1//===--- SemaChecking.cpp - Extra Semantic Checking -----------------------===//
2//
3//                     The LLVM Compiler Infrastructure
4//
5// This file is distributed under the University of Illinois Open Source
6// License. See LICENSE.TXT for details.
7//
8//===----------------------------------------------------------------------===//
9//
10//  This file implements extra semantic analysis beyond what is enforced
11//  by the C type system.
12//
13//===----------------------------------------------------------------------===//
14
15#include "clang/Sema/SemaInternal.h"
16#include "clang/AST/ASTContext.h"
17#include "clang/AST/CharUnits.h"
18#include "clang/AST/DeclCXX.h"
19#include "clang/AST/DeclObjC.h"
20#include "clang/AST/EvaluatedExprVisitor.h"
21#include "clang/AST/Expr.h"
22#include "clang/AST/ExprCXX.h"
23#include "clang/AST/ExprObjC.h"
24#include "clang/AST/StmtCXX.h"
25#include "clang/AST/StmtObjC.h"
26#include "clang/Analysis/Analyses/FormatString.h"
27#include "clang/Basic/CharInfo.h"
28#include "clang/Basic/TargetBuiltins.h"
29#include "clang/Basic/TargetInfo.h"
30#include "clang/Lex/Lexer.h" // TODO: Extract static functions to fix layering.
31#include "clang/Sema/Initialization.h"
32#include "clang/Sema/Lookup.h"
33#include "clang/Sema/ScopeInfo.h"
34#include "clang/Sema/Sema.h"
35#include "llvm/ADT/STLExtras.h"
36#include "llvm/ADT/SmallBitVector.h"
37#include "llvm/ADT/SmallString.h"
38#include "llvm/Support/ConvertUTF.h"
39#include "llvm/Support/raw_ostream.h"
40#include <limits>
41using namespace clang;
42using namespace sema;
43
44SourceLocation Sema::getLocationOfStringLiteralByte(const StringLiteral *SL,
45                                                    unsigned ByteNo) const {
46  return SL->getLocationOfByte(ByteNo, getSourceManager(), LangOpts,
47                               Context.getTargetInfo());
48}
49
50/// Checks that a call expression's argument count is the desired number.
51/// This is useful when doing custom type-checking.  Returns true on error.
52static bool checkArgCount(Sema &S, CallExpr *call, unsigned desiredArgCount) {
53  unsigned argCount = call->getNumArgs();
54  if (argCount == desiredArgCount) return false;
55
56  if (argCount < desiredArgCount)
57    return S.Diag(call->getLocEnd(), diag::err_typecheck_call_too_few_args)
58        << 0 /*function call*/ << desiredArgCount << argCount
59        << call->getSourceRange();
60
61  // Highlight all the excess arguments.
62  SourceRange range(call->getArg(desiredArgCount)->getLocStart(),
63                    call->getArg(argCount - 1)->getLocEnd());
64
65  return S.Diag(range.getBegin(), diag::err_typecheck_call_too_many_args)
66    << 0 /*function call*/ << desiredArgCount << argCount
67    << call->getArg(1)->getSourceRange();
68}
69
70/// Check that the first argument to __builtin_annotation is an integer
71/// and the second argument is a non-wide string literal.
72static bool SemaBuiltinAnnotation(Sema &S, CallExpr *TheCall) {
73  if (checkArgCount(S, TheCall, 2))
74    return true;
75
76  // First argument should be an integer.
77  Expr *ValArg = TheCall->getArg(0);
78  QualType Ty = ValArg->getType();
79  if (!Ty->isIntegerType()) {
80    S.Diag(ValArg->getLocStart(), diag::err_builtin_annotation_first_arg)
81      << ValArg->getSourceRange();
82    return true;
83  }
84
85  // Second argument should be a constant string.
86  Expr *StrArg = TheCall->getArg(1)->IgnoreParenCasts();
87  StringLiteral *Literal = dyn_cast<StringLiteral>(StrArg);
88  if (!Literal || !Literal->isAscii()) {
89    S.Diag(StrArg->getLocStart(), diag::err_builtin_annotation_second_arg)
90      << StrArg->getSourceRange();
91    return true;
92  }
93
94  TheCall->setType(Ty);
95  return false;
96}
97
98/// Check that the argument to __builtin_addressof is a glvalue, and set the
99/// result type to the corresponding pointer type.
100static bool SemaBuiltinAddressof(Sema &S, CallExpr *TheCall) {
101  if (checkArgCount(S, TheCall, 1))
102    return true;
103
104  ExprResult Arg(TheCall->getArg(0));
105  QualType ResultType = S.CheckAddressOfOperand(Arg, TheCall->getLocStart());
106  if (ResultType.isNull())
107    return true;
108
109  TheCall->setArg(0, Arg.get());
110  TheCall->setType(ResultType);
111  return false;
112}
113
114ExprResult
115Sema::CheckBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) {
116  ExprResult TheCallResult(TheCall);
117
118  // Find out if any arguments are required to be integer constant expressions.
119  unsigned ICEArguments = 0;
120  ASTContext::GetBuiltinTypeError Error;
121  Context.GetBuiltinType(BuiltinID, Error, &ICEArguments);
122  if (Error != ASTContext::GE_None)
123    ICEArguments = 0;  // Don't diagnose previously diagnosed errors.
124
125  // If any arguments are required to be ICE's, check and diagnose.
126  for (unsigned ArgNo = 0; ICEArguments != 0; ++ArgNo) {
127    // Skip arguments not required to be ICE's.
128    if ((ICEArguments & (1 << ArgNo)) == 0) continue;
129
130    llvm::APSInt Result;
131    if (SemaBuiltinConstantArg(TheCall, ArgNo, Result))
132      return true;
133    ICEArguments &= ~(1 << ArgNo);
134  }
135
136  switch (BuiltinID) {
137  case Builtin::BI__builtin___CFStringMakeConstantString:
138    assert(TheCall->getNumArgs() == 1 &&
139           "Wrong # arguments to builtin CFStringMakeConstantString");
140    if (CheckObjCString(TheCall->getArg(0)))
141      return ExprError();
142    break;
143  case Builtin::BI__builtin_stdarg_start:
144  case Builtin::BI__builtin_va_start:
145  case Builtin::BI__va_start:
146    if (SemaBuiltinVAStart(TheCall))
147      return ExprError();
148    break;
149  case Builtin::BI__builtin_isgreater:
150  case Builtin::BI__builtin_isgreaterequal:
151  case Builtin::BI__builtin_isless:
152  case Builtin::BI__builtin_islessequal:
153  case Builtin::BI__builtin_islessgreater:
154  case Builtin::BI__builtin_isunordered:
155    if (SemaBuiltinUnorderedCompare(TheCall))
156      return ExprError();
157    break;
158  case Builtin::BI__builtin_fpclassify:
159    if (SemaBuiltinFPClassification(TheCall, 6))
160      return ExprError();
161    break;
162  case Builtin::BI__builtin_isfinite:
163  case Builtin::BI__builtin_isinf:
164  case Builtin::BI__builtin_isinf_sign:
165  case Builtin::BI__builtin_isnan:
166  case Builtin::BI__builtin_isnormal:
167    if (SemaBuiltinFPClassification(TheCall, 1))
168      return ExprError();
169    break;
170  case Builtin::BI__builtin_shufflevector:
171    return SemaBuiltinShuffleVector(TheCall);
172    // TheCall will be freed by the smart pointer here, but that's fine, since
173    // SemaBuiltinShuffleVector guts it, but then doesn't release it.
174  case Builtin::BI__builtin_prefetch:
175    if (SemaBuiltinPrefetch(TheCall))
176      return ExprError();
177    break;
178  case Builtin::BI__builtin_object_size:
179    if (SemaBuiltinConstantArgRange(TheCall, 1, 0, 3))
180      return ExprError();
181    break;
182  case Builtin::BI__builtin_longjmp:
183    if (SemaBuiltinLongjmp(TheCall))
184      return ExprError();
185    break;
186
187  case Builtin::BI__builtin_classify_type:
188    if (checkArgCount(*this, TheCall, 1)) return true;
189    TheCall->setType(Context.IntTy);
190    break;
191  case Builtin::BI__builtin_constant_p:
192    if (checkArgCount(*this, TheCall, 1)) return true;
193    TheCall->setType(Context.IntTy);
194    break;
195  case Builtin::BI__sync_fetch_and_add:
196  case Builtin::BI__sync_fetch_and_add_1:
197  case Builtin::BI__sync_fetch_and_add_2:
198  case Builtin::BI__sync_fetch_and_add_4:
199  case Builtin::BI__sync_fetch_and_add_8:
200  case Builtin::BI__sync_fetch_and_add_16:
201  case Builtin::BI__sync_fetch_and_sub:
202  case Builtin::BI__sync_fetch_and_sub_1:
203  case Builtin::BI__sync_fetch_and_sub_2:
204  case Builtin::BI__sync_fetch_and_sub_4:
205  case Builtin::BI__sync_fetch_and_sub_8:
206  case Builtin::BI__sync_fetch_and_sub_16:
207  case Builtin::BI__sync_fetch_and_or:
208  case Builtin::BI__sync_fetch_and_or_1:
209  case Builtin::BI__sync_fetch_and_or_2:
210  case Builtin::BI__sync_fetch_and_or_4:
211  case Builtin::BI__sync_fetch_and_or_8:
212  case Builtin::BI__sync_fetch_and_or_16:
213  case Builtin::BI__sync_fetch_and_and:
214  case Builtin::BI__sync_fetch_and_and_1:
215  case Builtin::BI__sync_fetch_and_and_2:
216  case Builtin::BI__sync_fetch_and_and_4:
217  case Builtin::BI__sync_fetch_and_and_8:
218  case Builtin::BI__sync_fetch_and_and_16:
219  case Builtin::BI__sync_fetch_and_xor:
220  case Builtin::BI__sync_fetch_and_xor_1:
221  case Builtin::BI__sync_fetch_and_xor_2:
222  case Builtin::BI__sync_fetch_and_xor_4:
223  case Builtin::BI__sync_fetch_and_xor_8:
224  case Builtin::BI__sync_fetch_and_xor_16:
225  case Builtin::BI__sync_add_and_fetch:
226  case Builtin::BI__sync_add_and_fetch_1:
227  case Builtin::BI__sync_add_and_fetch_2:
228  case Builtin::BI__sync_add_and_fetch_4:
229  case Builtin::BI__sync_add_and_fetch_8:
230  case Builtin::BI__sync_add_and_fetch_16:
231  case Builtin::BI__sync_sub_and_fetch:
232  case Builtin::BI__sync_sub_and_fetch_1:
233  case Builtin::BI__sync_sub_and_fetch_2:
234  case Builtin::BI__sync_sub_and_fetch_4:
235  case Builtin::BI__sync_sub_and_fetch_8:
236  case Builtin::BI__sync_sub_and_fetch_16:
237  case Builtin::BI__sync_and_and_fetch:
238  case Builtin::BI__sync_and_and_fetch_1:
239  case Builtin::BI__sync_and_and_fetch_2:
240  case Builtin::BI__sync_and_and_fetch_4:
241  case Builtin::BI__sync_and_and_fetch_8:
242  case Builtin::BI__sync_and_and_fetch_16:
243  case Builtin::BI__sync_or_and_fetch:
244  case Builtin::BI__sync_or_and_fetch_1:
245  case Builtin::BI__sync_or_and_fetch_2:
246  case Builtin::BI__sync_or_and_fetch_4:
247  case Builtin::BI__sync_or_and_fetch_8:
248  case Builtin::BI__sync_or_and_fetch_16:
249  case Builtin::BI__sync_xor_and_fetch:
250  case Builtin::BI__sync_xor_and_fetch_1:
251  case Builtin::BI__sync_xor_and_fetch_2:
252  case Builtin::BI__sync_xor_and_fetch_4:
253  case Builtin::BI__sync_xor_and_fetch_8:
254  case Builtin::BI__sync_xor_and_fetch_16:
255  case Builtin::BI__sync_val_compare_and_swap:
256  case Builtin::BI__sync_val_compare_and_swap_1:
257  case Builtin::BI__sync_val_compare_and_swap_2:
258  case Builtin::BI__sync_val_compare_and_swap_4:
259  case Builtin::BI__sync_val_compare_and_swap_8:
260  case Builtin::BI__sync_val_compare_and_swap_16:
261  case Builtin::BI__sync_bool_compare_and_swap:
262  case Builtin::BI__sync_bool_compare_and_swap_1:
263  case Builtin::BI__sync_bool_compare_and_swap_2:
264  case Builtin::BI__sync_bool_compare_and_swap_4:
265  case Builtin::BI__sync_bool_compare_and_swap_8:
266  case Builtin::BI__sync_bool_compare_and_swap_16:
267  case Builtin::BI__sync_lock_test_and_set:
268  case Builtin::BI__sync_lock_test_and_set_1:
269  case Builtin::BI__sync_lock_test_and_set_2:
270  case Builtin::BI__sync_lock_test_and_set_4:
271  case Builtin::BI__sync_lock_test_and_set_8:
272  case Builtin::BI__sync_lock_test_and_set_16:
273  case Builtin::BI__sync_lock_release:
274  case Builtin::BI__sync_lock_release_1:
275  case Builtin::BI__sync_lock_release_2:
276  case Builtin::BI__sync_lock_release_4:
277  case Builtin::BI__sync_lock_release_8:
278  case Builtin::BI__sync_lock_release_16:
279  case Builtin::BI__sync_swap:
280  case Builtin::BI__sync_swap_1:
281  case Builtin::BI__sync_swap_2:
282  case Builtin::BI__sync_swap_4:
283  case Builtin::BI__sync_swap_8:
284  case Builtin::BI__sync_swap_16:
285    return SemaBuiltinAtomicOverloaded(TheCallResult);
286#define BUILTIN(ID, TYPE, ATTRS)
287#define ATOMIC_BUILTIN(ID, TYPE, ATTRS) \
288  case Builtin::BI##ID: \
289    return SemaAtomicOpsOverloaded(TheCallResult, AtomicExpr::AO##ID);
290#include "clang/Basic/Builtins.def"
291  case Builtin::BI__builtin_annotation:
292    if (SemaBuiltinAnnotation(*this, TheCall))
293      return ExprError();
294    break;
295  case Builtin::BI__builtin_addressof:
296    if (SemaBuiltinAddressof(*this, TheCall))
297      return ExprError();
298    break;
299  case Builtin::BI__builtin_operator_new:
300  case Builtin::BI__builtin_operator_delete:
301    if (!getLangOpts().CPlusPlus) {
302      Diag(TheCall->getExprLoc(), diag::err_builtin_requires_language)
303        << (BuiltinID == Builtin::BI__builtin_operator_new
304                ? "__builtin_operator_new"
305                : "__builtin_operator_delete")
306        << "C++";
307      return ExprError();
308    }
309    // CodeGen assumes it can find the global new and delete to call,
310    // so ensure that they are declared.
311    DeclareGlobalNewDelete();
312    break;
313  }
314
315  // Since the target specific builtins for each arch overlap, only check those
316  // of the arch we are compiling for.
317  if (BuiltinID >= Builtin::FirstTSBuiltin) {
318    switch (Context.getTargetInfo().getTriple().getArch()) {
319      case llvm::Triple::arm:
320      case llvm::Triple::armeb:
321      case llvm::Triple::thumb:
322      case llvm::Triple::thumbeb:
323        if (CheckARMBuiltinFunctionCall(BuiltinID, TheCall))
324          return ExprError();
325        break;
326      case llvm::Triple::aarch64:
327      case llvm::Triple::aarch64_be:
328      case llvm::Triple::arm64:
329      case llvm::Triple::arm64_be:
330        if (CheckAArch64BuiltinFunctionCall(BuiltinID, TheCall))
331          return ExprError();
332        break;
333      case llvm::Triple::mips:
334      case llvm::Triple::mipsel:
335      case llvm::Triple::mips64:
336      case llvm::Triple::mips64el:
337        if (CheckMipsBuiltinFunctionCall(BuiltinID, TheCall))
338          return ExprError();
339        break;
340      case llvm::Triple::x86:
341      case llvm::Triple::x86_64:
342        if (CheckX86BuiltinFunctionCall(BuiltinID, TheCall))
343          return ExprError();
344        break;
345      default:
346        break;
347    }
348  }
349
350  return TheCallResult;
351}
352
353// Get the valid immediate range for the specified NEON type code.
354static unsigned RFT(unsigned t, bool shift = false, bool ForceQuad = false) {
355  NeonTypeFlags Type(t);
356  int IsQuad = ForceQuad ? true : Type.isQuad();
357  switch (Type.getEltType()) {
358  case NeonTypeFlags::Int8:
359  case NeonTypeFlags::Poly8:
360    return shift ? 7 : (8 << IsQuad) - 1;
361  case NeonTypeFlags::Int16:
362  case NeonTypeFlags::Poly16:
363    return shift ? 15 : (4 << IsQuad) - 1;
364  case NeonTypeFlags::Int32:
365    return shift ? 31 : (2 << IsQuad) - 1;
366  case NeonTypeFlags::Int64:
367  case NeonTypeFlags::Poly64:
368    return shift ? 63 : (1 << IsQuad) - 1;
369  case NeonTypeFlags::Poly128:
370    return shift ? 127 : (1 << IsQuad) - 1;
371  case NeonTypeFlags::Float16:
372    assert(!shift && "cannot shift float types!");
373    return (4 << IsQuad) - 1;
374  case NeonTypeFlags::Float32:
375    assert(!shift && "cannot shift float types!");
376    return (2 << IsQuad) - 1;
377  case NeonTypeFlags::Float64:
378    assert(!shift && "cannot shift float types!");
379    return (1 << IsQuad) - 1;
380  }
381  llvm_unreachable("Invalid NeonTypeFlag!");
382}
383
384/// getNeonEltType - Return the QualType corresponding to the elements of
385/// the vector type specified by the NeonTypeFlags.  This is used to check
386/// the pointer arguments for Neon load/store intrinsics.
387static QualType getNeonEltType(NeonTypeFlags Flags, ASTContext &Context,
388                               bool IsPolyUnsigned, bool IsInt64Long) {
389  switch (Flags.getEltType()) {
390  case NeonTypeFlags::Int8:
391    return Flags.isUnsigned() ? Context.UnsignedCharTy : Context.SignedCharTy;
392  case NeonTypeFlags::Int16:
393    return Flags.isUnsigned() ? Context.UnsignedShortTy : Context.ShortTy;
394  case NeonTypeFlags::Int32:
395    return Flags.isUnsigned() ? Context.UnsignedIntTy : Context.IntTy;
396  case NeonTypeFlags::Int64:
397    if (IsInt64Long)
398      return Flags.isUnsigned() ? Context.UnsignedLongTy : Context.LongTy;
399    else
400      return Flags.isUnsigned() ? Context.UnsignedLongLongTy
401                                : Context.LongLongTy;
402  case NeonTypeFlags::Poly8:
403    return IsPolyUnsigned ? Context.UnsignedCharTy : Context.SignedCharTy;
404  case NeonTypeFlags::Poly16:
405    return IsPolyUnsigned ? Context.UnsignedShortTy : Context.ShortTy;
406  case NeonTypeFlags::Poly64:
407    return Context.UnsignedLongTy;
408  case NeonTypeFlags::Poly128:
409    break;
410  case NeonTypeFlags::Float16:
411    return Context.HalfTy;
412  case NeonTypeFlags::Float32:
413    return Context.FloatTy;
414  case NeonTypeFlags::Float64:
415    return Context.DoubleTy;
416  }
417  llvm_unreachable("Invalid NeonTypeFlag!");
418}
419
420bool Sema::CheckNeonBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) {
421  llvm::APSInt Result;
422  uint64_t mask = 0;
423  unsigned TV = 0;
424  int PtrArgNum = -1;
425  bool HasConstPtr = false;
426  switch (BuiltinID) {
427#define GET_NEON_OVERLOAD_CHECK
428#include "clang/Basic/arm_neon.inc"
429#undef GET_NEON_OVERLOAD_CHECK
430  }
431
432  // For NEON intrinsics which are overloaded on vector element type, validate
433  // the immediate which specifies which variant to emit.
434  unsigned ImmArg = TheCall->getNumArgs()-1;
435  if (mask) {
436    if (SemaBuiltinConstantArg(TheCall, ImmArg, Result))
437      return true;
438
439    TV = Result.getLimitedValue(64);
440    if ((TV > 63) || (mask & (1ULL << TV)) == 0)
441      return Diag(TheCall->getLocStart(), diag::err_invalid_neon_type_code)
442        << TheCall->getArg(ImmArg)->getSourceRange();
443  }
444
445  if (PtrArgNum >= 0) {
446    // Check that pointer arguments have the specified type.
447    Expr *Arg = TheCall->getArg(PtrArgNum);
448    if (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Arg))
449      Arg = ICE->getSubExpr();
450    ExprResult RHS = DefaultFunctionArrayLvalueConversion(Arg);
451    QualType RHSTy = RHS.get()->getType();
452
453    llvm::Triple::ArchType Arch = Context.getTargetInfo().getTriple().getArch();
454    bool IsPolyUnsigned =
455        Arch == llvm::Triple::aarch64 || Arch == llvm::Triple::arm64;
456    bool IsInt64Long =
457        Context.getTargetInfo().getInt64Type() == TargetInfo::SignedLong;
458    QualType EltTy =
459        getNeonEltType(NeonTypeFlags(TV), Context, IsPolyUnsigned, IsInt64Long);
460    if (HasConstPtr)
461      EltTy = EltTy.withConst();
462    QualType LHSTy = Context.getPointerType(EltTy);
463    AssignConvertType ConvTy;
464    ConvTy = CheckSingleAssignmentConstraints(LHSTy, RHS);
465    if (RHS.isInvalid())
466      return true;
467    if (DiagnoseAssignmentResult(ConvTy, Arg->getLocStart(), LHSTy, RHSTy,
468                                 RHS.get(), AA_Assigning))
469      return true;
470  }
471
472  // For NEON intrinsics which take an immediate value as part of the
473  // instruction, range check them here.
474  unsigned i = 0, l = 0, u = 0;
475  switch (BuiltinID) {
476  default:
477    return false;
478#define GET_NEON_IMMEDIATE_CHECK
479#include "clang/Basic/arm_neon.inc"
480#undef GET_NEON_IMMEDIATE_CHECK
481  }
482
483  return SemaBuiltinConstantArgRange(TheCall, i, l, u + l);
484}
485
486bool Sema::CheckARMBuiltinExclusiveCall(unsigned BuiltinID, CallExpr *TheCall,
487                                        unsigned MaxWidth) {
488  assert((BuiltinID == ARM::BI__builtin_arm_ldrex ||
489          BuiltinID == ARM::BI__builtin_arm_ldaex ||
490          BuiltinID == ARM::BI__builtin_arm_strex ||
491          BuiltinID == ARM::BI__builtin_arm_stlex ||
492          BuiltinID == AArch64::BI__builtin_arm_ldrex ||
493          BuiltinID == AArch64::BI__builtin_arm_ldaex ||
494          BuiltinID == AArch64::BI__builtin_arm_strex ||
495          BuiltinID == AArch64::BI__builtin_arm_stlex) &&
496         "unexpected ARM builtin");
497  bool IsLdrex = BuiltinID == ARM::BI__builtin_arm_ldrex ||
498                 BuiltinID == ARM::BI__builtin_arm_ldaex ||
499                 BuiltinID == AArch64::BI__builtin_arm_ldrex ||
500                 BuiltinID == AArch64::BI__builtin_arm_ldaex;
501
502  DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts());
503
504  // Ensure that we have the proper number of arguments.
505  if (checkArgCount(*this, TheCall, IsLdrex ? 1 : 2))
506    return true;
507
508  // Inspect the pointer argument of the atomic builtin.  This should always be
509  // a pointer type, whose element is an integral scalar or pointer type.
510  // Because it is a pointer type, we don't have to worry about any implicit
511  // casts here.
512  Expr *PointerArg = TheCall->getArg(IsLdrex ? 0 : 1);
513  ExprResult PointerArgRes = DefaultFunctionArrayLvalueConversion(PointerArg);
514  if (PointerArgRes.isInvalid())
515    return true;
516  PointerArg = PointerArgRes.get();
517
518  const PointerType *pointerType = PointerArg->getType()->getAs<PointerType>();
519  if (!pointerType) {
520    Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer)
521      << PointerArg->getType() << PointerArg->getSourceRange();
522    return true;
523  }
524
525  // ldrex takes a "const volatile T*" and strex takes a "volatile T*". Our next
526  // task is to insert the appropriate casts into the AST. First work out just
527  // what the appropriate type is.
528  QualType ValType = pointerType->getPointeeType();
529  QualType AddrType = ValType.getUnqualifiedType().withVolatile();
530  if (IsLdrex)
531    AddrType.addConst();
532
533  // Issue a warning if the cast is dodgy.
534  CastKind CastNeeded = CK_NoOp;
535  if (!AddrType.isAtLeastAsQualifiedAs(ValType)) {
536    CastNeeded = CK_BitCast;
537    Diag(DRE->getLocStart(), diag::ext_typecheck_convert_discards_qualifiers)
538      << PointerArg->getType()
539      << Context.getPointerType(AddrType)
540      << AA_Passing << PointerArg->getSourceRange();
541  }
542
543  // Finally, do the cast and replace the argument with the corrected version.
544  AddrType = Context.getPointerType(AddrType);
545  PointerArgRes = ImpCastExprToType(PointerArg, AddrType, CastNeeded);
546  if (PointerArgRes.isInvalid())
547    return true;
548  PointerArg = PointerArgRes.get();
549
550  TheCall->setArg(IsLdrex ? 0 : 1, PointerArg);
551
552  // In general, we allow ints, floats and pointers to be loaded and stored.
553  if (!ValType->isIntegerType() && !ValType->isAnyPointerType() &&
554      !ValType->isBlockPointerType() && !ValType->isFloatingType()) {
555    Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer_intfltptr)
556      << PointerArg->getType() << PointerArg->getSourceRange();
557    return true;
558  }
559
560  // But ARM doesn't have instructions to deal with 128-bit versions.
561  if (Context.getTypeSize(ValType) > MaxWidth) {
562    assert(MaxWidth == 64 && "Diagnostic unexpectedly inaccurate");
563    Diag(DRE->getLocStart(), diag::err_atomic_exclusive_builtin_pointer_size)
564      << PointerArg->getType() << PointerArg->getSourceRange();
565    return true;
566  }
567
568  switch (ValType.getObjCLifetime()) {
569  case Qualifiers::OCL_None:
570  case Qualifiers::OCL_ExplicitNone:
571    // okay
572    break;
573
574  case Qualifiers::OCL_Weak:
575  case Qualifiers::OCL_Strong:
576  case Qualifiers::OCL_Autoreleasing:
577    Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership)
578      << ValType << PointerArg->getSourceRange();
579    return true;
580  }
581
582
583  if (IsLdrex) {
584    TheCall->setType(ValType);
585    return false;
586  }
587
588  // Initialize the argument to be stored.
589  ExprResult ValArg = TheCall->getArg(0);
590  InitializedEntity Entity = InitializedEntity::InitializeParameter(
591      Context, ValType, /*consume*/ false);
592  ValArg = PerformCopyInitialization(Entity, SourceLocation(), ValArg);
593  if (ValArg.isInvalid())
594    return true;
595  TheCall->setArg(0, ValArg.get());
596
597  // __builtin_arm_strex always returns an int. It's marked as such in the .def,
598  // but the custom checker bypasses all default analysis.
599  TheCall->setType(Context.IntTy);
600  return false;
601}
602
603bool Sema::CheckARMBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) {
604  llvm::APSInt Result;
605
606  if (BuiltinID == ARM::BI__builtin_arm_ldrex ||
607      BuiltinID == ARM::BI__builtin_arm_ldaex ||
608      BuiltinID == ARM::BI__builtin_arm_strex ||
609      BuiltinID == ARM::BI__builtin_arm_stlex) {
610    return CheckARMBuiltinExclusiveCall(BuiltinID, TheCall, 64);
611  }
612
613  if (CheckNeonBuiltinFunctionCall(BuiltinID, TheCall))
614    return true;
615
616  // For intrinsics which take an immediate value as part of the instruction,
617  // range check them here.
618  unsigned i = 0, l = 0, u = 0;
619  switch (BuiltinID) {
620  default: return false;
621  case ARM::BI__builtin_arm_ssat: i = 1; l = 1; u = 31; break;
622  case ARM::BI__builtin_arm_usat: i = 1; u = 31; break;
623  case ARM::BI__builtin_arm_vcvtr_f:
624  case ARM::BI__builtin_arm_vcvtr_d: i = 1; u = 1; break;
625  case ARM::BI__builtin_arm_dmb:
626  case ARM::BI__builtin_arm_dsb:
627  case ARM::BI__builtin_arm_isb: l = 0; u = 15; break;
628  }
629
630  // FIXME: VFP Intrinsics should error if VFP not present.
