fa706f31886027c876989af79eb0e0d2Chris Lattner for (; StrIdx < StrLen; ++StrIdx) { 530998568f24d6665b8a9bf26b42a04e5f80d14668fChris Lattner 53171895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // Is the number of detected conversion conversions greater than 53271895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // the number of matching data arguments? If so, stop. 53371895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek if (!HasVAListArg && numConversions > numDataArgs) break; 53471895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek 53571895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // Handle "\0" 536925e60d3fa706f31886027c876989af79eb0e0d2Chris Lattner if (Str[StrIdx] == '\0') { 53771895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // The string returned by getStrData() is not null-terminated, 53871895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // so the presence of a null character is likely an error. 539998568f24d6665b8a9bf26b42a04e5f80d14668fChris Lattner Diag(PP.AdvanceToTokenCharacter(FExpr->getLocStart(), StrIdx+1), 540dcd5ef12488e4c7ea844327835896ca86b609a97Chris Lattner diag::warn_printf_format_string_contains_null_char) 541dcd5ef12488e4c7ea844327835896ca86b609a97Chris Lattner << OrigFormatExpr->getSourceRange(); 54271895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek return; 54371895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek } 54471895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek 54571895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // Ordinary characters (not processing a format conversion). 54671895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek if (CurrentState == state_OrdChr) { 54771895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek if (Str[StrIdx] == '%') { 54871895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek CurrentState = state_Conversion; 54971895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek LastConversionIdx = StrIdx; 55071895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek } 55171895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek continue; 55271895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek } 55371895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek 55471895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // Seen '%'. Now processing a format conversion. 55571895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek switch (Str[StrIdx]) { 556fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // Handle dynamic precision or width specifier. 557fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner case '*': { 558fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner ++numConversions; 559fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner 560fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner if (!HasVAListArg && numConversions > numDataArgs) { 561fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner SourceLocation Loc = FExpr->getLocStart(); 562fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner Loc = PP.AdvanceToTokenCharacter(Loc, StrIdx+1); 563580b664e9c2acd3bffddfea79b1ce2863cfd9dd0Ted Kremenek 564580b664e9c2acd3bffddfea79b1ce2863cfd9dd0Ted Kremenek if (Str[StrIdx-1] == '.') 565dcd5ef12488e4c7ea844327835896ca86b609a97Chris Lattner Diag(Loc, diag::warn_printf_asterisk_precision_missing_arg) 566dcd5ef12488e4c7ea844327835896ca86b609a97Chris Lattner << OrigFormatExpr->getSourceRange(); 567580b664e9c2acd3bffddfea79b1ce2863cfd9dd0Ted Kremenek else 568dcd5ef12488e4c7ea844327835896ca86b609a97Chris Lattner Diag(Loc, diag::warn_printf_asterisk_width_missing_arg) 569dcd5ef12488e4c7ea844327835896ca86b609a97Chris Lattner << OrigFormatExpr->getSourceRange(); 570580b664e9c2acd3bffddfea79b1ce2863cfd9dd0Ted Kremenek 571fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // Don't do any more checking. We'll just emit spurious errors. 572fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner return; 573580b664e9c2acd3bffddfea79b1ce2863cfd9dd0Ted Kremenek } 574fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner 575fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // Perform type checking on width/precision specifier. 576fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner Expr *E = TheCall->getArg(format_idx+numConversions); 577fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner if (const BuiltinType *BT = E->getType()->getAsBuiltinType()) 578fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner if (BT->getKind() == BuiltinType::Int) 579fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner break; 580fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner 581fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner SourceLocation Loc = 582fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner PP.AdvanceToTokenCharacter(FExpr->getLocStart(), StrIdx+1); 583fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner 584fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner if (Str[StrIdx-1] == '.') 