SemaChecking.cpp revision 34ff062936ac78142a2c0dc8d1ae6a40df456819
1//===--- SemaChecking.cpp - Extra Semantic Checking -----------------------===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file implements extra semantic analysis beyond what is enforced 11// by the C type system. 12// 13//===----------------------------------------------------------------------===// 14 15#include "clang/Sema/Initialization.h" 16#include "clang/Sema/Sema.h" 17#include "clang/Sema/SemaInternal.h" 18#include "clang/Sema/Initialization.h" 19#include "clang/Sema/ScopeInfo.h" 20#include "clang/Analysis/Analyses/FormatString.h" 21#include "clang/AST/ASTContext.h" 22#include "clang/AST/CharUnits.h" 23#include "clang/AST/DeclCXX.h" 24#include "clang/AST/DeclObjC.h" 25#include "clang/AST/ExprCXX.h" 26#include "clang/AST/ExprObjC.h" 27#include "clang/AST/EvaluatedExprVisitor.h" 28#include "clang/AST/DeclObjC.h" 29#include "clang/AST/StmtCXX.h" 30#include "clang/AST/StmtObjC.h" 31#include "clang/Lex/Preprocessor.h" 32#include "llvm/ADT/BitVector.h" 33#include "llvm/ADT/STLExtras.h" 34#include "llvm/Support/raw_ostream.h" 35#include "clang/Basic/TargetBuiltins.h" 36#include "clang/Basic/TargetInfo.h" 37#include "clang/Basic/ConvertUTF.h" 38#include <limits> 39using namespace clang; 40using namespace sema; 41 42SourceLocation Sema::getLocationOfStringLiteralByte(const StringLiteral *SL, 43 unsigned ByteNo) const { 44 return SL->getLocationOfByte(ByteNo, PP.getSourceManager(), 45 PP.getLangOptions(), PP.getTargetInfo()); 46} 47 48/// Checks that a call expression's argument count is the desired number. 49/// This is useful when doing custom type-checking. Returns true on error. 50static bool checkArgCount(Sema &S, CallExpr *call, unsigned desiredArgCount) { 51 unsigned argCount = call->getNumArgs(); 52 if (argCount == desiredArgCount) return false; 53 54 if (argCount < desiredArgCount) 55 return S.Diag(call->getLocEnd(), diag::err_typecheck_call_too_few_args) 56 << 0 /*function call*/ << desiredArgCount << argCount 57 << call->getSourceRange(); 58 59 // Highlight all the excess arguments. 60 SourceRange range(call->getArg(desiredArgCount)->getLocStart(), 61 call->getArg(argCount - 1)->getLocEnd()); 62 63 return S.Diag(range.getBegin(), diag::err_typecheck_call_too_many_args) 64 << 0 /*function call*/ << desiredArgCount << argCount 65 << call->getArg(1)->getSourceRange(); 66} 67 68/// CheckBuiltinAnnotationString - Checks that string argument to the builtin 69/// annotation is a non wide string literal. 70static bool CheckBuiltinAnnotationString(Sema &S, Expr *Arg) { 71 Arg = Arg->IgnoreParenCasts(); 72 StringLiteral *Literal = dyn_cast<StringLiteral>(Arg); 73 if (!Literal || !Literal->isAscii()) { 74 S.Diag(Arg->getLocStart(), diag::err_builtin_annotation_not_string_constant) 75 << Arg->getSourceRange(); 76 return true; 77 } 78 return false; 79} 80 81ExprResult 82Sema::CheckBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 83 ExprResult TheCallResult(Owned(TheCall)); 84 85 // Find out if any arguments are required to be integer constant expressions. 86 unsigned ICEArguments = 0; 87 ASTContext::GetBuiltinTypeError Error; 88 Context.GetBuiltinType(BuiltinID, Error, &ICEArguments); 89 if (Error != ASTContext::GE_None) 90 ICEArguments = 0; // Don't diagnose previously diagnosed errors. 91 92 // If any arguments are required to be ICE's, check and diagnose. 93 for (unsigned ArgNo = 0; ICEArguments != 0; ++ArgNo) { 94 // Skip arguments not required to be ICE's. 95 if ((ICEArguments & (1 << ArgNo)) == 0) continue; 96 97 llvm::APSInt Result; 98 if (SemaBuiltinConstantArg(TheCall, ArgNo, Result)) 99 return true; 100 ICEArguments &= ~(1 << ArgNo); 101 } 102 103 switch (BuiltinID) { 104 case Builtin::BI__builtin___CFStringMakeConstantString: 105 assert(TheCall->getNumArgs() == 1 && 106 "Wrong # arguments to builtin CFStringMakeConstantString"); 107 if (CheckObjCString(TheCall->getArg(0))) 108 return ExprError(); 109 break; 110 case Builtin::BI__builtin_stdarg_start: 111 case Builtin::BI__builtin_va_start: 112 if (SemaBuiltinVAStart(TheCall)) 113 return ExprError(); 114 break; 115 case Builtin::BI__builtin_isgreater: 116 case Builtin::BI__builtin_isgreaterequal: 117 case Builtin::BI__builtin_isless: 118 case Builtin::BI__builtin_islessequal: 119 case Builtin::BI__builtin_islessgreater: 120 case Builtin::BI__builtin_isunordered: 121 if (SemaBuiltinUnorderedCompare(TheCall)) 122 return ExprError(); 123 break; 124 case Builtin::BI__builtin_fpclassify: 125 if (SemaBuiltinFPClassification(TheCall, 6)) 126 return ExprError(); 127 break; 128 case Builtin::BI__builtin_isfinite: 129 case Builtin::BI__builtin_isinf: 130 case Builtin::BI__builtin_isinf_sign: 131 case Builtin::BI__builtin_isnan: 132 case Builtin::BI__builtin_isnormal: 133 if (SemaBuiltinFPClassification(TheCall, 1)) 134 return ExprError(); 135 break; 136 case Builtin::BI__builtin_shufflevector: 137 return SemaBuiltinShuffleVector(TheCall); 138 // TheCall will be freed by the smart pointer here, but that's fine, since 139 // SemaBuiltinShuffleVector guts it, but then doesn't release it. 140 case Builtin::BI__builtin_prefetch: 141 if (SemaBuiltinPrefetch(TheCall)) 142 return ExprError(); 143 break; 144 case Builtin::BI__builtin_object_size: 145 if (SemaBuiltinObjectSize(TheCall)) 146 return ExprError(); 147 break; 148 case Builtin::BI__builtin_longjmp: 149 if (SemaBuiltinLongjmp(TheCall)) 150 return ExprError(); 151 break; 152 153 case Builtin::BI__builtin_classify_type: 154 if (checkArgCount(*this, TheCall, 1)) return true; 155 TheCall->setType(Context.IntTy); 156 break; 157 case Builtin::BI__builtin_constant_p: 158 if (checkArgCount(*this, TheCall, 1)) return true; 159 TheCall->setType(Context.IntTy); 160 break; 161 case Builtin::BI__sync_fetch_and_add: 162 case Builtin::BI__sync_fetch_and_add_1: 163 case Builtin::BI__sync_fetch_and_add_2: 164 case Builtin::BI__sync_fetch_and_add_4: 165 case Builtin::BI__sync_fetch_and_add_8: 166 case Builtin::BI__sync_fetch_and_add_16: 167 case Builtin::BI__sync_fetch_and_sub: 168 case Builtin::BI__sync_fetch_and_sub_1: 169 case Builtin::BI__sync_fetch_and_sub_2: 170 case Builtin::BI__sync_fetch_and_sub_4: 171 case Builtin::BI__sync_fetch_and_sub_8: 172 case Builtin::BI__sync_fetch_and_sub_16: 173 case Builtin::BI__sync_fetch_and_or: 174 case Builtin::BI__sync_fetch_and_or_1: 175 case Builtin::BI__sync_fetch_and_or_2: 176 case Builtin::BI__sync_fetch_and_or_4: 177 case Builtin::BI__sync_fetch_and_or_8: 178 case Builtin::BI__sync_fetch_and_or_16: 179 case Builtin::BI__sync_fetch_and_and: 180 case Builtin::BI__sync_fetch_and_and_1: 181 case Builtin::BI__sync_fetch_and_and_2: 182 case Builtin::BI__sync_fetch_and_and_4: 183 case Builtin::BI__sync_fetch_and_and_8: 184 case Builtin::BI__sync_fetch_and_and_16: 185 case Builtin::BI__sync_fetch_and_xor: 186 case Builtin::BI__sync_fetch_and_xor_1: 187 case Builtin::BI__sync_fetch_and_xor_2: 188 case Builtin::BI__sync_fetch_and_xor_4: 189 case Builtin::BI__sync_fetch_and_xor_8: 190 case Builtin::BI__sync_fetch_and_xor_16: 191 case Builtin::BI__sync_add_and_fetch: 192 case Builtin::BI__sync_add_and_fetch_1: 193 case Builtin::BI__sync_add_and_fetch_2: 194 case Builtin::BI__sync_add_and_fetch_4: 195 case Builtin::BI__sync_add_and_fetch_8: 196 case Builtin::BI__sync_add_and_fetch_16: 197 case Builtin::BI__sync_sub_and_fetch: 198 case Builtin::BI__sync_sub_and_fetch_1: 199 case Builtin::BI__sync_sub_and_fetch_2: 200 case Builtin::BI__sync_sub_and_fetch_4: 201 case Builtin::BI__sync_sub_and_fetch_8: 202 case Builtin::BI__sync_sub_and_fetch_16: 203 case Builtin::BI__sync_and_and_fetch: 204 case Builtin::BI__sync_and_and_fetch_1: 205 case Builtin::BI__sync_and_and_fetch_2: 206 case Builtin::BI__sync_and_and_fetch_4: 207 case Builtin::BI__sync_and_and_fetch_8: 208 case Builtin::BI__sync_and_and_fetch_16: 209 case Builtin::BI__sync_or_and_fetch: 210 case Builtin::BI__sync_or_and_fetch_1: 211 case Builtin::BI__sync_or_and_fetch_2: 212 case Builtin::BI__sync_or_and_fetch_4: 213 case Builtin::BI__sync_or_and_fetch_8: 214 case Builtin::BI__sync_or_and_fetch_16: 215 case Builtin::BI__sync_xor_and_fetch: 216 case Builtin::BI__sync_xor_and_fetch_1: 217 case Builtin::BI__sync_xor_and_fetch_2: 218 case Builtin::BI__sync_xor_and_fetch_4: 219 case Builtin::BI__sync_xor_and_fetch_8: 220 case Builtin::BI__sync_xor_and_fetch_16: 221 case Builtin::BI__sync_val_compare_and_swap: 222 case Builtin::BI__sync_val_compare_and_swap_1: 223 case Builtin::BI__sync_val_compare_and_swap_2: 224 case Builtin::BI__sync_val_compare_and_swap_4: 225 case Builtin::BI__sync_val_compare_and_swap_8: 226 case Builtin::BI__sync_val_compare_and_swap_16: 227 case Builtin::BI__sync_bool_compare_and_swap: 228 case Builtin::BI__sync_bool_compare_and_swap_1: 229 case Builtin::BI__sync_bool_compare_and_swap_2: 230 case Builtin::BI__sync_bool_compare_and_swap_4: 231 case Builtin::BI__sync_bool_compare_and_swap_8: 232 case Builtin::BI__sync_bool_compare_and_swap_16: 233 case Builtin::BI__sync_lock_test_and_set: 234 case Builtin::BI__sync_lock_test_and_set_1: 235 case Builtin::BI__sync_lock_test_and_set_2: 236 case Builtin::BI__sync_lock_test_and_set_4: 237 case Builtin::BI__sync_lock_test_and_set_8: 238 case Builtin::BI__sync_lock_test_and_set_16: 239 case Builtin::BI__sync_lock_release: 240 case Builtin::BI__sync_lock_release_1: 241 case Builtin::BI__sync_lock_release_2: 242 case Builtin::BI__sync_lock_release_4: 243 case Builtin::BI__sync_lock_release_8: 244 case Builtin::BI__sync_lock_release_16: 245 case Builtin::BI__sync_swap: 246 case Builtin::BI__sync_swap_1: 247 case Builtin::BI__sync_swap_2: 248 case Builtin::BI__sync_swap_4: 249 case Builtin::BI__sync_swap_8: 250 case Builtin::BI__sync_swap_16: 251 return SemaBuiltinAtomicOverloaded(move(TheCallResult)); 252 case Builtin::BI__atomic_load: 253 return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::Load); 254 case Builtin::BI__atomic_store: 255 return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::Store); 256 case Builtin::BI__atomic_init: 257 return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::Init); 258 case Builtin::BI__atomic_exchange: 259 return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::Xchg); 260 case Builtin::BI__atomic_compare_exchange_strong: 261 return SemaAtomicOpsOverloaded(move(TheCallResult), 262 AtomicExpr::CmpXchgStrong); 263 case Builtin::BI__atomic_compare_exchange_weak: 264 return SemaAtomicOpsOverloaded(move(TheCallResult), 265 AtomicExpr::CmpXchgWeak); 266 case Builtin::BI__atomic_fetch_add: 267 return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::Add); 268 case Builtin::BI__atomic_fetch_sub: 269 return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::Sub); 270 case Builtin::BI__atomic_fetch_and: 271 return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::And); 272 case Builtin::BI__atomic_fetch_or: 273 return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::Or); 274 case Builtin::BI__atomic_fetch_xor: 275 return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::Xor); 276 case Builtin::BI__builtin_annotation: 277 if (CheckBuiltinAnnotationString(*this, TheCall->getArg(1))) 278 return ExprError(); 279 break; 280 } 281 282 // Since the target specific builtins for each arch overlap, only check those 283 // of the arch we are compiling for. 284 if (BuiltinID >= Builtin::FirstTSBuiltin) { 285 switch (Context.getTargetInfo().getTriple().getArch()) { 286 case llvm::Triple::arm: 287 case llvm::Triple::thumb: 288 if (CheckARMBuiltinFunctionCall(BuiltinID, TheCall)) 289 return ExprError(); 290 break; 291 default: 292 break; 293 } 294 } 295 296 return move(TheCallResult); 297} 298 299// Get the valid immediate range for the specified NEON type code. 300static unsigned RFT(unsigned t, bool shift = false) { 301 NeonTypeFlags Type(t); 302 int IsQuad = Type.isQuad(); 303 switch (Type.getEltType()) { 304 case NeonTypeFlags::Int8: 305 case NeonTypeFlags::Poly8: 306 return shift ? 7 : (8 << IsQuad) - 1; 307 case NeonTypeFlags::Int16: 308 case NeonTypeFlags::Poly16: 309 return shift ? 15 : (4 << IsQuad) - 1; 310 case NeonTypeFlags::Int32: 311 return shift ? 31 : (2 << IsQuad) - 1; 312 case NeonTypeFlags::Int64: 313 return shift ? 63 : (1 << IsQuad) - 1; 314 case NeonTypeFlags::Float16: 315 assert(!shift && "cannot shift float types!"); 316 return (4 << IsQuad) - 1; 317 case NeonTypeFlags::Float32: 318 assert(!shift && "cannot shift float types!"); 319 return (2 << IsQuad) - 1; 320 } 321 llvm_unreachable("Invalid NeonTypeFlag!"); 322} 323 324/// getNeonEltType - Return the QualType corresponding to the elements of 325/// the vector type specified by the NeonTypeFlags. This is used to check 326/// the pointer arguments for Neon load/store intrinsics. 327static QualType getNeonEltType(NeonTypeFlags Flags, ASTContext &Context) { 328 switch (Flags.getEltType()) { 329 case NeonTypeFlags::Int8: 330 return Flags.isUnsigned() ? Context.UnsignedCharTy : Context.SignedCharTy; 331 case NeonTypeFlags::Int16: 332 return Flags.isUnsigned() ? Context.UnsignedShortTy : Context.ShortTy; 333 case NeonTypeFlags::Int32: 334 return Flags.isUnsigned() ? Context.UnsignedIntTy : Context.IntTy; 335 case NeonTypeFlags::Int64: 336 return Flags.isUnsigned() ? Context.UnsignedLongLongTy : Context.LongLongTy; 337 case NeonTypeFlags::Poly8: 338 return Context.SignedCharTy; 339 case NeonTypeFlags::Poly16: 340 return Context.ShortTy; 341 case NeonTypeFlags::Float16: 342 return Context.UnsignedShortTy; 343 case NeonTypeFlags::Float32: 344 return Context.FloatTy; 345 } 346 llvm_unreachable("Invalid NeonTypeFlag!"); 347} 348 349bool Sema::CheckARMBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 350 llvm::APSInt Result; 351 352 unsigned mask = 0; 353 unsigned TV = 0; 354 int PtrArgNum = -1; 355 bool HasConstPtr = false; 356 switch (BuiltinID) { 357#define GET_NEON_OVERLOAD_CHECK 358#include "clang/Basic/arm_neon.inc" 359#undef GET_NEON_OVERLOAD_CHECK 360 } 361 362 // For NEON intrinsics which are overloaded on vector element type, validate 363 // the immediate which specifies which variant to emit. 364 unsigned ImmArg = TheCall->getNumArgs()-1; 365 if (mask) { 366 if (SemaBuiltinConstantArg(TheCall, ImmArg, Result)) 367 return true; 368 369 TV = Result.getLimitedValue(64); 370 if ((TV > 63) || (mask & (1 << TV)) == 0) 371 return Diag(TheCall->getLocStart(), diag::err_invalid_neon_type_code) 372 << TheCall->getArg(ImmArg)->getSourceRange(); 373 } 374 375 if (PtrArgNum >= 0) { 376 // Check that pointer arguments have the specified type. 377 Expr *Arg = TheCall->getArg(PtrArgNum); 378 if (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Arg)) 379 Arg = ICE->getSubExpr(); 380 ExprResult RHS = DefaultFunctionArrayLvalueConversion(Arg); 381 QualType RHSTy = RHS.get()->getType(); 382 QualType EltTy = getNeonEltType(NeonTypeFlags(TV), Context); 383 if (HasConstPtr) 384 EltTy = EltTy.withConst(); 385 QualType LHSTy = Context.getPointerType(EltTy); 386 AssignConvertType ConvTy; 387 ConvTy = CheckSingleAssignmentConstraints(LHSTy, RHS); 388 if (RHS.isInvalid()) 389 return true; 390 if (DiagnoseAssignmentResult(ConvTy, Arg->getLocStart(), LHSTy, RHSTy, 391 RHS.get(), AA_Assigning)) 392 return true; 393 } 394 395 // For NEON intrinsics which take an immediate value as part of the 396 // instruction, range check them here. 397 unsigned i = 0, l = 0, u = 0; 398 switch (BuiltinID) { 399 default: return false; 400 case ARM::BI__builtin_arm_ssat: i = 1; l = 1; u = 31; break; 401 case ARM::BI__builtin_arm_usat: i = 1; u = 31; break; 402 case ARM::BI__builtin_arm_vcvtr_f: 403 case ARM::BI__builtin_arm_vcvtr_d: i = 1; u = 1; break; 404#define GET_NEON_IMMEDIATE_CHECK 405#include "clang/Basic/arm_neon.inc" 406#undef GET_NEON_IMMEDIATE_CHECK 407 }; 408 409 // Check that the immediate argument is actually a constant. 410 if (SemaBuiltinConstantArg(TheCall, i, Result)) 411 return true; 412 413 // Range check against the upper/lower values for this isntruction. 414 unsigned Val = Result.getZExtValue(); 415 if (Val < l || Val > (u + l)) 416 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 417 << l << u+l << TheCall->getArg(i)->getSourceRange(); 418 419 // FIXME: VFP Intrinsics should error if VFP not present. 420 return false; 421} 422 423/// CheckFunctionCall - Check a direct function call for various correctness 424/// and safety properties not strictly enforced by the C type system. 425bool Sema::CheckFunctionCall(FunctionDecl *FDecl, CallExpr *TheCall) { 426 // Get the IdentifierInfo* for the called function. 427 IdentifierInfo *FnInfo = FDecl->getIdentifier(); 428 429 // None of the checks below are needed for functions that don't have 430 // simple names (e.g., C++ conversion functions). 431 if (!FnInfo) 432 return false; 433 434 // FIXME: This mechanism should be abstracted to be less fragile and 435 // more efficient. For example, just map function ids to custom 436 // handlers. 437 438 // Printf and scanf checking. 439 for (specific_attr_iterator<FormatAttr> 440 i = FDecl->specific_attr_begin<FormatAttr>(), 441 e = FDecl->specific_attr_end<FormatAttr>(); i != e ; ++i) { 442 CheckFormatArguments(*i, TheCall); 443 } 444 445 for (specific_attr_iterator<NonNullAttr> 446 i = FDecl->specific_attr_begin<NonNullAttr>(), 447 e = FDecl->specific_attr_end<NonNullAttr>(); i != e; ++i) { 448 CheckNonNullArguments(*i, TheCall->getArgs(), 449 TheCall->getCallee()->getLocStart()); 450 } 451 452 unsigned CMId = FDecl->getMemoryFunctionKind(); 453 if (CMId == 0) 454 return false; 455 456 // Handle memory setting and copying functions. 457 if (CMId == Builtin::BIstrlcpy || CMId == Builtin::BIstrlcat) 458 CheckStrlcpycatArguments(TheCall, FnInfo); 459 else if (CMId == Builtin::BIstrncat) 460 CheckStrncatArguments(TheCall, FnInfo); 461 else 462 CheckMemaccessArguments(TheCall, CMId, FnInfo); 463 464 return false; 465} 466 467bool Sema::CheckObjCMethodCall(ObjCMethodDecl *Method, SourceLocation lbrac, 468 Expr **Args, unsigned NumArgs) { 469 for (specific_attr_iterator<FormatAttr> 470 i = Method->specific_attr_begin<FormatAttr>(), 471 e = Method->specific_attr_end<FormatAttr>(); i != e ; ++i) { 472 473 CheckFormatArguments(*i, Args, NumArgs, false, lbrac, 474 Method->getSourceRange()); 475 } 476 477 // diagnose nonnull arguments. 478 for (specific_attr_iterator<NonNullAttr> 479 i = Method->specific_attr_begin<NonNullAttr>(), 480 e = Method->specific_attr_end<NonNullAttr>(); i != e; ++i) { 481 CheckNonNullArguments(*i, Args, lbrac); 482 } 483 484 return false; 485} 486 487bool Sema::CheckBlockCall(NamedDecl *NDecl, CallExpr *TheCall) { 488 const VarDecl *V = dyn_cast<VarDecl>(NDecl); 489 if (!V) 490 return false; 491 492 QualType Ty = V->getType(); 493 if (!Ty->isBlockPointerType()) 494 return false; 495 496 // format string checking. 497 for (specific_attr_iterator<FormatAttr> 498 i = NDecl->specific_attr_begin<FormatAttr>(), 499 e = NDecl->specific_attr_end<FormatAttr>(); i != e ; ++i) { 500 CheckFormatArguments(*i, TheCall); 501 } 502 503 return false; 504} 505 506ExprResult 507Sema::SemaAtomicOpsOverloaded(ExprResult TheCallResult, AtomicExpr::AtomicOp Op) { 508 CallExpr *TheCall = cast<CallExpr>(TheCallResult.get()); 509 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 510 511 // All these operations take one of the following four forms: 512 // T __atomic_load(_Atomic(T)*, int) (loads) 513 // T* __atomic_add(_Atomic(T*)*, ptrdiff_t, int) (pointer add/sub) 514 // int __atomic_compare_exchange_strong(_Atomic(T)*, T*, T, int, int) 515 // (cmpxchg) 516 // T __atomic_exchange(_Atomic(T)*, T, int) (everything else) 517 // where T is an appropriate type, and the int paremeterss are for orderings. 518 unsigned NumVals = 1; 519 unsigned NumOrders = 1; 520 if (Op == AtomicExpr::Load) { 521 NumVals = 0; 522 } else if (Op == AtomicExpr::CmpXchgWeak || Op == AtomicExpr::CmpXchgStrong) { 523 NumVals = 2; 524 NumOrders = 2; 525 } 526 if (Op == AtomicExpr::Init) 527 NumOrders = 0; 528 529 if (TheCall->getNumArgs() < NumVals+NumOrders+1) { 530 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 531 << 0 << NumVals+NumOrders+1 << TheCall->getNumArgs() 532 << TheCall->getCallee()->getSourceRange(); 533 return ExprError(); 534 } else if (TheCall->getNumArgs() > NumVals+NumOrders+1) { 535 Diag(TheCall->getArg(NumVals+NumOrders+1)->getLocStart(), 536 diag::err_typecheck_call_too_many_args) 537 << 0 << NumVals+NumOrders+1 << TheCall->getNumArgs() 538 << TheCall->getCallee()->getSourceRange(); 539 return ExprError(); 540 } 541 542 // Inspect the first argument of the atomic operation. This should always be 543 // a pointer to an _Atomic type. 544 Expr *Ptr = TheCall->getArg(0); 545 Ptr = DefaultFunctionArrayLvalueConversion(Ptr).get(); 546 const PointerType *pointerType = Ptr->getType()->getAs<PointerType>(); 547 if (!pointerType) { 548 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic) 549 << Ptr->getType() << Ptr->getSourceRange(); 550 return ExprError(); 551 } 552 553 QualType AtomTy = pointerType->getPointeeType(); 554 if (!AtomTy->isAtomicType()) { 555 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic) 556 << Ptr->getType() << Ptr->getSourceRange(); 557 return ExprError(); 558 } 559 QualType ValType = AtomTy->getAs<AtomicType>()->getValueType(); 560 561 if ((Op == AtomicExpr::Add || Op == AtomicExpr::Sub) && 562 !ValType->isIntegerType() && !ValType->isPointerType()) { 563 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic_int_or_ptr) 564 << Ptr->getType() << Ptr->getSourceRange(); 565 return ExprError(); 566 } 567 568 if (!ValType->isIntegerType() && 569 (Op == AtomicExpr::And || Op == AtomicExpr::Or || Op == AtomicExpr::Xor)){ 570 Diag(DRE->getLocStart(), diag::err_atomic_op_logical_needs_atomic_int) 571 << Ptr->getType() << Ptr->getSourceRange(); 572 return ExprError(); 573 } 574 575 switch (ValType.getObjCLifetime()) { 576 case Qualifiers::OCL_None: 577 case Qualifiers::OCL_ExplicitNone: 578 // okay 579 break; 580 581 case Qualifiers::OCL_Weak: 582 case Qualifiers::OCL_Strong: 583 case Qualifiers::OCL_Autoreleasing: 584 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 585 << ValType << Ptr->getSourceRange(); 586 return ExprError(); 587 } 588 589 QualType ResultType = ValType; 590 if (Op == AtomicExpr::Store || Op == AtomicExpr::Init) 591 ResultType = Context.VoidTy; 592 else if (Op == AtomicExpr::CmpXchgWeak || Op == AtomicExpr::CmpXchgStrong) 593 ResultType = Context.BoolTy; 594 595 // The first argument --- the pointer --- has a fixed type; we 596 // deduce the types of the rest of the arguments accordingly. Walk 597 // the remaining arguments, converting them to the deduced value type. 598 for (unsigned i = 1; i != NumVals+NumOrders+1; ++i) { 599 ExprResult Arg = TheCall->getArg(i); 600 QualType Ty; 601 if (i < NumVals+1) { 602 // The second argument to a cmpxchg is a pointer to the data which will 603 // be exchanged. The second argument to a pointer add/subtract is the 604 // amount to add/subtract, which must be a ptrdiff_t. The third 605 // argument to a cmpxchg and the second argument in all other cases 606 // is the type of the value. 