631  return SemaBuiltinConstantArgRange(TheCall, i, l, u + l);
632}
633
634bool Sema::CheckAArch64BuiltinFunctionCall(unsigned BuiltinID,
635                                         CallExpr *TheCall) {
636  llvm::APSInt Result;
637
638  if (BuiltinID == AArch64::BI__builtin_arm_ldrex ||
639      BuiltinID == AArch64::BI__builtin_arm_ldaex ||
640      BuiltinID == AArch64::BI__builtin_arm_strex ||
641      BuiltinID == AArch64::BI__builtin_arm_stlex) {
642    return CheckARMBuiltinExclusiveCall(BuiltinID, TheCall, 128);
643  }
644
645  if (CheckNeonBuiltinFunctionCall(BuiltinID, TheCall))
646    return true;
647
648  return false;
649}
650
651bool Sema::CheckMipsBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) {
652  unsigned i = 0, l = 0, u = 0;
653  switch (BuiltinID) {
654  default: return false;
655  case Mips::BI__builtin_mips_wrdsp: i = 1; l = 0; u = 63; break;
656  case Mips::BI__builtin_mips_rddsp: i = 0; l = 0; u = 63; break;
657  case Mips::BI__builtin_mips_append: i = 2; l = 0; u = 31; break;
658  case Mips::BI__builtin_mips_balign: i = 2; l = 0; u = 3; break;
659  case Mips::BI__builtin_mips_precr_sra_ph_w: i = 2; l = 0; u = 31; break;
660  case Mips::BI__builtin_mips_precr_sra_r_ph_w: i = 2; l = 0; u = 31; break;
661  case Mips::BI__builtin_mips_prepend: i = 2; l = 0; u = 31; break;
662  }
663
664  return SemaBuiltinConstantArgRange(TheCall, i, l, u);
665}
666
667bool Sema::CheckX86BuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) {
668  switch (BuiltinID) {
669  case X86::BI_mm_prefetch:
670    // This is declared to take (const char*, int)
671    return SemaBuiltinConstantArgRange(TheCall, 1, 0, 3);
672  }
673  return false;
674}
675
676/// Given a FunctionDecl's FormatAttr, attempts to populate the FomatStringInfo
677/// parameter with the FormatAttr's correct format_idx and firstDataArg.
678/// Returns true when the format fits the function and the FormatStringInfo has
679/// been populated.
680bool Sema::getFormatStringInfo(const FormatAttr *Format, bool IsCXXMember,
681                               FormatStringInfo *FSI) {
682  FSI->HasVAListArg = Format->getFirstArg() == 0;
683  FSI->FormatIdx = Format->getFormatIdx() - 1;
684  FSI->FirstDataArg = FSI->HasVAListArg ? 0 : Format->getFirstArg() - 1;
685
686  // The way the format attribute works in GCC, the implicit this argument
687  // of member functions is counted. However, it doesn't appear in our own
688  // lists, so decrement format_idx in that case.
689  if (IsCXXMember) {
690    if(FSI->FormatIdx == 0)
691      return false;
692    --FSI->FormatIdx;
693    if (FSI->FirstDataArg != 0)
694      --FSI->FirstDataArg;
695  }
696  return true;
697}
698
699/// Checks if a the given expression evaluates to null.
700///
701/// \brief Returns true if the value evaluates to null.
702static bool CheckNonNullExpr(Sema &S,
703                             const Expr *Expr) {
704  // As a special case, transparent unions initialized with zero are
705  // considered null for the purposes of the nonnull attribute.
706  if (const RecordType *UT = Expr->getType()->getAsUnionType()) {
707    if (UT->getDecl()->hasAttr<TransparentUnionAttr>())
708      if (const CompoundLiteralExpr *CLE =
709          dyn_cast<CompoundLiteralExpr>(Expr))
710        if (const InitListExpr *ILE =
711            dyn_cast<InitListExpr>(CLE->getInitializer()))
712          Expr = ILE->getInit(0);
713  }
714
715  bool Result;
716  return (!Expr->isValueDependent() &&
717          Expr->EvaluateAsBooleanCondition(Result, S.Context) &&
718          !Result);
719}
720
721static void CheckNonNullArgument(Sema &S,
722                                 const Expr *ArgExpr,
723                                 SourceLocation CallSiteLoc) {
724  if (CheckNonNullExpr(S, ArgExpr))
725    S.Diag(CallSiteLoc, diag::warn_null_arg) << ArgExpr->getSourceRange();
726}
727
728static void CheckNonNullArguments(Sema &S,
729                                  const NamedDecl *FDecl,
730                                  const Expr * const *ExprArgs,
731                                  SourceLocation CallSiteLoc) {
732  // Check the attributes attached to the method/function itself.
733  for (const auto *NonNull : FDecl->specific_attrs<NonNullAttr>()) {
734    for (const auto &Val : NonNull->args())
735      CheckNonNullArgument(S, ExprArgs[Val], CallSiteLoc);
736  }
737
738  // Check the attributes on the parameters.
739  ArrayRef<ParmVarDecl*> parms;
740  if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(FDecl))
741    parms = FD->parameters();
742  else if (const ObjCMethodDecl *MD = dyn_cast<ObjCMethodDecl>(FDecl))
743    parms = MD->parameters();
744
745  unsigned argIndex = 0;
746  for (ArrayRef<ParmVarDecl*>::iterator I = parms.begin(), E = parms.end();
747       I != E; ++I, ++argIndex) {
748    const ParmVarDecl *PVD = *I;
749    if (PVD->hasAttr<NonNullAttr>())
750      CheckNonNullArgument(S, ExprArgs[argIndex], CallSiteLoc);
751  }
752}
753
754/// Handles the checks for format strings, non-POD arguments to vararg
755/// functions, and NULL arguments passed to non-NULL parameters.
756void Sema::checkCall(NamedDecl *FDecl, ArrayRef<const Expr *> Args,
757                     unsigned NumParams, bool IsMemberFunction,
758                     SourceLocation Loc, SourceRange Range,
759                     VariadicCallType CallType) {
760  // FIXME: We should check as much as we can in the template definition.
761  if (CurContext->isDependentContext())
762    return;
763
764  // Printf and scanf checking.
765  llvm::SmallBitVector CheckedVarArgs;
766  if (FDecl) {
767    for (const auto *I : FDecl->specific_attrs<FormatAttr>()) {
768      // Only create vector if there are format attributes.
769      CheckedVarArgs.resize(Args.size());
770
771      CheckFormatArguments(I, Args, IsMemberFunction, CallType, Loc, Range,
772                           CheckedVarArgs);
773    }
774  }
775
776  // Refuse POD arguments that weren't caught by the format string
777  // checks above.
778  if (CallType != VariadicDoesNotApply) {
779    for (unsigned ArgIdx = NumParams; ArgIdx < Args.size(); ++ArgIdx) {
780      // Args[ArgIdx] can be null in malformed code.
781      if (const Expr *Arg = Args[ArgIdx]) {
782        if (CheckedVarArgs.empty() || !CheckedVarArgs[ArgIdx])
783          checkVariadicArgument(Arg, CallType);
784      }
785    }
786  }
787
788  if (FDecl) {
789    CheckNonNullArguments(*this, FDecl, Args.data(), Loc);
790
791    // Type safety checking.
792    for (const auto *I : FDecl->specific_attrs<ArgumentWithTypeTagAttr>())
793      CheckArgumentWithTypeTag(I, Args.data());
794  }
795}
796
797/// CheckConstructorCall - Check a constructor call for correctness and safety
798/// properties not enforced by the C type system.
799void Sema::CheckConstructorCall(FunctionDecl *FDecl,
800                                ArrayRef<const Expr *> Args,
801                                const FunctionProtoType *Proto,
802                                SourceLocation Loc) {
803  VariadicCallType CallType =
804    Proto->isVariadic() ? VariadicConstructor : VariadicDoesNotApply;
805  checkCall(FDecl, Args, Proto->getNumParams(),
806            /*IsMemberFunction=*/true, Loc, SourceRange(), CallType);
807}
808
809/// CheckFunctionCall - Check a direct function call for various correctness
810/// and safety properties not strictly enforced by the C type system.
811bool Sema::CheckFunctionCall(FunctionDecl *FDecl, CallExpr *TheCall,
812                             const FunctionProtoType *Proto) {
813  bool IsMemberOperatorCall = isa<CXXOperatorCallExpr>(TheCall) &&
814                              isa<CXXMethodDecl>(FDecl);
815  bool IsMemberFunction = isa<CXXMemberCallExpr>(TheCall) ||
816                          IsMemberOperatorCall;
817  VariadicCallType CallType = getVariadicCallType(FDecl, Proto,
818                                                  TheCall->getCallee());
819  unsigned NumParams = Proto ? Proto->getNumParams() : 0;
820  Expr** Args = TheCall->getArgs();
821  unsigned NumArgs = TheCall->getNumArgs();
822  if (IsMemberOperatorCall) {
823    // If this is a call to a member operator, hide the first argument
824    // from checkCall.
825    // FIXME: Our choice of AST representation here is less than ideal.
826    ++Args;
827    --NumArgs;
828  }
829  checkCall(FDecl, llvm::makeArrayRef<const Expr *>(Args, NumArgs), NumParams,
830            IsMemberFunction, TheCall->getRParenLoc(),
831            TheCall->getCallee()->getSourceRange(), CallType);
832
833  IdentifierInfo *FnInfo = FDecl->getIdentifier();
834  // None of the checks below are needed for functions that don't have
835  // simple names (e.g., C++ conversion functions).
836  if (!FnInfo)
837    return false;
838
839  CheckAbsoluteValueFunction(TheCall, FDecl, FnInfo);
840
841  unsigned CMId = FDecl->getMemoryFunctionKind();
842  if (CMId == 0)
843    return false;
844
845  // Handle memory setting and copying functions.
846  if (CMId == Builtin::BIstrlcpy || CMId == Builtin::BIstrlcat)
847    CheckStrlcpycatArguments(TheCall, FnInfo);
848  else if (CMId == Builtin::BIstrncat)
849    CheckStrncatArguments(TheCall, FnInfo);
850  else
851    CheckMemaccessArguments(TheCall, CMId, FnInfo);
852
853  return false;
854}
855
856bool Sema::CheckObjCMethodCall(ObjCMethodDecl *Method, SourceLocation lbrac,
857                               ArrayRef<const Expr *> Args) {
858  VariadicCallType CallType =
859      Method->isVariadic() ? VariadicMethod : VariadicDoesNotApply;
860
861  checkCall(Method, Args, Method->param_size(),
862            /*IsMemberFunction=*/false,
863            lbrac, Method->getSourceRange(), CallType);
864
865  return false;
866}
867
868bool Sema::CheckPointerCall(NamedDecl *NDecl, CallExpr *TheCall,
869                            const FunctionProtoType *Proto) {
870  const VarDecl *V = dyn_cast<VarDecl>(NDecl);
871  if (!V)
872    return false;
873
874  QualType Ty = V->getType();
875  if (!Ty->isBlockPointerType() && !Ty->isFunctionPointerType())
876    return false;
877
878  VariadicCallType CallType;
879  if (!Proto || !Proto->isVariadic()) {
880    CallType = VariadicDoesNotApply;
881  } else if (Ty->isBlockPointerType()) {
882    CallType = VariadicBlock;
883  } else { // Ty->isFunctionPointerType()
884    CallType = VariadicFunction;
885  }
886  unsigned NumParams = Proto ? Proto->getNumParams() : 0;
887
888  checkCall(NDecl, llvm::makeArrayRef<const Expr *>(TheCall->getArgs(),
889                                                    TheCall->getNumArgs()),
890            NumParams, /*IsMemberFunction=*/false, TheCall->getRParenLoc(),
891            TheCall->getCallee()->getSourceRange(), CallType);
892
893  return false;
894}
895
896/// Checks function calls when a FunctionDecl or a NamedDecl is not available,
897/// such as function pointers returned from functions.
898bool Sema::CheckOtherCall(CallExpr *TheCall, const FunctionProtoType *Proto) {
899  VariadicCallType CallType = getVariadicCallType(/*FDecl=*/nullptr, Proto,
900                                                  TheCall->getCallee());
901  unsigned NumParams = Proto ? Proto->getNumParams() : 0;
902
903  checkCall(/*FDecl=*/nullptr,
904            llvm::makeArrayRef<const Expr *>(TheCall->getArgs(),
905                                             TheCall->getNumArgs()),
906            NumParams, /*IsMemberFunction=*/false, TheCall->getRParenLoc(),
907            TheCall->getCallee()->getSourceRange(), CallType);
908
909  return false;
910}
911
912static bool isValidOrderingForOp(int64_t Ordering, AtomicExpr::AtomicOp Op) {
913  if (Ordering < AtomicExpr::AO_ABI_memory_order_relaxed ||
914      Ordering > AtomicExpr::AO_ABI_memory_order_seq_cst)
915    return false;
916
917  switch (Op) {
918  case AtomicExpr::AO__c11_atomic_init:
919    llvm_unreachable("There is no ordering argument for an init");
920
921  case AtomicExpr::AO__c11_atomic_load:
922  case AtomicExpr::AO__atomic_load_n:
923  case AtomicExpr::AO__atomic_load:
924    return Ordering != AtomicExpr::AO_ABI_memory_order_release &&
925           Ordering != AtomicExpr::AO_ABI_memory_order_acq_rel;
926
927  case AtomicExpr::AO__c11_atomic_store:
928  case AtomicExpr::AO__atomic_store:
929  case AtomicExpr::AO__atomic_store_n:
930    return Ordering != AtomicExpr::AO_ABI_memory_order_consume &&
931           Ordering != AtomicExpr::AO_ABI_memory_order_acquire &&
932           Ordering != AtomicExpr::AO_ABI_memory_order_acq_rel;
933
934  default:
935    return true;
936  }
937}
938
939ExprResult Sema::SemaAtomicOpsOverloaded(ExprResult TheCallResult,
940                                         AtomicExpr::AtomicOp Op) {
941  CallExpr *TheCall = cast<CallExpr>(TheCallResult.get());
942  DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts());
943
944  // All these operations take one of the following forms:
945  enum {
946    // C    __c11_atomic_init(A *, C)
947    Init,
948    // C    __c11_atomic_load(A *, int)
949    Load,
950    // void __atomic_load(A *, CP, int)
951    Copy,
952    // C    __c11_atomic_add(A *, M, int)
953    Arithmetic,
954    // C    __atomic_exchange_n(A *, CP, int)
955    Xchg,
956    // void __atomic_exchange(A *, C *, CP, int)
957    GNUXchg,
958    // bool __c11_atomic_compare_exchange_strong(A *, C *, CP, int, int)
959    C11CmpXchg,
960    // bool __atomic_compare_exchange(A *, C *, CP, bool, int, int)
961    GNUCmpXchg
962  } Form = Init;
963  const unsigned NumArgs[] = { 2, 2, 3, 3, 3, 4, 5, 6 };
964  const unsigned NumVals[] = { 1, 0, 1, 1, 1, 2, 2, 3 };
965  // where:
966  //   C is an appropriate type,
967  //   A is volatile _Atomic(C) for __c11 builtins and is C for GNU builtins,
968  //   CP is C for __c11 builtins and GNU _n builtins and is C * otherwise,
969  //   M is C if C is an integer, and ptrdiff_t if C is a pointer, and
970  //   the int parameters are for orderings.
971
972  assert(AtomicExpr::AO__c11_atomic_init == 0 &&
973         AtomicExpr::AO__c11_atomic_fetch_xor + 1 == AtomicExpr::AO__atomic_load
974         && "need to update code for modified C11 atomics");
975  bool IsC11 = Op >= AtomicExpr::AO__c11_atomic_init &&
976               Op <= AtomicExpr::AO__c11_atomic_fetch_xor;
977  bool IsN = Op == AtomicExpr::AO__atomic_load_n ||
978             Op == AtomicExpr::AO__atomic_store_n ||
979             Op == AtomicExpr::AO__atomic_exchange_n ||
980             Op == AtomicExpr::AO__atomic_compare_exchange_n;
981  bool IsAddSub = false;
982
983  switch (Op) {
984  case AtomicExpr::AO__c11_atomic_init:
985    Form = Init;
986    break;
987
988  case AtomicExpr::AO__c11_atomic_load:
989  case AtomicExpr::AO__atomic_load_n:
990    Form = Load;
991    break;
992
993  case AtomicExpr::AO__c11_atomic_store:
994  case AtomicExpr::AO__atomic_load:
995  case AtomicExpr::AO__atomic_store:
996  case AtomicExpr::AO__atomic_store_n:
997    Form = Copy;
998    break;
999
1000  case AtomicExpr::AO__c11_atomic_fetch_add:
1001  case AtomicExpr::AO__c11_atomic_fetch_sub:
1002  case AtomicExpr::AO__atomic_fetch_add:
1003  case AtomicExpr::AO__atomic_fetch_sub:
1004  case AtomicExpr::AO__atomic_add_fetch:
1005  case AtomicExpr::AO__atomic_sub_fetch:
1006    IsAddSub = true;
1007    // Fall through.
1008  case AtomicExpr::AO__c11_atomic_fetch_and:
1009  case AtomicExpr::AO__c11_atomic_fetch_or:
1010  case AtomicExpr::AO__c11_atomic_fetch_xor:
1011  case AtomicExpr::AO__atomic_fetch_and:
1012  case AtomicExpr::AO__atomic_fetch_or:
1013  case AtomicExpr::AO__atomic_fetch_xor:
1014  case AtomicExpr::AO__atomic_fetch_nand:
1015  case AtomicExpr::AO__atomic_and_fetch:
1016  case AtomicExpr::AO__atomic_or_fetch:
1017  case AtomicExpr::AO__atomic_xor_fetch:
1018  case AtomicExpr::AO__atomic_nand_fetch:
1019    Form = Arithmetic;
1020    break;
1021
1022  case AtomicExpr::AO__c11_atomic_exchange:
1023  case AtomicExpr::AO__atomic_exchange_n:
1024    Form = Xchg;
1025    break;
1026
1027  case AtomicExpr::AO__atomic_exchange:
1028    Form = GNUXchg;
1029    break;
1030
1031  case AtomicExpr::AO__c11_atomic_compare_exchange_strong:
1032  case AtomicExpr::AO__c11_atomic_compare_exchange_weak:
1033    Form = C11CmpXchg;
1034    break;
1035
1036  case AtomicExpr::AO__atomic_compare_exchange:
1037  case AtomicExpr::AO__atomic_compare_exchange_n:
1038    Form = GNUCmpXchg;
1039    break;
1040  }
1041
1042  // Check we have the right number of arguments.
1043  if (TheCall->getNumArgs() < NumArgs[Form]) {
1044    Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args)
1045      << 0 << NumArgs[Form] << TheCall->getNumArgs()
1046      << TheCall->getCallee()->getSourceRange();
1047    return ExprError();
1048  } else if (TheCall->getNumArgs() > NumArgs[Form]) {
1049    Diag(TheCall->getArg(NumArgs[Form])->getLocStart(),
1050         diag::err_typecheck_call_too_many_args)
1051      << 0 << NumArgs[Form] << TheCall->getNumArgs()
1052      << TheCall->getCallee()->getSourceRange();
1053    return ExprError();
1054  }
1055
1056  // Inspect the first argument of the atomic operation.
1057  Expr *Ptr = TheCall->getArg(0);
1058  Ptr = DefaultFunctionArrayLvalueConversion(Ptr).get();
1059  const PointerType *pointerType = Ptr->getType()->getAs<PointerType>();
1060  if (!pointerType) {
1061    Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer)
1062      << Ptr->getType() << Ptr->getSourceRange();
1063    return ExprError();
1064  }
1065
1066  // For a __c11 builtin, this should be a pointer to an _Atomic type.
1067  QualType AtomTy = pointerType->getPointeeType(); // 'A'
1068  QualType ValType = AtomTy; // 'C'
1069  if (IsC11) {
1070    if (!AtomTy->isAtomicType()) {
1071      Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic)
1072        << Ptr->getType() << Ptr->getSourceRange();
1073      return ExprError();
1074    }
1075    if (AtomTy.isConstQualified()) {
1076      Diag(DRE->getLocStart(), diag::err_atomic_op_needs_non_const_atomic)
1077        << Ptr->getType() << Ptr->getSourceRange();
1078      return ExprError();
1079    }
1080    ValType = AtomTy->getAs<AtomicType>()->getValueType();
1081  }
1082
1083  // For an arithmetic operation, the implied arithmetic must be well-formed.
1084  if (Form == Arithmetic) {
1085    // gcc does not enforce these rules for GNU atomics, but we do so for sanity.
1086    if (IsAddSub && !ValType->isIntegerType() && !ValType->isPointerType()) {
1087      Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic_int_or_ptr)
1088        << IsC11 << Ptr->getType() << Ptr->getSourceRange();
1089      return ExprError();
1090    }
1091    if (!IsAddSub && !ValType->isIntegerType()) {
1092      Diag(DRE->getLocStart(), diag::err_atomic_op_bitwise_needs_atomic_int)
1093        << IsC11 << Ptr->getType() << Ptr->getSourceRange();
1094      return ExprError();
1095    }
1096  } else if (IsN && !ValType->isIntegerType() && !ValType->isPointerType()) {
1097    // For __atomic_*_n operations, the value type must be a scalar integral or
1098    // pointer type which is 1, 2, 4, 8 or 16 bytes in length.
1099    Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic_int_or_ptr)
1100      << IsC11 << Ptr->getType() << Ptr->getSourceRange();
1101    return ExprError();
1102  }
1103
1104  if (!IsC11 && !AtomTy.isTriviallyCopyableType(Context) &&
1105      !AtomTy->isScalarType()) {
1106    // For GNU atomics, require a trivially-copyable type. This is not part of
1107    // the GNU atomics specification, but we enforce it for sanity.
1108    Diag(DRE->getLocStart(), diag::err_atomic_op_needs_trivial_copy)
1109      << Ptr->getType() << Ptr->getSourceRange();
1110    return ExprError();
1111  }
1112
1113  // FIXME: For any builtin other than a load, the ValType must not be
1114  // const-qualified.
1115
1116  switch (ValType.getObjCLifetime()) {
1117  case Qualifiers::OCL_None:
1118  case Qualifiers::OCL_ExplicitNone:
1119    // okay
1120    break;
1121
1122  case Qualifiers::OCL_Weak:
1123  case Qualifiers::OCL_Strong:
1124  case Qualifiers::OCL_Autoreleasing:
1125    // FIXME: Can this happen? By this point, ValType should be known
1126    // to be trivially copyable.
1127    Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership)
1128      << ValType << Ptr->getSourceRange();
1129    return ExprError();
1130  }
1131
1132  QualType ResultType = ValType;
1133  if (Form == Copy || Form == GNUXchg || Form == Init)
1134    ResultType = Context.VoidTy;
1135  else if (Form == C11CmpXchg || Form == GNUCmpXchg)
1136    ResultType = Context.BoolTy;
1137
1138  // The type of a parameter passed 'by value'. In the GNU atomics, such
1139  // arguments are actually passed as pointers.
1140  QualType ByValType = ValType; // 'CP'
1141  if (!IsC11 && !IsN)
1142    ByValType = Ptr->getType();
1143
1144  // The first argument --- the pointer --- has a fixed type; we
1145  // deduce the types of the rest of the arguments accordingly.  Walk
1146  // the remaining arguments, converting them to the deduced value type.
1147  for (unsigned i = 1; i != NumArgs[Form]; ++i) {
1148    QualType Ty;
1149    if (i < NumVals[Form] + 1) {
1150      switch (i) {
1151      case 1:
1152        // The second argument is the non-atomic operand. For arithmetic, this
1153        // is always passed by value, and for a compare_exchange it is always
1154        // passed by address. For the rest, GNU uses by-address and C11 uses
1155        // by-value.
1156        assert(Form != Load);
1157        if (Form == Init || (Form == Arithmetic && ValType->isIntegerType()))
1158          Ty = ValType;
1159        else if (Form == Copy || Form == Xchg)
1160          Ty = ByValType;
1161        else if (Form == Arithmetic)
1162          Ty = Context.getPointerDiffType();
1163        else
1164          Ty = Context.getPointerType(ValType.getUnqualifiedType());
1165        break;
1166      case 2:
1167        // The third argument to compare_exchange / GNU exchange is a
1168        // (pointer to a) desired value.
1169        Ty = ByValType;
1170        break;
1171      case 3:
1172        // The fourth argument to GNU compare_exchange is a 'weak' flag.
1173        Ty = Context.BoolTy;
1174        break;
1175      }
1176    } else {
1177      // The order(s) are always converted to int.
1178      Ty = Context.IntTy;
1179    }
1180
1181    InitializedEntity Entity =
1182        InitializedEntity::InitializeParameter(Context, Ty, false);
1183    ExprResult Arg = TheCall->getArg(i);
1184    Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg);
1185    if (Arg.isInvalid())
1186      return true;
1187    TheCall->setArg(i, Arg.get());
1188  }
1189
1190  // Permute the arguments into a 'consistent' order.
1191  SmallVector<Expr*, 5> SubExprs;
1192  SubExprs.push_back(Ptr);
1193  switch (Form) {
1194  case Init:
1195    // Note, AtomicExpr::getVal1() has a special case for this atomic.
1196    SubExprs.push_back(TheCall->getArg(1)); // Val1
1197    break;
1198  case Load:
1199    SubExprs.push_back(TheCall->getArg(1)); // Order
1200    break;
1201  case Copy:
1202  case Arithmetic:
1203  case Xchg:
1204    SubExprs.push_back(TheCall->getArg(2)); // Order
1205    SubExprs.push_back(TheCall->getArg(1)); // Val1
1206    break;
1207  case GNUXchg:
1208    // Note, AtomicExpr::getVal2() has a special case for this atomic.
1209    SubExprs.push_back(TheCall->getArg(3)); // Order
1210    SubExprs.push_back(TheCall->getArg(1)); // Val1
1211    SubExprs.push_back(TheCall->getArg(2)); // Val2
1212    break;
1213  case C11CmpXchg:
1214    SubExprs.push_back(TheCall->getArg(3)); // Order
1215    SubExprs.push_back(TheCall->getArg(1)); // Val1
1216    SubExprs.push_back(TheCall->getArg(4)); // OrderFail
1217    SubExprs.push_back(TheCall->getArg(2)); // Val2
1218    break;
1219  case GNUCmpXchg:
1220    SubExprs.push_back(TheCall->getArg(4)); // Order
1221    SubExprs.push_back(TheCall->getArg(1)); // Val1
1222    SubExprs.push_back(TheCall->getArg(5)); // OrderFail
1223    SubExprs.push_back(TheCall->getArg(2)); // Val2
1224    SubExprs.push_back(TheCall->getArg(3)); // Weak
1225    break;
1226  }
1227
1228  if (SubExprs.size() >= 2 && Form != Init) {
1229    llvm::APSInt Result(32);
1230    if (SubExprs[1]->isIntegerConstantExpr(Result, Context) &&
1231        !isValidOrderingForOp(Result.getSExtValue(), Op))
1232      Diag(SubExprs[1]->getLocStart(),
1233           diag::warn_atomic_op_has_invalid_memory_order)
1234          << SubExprs[1]->getSourceRange();
1235  }
1236
1237  AtomicExpr *AE = new (Context) AtomicExpr(TheCall->getCallee()->getLocStart(),
1238                                            SubExprs, ResultType, Op,
1239                                            TheCall->getRParenLoc());
1240
1241  if ((Op == AtomicExpr::AO__c11_atomic_load ||
1242       (Op == AtomicExpr::AO__c11_atomic_store)) &&
1243      Context.AtomicUsesUnsupportedLibcall(AE))
1244    Diag(AE->getLocStart(), diag::err_atomic_load_store_uses_lib) <<
1245    ((Op == AtomicExpr::AO__c11_atomic_load) ? 0 : 1);
1246
1247  return AE;
1248}
1249
1250
1251/// checkBuiltinArgument - Given a call to a builtin function, perform
1252/// normal type-checking on the given argument, updating the call in
1253/// place.  This is useful when a builtin function requires custom
1254/// type-checking for some of its arguments but not necessarily all of
1255/// them.
1256///
1257/// Returns true on error.
1258static bool checkBuiltinArgument(Sema &S, CallExpr *E, unsigned ArgIndex) {
1259  FunctionDecl *Fn = E->getDirectCallee();
1260  assert(Fn && "builtin call without direct callee!");
1261
1262  ParmVarDecl *Param = Fn->getParamDecl(ArgIndex);
1263  InitializedEntity Entity =
1264    InitializedEntity::InitializeParameter(S.Context, Param);
1265
1266  ExprResult Arg = E->getArg(0);
1267  Arg = S.PerformCopyInitialization(Entity, SourceLocation(), Arg);
1268  if (Arg.isInvalid())
1269    return true;
1270
1271  E->setArg(ArgIndex, Arg.get());
1272  return false;
1273}
1274
1275/// SemaBuiltinAtomicOverloaded - We have a call to a function like
1276/// __sync_fetch_and_add, which is an overloaded function based on the pointer
1277/// type of its first argument.  The main ActOnCallExpr routines have already
1278/// promoted the types of arguments because all of these calls are prototyped as
1279/// void(...).
1280///
1281/// This function goes through and does final semantic checking for these
1282/// builtins,
1283ExprResult
1284Sema::SemaBuiltinAtomicOverloaded(ExprResult TheCallResult) {
1285  CallExpr *TheCall = (CallExpr *)TheCallResult.get();
1286  DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts());
1287  FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl());
1288
1289  // Ensure that we have at least one argument to do type inference from.
1290  if (TheCall->getNumArgs() < 1) {
1291    Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least)
1292      << 0 << 1 << TheCall->getNumArgs()
1293      << TheCall->getCallee()->getSourceRange();
1294    return ExprError();
1295  }
1296
1297  // Inspect the first argument of the atomic builtin.  This should always be
1298  // a pointer type, whose element is an integral scalar or pointer type.
1299  // Because it is a pointer type, we don't have to worry about any implicit
1300  // casts here.
1301  // FIXME: We don't allow floating point scalars as input.
