SemaChecking.cpp revision 186b26d01f2876e8b4b1f0f233e13fc4c613cddc
1//===--- SemaChecking.cpp - Extra Semantic Checking -----------------------===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file implements extra semantic analysis beyond what is enforced 11// by the C type system. 12// 13//===----------------------------------------------------------------------===// 14 15#include "clang/Sema/SemaInternal.h" 16#include "clang/AST/ASTContext.h" 17#include "clang/AST/CharUnits.h" 18#include "clang/AST/DeclCXX.h" 19#include "clang/AST/DeclObjC.h" 20#include "clang/AST/EvaluatedExprVisitor.h" 21#include "clang/AST/Expr.h" 22#include "clang/AST/ExprCXX.h" 23#include "clang/AST/ExprObjC.h" 24#include "clang/AST/StmtCXX.h" 25#include "clang/AST/StmtObjC.h" 26#include "clang/Analysis/Analyses/FormatString.h" 27#include "clang/Basic/CharInfo.h" 28#include "clang/Basic/TargetBuiltins.h" 29#include "clang/Basic/TargetInfo.h" 30#include "clang/Lex/Preprocessor.h" 31#include "clang/Sema/Initialization.h" 32#include "clang/Sema/Lookup.h" 33#include "clang/Sema/ScopeInfo.h" 34#include "clang/Sema/Sema.h" 35#include "llvm/ADT/SmallBitVector.h" 36#include "llvm/ADT/SmallString.h" 37#include "llvm/ADT/STLExtras.h" 38#include "llvm/Support/ConvertUTF.h" 39#include "llvm/Support/raw_ostream.h" 40#include <limits> 41using namespace clang; 42using namespace sema; 43 44SourceLocation Sema::getLocationOfStringLiteralByte(const StringLiteral *SL, 45 unsigned ByteNo) const { 46 return SL->getLocationOfByte(ByteNo, PP.getSourceManager(), 47 PP.getLangOpts(), PP.getTargetInfo()); 48} 49 50/// Checks that a call expression's argument count is the desired number. 51/// This is useful when doing custom type-checking. Returns true on error. 52static bool checkArgCount(Sema &S, CallExpr *call, unsigned desiredArgCount) { 53 unsigned argCount = call->getNumArgs(); 54 if (argCount == desiredArgCount) return false; 55 56 if (argCount < desiredArgCount) 57 return S.Diag(call->getLocEnd(), diag::err_typecheck_call_too_few_args) 58 << 0 /*function call*/ << desiredArgCount << argCount 59 << call->getSourceRange(); 60 61 // Highlight all the excess arguments. 62 SourceRange range(call->getArg(desiredArgCount)->getLocStart(), 63 call->getArg(argCount - 1)->getLocEnd()); 64 65 return S.Diag(range.getBegin(), diag::err_typecheck_call_too_many_args) 66 << 0 /*function call*/ << desiredArgCount << argCount 67 << call->getArg(1)->getSourceRange(); 68} 69 70/// Check that the first argument to __builtin_annotation is an integer 71/// and the second argument is a non-wide string literal. 72static bool SemaBuiltinAnnotation(Sema &S, CallExpr *TheCall) { 73 if (checkArgCount(S, TheCall, 2)) 74 return true; 75 76 // First argument should be an integer. 77 Expr *ValArg = TheCall->getArg(0); 78 QualType Ty = ValArg->getType(); 79 if (!Ty->isIntegerType()) { 80 S.Diag(ValArg->getLocStart(), diag::err_builtin_annotation_first_arg) 81 << ValArg->getSourceRange(); 82 return true; 83 } 84 85 // Second argument should be a constant string. 86 Expr *StrArg = TheCall->getArg(1)->IgnoreParenCasts(); 87 StringLiteral *Literal = dyn_cast<StringLiteral>(StrArg); 88 if (!Literal || !Literal->isAscii()) { 89 S.Diag(StrArg->getLocStart(), diag::err_builtin_annotation_second_arg) 90 << StrArg->getSourceRange(); 91 return true; 92 } 93 94 TheCall->setType(Ty); 95 return false; 96} 97 98/// Check that the argument to __builtin_addressof is a glvalue, and set the 99/// result type to the corresponding pointer type. 100static bool SemaBuiltinAddressof(Sema &S, CallExpr *TheCall) { 101 if (checkArgCount(S, TheCall, 1)) 102 return true; 103 104 ExprResult Arg(S.Owned(TheCall->getArg(0))); 105 QualType ResultType = S.CheckAddressOfOperand(Arg, TheCall->getLocStart()); 106 if (ResultType.isNull()) 107 return true; 108 109 TheCall->setArg(0, Arg.take()); 110 TheCall->setType(ResultType); 111 return false; 112} 113 114ExprResult 115Sema::CheckBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 116 ExprResult TheCallResult(Owned(TheCall)); 117 118 // Find out if any arguments are required to be integer constant expressions. 119 unsigned ICEArguments = 0; 120 ASTContext::GetBuiltinTypeError Error; 121 Context.GetBuiltinType(BuiltinID, Error, &ICEArguments); 122 if (Error != ASTContext::GE_None) 123 ICEArguments = 0; // Don't diagnose previously diagnosed errors. 124 125 // If any arguments are required to be ICE's, check and diagnose. 126 for (unsigned ArgNo = 0; ICEArguments != 0; ++ArgNo) { 127 // Skip arguments not required to be ICE's. 128 if ((ICEArguments & (1 << ArgNo)) == 0) continue; 129 130 llvm::APSInt Result; 131 if (SemaBuiltinConstantArg(TheCall, ArgNo, Result)) 132 return true; 133 ICEArguments &= ~(1 << ArgNo); 134 } 135 136 switch (BuiltinID) { 137 case Builtin::BI__builtin___CFStringMakeConstantString: 138 assert(TheCall->getNumArgs() == 1 && 139 "Wrong # arguments to builtin CFStringMakeConstantString"); 140 if (CheckObjCString(TheCall->getArg(0))) 141 return ExprError(); 142 break; 143 case Builtin::BI__builtin_stdarg_start: 144 case Builtin::BI__builtin_va_start: 145 if (SemaBuiltinVAStart(TheCall)) 146 return ExprError(); 147 break; 148 case Builtin::BI__builtin_isgreater: 149 case Builtin::BI__builtin_isgreaterequal: 150 case Builtin::BI__builtin_isless: 151 case Builtin::BI__builtin_islessequal: 152 case Builtin::BI__builtin_islessgreater: 153 case Builtin::BI__builtin_isunordered: 154 if (SemaBuiltinUnorderedCompare(TheCall)) 155 return ExprError(); 156 break; 157 case Builtin::BI__builtin_fpclassify: 158 if (SemaBuiltinFPClassification(TheCall, 6)) 159 return ExprError(); 160 break; 161 case Builtin::BI__builtin_isfinite: 162 case Builtin::BI__builtin_isinf: 163 case Builtin::BI__builtin_isinf_sign: 164 case Builtin::BI__builtin_isnan: 165 case Builtin::BI__builtin_isnormal: 166 if (SemaBuiltinFPClassification(TheCall, 1)) 167 return ExprError(); 168 break; 169 case Builtin::BI__builtin_shufflevector: 170 return SemaBuiltinShuffleVector(TheCall); 171 // TheCall will be freed by the smart pointer here, but that's fine, since 172 // SemaBuiltinShuffleVector guts it, but then doesn't release it. 173 case Builtin::BI__builtin_prefetch: 174 if (SemaBuiltinPrefetch(TheCall)) 175 return ExprError(); 176 break; 177 case Builtin::BI__builtin_object_size: 178 if (SemaBuiltinObjectSize(TheCall)) 179 return ExprError(); 180 break; 181 case Builtin::BI__builtin_longjmp: 182 if (SemaBuiltinLongjmp(TheCall)) 183 return ExprError(); 184 break; 185 186 case Builtin::BI__builtin_classify_type: 187 if (checkArgCount(*this, TheCall, 1)) return true; 188 TheCall->setType(Context.IntTy); 189 break; 190 case Builtin::BI__builtin_constant_p: 191 if (checkArgCount(*this, TheCall, 1)) return true; 192 TheCall->setType(Context.IntTy); 193 break; 194 case Builtin::BI__sync_fetch_and_add: 195 case Builtin::BI__sync_fetch_and_add_1: 196 case Builtin::BI__sync_fetch_and_add_2: 197 case Builtin::BI__sync_fetch_and_add_4: 198 case Builtin::BI__sync_fetch_and_add_8: 199 case Builtin::BI__sync_fetch_and_add_16: 200 case Builtin::BI__sync_fetch_and_sub: 201 case Builtin::BI__sync_fetch_and_sub_1: 202 case Builtin::BI__sync_fetch_and_sub_2: 203 case Builtin::BI__sync_fetch_and_sub_4: 204 case Builtin::BI__sync_fetch_and_sub_8: 205 case Builtin::BI__sync_fetch_and_sub_16: 206 case Builtin::BI__sync_fetch_and_or: 207 case Builtin::BI__sync_fetch_and_or_1: 208 case Builtin::BI__sync_fetch_and_or_2: 209 case Builtin::BI__sync_fetch_and_or_4: 210 case Builtin::BI__sync_fetch_and_or_8: 211 case Builtin::BI__sync_fetch_and_or_16: 212 case Builtin::BI__sync_fetch_and_and: 213 case Builtin::BI__sync_fetch_and_and_1: 214 case Builtin::BI__sync_fetch_and_and_2: 215 case Builtin::BI__sync_fetch_and_and_4: 216 case Builtin::BI__sync_fetch_and_and_8: 217 case Builtin::BI__sync_fetch_and_and_16: 218 case Builtin::BI__sync_fetch_and_xor: 219 case Builtin::BI__sync_fetch_and_xor_1: 220 case Builtin::BI__sync_fetch_and_xor_2: 221 case Builtin::BI__sync_fetch_and_xor_4: 222 case Builtin::BI__sync_fetch_and_xor_8: 223 case Builtin::BI__sync_fetch_and_xor_16: 224 case Builtin::BI__sync_add_and_fetch: 225 case Builtin::BI__sync_add_and_fetch_1: 226 case Builtin::BI__sync_add_and_fetch_2: 227 case Builtin::BI__sync_add_and_fetch_4: 228 case Builtin::BI__sync_add_and_fetch_8: 229 case Builtin::BI__sync_add_and_fetch_16: 230 case Builtin::BI__sync_sub_and_fetch: 231 case Builtin::BI__sync_sub_and_fetch_1: 232 case Builtin::BI__sync_sub_and_fetch_2: 233 case Builtin::BI__sync_sub_and_fetch_4: 234 case Builtin::BI__sync_sub_and_fetch_8: 235 case Builtin::BI__sync_sub_and_fetch_16: 236 case Builtin::BI__sync_and_and_fetch: 237 case Builtin::BI__sync_and_and_fetch_1: 238 case Builtin::BI__sync_and_and_fetch_2: 239 case Builtin::BI__sync_and_and_fetch_4: 240 case Builtin::BI__sync_and_and_fetch_8: 241 case Builtin::BI__sync_and_and_fetch_16: 242 case Builtin::BI__sync_or_and_fetch: 243 case Builtin::BI__sync_or_and_fetch_1: 244 case Builtin::BI__sync_or_and_fetch_2: 245 case Builtin::BI__sync_or_and_fetch_4: 246 case Builtin::BI__sync_or_and_fetch_8: 247 case Builtin::BI__sync_or_and_fetch_16: 248 case Builtin::BI__sync_xor_and_fetch: 249 case Builtin::BI__sync_xor_and_fetch_1: 250 case Builtin::BI__sync_xor_and_fetch_2: 251 case Builtin::BI__sync_xor_and_fetch_4: 252 case Builtin::BI__sync_xor_and_fetch_8: 253 case Builtin::BI__sync_xor_and_fetch_16: 254 case Builtin::BI__sync_val_compare_and_swap: 255 case Builtin::BI__sync_val_compare_and_swap_1: 256 case Builtin::BI__sync_val_compare_and_swap_2: 257 case Builtin::BI__sync_val_compare_and_swap_4: 258 case Builtin::BI__sync_val_compare_and_swap_8: 259 case Builtin::BI__sync_val_compare_and_swap_16: 260 case Builtin::BI__sync_bool_compare_and_swap: 261 case Builtin::BI__sync_bool_compare_and_swap_1: 262 case Builtin::BI__sync_bool_compare_and_swap_2: 263 case Builtin::BI__sync_bool_compare_and_swap_4: 264 case Builtin::BI__sync_bool_compare_and_swap_8: 265 case Builtin::BI__sync_bool_compare_and_swap_16: 266 case Builtin::BI__sync_lock_test_and_set: 267 case Builtin::BI__sync_lock_test_and_set_1: 268 case Builtin::BI__sync_lock_test_and_set_2: 269 case Builtin::BI__sync_lock_test_and_set_4: 270 case Builtin::BI__sync_lock_test_and_set_8: 271 case Builtin::BI__sync_lock_test_and_set_16: 272 case Builtin::BI__sync_lock_release: 273 case Builtin::BI__sync_lock_release_1: 274 case Builtin::BI__sync_lock_release_2: 275 case Builtin::BI__sync_lock_release_4: 276 case Builtin::BI__sync_lock_release_8: 277 case Builtin::BI__sync_lock_release_16: 278 case Builtin::BI__sync_swap: 279 case Builtin::BI__sync_swap_1: 280 case Builtin::BI__sync_swap_2: 281 case Builtin::BI__sync_swap_4: 282 case Builtin::BI__sync_swap_8: 283 case Builtin::BI__sync_swap_16: 284 return SemaBuiltinAtomicOverloaded(TheCallResult); 285#define BUILTIN(ID, TYPE, ATTRS) 286#define ATOMIC_BUILTIN(ID, TYPE, ATTRS) \ 287 case Builtin::BI##ID: \ 288 return SemaAtomicOpsOverloaded(TheCallResult, AtomicExpr::AO##ID); 289#include "clang/Basic/Builtins.def" 290 case Builtin::BI__builtin_annotation: 291 if (SemaBuiltinAnnotation(*this, TheCall)) 292 return ExprError(); 293 break; 294 case Builtin::BI__builtin_addressof: 295 if (SemaBuiltinAddressof(*this, TheCall)) 296 return ExprError(); 297 break; 298 } 299 300 // Since the target specific builtins for each arch overlap, only check those 301 // of the arch we are compiling for. 302 if (BuiltinID >= Builtin::FirstTSBuiltin) { 303 switch (Context.getTargetInfo().getTriple().getArch()) { 304 case llvm::Triple::arm: 305 case llvm::Triple::thumb: 306 if (CheckARMBuiltinFunctionCall(BuiltinID, TheCall)) 307 return ExprError(); 308 break; 309 case llvm::Triple::aarch64: 310 if (CheckAArch64BuiltinFunctionCall(BuiltinID, TheCall)) 311 return ExprError(); 312 break; 313 case llvm::Triple::mips: 314 case llvm::Triple::mipsel: 315 case llvm::Triple::mips64: 316 case llvm::Triple::mips64el: 317 if (CheckMipsBuiltinFunctionCall(BuiltinID, TheCall)) 318 return ExprError(); 319 break; 320 default: 321 break; 322 } 323 } 324 325 return TheCallResult; 326} 327 328// Get the valid immediate range for the specified NEON type code. 329static unsigned RFT(unsigned t, bool shift = false) { 330 NeonTypeFlags Type(t); 331 int IsQuad = Type.isQuad(); 332 switch (Type.getEltType()) { 333 case NeonTypeFlags::Int8: 334 case NeonTypeFlags::Poly8: 335 return shift ? 7 : (8 << IsQuad) - 1; 336 case NeonTypeFlags::Int16: 337 case NeonTypeFlags::Poly16: 338 return shift ? 15 : (4 << IsQuad) - 1; 339 case NeonTypeFlags::Int32: 340 return shift ? 31 : (2 << IsQuad) - 1; 341 case NeonTypeFlags::Int64: 342 return shift ? 63 : (1 << IsQuad) - 1; 343 case NeonTypeFlags::Float16: 344 assert(!shift && "cannot shift float types!"); 345 return (4 << IsQuad) - 1; 346 case NeonTypeFlags::Float32: 347 assert(!shift && "cannot shift float types!"); 348 return (2 << IsQuad) - 1; 349 case NeonTypeFlags::Float64: 350 assert(!shift && "cannot shift float types!"); 351 return (1 << IsQuad) - 1; 352 } 353 llvm_unreachable("Invalid NeonTypeFlag!"); 354} 355 356/// getNeonEltType - Return the QualType corresponding to the elements of 357/// the vector type specified by the NeonTypeFlags. This is used to check 358/// the pointer arguments for Neon load/store intrinsics. 359static QualType getNeonEltType(NeonTypeFlags Flags, ASTContext &Context) { 360 switch (Flags.getEltType()) { 361 case NeonTypeFlags::Int8: 362 return Flags.isUnsigned() ? Context.UnsignedCharTy : Context.SignedCharTy; 363 case NeonTypeFlags::Int16: 364 return Flags.isUnsigned() ? Context.UnsignedShortTy : Context.ShortTy; 365 case NeonTypeFlags::Int32: 366 return Flags.isUnsigned() ? Context.UnsignedIntTy : Context.IntTy; 367 case NeonTypeFlags::Int64: 368 return Flags.isUnsigned() ? Context.UnsignedLongLongTy : Context.LongLongTy; 369 case NeonTypeFlags::Poly8: 370 return Context.SignedCharTy; 371 case NeonTypeFlags::Poly16: 372 return Context.ShortTy; 373 case NeonTypeFlags::Float16: 374 return Context.UnsignedShortTy; 375 case NeonTypeFlags::Float32: 376 return Context.FloatTy; 377 case NeonTypeFlags::Float64: 378 return Context.DoubleTy; 379 } 380 llvm_unreachable("Invalid NeonTypeFlag!"); 381} 382 383bool Sema::CheckAArch64BuiltinFunctionCall(unsigned BuiltinID, 384 CallExpr *TheCall) { 385 386 llvm::APSInt Result; 387 388 uint64_t mask = 0; 389 unsigned TV = 0; 390 int PtrArgNum = -1; 391 bool HasConstPtr = false; 392 switch (BuiltinID) { 393#define GET_NEON_AARCH64_OVERLOAD_CHECK 394#include "clang/Basic/arm_neon.inc" 395#undef GET_NEON_AARCH64_OVERLOAD_CHECK 396 } 397 398 // For NEON intrinsics which are overloaded on vector element type, validate 399 // the immediate which specifies which variant to emit. 400 unsigned ImmArg = TheCall->getNumArgs() - 1; 401 if (mask) { 402 if (SemaBuiltinConstantArg(TheCall, ImmArg, Result)) 403 return true; 404 405 TV = Result.getLimitedValue(64); 406 if ((TV > 63) || (mask & (1ULL << TV)) == 0) 407 return Diag(TheCall->getLocStart(), diag::err_invalid_neon_type_code) 408 << TheCall->getArg(ImmArg)->getSourceRange(); 409 } 410 411 if (PtrArgNum >= 0) { 412 // Check that pointer arguments have the specified type. 413 Expr *Arg = TheCall->getArg(PtrArgNum); 414 if (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Arg)) 415 Arg = ICE->getSubExpr(); 416 ExprResult RHS = DefaultFunctionArrayLvalueConversion(Arg); 417 QualType RHSTy = RHS.get()->getType(); 418 QualType EltTy = getNeonEltType(NeonTypeFlags(TV), Context); 419 if (HasConstPtr) 420 EltTy = EltTy.withConst(); 421 QualType LHSTy = Context.getPointerType(EltTy); 422 AssignConvertType ConvTy; 423 ConvTy = CheckSingleAssignmentConstraints(LHSTy, RHS); 424 if (RHS.isInvalid()) 425 return true; 426 if (DiagnoseAssignmentResult(ConvTy, Arg->getLocStart(), LHSTy, RHSTy, 427 RHS.get(), AA_Assigning)) 428 return true; 429 } 430 431 // For NEON intrinsics which take an immediate value as part of the 432 // instruction, range check them here. 433 unsigned i = 0, l = 0, u = 0; 434 switch (BuiltinID) { 435 default: 436 return false; 437#define GET_NEON_AARCH64_IMMEDIATE_CHECK 438#include "clang/Basic/arm_neon.inc" 439#undef GET_NEON_AARCH64_IMMEDIATE_CHECK 440 } 441 ; 442 443 // We can't check the value of a dependent argument. 444 if (TheCall->getArg(i)->isTypeDependent() || 445 TheCall->getArg(i)->isValueDependent()) 446 return false; 447 448 // Check that the immediate argument is actually a constant. 449 if (SemaBuiltinConstantArg(TheCall, i, Result)) 450 return true; 451 452 // Range check against the upper/lower values for this isntruction. 453 unsigned Val = Result.getZExtValue(); 454 if (Val < l || Val > (u + l)) 455 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 456 << l << u + l << TheCall->getArg(i)->getSourceRange(); 457 458 return false; 459} 460 461bool Sema::CheckARMBuiltinExclusiveCall(unsigned BuiltinID, CallExpr *TheCall) { 462 assert((BuiltinID == ARM::BI__builtin_arm_ldrex || 463 BuiltinID == ARM::BI__builtin_arm_strex) && 464 "unexpected ARM builtin"); 465 bool IsLdrex = BuiltinID == ARM::BI__builtin_arm_ldrex; 466 467 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 468 469 // Ensure that we have the proper number of arguments. 470 if (checkArgCount(*this, TheCall, IsLdrex ? 1 : 2)) 471 return true; 472 473 // Inspect the pointer argument of the atomic builtin. This should always be 474 // a pointer type, whose element is an integral scalar or pointer type. 475 // Because it is a pointer type, we don't have to worry about any implicit 476 // casts here. 477 Expr *PointerArg = TheCall->getArg(IsLdrex ? 0 : 1); 478 ExprResult PointerArgRes = DefaultFunctionArrayLvalueConversion(PointerArg); 479 if (PointerArgRes.isInvalid()) 480 return true; 481 PointerArg = PointerArgRes.take(); 482 483 const PointerType *pointerType = PointerArg->getType()->getAs<PointerType>(); 484 if (!pointerType) { 485 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 486 << PointerArg->getType() << PointerArg->getSourceRange(); 487 return true; 488 } 489 490 // ldrex takes a "const volatile T*" and strex takes a "volatile T*". Our next 491 // task is to insert the appropriate casts into the AST. First work out just 492 // what the appropriate type is. 493 QualType ValType = pointerType->getPointeeType(); 494 QualType AddrType = ValType.getUnqualifiedType().withVolatile(); 495 if (IsLdrex) 496 AddrType.addConst(); 497 498 // Issue a warning if the cast is dodgy. 499 CastKind CastNeeded = CK_NoOp; 500 if (!AddrType.isAtLeastAsQualifiedAs(ValType)) { 501 CastNeeded = CK_BitCast; 502 Diag(DRE->getLocStart(), diag::ext_typecheck_convert_discards_qualifiers) 503 << PointerArg->getType() 504 << Context.getPointerType(AddrType) 505 << AA_Passing << PointerArg->getSourceRange(); 506 } 507 508 // Finally, do the cast and replace the argument with the corrected version. 509 AddrType = Context.getPointerType(AddrType); 510 PointerArgRes = ImpCastExprToType(PointerArg, AddrType, CastNeeded); 511 if (PointerArgRes.isInvalid()) 512 return true; 513 PointerArg = PointerArgRes.take(); 514 515 TheCall->setArg(IsLdrex ? 0 : 1, PointerArg); 516 517 // In general, we allow ints, floats and pointers to be loaded and stored. 518 if (!ValType->isIntegerType() && !ValType->isAnyPointerType() && 519 !ValType->isBlockPointerType() && !ValType->isFloatingType()) { 520 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer_intfltptr) 521 << PointerArg->getType() << PointerArg->getSourceRange(); 522 return true; 523 } 524 525 // But ARM doesn't have instructions to deal with 128-bit versions. 526 if (Context.getTypeSize(ValType) > 64) { 527 Diag(DRE->getLocStart(), diag::err_atomic_exclusive_builtin_pointer_size) 528 << PointerArg->getType() << PointerArg->getSourceRange(); 529 return true; 530 } 531 532 switch (ValType.getObjCLifetime()) { 533 case Qualifiers::OCL_None: 534 case Qualifiers::OCL_ExplicitNone: 535 // okay 536 break; 537 538 case Qualifiers::OCL_Weak: 539 case Qualifiers::OCL_Strong: 540 case Qualifiers::OCL_Autoreleasing: 541 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 542 << ValType << PointerArg->getSourceRange(); 543 return true; 544 } 545 546 547 if (IsLdrex) { 548 TheCall->setType(ValType); 549 return false; 550 } 551 552 // Initialize the argument to be stored. 553 ExprResult ValArg = TheCall->getArg(0); 554 InitializedEntity Entity = InitializedEntity::InitializeParameter( 555 Context, ValType, /*consume*/ false); 556 ValArg = PerformCopyInitialization(Entity, SourceLocation(), ValArg); 557 if (ValArg.isInvalid()) 558 return true; 559 TheCall->setArg(0, ValArg.get()); 560 561 // __builtin_arm_strex always returns an int. It's marked as such in the .def, 562 // but the custom checker bypasses all default analysis. 563 TheCall->setType(Context.IntTy); 564 return false; 565} 566 567bool Sema::CheckARMBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 568 llvm::APSInt Result; 569 570 if (BuiltinID == ARM::BI__builtin_arm_ldrex || 571 BuiltinID == ARM::BI__builtin_arm_strex) { 572 return CheckARMBuiltinExclusiveCall(BuiltinID, TheCall); 573 } 574 575 uint64_t mask = 0; 576 unsigned TV = 0; 577 int PtrArgNum = -1; 578 bool HasConstPtr = false; 579 switch (BuiltinID) { 580#define GET_NEON_OVERLOAD_CHECK 581#include "clang/Basic/arm_neon.inc" 582#undef GET_NEON_OVERLOAD_CHECK 583 } 584 585 // For NEON intrinsics which are overloaded on vector element type, validate 586 // the immediate which specifies which variant to emit. 587 unsigned ImmArg = TheCall->getNumArgs()-1; 588 if (mask) { 589 if (SemaBuiltinConstantArg(TheCall, ImmArg, Result)) 590 return true; 591 592 TV = Result.getLimitedValue(64); 593 if ((TV > 63) || (mask & (1ULL << TV)) == 0) 594 return Diag(TheCall->getLocStart(), diag::err_invalid_neon_type_code) 595 << TheCall->getArg(ImmArg)->getSourceRange(); 596 } 597 598 if (PtrArgNum >= 0) { 599 // Check that pointer arguments have the specified type. 600 Expr *Arg = TheCall->getArg(PtrArgNum); 601 if (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Arg)) 602 Arg = ICE->getSubExpr(); 603 ExprResult RHS = DefaultFunctionArrayLvalueConversion(Arg); 604 QualType RHSTy = RHS.get()->getType(); 605 QualType EltTy = getNeonEltType(NeonTypeFlags(TV), Context); 606 if (HasConstPtr) 607 EltTy = EltTy.withConst(); 608 QualType LHSTy = Context.getPointerType(EltTy); 609 AssignConvertType ConvTy; 610 ConvTy = CheckSingleAssignmentConstraints(LHSTy, RHS); 611 if (RHS.isInvalid()) 612 return true; 613 if (DiagnoseAssignmentResult(ConvTy, Arg->getLocStart(), LHSTy, RHSTy, 614 RHS.get(), AA_Assigning)) 615 return true; 616 } 617 618 // For NEON intrinsics which take an immediate value as part of the 619 // instruction, range check them here. 620 unsigned i = 0, l = 0, u = 0; 621 switch (BuiltinID) { 622 default: return false; 623 case ARM::BI__builtin_arm_ssat: i = 1; l = 1; u = 31; break; 624 case ARM::BI__builtin_arm_usat: i = 1; u = 31; break; 625 case ARM::BI__builtin_arm_vcvtr_f: 626 case ARM::BI__builtin_arm_vcvtr_d: i = 1; u = 1; break; 627 case ARM::BI__builtin_arm_dmb: 628 case ARM::BI__builtin_arm_dsb: l = 0; u = 15; break; 629#define GET_NEON_IMMEDIATE_CHECK 630#include "clang/Basic/arm_neon.inc" 631#undef GET_NEON_IMMEDIATE_CHECK 632 }; 633 634 // We can't check the value of a dependent argument. 635 if (TheCall->getArg(i)->isTypeDependent() || 636 TheCall->getArg(i)->isValueDependent()) 637 return false; 638 639 // Check that the immediate argument is actually a constant. 640 if (SemaBuiltinConstantArg(TheCall, i, Result)) 641 return true; 642 643 // Range check against the upper/lower values for this isntruction. 644 unsigned Val = Result.getZExtValue(); 645 if (Val < l || Val > (u + l)) 646 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 647 << l << u+l << TheCall->getArg(i)->getSourceRange(); 648 649 // FIXME: VFP Intrinsics should error if VFP not present. 650 return false; 651} 652 653bool Sema::CheckMipsBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 654 unsigned i = 0, l = 0, u = 0; 655 switch (BuiltinID) { 656 default: return false; 657 case Mips::BI__builtin_mips_wrdsp: i = 1; l = 0; u = 63; break; 658 case Mips::BI__builtin_mips_rddsp: i = 0; l = 0; u = 63; break; 659 case Mips::BI__builtin_mips_append: i = 2; l = 0; u = 31; break; 660 case Mips::BI__builtin_mips_balign: i = 2; l = 0; u = 3; break; 661 case Mips::BI__builtin_mips_precr_sra_ph_w: i = 2; l = 0; u = 31; break; 662 case Mips::BI__builtin_mips_precr_sra_r_ph_w: i = 2; l = 0; u = 31; break; 663 case Mips::BI__builtin_mips_prepend: i = 2; l = 0; u = 31; break; 664 }; 665 666 // We can't check the value of a dependent argument. 667 if (TheCall->getArg(i)->isTypeDependent() || 668 TheCall->getArg(i)->isValueDependent()) 669 return false; 670 671 // Check that the immediate argument is actually a constant. 672 llvm::APSInt Result; 673 if (SemaBuiltinConstantArg(TheCall, i, Result)) 674 return true; 675 676 // Range check against the upper/lower values for this instruction. 677 unsigned Val = Result.getZExtValue(); 678 if (Val < l || Val > u) 679 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 680 << l << u << TheCall->getArg(i)->getSourceRange(); 681 682 return false; 683} 684 685/// Given a FunctionDecl's FormatAttr, attempts to populate the FomatStringInfo 686/// parameter with the FormatAttr's correct format_idx and firstDataArg. 687/// Returns true when the format fits the function and the FormatStringInfo has 688/// been populated. 689bool Sema::getFormatStringInfo(const FormatAttr *Format, bool IsCXXMember, 690 FormatStringInfo *FSI) { 691 FSI->HasVAListArg = Format->getFirstArg() == 0; 692 FSI->FormatIdx = Format->getFormatIdx() - 1; 693 FSI->FirstDataArg = FSI->HasVAListArg ? 0 : Format->getFirstArg() - 1; 694 695 // The way the format attribute works in GCC, the implicit this argument 696 // of member functions is counted. However, it doesn't appear in our own 697 // lists, so decrement format_idx in that case. 698 if (IsCXXMember) { 699 if(FSI->FormatIdx == 0) 700 return false; 701 --FSI->FormatIdx; 702 if (FSI->FirstDataArg != 0) 703 --FSI->FirstDataArg; 704 } 705 return true; 706} 707 708/// Handles the checks for format strings, non-POD arguments to vararg 709/// functions, and NULL arguments passed to non-NULL parameters. 710void Sema::checkCall(NamedDecl *FDecl, 711 ArrayRef<const Expr *> Args, 712 unsigned NumProtoArgs, 713 bool IsMemberFunction, 714 SourceLocation Loc, 715 SourceRange Range, 716 VariadicCallType CallType) { 717 // FIXME: We should check as much as we can in the template definition. 718 if (CurContext->isDependentContext()) 719 return; 720 721 // Printf and scanf checking. 722 llvm::SmallBitVector CheckedVarArgs; 723 if (FDecl) { 724 for (specific_attr_iterator<FormatAttr> 725 I = FDecl->specific_attr_begin<FormatAttr>(), 726 E = FDecl->specific_attr_end<FormatAttr>(); 727 I != E; ++I) { 728 // Only create vector if there are format attributes. 729 CheckedVarArgs.resize(Args.size()); 730 731 CheckFormatArguments(*I, Args, IsMemberFunction, CallType, Loc, Range, 732 CheckedVarArgs); 733 } 734 } 735 736 // Refuse POD arguments that weren't caught by the format string 737 // checks above. 738 if (CallType != VariadicDoesNotApply) { 739 for (unsigned ArgIdx = NumProtoArgs; ArgIdx < Args.size(); ++ArgIdx) { 740 // Args[ArgIdx] can be null in malformed code. 741 if (const Expr *Arg = Args[ArgIdx]) { 742 if (CheckedVarArgs.empty() || !CheckedVarArgs[ArgIdx]) 743 checkVariadicArgument(Arg, CallType); 744 } 745 } 746 } 747 748 if (FDecl) { 749 for (specific_attr_iterator<NonNullAttr> 750 I = FDecl->specific_attr_begin<NonNullAttr>(), 751 E = FDecl->specific_attr_end<NonNullAttr>(); I != E; ++I) 752 CheckNonNullArguments(*I, Args.data(), Loc); 753 754 // Type safety checking. 755 for (specific_attr_iterator<ArgumentWithTypeTagAttr> 756 i = FDecl->specific_attr_begin<ArgumentWithTypeTagAttr>(), 757 e = FDecl->specific_attr_end<ArgumentWithTypeTagAttr>(); 758 i != e; ++i) { 759 CheckArgumentWithTypeTag(*i, Args.data()); 760 } 761 } 762} 763 764/// CheckConstructorCall - Check a constructor call for correctness and safety 765/// properties not enforced by the C type system. 766void Sema::CheckConstructorCall(FunctionDecl *FDecl, 767 ArrayRef<const Expr *> Args, 768 const FunctionProtoType *Proto, 769 SourceLocation Loc) { 770 VariadicCallType CallType = 771 Proto->isVariadic() ? VariadicConstructor : VariadicDoesNotApply; 772 checkCall(FDecl, Args, Proto->getNumArgs(), 773 /*IsMemberFunction=*/true, Loc, SourceRange(), CallType); 774} 775 776/// CheckFunctionCall - Check a direct function call for various correctness 777/// and safety properties not strictly enforced by the C type system. 778bool Sema::CheckFunctionCall(FunctionDecl *FDecl, CallExpr *TheCall, 779 const FunctionProtoType *Proto) { 780 bool IsMemberOperatorCall = isa<CXXOperatorCallExpr>(TheCall) && 781 isa<CXXMethodDecl>(FDecl); 782 bool IsMemberFunction = isa<CXXMemberCallExpr>(TheCall) || 783 IsMemberOperatorCall; 784 VariadicCallType CallType = getVariadicCallType(FDecl, Proto, 785 TheCall->getCallee()); 786 unsigned NumProtoArgs = Proto ? Proto->getNumArgs() : 0; 787 Expr** Args = TheCall->getArgs(); 788 unsigned NumArgs = TheCall->getNumArgs(); 789 if (IsMemberOperatorCall) { 790 // If this is a call to a member operator, hide the first argument 791 // from checkCall. 792 // FIXME: Our choice of AST representation here is less than ideal. 793 ++Args; 794 --NumArgs; 795 } 796 checkCall(FDecl, llvm::makeArrayRef<const Expr *>(Args, NumArgs), 797 NumProtoArgs, 798 IsMemberFunction, TheCall->getRParenLoc(), 799 TheCall->getCallee()->getSourceRange(), CallType); 800 801 IdentifierInfo *FnInfo = FDecl->getIdentifier(); 802 // None of the checks below are needed for functions that don't have 803 // simple names (e.g., C++ conversion functions). 804 if (!FnInfo) 805 return false; 806 807 unsigned CMId = FDecl->getMemoryFunctionKind(); 808 if (CMId == 0) 809 return false; 810 811 // Handle memory setting and copying functions. 812 if (CMId == Builtin::BIstrlcpy || CMId == Builtin::BIstrlcat) 813 CheckStrlcpycatArguments(TheCall, FnInfo); 814 else if (CMId == Builtin::BIstrncat) 815 CheckStrncatArguments(TheCall, FnInfo); 816 else 817 CheckMemaccessArguments(TheCall, CMId, FnInfo); 818 819 return false; 820} 821 822bool Sema::CheckObjCMethodCall(ObjCMethodDecl *Method, SourceLocation lbrac, 823 ArrayRef<const Expr *> Args) { 824 VariadicCallType CallType = 825 Method->isVariadic() ? VariadicMethod : VariadicDoesNotApply; 826 827 checkCall(Method, Args, Method->param_size(), 828 /*IsMemberFunction=*/false, 829 lbrac, Method->getSourceRange(), CallType); 830 831 return false; 832} 833 834bool Sema::CheckPointerCall(NamedDecl *NDecl, CallExpr *TheCall, 835 const FunctionProtoType *Proto) { 836 const VarDecl *V = dyn_cast<VarDecl>(NDecl); 837 if (!V) 838 return false; 839 840 QualType Ty = V->getType(); 841 if (!Ty->isBlockPointerType() && !Ty->isFunctionPointerType()) 842 return false; 843 844 VariadicCallType CallType; 845 if (!Proto || !Proto->isVariadic()) { 846 CallType = VariadicDoesNotApply; 847 } else if (Ty->isBlockPointerType()) { 848 CallType = VariadicBlock; 849 } else { // Ty->isFunctionPointerType() 850 CallType = VariadicFunction; 851 } 852 unsigned NumProtoArgs = Proto ? Proto->getNumArgs() : 0; 853 854 checkCall(NDecl, 855 llvm::makeArrayRef<const Expr *>(TheCall->getArgs(), 856 TheCall->getNumArgs()), 857 NumProtoArgs, /*IsMemberFunction=*/false, 858 TheCall->getRParenLoc(), 859 TheCall->getCallee()->getSourceRange(), CallType); 860 861 return false; 862} 863 864/// Checks function calls when a FunctionDecl or a NamedDecl is not available, 865/// such as function pointers returned from functions. 866bool Sema::CheckOtherCall(CallExpr *TheCall, const FunctionProtoType *Proto) { 867 VariadicCallType CallType = getVariadicCallType(/*FDecl=*/0, Proto, 868 TheCall->getCallee()); 869 unsigned NumProtoArgs = Proto ? Proto->getNumArgs() : 0; 870 871 checkCall(/*FDecl=*/0, 872 llvm::makeArrayRef<const Expr *>(TheCall->getArgs(), 873 TheCall->getNumArgs()), 874 NumProtoArgs, /*IsMemberFunction=*/false, 875 TheCall->getRParenLoc(), 876 TheCall->getCallee()->getSourceRange(), CallType); 877 878 return false; 879} 880 881ExprResult Sema::SemaAtomicOpsOverloaded(ExprResult TheCallResult, 882 AtomicExpr::AtomicOp Op) { 883 CallExpr *TheCall = cast<CallExpr>(TheCallResult.get()); 884 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 885 886 // All these operations take one of the following forms: 887 enum { 888 // C __c11_atomic_init(A *, C) 889 Init, 890 // C __c11_atomic_load(A *, int) 891 Load, 892 // void __atomic_load(A *, CP, int) 893 Copy, 894 // C __c11_atomic_add(A *, M, int) 895 Arithmetic, 896 // C __atomic_exchange_n(A *, CP, int) 897 Xchg, 898 // void __atomic_exchange(A *, C *, CP, int) 899 GNUXchg, 900 // bool __c11_atomic_compare_exchange_strong(A *, C *, CP, int, int) 901 C11CmpXchg, 902 // bool __atomic_compare_exchange(A *, C *, CP, bool, int, int) 903 GNUCmpXchg 904 } Form = Init; 905 const unsigned NumArgs[] = { 2, 2, 3, 3, 3, 4, 5, 6 }; 906 const unsigned NumVals[] = { 1, 0, 1, 1, 1, 2, 2, 3 }; 907 // where: 908 // C is an appropriate type, 909 // A is volatile _Atomic(C) for __c11 builtins and is C for GNU builtins, 910 // CP is C for __c11 builtins and GNU _n builtins and is C * otherwise, 911 // M is C if C is an integer, and ptrdiff_t if C is a pointer, and 912 // the int parameters are for orderings. 