607 if (i == 1 && (Op == AtomicExpr::CmpXchgWeak || 608 Op == AtomicExpr::CmpXchgStrong)) 609 Ty = Context.getPointerType(ValType.getUnqualifiedType()); 610 else if (!ValType->isIntegerType() && 611 (Op == AtomicExpr::Add || Op == AtomicExpr::Sub)) 612 Ty = Context.getPointerDiffType(); 613 else 614 Ty = ValType; 615 } else { 616 // The order(s) are always converted to int. 617 Ty = Context.IntTy; 618 } 619 InitializedEntity Entity = 620 InitializedEntity::InitializeParameter(Context, Ty, false); 621 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg); 622 if (Arg.isInvalid()) 623 return true; 624 TheCall->setArg(i, Arg.get()); 625 } 626 627 SmallVector<Expr*, 5> SubExprs; 628 SubExprs.push_back(Ptr); 629 if (Op == AtomicExpr::Load) { 630 SubExprs.push_back(TheCall->getArg(1)); // Order 631 } else if (Op == AtomicExpr::Init) { 632 SubExprs.push_back(TheCall->getArg(1)); // Val1 633 } else if (Op != AtomicExpr::CmpXchgWeak && Op != AtomicExpr::CmpXchgStrong) { 634 SubExprs.push_back(TheCall->getArg(2)); // Order 635 SubExprs.push_back(TheCall->getArg(1)); // Val1 636 } else { 637 SubExprs.push_back(TheCall->getArg(3)); // Order 638 SubExprs.push_back(TheCall->getArg(1)); // Val1 639 SubExprs.push_back(TheCall->getArg(2)); // Val2 640 SubExprs.push_back(TheCall->getArg(4)); // OrderFail 641 } 642 643 return Owned(new (Context) AtomicExpr(TheCall->getCallee()->getLocStart(), 644 SubExprs.data(), SubExprs.size(), 645 ResultType, Op, 646 TheCall->getRParenLoc())); 647} 648 649 650/// checkBuiltinArgument - Given a call to a builtin function, perform 651/// normal type-checking on the given argument, updating the call in 652/// place. This is useful when a builtin function requires custom 653/// type-checking for some of its arguments but not necessarily all of 654/// them. 655/// 656/// Returns true on error. 657static bool checkBuiltinArgument(Sema &S, CallExpr *E, unsigned ArgIndex) { 658 FunctionDecl *Fn = E->getDirectCallee(); 659 assert(Fn && "builtin call without direct callee!"); 660 661 ParmVarDecl *Param = Fn->getParamDecl(ArgIndex); 662 InitializedEntity Entity = 663 InitializedEntity::InitializeParameter(S.Context, Param); 664 665 ExprResult Arg = E->getArg(0); 666 Arg = S.PerformCopyInitialization(Entity, SourceLocation(), Arg); 667 if (Arg.isInvalid()) 668 return true; 669 670 E->setArg(ArgIndex, Arg.take()); 671 return false; 672} 673 674/// SemaBuiltinAtomicOverloaded - We have a call to a function like 675/// __sync_fetch_and_add, which is an overloaded function based on the pointer 676/// type of its first argument. The main ActOnCallExpr routines have already 677/// promoted the types of arguments because all of these calls are prototyped as 678/// void(...). 679/// 680/// This function goes through and does final semantic checking for these 681/// builtins, 682ExprResult 683Sema::SemaBuiltinAtomicOverloaded(ExprResult TheCallResult) { 684 CallExpr *TheCall = (CallExpr *)TheCallResult.get(); 685 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 686 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 687 688 // Ensure that we have at least one argument to do type inference from. 689 if (TheCall->getNumArgs() < 1) { 690 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 691 << 0 << 1 << TheCall->getNumArgs() 692 << TheCall->getCallee()->getSourceRange(); 693 return ExprError(); 694 } 695 696 // Inspect the first argument of the atomic builtin. This should always be 697 // a pointer type, whose element is an integral scalar or pointer type. 698 // Because it is a pointer type, we don't have to worry about any implicit 699 // casts here. 700 // FIXME: We don't allow floating point scalars as input. 701 Expr *FirstArg = TheCall->getArg(0); 702 ExprResult FirstArgResult = DefaultFunctionArrayLvalueConversion(FirstArg); 703 if (FirstArgResult.isInvalid()) 704 return ExprError(); 705 FirstArg = FirstArgResult.take(); 706 TheCall->setArg(0, FirstArg); 707 708 const PointerType *pointerType = FirstArg->getType()->getAs<PointerType>(); 709 if (!pointerType) { 710 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 711 << FirstArg->getType() << FirstArg->getSourceRange(); 712 return ExprError(); 713 } 714 715 QualType ValType = pointerType->getPointeeType(); 716 if (!ValType->isIntegerType() && !ValType->isAnyPointerType() && 717 !ValType->isBlockPointerType()) { 718 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer_intptr) 719 << FirstArg->getType() << FirstArg->getSourceRange(); 720 return ExprError(); 721 } 722 723 switch (ValType.getObjCLifetime()) { 724 case Qualifiers::OCL_None: 725 case Qualifiers::OCL_ExplicitNone: 726 // okay 727 break; 728 729 case Qualifiers::OCL_Weak: 730 case Qualifiers::OCL_Strong: 731 case Qualifiers::OCL_Autoreleasing: 732 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 733 << ValType << FirstArg->getSourceRange(); 734 return ExprError(); 735 } 736 737 // Strip any qualifiers off ValType. 738 ValType = ValType.getUnqualifiedType(); 739 740 // The majority of builtins return a value, but a few have special return 741 // types, so allow them to override appropriately below. 742 QualType ResultType = ValType; 743 744 // We need to figure out which concrete builtin this maps onto. For example, 745 // __sync_fetch_and_add with a 2 byte object turns into 746 // __sync_fetch_and_add_2. 747#define BUILTIN_ROW(x) \ 748 { Builtin::BI##x##_1, Builtin::BI##x##_2, Builtin::BI##x##_4, \ 749 Builtin::BI##x##_8, Builtin::BI##x##_16 } 750 751 static const unsigned BuiltinIndices[][5] = { 752 BUILTIN_ROW(__sync_fetch_and_add), 753 BUILTIN_ROW(__sync_fetch_and_sub), 754 BUILTIN_ROW(__sync_fetch_and_or), 755 BUILTIN_ROW(__sync_fetch_and_and), 756 BUILTIN_ROW(__sync_fetch_and_xor), 757 758 BUILTIN_ROW(__sync_add_and_fetch), 759 BUILTIN_ROW(__sync_sub_and_fetch), 760 BUILTIN_ROW(__sync_and_and_fetch), 761 BUILTIN_ROW(__sync_or_and_fetch), 762 BUILTIN_ROW(__sync_xor_and_fetch), 763 764 BUILTIN_ROW(__sync_val_compare_and_swap), 765 BUILTIN_ROW(__sync_bool_compare_and_swap), 766 BUILTIN_ROW(__sync_lock_test_and_set), 767 BUILTIN_ROW(__sync_lock_release), 768 BUILTIN_ROW(__sync_swap) 769 }; 770#undef BUILTIN_ROW 771 772 // Determine the index of the size. 773 unsigned SizeIndex; 774 switch (Context.getTypeSizeInChars(ValType).getQuantity()) { 775 case 1: SizeIndex = 0; break; 776 case 2: SizeIndex = 1; break; 777 case 4: SizeIndex = 2; break; 778 case 8: SizeIndex = 3; break; 779 case 16: SizeIndex = 4; break; 780 default: 781 Diag(DRE->getLocStart(), diag::err_atomic_builtin_pointer_size) 782 << FirstArg->getType() << FirstArg->getSourceRange(); 783 return ExprError(); 784 } 785 786 // Each of these builtins has one pointer argument, followed by some number of 787 // values (0, 1 or 2) followed by a potentially empty varags list of stuff 788 // that we ignore. Find out which row of BuiltinIndices to read from as well 789 // as the number of fixed args. 790 unsigned BuiltinID = FDecl->getBuiltinID(); 791 unsigned BuiltinIndex, NumFixed = 1; 792 switch (BuiltinID) { 793 default: llvm_unreachable("Unknown overloaded atomic builtin!"); 794 case Builtin::BI__sync_fetch_and_add: 795 case Builtin::BI__sync_fetch_and_add_1: 796 case Builtin::BI__sync_fetch_and_add_2: 797 case Builtin::BI__sync_fetch_and_add_4: 798 case Builtin::BI__sync_fetch_and_add_8: 799 case Builtin::BI__sync_fetch_and_add_16: 800 BuiltinIndex = 0; 801 break; 802 803 case Builtin::BI__sync_fetch_and_sub: 804 case Builtin::BI__sync_fetch_and_sub_1: 805 case Builtin::BI__sync_fetch_and_sub_2: 806 case Builtin::BI__sync_fetch_and_sub_4: 807 case Builtin::BI__sync_fetch_and_sub_8: 808 case Builtin::BI__sync_fetch_and_sub_16: 809 BuiltinIndex = 1; 810 break; 811 812 case Builtin::BI__sync_fetch_and_or: 813 case Builtin::BI__sync_fetch_and_or_1: 814 case Builtin::BI__sync_fetch_and_or_2: 815 case Builtin::BI__sync_fetch_and_or_4: 816 case Builtin::BI__sync_fetch_and_or_8: 817 case Builtin::BI__sync_fetch_and_or_16: 818 BuiltinIndex = 2; 819 break; 820 821 case Builtin::BI__sync_fetch_and_and: 822 case Builtin::BI__sync_fetch_and_and_1: 823 case Builtin::BI__sync_fetch_and_and_2: 824 case Builtin::BI__sync_fetch_and_and_4: 825 case Builtin::BI__sync_fetch_and_and_8: 826 case Builtin::BI__sync_fetch_and_and_16: 827 BuiltinIndex = 3; 828 break; 829 830 case Builtin::BI__sync_fetch_and_xor: 831 case Builtin::BI__sync_fetch_and_xor_1: 832 case Builtin::BI__sync_fetch_and_xor_2: 833 case Builtin::BI__sync_fetch_and_xor_4: 834 case Builtin::BI__sync_fetch_and_xor_8: 835 case Builtin::BI__sync_fetch_and_xor_16: 836 BuiltinIndex = 4; 837 break; 838 839 case Builtin::BI__sync_add_and_fetch: 840 case Builtin::BI__sync_add_and_fetch_1: 841 case Builtin::BI__sync_add_and_fetch_2: 842 case Builtin::BI__sync_add_and_fetch_4: 843 case Builtin::BI__sync_add_and_fetch_8: 844 case Builtin::BI__sync_add_and_fetch_16: 845 BuiltinIndex = 5; 846 break; 847 848 case Builtin::BI__sync_sub_and_fetch: 849 case Builtin::BI__sync_sub_and_fetch_1: 850 case Builtin::BI__sync_sub_and_fetch_2: 851 case Builtin::BI__sync_sub_and_fetch_4: 852 case Builtin::BI__sync_sub_and_fetch_8: 853 case Builtin::BI__sync_sub_and_fetch_16: 854 BuiltinIndex = 6; 855 break; 856 857 case Builtin::BI__sync_and_and_fetch: 858 case Builtin::BI__sync_and_and_fetch_1: 859 case Builtin::BI__sync_and_and_fetch_2: 860 case Builtin::BI__sync_and_and_fetch_4: 861 case Builtin::BI__sync_and_and_fetch_8: 862 case Builtin::BI__sync_and_and_fetch_16: 863 BuiltinIndex = 7; 864 break; 865 866 case Builtin::BI__sync_or_and_fetch: 867 case Builtin::BI__sync_or_and_fetch_1: 868 case Builtin::BI__sync_or_and_fetch_2: 869 case Builtin::BI__sync_or_and_fetch_4: 870 case Builtin::BI__sync_or_and_fetch_8: 871 case Builtin::BI__sync_or_and_fetch_16: 872 BuiltinIndex = 8; 873 break; 874 875 case Builtin::BI__sync_xor_and_fetch: 876 case Builtin::BI__sync_xor_and_fetch_1: 877 case Builtin::BI__sync_xor_and_fetch_2: 878 case Builtin::BI__sync_xor_and_fetch_4: 879 case Builtin::BI__sync_xor_and_fetch_8: 880 case Builtin::BI__sync_xor_and_fetch_16: 881 BuiltinIndex = 9; 882 break; 883 884 case Builtin::BI__sync_val_compare_and_swap: 885 case Builtin::BI__sync_val_compare_and_swap_1: 886 case Builtin::BI__sync_val_compare_and_swap_2: 887 case Builtin::BI__sync_val_compare_and_swap_4: 888 case Builtin::BI__sync_val_compare_and_swap_8: 889 case Builtin::BI__sync_val_compare_and_swap_16: 890 BuiltinIndex = 10; 891 NumFixed = 2; 892 break; 893 894 case Builtin::BI__sync_bool_compare_and_swap: 895 case Builtin::BI__sync_bool_compare_and_swap_1: 896 case Builtin::BI__sync_bool_compare_and_swap_2: 897 case Builtin::BI__sync_bool_compare_and_swap_4: 898 case Builtin::BI__sync_bool_compare_and_swap_8: 899 case Builtin::BI__sync_bool_compare_and_swap_16: 900 BuiltinIndex = 11; 901 NumFixed = 2; 902 ResultType = Context.BoolTy; 903 break; 904 905 case Builtin::BI__sync_lock_test_and_set: 906 case Builtin::BI__sync_lock_test_and_set_1: 907 case Builtin::BI__sync_lock_test_and_set_2: 908 case Builtin::BI__sync_lock_test_and_set_4: 909 case Builtin::BI__sync_lock_test_and_set_8: 910 case Builtin::BI__sync_lock_test_and_set_16: 911 BuiltinIndex = 12; 912 break; 913 914 case Builtin::BI__sync_lock_release: 915 case Builtin::BI__sync_lock_release_1: 916 case Builtin::BI__sync_lock_release_2: 917 case Builtin::BI__sync_lock_release_4: 918 case Builtin::BI__sync_lock_release_8: 919 case Builtin::BI__sync_lock_release_16: 920 BuiltinIndex = 13; 921 NumFixed = 0; 922 ResultType = Context.VoidTy; 923 break; 924 925 case Builtin::BI__sync_swap: 926 case Builtin::BI__sync_swap_1: 927 case Builtin::BI__sync_swap_2: 928 case Builtin::BI__sync_swap_4: 929 case Builtin::BI__sync_swap_8: 930 case Builtin::BI__sync_swap_16: 931 BuiltinIndex = 14; 932 break; 933 } 934 935 // Now that we know how many fixed arguments we expect, first check that we 936 // have at least that many. 937 if (TheCall->getNumArgs() < 1+NumFixed) { 938 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 939 << 0 << 1+NumFixed << TheCall->getNumArgs() 940 << TheCall->getCallee()->getSourceRange(); 941 return ExprError(); 942 } 943 944 // Get the decl for the concrete builtin from this, we can tell what the 945 // concrete integer type we should convert to is. 946 unsigned NewBuiltinID = BuiltinIndices[BuiltinIndex][SizeIndex]; 947 const char *NewBuiltinName = Context.BuiltinInfo.GetName(NewBuiltinID); 948 IdentifierInfo *NewBuiltinII = PP.getIdentifierInfo(NewBuiltinName); 949 FunctionDecl *NewBuiltinDecl = 950 cast<FunctionDecl>(LazilyCreateBuiltin(NewBuiltinII, NewBuiltinID, 951 TUScope, false, DRE->getLocStart())); 952 953 // The first argument --- the pointer --- has a fixed type; we 954 // deduce the types of the rest of the arguments accordingly. Walk 955 // the remaining arguments, converting them to the deduced value type. 956 for (unsigned i = 0; i != NumFixed; ++i) { 957 ExprResult Arg = TheCall->getArg(i+1); 958 959 // GCC does an implicit conversion to the pointer or integer ValType. This 960 // can fail in some cases (1i -> int**), check for this error case now. 961 // Initialize the argument. 962 InitializedEntity Entity = InitializedEntity::InitializeParameter(Context, 963 ValType, /*consume*/ false); 964 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg); 965 if (Arg.isInvalid()) 966 return ExprError(); 967 968 // Okay, we have something that *can* be converted to the right type. Check 969 // to see if there is a potentially weird extension going on here. This can 970 // happen when you do an atomic operation on something like an char* and 971 // pass in 42. The 42 gets converted to char. This is even more strange 972 // for things like 45.123 -> char, etc. 973 // FIXME: Do this check. 974 TheCall->setArg(i+1, Arg.take()); 975 } 976 977 ASTContext& Context = this->getASTContext(); 978 979 // Create a new DeclRefExpr to refer to the new decl. 980 DeclRefExpr* NewDRE = DeclRefExpr::Create( 981 Context, 982 DRE->getQualifierLoc(), 983 SourceLocation(), 984 NewBuiltinDecl, 985 DRE->getLocation(), 986 NewBuiltinDecl->getType(), 987 DRE->getValueKind()); 988 989 // Set the callee in the CallExpr. 990 // FIXME: This leaks the original parens and implicit casts. 991 ExprResult PromotedCall = UsualUnaryConversions(NewDRE); 992 if (PromotedCall.isInvalid()) 993 return ExprError(); 994 TheCall->setCallee(PromotedCall.take()); 995 996 // Change the result type of the call to match the original value type. This 997 // is arbitrary, but the codegen for these builtins ins design to handle it 998 // gracefully. 999 TheCall->setType(ResultType); 1000 1001 return move(TheCallResult); 1002} 1003 1004/// CheckObjCString - Checks that the argument to the builtin 1005/// CFString constructor is correct 1006/// Note: It might also make sense to do the UTF-16 conversion here (would 1007/// simplify the backend). 1008bool Sema::CheckObjCString(Expr *Arg) { 1009 Arg = Arg->IgnoreParenCasts(); 1010 StringLiteral *Literal = dyn_cast<StringLiteral>(Arg); 1011 1012 if (!Literal || !Literal->isAscii()) { 1013 Diag(Arg->getLocStart(), diag::err_cfstring_literal_not_string_constant) 1014 << Arg->getSourceRange(); 1015 return true; 1016 } 1017 1018 if (Literal->containsNonAsciiOrNull()) { 1019 StringRef String = Literal->getString(); 1020 unsigned NumBytes = String.size(); 1021 SmallVector<UTF16, 128> ToBuf(NumBytes); 1022 const UTF8 *FromPtr = (UTF8 *)String.data(); 1023 UTF16 *ToPtr = &ToBuf[0]; 1024 1025 ConversionResult Result = ConvertUTF8toUTF16(&FromPtr, FromPtr + NumBytes, 1026 &ToPtr, ToPtr + NumBytes, 1027 strictConversion); 1028 // Check for conversion failure. 1029 if (Result != conversionOK) 1030 Diag(Arg->getLocStart(), 1031 diag::warn_cfstring_truncated) << Arg->getSourceRange(); 1032 } 1033 return false; 1034} 1035 1036/// SemaBuiltinVAStart - Check the arguments to __builtin_va_start for validity. 1037/// Emit an error and return true on failure, return false on success. 1038bool Sema::SemaBuiltinVAStart(CallExpr *TheCall) { 1039 Expr *Fn = TheCall->getCallee(); 1040 if (TheCall->getNumArgs() > 2) { 1041 Diag(TheCall->getArg(2)->getLocStart(), 1042 diag::err_typecheck_call_too_many_args) 1043 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 1044 << Fn->getSourceRange() 1045 << SourceRange(TheCall->getArg(2)->getLocStart(), 1046 (*(TheCall->arg_end()-1))->getLocEnd()); 1047 return true; 1048 } 1049 1050 if (TheCall->getNumArgs() < 2) { 1051 return Diag(TheCall->getLocEnd(), 1052 diag::err_typecheck_call_too_few_args_at_least) 1053 << 0 /*function call*/ << 2 << TheCall->getNumArgs(); 1054 } 1055 1056 // Type-check the first argument normally. 1057 if (checkBuiltinArgument(*this, TheCall, 0)) 1058 return true; 1059 1060 // Determine whether the current function is variadic or not. 1061 BlockScopeInfo *CurBlock = getCurBlock(); 1062 bool isVariadic; 1063 if (CurBlock) 1064 isVariadic = CurBlock->TheDecl->isVariadic(); 1065 else if (FunctionDecl *FD = getCurFunctionDecl()) 1066 isVariadic = FD->isVariadic(); 1067 else 1068 isVariadic = getCurMethodDecl()->isVariadic(); 1069 1070 if (!isVariadic) { 1071 Diag(Fn->getLocStart(), diag::err_va_start_used_in_non_variadic_function); 1072 return true; 1073 } 1074 1075 // Verify that the second argument to the builtin is the last argument of the 1076 // current function or method. 1077 bool SecondArgIsLastNamedArgument = false; 1078 const Expr *Arg = TheCall->getArg(1)->IgnoreParenCasts(); 1079 1080 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Arg)) { 1081 if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(DR->getDecl())) { 1082 // FIXME: This isn't correct for methods (results in bogus warning). 1083 // Get the last formal in the current function. 1084 const ParmVarDecl *LastArg; 1085 if (CurBlock) 1086 LastArg = *(CurBlock->TheDecl->param_end()-1); 1087 else if (FunctionDecl *FD = getCurFunctionDecl()) 1088 LastArg = *(FD->param_end()-1); 1089 else 1090 LastArg = *(getCurMethodDecl()->param_end()-1); 1091 SecondArgIsLastNamedArgument = PV == LastArg; 1092 } 1093 } 1094 1095 if (!SecondArgIsLastNamedArgument) 1096 Diag(TheCall->getArg(1)->getLocStart(), 1097 diag::warn_second_parameter_of_va_start_not_last_named_argument); 1098 return false; 1099} 1100 1101/// SemaBuiltinUnorderedCompare - Handle functions like __builtin_isgreater and 1102/// friends. This is declared to take (...), so we have to check everything. 1103bool Sema::SemaBuiltinUnorderedCompare(CallExpr *TheCall) { 1104 if (TheCall->getNumArgs() < 2) 1105 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 1106 << 0 << 2 << TheCall->getNumArgs()/*function call*/; 1107 if (TheCall->getNumArgs() > 2) 1108 return Diag(TheCall->getArg(2)->getLocStart(), 1109 diag::err_typecheck_call_too_many_args) 1110 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 1111 << SourceRange(TheCall->getArg(2)->getLocStart(), 1112 (*(TheCall->arg_end()-1))->getLocEnd()); 1113 1114 ExprResult OrigArg0 = TheCall->getArg(0); 1115 ExprResult OrigArg1 = TheCall->getArg(1); 1116 1117 // Do standard promotions between the two arguments, returning their common 1118 // type. 1119 QualType Res = UsualArithmeticConversions(OrigArg0, OrigArg1, false); 1120 if (OrigArg0.isInvalid() || OrigArg1.isInvalid()) 1121 return true; 1122 1123 // Make sure any conversions are pushed back into the call; this is 1124 // type safe since unordered compare builtins are declared as "_Bool 1125 // foo(...)". 1126 TheCall->setArg(0, OrigArg0.get()); 1127 TheCall->setArg(1, OrigArg1.get()); 1128 1129 if (OrigArg0.get()->isTypeDependent() || OrigArg1.get()->isTypeDependent()) 1130 return false; 1131 1132 // If the common type isn't a real floating type, then the arguments were 1133 // invalid for this operation. 1134 if (!Res->isRealFloatingType()) 1135 return Diag(OrigArg0.get()->getLocStart(), 1136 diag::err_typecheck_call_invalid_ordered_compare) 1137 << OrigArg0.get()->getType() << OrigArg1.get()->getType() 1138 << SourceRange(OrigArg0.get()->getLocStart(), OrigArg1.get()->getLocEnd()); 1139 1140 return false; 1141} 1142 1143/// SemaBuiltinSemaBuiltinFPClassification - Handle functions like 1144/// __builtin_isnan and friends. This is declared to take (...), so we have 1145/// to check everything. We expect the last argument to be a floating point 1146/// value. 1147bool Sema::SemaBuiltinFPClassification(CallExpr *TheCall, unsigned NumArgs) { 1148 if (TheCall->getNumArgs() < NumArgs) 1149 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 1150 << 0 << NumArgs << TheCall->getNumArgs()/*function call*/; 1151 if (TheCall->getNumArgs() > NumArgs) 1152 return Diag(TheCall->getArg(NumArgs)->getLocStart(), 1153 diag::err_typecheck_call_too_many_args) 1154 << 0 /*function call*/ << NumArgs << TheCall->getNumArgs() 1155 << SourceRange(TheCall->getArg(NumArgs)->getLocStart(), 1156 (*(TheCall->arg_end()-1))->getLocEnd()); 1157 1158 Expr *OrigArg = TheCall->getArg(NumArgs-1); 1159 1160 if (OrigArg->isTypeDependent()) 1161 return false; 1162 1163 // This operation requires a non-_Complex floating-point number. 1164 if (!OrigArg->getType()->isRealFloatingType()) 1165 return Diag(OrigArg->getLocStart(), 1166 diag::err_typecheck_call_invalid_unary_fp) 1167 << OrigArg->getType() << OrigArg->getSourceRange(); 1168 1169 // If this is an implicit conversion from float -> double, remove it. 1170 if (ImplicitCastExpr *Cast = dyn_cast<ImplicitCastExpr>(OrigArg)) { 1171 Expr *CastArg = Cast->getSubExpr(); 1172 if (CastArg->getType()->isSpecificBuiltinType(BuiltinType::Float)) { 1173 assert(Cast->getType()->isSpecificBuiltinType(BuiltinType::Double) && 1174 "promotion from float to double is the only expected cast here"); 1175 Cast->setSubExpr(0); 1176 TheCall->setArg(NumArgs-1, CastArg); 1177 OrigArg = CastArg; 1178 } 1179 } 1180 1181 return false; 1182} 1183 1184/// SemaBuiltinShuffleVector - Handle __builtin_shufflevector. 1185// This is declared to take (...), so we have to check everything. 