1302  Expr *FirstArg = TheCall->getArg(0);
1303  ExprResult FirstArgResult = DefaultFunctionArrayLvalueConversion(FirstArg);
1304  if (FirstArgResult.isInvalid())
1305    return ExprError();
1306  FirstArg = FirstArgResult.get();
1307  TheCall->setArg(0, FirstArg);
1308
1309  const PointerType *pointerType = FirstArg->getType()->getAs<PointerType>();
1310  if (!pointerType) {
1311    Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer)
1312      << FirstArg->getType() << FirstArg->getSourceRange();
1313    return ExprError();
1314  }
1315
1316  QualType ValType = pointerType->getPointeeType();
1317  if (!ValType->isIntegerType() && !ValType->isAnyPointerType() &&
1318      !ValType->isBlockPointerType()) {
1319    Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer_intptr)
1320      << FirstArg->getType() << FirstArg->getSourceRange();
1321    return ExprError();
1322  }
1323
1324  switch (ValType.getObjCLifetime()) {
1325  case Qualifiers::OCL_None:
1326  case Qualifiers::OCL_ExplicitNone:
1327    // okay
1328    break;
1329
1330  case Qualifiers::OCL_Weak:
1331  case Qualifiers::OCL_Strong:
1332  case Qualifiers::OCL_Autoreleasing:
1333    Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership)
1334      << ValType << FirstArg->getSourceRange();
1335    return ExprError();
1336  }
1337
1338  // Strip any qualifiers off ValType.
1339  ValType = ValType.getUnqualifiedType();
1340
1341  // The majority of builtins return a value, but a few have special return
1342  // types, so allow them to override appropriately below.
1343  QualType ResultType = ValType;
1344
1345  // We need to figure out which concrete builtin this maps onto.  For example,
1346  // __sync_fetch_and_add with a 2 byte object turns into
1347  // __sync_fetch_and_add_2.
1348#define BUILTIN_ROW(x) \
1349  { Builtin::BI##x##_1, Builtin::BI##x##_2, Builtin::BI##x##_4, \
1350    Builtin::BI##x##_8, Builtin::BI##x##_16 }
1351
1352  static const unsigned BuiltinIndices[][5] = {
1353    BUILTIN_ROW(__sync_fetch_and_add),
1354    BUILTIN_ROW(__sync_fetch_and_sub),
1355    BUILTIN_ROW(__sync_fetch_and_or),
1356    BUILTIN_ROW(__sync_fetch_and_and),
1357    BUILTIN_ROW(__sync_fetch_and_xor),
1358
1359    BUILTIN_ROW(__sync_add_and_fetch),
1360    BUILTIN_ROW(__sync_sub_and_fetch),
1361    BUILTIN_ROW(__sync_and_and_fetch),
1362    BUILTIN_ROW(__sync_or_and_fetch),
1363    BUILTIN_ROW(__sync_xor_and_fetch),
1364
1365    BUILTIN_ROW(__sync_val_compare_and_swap),
1366    BUILTIN_ROW(__sync_bool_compare_and_swap),
1367    BUILTIN_ROW(__sync_lock_test_and_set),
1368    BUILTIN_ROW(__sync_lock_release),
1369    BUILTIN_ROW(__sync_swap)
1370  };
1371#undef BUILTIN_ROW
1372
1373  // Determine the index of the size.
1374  unsigned SizeIndex;
1375  switch (Context.getTypeSizeInChars(ValType).getQuantity()) {
1376  case 1: SizeIndex = 0; break;
1377  case 2: SizeIndex = 1; break;
1378  case 4: SizeIndex = 2; break;
1379  case 8: SizeIndex = 3; break;
1380  case 16: SizeIndex = 4; break;
1381  default:
1382    Diag(DRE->getLocStart(), diag::err_atomic_builtin_pointer_size)
1383      << FirstArg->getType() << FirstArg->getSourceRange();
1384    return ExprError();
1385  }
1386
1387  // Each of these builtins has one pointer argument, followed by some number of
1388  // values (0, 1 or 2) followed by a potentially empty varags list of stuff
1389  // that we ignore.  Find out which row of BuiltinIndices to read from as well
1390  // as the number of fixed args.
1391  unsigned BuiltinID = FDecl->getBuiltinID();
1392  unsigned BuiltinIndex, NumFixed = 1;
1393  switch (BuiltinID) {
1394  default: llvm_unreachable("Unknown overloaded atomic builtin!");
1395  case Builtin::BI__sync_fetch_and_add:
1396  case Builtin::BI__sync_fetch_and_add_1:
1397  case Builtin::BI__sync_fetch_and_add_2:
1398  case Builtin::BI__sync_fetch_and_add_4:
1399  case Builtin::BI__sync_fetch_and_add_8:
1400  case Builtin::BI__sync_fetch_and_add_16:
1401    BuiltinIndex = 0;
1402    break;
1403
1404  case Builtin::BI__sync_fetch_and_sub:
1405  case Builtin::BI__sync_fetch_and_sub_1:
1406  case Builtin::BI__sync_fetch_and_sub_2:
1407  case Builtin::BI__sync_fetch_and_sub_4:
1408  case Builtin::BI__sync_fetch_and_sub_8:
1409  case Builtin::BI__sync_fetch_and_sub_16:
1410    BuiltinIndex = 1;
1411    break;
1412
1413  case Builtin::BI__sync_fetch_and_or:
1414  case Builtin::BI__sync_fetch_and_or_1:
1415  case Builtin::BI__sync_fetch_and_or_2:
1416  case Builtin::BI__sync_fetch_and_or_4:
1417  case Builtin::BI__sync_fetch_and_or_8:
1418  case Builtin::BI__sync_fetch_and_or_16:
1419    BuiltinIndex = 2;
1420    break;
1421
1422  case Builtin::BI__sync_fetch_and_and:
1423  case Builtin::BI__sync_fetch_and_and_1:
1424  case Builtin::BI__sync_fetch_and_and_2:
1425  case Builtin::BI__sync_fetch_and_and_4:
1426  case Builtin::BI__sync_fetch_and_and_8:
1427  case Builtin::BI__sync_fetch_and_and_16:
1428    BuiltinIndex = 3;
1429    break;
1430
1431  case Builtin::BI__sync_fetch_and_xor:
1432  case Builtin::BI__sync_fetch_and_xor_1:
1433  case Builtin::BI__sync_fetch_and_xor_2:
1434  case Builtin::BI__sync_fetch_and_xor_4:
1435  case Builtin::BI__sync_fetch_and_xor_8:
1436  case Builtin::BI__sync_fetch_and_xor_16:
1437    BuiltinIndex = 4;
1438    break;
1439
1440  case Builtin::BI__sync_add_and_fetch:
1441  case Builtin::BI__sync_add_and_fetch_1:
1442  case Builtin::BI__sync_add_and_fetch_2:
1443  case Builtin::BI__sync_add_and_fetch_4:
1444  case Builtin::BI__sync_add_and_fetch_8:
1445  case Builtin::BI__sync_add_and_fetch_16:
1446    BuiltinIndex = 5;
1447    break;
1448
1449  case Builtin::BI__sync_sub_and_fetch:
1450  case Builtin::BI__sync_sub_and_fetch_1:
1451  case Builtin::BI__sync_sub_and_fetch_2:
1452  case Builtin::BI__sync_sub_and_fetch_4:
1453  case Builtin::BI__sync_sub_and_fetch_8:
1454  case Builtin::BI__sync_sub_and_fetch_16:
1455    BuiltinIndex = 6;
1456    break;
1457
1458  case Builtin::BI__sync_and_and_fetch:
1459  case Builtin::BI__sync_and_and_fetch_1:
1460  case Builtin::BI__sync_and_and_fetch_2:
1461  case Builtin::BI__sync_and_and_fetch_4:
1462  case Builtin::BI__sync_and_and_fetch_8:
1463  case Builtin::BI__sync_and_and_fetch_16:
1464    BuiltinIndex = 7;
1465    break;
1466
1467  case Builtin::BI__sync_or_and_fetch:
1468  case Builtin::BI__sync_or_and_fetch_1:
1469  case Builtin::BI__sync_or_and_fetch_2:
1470  case Builtin::BI__sync_or_and_fetch_4:
1471  case Builtin::BI__sync_or_and_fetch_8:
1472  case Builtin::BI__sync_or_and_fetch_16:
1473    BuiltinIndex = 8;
1474    break;
1475
1476  case Builtin::BI__sync_xor_and_fetch:
1477  case Builtin::BI__sync_xor_and_fetch_1:
1478  case Builtin::BI__sync_xor_and_fetch_2:
1479  case Builtin::BI__sync_xor_and_fetch_4:
1480  case Builtin::BI__sync_xor_and_fetch_8:
1481  case Builtin::BI__sync_xor_and_fetch_16:
1482    BuiltinIndex = 9;
1483    break;
1484
1485  case Builtin::BI__sync_val_compare_and_swap:
1486  case Builtin::BI__sync_val_compare_and_swap_1:
1487  case Builtin::BI__sync_val_compare_and_swap_2:
1488  case Builtin::BI__sync_val_compare_and_swap_4:
1489  case Builtin::BI__sync_val_compare_and_swap_8:
1490  case Builtin::BI__sync_val_compare_and_swap_16:
1491    BuiltinIndex = 10;
1492    NumFixed = 2;
1493    break;
1494
1495  case Builtin::BI__sync_bool_compare_and_swap:
1496  case Builtin::BI__sync_bool_compare_and_swap_1:
1497  case Builtin::BI__sync_bool_compare_and_swap_2:
1498  case Builtin::BI__sync_bool_compare_and_swap_4:
1499  case Builtin::BI__sync_bool_compare_and_swap_8:
1500  case Builtin::BI__sync_bool_compare_and_swap_16:
1501    BuiltinIndex = 11;
1502    NumFixed = 2;
1503    ResultType = Context.BoolTy;
1504    break;
1505
1506  case Builtin::BI__sync_lock_test_and_set:
1507  case Builtin::BI__sync_lock_test_and_set_1:
1508  case Builtin::BI__sync_lock_test_and_set_2:
1509  case Builtin::BI__sync_lock_test_and_set_4:
1510  case Builtin::BI__sync_lock_test_and_set_8:
1511  case Builtin::BI__sync_lock_test_and_set_16:
1512    BuiltinIndex = 12;
1513    break;
1514
1515  case Builtin::BI__sync_lock_release:
1516  case Builtin::BI__sync_lock_release_1:
1517  case Builtin::BI__sync_lock_release_2:
1518  case Builtin::BI__sync_lock_release_4:
1519  case Builtin::BI__sync_lock_release_8:
1520  case Builtin::BI__sync_lock_release_16:
1521    BuiltinIndex = 13;
1522    NumFixed = 0;
1523    ResultType = Context.VoidTy;
1524    break;
1525
1526  case Builtin::BI__sync_swap:
1527  case Builtin::BI__sync_swap_1:
1528  case Builtin::BI__sync_swap_2:
1529  case Builtin::BI__sync_swap_4:
1530  case Builtin::BI__sync_swap_8:
1531  case Builtin::BI__sync_swap_16:
1532    BuiltinIndex = 14;
1533    break;
1534  }
1535
1536  // Now that we know how many fixed arguments we expect, first check that we
1537  // have at least that many.
1538  if (TheCall->getNumArgs() < 1+NumFixed) {
1539    Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least)
1540      << 0 << 1+NumFixed << TheCall->getNumArgs()
1541      << TheCall->getCallee()->getSourceRange();
1542    return ExprError();
1543  }
1544
1545  // Get the decl for the concrete builtin from this, we can tell what the
1546  // concrete integer type we should convert to is.
1547  unsigned NewBuiltinID = BuiltinIndices[BuiltinIndex][SizeIndex];
1548  const char *NewBuiltinName = Context.BuiltinInfo.GetName(NewBuiltinID);
1549  FunctionDecl *NewBuiltinDecl;
1550  if (NewBuiltinID == BuiltinID)
1551    NewBuiltinDecl = FDecl;
1552  else {
1553    // Perform builtin lookup to avoid redeclaring it.
1554    DeclarationName DN(&Context.Idents.get(NewBuiltinName));
1555    LookupResult Res(*this, DN, DRE->getLocStart(), LookupOrdinaryName);
1556    LookupName(Res, TUScope, /*AllowBuiltinCreation=*/true);
1557    assert(Res.getFoundDecl());
1558    NewBuiltinDecl = dyn_cast<FunctionDecl>(Res.getFoundDecl());
1559    if (!NewBuiltinDecl)
1560      return ExprError();
1561  }
1562
1563  // The first argument --- the pointer --- has a fixed type; we
1564  // deduce the types of the rest of the arguments accordingly.  Walk
1565  // the remaining arguments, converting them to the deduced value type.
1566  for (unsigned i = 0; i != NumFixed; ++i) {
1567    ExprResult Arg = TheCall->getArg(i+1);
1568
1569    // GCC does an implicit conversion to the pointer or integer ValType.  This
1570    // can fail in some cases (1i -> int**), check for this error case now.
1571    // Initialize the argument.
1572    InitializedEntity Entity = InitializedEntity::InitializeParameter(Context,
1573                                                   ValType, /*consume*/ false);
1574    Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg);
1575    if (Arg.isInvalid())
1576      return ExprError();
1577
1578    // Okay, we have something that *can* be converted to the right type.  Check
1579    // to see if there is a potentially weird extension going on here.  This can
1580    // happen when you do an atomic operation on something like an char* and
1581    // pass in 42.  The 42 gets converted to char.  This is even more strange
1582    // for things like 45.123 -> char, etc.
1583    // FIXME: Do this check.
1584    TheCall->setArg(i+1, Arg.get());
1585  }
1586
1587  ASTContext& Context = this->getASTContext();
1588
1589  // Create a new DeclRefExpr to refer to the new decl.
1590  DeclRefExpr* NewDRE = DeclRefExpr::Create(
1591      Context,
1592      DRE->getQualifierLoc(),
1593      SourceLocation(),
1594      NewBuiltinDecl,
1595      /*enclosing*/ false,
1596      DRE->getLocation(),
1597      Context.BuiltinFnTy,
1598      DRE->getValueKind());
1599
1600  // Set the callee in the CallExpr.
1601  // FIXME: This loses syntactic information.
1602  QualType CalleePtrTy = Context.getPointerType(NewBuiltinDecl->getType());
1603  ExprResult PromotedCall = ImpCastExprToType(NewDRE, CalleePtrTy,
1604                                              CK_BuiltinFnToFnPtr);
1605  TheCall->setCallee(PromotedCall.get());
1606
1607  // Change the result type of the call to match the original value type. This
1608  // is arbitrary, but the codegen for these builtins ins design to handle it
1609  // gracefully.
1610  TheCall->setType(ResultType);
1611
1612  return TheCallResult;
1613}
1614
1615/// CheckObjCString - Checks that the argument to the builtin
1616/// CFString constructor is correct
1617/// Note: It might also make sense to do the UTF-16 conversion here (would
1618/// simplify the backend).
1619bool Sema::CheckObjCString(Expr *Arg) {
1620  Arg = Arg->IgnoreParenCasts();
1621  StringLiteral *Literal = dyn_cast<StringLiteral>(Arg);
1622
1623  if (!Literal || !Literal->isAscii()) {
1624    Diag(Arg->getLocStart(), diag::err_cfstring_literal_not_string_constant)
1625      << Arg->getSourceRange();
1626    return true;
1627  }
1628
1629  if (Literal->containsNonAsciiOrNull()) {
1630    StringRef String = Literal->getString();
1631    unsigned NumBytes = String.size();
1632    SmallVector<UTF16, 128> ToBuf(NumBytes);
1633    const UTF8 *FromPtr = (const UTF8 *)String.data();
1634    UTF16 *ToPtr = &ToBuf[0];
1635
1636    ConversionResult Result = ConvertUTF8toUTF16(&FromPtr, FromPtr + NumBytes,
1637                                                 &ToPtr, ToPtr + NumBytes,
1638                                                 strictConversion);
1639    // Check for conversion failure.
1640    if (Result != conversionOK)
1641      Diag(Arg->getLocStart(),
1642           diag::warn_cfstring_truncated) << Arg->getSourceRange();
1643  }
1644  return false;
1645}
1646
1647/// SemaBuiltinVAStart - Check the arguments to __builtin_va_start for validity.
1648/// Emit an error and return true on failure, return false on success.
1649bool Sema::SemaBuiltinVAStart(CallExpr *TheCall) {
1650  Expr *Fn = TheCall->getCallee();
1651  if (TheCall->getNumArgs() > 2) {
1652    Diag(TheCall->getArg(2)->getLocStart(),
1653         diag::err_typecheck_call_too_many_args)
1654      << 0 /*function call*/ << 2 << TheCall->getNumArgs()
1655      << Fn->getSourceRange()
1656      << SourceRange(TheCall->getArg(2)->getLocStart(),
1657                     (*(TheCall->arg_end()-1))->getLocEnd());
1658    return true;
1659  }
1660
1661  if (TheCall->getNumArgs() < 2) {
1662    return Diag(TheCall->getLocEnd(),
1663      diag::err_typecheck_call_too_few_args_at_least)
1664      << 0 /*function call*/ << 2 << TheCall->getNumArgs();
1665  }
1666
1667  // Type-check the first argument normally.
1668  if (checkBuiltinArgument(*this, TheCall, 0))
1669    return true;
1670
1671  // Determine whether the current function is variadic or not.
1672  BlockScopeInfo *CurBlock = getCurBlock();
1673  bool isVariadic;
1674  if (CurBlock)
1675    isVariadic = CurBlock->TheDecl->isVariadic();
1676  else if (FunctionDecl *FD = getCurFunctionDecl())
1677    isVariadic = FD->isVariadic();
1678  else
1679    isVariadic = getCurMethodDecl()->isVariadic();
1680
1681  if (!isVariadic) {
1682    Diag(Fn->getLocStart(), diag::err_va_start_used_in_non_variadic_function);
1683    return true;
1684  }
1685
1686  // Verify that the second argument to the builtin is the last argument of the
1687  // current function or method.
1688  bool SecondArgIsLastNamedArgument = false;
1689  const Expr *Arg = TheCall->getArg(1)->IgnoreParenCasts();
1690
1691  // These are valid if SecondArgIsLastNamedArgument is false after the next
1692  // block.
1693  QualType Type;
1694  SourceLocation ParamLoc;
1695
1696  if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Arg)) {
1697    if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(DR->getDecl())) {
1698      // FIXME: This isn't correct for methods (results in bogus warning).
1699      // Get the last formal in the current function.
1700      const ParmVarDecl *LastArg;
1701      if (CurBlock)
1702        LastArg = *(CurBlock->TheDecl->param_end()-1);
1703      else if (FunctionDecl *FD = getCurFunctionDecl())
1704        LastArg = *(FD->param_end()-1);
1705      else
1706        LastArg = *(getCurMethodDecl()->param_end()-1);
1707      SecondArgIsLastNamedArgument = PV == LastArg;
1708
1709      Type = PV->getType();
1710      ParamLoc = PV->getLocation();
1711    }
1712  }
1713
1714  if (!SecondArgIsLastNamedArgument)
1715    Diag(TheCall->getArg(1)->getLocStart(),
1716         diag::warn_second_parameter_of_va_start_not_last_named_argument);
1717  else if (Type->isReferenceType()) {
1718    Diag(Arg->getLocStart(),
1719         diag::warn_va_start_of_reference_type_is_undefined);
1720    Diag(ParamLoc, diag::note_parameter_type) << Type;
1721  }
1722
1723  TheCall->setType(Context.VoidTy);
1724  return false;
1725}
1726
1727/// SemaBuiltinUnorderedCompare - Handle functions like __builtin_isgreater and
1728/// friends.  This is declared to take (...), so we have to check everything.
1729bool Sema::SemaBuiltinUnorderedCompare(CallExpr *TheCall) {
1730  if (TheCall->getNumArgs() < 2)
1731    return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args)
1732      << 0 << 2 << TheCall->getNumArgs()/*function call*/;
1733  if (TheCall->getNumArgs() > 2)
1734    return Diag(TheCall->getArg(2)->getLocStart(),
1735                diag::err_typecheck_call_too_many_args)
1736      << 0 /*function call*/ << 2 << TheCall->getNumArgs()
1737      << SourceRange(TheCall->getArg(2)->getLocStart(),
1738                     (*(TheCall->arg_end()-1))->getLocEnd());
1739
1740  ExprResult OrigArg0 = TheCall->getArg(0);
1741  ExprResult OrigArg1 = TheCall->getArg(1);
1742
1743  // Do standard promotions between the two arguments, returning their common
1744  // type.
1745  QualType Res = UsualArithmeticConversions(OrigArg0, OrigArg1, false);
1746  if (OrigArg0.isInvalid() || OrigArg1.isInvalid())
1747    return true;
1748
1749  // Make sure any conversions are pushed back into the call; this is
1750  // type safe since unordered compare builtins are declared as "_Bool
1751  // foo(...)".
1752  TheCall->setArg(0, OrigArg0.get());
1753  TheCall->setArg(1, OrigArg1.get());
1754
1755  if (OrigArg0.get()->isTypeDependent() || OrigArg1.get()->isTypeDependent())
1756    return false;
1757
1758  // If the common type isn't a real floating type, then the arguments were
1759  // invalid for this operation.
1760  if (Res.isNull() || !Res->isRealFloatingType())
1761    return Diag(OrigArg0.get()->getLocStart(),
1762                diag::err_typecheck_call_invalid_ordered_compare)
1763      << OrigArg0.get()->getType() << OrigArg1.get()->getType()
1764      << SourceRange(OrigArg0.get()->getLocStart(), OrigArg1.get()->getLocEnd());
1765
1766  return false;
1767}
1768
1769/// SemaBuiltinSemaBuiltinFPClassification - Handle functions like
1770/// __builtin_isnan and friends.  This is declared to take (...), so we have
1771/// to check everything. We expect the last argument to be a floating point
1772/// value.
1773bool Sema::SemaBuiltinFPClassification(CallExpr *TheCall, unsigned NumArgs) {
1774  if (TheCall->getNumArgs() < NumArgs)
1775    return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args)
1776      << 0 << NumArgs << TheCall->getNumArgs()/*function call*/;
1777  if (TheCall->getNumArgs() > NumArgs)
1778    return Diag(TheCall->getArg(NumArgs)->getLocStart(),
1779                diag::err_typecheck_call_too_many_args)
1780      << 0 /*function call*/ << NumArgs << TheCall->getNumArgs()
1781      << SourceRange(TheCall->getArg(NumArgs)->getLocStart(),
1782                     (*(TheCall->arg_end()-1))->getLocEnd());
1783
1784  Expr *OrigArg = TheCall->getArg(NumArgs-1);
1785
1786  if (OrigArg->isTypeDependent())
1787    return false;
1788
1789  // This operation requires a non-_Complex floating-point number.
1790  if (!OrigArg->getType()->isRealFloatingType())
1791    return Diag(OrigArg->getLocStart(),
1792                diag::err_typecheck_call_invalid_unary_fp)
1793      << OrigArg->getType() << OrigArg->getSourceRange();
1794
1795  // If this is an implicit conversion from float -> double, remove it.
1796  if (ImplicitCastExpr *Cast = dyn_cast<ImplicitCastExpr>(OrigArg)) {
1797    Expr *CastArg = Cast->getSubExpr();
1798    if (CastArg->getType()->isSpecificBuiltinType(BuiltinType::Float)) {
1799      assert(Cast->getType()->isSpecificBuiltinType(BuiltinType::Double) &&
1800             "promotion from float to double is the only expected cast here");
1801      Cast->setSubExpr(nullptr);
1802      TheCall->setArg(NumArgs-1, CastArg);
1803    }
1804  }
1805
1806  return false;
1807}
1808
1809/// SemaBuiltinShuffleVector - Handle __builtin_shufflevector.
1810// This is declared to take (...), so we have to check everything.
1811ExprResult Sema::SemaBuiltinShuffleVector(CallExpr *TheCall) {
1812  if (TheCall->getNumArgs() < 2)
1813    return ExprError(Diag(TheCall->getLocEnd(),
1814                          diag::err_typecheck_call_too_few_args_at_least)
1815                     << 0 /*function call*/ << 2 << TheCall->getNumArgs()
1816                     << TheCall->getSourceRange());
1817
1818  // Determine which of the following types of shufflevector we're checking:
1819  // 1) unary, vector mask: (lhs, mask)
1820  // 2) binary, vector mask: (lhs, rhs, mask)
1821  // 3) binary, scalar mask: (lhs, rhs, index, ..., index)
1822  QualType resType = TheCall->getArg(0)->getType();
1823  unsigned numElements = 0;
1824
1825  if (!TheCall->getArg(0)->isTypeDependent() &&
1826      !TheCall->getArg(1)->isTypeDependent()) {
1827    QualType LHSType = TheCall->getArg(0)->getType();
1828    QualType RHSType = TheCall->getArg(1)->getType();
1829
1830    if (!LHSType->isVectorType() || !RHSType->isVectorType())
1831      return ExprError(Diag(TheCall->getLocStart(),
1832                            diag::err_shufflevector_non_vector)
1833                       << SourceRange(TheCall->getArg(0)->getLocStart(),
1834                                      TheCall->getArg(1)->getLocEnd()));
1835
1836    numElements = LHSType->getAs<VectorType>()->getNumElements();
1837    unsigned numResElements = TheCall->getNumArgs() - 2;
1838
1839    // Check to see if we have a call with 2 vector arguments, the unary shuffle
1840    // with mask.  If so, verify that RHS is an integer vector type with the
1841    // same number of elts as lhs.
1842    if (TheCall->getNumArgs() == 2) {
1843      if (!RHSType->hasIntegerRepresentation() ||
1844          RHSType->getAs<VectorType>()->getNumElements() != numElements)
1845        return ExprError(Diag(TheCall->getLocStart(),
1846                              diag::err_shufflevector_incompatible_vector)
1847                         << SourceRange(TheCall->getArg(1)->getLocStart(),
1848                                        TheCall->getArg(1)->getLocEnd()));
1849    } else if (!Context.hasSameUnqualifiedType(LHSType, RHSType)) {
1850      return ExprError(Diag(TheCall->getLocStart(),
1851                            diag::err_shufflevector_incompatible_vector)
1852                       << SourceRange(TheCall->getArg(0)->getLocStart(),
1853                                      TheCall->getArg(1)->getLocEnd()));
1854    } else if (numElements != numResElements) {
1855      QualType eltType = LHSType->getAs<VectorType>()->getElementType();
1856      resType = Context.getVectorType(eltType, numResElements,
1857                                      VectorType::GenericVector);
1858    }
1859  }
1860
1861  for (unsigned i = 2; i < TheCall->getNumArgs(); i++) {
1862    if (TheCall->getArg(i)->isTypeDependent() ||
1863        TheCall->getArg(i)->isValueDependent())
1864      continue;
1865
1866    llvm::APSInt Result(32);
1867    if (!TheCall->getArg(i)->isIntegerConstantExpr(Result, Context))
1868      return ExprError(Diag(TheCall->getLocStart(),
1869                            diag::err_shufflevector_nonconstant_argument)
1870                       << TheCall->getArg(i)->getSourceRange());
1871
1872    // Allow -1 which will be translated to undef in the IR.
1873    if (Result.isSigned() && Result.isAllOnesValue())
1874      continue;
1875
1876    if (Result.getActiveBits() > 64 || Result.getZExtValue() >= numElements*2)
1877      return ExprError(Diag(TheCall->getLocStart(),
1878                            diag::err_shufflevector_argument_too_large)
1879                       << TheCall->getArg(i)->getSourceRange());
1880  }
1881
1882  SmallVector<Expr*, 32> exprs;
1883
1884  for (unsigned i = 0, e = TheCall->getNumArgs(); i != e; i++) {
1885    exprs.push_back(TheCall->getArg(i));
1886    TheCall->setArg(i, nullptr);
1887  }
1888
1889  return new (Context) ShuffleVectorExpr(Context, exprs, resType,
1890                                         TheCall->getCallee()->getLocStart(),
1891                                         TheCall->getRParenLoc());
1892}
1893
1894/// SemaConvertVectorExpr - Handle __builtin_convertvector
1895ExprResult Sema::SemaConvertVectorExpr(Expr *E, TypeSourceInfo *TInfo,
1896                                       SourceLocation BuiltinLoc,
1897                                       SourceLocation RParenLoc) {
1898  ExprValueKind VK = VK_RValue;
1899  ExprObjectKind OK = OK_Ordinary;
1900  QualType DstTy = TInfo->getType();
1901  QualType SrcTy = E->getType();
1902
1903  if (!SrcTy->isVectorType() && !SrcTy->isDependentType())
1904    return ExprError(Diag(BuiltinLoc,
1905                          diag::err_convertvector_non_vector)
1906                     << E->getSourceRange());
1907  if (!DstTy->isVectorType() && !DstTy->isDependentType())
1908    return ExprError(Diag(BuiltinLoc,
1909                          diag::err_convertvector_non_vector_type));
1910
1911  if (!SrcTy->isDependentType() && !DstTy->isDependentType()) {
1912    unsigned SrcElts = SrcTy->getAs<VectorType>()->getNumElements();
1913    unsigned DstElts = DstTy->getAs<VectorType>()->getNumElements();
1914    if (SrcElts != DstElts)
1915      return ExprError(Diag(BuiltinLoc,
1916                            diag::err_convertvector_incompatible_vector)
1917                       << E->getSourceRange());
1918  }
1919
1920  return new (Context)
1921      ConvertVectorExpr(E, TInfo, DstTy, VK, OK, BuiltinLoc, RParenLoc);
1922}
1923
1924/// SemaBuiltinPrefetch - Handle __builtin_prefetch.
1925// This is declared to take (const void*, ...) and can take two
1926// optional constant int args.