913 914 assert(AtomicExpr::AO__c11_atomic_init == 0 && 915 AtomicExpr::AO__c11_atomic_fetch_xor + 1 == AtomicExpr::AO__atomic_load 916 && "need to update code for modified C11 atomics"); 917 bool IsC11 = Op >= AtomicExpr::AO__c11_atomic_init && 918 Op <= AtomicExpr::AO__c11_atomic_fetch_xor; 919 bool IsN = Op == AtomicExpr::AO__atomic_load_n || 920 Op == AtomicExpr::AO__atomic_store_n || 921 Op == AtomicExpr::AO__atomic_exchange_n || 922 Op == AtomicExpr::AO__atomic_compare_exchange_n; 923 bool IsAddSub = false; 924 925 switch (Op) { 926 case AtomicExpr::AO__c11_atomic_init: 927 Form = Init; 928 break; 929 930 case AtomicExpr::AO__c11_atomic_load: 931 case AtomicExpr::AO__atomic_load_n: 932 Form = Load; 933 break; 934 935 case AtomicExpr::AO__c11_atomic_store: 936 case AtomicExpr::AO__atomic_load: 937 case AtomicExpr::AO__atomic_store: 938 case AtomicExpr::AO__atomic_store_n: 939 Form = Copy; 940 break; 941 942 case AtomicExpr::AO__c11_atomic_fetch_add: 943 case AtomicExpr::AO__c11_atomic_fetch_sub: 944 case AtomicExpr::AO__atomic_fetch_add: 945 case AtomicExpr::AO__atomic_fetch_sub: 946 case AtomicExpr::AO__atomic_add_fetch: 947 case AtomicExpr::AO__atomic_sub_fetch: 948 IsAddSub = true; 949 // Fall through. 950 case AtomicExpr::AO__c11_atomic_fetch_and: 951 case AtomicExpr::AO__c11_atomic_fetch_or: 952 case AtomicExpr::AO__c11_atomic_fetch_xor: 953 case AtomicExpr::AO__atomic_fetch_and: 954 case AtomicExpr::AO__atomic_fetch_or: 955 case AtomicExpr::AO__atomic_fetch_xor: 956 case AtomicExpr::AO__atomic_fetch_nand: 957 case AtomicExpr::AO__atomic_and_fetch: 958 case AtomicExpr::AO__atomic_or_fetch: 959 case AtomicExpr::AO__atomic_xor_fetch: 960 case AtomicExpr::AO__atomic_nand_fetch: 961 Form = Arithmetic; 962 break; 963 964 case AtomicExpr::AO__c11_atomic_exchange: 965 case AtomicExpr::AO__atomic_exchange_n: 966 Form = Xchg; 967 break; 968 969 case AtomicExpr::AO__atomic_exchange: 970 Form = GNUXchg; 971 break; 972 973 case AtomicExpr::AO__c11_atomic_compare_exchange_strong: 974 case AtomicExpr::AO__c11_atomic_compare_exchange_weak: 975 Form = C11CmpXchg; 976 break; 977 978 case AtomicExpr::AO__atomic_compare_exchange: 979 case AtomicExpr::AO__atomic_compare_exchange_n: 980 Form = GNUCmpXchg; 981 break; 982 } 983 984 // Check we have the right number of arguments. 985 if (TheCall->getNumArgs() < NumArgs[Form]) { 986 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 987 << 0 << NumArgs[Form] << TheCall->getNumArgs() 988 << TheCall->getCallee()->getSourceRange(); 989 return ExprError(); 990 } else if (TheCall->getNumArgs() > NumArgs[Form]) { 991 Diag(TheCall->getArg(NumArgs[Form])->getLocStart(), 992 diag::err_typecheck_call_too_many_args) 993 << 0 << NumArgs[Form] << TheCall->getNumArgs() 994 << TheCall->getCallee()->getSourceRange(); 995 return ExprError(); 996 } 997 998 // Inspect the first argument of the atomic operation. 999 Expr *Ptr = TheCall->getArg(0); 1000 Ptr = DefaultFunctionArrayLvalueConversion(Ptr).get(); 1001 const PointerType *pointerType = Ptr->getType()->getAs<PointerType>(); 1002 if (!pointerType) { 1003 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 1004 << Ptr->getType() << Ptr->getSourceRange(); 1005 return ExprError(); 1006 } 1007 1008 // For a __c11 builtin, this should be a pointer to an _Atomic type. 1009 QualType AtomTy = pointerType->getPointeeType(); // 'A' 1010 QualType ValType = AtomTy; // 'C' 1011 if (IsC11) { 1012 if (!AtomTy->isAtomicType()) { 1013 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic) 1014 << Ptr->getType() << Ptr->getSourceRange(); 1015 return ExprError(); 1016 } 1017 if (AtomTy.isConstQualified()) { 1018 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_non_const_atomic) 1019 << Ptr->getType() << Ptr->getSourceRange(); 1020 return ExprError(); 1021 } 1022 ValType = AtomTy->getAs<AtomicType>()->getValueType(); 1023 } 1024 1025 // For an arithmetic operation, the implied arithmetic must be well-formed. 1026 if (Form == Arithmetic) { 1027 // gcc does not enforce these rules for GNU atomics, but we do so for sanity. 1028 if (IsAddSub && !ValType->isIntegerType() && !ValType->isPointerType()) { 1029 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic_int_or_ptr) 1030 << IsC11 << Ptr->getType() << Ptr->getSourceRange(); 1031 return ExprError(); 1032 } 1033 if (!IsAddSub && !ValType->isIntegerType()) { 1034 Diag(DRE->getLocStart(), diag::err_atomic_op_bitwise_needs_atomic_int) 1035 << IsC11 << Ptr->getType() << Ptr->getSourceRange(); 1036 return ExprError(); 1037 } 1038 } else if (IsN && !ValType->isIntegerType() && !ValType->isPointerType()) { 1039 // For __atomic_*_n operations, the value type must be a scalar integral or 1040 // pointer type which is 1, 2, 4, 8 or 16 bytes in length. 1041 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic_int_or_ptr) 1042 << IsC11 << Ptr->getType() << Ptr->getSourceRange(); 1043 return ExprError(); 1044 } 1045 1046 if (!IsC11 && !AtomTy.isTriviallyCopyableType(Context) && 1047 !AtomTy->isScalarType()) { 1048 // For GNU atomics, require a trivially-copyable type. This is not part of 1049 // the GNU atomics specification, but we enforce it for sanity. 1050 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_trivial_copy) 1051 << Ptr->getType() << Ptr->getSourceRange(); 1052 return ExprError(); 1053 } 1054 1055 // FIXME: For any builtin other than a load, the ValType must not be 1056 // const-qualified. 1057 1058 switch (ValType.getObjCLifetime()) { 1059 case Qualifiers::OCL_None: 1060 case Qualifiers::OCL_ExplicitNone: 1061 // okay 1062 break; 1063 1064 case Qualifiers::OCL_Weak: 1065 case Qualifiers::OCL_Strong: 1066 case Qualifiers::OCL_Autoreleasing: 1067 // FIXME: Can this happen? By this point, ValType should be known 1068 // to be trivially copyable. 1069 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 1070 << ValType << Ptr->getSourceRange(); 1071 return ExprError(); 1072 } 1073 1074 QualType ResultType = ValType; 1075 if (Form == Copy || Form == GNUXchg || Form == Init) 1076 ResultType = Context.VoidTy; 1077 else if (Form == C11CmpXchg || Form == GNUCmpXchg) 1078 ResultType = Context.BoolTy; 1079 1080 // The type of a parameter passed 'by value'. In the GNU atomics, such 1081 // arguments are actually passed as pointers. 1082 QualType ByValType = ValType; // 'CP' 1083 if (!IsC11 && !IsN) 1084 ByValType = Ptr->getType(); 1085 1086 // The first argument --- the pointer --- has a fixed type; we 1087 // deduce the types of the rest of the arguments accordingly. Walk 1088 // the remaining arguments, converting them to the deduced value type. 1089 for (unsigned i = 1; i != NumArgs[Form]; ++i) { 1090 QualType Ty; 1091 if (i < NumVals[Form] + 1) { 1092 switch (i) { 1093 case 1: 1094 // The second argument is the non-atomic operand. For arithmetic, this 1095 // is always passed by value, and for a compare_exchange it is always 1096 // passed by address. For the rest, GNU uses by-address and C11 uses 1097 // by-value. 1098 assert(Form != Load); 1099 if (Form == Init || (Form == Arithmetic && ValType->isIntegerType())) 1100 Ty = ValType; 1101 else if (Form == Copy || Form == Xchg) 1102 Ty = ByValType; 1103 else if (Form == Arithmetic) 1104 Ty = Context.getPointerDiffType(); 1105 else 1106 Ty = Context.getPointerType(ValType.getUnqualifiedType()); 1107 break; 1108 case 2: 1109 // The third argument to compare_exchange / GNU exchange is a 1110 // (pointer to a) desired value. 1111 Ty = ByValType; 1112 break; 1113 case 3: 1114 // The fourth argument to GNU compare_exchange is a 'weak' flag. 1115 Ty = Context.BoolTy; 1116 break; 1117 } 1118 } else { 1119 // The order(s) are always converted to int. 1120 Ty = Context.IntTy; 1121 } 1122 1123 InitializedEntity Entity = 1124 InitializedEntity::InitializeParameter(Context, Ty, false); 1125 ExprResult Arg = TheCall->getArg(i); 1126 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg); 1127 if (Arg.isInvalid()) 1128 return true; 1129 TheCall->setArg(i, Arg.get()); 1130 } 1131 1132 // Permute the arguments into a 'consistent' order. 1133 SmallVector<Expr*, 5> SubExprs; 1134 SubExprs.push_back(Ptr); 1135 switch (Form) { 1136 case Init: 1137 // Note, AtomicExpr::getVal1() has a special case for this atomic. 1138 SubExprs.push_back(TheCall->getArg(1)); // Val1 1139 break; 1140 case Load: 1141 SubExprs.push_back(TheCall->getArg(1)); // Order 1142 break; 1143 case Copy: 1144 case Arithmetic: 1145 case Xchg: 1146 SubExprs.push_back(TheCall->getArg(2)); // Order 1147 SubExprs.push_back(TheCall->getArg(1)); // Val1 1148 break; 1149 case GNUXchg: 1150 // Note, AtomicExpr::getVal2() has a special case for this atomic. 1151 SubExprs.push_back(TheCall->getArg(3)); // Order 1152 SubExprs.push_back(TheCall->getArg(1)); // Val1 1153 SubExprs.push_back(TheCall->getArg(2)); // Val2 1154 break; 1155 case C11CmpXchg: 1156 SubExprs.push_back(TheCall->getArg(3)); // Order 1157 SubExprs.push_back(TheCall->getArg(1)); // Val1 1158 SubExprs.push_back(TheCall->getArg(4)); // OrderFail 1159 SubExprs.push_back(TheCall->getArg(2)); // Val2 1160 break; 1161 case GNUCmpXchg: 1162 SubExprs.push_back(TheCall->getArg(4)); // Order 1163 SubExprs.push_back(TheCall->getArg(1)); // Val1 1164 SubExprs.push_back(TheCall->getArg(5)); // OrderFail 1165 SubExprs.push_back(TheCall->getArg(2)); // Val2 1166 SubExprs.push_back(TheCall->getArg(3)); // Weak 1167 break; 1168 } 1169 1170 AtomicExpr *AE = new (Context) AtomicExpr(TheCall->getCallee()->getLocStart(), 1171 SubExprs, ResultType, Op, 1172 TheCall->getRParenLoc()); 1173 1174 if ((Op == AtomicExpr::AO__c11_atomic_load || 1175 (Op == AtomicExpr::AO__c11_atomic_store)) && 1176 Context.AtomicUsesUnsupportedLibcall(AE)) 1177 Diag(AE->getLocStart(), diag::err_atomic_load_store_uses_lib) << 1178 ((Op == AtomicExpr::AO__c11_atomic_load) ? 0 : 1); 1179 1180 return Owned(AE); 1181} 1182 1183 1184/// checkBuiltinArgument - Given a call to a builtin function, perform 1185/// normal type-checking on the given argument, updating the call in 1186/// place. This is useful when a builtin function requires custom 1187/// type-checking for some of its arguments but not necessarily all of 1188/// them. 1189/// 1190/// Returns true on error. 1191static bool checkBuiltinArgument(Sema &S, CallExpr *E, unsigned ArgIndex) { 1192 FunctionDecl *Fn = E->getDirectCallee(); 1193 assert(Fn && "builtin call without direct callee!"); 1194 1195 ParmVarDecl *Param = Fn->getParamDecl(ArgIndex); 1196 InitializedEntity Entity = 1197 InitializedEntity::InitializeParameter(S.Context, Param); 1198 1199 ExprResult Arg = E->getArg(0); 1200 Arg = S.PerformCopyInitialization(Entity, SourceLocation(), Arg); 1201 if (Arg.isInvalid()) 1202 return true; 1203 1204 E->setArg(ArgIndex, Arg.take()); 1205 return false; 1206} 1207 1208/// SemaBuiltinAtomicOverloaded - We have a call to a function like 1209/// __sync_fetch_and_add, which is an overloaded function based on the pointer 1210/// type of its first argument. The main ActOnCallExpr routines have already 1211/// promoted the types of arguments because all of these calls are prototyped as 1212/// void(...). 1213/// 1214/// This function goes through and does final semantic checking for these 1215/// builtins, 1216ExprResult 1217Sema::SemaBuiltinAtomicOverloaded(ExprResult TheCallResult) { 1218 CallExpr *TheCall = (CallExpr *)TheCallResult.get(); 1219 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 1220 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 1221 1222 // Ensure that we have at least one argument to do type inference from. 1223 if (TheCall->getNumArgs() < 1) { 1224 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 1225 << 0 << 1 << TheCall->getNumArgs() 1226 << TheCall->getCallee()->getSourceRange(); 1227 return ExprError(); 1228 } 1229 1230 // Inspect the first argument of the atomic builtin. This should always be 1231 // a pointer type, whose element is an integral scalar or pointer type. 1232 // Because it is a pointer type, we don't have to worry about any implicit 1233 // casts here. 1234 // FIXME: We don't allow floating point scalars as input. 1235 Expr *FirstArg = TheCall->getArg(0); 1236 ExprResult FirstArgResult = DefaultFunctionArrayLvalueConversion(FirstArg); 1237 if (FirstArgResult.isInvalid()) 1238 return ExprError(); 1239 FirstArg = FirstArgResult.take(); 1240 TheCall->setArg(0, FirstArg); 1241 1242 const PointerType *pointerType = FirstArg->getType()->getAs<PointerType>(); 1243 if (!pointerType) { 1244 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 1245 << FirstArg->getType() << FirstArg->getSourceRange(); 1246 return ExprError(); 1247 } 1248 1249 QualType ValType = pointerType->getPointeeType(); 1250 if (!ValType->isIntegerType() && !ValType->isAnyPointerType() && 1251 !ValType->isBlockPointerType()) { 1252 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer_intptr) 1253 << FirstArg->getType() << FirstArg->getSourceRange(); 1254 return ExprError(); 1255 } 1256 1257 switch (ValType.getObjCLifetime()) { 1258 case Qualifiers::OCL_None: 1259 case Qualifiers::OCL_ExplicitNone: 1260 // okay 1261 break; 1262 1263 case Qualifiers::OCL_Weak: 1264 case Qualifiers::OCL_Strong: 1265 case Qualifiers::OCL_Autoreleasing: 1266 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 1267 << ValType << FirstArg->getSourceRange(); 1268 return ExprError(); 1269 } 1270 1271 // Strip any qualifiers off ValType. 1272 ValType = ValType.getUnqualifiedType(); 1273 1274 // The majority of builtins return a value, but a few have special return 1275 // types, so allow them to override appropriately below. 1276 QualType ResultType = ValType; 1277 1278 // We need to figure out which concrete builtin this maps onto. For example, 1279 // __sync_fetch_and_add with a 2 byte object turns into 1280 // __sync_fetch_and_add_2. 1281#define BUILTIN_ROW(x) \ 1282 { Builtin::BI##x##_1, Builtin::BI##x##_2, Builtin::BI##x##_4, \ 1283 Builtin::BI##x##_8, Builtin::BI##x##_16 } 1284 1285 static const unsigned BuiltinIndices[][5] = { 1286 BUILTIN_ROW(__sync_fetch_and_add), 1287 BUILTIN_ROW(__sync_fetch_and_sub), 1288 BUILTIN_ROW(__sync_fetch_and_or), 1289 BUILTIN_ROW(__sync_fetch_and_and), 1290 BUILTIN_ROW(__sync_fetch_and_xor), 1291 1292 BUILTIN_ROW(__sync_add_and_fetch), 1293 BUILTIN_ROW(__sync_sub_and_fetch), 1294 BUILTIN_ROW(__sync_and_and_fetch), 1295 BUILTIN_ROW(__sync_or_and_fetch), 1296 BUILTIN_ROW(__sync_xor_and_fetch), 1297 1298 BUILTIN_ROW(__sync_val_compare_and_swap), 1299 BUILTIN_ROW(__sync_bool_compare_and_swap), 1300 BUILTIN_ROW(__sync_lock_test_and_set), 1301 BUILTIN_ROW(__sync_lock_release), 1302 BUILTIN_ROW(__sync_swap) 1303 }; 1304#undef BUILTIN_ROW 1305 1306 // Determine the index of the size. 1307 unsigned SizeIndex; 1308 switch (Context.getTypeSizeInChars(ValType).getQuantity()) { 1309 case 1: SizeIndex = 0; break; 1310 case 2: SizeIndex = 1; break; 1311 case 4: SizeIndex = 2; break; 1312 case 8: SizeIndex = 3; break; 1313 case 16: SizeIndex = 4; break; 1314 default: 1315 Diag(DRE->getLocStart(), diag::err_atomic_builtin_pointer_size) 1316 << FirstArg->getType() << FirstArg->getSourceRange(); 1317 return ExprError(); 1318 } 1319 1320 // Each of these builtins has one pointer argument, followed by some number of 1321 // values (0, 1 or 2) followed by a potentially empty varags list of stuff 1322 // that we ignore. Find out which row of BuiltinIndices to read from as well 1323 // as the number of fixed args. 1324 unsigned BuiltinID = FDecl->getBuiltinID(); 1325 unsigned BuiltinIndex, NumFixed = 1; 1326 switch (BuiltinID) { 1327 default: llvm_unreachable("Unknown overloaded atomic builtin!"); 1328 case Builtin::BI__sync_fetch_and_add: 1329 case Builtin::BI__sync_fetch_and_add_1: 1330 case Builtin::BI__sync_fetch_and_add_2: 1331 case Builtin::BI__sync_fetch_and_add_4: 1332 case Builtin::BI__sync_fetch_and_add_8: 1333 case Builtin::BI__sync_fetch_and_add_16: 1334 BuiltinIndex = 0; 1335 break; 1336 1337 case Builtin::BI__sync_fetch_and_sub: 1338 case Builtin::BI__sync_fetch_and_sub_1: 1339 case Builtin::BI__sync_fetch_and_sub_2: 1340 case Builtin::BI__sync_fetch_and_sub_4: 1341 case Builtin::BI__sync_fetch_and_sub_8: 1342 case Builtin::BI__sync_fetch_and_sub_16: 1343 BuiltinIndex = 1; 1344 break; 1345 1346 case Builtin::BI__sync_fetch_and_or: 1347 case Builtin::BI__sync_fetch_and_or_1: 1348 case Builtin::BI__sync_fetch_and_or_2: 1349 case Builtin::BI__sync_fetch_and_or_4: 1350 case Builtin::BI__sync_fetch_and_or_8: 1351 case Builtin::BI__sync_fetch_and_or_16: 1352 BuiltinIndex = 2; 1353 break; 1354 1355 case Builtin::BI__sync_fetch_and_and: 1356 case Builtin::BI__sync_fetch_and_and_1: 1357 case Builtin::BI__sync_fetch_and_and_2: 1358 case Builtin::BI__sync_fetch_and_and_4: 1359 case Builtin::BI__sync_fetch_and_and_8: 1360 case Builtin::BI__sync_fetch_and_and_16: 1361 BuiltinIndex = 3; 1362 break; 1363 1364 case Builtin::BI__sync_fetch_and_xor: 1365 case Builtin::BI__sync_fetch_and_xor_1: 1366 case Builtin::BI__sync_fetch_and_xor_2: 1367 case Builtin::BI__sync_fetch_and_xor_4: 1368 case Builtin::BI__sync_fetch_and_xor_8: 1369 case Builtin::BI__sync_fetch_and_xor_16: 1370 BuiltinIndex = 4; 1371 break; 1372 1373 case Builtin::BI__sync_add_and_fetch: 1374 case Builtin::BI__sync_add_and_fetch_1: 1375 case Builtin::BI__sync_add_and_fetch_2: 1376 case Builtin::BI__sync_add_and_fetch_4: 1377 case Builtin::BI__sync_add_and_fetch_8: 1378 case Builtin::BI__sync_add_and_fetch_16: 1379 BuiltinIndex = 5; 1380 break; 1381 1382 case Builtin::BI__sync_sub_and_fetch: 1383 case Builtin::BI__sync_sub_and_fetch_1: 1384 case Builtin::BI__sync_sub_and_fetch_2: 1385 case Builtin::BI__sync_sub_and_fetch_4: 1386 case Builtin::BI__sync_sub_and_fetch_8: 1387 case Builtin::BI__sync_sub_and_fetch_16: 1388 BuiltinIndex = 6; 1389 break; 1390 1391 case Builtin::BI__sync_and_and_fetch: 1392 case Builtin::BI__sync_and_and_fetch_1: 1393 case Builtin::BI__sync_and_and_fetch_2: 1394 case Builtin::BI__sync_and_and_fetch_4: 1395 case Builtin::BI__sync_and_and_fetch_8: 1396 case Builtin::BI__sync_and_and_fetch_16: 1397 BuiltinIndex = 7; 1398 break; 1399 1400 case Builtin::BI__sync_or_and_fetch: 1401 case Builtin::BI__sync_or_and_fetch_1: 1402 case Builtin::BI__sync_or_and_fetch_2: 1403 case Builtin::BI__sync_or_and_fetch_4: 1404 case Builtin::BI__sync_or_and_fetch_8: 1405 case Builtin::BI__sync_or_and_fetch_16: 1406 BuiltinIndex = 8; 1407 break; 1408 1409 case Builtin::BI__sync_xor_and_fetch: 1410 case Builtin::BI__sync_xor_and_fetch_1: 1411 case Builtin::BI__sync_xor_and_fetch_2: 1412 case Builtin::BI__sync_xor_and_fetch_4: 1413 case Builtin::BI__sync_xor_and_fetch_8: 1414 case Builtin::BI__sync_xor_and_fetch_16: 1415 BuiltinIndex = 9; 1416 break; 1417 1418 case Builtin::BI__sync_val_compare_and_swap: 1419 case Builtin::BI__sync_val_compare_and_swap_1: 1420 case Builtin::BI__sync_val_compare_and_swap_2: 1421 case Builtin::BI__sync_val_compare_and_swap_4: 1422 case Builtin::BI__sync_val_compare_and_swap_8: 1423 case Builtin::BI__sync_val_compare_and_swap_16: 1424 BuiltinIndex = 10; 1425 NumFixed = 2; 1426 break; 1427 1428 case Builtin::BI__sync_bool_compare_and_swap: 1429 case Builtin::BI__sync_bool_compare_and_swap_1: 1430 case Builtin::BI__sync_bool_compare_and_swap_2: 1431 case Builtin::BI__sync_bool_compare_and_swap_4: 1432 case Builtin::BI__sync_bool_compare_and_swap_8: 1433 case Builtin::BI__sync_bool_compare_and_swap_16: 1434 BuiltinIndex = 11; 1435 NumFixed = 2; 1436 ResultType = Context.BoolTy; 1437 break; 1438 1439 case Builtin::BI__sync_lock_test_and_set: 1440 case Builtin::BI__sync_lock_test_and_set_1: 1441 case Builtin::BI__sync_lock_test_and_set_2: 1442 case Builtin::BI__sync_lock_test_and_set_4: 1443 case Builtin::BI__sync_lock_test_and_set_8: 1444 case Builtin::BI__sync_lock_test_and_set_16: 1445 BuiltinIndex = 12; 1446 break; 1447 1448 case Builtin::BI__sync_lock_release: 1449 case Builtin::BI__sync_lock_release_1: 1450 case Builtin::BI__sync_lock_release_2: 1451 case Builtin::BI__sync_lock_release_4: 1452 case Builtin::BI__sync_lock_release_8: 1453 case Builtin::BI__sync_lock_release_16: 1454 BuiltinIndex = 13; 1455 NumFixed = 0; 1456 ResultType = Context.VoidTy; 1457 break; 1458 1459 case Builtin::BI__sync_swap: 1460 case Builtin::BI__sync_swap_1: 1461 case Builtin::BI__sync_swap_2: 1462 case Builtin::BI__sync_swap_4: 1463 case Builtin::BI__sync_swap_8: 1464 case Builtin::BI__sync_swap_16: 1465 BuiltinIndex = 14; 1466 break; 1467 } 1468 1469 // Now that we know how many fixed arguments we expect, first check that we 1470 // have at least that many. 1471 if (TheCall->getNumArgs() < 1+NumFixed) { 1472 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 1473 << 0 << 1+NumFixed << TheCall->getNumArgs() 1474 << TheCall->getCallee()->getSourceRange(); 1475 return ExprError(); 1476 } 1477 1478 // Get the decl for the concrete builtin from this, we can tell what the 1479 // concrete integer type we should convert to is. 1480 unsigned NewBuiltinID = BuiltinIndices[BuiltinIndex][SizeIndex]; 1481 const char *NewBuiltinName = Context.BuiltinInfo.GetName(NewBuiltinID); 1482 FunctionDecl *NewBuiltinDecl; 1483 if (NewBuiltinID == BuiltinID) 1484 NewBuiltinDecl = FDecl; 1485 else { 1486 // Perform builtin lookup to avoid redeclaring it. 1487 DeclarationName DN(&Context.Idents.get(NewBuiltinName)); 1488 LookupResult Res(*this, DN, DRE->getLocStart(), LookupOrdinaryName); 1489 LookupName(Res, TUScope, /*AllowBuiltinCreation=*/true); 1490 assert(Res.getFoundDecl()); 1491 NewBuiltinDecl = dyn_cast<FunctionDecl>(Res.getFoundDecl()); 1492 if (NewBuiltinDecl == 0) 1493 return ExprError(); 1494 } 1495 1496 // The first argument --- the pointer --- has a fixed type; we 1497 // deduce the types of the rest of the arguments accordingly. Walk 1498 // the remaining arguments, converting them to the deduced value type. 1499 for (unsigned i = 0; i != NumFixed; ++i) { 1500 ExprResult Arg = TheCall->getArg(i+1); 1501 1502 // GCC does an implicit conversion to the pointer or integer ValType. This 1503 // can fail in some cases (1i -> int**), check for this error case now. 1504 // Initialize the argument. 1505 InitializedEntity Entity = InitializedEntity::InitializeParameter(Context, 1506 ValType, /*consume*/ false); 1507 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg); 1508 if (Arg.isInvalid()) 1509 return ExprError(); 1510 1511 // Okay, we have something that *can* be converted to the right type. Check 1512 // to see if there is a potentially weird extension going on here. This can 1513 // happen when you do an atomic operation on something like an char* and 1514 // pass in 42. The 42 gets converted to char. This is even more strange 1515 // for things like 45.123 -> char, etc. 1516 // FIXME: Do this check. 1517 TheCall->setArg(i+1, Arg.take()); 1518 } 1519 1520 ASTContext& Context = this->getASTContext(); 1521 1522 // Create a new DeclRefExpr to refer to the new decl. 1523 DeclRefExpr* NewDRE = DeclRefExpr::Create( 1524 Context, 1525 DRE->getQualifierLoc(), 1526 SourceLocation(), 1527 NewBuiltinDecl, 1528 /*enclosing*/ false, 1529 DRE->getLocation(), 1530 Context.BuiltinFnTy, 1531 DRE->getValueKind()); 1532 1533 // Set the callee in the CallExpr. 1534 // FIXME: This loses syntactic information. 1535 QualType CalleePtrTy = Context.getPointerType(NewBuiltinDecl->getType()); 1536 ExprResult PromotedCall = ImpCastExprToType(NewDRE, CalleePtrTy, 1537 CK_BuiltinFnToFnPtr); 1538 TheCall->setCallee(PromotedCall.take()); 1539 1540 // Change the result type of the call to match the original value type. This 1541 // is arbitrary, but the codegen for these builtins ins design to handle it 1542 // gracefully. 1543 TheCall->setType(ResultType); 1544 1545 return TheCallResult; 1546} 1547 1548/// CheckObjCString - Checks that the argument to the builtin 1549/// CFString constructor is correct 1550/// Note: It might also make sense to do the UTF-16 conversion here (would 1551/// simplify the backend). 1552bool Sema::CheckObjCString(Expr *Arg) { 1553 Arg = Arg->IgnoreParenCasts(); 1554 StringLiteral *Literal = dyn_cast<StringLiteral>(Arg); 1555 1556 if (!Literal || !Literal->isAscii()) { 1557 Diag(Arg->getLocStart(), diag::err_cfstring_literal_not_string_constant) 1558 << Arg->getSourceRange(); 1559 return true; 1560 } 1561 1562 if (Literal->containsNonAsciiOrNull()) { 1563 StringRef String = Literal->getString(); 1564 unsigned NumBytes = String.size(); 1565 SmallVector<UTF16, 128> ToBuf(NumBytes); 1566 const UTF8 *FromPtr = (const UTF8 *)String.data(); 1567 UTF16 *ToPtr = &ToBuf[0]; 1568 1569 ConversionResult Result = ConvertUTF8toUTF16(&FromPtr, FromPtr + NumBytes, 1570 &ToPtr, ToPtr + NumBytes, 1571 strictConversion); 1572 // Check for conversion failure. 1573 if (Result != conversionOK) 1574 Diag(Arg->getLocStart(), 1575 diag::warn_cfstring_truncated) << Arg->getSourceRange(); 1576 } 1577 return false; 1578} 1579 1580/// SemaBuiltinVAStart - Check the arguments to __builtin_va_start for validity. 1581/// Emit an error and return true on failure, return false on success. 1582bool Sema::SemaBuiltinVAStart(CallExpr *TheCall) { 1583 Expr *Fn = TheCall->getCallee(); 1584 if (TheCall->getNumArgs() > 2) { 1585 Diag(TheCall->getArg(2)->getLocStart(), 1586 diag::err_typecheck_call_too_many_args) 1587 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 1588 << Fn->getSourceRange() 1589 << SourceRange(TheCall->getArg(2)->getLocStart(), 1590 (*(TheCall->arg_end()-1))->getLocEnd()); 1591 return true; 1592 } 1593 1594 if (TheCall->getNumArgs() < 2) { 1595 return Diag(TheCall->getLocEnd(), 1596 diag::err_typecheck_call_too_few_args_at_least) 1597 << 0 /*function call*/ << 2 << TheCall->getNumArgs(); 1598 } 1599 1600 // Type-check the first argument normally. 1601 if (checkBuiltinArgument(*this, TheCall, 0)) 1602 return true; 1603 1604 // Determine whether the current function is variadic or not. 1605 BlockScopeInfo *CurBlock = getCurBlock(); 1606 bool isVariadic; 1607 if (CurBlock) 1608 isVariadic = CurBlock->TheDecl->isVariadic(); 1609 else if (FunctionDecl *FD = getCurFunctionDecl()) 1610 isVariadic = FD->isVariadic(); 1611 else 1612 isVariadic = getCurMethodDecl()->isVariadic(); 1613 1614 if (!isVariadic) { 1615 Diag(Fn->getLocStart(), diag::err_va_start_used_in_non_variadic_function); 1616 return true; 1617 } 1618 1619 // Verify that the second argument to the builtin is the last argument of the 1620 // current function or method. 1621 bool SecondArgIsLastNamedArgument = false; 1622 const Expr *Arg = TheCall->getArg(1)->IgnoreParenCasts(); 1623 1624 // These are valid if SecondArgIsLastNamedArgument is false after the next 1625 // block. 1626 QualType Type; 1627 SourceLocation ParamLoc; 1628 1629 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Arg)) { 1630 if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(DR->getDecl())) { 1631 // FIXME: This isn't correct for methods (results in bogus warning). 1632 // Get the last formal in the current function. 1633 const ParmVarDecl *LastArg; 1634 if (CurBlock) 1635 LastArg = *(CurBlock->TheDecl->param_end()-1); 1636 else if (FunctionDecl *FD = getCurFunctionDecl()) 1637 LastArg = *(FD->param_end()-1); 1638 else 1639 LastArg = *(getCurMethodDecl()->param_end()-1); 1640 SecondArgIsLastNamedArgument = PV == LastArg; 1641 1642 Type = PV->getType(); 1643 ParamLoc = PV->getLocation(); 1644 } 1645 } 1646 1647 if (!SecondArgIsLastNamedArgument) 1648 Diag(TheCall->getArg(1)->getLocStart(), 1649 diag::warn_second_parameter_of_va_start_not_last_named_argument); 1650 else if (Type->isReferenceType()) { 1651 Diag(Arg->getLocStart(), 1652 diag::warn_va_start_of_reference_type_is_undefined); 1653 Diag(ParamLoc, diag::note_parameter_type) << Type; 1654 } 1655 1656 TheCall->setType(Context.VoidTy); 1657 return false; 1658} 1659 1660/// SemaBuiltinUnorderedCompare - Handle functions like __builtin_isgreater and 1661/// friends. This is declared to take (...), so we have to check everything. 1662bool Sema::SemaBuiltinUnorderedCompare(CallExpr *TheCall) { 1663 if (TheCall->getNumArgs() < 2) 1664 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 1665 << 0 << 2 << TheCall->getNumArgs()/*function call*/; 1666 if (TheCall->getNumArgs() > 2) 1667 return Diag(TheCall->getArg(2)->getLocStart(), 1668 diag::err_typecheck_call_too_many_args) 1669 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 1670 << SourceRange(TheCall->getArg(2)->getLocStart(), 1671 (*(TheCall->arg_end()-1))->getLocEnd()); 1672 1673 ExprResult OrigArg0 = TheCall->getArg(0); 1674 ExprResult OrigArg1 = TheCall->getArg(1); 1675 1676 // Do standard promotions between the two arguments, returning their common 1677 // type. 1678 QualType Res = UsualArithmeticConversions(OrigArg0, OrigArg1, false); 1679 if (OrigArg0.isInvalid() || OrigArg1.isInvalid()) 1680 return true; 1681 1682 // Make sure any conversions are pushed back into the call; this is 1683 // type safe since unordered compare builtins are declared as "_Bool 1684 // foo(...)". 1685 TheCall->setArg(0, OrigArg0.get()); 1686 TheCall->setArg(1, OrigArg1.get()); 1687 1688 if (OrigArg0.get()->isTypeDependent() || OrigArg1.get()->isTypeDependent()) 1689 return false; 1690 1691 // If the common type isn't a real floating type, then the arguments were 1692 // invalid for this operation. 1693 if (Res.isNull() || !Res->isRealFloatingType()) 1694 return Diag(OrigArg0.get()->getLocStart(), 1695 diag::err_typecheck_call_invalid_ordered_compare) 1696 << OrigArg0.get()->getType() << OrigArg1.get()->getType() 1697 << SourceRange(OrigArg0.get()->getLocStart(), OrigArg1.get()->getLocEnd()); 1698 1699 return false; 1700} 1701 1702/// SemaBuiltinSemaBuiltinFPClassification - Handle functions like 1703/// __builtin_isnan and friends. This is declared to take (...), so we have 1704/// to check everything. We expect the last argument to be a floating point 1705/// value. 1706bool Sema::SemaBuiltinFPClassification(CallExpr *TheCall, unsigned NumArgs) { 1707 if (TheCall->getNumArgs() < NumArgs) 1708 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 1709 << 0 << NumArgs << TheCall->getNumArgs()/*function call*/; 1710 if (TheCall->getNumArgs() > NumArgs) 1711 return Diag(TheCall->getArg(NumArgs)->getLocStart(), 1712 diag::err_typecheck_call_too_many_args) 1713 << 0 /*function call*/ << NumArgs << TheCall->getNumArgs() 1714 << SourceRange(TheCall->getArg(NumArgs)->getLocStart(), 1715 (*(TheCall->arg_end()-1))->getLocEnd()); 1716 1717 Expr *OrigArg = TheCall->getArg(NumArgs-1); 1718 1719 if (OrigArg->isTypeDependent()) 1720 return false; 1721 1722 // This operation requires a non-_Complex floating-point number. 1723 if (!OrigArg->getType()->isRealFloatingType()) 1724 return Diag(OrigArg->getLocStart(), 1725 diag::err_typecheck_call_invalid_unary_fp) 1726 << OrigArg->getType() << OrigArg->getSourceRange(); 1727 1728 // If this is an implicit conversion from float -> double, remove it. 1729 if (ImplicitCastExpr *Cast = dyn_cast<ImplicitCastExpr>(OrigArg)) { 1730 Expr *CastArg = Cast->getSubExpr(); 1731 if (CastArg->getType()->isSpecificBuiltinType(BuiltinType::Float)) { 1732 assert(Cast->getType()->isSpecificBuiltinType(BuiltinType::Double) && 1733 "promotion from float to double is the only expected cast here"); 1734 Cast->setSubExpr(0); 1735 TheCall->setArg(NumArgs-1, CastArg); 1736 } 1737 } 1738 1739 return false; 1740} 1741 1742/// SemaBuiltinShuffleVector - Handle __builtin_shufflevector. 1743// This is declared to take (...), so we have to check everything. 1744ExprResult Sema::SemaBuiltinShuffleVector(CallExpr *TheCall) { 1745 if (TheCall->getNumArgs() < 2) 1746 return ExprError(Diag(TheCall->getLocEnd(), 1747 diag::err_typecheck_call_too_few_args_at_least) 1748 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 1749 << TheCall->getSourceRange()); 1750 1751 // Determine which of the following types of shufflevector we're checking: 1752 // 1) unary, vector mask: (lhs, mask) 1753 // 2) binary, vector mask: (lhs, rhs, mask) 1754 // 3) binary, scalar mask: (lhs, rhs, index, ..., index) 1755 QualType resType = TheCall->getArg(0)->getType(); 1756 unsigned numElements = 0; 1757 1758 if (!TheCall->getArg(0)->isTypeDependent() && 1759 !TheCall->getArg(1)->isTypeDependent()) { 1760 QualType LHSType = TheCall->getArg(0)->getType(); 1761 QualType RHSType = TheCall->getArg(1)->getType(); 1762 1763 if (!LHSType->isVectorType() || !RHSType->isVectorType()) 1764 return ExprError(Diag(TheCall->getLocStart(), 1765 diag::err_shufflevector_non_vector) 1766 << SourceRange(TheCall->getArg(0)->getLocStart(), 1767 TheCall->getArg(1)->getLocEnd())); 1768 1769 numElements = LHSType->getAs<VectorType>()->getNumElements(); 1770 unsigned numResElements = TheCall->getNumArgs() - 2; 1771 1772 // Check to see if we have a call with 2 vector arguments, the unary shuffle 1773 // with mask. If so, verify that RHS is an integer vector type with the 1774 // same number of elts as lhs. 1775 if (TheCall->getNumArgs() == 2) { 1776 if (!RHSType->hasIntegerRepresentation() || 1777 RHSType->getAs<VectorType>()->getNumElements() != numElements) 1778 return ExprError(Diag(TheCall->getLocStart(), 1779 diag::err_shufflevector_incompatible_vector) 1780 << SourceRange(TheCall->getArg(1)->getLocStart(), 1781 TheCall->getArg(1)->getLocEnd())); 1782 } else if (!Context.hasSameUnqualifiedType(LHSType, RHSType)) { 1783 return ExprError(Diag(TheCall->getLocStart(), 1784 diag::err_shufflevector_incompatible_vector) 1785 << SourceRange(TheCall->getArg(0)->getLocStart(), 1786 TheCall->getArg(1)->getLocEnd())); 1787 } else if (numElements != numResElements) { 1788 QualType eltType = LHSType->getAs<VectorType>()->getElementType(); 1789 resType = Context.getVectorType(eltType, numResElements, 1790 VectorType::GenericVector); 1791 } 1792 } 1793 1794 for (unsigned i = 2; i < TheCall->getNumArgs(); i++) { 1795 if (TheCall->getArg(i)->isTypeDependent() || 1796 TheCall->getArg(i)->isValueDependent()) 1797 continue; 1798 1799 llvm::APSInt Result(32); 1800 if (!TheCall->getArg(i)->isIntegerConstantExpr(Result, Context)) 1801 return ExprError(Diag(TheCall->getLocStart(), 1802 diag::err_shufflevector_nonconstant_argument) 1803 << TheCall->getArg(i)->getSourceRange()); 1804 1805 // Allow -1 which will be translated to undef in the IR. 1806 if (Result.isSigned() && Result.isAllOnesValue()) 1807 continue; 1808 1809 if (Result.getActiveBits() > 64 || Result.getZExtValue() >= numElements*2) 1810 return ExprError(Diag(TheCall->getLocStart(), 1811 diag::err_shufflevector_argument_too_large) 1812 << TheCall->getArg(i)->getSourceRange()); 1813 } 1814 1815 SmallVector<Expr*, 32> exprs; 1816 1817 for (unsigned i = 0, e = TheCall->getNumArgs(); i != e; i++) { 1818 exprs.push_back(TheCall->getArg(i)); 1819 TheCall->setArg(i, 0); 1820 } 1821 1822 return Owned(new (Context) ShuffleVectorExpr(Context, exprs, resType, 1823 TheCall->getCallee()->getLocStart(), 1824 TheCall->getRParenLoc())); 1825} 1826 1827/// SemaConvertVectorExpr - Handle __builtin_convertvector 1828ExprResult Sema::SemaConvertVectorExpr(Expr *E, TypeSourceInfo *TInfo, 1829 SourceLocation BuiltinLoc, 1830 SourceLocation RParenLoc) { 1831 ExprValueKind VK = VK_RValue; 1832 ExprObjectKind OK = OK_Ordinary; 1833 QualType DstTy = TInfo->getType(); 1834 QualType SrcTy = E->getType(); 1835 1836 if (!SrcTy->isVectorType() && !SrcTy->isDependentType()) 1837 return ExprError(Diag(BuiltinLoc, 1838 diag::err_convertvector_non_vector) 1839 << E->getSourceRange()); 1840 if (!DstTy->isVectorType() && !DstTy->isDependentType()) 1841 return ExprError(Diag(BuiltinLoc, 1842 diag::err_convertvector_non_vector_type)); 1843 1844 if (!SrcTy->isDependentType() && !DstTy->isDependentType()) { 1845 unsigned SrcElts = SrcTy->getAs<VectorType>()->getNumElements(); 1846 unsigned DstElts = DstTy->getAs<VectorType>()->getNumElements(); 1847 if (SrcElts != DstElts) 1848 return ExprError(Diag(BuiltinLoc, 1849 diag::err_convertvector_incompatible_vector) 1850 << E->getSourceRange()); 1851 } 1852 1853 return Owned(new (Context) ConvertVectorExpr(E, TInfo, DstTy, VK, OK, 1854 BuiltinLoc, RParenLoc)); 1855 1856} 1857 1858/// SemaBuiltinPrefetch - Handle __builtin_prefetch. 