1186ExprResult Sema::SemaBuiltinShuffleVector(CallExpr *TheCall) { 1187 if (TheCall->getNumArgs() < 2) 1188 return ExprError(Diag(TheCall->getLocEnd(), 1189 diag::err_typecheck_call_too_few_args_at_least) 1190 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 1191 << TheCall->getSourceRange()); 1192 1193 // Determine which of the following types of shufflevector we're checking: 1194 // 1) unary, vector mask: (lhs, mask) 1195 // 2) binary, vector mask: (lhs, rhs, mask) 1196 // 3) binary, scalar mask: (lhs, rhs, index, ..., index) 1197 QualType resType = TheCall->getArg(0)->getType(); 1198 unsigned numElements = 0; 1199 1200 if (!TheCall->getArg(0)->isTypeDependent() && 1201 !TheCall->getArg(1)->isTypeDependent()) { 1202 QualType LHSType = TheCall->getArg(0)->getType(); 1203 QualType RHSType = TheCall->getArg(1)->getType(); 1204 1205 if (!LHSType->isVectorType() || !RHSType->isVectorType()) { 1206 Diag(TheCall->getLocStart(), diag::err_shufflevector_non_vector) 1207 << SourceRange(TheCall->getArg(0)->getLocStart(), 1208 TheCall->getArg(1)->getLocEnd()); 1209 return ExprError(); 1210 } 1211 1212 numElements = LHSType->getAs<VectorType>()->getNumElements(); 1213 unsigned numResElements = TheCall->getNumArgs() - 2; 1214 1215 // Check to see if we have a call with 2 vector arguments, the unary shuffle 1216 // with mask. If so, verify that RHS is an integer vector type with the 1217 // same number of elts as lhs. 1218 if (TheCall->getNumArgs() == 2) { 1219 if (!RHSType->hasIntegerRepresentation() || 1220 RHSType->getAs<VectorType>()->getNumElements() != numElements) 1221 Diag(TheCall->getLocStart(), diag::err_shufflevector_incompatible_vector) 1222 << SourceRange(TheCall->getArg(1)->getLocStart(), 1223 TheCall->getArg(1)->getLocEnd()); 1224 numResElements = numElements; 1225 } 1226 else if (!Context.hasSameUnqualifiedType(LHSType, RHSType)) { 1227 Diag(TheCall->getLocStart(), diag::err_shufflevector_incompatible_vector) 1228 << SourceRange(TheCall->getArg(0)->getLocStart(), 1229 TheCall->getArg(1)->getLocEnd()); 1230 return ExprError(); 1231 } else if (numElements != numResElements) { 1232 QualType eltType = LHSType->getAs<VectorType>()->getElementType(); 1233 resType = Context.getVectorType(eltType, numResElements, 1234 VectorType::GenericVector); 1235 } 1236 } 1237 1238 for (unsigned i = 2; i < TheCall->getNumArgs(); i++) { 1239 if (TheCall->getArg(i)->isTypeDependent() || 1240 TheCall->getArg(i)->isValueDependent()) 1241 continue; 1242 1243 llvm::APSInt Result(32); 1244 if (!TheCall->getArg(i)->isIntegerConstantExpr(Result, Context)) 1245 return ExprError(Diag(TheCall->getLocStart(), 1246 diag::err_shufflevector_nonconstant_argument) 1247 << TheCall->getArg(i)->getSourceRange()); 1248 1249 if (Result.getActiveBits() > 64 || Result.getZExtValue() >= numElements*2) 1250 return ExprError(Diag(TheCall->getLocStart(), 1251 diag::err_shufflevector_argument_too_large) 1252 << TheCall->getArg(i)->getSourceRange()); 1253 } 1254 1255 SmallVector<Expr*, 32> exprs; 1256 1257 for (unsigned i = 0, e = TheCall->getNumArgs(); i != e; i++) { 1258 exprs.push_back(TheCall->getArg(i)); 1259 TheCall->setArg(i, 0); 1260 } 1261 1262 return Owned(new (Context) ShuffleVectorExpr(Context, exprs.begin(), 1263 exprs.size(), resType, 1264 TheCall->getCallee()->getLocStart(), 1265 TheCall->getRParenLoc())); 1266} 1267 1268/// SemaBuiltinPrefetch - Handle __builtin_prefetch. 1269// This is declared to take (const void*, ...) and can take two 1270// optional constant int args. 1271bool Sema::SemaBuiltinPrefetch(CallExpr *TheCall) { 1272 unsigned NumArgs = TheCall->getNumArgs(); 1273 1274 if (NumArgs > 3) 1275 return Diag(TheCall->getLocEnd(), 1276 diag::err_typecheck_call_too_many_args_at_most) 1277 << 0 /*function call*/ << 3 << NumArgs 1278 << TheCall->getSourceRange(); 1279 1280 // Argument 0 is checked for us and the remaining arguments must be 1281 // constant integers. 1282 for (unsigned i = 1; i != NumArgs; ++i) { 1283 Expr *Arg = TheCall->getArg(i); 1284 1285 llvm::APSInt Result; 1286 if (SemaBuiltinConstantArg(TheCall, i, Result)) 1287 return true; 1288 1289 // FIXME: gcc issues a warning and rewrites these to 0. These 1290 // seems especially odd for the third argument since the default 1291 // is 3. 1292 if (i == 1) { 1293 if (Result.getLimitedValue() > 1) 1294 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 1295 << "0" << "1" << Arg->getSourceRange(); 1296 } else { 1297 if (Result.getLimitedValue() > 3) 1298 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 1299 << "0" << "3" << Arg->getSourceRange(); 1300 } 1301 } 1302 1303 return false; 1304} 1305 1306/// SemaBuiltinConstantArg - Handle a check if argument ArgNum of CallExpr 1307/// TheCall is a constant expression. 1308bool Sema::SemaBuiltinConstantArg(CallExpr *TheCall, int ArgNum, 1309 llvm::APSInt &Result) { 1310 Expr *Arg = TheCall->getArg(ArgNum); 1311 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 1312 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 1313 1314 if (Arg->isTypeDependent() || Arg->isValueDependent()) return false; 1315 1316 if (!Arg->isIntegerConstantExpr(Result, Context)) 1317 return Diag(TheCall->getLocStart(), diag::err_constant_integer_arg_type) 1318 << FDecl->getDeclName() << Arg->getSourceRange(); 1319 1320 return false; 1321} 1322 1323/// SemaBuiltinObjectSize - Handle __builtin_object_size(void *ptr, 1324/// int type). This simply type checks that type is one of the defined 1325/// constants (0-3). 1326// For compatibility check 0-3, llvm only handles 0 and 2. 1327bool Sema::SemaBuiltinObjectSize(CallExpr *TheCall) { 1328 llvm::APSInt Result; 1329 1330 // Check constant-ness first. 1331 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 1332 return true; 1333 1334 Expr *Arg = TheCall->getArg(1); 1335 if (Result.getSExtValue() < 0 || Result.getSExtValue() > 3) { 1336 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 1337 << "0" << "3" << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 1338 } 1339 1340 return false; 1341} 1342 1343/// SemaBuiltinLongjmp - Handle __builtin_longjmp(void *env[5], int val). 1344/// This checks that val is a constant 1. 1345bool Sema::SemaBuiltinLongjmp(CallExpr *TheCall) { 1346 Expr *Arg = TheCall->getArg(1); 1347 llvm::APSInt Result; 1348 1349 // TODO: This is less than ideal. Overload this to take a value. 1350 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 1351 return true; 1352 1353 if (Result != 1) 1354 return Diag(TheCall->getLocStart(), diag::err_builtin_longjmp_invalid_val) 1355 << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 1356 1357 return false; 1358} 1359 1360// Handle i > 1 ? "x" : "y", recursively. 1361bool Sema::SemaCheckStringLiteral(const Expr *E, Expr **Args, 1362 unsigned NumArgs, bool HasVAListArg, 1363 unsigned format_idx, unsigned firstDataArg, 1364 FormatStringType Type, bool inFunctionCall) { 1365 tryAgain: 1366 if (E->isTypeDependent() || E->isValueDependent()) 1367 return false; 1368 1369 E = E->IgnoreParenCasts(); 1370 1371 switch (E->getStmtClass()) { 1372 case Stmt::BinaryConditionalOperatorClass: 1373 case Stmt::ConditionalOperatorClass: { 1374 const AbstractConditionalOperator *C = cast<AbstractConditionalOperator>(E); 1375 return SemaCheckStringLiteral(C->getTrueExpr(), Args, NumArgs, HasVAListArg, 1376 format_idx, firstDataArg, Type, 1377 inFunctionCall) 1378 && SemaCheckStringLiteral(C->getFalseExpr(), Args, NumArgs, HasVAListArg, 1379 format_idx, firstDataArg, Type, 1380 inFunctionCall); 1381 } 1382 1383 case Stmt::IntegerLiteralClass: 1384 // Technically -Wformat-nonliteral does not warn about this case. 1385 // The behavior of printf and friends in this case is implementation 1386 // dependent. Ideally if the format string cannot be null then 1387 // it should have a 'nonnull' attribute in the function prototype. 1388 return true; 1389 1390 case Stmt::ImplicitCastExprClass: { 1391 E = cast<ImplicitCastExpr>(E)->getSubExpr(); 1392 goto tryAgain; 1393 } 1394 1395 case Stmt::OpaqueValueExprClass: 1396 if (const Expr *src = cast<OpaqueValueExpr>(E)->getSourceExpr()) { 1397 E = src; 1398 goto tryAgain; 1399 } 1400 return false; 1401 1402 case Stmt::PredefinedExprClass: 1403 // While __func__, etc., are technically not string literals, they 1404 // cannot contain format specifiers and thus are not a security 1405 // liability. 1406 return true; 1407 1408 case Stmt::DeclRefExprClass: { 1409 const DeclRefExpr *DR = cast<DeclRefExpr>(E); 1410 1411 // As an exception, do not flag errors for variables binding to 1412 // const string literals. 1413 if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) { 1414 bool isConstant = false; 1415 QualType T = DR->getType(); 1416 1417 if (const ArrayType *AT = Context.getAsArrayType(T)) { 1418 isConstant = AT->getElementType().isConstant(Context); 1419 } else if (const PointerType *PT = T->getAs<PointerType>()) { 1420 isConstant = T.isConstant(Context) && 1421 PT->getPointeeType().isConstant(Context); 1422 } else if (T->isObjCObjectPointerType()) { 1423 // In ObjC, there is usually no "const ObjectPointer" type, 1424 // so don't check if the pointee type is constant. 1425 isConstant = T.isConstant(Context); 1426 } 1427 1428 if (isConstant) { 1429 if (const Expr *Init = VD->getAnyInitializer()) 1430 return SemaCheckStringLiteral(Init, Args, NumArgs, 1431 HasVAListArg, format_idx, firstDataArg, 1432 Type, /*inFunctionCall*/false); 1433 } 1434 1435 // For vprintf* functions (i.e., HasVAListArg==true), we add a 1436 // special check to see if the format string is a function parameter 1437 // of the function calling the printf function. If the function 1438 // has an attribute indicating it is a printf-like function, then we 1439 // should suppress warnings concerning non-literals being used in a call 1440 // to a vprintf function. For example: 1441 // 1442 // void 1443 // logmessage(char const *fmt __attribute__ (format (printf, 1, 2)), ...){ 1444 // va_list ap; 1445 // va_start(ap, fmt); 1446 // vprintf(fmt, ap); // Do NOT emit a warning about "fmt". 1447 // ... 1448 // 1449 // 1450 // FIXME: We don't have full attribute support yet, so just check to see 1451 // if the argument is a DeclRefExpr that references a parameter. We'll 1452 // add proper support for checking the attribute later. 1453 if (HasVAListArg) 1454 if (isa<ParmVarDecl>(VD)) 1455 return true; 1456 } 1457 1458 return false; 1459 } 1460 1461 case Stmt::CallExprClass: { 1462 const CallExpr *CE = cast<CallExpr>(E); 1463 if (const ImplicitCastExpr *ICE 1464 = dyn_cast<ImplicitCastExpr>(CE->getCallee())) { 1465 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(ICE->getSubExpr())) { 1466 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(DRE->getDecl())) { 1467 if (const FormatArgAttr *FA = FD->getAttr<FormatArgAttr>()) { 1468 unsigned ArgIndex = FA->getFormatIdx(); 1469 const Expr *Arg = CE->getArg(ArgIndex - 1); 1470 1471 return SemaCheckStringLiteral(Arg, Args, NumArgs, HasVAListArg, 1472 format_idx, firstDataArg, Type, 1473 inFunctionCall); 1474 } 1475 } 1476 } 1477 } 1478 1479 return false; 1480 } 1481 case Stmt::ObjCStringLiteralClass: 1482 case Stmt::StringLiteralClass: { 1483 const StringLiteral *StrE = NULL; 1484 1485 if (const ObjCStringLiteral *ObjCFExpr = dyn_cast<ObjCStringLiteral>(E)) 1486 StrE = ObjCFExpr->getString(); 1487 else 1488 StrE = cast<StringLiteral>(E); 1489 1490 if (StrE) { 1491 CheckFormatString(StrE, E, Args, NumArgs, HasVAListArg, format_idx, 1492 firstDataArg, Type, inFunctionCall); 1493 return true; 1494 } 1495 1496 return false; 1497 } 1498 1499 default: 1500 return false; 1501 } 1502} 1503 1504void 1505Sema::CheckNonNullArguments(const NonNullAttr *NonNull, 1506 const Expr * const *ExprArgs, 1507 SourceLocation CallSiteLoc) { 1508 for (NonNullAttr::args_iterator i = NonNull->args_begin(), 1509 e = NonNull->args_end(); 1510 i != e; ++i) { 1511 const Expr *ArgExpr = ExprArgs[*i]; 1512 if (ArgExpr->isNullPointerConstant(Context, 1513 Expr::NPC_ValueDependentIsNotNull)) 1514 Diag(CallSiteLoc, diag::warn_null_arg) << ArgExpr->getSourceRange(); 1515 } 1516} 1517 1518Sema::FormatStringType Sema::GetFormatStringType(const FormatAttr *Format) { 1519 return llvm::StringSwitch<FormatStringType>(Format->getType()) 1520 .Case("scanf", FST_Scanf) 1521 .Cases("printf", "printf0", FST_Printf) 1522 .Cases("NSString", "CFString", FST_NSString) 1523 .Case("strftime", FST_Strftime) 1524 .Case("strfmon", FST_Strfmon) 1525 .Cases("kprintf", "cmn_err", "vcmn_err", "zcmn_err", FST_Kprintf) 1526 .Default(FST_Unknown); 1527} 1528 1529/// CheckPrintfScanfArguments - Check calls to printf and scanf (and similar 1530/// functions) for correct use of format strings. 1531void Sema::CheckFormatArguments(const FormatAttr *Format, CallExpr *TheCall) { 1532 bool IsCXXMember = false; 1533 // The way the format attribute works in GCC, the implicit this argument 1534 // of member functions is counted. However, it doesn't appear in our own 1535 // lists, so decrement format_idx in that case. 1536 if (isa<CXXMemberCallExpr>(TheCall)) { 1537 const CXXMethodDecl *method_decl = 1538 dyn_cast<CXXMethodDecl>(TheCall->getCalleeDecl()); 1539 IsCXXMember = method_decl && method_decl->isInstance(); 1540 } 1541 CheckFormatArguments(Format, TheCall->getArgs(), TheCall->getNumArgs(), 1542 IsCXXMember, TheCall->getRParenLoc(), 1543 TheCall->getCallee()->getSourceRange()); 1544} 1545 1546void Sema::CheckFormatArguments(const FormatAttr *Format, Expr **Args, 1547 unsigned NumArgs, bool IsCXXMember, 1548 SourceLocation Loc, SourceRange Range) { 1549 bool HasVAListArg = Format->getFirstArg() == 0; 1550 unsigned format_idx = Format->getFormatIdx() - 1; 1551 unsigned firstDataArg = HasVAListArg ? 0 : Format->getFirstArg() - 1; 1552 if (IsCXXMember) { 1553 if (format_idx == 0) 1554 return; 1555 --format_idx; 1556 if(firstDataArg != 0) 1557 --firstDataArg; 1558 } 1559 CheckFormatArguments(Args, NumArgs, HasVAListArg, format_idx, 1560 firstDataArg, GetFormatStringType(Format), Loc, Range); 1561} 1562 1563void Sema::CheckFormatArguments(Expr **Args, unsigned NumArgs, 1564 bool HasVAListArg, unsigned format_idx, 1565 unsigned firstDataArg, FormatStringType Type, 1566 SourceLocation Loc, SourceRange Range) { 1567 // CHECK: printf/scanf-like function is called with no format string. 1568 if (format_idx >= NumArgs) { 1569 Diag(Loc, diag::warn_missing_format_string) << Range; 1570 return; 1571 } 1572 1573 const Expr *OrigFormatExpr = Args[format_idx]->IgnoreParenCasts(); 1574 1575 // CHECK: format string is not a string literal. 1576 // 1577 // Dynamically generated format strings are difficult to 1578 // automatically vet at compile time. Requiring that format strings 1579 // are string literals: (1) permits the checking of format strings by 1580 // the compiler and thereby (2) can practically remove the source of 1581 // many format string exploits. 1582 1583 // Format string can be either ObjC string (e.g. @"%d") or 1584 // C string (e.g. "%d") 1585 // ObjC string uses the same format specifiers as C string, so we can use 1586 // the same format string checking logic for both ObjC and C strings. 1587 if (SemaCheckStringLiteral(OrigFormatExpr, Args, NumArgs, HasVAListArg, 1588 format_idx, firstDataArg, Type)) 1589 return; // Literal format string found, check done! 1590 1591 // Do not emit diag when the string param is a macro expansion and the 1592 // format is either NSString or CFString. This is a hack to prevent 1593 // diag when using the NSLocalizedString and CFCopyLocalizedString macros 1594 // which are usually used in place of NS and CF string literals. 1595 if (Type == FST_NSString && Args[format_idx]->getLocStart().isMacroID()) 1596 return; 1597 1598 // If there are no arguments specified, warn with -Wformat-security, otherwise 1599 // warn only with -Wformat-nonliteral. 1600 if (NumArgs == format_idx+1) 1601 Diag(Args[format_idx]->getLocStart(), 1602 diag::warn_format_nonliteral_noargs) 1603 << OrigFormatExpr->getSourceRange(); 1604 else 1605 Diag(Args[format_idx]->getLocStart(), 1606 diag::warn_format_nonliteral) 1607 << OrigFormatExpr->getSourceRange(); 1608} 1609 1610namespace { 1611class CheckFormatHandler : public analyze_format_string::FormatStringHandler { 1612protected: 1613 Sema &S; 1614 const StringLiteral *FExpr; 1615 const Expr *OrigFormatExpr; 1616 const unsigned FirstDataArg; 1617 const unsigned NumDataArgs; 1618 const bool IsObjCLiteral; 1619 const char *Beg; // Start of format string. 1620 const bool HasVAListArg; 1621 const Expr * const *Args; 1622 const unsigned NumArgs; 1623 unsigned FormatIdx; 1624 llvm::BitVector CoveredArgs; 1625 bool usesPositionalArgs; 1626 bool atFirstArg; 1627 bool inFunctionCall; 1628public: 1629 CheckFormatHandler(Sema &s, const StringLiteral *fexpr, 1630 const Expr *origFormatExpr, unsigned firstDataArg, 1631 unsigned numDataArgs, bool isObjCLiteral, 1632 const char *beg, bool hasVAListArg, 1633 Expr **args, unsigned numArgs, 1634 unsigned formatIdx, bool inFunctionCall) 1635 : S(s), FExpr(fexpr), OrigFormatExpr(origFormatExpr), 1636 FirstDataArg(firstDataArg), 1637 NumDataArgs(numDataArgs), 1638 IsObjCLiteral(isObjCLiteral), Beg(beg), 1639 HasVAListArg(hasVAListArg), 1640 Args(args), NumArgs(numArgs), FormatIdx(formatIdx), 1641 usesPositionalArgs(false), atFirstArg(true), 1642 inFunctionCall(inFunctionCall) { 1643 CoveredArgs.resize(numDataArgs); 1644 CoveredArgs.reset(); 1645 } 1646 1647 void DoneProcessing(); 1648 1649 void HandleIncompleteSpecifier(const char *startSpecifier, 1650 unsigned specifierLen); 1651 1652 virtual void HandleInvalidPosition(const char *startSpecifier, 1653 unsigned specifierLen, 1654 analyze_format_string::PositionContext p); 1655 1656 virtual void HandleZeroPosition(const char *startPos, unsigned posLen); 1657 1658 void HandleNullChar(const char *nullCharacter); 1659 1660 template <typename Range> 1661 static void EmitFormatDiagnostic(Sema &S, bool inFunctionCall, 1662 const Expr *ArgumentExpr, 1663 PartialDiagnostic PDiag, 1664 SourceLocation StringLoc, 1665 bool IsStringLocation, Range StringRange, 1666 FixItHint Fixit = FixItHint()); 1667 1668protected: 1669 bool HandleInvalidConversionSpecifier(unsigned argIndex, SourceLocation Loc, 1670 const char *startSpec, 1671 unsigned specifierLen, 1672 const char *csStart, unsigned csLen); 1673 1674 void HandlePositionalNonpositionalArgs(SourceLocation Loc, 1675 const char *startSpec, 1676 unsigned specifierLen); 1677 1678 SourceRange getFormatStringRange(); 1679 CharSourceRange getSpecifierRange(const char *startSpecifier, 1680 unsigned specifierLen); 1681 SourceLocation getLocationOfByte(const char *x); 1682 1683 const Expr *getDataArg(unsigned i) const; 1684 1685 bool CheckNumArgs(const analyze_format_string::FormatSpecifier &FS, 1686 const analyze_format_string::ConversionSpecifier &CS, 1687 const char *startSpecifier, unsigned specifierLen, 1688 unsigned argIndex); 1689 1690 template <typename Range> 1691 void EmitFormatDiagnostic(PartialDiagnostic PDiag, SourceLocation StringLoc, 1692 bool IsStringLocation, Range StringRange, 1693 FixItHint Fixit = FixItHint()); 1694 1695 void CheckPositionalAndNonpositionalArgs( 1696 const analyze_format_string::FormatSpecifier *FS); 1697}; 1698} 1699 1700SourceRange CheckFormatHandler::getFormatStringRange() { 1701 return OrigFormatExpr->getSourceRange(); 1702} 1703 1704CharSourceRange CheckFormatHandler:: 1705getSpecifierRange(const char *startSpecifier, unsigned specifierLen) { 1706 SourceLocation Start = getLocationOfByte(startSpecifier); 1707 SourceLocation End = getLocationOfByte(startSpecifier + specifierLen - 1); 1708 1709 // Advance the end SourceLocation by one due to half-open ranges. 1710 End = End.getLocWithOffset(1); 1711 1712 return CharSourceRange::getCharRange(Start, End); 1713} 1714 1715SourceLocation CheckFormatHandler::getLocationOfByte(const char *x) { 1716 return S.getLocationOfStringLiteralByte(FExpr, x - Beg); 1717} 1718 1719void CheckFormatHandler::HandleIncompleteSpecifier(const char *startSpecifier, 1720 unsigned specifierLen){ 1721 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_incomplete_specifier), 1722 getLocationOfByte(startSpecifier), 1723 /*IsStringLocation*/true, 1724 getSpecifierRange(startSpecifier, specifierLen)); 1725} 1726 1727void 1728CheckFormatHandler::HandleInvalidPosition(const char *startPos, unsigned posLen, 1729 analyze_format_string::PositionContext p) { 1730 EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_positional_specifier) 1731 << (unsigned) p, 1732 getLocationOfByte(startPos), /*IsStringLocation*/true, 1733 getSpecifierRange(startPos, posLen)); 1734} 1735 1736void CheckFormatHandler::HandleZeroPosition(const char *startPos, 1737 unsigned posLen) { 1738 EmitFormatDiagnostic(S.PDiag(diag::warn_format_zero_positional_specifier), 1739 getLocationOfByte(startPos), 1740 /*IsStringLocation*/true, 1741 getSpecifierRange(startPos, posLen)); 1742} 1743 1744void CheckFormatHandler::HandleNullChar(const char *nullCharacter) { 1745 if (!IsObjCLiteral) { 1746 // The presence of a null character is likely an error. 1747 EmitFormatDiagnostic( 1748 S.PDiag(diag::warn_printf_format_string_contains_null_char), 1749 getLocationOfByte(nullCharacter), /*IsStringLocation*/true, 1750 getFormatStringRange()); 1751 } 1752} 1753 1754const Expr *CheckFormatHandler::getDataArg(unsigned i) const { 1755 return Args[FirstDataArg + i]; 1756} 1757 1758void CheckFormatHandler::DoneProcessing() { 1759 // Does the number of data arguments exceed the number of 1760 // format conversions in the format string? 1761 if (!HasVAListArg) { 1762 // Find any arguments that weren't covered. 1763 CoveredArgs.flip(); 1764 signed notCoveredArg = CoveredArgs.find_first(); 1765 if (notCoveredArg >= 0) { 1766 assert((unsigned)notCoveredArg < NumDataArgs); 1767 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_data_arg_not_used), 1768 getDataArg((unsigned) notCoveredArg)->getLocStart(), 1769 /*IsStringLocation*/false, getFormatStringRange()); 1770 } 1771 } 1772} 1773 1774bool 1775CheckFormatHandler::HandleInvalidConversionSpecifier(unsigned argIndex, 1776 SourceLocation Loc, 1777 const char *startSpec, 1778 unsigned specifierLen, 1779 const char *csStart, 1780 unsigned csLen) { 1781 1782 bool keepGoing = true; 1783 if (argIndex < NumDataArgs) { 1784 // Consider the argument coverered, even though the specifier doesn't 1785 // make sense. 