585dcd5ef12488e4c7ea844327835896ca86b609a97Chris Lattner Diag(Loc, diag::warn_printf_asterisk_precision_wrong_type) 586d162584991885ab004a02573a73ce06422b921fcChris Lattner << E->getType() << E->getSourceRange(); 587fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner else 588dcd5ef12488e4c7ea844327835896ca86b609a97Chris Lattner Diag(Loc, diag::warn_printf_asterisk_width_wrong_type) 589d162584991885ab004a02573a73ce06422b921fcChris Lattner << E->getType() << E->getSourceRange(); 590fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner 591fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner break; 592fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner } 593fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner 594fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // Characters which can terminate a format conversion 595fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // (e.g. "%d"). Characters that specify length modifiers or 596fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // other flags are handled by the default case below. 597fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // 598fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // FIXME: additional checks will go into the following cases. 599fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner case 'i': 600fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner case 'd': 601fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner case 'o': 602fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner case 'u': 603fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner case 'x': 604fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner case 'X': 605fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner case 'D': 606fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner case 'O': 607fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner case 'U': 608fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner case 'e': 609fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner case 'E': 610fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner case 'f': 611fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner case 'F': 612fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner case 'g': 613fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner case 'G': 614fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner case 'a': 615fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner case 'A': 616fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner case 'c': 617fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner case 'C': 618fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner case 'S': 619fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner case 's': 620fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner case 'p': 621fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner ++numConversions; 622fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner CurrentState = state_OrdChr; 623fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner break; 62471895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek 625fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // CHECK: Are we using "%n"? Issue a warning. 626fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner case 'n': { 627fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner ++numConversions; 628fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner CurrentState = state_OrdChr; 629fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner SourceLocation Loc = PP.AdvanceToTokenCharacter(FExpr->getLocStart(), 630fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner LastConversionIdx+1); 631fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner 632dcd5ef12488e4c7ea844327835896ca86b609a97Chris Lattner Diag(Loc, diag::warn_printf_write_back)<<OrigFormatExpr->getSourceRange(); 633fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner break; 634fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner } 6357ff22b259d4d4729f701679e3a7f0e242365e07fTed Kremenek 6367ff22b259d4d4729f701679e3a7f0e242365e07fTed Kremenek // Handle "%@" 6377ff22b259d4d4729f701679e3a7f0e242365e07fTed Kremenek case '@': 6387ff22b259d4d4729f701679e3a7f0e242365e07fTed Kremenek // %@ is allowed in ObjC format strings only. 6397ff22b259d4d4729f701679e3a7f0e242365e07fTed Kremenek if(ObjCFExpr != NULL) 6407ff22b259d4d4729f701679e3a7f0e242365e07fTed Kremenek CurrentState = state_OrdChr; 6417ff22b259d4d4729f701679e3a7f0e242365e07fTed Kremenek else { 6427ff22b259d4d4729f701679e3a7f0e242365e07fTed Kremenek // Issue a warning: invalid format conversion. 6437ff22b259d4d4729f701679e3a7f0e242365e07fTed Kremenek SourceLocation Loc = PP.AdvanceToTokenCharacter(FExpr->getLocStart(), 6447ff22b259d4d4729f701679e3a7f0e242365e07fTed Kremenek LastConversionIdx+1); 6457ff22b259d4d4729f701679e3a7f0e242365e07fTed Kremenek 646d3a94e24ddf3fb90de76b17bd176d9ed61e66f2cChris Lattner Diag(Loc, diag::warn_printf_invalid_conversion) 647d3a94e24ddf3fb90de76b17bd176d9ed61e66f2cChris Lattner << std::string(Str+LastConversionIdx, 648d3a94e24ddf3fb90de76b17bd176d9ed61e66f2cChris Lattner Str+std::min(LastConversionIdx+2, StrLen)) 649d3a94e24ddf3fb90de76b17bd176d9ed61e66f2cChris Lattner << OrigFormatExpr->getSourceRange(); 6507ff22b259d4d4729f701679e3a7f0e242365e07fTed Kremenek } 6517ff22b259d4d4729f701679e3a7f0e242365e07fTed Kremenek ++numConversions; 6527ff22b259d4d4729f701679e3a7f0e242365e07fTed Kremenek break; 6537ff22b259d4d4729f701679e3a7f0e242365e07fTed Kremenek 654fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // Handle "%%" 655fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner case '%': 656fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // Sanity check: Was the first "%" character the previous one? 657fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // If not, we will assume that we have a malformed format 658fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // conversion, and that the current "%" character is the start 659fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // of a new conversion. 660fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner if (StrIdx - LastConversionIdx == 1) 661fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner CurrentState = state_OrdChr; 662fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner else { 663fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // Issue a warning: invalid format conversion. 664925e60d3fa706f31886027c876989af79eb0e0d2Chris Lattner SourceLocation Loc = PP.AdvanceToTokenCharacter(FExpr->getLocStart(), 665925e60d3fa706f31886027c876989af79eb0e0d2Chris Lattner LastConversionIdx+1); 666fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner 667d3a94e24ddf3fb90de76b17bd176d9ed61e66f2cChris Lattner Diag(Loc, diag::warn_printf_invalid_conversion) 668d3a94e24ddf3fb90de76b17bd176d9ed61e66f2cChris Lattner << std::string(Str+LastConversionIdx, Str+StrIdx) 669d3a94e24ddf3fb90de76b17bd176d9ed61e66f2cChris Lattner << OrigFormatExpr->getSourceRange(); 670fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner 671fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // This conversion is broken. Advance to the next format 672fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // conversion. 673fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner LastConversionIdx = StrIdx; 674fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner ++numConversions; 67571895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek } 676fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner break; 67771895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek 678fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner default: 679fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // This case catches all other characters: flags, widths, etc. 680fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // We should eventually process those as well. 681fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner break; 68271895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek } 68371895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek } 68471895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek 68571895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek if (CurrentState == state_Conversion) { 68671895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // Issue a warning: invalid format conversion. 687925e60d3fa706f31886027c876989af79eb0e0d2Chris Lattner SourceLocation Loc = PP.AdvanceToTokenCharacter(FExpr->getLocStart(), 688925e60d3fa706f31886027c876989af79eb0e0d2Chris Lattner LastConversionIdx+1); 68971895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek 690d3a94e24ddf3fb90de76b17bd176d9ed61e66f2cChris Lattner Diag(Loc, diag::warn_printf_invalid_conversion) 691d3a94e24ddf3fb90de76b17bd176d9ed61e66f2cChris Lattner << std::string(Str+LastConversionIdx, 692d3a94e24ddf3fb90de76b17bd176d9ed61e66f2cChris Lattner Str+std::min(LastConversionIdx+2, StrLen)) 693d3a94e24ddf3fb90de76b17bd176d9ed61e66f2cChris Lattner << OrigFormatExpr->getSourceRange(); 69471895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek return; 69571895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek } 69671895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek 69771895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek if (!HasVAListArg) { 69871895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // CHECK: Does the number of format conversions exceed the number 69971895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // of data arguments? 70071895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek if (numConversions > numDataArgs) { 701925e60d3fa706f31886027c876989af79eb0e0d2Chris Lattner SourceLocation Loc = PP.AdvanceToTokenCharacter(FExpr->getLocStart(), 702925e60d3fa706f31886027c876989af79eb0e0d2Chris Lattner LastConversionIdx); 70371895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek 704dcd5ef12488e4c7ea844327835896ca86b609a97Chris Lattner Diag(Loc, diag::warn_printf_insufficient_data_args) 705dcd5ef12488e4c7ea844327835896ca86b609a97Chris Lattner << OrigFormatExpr->getSourceRange(); 70671895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek } 70771895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // CHECK: Does the number of data arguments exceed the number of 70871895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek // format conversions in the format string? 