1859// This is declared to take (const void*, ...) and can take two 1860// optional constant int args. 1861bool Sema::SemaBuiltinPrefetch(CallExpr *TheCall) { 1862 unsigned NumArgs = TheCall->getNumArgs(); 1863 1864 if (NumArgs > 3) 1865 return Diag(TheCall->getLocEnd(), 1866 diag::err_typecheck_call_too_many_args_at_most) 1867 << 0 /*function call*/ << 3 << NumArgs 1868 << TheCall->getSourceRange(); 1869 1870 // Argument 0 is checked for us and the remaining arguments must be 1871 // constant integers. 1872 for (unsigned i = 1; i != NumArgs; ++i) { 1873 Expr *Arg = TheCall->getArg(i); 1874 1875 // We can't check the value of a dependent argument. 1876 if (Arg->isTypeDependent() || Arg->isValueDependent()) 1877 continue; 1878 1879 llvm::APSInt Result; 1880 if (SemaBuiltinConstantArg(TheCall, i, Result)) 1881 return true; 1882 1883 // FIXME: gcc issues a warning and rewrites these to 0. These 1884 // seems especially odd for the third argument since the default 1885 // is 3. 1886 if (i == 1) { 1887 if (Result.getLimitedValue() > 1) 1888 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 1889 << "0" << "1" << Arg->getSourceRange(); 1890 } else { 1891 if (Result.getLimitedValue() > 3) 1892 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 1893 << "0" << "3" << Arg->getSourceRange(); 1894 } 1895 } 1896 1897 return false; 1898} 1899 1900/// SemaBuiltinConstantArg - Handle a check if argument ArgNum of CallExpr 1901/// TheCall is a constant expression. 1902bool Sema::SemaBuiltinConstantArg(CallExpr *TheCall, int ArgNum, 1903 llvm::APSInt &Result) { 1904 Expr *Arg = TheCall->getArg(ArgNum); 1905 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 1906 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 1907 1908 if (Arg->isTypeDependent() || Arg->isValueDependent()) return false; 1909 1910 if (!Arg->isIntegerConstantExpr(Result, Context)) 1911 return Diag(TheCall->getLocStart(), diag::err_constant_integer_arg_type) 1912 << FDecl->getDeclName() << Arg->getSourceRange(); 1913 1914 return false; 1915} 1916 1917/// SemaBuiltinObjectSize - Handle __builtin_object_size(void *ptr, 1918/// int type). This simply type checks that type is one of the defined 1919/// constants (0-3). 1920// For compatibility check 0-3, llvm only handles 0 and 2. 1921bool Sema::SemaBuiltinObjectSize(CallExpr *TheCall) { 1922 llvm::APSInt Result; 1923 1924 // We can't check the value of a dependent argument. 1925 if (TheCall->getArg(1)->isTypeDependent() || 1926 TheCall->getArg(1)->isValueDependent()) 1927 return false; 1928 1929 // Check constant-ness first. 1930 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 1931 return true; 1932 1933 Expr *Arg = TheCall->getArg(1); 1934 if (Result.getSExtValue() < 0 || Result.getSExtValue() > 3) { 1935 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 1936 << "0" << "3" << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 1937 } 1938 1939 return false; 1940} 1941 1942/// SemaBuiltinLongjmp - Handle __builtin_longjmp(void *env[5], int val). 1943/// This checks that val is a constant 1. 1944bool Sema::SemaBuiltinLongjmp(CallExpr *TheCall) { 1945 Expr *Arg = TheCall->getArg(1); 1946 llvm::APSInt Result; 1947 1948 // TODO: This is less than ideal. Overload this to take a value. 1949 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 1950 return true; 1951 1952 if (Result != 1) 1953 return Diag(TheCall->getLocStart(), diag::err_builtin_longjmp_invalid_val) 1954 << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 1955 1956 return false; 1957} 1958 1959namespace { 1960enum StringLiteralCheckType { 1961 SLCT_NotALiteral, 1962 SLCT_UncheckedLiteral, 1963 SLCT_CheckedLiteral 1964}; 1965} 1966 1967// Determine if an expression is a string literal or constant string. 1968// If this function returns false on the arguments to a function expecting a 1969// format string, we will usually need to emit a warning. 1970// True string literals are then checked by CheckFormatString. 1971static StringLiteralCheckType 1972checkFormatStringExpr(Sema &S, const Expr *E, ArrayRef<const Expr *> Args, 1973 bool HasVAListArg, unsigned format_idx, 1974 unsigned firstDataArg, Sema::FormatStringType Type, 1975 Sema::VariadicCallType CallType, bool InFunctionCall, 1976 llvm::SmallBitVector &CheckedVarArgs) { 1977 tryAgain: 1978 if (E->isTypeDependent() || E->isValueDependent()) 1979 return SLCT_NotALiteral; 1980 1981 E = E->IgnoreParenCasts(); 1982 1983 if (E->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNotNull)) 1984 // Technically -Wformat-nonliteral does not warn about this case. 1985 // The behavior of printf and friends in this case is implementation 1986 // dependent. Ideally if the format string cannot be null then 1987 // it should have a 'nonnull' attribute in the function prototype. 1988 return SLCT_UncheckedLiteral; 1989 1990 switch (E->getStmtClass()) { 1991 case Stmt::BinaryConditionalOperatorClass: 1992 case Stmt::ConditionalOperatorClass: { 1993 // The expression is a literal if both sub-expressions were, and it was 1994 // completely checked only if both sub-expressions were checked. 1995 const AbstractConditionalOperator *C = 1996 cast<AbstractConditionalOperator>(E); 1997 StringLiteralCheckType Left = 1998 checkFormatStringExpr(S, C->getTrueExpr(), Args, 1999 HasVAListArg, format_idx, firstDataArg, 2000 Type, CallType, InFunctionCall, CheckedVarArgs); 2001 if (Left == SLCT_NotALiteral) 2002 return SLCT_NotALiteral; 2003 StringLiteralCheckType Right = 2004 checkFormatStringExpr(S, C->getFalseExpr(), Args, 2005 HasVAListArg, format_idx, firstDataArg, 2006 Type, CallType, InFunctionCall, CheckedVarArgs); 2007 return Left < Right ? Left : Right; 2008 } 2009 2010 case Stmt::ImplicitCastExprClass: { 2011 E = cast<ImplicitCastExpr>(E)->getSubExpr(); 2012 goto tryAgain; 2013 } 2014 2015 case Stmt::OpaqueValueExprClass: 2016 if (const Expr *src = cast<OpaqueValueExpr>(E)->getSourceExpr()) { 2017 E = src; 2018 goto tryAgain; 2019 } 2020 return SLCT_NotALiteral; 2021 2022 case Stmt::PredefinedExprClass: 2023 // While __func__, etc., are technically not string literals, they 2024 // cannot contain format specifiers and thus are not a security 2025 // liability. 2026 return SLCT_UncheckedLiteral; 2027 2028 case Stmt::DeclRefExprClass: { 2029 const DeclRefExpr *DR = cast<DeclRefExpr>(E); 2030 2031 // As an exception, do not flag errors for variables binding to 2032 // const string literals. 2033 if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) { 2034 bool isConstant = false; 2035 QualType T = DR->getType(); 2036 2037 if (const ArrayType *AT = S.Context.getAsArrayType(T)) { 2038 isConstant = AT->getElementType().isConstant(S.Context); 2039 } else if (const PointerType *PT = T->getAs<PointerType>()) { 2040 isConstant = T.isConstant(S.Context) && 2041 PT->getPointeeType().isConstant(S.Context); 2042 } else if (T->isObjCObjectPointerType()) { 2043 // In ObjC, there is usually no "const ObjectPointer" type, 2044 // so don't check if the pointee type is constant. 2045 isConstant = T.isConstant(S.Context); 2046 } 2047 2048 if (isConstant) { 2049 if (const Expr *Init = VD->getAnyInitializer()) { 2050 // Look through initializers like const char c[] = { "foo" } 2051 if (const InitListExpr *InitList = dyn_cast<InitListExpr>(Init)) { 2052 if (InitList->isStringLiteralInit()) 2053 Init = InitList->getInit(0)->IgnoreParenImpCasts(); 2054 } 2055 return checkFormatStringExpr(S, Init, Args, 2056 HasVAListArg, format_idx, 2057 firstDataArg, Type, CallType, 2058 /*InFunctionCall*/false, CheckedVarArgs); 2059 } 2060 } 2061 2062 // For vprintf* functions (i.e., HasVAListArg==true), we add a 2063 // special check to see if the format string is a function parameter 2064 // of the function calling the printf function. If the function 2065 // has an attribute indicating it is a printf-like function, then we 2066 // should suppress warnings concerning non-literals being used in a call 2067 // to a vprintf function. For example: 2068 // 2069 // void 2070 // logmessage(char const *fmt __attribute__ (format (printf, 1, 2)), ...){ 2071 // va_list ap; 2072 // va_start(ap, fmt); 2073 // vprintf(fmt, ap); // Do NOT emit a warning about "fmt". 2074 // ... 2075 // } 2076 if (HasVAListArg) { 2077 if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(VD)) { 2078 if (const NamedDecl *ND = dyn_cast<NamedDecl>(PV->getDeclContext())) { 2079 int PVIndex = PV->getFunctionScopeIndex() + 1; 2080 for (specific_attr_iterator<FormatAttr> 2081 i = ND->specific_attr_begin<FormatAttr>(), 2082 e = ND->specific_attr_end<FormatAttr>(); i != e ; ++i) { 2083 FormatAttr *PVFormat = *i; 2084 // adjust for implicit parameter 2085 if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(ND)) 2086 if (MD->isInstance()) 2087 ++PVIndex; 2088 // We also check if the formats are compatible. 2089 // We can't pass a 'scanf' string to a 'printf' function. 2090 if (PVIndex == PVFormat->getFormatIdx() && 2091 Type == S.GetFormatStringType(PVFormat)) 2092 return SLCT_UncheckedLiteral; 2093 } 2094 } 2095 } 2096 } 2097 } 2098 2099 return SLCT_NotALiteral; 2100 } 2101 2102 case Stmt::CallExprClass: 2103 case Stmt::CXXMemberCallExprClass: { 2104 const CallExpr *CE = cast<CallExpr>(E); 2105 if (const NamedDecl *ND = dyn_cast_or_null<NamedDecl>(CE->getCalleeDecl())) { 2106 if (const FormatArgAttr *FA = ND->getAttr<FormatArgAttr>()) { 2107 unsigned ArgIndex = FA->getFormatIdx(); 2108 if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(ND)) 2109 if (MD->isInstance()) 2110 --ArgIndex; 2111 const Expr *Arg = CE->getArg(ArgIndex - 1); 2112 2113 return checkFormatStringExpr(S, Arg, Args, 2114 HasVAListArg, format_idx, firstDataArg, 2115 Type, CallType, InFunctionCall, 2116 CheckedVarArgs); 2117 } else if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(ND)) { 2118 unsigned BuiltinID = FD->getBuiltinID(); 2119 if (BuiltinID == Builtin::BI__builtin___CFStringMakeConstantString || 2120 BuiltinID == Builtin::BI__builtin___NSStringMakeConstantString) { 2121 const Expr *Arg = CE->getArg(0); 2122 return checkFormatStringExpr(S, Arg, Args, 2123 HasVAListArg, format_idx, 2124 firstDataArg, Type, CallType, 2125 InFunctionCall, CheckedVarArgs); 2126 } 2127 } 2128 } 2129 2130 return SLCT_NotALiteral; 2131 } 2132 2133 case Stmt::ObjCMessageExprClass: { 2134 const ObjCMessageExpr *ME = cast<ObjCMessageExpr>(E); 2135 if (const ObjCMethodDecl *MDecl = ME->getMethodDecl()) { 2136 if (const NamedDecl *ND = dyn_cast<NamedDecl>(MDecl)) { 2137 if (const FormatArgAttr *FA = ND->getAttr<FormatArgAttr>()) { 2138 unsigned ArgIndex = FA->getFormatIdx(); 2139 if (ArgIndex <= ME->getNumArgs()) { 2140 const Expr *Arg = ME->getArg(ArgIndex-1); 2141 return checkFormatStringExpr(S, Arg, Args, 2142 HasVAListArg, format_idx, 2143 firstDataArg, Type, CallType, 2144 InFunctionCall, CheckedVarArgs); 2145 } 2146 } 2147 } 2148 } 2149 2150 return SLCT_NotALiteral; 2151 } 2152 2153 case Stmt::ObjCStringLiteralClass: 2154 case Stmt::StringLiteralClass: { 2155 const StringLiteral *StrE = NULL; 2156 2157 if (const ObjCStringLiteral *ObjCFExpr = dyn_cast<ObjCStringLiteral>(E)) 2158 StrE = ObjCFExpr->getString(); 2159 else 2160 StrE = cast<StringLiteral>(E); 2161 2162 if (StrE) { 2163 S.CheckFormatString(StrE, E, Args, HasVAListArg, format_idx, firstDataArg, 2164 Type, InFunctionCall, CallType, CheckedVarArgs); 2165 return SLCT_CheckedLiteral; 2166 } 2167 2168 return SLCT_NotALiteral; 2169 } 2170 2171 default: 2172 return SLCT_NotALiteral; 2173 } 2174} 2175 2176void 2177Sema::CheckNonNullArguments(const NonNullAttr *NonNull, 2178 const Expr * const *ExprArgs, 2179 SourceLocation CallSiteLoc) { 2180 for (NonNullAttr::args_iterator i = NonNull->args_begin(), 2181 e = NonNull->args_end(); 2182 i != e; ++i) { 2183 const Expr *ArgExpr = ExprArgs[*i]; 2184 2185 // As a special case, transparent unions initialized with zero are 2186 // considered null for the purposes of the nonnull attribute. 2187 if (const RecordType *UT = ArgExpr->getType()->getAsUnionType()) { 2188 if (UT->getDecl()->hasAttr<TransparentUnionAttr>()) 2189 if (const CompoundLiteralExpr *CLE = 2190 dyn_cast<CompoundLiteralExpr>(ArgExpr)) 2191 if (const InitListExpr *ILE = 2192 dyn_cast<InitListExpr>(CLE->getInitializer())) 2193 ArgExpr = ILE->getInit(0); 2194 } 2195 2196 bool Result; 2197 if (ArgExpr->EvaluateAsBooleanCondition(Result, Context) && !Result) 2198 Diag(CallSiteLoc, diag::warn_null_arg) << ArgExpr->getSourceRange(); 2199 } 2200} 2201 2202Sema::FormatStringType Sema::GetFormatStringType(const FormatAttr *Format) { 2203 return llvm::StringSwitch<FormatStringType>(Format->getType()->getName()) 2204 .Case("scanf", FST_Scanf) 2205 .Cases("printf", "printf0", FST_Printf) 2206 .Cases("NSString", "CFString", FST_NSString) 2207 .Case("strftime", FST_Strftime) 2208 .Case("strfmon", FST_Strfmon) 2209 .Cases("kprintf", "cmn_err", "vcmn_err", "zcmn_err", FST_Kprintf) 2210 .Default(FST_Unknown); 2211} 2212 2213/// CheckFormatArguments - Check calls to printf and scanf (and similar 2214/// functions) for correct use of format strings. 2215/// Returns true if a format string has been fully checked. 2216bool Sema::CheckFormatArguments(const FormatAttr *Format, 2217 ArrayRef<const Expr *> Args, 2218 bool IsCXXMember, 2219 VariadicCallType CallType, 2220 SourceLocation Loc, SourceRange Range, 2221 llvm::SmallBitVector &CheckedVarArgs) { 2222 FormatStringInfo FSI; 2223 if (getFormatStringInfo(Format, IsCXXMember, &FSI)) 2224 return CheckFormatArguments(Args, FSI.HasVAListArg, FSI.FormatIdx, 2225 FSI.FirstDataArg, GetFormatStringType(Format), 2226 CallType, Loc, Range, CheckedVarArgs); 2227 return false; 2228} 2229 2230bool Sema::CheckFormatArguments(ArrayRef<const Expr *> Args, 2231 bool HasVAListArg, unsigned format_idx, 2232 unsigned firstDataArg, FormatStringType Type, 2233 VariadicCallType CallType, 2234 SourceLocation Loc, SourceRange Range, 2235 llvm::SmallBitVector &CheckedVarArgs) { 2236 // CHECK: printf/scanf-like function is called with no format string. 2237 if (format_idx >= Args.size()) { 2238 Diag(Loc, diag::warn_missing_format_string) << Range; 2239 return false; 2240 } 2241 2242 const Expr *OrigFormatExpr = Args[format_idx]->IgnoreParenCasts(); 2243 2244 // CHECK: format string is not a string literal. 2245 // 2246 // Dynamically generated format strings are difficult to 2247 // automatically vet at compile time. Requiring that format strings 2248 // are string literals: (1) permits the checking of format strings by 2249 // the compiler and thereby (2) can practically remove the source of 2250 // many format string exploits. 2251 2252 // Format string can be either ObjC string (e.g. @"%d") or 2253 // C string (e.g. "%d") 2254 // ObjC string uses the same format specifiers as C string, so we can use 2255 // the same format string checking logic for both ObjC and C strings. 2256 StringLiteralCheckType CT = 2257 checkFormatStringExpr(*this, OrigFormatExpr, Args, HasVAListArg, 2258 format_idx, firstDataArg, Type, CallType, 2259 /*IsFunctionCall*/true, CheckedVarArgs); 2260 if (CT != SLCT_NotALiteral) 2261 // Literal format string found, check done! 2262 return CT == SLCT_CheckedLiteral; 2263 2264 // Strftime is particular as it always uses a single 'time' argument, 2265 // so it is safe to pass a non-literal string. 2266 if (Type == FST_Strftime) 2267 return false; 2268 2269 // Do not emit diag when the string param is a macro expansion and the 2270 // format is either NSString or CFString. This is a hack to prevent 2271 // diag when using the NSLocalizedString and CFCopyLocalizedString macros 2272 // which are usually used in place of NS and CF string literals. 2273 if (Type == FST_NSString && 2274 SourceMgr.isInSystemMacro(Args[format_idx]->getLocStart())) 2275 return false; 2276 2277 // If there are no arguments specified, warn with -Wformat-security, otherwise 2278 // warn only with -Wformat-nonliteral. 2279 if (Args.size() == firstDataArg) 2280 Diag(Args[format_idx]->getLocStart(), 2281 diag::warn_format_nonliteral_noargs) 2282 << OrigFormatExpr->getSourceRange(); 2283 else 2284 Diag(Args[format_idx]->getLocStart(), 2285 diag::warn_format_nonliteral) 2286 << OrigFormatExpr->getSourceRange(); 2287 return false; 2288} 2289 2290namespace { 2291class CheckFormatHandler : public analyze_format_string::FormatStringHandler { 2292protected: 2293 Sema &S; 2294 const StringLiteral *FExpr; 2295 const Expr *OrigFormatExpr; 2296 const unsigned FirstDataArg; 2297 const unsigned NumDataArgs; 2298 const char *Beg; // Start of format string. 2299 const bool HasVAListArg; 2300 ArrayRef<const Expr *> Args; 2301 unsigned FormatIdx; 2302 llvm::SmallBitVector CoveredArgs; 2303 bool usesPositionalArgs; 2304 bool atFirstArg; 2305 bool inFunctionCall; 2306 Sema::VariadicCallType CallType; 2307 llvm::SmallBitVector &CheckedVarArgs; 2308public: 2309 CheckFormatHandler(Sema &s, const StringLiteral *fexpr, 2310 const Expr *origFormatExpr, unsigned firstDataArg, 2311 unsigned numDataArgs, const char *beg, bool hasVAListArg, 2312 ArrayRef<const Expr *> Args, 2313 unsigned formatIdx, bool inFunctionCall, 2314 Sema::VariadicCallType callType, 2315 llvm::SmallBitVector &CheckedVarArgs) 2316 : S(s), FExpr(fexpr), OrigFormatExpr(origFormatExpr), 2317 FirstDataArg(firstDataArg), NumDataArgs(numDataArgs), 2318 Beg(beg), HasVAListArg(hasVAListArg), 2319 Args(Args), FormatIdx(formatIdx), 2320 usesPositionalArgs(false), atFirstArg(true), 2321 inFunctionCall(inFunctionCall), CallType(callType), 2322 CheckedVarArgs(CheckedVarArgs) { 2323 CoveredArgs.resize(numDataArgs); 2324 CoveredArgs.reset(); 2325 } 2326 2327 void DoneProcessing(); 2328 2329 void HandleIncompleteSpecifier(const char *startSpecifier, 2330 unsigned specifierLen); 2331 2332 void HandleInvalidLengthModifier( 2333 const analyze_format_string::FormatSpecifier &FS, 2334 const analyze_format_string::ConversionSpecifier &CS, 2335 const char *startSpecifier, unsigned specifierLen, unsigned DiagID); 2336 2337 void HandleNonStandardLengthModifier( 2338 const analyze_format_string::FormatSpecifier &FS, 2339 const char *startSpecifier, unsigned specifierLen); 2340 2341 void HandleNonStandardConversionSpecifier( 2342 const analyze_format_string::ConversionSpecifier &CS, 2343 const char *startSpecifier, unsigned specifierLen); 2344 2345 virtual void HandlePosition(const char *startPos, unsigned posLen); 2346 2347 virtual void HandleInvalidPosition(const char *startSpecifier, 2348 unsigned specifierLen, 2349 analyze_format_string::PositionContext p); 2350 2351 virtual void HandleZeroPosition(const char *startPos, unsigned posLen); 2352 2353 void HandleNullChar(const char *nullCharacter); 2354 2355 template <typename Range> 2356 static void EmitFormatDiagnostic(Sema &S, bool inFunctionCall, 2357 const Expr *ArgumentExpr, 2358 PartialDiagnostic PDiag, 2359 SourceLocation StringLoc, 2360 bool IsStringLocation, Range StringRange, 2361 ArrayRef<FixItHint> Fixit = None); 2362 2363protected: 2364 bool HandleInvalidConversionSpecifier(unsigned argIndex, SourceLocation Loc, 2365 const char *startSpec, 2366 unsigned specifierLen, 2367 const char *csStart, unsigned csLen); 2368 2369 void HandlePositionalNonpositionalArgs(SourceLocation Loc, 2370 const char *startSpec, 2371 unsigned specifierLen); 2372 2373 SourceRange getFormatStringRange(); 2374 CharSourceRange getSpecifierRange(const char *startSpecifier, 2375 unsigned specifierLen); 2376 SourceLocation getLocationOfByte(const char *x); 2377 2378 const Expr *getDataArg(unsigned i) const; 2379 2380 bool CheckNumArgs(const analyze_format_string::FormatSpecifier &FS, 2381 const analyze_format_string::ConversionSpecifier &CS, 2382 const char *startSpecifier, unsigned specifierLen, 2383 unsigned argIndex); 2384 2385 template <typename Range> 2386 void EmitFormatDiagnostic(PartialDiagnostic PDiag, SourceLocation StringLoc, 2387 bool IsStringLocation, Range StringRange, 2388 ArrayRef<FixItHint> Fixit = None); 2389 2390 void CheckPositionalAndNonpositionalArgs( 2391 const analyze_format_string::FormatSpecifier *FS); 2392}; 2393} 2394 2395SourceRange CheckFormatHandler::getFormatStringRange() { 2396 return OrigFormatExpr->getSourceRange(); 2397} 2398 2399CharSourceRange CheckFormatHandler:: 2400getSpecifierRange(const char *startSpecifier, unsigned specifierLen) { 2401 SourceLocation Start = getLocationOfByte(startSpecifier); 2402 SourceLocation End = getLocationOfByte(startSpecifier + specifierLen - 1); 2403 2404 // Advance the end SourceLocation by one due to half-open ranges. 2405 End = End.getLocWithOffset(1); 2406 2407 return CharSourceRange::getCharRange(Start, End); 2408} 2409 2410SourceLocation CheckFormatHandler::getLocationOfByte(const char *x) { 2411 return S.getLocationOfStringLiteralByte(FExpr, x - Beg); 2412} 2413 2414void CheckFormatHandler::HandleIncompleteSpecifier(const char *startSpecifier, 2415 unsigned specifierLen){ 2416 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_incomplete_specifier), 2417 getLocationOfByte(startSpecifier), 2418 /*IsStringLocation*/true, 2419 getSpecifierRange(startSpecifier, specifierLen)); 2420} 2421 2422void CheckFormatHandler::HandleInvalidLengthModifier( 2423 const analyze_format_string::FormatSpecifier &FS, 2424 const analyze_format_string::ConversionSpecifier &CS, 2425 const char *startSpecifier, unsigned specifierLen, unsigned DiagID) { 2426 using namespace analyze_format_string; 2427 2428 const LengthModifier &LM = FS.getLengthModifier(); 2429 CharSourceRange LMRange = getSpecifierRange(LM.getStart(), LM.getLength()); 2430 2431 // See if we know how to fix this length modifier. 2432 Optional<LengthModifier> FixedLM = FS.getCorrectedLengthModifier(); 2433 if (FixedLM) { 2434 EmitFormatDiagnostic(S.PDiag(DiagID) << LM.toString() << CS.toString(), 2435 getLocationOfByte(LM.getStart()), 2436 /*IsStringLocation*/true, 2437 getSpecifierRange(startSpecifier, specifierLen)); 2438 2439 S.Diag(getLocationOfByte(LM.getStart()), diag::note_format_fix_specifier) 2440 << FixedLM->toString() 2441 << FixItHint::CreateReplacement(LMRange, FixedLM->toString()); 2442 2443 } else { 2444 FixItHint Hint; 2445 if (DiagID == diag::warn_format_nonsensical_length) 2446 Hint = FixItHint::CreateRemoval(LMRange); 2447 2448 EmitFormatDiagnostic(S.PDiag(DiagID) << LM.toString() << CS.toString(), 2449 getLocationOfByte(LM.getStart()), 2450 /*IsStringLocation*/true, 2451 getSpecifierRange(startSpecifier, specifierLen), 2452 Hint); 2453 } 2454} 2455 2456void CheckFormatHandler::HandleNonStandardLengthModifier( 2457 const analyze_format_string::FormatSpecifier &FS, 2458 const char *startSpecifier, unsigned specifierLen) { 2459 using namespace analyze_format_string; 2460 2461 const LengthModifier &LM = FS.getLengthModifier(); 2462 CharSourceRange LMRange = getSpecifierRange(LM.getStart(), LM.getLength()); 2463 2464 // See if we know how to fix this length modifier. 2465 Optional<LengthModifier> FixedLM = FS.getCorrectedLengthModifier(); 2466 if (FixedLM) { 2467 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) 2468 << LM.toString() << 0, 2469 getLocationOfByte(LM.getStart()), 2470 /*IsStringLocation*/true, 2471 getSpecifierRange(startSpecifier, specifierLen)); 2472 2473 S.Diag(getLocationOfByte(LM.getStart()), diag::note_format_fix_specifier) 2474 << FixedLM->toString() 2475 << FixItHint::CreateReplacement(LMRange, FixedLM->toString()); 2476 2477 } else { 2478 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) 2479 << LM.toString() << 0, 2480 getLocationOfByte(LM.getStart()), 2481 /*IsStringLocation*/true, 2482 getSpecifierRange(startSpecifier, specifierLen)); 2483 } 2484} 2485 2486void CheckFormatHandler::HandleNonStandardConversionSpecifier( 2487 const analyze_format_string::ConversionSpecifier &CS, 2488 const char *startSpecifier, unsigned specifierLen) { 2489 using namespace analyze_format_string; 2490 2491 // See if we know how to fix this conversion specifier. 2492 Optional<ConversionSpecifier> FixedCS = CS.getStandardSpecifier(); 2493 if (FixedCS) { 2494 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) 2495 << CS.toString() << /*conversion specifier*/1, 2496 getLocationOfByte(CS.getStart()), 2497 /*IsStringLocation*/true, 2498 getSpecifierRange(startSpecifier, specifierLen)); 2499 2500 CharSourceRange CSRange = getSpecifierRange(CS.getStart(), CS.getLength()); 2501 S.Diag(getLocationOfByte(CS.getStart()), diag::note_format_fix_specifier) 2502 << FixedCS->toString() 2503 << FixItHint::CreateReplacement(CSRange, FixedCS->toString()); 2504 } else { 2505 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) 2506 << CS.toString() << /*conversion specifier*/1, 2507 getLocationOfByte(CS.getStart()), 2508 /*IsStringLocation*/true, 2509 getSpecifierRange(startSpecifier, specifierLen)); 2510 } 2511} 2512 2513void CheckFormatHandler::HandlePosition(const char *startPos, 2514 unsigned posLen) { 2515 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard_positional_arg), 2516 getLocationOfByte(startPos), 2517 /*IsStringLocation*/true, 2518 getSpecifierRange(startPos, posLen)); 2519} 2520 2521void 2522CheckFormatHandler::HandleInvalidPosition(const char *startPos, unsigned posLen, 2523 analyze_format_string::PositionContext p) { 2524 EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_positional_specifier) 2525 << (unsigned) p, 2526 getLocationOfByte(startPos), /*IsStringLocation*/true, 2527 getSpecifierRange(startPos, posLen)); 2528} 2529 2530void CheckFormatHandler::HandleZeroPosition(const char *startPos, 2531 unsigned posLen) { 2532 EmitFormatDiagnostic(S.PDiag(diag::warn_format_zero_positional_specifier), 2533 getLocationOfByte(startPos), 2534 /*IsStringLocation*/true, 2535 getSpecifierRange(startPos, posLen)); 2536} 2537 2538void CheckFormatHandler::HandleNullChar(const char *nullCharacter) { 2539 if (!isa<ObjCStringLiteral>(OrigFormatExpr)) { 2540 // The presence of a null character is likely an error. 2541 EmitFormatDiagnostic( 2542 S.PDiag(diag::warn_printf_format_string_contains_null_char), 2543 getLocationOfByte(nullCharacter), /*IsStringLocation*/true, 2544 getFormatStringRange()); 2545 } 2546} 2547 2548// Note that this may return NULL if there was an error parsing or building 2549// one of the argument expressions. 2550const Expr *CheckFormatHandler::getDataArg(unsigned i) const { 2551 return Args[FirstDataArg + i]; 2552} 2553 2554void CheckFormatHandler::DoneProcessing() { 2555 // Does the number of data arguments exceed the number of 2556 // format conversions in the format string? 2557 if (!HasVAListArg) { 2558 // Find any arguments that weren't covered. 2559 CoveredArgs.flip(); 2560 signed notCoveredArg = CoveredArgs.find_first(); 2561 if (notCoveredArg >= 0) { 2562 assert((unsigned)notCoveredArg < NumDataArgs); 2563 if (const Expr *E = getDataArg((unsigned) notCoveredArg)) { 2564 SourceLocation Loc = E->getLocStart(); 2565 if (!S.getSourceManager().isInSystemMacro(Loc)) { 2566 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_data_arg_not_used), 2567 Loc, /*IsStringLocation*/false, 2568 getFormatStringRange()); 2569 } 2570 } 2571 } 2572 } 2573} 2574 2575bool 2576CheckFormatHandler::HandleInvalidConversionSpecifier(unsigned argIndex, 2577 SourceLocation Loc, 2578 const char *startSpec, 2579 unsigned specifierLen, 2580 const char *csStart, 2581 unsigned csLen) { 2582 2583 bool keepGoing = true; 2584 if (argIndex < NumDataArgs) { 2585 // Consider the argument coverered, even though the specifier doesn't 2586 // make sense. 2587 CoveredArgs.set(argIndex); 2588 } 2589 else { 2590 // If argIndex exceeds the number of data arguments we 2591 // don't issue a warning because that is just a cascade of warnings (and 2592 // they may have intended '%%' anyway). We don't want to continue processing 2593 // the format string after this point, however, as we will like just get 2594 // gibberish when trying to match arguments. 2595 keepGoing = false; 2596 } 2597 2598 EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_conversion) 2599 << StringRef(csStart, csLen), 2600 Loc, /*IsStringLocation*/true, 2601 getSpecifierRange(startSpec, specifierLen)); 2602 2603 return keepGoing; 2604} 2605 2606void 2607CheckFormatHandler::HandlePositionalNonpositionalArgs(SourceLocation Loc, 2608 const char *startSpec, 2609 unsigned specifierLen) { 2610 EmitFormatDiagnostic( 2611 S.PDiag(diag::warn_format_mix_positional_nonpositional_args), 2612 Loc, /*isStringLoc*/true, getSpecifierRange(startSpec, specifierLen)); 2613} 2614 2615bool 2616CheckFormatHandler::CheckNumArgs( 2617 const analyze_format_string::FormatSpecifier &FS, 2618 const analyze_format_string::ConversionSpecifier &CS, 2619 const char *startSpecifier, unsigned specifierLen, unsigned argIndex) { 2620 2621 if (argIndex >= NumDataArgs) { 2622 PartialDiagnostic PDiag = FS.usesPositionalArg() 2623 ? (S.PDiag(diag::warn_printf_positional_arg_exceeds_data_args) 2624 << (argIndex+1) << NumDataArgs) 2625 : S.PDiag(diag::warn_printf_insufficient_data_args); 2626 EmitFormatDiagnostic( 2627 PDiag, getLocationOfByte(CS.getStart()), /*IsStringLocation*/true, 2628 getSpecifierRange(startSpecifier, specifierLen)); 2629 return false; 2630 } 2631 return true; 2632} 2633 2634template<typename Range> 2635void CheckFormatHandler::EmitFormatDiagnostic(PartialDiagnostic PDiag, 2636 SourceLocation Loc, 2637 bool IsStringLocation, 2638 Range StringRange, 2639 ArrayRef<FixItHint> FixIt) { 2640 EmitFormatDiagnostic(S, inFunctionCall, Args[FormatIdx], PDiag, 2641 Loc, IsStringLocation, StringRange, FixIt); 2642} 2643 2644/// \brief If the format string is not within the funcion call, emit a note 2645/// so that the function call and string are in diagnostic messages. 2646/// 2647/// \param InFunctionCall if true, the format string is within the function 2648/// call and only one diagnostic message will be produced. Otherwise, an 2649/// extra note will be emitted pointing to location of the format string. 2650/// 2651/// \param ArgumentExpr the expression that is passed as the format string 2652/// argument in the function call. Used for getting locations when two 2653/// diagnostics are emitted. 2654/// 2655/// \param PDiag the callee should already have provided any strings for the 2656/// diagnostic message. This function only adds locations and fixits 2657/// to diagnostics. 2658/// 2659/// \param Loc primary location for diagnostic. If two diagnostics are 2660/// required, one will be at Loc and a new SourceLocation will be created for 2661/// the other one. 2662/// 2663/// \param IsStringLocation if true, Loc points to the format string should be 2664/// used for the note. Otherwise, Loc points to the argument list and will 2665/// be used with PDiag. 2666/// 2667/// \param StringRange some or all of the string to highlight. This is 2668/// templated so it can accept either a CharSourceRange or a SourceRange. 2669/// 2670/// \param FixIt optional fix it hint for the format string. 