1786 CoveredArgs.set(argIndex); 1787 } 1788 else { 1789 // If argIndex exceeds the number of data arguments we 1790 // don't issue a warning because that is just a cascade of warnings (and 1791 // they may have intended '%%' anyway). We don't want to continue processing 1792 // the format string after this point, however, as we will like just get 1793 // gibberish when trying to match arguments. 1794 keepGoing = false; 1795 } 1796 1797 EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_conversion) 1798 << StringRef(csStart, csLen), 1799 Loc, /*IsStringLocation*/true, 1800 getSpecifierRange(startSpec, specifierLen)); 1801 1802 return keepGoing; 1803} 1804 1805void 1806CheckFormatHandler::HandlePositionalNonpositionalArgs(SourceLocation Loc, 1807 const char *startSpec, 1808 unsigned specifierLen) { 1809 EmitFormatDiagnostic( 1810 S.PDiag(diag::warn_format_mix_positional_nonpositional_args), 1811 Loc, /*isStringLoc*/true, getSpecifierRange(startSpec, specifierLen)); 1812} 1813 1814bool 1815CheckFormatHandler::CheckNumArgs( 1816 const analyze_format_string::FormatSpecifier &FS, 1817 const analyze_format_string::ConversionSpecifier &CS, 1818 const char *startSpecifier, unsigned specifierLen, unsigned argIndex) { 1819 1820 if (argIndex >= NumDataArgs) { 1821 PartialDiagnostic PDiag = FS.usesPositionalArg() 1822 ? (S.PDiag(diag::warn_printf_positional_arg_exceeds_data_args) 1823 << (argIndex+1) << NumDataArgs) 1824 : S.PDiag(diag::warn_printf_insufficient_data_args); 1825 EmitFormatDiagnostic( 1826 PDiag, getLocationOfByte(CS.getStart()), /*IsStringLocation*/true, 1827 getSpecifierRange(startSpecifier, specifierLen)); 1828 return false; 1829 } 1830 return true; 1831} 1832 1833template<typename Range> 1834void CheckFormatHandler::EmitFormatDiagnostic(PartialDiagnostic PDiag, 1835 SourceLocation Loc, 1836 bool IsStringLocation, 1837 Range StringRange, 1838 FixItHint FixIt) { 1839 EmitFormatDiagnostic(S, inFunctionCall, Args[FormatIdx], PDiag, 1840 Loc, IsStringLocation, StringRange, FixIt); 1841} 1842 1843/// \brief If the format string is not within the funcion call, emit a note 1844/// so that the function call and string are in diagnostic messages. 1845/// 1846/// \param inFunctionCall if true, the format string is within the function 1847/// call and only one diagnostic message will be produced. Otherwise, an 1848/// extra note will be emitted pointing to location of the format string. 1849/// 1850/// \param ArgumentExpr the expression that is passed as the format string 1851/// argument in the function call. Used for getting locations when two 1852/// diagnostics are emitted. 1853/// 1854/// \param PDiag the callee should already have provided any strings for the 1855/// diagnostic message. This function only adds locations and fixits 1856/// to diagnostics. 1857/// 1858/// \param Loc primary location for diagnostic. If two diagnostics are 1859/// required, one will be at Loc and a new SourceLocation will be created for 1860/// the other one. 1861/// 1862/// \param IsStringLocation if true, Loc points to the format string should be 1863/// used for the note. Otherwise, Loc points to the argument list and will 1864/// be used with PDiag. 1865/// 1866/// \param StringRange some or all of the string to highlight. This is 1867/// templated so it can accept either a CharSourceRange or a SourceRange. 1868/// 1869/// \param Fixit optional fix it hint for the format string. 1870template<typename Range> 1871void CheckFormatHandler::EmitFormatDiagnostic(Sema &S, bool InFunctionCall, 1872 const Expr *ArgumentExpr, 1873 PartialDiagnostic PDiag, 1874 SourceLocation Loc, 1875 bool IsStringLocation, 1876 Range StringRange, 1877 FixItHint FixIt) { 1878 if (InFunctionCall) 1879 S.Diag(Loc, PDiag) << StringRange << FixIt; 1880 else { 1881 S.Diag(IsStringLocation ? ArgumentExpr->getExprLoc() : Loc, PDiag) 1882 << ArgumentExpr->getSourceRange(); 1883 S.Diag(IsStringLocation ? Loc : StringRange.getBegin(), 1884 diag::note_format_string_defined) 1885 << StringRange << FixIt; 1886 } 1887} 1888 1889//===--- CHECK: Printf format string checking ------------------------------===// 1890 1891namespace { 1892class CheckPrintfHandler : public CheckFormatHandler { 1893public: 1894 CheckPrintfHandler(Sema &s, const StringLiteral *fexpr, 1895 const Expr *origFormatExpr, unsigned firstDataArg, 1896 unsigned numDataArgs, bool isObjCLiteral, 1897 const char *beg, bool hasVAListArg, 1898 Expr **Args, unsigned NumArgs, 1899 unsigned formatIdx, bool inFunctionCall) 1900 : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg, 1901 numDataArgs, isObjCLiteral, beg, hasVAListArg, 1902 Args, NumArgs, formatIdx, inFunctionCall) {} 1903 1904 1905 bool HandleInvalidPrintfConversionSpecifier( 1906 const analyze_printf::PrintfSpecifier &FS, 1907 const char *startSpecifier, 1908 unsigned specifierLen); 1909 1910 bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS, 1911 const char *startSpecifier, 1912 unsigned specifierLen); 1913 1914 bool HandleAmount(const analyze_format_string::OptionalAmount &Amt, unsigned k, 1915 const char *startSpecifier, unsigned specifierLen); 1916 void HandleInvalidAmount(const analyze_printf::PrintfSpecifier &FS, 1917 const analyze_printf::OptionalAmount &Amt, 1918 unsigned type, 1919 const char *startSpecifier, unsigned specifierLen); 1920 void HandleFlag(const analyze_printf::PrintfSpecifier &FS, 1921 const analyze_printf::OptionalFlag &flag, 1922 const char *startSpecifier, unsigned specifierLen); 1923 void HandleIgnoredFlag(const analyze_printf::PrintfSpecifier &FS, 1924 const analyze_printf::OptionalFlag &ignoredFlag, 1925 const analyze_printf::OptionalFlag &flag, 1926 const char *startSpecifier, unsigned specifierLen); 1927}; 1928} 1929 1930bool CheckPrintfHandler::HandleInvalidPrintfConversionSpecifier( 1931 const analyze_printf::PrintfSpecifier &FS, 1932 const char *startSpecifier, 1933 unsigned specifierLen) { 1934 const analyze_printf::PrintfConversionSpecifier &CS = 1935 FS.getConversionSpecifier(); 1936 1937 return HandleInvalidConversionSpecifier(FS.getArgIndex(), 1938 getLocationOfByte(CS.getStart()), 1939 startSpecifier, specifierLen, 1940 CS.getStart(), CS.getLength()); 1941} 1942 1943bool CheckPrintfHandler::HandleAmount( 1944 const analyze_format_string::OptionalAmount &Amt, 1945 unsigned k, const char *startSpecifier, 1946 unsigned specifierLen) { 1947 1948 if (Amt.hasDataArgument()) { 1949 if (!HasVAListArg) { 1950 unsigned argIndex = Amt.getArgIndex(); 1951 if (argIndex >= NumDataArgs) { 1952 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_missing_arg) 1953 << k, 1954 getLocationOfByte(Amt.getStart()), 1955 /*IsStringLocation*/true, 1956 getSpecifierRange(startSpecifier, specifierLen)); 1957 // Don't do any more checking. We will just emit 1958 // spurious errors. 1959 return false; 1960 } 1961 1962 // Type check the data argument. It should be an 'int'. 1963 // Although not in conformance with C99, we also allow the argument to be 1964 // an 'unsigned int' as that is a reasonably safe case. GCC also 1965 // doesn't emit a warning for that case. 1966 CoveredArgs.set(argIndex); 1967 const Expr *Arg = getDataArg(argIndex); 1968 QualType T = Arg->getType(); 1969 1970 const analyze_printf::ArgTypeResult &ATR = Amt.getArgType(S.Context); 1971 assert(ATR.isValid()); 1972 1973 if (!ATR.matchesType(S.Context, T)) { 1974 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_wrong_type) 1975 << k << ATR.getRepresentativeTypeName(S.Context) 1976 << T << Arg->getSourceRange(), 1977 getLocationOfByte(Amt.getStart()), 1978 /*IsStringLocation*/true, 1979 getSpecifierRange(startSpecifier, specifierLen)); 1980 // Don't do any more checking. We will just emit 1981 // spurious errors. 1982 return false; 1983 } 1984 } 1985 } 1986 return true; 1987} 1988 1989void CheckPrintfHandler::HandleInvalidAmount( 1990 const analyze_printf::PrintfSpecifier &FS, 1991 const analyze_printf::OptionalAmount &Amt, 1992 unsigned type, 1993 const char *startSpecifier, 1994 unsigned specifierLen) { 1995 const analyze_printf::PrintfConversionSpecifier &CS = 1996 FS.getConversionSpecifier(); 1997 1998 FixItHint fixit = 1999 Amt.getHowSpecified() == analyze_printf::OptionalAmount::Constant 2000 ? FixItHint::CreateRemoval(getSpecifierRange(Amt.getStart(), 2001 Amt.getConstantLength())) 2002 : FixItHint(); 2003 2004 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_optional_amount) 2005 << type << CS.toString(), 2006 getLocationOfByte(Amt.getStart()), 2007 /*IsStringLocation*/true, 2008 getSpecifierRange(startSpecifier, specifierLen), 2009 fixit); 2010} 2011 2012void CheckPrintfHandler::HandleFlag(const analyze_printf::PrintfSpecifier &FS, 2013 const analyze_printf::OptionalFlag &flag, 2014 const char *startSpecifier, 2015 unsigned specifierLen) { 2016 // Warn about pointless flag with a fixit removal. 2017 const analyze_printf::PrintfConversionSpecifier &CS = 2018 FS.getConversionSpecifier(); 2019 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_flag) 2020 << flag.toString() << CS.toString(), 2021 getLocationOfByte(flag.getPosition()), 2022 /*IsStringLocation*/true, 2023 getSpecifierRange(startSpecifier, specifierLen), 2024 FixItHint::CreateRemoval( 2025 getSpecifierRange(flag.getPosition(), 1))); 2026} 2027 2028void CheckPrintfHandler::HandleIgnoredFlag( 2029 const analyze_printf::PrintfSpecifier &FS, 2030 const analyze_printf::OptionalFlag &ignoredFlag, 2031 const analyze_printf::OptionalFlag &flag, 2032 const char *startSpecifier, 2033 unsigned specifierLen) { 2034 // Warn about ignored flag with a fixit removal. 2035 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_ignored_flag) 2036 << ignoredFlag.toString() << flag.toString(), 2037 getLocationOfByte(ignoredFlag.getPosition()), 2038 /*IsStringLocation*/true, 2039 getSpecifierRange(startSpecifier, specifierLen), 2040 FixItHint::CreateRemoval( 2041 getSpecifierRange(ignoredFlag.getPosition(), 1))); 2042} 2043 2044bool 2045CheckPrintfHandler::HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier 2046 &FS, 2047 const char *startSpecifier, 2048 unsigned specifierLen) { 2049 2050 using namespace analyze_format_string; 2051 using namespace analyze_printf; 2052 const PrintfConversionSpecifier &CS = FS.getConversionSpecifier(); 2053 2054 if (FS.consumesDataArgument()) { 2055 if (atFirstArg) { 2056 atFirstArg = false; 2057 usesPositionalArgs = FS.usesPositionalArg(); 2058 } 2059 else if (usesPositionalArgs != FS.usesPositionalArg()) { 2060 HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()), 2061 startSpecifier, specifierLen); 2062 return false; 2063 } 2064 } 2065 2066 // First check if the field width, precision, and conversion specifier 2067 // have matching data arguments. 2068 if (!HandleAmount(FS.getFieldWidth(), /* field width */ 0, 2069 startSpecifier, specifierLen)) { 2070 return false; 2071 } 2072 2073 if (!HandleAmount(FS.getPrecision(), /* precision */ 1, 2074 startSpecifier, specifierLen)) { 2075 return false; 2076 } 2077 2078 if (!CS.consumesDataArgument()) { 2079 // FIXME: Technically specifying a precision or field width here 2080 // makes no sense. Worth issuing a warning at some point. 2081 return true; 2082 } 2083 2084 // Consume the argument. 2085 unsigned argIndex = FS.getArgIndex(); 2086 if (argIndex < NumDataArgs) { 2087 // The check to see if the argIndex is valid will come later. 2088 // We set the bit here because we may exit early from this 2089 // function if we encounter some other error. 2090 CoveredArgs.set(argIndex); 2091 } 2092 2093 // Check for using an Objective-C specific conversion specifier 2094 // in a non-ObjC literal. 2095 if (!IsObjCLiteral && CS.isObjCArg()) { 2096 return HandleInvalidPrintfConversionSpecifier(FS, startSpecifier, 2097 specifierLen); 2098 } 2099 2100 // Check for invalid use of field width 2101 if (!FS.hasValidFieldWidth()) { 2102 HandleInvalidAmount(FS, FS.getFieldWidth(), /* field width */ 0, 2103 startSpecifier, specifierLen); 2104 } 2105 2106 // Check for invalid use of precision 2107 if (!FS.hasValidPrecision()) { 2108 HandleInvalidAmount(FS, FS.getPrecision(), /* precision */ 1, 2109 startSpecifier, specifierLen); 2110 } 2111 2112 // Check each flag does not conflict with any other component. 2113 if (!FS.hasValidThousandsGroupingPrefix()) 2114 HandleFlag(FS, FS.hasThousandsGrouping(), startSpecifier, specifierLen); 2115 if (!FS.hasValidLeadingZeros()) 2116 HandleFlag(FS, FS.hasLeadingZeros(), startSpecifier, specifierLen); 2117 if (!FS.hasValidPlusPrefix()) 2118 HandleFlag(FS, FS.hasPlusPrefix(), startSpecifier, specifierLen); 2119 if (!FS.hasValidSpacePrefix()) 2120 HandleFlag(FS, FS.hasSpacePrefix(), startSpecifier, specifierLen); 2121 if (!FS.hasValidAlternativeForm()) 2122 HandleFlag(FS, FS.hasAlternativeForm(), startSpecifier, specifierLen); 2123 if (!FS.hasValidLeftJustified()) 2124 HandleFlag(FS, FS.isLeftJustified(), startSpecifier, specifierLen); 2125 2126 // Check that flags are not ignored by another flag 2127 if (FS.hasSpacePrefix() && FS.hasPlusPrefix()) // ' ' ignored by '+' 2128 HandleIgnoredFlag(FS, FS.hasSpacePrefix(), FS.hasPlusPrefix(), 2129 startSpecifier, specifierLen); 2130 if (FS.hasLeadingZeros() && FS.isLeftJustified()) // '0' ignored by '-' 2131 HandleIgnoredFlag(FS, FS.hasLeadingZeros(), FS.isLeftJustified(), 2132 startSpecifier, specifierLen); 2133 2134 // Check the length modifier is valid with the given conversion specifier. 2135 const LengthModifier &LM = FS.getLengthModifier(); 2136 if (!FS.hasValidLengthModifier()) 2137 EmitFormatDiagnostic(S.PDiag(diag::warn_format_nonsensical_length) 2138 << LM.toString() << CS.toString(), 2139 getLocationOfByte(LM.getStart()), 2140 /*IsStringLocation*/true, 2141 getSpecifierRange(startSpecifier, specifierLen), 2142 FixItHint::CreateRemoval( 2143 getSpecifierRange(LM.getStart(), 2144 LM.getLength()))); 2145 2146 // Are we using '%n'? 2147 if (CS.getKind() == ConversionSpecifier::nArg) { 2148 // Issue a warning about this being a possible security issue. 2149 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_write_back), 2150 getLocationOfByte(CS.getStart()), 2151 /*IsStringLocation*/true, 2152 getSpecifierRange(startSpecifier, specifierLen)); 2153 // Continue checking the other format specifiers. 2154 return true; 2155 } 2156 2157 // The remaining checks depend on the data arguments. 2158 if (HasVAListArg) 2159 return true; 2160 2161 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex)) 2162 return false; 2163 2164 // Now type check the data expression that matches the 2165 // format specifier. 2166 const Expr *Ex = getDataArg(argIndex); 2167 const analyze_printf::ArgTypeResult &ATR = FS.getArgType(S.Context, 2168 IsObjCLiteral); 2169 if (ATR.isValid() && !ATR.matchesType(S.Context, Ex->getType())) { 2170 // Check if we didn't match because of an implicit cast from a 'char' 2171 // or 'short' to an 'int'. This is done because printf is a varargs 2172 // function. 2173 if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Ex)) 2174 if (ICE->getType() == S.Context.IntTy) { 2175 // All further checking is done on the subexpression. 2176 Ex = ICE->getSubExpr(); 2177 if (ATR.matchesType(S.Context, Ex->getType())) 2178 return true; 2179 } 2180 2181 // We may be able to offer a FixItHint if it is a supported type. 2182 PrintfSpecifier fixedFS = FS; 2183 bool success = fixedFS.fixType(Ex->getType(), S.getLangOptions()); 2184 2185 if (success) { 2186 // Get the fix string from the fixed format specifier 2187 llvm::SmallString<128> buf; 2188 llvm::raw_svector_ostream os(buf); 2189 fixedFS.toString(os); 2190 2191 EmitFormatDiagnostic( 2192 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 2193 << ATR.getRepresentativeTypeName(S.Context) << Ex->getType() 2194 << Ex->getSourceRange(), 2195 getLocationOfByte(CS.getStart()), 2196 /*IsStringLocation*/true, 2197 getSpecifierRange(startSpecifier, specifierLen), 2198 FixItHint::CreateReplacement( 2199 getSpecifierRange(startSpecifier, specifierLen), 2200 os.str())); 2201 } 2202 else { 2203 EmitFormatDiagnostic( 2204 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 2205 << ATR.getRepresentativeTypeName(S.Context) << Ex->getType() 2206 << getSpecifierRange(startSpecifier, specifierLen) 2207 << Ex->getSourceRange(), 2208 getLocationOfByte(CS.getStart()), 2209 true, 2210 getSpecifierRange(startSpecifier, specifierLen)); 2211 } 2212 } 2213 2214 return true; 2215} 2216 2217//===--- CHECK: Scanf format string checking ------------------------------===// 2218 2219namespace { 2220class CheckScanfHandler : public CheckFormatHandler { 2221public: 2222 CheckScanfHandler(Sema &s, const StringLiteral *fexpr, 2223 const Expr *origFormatExpr, unsigned firstDataArg, 2224 unsigned numDataArgs, bool isObjCLiteral, 2225 const char *beg, bool hasVAListArg, 2226 Expr **Args, unsigned NumArgs, 2227 unsigned formatIdx, bool inFunctionCall) 2228 : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg, 2229 numDataArgs, isObjCLiteral, beg, hasVAListArg, 2230 Args, NumArgs, formatIdx, inFunctionCall) {} 2231 2232 bool HandleScanfSpecifier(const analyze_scanf::ScanfSpecifier &FS, 2233 const char *startSpecifier, 2234 unsigned specifierLen); 2235 2236 bool HandleInvalidScanfConversionSpecifier( 2237 const analyze_scanf::ScanfSpecifier &FS, 2238 const char *startSpecifier, 2239 unsigned specifierLen); 2240 2241 void HandleIncompleteScanList(const char *start, const char *end); 2242}; 2243} 2244 2245void CheckScanfHandler::HandleIncompleteScanList(const char *start, 2246 const char *end) { 2247 EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_scanlist_incomplete), 2248 getLocationOfByte(end), /*IsStringLocation*/true, 2249 getSpecifierRange(start, end - start)); 2250} 2251 2252bool CheckScanfHandler::HandleInvalidScanfConversionSpecifier( 2253 const analyze_scanf::ScanfSpecifier &FS, 2254 const char *startSpecifier, 2255 unsigned specifierLen) { 2256 2257 const analyze_scanf::ScanfConversionSpecifier &CS = 2258 FS.getConversionSpecifier(); 2259 2260 return HandleInvalidConversionSpecifier(FS.getArgIndex(), 2261 getLocationOfByte(CS.getStart()), 2262 startSpecifier, specifierLen, 2263 CS.getStart(), CS.getLength()); 2264} 2265 2266bool CheckScanfHandler::HandleScanfSpecifier( 2267 const analyze_scanf::ScanfSpecifier &FS, 2268 const char *startSpecifier, 2269 unsigned specifierLen) { 2270 2271 using namespace analyze_scanf; 2272 using namespace analyze_format_string; 2273 2274 const ScanfConversionSpecifier &CS = FS.getConversionSpecifier(); 2275 2276 // Handle case where '%' and '*' don't consume an argument. These shouldn't 2277 // be used to decide if we are using positional arguments consistently. 2278 if (FS.consumesDataArgument()) { 2279 if (atFirstArg) { 2280 atFirstArg = false; 2281 usesPositionalArgs = FS.usesPositionalArg(); 2282 } 2283 else if (usesPositionalArgs != FS.usesPositionalArg()) { 2284 HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()), 2285 startSpecifier, specifierLen); 2286 return false; 2287 } 2288 } 2289 2290 // Check if the field with is non-zero. 2291 const OptionalAmount &Amt = FS.getFieldWidth(); 2292 if (Amt.getHowSpecified() == OptionalAmount::Constant) { 2293 if (Amt.getConstantAmount() == 0) { 2294 const CharSourceRange &R = getSpecifierRange(Amt.getStart(), 2295 Amt.getConstantLength()); 2296 EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_nonzero_width), 2297 getLocationOfByte(Amt.getStart()), 2298 /*IsStringLocation*/true, R, 2299 FixItHint::CreateRemoval(R)); 2300 } 2301 } 2302 2303 if (!FS.consumesDataArgument()) { 2304 // FIXME: Technically specifying a precision or field width here 2305 // makes no sense. Worth issuing a warning at some point. 2306 return true; 2307 } 2308 2309 // Consume the argument. 2310 unsigned argIndex = FS.getArgIndex(); 2311 if (argIndex < NumDataArgs) { 2312 // The check to see if the argIndex is valid will come later. 2313 // We set the bit here because we may exit early from this 2314 // function if we encounter some other error. 2315 CoveredArgs.set(argIndex); 2316 } 2317 2318 // Check the length modifier is valid with the given conversion specifier. 2319 const LengthModifier &LM = FS.getLengthModifier(); 2320 if (!FS.hasValidLengthModifier()) { 2321 const CharSourceRange &R = getSpecifierRange(LM.getStart(), LM.getLength()); 2322 EmitFormatDiagnostic(S.PDiag(diag::warn_format_nonsensical_length) 2323 << LM.toString() << CS.toString() 2324 << getSpecifierRange(startSpecifier, specifierLen), 2325 getLocationOfByte(LM.getStart()), 2326 /*IsStringLocation*/true, R, 2327 FixItHint::CreateRemoval(R)); 2328 } 2329 2330 // The remaining checks depend on the data arguments. 2331 if (HasVAListArg) 2332 return true; 2333 2334 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex)) 2335 return false; 2336 2337 // Check that the argument type matches the format specifier. 2338 const Expr *Ex = getDataArg(argIndex); 2339 const analyze_scanf::ScanfArgTypeResult &ATR = FS.getArgType(S.Context); 2340 if (ATR.isValid() && !ATR.matchesType(S.Context, Ex->getType())) { 2341 ScanfSpecifier fixedFS = FS; 2342 bool success = fixedFS.fixType(Ex->getType(), S.getLangOptions()); 2343 2344 if (success) { 2345 // Get the fix string from the fixed format specifier. 2346 llvm::SmallString<128> buf; 2347 llvm::raw_svector_ostream os(buf); 2348 fixedFS.toString(os); 2349 2350 EmitFormatDiagnostic( 2351 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 2352 << ATR.getRepresentativeTypeName(S.Context) << Ex->getType() 2353 << Ex->getSourceRange(), 2354 getLocationOfByte(CS.getStart()), 2355 /*IsStringLocation*/true, 2356 getSpecifierRange(startSpecifier, specifierLen), 2357 FixItHint::CreateReplacement( 2358 getSpecifierRange(startSpecifier, specifierLen), 2359 os.str())); 2360 } else { 2361 EmitFormatDiagnostic( 2362 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 2363 << ATR.getRepresentativeTypeName(S.Context) << Ex->getType() 2364 << Ex->getSourceRange(), 2365 getLocationOfByte(CS.getStart()), 2366 /*IsStringLocation*/true, 2367 getSpecifierRange(startSpecifier, specifierLen)); 2368 } 2369 } 2370 2371 return true; 2372} 2373 2374void Sema::CheckFormatString(const StringLiteral *FExpr, 2375 const Expr *OrigFormatExpr, 2376 Expr **Args, unsigned NumArgs, 2377 bool HasVAListArg, unsigned format_idx, 2378 unsigned firstDataArg, FormatStringType Type, 2379 bool inFunctionCall) { 2380 2381 // CHECK: is the format string a wide literal? 2382 if (!FExpr->isAscii()) { 2383 CheckFormatHandler::EmitFormatDiagnostic( 2384 *this, inFunctionCall, Args[format_idx], 2385 PDiag(diag::warn_format_string_is_wide_literal), FExpr->getLocStart(), 2386 /*IsStringLocation*/true, OrigFormatExpr->getSourceRange()); 2387 return; 2388 } 2389 2390 // Str - The format string. NOTE: this is NOT null-terminated! 