70971895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek else if (numConversions < numDataArgs) 710925e60d3fa706f31886027c876989af79eb0e0d2Chris Lattner Diag(TheCall->getArg(format_idx+numConversions+1)->getLocStart(), 711dcd5ef12488e4c7ea844327835896ca86b609a97Chris Lattner diag::warn_printf_too_many_data_args) 712dcd5ef12488e4c7ea844327835896ca86b609a97Chris Lattner << OrigFormatExpr->getSourceRange(); 71371895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek } 71471895b9aa3ad71957359497e136b50fcb6136bdfTed Kremenek} 71506de276fff91264437fa75111ed76de43097e089Ted Kremenek 71606de276fff91264437fa75111ed76de43097e089Ted Kremenek//===--- CHECK: Return Address of Stack Variable --------------------------===// 71706de276fff91264437fa75111ed76de43097e089Ted Kremenek 71806de276fff91264437fa75111ed76de43097e089Ted Kremenekstatic DeclRefExpr* EvalVal(Expr *E); 71906de276fff91264437fa75111ed76de43097e089Ted Kremenekstatic DeclRefExpr* EvalAddr(Expr* E); 72006de276fff91264437fa75111ed76de43097e089Ted Kremenek 72106de276fff91264437fa75111ed76de43097e089Ted Kremenek/// CheckReturnStackAddr - Check if a return statement returns the address 72206de276fff91264437fa75111ed76de43097e089Ted Kremenek/// of a stack variable. 72306de276fff91264437fa75111ed76de43097e089Ted Kremenekvoid 72406de276fff91264437fa75111ed76de43097e089Ted KremenekSema::CheckReturnStackAddr(Expr *RetValExp, QualType lhsType, 72506de276fff91264437fa75111ed76de43097e089Ted Kremenek SourceLocation ReturnLoc) { 72656f349400c5932a196509c0480ff6f99a9a0b48fChris Lattner 72706de276fff91264437fa75111ed76de43097e089Ted Kremenek // Perform checking for returned stack addresses. 728dd972f20dc2bd3609d833893e5c6544ac09b59a9Steve Naroff if (lhsType->isPointerType() || lhsType->isBlockPointerType()) { 72906de276fff91264437fa75111ed76de43097e089Ted Kremenek if (DeclRefExpr *DR = EvalAddr(RetValExp)) 7303c73c41cefcfe76f36b7bed72c9f1ec195490951Chris Lattner Diag(DR->getLocStart(), diag::warn_ret_stack_addr) 73108631c5fa053867146b5ee8be658c229f6bf127cChris Lattner << DR->getDecl()->getDeclName() << RetValExp->getSourceRange(); 732c50a4a5f2eac14ac4c631d50b0a55cadc87700ceSteve Naroff 733c50a4a5f2eac14ac4c631d50b0a55cadc87700ceSteve Naroff // Skip over implicit cast expressions when checking for block expressions. 734c50a4a5f2eac14ac4c631d50b0a55cadc87700ceSteve Naroff if (ImplicitCastExpr *IcExpr = 735c50a4a5f2eac14ac4c631d50b0a55cadc87700ceSteve Naroff dyn_cast_or_null<ImplicitCastExpr>(RetValExp)) 736c50a4a5f2eac14ac4c631d50b0a55cadc87700ceSteve Naroff RetValExp = IcExpr->getSubExpr(); 737c50a4a5f2eac14ac4c631d50b0a55cadc87700ceSteve Naroff 73861f40a2b67fc2046768e14f66b617e564cbcc3d8Steve Naroff if (BlockExpr *C = dyn_cast_or_null<BlockExpr>(RetValExp)) 739dcd5ef12488e4c7ea844327835896ca86b609a97Chris Lattner Diag(C->getLocStart(), diag::err_ret_local_block) 740dcd5ef12488e4c7ea844327835896ca86b609a97Chris Lattner << C->getSourceRange(); 74106de276fff91264437fa75111ed76de43097e089Ted Kremenek } 74206de276fff91264437fa75111ed76de43097e089Ted Kremenek // Perform checking for stack values returned by reference. 74306de276fff91264437fa75111ed76de43097e089Ted Kremenek else if (lhsType->isReferenceType()) { 74449badde06e066d058d6c7fcf4e628a72999b65a9Douglas Gregor // Check for a reference to the stack 74549badde06e066d058d6c7fcf4e628a72999b65a9Douglas Gregor if (DeclRefExpr *DR = EvalVal(RetValExp)) 746dcd5ef12488e4c7ea844327835896ca86b609a97Chris Lattner Diag(DR->getLocStart(), diag::warn_ret_stack_ref) 74708631c5fa053867146b5ee8be658c229f6bf127cChris Lattner << DR->getDecl()->getDeclName() << RetValExp->getSourceRange(); 74806de276fff91264437fa75111ed76de43097e089Ted Kremenek } 74906de276fff91264437fa75111ed76de43097e089Ted Kremenek} 75006de276fff91264437fa75111ed76de43097e089Ted Kremenek 75106de276fff91264437fa75111ed76de43097e089Ted Kremenek/// EvalAddr - EvalAddr and EvalVal are mutually recursive functions that 75206de276fff91264437fa75111ed76de43097e089Ted Kremenek/// check if the expression in a return statement evaluates to an address 75306de276fff91264437fa75111ed76de43097e089Ted Kremenek/// to a location on the stack. The recursion is used to traverse the 75406de276fff91264437fa75111ed76de43097e089Ted Kremenek/// AST of the return expression, with recursion backtracking when we 75506de276fff91264437fa75111ed76de43097e089Ted Kremenek/// encounter a subexpression that (1) clearly does not lead to the address 75606de276fff91264437fa75111ed76de43097e089Ted Kremenek/// of a stack variable or (2) is something we cannot determine leads to 75706de276fff91264437fa75111ed76de43097e089Ted Kremenek/// the address of a stack variable based on such local checking. 75806de276fff91264437fa75111ed76de43097e089Ted Kremenek/// 759e8c600f9fedf2cfd69cdd2cb4bde4a9b39ce2873Ted Kremenek/// EvalAddr processes expressions that are pointers that are used as 760e8c600f9fedf2cfd69cdd2cb4bde4a9b39ce2873Ted Kremenek/// references (and not L-values). EvalVal handles all other values. 76106de276fff91264437fa75111ed76de43097e089Ted Kremenek/// At the base case of the recursion is a check for a DeclRefExpr* in 76206de276fff91264437fa75111ed76de43097e089Ted Kremenek/// the refers to a stack variable. 