2671template<typename Range> 2672void CheckFormatHandler::EmitFormatDiagnostic(Sema &S, bool InFunctionCall, 2673 const Expr *ArgumentExpr, 2674 PartialDiagnostic PDiag, 2675 SourceLocation Loc, 2676 bool IsStringLocation, 2677 Range StringRange, 2678 ArrayRef<FixItHint> FixIt) { 2679 if (InFunctionCall) { 2680 const Sema::SemaDiagnosticBuilder &D = S.Diag(Loc, PDiag); 2681 D << StringRange; 2682 for (ArrayRef<FixItHint>::iterator I = FixIt.begin(), E = FixIt.end(); 2683 I != E; ++I) { 2684 D << *I; 2685 } 2686 } else { 2687 S.Diag(IsStringLocation ? ArgumentExpr->getExprLoc() : Loc, PDiag) 2688 << ArgumentExpr->getSourceRange(); 2689 2690 const Sema::SemaDiagnosticBuilder &Note = 2691 S.Diag(IsStringLocation ? Loc : StringRange.getBegin(), 2692 diag::note_format_string_defined); 2693 2694 Note << StringRange; 2695 for (ArrayRef<FixItHint>::iterator I = FixIt.begin(), E = FixIt.end(); 2696 I != E; ++I) { 2697 Note << *I; 2698 } 2699 } 2700} 2701 2702//===--- CHECK: Printf format string checking ------------------------------===// 2703 2704namespace { 2705class CheckPrintfHandler : public CheckFormatHandler { 2706 bool ObjCContext; 2707public: 2708 CheckPrintfHandler(Sema &s, const StringLiteral *fexpr, 2709 const Expr *origFormatExpr, unsigned firstDataArg, 2710 unsigned numDataArgs, bool isObjC, 2711 const char *beg, bool hasVAListArg, 2712 ArrayRef<const Expr *> Args, 2713 unsigned formatIdx, bool inFunctionCall, 2714 Sema::VariadicCallType CallType, 2715 llvm::SmallBitVector &CheckedVarArgs) 2716 : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg, 2717 numDataArgs, beg, hasVAListArg, Args, 2718 formatIdx, inFunctionCall, CallType, CheckedVarArgs), 2719 ObjCContext(isObjC) 2720 {} 2721 2722 2723 bool HandleInvalidPrintfConversionSpecifier( 2724 const analyze_printf::PrintfSpecifier &FS, 2725 const char *startSpecifier, 2726 unsigned specifierLen); 2727 2728 bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS, 2729 const char *startSpecifier, 2730 unsigned specifierLen); 2731 bool checkFormatExpr(const analyze_printf::PrintfSpecifier &FS, 2732 const char *StartSpecifier, 2733 unsigned SpecifierLen, 2734 const Expr *E); 2735 2736 bool HandleAmount(const analyze_format_string::OptionalAmount &Amt, unsigned k, 2737 const char *startSpecifier, unsigned specifierLen); 2738 void HandleInvalidAmount(const analyze_printf::PrintfSpecifier &FS, 2739 const analyze_printf::OptionalAmount &Amt, 2740 unsigned type, 2741 const char *startSpecifier, unsigned specifierLen); 2742 void HandleFlag(const analyze_printf::PrintfSpecifier &FS, 2743 const analyze_printf::OptionalFlag &flag, 2744 const char *startSpecifier, unsigned specifierLen); 2745 void HandleIgnoredFlag(const analyze_printf::PrintfSpecifier &FS, 2746 const analyze_printf::OptionalFlag &ignoredFlag, 2747 const analyze_printf::OptionalFlag &flag, 2748 const char *startSpecifier, unsigned specifierLen); 2749 bool checkForCStrMembers(const analyze_printf::ArgType &AT, 2750 const Expr *E, const CharSourceRange &CSR); 2751 2752}; 2753} 2754 2755bool CheckPrintfHandler::HandleInvalidPrintfConversionSpecifier( 2756 const analyze_printf::PrintfSpecifier &FS, 2757 const char *startSpecifier, 2758 unsigned specifierLen) { 2759 const analyze_printf::PrintfConversionSpecifier &CS = 2760 FS.getConversionSpecifier(); 2761 2762 return HandleInvalidConversionSpecifier(FS.getArgIndex(), 2763 getLocationOfByte(CS.getStart()), 2764 startSpecifier, specifierLen, 2765 CS.getStart(), CS.getLength()); 2766} 2767 2768bool CheckPrintfHandler::HandleAmount( 2769 const analyze_format_string::OptionalAmount &Amt, 2770 unsigned k, const char *startSpecifier, 2771 unsigned specifierLen) { 2772 2773 if (Amt.hasDataArgument()) { 2774 if (!HasVAListArg) { 2775 unsigned argIndex = Amt.getArgIndex(); 2776 if (argIndex >= NumDataArgs) { 2777 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_missing_arg) 2778 << k, 2779 getLocationOfByte(Amt.getStart()), 2780 /*IsStringLocation*/true, 2781 getSpecifierRange(startSpecifier, specifierLen)); 2782 // Don't do any more checking. We will just emit 2783 // spurious errors. 2784 return false; 2785 } 2786 2787 // Type check the data argument. It should be an 'int'. 2788 // Although not in conformance with C99, we also allow the argument to be 2789 // an 'unsigned int' as that is a reasonably safe case. GCC also 2790 // doesn't emit a warning for that case. 2791 CoveredArgs.set(argIndex); 2792 const Expr *Arg = getDataArg(argIndex); 2793 if (!Arg) 2794 return false; 2795 2796 QualType T = Arg->getType(); 2797 2798 const analyze_printf::ArgType &AT = Amt.getArgType(S.Context); 2799 assert(AT.isValid()); 2800 2801 if (!AT.matchesType(S.Context, T)) { 2802 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_wrong_type) 2803 << k << AT.getRepresentativeTypeName(S.Context) 2804 << T << Arg->getSourceRange(), 2805 getLocationOfByte(Amt.getStart()), 2806 /*IsStringLocation*/true, 2807 getSpecifierRange(startSpecifier, specifierLen)); 2808 // Don't do any more checking. We will just emit 2809 // spurious errors. 2810 return false; 2811 } 2812 } 2813 } 2814 return true; 2815} 2816 2817void CheckPrintfHandler::HandleInvalidAmount( 2818 const analyze_printf::PrintfSpecifier &FS, 2819 const analyze_printf::OptionalAmount &Amt, 2820 unsigned type, 2821 const char *startSpecifier, 2822 unsigned specifierLen) { 2823 const analyze_printf::PrintfConversionSpecifier &CS = 2824 FS.getConversionSpecifier(); 2825 2826 FixItHint fixit = 2827 Amt.getHowSpecified() == analyze_printf::OptionalAmount::Constant 2828 ? FixItHint::CreateRemoval(getSpecifierRange(Amt.getStart(), 2829 Amt.getConstantLength())) 2830 : FixItHint(); 2831 2832 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_optional_amount) 2833 << type << CS.toString(), 2834 getLocationOfByte(Amt.getStart()), 2835 /*IsStringLocation*/true, 2836 getSpecifierRange(startSpecifier, specifierLen), 2837 fixit); 2838} 2839 2840void CheckPrintfHandler::HandleFlag(const analyze_printf::PrintfSpecifier &FS, 2841 const analyze_printf::OptionalFlag &flag, 2842 const char *startSpecifier, 2843 unsigned specifierLen) { 2844 // Warn about pointless flag with a fixit removal. 2845 const analyze_printf::PrintfConversionSpecifier &CS = 2846 FS.getConversionSpecifier(); 2847 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_flag) 2848 << flag.toString() << CS.toString(), 2849 getLocationOfByte(flag.getPosition()), 2850 /*IsStringLocation*/true, 2851 getSpecifierRange(startSpecifier, specifierLen), 2852 FixItHint::CreateRemoval( 2853 getSpecifierRange(flag.getPosition(), 1))); 2854} 2855 2856void CheckPrintfHandler::HandleIgnoredFlag( 2857 const analyze_printf::PrintfSpecifier &FS, 2858 const analyze_printf::OptionalFlag &ignoredFlag, 2859 const analyze_printf::OptionalFlag &flag, 2860 const char *startSpecifier, 2861 unsigned specifierLen) { 2862 // Warn about ignored flag with a fixit removal. 2863 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_ignored_flag) 2864 << ignoredFlag.toString() << flag.toString(), 2865 getLocationOfByte(ignoredFlag.getPosition()), 2866 /*IsStringLocation*/true, 2867 getSpecifierRange(startSpecifier, specifierLen), 2868 FixItHint::CreateRemoval( 2869 getSpecifierRange(ignoredFlag.getPosition(), 1))); 2870} 2871 2872// Determines if the specified is a C++ class or struct containing 2873// a member with the specified name and kind (e.g. a CXXMethodDecl named 2874// "c_str()"). 2875template<typename MemberKind> 2876static llvm::SmallPtrSet<MemberKind*, 1> 2877CXXRecordMembersNamed(StringRef Name, Sema &S, QualType Ty) { 2878 const RecordType *RT = Ty->getAs<RecordType>(); 2879 llvm::SmallPtrSet<MemberKind*, 1> Results; 2880 2881 if (!RT) 2882 return Results; 2883 const CXXRecordDecl *RD = dyn_cast<CXXRecordDecl>(RT->getDecl()); 2884 if (!RD) 2885 return Results; 2886 2887 LookupResult R(S, &S.PP.getIdentifierTable().get(Name), SourceLocation(), 2888 Sema::LookupMemberName); 2889 2890 // We just need to include all members of the right kind turned up by the 2891 // filter, at this point. 2892 if (S.LookupQualifiedName(R, RT->getDecl())) 2893 for (LookupResult::iterator I = R.begin(), E = R.end(); I != E; ++I) { 2894 NamedDecl *decl = (*I)->getUnderlyingDecl(); 2895 if (MemberKind *FK = dyn_cast<MemberKind>(decl)) 2896 Results.insert(FK); 2897 } 2898 return Results; 2899} 2900 2901// Check if a (w)string was passed when a (w)char* was needed, and offer a 2902// better diagnostic if so. AT is assumed to be valid. 2903// Returns true when a c_str() conversion method is found. 2904bool CheckPrintfHandler::checkForCStrMembers( 2905 const analyze_printf::ArgType &AT, const Expr *E, 2906 const CharSourceRange &CSR) { 2907 typedef llvm::SmallPtrSet<CXXMethodDecl*, 1> MethodSet; 2908 2909 MethodSet Results = 2910 CXXRecordMembersNamed<CXXMethodDecl>("c_str", S, E->getType()); 2911 2912 for (MethodSet::iterator MI = Results.begin(), ME = Results.end(); 2913 MI != ME; ++MI) { 2914 const CXXMethodDecl *Method = *MI; 2915 if (Method->getNumParams() == 0 && 2916 AT.matchesType(S.Context, Method->getResultType())) { 2917 // FIXME: Suggest parens if the expression needs them. 2918 SourceLocation EndLoc = 2919 S.getPreprocessor().getLocForEndOfToken(E->getLocEnd()); 2920 S.Diag(E->getLocStart(), diag::note_printf_c_str) 2921 << "c_str()" 2922 << FixItHint::CreateInsertion(EndLoc, ".c_str()"); 2923 return true; 2924 } 2925 } 2926 2927 return false; 2928} 2929 2930bool 2931CheckPrintfHandler::HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier 2932 &FS, 2933 const char *startSpecifier, 2934 unsigned specifierLen) { 2935 2936 using namespace analyze_format_string; 2937 using namespace analyze_printf; 2938 const PrintfConversionSpecifier &CS = FS.getConversionSpecifier(); 2939 2940 if (FS.consumesDataArgument()) { 2941 if (atFirstArg) { 2942 atFirstArg = false; 2943 usesPositionalArgs = FS.usesPositionalArg(); 2944 } 2945 else if (usesPositionalArgs != FS.usesPositionalArg()) { 2946 HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()), 2947 startSpecifier, specifierLen); 2948 return false; 2949 } 2950 } 2951 2952 // First check if the field width, precision, and conversion specifier 2953 // have matching data arguments. 2954 if (!HandleAmount(FS.getFieldWidth(), /* field width */ 0, 2955 startSpecifier, specifierLen)) { 2956 return false; 2957 } 2958 2959 if (!HandleAmount(FS.getPrecision(), /* precision */ 1, 2960 startSpecifier, specifierLen)) { 2961 return false; 2962 } 2963 2964 if (!CS.consumesDataArgument()) { 2965 // FIXME: Technically specifying a precision or field width here 2966 // makes no sense. Worth issuing a warning at some point. 2967 return true; 2968 } 2969 2970 // Consume the argument. 2971 unsigned argIndex = FS.getArgIndex(); 2972 if (argIndex < NumDataArgs) { 2973 // The check to see if the argIndex is valid will come later. 2974 // We set the bit here because we may exit early from this 2975 // function if we encounter some other error. 2976 CoveredArgs.set(argIndex); 2977 } 2978 2979 // Check for using an Objective-C specific conversion specifier 2980 // in a non-ObjC literal. 2981 if (!ObjCContext && CS.isObjCArg()) { 2982 return HandleInvalidPrintfConversionSpecifier(FS, startSpecifier, 2983 specifierLen); 2984 } 2985 2986 // Check for invalid use of field width 2987 if (!FS.hasValidFieldWidth()) { 2988 HandleInvalidAmount(FS, FS.getFieldWidth(), /* field width */ 0, 2989 startSpecifier, specifierLen); 2990 } 2991 2992 // Check for invalid use of precision 2993 if (!FS.hasValidPrecision()) { 2994 HandleInvalidAmount(FS, FS.getPrecision(), /* precision */ 1, 2995 startSpecifier, specifierLen); 2996 } 2997 2998 // Check each flag does not conflict with any other component. 2999 if (!FS.hasValidThousandsGroupingPrefix()) 3000 HandleFlag(FS, FS.hasThousandsGrouping(), startSpecifier, specifierLen); 3001 if (!FS.hasValidLeadingZeros()) 3002 HandleFlag(FS, FS.hasLeadingZeros(), startSpecifier, specifierLen); 3003 if (!FS.hasValidPlusPrefix()) 3004 HandleFlag(FS, FS.hasPlusPrefix(), startSpecifier, specifierLen); 3005 if (!FS.hasValidSpacePrefix()) 3006 HandleFlag(FS, FS.hasSpacePrefix(), startSpecifier, specifierLen); 3007 if (!FS.hasValidAlternativeForm()) 3008 HandleFlag(FS, FS.hasAlternativeForm(), startSpecifier, specifierLen); 3009 if (!FS.hasValidLeftJustified()) 3010 HandleFlag(FS, FS.isLeftJustified(), startSpecifier, specifierLen); 3011 3012 // Check that flags are not ignored by another flag 3013 if (FS.hasSpacePrefix() && FS.hasPlusPrefix()) // ' ' ignored by '+' 3014 HandleIgnoredFlag(FS, FS.hasSpacePrefix(), FS.hasPlusPrefix(), 3015 startSpecifier, specifierLen); 3016 if (FS.hasLeadingZeros() && FS.isLeftJustified()) // '0' ignored by '-' 3017 HandleIgnoredFlag(FS, FS.hasLeadingZeros(), FS.isLeftJustified(), 3018 startSpecifier, specifierLen); 3019 3020 // Check the length modifier is valid with the given conversion specifier. 3021 if (!FS.hasValidLengthModifier(S.getASTContext().getTargetInfo())) 3022 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, 3023 diag::warn_format_nonsensical_length); 3024 else if (!FS.hasStandardLengthModifier()) 3025 HandleNonStandardLengthModifier(FS, startSpecifier, specifierLen); 3026 else if (!FS.hasStandardLengthConversionCombination()) 3027 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, 3028 diag::warn_format_non_standard_conversion_spec); 3029 3030 if (!FS.hasStandardConversionSpecifier(S.getLangOpts())) 3031 HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen); 3032 3033 // The remaining checks depend on the data arguments. 3034 if (HasVAListArg) 3035 return true; 3036 3037 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex)) 3038 return false; 3039 3040 const Expr *Arg = getDataArg(argIndex); 3041 if (!Arg) 3042 return true; 3043 3044 return checkFormatExpr(FS, startSpecifier, specifierLen, Arg); 3045} 3046 3047static bool requiresParensToAddCast(const Expr *E) { 3048 // FIXME: We should have a general way to reason about operator 3049 // precedence and whether parens are actually needed here. 3050 // Take care of a few common cases where they aren't. 3051 const Expr *Inside = E->IgnoreImpCasts(); 3052 if (const PseudoObjectExpr *POE = dyn_cast<PseudoObjectExpr>(Inside)) 3053 Inside = POE->getSyntacticForm()->IgnoreImpCasts(); 3054 3055 switch (Inside->getStmtClass()) { 3056 case Stmt::ArraySubscriptExprClass: 3057 case Stmt::CallExprClass: 3058 case Stmt::CharacterLiteralClass: 3059 case Stmt::CXXBoolLiteralExprClass: 3060 case Stmt::DeclRefExprClass: 3061 case Stmt::FloatingLiteralClass: 3062 case Stmt::IntegerLiteralClass: 3063 case Stmt::MemberExprClass: 3064 case Stmt::ObjCArrayLiteralClass: 3065 case Stmt::ObjCBoolLiteralExprClass: 3066 case Stmt::ObjCBoxedExprClass: 3067 case Stmt::ObjCDictionaryLiteralClass: 3068 case Stmt::ObjCEncodeExprClass: 3069 case Stmt::ObjCIvarRefExprClass: 3070 case Stmt::ObjCMessageExprClass: 3071 case Stmt::ObjCPropertyRefExprClass: 3072 case Stmt::ObjCStringLiteralClass: 3073 case Stmt::ObjCSubscriptRefExprClass: 3074 case Stmt::ParenExprClass: 3075 case Stmt::StringLiteralClass: 3076 case Stmt::UnaryOperatorClass: 3077 return false; 3078 default: 3079 return true; 3080 } 3081} 3082 3083bool 3084CheckPrintfHandler::checkFormatExpr(const analyze_printf::PrintfSpecifier &FS, 3085 const char *StartSpecifier, 3086 unsigned SpecifierLen, 3087 const Expr *E) { 3088 using namespace analyze_format_string; 3089 using namespace analyze_printf; 3090 // Now type check the data expression that matches the 3091 // format specifier. 3092 const analyze_printf::ArgType &AT = FS.getArgType(S.Context, 3093 ObjCContext); 3094 if (!AT.isValid()) 3095 return true; 3096 3097 QualType ExprTy = E->getType(); 3098 while (const TypeOfExprType *TET = dyn_cast<TypeOfExprType>(ExprTy)) { 3099 ExprTy = TET->getUnderlyingExpr()->getType(); 3100 } 3101 3102 if (AT.matchesType(S.Context, ExprTy)) 3103 return true; 3104 3105 // Look through argument promotions for our error message's reported type. 3106 // This includes the integral and floating promotions, but excludes array 3107 // and function pointer decay; seeing that an argument intended to be a 3108 // string has type 'char [6]' is probably more confusing than 'char *'. 3109 if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) { 3110 if (ICE->getCastKind() == CK_IntegralCast || 3111 ICE->getCastKind() == CK_FloatingCast) { 3112 E = ICE->getSubExpr(); 3113 ExprTy = E->getType(); 3114 3115 // Check if we didn't match because of an implicit cast from a 'char' 3116 // or 'short' to an 'int'. This is done because printf is a varargs 3117 // function. 3118 if (ICE->getType() == S.Context.IntTy || 3119 ICE->getType() == S.Context.UnsignedIntTy) { 3120 // All further checking is done on the subexpression. 3121 if (AT.matchesType(S.Context, ExprTy)) 3122 return true; 3123 } 3124 } 3125 } else if (const CharacterLiteral *CL = dyn_cast<CharacterLiteral>(E)) { 3126 // Special case for 'a', which has type 'int' in C. 3127 // Note, however, that we do /not/ want to treat multibyte constants like 3128 // 'MooV' as characters! This form is deprecated but still exists. 3129 if (ExprTy == S.Context.IntTy) 3130 if (llvm::isUIntN(S.Context.getCharWidth(), CL->getValue())) 3131 ExprTy = S.Context.CharTy; 3132 } 3133 3134 // %C in an Objective-C context prints a unichar, not a wchar_t. 3135 // If the argument is an integer of some kind, believe the %C and suggest 3136 // a cast instead of changing the conversion specifier. 3137 QualType IntendedTy = ExprTy; 3138 if (ObjCContext && 3139 FS.getConversionSpecifier().getKind() == ConversionSpecifier::CArg) { 3140 if (ExprTy->isIntegralOrUnscopedEnumerationType() && 3141 !ExprTy->isCharType()) { 3142 // 'unichar' is defined as a typedef of unsigned short, but we should 3143 // prefer using the typedef if it is visible. 3144 IntendedTy = S.Context.UnsignedShortTy; 3145 3146 // While we are here, check if the value is an IntegerLiteral that happens 3147 // to be within the valid range. 3148 if (const IntegerLiteral *IL = dyn_cast<IntegerLiteral>(E)) { 3149 const llvm::APInt &V = IL->getValue(); 3150 if (V.getActiveBits() <= S.Context.getTypeSize(IntendedTy)) 3151 return true; 3152 } 3153 3154 LookupResult Result(S, &S.Context.Idents.get("unichar"), E->getLocStart(), 3155 Sema::LookupOrdinaryName); 3156 if (S.LookupName(Result, S.getCurScope())) { 3157 NamedDecl *ND = Result.getFoundDecl(); 3158 if (TypedefNameDecl *TD = dyn_cast<TypedefNameDecl>(ND)) 3159 if (TD->getUnderlyingType() == IntendedTy) 3160 IntendedTy = S.Context.getTypedefType(TD); 3161 } 3162 } 3163 } 3164 3165 // Special-case some of Darwin's platform-independence types by suggesting 3166 // casts to primitive types that are known to be large enough. 3167 bool ShouldNotPrintDirectly = false; 3168 if (S.Context.getTargetInfo().getTriple().isOSDarwin()) { 3169 // Use a 'while' to peel off layers of typedefs. 3170 QualType TyTy = IntendedTy; 3171 while (const TypedefType *UserTy = TyTy->getAs<TypedefType>()) { 3172 StringRef Name = UserTy->getDecl()->getName(); 3173 QualType CastTy = llvm::StringSwitch<QualType>(Name) 3174 .Case("NSInteger", S.Context.LongTy) 3175 .Case("NSUInteger", S.Context.UnsignedLongTy) 3176 .Case("SInt32", S.Context.IntTy) 3177 .Case("UInt32", S.Context.UnsignedIntTy) 3178 .Default(QualType()); 3179 3180 if (!CastTy.isNull()) { 3181 ShouldNotPrintDirectly = true; 3182 IntendedTy = CastTy; 3183 break; 3184 } 3185 TyTy = UserTy->desugar(); 3186 } 3187 } 3188 3189 // We may be able to offer a FixItHint if it is a supported type. 3190 PrintfSpecifier fixedFS = FS; 3191 bool success = fixedFS.fixType(IntendedTy, S.getLangOpts(), 3192 S.Context, ObjCContext); 3193 3194 if (success) { 3195 // Get the fix string from the fixed format specifier 3196 SmallString<16> buf; 3197 llvm::raw_svector_ostream os(buf); 3198 fixedFS.toString(os); 3199 3200 CharSourceRange SpecRange = getSpecifierRange(StartSpecifier, SpecifierLen); 3201 3202 if (IntendedTy == ExprTy) { 3203 // In this case, the specifier is wrong and should be changed to match 3204 // the argument. 3205 EmitFormatDiagnostic( 3206 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 3207 << AT.getRepresentativeTypeName(S.Context) << IntendedTy 3208 << E->getSourceRange(), 3209 E->getLocStart(), 3210 /*IsStringLocation*/false, 3211 SpecRange, 3212 FixItHint::CreateReplacement(SpecRange, os.str())); 3213 3214 } else { 3215 // The canonical type for formatting this value is different from the 3216 // actual type of the expression. (This occurs, for example, with Darwin's 3217 // NSInteger on 32-bit platforms, where it is typedef'd as 'int', but 3218 // should be printed as 'long' for 64-bit compatibility.) 3219 // Rather than emitting a normal format/argument mismatch, we want to 3220 // add a cast to the recommended type (and correct the format string 3221 // if necessary). 3222 SmallString<16> CastBuf; 3223 llvm::raw_svector_ostream CastFix(CastBuf); 3224 CastFix << "("; 3225 IntendedTy.print(CastFix, S.Context.getPrintingPolicy()); 3226 CastFix << ")"; 3227 3228 SmallVector<FixItHint,4> Hints; 3229 if (!AT.matchesType(S.Context, IntendedTy)) 3230 Hints.push_back(FixItHint::CreateReplacement(SpecRange, os.str())); 3231 3232 if (const CStyleCastExpr *CCast = dyn_cast<CStyleCastExpr>(E)) { 3233 // If there's already a cast present, just replace it. 3234 SourceRange CastRange(CCast->getLParenLoc(), CCast->getRParenLoc()); 3235 Hints.push_back(FixItHint::CreateReplacement(CastRange, CastFix.str())); 3236 3237 } else if (!requiresParensToAddCast(E)) { 3238 // If the expression has high enough precedence, 3239 // just write the C-style cast. 3240 Hints.push_back(FixItHint::CreateInsertion(E->getLocStart(), 3241 CastFix.str())); 3242 } else { 3243 // Otherwise, add parens around the expression as well as the cast. 3244 CastFix << "("; 3245 Hints.push_back(FixItHint::CreateInsertion(E->getLocStart(), 3246 CastFix.str())); 3247 3248 SourceLocation After = S.PP.getLocForEndOfToken(E->getLocEnd()); 3249 Hints.push_back(FixItHint::CreateInsertion(After, ")")); 3250 } 3251 3252 if (ShouldNotPrintDirectly) { 3253 // The expression has a type that should not be printed directly. 3254 // We extract the name from the typedef because we don't want to show 3255 // the underlying type in the diagnostic. 3256 StringRef Name = cast<TypedefType>(ExprTy)->getDecl()->getName(); 3257 3258 EmitFormatDiagnostic(S.PDiag(diag::warn_format_argument_needs_cast) 3259 << Name << IntendedTy 3260 << E->getSourceRange(), 3261 E->getLocStart(), /*IsStringLocation=*/false, 3262 SpecRange, Hints); 3263 } else { 3264 // In this case, the expression could be printed using a different 3265 // specifier, but we've decided that the specifier is probably correct 3266 // and we should cast instead. Just use the normal warning message. 3267 EmitFormatDiagnostic( 3268 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 3269 << AT.getRepresentativeTypeName(S.Context) << ExprTy 3270 << E->getSourceRange(), 3271 E->getLocStart(), /*IsStringLocation*/false, 3272 SpecRange, Hints); 3273 } 3274 } 3275 } else { 3276 const CharSourceRange &CSR = getSpecifierRange(StartSpecifier, 3277 SpecifierLen); 3278 // Since the warning for passing non-POD types to variadic functions 3279 // was deferred until now, we emit a warning for non-POD 3280 // arguments here. 3281 switch (S.isValidVarArgType(ExprTy)) { 3282 case Sema::VAK_Valid: 3283 case Sema::VAK_ValidInCXX11: 3284 EmitFormatDiagnostic( 3285 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 3286 << AT.getRepresentativeTypeName(S.Context) << ExprTy 3287 << CSR 3288 << E->getSourceRange(), 3289 E->getLocStart(), /*IsStringLocation*/false, CSR); 3290 break; 3291 3292 case Sema::VAK_Undefined: 3293 EmitFormatDiagnostic( 3294 S.PDiag(diag::warn_non_pod_vararg_with_format_string) 3295 << S.getLangOpts().CPlusPlus11 3296 << ExprTy 3297 << CallType 3298 << AT.getRepresentativeTypeName(S.Context) 3299 << CSR 3300 << E->getSourceRange(), 3301 E->getLocStart(), /*IsStringLocation*/false, CSR); 3302 checkForCStrMembers(AT, E, CSR); 3303 break; 3304 3305 case Sema::VAK_Invalid: 3306 if (ExprTy->isObjCObjectType()) 3307 EmitFormatDiagnostic( 3308 S.PDiag(diag::err_cannot_pass_objc_interface_to_vararg_format) 3309 << S.getLangOpts().CPlusPlus11 3310 << ExprTy 3311 << CallType 3312 << AT.getRepresentativeTypeName(S.Context) 3313 << CSR 3314 << E->getSourceRange(), 3315 E->getLocStart(), /*IsStringLocation*/false, CSR); 3316 else 3317 // FIXME: If this is an initializer list, suggest removing the braces 3318 // or inserting a cast to the target type. 3319 S.Diag(E->getLocStart(), diag::err_cannot_pass_to_vararg_format) 3320 << isa<InitListExpr>(E) << ExprTy << CallType 3321 << AT.getRepresentativeTypeName(S.Context) 3322 << E->getSourceRange(); 3323 break; 3324 } 3325 3326 assert(FirstDataArg + FS.getArgIndex() < CheckedVarArgs.size() && 3327 "format string specifier index out of range"); 3328 CheckedVarArgs[FirstDataArg + FS.getArgIndex()] = true; 3329 } 3330 3331 return true; 3332} 3333 3334//===--- CHECK: Scanf format string checking ------------------------------===// 3335 3336namespace { 3337class CheckScanfHandler : public CheckFormatHandler { 3338public: 3339 CheckScanfHandler(Sema &s, const StringLiteral *fexpr, 3340 const Expr *origFormatExpr, unsigned firstDataArg, 3341 unsigned numDataArgs, const char *beg, bool hasVAListArg, 3342 ArrayRef<const Expr *> Args, 3343 unsigned formatIdx, bool inFunctionCall, 3344 Sema::VariadicCallType CallType, 3345 llvm::SmallBitVector &CheckedVarArgs) 3346 : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg, 3347 numDataArgs, beg, hasVAListArg, 3348 Args, formatIdx, inFunctionCall, CallType, 3349 CheckedVarArgs) 3350 {} 3351 3352 bool HandleScanfSpecifier(const analyze_scanf::ScanfSpecifier &FS, 3353 const char *startSpecifier, 3354 unsigned specifierLen); 3355 3356 bool HandleInvalidScanfConversionSpecifier( 3357 const analyze_scanf::ScanfSpecifier &FS, 3358 const char *startSpecifier, 3359 unsigned specifierLen); 3360 3361 void HandleIncompleteScanList(const char *start, const char *end); 3362}; 3363} 3364 3365void CheckScanfHandler::HandleIncompleteScanList(const char *start, 3366 const char *end) { 3367 EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_scanlist_incomplete), 3368 getLocationOfByte(end), /*IsStringLocation*/true, 3369 getSpecifierRange(start, end - start)); 3370} 3371 3372bool CheckScanfHandler::HandleInvalidScanfConversionSpecifier( 3373 const analyze_scanf::ScanfSpecifier &FS, 3374 const char *startSpecifier, 3375 unsigned specifierLen) { 3376 3377 const analyze_scanf::ScanfConversionSpecifier &CS = 3378 FS.getConversionSpecifier(); 3379 3380 return HandleInvalidConversionSpecifier(FS.getArgIndex(), 3381 getLocationOfByte(CS.getStart()), 3382 startSpecifier, specifierLen, 3383 CS.getStart(), CS.getLength()); 3384} 3385 3386bool CheckScanfHandler::HandleScanfSpecifier( 3387 const analyze_scanf::ScanfSpecifier &FS, 3388 const char *startSpecifier, 3389 unsigned specifierLen) { 3390 3391 using namespace analyze_scanf; 3392 using namespace analyze_format_string; 3393 3394 const ScanfConversionSpecifier &CS = FS.getConversionSpecifier(); 3395 3396 // Handle case where '%' and '*' don't consume an argument. These shouldn't 3397 // be used to decide if we are using positional arguments consistently. 3398 if (FS.consumesDataArgument()) { 3399 if (atFirstArg) { 3400 atFirstArg = false; 3401 usesPositionalArgs = FS.usesPositionalArg(); 3402 } 3403 else if (usesPositionalArgs != FS.usesPositionalArg()) { 3404 HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()), 3405 startSpecifier, specifierLen); 3406 return false; 3407 } 3408 } 3409 3410 // Check if the field with is non-zero. 3411 const OptionalAmount &Amt = FS.getFieldWidth(); 3412 if (Amt.getHowSpecified() == OptionalAmount::Constant) { 3413 if (Amt.getConstantAmount() == 0) { 3414 const CharSourceRange &R = getSpecifierRange(Amt.getStart(), 3415 Amt.getConstantLength()); 3416 EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_nonzero_width), 3417 getLocationOfByte(Amt.getStart()), 3418 /*IsStringLocation*/true, R, 3419 FixItHint::CreateRemoval(R)); 3420 } 3421 } 3422 3423 if (!FS.consumesDataArgument()) { 3424 // FIXME: Technically specifying a precision or field width here 3425 // makes no sense. Worth issuing a warning at some point. 3426 return true; 3427 } 3428 3429 // Consume the argument. 3430 unsigned argIndex = FS.getArgIndex(); 3431 if (argIndex < NumDataArgs) { 3432 // The check to see if the argIndex is valid will come later. 3433 // We set the bit here because we may exit early from this 3434 // function if we encounter some other error. 3435 CoveredArgs.set(argIndex); 3436 } 3437 3438 // Check the length modifier is valid with the given conversion specifier. 3439 if (!FS.hasValidLengthModifier(S.getASTContext().getTargetInfo())) 3440 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, 3441 diag::warn_format_nonsensical_length); 3442 else if (!FS.hasStandardLengthModifier()) 3443 HandleNonStandardLengthModifier(FS, startSpecifier, specifierLen); 3444 else if (!FS.hasStandardLengthConversionCombination()) 3445 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, 3446 diag::warn_format_non_standard_conversion_spec); 3447 3448 if (!FS.hasStandardConversionSpecifier(S.getLangOpts())) 3449 HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen); 3450 3451 // The remaining checks depend on the data arguments. 3452 if (HasVAListArg) 3453 return true; 3454 3455 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex)) 3456 return false; 3457 3458 // Check that the argument type matches the format specifier. 3459 const Expr *Ex = getDataArg(argIndex); 3460 if (!Ex) 3461 return true; 3462 3463 const analyze_format_string::ArgType &AT = FS.getArgType(S.Context); 3464 if (AT.isValid() && !AT.matchesType(S.Context, Ex->getType())) { 3465 ScanfSpecifier fixedFS = FS; 3466 bool success = fixedFS.fixType(Ex->getType(), S.getLangOpts(), 3467 S.Context); 3468 3469 if (success) { 3470 // Get the fix string from the fixed format specifier. 3471 SmallString<128> buf; 3472 llvm::raw_svector_ostream os(buf); 3473 fixedFS.toString(os); 3474 3475 EmitFormatDiagnostic( 3476 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 3477 << AT.getRepresentativeTypeName(S.Context) << Ex->getType() 3478 << Ex->getSourceRange(), 3479 Ex->getLocStart(), 3480 /*IsStringLocation*/false, 3481 getSpecifierRange(startSpecifier, specifierLen), 3482 FixItHint::CreateReplacement( 3483 getSpecifierRange(startSpecifier, specifierLen), 3484 os.str())); 3485 } else { 3486 EmitFormatDiagnostic( 3487 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 3488 << AT.getRepresentativeTypeName(S.Context) << Ex->getType() 3489 << Ex->getSourceRange(), 3490 Ex->getLocStart(), 3491 /*IsStringLocation*/false, 3492 getSpecifierRange(startSpecifier, specifierLen)); 3493 } 3494 } 3495 3496 return true; 3497} 3498 3499void Sema::CheckFormatString(const StringLiteral *FExpr, 3500 const Expr *OrigFormatExpr, 3501 ArrayRef<const Expr *> Args, 3502 bool HasVAListArg, unsigned format_idx, 3503 unsigned firstDataArg, FormatStringType Type, 3504 bool inFunctionCall, VariadicCallType CallType, 3505 llvm::SmallBitVector &CheckedVarArgs) { 3506 3507 // CHECK: is the format string a wide literal? 3508 if (!FExpr->isAscii() && !FExpr->isUTF8()) { 3509 CheckFormatHandler::EmitFormatDiagnostic( 3510 *this, inFunctionCall, Args[format_idx], 3511 PDiag(diag::warn_format_string_is_wide_literal), FExpr->getLocStart(), 3512 /*IsStringLocation*/true, OrigFormatExpr->getSourceRange()); 3513 return; 3514 } 3515 3516 // Str - The format string. NOTE: this is NOT null-terminated! 3517 StringRef StrRef = FExpr->getString(); 3518 const char *Str = StrRef.data(); 3519 unsigned StrLen = StrRef.size(); 3520 const unsigned numDataArgs = Args.size() - firstDataArg; 3521 3522 // CHECK: empty format string? 3523 if (StrLen == 0 && numDataArgs > 0) { 3524 CheckFormatHandler::EmitFormatDiagnostic( 3525 *this, inFunctionCall, Args[format_idx], 3526 PDiag(diag::warn_empty_format_string), FExpr->getLocStart(), 3527 /*IsStringLocation*/true, OrigFormatExpr->getSourceRange()); 3528 return; 3529 } 3530 3531 if (Type == FST_Printf || Type == FST_NSString) { 3532 CheckPrintfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, 3533 numDataArgs, (Type == FST_NSString), 3534 Str, HasVAListArg, Args, format_idx, 3535 inFunctionCall, CallType, CheckedVarArgs); 3536 3537 if (!analyze_format_string::ParsePrintfString(H, Str, Str + StrLen, 3538 getLangOpts(), 3539 Context.getTargetInfo())) 3540 H.DoneProcessing(); 3541 } else if (Type == FST_Scanf) { 3542 CheckScanfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, numDataArgs, 3543 Str, HasVAListArg, Args, format_idx, 3544 inFunctionCall, CallType, CheckedVarArgs); 3545 3546 if (!analyze_format_string::ParseScanfString(H, Str, Str + StrLen, 3547 getLangOpts(), 3548 Context.getTargetInfo())) 3549 H.DoneProcessing(); 3550 } // TODO: handle other formats 3551} 3552 3553//===--- CHECK: Standard memory functions ---------------------------------===// 3554 3555/// \brief Determine whether the given type is a dynamic class type (e.g., 3556/// whether it has a vtable). 3557static bool isDynamicClassType(QualType T) { 3558 if (CXXRecordDecl *Record = T->getAsCXXRecordDecl()) 3559 if (CXXRecordDecl *Definition = Record->getDefinition()) 3560 if (Definition->isDynamicClass()) 3561 return true; 3562 3563 return false; 3564} 3565 3566/// \brief If E is a sizeof expression, returns its argument expression, 3567/// otherwise returns NULL. 3568static const Expr *getSizeOfExprArg(const Expr* E) { 3569 if (const UnaryExprOrTypeTraitExpr *SizeOf = 3570 dyn_cast<UnaryExprOrTypeTraitExpr>(E)) 3571 if (SizeOf->getKind() == clang::UETT_SizeOf && !SizeOf->isArgumentType()) 3572 return SizeOf->getArgumentExpr()->IgnoreParenImpCasts(); 3573 3574 return 0; 3575} 3576 3577/// \brief If E is a sizeof expression, returns its argument type. 3578static QualType getSizeOfArgType(const Expr* E) { 3579 if (const UnaryExprOrTypeTraitExpr *SizeOf = 3580 dyn_cast<UnaryExprOrTypeTraitExpr>(E)) 3581 if (SizeOf->getKind() == clang::UETT_SizeOf) 3582 return SizeOf->getTypeOfArgument(); 3583 3584 return QualType(); 3585} 3586 3587/// \brief Check for dangerous or invalid arguments to memset(). 3588/// 3589/// This issues warnings on known problematic, dangerous or unspecified 3590/// arguments to the standard 'memset', 'memcpy', 'memmove', and 'memcmp' 3591/// function calls. 3592/// 3593/// \param Call The call expression to diagnose. 3594void Sema::CheckMemaccessArguments(const CallExpr *Call, 3595 unsigned BId, 3596 IdentifierInfo *FnName) { 3597 assert(BId != 0); 3598 3599 // It is possible to have a non-standard definition of memset. Validate 3600 // we have enough arguments, and if not, abort further checking. 