1927bool Sema::SemaBuiltinPrefetch(CallExpr *TheCall) {
1928  unsigned NumArgs = TheCall->getNumArgs();
1929
1930  if (NumArgs > 3)
1931    return Diag(TheCall->getLocEnd(),
1932             diag::err_typecheck_call_too_many_args_at_most)
1933             << 0 /*function call*/ << 3 << NumArgs
1934             << TheCall->getSourceRange();
1935
1936  // Argument 0 is checked for us and the remaining arguments must be
1937  // constant integers.
1938  for (unsigned i = 1; i != NumArgs; ++i)
1939    if (SemaBuiltinConstantArgRange(TheCall, i, 0, i == 1 ? 1 : 3))
1940      return true;
1941
1942  return false;
1943}
1944
1945/// SemaBuiltinConstantArg - Handle a check if argument ArgNum of CallExpr
1946/// TheCall is a constant expression.
1947bool Sema::SemaBuiltinConstantArg(CallExpr *TheCall, int ArgNum,
1948                                  llvm::APSInt &Result) {
1949  Expr *Arg = TheCall->getArg(ArgNum);
1950  DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts());
1951  FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl());
1952
1953  if (Arg->isTypeDependent() || Arg->isValueDependent()) return false;
1954
1955  if (!Arg->isIntegerConstantExpr(Result, Context))
1956    return Diag(TheCall->getLocStart(), diag::err_constant_integer_arg_type)
1957                << FDecl->getDeclName() <<  Arg->getSourceRange();
1958
1959  return false;
1960}
1961
1962/// SemaBuiltinConstantArgRange - Handle a check if argument ArgNum of CallExpr
1963/// TheCall is a constant expression in the range [Low, High].
1964bool Sema::SemaBuiltinConstantArgRange(CallExpr *TheCall, int ArgNum,
1965                                       int Low, int High) {
1966  llvm::APSInt Result;
1967
1968  // We can't check the value of a dependent argument.
1969  Expr *Arg = TheCall->getArg(ArgNum);
1970  if (Arg->isTypeDependent() || Arg->isValueDependent())
1971    return false;
1972
1973  // Check constant-ness first.
1974  if (SemaBuiltinConstantArg(TheCall, ArgNum, Result))
1975    return true;
1976
1977  if (Result.getSExtValue() < Low || Result.getSExtValue() > High)
1978    return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range)
1979      << Low << High << Arg->getSourceRange();
1980
1981  return false;
1982}
1983
1984/// SemaBuiltinLongjmp - Handle __builtin_longjmp(void *env[5], int val).
1985/// This checks that val is a constant 1.
1986bool Sema::SemaBuiltinLongjmp(CallExpr *TheCall) {
1987  Expr *Arg = TheCall->getArg(1);
1988  llvm::APSInt Result;
1989
1990  // TODO: This is less than ideal. Overload this to take a value.
1991  if (SemaBuiltinConstantArg(TheCall, 1, Result))
1992    return true;
1993
1994  if (Result != 1)
1995    return Diag(TheCall->getLocStart(), diag::err_builtin_longjmp_invalid_val)
1996             << SourceRange(Arg->getLocStart(), Arg->getLocEnd());
1997
1998  return false;
1999}
2000
2001namespace {
2002enum StringLiteralCheckType {
2003  SLCT_NotALiteral,
2004  SLCT_UncheckedLiteral,
2005  SLCT_CheckedLiteral
2006};
2007}
2008
2009// Determine if an expression is a string literal or constant string.
2010// If this function returns false on the arguments to a function expecting a
2011// format string, we will usually need to emit a warning.
2012// True string literals are then checked by CheckFormatString.
2013static StringLiteralCheckType
2014checkFormatStringExpr(Sema &S, const Expr *E, ArrayRef<const Expr *> Args,
2015                      bool HasVAListArg, unsigned format_idx,
2016                      unsigned firstDataArg, Sema::FormatStringType Type,
2017                      Sema::VariadicCallType CallType, bool InFunctionCall,
2018                      llvm::SmallBitVector &CheckedVarArgs) {
2019 tryAgain:
2020  if (E->isTypeDependent() || E->isValueDependent())
2021    return SLCT_NotALiteral;
2022
2023  E = E->IgnoreParenCasts();
2024
2025  if (E->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNotNull))
2026    // Technically -Wformat-nonliteral does not warn about this case.
2027    // The behavior of printf and friends in this case is implementation
2028    // dependent.  Ideally if the format string cannot be null then
2029    // it should have a 'nonnull' attribute in the function prototype.
2030    return SLCT_UncheckedLiteral;
2031
2032  switch (E->getStmtClass()) {
2033  case Stmt::BinaryConditionalOperatorClass:
2034  case Stmt::ConditionalOperatorClass: {
2035    // The expression is a literal if both sub-expressions were, and it was
2036    // completely checked only if both sub-expressions were checked.
2037    const AbstractConditionalOperator *C =
2038        cast<AbstractConditionalOperator>(E);
2039    StringLiteralCheckType Left =
2040        checkFormatStringExpr(S, C->getTrueExpr(), Args,
2041                              HasVAListArg, format_idx, firstDataArg,
2042                              Type, CallType, InFunctionCall, CheckedVarArgs);
2043    if (Left == SLCT_NotALiteral)
2044      return SLCT_NotALiteral;
2045    StringLiteralCheckType Right =
2046        checkFormatStringExpr(S, C->getFalseExpr(), Args,
2047                              HasVAListArg, format_idx, firstDataArg,
2048                              Type, CallType, InFunctionCall, CheckedVarArgs);
2049    return Left < Right ? Left : Right;
2050  }
2051
2052  case Stmt::ImplicitCastExprClass: {
2053    E = cast<ImplicitCastExpr>(E)->getSubExpr();
2054    goto tryAgain;
2055  }
2056
2057  case Stmt::OpaqueValueExprClass:
2058    if (const Expr *src = cast<OpaqueValueExpr>(E)->getSourceExpr()) {
2059      E = src;
2060      goto tryAgain;
2061    }
2062    return SLCT_NotALiteral;
2063
2064  case Stmt::PredefinedExprClass:
2065    // While __func__, etc., are technically not string literals, they
2066    // cannot contain format specifiers and thus are not a security
2067    // liability.
2068    return SLCT_UncheckedLiteral;
2069
2070  case Stmt::DeclRefExprClass: {
2071    const DeclRefExpr *DR = cast<DeclRefExpr>(E);
2072
2073    // As an exception, do not flag errors for variables binding to
2074    // const string literals.
2075    if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) {
2076      bool isConstant = false;
2077      QualType T = DR->getType();
2078
2079      if (const ArrayType *AT = S.Context.getAsArrayType(T)) {
2080        isConstant = AT->getElementType().isConstant(S.Context);
2081      } else if (const PointerType *PT = T->getAs<PointerType>()) {
2082        isConstant = T.isConstant(S.Context) &&
2083                     PT->getPointeeType().isConstant(S.Context);
2084      } else if (T->isObjCObjectPointerType()) {
2085        // In ObjC, there is usually no "const ObjectPointer" type,
2086        // so don't check if the pointee type is constant.
2087        isConstant = T.isConstant(S.Context);
2088      }
2089
2090      if (isConstant) {
2091        if (const Expr *Init = VD->getAnyInitializer()) {
2092          // Look through initializers like const char c[] = { "foo" }
2093          if (const InitListExpr *InitList = dyn_cast<InitListExpr>(Init)) {
2094            if (InitList->isStringLiteralInit())
2095              Init = InitList->getInit(0)->IgnoreParenImpCasts();
2096          }
2097          return checkFormatStringExpr(S, Init, Args,
2098                                       HasVAListArg, format_idx,
2099                                       firstDataArg, Type, CallType,
2100                                       /*InFunctionCall*/false, CheckedVarArgs);
2101        }
2102      }
2103
2104      // For vprintf* functions (i.e., HasVAListArg==true), we add a
2105      // special check to see if the format string is a function parameter
2106      // of the function calling the printf function.  If the function
2107      // has an attribute indicating it is a printf-like function, then we
2108      // should suppress warnings concerning non-literals being used in a call
2109      // to a vprintf function.  For example:
2110      //
2111      // void
2112      // logmessage(char const *fmt __attribute__ (format (printf, 1, 2)), ...){
2113      //      va_list ap;
2114      //      va_start(ap, fmt);
2115      //      vprintf(fmt, ap);  // Do NOT emit a warning about "fmt".
2116      //      ...
2117      // }
2118      if (HasVAListArg) {
2119        if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(VD)) {
2120          if (const NamedDecl *ND = dyn_cast<NamedDecl>(PV->getDeclContext())) {
2121            int PVIndex = PV->getFunctionScopeIndex() + 1;
2122            for (const auto *PVFormat : ND->specific_attrs<FormatAttr>()) {
2123              // adjust for implicit parameter
2124              if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(ND))
2125                if (MD->isInstance())
2126                  ++PVIndex;
2127              // We also check if the formats are compatible.
2128              // We can't pass a 'scanf' string to a 'printf' function.
2129              if (PVIndex == PVFormat->getFormatIdx() &&
2130                  Type == S.GetFormatStringType(PVFormat))
2131                return SLCT_UncheckedLiteral;
2132            }
2133          }
2134        }
2135      }
2136    }
2137
2138    return SLCT_NotALiteral;
2139  }
2140
2141  case Stmt::CallExprClass:
2142  case Stmt::CXXMemberCallExprClass: {
2143    const CallExpr *CE = cast<CallExpr>(E);
2144    if (const NamedDecl *ND = dyn_cast_or_null<NamedDecl>(CE->getCalleeDecl())) {
2145      if (const FormatArgAttr *FA = ND->getAttr<FormatArgAttr>()) {
2146        unsigned ArgIndex = FA->getFormatIdx();
2147        if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(ND))
2148          if (MD->isInstance())
2149            --ArgIndex;
2150        const Expr *Arg = CE->getArg(ArgIndex - 1);
2151
2152        return checkFormatStringExpr(S, Arg, Args,
2153                                     HasVAListArg, format_idx, firstDataArg,
2154                                     Type, CallType, InFunctionCall,
2155                                     CheckedVarArgs);
2156      } else if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(ND)) {
2157        unsigned BuiltinID = FD->getBuiltinID();
2158        if (BuiltinID == Builtin::BI__builtin___CFStringMakeConstantString ||
2159            BuiltinID == Builtin::BI__builtin___NSStringMakeConstantString) {
2160          const Expr *Arg = CE->getArg(0);
2161          return checkFormatStringExpr(S, Arg, Args,
2162                                       HasVAListArg, format_idx,
2163                                       firstDataArg, Type, CallType,
2164                                       InFunctionCall, CheckedVarArgs);
2165        }
2166      }
2167    }
2168
2169    return SLCT_NotALiteral;
2170  }
2171  case Stmt::ObjCStringLiteralClass:
2172  case Stmt::StringLiteralClass: {
2173    const StringLiteral *StrE = nullptr;
2174
2175    if (const ObjCStringLiteral *ObjCFExpr = dyn_cast<ObjCStringLiteral>(E))
2176      StrE = ObjCFExpr->getString();
2177    else
2178      StrE = cast<StringLiteral>(E);
2179
2180    if (StrE) {
2181      S.CheckFormatString(StrE, E, Args, HasVAListArg, format_idx, firstDataArg,
2182                          Type, InFunctionCall, CallType, CheckedVarArgs);
2183      return SLCT_CheckedLiteral;
2184    }
2185
2186    return SLCT_NotALiteral;
2187  }
2188
2189  default:
2190    return SLCT_NotALiteral;
2191  }
2192}
2193
2194Sema::FormatStringType Sema::GetFormatStringType(const FormatAttr *Format) {
2195  return llvm::StringSwitch<FormatStringType>(Format->getType()->getName())
2196  .Case("scanf", FST_Scanf)
2197  .Cases("printf", "printf0", FST_Printf)
2198  .Cases("NSString", "CFString", FST_NSString)
2199  .Case("strftime", FST_Strftime)
2200  .Case("strfmon", FST_Strfmon)
2201  .Cases("kprintf", "cmn_err", "vcmn_err", "zcmn_err", FST_Kprintf)
2202  .Default(FST_Unknown);
2203}
2204
2205/// CheckFormatArguments - Check calls to printf and scanf (and similar
2206/// functions) for correct use of format strings.
2207/// Returns true if a format string has been fully checked.
2208bool Sema::CheckFormatArguments(const FormatAttr *Format,
2209                                ArrayRef<const Expr *> Args,
2210                                bool IsCXXMember,
2211                                VariadicCallType CallType,
2212                                SourceLocation Loc, SourceRange Range,
2213                                llvm::SmallBitVector &CheckedVarArgs) {
2214  FormatStringInfo FSI;
2215  if (getFormatStringInfo(Format, IsCXXMember, &FSI))
2216    return CheckFormatArguments(Args, FSI.HasVAListArg, FSI.FormatIdx,
2217                                FSI.FirstDataArg, GetFormatStringType(Format),
2218                                CallType, Loc, Range, CheckedVarArgs);
2219  return false;
2220}
2221
2222bool Sema::CheckFormatArguments(ArrayRef<const Expr *> Args,
2223                                bool HasVAListArg, unsigned format_idx,
2224                                unsigned firstDataArg, FormatStringType Type,
2225                                VariadicCallType CallType,
2226                                SourceLocation Loc, SourceRange Range,
2227                                llvm::SmallBitVector &CheckedVarArgs) {
2228  // CHECK: printf/scanf-like function is called with no format string.
2229  if (format_idx >= Args.size()) {
2230    Diag(Loc, diag::warn_missing_format_string) << Range;
2231    return false;
2232  }
2233
2234  const Expr *OrigFormatExpr = Args[format_idx]->IgnoreParenCasts();
2235
2236  // CHECK: format string is not a string literal.
2237  //
2238  // Dynamically generated format strings are difficult to
2239  // automatically vet at compile time.  Requiring that format strings
2240  // are string literals: (1) permits the checking of format strings by
2241  // the compiler and thereby (2) can practically remove the source of
2242  // many format string exploits.
2243
2244  // Format string can be either ObjC string (e.g. @"%d") or
2245  // C string (e.g. "%d")
2246  // ObjC string uses the same format specifiers as C string, so we can use
2247  // the same format string checking logic for both ObjC and C strings.
2248  StringLiteralCheckType CT =
2249      checkFormatStringExpr(*this, OrigFormatExpr, Args, HasVAListArg,
2250                            format_idx, firstDataArg, Type, CallType,
2251                            /*IsFunctionCall*/true, CheckedVarArgs);
2252  if (CT != SLCT_NotALiteral)
2253    // Literal format string found, check done!
2254    return CT == SLCT_CheckedLiteral;
2255
2256  // Strftime is particular as it always uses a single 'time' argument,
2257  // so it is safe to pass a non-literal string.
2258  if (Type == FST_Strftime)
2259    return false;
2260
2261  // Do not emit diag when the string param is a macro expansion and the
2262  // format is either NSString or CFString. This is a hack to prevent
2263  // diag when using the NSLocalizedString and CFCopyLocalizedString macros
2264  // which are usually used in place of NS and CF string literals.
2265  if (Type == FST_NSString &&
2266      SourceMgr.isInSystemMacro(Args[format_idx]->getLocStart()))
2267    return false;
2268
2269  // If there are no arguments specified, warn with -Wformat-security, otherwise
2270  // warn only with -Wformat-nonliteral.
2271  if (Args.size() == firstDataArg)
2272    Diag(Args[format_idx]->getLocStart(),
2273         diag::warn_format_nonliteral_noargs)
2274      << OrigFormatExpr->getSourceRange();
2275  else
2276    Diag(Args[format_idx]->getLocStart(),
2277         diag::warn_format_nonliteral)
2278           << OrigFormatExpr->getSourceRange();
2279  return false;
2280}
2281
2282namespace {
2283class CheckFormatHandler : public analyze_format_string::FormatStringHandler {
2284protected:
2285  Sema &S;
2286  const StringLiteral *FExpr;
2287  const Expr *OrigFormatExpr;
2288  const unsigned FirstDataArg;
2289  const unsigned NumDataArgs;
2290  const char *Beg; // Start of format string.
2291  const bool HasVAListArg;
2292  ArrayRef<const Expr *> Args;
2293  unsigned FormatIdx;
2294  llvm::SmallBitVector CoveredArgs;
2295  bool usesPositionalArgs;
2296  bool atFirstArg;
2297  bool inFunctionCall;
2298  Sema::VariadicCallType CallType;
2299  llvm::SmallBitVector &CheckedVarArgs;
2300public:
2301  CheckFormatHandler(Sema &s, const StringLiteral *fexpr,
2302                     const Expr *origFormatExpr, unsigned firstDataArg,
2303                     unsigned numDataArgs, const char *beg, bool hasVAListArg,
2304                     ArrayRef<const Expr *> Args,
2305                     unsigned formatIdx, bool inFunctionCall,
2306                     Sema::VariadicCallType callType,
2307                     llvm::SmallBitVector &CheckedVarArgs)
2308    : S(s), FExpr(fexpr), OrigFormatExpr(origFormatExpr),
2309      FirstDataArg(firstDataArg), NumDataArgs(numDataArgs),
2310      Beg(beg), HasVAListArg(hasVAListArg),
2311      Args(Args), FormatIdx(formatIdx),
2312      usesPositionalArgs(false), atFirstArg(true),
2313      inFunctionCall(inFunctionCall), CallType(callType),
2314      CheckedVarArgs(CheckedVarArgs) {
2315    CoveredArgs.resize(numDataArgs);
2316    CoveredArgs.reset();
2317  }
2318
2319  void DoneProcessing();
2320
2321  void HandleIncompleteSpecifier(const char *startSpecifier,
2322                                 unsigned specifierLen) override;
2323
2324  void HandleInvalidLengthModifier(
2325                           const analyze_format_string::FormatSpecifier &FS,
2326                           const analyze_format_string::ConversionSpecifier &CS,
2327                           const char *startSpecifier, unsigned specifierLen,
2328                           unsigned DiagID);
2329
2330  void HandleNonStandardLengthModifier(
2331                    const analyze_format_string::FormatSpecifier &FS,
2332                    const char *startSpecifier, unsigned specifierLen);
2333
2334  void HandleNonStandardConversionSpecifier(
2335                    const analyze_format_string::ConversionSpecifier &CS,
2336                    const char *startSpecifier, unsigned specifierLen);
2337
2338  void HandlePosition(const char *startPos, unsigned posLen) override;
2339
2340  void HandleInvalidPosition(const char *startSpecifier,
2341                             unsigned specifierLen,
2342                             analyze_format_string::PositionContext p) override;
2343
2344  void HandleZeroPosition(const char *startPos, unsigned posLen) override;
2345
2346  void HandleNullChar(const char *nullCharacter) override;
2347
2348  template <typename Range>
2349  static void EmitFormatDiagnostic(Sema &S, bool inFunctionCall,
2350                                   const Expr *ArgumentExpr,
2351                                   PartialDiagnostic PDiag,
2352                                   SourceLocation StringLoc,
2353                                   bool IsStringLocation, Range StringRange,
2354                                   ArrayRef<FixItHint> Fixit = None);
2355
2356protected:
2357  bool HandleInvalidConversionSpecifier(unsigned argIndex, SourceLocation Loc,
2358                                        const char *startSpec,
2359                                        unsigned specifierLen,
2360                                        const char *csStart, unsigned csLen);
2361
2362  void HandlePositionalNonpositionalArgs(SourceLocation Loc,
2363                                         const char *startSpec,
2364                                         unsigned specifierLen);
2365
2366  SourceRange getFormatStringRange();
2367  CharSourceRange getSpecifierRange(const char *startSpecifier,
2368                                    unsigned specifierLen);
2369  SourceLocation getLocationOfByte(const char *x);
2370
2371  const Expr *getDataArg(unsigned i) const;
2372
2373  bool CheckNumArgs(const analyze_format_string::FormatSpecifier &FS,
2374                    const analyze_format_string::ConversionSpecifier &CS,
2375                    const char *startSpecifier, unsigned specifierLen,
2376                    unsigned argIndex);
2377
2378  template <typename Range>
2379  void EmitFormatDiagnostic(PartialDiagnostic PDiag, SourceLocation StringLoc,
2380                            bool IsStringLocation, Range StringRange,
2381                            ArrayRef<FixItHint> Fixit = None);
2382};
2383}
2384
2385SourceRange CheckFormatHandler::getFormatStringRange() {
2386  return OrigFormatExpr->getSourceRange();
2387}
2388
2389CharSourceRange CheckFormatHandler::
2390getSpecifierRange(const char *startSpecifier, unsigned specifierLen) {
2391  SourceLocation Start = getLocationOfByte(startSpecifier);
2392  SourceLocation End   = getLocationOfByte(startSpecifier + specifierLen - 1);
2393
2394  // Advance the end SourceLocation by one due to half-open ranges.
2395  End = End.getLocWithOffset(1);
2396
2397  return CharSourceRange::getCharRange(Start, End);
2398}
2399
2400SourceLocation CheckFormatHandler::getLocationOfByte(const char *x) {
2401  return S.getLocationOfStringLiteralByte(FExpr, x - Beg);
2402}
2403
2404void CheckFormatHandler::HandleIncompleteSpecifier(const char *startSpecifier,
2405                                                   unsigned specifierLen){
2406  EmitFormatDiagnostic(S.PDiag(diag::warn_printf_incomplete_specifier),
2407                       getLocationOfByte(startSpecifier),
2408                       /*IsStringLocation*/true,
2409                       getSpecifierRange(startSpecifier, specifierLen));
2410}
2411
2412void CheckFormatHandler::HandleInvalidLengthModifier(
2413    const analyze_format_string::FormatSpecifier &FS,
2414    const analyze_format_string::ConversionSpecifier &CS,
2415    const char *startSpecifier, unsigned specifierLen, unsigned DiagID) {
2416  using namespace analyze_format_string;
2417
2418  const LengthModifier &LM = FS.getLengthModifier();
2419  CharSourceRange LMRange = getSpecifierRange(LM.getStart(), LM.getLength());
2420
2421  // See if we know how to fix this length modifier.
2422  Optional<LengthModifier> FixedLM = FS.getCorrectedLengthModifier();
2423  if (FixedLM) {
2424    EmitFormatDiagnostic(S.PDiag(DiagID) << LM.toString() << CS.toString(),
2425                         getLocationOfByte(LM.getStart()),
2426                         /*IsStringLocation*/true,
2427                         getSpecifierRange(startSpecifier, specifierLen));
2428
2429    S.Diag(getLocationOfByte(LM.getStart()), diag::note_format_fix_specifier)
2430      << FixedLM->toString()
2431      << FixItHint::CreateReplacement(LMRange, FixedLM->toString());
2432
2433  } else {
2434    FixItHint Hint;
2435    if (DiagID == diag::warn_format_nonsensical_length)
2436      Hint = FixItHint::CreateRemoval(LMRange);
2437
2438    EmitFormatDiagnostic(S.PDiag(DiagID) << LM.toString() << CS.toString(),
2439                         getLocationOfByte(LM.getStart()),
2440                         /*IsStringLocation*/true,
2441                         getSpecifierRange(startSpecifier, specifierLen),
2442                         Hint);
2443  }
2444}
2445
2446void CheckFormatHandler::HandleNonStandardLengthModifier(
2447    const analyze_format_string::FormatSpecifier &FS,
2448    const char *startSpecifier, unsigned specifierLen) {
2449  using namespace analyze_format_string;
2450
2451  const LengthModifier &LM = FS.getLengthModifier();
2452  CharSourceRange LMRange = getSpecifierRange(LM.getStart(), LM.getLength());
2453
2454  // See if we know how to fix this length modifier.
2455  Optional<LengthModifier> FixedLM = FS.getCorrectedLengthModifier();
2456  if (FixedLM) {
2457    EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard)
2458                           << LM.toString() << 0,
2459                         getLocationOfByte(LM.getStart()),
2460                         /*IsStringLocation*/true,
2461                         getSpecifierRange(startSpecifier, specifierLen));
2462
2463    S.Diag(getLocationOfByte(LM.getStart()), diag::note_format_fix_specifier)
2464      << FixedLM->toString()
2465      << FixItHint::CreateReplacement(LMRange, FixedLM->toString());
2466
2467  } else {
2468    EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard)
2469                           << LM.toString() << 0,
2470                         getLocationOfByte(LM.getStart()),
2471                         /*IsStringLocation*/true,
2472                         getSpecifierRange(startSpecifier, specifierLen));
2473  }
2474}
2475
2476void CheckFormatHandler::HandleNonStandardConversionSpecifier(
2477    const analyze_format_string::ConversionSpecifier &CS,
2478    const char *startSpecifier, unsigned specifierLen) {
2479  using namespace analyze_format_string;
2480
2481  // See if we know how to fix this conversion specifier.
2482  Optional<ConversionSpecifier> FixedCS = CS.getStandardSpecifier();
2483  if (FixedCS) {
2484    EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard)
2485                          << CS.toString() << /*conversion specifier*/1,
2486                         getLocationOfByte(CS.getStart()),
2487                         /*IsStringLocation*/true,
2488                         getSpecifierRange(startSpecifier, specifierLen));
2489
2490    CharSourceRange CSRange = getSpecifierRange(CS.getStart(), CS.getLength());
2491    S.Diag(getLocationOfByte(CS.getStart()), diag::note_format_fix_specifier)
2492      << FixedCS->toString()
2493      << FixItHint::CreateReplacement(CSRange, FixedCS->toString());
2494  } else {
2495    EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard)
2496                          << CS.toString() << /*conversion specifier*/1,
2497                         getLocationOfByte(CS.getStart()),
2498                         /*IsStringLocation*/true,
2499                         getSpecifierRange(startSpecifier, specifierLen));
2500  }
2501}
2502
2503void CheckFormatHandler::HandlePosition(const char *startPos,
2504                                        unsigned posLen) {
2505  EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard_positional_arg),
2506                               getLocationOfByte(startPos),
2507                               /*IsStringLocation*/true,
2508                               getSpecifierRange(startPos, posLen));
2509}
2510
2511void
2512CheckFormatHandler::HandleInvalidPosition(const char *startPos, unsigned posLen,
2513                                     analyze_format_string::PositionContext p) {
2514  EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_positional_specifier)
2515                         << (unsigned) p,
2516                       getLocationOfByte(startPos), /*IsStringLocation*/true,
2517                       getSpecifierRange(startPos, posLen));
2518}
2519
2520void CheckFormatHandler::HandleZeroPosition(const char *startPos,
2521                                            unsigned posLen) {
2522  EmitFormatDiagnostic(S.PDiag(diag::warn_format_zero_positional_specifier),
2523                               getLocationOfByte(startPos),
2524                               /*IsStringLocation*/true,
2525                               getSpecifierRange(startPos, posLen));
2526}
2527
2528void CheckFormatHandler::HandleNullChar(const char *nullCharacter) {
2529  if (!isa<ObjCStringLiteral>(OrigFormatExpr)) {
2530    // The presence of a null character is likely an error.
2531    EmitFormatDiagnostic(
2532      S.PDiag(diag::warn_printf_format_string_contains_null_char),
2533      getLocationOfByte(nullCharacter), /*IsStringLocation*/true,
2534      getFormatStringRange());
2535  }
2536}
2537
2538// Note that this may return NULL if there was an error parsing or building
2539// one of the argument expressions.
2540const Expr *CheckFormatHandler::getDataArg(unsigned i) const {
2541  return Args[FirstDataArg + i];
2542}
2543
2544void CheckFormatHandler::DoneProcessing() {
2545    // Does the number of data arguments exceed the number of
2546    // format conversions in the format string?
2547  if (!HasVAListArg) {
2548      // Find any arguments that weren't covered.
2549    CoveredArgs.flip();
2550    signed notCoveredArg = CoveredArgs.find_first();
2551    if (notCoveredArg >= 0) {
2552      assert((unsigned)notCoveredArg < NumDataArgs);
2553      if (const Expr *E = getDataArg((unsigned) notCoveredArg)) {
2554        SourceLocation Loc = E->getLocStart();
2555        if (!S.getSourceManager().isInSystemMacro(Loc)) {
2556          EmitFormatDiagnostic(S.PDiag(diag::warn_printf_data_arg_not_used),
2557                               Loc, /*IsStringLocation*/false,
2558                               getFormatStringRange());
2559        }
2560      }
2561    }
2562  }
2563}
2564
2565bool
2566CheckFormatHandler::HandleInvalidConversionSpecifier(unsigned argIndex,
2567                                                     SourceLocation Loc,
2568                                                     const char *startSpec,
2569                                                     unsigned specifierLen,
2570                                                     const char *csStart,
2571                                                     unsigned csLen) {
2572
2573  bool keepGoing = true;
2574  if (argIndex < NumDataArgs) {
2575    // Consider the argument coverered, even though the specifier doesn't
2576    // make sense.
2577    CoveredArgs.set(argIndex);
2578  }
2579  else {
2580    // If argIndex exceeds the number of data arguments we
2581    // don't issue a warning because that is just a cascade of warnings (and
2582    // they may have intended '%%' anyway). We don't want to continue processing
2583    // the format string after this point, however, as we will like just get
2584    // gibberish when trying to match arguments.