2391 StringRef StrRef = FExpr->getString(); 2392 const char *Str = StrRef.data(); 2393 unsigned StrLen = StrRef.size(); 2394 const unsigned numDataArgs = NumArgs - firstDataArg; 2395 2396 // CHECK: empty format string? 2397 if (StrLen == 0 && numDataArgs > 0) { 2398 CheckFormatHandler::EmitFormatDiagnostic( 2399 *this, inFunctionCall, Args[format_idx], 2400 PDiag(diag::warn_empty_format_string), FExpr->getLocStart(), 2401 /*IsStringLocation*/true, OrigFormatExpr->getSourceRange()); 2402 return; 2403 } 2404 2405 if (Type == FST_Printf || Type == FST_NSString) { 2406 CheckPrintfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, 2407 numDataArgs, isa<ObjCStringLiteral>(OrigFormatExpr), 2408 Str, HasVAListArg, Args, NumArgs, format_idx, 2409 inFunctionCall); 2410 2411 if (!analyze_format_string::ParsePrintfString(H, Str, Str + StrLen, 2412 getLangOptions())) 2413 H.DoneProcessing(); 2414 } else if (Type == FST_Scanf) { 2415 CheckScanfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, 2416 numDataArgs, isa<ObjCStringLiteral>(OrigFormatExpr), 2417 Str, HasVAListArg, Args, NumArgs, format_idx, 2418 inFunctionCall); 2419 2420 if (!analyze_format_string::ParseScanfString(H, Str, Str + StrLen, 2421 getLangOptions())) 2422 H.DoneProcessing(); 2423 } // TODO: handle other formats 2424} 2425 2426//===--- CHECK: Standard memory functions ---------------------------------===// 2427 2428/// \brief Determine whether the given type is a dynamic class type (e.g., 2429/// whether it has a vtable). 2430static bool isDynamicClassType(QualType T) { 2431 if (CXXRecordDecl *Record = T->getAsCXXRecordDecl()) 2432 if (CXXRecordDecl *Definition = Record->getDefinition()) 2433 if (Definition->isDynamicClass()) 2434 return true; 2435 2436 return false; 2437} 2438 2439/// \brief If E is a sizeof expression, returns its argument expression, 2440/// otherwise returns NULL. 2441static const Expr *getSizeOfExprArg(const Expr* E) { 2442 if (const UnaryExprOrTypeTraitExpr *SizeOf = 2443 dyn_cast<UnaryExprOrTypeTraitExpr>(E)) 2444 if (SizeOf->getKind() == clang::UETT_SizeOf && !SizeOf->isArgumentType()) 2445 return SizeOf->getArgumentExpr()->IgnoreParenImpCasts(); 2446 2447 return 0; 2448} 2449 2450/// \brief If E is a sizeof expression, returns its argument type. 2451static QualType getSizeOfArgType(const Expr* E) { 2452 if (const UnaryExprOrTypeTraitExpr *SizeOf = 2453 dyn_cast<UnaryExprOrTypeTraitExpr>(E)) 2454 if (SizeOf->getKind() == clang::UETT_SizeOf) 2455 return SizeOf->getTypeOfArgument(); 2456 2457 return QualType(); 2458} 2459 2460/// \brief Check for dangerous or invalid arguments to memset(). 2461/// 2462/// This issues warnings on known problematic, dangerous or unspecified 2463/// arguments to the standard 'memset', 'memcpy', 'memmove', and 'memcmp' 2464/// function calls. 2465/// 2466/// \param Call The call expression to diagnose. 2467void Sema::CheckMemaccessArguments(const CallExpr *Call, 2468 unsigned BId, 2469 IdentifierInfo *FnName) { 2470 assert(BId != 0); 2471 2472 // It is possible to have a non-standard definition of memset. Validate 2473 // we have enough arguments, and if not, abort further checking. 2474 unsigned ExpectedNumArgs = (BId == Builtin::BIstrndup ? 2 : 3); 2475 if (Call->getNumArgs() < ExpectedNumArgs) 2476 return; 2477 2478 unsigned LastArg = (BId == Builtin::BImemset || 2479 BId == Builtin::BIstrndup ? 1 : 2); 2480 unsigned LenArg = (BId == Builtin::BIstrndup ? 1 : 2); 2481 const Expr *LenExpr = Call->getArg(LenArg)->IgnoreParenImpCasts(); 2482 2483 // We have special checking when the length is a sizeof expression. 2484 QualType SizeOfArgTy = getSizeOfArgType(LenExpr); 2485 const Expr *SizeOfArg = getSizeOfExprArg(LenExpr); 2486 llvm::FoldingSetNodeID SizeOfArgID; 2487 2488 for (unsigned ArgIdx = 0; ArgIdx != LastArg; ++ArgIdx) { 2489 const Expr *Dest = Call->getArg(ArgIdx)->IgnoreParenImpCasts(); 2490 SourceRange ArgRange = Call->getArg(ArgIdx)->getSourceRange(); 2491 2492 QualType DestTy = Dest->getType(); 2493 if (const PointerType *DestPtrTy = DestTy->getAs<PointerType>()) { 2494 QualType PointeeTy = DestPtrTy->getPointeeType(); 2495 2496 // Never warn about void type pointers. This can be used to suppress 2497 // false positives. 2498 if (PointeeTy->isVoidType()) 2499 continue; 2500 2501 // Catch "memset(p, 0, sizeof(p))" -- needs to be sizeof(*p). Do this by 2502 // actually comparing the expressions for equality. Because computing the 2503 // expression IDs can be expensive, we only do this if the diagnostic is 2504 // enabled. 2505 if (SizeOfArg && 2506 Diags.getDiagnosticLevel(diag::warn_sizeof_pointer_expr_memaccess, 2507 SizeOfArg->getExprLoc())) { 2508 // We only compute IDs for expressions if the warning is enabled, and 2509 // cache the sizeof arg's ID. 2510 if (SizeOfArgID == llvm::FoldingSetNodeID()) 2511 SizeOfArg->Profile(SizeOfArgID, Context, true); 2512 llvm::FoldingSetNodeID DestID; 2513 Dest->Profile(DestID, Context, true); 2514 if (DestID == SizeOfArgID) { 2515 // TODO: For strncpy() and friends, this could suggest sizeof(dst) 2516 // over sizeof(src) as well. 2517 unsigned ActionIdx = 0; // Default is to suggest dereferencing. 2518 if (const UnaryOperator *UnaryOp = dyn_cast<UnaryOperator>(Dest)) 2519 if (UnaryOp->getOpcode() == UO_AddrOf) 2520 ActionIdx = 1; // If its an address-of operator, just remove it. 2521 if (Context.getTypeSize(PointeeTy) == Context.getCharWidth()) 2522 ActionIdx = 2; // If the pointee's size is sizeof(char), 2523 // suggest an explicit length. 2524 unsigned DestSrcSelect = 2525 (BId == Builtin::BIstrndup ? 1 : ArgIdx); 2526 DiagRuntimeBehavior(SizeOfArg->getExprLoc(), Dest, 2527 PDiag(diag::warn_sizeof_pointer_expr_memaccess) 2528 << FnName << DestSrcSelect << ActionIdx 2529 << Dest->getSourceRange() 2530 << SizeOfArg->getSourceRange()); 2531 break; 2532 } 2533 } 2534 2535 // Also check for cases where the sizeof argument is the exact same 2536 // type as the memory argument, and where it points to a user-defined 2537 // record type. 2538 if (SizeOfArgTy != QualType()) { 2539 if (PointeeTy->isRecordType() && 2540 Context.typesAreCompatible(SizeOfArgTy, DestTy)) { 2541 DiagRuntimeBehavior(LenExpr->getExprLoc(), Dest, 2542 PDiag(diag::warn_sizeof_pointer_type_memaccess) 2543 << FnName << SizeOfArgTy << ArgIdx 2544 << PointeeTy << Dest->getSourceRange() 2545 << LenExpr->getSourceRange()); 2546 break; 2547 } 2548 } 2549 2550 // Always complain about dynamic classes. 2551 if (isDynamicClassType(PointeeTy)) { 2552 2553 unsigned OperationType = 0; 2554 // "overwritten" if we're warning about the destination for any call 2555 // but memcmp; otherwise a verb appropriate to the call. 2556 if (ArgIdx != 0 || BId == Builtin::BImemcmp) { 2557 if (BId == Builtin::BImemcpy) 2558 OperationType = 1; 2559 else if(BId == Builtin::BImemmove) 2560 OperationType = 2; 2561 else if (BId == Builtin::BImemcmp) 2562 OperationType = 3; 2563 } 2564 2565 DiagRuntimeBehavior( 2566 Dest->getExprLoc(), Dest, 2567 PDiag(diag::warn_dyn_class_memaccess) 2568 << (BId == Builtin::BImemcmp ? ArgIdx + 2 : ArgIdx) 2569 << FnName << PointeeTy 2570 << OperationType 2571 << Call->getCallee()->getSourceRange()); 2572 } else if (PointeeTy.hasNonTrivialObjCLifetime() && 2573 BId != Builtin::BImemset) 2574 DiagRuntimeBehavior( 2575 Dest->getExprLoc(), Dest, 2576 PDiag(diag::warn_arc_object_memaccess) 2577 << ArgIdx << FnName << PointeeTy 2578 << Call->getCallee()->getSourceRange()); 2579 else 2580 continue; 2581 2582 DiagRuntimeBehavior( 2583 Dest->getExprLoc(), Dest, 2584 PDiag(diag::note_bad_memaccess_silence) 2585 << FixItHint::CreateInsertion(ArgRange.getBegin(), "(void*)")); 2586 break; 2587 } 2588 } 2589} 2590 2591// A little helper routine: ignore addition and subtraction of integer literals. 2592// This intentionally does not ignore all integer constant expressions because 2593// we don't want to remove sizeof(). 2594static const Expr *ignoreLiteralAdditions(const Expr *Ex, ASTContext &Ctx) { 2595 Ex = Ex->IgnoreParenCasts(); 2596 2597 for (;;) { 2598 const BinaryOperator * BO = dyn_cast<BinaryOperator>(Ex); 2599 if (!BO || !BO->isAdditiveOp()) 2600 break; 2601 2602 const Expr *RHS = BO->getRHS()->IgnoreParenCasts(); 2603 const Expr *LHS = BO->getLHS()->IgnoreParenCasts(); 2604 2605 if (isa<IntegerLiteral>(RHS)) 2606 Ex = LHS; 2607 else if (isa<IntegerLiteral>(LHS)) 2608 Ex = RHS; 2609 else 2610 break; 2611 } 2612 2613 return Ex; 2614} 2615 2616// Warn if the user has made the 'size' argument to strlcpy or strlcat 2617// be the size of the source, instead of the destination. 2618void Sema::CheckStrlcpycatArguments(const CallExpr *Call, 2619 IdentifierInfo *FnName) { 2620 2621 // Don't crash if the user has the wrong number of arguments 2622 if (Call->getNumArgs() != 3) 2623 return; 2624 2625 const Expr *SrcArg = ignoreLiteralAdditions(Call->getArg(1), Context); 2626 const Expr *SizeArg = ignoreLiteralAdditions(Call->getArg(2), Context); 2627 const Expr *CompareWithSrc = NULL; 2628 2629 // Look for 'strlcpy(dst, x, sizeof(x))' 2630 if (const Expr *Ex = getSizeOfExprArg(SizeArg)) 2631 CompareWithSrc = Ex; 2632 else { 2633 // Look for 'strlcpy(dst, x, strlen(x))' 2634 if (const CallExpr *SizeCall = dyn_cast<CallExpr>(SizeArg)) { 2635 if (SizeCall->isBuiltinCall() == Builtin::BIstrlen 2636 && SizeCall->getNumArgs() == 1) 2637 CompareWithSrc = ignoreLiteralAdditions(SizeCall->getArg(0), Context); 2638 } 2639 } 2640 2641 if (!CompareWithSrc) 2642 return; 2643 2644 // Determine if the argument to sizeof/strlen is equal to the source 2645 // argument. In principle there's all kinds of things you could do 2646 // here, for instance creating an == expression and evaluating it with 2647 // EvaluateAsBooleanCondition, but this uses a more direct technique: 2648 const DeclRefExpr *SrcArgDRE = dyn_cast<DeclRefExpr>(SrcArg); 2649 if (!SrcArgDRE) 2650 return; 2651 2652 const DeclRefExpr *CompareWithSrcDRE = dyn_cast<DeclRefExpr>(CompareWithSrc); 2653 if (!CompareWithSrcDRE || 2654 SrcArgDRE->getDecl() != CompareWithSrcDRE->getDecl()) 2655 return; 2656 2657 const Expr *OriginalSizeArg = Call->getArg(2); 2658 Diag(CompareWithSrcDRE->getLocStart(), diag::warn_strlcpycat_wrong_size) 2659 << OriginalSizeArg->getSourceRange() << FnName; 2660 2661 // Output a FIXIT hint if the destination is an array (rather than a 2662 // pointer to an array). This could be enhanced to handle some 2663 // pointers if we know the actual size, like if DstArg is 'array+2' 2664 // we could say 'sizeof(array)-2'. 2665 const Expr *DstArg = Call->getArg(0)->IgnoreParenImpCasts(); 2666 QualType DstArgTy = DstArg->getType(); 2667 2668 // Only handle constant-sized or VLAs, but not flexible members. 2669 if (const ConstantArrayType *CAT = Context.getAsConstantArrayType(DstArgTy)) { 2670 // Only issue the FIXIT for arrays of size > 1. 2671 if (CAT->getSize().getSExtValue() <= 1) 2672 return; 2673 } else if (!DstArgTy->isVariableArrayType()) { 2674 return; 2675 } 2676 2677 llvm::SmallString<128> sizeString; 2678 llvm::raw_svector_ostream OS(sizeString); 2679 OS << "sizeof("; 2680 DstArg->printPretty(OS, Context, 0, getPrintingPolicy()); 2681 OS << ")"; 2682 2683 Diag(OriginalSizeArg->getLocStart(), diag::note_strlcpycat_wrong_size) 2684 << FixItHint::CreateReplacement(OriginalSizeArg->getSourceRange(), 2685 OS.str()); 2686} 2687 2688/// Check if two expressions refer to the same declaration. 2689static bool referToTheSameDecl(const Expr *E1, const Expr *E2) { 2690 if (const DeclRefExpr *D1 = dyn_cast_or_null<DeclRefExpr>(E1)) 2691 if (const DeclRefExpr *D2 = dyn_cast_or_null<DeclRefExpr>(E2)) 2692 return D1->getDecl() == D2->getDecl(); 2693 return false; 2694} 2695 2696static const Expr *getStrlenExprArg(const Expr *E) { 2697 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { 2698 const FunctionDecl *FD = CE->getDirectCallee(); 2699 if (!FD || FD->getMemoryFunctionKind() != Builtin::BIstrlen) 2700 return 0; 2701 return CE->getArg(0)->IgnoreParenCasts(); 2702 } 2703 return 0; 2704} 2705 2706// Warn on anti-patterns as the 'size' argument to strncat. 2707// The correct size argument should look like following: 2708// strncat(dst, src, sizeof(dst) - strlen(dest) - 1); 2709void Sema::CheckStrncatArguments(const CallExpr *CE, 2710 IdentifierInfo *FnName) { 2711 // Don't crash if the user has the wrong number of arguments. 2712 if (CE->getNumArgs() < 3) 2713 return; 2714 const Expr *DstArg = CE->getArg(0)->IgnoreParenCasts(); 2715 const Expr *SrcArg = CE->getArg(1)->IgnoreParenCasts(); 2716 const Expr *LenArg = CE->getArg(2)->IgnoreParenCasts(); 2717 2718 // Identify common expressions, which are wrongly used as the size argument 2719 // to strncat and may lead to buffer overflows. 2720 unsigned PatternType = 0; 2721 if (const Expr *SizeOfArg = getSizeOfExprArg(LenArg)) { 2722 // - sizeof(dst) 2723 if (referToTheSameDecl(SizeOfArg, DstArg)) 2724 PatternType = 1; 2725 // - sizeof(src) 2726 else if (referToTheSameDecl(SizeOfArg, SrcArg)) 2727 PatternType = 2; 2728 } else if (const BinaryOperator *BE = dyn_cast<BinaryOperator>(LenArg)) { 2729 if (BE->getOpcode() == BO_Sub) { 2730 const Expr *L = BE->getLHS()->IgnoreParenCasts(); 2731 const Expr *R = BE->getRHS()->IgnoreParenCasts(); 2732 // - sizeof(dst) - strlen(dst) 2733 if (referToTheSameDecl(DstArg, getSizeOfExprArg(L)) && 2734 referToTheSameDecl(DstArg, getStrlenExprArg(R))) 2735 PatternType = 1; 2736 // - sizeof(src) - (anything) 2737 else if (referToTheSameDecl(SrcArg, getSizeOfExprArg(L))) 2738 PatternType = 2; 2739 } 2740 } 2741 2742 if (PatternType == 0) 2743 return; 2744 2745 if (PatternType == 1) 2746 Diag(DstArg->getLocStart(), diag::warn_strncat_large_size) 2747 << LenArg->getSourceRange(); 2748 else 2749 Diag(DstArg->getLocStart(), diag::warn_strncat_src_size) 2750 << LenArg->getSourceRange(); 2751 2752 // Output a FIXIT hint if the destination is an array (rather than a 2753 // pointer to an array). This could be enhanced to handle some 2754 // pointers if we know the actual size, like if DstArg is 'array+2' 2755 // we could say 'sizeof(array)-2'. 2756 QualType DstArgTy = DstArg->getType(); 2757 2758 // Only handle constant-sized or VLAs, but not flexible members. 2759 if (const ConstantArrayType *CAT = Context.getAsConstantArrayType(DstArgTy)) { 2760 // Only issue the FIXIT for arrays of size > 1. 2761 if (CAT->getSize().getSExtValue() <= 1) 2762 return; 2763 } else if (!DstArgTy->isVariableArrayType()) { 2764 return; 2765 } 2766 2767 llvm::SmallString<128> sizeString; 2768 llvm::raw_svector_ostream OS(sizeString); 2769 OS << "sizeof("; 2770 DstArg->printPretty(OS, Context, 0, getPrintingPolicy()); 2771 OS << ") - "; 2772 OS << "strlen("; 2773 DstArg->printPretty(OS, Context, 0, getPrintingPolicy()); 2774 OS << ") - 1"; 2775 2776 Diag(LenArg->getLocStart(), diag::note_strncat_wrong_size) 2777 << FixItHint::CreateReplacement(LenArg->getSourceRange(), 2778 OS.str()); 2779} 2780 2781//===--- CHECK: Return Address of Stack Variable --------------------------===// 2782 2783static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars); 2784static Expr *EvalAddr(Expr* E, SmallVectorImpl<DeclRefExpr *> &refVars); 2785 2786/// CheckReturnStackAddr - Check if a return statement returns the address 2787/// of a stack variable. 2788void 2789Sema::CheckReturnStackAddr(Expr *RetValExp, QualType lhsType, 2790 SourceLocation ReturnLoc) { 2791 2792 Expr *stackE = 0; 2793 SmallVector<DeclRefExpr *, 8> refVars; 2794 2795 // Perform checking for returned stack addresses, local blocks, 2796 // label addresses or references to temporaries. 2797 if (lhsType->isPointerType() || 2798 (!getLangOptions().ObjCAutoRefCount && lhsType->isBlockPointerType())) { 2799 stackE = EvalAddr(RetValExp, refVars); 2800 } else if (lhsType->isReferenceType()) { 2801 stackE = EvalVal(RetValExp, refVars); 2802 } 2803 2804 if (stackE == 0) 2805 return; // Nothing suspicious was found. 2806 2807 SourceLocation diagLoc; 2808 SourceRange diagRange; 2809 if (refVars.empty()) { 2810 diagLoc = stackE->getLocStart(); 2811 diagRange = stackE->getSourceRange(); 2812 } else { 2813 // We followed through a reference variable. 'stackE' contains the 2814 // problematic expression but we will warn at the return statement pointing 2815 // at the reference variable. We will later display the "trail" of 2816 // reference variables using notes. 2817 diagLoc = refVars[0]->getLocStart(); 2818 diagRange = refVars[0]->getSourceRange(); 2819 } 2820 2821 if (DeclRefExpr *DR = dyn_cast<DeclRefExpr>(stackE)) { //address of local var. 2822 Diag(diagLoc, lhsType->isReferenceType() ? diag::warn_ret_stack_ref 2823 : diag::warn_ret_stack_addr) 2824 << DR->getDecl()->getDeclName() << diagRange; 2825 } else if (isa<BlockExpr>(stackE)) { // local block. 2826 Diag(diagLoc, diag::err_ret_local_block) << diagRange; 2827 } else if (isa<AddrLabelExpr>(stackE)) { // address of label. 2828 Diag(diagLoc, diag::warn_ret_addr_label) << diagRange; 2829 } else { // local temporary. 2830 Diag(diagLoc, lhsType->isReferenceType() ? diag::warn_ret_local_temp_ref 2831 : diag::warn_ret_local_temp_addr) 2832 << diagRange; 2833 } 2834 2835 // Display the "trail" of reference variables that we followed until we 2836 // found the problematic expression using notes. 2837 for (unsigned i = 0, e = refVars.size(); i != e; ++i) { 2838 VarDecl *VD = cast<VarDecl>(refVars[i]->getDecl()); 2839 // If this var binds to another reference var, show the range of the next 2840 // var, otherwise the var binds to the problematic expression, in which case 2841 // show the range of the expression. 2842 SourceRange range = (i < e-1) ? refVars[i+1]->getSourceRange() 2843 : stackE->getSourceRange(); 2844 Diag(VD->getLocation(), diag::note_ref_var_local_bind) 2845 << VD->getDeclName() << range; 2846 } 2847} 2848 2849/// EvalAddr - EvalAddr and EvalVal are mutually recursive functions that 2850/// check if the expression in a return statement evaluates to an address 2851/// to a location on the stack, a local block, an address of a label, or a 2852/// reference to local temporary. The recursion is used to traverse the 2853/// AST of the return expression, with recursion backtracking when we 2854/// encounter a subexpression that (1) clearly does not lead to one of the 2855/// above problematic expressions (2) is something we cannot determine leads to 2856/// a problematic expression based on such local checking. 2857/// 2858/// Both EvalAddr and EvalVal follow through reference variables to evaluate 2859/// the expression that they point to. Such variables are added to the 2860/// 'refVars' vector so that we know what the reference variable "trail" was. 2861/// 2862/// EvalAddr processes expressions that are pointers that are used as 2863/// references (and not L-values). EvalVal handles all other values. 2864/// At the base case of the recursion is a check for the above problematic 2865/// expressions. 2866/// 2867/// This implementation handles: 2868/// 2869/// * pointer-to-pointer casts 2870/// * implicit conversions from array references to pointers 2871/// * taking the address of fields 2872/// * arbitrary interplay between "&" and "*" operators 2873/// * pointer arithmetic from an address of a stack variable 2874/// * taking the address of an array element where the array is on the stack 2875static Expr *EvalAddr(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars) { 2876 if (E->isTypeDependent()) 2877 return NULL; 2878 2879 // We should only be called for evaluating pointer expressions. 2880 assert((E->getType()->isAnyPointerType() || 2881 E->getType()->isBlockPointerType() || 2882 E->getType()->isObjCQualifiedIdType()) && 2883 "EvalAddr only works on pointers"); 2884 2885 E = E->IgnoreParens(); 2886 2887 // Our "symbolic interpreter" is just a dispatch off the currently 2888 // viewed AST node. We then recursively traverse the AST by calling 2889 // EvalAddr and EvalVal appropriately. 2890 switch (E->getStmtClass()) { 2891 case Stmt::DeclRefExprClass: { 2892 DeclRefExpr *DR = cast<DeclRefExpr>(E); 2893 2894 if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) 2895 // If this is a reference variable, follow through to the expression that 2896 // it points to. 2897 if (V->hasLocalStorage() && 2898 V->getType()->isReferenceType() && V->hasInit()) { 2899 // Add the reference variable to the "trail". 2900 refVars.push_back(DR); 2901 return EvalAddr(V->getInit(), refVars); 2902 } 2903 2904 return NULL; 2905 } 2906 2907 case Stmt::UnaryOperatorClass: { 2908 // The only unary operator that make sense to handle here 2909 // is AddrOf. All others don't make sense as pointers. 2910 UnaryOperator *U = cast<UnaryOperator>(E); 2911 2912 if (U->getOpcode() == UO_AddrOf) 2913 return EvalVal(U->getSubExpr(), refVars); 2914 else 2915 return NULL; 2916 } 2917 2918 case Stmt::BinaryOperatorClass: { 2919 // Handle pointer arithmetic. All other binary operators are not valid 2920 // in this context. 2921 BinaryOperator *B = cast<BinaryOperator>(E); 2922 BinaryOperatorKind op = B->getOpcode(); 2923 2924 if (op != BO_Add && op != BO_Sub) 2925 return NULL; 2926 2927 Expr *Base = B->getLHS(); 2928 2929 // Determine which argument is the real pointer base. It could be 2930 // the RHS argument instead of the LHS. 2931 if (!Base->getType()->isPointerType()) Base = B->getRHS(); 2932 2933 assert (Base->getType()->isPointerType()); 2934 return EvalAddr(Base, refVars); 2935 } 2936 2937 // For conditional operators we need to see if either the LHS or RHS are 2938 // valid DeclRefExpr*s. If one of them is valid, we return it. 2939 case Stmt::ConditionalOperatorClass: { 2940 ConditionalOperator *C = cast<ConditionalOperator>(E); 2941 2942 // Handle the GNU extension for missing LHS. 2943 if (Expr *lhsExpr = C->getLHS()) { 2944 // In C++, we can have a throw-expression, which has 'void' type. 2945 if (!lhsExpr->getType()->isVoidType()) 2946 if (Expr* LHS = EvalAddr(lhsExpr, refVars)) 2947 return LHS; 2948 } 2949 2950 // In C++, we can have a throw-expression, which has 'void' type. 2951 if (C->getRHS()->getType()->isVoidType()) 2952 return NULL; 2953 2954 return EvalAddr(C->getRHS(), refVars); 2955 } 2956 2957 case Stmt::BlockExprClass: 2958 if (cast<BlockExpr>(E)->getBlockDecl()->hasCaptures()) 2959 return E; // local block. 2960 return NULL; 2961 2962 case Stmt::AddrLabelExprClass: 2963 return E; // address of label. 2964 2965 case Stmt::ExprWithCleanupsClass: 2966 return EvalAddr(cast<ExprWithCleanups>(E)->getSubExpr(), refVars); 2967 2968 // For casts, we need to handle conversions from arrays to 2969 // pointer values, and pointer-to-pointer conversions. 