3601 unsigned ExpectedNumArgs = (BId == Builtin::BIstrndup ? 2 : 3); 3602 if (Call->getNumArgs() < ExpectedNumArgs) 3603 return; 3604 3605 unsigned LastArg = (BId == Builtin::BImemset || 3606 BId == Builtin::BIstrndup ? 1 : 2); 3607 unsigned LenArg = (BId == Builtin::BIstrndup ? 1 : 2); 3608 const Expr *LenExpr = Call->getArg(LenArg)->IgnoreParenImpCasts(); 3609 3610 // We have special checking when the length is a sizeof expression. 3611 QualType SizeOfArgTy = getSizeOfArgType(LenExpr); 3612 const Expr *SizeOfArg = getSizeOfExprArg(LenExpr); 3613 llvm::FoldingSetNodeID SizeOfArgID; 3614 3615 for (unsigned ArgIdx = 0; ArgIdx != LastArg; ++ArgIdx) { 3616 const Expr *Dest = Call->getArg(ArgIdx)->IgnoreParenImpCasts(); 3617 SourceRange ArgRange = Call->getArg(ArgIdx)->getSourceRange(); 3618 3619 QualType DestTy = Dest->getType(); 3620 if (const PointerType *DestPtrTy = DestTy->getAs<PointerType>()) { 3621 QualType PointeeTy = DestPtrTy->getPointeeType(); 3622 3623 // Never warn about void type pointers. This can be used to suppress 3624 // false positives. 3625 if (PointeeTy->isVoidType()) 3626 continue; 3627 3628 // Catch "memset(p, 0, sizeof(p))" -- needs to be sizeof(*p). Do this by 3629 // actually comparing the expressions for equality. Because computing the 3630 // expression IDs can be expensive, we only do this if the diagnostic is 3631 // enabled. 3632 if (SizeOfArg && 3633 Diags.getDiagnosticLevel(diag::warn_sizeof_pointer_expr_memaccess, 3634 SizeOfArg->getExprLoc())) { 3635 // We only compute IDs for expressions if the warning is enabled, and 3636 // cache the sizeof arg's ID. 3637 if (SizeOfArgID == llvm::FoldingSetNodeID()) 3638 SizeOfArg->Profile(SizeOfArgID, Context, true); 3639 llvm::FoldingSetNodeID DestID; 3640 Dest->Profile(DestID, Context, true); 3641 if (DestID == SizeOfArgID) { 3642 // TODO: For strncpy() and friends, this could suggest sizeof(dst) 3643 // over sizeof(src) as well. 3644 unsigned ActionIdx = 0; // Default is to suggest dereferencing. 3645 StringRef ReadableName = FnName->getName(); 3646 3647 if (const UnaryOperator *UnaryOp = dyn_cast<UnaryOperator>(Dest)) 3648 if (UnaryOp->getOpcode() == UO_AddrOf) 3649 ActionIdx = 1; // If its an address-of operator, just remove it. 3650 if (!PointeeTy->isIncompleteType() && 3651 (Context.getTypeSize(PointeeTy) == Context.getCharWidth())) 3652 ActionIdx = 2; // If the pointee's size is sizeof(char), 3653 // suggest an explicit length. 3654 3655 // If the function is defined as a builtin macro, do not show macro 3656 // expansion. 3657 SourceLocation SL = SizeOfArg->getExprLoc(); 3658 SourceRange DSR = Dest->getSourceRange(); 3659 SourceRange SSR = SizeOfArg->getSourceRange(); 3660 SourceManager &SM = PP.getSourceManager(); 3661 3662 if (SM.isMacroArgExpansion(SL)) { 3663 ReadableName = Lexer::getImmediateMacroName(SL, SM, LangOpts); 3664 SL = SM.getSpellingLoc(SL); 3665 DSR = SourceRange(SM.getSpellingLoc(DSR.getBegin()), 3666 SM.getSpellingLoc(DSR.getEnd())); 3667 SSR = SourceRange(SM.getSpellingLoc(SSR.getBegin()), 3668 SM.getSpellingLoc(SSR.getEnd())); 3669 } 3670 3671 DiagRuntimeBehavior(SL, SizeOfArg, 3672 PDiag(diag::warn_sizeof_pointer_expr_memaccess) 3673 << ReadableName 3674 << PointeeTy 3675 << DestTy 3676 << DSR 3677 << SSR); 3678 DiagRuntimeBehavior(SL, SizeOfArg, 3679 PDiag(diag::warn_sizeof_pointer_expr_memaccess_note) 3680 << ActionIdx 3681 << SSR); 3682 3683 break; 3684 } 3685 } 3686 3687 // Also check for cases where the sizeof argument is the exact same 3688 // type as the memory argument, and where it points to a user-defined 3689 // record type. 3690 if (SizeOfArgTy != QualType()) { 3691 if (PointeeTy->isRecordType() && 3692 Context.typesAreCompatible(SizeOfArgTy, DestTy)) { 3693 DiagRuntimeBehavior(LenExpr->getExprLoc(), Dest, 3694 PDiag(diag::warn_sizeof_pointer_type_memaccess) 3695 << FnName << SizeOfArgTy << ArgIdx 3696 << PointeeTy << Dest->getSourceRange() 3697 << LenExpr->getSourceRange()); 3698 break; 3699 } 3700 } 3701 3702 // Always complain about dynamic classes. 3703 if (isDynamicClassType(PointeeTy)) { 3704 3705 unsigned OperationType = 0; 3706 // "overwritten" if we're warning about the destination for any call 3707 // but memcmp; otherwise a verb appropriate to the call. 3708 if (ArgIdx != 0 || BId == Builtin::BImemcmp) { 3709 if (BId == Builtin::BImemcpy) 3710 OperationType = 1; 3711 else if(BId == Builtin::BImemmove) 3712 OperationType = 2; 3713 else if (BId == Builtin::BImemcmp) 3714 OperationType = 3; 3715 } 3716 3717 DiagRuntimeBehavior( 3718 Dest->getExprLoc(), Dest, 3719 PDiag(diag::warn_dyn_class_memaccess) 3720 << (BId == Builtin::BImemcmp ? ArgIdx + 2 : ArgIdx) 3721 << FnName << PointeeTy 3722 << OperationType 3723 << Call->getCallee()->getSourceRange()); 3724 } else if (PointeeTy.hasNonTrivialObjCLifetime() && 3725 BId != Builtin::BImemset) 3726 DiagRuntimeBehavior( 3727 Dest->getExprLoc(), Dest, 3728 PDiag(diag::warn_arc_object_memaccess) 3729 << ArgIdx << FnName << PointeeTy 3730 << Call->getCallee()->getSourceRange()); 3731 else 3732 continue; 3733 3734 DiagRuntimeBehavior( 3735 Dest->getExprLoc(), Dest, 3736 PDiag(diag::note_bad_memaccess_silence) 3737 << FixItHint::CreateInsertion(ArgRange.getBegin(), "(void*)")); 3738 break; 3739 } 3740 } 3741} 3742 3743// A little helper routine: ignore addition and subtraction of integer literals. 3744// This intentionally does not ignore all integer constant expressions because 3745// we don't want to remove sizeof(). 3746static const Expr *ignoreLiteralAdditions(const Expr *Ex, ASTContext &Ctx) { 3747 Ex = Ex->IgnoreParenCasts(); 3748 3749 for (;;) { 3750 const BinaryOperator * BO = dyn_cast<BinaryOperator>(Ex); 3751 if (!BO || !BO->isAdditiveOp()) 3752 break; 3753 3754 const Expr *RHS = BO->getRHS()->IgnoreParenCasts(); 3755 const Expr *LHS = BO->getLHS()->IgnoreParenCasts(); 3756 3757 if (isa<IntegerLiteral>(RHS)) 3758 Ex = LHS; 3759 else if (isa<IntegerLiteral>(LHS)) 3760 Ex = RHS; 3761 else 3762 break; 3763 } 3764 3765 return Ex; 3766} 3767 3768static bool isConstantSizeArrayWithMoreThanOneElement(QualType Ty, 3769 ASTContext &Context) { 3770 // Only handle constant-sized or VLAs, but not flexible members. 3771 if (const ConstantArrayType *CAT = Context.getAsConstantArrayType(Ty)) { 3772 // Only issue the FIXIT for arrays of size > 1. 3773 if (CAT->getSize().getSExtValue() <= 1) 3774 return false; 3775 } else if (!Ty->isVariableArrayType()) { 3776 return false; 3777 } 3778 return true; 3779} 3780 3781// Warn if the user has made the 'size' argument to strlcpy or strlcat 3782// be the size of the source, instead of the destination. 3783void Sema::CheckStrlcpycatArguments(const CallExpr *Call, 3784 IdentifierInfo *FnName) { 3785 3786 // Don't crash if the user has the wrong number of arguments 3787 if (Call->getNumArgs() != 3) 3788 return; 3789 3790 const Expr *SrcArg = ignoreLiteralAdditions(Call->getArg(1), Context); 3791 const Expr *SizeArg = ignoreLiteralAdditions(Call->getArg(2), Context); 3792 const Expr *CompareWithSrc = NULL; 3793 3794 // Look for 'strlcpy(dst, x, sizeof(x))' 3795 if (const Expr *Ex = getSizeOfExprArg(SizeArg)) 3796 CompareWithSrc = Ex; 3797 else { 3798 // Look for 'strlcpy(dst, x, strlen(x))' 3799 if (const CallExpr *SizeCall = dyn_cast<CallExpr>(SizeArg)) { 3800 if (SizeCall->isBuiltinCall() == Builtin::BIstrlen 3801 && SizeCall->getNumArgs() == 1) 3802 CompareWithSrc = ignoreLiteralAdditions(SizeCall->getArg(0), Context); 3803 } 3804 } 3805 3806 if (!CompareWithSrc) 3807 return; 3808 3809 // Determine if the argument to sizeof/strlen is equal to the source 3810 // argument. In principle there's all kinds of things you could do 3811 // here, for instance creating an == expression and evaluating it with 3812 // EvaluateAsBooleanCondition, but this uses a more direct technique: 3813 const DeclRefExpr *SrcArgDRE = dyn_cast<DeclRefExpr>(SrcArg); 3814 if (!SrcArgDRE) 3815 return; 3816 3817 const DeclRefExpr *CompareWithSrcDRE = dyn_cast<DeclRefExpr>(CompareWithSrc); 3818 if (!CompareWithSrcDRE || 3819 SrcArgDRE->getDecl() != CompareWithSrcDRE->getDecl()) 3820 return; 3821 3822 const Expr *OriginalSizeArg = Call->getArg(2); 3823 Diag(CompareWithSrcDRE->getLocStart(), diag::warn_strlcpycat_wrong_size) 3824 << OriginalSizeArg->getSourceRange() << FnName; 3825 3826 // Output a FIXIT hint if the destination is an array (rather than a 3827 // pointer to an array). This could be enhanced to handle some 3828 // pointers if we know the actual size, like if DstArg is 'array+2' 3829 // we could say 'sizeof(array)-2'. 3830 const Expr *DstArg = Call->getArg(0)->IgnoreParenImpCasts(); 3831 if (!isConstantSizeArrayWithMoreThanOneElement(DstArg->getType(), Context)) 3832 return; 3833 3834 SmallString<128> sizeString; 3835 llvm::raw_svector_ostream OS(sizeString); 3836 OS << "sizeof("; 3837 DstArg->printPretty(OS, 0, getPrintingPolicy()); 3838 OS << ")"; 3839 3840 Diag(OriginalSizeArg->getLocStart(), diag::note_strlcpycat_wrong_size) 3841 << FixItHint::CreateReplacement(OriginalSizeArg->getSourceRange(), 3842 OS.str()); 3843} 3844 3845/// Check if two expressions refer to the same declaration. 3846static bool referToTheSameDecl(const Expr *E1, const Expr *E2) { 3847 if (const DeclRefExpr *D1 = dyn_cast_or_null<DeclRefExpr>(E1)) 3848 if (const DeclRefExpr *D2 = dyn_cast_or_null<DeclRefExpr>(E2)) 3849 return D1->getDecl() == D2->getDecl(); 3850 return false; 3851} 3852 3853static const Expr *getStrlenExprArg(const Expr *E) { 3854 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { 3855 const FunctionDecl *FD = CE->getDirectCallee(); 3856 if (!FD || FD->getMemoryFunctionKind() != Builtin::BIstrlen) 3857 return 0; 3858 return CE->getArg(0)->IgnoreParenCasts(); 3859 } 3860 return 0; 3861} 3862 3863// Warn on anti-patterns as the 'size' argument to strncat. 3864// The correct size argument should look like following: 3865// strncat(dst, src, sizeof(dst) - strlen(dest) - 1); 3866void Sema::CheckStrncatArguments(const CallExpr *CE, 3867 IdentifierInfo *FnName) { 3868 // Don't crash if the user has the wrong number of arguments. 3869 if (CE->getNumArgs() < 3) 3870 return; 3871 const Expr *DstArg = CE->getArg(0)->IgnoreParenCasts(); 3872 const Expr *SrcArg = CE->getArg(1)->IgnoreParenCasts(); 3873 const Expr *LenArg = CE->getArg(2)->IgnoreParenCasts(); 3874 3875 // Identify common expressions, which are wrongly used as the size argument 3876 // to strncat and may lead to buffer overflows. 3877 unsigned PatternType = 0; 3878 if (const Expr *SizeOfArg = getSizeOfExprArg(LenArg)) { 3879 // - sizeof(dst) 3880 if (referToTheSameDecl(SizeOfArg, DstArg)) 3881 PatternType = 1; 3882 // - sizeof(src) 3883 else if (referToTheSameDecl(SizeOfArg, SrcArg)) 3884 PatternType = 2; 3885 } else if (const BinaryOperator *BE = dyn_cast<BinaryOperator>(LenArg)) { 3886 if (BE->getOpcode() == BO_Sub) { 3887 const Expr *L = BE->getLHS()->IgnoreParenCasts(); 3888 const Expr *R = BE->getRHS()->IgnoreParenCasts(); 3889 // - sizeof(dst) - strlen(dst) 3890 if (referToTheSameDecl(DstArg, getSizeOfExprArg(L)) && 3891 referToTheSameDecl(DstArg, getStrlenExprArg(R))) 3892 PatternType = 1; 3893 // - sizeof(src) - (anything) 3894 else if (referToTheSameDecl(SrcArg, getSizeOfExprArg(L))) 3895 PatternType = 2; 3896 } 3897 } 3898 3899 if (PatternType == 0) 3900 return; 3901 3902 // Generate the diagnostic. 3903 SourceLocation SL = LenArg->getLocStart(); 3904 SourceRange SR = LenArg->getSourceRange(); 3905 SourceManager &SM = PP.getSourceManager(); 3906 3907 // If the function is defined as a builtin macro, do not show macro expansion. 3908 if (SM.isMacroArgExpansion(SL)) { 3909 SL = SM.getSpellingLoc(SL); 3910 SR = SourceRange(SM.getSpellingLoc(SR.getBegin()), 3911 SM.getSpellingLoc(SR.getEnd())); 3912 } 3913 3914 // Check if the destination is an array (rather than a pointer to an array). 3915 QualType DstTy = DstArg->getType(); 3916 bool isKnownSizeArray = isConstantSizeArrayWithMoreThanOneElement(DstTy, 3917 Context); 3918 if (!isKnownSizeArray) { 3919 if (PatternType == 1) 3920 Diag(SL, diag::warn_strncat_wrong_size) << SR; 3921 else 3922 Diag(SL, diag::warn_strncat_src_size) << SR; 3923 return; 3924 } 3925 3926 if (PatternType == 1) 3927 Diag(SL, diag::warn_strncat_large_size) << SR; 3928 else 3929 Diag(SL, diag::warn_strncat_src_size) << SR; 3930 3931 SmallString<128> sizeString; 3932 llvm::raw_svector_ostream OS(sizeString); 3933 OS << "sizeof("; 3934 DstArg->printPretty(OS, 0, getPrintingPolicy()); 3935 OS << ") - "; 3936 OS << "strlen("; 3937 DstArg->printPretty(OS, 0, getPrintingPolicy()); 3938 OS << ") - 1"; 3939 3940 Diag(SL, diag::note_strncat_wrong_size) 3941 << FixItHint::CreateReplacement(SR, OS.str()); 3942} 3943 3944//===--- CHECK: Return Address of Stack Variable --------------------------===// 3945 3946static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars, 3947 Decl *ParentDecl); 3948static Expr *EvalAddr(Expr* E, SmallVectorImpl<DeclRefExpr *> &refVars, 3949 Decl *ParentDecl); 3950 3951/// CheckReturnStackAddr - Check if a return statement returns the address 3952/// of a stack variable. 3953void 3954Sema::CheckReturnStackAddr(Expr *RetValExp, QualType lhsType, 3955 SourceLocation ReturnLoc) { 3956 3957 Expr *stackE = 0; 3958 SmallVector<DeclRefExpr *, 8> refVars; 3959 3960 // Perform checking for returned stack addresses, local blocks, 3961 // label addresses or references to temporaries. 3962 if (lhsType->isPointerType() || 3963 (!getLangOpts().ObjCAutoRefCount && lhsType->isBlockPointerType())) { 3964 stackE = EvalAddr(RetValExp, refVars, /*ParentDecl=*/0); 3965 } else if (lhsType->isReferenceType()) { 3966 stackE = EvalVal(RetValExp, refVars, /*ParentDecl=*/0); 3967 } 3968 3969 if (stackE == 0) 3970 return; // Nothing suspicious was found. 3971 3972 SourceLocation diagLoc; 3973 SourceRange diagRange; 3974 if (refVars.empty()) { 3975 diagLoc = stackE->getLocStart(); 3976 diagRange = stackE->getSourceRange(); 3977 } else { 3978 // We followed through a reference variable. 'stackE' contains the 3979 // problematic expression but we will warn at the return statement pointing 3980 // at the reference variable. We will later display the "trail" of 3981 // reference variables using notes. 3982 diagLoc = refVars[0]->getLocStart(); 3983 diagRange = refVars[0]->getSourceRange(); 3984 } 3985 3986 if (DeclRefExpr *DR = dyn_cast<DeclRefExpr>(stackE)) { //address of local var. 3987 Diag(diagLoc, lhsType->isReferenceType() ? diag::warn_ret_stack_ref 3988 : diag::warn_ret_stack_addr) 3989 << DR->getDecl()->getDeclName() << diagRange; 3990 } else if (isa<BlockExpr>(stackE)) { // local block. 3991 Diag(diagLoc, diag::err_ret_local_block) << diagRange; 3992 } else if (isa<AddrLabelExpr>(stackE)) { // address of label. 3993 Diag(diagLoc, diag::warn_ret_addr_label) << diagRange; 3994 } else { // local temporary. 3995 Diag(diagLoc, lhsType->isReferenceType() ? diag::warn_ret_local_temp_ref 3996 : diag::warn_ret_local_temp_addr) 3997 << diagRange; 3998 } 3999 4000 // Display the "trail" of reference variables that we followed until we 4001 // found the problematic expression using notes. 4002 for (unsigned i = 0, e = refVars.size(); i != e; ++i) { 4003 VarDecl *VD = cast<VarDecl>(refVars[i]->getDecl()); 4004 // If this var binds to another reference var, show the range of the next 4005 // var, otherwise the var binds to the problematic expression, in which case 4006 // show the range of the expression. 4007 SourceRange range = (i < e-1) ? refVars[i+1]->getSourceRange() 4008 : stackE->getSourceRange(); 4009 Diag(VD->getLocation(), diag::note_ref_var_local_bind) 4010 << VD->getDeclName() << range; 4011 } 4012} 4013 4014/// EvalAddr - EvalAddr and EvalVal are mutually recursive functions that 4015/// check if the expression in a return statement evaluates to an address 4016/// to a location on the stack, a local block, an address of a label, or a 4017/// reference to local temporary. The recursion is used to traverse the 4018/// AST of the return expression, with recursion backtracking when we 4019/// encounter a subexpression that (1) clearly does not lead to one of the 4020/// above problematic expressions (2) is something we cannot determine leads to 4021/// a problematic expression based on such local checking. 4022/// 4023/// Both EvalAddr and EvalVal follow through reference variables to evaluate 4024/// the expression that they point to. Such variables are added to the 4025/// 'refVars' vector so that we know what the reference variable "trail" was. 4026/// 4027/// EvalAddr processes expressions that are pointers that are used as 4028/// references (and not L-values). EvalVal handles all other values. 4029/// At the base case of the recursion is a check for the above problematic 4030/// expressions. 4031/// 4032/// This implementation handles: 4033/// 4034/// * pointer-to-pointer casts 4035/// * implicit conversions from array references to pointers 4036/// * taking the address of fields 4037/// * arbitrary interplay between "&" and "*" operators 4038/// * pointer arithmetic from an address of a stack variable 4039/// * taking the address of an array element where the array is on the stack 4040static Expr *EvalAddr(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars, 4041 Decl *ParentDecl) { 4042 if (E->isTypeDependent()) 4043 return NULL; 4044 4045 // We should only be called for evaluating pointer expressions. 4046 assert((E->getType()->isAnyPointerType() || 4047 E->getType()->isBlockPointerType() || 4048 E->getType()->isObjCQualifiedIdType()) && 4049 "EvalAddr only works on pointers"); 4050 4051 E = E->IgnoreParens(); 4052 4053 // Our "symbolic interpreter" is just a dispatch off the currently 4054 // viewed AST node. We then recursively traverse the AST by calling 4055 // EvalAddr and EvalVal appropriately. 4056 switch (E->getStmtClass()) { 4057 case Stmt::DeclRefExprClass: { 4058 DeclRefExpr *DR = cast<DeclRefExpr>(E); 4059 4060 if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) 4061 // If this is a reference variable, follow through to the expression that 4062 // it points to. 4063 if (V->hasLocalStorage() && 4064 V->getType()->isReferenceType() && V->hasInit()) { 4065 // Add the reference variable to the "trail". 4066 refVars.push_back(DR); 4067 return EvalAddr(V->getInit(), refVars, ParentDecl); 4068 } 4069 4070 return NULL; 4071 } 4072 4073 case Stmt::UnaryOperatorClass: { 4074 // The only unary operator that make sense to handle here 4075 // is AddrOf. All others don't make sense as pointers. 4076 UnaryOperator *U = cast<UnaryOperator>(E); 4077 4078 if (U->getOpcode() == UO_AddrOf) 4079 return EvalVal(U->getSubExpr(), refVars, ParentDecl); 4080 else 4081 return NULL; 4082 } 4083 4084 case Stmt::BinaryOperatorClass: { 4085 // Handle pointer arithmetic. All other binary operators are not valid 4086 // in this context. 4087 BinaryOperator *B = cast<BinaryOperator>(E); 4088 BinaryOperatorKind op = B->getOpcode(); 4089 4090 if (op != BO_Add && op != BO_Sub) 4091 return NULL; 4092 4093 Expr *Base = B->getLHS(); 4094 4095 // Determine which argument is the real pointer base. It could be 4096 // the RHS argument instead of the LHS. 4097 if (!Base->getType()->isPointerType()) Base = B->getRHS(); 4098 4099 assert (Base->getType()->isPointerType()); 4100 return EvalAddr(Base, refVars, ParentDecl); 4101 } 4102 4103 // For conditional operators we need to see if either the LHS or RHS are 4104 // valid DeclRefExpr*s. If one of them is valid, we return it. 4105 case Stmt::ConditionalOperatorClass: { 4106 ConditionalOperator *C = cast<ConditionalOperator>(E); 4107 4108 // Handle the GNU extension for missing LHS. 4109 if (Expr *lhsExpr = C->getLHS()) { 4110 // In C++, we can have a throw-expression, which has 'void' type. 4111 if (!lhsExpr->getType()->isVoidType()) 4112 if (Expr* LHS = EvalAddr(lhsExpr, refVars, ParentDecl)) 4113 return LHS; 4114 } 4115 4116 // In C++, we can have a throw-expression, which has 'void' type. 4117 if (C->getRHS()->getType()->isVoidType()) 4118 return NULL; 4119 4120 return EvalAddr(C->getRHS(), refVars, ParentDecl); 4121 } 4122 4123 case Stmt::BlockExprClass: 4124 if (cast<BlockExpr>(E)->getBlockDecl()->hasCaptures()) 4125 return E; // local block. 4126 return NULL; 4127 4128 case Stmt::AddrLabelExprClass: 4129 return E; // address of label. 4130 4131 case Stmt::ExprWithCleanupsClass: 4132 return EvalAddr(cast<ExprWithCleanups>(E)->getSubExpr(), refVars, 4133 ParentDecl); 4134 4135 // For casts, we need to handle conversions from arrays to 4136 // pointer values, and pointer-to-pointer conversions. 4137 case Stmt::ImplicitCastExprClass: 4138 case Stmt::CStyleCastExprClass: 4139 case Stmt::CXXFunctionalCastExprClass: 4140 case Stmt::ObjCBridgedCastExprClass: 4141 case Stmt::CXXStaticCastExprClass: 4142 case Stmt::CXXDynamicCastExprClass: 4143 case Stmt::CXXConstCastExprClass: 4144 case Stmt::CXXReinterpretCastExprClass: { 4145 Expr* SubExpr = cast<CastExpr>(E)->getSubExpr(); 4146 switch (cast<CastExpr>(E)->getCastKind()) { 4147 case CK_BitCast: 4148 case CK_LValueToRValue: 4149 case CK_NoOp: 4150 case CK_BaseToDerived: 4151 case CK_DerivedToBase: 4152 case CK_UncheckedDerivedToBase: 4153 case CK_Dynamic: 4154 case CK_CPointerToObjCPointerCast: 4155 case CK_BlockPointerToObjCPointerCast: 4156 case CK_AnyPointerToBlockPointerCast: 4157 return EvalAddr(SubExpr, refVars, ParentDecl); 4158 4159 case CK_ArrayToPointerDecay: 4160 return EvalVal(SubExpr, refVars, ParentDecl); 4161 4162 default: 4163 return 0; 4164 } 4165 } 4166 4167 case Stmt::MaterializeTemporaryExprClass: 4168 if (Expr *Result = EvalAddr( 4169 cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(), 4170 refVars, ParentDecl)) 4171 return Result; 4172 4173 return E; 4174 4175 // Everything else: we simply don't reason about them. 4176 default: 4177 return NULL; 4178 } 4179} 4180 4181 4182/// EvalVal - This function is complements EvalAddr in the mutual recursion. 4183/// See the comments for EvalAddr for more details. 4184static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars, 4185 Decl *ParentDecl) { 4186do { 4187 // We should only be called for evaluating non-pointer expressions, or 4188 // expressions with a pointer type that are not used as references but instead 4189 // are l-values (e.g., DeclRefExpr with a pointer type). 4190 4191 // Our "symbolic interpreter" is just a dispatch off the currently 4192 // viewed AST node. We then recursively traverse the AST by calling 4193 // EvalAddr and EvalVal appropriately. 4194 4195 E = E->IgnoreParens(); 4196 switch (E->getStmtClass()) { 4197 case Stmt::ImplicitCastExprClass: { 4198 ImplicitCastExpr *IE = cast<ImplicitCastExpr>(E); 4199 if (IE->getValueKind() == VK_LValue) { 4200 E = IE->getSubExpr(); 4201 continue; 4202 } 4203 return NULL; 4204 } 4205 4206 case Stmt::ExprWithCleanupsClass: 4207 return EvalVal(cast<ExprWithCleanups>(E)->getSubExpr(), refVars,ParentDecl); 4208 4209 case Stmt::DeclRefExprClass: { 4210 // When we hit a DeclRefExpr we are looking at code that refers to a 4211 // variable's name. If it's not a reference variable we check if it has 4212 // local storage within the function, and if so, return the expression. 4213 DeclRefExpr *DR = cast<DeclRefExpr>(E); 4214 4215 if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) { 4216 // Check if it refers to itself, e.g. "int& i = i;". 4217 if (V == ParentDecl) 4218 return DR; 4219 4220 if (V->hasLocalStorage()) { 4221 if (!V->getType()->isReferenceType()) 4222 return DR; 4223 4224 // Reference variable, follow through to the expression that 4225 // it points to. 4226 if (V->hasInit()) { 4227 // Add the reference variable to the "trail". 4228 refVars.push_back(DR); 4229 return EvalVal(V->getInit(), refVars, V); 4230 } 4231 } 4232 } 4233 4234 return NULL; 4235 } 4236 4237 case Stmt::UnaryOperatorClass: { 4238 // The only unary operator that make sense to handle here 4239 // is Deref. All others don't resolve to a "name." This includes 4240 // handling all sorts of rvalues passed to a unary operator. 4241 UnaryOperator *U = cast<UnaryOperator>(E); 4242 4243 if (U->getOpcode() == UO_Deref) 4244 return EvalAddr(U->getSubExpr(), refVars, ParentDecl); 4245 4246 return NULL; 4247 } 4248 4249 case Stmt::ArraySubscriptExprClass: { 4250 // Array subscripts are potential references to data on the stack. We 4251 // retrieve the DeclRefExpr* for the array variable if it indeed 4252 // has local storage. 4253 return EvalAddr(cast<ArraySubscriptExpr>(E)->getBase(), refVars,ParentDecl); 4254 } 4255 4256 case Stmt::ConditionalOperatorClass: { 4257 // For conditional operators we need to see if either the LHS or RHS are 4258 // non-NULL Expr's. If one is non-NULL, we return it. 4259 ConditionalOperator *C = cast<ConditionalOperator>(E); 4260 4261 // Handle the GNU extension for missing LHS. 4262 if (Expr *lhsExpr = C->getLHS()) 4263 if (Expr *LHS = EvalVal(lhsExpr, refVars, ParentDecl)) 4264 return LHS; 4265 4266 return EvalVal(C->getRHS(), refVars, ParentDecl); 4267 } 4268 4269 // Accesses to members are potential references to data on the stack. 4270 case Stmt::MemberExprClass: { 4271 MemberExpr *M = cast<MemberExpr>(E); 4272 4273 // Check for indirect access. We only want direct field accesses. 4274 if (M->isArrow()) 4275 return NULL; 4276 4277 // Check whether the member type is itself a reference, in which case 4278 // we're not going to refer to the member, but to what the member refers to. 4279 if (M->getMemberDecl()->getType()->isReferenceType()) 4280 return NULL; 4281 4282 return EvalVal(M->getBase(), refVars, ParentDecl); 4283 } 4284 4285 case Stmt::MaterializeTemporaryExprClass: 4286 if (Expr *Result = EvalVal( 4287 cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(), 4288 refVars, ParentDecl)) 4289 return Result; 4290 4291 return E; 4292 4293 default: 4294 // Check that we don't return or take the address of a reference to a 4295 // temporary. This is only useful in C++. 4296 if (!E->isTypeDependent() && E->isRValue()) 4297 return E; 4298 4299 // Everything else: we simply don't reason about them. 4300 return NULL; 4301 } 4302} while (true); 4303} 4304 4305//===--- CHECK: Floating-Point comparisons (-Wfloat-equal) ---------------===// 4306 4307/// Check for comparisons of floating point operands using != and ==. 4308/// Issue a warning if these are no self-comparisons, as they are not likely 4309/// to do what the programmer intended. 4310void Sema::CheckFloatComparison(SourceLocation Loc, Expr* LHS, Expr *RHS) { 4311 Expr* LeftExprSansParen = LHS->IgnoreParenImpCasts(); 4312 Expr* RightExprSansParen = RHS->IgnoreParenImpCasts(); 4313 4314 // Special case: check for x == x (which is OK). 4315 // Do not emit warnings for such cases. 4316 if (DeclRefExpr* DRL = dyn_cast<DeclRefExpr>(LeftExprSansParen)) 4317 if (DeclRefExpr* DRR = dyn_cast<DeclRefExpr>(RightExprSansParen)) 4318 if (DRL->getDecl() == DRR->getDecl()) 4319 return; 4320 4321 4322 // Special case: check for comparisons against literals that can be exactly 4323 // represented by APFloat. In such cases, do not emit a warning. This 4324 // is a heuristic: often comparison against such literals are used to 4325 // detect if a value in a variable has not changed. This clearly can 4326 // lead to false negatives. 4327 if (FloatingLiteral* FLL = dyn_cast<FloatingLiteral>(LeftExprSansParen)) { 4328 if (FLL->isExact()) 4329 return; 4330 } else 4331 if (FloatingLiteral* FLR = dyn_cast<FloatingLiteral>(RightExprSansParen)) 4332 if (FLR->isExact()) 4333 return; 4334 4335 // Check for comparisons with builtin types. 4336 if (CallExpr* CL = dyn_cast<CallExpr>(LeftExprSansParen)) 4337 if (CL->isBuiltinCall()) 4338 return; 4339 4340 if (CallExpr* CR = dyn_cast<CallExpr>(RightExprSansParen)) 4341 if (CR->isBuiltinCall()) 4342 return; 4343 4344 // Emit the diagnostic. 4345 Diag(Loc, diag::warn_floatingpoint_eq) 4346 << LHS->getSourceRange() << RHS->getSourceRange(); 4347} 4348 4349//===--- CHECK: Integer mixed-sign comparisons (-Wsign-compare) --------===// 4350//===--- CHECK: Lossy implicit conversions (-Wconversion) --------------===// 4351 4352namespace { 4353 4354/// Structure recording the 'active' range of an integer-valued 4355/// expression. 4356struct IntRange { 4357 /// The number of bits active in the int. 4358 unsigned Width; 4359 4360 /// True if the int is known not to have negative values. 4361 bool NonNegative; 4362 4363 IntRange(unsigned Width, bool NonNegative) 4364 : Width(Width), NonNegative(NonNegative) 4365 {} 4366 4367 /// Returns the range of the bool type. 4368 static IntRange forBoolType() { 4369 return IntRange(1, true); 4370 } 4371 4372 /// Returns the range of an opaque value of the given integral type. 4373 static IntRange forValueOfType(ASTContext &C, QualType T) { 4374 return forValueOfCanonicalType(C, 4375 T->getCanonicalTypeInternal().getTypePtr()); 4376 } 4377 4378 /// Returns the range of an opaque value of a canonical integral type. 4379 static IntRange forValueOfCanonicalType(ASTContext &C, const Type *T) { 4380 assert(T->isCanonicalUnqualified()); 4381 4382 if (const VectorType *VT = dyn_cast<VectorType>(T)) 4383 T = VT->getElementType().getTypePtr(); 4384 if (const ComplexType *CT = dyn_cast<ComplexType>(T)) 4385 T = CT->getElementType().getTypePtr(); 4386 4387 // For enum types, use the known bit width of the enumerators. 4388 if (const EnumType *ET = dyn_cast<EnumType>(T)) { 4389 EnumDecl *Enum = ET->getDecl(); 4390 if (!Enum->isCompleteDefinition()) 4391 return IntRange(C.getIntWidth(QualType(T, 0)), false); 4392 4393 unsigned NumPositive = Enum->getNumPositiveBits(); 4394 unsigned NumNegative = Enum->getNumNegativeBits(); 4395 4396 if (NumNegative == 0) 4397 return IntRange(NumPositive, true/*NonNegative*/); 4398 else 4399 return IntRange(std::max(NumPositive + 1, NumNegative), 4400 false/*NonNegative*/); 4401 } 4402 4403 const BuiltinType *BT = cast<BuiltinType>(T); 4404 assert(BT->isInteger()); 4405 4406 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); 4407 } 4408 4409 /// Returns the "target" range of a canonical integral type, i.e. 4410 /// the range of values expressible in the type. 4411 /// 4412 /// This matches forValueOfCanonicalType except that enums have the 4413 /// full range of their type, not the range of their enumerators. 4414 static IntRange forTargetOfCanonicalType(ASTContext &C, const Type *T) { 4415 assert(T->isCanonicalUnqualified()); 4416 4417 if (const VectorType *VT = dyn_cast<VectorType>(T)) 4418 T = VT->getElementType().getTypePtr(); 4419 if (const ComplexType *CT = dyn_cast<ComplexType>(T)) 4420 T = CT->getElementType().getTypePtr(); 4421 if (const EnumType *ET = dyn_cast<EnumType>(T)) 4422 T = C.getCanonicalType(ET->getDecl()->getIntegerType()).getTypePtr(); 4423 4424 const BuiltinType *BT = cast<BuiltinType>(T); 4425 assert(BT->isInteger()); 4426 4427 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); 4428 } 4429 4430 /// Returns the supremum of two ranges: i.e. their conservative merge. 4431 static IntRange join(IntRange L, IntRange R) { 4432 return IntRange(std::max(L.Width, R.Width), 4433 L.NonNegative && R.NonNegative); 4434 } 4435 4436 /// Returns the infinum of two ranges: i.e. their aggressive merge. 4437 static IntRange meet(IntRange L, IntRange R) { 4438 return IntRange(std::min(L.Width, R.Width), 4439 L.NonNegative || R.NonNegative); 4440 } 4441}; 4442 4443static IntRange GetValueRange(ASTContext &C, llvm::APSInt &value, 4444 unsigned MaxWidth) { 4445 if (value.isSigned() && value.isNegative()) 4446 return IntRange(value.getMinSignedBits(), false); 4447 4448 if (value.getBitWidth() > MaxWidth) 4449 value = value.trunc(MaxWidth); 4450 4451 // isNonNegative() just checks the sign bit without considering 4452 // signedness. 4453 return IntRange(value.getActiveBits(), true); 4454} 4455 4456static IntRange GetValueRange(ASTContext &C, APValue &result, QualType Ty, 4457 unsigned MaxWidth) { 4458 if (result.isInt()) 4459 return GetValueRange(C, result.getInt(), MaxWidth); 4460 4461 if (result.isVector()) { 4462 IntRange R = GetValueRange(C, result.getVectorElt(0), Ty, MaxWidth); 4463 for (unsigned i = 1, e = result.getVectorLength(); i != e; ++i) { 4464 IntRange El = GetValueRange(C, result.getVectorElt(i), Ty, MaxWidth); 4465 R = IntRange::join(R, El); 4466 } 4467 return R; 4468 } 4469 4470 if (result.isComplexInt()) { 4471 IntRange R = GetValueRange(C, result.getComplexIntReal(), MaxWidth); 4472 IntRange I = GetValueRange(C, result.getComplexIntImag(), MaxWidth); 4473 return IntRange::join(R, I); 4474 } 4475 4476 // This can happen with lossless casts to intptr_t of "based" lvalues. 4477 // Assume it might use arbitrary bits. 4478 // FIXME: The only reason we need to pass the type in here is to get 4479 // the sign right on this one case. It would be nice if APValue 4480 // preserved this. 4481 assert(result.isLValue() || result.isAddrLabelDiff()); 4482 return IntRange(MaxWidth, Ty->isUnsignedIntegerOrEnumerationType()); 4483} 4484 4485static QualType GetExprType(Expr *E) { 4486 QualType Ty = E->getType(); 4487 if (const AtomicType *AtomicRHS = Ty->getAs<AtomicType>()) 4488 Ty = AtomicRHS->getValueType(); 4489 return Ty; 4490} 4491 4492/// Pseudo-evaluate the given integer expression, estimating the 4493/// range of values it might take. 4494/// 4495/// \param MaxWidth - the width to which the value will be truncated 4496static IntRange GetExprRange(ASTContext &C, Expr *E, unsigned MaxWidth) { 4497 E = E->IgnoreParens(); 4498 4499 // Try a full evaluation first. 