2585    keepGoing = false;
2586  }
2587
2588  EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_conversion)
2589                         << StringRef(csStart, csLen),
2590                       Loc, /*IsStringLocation*/true,
2591                       getSpecifierRange(startSpec, specifierLen));
2592
2593  return keepGoing;
2594}
2595
2596void
2597CheckFormatHandler::HandlePositionalNonpositionalArgs(SourceLocation Loc,
2598                                                      const char *startSpec,
2599                                                      unsigned specifierLen) {
2600  EmitFormatDiagnostic(
2601    S.PDiag(diag::warn_format_mix_positional_nonpositional_args),
2602    Loc, /*isStringLoc*/true, getSpecifierRange(startSpec, specifierLen));
2603}
2604
2605bool
2606CheckFormatHandler::CheckNumArgs(
2607  const analyze_format_string::FormatSpecifier &FS,
2608  const analyze_format_string::ConversionSpecifier &CS,
2609  const char *startSpecifier, unsigned specifierLen, unsigned argIndex) {
2610
2611  if (argIndex >= NumDataArgs) {
2612    PartialDiagnostic PDiag = FS.usesPositionalArg()
2613      ? (S.PDiag(diag::warn_printf_positional_arg_exceeds_data_args)
2614           << (argIndex+1) << NumDataArgs)
2615      : S.PDiag(diag::warn_printf_insufficient_data_args);
2616    EmitFormatDiagnostic(
2617      PDiag, getLocationOfByte(CS.getStart()), /*IsStringLocation*/true,
2618      getSpecifierRange(startSpecifier, specifierLen));
2619    return false;
2620  }
2621  return true;
2622}
2623
2624template<typename Range>
2625void CheckFormatHandler::EmitFormatDiagnostic(PartialDiagnostic PDiag,
2626                                              SourceLocation Loc,
2627                                              bool IsStringLocation,
2628                                              Range StringRange,
2629                                              ArrayRef<FixItHint> FixIt) {
2630  EmitFormatDiagnostic(S, inFunctionCall, Args[FormatIdx], PDiag,
2631                       Loc, IsStringLocation, StringRange, FixIt);
2632}
2633
2634/// \brief If the format string is not within the funcion call, emit a note
2635/// so that the function call and string are in diagnostic messages.
2636///
2637/// \param InFunctionCall if true, the format string is within the function
2638/// call and only one diagnostic message will be produced.  Otherwise, an
2639/// extra note will be emitted pointing to location of the format string.
2640///
2641/// \param ArgumentExpr the expression that is passed as the format string
2642/// argument in the function call.  Used for getting locations when two
2643/// diagnostics are emitted.
2644///
2645/// \param PDiag the callee should already have provided any strings for the
2646/// diagnostic message.  This function only adds locations and fixits
2647/// to diagnostics.
2648///
2649/// \param Loc primary location for diagnostic.  If two diagnostics are
2650/// required, one will be at Loc and a new SourceLocation will be created for
2651/// the other one.
2652///
2653/// \param IsStringLocation if true, Loc points to the format string should be
2654/// used for the note.  Otherwise, Loc points to the argument list and will
2655/// be used with PDiag.
2656///
2657/// \param StringRange some or all of the string to highlight.  This is
2658/// templated so it can accept either a CharSourceRange or a SourceRange.
2659///
2660/// \param FixIt optional fix it hint for the format string.
2661template<typename Range>
2662void CheckFormatHandler::EmitFormatDiagnostic(Sema &S, bool InFunctionCall,
2663                                              const Expr *ArgumentExpr,
2664                                              PartialDiagnostic PDiag,
2665                                              SourceLocation Loc,
2666                                              bool IsStringLocation,
2667                                              Range StringRange,
2668                                              ArrayRef<FixItHint> FixIt) {
2669  if (InFunctionCall) {
2670    const Sema::SemaDiagnosticBuilder &D = S.Diag(Loc, PDiag);
2671    D << StringRange;
2672    for (ArrayRef<FixItHint>::iterator I = FixIt.begin(), E = FixIt.end();
2673         I != E; ++I) {
2674      D << *I;
2675    }
2676  } else {
2677    S.Diag(IsStringLocation ? ArgumentExpr->getExprLoc() : Loc, PDiag)
2678      << ArgumentExpr->getSourceRange();
2679
2680    const Sema::SemaDiagnosticBuilder &Note =
2681      S.Diag(IsStringLocation ? Loc : StringRange.getBegin(),
2682             diag::note_format_string_defined);
2683
2684    Note << StringRange;
2685    for (ArrayRef<FixItHint>::iterator I = FixIt.begin(), E = FixIt.end();
2686         I != E; ++I) {
2687      Note << *I;
2688    }
2689  }
2690}
2691
2692//===--- CHECK: Printf format string checking ------------------------------===//
2693
2694namespace {
2695class CheckPrintfHandler : public CheckFormatHandler {
2696  bool ObjCContext;
2697public:
2698  CheckPrintfHandler(Sema &s, const StringLiteral *fexpr,
2699                     const Expr *origFormatExpr, unsigned firstDataArg,
2700                     unsigned numDataArgs, bool isObjC,
2701                     const char *beg, bool hasVAListArg,
2702                     ArrayRef<const Expr *> Args,
2703                     unsigned formatIdx, bool inFunctionCall,
2704                     Sema::VariadicCallType CallType,
2705                     llvm::SmallBitVector &CheckedVarArgs)
2706    : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg,
2707                         numDataArgs, beg, hasVAListArg, Args,
2708                         formatIdx, inFunctionCall, CallType, CheckedVarArgs),
2709      ObjCContext(isObjC)
2710  {}
2711
2712
2713  bool HandleInvalidPrintfConversionSpecifier(
2714                                      const analyze_printf::PrintfSpecifier &FS,
2715                                      const char *startSpecifier,
2716                                      unsigned specifierLen) override;
2717
2718  bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS,
2719                             const char *startSpecifier,
2720                             unsigned specifierLen) override;
2721  bool checkFormatExpr(const analyze_printf::PrintfSpecifier &FS,
2722                       const char *StartSpecifier,
2723                       unsigned SpecifierLen,
2724                       const Expr *E);
2725
2726  bool HandleAmount(const analyze_format_string::OptionalAmount &Amt, unsigned k,
2727                    const char *startSpecifier, unsigned specifierLen);
2728  void HandleInvalidAmount(const analyze_printf::PrintfSpecifier &FS,
2729                           const analyze_printf::OptionalAmount &Amt,
2730                           unsigned type,
2731                           const char *startSpecifier, unsigned specifierLen);
2732  void HandleFlag(const analyze_printf::PrintfSpecifier &FS,
2733                  const analyze_printf::OptionalFlag &flag,
2734                  const char *startSpecifier, unsigned specifierLen);
2735  void HandleIgnoredFlag(const analyze_printf::PrintfSpecifier &FS,
2736                         const analyze_printf::OptionalFlag &ignoredFlag,
2737                         const analyze_printf::OptionalFlag &flag,
2738                         const char *startSpecifier, unsigned specifierLen);
2739  bool checkForCStrMembers(const analyze_printf::ArgType &AT,
2740                           const Expr *E);
2741
2742};
2743}
2744
2745bool CheckPrintfHandler::HandleInvalidPrintfConversionSpecifier(
2746                                      const analyze_printf::PrintfSpecifier &FS,
2747                                      const char *startSpecifier,
2748                                      unsigned specifierLen) {
2749  const analyze_printf::PrintfConversionSpecifier &CS =
2750    FS.getConversionSpecifier();
2751
2752  return HandleInvalidConversionSpecifier(FS.getArgIndex(),
2753                                          getLocationOfByte(CS.getStart()),
2754                                          startSpecifier, specifierLen,
2755                                          CS.getStart(), CS.getLength());
2756}
2757
2758bool CheckPrintfHandler::HandleAmount(
2759                               const analyze_format_string::OptionalAmount &Amt,
2760                               unsigned k, const char *startSpecifier,
2761                               unsigned specifierLen) {
2762
2763  if (Amt.hasDataArgument()) {
2764    if (!HasVAListArg) {
2765      unsigned argIndex = Amt.getArgIndex();
2766      if (argIndex >= NumDataArgs) {
2767        EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_missing_arg)
2768                               << k,
2769                             getLocationOfByte(Amt.getStart()),
2770                             /*IsStringLocation*/true,
2771                             getSpecifierRange(startSpecifier, specifierLen));
2772        // Don't do any more checking.  We will just emit
2773        // spurious errors.
2774        return false;
2775      }
2776
2777      // Type check the data argument.  It should be an 'int'.
2778      // Although not in conformance with C99, we also allow the argument to be
2779      // an 'unsigned int' as that is a reasonably safe case.  GCC also
2780      // doesn't emit a warning for that case.
2781      CoveredArgs.set(argIndex);
2782      const Expr *Arg = getDataArg(argIndex);
2783      if (!Arg)
2784        return false;
2785
2786      QualType T = Arg->getType();
2787
2788      const analyze_printf::ArgType &AT = Amt.getArgType(S.Context);
2789      assert(AT.isValid());
2790
2791      if (!AT.matchesType(S.Context, T)) {
2792        EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_wrong_type)
2793                               << k << AT.getRepresentativeTypeName(S.Context)
2794                               << T << Arg->getSourceRange(),
2795                             getLocationOfByte(Amt.getStart()),
2796                             /*IsStringLocation*/true,
2797                             getSpecifierRange(startSpecifier, specifierLen));
2798        // Don't do any more checking.  We will just emit
2799        // spurious errors.
2800        return false;
2801      }
2802    }
2803  }
2804  return true;
2805}
2806
2807void CheckPrintfHandler::HandleInvalidAmount(
2808                                      const analyze_printf::PrintfSpecifier &FS,
2809                                      const analyze_printf::OptionalAmount &Amt,
2810                                      unsigned type,
2811                                      const char *startSpecifier,
2812                                      unsigned specifierLen) {
2813  const analyze_printf::PrintfConversionSpecifier &CS =
2814    FS.getConversionSpecifier();
2815
2816  FixItHint fixit =
2817    Amt.getHowSpecified() == analyze_printf::OptionalAmount::Constant
2818      ? FixItHint::CreateRemoval(getSpecifierRange(Amt.getStart(),
2819                                 Amt.getConstantLength()))
2820      : FixItHint();
2821
2822  EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_optional_amount)
2823                         << type << CS.toString(),
2824                       getLocationOfByte(Amt.getStart()),
2825                       /*IsStringLocation*/true,
2826                       getSpecifierRange(startSpecifier, specifierLen),
2827                       fixit);
2828}
2829
2830void CheckPrintfHandler::HandleFlag(const analyze_printf::PrintfSpecifier &FS,
2831                                    const analyze_printf::OptionalFlag &flag,
2832                                    const char *startSpecifier,
2833                                    unsigned specifierLen) {
2834  // Warn about pointless flag with a fixit removal.
2835  const analyze_printf::PrintfConversionSpecifier &CS =
2836    FS.getConversionSpecifier();
2837  EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_flag)
2838                         << flag.toString() << CS.toString(),
2839                       getLocationOfByte(flag.getPosition()),
2840                       /*IsStringLocation*/true,
2841                       getSpecifierRange(startSpecifier, specifierLen),
2842                       FixItHint::CreateRemoval(
2843                         getSpecifierRange(flag.getPosition(), 1)));
2844}
2845
2846void CheckPrintfHandler::HandleIgnoredFlag(
2847                                const analyze_printf::PrintfSpecifier &FS,
2848                                const analyze_printf::OptionalFlag &ignoredFlag,
2849                                const analyze_printf::OptionalFlag &flag,
2850                                const char *startSpecifier,
2851                                unsigned specifierLen) {
2852  // Warn about ignored flag with a fixit removal.
2853  EmitFormatDiagnostic(S.PDiag(diag::warn_printf_ignored_flag)
2854                         << ignoredFlag.toString() << flag.toString(),
2855                       getLocationOfByte(ignoredFlag.getPosition()),
2856                       /*IsStringLocation*/true,
2857                       getSpecifierRange(startSpecifier, specifierLen),
2858                       FixItHint::CreateRemoval(
2859                         getSpecifierRange(ignoredFlag.getPosition(), 1)));
2860}
2861
2862// Determines if the specified is a C++ class or struct containing
2863// a member with the specified name and kind (e.g. a CXXMethodDecl named
2864// "c_str()").
2865template<typename MemberKind>
2866static llvm::SmallPtrSet<MemberKind*, 1>
2867CXXRecordMembersNamed(StringRef Name, Sema &S, QualType Ty) {
2868  const RecordType *RT = Ty->getAs<RecordType>();
2869  llvm::SmallPtrSet<MemberKind*, 1> Results;
2870
2871  if (!RT)
2872    return Results;
2873  const CXXRecordDecl *RD = dyn_cast<CXXRecordDecl>(RT->getDecl());
2874  if (!RD || !RD->getDefinition())
2875    return Results;
2876
2877  LookupResult R(S, &S.Context.Idents.get(Name), SourceLocation(),
2878                 Sema::LookupMemberName);
2879  R.suppressDiagnostics();
2880
2881  // We just need to include all members of the right kind turned up by the
2882  // filter, at this point.
2883  if (S.LookupQualifiedName(R, RT->getDecl()))
2884    for (LookupResult::iterator I = R.begin(), E = R.end(); I != E; ++I) {
2885      NamedDecl *decl = (*I)->getUnderlyingDecl();
2886      if (MemberKind *FK = dyn_cast<MemberKind>(decl))
2887        Results.insert(FK);
2888    }
2889  return Results;
2890}
2891
2892/// Check if we could call '.c_str()' on an object.
2893///
2894/// FIXME: This returns the wrong results in some cases (if cv-qualifiers don't
2895/// allow the call, or if it would be ambiguous).
2896bool Sema::hasCStrMethod(const Expr *E) {
2897  typedef llvm::SmallPtrSet<CXXMethodDecl*, 1> MethodSet;
2898  MethodSet Results =
2899      CXXRecordMembersNamed<CXXMethodDecl>("c_str", *this, E->getType());
2900  for (MethodSet::iterator MI = Results.begin(), ME = Results.end();
2901       MI != ME; ++MI)
2902    if ((*MI)->getMinRequiredArguments() == 0)
2903      return true;
2904  return false;
2905}
2906
2907// Check if a (w)string was passed when a (w)char* was needed, and offer a
2908// better diagnostic if so. AT is assumed to be valid.
2909// Returns true when a c_str() conversion method is found.
2910bool CheckPrintfHandler::checkForCStrMembers(
2911    const analyze_printf::ArgType &AT, const Expr *E) {
2912  typedef llvm::SmallPtrSet<CXXMethodDecl*, 1> MethodSet;
2913
2914  MethodSet Results =
2915      CXXRecordMembersNamed<CXXMethodDecl>("c_str", S, E->getType());
2916
2917  for (MethodSet::iterator MI = Results.begin(), ME = Results.end();
2918       MI != ME; ++MI) {
2919    const CXXMethodDecl *Method = *MI;
2920    if (Method->getMinRequiredArguments() == 0 &&
2921        AT.matchesType(S.Context, Method->getReturnType())) {
2922      // FIXME: Suggest parens if the expression needs them.
2923      SourceLocation EndLoc = S.getLocForEndOfToken(E->getLocEnd());
2924      S.Diag(E->getLocStart(), diag::note_printf_c_str)
2925          << "c_str()"
2926          << FixItHint::CreateInsertion(EndLoc, ".c_str()");
2927      return true;
2928    }
2929  }
2930
2931  return false;
2932}
2933
2934bool
2935CheckPrintfHandler::HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier
2936                                            &FS,
2937                                          const char *startSpecifier,
2938                                          unsigned specifierLen) {
2939
2940  using namespace analyze_format_string;
2941  using namespace analyze_printf;
2942  const PrintfConversionSpecifier &CS = FS.getConversionSpecifier();
2943
2944  if (FS.consumesDataArgument()) {
2945    if (atFirstArg) {
2946        atFirstArg = false;
2947        usesPositionalArgs = FS.usesPositionalArg();
2948    }
2949    else if (usesPositionalArgs != FS.usesPositionalArg()) {
2950      HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()),
2951                                        startSpecifier, specifierLen);
2952      return false;
2953    }
2954  }
2955
2956  // First check if the field width, precision, and conversion specifier
2957  // have matching data arguments.
2958  if (!HandleAmount(FS.getFieldWidth(), /* field width */ 0,
2959                    startSpecifier, specifierLen)) {
2960    return false;
2961  }
2962
2963  if (!HandleAmount(FS.getPrecision(), /* precision */ 1,
2964                    startSpecifier, specifierLen)) {
2965    return false;
2966  }
2967
2968  if (!CS.consumesDataArgument()) {
2969    // FIXME: Technically specifying a precision or field width here
2970    // makes no sense.  Worth issuing a warning at some point.
2971    return true;
2972  }
2973
2974  // Consume the argument.
2975  unsigned argIndex = FS.getArgIndex();
2976  if (argIndex < NumDataArgs) {
2977    // The check to see if the argIndex is valid will come later.
2978    // We set the bit here because we may exit early from this
2979    // function if we encounter some other error.
2980    CoveredArgs.set(argIndex);
2981  }
2982
2983  // Check for using an Objective-C specific conversion specifier
2984  // in a non-ObjC literal.
2985  if (!ObjCContext && CS.isObjCArg()) {
2986    return HandleInvalidPrintfConversionSpecifier(FS, startSpecifier,
2987                                                  specifierLen);
2988  }
2989
2990  // Check for invalid use of field width
2991  if (!FS.hasValidFieldWidth()) {
2992    HandleInvalidAmount(FS, FS.getFieldWidth(), /* field width */ 0,
2993        startSpecifier, specifierLen);
2994  }
2995
2996  // Check for invalid use of precision
2997  if (!FS.hasValidPrecision()) {
2998    HandleInvalidAmount(FS, FS.getPrecision(), /* precision */ 1,
2999        startSpecifier, specifierLen);
3000  }
3001
3002  // Check each flag does not conflict with any other component.
3003  if (!FS.hasValidThousandsGroupingPrefix())
3004    HandleFlag(FS, FS.hasThousandsGrouping(), startSpecifier, specifierLen);
3005  if (!FS.hasValidLeadingZeros())
3006    HandleFlag(FS, FS.hasLeadingZeros(), startSpecifier, specifierLen);
3007  if (!FS.hasValidPlusPrefix())
3008    HandleFlag(FS, FS.hasPlusPrefix(), startSpecifier, specifierLen);
3009  if (!FS.hasValidSpacePrefix())
3010    HandleFlag(FS, FS.hasSpacePrefix(), startSpecifier, specifierLen);
3011  if (!FS.hasValidAlternativeForm())
3012    HandleFlag(FS, FS.hasAlternativeForm(), startSpecifier, specifierLen);
3013  if (!FS.hasValidLeftJustified())
3014    HandleFlag(FS, FS.isLeftJustified(), startSpecifier, specifierLen);
3015
3016  // Check that flags are not ignored by another flag
3017  if (FS.hasSpacePrefix() && FS.hasPlusPrefix()) // ' ' ignored by '+'
3018    HandleIgnoredFlag(FS, FS.hasSpacePrefix(), FS.hasPlusPrefix(),
3019        startSpecifier, specifierLen);
3020  if (FS.hasLeadingZeros() && FS.isLeftJustified()) // '0' ignored by '-'
3021    HandleIgnoredFlag(FS, FS.hasLeadingZeros(), FS.isLeftJustified(),
3022            startSpecifier, specifierLen);
3023
3024  // Check the length modifier is valid with the given conversion specifier.
3025  if (!FS.hasValidLengthModifier(S.getASTContext().getTargetInfo()))
3026    HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen,
3027                                diag::warn_format_nonsensical_length);
3028  else if (!FS.hasStandardLengthModifier())
3029    HandleNonStandardLengthModifier(FS, startSpecifier, specifierLen);
3030  else if (!FS.hasStandardLengthConversionCombination())
3031    HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen,
3032                                diag::warn_format_non_standard_conversion_spec);
3033
3034  if (!FS.hasStandardConversionSpecifier(S.getLangOpts()))
3035    HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen);
3036
3037  // The remaining checks depend on the data arguments.
3038  if (HasVAListArg)
3039    return true;
3040
3041  if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex))
3042    return false;
3043
3044  const Expr *Arg = getDataArg(argIndex);
3045  if (!Arg)
3046    return true;
3047
3048  return checkFormatExpr(FS, startSpecifier, specifierLen, Arg);
3049}
3050
3051static bool requiresParensToAddCast(const Expr *E) {
3052  // FIXME: We should have a general way to reason about operator
3053  // precedence and whether parens are actually needed here.
3054  // Take care of a few common cases where they aren't.
3055  const Expr *Inside = E->IgnoreImpCasts();
3056  if (const PseudoObjectExpr *POE = dyn_cast<PseudoObjectExpr>(Inside))
3057    Inside = POE->getSyntacticForm()->IgnoreImpCasts();
3058
3059  switch (Inside->getStmtClass()) {
3060  case Stmt::ArraySubscriptExprClass:
3061  case Stmt::CallExprClass:
3062  case Stmt::CharacterLiteralClass:
3063  case Stmt::CXXBoolLiteralExprClass:
3064  case Stmt::DeclRefExprClass:
3065  case Stmt::FloatingLiteralClass:
3066  case Stmt::IntegerLiteralClass:
3067  case Stmt::MemberExprClass:
3068  case Stmt::ObjCArrayLiteralClass:
3069  case Stmt::ObjCBoolLiteralExprClass:
3070  case Stmt::ObjCBoxedExprClass:
3071  case Stmt::ObjCDictionaryLiteralClass:
3072  case Stmt::ObjCEncodeExprClass:
3073  case Stmt::ObjCIvarRefExprClass:
3074  case Stmt::ObjCMessageExprClass:
3075  case Stmt::ObjCPropertyRefExprClass:
3076  case Stmt::ObjCStringLiteralClass:
3077  case Stmt::ObjCSubscriptRefExprClass:
3078  case Stmt::ParenExprClass:
3079  case Stmt::StringLiteralClass:
3080  case Stmt::UnaryOperatorClass:
3081    return false;
3082  default:
3083    return true;
3084  }
3085}
3086
3087bool
3088CheckPrintfHandler::checkFormatExpr(const analyze_printf::PrintfSpecifier &FS,
3089                                    const char *StartSpecifier,
3090                                    unsigned SpecifierLen,
3091                                    const Expr *E) {
3092  using namespace analyze_format_string;
3093  using namespace analyze_printf;
3094  // Now type check the data expression that matches the
3095  // format specifier.
3096  const analyze_printf::ArgType &AT = FS.getArgType(S.Context,
3097                                                    ObjCContext);
3098  if (!AT.isValid())
3099    return true;
3100
3101  QualType ExprTy = E->getType();
3102  while (const TypeOfExprType *TET = dyn_cast<TypeOfExprType>(ExprTy)) {
3103    ExprTy = TET->getUnderlyingExpr()->getType();
3104  }
3105
3106  if (AT.matchesType(S.Context, ExprTy))
3107    return true;
3108
3109  // Look through argument promotions for our error message's reported type.
3110  // This includes the integral and floating promotions, but excludes array
3111  // and function pointer decay; seeing that an argument intended to be a
3112  // string has type 'char [6]' is probably more confusing than 'char *'.
3113  if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) {
3114    if (ICE->getCastKind() == CK_IntegralCast ||
3115        ICE->getCastKind() == CK_FloatingCast) {
3116      E = ICE->getSubExpr();
3117      ExprTy = E->getType();
3118
3119      // Check if we didn't match because of an implicit cast from a 'char'
3120      // or 'short' to an 'int'.  This is done because printf is a varargs
3121      // function.
3122      if (ICE->getType() == S.Context.IntTy ||
3123          ICE->getType() == S.Context.UnsignedIntTy) {
3124        // All further checking is done on the subexpression.
3125        if (AT.matchesType(S.Context, ExprTy))
3126          return true;
3127      }
3128    }
3129  } else if (const CharacterLiteral *CL = dyn_cast<CharacterLiteral>(E)) {
3130    // Special case for 'a', which has type 'int' in C.
3131    // Note, however, that we do /not/ want to treat multibyte constants like
3132    // 'MooV' as characters! This form is deprecated but still exists.
3133    if (ExprTy == S.Context.IntTy)
3134      if (llvm::isUIntN(S.Context.getCharWidth(), CL->getValue()))
3135        ExprTy = S.Context.CharTy;
3136  }
3137
3138  // Look through enums to their underlying type.
3139  bool IsEnum = false;
3140  if (auto EnumTy = ExprTy->getAs<EnumType>()) {
3141    ExprTy = EnumTy->getDecl()->getIntegerType();
3142    IsEnum = true;
3143  }
3144
3145  // %C in an Objective-C context prints a unichar, not a wchar_t.
3146  // If the argument is an integer of some kind, believe the %C and suggest
3147  // a cast instead of changing the conversion specifier.
3148  QualType IntendedTy = ExprTy;
3149  if (ObjCContext &&
3150      FS.getConversionSpecifier().getKind() == ConversionSpecifier::CArg) {
3151    if (ExprTy->isIntegralOrUnscopedEnumerationType() &&
3152        !ExprTy->isCharType()) {
3153      // 'unichar' is defined as a typedef of unsigned short, but we should
3154      // prefer using the typedef if it is visible.
3155      IntendedTy = S.Context.UnsignedShortTy;
3156
3157      // While we are here, check if the value is an IntegerLiteral that happens
3158      // to be within the valid range.
3159      if (const IntegerLiteral *IL = dyn_cast<IntegerLiteral>(E)) {
3160        const llvm::APInt &V = IL->getValue();
3161        if (V.getActiveBits() <= S.Context.getTypeSize(IntendedTy))
3162          return true;
3163      }
3164
3165      LookupResult Result(S, &S.Context.Idents.get("unichar"), E->getLocStart(),
3166                          Sema::LookupOrdinaryName);
3167      if (S.LookupName(Result, S.getCurScope())) {
3168        NamedDecl *ND = Result.getFoundDecl();
3169        if (TypedefNameDecl *TD = dyn_cast<TypedefNameDecl>(ND))
3170          if (TD->getUnderlyingType() == IntendedTy)
3171            IntendedTy = S.Context.getTypedefType(TD);
3172      }
3173    }
3174  }
3175
3176  // Special-case some of Darwin's platform-independence types by suggesting
3177  // casts to primitive types that are known to be large enough.
3178  bool ShouldNotPrintDirectly = false;
3179  if (S.Context.getTargetInfo().getTriple().isOSDarwin()) {
3180    // Use a 'while' to peel off layers of typedefs.
3181    QualType TyTy = IntendedTy;
3182    while (const TypedefType *UserTy = TyTy->getAs<TypedefType>()) {
3183      StringRef Name = UserTy->getDecl()->getName();
3184      QualType CastTy = llvm::StringSwitch<QualType>(Name)
3185        .Case("NSInteger", S.Context.LongTy)
3186        .Case("NSUInteger", S.Context.UnsignedLongTy)
3187        .Case("SInt32", S.Context.IntTy)
3188        .Case("UInt32", S.Context.UnsignedIntTy)
3189        .Default(QualType());
3190
3191      if (!CastTy.isNull()) {
3192        ShouldNotPrintDirectly = true;
3193        IntendedTy = CastTy;
3194        break;
3195      }
3196      TyTy = UserTy->desugar();
3197    }
3198  }
3199
3200  // We may be able to offer a FixItHint if it is a supported type.
3201  PrintfSpecifier fixedFS = FS;
3202  bool success = fixedFS.fixType(IntendedTy, S.getLangOpts(),
3203                                 S.Context, ObjCContext);
3204
3205  if (success) {
3206    // Get the fix string from the fixed format specifier
3207    SmallString<16> buf;
3208    llvm::raw_svector_ostream os(buf);
3209    fixedFS.toString(os);
3210
3211    CharSourceRange SpecRange = getSpecifierRange(StartSpecifier, SpecifierLen);
3212
3213    if (IntendedTy == ExprTy) {
3214      // In this case, the specifier is wrong and should be changed to match
3215      // the argument.
3216      EmitFormatDiagnostic(
3217        S.PDiag(diag::warn_format_conversion_argument_type_mismatch)
3218          << AT.getRepresentativeTypeName(S.Context) << IntendedTy << IsEnum
3219          << E->getSourceRange(),
3220        E->getLocStart(),
3221        /*IsStringLocation*/false,
3222        SpecRange,
3223        FixItHint::CreateReplacement(SpecRange, os.str()));
3224
3225    } else {
3226      // The canonical type for formatting this value is different from the
3227      // actual type of the expression. (This occurs, for example, with Darwin's
3228      // NSInteger on 32-bit platforms, where it is typedef'd as 'int', but
3229      // should be printed as 'long' for 64-bit compatibility.)
3230      // Rather than emitting a normal format/argument mismatch, we want to
3231      // add a cast to the recommended type (and correct the format string
3232      // if necessary).
3233      SmallString<16> CastBuf;
3234      llvm::raw_svector_ostream CastFix(CastBuf);
3235      CastFix << "(";
3236      IntendedTy.print(CastFix, S.Context.getPrintingPolicy());
3237      CastFix << ")";
3238
3239      SmallVector<FixItHint,4> Hints;
3240      if (!AT.matchesType(S.Context, IntendedTy))
3241        Hints.push_back(FixItHint::CreateReplacement(SpecRange, os.str()));
3242
3243      if (const CStyleCastExpr *CCast = dyn_cast<CStyleCastExpr>(E)) {
3244        // If there's already a cast present, just replace it.
3245        SourceRange CastRange(CCast->getLParenLoc(), CCast->getRParenLoc());
3246        Hints.push_back(FixItHint::CreateReplacement(CastRange, CastFix.str()));
3247
3248      } else if (!requiresParensToAddCast(E)) {
3249        // If the expression has high enough precedence,
3250        // just write the C-style cast.
3251        Hints.push_back(FixItHint::CreateInsertion(E->getLocStart(),
3252                                                   CastFix.str()));
3253      } else {
3254        // Otherwise, add parens around the expression as well as the cast.