2970 case Stmt::ImplicitCastExprClass: 2971 case Stmt::CStyleCastExprClass: 2972 case Stmt::CXXFunctionalCastExprClass: 2973 case Stmt::ObjCBridgedCastExprClass: { 2974 Expr* SubExpr = cast<CastExpr>(E)->getSubExpr(); 2975 QualType T = SubExpr->getType(); 2976 2977 if (SubExpr->getType()->isPointerType() || 2978 SubExpr->getType()->isBlockPointerType() || 2979 SubExpr->getType()->isObjCQualifiedIdType()) 2980 return EvalAddr(SubExpr, refVars); 2981 else if (T->isArrayType()) 2982 return EvalVal(SubExpr, refVars); 2983 else 2984 return 0; 2985 } 2986 2987 // C++ casts. For dynamic casts, static casts, and const casts, we 2988 // are always converting from a pointer-to-pointer, so we just blow 2989 // through the cast. In the case the dynamic cast doesn't fail (and 2990 // return NULL), we take the conservative route and report cases 2991 // where we return the address of a stack variable. For Reinterpre 2992 // FIXME: The comment about is wrong; we're not always converting 2993 // from pointer to pointer. I'm guessing that this code should also 2994 // handle references to objects. 2995 case Stmt::CXXStaticCastExprClass: 2996 case Stmt::CXXDynamicCastExprClass: 2997 case Stmt::CXXConstCastExprClass: 2998 case Stmt::CXXReinterpretCastExprClass: { 2999 Expr *S = cast<CXXNamedCastExpr>(E)->getSubExpr(); 3000 if (S->getType()->isPointerType() || S->getType()->isBlockPointerType()) 3001 return EvalAddr(S, refVars); 3002 else 3003 return NULL; 3004 } 3005 3006 case Stmt::MaterializeTemporaryExprClass: 3007 if (Expr *Result = EvalAddr( 3008 cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(), 3009 refVars)) 3010 return Result; 3011 3012 return E; 3013 3014 // Everything else: we simply don't reason about them. 3015 default: 3016 return NULL; 3017 } 3018} 3019 3020 3021/// EvalVal - This function is complements EvalAddr in the mutual recursion. 3022/// See the comments for EvalAddr for more details. 3023static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars) { 3024do { 3025 // We should only be called for evaluating non-pointer expressions, or 3026 // expressions with a pointer type that are not used as references but instead 3027 // are l-values (e.g., DeclRefExpr with a pointer type). 3028 3029 // Our "symbolic interpreter" is just a dispatch off the currently 3030 // viewed AST node. We then recursively traverse the AST by calling 3031 // EvalAddr and EvalVal appropriately. 3032 3033 E = E->IgnoreParens(); 3034 switch (E->getStmtClass()) { 3035 case Stmt::ImplicitCastExprClass: { 3036 ImplicitCastExpr *IE = cast<ImplicitCastExpr>(E); 3037 if (IE->getValueKind() == VK_LValue) { 3038 E = IE->getSubExpr(); 3039 continue; 3040 } 3041 return NULL; 3042 } 3043 3044 case Stmt::ExprWithCleanupsClass: 3045 return EvalVal(cast<ExprWithCleanups>(E)->getSubExpr(), refVars); 3046 3047 case Stmt::DeclRefExprClass: { 3048 // When we hit a DeclRefExpr we are looking at code that refers to a 3049 // variable's name. If it's not a reference variable we check if it has 3050 // local storage within the function, and if so, return the expression. 3051 DeclRefExpr *DR = cast<DeclRefExpr>(E); 3052 3053 if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) 3054 if (V->hasLocalStorage()) { 3055 if (!V->getType()->isReferenceType()) 3056 return DR; 3057 3058 // Reference variable, follow through to the expression that 3059 // it points to. 3060 if (V->hasInit()) { 3061 // Add the reference variable to the "trail". 3062 refVars.push_back(DR); 3063 return EvalVal(V->getInit(), refVars); 3064 } 3065 } 3066 3067 return NULL; 3068 } 3069 3070 case Stmt::UnaryOperatorClass: { 3071 // The only unary operator that make sense to handle here 3072 // is Deref. All others don't resolve to a "name." This includes 3073 // handling all sorts of rvalues passed to a unary operator. 3074 UnaryOperator *U = cast<UnaryOperator>(E); 3075 3076 if (U->getOpcode() == UO_Deref) 3077 return EvalAddr(U->getSubExpr(), refVars); 3078 3079 return NULL; 3080 } 3081 3082 case Stmt::ArraySubscriptExprClass: { 3083 // Array subscripts are potential references to data on the stack. We 3084 // retrieve the DeclRefExpr* for the array variable if it indeed 3085 // has local storage. 3086 return EvalAddr(cast<ArraySubscriptExpr>(E)->getBase(), refVars); 3087 } 3088 3089 case Stmt::ConditionalOperatorClass: { 3090 // For conditional operators we need to see if either the LHS or RHS are 3091 // non-NULL Expr's. If one is non-NULL, we return it. 3092 ConditionalOperator *C = cast<ConditionalOperator>(E); 3093 3094 // Handle the GNU extension for missing LHS. 3095 if (Expr *lhsExpr = C->getLHS()) 3096 if (Expr *LHS = EvalVal(lhsExpr, refVars)) 3097 return LHS; 3098 3099 return EvalVal(C->getRHS(), refVars); 3100 } 3101 3102 // Accesses to members are potential references to data on the stack. 3103 case Stmt::MemberExprClass: { 3104 MemberExpr *M = cast<MemberExpr>(E); 3105 3106 // Check for indirect access. We only want direct field accesses. 3107 if (M->isArrow()) 3108 return NULL; 3109 3110 // Check whether the member type is itself a reference, in which case 3111 // we're not going to refer to the member, but to what the member refers to. 3112 if (M->getMemberDecl()->getType()->isReferenceType()) 3113 return NULL; 3114 3115 return EvalVal(M->getBase(), refVars); 3116 } 3117 3118 case Stmt::MaterializeTemporaryExprClass: 3119 if (Expr *Result = EvalVal( 3120 cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(), 3121 refVars)) 3122 return Result; 3123 3124 return E; 3125 3126 default: 3127 // Check that we don't return or take the address of a reference to a 3128 // temporary. This is only useful in C++. 3129 if (!E->isTypeDependent() && E->isRValue()) 3130 return E; 3131 3132 // Everything else: we simply don't reason about them. 3133 return NULL; 3134 } 3135} while (true); 3136} 3137 3138//===--- CHECK: Floating-Point comparisons (-Wfloat-equal) ---------------===// 3139 3140/// Check for comparisons of floating point operands using != and ==. 3141/// Issue a warning if these are no self-comparisons, as they are not likely 3142/// to do what the programmer intended. 3143void Sema::CheckFloatComparison(SourceLocation Loc, Expr* LHS, Expr *RHS) { 3144 bool EmitWarning = true; 3145 3146 Expr* LeftExprSansParen = LHS->IgnoreParenImpCasts(); 3147 Expr* RightExprSansParen = RHS->IgnoreParenImpCasts(); 3148 3149 // Special case: check for x == x (which is OK). 3150 // Do not emit warnings for such cases. 3151 if (DeclRefExpr* DRL = dyn_cast<DeclRefExpr>(LeftExprSansParen)) 3152 if (DeclRefExpr* DRR = dyn_cast<DeclRefExpr>(RightExprSansParen)) 3153 if (DRL->getDecl() == DRR->getDecl()) 3154 EmitWarning = false; 3155 3156 3157 // Special case: check for comparisons against literals that can be exactly 3158 // represented by APFloat. In such cases, do not emit a warning. This 3159 // is a heuristic: often comparison against such literals are used to 3160 // detect if a value in a variable has not changed. This clearly can 3161 // lead to false negatives. 3162 if (EmitWarning) { 3163 if (FloatingLiteral* FLL = dyn_cast<FloatingLiteral>(LeftExprSansParen)) { 3164 if (FLL->isExact()) 3165 EmitWarning = false; 3166 } else 3167 if (FloatingLiteral* FLR = dyn_cast<FloatingLiteral>(RightExprSansParen)){ 3168 if (FLR->isExact()) 3169 EmitWarning = false; 3170 } 3171 } 3172 3173 // Check for comparisons with builtin types. 3174 if (EmitWarning) 3175 if (CallExpr* CL = dyn_cast<CallExpr>(LeftExprSansParen)) 3176 if (CL->isBuiltinCall()) 3177 EmitWarning = false; 3178 3179 if (EmitWarning) 3180 if (CallExpr* CR = dyn_cast<CallExpr>(RightExprSansParen)) 3181 if (CR->isBuiltinCall()) 3182 EmitWarning = false; 3183 3184 // Emit the diagnostic. 3185 if (EmitWarning) 3186 Diag(Loc, diag::warn_floatingpoint_eq) 3187 << LHS->getSourceRange() << RHS->getSourceRange(); 3188} 3189 3190//===--- CHECK: Integer mixed-sign comparisons (-Wsign-compare) --------===// 3191//===--- CHECK: Lossy implicit conversions (-Wconversion) --------------===// 3192 3193namespace { 3194 3195/// Structure recording the 'active' range of an integer-valued 3196/// expression. 3197struct IntRange { 3198 /// The number of bits active in the int. 3199 unsigned Width; 3200 3201 /// True if the int is known not to have negative values. 3202 bool NonNegative; 3203 3204 IntRange(unsigned Width, bool NonNegative) 3205 : Width(Width), NonNegative(NonNegative) 3206 {} 3207 3208 /// Returns the range of the bool type. 3209 static IntRange forBoolType() { 3210 return IntRange(1, true); 3211 } 3212 3213 /// Returns the range of an opaque value of the given integral type. 3214 static IntRange forValueOfType(ASTContext &C, QualType T) { 3215 return forValueOfCanonicalType(C, 3216 T->getCanonicalTypeInternal().getTypePtr()); 3217 } 3218 3219 /// Returns the range of an opaque value of a canonical integral type. 3220 static IntRange forValueOfCanonicalType(ASTContext &C, const Type *T) { 3221 assert(T->isCanonicalUnqualified()); 3222 3223 if (const VectorType *VT = dyn_cast<VectorType>(T)) 3224 T = VT->getElementType().getTypePtr(); 3225 if (const ComplexType *CT = dyn_cast<ComplexType>(T)) 3226 T = CT->getElementType().getTypePtr(); 3227 3228 // For enum types, use the known bit width of the enumerators. 3229 if (const EnumType *ET = dyn_cast<EnumType>(T)) { 3230 EnumDecl *Enum = ET->getDecl(); 3231 if (!Enum->isCompleteDefinition()) 3232 return IntRange(C.getIntWidth(QualType(T, 0)), false); 3233 3234 unsigned NumPositive = Enum->getNumPositiveBits(); 3235 unsigned NumNegative = Enum->getNumNegativeBits(); 3236 3237 return IntRange(std::max(NumPositive, NumNegative), NumNegative == 0); 3238 } 3239 3240 const BuiltinType *BT = cast<BuiltinType>(T); 3241 assert(BT->isInteger()); 3242 3243 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); 3244 } 3245 3246 /// Returns the "target" range of a canonical integral type, i.e. 3247 /// the range of values expressible in the type. 3248 /// 3249 /// This matches forValueOfCanonicalType except that enums have the 3250 /// full range of their type, not the range of their enumerators. 3251 static IntRange forTargetOfCanonicalType(ASTContext &C, const Type *T) { 3252 assert(T->isCanonicalUnqualified()); 3253 3254 if (const VectorType *VT = dyn_cast<VectorType>(T)) 3255 T = VT->getElementType().getTypePtr(); 3256 if (const ComplexType *CT = dyn_cast<ComplexType>(T)) 3257 T = CT->getElementType().getTypePtr(); 3258 if (const EnumType *ET = dyn_cast<EnumType>(T)) 3259 T = C.getCanonicalType(ET->getDecl()->getIntegerType()).getTypePtr(); 3260 3261 const BuiltinType *BT = cast<BuiltinType>(T); 3262 assert(BT->isInteger()); 3263 3264 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); 3265 } 3266 3267 /// Returns the supremum of two ranges: i.e. their conservative merge. 3268 static IntRange join(IntRange L, IntRange R) { 3269 return IntRange(std::max(L.Width, R.Width), 3270 L.NonNegative && R.NonNegative); 3271 } 3272 3273 /// Returns the infinum of two ranges: i.e. their aggressive merge. 3274 static IntRange meet(IntRange L, IntRange R) { 3275 return IntRange(std::min(L.Width, R.Width), 3276 L.NonNegative || R.NonNegative); 3277 } 3278}; 3279 3280static IntRange GetValueRange(ASTContext &C, llvm::APSInt &value, 3281 unsigned MaxWidth) { 3282 if (value.isSigned() && value.isNegative()) 3283 return IntRange(value.getMinSignedBits(), false); 3284 3285 if (value.getBitWidth() > MaxWidth) 3286 value = value.trunc(MaxWidth); 3287 3288 // isNonNegative() just checks the sign bit without considering 3289 // signedness. 3290 return IntRange(value.getActiveBits(), true); 3291} 3292 3293static IntRange GetValueRange(ASTContext &C, APValue &result, QualType Ty, 3294 unsigned MaxWidth) { 3295 if (result.isInt()) 3296 return GetValueRange(C, result.getInt(), MaxWidth); 3297 3298 if (result.isVector()) { 3299 IntRange R = GetValueRange(C, result.getVectorElt(0), Ty, MaxWidth); 3300 for (unsigned i = 1, e = result.getVectorLength(); i != e; ++i) { 3301 IntRange El = GetValueRange(C, result.getVectorElt(i), Ty, MaxWidth); 3302 R = IntRange::join(R, El); 3303 } 3304 return R; 3305 } 3306 3307 if (result.isComplexInt()) { 3308 IntRange R = GetValueRange(C, result.getComplexIntReal(), MaxWidth); 3309 IntRange I = GetValueRange(C, result.getComplexIntImag(), MaxWidth); 3310 return IntRange::join(R, I); 3311 } 3312 3313 // This can happen with lossless casts to intptr_t of "based" lvalues. 3314 // Assume it might use arbitrary bits. 3315 // FIXME: The only reason we need to pass the type in here is to get 3316 // the sign right on this one case. It would be nice if APValue 3317 // preserved this. 3318 assert(result.isLValue() || result.isAddrLabelDiff()); 3319 return IntRange(MaxWidth, Ty->isUnsignedIntegerOrEnumerationType()); 3320} 3321 3322/// Pseudo-evaluate the given integer expression, estimating the 3323/// range of values it might take. 3324/// 3325/// \param MaxWidth - the width to which the value will be truncated 3326static IntRange GetExprRange(ASTContext &C, Expr *E, unsigned MaxWidth) { 3327 E = E->IgnoreParens(); 3328 3329 // Try a full evaluation first. 3330 Expr::EvalResult result; 3331 if (E->EvaluateAsRValue(result, C)) 3332 return GetValueRange(C, result.Val, E->getType(), MaxWidth); 3333 3334 // I think we only want to look through implicit casts here; if the 3335 // user has an explicit widening cast, we should treat the value as 3336 // being of the new, wider type. 3337 if (ImplicitCastExpr *CE = dyn_cast<ImplicitCastExpr>(E)) { 3338 if (CE->getCastKind() == CK_NoOp || CE->getCastKind() == CK_LValueToRValue) 3339 return GetExprRange(C, CE->getSubExpr(), MaxWidth); 3340 3341 IntRange OutputTypeRange = IntRange::forValueOfType(C, CE->getType()); 3342 3343 bool isIntegerCast = (CE->getCastKind() == CK_IntegralCast); 3344 3345 // Assume that non-integer casts can span the full range of the type. 3346 if (!isIntegerCast) 3347 return OutputTypeRange; 3348 3349 IntRange SubRange 3350 = GetExprRange(C, CE->getSubExpr(), 3351 std::min(MaxWidth, OutputTypeRange.Width)); 3352 3353 // Bail out if the subexpr's range is as wide as the cast type. 3354 if (SubRange.Width >= OutputTypeRange.Width) 3355 return OutputTypeRange; 3356 3357 // Otherwise, we take the smaller width, and we're non-negative if 3358 // either the output type or the subexpr is. 3359 return IntRange(SubRange.Width, 3360 SubRange.NonNegative || OutputTypeRange.NonNegative); 3361 } 3362 3363 if (ConditionalOperator *CO = dyn_cast<ConditionalOperator>(E)) { 3364 // If we can fold the condition, just take that operand. 3365 bool CondResult; 3366 if (CO->getCond()->EvaluateAsBooleanCondition(CondResult, C)) 3367 return GetExprRange(C, CondResult ? CO->getTrueExpr() 3368 : CO->getFalseExpr(), 3369 MaxWidth); 3370 3371 // Otherwise, conservatively merge. 3372 IntRange L = GetExprRange(C, CO->getTrueExpr(), MaxWidth); 3373 IntRange R = GetExprRange(C, CO->getFalseExpr(), MaxWidth); 3374 return IntRange::join(L, R); 3375 } 3376 3377 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 3378 switch (BO->getOpcode()) { 3379 3380 // Boolean-valued operations are single-bit and positive. 3381 case BO_LAnd: 3382 case BO_LOr: 3383 case BO_LT: 3384 case BO_GT: 3385 case BO_LE: 3386 case BO_GE: 3387 case BO_EQ: 3388 case BO_NE: 3389 return IntRange::forBoolType(); 3390 3391 // The type of the assignments is the type of the LHS, so the RHS 3392 // is not necessarily the same type. 3393 case BO_MulAssign: 3394 case BO_DivAssign: 3395 case BO_RemAssign: 3396 case BO_AddAssign: 3397 case BO_SubAssign: 3398 case BO_XorAssign: 3399 case BO_OrAssign: 3400 // TODO: bitfields? 3401 return IntRange::forValueOfType(C, E->getType()); 3402 3403 // Simple assignments just pass through the RHS, which will have 3404 // been coerced to the LHS type. 3405 case BO_Assign: 3406 // TODO: bitfields? 3407 return GetExprRange(C, BO->getRHS(), MaxWidth); 3408 3409 // Operations with opaque sources are black-listed. 3410 case BO_PtrMemD: 3411 case BO_PtrMemI: 3412 return IntRange::forValueOfType(C, E->getType()); 3413 3414 // Bitwise-and uses the *infinum* of the two source ranges. 3415 case BO_And: 3416 case BO_AndAssign: 3417 return IntRange::meet(GetExprRange(C, BO->getLHS(), MaxWidth), 3418 GetExprRange(C, BO->getRHS(), MaxWidth)); 3419 3420 // Left shift gets black-listed based on a judgement call. 3421 case BO_Shl: 3422 // ...except that we want to treat '1 << (blah)' as logically 3423 // positive. It's an important idiom. 3424 if (IntegerLiteral *I 3425 = dyn_cast<IntegerLiteral>(BO->getLHS()->IgnoreParenCasts())) { 3426 if (I->getValue() == 1) { 3427 IntRange R = IntRange::forValueOfType(C, E->getType()); 3428 return IntRange(R.Width, /*NonNegative*/ true); 3429 } 3430 } 3431 // fallthrough 3432 3433 case BO_ShlAssign: 3434 return IntRange::forValueOfType(C, E->getType()); 3435 3436 // Right shift by a constant can narrow its left argument. 3437 case BO_Shr: 3438 case BO_ShrAssign: { 3439 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 3440 3441 // If the shift amount is a positive constant, drop the width by 3442 // that much. 3443 llvm::APSInt shift; 3444 if (BO->getRHS()->isIntegerConstantExpr(shift, C) && 3445 shift.isNonNegative()) { 3446 unsigned zext = shift.getZExtValue(); 3447 if (zext >= L.Width) 3448 L.Width = (L.NonNegative ? 0 : 1); 3449 else 3450 L.Width -= zext; 3451 } 3452 3453 return L; 3454 } 3455 3456 // Comma acts as its right operand. 3457 case BO_Comma: 3458 return GetExprRange(C, BO->getRHS(), MaxWidth); 3459 3460 // Black-list pointer subtractions. 3461 case BO_Sub: 3462 if (BO->getLHS()->getType()->isPointerType()) 3463 return IntRange::forValueOfType(C, E->getType()); 3464 break; 3465 3466 // The width of a division result is mostly determined by the size 3467 // of the LHS. 3468 case BO_Div: { 3469 // Don't 'pre-truncate' the operands. 3470 unsigned opWidth = C.getIntWidth(E->getType()); 3471 IntRange L = GetExprRange(C, BO->getLHS(), opWidth); 3472 3473 // If the divisor is constant, use that. 3474 llvm::APSInt divisor; 3475 if (BO->getRHS()->isIntegerConstantExpr(divisor, C)) { 3476 unsigned log2 = divisor.logBase2(); // floor(log_2(divisor)) 3477 if (log2 >= L.Width) 3478 L.Width = (L.NonNegative ? 0 : 1); 3479 else 3480 L.Width = std::min(L.Width - log2, MaxWidth); 3481 return L; 3482 } 3483 3484 // Otherwise, just use the LHS's width. 3485 IntRange R = GetExprRange(C, BO->getRHS(), opWidth); 3486 return IntRange(L.Width, L.NonNegative && R.NonNegative); 3487 } 3488 3489 // The result of a remainder can't be larger than the result of 3490 // either side. 3491 case BO_Rem: { 3492 // Don't 'pre-truncate' the operands. 3493 unsigned opWidth = C.getIntWidth(E->getType()); 3494 IntRange L = GetExprRange(C, BO->getLHS(), opWidth); 3495 IntRange R = GetExprRange(C, BO->getRHS(), opWidth); 3496 3497 IntRange meet = IntRange::meet(L, R); 3498 meet.Width = std::min(meet.Width, MaxWidth); 3499 return meet; 3500 } 3501 3502 // The default behavior is okay for these. 3503 case BO_Mul: 3504 case BO_Add: 3505 case BO_Xor: 3506 case BO_Or: 3507 break; 3508 } 3509 3510 // The default case is to treat the operation as if it were closed 3511 // on the narrowest type that encompasses both operands. 3512 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 3513 IntRange R = GetExprRange(C, BO->getRHS(), MaxWidth); 3514 return IntRange::join(L, R); 3515 } 3516 3517 if (UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) { 3518 switch (UO->getOpcode()) { 3519 // Boolean-valued operations are white-listed. 3520 case UO_LNot: 3521 return IntRange::forBoolType(); 3522 3523 // Operations with opaque sources are black-listed. 3524 case UO_Deref: 3525 case UO_AddrOf: // should be impossible 3526 return IntRange::forValueOfType(C, E->getType()); 3527 3528 default: 3529 return GetExprRange(C, UO->getSubExpr(), MaxWidth); 3530 } 3531 } 3532 3533 if (dyn_cast<OffsetOfExpr>(E)) { 3534 IntRange::forValueOfType(C, E->getType()); 3535 } 3536 3537 if (FieldDecl *BitField = E->getBitField()) 3538 return IntRange(BitField->getBitWidthValue(C), 3539 BitField->getType()->isUnsignedIntegerOrEnumerationType()); 3540 3541 return IntRange::forValueOfType(C, E->getType()); 3542} 3543 3544static IntRange GetExprRange(ASTContext &C, Expr *E) { 3545 return GetExprRange(C, E, C.getIntWidth(E->getType())); 3546} 3547 3548/// Checks whether the given value, which currently has the given 3549/// source semantics, has the same value when coerced through the 3550/// target semantics. 3551static bool IsSameFloatAfterCast(const llvm::APFloat &value, 3552 const llvm::fltSemantics &Src, 3553 const llvm::fltSemantics &Tgt) { 3554 llvm::APFloat truncated = value; 3555 3556 bool ignored; 3557 truncated.convert(Src, llvm::APFloat::rmNearestTiesToEven, &ignored); 3558 truncated.convert(Tgt, llvm::APFloat::rmNearestTiesToEven, &ignored); 3559 3560 return truncated.bitwiseIsEqual(value); 3561} 3562 3563/// Checks whether the given value, which currently has the given 3564/// source semantics, has the same value when coerced through the 3565/// target semantics. 3566/// 3567/// The value might be a vector of floats (or a complex number). 3568static bool IsSameFloatAfterCast(const APValue &value, 3569 const llvm::fltSemantics &Src, 3570 const llvm::fltSemantics &Tgt) { 3571 if (value.isFloat()) 3572 return IsSameFloatAfterCast(value.getFloat(), Src, Tgt); 3573 3574 if (value.isVector()) { 3575 for (unsigned i = 0, e = value.getVectorLength(); i != e; ++i) 3576 if (!IsSameFloatAfterCast(value.getVectorElt(i), Src, Tgt)) 3577 return false; 3578 return true; 3579 } 3580 3581 assert(value.isComplexFloat()); 3582 return (IsSameFloatAfterCast(value.getComplexFloatReal(), Src, Tgt) && 3583 IsSameFloatAfterCast(value.getComplexFloatImag(), Src, Tgt)); 3584} 3585 3586static void AnalyzeImplicitConversions(Sema &S, Expr *E, SourceLocation CC); 3587 3588static bool IsZero(Sema &S, Expr *E) { 3589 // Suppress cases where we are comparing against an enum constant. 3590 if (const DeclRefExpr *DR = 3591 dyn_cast<DeclRefExpr>(E->IgnoreParenImpCasts())) 3592 if (isa<EnumConstantDecl>(DR->getDecl())) 3593 return false; 3594 3595 // Suppress cases where the '0' value is expanded from a macro. 3596 if (E->getLocStart().isMacroID()) 3597 return false; 3598 3599 llvm::APSInt Value; 3600 return E->isIntegerConstantExpr(Value, S.Context) && Value == 0; 3601} 3602 3603static bool HasEnumType(Expr *E) { 3604 // Strip off implicit integral promotions. 