4500 Expr::EvalResult result; 4501 if (E->EvaluateAsRValue(result, C)) 4502 return GetValueRange(C, result.Val, GetExprType(E), MaxWidth); 4503 4504 // I think we only want to look through implicit casts here; if the 4505 // user has an explicit widening cast, we should treat the value as 4506 // being of the new, wider type. 4507 if (ImplicitCastExpr *CE = dyn_cast<ImplicitCastExpr>(E)) { 4508 if (CE->getCastKind() == CK_NoOp || CE->getCastKind() == CK_LValueToRValue) 4509 return GetExprRange(C, CE->getSubExpr(), MaxWidth); 4510 4511 IntRange OutputTypeRange = IntRange::forValueOfType(C, GetExprType(CE)); 4512 4513 bool isIntegerCast = (CE->getCastKind() == CK_IntegralCast); 4514 4515 // Assume that non-integer casts can span the full range of the type. 4516 if (!isIntegerCast) 4517 return OutputTypeRange; 4518 4519 IntRange SubRange 4520 = GetExprRange(C, CE->getSubExpr(), 4521 std::min(MaxWidth, OutputTypeRange.Width)); 4522 4523 // Bail out if the subexpr's range is as wide as the cast type. 4524 if (SubRange.Width >= OutputTypeRange.Width) 4525 return OutputTypeRange; 4526 4527 // Otherwise, we take the smaller width, and we're non-negative if 4528 // either the output type or the subexpr is. 4529 return IntRange(SubRange.Width, 4530 SubRange.NonNegative || OutputTypeRange.NonNegative); 4531 } 4532 4533 if (ConditionalOperator *CO = dyn_cast<ConditionalOperator>(E)) { 4534 // If we can fold the condition, just take that operand. 4535 bool CondResult; 4536 if (CO->getCond()->EvaluateAsBooleanCondition(CondResult, C)) 4537 return GetExprRange(C, CondResult ? CO->getTrueExpr() 4538 : CO->getFalseExpr(), 4539 MaxWidth); 4540 4541 // Otherwise, conservatively merge. 4542 IntRange L = GetExprRange(C, CO->getTrueExpr(), MaxWidth); 4543 IntRange R = GetExprRange(C, CO->getFalseExpr(), MaxWidth); 4544 return IntRange::join(L, R); 4545 } 4546 4547 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 4548 switch (BO->getOpcode()) { 4549 4550 // Boolean-valued operations are single-bit and positive. 4551 case BO_LAnd: 4552 case BO_LOr: 4553 case BO_LT: 4554 case BO_GT: 4555 case BO_LE: 4556 case BO_GE: 4557 case BO_EQ: 4558 case BO_NE: 4559 return IntRange::forBoolType(); 4560 4561 // The type of the assignments is the type of the LHS, so the RHS 4562 // is not necessarily the same type. 4563 case BO_MulAssign: 4564 case BO_DivAssign: 4565 case BO_RemAssign: 4566 case BO_AddAssign: 4567 case BO_SubAssign: 4568 case BO_XorAssign: 4569 case BO_OrAssign: 4570 // TODO: bitfields? 4571 return IntRange::forValueOfType(C, GetExprType(E)); 4572 4573 // Simple assignments just pass through the RHS, which will have 4574 // been coerced to the LHS type. 4575 case BO_Assign: 4576 // TODO: bitfields? 4577 return GetExprRange(C, BO->getRHS(), MaxWidth); 4578 4579 // Operations with opaque sources are black-listed. 4580 case BO_PtrMemD: 4581 case BO_PtrMemI: 4582 return IntRange::forValueOfType(C, GetExprType(E)); 4583 4584 // Bitwise-and uses the *infinum* of the two source ranges. 4585 case BO_And: 4586 case BO_AndAssign: 4587 return IntRange::meet(GetExprRange(C, BO->getLHS(), MaxWidth), 4588 GetExprRange(C, BO->getRHS(), MaxWidth)); 4589 4590 // Left shift gets black-listed based on a judgement call. 4591 case BO_Shl: 4592 // ...except that we want to treat '1 << (blah)' as logically 4593 // positive. It's an important idiom. 4594 if (IntegerLiteral *I 4595 = dyn_cast<IntegerLiteral>(BO->getLHS()->IgnoreParenCasts())) { 4596 if (I->getValue() == 1) { 4597 IntRange R = IntRange::forValueOfType(C, GetExprType(E)); 4598 return IntRange(R.Width, /*NonNegative*/ true); 4599 } 4600 } 4601 // fallthrough 4602 4603 case BO_ShlAssign: 4604 return IntRange::forValueOfType(C, GetExprType(E)); 4605 4606 // Right shift by a constant can narrow its left argument. 4607 case BO_Shr: 4608 case BO_ShrAssign: { 4609 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 4610 4611 // If the shift amount is a positive constant, drop the width by 4612 // that much. 4613 llvm::APSInt shift; 4614 if (BO->getRHS()->isIntegerConstantExpr(shift, C) && 4615 shift.isNonNegative()) { 4616 unsigned zext = shift.getZExtValue(); 4617 if (zext >= L.Width) 4618 L.Width = (L.NonNegative ? 0 : 1); 4619 else 4620 L.Width -= zext; 4621 } 4622 4623 return L; 4624 } 4625 4626 // Comma acts as its right operand. 4627 case BO_Comma: 4628 return GetExprRange(C, BO->getRHS(), MaxWidth); 4629 4630 // Black-list pointer subtractions. 4631 case BO_Sub: 4632 if (BO->getLHS()->getType()->isPointerType()) 4633 return IntRange::forValueOfType(C, GetExprType(E)); 4634 break; 4635 4636 // The width of a division result is mostly determined by the size 4637 // of the LHS. 4638 case BO_Div: { 4639 // Don't 'pre-truncate' the operands. 4640 unsigned opWidth = C.getIntWidth(GetExprType(E)); 4641 IntRange L = GetExprRange(C, BO->getLHS(), opWidth); 4642 4643 // If the divisor is constant, use that. 4644 llvm::APSInt divisor; 4645 if (BO->getRHS()->isIntegerConstantExpr(divisor, C)) { 4646 unsigned log2 = divisor.logBase2(); // floor(log_2(divisor)) 4647 if (log2 >= L.Width) 4648 L.Width = (L.NonNegative ? 0 : 1); 4649 else 4650 L.Width = std::min(L.Width - log2, MaxWidth); 4651 return L; 4652 } 4653 4654 // Otherwise, just use the LHS's width. 4655 IntRange R = GetExprRange(C, BO->getRHS(), opWidth); 4656 return IntRange(L.Width, L.NonNegative && R.NonNegative); 4657 } 4658 4659 // The result of a remainder can't be larger than the result of 4660 // either side. 4661 case BO_Rem: { 4662 // Don't 'pre-truncate' the operands. 4663 unsigned opWidth = C.getIntWidth(GetExprType(E)); 4664 IntRange L = GetExprRange(C, BO->getLHS(), opWidth); 4665 IntRange R = GetExprRange(C, BO->getRHS(), opWidth); 4666 4667 IntRange meet = IntRange::meet(L, R); 4668 meet.Width = std::min(meet.Width, MaxWidth); 4669 return meet; 4670 } 4671 4672 // The default behavior is okay for these. 4673 case BO_Mul: 4674 case BO_Add: 4675 case BO_Xor: 4676 case BO_Or: 4677 break; 4678 } 4679 4680 // The default case is to treat the operation as if it were closed 4681 // on the narrowest type that encompasses both operands. 4682 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 4683 IntRange R = GetExprRange(C, BO->getRHS(), MaxWidth); 4684 return IntRange::join(L, R); 4685 } 4686 4687 if (UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) { 4688 switch (UO->getOpcode()) { 4689 // Boolean-valued operations are white-listed. 4690 case UO_LNot: 4691 return IntRange::forBoolType(); 4692 4693 // Operations with opaque sources are black-listed. 4694 case UO_Deref: 4695 case UO_AddrOf: // should be impossible 4696 return IntRange::forValueOfType(C, GetExprType(E)); 4697 4698 default: 4699 return GetExprRange(C, UO->getSubExpr(), MaxWidth); 4700 } 4701 } 4702 4703 if (OpaqueValueExpr *OVE = dyn_cast<OpaqueValueExpr>(E)) 4704 return GetExprRange(C, OVE->getSourceExpr(), MaxWidth); 4705 4706 if (FieldDecl *BitField = E->getSourceBitField()) 4707 return IntRange(BitField->getBitWidthValue(C), 4708 BitField->getType()->isUnsignedIntegerOrEnumerationType()); 4709 4710 return IntRange::forValueOfType(C, GetExprType(E)); 4711} 4712 4713static IntRange GetExprRange(ASTContext &C, Expr *E) { 4714 return GetExprRange(C, E, C.getIntWidth(GetExprType(E))); 4715} 4716 4717/// Checks whether the given value, which currently has the given 4718/// source semantics, has the same value when coerced through the 4719/// target semantics. 4720static bool IsSameFloatAfterCast(const llvm::APFloat &value, 4721 const llvm::fltSemantics &Src, 4722 const llvm::fltSemantics &Tgt) { 4723 llvm::APFloat truncated = value; 4724 4725 bool ignored; 4726 truncated.convert(Src, llvm::APFloat::rmNearestTiesToEven, &ignored); 4727 truncated.convert(Tgt, llvm::APFloat::rmNearestTiesToEven, &ignored); 4728 4729 return truncated.bitwiseIsEqual(value); 4730} 4731 4732/// Checks whether the given value, which currently has the given 4733/// source semantics, has the same value when coerced through the 4734/// target semantics. 4735/// 4736/// The value might be a vector of floats (or a complex number). 4737static bool IsSameFloatAfterCast(const APValue &value, 4738 const llvm::fltSemantics &Src, 4739 const llvm::fltSemantics &Tgt) { 4740 if (value.isFloat()) 4741 return IsSameFloatAfterCast(value.getFloat(), Src, Tgt); 4742 4743 if (value.isVector()) { 4744 for (unsigned i = 0, e = value.getVectorLength(); i != e; ++i) 4745 if (!IsSameFloatAfterCast(value.getVectorElt(i), Src, Tgt)) 4746 return false; 4747 return true; 4748 } 4749 4750 assert(value.isComplexFloat()); 4751 return (IsSameFloatAfterCast(value.getComplexFloatReal(), Src, Tgt) && 4752 IsSameFloatAfterCast(value.getComplexFloatImag(), Src, Tgt)); 4753} 4754 4755static void AnalyzeImplicitConversions(Sema &S, Expr *E, SourceLocation CC); 4756 4757static bool IsZero(Sema &S, Expr *E) { 4758 // Suppress cases where we are comparing against an enum constant. 4759 if (const DeclRefExpr *DR = 4760 dyn_cast<DeclRefExpr>(E->IgnoreParenImpCasts())) 4761 if (isa<EnumConstantDecl>(DR->getDecl())) 4762 return false; 4763 4764 // Suppress cases where the '0' value is expanded from a macro. 4765 if (E->getLocStart().isMacroID()) 4766 return false; 4767 4768 llvm::APSInt Value; 4769 return E->isIntegerConstantExpr(Value, S.Context) && Value == 0; 4770} 4771 4772static bool HasEnumType(Expr *E) { 4773 // Strip off implicit integral promotions. 4774 while (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) { 4775 if (ICE->getCastKind() != CK_IntegralCast && 4776 ICE->getCastKind() != CK_NoOp) 4777 break; 4778 E = ICE->getSubExpr(); 4779 } 4780 4781 return E->getType()->isEnumeralType(); 4782} 4783 4784static void CheckTrivialUnsignedComparison(Sema &S, BinaryOperator *E) { 4785 // Disable warning in template instantiations. 4786 if (!S.ActiveTemplateInstantiations.empty()) 4787 return; 4788 4789 BinaryOperatorKind op = E->getOpcode(); 4790 if (E->isValueDependent()) 4791 return; 4792 4793 if (op == BO_LT && IsZero(S, E->getRHS())) { 4794 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 4795 << "< 0" << "false" << HasEnumType(E->getLHS()) 4796 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 4797 } else if (op == BO_GE && IsZero(S, E->getRHS())) { 4798 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 4799 << ">= 0" << "true" << HasEnumType(E->getLHS()) 4800 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 4801 } else if (op == BO_GT && IsZero(S, E->getLHS())) { 4802 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 4803 << "0 >" << "false" << HasEnumType(E->getRHS()) 4804 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 4805 } else if (op == BO_LE && IsZero(S, E->getLHS())) { 4806 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 4807 << "0 <=" << "true" << HasEnumType(E->getRHS()) 4808 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 4809 } 4810} 4811 4812static void DiagnoseOutOfRangeComparison(Sema &S, BinaryOperator *E, 4813 Expr *Constant, Expr *Other, 4814 llvm::APSInt Value, 4815 bool RhsConstant) { 4816 // Disable warning in template instantiations. 4817 if (!S.ActiveTemplateInstantiations.empty()) 4818 return; 4819 4820 // 0 values are handled later by CheckTrivialUnsignedComparison(). 4821 if (Value == 0) 4822 return; 4823 4824 BinaryOperatorKind op = E->getOpcode(); 4825 QualType OtherT = Other->getType(); 4826 QualType ConstantT = Constant->getType(); 4827 QualType CommonT = E->getLHS()->getType(); 4828 if (S.Context.hasSameUnqualifiedType(OtherT, ConstantT)) 4829 return; 4830 assert((OtherT->isIntegerType() && ConstantT->isIntegerType()) 4831 && "comparison with non-integer type"); 4832 4833 bool ConstantSigned = ConstantT->isSignedIntegerType(); 4834 bool CommonSigned = CommonT->isSignedIntegerType(); 4835 4836 bool EqualityOnly = false; 4837 4838 // TODO: Investigate using GetExprRange() to get tighter bounds on 4839 // on the bit ranges. 4840 IntRange OtherRange = IntRange::forValueOfType(S.Context, OtherT); 4841 unsigned OtherWidth = OtherRange.Width; 4842 4843 if (CommonSigned) { 4844 // The common type is signed, therefore no signed to unsigned conversion. 4845 if (!OtherRange.NonNegative) { 4846 // Check that the constant is representable in type OtherT. 4847 if (ConstantSigned) { 4848 if (OtherWidth >= Value.getMinSignedBits()) 4849 return; 4850 } else { // !ConstantSigned 4851 if (OtherWidth >= Value.getActiveBits() + 1) 4852 return; 4853 } 4854 } else { // !OtherSigned 4855 // Check that the constant is representable in type OtherT. 4856 // Negative values are out of range. 4857 if (ConstantSigned) { 4858 if (Value.isNonNegative() && OtherWidth >= Value.getActiveBits()) 4859 return; 4860 } else { // !ConstantSigned 4861 if (OtherWidth >= Value.getActiveBits()) 4862 return; 4863 } 4864 } 4865 } else { // !CommonSigned 4866 if (OtherRange.NonNegative) { 4867 if (OtherWidth >= Value.getActiveBits()) 4868 return; 4869 } else if (!OtherRange.NonNegative && !ConstantSigned) { 4870 // Check to see if the constant is representable in OtherT. 4871 if (OtherWidth > Value.getActiveBits()) 4872 return; 4873 // Check to see if the constant is equivalent to a negative value 4874 // cast to CommonT. 4875 if (S.Context.getIntWidth(ConstantT) == S.Context.getIntWidth(CommonT) && 4876 Value.isNegative() && Value.getMinSignedBits() <= OtherWidth) 4877 return; 4878 // The constant value rests between values that OtherT can represent after 4879 // conversion. Relational comparison still works, but equality 4880 // comparisons will be tautological. 4881 EqualityOnly = true; 4882 } else { // OtherSigned && ConstantSigned 4883 assert(0 && "Two signed types converted to unsigned types."); 4884 } 4885 } 4886 4887 bool PositiveConstant = !ConstantSigned || Value.isNonNegative(); 4888 4889 bool IsTrue = true; 4890 if (op == BO_EQ || op == BO_NE) { 4891 IsTrue = op == BO_NE; 4892 } else if (EqualityOnly) { 4893 return; 4894 } else if (RhsConstant) { 4895 if (op == BO_GT || op == BO_GE) 4896 IsTrue = !PositiveConstant; 4897 else // op == BO_LT || op == BO_LE 4898 IsTrue = PositiveConstant; 4899 } else { 4900 if (op == BO_LT || op == BO_LE) 4901 IsTrue = !PositiveConstant; 4902 else // op == BO_GT || op == BO_GE 4903 IsTrue = PositiveConstant; 4904 } 4905 4906 // If this is a comparison to an enum constant, include that 4907 // constant in the diagnostic. 4908 const EnumConstantDecl *ED = 0; 4909 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Constant)) 4910 ED = dyn_cast<EnumConstantDecl>(DR->getDecl()); 4911 4912 SmallString<64> PrettySourceValue; 4913 llvm::raw_svector_ostream OS(PrettySourceValue); 4914 if (ED) 4915 OS << '\'' << *ED << "' (" << Value << ")"; 4916 else 4917 OS << Value; 4918 4919 S.Diag(E->getOperatorLoc(), diag::warn_out_of_range_compare) 4920 << OS.str() << OtherT << IsTrue 4921 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 4922} 4923 4924/// Analyze the operands of the given comparison. Implements the 4925/// fallback case from AnalyzeComparison. 4926static void AnalyzeImpConvsInComparison(Sema &S, BinaryOperator *E) { 4927 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc()); 4928 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc()); 4929} 4930 4931/// \brief Implements -Wsign-compare. 4932/// 4933/// \param E the binary operator to check for warnings 4934static void AnalyzeComparison(Sema &S, BinaryOperator *E) { 4935 // The type the comparison is being performed in. 4936 QualType T = E->getLHS()->getType(); 4937 assert(S.Context.hasSameUnqualifiedType(T, E->getRHS()->getType()) 4938 && "comparison with mismatched types"); 4939 if (E->isValueDependent()) 4940 return AnalyzeImpConvsInComparison(S, E); 4941 4942 Expr *LHS = E->getLHS()->IgnoreParenImpCasts(); 4943 Expr *RHS = E->getRHS()->IgnoreParenImpCasts(); 4944 4945 bool IsComparisonConstant = false; 4946 4947 // Check whether an integer constant comparison results in a value 4948 // of 'true' or 'false'. 4949 if (T->isIntegralType(S.Context)) { 4950 llvm::APSInt RHSValue; 4951 bool IsRHSIntegralLiteral = 4952 RHS->isIntegerConstantExpr(RHSValue, S.Context); 4953 llvm::APSInt LHSValue; 4954 bool IsLHSIntegralLiteral = 4955 LHS->isIntegerConstantExpr(LHSValue, S.Context); 4956 if (IsRHSIntegralLiteral && !IsLHSIntegralLiteral) 4957 DiagnoseOutOfRangeComparison(S, E, RHS, LHS, RHSValue, true); 4958 else if (!IsRHSIntegralLiteral && IsLHSIntegralLiteral) 4959 DiagnoseOutOfRangeComparison(S, E, LHS, RHS, LHSValue, false); 4960 else 4961 IsComparisonConstant = 4962 (IsRHSIntegralLiteral && IsLHSIntegralLiteral); 4963 } else if (!T->hasUnsignedIntegerRepresentation()) 4964 IsComparisonConstant = E->isIntegerConstantExpr(S.Context); 4965 4966 // We don't do anything special if this isn't an unsigned integral 4967 // comparison: we're only interested in integral comparisons, and 4968 // signed comparisons only happen in cases we don't care to warn about. 4969 // 4970 // We also don't care about value-dependent expressions or expressions 4971 // whose result is a constant. 4972 if (!T->hasUnsignedIntegerRepresentation() || IsComparisonConstant) 4973 return AnalyzeImpConvsInComparison(S, E); 4974 4975 // Check to see if one of the (unmodified) operands is of different 4976 // signedness. 4977 Expr *signedOperand, *unsignedOperand; 4978 if (LHS->getType()->hasSignedIntegerRepresentation()) { 4979 assert(!RHS->getType()->hasSignedIntegerRepresentation() && 4980 "unsigned comparison between two signed integer expressions?"); 4981 signedOperand = LHS; 4982 unsignedOperand = RHS; 4983 } else if (RHS->getType()->hasSignedIntegerRepresentation()) { 4984 signedOperand = RHS; 4985 unsignedOperand = LHS; 4986 } else { 4987 CheckTrivialUnsignedComparison(S, E); 4988 return AnalyzeImpConvsInComparison(S, E); 4989 } 4990 4991 // Otherwise, calculate the effective range of the signed operand. 4992 IntRange signedRange = GetExprRange(S.Context, signedOperand); 4993 4994 // Go ahead and analyze implicit conversions in the operands. Note 4995 // that we skip the implicit conversions on both sides. 4996 AnalyzeImplicitConversions(S, LHS, E->getOperatorLoc()); 4997 AnalyzeImplicitConversions(S, RHS, E->getOperatorLoc()); 4998 4999 // If the signed range is non-negative, -Wsign-compare won't fire, 5000 // but we should still check for comparisons which are always true 5001 // or false. 5002 if (signedRange.NonNegative) 5003 return CheckTrivialUnsignedComparison(S, E); 5004 5005 // For (in)equality comparisons, if the unsigned operand is a 5006 // constant which cannot collide with a overflowed signed operand, 5007 // then reinterpreting the signed operand as unsigned will not 5008 // change the result of the comparison. 5009 if (E->isEqualityOp()) { 5010 unsigned comparisonWidth = S.Context.getIntWidth(T); 5011 IntRange unsignedRange = GetExprRange(S.Context, unsignedOperand); 5012 5013 // We should never be unable to prove that the unsigned operand is 5014 // non-negative. 5015 assert(unsignedRange.NonNegative && "unsigned range includes negative?"); 5016 5017 if (unsignedRange.Width < comparisonWidth) 5018 return; 5019 } 5020 5021 S.DiagRuntimeBehavior(E->getOperatorLoc(), E, 5022 S.PDiag(diag::warn_mixed_sign_comparison) 5023 << LHS->getType() << RHS->getType() 5024 << LHS->getSourceRange() << RHS->getSourceRange()); 5025} 5026 5027/// Analyzes an attempt to assign the given value to a bitfield. 5028/// 5029/// Returns true if there was something fishy about the attempt. 5030static bool AnalyzeBitFieldAssignment(Sema &S, FieldDecl *Bitfield, Expr *Init, 5031 SourceLocation InitLoc) { 5032 assert(Bitfield->isBitField()); 5033 if (Bitfield->isInvalidDecl()) 5034 return false; 5035 5036 // White-list bool bitfields. 5037 if (Bitfield->getType()->isBooleanType()) 5038 return false; 5039 5040 // Ignore value- or type-dependent expressions. 5041 if (Bitfield->getBitWidth()->isValueDependent() || 5042 Bitfield->getBitWidth()->isTypeDependent() || 5043 Init->isValueDependent() || 5044 Init->isTypeDependent()) 5045 return false; 5046 5047 Expr *OriginalInit = Init->IgnoreParenImpCasts(); 5048 5049 llvm::APSInt Value; 5050 if (!OriginalInit->EvaluateAsInt(Value, S.Context, Expr::SE_AllowSideEffects)) 5051 return false; 5052 5053 unsigned OriginalWidth = Value.getBitWidth(); 5054 unsigned FieldWidth = Bitfield->getBitWidthValue(S.Context); 5055 5056 if (OriginalWidth <= FieldWidth) 5057 return false; 5058 5059 // Compute the value which the bitfield will contain. 5060 llvm::APSInt TruncatedValue = Value.trunc(FieldWidth); 5061 TruncatedValue.setIsSigned(Bitfield->getType()->isSignedIntegerType()); 5062 5063 // Check whether the stored value is equal to the original value. 5064 TruncatedValue = TruncatedValue.extend(OriginalWidth); 5065 if (llvm::APSInt::isSameValue(Value, TruncatedValue)) 5066 return false; 5067 5068 // Special-case bitfields of width 1: booleans are naturally 0/1, and 5069 // therefore don't strictly fit into a signed bitfield of width 1. 5070 if (FieldWidth == 1 && Value == 1) 5071 return false; 5072 5073 std::string PrettyValue = Value.toString(10); 5074 std::string PrettyTrunc = TruncatedValue.toString(10); 5075 5076 S.Diag(InitLoc, diag::warn_impcast_bitfield_precision_constant) 5077 << PrettyValue << PrettyTrunc << OriginalInit->getType() 5078 << Init->getSourceRange(); 5079 5080 return true; 5081} 5082 5083/// Analyze the given simple or compound assignment for warning-worthy 5084/// operations. 5085static void AnalyzeAssignment(Sema &S, BinaryOperator *E) { 5086 // Just recurse on the LHS. 5087 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc()); 5088 5089 // We want to recurse on the RHS as normal unless we're assigning to 5090 // a bitfield. 5091 if (FieldDecl *Bitfield = E->getLHS()->getSourceBitField()) { 5092 if (AnalyzeBitFieldAssignment(S, Bitfield, E->getRHS(), 5093 E->getOperatorLoc())) { 5094 // Recurse, ignoring any implicit conversions on the RHS. 5095 return AnalyzeImplicitConversions(S, E->getRHS()->IgnoreParenImpCasts(), 5096 E->getOperatorLoc()); 5097 } 5098 } 5099 5100 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc()); 5101} 5102 5103/// Diagnose an implicit cast; purely a helper for CheckImplicitConversion. 5104static void DiagnoseImpCast(Sema &S, Expr *E, QualType SourceType, QualType T, 5105 SourceLocation CContext, unsigned diag, 5106 bool pruneControlFlow = false) { 5107 if (pruneControlFlow) { 5108 S.DiagRuntimeBehavior(E->getExprLoc(), E, 5109 S.PDiag(diag) 5110 << SourceType << T << E->getSourceRange() 5111 << SourceRange(CContext)); 5112 return; 5113 } 5114 S.Diag(E->getExprLoc(), diag) 5115 << SourceType << T << E->getSourceRange() << SourceRange(CContext); 5116} 5117 5118/// Diagnose an implicit cast; purely a helper for CheckImplicitConversion. 5119static void DiagnoseImpCast(Sema &S, Expr *E, QualType T, 5120 SourceLocation CContext, unsigned diag, 5121 bool pruneControlFlow = false) { 5122 DiagnoseImpCast(S, E, E->getType(), T, CContext, diag, pruneControlFlow); 5123} 5124 5125/// Diagnose an implicit cast from a literal expression. Does not warn when the 5126/// cast wouldn't lose information. 5127void DiagnoseFloatingLiteralImpCast(Sema &S, FloatingLiteral *FL, QualType T, 5128 SourceLocation CContext) { 5129 // Try to convert the literal exactly to an integer. If we can, don't warn. 5130 bool isExact = false; 5131 const llvm::APFloat &Value = FL->getValue(); 5132 llvm::APSInt IntegerValue(S.Context.getIntWidth(T), 5133 T->hasUnsignedIntegerRepresentation()); 5134 if (Value.convertToInteger(IntegerValue, 5135 llvm::APFloat::rmTowardZero, &isExact) 5136 == llvm::APFloat::opOK && isExact) 5137 return; 5138 5139 // FIXME: Force the precision of the source value down so we don't print 5140 // digits which are usually useless (we don't really care here if we 5141 // truncate a digit by accident in edge cases). Ideally, APFloat::toString 5142 // would automatically print the shortest representation, but it's a bit 5143 // tricky to implement. 5144 SmallString<16> PrettySourceValue; 5145 unsigned precision = llvm::APFloat::semanticsPrecision(Value.getSemantics()); 5146 precision = (precision * 59 + 195) / 196; 5147 Value.toString(PrettySourceValue, precision); 5148 5149 SmallString<16> PrettyTargetValue; 5150 if (T->isSpecificBuiltinType(BuiltinType::Bool)) 5151 PrettyTargetValue = IntegerValue == 0 ? "false" : "true"; 5152 else 5153 IntegerValue.toString(PrettyTargetValue); 5154 5155 S.Diag(FL->getExprLoc(), diag::warn_impcast_literal_float_to_integer) 5156 << FL->getType() << T.getUnqualifiedType() << PrettySourceValue 5157 << PrettyTargetValue << FL->getSourceRange() << SourceRange(CContext); 5158} 5159 5160std::string PrettyPrintInRange(const llvm::APSInt &Value, IntRange Range) { 5161 if (!Range.Width) return "0"; 5162 5163 llvm::APSInt ValueInRange = Value; 5164 ValueInRange.setIsSigned(!Range.NonNegative); 5165 ValueInRange = ValueInRange.trunc(Range.Width); 5166 return ValueInRange.toString(10); 5167} 5168 5169static bool IsImplicitBoolFloatConversion(Sema &S, Expr *Ex, bool ToBool) { 5170 if (!isa<ImplicitCastExpr>(Ex)) 5171 return false; 5172 5173 Expr *InnerE = Ex->IgnoreParenImpCasts(); 5174 const Type *Target = S.Context.getCanonicalType(Ex->getType()).getTypePtr(); 5175 const Type *Source = 5176 S.Context.getCanonicalType(InnerE->getType()).getTypePtr(); 5177 if (Target->isDependentType()) 5178 return false; 5179 5180 const BuiltinType *FloatCandidateBT = 5181 dyn_cast<BuiltinType>(ToBool ? Source : Target); 5182 const Type *BoolCandidateType = ToBool ? Target : Source; 5183 5184 return (BoolCandidateType->isSpecificBuiltinType(BuiltinType::Bool) && 5185 FloatCandidateBT && (FloatCandidateBT->isFloatingPoint())); 5186} 5187 5188void CheckImplicitArgumentConversions(Sema &S, CallExpr *TheCall, 5189 SourceLocation CC) { 5190 unsigned NumArgs = TheCall->getNumArgs(); 5191 for (unsigned i = 0; i < NumArgs; ++i) { 5192 Expr *CurrA = TheCall->getArg(i); 5193 if (!IsImplicitBoolFloatConversion(S, CurrA, true)) 5194 continue; 5195 5196 bool IsSwapped = ((i > 0) && 5197 IsImplicitBoolFloatConversion(S, TheCall->getArg(i - 1), false)); 5198 IsSwapped |= ((i < (NumArgs - 1)) && 5199 IsImplicitBoolFloatConversion(S, TheCall->getArg(i + 1), false)); 5200 if (IsSwapped) { 5201 // Warn on this floating-point to bool conversion. 5202 DiagnoseImpCast(S, CurrA->IgnoreParenImpCasts(), 5203 CurrA->getType(), CC, 5204 diag::warn_impcast_floating_point_to_bool); 5205 } 5206 } 5207} 5208 5209void CheckImplicitConversion(Sema &S, Expr *E, QualType T, 5210 SourceLocation CC, bool *ICContext = 0) { 5211 if (E->isTypeDependent() || E->isValueDependent()) return; 5212 5213 const Type *Source = S.Context.getCanonicalType(E->getType()).getTypePtr(); 5214 const Type *Target = S.Context.getCanonicalType(T).getTypePtr(); 5215 if (Source == Target) return; 5216 if (Target->isDependentType()) return; 5217 5218 // If the conversion context location is invalid don't complain. We also 5219 // don't want to emit a warning if the issue occurs from the expansion of 5220 // a system macro. The problem is that 'getSpellingLoc()' is slow, so we 5221 // delay this check as long as possible. Once we detect we are in that 5222 // scenario, we just return. 5223 if (CC.isInvalid()) 5224 return; 5225 5226 // Diagnose implicit casts to bool. 5227 if (Target->isSpecificBuiltinType(BuiltinType::Bool)) { 5228 if (isa<StringLiteral>(E)) 5229 // Warn on string literal to bool. Checks for string literals in logical 5230 // expressions, for instances, assert(0 && "error here"), is prevented 5231 // by a check in AnalyzeImplicitConversions(). 5232 return DiagnoseImpCast(S, E, T, CC, 5233 diag::warn_impcast_string_literal_to_bool); 5234 if (Source->isFunctionType()) { 5235 // Warn on function to bool. Checks free functions and static member 5236 // functions. Weakly imported functions are excluded from the check, 5237 // since it's common to test their value to check whether the linker 5238 // found a definition for them. 5239 ValueDecl *D = 0; 5240 if (DeclRefExpr* R = dyn_cast<DeclRefExpr>(E)) { 5241 D = R->getDecl(); 5242 } else if (MemberExpr *M = dyn_cast<MemberExpr>(E)) { 5243 D = M->getMemberDecl(); 5244 } 5245 5246 if (D && !D->isWeak()) { 5247 if (FunctionDecl* F = dyn_cast<FunctionDecl>(D)) { 5248 S.Diag(E->getExprLoc(), diag::warn_impcast_function_to_bool) 5249 << F << E->getSourceRange() << SourceRange(CC); 5250 S.Diag(E->getExprLoc(), diag::note_function_to_bool_silence) 5251 << FixItHint::CreateInsertion(E->getExprLoc(), "&"); 5252 QualType ReturnType; 5253 UnresolvedSet<4> NonTemplateOverloads; 5254 S.tryExprAsCall(*E, ReturnType, NonTemplateOverloads); 5255 if (!ReturnType.isNull() 5256 && ReturnType->isSpecificBuiltinType(BuiltinType::Bool)) 5257 S.Diag(E->getExprLoc(), diag::note_function_to_bool_call) 5258 << FixItHint::CreateInsertion( 5259 S.getPreprocessor().getLocForEndOfToken(E->getLocEnd()), "()"); 5260 return; 5261 } 5262 } 5263 } 5264 } 5265 5266 // Strip vector types. 5267 if (isa<VectorType>(Source)) { 5268 if (!isa<VectorType>(Target)) { 5269 if (S.SourceMgr.isInSystemMacro(CC)) 5270 return; 5271 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_vector_scalar); 5272 } 5273 5274 // If the vector cast is cast between two vectors of the same size, it is 5275 // a bitcast, not a conversion. 5276 if (S.Context.getTypeSize(Source) == S.Context.getTypeSize(Target)) 5277 return; 5278 5279 Source = cast<VectorType>(Source)->getElementType().getTypePtr(); 5280 Target = cast<VectorType>(Target)->getElementType().getTypePtr(); 5281 } 5282 5283 // Strip complex types. 5284 if (isa<ComplexType>(Source)) { 5285 if (!isa<ComplexType>(Target)) { 5286 if (S.SourceMgr.isInSystemMacro(CC)) 5287 return; 5288 5289 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_complex_scalar); 5290 } 5291 5292 Source = cast<ComplexType>(Source)->getElementType().getTypePtr(); 5293 Target = cast<ComplexType>(Target)->getElementType().getTypePtr(); 5294 } 5295 5296 const BuiltinType *SourceBT = dyn_cast<BuiltinType>(Source); 5297 const BuiltinType *TargetBT = dyn_cast<BuiltinType>(Target); 5298 5299 // If the source is floating point... 5300 if (SourceBT && SourceBT->isFloatingPoint()) { 5301 // ...and the target is floating point... 5302 if (TargetBT && TargetBT->isFloatingPoint()) { 5303 // ...then warn if we're dropping FP rank. 5304 5305 // Builtin FP kinds are ordered by increasing FP rank. 5306 if (SourceBT->getKind() > TargetBT->getKind()) { 5307 // Don't warn about float constants that are precisely 5308 // representable in the target type. 5309 Expr::EvalResult result; 5310 if (E->EvaluateAsRValue(result, S.Context)) { 5311 // Value might be a float, a float vector, or a float complex. 5312 if (IsSameFloatAfterCast(result.Val, 5313 S.Context.getFloatTypeSemantics(QualType(TargetBT, 0)), 5314 S.Context.getFloatTypeSemantics(QualType(SourceBT, 0)))) 5315 return; 5316 } 5317 5318 if (S.SourceMgr.isInSystemMacro(CC)) 5319 return; 5320 5321 DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_precision); 5322 } 5323 return; 5324 } 5325 5326 // If the target is integral, always warn. 5327 if (TargetBT && TargetBT->isInteger()) { 5328 if (S.SourceMgr.isInSystemMacro(CC)) 5329 return; 5330 5331 Expr *InnerE = E->IgnoreParenImpCasts(); 5332 // We also want to warn on, e.g., "int i = -1.234" 5333 if (UnaryOperator *UOp = dyn_cast<UnaryOperator>(InnerE)) 5334 if (UOp->getOpcode() == UO_Minus || UOp->getOpcode() == UO_Plus) 5335 InnerE = UOp->getSubExpr()->IgnoreParenImpCasts(); 5336 5337 if (FloatingLiteral *FL = dyn_cast<FloatingLiteral>(InnerE)) { 5338 DiagnoseFloatingLiteralImpCast(S, FL, T, CC); 5339 } else { 5340 DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_integer); 5341 } 5342 } 5343 5344 // If the target is bool, warn if expr is a function or method call. 5345 if (Target->isSpecificBuiltinType(BuiltinType::Bool) && 5346 isa<CallExpr>(E)) { 5347 // Check last argument of function call to see if it is an 5348 // implicit cast from a type matching the type the result 5349 // is being cast to. 5350 CallExpr *CEx = cast<CallExpr>(E); 5351 unsigned NumArgs = CEx->getNumArgs(); 5352 if (NumArgs > 0) { 5353 Expr *LastA = CEx->getArg(NumArgs - 1); 5354 Expr *InnerE = LastA->IgnoreParenImpCasts(); 5355 const Type *InnerType = 5356 S.Context.getCanonicalType(InnerE->getType()).getTypePtr(); 5357 if (isa<ImplicitCastExpr>(LastA) && (InnerType == Target)) { 5358 // Warn on this floating-point to bool conversion 5359 DiagnoseImpCast(S, E, T, CC, 5360 diag::warn_impcast_floating_point_to_bool); 5361 } 5362 } 5363 } 5364 return; 5365 } 5366 5367 if ((E->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNotNull) 5368 == Expr::NPCK_GNUNull) && !Target->isAnyPointerType() 5369 && !Target->isBlockPointerType() && !Target->isMemberPointerType() 5370 && Target->isScalarType() && !Target->isNullPtrType()) { 5371 SourceLocation Loc = E->getSourceRange().getBegin(); 5372 if (Loc.isMacroID()) 5373 Loc = S.SourceMgr.getImmediateExpansionRange(Loc).first; 5374 if (!Loc.isMacroID() || CC.isMacroID()) 5375 S.Diag(Loc, diag::warn_impcast_null_pointer_to_integer) 5376 << T << clang::SourceRange(CC) 5377 << FixItHint::CreateReplacement(Loc, 5378 S.getFixItZeroLiteralForType(T, Loc)); 5379 } 5380 5381 if (!Source->isIntegerType() || !Target->isIntegerType()) 5382 return; 5383 5384 // TODO: remove this early return once the false positives for constant->bool 5385 // in templates, macros, etc, are reduced or removed. 5386 if (Target->isSpecificBuiltinType(BuiltinType::Bool)) 5387 return; 5388 5389 IntRange SourceRange = GetExprRange(S.Context, E); 5390 IntRange TargetRange = IntRange::forTargetOfCanonicalType(S.Context, Target); 5391 5392 if (SourceRange.Width > TargetRange.Width) { 5393 // If the source is a constant, use a default-on diagnostic. 