3255        CastFix << "(";
3256        Hints.push_back(FixItHint::CreateInsertion(E->getLocStart(),
3257                                                   CastFix.str()));
3258
3259        SourceLocation After = S.getLocForEndOfToken(E->getLocEnd());
3260        Hints.push_back(FixItHint::CreateInsertion(After, ")"));
3261      }
3262
3263      if (ShouldNotPrintDirectly) {
3264        // The expression has a type that should not be printed directly.
3265        // We extract the name from the typedef because we don't want to show
3266        // the underlying type in the diagnostic.
3267        StringRef Name = cast<TypedefType>(ExprTy)->getDecl()->getName();
3268
3269        EmitFormatDiagnostic(S.PDiag(diag::warn_format_argument_needs_cast)
3270                               << Name << IntendedTy << IsEnum
3271                               << E->getSourceRange(),
3272                             E->getLocStart(), /*IsStringLocation=*/false,
3273                             SpecRange, Hints);
3274      } else {
3275        // In this case, the expression could be printed using a different
3276        // specifier, but we've decided that the specifier is probably correct
3277        // and we should cast instead. Just use the normal warning message.
3278        EmitFormatDiagnostic(
3279          S.PDiag(diag::warn_format_conversion_argument_type_mismatch)
3280            << AT.getRepresentativeTypeName(S.Context) << ExprTy << IsEnum
3281            << E->getSourceRange(),
3282          E->getLocStart(), /*IsStringLocation*/false,
3283          SpecRange, Hints);
3284      }
3285    }
3286  } else {
3287    const CharSourceRange &CSR = getSpecifierRange(StartSpecifier,
3288                                                   SpecifierLen);
3289    // Since the warning for passing non-POD types to variadic functions
3290    // was deferred until now, we emit a warning for non-POD
3291    // arguments here.
3292    switch (S.isValidVarArgType(ExprTy)) {
3293    case Sema::VAK_Valid:
3294    case Sema::VAK_ValidInCXX11:
3295      EmitFormatDiagnostic(
3296        S.PDiag(diag::warn_format_conversion_argument_type_mismatch)
3297          << AT.getRepresentativeTypeName(S.Context) << ExprTy << IsEnum
3298          << CSR
3299          << E->getSourceRange(),
3300        E->getLocStart(), /*IsStringLocation*/false, CSR);
3301      break;
3302
3303    case Sema::VAK_Undefined:
3304      EmitFormatDiagnostic(
3305        S.PDiag(diag::warn_non_pod_vararg_with_format_string)
3306          << S.getLangOpts().CPlusPlus11
3307          << ExprTy
3308          << CallType
3309          << AT.getRepresentativeTypeName(S.Context)
3310          << CSR
3311          << E->getSourceRange(),
3312        E->getLocStart(), /*IsStringLocation*/false, CSR);
3313      checkForCStrMembers(AT, E);
3314      break;
3315
3316    case Sema::VAK_Invalid:
3317      if (ExprTy->isObjCObjectType())
3318        EmitFormatDiagnostic(
3319          S.PDiag(diag::err_cannot_pass_objc_interface_to_vararg_format)
3320            << S.getLangOpts().CPlusPlus11
3321            << ExprTy
3322            << CallType
3323            << AT.getRepresentativeTypeName(S.Context)
3324            << CSR
3325            << E->getSourceRange(),
3326          E->getLocStart(), /*IsStringLocation*/false, CSR);
3327      else
3328        // FIXME: If this is an initializer list, suggest removing the braces
3329        // or inserting a cast to the target type.
3330        S.Diag(E->getLocStart(), diag::err_cannot_pass_to_vararg_format)
3331          << isa<InitListExpr>(E) << ExprTy << CallType
3332          << AT.getRepresentativeTypeName(S.Context)
3333          << E->getSourceRange();
3334      break;
3335    }
3336
3337    assert(FirstDataArg + FS.getArgIndex() < CheckedVarArgs.size() &&
3338           "format string specifier index out of range");
3339    CheckedVarArgs[FirstDataArg + FS.getArgIndex()] = true;
3340  }
3341
3342  return true;
3343}
3344
3345//===--- CHECK: Scanf format string checking ------------------------------===//
3346
3347namespace {
3348class CheckScanfHandler : public CheckFormatHandler {
3349public:
3350  CheckScanfHandler(Sema &s, const StringLiteral *fexpr,
3351                    const Expr *origFormatExpr, unsigned firstDataArg,
3352                    unsigned numDataArgs, const char *beg, bool hasVAListArg,
3353                    ArrayRef<const Expr *> Args,
3354                    unsigned formatIdx, bool inFunctionCall,
3355                    Sema::VariadicCallType CallType,
3356                    llvm::SmallBitVector &CheckedVarArgs)
3357    : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg,
3358                         numDataArgs, beg, hasVAListArg,
3359                         Args, formatIdx, inFunctionCall, CallType,
3360                         CheckedVarArgs)
3361  {}
3362
3363  bool HandleScanfSpecifier(const analyze_scanf::ScanfSpecifier &FS,
3364                            const char *startSpecifier,
3365                            unsigned specifierLen) override;
3366
3367  bool HandleInvalidScanfConversionSpecifier(
3368          const analyze_scanf::ScanfSpecifier &FS,
3369          const char *startSpecifier,
3370          unsigned specifierLen) override;
3371
3372  void HandleIncompleteScanList(const char *start, const char *end) override;
3373};
3374}
3375
3376void CheckScanfHandler::HandleIncompleteScanList(const char *start,
3377                                                 const char *end) {
3378  EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_scanlist_incomplete),
3379                       getLocationOfByte(end), /*IsStringLocation*/true,
3380                       getSpecifierRange(start, end - start));
3381}
3382
3383bool CheckScanfHandler::HandleInvalidScanfConversionSpecifier(
3384                                        const analyze_scanf::ScanfSpecifier &FS,
3385                                        const char *startSpecifier,
3386                                        unsigned specifierLen) {
3387
3388  const analyze_scanf::ScanfConversionSpecifier &CS =
3389    FS.getConversionSpecifier();
3390
3391  return HandleInvalidConversionSpecifier(FS.getArgIndex(),
3392                                          getLocationOfByte(CS.getStart()),
3393                                          startSpecifier, specifierLen,
3394                                          CS.getStart(), CS.getLength());
3395}
3396
3397bool CheckScanfHandler::HandleScanfSpecifier(
3398                                       const analyze_scanf::ScanfSpecifier &FS,
3399                                       const char *startSpecifier,
3400                                       unsigned specifierLen) {
3401
3402  using namespace analyze_scanf;
3403  using namespace analyze_format_string;
3404
3405  const ScanfConversionSpecifier &CS = FS.getConversionSpecifier();
3406
3407  // Handle case where '%' and '*' don't consume an argument.  These shouldn't
3408  // be used to decide if we are using positional arguments consistently.
3409  if (FS.consumesDataArgument()) {
3410    if (atFirstArg) {
3411      atFirstArg = false;
3412      usesPositionalArgs = FS.usesPositionalArg();
3413    }
3414    else if (usesPositionalArgs != FS.usesPositionalArg()) {
3415      HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()),
3416                                        startSpecifier, specifierLen);
3417      return false;
3418    }
3419  }
3420
3421  // Check if the field with is non-zero.
3422  const OptionalAmount &Amt = FS.getFieldWidth();
3423  if (Amt.getHowSpecified() == OptionalAmount::Constant) {
3424    if (Amt.getConstantAmount() == 0) {
3425      const CharSourceRange &R = getSpecifierRange(Amt.getStart(),
3426                                                   Amt.getConstantLength());
3427      EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_nonzero_width),
3428                           getLocationOfByte(Amt.getStart()),
3429                           /*IsStringLocation*/true, R,
3430                           FixItHint::CreateRemoval(R));
3431    }
3432  }
3433
3434  if (!FS.consumesDataArgument()) {
3435    // FIXME: Technically specifying a precision or field width here
3436    // makes no sense.  Worth issuing a warning at some point.
3437    return true;
3438  }
3439
3440  // Consume the argument.
3441  unsigned argIndex = FS.getArgIndex();
3442  if (argIndex < NumDataArgs) {
3443      // The check to see if the argIndex is valid will come later.
3444      // We set the bit here because we may exit early from this
3445      // function if we encounter some other error.
3446    CoveredArgs.set(argIndex);
3447  }
3448
3449  // Check the length modifier is valid with the given conversion specifier.
3450  if (!FS.hasValidLengthModifier(S.getASTContext().getTargetInfo()))
3451    HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen,
3452                                diag::warn_format_nonsensical_length);
3453  else if (!FS.hasStandardLengthModifier())
3454    HandleNonStandardLengthModifier(FS, startSpecifier, specifierLen);
3455  else if (!FS.hasStandardLengthConversionCombination())
3456    HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen,
3457                                diag::warn_format_non_standard_conversion_spec);
3458
3459  if (!FS.hasStandardConversionSpecifier(S.getLangOpts()))
3460    HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen);
3461
3462  // The remaining checks depend on the data arguments.
3463  if (HasVAListArg)
3464    return true;
3465
3466  if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex))
3467    return false;
3468
3469  // Check that the argument type matches the format specifier.
3470  const Expr *Ex = getDataArg(argIndex);
3471  if (!Ex)
3472    return true;
3473
3474  const analyze_format_string::ArgType &AT = FS.getArgType(S.Context);
3475  if (AT.isValid() && !AT.matchesType(S.Context, Ex->getType())) {
3476    ScanfSpecifier fixedFS = FS;
3477    bool success = fixedFS.fixType(Ex->getType(),
3478                                   Ex->IgnoreImpCasts()->getType(),
3479                                   S.getLangOpts(), S.Context);
3480
3481    if (success) {
3482      // Get the fix string from the fixed format specifier.
3483      SmallString<128> buf;
3484      llvm::raw_svector_ostream os(buf);
3485      fixedFS.toString(os);
3486
3487      EmitFormatDiagnostic(
3488        S.PDiag(diag::warn_format_conversion_argument_type_mismatch)
3489          << AT.getRepresentativeTypeName(S.Context) << Ex->getType() << false
3490          << Ex->getSourceRange(),
3491        Ex->getLocStart(),
3492        /*IsStringLocation*/false,
3493        getSpecifierRange(startSpecifier, specifierLen),
3494        FixItHint::CreateReplacement(
3495          getSpecifierRange(startSpecifier, specifierLen),
3496          os.str()));
3497    } else {
3498      EmitFormatDiagnostic(
3499        S.PDiag(diag::warn_format_conversion_argument_type_mismatch)
3500          << AT.getRepresentativeTypeName(S.Context) << Ex->getType() << false
3501          << Ex->getSourceRange(),
3502        Ex->getLocStart(),
3503        /*IsStringLocation*/false,
3504        getSpecifierRange(startSpecifier, specifierLen));
3505    }
3506  }
3507
3508  return true;
3509}
3510
3511void Sema::CheckFormatString(const StringLiteral *FExpr,
3512                             const Expr *OrigFormatExpr,
3513                             ArrayRef<const Expr *> Args,
3514                             bool HasVAListArg, unsigned format_idx,
3515                             unsigned firstDataArg, FormatStringType Type,
3516                             bool inFunctionCall, VariadicCallType CallType,
3517                             llvm::SmallBitVector &CheckedVarArgs) {
3518
3519  // CHECK: is the format string a wide literal?
3520  if (!FExpr->isAscii() && !FExpr->isUTF8()) {
3521    CheckFormatHandler::EmitFormatDiagnostic(
3522      *this, inFunctionCall, Args[format_idx],
3523      PDiag(diag::warn_format_string_is_wide_literal), FExpr->getLocStart(),
3524      /*IsStringLocation*/true, OrigFormatExpr->getSourceRange());
3525    return;
3526  }
3527
3528  // Str - The format string.  NOTE: this is NOT null-terminated!
3529  StringRef StrRef = FExpr->getString();
3530  const char *Str = StrRef.data();
3531  // Account for cases where the string literal is truncated in a declaration.
3532  const ConstantArrayType *T = Context.getAsConstantArrayType(FExpr->getType());
3533  assert(T && "String literal not of constant array type!");
3534  size_t TypeSize = T->getSize().getZExtValue();
3535  size_t StrLen = std::min(std::max(TypeSize, size_t(1)) - 1, StrRef.size());
3536  const unsigned numDataArgs = Args.size() - firstDataArg;
3537
3538  // Emit a warning if the string literal is truncated and does not contain an
3539  // embedded null character.
3540  if (TypeSize <= StrRef.size() &&
3541      StrRef.substr(0, TypeSize).find('\0') == StringRef::npos) {
3542    CheckFormatHandler::EmitFormatDiagnostic(
3543        *this, inFunctionCall, Args[format_idx],
3544        PDiag(diag::warn_printf_format_string_not_null_terminated),
3545        FExpr->getLocStart(),
3546        /*IsStringLocation=*/true, OrigFormatExpr->getSourceRange());
3547    return;
3548  }
3549
3550  // CHECK: empty format string?
3551  if (StrLen == 0 && numDataArgs > 0) {
3552    CheckFormatHandler::EmitFormatDiagnostic(
3553      *this, inFunctionCall, Args[format_idx],
3554      PDiag(diag::warn_empty_format_string), FExpr->getLocStart(),
3555      /*IsStringLocation*/true, OrigFormatExpr->getSourceRange());
3556    return;
3557  }
3558
3559  if (Type == FST_Printf || Type == FST_NSString) {
3560    CheckPrintfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg,
3561                         numDataArgs, (Type == FST_NSString),
3562                         Str, HasVAListArg, Args, format_idx,
3563                         inFunctionCall, CallType, CheckedVarArgs);
3564
3565    if (!analyze_format_string::ParsePrintfString(H, Str, Str + StrLen,
3566                                                  getLangOpts(),
3567                                                  Context.getTargetInfo()))
3568      H.DoneProcessing();
3569  } else if (Type == FST_Scanf) {
3570    CheckScanfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, numDataArgs,
3571                        Str, HasVAListArg, Args, format_idx,
3572                        inFunctionCall, CallType, CheckedVarArgs);
3573
3574    if (!analyze_format_string::ParseScanfString(H, Str, Str + StrLen,
3575                                                 getLangOpts(),
3576                                                 Context.getTargetInfo()))
3577      H.DoneProcessing();
3578  } // TODO: handle other formats
3579}
3580
3581//===--- CHECK: Warn on use of wrong absolute value function. -------------===//
3582
3583// Returns the related absolute value function that is larger, of 0 if one
3584// does not exist.
3585static unsigned getLargerAbsoluteValueFunction(unsigned AbsFunction) {
3586  switch (AbsFunction) {
3587  default:
3588    return 0;
3589
3590  case Builtin::BI__builtin_abs:
3591    return Builtin::BI__builtin_labs;
3592  case Builtin::BI__builtin_labs:
3593    return Builtin::BI__builtin_llabs;
3594  case Builtin::BI__builtin_llabs:
3595    return 0;
3596
3597  case Builtin::BI__builtin_fabsf:
3598    return Builtin::BI__builtin_fabs;
3599  case Builtin::BI__builtin_fabs:
3600    return Builtin::BI__builtin_fabsl;
3601  case Builtin::BI__builtin_fabsl:
3602    return 0;
3603
3604  case Builtin::BI__builtin_cabsf:
3605    return Builtin::BI__builtin_cabs;
3606  case Builtin::BI__builtin_cabs:
3607    return Builtin::BI__builtin_cabsl;
3608  case Builtin::BI__builtin_cabsl:
3609    return 0;
3610
3611  case Builtin::BIabs:
3612    return Builtin::BIlabs;
3613  case Builtin::BIlabs:
3614    return Builtin::BIllabs;
3615  case Builtin::BIllabs:
3616    return 0;
3617
3618  case Builtin::BIfabsf:
3619    return Builtin::BIfabs;
3620  case Builtin::BIfabs:
3621    return Builtin::BIfabsl;
3622  case Builtin::BIfabsl:
3623    return 0;
3624
3625  case Builtin::BIcabsf:
3626   return Builtin::BIcabs;
3627  case Builtin::BIcabs:
3628    return Builtin::BIcabsl;
3629  case Builtin::BIcabsl:
3630    return 0;
3631  }
3632}
3633
3634// Returns the argument type of the absolute value function.
3635static QualType getAbsoluteValueArgumentType(ASTContext &Context,
3636                                             unsigned AbsType) {
3637  if (AbsType == 0)
3638    return QualType();
3639
3640  ASTContext::GetBuiltinTypeError Error = ASTContext::GE_None;
3641  QualType BuiltinType = Context.GetBuiltinType(AbsType, Error);
3642  if (Error != ASTContext::GE_None)
3643    return QualType();
3644
3645  const FunctionProtoType *FT = BuiltinType->getAs<FunctionProtoType>();
3646  if (!FT)
3647    return QualType();
3648
3649  if (FT->getNumParams() != 1)
3650    return QualType();
3651
3652  return FT->getParamType(0);
3653}
3654
3655// Returns the best absolute value function, or zero, based on type and
3656// current absolute value function.
3657static unsigned getBestAbsFunction(ASTContext &Context, QualType ArgType,
3658                                   unsigned AbsFunctionKind) {
3659  unsigned BestKind = 0;
3660  uint64_t ArgSize = Context.getTypeSize(ArgType);
3661  for (unsigned Kind = AbsFunctionKind; Kind != 0;
3662       Kind = getLargerAbsoluteValueFunction(Kind)) {
3663    QualType ParamType = getAbsoluteValueArgumentType(Context, Kind);
3664    if (Context.getTypeSize(ParamType) >= ArgSize) {
3665      if (BestKind == 0)
3666        BestKind = Kind;
3667      else if (Context.hasSameType(ParamType, ArgType)) {
3668        BestKind = Kind;
3669        break;
3670      }
3671    }
3672  }
3673  return BestKind;
3674}
3675
3676enum AbsoluteValueKind {
3677  AVK_Integer,
3678  AVK_Floating,
3679  AVK_Complex
3680};
3681
3682static AbsoluteValueKind getAbsoluteValueKind(QualType T) {
3683  if (T->isIntegralOrEnumerationType())
3684    return AVK_Integer;
3685  if (T->isRealFloatingType())
3686    return AVK_Floating;
3687  if (T->isAnyComplexType())
3688    return AVK_Complex;
3689
3690  llvm_unreachable("Type not integer, floating, or complex");
3691}
3692
3693// Changes the absolute value function to a different type.  Preserves whether
3694// the function is a builtin.
3695static unsigned changeAbsFunction(unsigned AbsKind,
3696                                  AbsoluteValueKind ValueKind) {
3697  switch (ValueKind) {
3698  case AVK_Integer:
3699    switch (AbsKind) {
3700    default:
3701      return 0;
3702    case Builtin::BI__builtin_fabsf:
3703    case Builtin::BI__builtin_fabs:
3704    case Builtin::BI__builtin_fabsl:
3705    case Builtin::BI__builtin_cabsf:
3706    case Builtin::BI__builtin_cabs:
3707    case Builtin::BI__builtin_cabsl:
3708      return Builtin::BI__builtin_abs;
3709    case Builtin::BIfabsf:
3710    case Builtin::BIfabs:
3711    case Builtin::BIfabsl:
3712    case Builtin::BIcabsf:
3713    case Builtin::BIcabs:
3714    case Builtin::BIcabsl:
3715      return Builtin::BIabs;
3716    }
3717  case AVK_Floating:
3718    switch (AbsKind) {
3719    default:
3720      return 0;
3721    case Builtin::BI__builtin_abs:
3722    case Builtin::BI__builtin_labs:
3723    case Builtin::BI__builtin_llabs:
3724    case Builtin::BI__builtin_cabsf:
3725    case Builtin::BI__builtin_cabs:
3726    case Builtin::BI__builtin_cabsl:
3727      return Builtin::BI__builtin_fabsf;
3728    case Builtin::BIabs:
3729    case Builtin::BIlabs:
3730    case Builtin::BIllabs:
3731    case Builtin::BIcabsf:
3732    case Builtin::BIcabs:
3733    case Builtin::BIcabsl:
3734      return Builtin::BIfabsf;
3735    }
3736  case AVK_Complex:
3737    switch (AbsKind) {
3738    default:
3739      return 0;
3740    case Builtin::BI__builtin_abs:
3741    case Builtin::BI__builtin_labs:
3742    case Builtin::BI__builtin_llabs:
3743    case Builtin::BI__builtin_fabsf:
3744    case Builtin::BI__builtin_fabs:
3745    case Builtin::BI__builtin_fabsl:
3746      return Builtin::BI__builtin_cabsf;
3747    case Builtin::BIabs:
3748    case Builtin::BIlabs:
3749    case Builtin::BIllabs:
3750    case Builtin::BIfabsf:
3751    case Builtin::BIfabs:
3752    case Builtin::BIfabsl:
3753      return Builtin::BIcabsf;
3754    }
3755  }
3756  llvm_unreachable("Unable to convert function");
3757}
3758
3759static unsigned getAbsoluteValueFunctionKind(const FunctionDecl *FDecl) {
3760  const IdentifierInfo *FnInfo = FDecl->getIdentifier();
3761  if (!FnInfo)
3762    return 0;
3763
3764  switch (FDecl->getBuiltinID()) {
3765  default:
3766    return 0;
3767  case Builtin::BI__builtin_abs:
3768  case Builtin::BI__builtin_fabs:
3769  case Builtin::BI__builtin_fabsf:
3770  case Builtin::BI__builtin_fabsl:
3771  case Builtin::BI__builtin_labs:
3772  case Builtin::BI__builtin_llabs:
3773  case Builtin::BI__builtin_cabs:
3774  case Builtin::BI__builtin_cabsf:
3775  case Builtin::BI__builtin_cabsl:
3776  case Builtin::BIabs:
3777  case Builtin::BIlabs:
3778  case Builtin::BIllabs:
3779  case Builtin::BIfabs:
3780  case Builtin::BIfabsf:
3781  case Builtin::BIfabsl:
3782  case Builtin::BIcabs:
3783  case Builtin::BIcabsf:
3784  case Builtin::BIcabsl:
3785    return FDecl->getBuiltinID();
3786  }
3787  llvm_unreachable("Unknown Builtin type");
3788}
3789
3790// If the replacement is valid, emit a note with replacement function.
3791// Additionally, suggest including the proper header if not already included.
3792static void emitReplacement(Sema &S, SourceLocation Loc, SourceRange Range,
3793                            unsigned AbsKind, QualType ArgType) {
3794  bool EmitHeaderHint = true;
3795  const char *HeaderName = nullptr;
3796  const char *FunctionName = nullptr;
3797  if (S.getLangOpts().CPlusPlus && !ArgType->isAnyComplexType()) {
3798    FunctionName = "std::abs";
3799    if (ArgType->isIntegralOrEnumerationType()) {
3800      HeaderName = "cstdlib";
3801    } else if (ArgType->isRealFloatingType()) {
3802      HeaderName = "cmath";
3803    } else {
3804      llvm_unreachable("Invalid Type");
3805    }
3806
3807    // Lookup all std::abs
3808    if (NamespaceDecl *Std = S.getStdNamespace()) {
3809      LookupResult R(S, &S.Context.Idents.get("abs"), Loc, Sema::LookupAnyName);
3810      R.suppressDiagnostics();
3811      S.LookupQualifiedName(R, Std);
3812
3813      for (const auto *I : R) {
3814        const FunctionDecl *FDecl = nullptr;
3815        if (const UsingShadowDecl *UsingD = dyn_cast<UsingShadowDecl>(I)) {
3816          FDecl = dyn_cast<FunctionDecl>(UsingD->getTargetDecl());
3817        } else {
3818          FDecl = dyn_cast<FunctionDecl>(I);
3819        }
3820        if (!FDecl)
3821          continue;
3822
3823        // Found std::abs(), check that they are the right ones.
3824        if (FDecl->getNumParams() != 1)
3825          continue;
3826
3827        // Check that the parameter type can handle the argument.
3828        QualType ParamType = FDecl->getParamDecl(0)->getType();
3829        if (getAbsoluteValueKind(ArgType) == getAbsoluteValueKind(ParamType) &&
3830            S.Context.getTypeSize(ArgType) <=
3831                S.Context.getTypeSize(ParamType)) {
3832          // Found a function, don't need the header hint.
3833          EmitHeaderHint = false;
3834          break;
3835        }
3836      }
3837    }
3838  } else {
3839    FunctionName = S.Context.BuiltinInfo.GetName(AbsKind);
3840    HeaderName = S.Context.BuiltinInfo.getHeaderName(AbsKind);
3841
3842    if (HeaderName) {
3843      DeclarationName DN(&S.Context.Idents.get(FunctionName));
3844      LookupResult R(S, DN, Loc, Sema::LookupAnyName);
3845      R.suppressDiagnostics();
3846      S.LookupName(R, S.getCurScope());
3847
3848      if (R.isSingleResult()) {
3849        FunctionDecl *FD = dyn_cast<FunctionDecl>(R.getFoundDecl());
3850        if (FD && FD->getBuiltinID() == AbsKind) {
3851          EmitHeaderHint = false;
3852        } else {
3853          return;
3854        }
3855      } else if (!R.empty()) {
3856        return;
3857      }
3858    }
3859  }
3860
3861  S.Diag(Loc, diag::note_replace_abs_function)
3862      << FunctionName << FixItHint::CreateReplacement(Range, FunctionName);
3863
3864  if (!HeaderName)
3865    return;
3866
3867  if (!EmitHeaderHint)
3868    return;
3869
3870  S.Diag(Loc, diag::note_please_include_header) << HeaderName << FunctionName;
3871}
3872
3873static bool IsFunctionStdAbs(const FunctionDecl *FDecl) {
3874  if (!FDecl)
3875    return false;
3876
3877  if (!FDecl->getIdentifier() || !FDecl->getIdentifier()->isStr("abs"))
3878    return false;
3879
3880  const NamespaceDecl *ND = dyn_cast<NamespaceDecl>(FDecl->getDeclContext());
3881
3882  while (ND && ND->isInlineNamespace()) {
3883    ND = dyn_cast<NamespaceDecl>(ND->getDeclContext());
3884  }
3885
3886  if (!ND || !ND->getIdentifier() || !ND->getIdentifier()->isStr("std"))
3887    return false;
3888
3889  if (!isa<TranslationUnitDecl>(ND->getDeclContext()))
3890    return false;
3891
3892  return true;
3893}
3894
3895// Warn when using the wrong abs() function.
3896void Sema::CheckAbsoluteValueFunction(const CallExpr *Call,
3897                                      const FunctionDecl *FDecl,
3898                                      IdentifierInfo *FnInfo) {
3899  if (Call->getNumArgs() != 1)
3900    return;
3901
3902  unsigned AbsKind = getAbsoluteValueFunctionKind(FDecl);
3903  bool IsStdAbs = IsFunctionStdAbs(FDecl);
3904  if (AbsKind == 0 && !IsStdAbs)
3905    return;
3906
3907  QualType ArgType = Call->getArg(0)->IgnoreParenImpCasts()->getType();
3908  QualType ParamType = Call->getArg(0)->getType();
3909
3910  // Unsigned types can not be negative.  Suggest to drop the absolute value
3911  // function.
3912  if (ArgType->isUnsignedIntegerType()) {
3913    const char *FunctionName =
3914        IsStdAbs ? "std::abs" : Context.BuiltinInfo.GetName(AbsKind);
3915    Diag(Call->getExprLoc(), diag::warn_unsigned_abs) << ArgType << ParamType;
3916    Diag(Call->getExprLoc(), diag::note_remove_abs)
3917        << FunctionName
3918        << FixItHint::CreateRemoval(Call->getCallee()->getSourceRange());
3919    return;
3920  }
3921
3922  // std::abs has overloads which prevent most of the absolute value problems
3923  // from occurring.
3924  if (IsStdAbs)
3925    return;
3926
3927  AbsoluteValueKind ArgValueKind = getAbsoluteValueKind(ArgType);
3928  AbsoluteValueKind ParamValueKind = getAbsoluteValueKind(ParamType);
3929
3930  // The argument and parameter are the same kind.  Check if they are the right
3931  // size.
3932  if (ArgValueKind == ParamValueKind) {
3933    if (Context.getTypeSize(ArgType) <= Context.getTypeSize(ParamType))
3934      return;
3935
3936    unsigned NewAbsKind = getBestAbsFunction(Context, ArgType, AbsKind);
3937    Diag(Call->getExprLoc(), diag::warn_abs_too_small)
3938        << FDecl << ArgType << ParamType;
3939
3940    if (NewAbsKind == 0)
3941      return;
3942
3943    emitReplacement(*this, Call->getExprLoc(),
3944                    Call->getCallee()->getSourceRange(), NewAbsKind, ArgType);
3945    return;
3946  }
3947
3948  // ArgValueKind != ParamValueKind
3949  // The wrong type of absolute value function was used.  Attempt to find the
3950  // proper one.
3951  unsigned NewAbsKind = changeAbsFunction(AbsKind, ArgValueKind);
3952  NewAbsKind = getBestAbsFunction(Context, ArgType, NewAbsKind);
3953  if (NewAbsKind == 0)
3954    return;
3955
3956  Diag(Call->getExprLoc(), diag::warn_wrong_absolute_value_type)
3957      << FDecl << ParamValueKind << ArgValueKind;
3958
3959  emitReplacement(*this, Call->getExprLoc(),
3960                  Call->getCallee()->getSourceRange(), NewAbsKind, ArgType);
3961  return;
3962}
3963
3964//===--- CHECK: Standard memory functions ---------------------------------===//
3965
3966/// \brief Takes the expression passed to the size_t parameter of functions
3967/// such as memcmp, strncat, etc and warns if it's a comparison.