3605 while (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) { 3606 if (ICE->getCastKind() != CK_IntegralCast && 3607 ICE->getCastKind() != CK_NoOp) 3608 break; 3609 E = ICE->getSubExpr(); 3610 } 3611 3612 return E->getType()->isEnumeralType(); 3613} 3614 3615static void CheckTrivialUnsignedComparison(Sema &S, BinaryOperator *E) { 3616 BinaryOperatorKind op = E->getOpcode(); 3617 if (E->isValueDependent()) 3618 return; 3619 3620 if (op == BO_LT && IsZero(S, E->getRHS())) { 3621 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 3622 << "< 0" << "false" << HasEnumType(E->getLHS()) 3623 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 3624 } else if (op == BO_GE && IsZero(S, E->getRHS())) { 3625 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 3626 << ">= 0" << "true" << HasEnumType(E->getLHS()) 3627 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 3628 } else if (op == BO_GT && IsZero(S, E->getLHS())) { 3629 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 3630 << "0 >" << "false" << HasEnumType(E->getRHS()) 3631 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 3632 } else if (op == BO_LE && IsZero(S, E->getLHS())) { 3633 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 3634 << "0 <=" << "true" << HasEnumType(E->getRHS()) 3635 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 3636 } 3637} 3638 3639/// Analyze the operands of the given comparison. Implements the 3640/// fallback case from AnalyzeComparison. 3641static void AnalyzeImpConvsInComparison(Sema &S, BinaryOperator *E) { 3642 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc()); 3643 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc()); 3644} 3645 3646/// \brief Implements -Wsign-compare. 3647/// 3648/// \param E the binary operator to check for warnings 3649static void AnalyzeComparison(Sema &S, BinaryOperator *E) { 3650 // The type the comparison is being performed in. 3651 QualType T = E->getLHS()->getType(); 3652 assert(S.Context.hasSameUnqualifiedType(T, E->getRHS()->getType()) 3653 && "comparison with mismatched types"); 3654 3655 // We don't do anything special if this isn't an unsigned integral 3656 // comparison: we're only interested in integral comparisons, and 3657 // signed comparisons only happen in cases we don't care to warn about. 3658 // 3659 // We also don't care about value-dependent expressions or expressions 3660 // whose result is a constant. 3661 if (!T->hasUnsignedIntegerRepresentation() 3662 || E->isValueDependent() || E->isIntegerConstantExpr(S.Context)) 3663 return AnalyzeImpConvsInComparison(S, E); 3664 3665 Expr *LHS = E->getLHS()->IgnoreParenImpCasts(); 3666 Expr *RHS = E->getRHS()->IgnoreParenImpCasts(); 3667 3668 // Check to see if one of the (unmodified) operands is of different 3669 // signedness. 3670 Expr *signedOperand, *unsignedOperand; 3671 if (LHS->getType()->hasSignedIntegerRepresentation()) { 3672 assert(!RHS->getType()->hasSignedIntegerRepresentation() && 3673 "unsigned comparison between two signed integer expressions?"); 3674 signedOperand = LHS; 3675 unsignedOperand = RHS; 3676 } else if (RHS->getType()->hasSignedIntegerRepresentation()) { 3677 signedOperand = RHS; 3678 unsignedOperand = LHS; 3679 } else { 3680 CheckTrivialUnsignedComparison(S, E); 3681 return AnalyzeImpConvsInComparison(S, E); 3682 } 3683 3684 // Otherwise, calculate the effective range of the signed operand. 3685 IntRange signedRange = GetExprRange(S.Context, signedOperand); 3686 3687 // Go ahead and analyze implicit conversions in the operands. Note 3688 // that we skip the implicit conversions on both sides. 3689 AnalyzeImplicitConversions(S, LHS, E->getOperatorLoc()); 3690 AnalyzeImplicitConversions(S, RHS, E->getOperatorLoc()); 3691 3692 // If the signed range is non-negative, -Wsign-compare won't fire, 3693 // but we should still check for comparisons which are always true 3694 // or false. 3695 if (signedRange.NonNegative) 3696 return CheckTrivialUnsignedComparison(S, E); 3697 3698 // For (in)equality comparisons, if the unsigned operand is a 3699 // constant which cannot collide with a overflowed signed operand, 3700 // then reinterpreting the signed operand as unsigned will not 3701 // change the result of the comparison. 3702 if (E->isEqualityOp()) { 3703 unsigned comparisonWidth = S.Context.getIntWidth(T); 3704 IntRange unsignedRange = GetExprRange(S.Context, unsignedOperand); 3705 3706 // We should never be unable to prove that the unsigned operand is 3707 // non-negative. 3708 assert(unsignedRange.NonNegative && "unsigned range includes negative?"); 3709 3710 if (unsignedRange.Width < comparisonWidth) 3711 return; 3712 } 3713 3714 S.Diag(E->getOperatorLoc(), diag::warn_mixed_sign_comparison) 3715 << LHS->getType() << RHS->getType() 3716 << LHS->getSourceRange() << RHS->getSourceRange(); 3717} 3718 3719/// Analyzes an attempt to assign the given value to a bitfield. 3720/// 3721/// Returns true if there was something fishy about the attempt. 3722static bool AnalyzeBitFieldAssignment(Sema &S, FieldDecl *Bitfield, Expr *Init, 3723 SourceLocation InitLoc) { 3724 assert(Bitfield->isBitField()); 3725 if (Bitfield->isInvalidDecl()) 3726 return false; 3727 3728 // White-list bool bitfields. 3729 if (Bitfield->getType()->isBooleanType()) 3730 return false; 3731 3732 // Ignore value- or type-dependent expressions. 3733 if (Bitfield->getBitWidth()->isValueDependent() || 3734 Bitfield->getBitWidth()->isTypeDependent() || 3735 Init->isValueDependent() || 3736 Init->isTypeDependent()) 3737 return false; 3738 3739 Expr *OriginalInit = Init->IgnoreParenImpCasts(); 3740 3741 llvm::APSInt Value; 3742 if (!OriginalInit->EvaluateAsInt(Value, S.Context, Expr::SE_AllowSideEffects)) 3743 return false; 3744 3745 unsigned OriginalWidth = Value.getBitWidth(); 3746 unsigned FieldWidth = Bitfield->getBitWidthValue(S.Context); 3747 3748 if (OriginalWidth <= FieldWidth) 3749 return false; 3750 3751 // Compute the value which the bitfield will contain. 3752 llvm::APSInt TruncatedValue = Value.trunc(FieldWidth); 3753 TruncatedValue.setIsSigned(Bitfield->getType()->isSignedIntegerType()); 3754 3755 // Check whether the stored value is equal to the original value. 3756 TruncatedValue = TruncatedValue.extend(OriginalWidth); 3757 if (Value == TruncatedValue) 3758 return false; 3759 3760 // Special-case bitfields of width 1: booleans are naturally 0/1, and 3761 // therefore don't strictly fit into a signed bitfield of width 1. 3762 if (FieldWidth == 1 && Value == 1) 3763 return false; 3764 3765 std::string PrettyValue = Value.toString(10); 3766 std::string PrettyTrunc = TruncatedValue.toString(10); 3767 3768 S.Diag(InitLoc, diag::warn_impcast_bitfield_precision_constant) 3769 << PrettyValue << PrettyTrunc << OriginalInit->getType() 3770 << Init->getSourceRange(); 3771 3772 return true; 3773} 3774 3775/// Analyze the given simple or compound assignment for warning-worthy 3776/// operations. 3777static void AnalyzeAssignment(Sema &S, BinaryOperator *E) { 3778 // Just recurse on the LHS. 3779 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc()); 3780 3781 // We want to recurse on the RHS as normal unless we're assigning to 3782 // a bitfield. 3783 if (FieldDecl *Bitfield = E->getLHS()->getBitField()) { 3784 if (AnalyzeBitFieldAssignment(S, Bitfield, E->getRHS(), 3785 E->getOperatorLoc())) { 3786 // Recurse, ignoring any implicit conversions on the RHS. 3787 return AnalyzeImplicitConversions(S, E->getRHS()->IgnoreParenImpCasts(), 3788 E->getOperatorLoc()); 3789 } 3790 } 3791 3792 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc()); 3793} 3794 3795/// Diagnose an implicit cast; purely a helper for CheckImplicitConversion. 3796static void DiagnoseImpCast(Sema &S, Expr *E, QualType SourceType, QualType T, 3797 SourceLocation CContext, unsigned diag, 3798 bool pruneControlFlow = false) { 3799 if (pruneControlFlow) { 3800 S.DiagRuntimeBehavior(E->getExprLoc(), E, 3801 S.PDiag(diag) 3802 << SourceType << T << E->getSourceRange() 3803 << SourceRange(CContext)); 3804 return; 3805 } 3806 S.Diag(E->getExprLoc(), diag) 3807 << SourceType << T << E->getSourceRange() << SourceRange(CContext); 3808} 3809 3810/// Diagnose an implicit cast; purely a helper for CheckImplicitConversion. 3811static void DiagnoseImpCast(Sema &S, Expr *E, QualType T, 3812 SourceLocation CContext, unsigned diag, 3813 bool pruneControlFlow = false) { 3814 DiagnoseImpCast(S, E, E->getType(), T, CContext, diag, pruneControlFlow); 3815} 3816 3817/// Diagnose an implicit cast from a literal expression. Does not warn when the 3818/// cast wouldn't lose information. 3819void DiagnoseFloatingLiteralImpCast(Sema &S, FloatingLiteral *FL, QualType T, 3820 SourceLocation CContext) { 3821 // Try to convert the literal exactly to an integer. If we can, don't warn. 3822 bool isExact = false; 3823 const llvm::APFloat &Value = FL->getValue(); 3824 llvm::APSInt IntegerValue(S.Context.getIntWidth(T), 3825 T->hasUnsignedIntegerRepresentation()); 3826 if (Value.convertToInteger(IntegerValue, 3827 llvm::APFloat::rmTowardZero, &isExact) 3828 == llvm::APFloat::opOK && isExact) 3829 return; 3830 3831 S.Diag(FL->getExprLoc(), diag::warn_impcast_literal_float_to_integer) 3832 << FL->getType() << T << FL->getSourceRange() << SourceRange(CContext); 3833} 3834 3835std::string PrettyPrintInRange(const llvm::APSInt &Value, IntRange Range) { 3836 if (!Range.Width) return "0"; 3837 3838 llvm::APSInt ValueInRange = Value; 3839 ValueInRange.setIsSigned(!Range.NonNegative); 3840 ValueInRange = ValueInRange.trunc(Range.Width); 3841 return ValueInRange.toString(10); 3842} 3843 3844void CheckImplicitConversion(Sema &S, Expr *E, QualType T, 3845 SourceLocation CC, bool *ICContext = 0) { 3846 if (E->isTypeDependent() || E->isValueDependent()) return; 3847 3848 const Type *Source = S.Context.getCanonicalType(E->getType()).getTypePtr(); 3849 const Type *Target = S.Context.getCanonicalType(T).getTypePtr(); 3850 if (Source == Target) return; 3851 if (Target->isDependentType()) return; 3852 3853 // If the conversion context location is invalid don't complain. We also 3854 // don't want to emit a warning if the issue occurs from the expansion of 3855 // a system macro. The problem is that 'getSpellingLoc()' is slow, so we 3856 // delay this check as long as possible. Once we detect we are in that 3857 // scenario, we just return. 3858 if (CC.isInvalid()) 3859 return; 3860 3861 // Diagnose implicit casts to bool. 3862 if (Target->isSpecificBuiltinType(BuiltinType::Bool)) { 3863 if (isa<StringLiteral>(E)) 3864 // Warn on string literal to bool. Checks for string literals in logical 3865 // expressions, for instances, assert(0 && "error here"), is prevented 3866 // by a check in AnalyzeImplicitConversions(). 3867 return DiagnoseImpCast(S, E, T, CC, 3868 diag::warn_impcast_string_literal_to_bool); 3869 if (Source->isFunctionType()) { 3870 // Warn on function to bool. Checks free functions and static member 3871 // functions. Weakly imported functions are excluded from the check, 3872 // since it's common to test their value to check whether the linker 3873 // found a definition for them. 3874 ValueDecl *D = 0; 3875 if (DeclRefExpr* R = dyn_cast<DeclRefExpr>(E)) { 3876 D = R->getDecl(); 3877 } else if (MemberExpr *M = dyn_cast<MemberExpr>(E)) { 3878 D = M->getMemberDecl(); 3879 } 3880 3881 if (D && !D->isWeak()) { 3882 if (FunctionDecl* F = dyn_cast<FunctionDecl>(D)) { 3883 S.Diag(E->getExprLoc(), diag::warn_impcast_function_to_bool) 3884 << F << E->getSourceRange() << SourceRange(CC); 3885 S.Diag(E->getExprLoc(), diag::note_function_to_bool_silence) 3886 << FixItHint::CreateInsertion(E->getExprLoc(), "&"); 3887 QualType ReturnType; 3888 UnresolvedSet<4> NonTemplateOverloads; 3889 S.isExprCallable(*E, ReturnType, NonTemplateOverloads); 3890 if (!ReturnType.isNull() 3891 && ReturnType->isSpecificBuiltinType(BuiltinType::Bool)) 3892 S.Diag(E->getExprLoc(), diag::note_function_to_bool_call) 3893 << FixItHint::CreateInsertion( 3894 S.getPreprocessor().getLocForEndOfToken(E->getLocEnd()), "()"); 3895 return; 3896 } 3897 } 3898 } 3899 return; // Other casts to bool are not checked. 3900 } 3901 3902 // Strip vector types. 3903 if (isa<VectorType>(Source)) { 3904 if (!isa<VectorType>(Target)) { 3905 if (S.SourceMgr.isInSystemMacro(CC)) 3906 return; 3907 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_vector_scalar); 3908 } 3909 3910 // If the vector cast is cast between two vectors of the same size, it is 3911 // a bitcast, not a conversion. 3912 if (S.Context.getTypeSize(Source) == S.Context.getTypeSize(Target)) 3913 return; 3914 3915 Source = cast<VectorType>(Source)->getElementType().getTypePtr(); 3916 Target = cast<VectorType>(Target)->getElementType().getTypePtr(); 3917 } 3918 3919 // Strip complex types. 3920 if (isa<ComplexType>(Source)) { 3921 if (!isa<ComplexType>(Target)) { 3922 if (S.SourceMgr.isInSystemMacro(CC)) 3923 return; 3924 3925 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_complex_scalar); 3926 } 3927 3928 Source = cast<ComplexType>(Source)->getElementType().getTypePtr(); 3929 Target = cast<ComplexType>(Target)->getElementType().getTypePtr(); 3930 } 3931 3932 const BuiltinType *SourceBT = dyn_cast<BuiltinType>(Source); 3933 const BuiltinType *TargetBT = dyn_cast<BuiltinType>(Target); 3934 3935 // If the source is floating point... 3936 if (SourceBT && SourceBT->isFloatingPoint()) { 3937 // ...and the target is floating point... 3938 if (TargetBT && TargetBT->isFloatingPoint()) { 3939 // ...then warn if we're dropping FP rank. 3940 3941 // Builtin FP kinds are ordered by increasing FP rank. 3942 if (SourceBT->getKind() > TargetBT->getKind()) { 3943 // Don't warn about float constants that are precisely 3944 // representable in the target type. 3945 Expr::EvalResult result; 3946 if (E->EvaluateAsRValue(result, S.Context)) { 3947 // Value might be a float, a float vector, or a float complex. 3948 if (IsSameFloatAfterCast(result.Val, 3949 S.Context.getFloatTypeSemantics(QualType(TargetBT, 0)), 3950 S.Context.getFloatTypeSemantics(QualType(SourceBT, 0)))) 3951 return; 3952 } 3953 3954 if (S.SourceMgr.isInSystemMacro(CC)) 3955 return; 3956 3957 DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_precision); 3958 } 3959 return; 3960 } 3961 3962 // If the target is integral, always warn. 3963 if ((TargetBT && TargetBT->isInteger())) { 3964 if (S.SourceMgr.isInSystemMacro(CC)) 3965 return; 3966 3967 Expr *InnerE = E->IgnoreParenImpCasts(); 3968 // We also want to warn on, e.g., "int i = -1.234" 3969 if (UnaryOperator *UOp = dyn_cast<UnaryOperator>(InnerE)) 3970 if (UOp->getOpcode() == UO_Minus || UOp->getOpcode() == UO_Plus) 3971 InnerE = UOp->getSubExpr()->IgnoreParenImpCasts(); 3972 3973 if (FloatingLiteral *FL = dyn_cast<FloatingLiteral>(InnerE)) { 3974 DiagnoseFloatingLiteralImpCast(S, FL, T, CC); 3975 } else { 3976 DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_integer); 3977 } 3978 } 3979 3980 return; 3981 } 3982 3983 if (!Source->isIntegerType() || !Target->isIntegerType()) 3984 return; 3985 3986 if ((E->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNotNull) 3987 == Expr::NPCK_GNUNull) && Target->isIntegerType()) { 3988 S.Diag(E->getExprLoc(), diag::warn_impcast_null_pointer_to_integer) 3989 << E->getSourceRange() << clang::SourceRange(CC); 3990 return; 3991 } 3992 3993 IntRange SourceRange = GetExprRange(S.Context, E); 3994 IntRange TargetRange = IntRange::forTargetOfCanonicalType(S.Context, Target); 3995 3996 if (SourceRange.Width > TargetRange.Width) { 3997 // If the source is a constant, use a default-on diagnostic. 3998 // TODO: this should happen for bitfield stores, too. 3999 llvm::APSInt Value(32); 4000 if (E->isIntegerConstantExpr(Value, S.Context)) { 4001 if (S.SourceMgr.isInSystemMacro(CC)) 4002 return; 4003 4004 std::string PrettySourceValue = Value.toString(10); 4005 std::string PrettyTargetValue = PrettyPrintInRange(Value, TargetRange); 4006 4007 S.DiagRuntimeBehavior(E->getExprLoc(), E, 4008 S.PDiag(diag::warn_impcast_integer_precision_constant) 4009 << PrettySourceValue << PrettyTargetValue 4010 << E->getType() << T << E->getSourceRange() 4011 << clang::SourceRange(CC)); 4012 return; 4013 } 4014 4015 // People want to build with -Wshorten-64-to-32 and not -Wconversion. 4016 if (S.SourceMgr.isInSystemMacro(CC)) 4017 return; 4018 4019 if (SourceRange.Width == 64 && TargetRange.Width == 32) 4020 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_64_32, 4021 /* pruneControlFlow */ true); 4022 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_precision); 4023 } 4024 4025 if ((TargetRange.NonNegative && !SourceRange.NonNegative) || 4026 (!TargetRange.NonNegative && SourceRange.NonNegative && 4027 SourceRange.Width == TargetRange.Width)) { 4028 4029 if (S.SourceMgr.isInSystemMacro(CC)) 4030 return; 4031 4032 unsigned DiagID = diag::warn_impcast_integer_sign; 4033 4034 // Traditionally, gcc has warned about this under -Wsign-compare. 4035 // We also want to warn about it in -Wconversion. 4036 // So if -Wconversion is off, use a completely identical diagnostic 4037 // in the sign-compare group. 4038 // The conditional-checking code will 4039 if (ICContext) { 4040 DiagID = diag::warn_impcast_integer_sign_conditional; 4041 *ICContext = true; 4042 } 4043 4044 return DiagnoseImpCast(S, E, T, CC, DiagID); 4045 } 4046 4047 // Diagnose conversions between different enumeration types. 4048 // In C, we pretend that the type of an EnumConstantDecl is its enumeration 4049 // type, to give us better diagnostics. 4050 QualType SourceType = E->getType(); 4051 if (!S.getLangOptions().CPlusPlus) { 4052 if (DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) 4053 if (EnumConstantDecl *ECD = dyn_cast<EnumConstantDecl>(DRE->getDecl())) { 4054 EnumDecl *Enum = cast<EnumDecl>(ECD->getDeclContext()); 4055 SourceType = S.Context.getTypeDeclType(Enum); 4056 Source = S.Context.getCanonicalType(SourceType).getTypePtr(); 4057 } 4058 } 4059 4060 if (const EnumType *SourceEnum = Source->getAs<EnumType>()) 4061 if (const EnumType *TargetEnum = Target->getAs<EnumType>()) 4062 if ((SourceEnum->getDecl()->getIdentifier() || 4063 SourceEnum->getDecl()->getTypedefNameForAnonDecl()) && 4064 (TargetEnum->getDecl()->getIdentifier() || 4065 TargetEnum->getDecl()->getTypedefNameForAnonDecl()) && 4066 SourceEnum != TargetEnum) { 4067 if (S.SourceMgr.isInSystemMacro(CC)) 4068 return; 4069 4070 return DiagnoseImpCast(S, E, SourceType, T, CC, 4071 diag::warn_impcast_different_enum_types); 4072 } 4073 4074 return; 4075} 4076 4077void CheckConditionalOperator(Sema &S, ConditionalOperator *E, QualType T); 4078 4079void CheckConditionalOperand(Sema &S, Expr *E, QualType T, 4080 SourceLocation CC, bool &ICContext) { 4081 E = E->IgnoreParenImpCasts(); 4082 4083 if (isa<ConditionalOperator>(E)) 4084 return CheckConditionalOperator(S, cast<ConditionalOperator>(E), T); 4085 4086 AnalyzeImplicitConversions(S, E, CC); 4087 if (E->getType() != T) 4088 return CheckImplicitConversion(S, E, T, CC, &ICContext); 4089 return; 4090} 4091 4092void CheckConditionalOperator(Sema &S, ConditionalOperator *E, QualType T) { 4093 SourceLocation CC = E->getQuestionLoc(); 4094 4095 AnalyzeImplicitConversions(S, E->getCond(), CC); 4096 4097 bool Suspicious = false; 4098 CheckConditionalOperand(S, E->getTrueExpr(), T, CC, Suspicious); 4099 CheckConditionalOperand(S, E->getFalseExpr(), T, CC, Suspicious); 4100 4101 // If -Wconversion would have warned about either of the candidates 4102 // for a signedness conversion to the context type... 4103 if (!Suspicious) return; 4104 4105 // ...but it's currently ignored... 4106 if (S.Diags.getDiagnosticLevel(diag::warn_impcast_integer_sign_conditional, 4107 CC)) 4108 return; 4109 4110 // ...then check whether it would have warned about either of the 4111 // candidates for a signedness conversion to the condition type. 4112 if (E->getType() == T) return; 4113 4114 Suspicious = false; 4115 CheckImplicitConversion(S, E->getTrueExpr()->IgnoreParenImpCasts(), 4116 E->getType(), CC, &Suspicious); 4117 if (!Suspicious) 4118 CheckImplicitConversion(S, E->getFalseExpr()->IgnoreParenImpCasts(), 4119 E->getType(), CC, &Suspicious); 4120} 4121 4122/// AnalyzeImplicitConversions - Find and report any interesting 4123/// implicit conversions in the given expression. There are a couple 4124/// of competing diagnostics here, -Wconversion and -Wsign-compare. 4125void AnalyzeImplicitConversions(Sema &S, Expr *OrigE, SourceLocation CC) { 4126 QualType T = OrigE->getType(); 4127 Expr *E = OrigE->IgnoreParenImpCasts(); 4128 4129 if (E->isTypeDependent() || E->isValueDependent()) 4130 return; 4131 4132 // For conditional operators, we analyze the arguments as if they 4133 // were being fed directly into the output. 4134 if (isa<ConditionalOperator>(E)) { 4135 ConditionalOperator *CO = cast<ConditionalOperator>(E); 4136 CheckConditionalOperator(S, CO, T); 4137 return; 4138 } 4139 4140 // Go ahead and check any implicit conversions we might have skipped. 4141 // The non-canonical typecheck is just an optimization; 4142 // CheckImplicitConversion will filter out dead implicit conversions. 4143 if (E->getType() != T) 4144 CheckImplicitConversion(S, E, T, CC); 4145 4146 // Now continue drilling into this expression. 4147 4148 // Skip past explicit casts. 4149 if (isa<ExplicitCastExpr>(E)) { 4150 E = cast<ExplicitCastExpr>(E)->getSubExpr()->IgnoreParenImpCasts(); 4151 return AnalyzeImplicitConversions(S, E, CC); 4152 } 4153 4154 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 4155 // Do a somewhat different check with comparison operators. 4156 if (BO->isComparisonOp()) 4157 return AnalyzeComparison(S, BO); 4158 4159 // And with simple assignments. 4160 if (BO->getOpcode() == BO_Assign) 4161 return AnalyzeAssignment(S, BO); 4162 } 4163 4164 // These break the otherwise-useful invariant below. Fortunately, 4165 // we don't really need to recurse into them, because any internal 4166 // expressions should have been analyzed already when they were 4167 // built into statements. 4168 if (isa<StmtExpr>(E)) return; 4169 4170 // Don't descend into unevaluated contexts. 4171 if (isa<UnaryExprOrTypeTraitExpr>(E)) return; 4172 4173 // Now just recurse over the expression's children. 4174 CC = E->getExprLoc(); 4175 BinaryOperator *BO = dyn_cast<BinaryOperator>(E); 4176 bool IsLogicalOperator = BO && BO->isLogicalOp(); 4177 for (Stmt::child_range I = E->children(); I; ++I) { 4178 Expr *ChildExpr = cast<Expr>(*I); 4179 if (IsLogicalOperator && 4180 isa<StringLiteral>(ChildExpr->IgnoreParenImpCasts())) 4181 // Ignore checking string literals that are in logical operators. 