5394 // TODO: this should happen for bitfield stores, too. 5395 llvm::APSInt Value(32); 5396 if (E->isIntegerConstantExpr(Value, S.Context)) { 5397 if (S.SourceMgr.isInSystemMacro(CC)) 5398 return; 5399 5400 std::string PrettySourceValue = Value.toString(10); 5401 std::string PrettyTargetValue = PrettyPrintInRange(Value, TargetRange); 5402 5403 S.DiagRuntimeBehavior(E->getExprLoc(), E, 5404 S.PDiag(diag::warn_impcast_integer_precision_constant) 5405 << PrettySourceValue << PrettyTargetValue 5406 << E->getType() << T << E->getSourceRange() 5407 << clang::SourceRange(CC)); 5408 return; 5409 } 5410 5411 // People want to build with -Wshorten-64-to-32 and not -Wconversion. 5412 if (S.SourceMgr.isInSystemMacro(CC)) 5413 return; 5414 5415 if (TargetRange.Width == 32 && S.Context.getIntWidth(E->getType()) == 64) 5416 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_64_32, 5417 /* pruneControlFlow */ true); 5418 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_precision); 5419 } 5420 5421 if ((TargetRange.NonNegative && !SourceRange.NonNegative) || 5422 (!TargetRange.NonNegative && SourceRange.NonNegative && 5423 SourceRange.Width == TargetRange.Width)) { 5424 5425 if (S.SourceMgr.isInSystemMacro(CC)) 5426 return; 5427 5428 unsigned DiagID = diag::warn_impcast_integer_sign; 5429 5430 // Traditionally, gcc has warned about this under -Wsign-compare. 5431 // We also want to warn about it in -Wconversion. 5432 // So if -Wconversion is off, use a completely identical diagnostic 5433 // in the sign-compare group. 5434 // The conditional-checking code will 5435 if (ICContext) { 5436 DiagID = diag::warn_impcast_integer_sign_conditional; 5437 *ICContext = true; 5438 } 5439 5440 return DiagnoseImpCast(S, E, T, CC, DiagID); 5441 } 5442 5443 // Diagnose conversions between different enumeration types. 5444 // In C, we pretend that the type of an EnumConstantDecl is its enumeration 5445 // type, to give us better diagnostics. 5446 QualType SourceType = E->getType(); 5447 if (!S.getLangOpts().CPlusPlus) { 5448 if (DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) 5449 if (EnumConstantDecl *ECD = dyn_cast<EnumConstantDecl>(DRE->getDecl())) { 5450 EnumDecl *Enum = cast<EnumDecl>(ECD->getDeclContext()); 5451 SourceType = S.Context.getTypeDeclType(Enum); 5452 Source = S.Context.getCanonicalType(SourceType).getTypePtr(); 5453 } 5454 } 5455 5456 if (const EnumType *SourceEnum = Source->getAs<EnumType>()) 5457 if (const EnumType *TargetEnum = Target->getAs<EnumType>()) 5458 if (SourceEnum->getDecl()->hasNameForLinkage() && 5459 TargetEnum->getDecl()->hasNameForLinkage() && 5460 SourceEnum != TargetEnum) { 5461 if (S.SourceMgr.isInSystemMacro(CC)) 5462 return; 5463 5464 return DiagnoseImpCast(S, E, SourceType, T, CC, 5465 diag::warn_impcast_different_enum_types); 5466 } 5467 5468 return; 5469} 5470 5471void CheckConditionalOperator(Sema &S, ConditionalOperator *E, 5472 SourceLocation CC, QualType T); 5473 5474void CheckConditionalOperand(Sema &S, Expr *E, QualType T, 5475 SourceLocation CC, bool &ICContext) { 5476 E = E->IgnoreParenImpCasts(); 5477 5478 if (isa<ConditionalOperator>(E)) 5479 return CheckConditionalOperator(S, cast<ConditionalOperator>(E), CC, T); 5480 5481 AnalyzeImplicitConversions(S, E, CC); 5482 if (E->getType() != T) 5483 return CheckImplicitConversion(S, E, T, CC, &ICContext); 5484 return; 5485} 5486 5487void CheckConditionalOperator(Sema &S, ConditionalOperator *E, 5488 SourceLocation CC, QualType T) { 5489 AnalyzeImplicitConversions(S, E->getCond(), CC); 5490 5491 bool Suspicious = false; 5492 CheckConditionalOperand(S, E->getTrueExpr(), T, CC, Suspicious); 5493 CheckConditionalOperand(S, E->getFalseExpr(), T, CC, Suspicious); 5494 5495 // If -Wconversion would have warned about either of the candidates 5496 // for a signedness conversion to the context type... 5497 if (!Suspicious) return; 5498 5499 // ...but it's currently ignored... 5500 if (S.Diags.getDiagnosticLevel(diag::warn_impcast_integer_sign_conditional, 5501 CC)) 5502 return; 5503 5504 // ...then check whether it would have warned about either of the 5505 // candidates for a signedness conversion to the condition type. 5506 if (E->getType() == T) return; 5507 5508 Suspicious = false; 5509 CheckImplicitConversion(S, E->getTrueExpr()->IgnoreParenImpCasts(), 5510 E->getType(), CC, &Suspicious); 5511 if (!Suspicious) 5512 CheckImplicitConversion(S, E->getFalseExpr()->IgnoreParenImpCasts(), 5513 E->getType(), CC, &Suspicious); 5514} 5515 5516/// AnalyzeImplicitConversions - Find and report any interesting 5517/// implicit conversions in the given expression. There are a couple 5518/// of competing diagnostics here, -Wconversion and -Wsign-compare. 5519void AnalyzeImplicitConversions(Sema &S, Expr *OrigE, SourceLocation CC) { 5520 QualType T = OrigE->getType(); 5521 Expr *E = OrigE->IgnoreParenImpCasts(); 5522 5523 if (E->isTypeDependent() || E->isValueDependent()) 5524 return; 5525 5526 // For conditional operators, we analyze the arguments as if they 5527 // were being fed directly into the output. 5528 if (isa<ConditionalOperator>(E)) { 5529 ConditionalOperator *CO = cast<ConditionalOperator>(E); 5530 CheckConditionalOperator(S, CO, CC, T); 5531 return; 5532 } 5533 5534 // Check implicit argument conversions for function calls. 5535 if (CallExpr *Call = dyn_cast<CallExpr>(E)) 5536 CheckImplicitArgumentConversions(S, Call, CC); 5537 5538 // Go ahead and check any implicit conversions we might have skipped. 5539 // The non-canonical typecheck is just an optimization; 5540 // CheckImplicitConversion will filter out dead implicit conversions. 5541 if (E->getType() != T) 5542 CheckImplicitConversion(S, E, T, CC); 5543 5544 // Now continue drilling into this expression. 5545 5546 if (PseudoObjectExpr * POE = dyn_cast<PseudoObjectExpr>(E)) { 5547 if (POE->getResultExpr()) 5548 E = POE->getResultExpr(); 5549 } 5550 5551 if (const OpaqueValueExpr *OVE = dyn_cast<OpaqueValueExpr>(E)) 5552 return AnalyzeImplicitConversions(S, OVE->getSourceExpr(), CC); 5553 5554 // Skip past explicit casts. 5555 if (isa<ExplicitCastExpr>(E)) { 5556 E = cast<ExplicitCastExpr>(E)->getSubExpr()->IgnoreParenImpCasts(); 5557 return AnalyzeImplicitConversions(S, E, CC); 5558 } 5559 5560 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 5561 // Do a somewhat different check with comparison operators. 5562 if (BO->isComparisonOp()) 5563 return AnalyzeComparison(S, BO); 5564 5565 // And with simple assignments. 5566 if (BO->getOpcode() == BO_Assign) 5567 return AnalyzeAssignment(S, BO); 5568 } 5569 5570 // These break the otherwise-useful invariant below. Fortunately, 5571 // we don't really need to recurse into them, because any internal 5572 // expressions should have been analyzed already when they were 5573 // built into statements. 5574 if (isa<StmtExpr>(E)) return; 5575 5576 // Don't descend into unevaluated contexts. 5577 if (isa<UnaryExprOrTypeTraitExpr>(E)) return; 5578 5579 // Now just recurse over the expression's children. 5580 CC = E->getExprLoc(); 5581 BinaryOperator *BO = dyn_cast<BinaryOperator>(E); 5582 bool IsLogicalOperator = BO && BO->isLogicalOp(); 5583 for (Stmt::child_range I = E->children(); I; ++I) { 5584 Expr *ChildExpr = dyn_cast_or_null<Expr>(*I); 5585 if (!ChildExpr) 5586 continue; 5587 5588 if (IsLogicalOperator && 5589 isa<StringLiteral>(ChildExpr->IgnoreParenImpCasts())) 5590 // Ignore checking string literals that are in logical operators. 5591 continue; 5592 AnalyzeImplicitConversions(S, ChildExpr, CC); 5593 } 5594} 5595 5596} // end anonymous namespace 5597 5598/// Diagnoses "dangerous" implicit conversions within the given 5599/// expression (which is a full expression). Implements -Wconversion 5600/// and -Wsign-compare. 5601/// 5602/// \param CC the "context" location of the implicit conversion, i.e. 5603/// the most location of the syntactic entity requiring the implicit 5604/// conversion 5605void Sema::CheckImplicitConversions(Expr *E, SourceLocation CC) { 5606 // Don't diagnose in unevaluated contexts. 5607 if (isUnevaluatedContext()) 5608 return; 5609 5610 // Don't diagnose for value- or type-dependent expressions. 5611 if (E->isTypeDependent() || E->isValueDependent()) 5612 return; 5613 5614 // Check for array bounds violations in cases where the check isn't triggered 5615 // elsewhere for other Expr types (like BinaryOperators), e.g. when an 5616 // ArraySubscriptExpr is on the RHS of a variable initialization. 5617 CheckArrayAccess(E); 5618 5619 // This is not the right CC for (e.g.) a variable initialization. 5620 AnalyzeImplicitConversions(*this, E, CC); 5621} 5622 5623/// Diagnose when expression is an integer constant expression and its evaluation 5624/// results in integer overflow 5625void Sema::CheckForIntOverflow (Expr *E) { 5626 if (isa<BinaryOperator>(E->IgnoreParens())) 5627 E->EvaluateForOverflow(Context); 5628} 5629 5630namespace { 5631/// \brief Visitor for expressions which looks for unsequenced operations on the 5632/// same object. 5633class SequenceChecker : public EvaluatedExprVisitor<SequenceChecker> { 5634 typedef EvaluatedExprVisitor<SequenceChecker> Base; 5635 5636 /// \brief A tree of sequenced regions within an expression. Two regions are 5637 /// unsequenced if one is an ancestor or a descendent of the other. When we 5638 /// finish processing an expression with sequencing, such as a comma 5639 /// expression, we fold its tree nodes into its parent, since they are 5640 /// unsequenced with respect to nodes we will visit later. 5641 class SequenceTree { 5642 struct Value { 5643 explicit Value(unsigned Parent) : Parent(Parent), Merged(false) {} 5644 unsigned Parent : 31; 5645 bool Merged : 1; 5646 }; 5647 SmallVector<Value, 8> Values; 5648 5649 public: 5650 /// \brief A region within an expression which may be sequenced with respect 5651 /// to some other region. 5652 class Seq { 5653 explicit Seq(unsigned N) : Index(N) {} 5654 unsigned Index; 5655 friend class SequenceTree; 5656 public: 5657 Seq() : Index(0) {} 5658 }; 5659 5660 SequenceTree() { Values.push_back(Value(0)); } 5661 Seq root() const { return Seq(0); } 5662 5663 /// \brief Create a new sequence of operations, which is an unsequenced 5664 /// subset of \p Parent. This sequence of operations is sequenced with 5665 /// respect to other children of \p Parent. 5666 Seq allocate(Seq Parent) { 5667 Values.push_back(Value(Parent.Index)); 5668 return Seq(Values.size() - 1); 5669 } 5670 5671 /// \brief Merge a sequence of operations into its parent. 5672 void merge(Seq S) { 5673 Values[S.Index].Merged = true; 5674 } 5675 5676 /// \brief Determine whether two operations are unsequenced. This operation 5677 /// is asymmetric: \p Cur should be the more recent sequence, and \p Old 5678 /// should have been merged into its parent as appropriate. 5679 bool isUnsequenced(Seq Cur, Seq Old) { 5680 unsigned C = representative(Cur.Index); 5681 unsigned Target = representative(Old.Index); 5682 while (C >= Target) { 5683 if (C == Target) 5684 return true; 5685 C = Values[C].Parent; 5686 } 5687 return false; 5688 } 5689 5690 private: 5691 /// \brief Pick a representative for a sequence. 5692 unsigned representative(unsigned K) { 5693 if (Values[K].Merged) 5694 // Perform path compression as we go. 5695 return Values[K].Parent = representative(Values[K].Parent); 5696 return K; 5697 } 5698 }; 5699 5700 /// An object for which we can track unsequenced uses. 5701 typedef NamedDecl *Object; 5702 5703 /// Different flavors of object usage which we track. We only track the 5704 /// least-sequenced usage of each kind. 5705 enum UsageKind { 5706 /// A read of an object. Multiple unsequenced reads are OK. 5707 UK_Use, 5708 /// A modification of an object which is sequenced before the value 5709 /// computation of the expression, such as ++n in C++. 5710 UK_ModAsValue, 5711 /// A modification of an object which is not sequenced before the value 5712 /// computation of the expression, such as n++. 5713 UK_ModAsSideEffect, 5714 5715 UK_Count = UK_ModAsSideEffect + 1 5716 }; 5717 5718 struct Usage { 5719 Usage() : Use(0), Seq() {} 5720 Expr *Use; 5721 SequenceTree::Seq Seq; 5722 }; 5723 5724 struct UsageInfo { 5725 UsageInfo() : Diagnosed(false) {} 5726 Usage Uses[UK_Count]; 5727 /// Have we issued a diagnostic for this variable already? 5728 bool Diagnosed; 5729 }; 5730 typedef llvm::SmallDenseMap<Object, UsageInfo, 16> UsageInfoMap; 5731 5732 Sema &SemaRef; 5733 /// Sequenced regions within the expression. 5734 SequenceTree Tree; 5735 /// Declaration modifications and references which we have seen. 5736 UsageInfoMap UsageMap; 5737 /// The region we are currently within. 5738 SequenceTree::Seq Region; 5739 /// Filled in with declarations which were modified as a side-effect 5740 /// (that is, post-increment operations). 5741 SmallVectorImpl<std::pair<Object, Usage> > *ModAsSideEffect; 5742 /// Expressions to check later. We defer checking these to reduce 5743 /// stack usage. 5744 SmallVectorImpl<Expr *> &WorkList; 5745 5746 /// RAII object wrapping the visitation of a sequenced subexpression of an 5747 /// expression. At the end of this process, the side-effects of the evaluation 5748 /// become sequenced with respect to the value computation of the result, so 5749 /// we downgrade any UK_ModAsSideEffect within the evaluation to 5750 /// UK_ModAsValue. 5751 struct SequencedSubexpression { 5752 SequencedSubexpression(SequenceChecker &Self) 5753 : Self(Self), OldModAsSideEffect(Self.ModAsSideEffect) { 5754 Self.ModAsSideEffect = &ModAsSideEffect; 5755 } 5756 ~SequencedSubexpression() { 5757 for (unsigned I = 0, E = ModAsSideEffect.size(); I != E; ++I) { 5758 UsageInfo &U = Self.UsageMap[ModAsSideEffect[I].first]; 5759 U.Uses[UK_ModAsSideEffect] = ModAsSideEffect[I].second; 5760 Self.addUsage(U, ModAsSideEffect[I].first, 5761 ModAsSideEffect[I].second.Use, UK_ModAsValue); 5762 } 5763 Self.ModAsSideEffect = OldModAsSideEffect; 5764 } 5765 5766 SequenceChecker &Self; 5767 SmallVector<std::pair<Object, Usage>, 4> ModAsSideEffect; 5768 SmallVectorImpl<std::pair<Object, Usage> > *OldModAsSideEffect; 5769 }; 5770 5771 /// RAII object wrapping the visitation of a subexpression which we might 5772 /// choose to evaluate as a constant. If any subexpression is evaluated and 5773 /// found to be non-constant, this allows us to suppress the evaluation of 5774 /// the outer expression. 5775 class EvaluationTracker { 5776 public: 5777 EvaluationTracker(SequenceChecker &Self) 5778 : Self(Self), Prev(Self.EvalTracker), EvalOK(true) { 5779 Self.EvalTracker = this; 5780 } 5781 ~EvaluationTracker() { 5782 Self.EvalTracker = Prev; 5783 if (Prev) 5784 Prev->EvalOK &= EvalOK; 5785 } 5786 5787 bool evaluate(const Expr *E, bool &Result) { 5788 if (!EvalOK || E->isValueDependent()) 5789 return false; 5790 EvalOK = E->EvaluateAsBooleanCondition(Result, Self.SemaRef.Context); 5791 return EvalOK; 5792 } 5793 5794 private: 5795 SequenceChecker &Self; 5796 EvaluationTracker *Prev; 5797 bool EvalOK; 5798 } *EvalTracker; 5799 5800 /// \brief Find the object which is produced by the specified expression, 5801 /// if any. 5802 Object getObject(Expr *E, bool Mod) const { 5803 E = E->IgnoreParenCasts(); 5804 if (UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) { 5805 if (Mod && (UO->getOpcode() == UO_PreInc || UO->getOpcode() == UO_PreDec)) 5806 return getObject(UO->getSubExpr(), Mod); 5807 } else if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 5808 if (BO->getOpcode() == BO_Comma) 5809 return getObject(BO->getRHS(), Mod); 5810 if (Mod && BO->isAssignmentOp()) 5811 return getObject(BO->getLHS(), Mod); 5812 } else if (MemberExpr *ME = dyn_cast<MemberExpr>(E)) { 5813 // FIXME: Check for more interesting cases, like "x.n = ++x.n". 5814 if (isa<CXXThisExpr>(ME->getBase()->IgnoreParenCasts())) 5815 return ME->getMemberDecl(); 5816 } else if (DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) 5817 // FIXME: If this is a reference, map through to its value. 5818 return DRE->getDecl(); 5819 return 0; 5820 } 5821 5822 /// \brief Note that an object was modified or used by an expression. 5823 void addUsage(UsageInfo &UI, Object O, Expr *Ref, UsageKind UK) { 5824 Usage &U = UI.Uses[UK]; 5825 if (!U.Use || !Tree.isUnsequenced(Region, U.Seq)) { 5826 if (UK == UK_ModAsSideEffect && ModAsSideEffect) 5827 ModAsSideEffect->push_back(std::make_pair(O, U)); 5828 U.Use = Ref; 5829 U.Seq = Region; 5830 } 5831 } 5832 /// \brief Check whether a modification or use conflicts with a prior usage. 5833 void checkUsage(Object O, UsageInfo &UI, Expr *Ref, UsageKind OtherKind, 5834 bool IsModMod) { 5835 if (UI.Diagnosed) 5836 return; 5837 5838 const Usage &U = UI.Uses[OtherKind]; 5839 if (!U.Use || !Tree.isUnsequenced(Region, U.Seq)) 5840 return; 5841 5842 Expr *Mod = U.Use; 5843 Expr *ModOrUse = Ref; 5844 if (OtherKind == UK_Use) 5845 std::swap(Mod, ModOrUse); 5846 5847 SemaRef.Diag(Mod->getExprLoc(), 5848 IsModMod ? diag::warn_unsequenced_mod_mod 5849 : diag::warn_unsequenced_mod_use) 5850 << O << SourceRange(ModOrUse->getExprLoc()); 5851 UI.Diagnosed = true; 5852 } 5853 5854 void notePreUse(Object O, Expr *Use) { 5855 UsageInfo &U = UsageMap[O]; 5856 // Uses conflict with other modifications. 5857 checkUsage(O, U, Use, UK_ModAsValue, false); 5858 } 5859 void notePostUse(Object O, Expr *Use) { 5860 UsageInfo &U = UsageMap[O]; 5861 checkUsage(O, U, Use, UK_ModAsSideEffect, false); 5862 addUsage(U, O, Use, UK_Use); 5863 } 5864 5865 void notePreMod(Object O, Expr *Mod) { 5866 UsageInfo &U = UsageMap[O]; 5867 // Modifications conflict with other modifications and with uses. 5868 checkUsage(O, U, Mod, UK_ModAsValue, true); 5869 checkUsage(O, U, Mod, UK_Use, false); 5870 } 5871 void notePostMod(Object O, Expr *Use, UsageKind UK) { 5872 UsageInfo &U = UsageMap[O]; 5873 checkUsage(O, U, Use, UK_ModAsSideEffect, true); 5874 addUsage(U, O, Use, UK); 5875 } 5876 5877public: 5878 SequenceChecker(Sema &S, Expr *E, SmallVectorImpl<Expr *> &WorkList) 5879 : Base(S.Context), SemaRef(S), Region(Tree.root()), ModAsSideEffect(0), 5880 WorkList(WorkList), EvalTracker(0) { 5881 Visit(E); 5882 } 5883 5884 void VisitStmt(Stmt *S) { 5885 // Skip all statements which aren't expressions for now. 5886 } 5887 5888 void VisitExpr(Expr *E) { 5889 // By default, just recurse to evaluated subexpressions. 5890 Base::VisitStmt(E); 5891 } 5892 5893 void VisitCastExpr(CastExpr *E) { 5894 Object O = Object(); 5895 if (E->getCastKind() == CK_LValueToRValue) 5896 O = getObject(E->getSubExpr(), false); 5897 5898 if (O) 5899 notePreUse(O, E); 5900 VisitExpr(E); 5901 if (O) 5902 notePostUse(O, E); 5903 } 5904 5905 void VisitBinComma(BinaryOperator *BO) { 5906 // C++11 [expr.comma]p1: 5907 // Every value computation and side effect associated with the left 5908 // expression is sequenced before every value computation and side 5909 // effect associated with the right expression. 5910 SequenceTree::Seq LHS = Tree.allocate(Region); 5911 SequenceTree::Seq RHS = Tree.allocate(Region); 5912 SequenceTree::Seq OldRegion = Region; 5913 5914 { 5915 SequencedSubexpression SeqLHS(*this); 5916 Region = LHS; 5917 Visit(BO->getLHS()); 5918 } 5919 5920 Region = RHS; 5921 Visit(BO->getRHS()); 5922 5923 Region = OldRegion; 5924 5925 // Forget that LHS and RHS are sequenced. They are both unsequenced 5926 // with respect to other stuff. 5927 Tree.merge(LHS); 5928 Tree.merge(RHS); 5929 } 5930 5931 void VisitBinAssign(BinaryOperator *BO) { 5932 // The modification is sequenced after the value computation of the LHS 5933 // and RHS, so check it before inspecting the operands and update the 5934 // map afterwards. 5935 Object O = getObject(BO->getLHS(), true); 5936 if (!O) 5937 return VisitExpr(BO); 5938 5939 notePreMod(O, BO); 5940 5941 // C++11 [expr.ass]p7: 5942 // E1 op= E2 is equivalent to E1 = E1 op E2, except that E1 is evaluated 5943 // only once. 5944 // 5945 // Therefore, for a compound assignment operator, O is considered used 5946 // everywhere except within the evaluation of E1 itself. 5947 if (isa<CompoundAssignOperator>(BO)) 5948 notePreUse(O, BO); 5949 5950 Visit(BO->getLHS()); 5951 5952 if (isa<CompoundAssignOperator>(BO)) 5953 notePostUse(O, BO); 5954 5955 Visit(BO->getRHS()); 5956 5957 // C++11 [expr.ass]p1: 5958 // the assignment is sequenced [...] before the value computation of the 5959 // assignment expression. 5960 // C11 6.5.16/3 has no such rule. 5961 notePostMod(O, BO, SemaRef.getLangOpts().CPlusPlus ? UK_ModAsValue 5962 : UK_ModAsSideEffect); 5963 } 5964 void VisitCompoundAssignOperator(CompoundAssignOperator *CAO) { 5965 VisitBinAssign(CAO); 5966 } 5967 5968 void VisitUnaryPreInc(UnaryOperator *UO) { VisitUnaryPreIncDec(UO); } 5969 void VisitUnaryPreDec(UnaryOperator *UO) { VisitUnaryPreIncDec(UO); } 5970 void VisitUnaryPreIncDec(UnaryOperator *UO) { 5971 Object O = getObject(UO->getSubExpr(), true); 5972 if (!O) 5973 return VisitExpr(UO); 5974 5975 notePreMod(O, UO); 5976 Visit(UO->getSubExpr()); 5977 // C++11 [expr.pre.incr]p1: 5978 // the expression ++x is equivalent to x+=1 5979 notePostMod(O, UO, SemaRef.getLangOpts().CPlusPlus ? UK_ModAsValue 5980 : UK_ModAsSideEffect); 5981 } 5982 5983 void VisitUnaryPostInc(UnaryOperator *UO) { VisitUnaryPostIncDec(UO); } 5984 void VisitUnaryPostDec(UnaryOperator *UO) { VisitUnaryPostIncDec(UO); } 5985 void VisitUnaryPostIncDec(UnaryOperator *UO) { 5986 Object O = getObject(UO->getSubExpr(), true); 5987 if (!O) 5988 return VisitExpr(UO); 5989 5990 notePreMod(O, UO); 5991 Visit(UO->getSubExpr()); 5992 notePostMod(O, UO, UK_ModAsSideEffect); 5993 } 5994 5995 /// Don't visit the RHS of '&&' or '||' if it might not be evaluated. 5996 void VisitBinLOr(BinaryOperator *BO) { 5997 // The side-effects of the LHS of an '&&' are sequenced before the 5998 // value computation of the RHS, and hence before the value computation 5999 // of the '&&' itself, unless the LHS evaluates to zero. We treat them 6000 // as if they were unconditionally sequenced. 6001 EvaluationTracker Eval(*this); 6002 { 6003 SequencedSubexpression Sequenced(*this); 6004 Visit(BO->getLHS()); 6005 } 6006 6007 bool Result; 6008 if (Eval.evaluate(BO->getLHS(), Result)) { 6009 if (!Result) 6010 Visit(BO->getRHS()); 6011 } else { 6012 // Check for unsequenced operations in the RHS, treating it as an 6013 // entirely separate evaluation. 6014 // 6015 // FIXME: If there are operations in the RHS which are unsequenced 6016 // with respect to operations outside the RHS, and those operations 6017 // are unconditionally evaluated, diagnose them. 6018 WorkList.push_back(BO->getRHS()); 6019 } 6020 } 6021 void VisitBinLAnd(BinaryOperator *BO) { 6022 EvaluationTracker Eval(*this); 6023 { 6024 SequencedSubexpression Sequenced(*this); 6025 Visit(BO->getLHS()); 6026 } 6027 6028 bool Result; 6029 if (Eval.evaluate(BO->getLHS(), Result)) { 6030 if (Result) 6031 Visit(BO->getRHS()); 6032 } else { 6033 WorkList.push_back(BO->getRHS()); 6034 } 6035 } 6036 6037 // Only visit the condition, unless we can be sure which subexpression will 6038 // be chosen. 6039 void VisitAbstractConditionalOperator(AbstractConditionalOperator *CO) { 6040 EvaluationTracker Eval(*this); 6041 { 6042 SequencedSubexpression Sequenced(*this); 6043 Visit(CO->getCond()); 6044 } 6045 6046 bool Result; 6047 if (Eval.evaluate(CO->getCond(), Result)) 6048 Visit(Result ? CO->getTrueExpr() : CO->getFalseExpr()); 6049 else { 6050 WorkList.push_back(CO->getTrueExpr()); 6051 WorkList.push_back(CO->getFalseExpr()); 6052 } 6053 } 6054 6055 void VisitCallExpr(CallExpr *CE) { 6056 // C++11 [intro.execution]p15: 6057 // When calling a function [...], every value computation and side effect 6058 // associated with any argument expression, or with the postfix expression 6059 // designating the called function, is sequenced before execution of every 6060 // expression or statement in the body of the function [and thus before 6061 // the value computation of its result]. 6062 SequencedSubexpression Sequenced(*this); 6063 Base::VisitCallExpr(CE); 6064 6065 // FIXME: CXXNewExpr and CXXDeleteExpr implicitly call functions. 6066 } 6067 6068 void VisitCXXConstructExpr(CXXConstructExpr *CCE) { 6069 // This is a call, so all subexpressions are sequenced before the result. 6070 SequencedSubexpression Sequenced(*this); 6071 6072 if (!CCE->isListInitialization()) 6073 return VisitExpr(CCE); 6074 6075 // In C++11, list initializations are sequenced. 6076 SmallVector<SequenceTree::Seq, 32> Elts; 6077 SequenceTree::Seq Parent = Region; 6078 for (CXXConstructExpr::arg_iterator I = CCE->arg_begin(), 6079 E = CCE->arg_end(); 6080 I != E; ++I) { 6081 Region = Tree.allocate(Parent); 6082 Elts.push_back(Region); 6083 Visit(*I); 6084 } 6085 6086 // Forget that the initializers are sequenced. 6087 Region = Parent; 6088 for (unsigned I = 0; I < Elts.size(); ++I) 6089 Tree.merge(Elts[I]); 6090 } 6091 6092 void VisitInitListExpr(InitListExpr *ILE) { 6093 if (!SemaRef.getLangOpts().CPlusPlus11) 6094 return VisitExpr(ILE); 6095 6096 // In C++11, list initializations are sequenced. 6097 SmallVector<SequenceTree::Seq, 32> Elts; 6098 SequenceTree::Seq Parent = Region; 6099 for (unsigned I = 0; I < ILE->getNumInits(); ++I) { 6100 Expr *E = ILE->getInit(I); 6101 if (!E) continue; 6102 Region = Tree.allocate(Parent); 6103 Elts.push_back(Region); 6104 Visit(E); 6105 } 6106 6107 // Forget that the initializers are sequenced. 6108 Region = Parent; 6109 for (unsigned I = 0; I < Elts.size(); ++I) 6110 Tree.merge(Elts[I]); 6111 } 6112}; 6113} 6114 6115void Sema::CheckUnsequencedOperations(Expr *E) { 6116 SmallVector<Expr *, 8> WorkList; 6117 WorkList.push_back(E); 6118 while (!WorkList.empty()) { 6119 Expr *Item = WorkList.pop_back_val(); 6120 SequenceChecker(*this, Item, WorkList); 6121 } 6122} 6123 6124void Sema::CheckCompletedExpr(Expr *E, SourceLocation CheckLoc, 6125 bool IsConstexpr) { 6126 CheckImplicitConversions(E, CheckLoc); 6127 CheckUnsequencedOperations(E); 6128 if (!IsConstexpr && !E->isValueDependent()) 6129 CheckForIntOverflow(E); 6130} 6131 6132void Sema::CheckBitFieldInitialization(SourceLocation InitLoc, 6133 FieldDecl *BitField, 6134 Expr *Init) { 6135 (void) AnalyzeBitFieldAssignment(*this, BitField, Init, InitLoc); 6136} 6137 6138/// CheckParmsForFunctionDef - Check that the parameters of the given 6139/// function are appropriate for the definition of a function. This 6140/// takes care of any checks that cannot be performed on the 6141/// declaration itself, e.g., that the types of each of the function 6142/// parameters are complete. 6143bool Sema::CheckParmsForFunctionDef(ParmVarDecl *const *P, 6144 ParmVarDecl *const *PEnd, 6145 bool CheckParameterNames) { 6146 bool HasInvalidParm = false; 6147 for (; P != PEnd; ++P) { 6148 ParmVarDecl *Param = *P; 6149 6150 // C99 6.7.5.3p4: the parameters in a parameter type list in a 6151 // function declarator that is part of a function definition of 6152 // that function shall not have incomplete type. 6153 // 6154 // This is also C++ [dcl.fct]p6. 6155 if (!Param->isInvalidDecl() && 6156 RequireCompleteType(Param->getLocation(), Param->getType(), 6157 diag::err_typecheck_decl_incomplete_type)) { 6158 Param->setInvalidDecl(); 6159 HasInvalidParm = true; 6160 } 6161 6162 // C99 6.9.1p5: If the declarator includes a parameter type list, the 6163 // declaration of each parameter shall include an identifier. 6164 if (CheckParameterNames && 6165 Param->getIdentifier() == 0 && 6166 !Param->isImplicit() && 6167 !getLangOpts().CPlusPlus) 6168 Diag(Param->getLocation(), diag::err_parameter_name_omitted); 6169 6170 // C99 6.7.5.3p12: 6171 // If the function declarator is not part of a definition of that 6172 // function, parameters may have incomplete type and may use the [*] 6173 // notation in their sequences of declarator specifiers to specify 6174 // variable length array types. 6175 QualType PType = Param->getOriginalType(); 6176 while (const ArrayType *AT = Context.getAsArrayType(PType)) { 6177 if (AT->getSizeModifier() == ArrayType::Star) { 6178 // FIXME: This diagnostic should point the '[*]' if source-location 6179 // information is added for it. 6180 Diag(Param->getLocation(), diag::err_array_star_in_function_definition); 6181 break; 6182 } 6183 PType= AT->getElementType(); 6184 } 6185 6186 // MSVC destroys objects passed by value in the callee. Therefore a 6187 // function definition which takes such a parameter must be able to call the 6188 // object's destructor. 6189 if (getLangOpts().CPlusPlus && 6190 Context.getTargetInfo().getCXXABI().isArgumentDestroyedByCallee()) { 6191 if (const RecordType *RT = Param->getType()->getAs<RecordType>()) 6192 FinalizeVarWithDestructor(Param, RT); 6193 } 6194 } 6195 6196 return HasInvalidParm; 6197} 6198 6199/// CheckCastAlign - Implements -Wcast-align, which warns when a 6200/// pointer cast increases the alignment requirements. 6201void Sema::CheckCastAlign(Expr *Op, QualType T, SourceRange TRange) { 6202 // This is actually a lot of work to potentially be doing on every 6203 // cast; don't do it if we're ignoring -Wcast_align (as is the default). 6204 if (getDiagnostics().getDiagnosticLevel(diag::warn_cast_align, 6205 TRange.getBegin()) 6206 == DiagnosticsEngine::Ignored) 6207 return; 6208 6209 // Ignore dependent types. 6210 if (T->isDependentType() || Op->getType()->isDependentType()) 6211 return; 6212 6213 // Require that the destination be a pointer type. 6214 const PointerType *DestPtr = T->getAs<PointerType>(); 6215 if (!DestPtr) return; 6216 6217 // If the destination has alignment 1, we're done. 6218 QualType DestPointee = DestPtr->getPointeeType(); 6219 if (DestPointee->isIncompleteType()) return; 6220 CharUnits DestAlign = Context.getTypeAlignInChars(DestPointee); 6221 if (DestAlign.isOne()) return; 6222 6223 // Require that the source be a pointer type. 6224 const PointerType *SrcPtr = Op->getType()->getAs<PointerType>(); 6225 if (!SrcPtr) return; 6226 QualType SrcPointee = SrcPtr->getPointeeType(); 6227 6228 // Whitelist casts from cv void*. We already implicitly 6229 // whitelisted casts to cv void*, since they have alignment 1. 6230 // Also whitelist casts involving incomplete types, which implicitly 6231 // includes 'void'. 6232 if (SrcPointee->isIncompleteType()) return; 6233 6234 CharUnits SrcAlign = Context.getTypeAlignInChars(SrcPointee); 6235 if (SrcAlign >= DestAlign) return; 6236 6237 Diag(TRange.getBegin(), diag::warn_cast_align) 6238 << Op->getType() << T 6239 << static_cast<unsigned>(SrcAlign.getQuantity()) 6240 << static_cast<unsigned>(DestAlign.getQuantity()) 6241 << TRange << Op->getSourceRange(); 6242} 6243 6244static const Type* getElementType(const Expr *BaseExpr) { 6245 const Type* EltType = BaseExpr->getType().getTypePtr(); 6246 if (EltType->isAnyPointerType()) 6247 return EltType->getPointeeType().getTypePtr(); 6248 else if (EltType->isArrayType()) 6249 return EltType->getBaseElementTypeUnsafe(); 6250 return EltType; 6251} 6252 6253/// \brief Check whether this array fits the idiom of a size-one tail padded 6254/// array member of a struct. 6255/// 6256/// We avoid emitting out-of-bounds access warnings for such arrays as they are 6257/// commonly used to emulate flexible arrays in C89 code. 6258static bool IsTailPaddedMemberArray(Sema &S, llvm::APInt Size, 6259 const NamedDecl *ND) { 6260 if (Size != 1 || !ND) return false; 6261 6262 const FieldDecl *FD = dyn_cast<FieldDecl>(ND); 6263 if (!FD) return false; 6264 6265 // Don't consider sizes resulting from macro expansions or template argument 6266 // substitution to form C89 tail-padded arrays. 6267 6268 TypeSourceInfo *TInfo = FD->getTypeSourceInfo(); 6269 while (TInfo) { 6270 TypeLoc TL = TInfo->getTypeLoc(); 6271 // Look through typedefs. 6272 if (TypedefTypeLoc TTL = TL.getAs<TypedefTypeLoc>()) { 6273 const TypedefNameDecl *TDL = TTL.getTypedefNameDecl(); 6274 TInfo = TDL->getTypeSourceInfo(); 6275 continue; 6276 } 6277 if (ConstantArrayTypeLoc CTL = TL.getAs<ConstantArrayTypeLoc>()) { 6278 const Expr *SizeExpr = dyn_cast<IntegerLiteral>(CTL.getSizeExpr()); 6279 if (!SizeExpr || SizeExpr->getExprLoc().isMacroID()) 6280 return false; 6281 } 6282 break; 6283 } 6284 6285 const RecordDecl *RD = dyn_cast<RecordDecl>(FD->getDeclContext()); 6286 if (!RD) return false; 6287 if (RD->isUnion()) return false; 6288 if (const CXXRecordDecl *CRD = dyn_cast<CXXRecordDecl>(RD)) { 6289 if (!CRD->isStandardLayout()) return false; 6290 } 6291 6292 // See if this is the last field decl in the record. 6293 const Decl *D = FD; 6294 while ((D = D->getNextDeclInContext())) 6295 if (isa<FieldDecl>(D)) 6296 return false; 6297 return true; 6298} 6299 6300void Sema::CheckArrayAccess(const Expr *BaseExpr, const Expr *IndexExpr, 6301 const ArraySubscriptExpr *ASE, 6302 bool AllowOnePastEnd, bool IndexNegated) { 6303 IndexExpr = IndexExpr->IgnoreParenImpCasts(); 6304 if (IndexExpr->isValueDependent()) 6305 return; 6306 6307 const Type *EffectiveType = getElementType(BaseExpr); 6308 BaseExpr = BaseExpr->IgnoreParenCasts(); 6309 const ConstantArrayType *ArrayTy = 6310 Context.getAsConstantArrayType(BaseExpr->getType()); 6311 if (!ArrayTy) 6312 return; 6313 6314 llvm::APSInt index; 6315 if (!IndexExpr->EvaluateAsInt(index, Context)) 6316 return; 6317 if (IndexNegated) 6318 index = -index; 6319 6320 const NamedDecl *ND = NULL; 6321 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr)) 6322 ND = dyn_cast<NamedDecl>(DRE->getDecl()); 6323 if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr)) 6324 ND = dyn_cast<NamedDecl>(ME->getMemberDecl()); 6325 6326 if (index.isUnsigned() || !index.isNegative()) { 6327 llvm::APInt size = ArrayTy->getSize(); 6328 if (!size.isStrictlyPositive()) 6329 return; 6330 6331 const Type* BaseType = getElementType(BaseExpr); 6332 if (BaseType != EffectiveType) { 6333 // Make sure we're comparing apples to apples when comparing index to size 6334 uint64_t ptrarith_typesize = Context.getTypeSize(EffectiveType); 6335 uint64_t array_typesize = Context.getTypeSize(BaseType); 6336 // Handle ptrarith_typesize being zero, such as when casting to void* 6337 if (!ptrarith_typesize) ptrarith_typesize = 1; 6338 if (ptrarith_typesize != array_typesize) { 6339 // There's a cast to a different size type involved 6340 uint64_t ratio = array_typesize / ptrarith_typesize; 6341 // TODO: Be smarter about handling cases where array_typesize is not a 6342 // multiple of ptrarith_typesize 6343 if (ptrarith_typesize * ratio == array_typesize) 6344 size *= llvm::APInt(size.getBitWidth(), ratio); 6345 } 6346 } 6347 6348 if (size.getBitWidth() > index.getBitWidth()) 6349 index = index.zext(size.getBitWidth()); 6350 else if (size.getBitWidth() < index.getBitWidth()) 6351 size = size.zext(index.getBitWidth()); 6352 6353 // For array subscripting the index must be less than size, but for pointer 6354 // arithmetic also allow the index (offset) to be equal to size since 6355 // computing the next address after the end of the array is legal and 6356 // commonly done e.g. in C++ iterators and range-based for loops. 