76306de276fff91264437fa75111ed76de43097e089Ted Kremenek/// 76406de276fff91264437fa75111ed76de43097e089Ted Kremenek/// This implementation handles: 76506de276fff91264437fa75111ed76de43097e089Ted Kremenek/// 76606de276fff91264437fa75111ed76de43097e089Ted Kremenek/// * pointer-to-pointer casts 76706de276fff91264437fa75111ed76de43097e089Ted Kremenek/// * implicit conversions from array references to pointers 76806de276fff91264437fa75111ed76de43097e089Ted Kremenek/// * taking the address of fields 76906de276fff91264437fa75111ed76de43097e089Ted Kremenek/// * arbitrary interplay between "&" and "*" operators 77006de276fff91264437fa75111ed76de43097e089Ted Kremenek/// * pointer arithmetic from an address of a stack variable 77106de276fff91264437fa75111ed76de43097e089Ted Kremenek/// * taking the address of an array element where the array is on the stack 77206de276fff91264437fa75111ed76de43097e089Ted Kremenekstatic DeclRefExpr* EvalAddr(Expr *E) { 77306de276fff91264437fa75111ed76de43097e089Ted Kremenek // We should only be called for evaluating pointer expressions. 774dd972f20dc2bd3609d833893e5c6544ac09b59a9Steve Naroff assert((E->getType()->isPointerType() || 775dd972f20dc2bd3609d833893e5c6544ac09b59a9Steve Naroff E->getType()->isBlockPointerType() || 776a526c5c67e5a0473c340903ee542ce570119665fTed Kremenek E->getType()->isObjCQualifiedIdType()) && 777fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner "EvalAddr only works on pointers"); 77806de276fff91264437fa75111ed76de43097e089Ted Kremenek 77906de276fff91264437fa75111ed76de43097e089Ted Kremenek // Our "symbolic interpreter" is just a dispatch off the currently 78006de276fff91264437fa75111ed76de43097e089Ted Kremenek // viewed AST node. We then recursively traverse the AST by calling 78106de276fff91264437fa75111ed76de43097e089Ted Kremenek // EvalAddr and EvalVal appropriately. 78206de276fff91264437fa75111ed76de43097e089Ted Kremenek switch (E->getStmtClass()) { 783fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner case Stmt::ParenExprClass: 784fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // Ignore parentheses. 785fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner return EvalAddr(cast<ParenExpr>(E)->getSubExpr()); 78606de276fff91264437fa75111ed76de43097e089Ted Kremenek 787fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner case Stmt::UnaryOperatorClass: { 788fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // The only unary operator that make sense to handle here 789fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // is AddrOf. All others don't make sense as pointers. 790fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner UnaryOperator *U = cast<UnaryOperator>(E); 79106de276fff91264437fa75111ed76de43097e089Ted Kremenek 792fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner if (U->getOpcode() == UnaryOperator::AddrOf) 793fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner return EvalVal(U->getSubExpr()); 794fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner else 795fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner return NULL; 796fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner } 797fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner 798fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner case Stmt::BinaryOperatorClass: { 799fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // Handle pointer arithmetic. All other binary operators are not valid 800fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // in this context. 801fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner BinaryOperator *B = cast<BinaryOperator>(E); 802fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner BinaryOperator::Opcode op = B->getOpcode(); 80306de276fff91264437fa75111ed76de43097e089Ted Kremenek 804fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner if (op != BinaryOperator::Add && op != BinaryOperator::Sub) 805fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner return NULL; 80606de276fff91264437fa75111ed76de43097e089Ted Kremenek 807fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner Expr *Base = B->getLHS(); 8083907323dd6665c0c4e383435cb145233f4533406Anders Carlsson 809fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // Determine which argument is the real pointer base. It could be 810fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // the RHS argument instead of the LHS. 811fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner if (!Base->getType()->isPointerType()) Base = B->getRHS(); 81206de276fff91264437fa75111ed76de43097e089Ted Kremenek 813fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner assert (Base->getType()->isPointerType()); 814fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner return EvalAddr(Base); 815fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner } 81661f40a2b67fc2046768e14f66b617e564cbcc3d8Steve Naroff 817fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // For conditional operators we need to see if either the LHS or RHS are 818fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // valid DeclRefExpr*s. If one of them is valid, we return it. 819fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner case Stmt::ConditionalOperatorClass: { 820fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner ConditionalOperator *C = cast<ConditionalOperator>(E); 821fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner 822fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // Handle the GNU extension for missing LHS. 823fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner if (Expr *lhsExpr = C->getLHS()) 824fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner if (DeclRefExpr* LHS = EvalAddr(lhsExpr)) 825fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner return LHS; 82606de276fff91264437fa75111ed76de43097e089Ted Kremenek 827fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner return EvalAddr(C->getRHS()); 828fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner } 829fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner 83054b5274f2c190331438375ad114dad12ae098b57Ted Kremenek // For casts, we need to handle conversions from arrays to 83154b5274f2c190331438375ad114dad12ae098b57Ted Kremenek // pointer values, and pointer-to-pointer conversions. 