4182 continue; 4183 AnalyzeImplicitConversions(S, ChildExpr, CC); 4184 } 4185} 4186 4187} // end anonymous namespace 4188 4189/// Diagnoses "dangerous" implicit conversions within the given 4190/// expression (which is a full expression). Implements -Wconversion 4191/// and -Wsign-compare. 4192/// 4193/// \param CC the "context" location of the implicit conversion, i.e. 4194/// the most location of the syntactic entity requiring the implicit 4195/// conversion 4196void Sema::CheckImplicitConversions(Expr *E, SourceLocation CC) { 4197 // Don't diagnose in unevaluated contexts. 4198 if (ExprEvalContexts.back().Context == Sema::Unevaluated) 4199 return; 4200 4201 // Don't diagnose for value- or type-dependent expressions. 4202 if (E->isTypeDependent() || E->isValueDependent()) 4203 return; 4204 4205 // Check for array bounds violations in cases where the check isn't triggered 4206 // elsewhere for other Expr types (like BinaryOperators), e.g. when an 4207 // ArraySubscriptExpr is on the RHS of a variable initialization. 4208 CheckArrayAccess(E); 4209 4210 // This is not the right CC for (e.g.) a variable initialization. 4211 AnalyzeImplicitConversions(*this, E, CC); 4212} 4213 4214void Sema::CheckBitFieldInitialization(SourceLocation InitLoc, 4215 FieldDecl *BitField, 4216 Expr *Init) { 4217 (void) AnalyzeBitFieldAssignment(*this, BitField, Init, InitLoc); 4218} 4219 4220/// CheckParmsForFunctionDef - Check that the parameters of the given 4221/// function are appropriate for the definition of a function. This 4222/// takes care of any checks that cannot be performed on the 4223/// declaration itself, e.g., that the types of each of the function 4224/// parameters are complete. 4225bool Sema::CheckParmsForFunctionDef(ParmVarDecl **P, ParmVarDecl **PEnd, 4226 bool CheckParameterNames) { 4227 bool HasInvalidParm = false; 4228 for (; P != PEnd; ++P) { 4229 ParmVarDecl *Param = *P; 4230 4231 // C99 6.7.5.3p4: the parameters in a parameter type list in a 4232 // function declarator that is part of a function definition of 4233 // that function shall not have incomplete type. 4234 // 4235 // This is also C++ [dcl.fct]p6. 4236 if (!Param->isInvalidDecl() && 4237 RequireCompleteType(Param->getLocation(), Param->getType(), 4238 diag::err_typecheck_decl_incomplete_type)) { 4239 Param->setInvalidDecl(); 4240 HasInvalidParm = true; 4241 } 4242 4243 // C99 6.9.1p5: If the declarator includes a parameter type list, the 4244 // declaration of each parameter shall include an identifier. 4245 if (CheckParameterNames && 4246 Param->getIdentifier() == 0 && 4247 !Param->isImplicit() && 4248 !getLangOptions().CPlusPlus) 4249 Diag(Param->getLocation(), diag::err_parameter_name_omitted); 4250 4251 // C99 6.7.5.3p12: 4252 // If the function declarator is not part of a definition of that 4253 // function, parameters may have incomplete type and may use the [*] 4254 // notation in their sequences of declarator specifiers to specify 4255 // variable length array types. 4256 QualType PType = Param->getOriginalType(); 4257 if (const ArrayType *AT = Context.getAsArrayType(PType)) { 4258 if (AT->getSizeModifier() == ArrayType::Star) { 4259 // FIXME: This diagnosic should point the the '[*]' if source-location 4260 // information is added for it. 4261 Diag(Param->getLocation(), diag::err_array_star_in_function_definition); 4262 } 4263 } 4264 } 4265 4266 return HasInvalidParm; 4267} 4268 4269/// CheckCastAlign - Implements -Wcast-align, which warns when a 4270/// pointer cast increases the alignment requirements. 4271void Sema::CheckCastAlign(Expr *Op, QualType T, SourceRange TRange) { 4272 // This is actually a lot of work to potentially be doing on every 4273 // cast; don't do it if we're ignoring -Wcast_align (as is the default). 4274 if (getDiagnostics().getDiagnosticLevel(diag::warn_cast_align, 4275 TRange.getBegin()) 4276 == DiagnosticsEngine::Ignored) 4277 return; 4278 4279 // Ignore dependent types. 4280 if (T->isDependentType() || Op->getType()->isDependentType()) 4281 return; 4282 4283 // Require that the destination be a pointer type. 4284 const PointerType *DestPtr = T->getAs<PointerType>(); 4285 if (!DestPtr) return; 4286 4287 // If the destination has alignment 1, we're done. 4288 QualType DestPointee = DestPtr->getPointeeType(); 4289 if (DestPointee->isIncompleteType()) return; 4290 CharUnits DestAlign = Context.getTypeAlignInChars(DestPointee); 4291 if (DestAlign.isOne()) return; 4292 4293 // Require that the source be a pointer type. 4294 const PointerType *SrcPtr = Op->getType()->getAs<PointerType>(); 4295 if (!SrcPtr) return; 4296 QualType SrcPointee = SrcPtr->getPointeeType(); 4297 4298 // Whitelist casts from cv void*. We already implicitly 4299 // whitelisted casts to cv void*, since they have alignment 1. 4300 // Also whitelist casts involving incomplete types, which implicitly 4301 // includes 'void'. 4302 if (SrcPointee->isIncompleteType()) return; 4303 4304 CharUnits SrcAlign = Context.getTypeAlignInChars(SrcPointee); 4305 if (SrcAlign >= DestAlign) return; 4306 4307 Diag(TRange.getBegin(), diag::warn_cast_align) 4308 << Op->getType() << T 4309 << static_cast<unsigned>(SrcAlign.getQuantity()) 4310 << static_cast<unsigned>(DestAlign.getQuantity()) 4311 << TRange << Op->getSourceRange(); 4312} 4313 4314static const Type* getElementType(const Expr *BaseExpr) { 4315 const Type* EltType = BaseExpr->getType().getTypePtr(); 4316 if (EltType->isAnyPointerType()) 4317 return EltType->getPointeeType().getTypePtr(); 4318 else if (EltType->isArrayType()) 4319 return EltType->getBaseElementTypeUnsafe(); 4320 return EltType; 4321} 4322 4323/// \brief Check whether this array fits the idiom of a size-one tail padded 4324/// array member of a struct. 4325/// 4326/// We avoid emitting out-of-bounds access warnings for such arrays as they are 4327/// commonly used to emulate flexible arrays in C89 code. 4328static bool IsTailPaddedMemberArray(Sema &S, llvm::APInt Size, 4329 const NamedDecl *ND) { 4330 if (Size != 1 || !ND) return false; 4331 4332 const FieldDecl *FD = dyn_cast<FieldDecl>(ND); 4333 if (!FD) return false; 4334 4335 // Don't consider sizes resulting from macro expansions or template argument 4336 // substitution to form C89 tail-padded arrays. 4337 ConstantArrayTypeLoc TL = 4338 cast<ConstantArrayTypeLoc>(FD->getTypeSourceInfo()->getTypeLoc()); 4339 const Expr *SizeExpr = dyn_cast<IntegerLiteral>(TL.getSizeExpr()); 4340 if (!SizeExpr || SizeExpr->getExprLoc().isMacroID()) 4341 return false; 4342 4343 const RecordDecl *RD = dyn_cast<RecordDecl>(FD->getDeclContext()); 4344 if (!RD) return false; 4345 if (RD->isUnion()) return false; 4346 if (const CXXRecordDecl *CRD = dyn_cast<CXXRecordDecl>(RD)) { 4347 if (!CRD->isStandardLayout()) return false; 4348 } 4349 4350 // See if this is the last field decl in the record. 4351 const Decl *D = FD; 4352 while ((D = D->getNextDeclInContext())) 4353 if (isa<FieldDecl>(D)) 4354 return false; 4355 return true; 4356} 4357 4358void Sema::CheckArrayAccess(const Expr *BaseExpr, const Expr *IndexExpr, 4359 const ArraySubscriptExpr *ASE, 4360 bool AllowOnePastEnd, bool IndexNegated) { 4361 IndexExpr = IndexExpr->IgnoreParenCasts(); 4362 if (IndexExpr->isValueDependent()) 4363 return; 4364 4365 const Type *EffectiveType = getElementType(BaseExpr); 4366 BaseExpr = BaseExpr->IgnoreParenCasts(); 4367 const ConstantArrayType *ArrayTy = 4368 Context.getAsConstantArrayType(BaseExpr->getType()); 4369 if (!ArrayTy) 4370 return; 4371 4372 llvm::APSInt index; 4373 if (!IndexExpr->EvaluateAsInt(index, Context)) 4374 return; 4375 if (IndexNegated) 4376 index = -index; 4377 4378 const NamedDecl *ND = NULL; 4379 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr)) 4380 ND = dyn_cast<NamedDecl>(DRE->getDecl()); 4381 if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr)) 4382 ND = dyn_cast<NamedDecl>(ME->getMemberDecl()); 4383 4384 if (index.isUnsigned() || !index.isNegative()) { 4385 llvm::APInt size = ArrayTy->getSize(); 4386 if (!size.isStrictlyPositive()) 4387 return; 4388 4389 const Type* BaseType = getElementType(BaseExpr); 4390 if (BaseType != EffectiveType) { 4391 // Make sure we're comparing apples to apples when comparing index to size 4392 uint64_t ptrarith_typesize = Context.getTypeSize(EffectiveType); 4393 uint64_t array_typesize = Context.getTypeSize(BaseType); 4394 // Handle ptrarith_typesize being zero, such as when casting to void* 4395 if (!ptrarith_typesize) ptrarith_typesize = 1; 4396 if (ptrarith_typesize != array_typesize) { 4397 // There's a cast to a different size type involved 4398 uint64_t ratio = array_typesize / ptrarith_typesize; 4399 // TODO: Be smarter about handling cases where array_typesize is not a 4400 // multiple of ptrarith_typesize 4401 if (ptrarith_typesize * ratio == array_typesize) 4402 size *= llvm::APInt(size.getBitWidth(), ratio); 4403 } 4404 } 4405 4406 if (size.getBitWidth() > index.getBitWidth()) 4407 index = index.sext(size.getBitWidth()); 4408 else if (size.getBitWidth() < index.getBitWidth()) 4409 size = size.sext(index.getBitWidth()); 4410 4411 // For array subscripting the index must be less than size, but for pointer 4412 // arithmetic also allow the index (offset) to be equal to size since 4413 // computing the next address after the end of the array is legal and 4414 // commonly done e.g. in C++ iterators and range-based for loops. 4415 if (AllowOnePastEnd ? index.sle(size) : index.slt(size)) 4416 return; 4417 4418 // Also don't warn for arrays of size 1 which are members of some 4419 // structure. These are often used to approximate flexible arrays in C89 4420 // code. 4421 if (IsTailPaddedMemberArray(*this, size, ND)) 4422 return; 4423 4424 // Suppress the warning if the subscript expression (as identified by the 4425 // ']' location) and the index expression are both from macro expansions 4426 // within a system header. 4427 if (ASE) { 4428 SourceLocation RBracketLoc = SourceMgr.getSpellingLoc( 4429 ASE->getRBracketLoc()); 4430 if (SourceMgr.isInSystemHeader(RBracketLoc)) { 4431 SourceLocation IndexLoc = SourceMgr.getSpellingLoc( 4432 IndexExpr->getLocStart()); 4433 if (SourceMgr.isFromSameFile(RBracketLoc, IndexLoc)) 4434 return; 4435 } 4436 } 4437 4438 unsigned DiagID = diag::warn_ptr_arith_exceeds_bounds; 4439 if (ASE) 4440 DiagID = diag::warn_array_index_exceeds_bounds; 4441 4442 DiagRuntimeBehavior(BaseExpr->getLocStart(), BaseExpr, 4443 PDiag(DiagID) << index.toString(10, true) 4444 << size.toString(10, true) 4445 << (unsigned)size.getLimitedValue(~0U) 4446 << IndexExpr->getSourceRange()); 4447 } else { 4448 unsigned DiagID = diag::warn_array_index_precedes_bounds; 4449 if (!ASE) { 4450 DiagID = diag::warn_ptr_arith_precedes_bounds; 4451 if (index.isNegative()) index = -index; 4452 } 4453 4454 DiagRuntimeBehavior(BaseExpr->getLocStart(), BaseExpr, 4455 PDiag(DiagID) << index.toString(10, true) 4456 << IndexExpr->getSourceRange()); 4457 } 4458 4459 if (!ND) { 4460 // Try harder to find a NamedDecl to point at in the note. 4461 while (const ArraySubscriptExpr *ASE = 4462 dyn_cast<ArraySubscriptExpr>(BaseExpr)) 4463 BaseExpr = ASE->getBase()->IgnoreParenCasts(); 4464 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr)) 4465 ND = dyn_cast<NamedDecl>(DRE->getDecl()); 4466 if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr)) 4467 ND = dyn_cast<NamedDecl>(ME->getMemberDecl()); 4468 } 4469 4470 if (ND) 4471 DiagRuntimeBehavior(ND->getLocStart(), BaseExpr, 4472 PDiag(diag::note_array_index_out_of_bounds) 4473 << ND->getDeclName()); 4474} 4475 4476void Sema::CheckArrayAccess(const Expr *expr) { 4477 int AllowOnePastEnd = 0; 4478 while (expr) { 4479 expr = expr->IgnoreParenImpCasts(); 4480 switch (expr->getStmtClass()) { 4481 case Stmt::ArraySubscriptExprClass: { 4482 const ArraySubscriptExpr *ASE = cast<ArraySubscriptExpr>(expr); 4483 CheckArrayAccess(ASE->getBase(), ASE->getIdx(), ASE, 4484 AllowOnePastEnd > 0); 4485 return; 4486 } 4487 case Stmt::UnaryOperatorClass: { 4488 // Only unwrap the * and & unary operators 4489 const UnaryOperator *UO = cast<UnaryOperator>(expr); 4490 expr = UO->getSubExpr(); 4491 switch (UO->getOpcode()) { 4492 case UO_AddrOf: 4493 AllowOnePastEnd++; 4494 break; 4495 case UO_Deref: 4496 AllowOnePastEnd--; 4497 break; 4498 default: 4499 return; 4500 } 4501 break; 4502 } 4503 case Stmt::ConditionalOperatorClass: { 4504 const ConditionalOperator *cond = cast<ConditionalOperator>(expr); 4505 if (const Expr *lhs = cond->getLHS()) 4506 CheckArrayAccess(lhs); 4507 if (const Expr *rhs = cond->getRHS()) 4508 CheckArrayAccess(rhs); 4509 return; 4510 } 4511 default: 4512 return; 4513 } 4514 } 4515} 4516 4517//===--- CHECK: Objective-C retain cycles ----------------------------------// 4518 4519namespace { 4520 struct RetainCycleOwner { 4521 RetainCycleOwner() : Variable(0), Indirect(false) {} 4522 VarDecl *Variable; 4523 SourceRange Range; 4524 SourceLocation Loc; 4525 bool Indirect; 4526 4527 void setLocsFrom(Expr *e) { 4528 Loc = e->getExprLoc(); 4529 Range = e->getSourceRange(); 4530 } 4531 }; 4532} 4533 4534/// Consider whether capturing the given variable can possibly lead to 4535/// a retain cycle. 4536static bool considerVariable(VarDecl *var, Expr *ref, RetainCycleOwner &owner) { 4537 // In ARC, it's captured strongly iff the variable has __strong 4538 // lifetime. In MRR, it's captured strongly if the variable is 4539 // __block and has an appropriate type. 4540 if (var->getType().getObjCLifetime() != Qualifiers::OCL_Strong) 4541 return false; 4542 4543 owner.Variable = var; 4544 owner.setLocsFrom(ref); 4545 return true; 4546} 4547 4548static bool findRetainCycleOwner(Sema &S, Expr *e, RetainCycleOwner &owner) { 4549 while (true) { 4550 e = e->IgnoreParens(); 4551 if (CastExpr *cast = dyn_cast<CastExpr>(e)) { 4552 switch (cast->getCastKind()) { 4553 case CK_BitCast: 4554 case CK_LValueBitCast: 4555 case CK_LValueToRValue: 4556 case CK_ARCReclaimReturnedObject: 4557 e = cast->getSubExpr(); 4558 continue; 4559 4560 default: 4561 return false; 4562 } 4563 } 4564 4565 if (ObjCIvarRefExpr *ref = dyn_cast<ObjCIvarRefExpr>(e)) { 4566 ObjCIvarDecl *ivar = ref->getDecl(); 4567 if (ivar->getType().getObjCLifetime() != Qualifiers::OCL_Strong) 4568 return false; 4569 4570 // Try to find a retain cycle in the base. 4571 if (!findRetainCycleOwner(S, ref->getBase(), owner)) 4572 return false; 4573 4574 if (ref->isFreeIvar()) owner.setLocsFrom(ref); 4575 owner.Indirect = true; 4576 return true; 4577 } 4578 4579 if (DeclRefExpr *ref = dyn_cast<DeclRefExpr>(e)) { 4580 VarDecl *var = dyn_cast<VarDecl>(ref->getDecl()); 4581 if (!var) return false; 4582 return considerVariable(var, ref, owner); 4583 } 4584 4585 if (BlockDeclRefExpr *ref = dyn_cast<BlockDeclRefExpr>(e)) { 4586 owner.Variable = ref->getDecl(); 4587 owner.setLocsFrom(ref); 4588 return true; 4589 } 4590 4591 if (MemberExpr *member = dyn_cast<MemberExpr>(e)) { 4592 if (member->isArrow()) return false; 4593 4594 // Don't count this as an indirect ownership. 4595 e = member->getBase(); 4596 continue; 4597 } 4598 4599 if (PseudoObjectExpr *pseudo = dyn_cast<PseudoObjectExpr>(e)) { 4600 // Only pay attention to pseudo-objects on property references. 4601 ObjCPropertyRefExpr *pre 4602 = dyn_cast<ObjCPropertyRefExpr>(pseudo->getSyntacticForm() 4603 ->IgnoreParens()); 4604 if (!pre) return false; 4605 if (pre->isImplicitProperty()) return false; 4606 ObjCPropertyDecl *property = pre->getExplicitProperty(); 4607 if (!property->isRetaining() && 4608 !(property->getPropertyIvarDecl() && 4609 property->getPropertyIvarDecl()->getType() 4610 .getObjCLifetime() == Qualifiers::OCL_Strong)) 4611 return false; 4612 4613 owner.Indirect = true; 4614 if (pre->isSuperReceiver()) { 4615 owner.Variable = S.getCurMethodDecl()->getSelfDecl(); 4616 if (!owner.Variable) 4617 return false; 4618 owner.Loc = pre->getLocation(); 4619 owner.Range = pre->getSourceRange(); 4620 return true; 4621 } 4622 e = const_cast<Expr*>(cast<OpaqueValueExpr>(pre->getBase()) 4623 ->getSourceExpr()); 4624 continue; 4625 } 4626 4627 // Array ivars? 4628 4629 return false; 4630 } 4631} 4632 4633namespace { 4634 struct FindCaptureVisitor : EvaluatedExprVisitor<FindCaptureVisitor> { 4635 FindCaptureVisitor(ASTContext &Context, VarDecl *variable) 4636 : EvaluatedExprVisitor<FindCaptureVisitor>(Context), 4637 Variable(variable), Capturer(0) {} 4638 4639 VarDecl *Variable; 4640 Expr *Capturer; 4641 4642 void VisitDeclRefExpr(DeclRefExpr *ref) { 4643 if (ref->getDecl() == Variable && !Capturer) 4644 Capturer = ref; 4645 } 4646 4647 void VisitBlockDeclRefExpr(BlockDeclRefExpr *ref) { 4648 if (ref->getDecl() == Variable && !Capturer) 4649 Capturer = ref; 4650 } 4651 4652 void VisitObjCIvarRefExpr(ObjCIvarRefExpr *ref) { 4653 if (Capturer) return; 4654 Visit(ref->getBase()); 4655 if (Capturer && ref->isFreeIvar()) 4656 Capturer = ref; 4657 } 4658 4659 void VisitBlockExpr(BlockExpr *block) { 4660 // Look inside nested blocks 4661 if (block->getBlockDecl()->capturesVariable(Variable)) 4662 Visit(block->getBlockDecl()->getBody()); 4663 } 4664 }; 4665} 4666 4667/// Check whether the given argument is a block which captures a 4668/// variable. 4669static Expr *findCapturingExpr(Sema &S, Expr *e, RetainCycleOwner &owner) { 4670 assert(owner.Variable && owner.Loc.isValid()); 4671 4672 e = e->IgnoreParenCasts(); 4673 BlockExpr *block = dyn_cast<BlockExpr>(e); 4674 if (!block || !block->getBlockDecl()->capturesVariable(owner.Variable)) 4675 return 0; 4676 4677 FindCaptureVisitor visitor(S.Context, owner.Variable); 4678 visitor.Visit(block->getBlockDecl()->getBody()); 4679 return visitor.Capturer; 4680} 4681 4682static void diagnoseRetainCycle(Sema &S, Expr *capturer, 4683 RetainCycleOwner &owner) { 4684 assert(capturer); 4685 assert(owner.Variable && owner.Loc.isValid()); 4686 4687 S.Diag(capturer->getExprLoc(), diag::warn_arc_retain_cycle) 4688 << owner.Variable << capturer->getSourceRange(); 4689 S.Diag(owner.Loc, diag::note_arc_retain_cycle_owner) 4690 << owner.Indirect << owner.Range; 4691} 4692 4693/// Check for a keyword selector that starts with the word 'add' or 4694/// 'set'. 4695static bool isSetterLikeSelector(Selector sel) { 4696 if (sel.isUnarySelector()) return false; 4697 4698 StringRef str = sel.getNameForSlot(0); 4699 while (!str.empty() && str.front() == '_') str = str.substr(1); 4700 if (str.startswith("set")) 4701 str = str.substr(3); 4702 else if (str.startswith("add")) { 4703 // Specially whitelist 'addOperationWithBlock:'. 4704 if (sel.getNumArgs() == 1 && str.startswith("addOperationWithBlock")) 4705 return false; 4706 str = str.substr(3); 4707 } 4708 else 4709 return false; 4710 4711 if (str.empty()) return true; 4712 return !islower(str.front()); 4713} 4714 4715/// Check a message send to see if it's likely to cause a retain cycle. 4716void Sema::checkRetainCycles(ObjCMessageExpr *msg) { 4717 // Only check instance methods whose selector looks like a setter. 4718 if (!msg->isInstanceMessage() || !isSetterLikeSelector(msg->getSelector())) 4719 return; 4720 4721 // Try to find a variable that the receiver is strongly owned by. 4722 RetainCycleOwner owner; 4723 if (msg->getReceiverKind() == ObjCMessageExpr::Instance) { 4724 if (!findRetainCycleOwner(*this, msg->getInstanceReceiver(), owner)) 4725 return; 4726 } else { 4727 assert(msg->getReceiverKind() == ObjCMessageExpr::SuperInstance); 4728 owner.Variable = getCurMethodDecl()->getSelfDecl(); 4729 owner.Loc = msg->getSuperLoc(); 4730 owner.Range = msg->getSuperLoc(); 4731 } 4732 4733 // Check whether the receiver is captured by any of the arguments. 4734 for (unsigned i = 0, e = msg->getNumArgs(); i != e; ++i) 4735 if (Expr *capturer = findCapturingExpr(*this, msg->getArg(i), owner)) 4736 return diagnoseRetainCycle(*this, capturer, owner); 4737} 4738 4739/// Check a property assign to see if it's likely to cause a retain cycle. 4740void Sema::checkRetainCycles(Expr *receiver, Expr *argument) { 4741 RetainCycleOwner owner; 4742 if (!findRetainCycleOwner(*this, receiver, owner)) 4743 return; 4744 4745 if (Expr *capturer = findCapturingExpr(*this, argument, owner)) 4746 diagnoseRetainCycle(*this, capturer, owner); 4747} 4748 4749bool Sema::checkUnsafeAssigns(SourceLocation Loc, 4750 QualType LHS, Expr *RHS) { 4751 Qualifiers::ObjCLifetime LT = LHS.getObjCLifetime(); 4752 if (LT != Qualifiers::OCL_Weak && LT != Qualifiers::OCL_ExplicitNone) 4753 return false; 4754 // strip off any implicit cast added to get to the one arc-specific 4755 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) { 4756 if (cast->getCastKind() == CK_ARCConsumeObject) { 4757 Diag(Loc, diag::warn_arc_retained_assign) 4758 << (LT == Qualifiers::OCL_ExplicitNone) 4759 << RHS->getSourceRange(); 4760 return true; 4761 } 4762 RHS = cast->getSubExpr(); 4763 } 4764 return false; 4765} 4766 4767void Sema::checkUnsafeExprAssigns(SourceLocation Loc, 4768 Expr *LHS, Expr *RHS) { 4769 QualType LHSType; 4770 // PropertyRef on LHS type need be directly obtained from 4771 // its declaration as it has a PsuedoType. 4772 ObjCPropertyRefExpr *PRE 4773 = dyn_cast<ObjCPropertyRefExpr>(LHS->IgnoreParens()); 4774 if (PRE && !PRE->isImplicitProperty()) { 4775 const ObjCPropertyDecl *PD = PRE->getExplicitProperty(); 4776 if (PD) 4777 LHSType = PD->getType(); 4778 } 4779 4780 if (LHSType.isNull()) 4781 LHSType = LHS->getType(); 4782 if (checkUnsafeAssigns(Loc, LHSType, RHS)) 4783 return; 4784 Qualifiers::ObjCLifetime LT = LHSType.getObjCLifetime(); 4785 // FIXME. Check for other life times. 4786 if (LT != Qualifiers::OCL_None) 4787 return; 4788 4789 if (PRE) { 4790 if (PRE->isImplicitProperty()) 4791 return; 4792 const ObjCPropertyDecl *PD = PRE->getExplicitProperty(); 4793 if (!PD) 4794 return; 4795 4796 unsigned Attributes = PD->getPropertyAttributes(); 4797 if (Attributes & ObjCPropertyDecl::OBJC_PR_assign) { 4798 // when 'assign' attribute was not explicitly specified 4799 // by user, ignore it and rely on property type itself 4800 // for lifetime info. 4801 unsigned AsWrittenAttr = PD->getPropertyAttributesAsWritten(); 4802 if (!(AsWrittenAttr & ObjCPropertyDecl::OBJC_PR_assign) && 4803 LHSType->isObjCRetainableType()) 4804 return; 4805 4806 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) { 4807 if (cast->getCastKind() == CK_ARCConsumeObject) { 4808 Diag(Loc, diag::warn_arc_retained_property_assign) 4809 << RHS->getSourceRange(); 4810 return; 4811 } 4812 RHS = cast->getSubExpr(); 4813 } 4814 } 4815 } 4816} 4817