6357 if (AllowOnePastEnd ? index.ule(size) : index.ult(size)) 6358 return; 6359 6360 // Also don't warn for arrays of size 1 which are members of some 6361 // structure. These are often used to approximate flexible arrays in C89 6362 // code. 6363 if (IsTailPaddedMemberArray(*this, size, ND)) 6364 return; 6365 6366 // Suppress the warning if the subscript expression (as identified by the 6367 // ']' location) and the index expression are both from macro expansions 6368 // within a system header. 6369 if (ASE) { 6370 SourceLocation RBracketLoc = SourceMgr.getSpellingLoc( 6371 ASE->getRBracketLoc()); 6372 if (SourceMgr.isInSystemHeader(RBracketLoc)) { 6373 SourceLocation IndexLoc = SourceMgr.getSpellingLoc( 6374 IndexExpr->getLocStart()); 6375 if (SourceMgr.isWrittenInSameFile(RBracketLoc, IndexLoc)) 6376 return; 6377 } 6378 } 6379 6380 unsigned DiagID = diag::warn_ptr_arith_exceeds_bounds; 6381 if (ASE) 6382 DiagID = diag::warn_array_index_exceeds_bounds; 6383 6384 DiagRuntimeBehavior(BaseExpr->getLocStart(), BaseExpr, 6385 PDiag(DiagID) << index.toString(10, true) 6386 << size.toString(10, true) 6387 << (unsigned)size.getLimitedValue(~0U) 6388 << IndexExpr->getSourceRange()); 6389 } else { 6390 unsigned DiagID = diag::warn_array_index_precedes_bounds; 6391 if (!ASE) { 6392 DiagID = diag::warn_ptr_arith_precedes_bounds; 6393 if (index.isNegative()) index = -index; 6394 } 6395 6396 DiagRuntimeBehavior(BaseExpr->getLocStart(), BaseExpr, 6397 PDiag(DiagID) << index.toString(10, true) 6398 << IndexExpr->getSourceRange()); 6399 } 6400 6401 if (!ND) { 6402 // Try harder to find a NamedDecl to point at in the note. 6403 while (const ArraySubscriptExpr *ASE = 6404 dyn_cast<ArraySubscriptExpr>(BaseExpr)) 6405 BaseExpr = ASE->getBase()->IgnoreParenCasts(); 6406 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr)) 6407 ND = dyn_cast<NamedDecl>(DRE->getDecl()); 6408 if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr)) 6409 ND = dyn_cast<NamedDecl>(ME->getMemberDecl()); 6410 } 6411 6412 if (ND) 6413 DiagRuntimeBehavior(ND->getLocStart(), BaseExpr, 6414 PDiag(diag::note_array_index_out_of_bounds) 6415 << ND->getDeclName()); 6416} 6417 6418void Sema::CheckArrayAccess(const Expr *expr) { 6419 int AllowOnePastEnd = 0; 6420 while (expr) { 6421 expr = expr->IgnoreParenImpCasts(); 6422 switch (expr->getStmtClass()) { 6423 case Stmt::ArraySubscriptExprClass: { 6424 const ArraySubscriptExpr *ASE = cast<ArraySubscriptExpr>(expr); 6425 CheckArrayAccess(ASE->getBase(), ASE->getIdx(), ASE, 6426 AllowOnePastEnd > 0); 6427 return; 6428 } 6429 case Stmt::UnaryOperatorClass: { 6430 // Only unwrap the * and & unary operators 6431 const UnaryOperator *UO = cast<UnaryOperator>(expr); 6432 expr = UO->getSubExpr(); 6433 switch (UO->getOpcode()) { 6434 case UO_AddrOf: 6435 AllowOnePastEnd++; 6436 break; 6437 case UO_Deref: 6438 AllowOnePastEnd--; 6439 break; 6440 default: 6441 return; 6442 } 6443 break; 6444 } 6445 case Stmt::ConditionalOperatorClass: { 6446 const ConditionalOperator *cond = cast<ConditionalOperator>(expr); 6447 if (const Expr *lhs = cond->getLHS()) 6448 CheckArrayAccess(lhs); 6449 if (const Expr *rhs = cond->getRHS()) 6450 CheckArrayAccess(rhs); 6451 return; 6452 } 6453 default: 6454 return; 6455 } 6456 } 6457} 6458 6459//===--- CHECK: Objective-C retain cycles ----------------------------------// 6460 6461namespace { 6462 struct RetainCycleOwner { 6463 RetainCycleOwner() : Variable(0), Indirect(false) {} 6464 VarDecl *Variable; 6465 SourceRange Range; 6466 SourceLocation Loc; 6467 bool Indirect; 6468 6469 void setLocsFrom(Expr *e) { 6470 Loc = e->getExprLoc(); 6471 Range = e->getSourceRange(); 6472 } 6473 }; 6474} 6475 6476/// Consider whether capturing the given variable can possibly lead to 6477/// a retain cycle. 6478static bool considerVariable(VarDecl *var, Expr *ref, RetainCycleOwner &owner) { 6479 // In ARC, it's captured strongly iff the variable has __strong 6480 // lifetime. In MRR, it's captured strongly if the variable is 6481 // __block and has an appropriate type. 6482 if (var->getType().getObjCLifetime() != Qualifiers::OCL_Strong) 6483 return false; 6484 6485 owner.Variable = var; 6486 if (ref) 6487 owner.setLocsFrom(ref); 6488 return true; 6489} 6490 6491static bool findRetainCycleOwner(Sema &S, Expr *e, RetainCycleOwner &owner) { 6492 while (true) { 6493 e = e->IgnoreParens(); 6494 if (CastExpr *cast = dyn_cast<CastExpr>(e)) { 6495 switch (cast->getCastKind()) { 6496 case CK_BitCast: 6497 case CK_LValueBitCast: 6498 case CK_LValueToRValue: 6499 case CK_ARCReclaimReturnedObject: 6500 e = cast->getSubExpr(); 6501 continue; 6502 6503 default: 6504 return false; 6505 } 6506 } 6507 6508 if (ObjCIvarRefExpr *ref = dyn_cast<ObjCIvarRefExpr>(e)) { 6509 ObjCIvarDecl *ivar = ref->getDecl(); 6510 if (ivar->getType().getObjCLifetime() != Qualifiers::OCL_Strong) 6511 return false; 6512 6513 // Try to find a retain cycle in the base. 6514 if (!findRetainCycleOwner(S, ref->getBase(), owner)) 6515 return false; 6516 6517 if (ref->isFreeIvar()) owner.setLocsFrom(ref); 6518 owner.Indirect = true; 6519 return true; 6520 } 6521 6522 if (DeclRefExpr *ref = dyn_cast<DeclRefExpr>(e)) { 6523 VarDecl *var = dyn_cast<VarDecl>(ref->getDecl()); 6524 if (!var) return false; 6525 return considerVariable(var, ref, owner); 6526 } 6527 6528 if (MemberExpr *member = dyn_cast<MemberExpr>(e)) { 6529 if (member->isArrow()) return false; 6530 6531 // Don't count this as an indirect ownership. 6532 e = member->getBase(); 6533 continue; 6534 } 6535 6536 if (PseudoObjectExpr *pseudo = dyn_cast<PseudoObjectExpr>(e)) { 6537 // Only pay attention to pseudo-objects on property references. 6538 ObjCPropertyRefExpr *pre 6539 = dyn_cast<ObjCPropertyRefExpr>(pseudo->getSyntacticForm() 6540 ->IgnoreParens()); 6541 if (!pre) return false; 6542 if (pre->isImplicitProperty()) return false; 6543 ObjCPropertyDecl *property = pre->getExplicitProperty(); 6544 if (!property->isRetaining() && 6545 !(property->getPropertyIvarDecl() && 6546 property->getPropertyIvarDecl()->getType() 6547 .getObjCLifetime() == Qualifiers::OCL_Strong)) 6548 return false; 6549 6550 owner.Indirect = true; 6551 if (pre->isSuperReceiver()) { 6552 owner.Variable = S.getCurMethodDecl()->getSelfDecl(); 6553 if (!owner.Variable) 6554 return false; 6555 owner.Loc = pre->getLocation(); 6556 owner.Range = pre->getSourceRange(); 6557 return true; 6558 } 6559 e = const_cast<Expr*>(cast<OpaqueValueExpr>(pre->getBase()) 6560 ->getSourceExpr()); 6561 continue; 6562 } 6563 6564 // Array ivars? 6565 6566 return false; 6567 } 6568} 6569 6570namespace { 6571 struct FindCaptureVisitor : EvaluatedExprVisitor<FindCaptureVisitor> { 6572 FindCaptureVisitor(ASTContext &Context, VarDecl *variable) 6573 : EvaluatedExprVisitor<FindCaptureVisitor>(Context), 6574 Variable(variable), Capturer(0) {} 6575 6576 VarDecl *Variable; 6577 Expr *Capturer; 6578 6579 void VisitDeclRefExpr(DeclRefExpr *ref) { 6580 if (ref->getDecl() == Variable && !Capturer) 6581 Capturer = ref; 6582 } 6583 6584 void VisitObjCIvarRefExpr(ObjCIvarRefExpr *ref) { 6585 if (Capturer) return; 6586 Visit(ref->getBase()); 6587 if (Capturer && ref->isFreeIvar()) 6588 Capturer = ref; 6589 } 6590 6591 void VisitBlockExpr(BlockExpr *block) { 6592 // Look inside nested blocks 6593 if (block->getBlockDecl()->capturesVariable(Variable)) 6594 Visit(block->getBlockDecl()->getBody()); 6595 } 6596 6597 void VisitOpaqueValueExpr(OpaqueValueExpr *OVE) { 6598 if (Capturer) return; 6599 if (OVE->getSourceExpr()) 6600 Visit(OVE->getSourceExpr()); 6601 } 6602 }; 6603} 6604 6605/// Check whether the given argument is a block which captures a 6606/// variable. 6607static Expr *findCapturingExpr(Sema &S, Expr *e, RetainCycleOwner &owner) { 6608 assert(owner.Variable && owner.Loc.isValid()); 6609 6610 e = e->IgnoreParenCasts(); 6611 6612 // Look through [^{...} copy] and Block_copy(^{...}). 6613 if (ObjCMessageExpr *ME = dyn_cast<ObjCMessageExpr>(e)) { 6614 Selector Cmd = ME->getSelector(); 6615 if (Cmd.isUnarySelector() && Cmd.getNameForSlot(0) == "copy") { 6616 e = ME->getInstanceReceiver(); 6617 if (!e) 6618 return 0; 6619 e = e->IgnoreParenCasts(); 6620 } 6621 } else if (CallExpr *CE = dyn_cast<CallExpr>(e)) { 6622 if (CE->getNumArgs() == 1) { 6623 FunctionDecl *Fn = dyn_cast_or_null<FunctionDecl>(CE->getCalleeDecl()); 6624 if (Fn) { 6625 const IdentifierInfo *FnI = Fn->getIdentifier(); 6626 if (FnI && FnI->isStr("_Block_copy")) { 6627 e = CE->getArg(0)->IgnoreParenCasts(); 6628 } 6629 } 6630 } 6631 } 6632 6633 BlockExpr *block = dyn_cast<BlockExpr>(e); 6634 if (!block || !block->getBlockDecl()->capturesVariable(owner.Variable)) 6635 return 0; 6636 6637 FindCaptureVisitor visitor(S.Context, owner.Variable); 6638 visitor.Visit(block->getBlockDecl()->getBody()); 6639 return visitor.Capturer; 6640} 6641 6642static void diagnoseRetainCycle(Sema &S, Expr *capturer, 6643 RetainCycleOwner &owner) { 6644 assert(capturer); 6645 assert(owner.Variable && owner.Loc.isValid()); 6646 6647 S.Diag(capturer->getExprLoc(), diag::warn_arc_retain_cycle) 6648 << owner.Variable << capturer->getSourceRange(); 6649 S.Diag(owner.Loc, diag::note_arc_retain_cycle_owner) 6650 << owner.Indirect << owner.Range; 6651} 6652 6653/// Check for a keyword selector that starts with the word 'add' or 6654/// 'set'. 6655static bool isSetterLikeSelector(Selector sel) { 6656 if (sel.isUnarySelector()) return false; 6657 6658 StringRef str = sel.getNameForSlot(0); 6659 while (!str.empty() && str.front() == '_') str = str.substr(1); 6660 if (str.startswith("set")) 6661 str = str.substr(3); 6662 else if (str.startswith("add")) { 6663 // Specially whitelist 'addOperationWithBlock:'. 6664 if (sel.getNumArgs() == 1 && str.startswith("addOperationWithBlock")) 6665 return false; 6666 str = str.substr(3); 6667 } 6668 else 6669 return false; 6670 6671 if (str.empty()) return true; 6672 return !isLowercase(str.front()); 6673} 6674 6675/// Check a message send to see if it's likely to cause a retain cycle. 6676void Sema::checkRetainCycles(ObjCMessageExpr *msg) { 6677 // Only check instance methods whose selector looks like a setter. 6678 if (!msg->isInstanceMessage() || !isSetterLikeSelector(msg->getSelector())) 6679 return; 6680 6681 // Try to find a variable that the receiver is strongly owned by. 6682 RetainCycleOwner owner; 6683 if (msg->getReceiverKind() == ObjCMessageExpr::Instance) { 6684 if (!findRetainCycleOwner(*this, msg->getInstanceReceiver(), owner)) 6685 return; 6686 } else { 6687 assert(msg->getReceiverKind() == ObjCMessageExpr::SuperInstance); 6688 owner.Variable = getCurMethodDecl()->getSelfDecl(); 6689 owner.Loc = msg->getSuperLoc(); 6690 owner.Range = msg->getSuperLoc(); 6691 } 6692 6693 // Check whether the receiver is captured by any of the arguments. 6694 for (unsigned i = 0, e = msg->getNumArgs(); i != e; ++i) 6695 if (Expr *capturer = findCapturingExpr(*this, msg->getArg(i), owner)) 6696 return diagnoseRetainCycle(*this, capturer, owner); 6697} 6698 6699/// Check a property assign to see if it's likely to cause a retain cycle. 6700void Sema::checkRetainCycles(Expr *receiver, Expr *argument) { 6701 RetainCycleOwner owner; 6702 if (!findRetainCycleOwner(*this, receiver, owner)) 6703 return; 6704 6705 if (Expr *capturer = findCapturingExpr(*this, argument, owner)) 6706 diagnoseRetainCycle(*this, capturer, owner); 6707} 6708 6709void Sema::checkRetainCycles(VarDecl *Var, Expr *Init) { 6710 RetainCycleOwner Owner; 6711 if (!considerVariable(Var, /*DeclRefExpr=*/0, Owner)) 6712 return; 6713 6714 // Because we don't have an expression for the variable, we have to set the 6715 // location explicitly here. 6716 Owner.Loc = Var->getLocation(); 6717 Owner.Range = Var->getSourceRange(); 6718 6719 if (Expr *Capturer = findCapturingExpr(*this, Init, Owner)) 6720 diagnoseRetainCycle(*this, Capturer, Owner); 6721} 6722 6723static bool checkUnsafeAssignLiteral(Sema &S, SourceLocation Loc, 6724 Expr *RHS, bool isProperty) { 6725 // Check if RHS is an Objective-C object literal, which also can get 6726 // immediately zapped in a weak reference. Note that we explicitly 6727 // allow ObjCStringLiterals, since those are designed to never really die. 6728 RHS = RHS->IgnoreParenImpCasts(); 6729 6730 // This enum needs to match with the 'select' in 6731 // warn_objc_arc_literal_assign (off-by-1). 6732 Sema::ObjCLiteralKind Kind = S.CheckLiteralKind(RHS); 6733 if (Kind == Sema::LK_String || Kind == Sema::LK_None) 6734 return false; 6735 6736 S.Diag(Loc, diag::warn_arc_literal_assign) 6737 << (unsigned) Kind 6738 << (isProperty ? 0 : 1) 6739 << RHS->getSourceRange(); 6740 6741 return true; 6742} 6743 6744static bool checkUnsafeAssignObject(Sema &S, SourceLocation Loc, 6745 Qualifiers::ObjCLifetime LT, 6746 Expr *RHS, bool isProperty) { 6747 // Strip off any implicit cast added to get to the one ARC-specific. 6748 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) { 6749 if (cast->getCastKind() == CK_ARCConsumeObject) { 6750 S.Diag(Loc, diag::warn_arc_retained_assign) 6751 << (LT == Qualifiers::OCL_ExplicitNone) 6752 << (isProperty ? 0 : 1) 6753 << RHS->getSourceRange(); 6754 return true; 6755 } 6756 RHS = cast->getSubExpr(); 6757 } 6758 6759 if (LT == Qualifiers::OCL_Weak && 6760 checkUnsafeAssignLiteral(S, Loc, RHS, isProperty)) 6761 return true; 6762 6763 return false; 6764} 6765 6766bool Sema::checkUnsafeAssigns(SourceLocation Loc, 6767 QualType LHS, Expr *RHS) { 6768 Qualifiers::ObjCLifetime LT = LHS.getObjCLifetime(); 6769 6770 if (LT != Qualifiers::OCL_Weak && LT != Qualifiers::OCL_ExplicitNone) 6771 return false; 6772 6773 if (checkUnsafeAssignObject(*this, Loc, LT, RHS, false)) 6774 return true; 6775 6776 return false; 6777} 6778 6779void Sema::checkUnsafeExprAssigns(SourceLocation Loc, 6780 Expr *LHS, Expr *RHS) { 6781 QualType LHSType; 6782 // PropertyRef on LHS type need be directly obtained from 6783 // its declaration as it has a PsuedoType. 6784 ObjCPropertyRefExpr *PRE 6785 = dyn_cast<ObjCPropertyRefExpr>(LHS->IgnoreParens()); 6786 if (PRE && !PRE->isImplicitProperty()) { 6787 const ObjCPropertyDecl *PD = PRE->getExplicitProperty(); 6788 if (PD) 6789 LHSType = PD->getType(); 6790 } 6791 6792 if (LHSType.isNull()) 6793 LHSType = LHS->getType(); 6794 6795 Qualifiers::ObjCLifetime LT = LHSType.getObjCLifetime(); 6796 6797 if (LT == Qualifiers::OCL_Weak) { 6798 DiagnosticsEngine::Level Level = 6799 Diags.getDiagnosticLevel(diag::warn_arc_repeated_use_of_weak, Loc); 6800 if (Level != DiagnosticsEngine::Ignored) 6801 getCurFunction()->markSafeWeakUse(LHS); 6802 } 6803 6804 if (checkUnsafeAssigns(Loc, LHSType, RHS)) 6805 return; 6806 6807 // FIXME. Check for other life times. 6808 if (LT != Qualifiers::OCL_None) 6809 return; 6810 6811 if (PRE) { 6812 if (PRE->isImplicitProperty()) 6813 return; 6814 const ObjCPropertyDecl *PD = PRE->getExplicitProperty(); 6815 if (!PD) 6816 return; 6817 6818 unsigned Attributes = PD->getPropertyAttributes(); 6819 if (Attributes & ObjCPropertyDecl::OBJC_PR_assign) { 6820 // when 'assign' attribute was not explicitly specified 6821 // by user, ignore it and rely on property type itself 6822 // for lifetime info. 6823 unsigned AsWrittenAttr = PD->getPropertyAttributesAsWritten(); 6824 if (!(AsWrittenAttr & ObjCPropertyDecl::OBJC_PR_assign) && 6825 LHSType->isObjCRetainableType()) 6826 return; 6827 6828 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) { 6829 if (cast->getCastKind() == CK_ARCConsumeObject) { 6830 Diag(Loc, diag::warn_arc_retained_property_assign) 6831 << RHS->getSourceRange(); 6832 return; 6833 } 6834 RHS = cast->getSubExpr(); 6835 } 6836 } 6837 else if (Attributes & ObjCPropertyDecl::OBJC_PR_weak) { 6838 if (checkUnsafeAssignObject(*this, Loc, Qualifiers::OCL_Weak, RHS, true)) 6839 return; 6840 } 6841 } 6842} 6843 6844//===--- CHECK: Empty statement body (-Wempty-body) ---------------------===// 6845 6846namespace { 6847bool ShouldDiagnoseEmptyStmtBody(const SourceManager &SourceMgr, 6848 SourceLocation StmtLoc, 6849 const NullStmt *Body) { 6850 // Do not warn if the body is a macro that expands to nothing, e.g: 6851 // 6852 // #define CALL(x) 6853 // if (condition) 6854 // CALL(0); 6855 // 6856 if (Body->hasLeadingEmptyMacro()) 6857 return false; 6858 6859 // Get line numbers of statement and body. 6860 bool StmtLineInvalid; 6861 unsigned StmtLine = SourceMgr.getSpellingLineNumber(StmtLoc, 6862 &StmtLineInvalid); 6863 if (StmtLineInvalid) 6864 return false; 6865 6866 bool BodyLineInvalid; 6867 unsigned BodyLine = SourceMgr.getSpellingLineNumber(Body->getSemiLoc(), 6868 &BodyLineInvalid); 6869 if (BodyLineInvalid) 6870 return false; 6871 6872 // Warn if null statement and body are on the same line. 6873 if (StmtLine != BodyLine) 6874 return false; 6875 6876 return true; 6877} 6878} // Unnamed namespace 6879 6880void Sema::DiagnoseEmptyStmtBody(SourceLocation StmtLoc, 6881 const Stmt *Body, 6882 unsigned DiagID) { 6883 // Since this is a syntactic check, don't emit diagnostic for template 6884 // instantiations, this just adds noise. 6885 if (CurrentInstantiationScope) 6886 return; 6887 6888 // The body should be a null statement. 6889 const NullStmt *NBody = dyn_cast<NullStmt>(Body); 6890 if (!NBody) 6891 return; 6892 6893 // Do the usual checks. 6894 if (!ShouldDiagnoseEmptyStmtBody(SourceMgr, StmtLoc, NBody)) 6895 return; 6896 6897 Diag(NBody->getSemiLoc(), DiagID); 6898 Diag(NBody->getSemiLoc(), diag::note_empty_body_on_separate_line); 6899} 6900 6901void Sema::DiagnoseEmptyLoopBody(const Stmt *S, 6902 const Stmt *PossibleBody) { 6903 assert(!CurrentInstantiationScope); // Ensured by caller 6904 6905 SourceLocation StmtLoc; 6906 const Stmt *Body; 6907 unsigned DiagID; 6908 if (const ForStmt *FS = dyn_cast<ForStmt>(S)) { 6909 StmtLoc = FS->getRParenLoc(); 6910 Body = FS->getBody(); 6911 DiagID = diag::warn_empty_for_body; 6912 } else if (const WhileStmt *WS = dyn_cast<WhileStmt>(S)) { 6913 StmtLoc = WS->getCond()->getSourceRange().getEnd(); 6914 Body = WS->getBody(); 6915 DiagID = diag::warn_empty_while_body; 6916 } else 6917 return; // Neither `for' nor `while'. 6918 6919 // The body should be a null statement. 6920 const NullStmt *NBody = dyn_cast<NullStmt>(Body); 6921 if (!NBody) 6922 return; 6923 6924 // Skip expensive checks if diagnostic is disabled. 6925 if (Diags.getDiagnosticLevel(DiagID, NBody->getSemiLoc()) == 6926 DiagnosticsEngine::Ignored) 6927 return; 6928 6929 // Do the usual checks. 6930 if (!ShouldDiagnoseEmptyStmtBody(SourceMgr, StmtLoc, NBody)) 6931 return; 6932 6933 // `for(...);' and `while(...);' are popular idioms, so in order to keep 6934 // noise level low, emit diagnostics only if for/while is followed by a 6935 // CompoundStmt, e.g.: 6936 // for (int i = 0; i < n; i++); 6937 // { 6938 // a(i); 6939 // } 6940 // or if for/while is followed by a statement with more indentation 6941 // than for/while itself: 6942 // for (int i = 0; i < n; i++); 6943 // a(i); 6944 bool ProbableTypo = isa<CompoundStmt>(PossibleBody); 6945 if (!ProbableTypo) { 6946 bool BodyColInvalid; 6947 unsigned BodyCol = SourceMgr.getPresumedColumnNumber( 6948 PossibleBody->getLocStart(), 6949 &BodyColInvalid); 6950 if (BodyColInvalid) 6951 return; 6952 6953 bool StmtColInvalid; 6954 unsigned StmtCol = SourceMgr.getPresumedColumnNumber( 6955 S->getLocStart(), 6956 &StmtColInvalid); 6957 if (StmtColInvalid) 6958 return; 6959 6960 if (BodyCol > StmtCol) 6961 ProbableTypo = true; 6962 } 6963 6964 if (ProbableTypo) { 6965 Diag(NBody->getSemiLoc(), DiagID); 6966 Diag(NBody->getSemiLoc(), diag::note_empty_body_on_separate_line); 6967 } 6968} 6969 6970//===--- Layout compatibility ----------------------------------------------// 6971 6972namespace { 6973 6974bool isLayoutCompatible(ASTContext &C, QualType T1, QualType T2); 6975 6976/// \brief Check if two enumeration types are layout-compatible. 6977bool isLayoutCompatible(ASTContext &C, EnumDecl *ED1, EnumDecl *ED2) { 6978 // C++11 [dcl.enum] p8: 6979 // Two enumeration types are layout-compatible if they have the same 6980 // underlying type. 6981 return ED1->isComplete() && ED2->isComplete() && 6982 C.hasSameType(ED1->getIntegerType(), ED2->getIntegerType()); 6983} 6984 6985/// \brief Check if two fields are layout-compatible. 6986bool isLayoutCompatible(ASTContext &C, FieldDecl *Field1, FieldDecl *Field2) { 6987 if (!isLayoutCompatible(C, Field1->getType(), Field2->getType())) 6988 return false; 6989 6990 if (Field1->isBitField() != Field2->isBitField()) 6991 return false; 6992 6993 if (Field1->isBitField()) { 6994 // Make sure that the bit-fields are the same length. 6995 unsigned Bits1 = Field1->getBitWidthValue(C); 6996 unsigned Bits2 = Field2->getBitWidthValue(C); 6997 6998 if (Bits1 != Bits2) 6999 return false; 7000 } 7001 7002 return true; 7003} 7004 7005/// \brief Check if two standard-layout structs are layout-compatible. 7006/// (C++11 [class.mem] p17) 7007bool isLayoutCompatibleStruct(ASTContext &C, 7008 RecordDecl *RD1, 7009 RecordDecl *RD2) { 7010 // If both records are C++ classes, check that base classes match. 7011 if (const CXXRecordDecl *D1CXX = dyn_cast<CXXRecordDecl>(RD1)) { 7012 // If one of records is a CXXRecordDecl we are in C++ mode, 7013 // thus the other one is a CXXRecordDecl, too. 7014 const CXXRecordDecl *D2CXX = cast<CXXRecordDecl>(RD2); 7015 // Check number of base classes. 7016 if (D1CXX->getNumBases() != D2CXX->getNumBases()) 7017 return false; 7018 7019 // Check the base classes. 7020 for (CXXRecordDecl::base_class_const_iterator 7021 Base1 = D1CXX->bases_begin(), 7022 BaseEnd1 = D1CXX->bases_end(), 7023 Base2 = D2CXX->bases_begin(); 7024 Base1 != BaseEnd1; 7025 ++Base1, ++Base2) { 7026 if (!isLayoutCompatible(C, Base1->getType(), Base2->getType())) 7027 return false; 7028 } 7029 } else if (const CXXRecordDecl *D2CXX = dyn_cast<CXXRecordDecl>(RD2)) { 7030 // If only RD2 is a C++ class, it should have zero base classes. 7031 if (D2CXX->getNumBases() > 0) 7032 return false; 7033 } 7034 7035 // Check the fields. 7036 RecordDecl::field_iterator Field2 = RD2->field_begin(), 7037 Field2End = RD2->field_end(), 7038 Field1 = RD1->field_begin(), 7039 Field1End = RD1->field_end(); 7040 for ( ; Field1 != Field1End && Field2 != Field2End; ++Field1, ++Field2) { 7041 if (!isLayoutCompatible(C, *Field1, *Field2)) 7042 return false; 7043 } 7044 if (Field1 != Field1End || Field2 != Field2End) 7045 return false; 7046 7047 return true; 7048} 7049 7050/// \brief Check if two standard-layout unions are layout-compatible. 7051/// (C++11 [class.mem] p18) 7052bool isLayoutCompatibleUnion(ASTContext &C, 7053 RecordDecl *RD1, 7054 RecordDecl *RD2) { 7055 llvm::SmallPtrSet<FieldDecl *, 8> UnmatchedFields; 7056 for (RecordDecl::field_iterator Field2 = RD2->field_begin(), 7057 Field2End = RD2->field_end(); 7058 Field2 != Field2End; ++Field2) { 7059 UnmatchedFields.insert(*Field2); 7060 } 7061 7062 for (RecordDecl::field_iterator Field1 = RD1->field_begin(), 7063 Field1End = RD1->field_end(); 7064 Field1 != Field1End; ++Field1) { 7065 llvm::SmallPtrSet<FieldDecl *, 8>::iterator 7066 I = UnmatchedFields.begin(), 7067 E = UnmatchedFields.end(); 7068 7069 for ( ; I != E; ++I) { 7070 if (isLayoutCompatible(C, *Field1, *I)) { 7071 bool Result = UnmatchedFields.erase(*I); 7072 (void) Result; 7073 assert(Result); 7074 break; 7075 } 7076 } 7077 if (I == E) 7078 return false; 7079 } 7080 7081 return UnmatchedFields.empty(); 7082} 7083 7084bool isLayoutCompatible(ASTContext &C, RecordDecl *RD1, RecordDecl *RD2) { 7085 if (RD1->isUnion() != RD2->isUnion()) 7086 return false; 7087 7088 if (RD1->isUnion()) 7089 return isLayoutCompatibleUnion(C, RD1, RD2); 7090 else 7091 return isLayoutCompatibleStruct(C, RD1, RD2); 7092} 7093 7094/// \brief Check if two types are layout-compatible in C++11 sense. 7095bool isLayoutCompatible(ASTContext &C, QualType T1, QualType T2) { 7096 if (T1.isNull() || T2.isNull()) 7097 return false; 7098 7099 // C++11 [basic.types] p11: 7100 // If two types T1 and T2 are the same type, then T1 and T2 are 7101 // layout-compatible types. 7102 if (C.hasSameType(T1, T2)) 7103 return true; 7104 7105 T1 = T1.getCanonicalType().getUnqualifiedType(); 7106 T2 = T2.getCanonicalType().getUnqualifiedType(); 7107 7108 const Type::TypeClass TC1 = T1->getTypeClass(); 7109 const Type::TypeClass TC2 = T2->getTypeClass(); 7110 7111 if (TC1 != TC2) 7112 return false; 7113 7114 if (TC1 == Type::Enum) { 7115 return isLayoutCompatible(C, 7116 cast<EnumType>(T1)->getDecl(), 7117 cast<EnumType>(T2)->getDecl()); 7118 } else if (TC1 == Type::Record) { 7119 if (!T1->isStandardLayoutType() || !T2->isStandardLayoutType()) 7120 return false; 7121 7122 return isLayoutCompatible(C, 7123 cast<RecordType>(T1)->getDecl(), 7124 cast<RecordType>(T2)->getDecl()); 7125 } 7126 7127 return false; 7128} 7129} 7130 7131//===--- CHECK: pointer_with_type_tag attribute: datatypes should match ----// 7132 7133namespace { 7134/// \brief Given a type tag expression find the type tag itself. 7135/// 7136/// \param TypeExpr Type tag expression, as it appears in user's code. 7137/// 7138/// \param VD Declaration of an identifier that appears in a type tag. 7139/// 7140/// \param MagicValue Type tag magic value. 7141bool FindTypeTagExpr(const Expr *TypeExpr, const ASTContext &Ctx, 7142 const ValueDecl **VD, uint64_t *MagicValue) { 7143 while(true) { 7144 if (!TypeExpr) 7145 return false; 7146 7147 TypeExpr = TypeExpr->IgnoreParenImpCasts()->IgnoreParenCasts(); 7148 7149 switch (TypeExpr->getStmtClass()) { 7150 case Stmt::UnaryOperatorClass: { 7151 const UnaryOperator *UO = cast<UnaryOperator>(TypeExpr); 7152 if (UO->getOpcode() == UO_AddrOf || UO->getOpcode() == UO_Deref) { 7153 TypeExpr = UO->getSubExpr(); 7154 continue; 7155 } 7156 return false; 7157 } 7158 7159 case Stmt::DeclRefExprClass: { 7160 const DeclRefExpr *DRE = cast<DeclRefExpr>(TypeExpr); 7161 *VD = DRE->getDecl(); 7162 return true; 7163 } 7164 7165 case Stmt::IntegerLiteralClass: { 7166 const IntegerLiteral *IL = cast<IntegerLiteral>(TypeExpr); 7167 llvm::APInt MagicValueAPInt = IL->getValue(); 7168 if (MagicValueAPInt.getActiveBits() <= 64) { 7169 *MagicValue = MagicValueAPInt.getZExtValue(); 7170 return true; 7171 } else 7172 return false; 7173 } 7174 7175 case Stmt::BinaryConditionalOperatorClass: 7176 case Stmt::ConditionalOperatorClass: { 7177 const AbstractConditionalOperator *ACO = 7178 cast<AbstractConditionalOperator>(TypeExpr); 7179 bool Result; 7180 if (ACO->getCond()->EvaluateAsBooleanCondition(Result, Ctx)) { 7181 if (Result) 7182 TypeExpr = ACO->getTrueExpr(); 7183 else 7184 TypeExpr = ACO->getFalseExpr(); 7185 continue; 7186 } 7187 return false; 7188 } 7189 7190 case Stmt::BinaryOperatorClass: { 7191 const BinaryOperator *BO = cast<BinaryOperator>(TypeExpr); 7192 if (BO->getOpcode() == BO_Comma) { 7193 TypeExpr = BO->getRHS(); 7194 continue; 7195 } 7196 return false; 7197 } 7198 7199 default: 7200 return false; 7201 } 7202 } 7203} 7204 7205/// \brief Retrieve the C type corresponding to type tag TypeExpr. 7206/// 7207/// \param TypeExpr Expression that specifies a type tag. 7208/// 7209/// \param MagicValues Registered magic values. 7210/// 7211/// \param FoundWrongKind Set to true if a type tag was found, but of a wrong 7212/// kind. 7213/// 7214/// \param TypeInfo Information about the corresponding C type. 7215/// 7216/// \returns true if the corresponding C type was found. 7217bool GetMatchingCType( 7218 const IdentifierInfo *ArgumentKind, 7219 const Expr *TypeExpr, const ASTContext &Ctx, 7220 const llvm::DenseMap<Sema::TypeTagMagicValue, 7221 Sema::TypeTagData> *MagicValues, 7222 bool &FoundWrongKind, 7223 Sema::TypeTagData &TypeInfo) { 7224 FoundWrongKind = false; 7225 7226 // Variable declaration that has type_tag_for_datatype attribute. 7227 const ValueDecl *VD = NULL; 7228 7229 uint64_t MagicValue; 7230 7231 if (!FindTypeTagExpr(TypeExpr, Ctx, &VD, &MagicValue)) 7232 return false; 7233 7234 if (VD) { 7235 for (specific_attr_iterator<TypeTagForDatatypeAttr> 7236 I = VD->specific_attr_begin<TypeTagForDatatypeAttr>(), 7237 E = VD->specific_attr_end<TypeTagForDatatypeAttr>(); 7238 I != E; ++I) { 7239 if (I->getArgumentKind() != ArgumentKind) { 7240 FoundWrongKind = true; 7241 return false; 7242 } 7243 TypeInfo.Type = I->getMatchingCType(); 7244 TypeInfo.LayoutCompatible = I->getLayoutCompatible(); 7245 TypeInfo.MustBeNull = I->getMustBeNull(); 7246 return true; 7247 } 7248 return false; 7249 } 7250 7251 if (!MagicValues) 7252 return false; 7253 7254 llvm::DenseMap<Sema::TypeTagMagicValue, 7255 Sema::TypeTagData>::const_iterator I = 7256 MagicValues->find(std::make_pair(ArgumentKind, MagicValue)); 7257 if (I == MagicValues->end()) 7258 return false; 7259 7260 TypeInfo = I->second; 7261 return true; 7262} 7263} // unnamed namespace 7264 7265void Sema::RegisterTypeTagForDatatype(const IdentifierInfo *ArgumentKind, 7266 uint64_t MagicValue, QualType Type, 7267 bool LayoutCompatible, 7268 bool MustBeNull) { 7269 if (!TypeTagForDatatypeMagicValues) 7270 TypeTagForDatatypeMagicValues.reset( 7271 new llvm::DenseMap<TypeTagMagicValue, TypeTagData>); 7272 7273 TypeTagMagicValue Magic(ArgumentKind, MagicValue); 7274 (*TypeTagForDatatypeMagicValues)[Magic] = 7275 TypeTagData(Type, LayoutCompatible, MustBeNull); 7276} 7277 7278namespace { 7279bool IsSameCharType(QualType T1, QualType T2) { 7280 const BuiltinType *BT1 = T1->getAs<BuiltinType>(); 7281 if (!BT1) 7282 return false; 7283 7284 const BuiltinType *BT2 = T2->getAs<BuiltinType>(); 7285 if (!BT2) 7286 return false; 7287 7288 BuiltinType::Kind T1Kind = BT1->getKind(); 7289 BuiltinType::Kind T2Kind = BT2->getKind(); 7290 7291 return (T1Kind == BuiltinType::SChar && T2Kind == BuiltinType::Char_S) || 7292 (T1Kind == BuiltinType::UChar && T2Kind == BuiltinType::Char_U) || 7293 (T1Kind == BuiltinType::Char_U && T2Kind == BuiltinType::UChar) || 7294 (T1Kind == BuiltinType::Char_S && T2Kind == BuiltinType::SChar); 7295} 7296} // unnamed namespace 7297 7298void Sema::CheckArgumentWithTypeTag(const ArgumentWithTypeTagAttr *Attr, 7299 const Expr * const *ExprArgs) { 7300 const IdentifierInfo *ArgumentKind = Attr->getArgumentKind(); 7301 bool IsPointerAttr = Attr->getIsPointer(); 7302 7303 const Expr *TypeTagExpr = ExprArgs[Attr->getTypeTagIdx()]; 7304 bool FoundWrongKind; 7305 TypeTagData TypeInfo; 7306 if (!GetMatchingCType(ArgumentKind, TypeTagExpr, Context, 7307 TypeTagForDatatypeMagicValues.get(), 7308 FoundWrongKind, TypeInfo)) { 7309 if (FoundWrongKind) 7310 Diag(TypeTagExpr->getExprLoc(), 7311 diag::warn_type_tag_for_datatype_wrong_kind) 7312 << TypeTagExpr->getSourceRange(); 7313 return; 7314 } 7315 7316 const Expr *ArgumentExpr = ExprArgs[Attr->getArgumentIdx()]; 7317 if (IsPointerAttr) { 7318 // Skip implicit cast of pointer to `void *' (as a function argument). 7319 if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(ArgumentExpr)) 7320 if (ICE->getType()->isVoidPointerType() && 7321 ICE->getCastKind() == CK_BitCast) 7322 ArgumentExpr = ICE->getSubExpr(); 7323 } 7324 QualType ArgumentType = ArgumentExpr->getType(); 7325 7326 // Passing a `void*' pointer shouldn't trigger a warning. 7327 if (IsPointerAttr && ArgumentType->isVoidPointerType()) 7328 return; 7329 7330 if (TypeInfo.MustBeNull) { 7331 // Type tag with matching void type requires a null pointer. 7332 if (!ArgumentExpr->isNullPointerConstant(Context, 7333 Expr::NPC_ValueDependentIsNotNull)) { 7334 Diag(ArgumentExpr->getExprLoc(), 7335 diag::warn_type_safety_null_pointer_required) 7336 << ArgumentKind->getName() 7337 << ArgumentExpr->getSourceRange() 7338 << TypeTagExpr->getSourceRange(); 7339 } 7340 return; 7341 } 7342 7343 QualType RequiredType = TypeInfo.Type; 7344 if (IsPointerAttr) 7345 RequiredType = Context.getPointerType(RequiredType); 7346 7347 bool mismatch = false; 7348 if (!TypeInfo.LayoutCompatible) { 7349 mismatch = !Context.hasSameType(ArgumentType, RequiredType); 7350 7351 // C++11 [basic.fundamental] p1: 7352 // Plain char, signed char, and unsigned char are three distinct types. 7353 // 7354 // But we treat plain `char' as equivalent to `signed char' or `unsigned 7355 // char' depending on the current char signedness mode. 7356 if (mismatch) 7357 if ((IsPointerAttr && IsSameCharType(ArgumentType->getPointeeType(), 7358 RequiredType->getPointeeType())) || 7359 (!IsPointerAttr && IsSameCharType(ArgumentType, RequiredType))) 7360 mismatch = false; 7361 } else 7362 if (IsPointerAttr) 7363 mismatch = !isLayoutCompatible(Context, 7364 ArgumentType->getPointeeType(), 7365 RequiredType->getPointeeType()); 7366 else 7367 mismatch = !isLayoutCompatible(Context, ArgumentType, RequiredType); 7368 7369 if (mismatch) 7370 Diag(ArgumentExpr->getExprLoc(), diag::warn_type_safety_type_mismatch) 7371 << ArgumentType << ArgumentKind->getName() 7372 << TypeInfo.LayoutCompatible << RequiredType 7373 << ArgumentExpr->getSourceRange() 7374 << TypeTagExpr->getSourceRange(); 7375} 7376