83249badde06e066d058d6c7fcf4e628a72999b65a9Douglas Gregor case Stmt::ImplicitCastExprClass: 8336eec8e883de118b431e3ead5b1e604a6ac68ff6bDouglas Gregor case Stmt::CStyleCastExprClass: 83449badde06e066d058d6c7fcf4e628a72999b65a9Douglas Gregor case Stmt::CXXFunctionalCastExprClass: { 8350835a3cdeefe714b4959d31127ea155e56393125Argyrios Kyrtzidis Expr* SubExpr = cast<CastExpr>(E)->getSubExpr(); 83654b5274f2c190331438375ad114dad12ae098b57Ted Kremenek QualType T = SubExpr->getType(); 837fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner 838dd972f20dc2bd3609d833893e5c6544ac09b59a9Steve Naroff if (SubExpr->getType()->isPointerType() || 839dd972f20dc2bd3609d833893e5c6544ac09b59a9Steve Naroff SubExpr->getType()->isBlockPointerType() || 840dd972f20dc2bd3609d833893e5c6544ac09b59a9Steve Naroff SubExpr->getType()->isObjCQualifiedIdType()) 841fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner return EvalAddr(SubExpr); 84254b5274f2c190331438375ad114dad12ae098b57Ted Kremenek else if (T->isArrayType()) 84354b5274f2c190331438375ad114dad12ae098b57Ted Kremenek return EvalVal(SubExpr); 844fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner else 84554b5274f2c190331438375ad114dad12ae098b57Ted Kremenek return 0; 846fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner } 847fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner 848fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // C++ casts. For dynamic casts, static casts, and const casts, we 849fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // are always converting from a pointer-to-pointer, so we just blow 85049badde06e066d058d6c7fcf4e628a72999b65a9Douglas Gregor // through the cast. In the case the dynamic cast doesn't fail (and 85149badde06e066d058d6c7fcf4e628a72999b65a9Douglas Gregor // return NULL), we take the conservative route and report cases 852fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // where we return the address of a stack variable. For Reinterpre 85349badde06e066d058d6c7fcf4e628a72999b65a9Douglas Gregor // FIXME: The comment about is wrong; we're not always converting 85449badde06e066d058d6c7fcf4e628a72999b65a9Douglas Gregor // from pointer to pointer. I'm guessing that this code should also 85549badde06e066d058d6c7fcf4e628a72999b65a9Douglas Gregor // handle references to objects. 85649badde06e066d058d6c7fcf4e628a72999b65a9Douglas Gregor case Stmt::CXXStaticCastExprClass: 85749badde06e066d058d6c7fcf4e628a72999b65a9Douglas Gregor case Stmt::CXXDynamicCastExprClass: 85849badde06e066d058d6c7fcf4e628a72999b65a9Douglas Gregor case Stmt::CXXConstCastExprClass: 85949badde06e066d058d6c7fcf4e628a72999b65a9Douglas Gregor case Stmt::CXXReinterpretCastExprClass: { 86049badde06e066d058d6c7fcf4e628a72999b65a9Douglas Gregor Expr *S = cast<CXXNamedCastExpr>(E)->getSubExpr(); 861dd972f20dc2bd3609d833893e5c6544ac09b59a9Steve Naroff if (S->getType()->isPointerType() || S->getType()->isBlockPointerType()) 862fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner return EvalAddr(S); 86306de276fff91264437fa75111ed76de43097e089Ted Kremenek else 86406de276fff91264437fa75111ed76de43097e089Ted Kremenek return NULL; 865fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner } 866fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner 867fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner // Everything else: we simply don't reason about them. 868fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner default: 869fae3f1f6565c74d3238747b58357a6e56fbb0e9cChris Lattner return NULL; 87006de276fff91264437fa75111ed76de43097e089Ted Kremenek } 87106de276fff91264437fa75111ed76de43097e089Ted Kremenek} 87206de276fff91264437fa75111ed76de43097e089Ted Kremenek 87306de276fff91264437fa75111ed76de43097e089Ted Kremenek 87406de276fff91264437fa75111ed76de43097e089Ted Kremenek/// EvalVal - This function is complements EvalAddr in the mutual recursion. 87506de276fff91264437fa75111ed76de43097e089Ted Kremenek/// See the comments for EvalAddr for more details. 87606de276fff91264437fa75111ed76de43097e089Ted Kremenekstatic DeclRefExpr* EvalVal(Expr *E) { 87706de276fff91264437fa75111ed76de43097e089Ted Kremenek 878e8c600f9fedf2cfd69cdd2cb4bde4a9b39ce2873Ted Kremenek // We should only be called for evaluating non-pointer expressions, or 879e8c600f9fedf2cfd69cdd2cb4bde4a9b39ce2873Ted Kremenek // expressions with a pointer type that are not used as references but instead 880e8c600f9fedf2cfd69cdd2cb4bde4a9b39ce2873Ted Kremenek // are l-values (e.g., DeclRefExpr with a pointer type). 