3968///
3969/// This is to catch typos like `if (memcmp(&a, &b, sizeof(a) > 0))`.
3970static bool CheckMemorySizeofForComparison(Sema &S, const Expr *E,
3971                                           IdentifierInfo *FnName,
3972                                           SourceLocation FnLoc,
3973                                           SourceLocation RParenLoc) {
3974  const BinaryOperator *Size = dyn_cast<BinaryOperator>(E);
3975  if (!Size)
3976    return false;
3977
3978  // if E is binop and op is >, <, >=, <=, ==, &&, ||:
3979  if (!Size->isComparisonOp() && !Size->isEqualityOp() && !Size->isLogicalOp())
3980    return false;
3981
3982  SourceRange SizeRange = Size->getSourceRange();
3983  S.Diag(Size->getOperatorLoc(), diag::warn_memsize_comparison)
3984      << SizeRange << FnName;
3985  S.Diag(FnLoc, diag::note_memsize_comparison_paren)
3986      << FnName << FixItHint::CreateInsertion(
3987                       S.getLocForEndOfToken(Size->getLHS()->getLocEnd()), ")")
3988      << FixItHint::CreateRemoval(RParenLoc);
3989  S.Diag(SizeRange.getBegin(), diag::note_memsize_comparison_cast_silence)
3990      << FixItHint::CreateInsertion(SizeRange.getBegin(), "(size_t)(")
3991      << FixItHint::CreateInsertion(S.getLocForEndOfToken(SizeRange.getEnd()),
3992                                    ")");
3993
3994  return true;
3995}
3996
3997/// \brief Determine whether the given type is or contains a dynamic class type
3998/// (e.g., whether it has a vtable).
3999static const CXXRecordDecl *getContainedDynamicClass(QualType T,
4000                                                     bool &IsContained) {
4001  // Look through array types while ignoring qualifiers.
4002  const Type *Ty = T->getBaseElementTypeUnsafe();
4003  IsContained = false;
4004
4005  const CXXRecordDecl *RD = Ty->getAsCXXRecordDecl();
4006  RD = RD ? RD->getDefinition() : nullptr;
4007  if (!RD)
4008    return nullptr;
4009
4010  if (RD->isDynamicClass())
4011    return RD;
4012
4013  // Check all the fields.  If any bases were dynamic, the class is dynamic.
4014  // It's impossible for a class to transitively contain itself by value, so
4015  // infinite recursion is impossible.
4016  for (auto *FD : RD->fields()) {
4017    bool SubContained;
4018    if (const CXXRecordDecl *ContainedRD =
4019            getContainedDynamicClass(FD->getType(), SubContained)) {
4020      IsContained = true;
4021      return ContainedRD;
4022    }
4023  }
4024
4025  return nullptr;
4026}
4027
4028/// \brief If E is a sizeof expression, returns its argument expression,
4029/// otherwise returns NULL.
4030static const Expr *getSizeOfExprArg(const Expr* E) {
4031  if (const UnaryExprOrTypeTraitExpr *SizeOf =
4032      dyn_cast<UnaryExprOrTypeTraitExpr>(E))
4033    if (SizeOf->getKind() == clang::UETT_SizeOf && !SizeOf->isArgumentType())
4034      return SizeOf->getArgumentExpr()->IgnoreParenImpCasts();
4035
4036  return nullptr;
4037}
4038
4039/// \brief If E is a sizeof expression, returns its argument type.
4040static QualType getSizeOfArgType(const Expr* E) {
4041  if (const UnaryExprOrTypeTraitExpr *SizeOf =
4042      dyn_cast<UnaryExprOrTypeTraitExpr>(E))
4043    if (SizeOf->getKind() == clang::UETT_SizeOf)
4044      return SizeOf->getTypeOfArgument();
4045
4046  return QualType();
4047}
4048
4049/// \brief Check for dangerous or invalid arguments to memset().
4050///
4051/// This issues warnings on known problematic, dangerous or unspecified
4052/// arguments to the standard 'memset', 'memcpy', 'memmove', and 'memcmp'
4053/// function calls.
4054///
4055/// \param Call The call expression to diagnose.
4056void Sema::CheckMemaccessArguments(const CallExpr *Call,
4057                                   unsigned BId,
4058                                   IdentifierInfo *FnName) {
4059  assert(BId != 0);
4060
4061  // It is possible to have a non-standard definition of memset.  Validate
4062  // we have enough arguments, and if not, abort further checking.
4063  unsigned ExpectedNumArgs = (BId == Builtin::BIstrndup ? 2 : 3);
4064  if (Call->getNumArgs() < ExpectedNumArgs)
4065    return;
4066
4067  unsigned LastArg = (BId == Builtin::BImemset ||
4068                      BId == Builtin::BIstrndup ? 1 : 2);
4069  unsigned LenArg = (BId == Builtin::BIstrndup ? 1 : 2);
4070  const Expr *LenExpr = Call->getArg(LenArg)->IgnoreParenImpCasts();
4071
4072  if (CheckMemorySizeofForComparison(*this, LenExpr, FnName,
4073                                     Call->getLocStart(), Call->getRParenLoc()))
4074    return;
4075
4076  // We have special checking when the length is a sizeof expression.
4077  QualType SizeOfArgTy = getSizeOfArgType(LenExpr);
4078  const Expr *SizeOfArg = getSizeOfExprArg(LenExpr);
4079  llvm::FoldingSetNodeID SizeOfArgID;
4080
4081  for (unsigned ArgIdx = 0; ArgIdx != LastArg; ++ArgIdx) {
4082    const Expr *Dest = Call->getArg(ArgIdx)->IgnoreParenImpCasts();
4083    SourceRange ArgRange = Call->getArg(ArgIdx)->getSourceRange();
4084
4085    QualType DestTy = Dest->getType();
4086    if (const PointerType *DestPtrTy = DestTy->getAs<PointerType>()) {
4087      QualType PointeeTy = DestPtrTy->getPointeeType();
4088
4089      // Never warn about void type pointers. This can be used to suppress
4090      // false positives.
4091      if (PointeeTy->isVoidType())
4092        continue;
4093
4094      // Catch "memset(p, 0, sizeof(p))" -- needs to be sizeof(*p). Do this by
4095      // actually comparing the expressions for equality. Because computing the
4096      // expression IDs can be expensive, we only do this if the diagnostic is
4097      // enabled.
4098      if (SizeOfArg &&
4099          !Diags.isIgnored(diag::warn_sizeof_pointer_expr_memaccess,
4100                           SizeOfArg->getExprLoc())) {
4101        // We only compute IDs for expressions if the warning is enabled, and
4102        // cache the sizeof arg's ID.
4103        if (SizeOfArgID == llvm::FoldingSetNodeID())
4104          SizeOfArg->Profile(SizeOfArgID, Context, true);
4105        llvm::FoldingSetNodeID DestID;
4106        Dest->Profile(DestID, Context, true);
4107        if (DestID == SizeOfArgID) {
4108          // TODO: For strncpy() and friends, this could suggest sizeof(dst)
4109          //       over sizeof(src) as well.
4110          unsigned ActionIdx = 0; // Default is to suggest dereferencing.
4111          StringRef ReadableName = FnName->getName();
4112
4113          if (const UnaryOperator *UnaryOp = dyn_cast<UnaryOperator>(Dest))
4114            if (UnaryOp->getOpcode() == UO_AddrOf)
4115              ActionIdx = 1; // If its an address-of operator, just remove it.
4116          if (!PointeeTy->isIncompleteType() &&
4117              (Context.getTypeSize(PointeeTy) == Context.getCharWidth()))
4118            ActionIdx = 2; // If the pointee's size is sizeof(char),
4119                           // suggest an explicit length.
4120
4121          // If the function is defined as a builtin macro, do not show macro
4122          // expansion.
4123          SourceLocation SL = SizeOfArg->getExprLoc();
4124          SourceRange DSR = Dest->getSourceRange();
4125          SourceRange SSR = SizeOfArg->getSourceRange();
4126          SourceManager &SM = getSourceManager();
4127
4128          if (SM.isMacroArgExpansion(SL)) {
4129            ReadableName = Lexer::getImmediateMacroName(SL, SM, LangOpts);
4130            SL = SM.getSpellingLoc(SL);
4131            DSR = SourceRange(SM.getSpellingLoc(DSR.getBegin()),
4132                             SM.getSpellingLoc(DSR.getEnd()));
4133            SSR = SourceRange(SM.getSpellingLoc(SSR.getBegin()),
4134                             SM.getSpellingLoc(SSR.getEnd()));
4135          }
4136
4137          DiagRuntimeBehavior(SL, SizeOfArg,
4138                              PDiag(diag::warn_sizeof_pointer_expr_memaccess)
4139                                << ReadableName
4140                                << PointeeTy
4141                                << DestTy
4142                                << DSR
4143                                << SSR);
4144          DiagRuntimeBehavior(SL, SizeOfArg,
4145                         PDiag(diag::warn_sizeof_pointer_expr_memaccess_note)
4146                                << ActionIdx
4147                                << SSR);
4148
4149          break;
4150        }
4151      }
4152
4153      // Also check for cases where the sizeof argument is the exact same
4154      // type as the memory argument, and where it points to a user-defined
4155      // record type.
4156      if (SizeOfArgTy != QualType()) {
4157        if (PointeeTy->isRecordType() &&
4158            Context.typesAreCompatible(SizeOfArgTy, DestTy)) {
4159          DiagRuntimeBehavior(LenExpr->getExprLoc(), Dest,
4160                              PDiag(diag::warn_sizeof_pointer_type_memaccess)
4161                                << FnName << SizeOfArgTy << ArgIdx
4162                                << PointeeTy << Dest->getSourceRange()
4163                                << LenExpr->getSourceRange());
4164          break;
4165        }
4166      }
4167
4168      // Always complain about dynamic classes.
4169      bool IsContained;
4170      if (const CXXRecordDecl *ContainedRD =
4171              getContainedDynamicClass(PointeeTy, IsContained)) {
4172
4173        unsigned OperationType = 0;
4174        // "overwritten" if we're warning about the destination for any call
4175        // but memcmp; otherwise a verb appropriate to the call.
4176        if (ArgIdx != 0 || BId == Builtin::BImemcmp) {
4177          if (BId == Builtin::BImemcpy)
4178            OperationType = 1;
4179          else if(BId == Builtin::BImemmove)
4180            OperationType = 2;
4181          else if (BId == Builtin::BImemcmp)
4182            OperationType = 3;
4183        }
4184
4185        DiagRuntimeBehavior(
4186          Dest->getExprLoc(), Dest,
4187          PDiag(diag::warn_dyn_class_memaccess)
4188            << (BId == Builtin::BImemcmp ? ArgIdx + 2 : ArgIdx)
4189            << FnName << IsContained << ContainedRD << OperationType
4190            << Call->getCallee()->getSourceRange());
4191      } else if (PointeeTy.hasNonTrivialObjCLifetime() &&
4192               BId != Builtin::BImemset)
4193        DiagRuntimeBehavior(
4194          Dest->getExprLoc(), Dest,
4195          PDiag(diag::warn_arc_object_memaccess)
4196            << ArgIdx << FnName << PointeeTy
4197            << Call->getCallee()->getSourceRange());
4198      else
4199        continue;
4200
4201      DiagRuntimeBehavior(
4202        Dest->getExprLoc(), Dest,
4203        PDiag(diag::note_bad_memaccess_silence)
4204          << FixItHint::CreateInsertion(ArgRange.getBegin(), "(void*)"));
4205      break;
4206    }
4207  }
4208}
4209
4210// A little helper routine: ignore addition and subtraction of integer literals.
4211// This intentionally does not ignore all integer constant expressions because
4212// we don't want to remove sizeof().
4213static const Expr *ignoreLiteralAdditions(const Expr *Ex, ASTContext &Ctx) {
4214  Ex = Ex->IgnoreParenCasts();
4215
4216  for (;;) {
4217    const BinaryOperator * BO = dyn_cast<BinaryOperator>(Ex);
4218    if (!BO || !BO->isAdditiveOp())
4219      break;
4220
4221    const Expr *RHS = BO->getRHS()->IgnoreParenCasts();
4222    const Expr *LHS = BO->getLHS()->IgnoreParenCasts();
4223
4224    if (isa<IntegerLiteral>(RHS))
4225      Ex = LHS;
4226    else if (isa<IntegerLiteral>(LHS))
4227      Ex = RHS;
4228    else
4229      break;
4230  }
4231
4232  return Ex;
4233}
4234
4235static bool isConstantSizeArrayWithMoreThanOneElement(QualType Ty,
4236                                                      ASTContext &Context) {
4237  // Only handle constant-sized or VLAs, but not flexible members.
4238  if (const ConstantArrayType *CAT = Context.getAsConstantArrayType(Ty)) {
4239    // Only issue the FIXIT for arrays of size > 1.
4240    if (CAT->getSize().getSExtValue() <= 1)
4241      return false;
4242  } else if (!Ty->isVariableArrayType()) {
4243    return false;
4244  }
4245  return true;
4246}
4247
4248// Warn if the user has made the 'size' argument to strlcpy or strlcat
4249// be the size of the source, instead of the destination.
4250void Sema::CheckStrlcpycatArguments(const CallExpr *Call,
4251                                    IdentifierInfo *FnName) {
4252
4253  // Don't crash if the user has the wrong number of arguments
4254  if (Call->getNumArgs() != 3)
4255    return;
4256
4257  const Expr *SrcArg = ignoreLiteralAdditions(Call->getArg(1), Context);
4258  const Expr *SizeArg = ignoreLiteralAdditions(Call->getArg(2), Context);
4259  const Expr *CompareWithSrc = nullptr;
4260
4261  if (CheckMemorySizeofForComparison(*this, SizeArg, FnName,
4262                                     Call->getLocStart(), Call->getRParenLoc()))
4263    return;
4264
4265  // Look for 'strlcpy(dst, x, sizeof(x))'
4266  if (const Expr *Ex = getSizeOfExprArg(SizeArg))
4267    CompareWithSrc = Ex;
4268  else {
4269    // Look for 'strlcpy(dst, x, strlen(x))'
4270    if (const CallExpr *SizeCall = dyn_cast<CallExpr>(SizeArg)) {
4271      if (SizeCall->getBuiltinCallee() == Builtin::BIstrlen &&
4272          SizeCall->getNumArgs() == 1)
4273        CompareWithSrc = ignoreLiteralAdditions(SizeCall->getArg(0), Context);
4274    }
4275  }
4276
4277  if (!CompareWithSrc)
4278    return;
4279
4280  // Determine if the argument to sizeof/strlen is equal to the source
4281  // argument.  In principle there's all kinds of things you could do
4282  // here, for instance creating an == expression and evaluating it with
4283  // EvaluateAsBooleanCondition, but this uses a more direct technique:
4284  const DeclRefExpr *SrcArgDRE = dyn_cast<DeclRefExpr>(SrcArg);
4285  if (!SrcArgDRE)
4286    return;
4287
4288  const DeclRefExpr *CompareWithSrcDRE = dyn_cast<DeclRefExpr>(CompareWithSrc);
4289  if (!CompareWithSrcDRE ||
4290      SrcArgDRE->getDecl() != CompareWithSrcDRE->getDecl())
4291    return;
4292
4293  const Expr *OriginalSizeArg = Call->getArg(2);
4294  Diag(CompareWithSrcDRE->getLocStart(), diag::warn_strlcpycat_wrong_size)
4295    << OriginalSizeArg->getSourceRange() << FnName;
4296
4297  // Output a FIXIT hint if the destination is an array (rather than a
4298  // pointer to an array).  This could be enhanced to handle some
4299  // pointers if we know the actual size, like if DstArg is 'array+2'
4300  // we could say 'sizeof(array)-2'.
4301  const Expr *DstArg = Call->getArg(0)->IgnoreParenImpCasts();
4302  if (!isConstantSizeArrayWithMoreThanOneElement(DstArg->getType(), Context))
4303    return;
4304
4305  SmallString<128> sizeString;
4306  llvm::raw_svector_ostream OS(sizeString);
4307  OS << "sizeof(";
4308  DstArg->printPretty(OS, nullptr, getPrintingPolicy());
4309  OS << ")";
4310
4311  Diag(OriginalSizeArg->getLocStart(), diag::note_strlcpycat_wrong_size)
4312    << FixItHint::CreateReplacement(OriginalSizeArg->getSourceRange(),
4313                                    OS.str());
4314}
4315
4316/// Check if two expressions refer to the same declaration.
4317static bool referToTheSameDecl(const Expr *E1, const Expr *E2) {
4318  if (const DeclRefExpr *D1 = dyn_cast_or_null<DeclRefExpr>(E1))
4319    if (const DeclRefExpr *D2 = dyn_cast_or_null<DeclRefExpr>(E2))
4320      return D1->getDecl() == D2->getDecl();
4321  return false;
4322}
4323
4324static const Expr *getStrlenExprArg(const Expr *E) {
4325  if (const CallExpr *CE = dyn_cast<CallExpr>(E)) {
4326    const FunctionDecl *FD = CE->getDirectCallee();
4327    if (!FD || FD->getMemoryFunctionKind() != Builtin::BIstrlen)
4328      return nullptr;
4329    return CE->getArg(0)->IgnoreParenCasts();
4330  }
4331  return nullptr;
4332}
4333
4334// Warn on anti-patterns as the 'size' argument to strncat.
4335// The correct size argument should look like following:
4336//   strncat(dst, src, sizeof(dst) - strlen(dest) - 1);
4337void Sema::CheckStrncatArguments(const CallExpr *CE,
4338                                 IdentifierInfo *FnName) {
4339  // Don't crash if the user has the wrong number of arguments.
4340  if (CE->getNumArgs() < 3)
4341    return;
4342  const Expr *DstArg = CE->getArg(0)->IgnoreParenCasts();
4343  const Expr *SrcArg = CE->getArg(1)->IgnoreParenCasts();
4344  const Expr *LenArg = CE->getArg(2)->IgnoreParenCasts();
4345
4346  if (CheckMemorySizeofForComparison(*this, LenArg, FnName, CE->getLocStart(),
4347                                     CE->getRParenLoc()))
4348    return;
4349
4350  // Identify common expressions, which are wrongly used as the size argument
4351  // to strncat and may lead to buffer overflows.
4352  unsigned PatternType = 0;
4353  if (const Expr *SizeOfArg = getSizeOfExprArg(LenArg)) {
4354    // - sizeof(dst)
4355    if (referToTheSameDecl(SizeOfArg, DstArg))
4356      PatternType = 1;
4357    // - sizeof(src)
4358    else if (referToTheSameDecl(SizeOfArg, SrcArg))
4359      PatternType = 2;
4360  } else if (const BinaryOperator *BE = dyn_cast<BinaryOperator>(LenArg)) {
4361    if (BE->getOpcode() == BO_Sub) {
4362      const Expr *L = BE->getLHS()->IgnoreParenCasts();
4363      const Expr *R = BE->getRHS()->IgnoreParenCasts();
4364      // - sizeof(dst) - strlen(dst)
4365      if (referToTheSameDecl(DstArg, getSizeOfExprArg(L)) &&
4366          referToTheSameDecl(DstArg, getStrlenExprArg(R)))
4367        PatternType = 1;
4368      // - sizeof(src) - (anything)
4369      else if (referToTheSameDecl(SrcArg, getSizeOfExprArg(L)))
4370        PatternType = 2;
4371    }
4372  }
4373
4374  if (PatternType == 0)
4375    return;
4376
4377  // Generate the diagnostic.
4378  SourceLocation SL = LenArg->getLocStart();
4379  SourceRange SR = LenArg->getSourceRange();
4380  SourceManager &SM = getSourceManager();
4381
4382  // If the function is defined as a builtin macro, do not show macro expansion.
4383  if (SM.isMacroArgExpansion(SL)) {
4384    SL = SM.getSpellingLoc(SL);
4385    SR = SourceRange(SM.getSpellingLoc(SR.getBegin()),
4386                     SM.getSpellingLoc(SR.getEnd()));
4387  }
4388
4389  // Check if the destination is an array (rather than a pointer to an array).
4390  QualType DstTy = DstArg->getType();
4391  bool isKnownSizeArray = isConstantSizeArrayWithMoreThanOneElement(DstTy,
4392                                                                    Context);
4393  if (!isKnownSizeArray) {
4394    if (PatternType == 1)
4395      Diag(SL, diag::warn_strncat_wrong_size) << SR;
4396    else
4397      Diag(SL, diag::warn_strncat_src_size) << SR;
4398    return;
4399  }
4400
4401  if (PatternType == 1)
4402    Diag(SL, diag::warn_strncat_large_size) << SR;
4403  else
4404    Diag(SL, diag::warn_strncat_src_size) << SR;
4405
4406  SmallString<128> sizeString;
4407  llvm::raw_svector_ostream OS(sizeString);
4408  OS << "sizeof(";
4409  DstArg->printPretty(OS, nullptr, getPrintingPolicy());
4410  OS << ") - ";
4411  OS << "strlen(";
4412  DstArg->printPretty(OS, nullptr, getPrintingPolicy());
4413  OS << ") - 1";
4414
4415  Diag(SL, diag::note_strncat_wrong_size)
4416    << FixItHint::CreateReplacement(SR, OS.str());
4417}
4418
4419//===--- CHECK: Return Address of Stack Variable --------------------------===//
4420
4421static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars,
4422                     Decl *ParentDecl);
4423static Expr *EvalAddr(Expr* E, SmallVectorImpl<DeclRefExpr *> &refVars,
4424                      Decl *ParentDecl);
4425
4426/// CheckReturnStackAddr - Check if a return statement returns the address
4427///   of a stack variable.
4428static void
4429CheckReturnStackAddr(Sema &S, Expr *RetValExp, QualType lhsType,
4430                     SourceLocation ReturnLoc) {
4431
4432  Expr *stackE = nullptr;
4433  SmallVector<DeclRefExpr *, 8> refVars;
4434
4435  // Perform checking for returned stack addresses, local blocks,
4436  // label addresses or references to temporaries.
4437  if (lhsType->isPointerType() ||
4438      (!S.getLangOpts().ObjCAutoRefCount && lhsType->isBlockPointerType())) {
4439    stackE = EvalAddr(RetValExp, refVars, /*ParentDecl=*/nullptr);
4440  } else if (lhsType->isReferenceType()) {
4441    stackE = EvalVal(RetValExp, refVars, /*ParentDecl=*/nullptr);
4442  }
4443
4444  if (!stackE)
4445    return; // Nothing suspicious was found.
4446
4447  SourceLocation diagLoc;
4448  SourceRange diagRange;
4449  if (refVars.empty()) {
4450    diagLoc = stackE->getLocStart();
4451    diagRange = stackE->getSourceRange();
4452  } else {
4453    // We followed through a reference variable. 'stackE' contains the
4454    // problematic expression but we will warn at the return statement pointing
4455    // at the reference variable. We will later display the "trail" of
4456    // reference variables using notes.
4457    diagLoc = refVars[0]->getLocStart();
4458    diagRange = refVars[0]->getSourceRange();
4459  }
4460
4461  if (DeclRefExpr *DR = dyn_cast<DeclRefExpr>(stackE)) { //address of local var.
4462    S.Diag(diagLoc, lhsType->isReferenceType() ? diag::warn_ret_stack_ref
4463                                             : diag::warn_ret_stack_addr)
4464     << DR->getDecl()->getDeclName() << diagRange;
4465  } else if (isa<BlockExpr>(stackE)) { // local block.
4466    S.Diag(diagLoc, diag::err_ret_local_block) << diagRange;
4467  } else if (isa<AddrLabelExpr>(stackE)) { // address of label.
4468    S.Diag(diagLoc, diag::warn_ret_addr_label) << diagRange;
4469  } else { // local temporary.
4470    S.Diag(diagLoc, lhsType->isReferenceType() ? diag::warn_ret_local_temp_ref
4471                                               : diag::warn_ret_local_temp_addr)
4472     << diagRange;
4473  }
4474
4475  // Display the "trail" of reference variables that we followed until we
4476  // found the problematic expression using notes.
4477  for (unsigned i = 0, e = refVars.size(); i != e; ++i) {
4478    VarDecl *VD = cast<VarDecl>(refVars[i]->getDecl());
4479    // If this var binds to another reference var, show the range of the next
4480    // var, otherwise the var binds to the problematic expression, in which case
4481    // show the range of the expression.
4482    SourceRange range = (i < e-1) ? refVars[i+1]->getSourceRange()
4483                                  : stackE->getSourceRange();
4484    S.Diag(VD->getLocation(), diag::note_ref_var_local_bind)
4485        << VD->getDeclName() << range;
4486  }
4487}
4488
4489/// EvalAddr - EvalAddr and EvalVal are mutually recursive functions that
4490///  check if the expression in a return statement evaluates to an address
4491///  to a location on the stack, a local block, an address of a label, or a
4492///  reference to local temporary. The recursion is used to traverse the
4493///  AST of the return expression, with recursion backtracking when we
4494///  encounter a subexpression that (1) clearly does not lead to one of the
4495///  above problematic expressions (2) is something we cannot determine leads to
4496///  a problematic expression based on such local checking.
4497///
4498///  Both EvalAddr and EvalVal follow through reference variables to evaluate
4499///  the expression that they point to. Such variables are added to the
4500///  'refVars' vector so that we know what the reference variable "trail" was.
4501///
4502///  EvalAddr processes expressions that are pointers that are used as
4503///  references (and not L-values).  EvalVal handles all other values.
4504///  At the base case of the recursion is a check for the above problematic
4505///  expressions.
4506///
4507///  This implementation handles:
4508///
4509///   * pointer-to-pointer casts
4510///   * implicit conversions from array references to pointers
4511///   * taking the address of fields
4512///   * arbitrary interplay between "&" and "*" operators
4513///   * pointer arithmetic from an address of a stack variable
4514///   * taking the address of an array element where the array is on the stack
4515static Expr *EvalAddr(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars,
4516                      Decl *ParentDecl) {
4517  if (E->isTypeDependent())
4518    return nullptr;
4519
4520  // We should only be called for evaluating pointer expressions.
4521  assert((E->getType()->isAnyPointerType() ||
4522          E->getType()->isBlockPointerType() ||
4523          E->getType()->isObjCQualifiedIdType()) &&
4524         "EvalAddr only works on pointers");
4525
4526  E = E->IgnoreParens();
4527
4528  // Our "symbolic interpreter" is just a dispatch off the currently
4529  // viewed AST node.  We then recursively traverse the AST by calling
4530  // EvalAddr and EvalVal appropriately.
4531  switch (E->getStmtClass()) {
4532  case Stmt::DeclRefExprClass: {
4533    DeclRefExpr *DR = cast<DeclRefExpr>(E);
4534
4535    // If we leave the immediate function, the lifetime isn't about to end.
4536    if (DR->refersToEnclosingLocal())
4537      return nullptr;
4538
4539    if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl()))
4540      // If this is a reference variable, follow through to the expression that
4541      // it points to.
4542      if (V->hasLocalStorage() &&
4543          V->getType()->isReferenceType() && V->hasInit()) {
4544        // Add the reference variable to the "trail".
4545        refVars.push_back(DR);
4546        return EvalAddr(V->getInit(), refVars, ParentDecl);
4547      }
4548
4549    return nullptr;
4550  }
4551
4552  case Stmt::UnaryOperatorClass: {
4553    // The only unary operator that make sense to handle here
4554    // is AddrOf.  All others don't make sense as pointers.
4555    UnaryOperator *U = cast<UnaryOperator>(E);
4556
4557    if (U->getOpcode() == UO_AddrOf)
4558      return EvalVal(U->getSubExpr(), refVars, ParentDecl);
4559    else
4560      return nullptr;
4561  }
4562
4563  case Stmt::BinaryOperatorClass: {
4564    // Handle pointer arithmetic.  All other binary operators are not valid
4565    // in this context.
4566    BinaryOperator *B = cast<BinaryOperator>(E);
4567    BinaryOperatorKind op = B->getOpcode();
4568
4569    if (op != BO_Add && op != BO_Sub)
4570      return nullptr;
4571
4572    Expr *Base = B->getLHS();
4573
4574    // Determine which argument is the real pointer base.  It could be
4575    // the RHS argument instead of the LHS.
4576    if (!Base->getType()->isPointerType()) Base = B->getRHS();
4577
4578    assert (Base->getType()->isPointerType());
4579    return EvalAddr(Base, refVars, ParentDecl);
4580  }
4581
4582  // For conditional operators we need to see if either the LHS or RHS are
4583  // valid DeclRefExpr*s.  If one of them is valid, we return it.
4584  case Stmt::ConditionalOperatorClass: {
4585    ConditionalOperator *C = cast<ConditionalOperator>(E);
4586
4587    // Handle the GNU extension for missing LHS.
4588    // FIXME: That isn't a ConditionalOperator, so doesn't get here.
4589    if (Expr *LHSExpr = C->getLHS()) {
4590      // In C++, we can have a throw-expression, which has 'void' type.
4591      if (!LHSExpr->getType()->isVoidType())
4592        if (Expr *LHS = EvalAddr(LHSExpr, refVars, ParentDecl))
4593          return LHS;
4594    }
4595
4596    // In C++, we can have a throw-expression, which has 'void' type.
4597    if (C->getRHS()->getType()->isVoidType())
4598      return nullptr;
4599
4600    return EvalAddr(C->getRHS(), refVars, ParentDecl);
4601  }
4602
4603  case Stmt::BlockExprClass:
4604    if (cast<BlockExpr>(E)->getBlockDecl()->hasCaptures())
4605      return E; // local block.