881e8c600f9fedf2cfd69cdd2cb4bde4a9b39ce2873Ted Kremenek 88206de276fff91264437fa75111ed76de43097e089Ted Kremenek // Our "symbolic interpreter" is just a dispatch off the currently 88306de276fff91264437fa75111ed76de43097e089Ted Kremenek // viewed AST node. We then recursively traverse the AST by calling 88406de276fff91264437fa75111ed76de43097e089Ted Kremenek // EvalAddr and EvalVal appropriately. 88506de276fff91264437fa75111ed76de43097e089Ted Kremenek switch (E->getStmtClass()) { 88606de276fff91264437fa75111ed76de43097e089Ted Kremenek case Stmt::DeclRefExprClass: { 88706de276fff91264437fa75111ed76de43097e089Ted Kremenek // DeclRefExpr: the base case. When we hit a DeclRefExpr we are looking 88806de276fff91264437fa75111ed76de43097e089Ted Kremenek // at code that refers to a variable's name. We check if it has local 88906de276fff91264437fa75111ed76de43097e089Ted Kremenek // storage within the function, and if so, return the expression. 89006de276fff91264437fa75111ed76de43097e089Ted Kremenek DeclRefExpr *DR = cast<DeclRefExpr>(E); 89106de276fff91264437fa75111ed76de43097e089Ted Kremenek 89206de276fff91264437fa75111ed76de43097e089Ted Kremenek if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) 89327c8dc06f65d7abcf6a7e7f64a7960c9a150ca01Douglas Gregor if(V->hasLocalStorage() && !V->getType()->isReferenceType()) return DR; 89406de276fff91264437fa75111ed76de43097e089Ted Kremenek 89506de276fff91264437fa75111ed76de43097e089Ted Kremenek return NULL; 89606de276fff91264437fa75111ed76de43097e089Ted Kremenek } 89706de276fff91264437fa75111ed76de43097e089Ted Kremenek 89806de276fff91264437fa75111ed76de43097e089Ted Kremenek case Stmt::ParenExprClass: 89906de276fff91264437fa75111ed76de43097e089Ted Kremenek // Ignore parentheses. 90006de276fff91264437fa75111ed76de43097e089Ted Kremenek return EvalVal(cast<ParenExpr>(E)->getSubExpr()); 90106de276fff91264437fa75111ed76de43097e089Ted Kremenek 90206de276fff91264437fa75111ed76de43097e089Ted Kremenek case Stmt::UnaryOperatorClass: { 90306de276fff91264437fa75111ed76de43097e089Ted Kremenek // The only unary operator that make sense to handle here 90406de276fff91264437fa75111ed76de43097e089Ted Kremenek // is Deref. All others don't resolve to a "name." This includes 90506de276fff91264437fa75111ed76de43097e089Ted Kremenek // handling all sorts of rvalues passed to a unary operator. 90606de276fff91264437fa75111ed76de43097e089Ted Kremenek UnaryOperator *U = cast<UnaryOperator>(E); 90706de276fff91264437fa75111ed76de43097e089Ted Kremenek 90806de276fff91264437fa75111ed76de43097e089Ted Kremenek if (U->getOpcode() == UnaryOperator::Deref) 90906de276fff91264437fa75111ed76de43097e089Ted Kremenek return EvalAddr(U->getSubExpr()); 91006de276fff91264437fa75111ed76de43097e089Ted Kremenek 91106de276fff91264437fa75111ed76de43097e089Ted Kremenek return NULL; 91206de276fff91264437fa75111ed76de43097e089Ted Kremenek } 91306de276fff91264437fa75111ed76de43097e089Ted Kremenek 91406de276fff91264437fa75111ed76de43097e089Ted Kremenek case Stmt::ArraySubscriptExprClass: { 91506de276fff91264437fa75111ed76de43097e089Ted Kremenek // Array subscripts are potential references to data on the stack. We 91606de276fff91264437fa75111ed76de43097e089Ted Kremenek // retrieve the DeclRefExpr* for the array variable if it indeed 91706de276fff91264437fa75111ed76de43097e089Ted Kremenek // has local storage. 9182324512285caac0332bbbc6e4cab6245d2a370a1Ted Kremenek return EvalAddr(cast<ArraySubscriptExpr>(E)->getBase()); 91906de276fff91264437fa75111ed76de43097e089Ted Kremenek } 92006de276fff91264437fa75111ed76de43097e089Ted Kremenek 92106de276fff91264437fa75111ed76de43097e089Ted Kremenek case Stmt::ConditionalOperatorClass: { 92206de276fff91264437fa75111ed76de43097e089Ted Kremenek // For conditional operators we need to see if either the LHS or RHS are 92306de276fff91264437fa75111ed76de43097e089Ted Kremenek // non-NULL DeclRefExpr's. If one is non-NULL, we return it. 92406de276fff91264437fa75111ed76de43097e089Ted Kremenek ConditionalOperator *C = cast<ConditionalOperator>(E); 92506de276fff91264437fa75111ed76de43097e089Ted Kremenek 9263907323dd6665c0c4e383435cb145233f4533406Anders Carlsson // Handle the GNU extension for missing LHS. 9273907323dd6665c0c4e383435cb145233f4533406Anders Carlsson if (Expr *lhsExpr = C->getLHS()) 9283907323dd6665c0c4e383435cb145233f4533406Anders Carlsson if (DeclRefExpr *LHS = EvalVal(lhsExpr)) 9293907323dd6665c0c4e383435cb145233f4533406Anders Carlsson return LHS; 9303907323dd6665c0c4e383435cb145233f4533406Anders Carlsson 9313907323dd6665c0c4e383435cb145233f4533406Anders Carlsson return EvalVal(C->getRHS()); 93206de276fff91264437fa75111ed76de43097e089Ted Kremenek } 93306de276fff91264437fa75111ed76de43097e089Ted Kremenek 93406de276fff91264437fa75111ed76de43097e089Ted Kremenek // Accesses to members are potential references to data on the stack. 93506de276fff91264437fa75111ed76de43097e089Ted Kremenek case Stmt::MemberExprClass: { 93606de276fff91264437fa75111ed76de43097e089Ted Kremenek MemberExpr *M = cast<MemberExpr>(E); 93706de276fff91264437fa75111ed76de43097e089Ted Kremenek 93806de276fff91264437fa75111ed76de43097e089Ted Kremenek // Check for indirect access. We only want direct field accesses. 