4606    return nullptr;
4607
4608  case Stmt::AddrLabelExprClass:
4609    return E; // address of label.
4610
4611  case Stmt::ExprWithCleanupsClass:
4612    return EvalAddr(cast<ExprWithCleanups>(E)->getSubExpr(), refVars,
4613                    ParentDecl);
4614
4615  // For casts, we need to handle conversions from arrays to
4616  // pointer values, and pointer-to-pointer conversions.
4617  case Stmt::ImplicitCastExprClass:
4618  case Stmt::CStyleCastExprClass:
4619  case Stmt::CXXFunctionalCastExprClass:
4620  case Stmt::ObjCBridgedCastExprClass:
4621  case Stmt::CXXStaticCastExprClass:
4622  case Stmt::CXXDynamicCastExprClass:
4623  case Stmt::CXXConstCastExprClass:
4624  case Stmt::CXXReinterpretCastExprClass: {
4625    Expr* SubExpr = cast<CastExpr>(E)->getSubExpr();
4626    switch (cast<CastExpr>(E)->getCastKind()) {
4627    case CK_LValueToRValue:
4628    case CK_NoOp:
4629    case CK_BaseToDerived:
4630    case CK_DerivedToBase:
4631    case CK_UncheckedDerivedToBase:
4632    case CK_Dynamic:
4633    case CK_CPointerToObjCPointerCast:
4634    case CK_BlockPointerToObjCPointerCast:
4635    case CK_AnyPointerToBlockPointerCast:
4636      return EvalAddr(SubExpr, refVars, ParentDecl);
4637
4638    case CK_ArrayToPointerDecay:
4639      return EvalVal(SubExpr, refVars, ParentDecl);
4640
4641    case CK_BitCast:
4642      if (SubExpr->getType()->isAnyPointerType() ||
4643          SubExpr->getType()->isBlockPointerType() ||
4644          SubExpr->getType()->isObjCQualifiedIdType())
4645        return EvalAddr(SubExpr, refVars, ParentDecl);
4646      else
4647        return nullptr;
4648
4649    default:
4650      return nullptr;
4651    }
4652  }
4653
4654  case Stmt::MaterializeTemporaryExprClass:
4655    if (Expr *Result = EvalAddr(
4656                         cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(),
4657                                refVars, ParentDecl))
4658      return Result;
4659
4660    return E;
4661
4662  // Everything else: we simply don't reason about them.
4663  default:
4664    return nullptr;
4665  }
4666}
4667
4668
4669///  EvalVal - This function is complements EvalAddr in the mutual recursion.
4670///   See the comments for EvalAddr for more details.
4671static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars,
4672                     Decl *ParentDecl) {
4673do {
4674  // We should only be called for evaluating non-pointer expressions, or
4675  // expressions with a pointer type that are not used as references but instead
4676  // are l-values (e.g., DeclRefExpr with a pointer type).
4677
4678  // Our "symbolic interpreter" is just a dispatch off the currently
4679  // viewed AST node.  We then recursively traverse the AST by calling
4680  // EvalAddr and EvalVal appropriately.
4681
4682  E = E->IgnoreParens();
4683  switch (E->getStmtClass()) {
4684  case Stmt::ImplicitCastExprClass: {
4685    ImplicitCastExpr *IE = cast<ImplicitCastExpr>(E);
4686    if (IE->getValueKind() == VK_LValue) {
4687      E = IE->getSubExpr();
4688      continue;
4689    }
4690    return nullptr;
4691  }
4692
4693  case Stmt::ExprWithCleanupsClass:
4694    return EvalVal(cast<ExprWithCleanups>(E)->getSubExpr(), refVars,ParentDecl);
4695
4696  case Stmt::DeclRefExprClass: {
4697    // When we hit a DeclRefExpr we are looking at code that refers to a
4698    // variable's name. If it's not a reference variable we check if it has
4699    // local storage within the function, and if so, return the expression.
4700    DeclRefExpr *DR = cast<DeclRefExpr>(E);
4701
4702    // If we leave the immediate function, the lifetime isn't about to end.
4703    if (DR->refersToEnclosingLocal())
4704      return nullptr;
4705
4706    if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) {
4707      // Check if it refers to itself, e.g. "int& i = i;".
4708      if (V == ParentDecl)
4709        return DR;
4710
4711      if (V->hasLocalStorage()) {
4712        if (!V->getType()->isReferenceType())
4713          return DR;
4714
4715        // Reference variable, follow through to the expression that
4716        // it points to.
4717        if (V->hasInit()) {
4718          // Add the reference variable to the "trail".
4719          refVars.push_back(DR);
4720          return EvalVal(V->getInit(), refVars, V);
4721        }
4722      }
4723    }
4724
4725    return nullptr;
4726  }
4727
4728  case Stmt::UnaryOperatorClass: {
4729    // The only unary operator that make sense to handle here
4730    // is Deref.  All others don't resolve to a "name."  This includes
4731    // handling all sorts of rvalues passed to a unary operator.
4732    UnaryOperator *U = cast<UnaryOperator>(E);
4733
4734    if (U->getOpcode() == UO_Deref)
4735      return EvalAddr(U->getSubExpr(), refVars, ParentDecl);
4736
4737    return nullptr;
4738  }
4739
4740  case Stmt::ArraySubscriptExprClass: {
4741    // Array subscripts are potential references to data on the stack.  We
4742    // retrieve the DeclRefExpr* for the array variable if it indeed
4743    // has local storage.
4744    return EvalAddr(cast<ArraySubscriptExpr>(E)->getBase(), refVars,ParentDecl);
4745  }
4746
4747  case Stmt::ConditionalOperatorClass: {
4748    // For conditional operators we need to see if either the LHS or RHS are
4749    // non-NULL Expr's.  If one is non-NULL, we return it.
4750    ConditionalOperator *C = cast<ConditionalOperator>(E);
4751
4752    // Handle the GNU extension for missing LHS.
4753    if (Expr *LHSExpr = C->getLHS()) {
4754      // In C++, we can have a throw-expression, which has 'void' type.
4755      if (!LHSExpr->getType()->isVoidType())
4756        if (Expr *LHS = EvalVal(LHSExpr, refVars, ParentDecl))
4757          return LHS;
4758    }
4759
4760    // In C++, we can have a throw-expression, which has 'void' type.
4761    if (C->getRHS()->getType()->isVoidType())
4762      return nullptr;
4763
4764    return EvalVal(C->getRHS(), refVars, ParentDecl);
4765  }
4766
4767  // Accesses to members are potential references to data on the stack.
4768  case Stmt::MemberExprClass: {
4769    MemberExpr *M = cast<MemberExpr>(E);
4770
4771    // Check for indirect access.  We only want direct field accesses.
4772    if (M->isArrow())
4773      return nullptr;
4774
4775    // Check whether the member type is itself a reference, in which case
4776    // we're not going to refer to the member, but to what the member refers to.
4777    if (M->getMemberDecl()->getType()->isReferenceType())
4778      return nullptr;
4779
4780    return EvalVal(M->getBase(), refVars, ParentDecl);
4781  }
4782
4783  case Stmt::MaterializeTemporaryExprClass:
4784    if (Expr *Result = EvalVal(
4785                          cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(),
4786                               refVars, ParentDecl))
4787      return Result;
4788
4789    return E;
4790
4791  default:
4792    // Check that we don't return or take the address of a reference to a
4793    // temporary. This is only useful in C++.
4794    if (!E->isTypeDependent() && E->isRValue())
4795      return E;
4796
4797    // Everything else: we simply don't reason about them.
4798    return nullptr;
4799  }
4800} while (true);
4801}
4802
4803void
4804Sema::CheckReturnValExpr(Expr *RetValExp, QualType lhsType,
4805                         SourceLocation ReturnLoc,
4806                         bool isObjCMethod,
4807                         const AttrVec *Attrs,
4808                         const FunctionDecl *FD) {
4809  CheckReturnStackAddr(*this, RetValExp, lhsType, ReturnLoc);
4810
4811  // Check if the return value is null but should not be.
4812  if (Attrs && hasSpecificAttr<ReturnsNonNullAttr>(*Attrs) &&
4813      CheckNonNullExpr(*this, RetValExp))
4814    Diag(ReturnLoc, diag::warn_null_ret)
4815      << (isObjCMethod ? 1 : 0) << RetValExp->getSourceRange();
4816
4817  // C++11 [basic.stc.dynamic.allocation]p4:
4818  //   If an allocation function declared with a non-throwing
4819  //   exception-specification fails to allocate storage, it shall return
4820  //   a null pointer. Any other allocation function that fails to allocate
4821  //   storage shall indicate failure only by throwing an exception [...]
4822  if (FD) {
4823    OverloadedOperatorKind Op = FD->getOverloadedOperator();
4824    if (Op == OO_New || Op == OO_Array_New) {
4825      const FunctionProtoType *Proto
4826        = FD->getType()->castAs<FunctionProtoType>();
4827      if (!Proto->isNothrow(Context, /*ResultIfDependent*/true) &&
4828          CheckNonNullExpr(*this, RetValExp))
4829        Diag(ReturnLoc, diag::warn_operator_new_returns_null)
4830          << FD << getLangOpts().CPlusPlus11;
4831    }
4832  }
4833}
4834
4835//===--- CHECK: Floating-Point comparisons (-Wfloat-equal) ---------------===//
4836
4837/// Check for comparisons of floating point operands using != and ==.
4838/// Issue a warning if these are no self-comparisons, as they are not likely
4839/// to do what the programmer intended.
4840void Sema::CheckFloatComparison(SourceLocation Loc, Expr* LHS, Expr *RHS) {
4841  Expr* LeftExprSansParen = LHS->IgnoreParenImpCasts();
4842  Expr* RightExprSansParen = RHS->IgnoreParenImpCasts();
4843
4844  // Special case: check for x == x (which is OK).
4845  // Do not emit warnings for such cases.
4846  if (DeclRefExpr* DRL = dyn_cast<DeclRefExpr>(LeftExprSansParen))
4847    if (DeclRefExpr* DRR = dyn_cast<DeclRefExpr>(RightExprSansParen))
4848      if (DRL->getDecl() == DRR->getDecl())
4849        return;
4850
4851
4852  // Special case: check for comparisons against literals that can be exactly
4853  //  represented by APFloat.  In such cases, do not emit a warning.  This
4854  //  is a heuristic: often comparison against such literals are used to
4855  //  detect if a value in a variable has not changed.  This clearly can
4856  //  lead to false negatives.
4857  if (FloatingLiteral* FLL = dyn_cast<FloatingLiteral>(LeftExprSansParen)) {
4858    if (FLL->isExact())
4859      return;
4860  } else
4861    if (FloatingLiteral* FLR = dyn_cast<FloatingLiteral>(RightExprSansParen))
4862      if (FLR->isExact())
4863        return;
4864
4865  // Check for comparisons with builtin types.
4866  if (CallExpr* CL = dyn_cast<CallExpr>(LeftExprSansParen))
4867    if (CL->getBuiltinCallee())
4868      return;
4869
4870  if (CallExpr* CR = dyn_cast<CallExpr>(RightExprSansParen))
4871    if (CR->getBuiltinCallee())
4872      return;
4873
4874  // Emit the diagnostic.
4875  Diag(Loc, diag::warn_floatingpoint_eq)
4876    << LHS->getSourceRange() << RHS->getSourceRange();
4877}
4878
4879//===--- CHECK: Integer mixed-sign comparisons (-Wsign-compare) --------===//
4880//===--- CHECK: Lossy implicit conversions (-Wconversion) --------------===//
4881
4882namespace {
4883
4884/// Structure recording the 'active' range of an integer-valued
4885/// expression.
4886struct IntRange {
4887  /// The number of bits active in the int.
4888  unsigned Width;
4889
4890  /// True if the int is known not to have negative values.
4891  bool NonNegative;
4892
4893  IntRange(unsigned Width, bool NonNegative)
4894    : Width(Width), NonNegative(NonNegative)
4895  {}
4896
4897  /// Returns the range of the bool type.
4898  static IntRange forBoolType() {
4899    return IntRange(1, true);
4900  }
4901
4902  /// Returns the range of an opaque value of the given integral type.
4903  static IntRange forValueOfType(ASTContext &C, QualType T) {
4904    return forValueOfCanonicalType(C,
4905                          T->getCanonicalTypeInternal().getTypePtr());
4906  }
4907
4908  /// Returns the range of an opaque value of a canonical integral type.
4909  static IntRange forValueOfCanonicalType(ASTContext &C, const Type *T) {
4910    assert(T->isCanonicalUnqualified());
4911
4912    if (const VectorType *VT = dyn_cast<VectorType>(T))
4913      T = VT->getElementType().getTypePtr();
4914    if (const ComplexType *CT = dyn_cast<ComplexType>(T))
4915      T = CT->getElementType().getTypePtr();
4916
4917    // For enum types, use the known bit width of the enumerators.
4918    if (const EnumType *ET = dyn_cast<EnumType>(T)) {
4919      EnumDecl *Enum = ET->getDecl();
4920      if (!Enum->isCompleteDefinition())
4921        return IntRange(C.getIntWidth(QualType(T, 0)), false);
4922
4923      unsigned NumPositive = Enum->getNumPositiveBits();
4924      unsigned NumNegative = Enum->getNumNegativeBits();
4925
4926      if (NumNegative == 0)
4927        return IntRange(NumPositive, true/*NonNegative*/);
4928      else
4929        return IntRange(std::max(NumPositive + 1, NumNegative),
4930                        false/*NonNegative*/);
4931    }
4932
4933    const BuiltinType *BT = cast<BuiltinType>(T);
4934    assert(BT->isInteger());
4935
4936    return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger());
4937  }
4938
4939  /// Returns the "target" range of a canonical integral type, i.e.
4940  /// the range of values expressible in the type.
4941  ///
4942  /// This matches forValueOfCanonicalType except that enums have the
4943  /// full range of their type, not the range of their enumerators.
4944  static IntRange forTargetOfCanonicalType(ASTContext &C, const Type *T) {
4945    assert(T->isCanonicalUnqualified());
4946
4947    if (const VectorType *VT = dyn_cast<VectorType>(T))
4948      T = VT->getElementType().getTypePtr();
4949    if (const ComplexType *CT = dyn_cast<ComplexType>(T))
4950      T = CT->getElementType().getTypePtr();
4951    if (const EnumType *ET = dyn_cast<EnumType>(T))
4952      T = C.getCanonicalType(ET->getDecl()->getIntegerType()).getTypePtr();
4953
4954    const BuiltinType *BT = cast<BuiltinType>(T);
4955    assert(BT->isInteger());
4956
4957    return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger());
4958  }
4959
4960  /// Returns the supremum of two ranges: i.e. their conservative merge.
4961  static IntRange join(IntRange L, IntRange R) {
4962    return IntRange(std::max(L.Width, R.Width),
4963                    L.NonNegative && R.NonNegative);
4964  }
4965
4966  /// Returns the infinum of two ranges: i.e. their aggressive merge.
4967  static IntRange meet(IntRange L, IntRange R) {
4968    return IntRange(std::min(L.Width, R.Width),
4969                    L.NonNegative || R.NonNegative);
4970  }
4971};
4972
4973static IntRange GetValueRange(ASTContext &C, llvm::APSInt &value,
4974                              unsigned MaxWidth) {
4975  if (value.isSigned() && value.isNegative())
4976    return IntRange(value.getMinSignedBits(), false);
4977
4978  if (value.getBitWidth() > MaxWidth)
4979    value = value.trunc(MaxWidth);
4980
4981  // isNonNegative() just checks the sign bit without considering
4982  // signedness.
4983  return IntRange(value.getActiveBits(), true);
4984}
4985
4986static IntRange GetValueRange(ASTContext &C, APValue &result, QualType Ty,
4987                              unsigned MaxWidth) {
4988  if (result.isInt())
4989    return GetValueRange(C, result.getInt(), MaxWidth);
4990
4991  if (result.isVector()) {
4992    IntRange R = GetValueRange(C, result.getVectorElt(0), Ty, MaxWidth);
4993    for (unsigned i = 1, e = result.getVectorLength(); i != e; ++i) {
4994      IntRange El = GetValueRange(C, result.getVectorElt(i), Ty, MaxWidth);
4995      R = IntRange::join(R, El);
4996    }
4997    return R;
4998  }
4999
5000  if (result.isComplexInt()) {
5001    IntRange R = GetValueRange(C, result.getComplexIntReal(), MaxWidth);
5002    IntRange I = GetValueRange(C, result.getComplexIntImag(), MaxWidth);
5003    return IntRange::join(R, I);
5004  }
5005
5006  // This can happen with lossless casts to intptr_t of "based" lvalues.
5007  // Assume it might use arbitrary bits.
5008  // FIXME: The only reason we need to pass the type in here is to get
5009  // the sign right on this one case.  It would be nice if APValue
5010  // preserved this.
5011  assert(result.isLValue() || result.isAddrLabelDiff());
5012  return IntRange(MaxWidth, Ty->isUnsignedIntegerOrEnumerationType());
5013}
5014
5015static QualType GetExprType(Expr *E) {
5016  QualType Ty = E->getType();
5017  if (const AtomicType *AtomicRHS = Ty->getAs<AtomicType>())
5018    Ty = AtomicRHS->getValueType();
5019  return Ty;
5020}
5021
5022/// Pseudo-evaluate the given integer expression, estimating the
5023/// range of values it might take.
5024///
5025/// \param MaxWidth - the width to which the value will be truncated
5026static IntRange GetExprRange(ASTContext &C, Expr *E, unsigned MaxWidth) {
5027  E = E->IgnoreParens();
5028
5029  // Try a full evaluation first.
5030  Expr::EvalResult result;
5031  if (E->EvaluateAsRValue(result, C))
5032    return GetValueRange(C, result.Val, GetExprType(E), MaxWidth);
5033
5034  // I think we only want to look through implicit casts here; if the
5035  // user has an explicit widening cast, we should treat the value as
5036  // being of the new, wider type.
5037  if (ImplicitCastExpr *CE = dyn_cast<ImplicitCastExpr>(E)) {
5038    if (CE->getCastKind() == CK_NoOp || CE->getCastKind() == CK_LValueToRValue)
5039      return GetExprRange(C, CE->getSubExpr(), MaxWidth);
5040
5041    IntRange OutputTypeRange = IntRange::forValueOfType(C, GetExprType(CE));
5042
5043    bool isIntegerCast = (CE->getCastKind() == CK_IntegralCast);
5044
5045    // Assume that non-integer casts can span the full range of the type.
5046    if (!isIntegerCast)
5047      return OutputTypeRange;
5048
5049    IntRange SubRange
5050      = GetExprRange(C, CE->getSubExpr(),
5051                     std::min(MaxWidth, OutputTypeRange.Width));
5052
5053    // Bail out if the subexpr's range is as wide as the cast type.
5054    if (SubRange.Width >= OutputTypeRange.Width)
5055      return OutputTypeRange;
5056
5057    // Otherwise, we take the smaller width, and we're non-negative if
5058    // either the output type or the subexpr is.
5059    return IntRange(SubRange.Width,
5060                    SubRange.NonNegative || OutputTypeRange.NonNegative);
5061  }
5062
5063  if (ConditionalOperator *CO = dyn_cast<ConditionalOperator>(E)) {
5064    // If we can fold the condition, just take that operand.
5065    bool CondResult;
5066    if (CO->getCond()->EvaluateAsBooleanCondition(CondResult, C))
5067      return GetExprRange(C, CondResult ? CO->getTrueExpr()
5068                                        : CO->getFalseExpr(),
5069                          MaxWidth);
5070
5071    // Otherwise, conservatively merge.
5072    IntRange L = GetExprRange(C, CO->getTrueExpr(), MaxWidth);
5073    IntRange R = GetExprRange(C, CO->getFalseExpr(), MaxWidth);
5074    return IntRange::join(L, R);
5075  }
5076
5077  if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) {
5078    switch (BO->getOpcode()) {
5079
5080    // Boolean-valued operations are single-bit and positive.
5081    case BO_LAnd:
5082    case BO_LOr:
5083    case BO_LT:
5084    case BO_GT:
5085    case BO_LE:
5086    case BO_GE:
5087    case BO_EQ:
5088    case BO_NE:
5089      return IntRange::forBoolType();
5090
5091    // The type of the assignments is the type of the LHS, so the RHS
5092    // is not necessarily the same type.
5093    case BO_MulAssign:
5094    case BO_DivAssign:
5095    case BO_RemAssign:
5096    case BO_AddAssign:
5097    case BO_SubAssign:
5098    case BO_XorAssign:
5099    case BO_OrAssign:
5100      // TODO: bitfields?
5101      return IntRange::forValueOfType(C, GetExprType(E));
5102
5103    // Simple assignments just pass through the RHS, which will have
5104    // been coerced to the LHS type.
5105    case BO_Assign:
5106      // TODO: bitfields?
5107      return GetExprRange(C, BO->getRHS(), MaxWidth);
5108
5109    // Operations with opaque sources are black-listed.
5110    case BO_PtrMemD:
5111    case BO_PtrMemI:
5112      return IntRange::forValueOfType(C, GetExprType(E));
5113
5114    // Bitwise-and uses the *infinum* of the two source ranges.
5115    case BO_And:
5116    case BO_AndAssign:
5117      return IntRange::meet(GetExprRange(C, BO->getLHS(), MaxWidth),
5118                            GetExprRange(C, BO->getRHS(), MaxWidth));
5119
5120    // Left shift gets black-listed based on a judgement call.
5121    case BO_Shl:
5122      // ...except that we want to treat '1 << (blah)' as logically
5123      // positive.  It's an important idiom.
5124      if (IntegerLiteral *I
5125            = dyn_cast<IntegerLiteral>(BO->getLHS()->IgnoreParenCasts())) {
5126        if (I->getValue() == 1) {
5127          IntRange R = IntRange::forValueOfType(C, GetExprType(E));
5128          return IntRange(R.Width, /*NonNegative*/ true);
5129        }
5130      }
5131      // fallthrough
5132
5133    case BO_ShlAssign:
5134      return IntRange::forValueOfType(C, GetExprType(E));
5135
5136    // Right shift by a constant can narrow its left argument.
5137    case BO_Shr:
5138    case BO_ShrAssign: {
5139      IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth);
5140
5141      // If the shift amount is a positive constant, drop the width by
5142      // that much.
5143      llvm::APSInt shift;
5144      if (BO->getRHS()->isIntegerConstantExpr(shift, C) &&
5145          shift.isNonNegative()) {
5146        unsigned zext = shift.getZExtValue();
5147        if (zext >= L.Width)
5148          L.Width = (L.NonNegative ? 0 : 1);
5149        else
5150          L.Width -= zext;
5151      }
5152
5153      return L;
5154    }
5155
5156    // Comma acts as its right operand.
5157    case BO_Comma:
5158      return GetExprRange(C, BO->getRHS(), MaxWidth);
5159
5160    // Black-list pointer subtractions.
5161    case BO_Sub:
5162      if (BO->getLHS()->getType()->isPointerType())
5163        return IntRange::forValueOfType(C, GetExprType(E));
5164      break;
5165
5166    // The width of a division result is mostly determined by the size
5167    // of the LHS.
5168    case BO_Div: {
5169      // Don't 'pre-truncate' the operands.
5170      unsigned opWidth = C.getIntWidth(GetExprType(E));
5171      IntRange L = GetExprRange(C, BO->getLHS(), opWidth);
5172
5173      // If the divisor is constant, use that.
5174      llvm::APSInt divisor;
5175      if (BO->getRHS()->isIntegerConstantExpr(divisor, C)) {
5176        unsigned log2 = divisor.logBase2(); // floor(log_2(divisor))
5177        if (log2 >= L.Width)
5178          L.Width = (L.NonNegative ? 0 : 1);
5179        else
5180          L.Width = std::min(L.Width - log2, MaxWidth);
5181        return L;
5182      }
5183
5184      // Otherwise, just use the LHS's width.
5185      IntRange R = GetExprRange(C, BO->getRHS(), opWidth);
5186      return IntRange(L.Width, L.NonNegative && R.NonNegative);
5187    }
5188
5189    // The result of a remainder can't be larger than the result of
5190    // either side.
5191    case BO_Rem: {
5192      // Don't 'pre-truncate' the operands.
5193      unsigned opWidth = C.getIntWidth(GetExprType(E));
5194      IntRange L = GetExprRange(C, BO->getLHS(), opWidth);
5195      IntRange R = GetExprRange(C, BO->getRHS(), opWidth);
5196
5197      IntRange meet = IntRange::meet(L, R);
5198      meet.Width = std::min(meet.Width, MaxWidth);
5199      return meet;
5200    }
5201
5202    // The default behavior is okay for these.
5203    case BO_Mul:
5204    case BO_Add:
5205    case BO_Xor:
5206    case BO_Or:
5207      break;
5208    }
5209
5210    // The default case is to treat the operation as if it were closed
5211    // on the narrowest type that encompasses both operands.
5212    IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth);
5213    IntRange R = GetExprRange(C, BO->getRHS(), MaxWidth);
5214    return IntRange::join(L, R);
5215  }
5216
5217  if (UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) {
5218    switch (UO->getOpcode()) {
5219    // Boolean-valued operations are white-listed.
5220    case UO_LNot:
5221      return IntRange::forBoolType();
5222
5223    // Operations with opaque sources are black-listed.
5224    case UO_Deref:
5225    case UO_AddrOf: // should be impossible
5226      return IntRange::forValueOfType(C, GetExprType(E));
5227
5228    default:
5229      return GetExprRange(C, UO->getSubExpr(), MaxWidth);
5230    }
5231  }
5232
5233  if (OpaqueValueExpr *OVE = dyn_cast<OpaqueValueExpr>(E))
5234    return GetExprRange(C, OVE->getSourceExpr(), MaxWidth);
5235
5236  if (FieldDecl *BitField = E->getSourceBitField())
5237    return IntRange(BitField->getBitWidthValue(C),
5238                    BitField->getType()->isUnsignedIntegerOrEnumerationType());
5239
5240  return IntRange::forValueOfType(C, GetExprType(E));
5241}
5242
5243static IntRange GetExprRange(ASTContext &C, Expr *E) {
5244  return GetExprRange(C, E, C.getIntWidth(GetExprType(E)));
5245}
5246
5247/// Checks whether the given value, which currently has the given
5248/// source semantics, has the same value when coerced through the
5249/// target semantics.
5250static bool IsSameFloatAfterCast(const llvm::APFloat &value,
5251                                 const llvm::fltSemantics &Src,
5252                                 const llvm::fltSemantics &Tgt) {
5253  llvm::APFloat truncated = value;
5254
5255  bool ignored;
5256  truncated.convert(Src, llvm::APFloat::rmNearestTiesToEven, &ignored);
5257  truncated.convert(Tgt, llvm::APFloat::rmNearestTiesToEven, &ignored);
5258
5259  return truncated.bitwiseIsEqual(value);
5260}
5261
5262/// Checks whether the given value, which currently has the given
5263/// source semantics, has the same value when coerced through the
5264/// target semantics.
5265///
5266/// The value might be a vector of floats (or a complex number).
5267static bool IsSameFloatAfterCast(const APValue &value,
5268                                 const llvm::fltSemantics &Src,
5269                                 const llvm::fltSemantics &Tgt) {
5270  if (value.isFloat())
5271    return IsSameFloatAfterCast(value.getFloat(), Src, Tgt);
5272
5273  if (value.isVector()) {
5274    for (unsigned i = 0, e = value.getVectorLength(); i != e; ++i)
5275      if (!IsSameFloatAfterCast(value.getVectorElt(i), Src, Tgt))
5276        return false;
5277    return true;
5278  }
5279
5280  assert(value.isComplexFloat());
5281  return (IsSameFloatAfterCast(value.getComplexFloatReal(), Src, Tgt) &&
5282          IsSameFloatAfterCast(value.getComplexFloatImag(), Src, Tgt));
5283}
5284
5285static void AnalyzeImplicitConversions(Sema &S, Expr *E, SourceLocation CC);
5286
5287static bool IsZero(Sema &S, Expr *E) {
5288  // Suppress cases where we are comparing against an enum constant.
5289  if (const DeclRefExpr *DR =
5290      dyn_cast<DeclRefExpr>(E->IgnoreParenImpCasts()))
5291    if (isa<EnumConstantDecl>(DR->getDecl()))
5292      return false;
5293
5294  // Suppress cases where the '0' value is expanded from a macro.
5295  if (E->getLocStart().isMacroID())
5296    return false;
5297
5298  llvm::APSInt Value;
5299  return E->isIntegerConstantExpr(Value, S.Context) && Value == 0;
5300}
5301
5302static bool HasEnumType(Expr *E) {
5303  // Strip off implicit integral promotions.
5304  while (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) {
5305    if (ICE->getCastKind() != CK_IntegralCast &&
5306        ICE->getCastKind() != CK_NoOp)
5307      break;
5308    E = ICE->getSubExpr();
5309  }
5310
5311  return E->getType()->isEnumeralType();
5312}
5313
5314static void CheckTrivialUnsignedComparison(Sema &S, BinaryOperator *E) {
5315  // Disable warning in template instantiations.
5316  if (!S.ActiveTemplateInstantiations.empty())
5317    return;
5318
5319  BinaryOperatorKind op = E->getOpcode();
5320  if (E->isValueDependent())
5321    return;
5322
5323  if (op == BO_LT && IsZero(S, E->getRHS())) {
5324    S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison)
5325      << "< 0" << "false" << HasEnumType(E->getLHS())
5326      << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange();
5327  } else if (op == BO_GE && IsZero(S, E->getRHS())) {
5328    S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison)
5329      << ">= 0" << "true" << HasEnumType(E->