93906de276fff91264437fa75111ed76de43097e089Ted Kremenek if (!M->isArrow()) 94006de276fff91264437fa75111ed76de43097e089Ted Kremenek return EvalVal(M->getBase()); 94106de276fff91264437fa75111ed76de43097e089Ted Kremenek else 94206de276fff91264437fa75111ed76de43097e089Ted Kremenek return NULL; 94306de276fff91264437fa75111ed76de43097e089Ted Kremenek } 94406de276fff91264437fa75111ed76de43097e089Ted Kremenek 94506de276fff91264437fa75111ed76de43097e089Ted Kremenek // Everything else: we simply don't reason about them. 94606de276fff91264437fa75111ed76de43097e089Ted Kremenek default: 94706de276fff91264437fa75111ed76de43097e089Ted Kremenek return NULL; 94806de276fff91264437fa75111ed76de43097e089Ted Kremenek } 94906de276fff91264437fa75111ed76de43097e089Ted Kremenek} 950588e5ebee2db045c3611e0c8f601bc4495ebd0f3Ted Kremenek 951588e5ebee2db045c3611e0c8f601bc4495ebd0f3Ted Kremenek//===--- CHECK: Floating-Point comparisons (-Wfloat-equal) ---------------===// 952588e5ebee2db045c3611e0c8f601bc4495ebd0f3Ted Kremenek 953588e5ebee2db045c3611e0c8f601bc4495ebd0f3Ted Kremenek/// Check for comparisons of floating point operands using != and ==. 954588e5ebee2db045c3611e0c8f601bc4495ebd0f3Ted Kremenek/// Issue a warning if these are no self-comparisons, as they are not likely 955588e5ebee2db045c3611e0c8f601bc4495ebd0f3Ted Kremenek/// to do what the programmer intended. 956588e5ebee2db045c3611e0c8f601bc4495ebd0f3Ted Kremenekvoid Sema::CheckFloatComparison(SourceLocation loc, Expr* lex, Expr *rex) { 957588e5ebee2db045c3611e0c8f601bc4495ebd0f3Ted Kremenek bool EmitWarning = true; 958588e5ebee2db045c3611e0c8f601bc4495ebd0f3Ted Kremenek 9594e99a5fc3b203397a91136c6e695e405fb8fc606Ted Kremenek Expr* LeftExprSansParen = lex->IgnoreParens(); 96032e97b66bbce16c9e81c877794fb7a0aeeb66ccbTed Kremenek Expr* RightExprSansParen = rex->IgnoreParens(); 961588e5ebee2db045c3611e0c8f601bc4495ebd0f3Ted Kremenek 962588e5ebee2db045c3611e0c8f601bc4495ebd0f3Ted Kremenek // Special case: check for x == x (which is OK). 963588e5ebee2db045c3611e0c8f601bc4495ebd0f3Ted Kremenek // Do not emit warnings for such cases. 964588e5ebee2db045c3611e0c8f601bc4495ebd0f3Ted Kremenek if (DeclRefExpr* DRL = dyn_cast<DeclRefExpr>(LeftExprSansParen)) 965588e5ebee2db045c3611e0c8f601bc4495ebd0f3Ted Kremenek if (DeclRefExpr* DRR = dyn_cast<DeclRefExpr>(RightExprSansParen)) 966588e5ebee2db045c3611e0c8f601bc4495ebd0f3Ted Kremenek if (DRL->getDecl() == DRR->getDecl()) 967588e5ebee2db045c3611e0c8f601bc4495ebd0f3Ted Kremenek EmitWarning = false; 968588e5ebee2db045c3611e0c8f601bc4495ebd0f3Ted Kremenek 9691b500bb0d40aa3ebf1ace47340bb5f401a9ae99cTed Kremenek 9701b500bb0d40aa3ebf1ace47340bb5f401a9ae99cTed Kremenek // Special case: check for comparisons against literals that can be exactly 9711b500bb0d40aa3ebf1ace47340bb5f401a9ae99cTed Kremenek // represented by APFloat. In such cases, do not emit a warning. This 9721b500bb0d40aa3ebf1ace47340bb5f401a9ae99cTed Kremenek // is a heuristic: often comparison against such literals are used to 9731b500bb0d40aa3ebf1ace47340bb5f401a9ae99cTed Kremenek // detect if a value in a variable has not changed. This clearly can 9741b500bb0d40aa3ebf1ace47340bb5f401a9ae99cTed Kremenek // lead to false negatives. 9751b500bb0d40aa3ebf1ace47340bb5f401a9ae99cTed Kremenek if (EmitWarning) { 9761b500bb0d40aa3ebf1ace47340bb5f401a9ae99cTed Kremenek if (FloatingLiteral* FLL = dyn_cast<FloatingLiteral>(LeftExprSansParen)) { 9771b500bb0d40aa3ebf1ace47340bb5f401a9ae99cTed Kremenek if (FLL->isExact()) 9781b500bb0d40aa3ebf1ace47340bb5f401a9ae99cTed Kremenek EmitWarning = false; 9791b500bb0d40aa3ebf1ace47340bb5f401a9ae99cTed Kremenek } 9801b500bb0d40aa3ebf1ace47340bb5f401a9ae99cTed Kremenek else 9811b500bb0d40aa3ebf1ace47340bb5f401a9ae99cTed Kremenek if (FloatingLiteral* FLR = dyn_cast<FloatingLiteral>(RightExprSansParen)){ 9821b500bb0d40aa3ebf1ace47340bb5f401a9ae99cTed Kremenek if (FLR->isExact()) 9831b500bb0d40aa3ebf1ace47340bb5f401a9ae99cTed Kremenek EmitWarning = false; 9841b500bb0d40aa3ebf1ace47340bb5f401a9ae99cTed Kremenek } 9851b500bb0d40aa3ebf1ace47340bb5f401a9ae99cTed Kremenek } 9861b500bb0d40aa3ebf1ace47340bb5f401a9ae99cTed Kremenek 987588e5ebee2db045c3611e0c8f601bc4495ebd0f3Ted Kremenek // Check for comparisons with builtin types. 988588e5ebee2db045c3611e0c8f601bc4495ebd0f3Ted Kremenek if (EmitWarning) 989588e5ebee2db045c3611e0c8f601bc4495ebd0f3Ted Kremenek if (CallExpr* CL = dyn_cast<CallExpr>(LeftExprSansParen)) 990588e5ebee2db045c3611e0c8f601bc4495ebd0f3Ted Kremenek if (isCallBuiltin(CL)) 991588e5ebee2db045c3611e0c8f601bc4495ebd0f3Ted Kremenek EmitWarning = false; 992588e5ebee2db045c3611e0c8f601bc4495ebd0f3Ted Kremenek 993588e5ebee2db045c3611e0c8f601bc4495ebd0f3Ted Kremenek if (EmitWarning) 994588e5ebee2db045c3611e0c8f601bc4495ebd0f3Ted Kremenek if (CallExpr* CR = dyn_cast<CallExpr>(RightExprSansParen)) 995588e5ebee2db045c3611e0c8f601bc4495ebd0f3Ted Kremenek if (isCallBuiltin(CR)) 996588e5ebee2db045c3611e0c8f601bc4495ebd0f3Ted Kremenek EmitWarning = false; 997588e5ebee2db045c3611e0c8f601bc4495ebd0f3Ted Kremenek 998588e5ebee2db045c3611e0c8f601bc4495ebd0f3Ted Kremenek // Emit the diagnostic. 999588e5ebee2db045c3611e0c8f601bc4495ebd0f3Ted Kremenek if (EmitWarning) 1000fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner Diag(loc, diag::warn_floatingpoint_eq) 1001fa25bbb351f4fdd977f51254119cdfc2b525ce90Chris Lattner << lex->getSourceRange() << rex->getSourceRange(); 1002588e5ebee2db045c3611e0c8f601bc4495ebd0f3Ted Kremenek} 1003