SemaChecking.cpp revision 3bfc5f49e0e37e235bb0d33bcbcb36af9d1f84ab
1//===--- SemaChecking.cpp - Extra Semantic Checking -----------------------===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file implements extra semantic analysis beyond what is enforced 11// by the C type system. 12// 13//===----------------------------------------------------------------------===// 14 15#include "Sema.h" 16#include "clang/Analysis/Analyses/PrintfFormatString.h" 17#include "clang/AST/ASTContext.h" 18#include "clang/AST/CharUnits.h" 19#include "clang/AST/DeclObjC.h" 20#include "clang/AST/ExprCXX.h" 21#include "clang/AST/ExprObjC.h" 22#include "clang/AST/DeclObjC.h" 23#include "clang/AST/StmtCXX.h" 24#include "clang/AST/StmtObjC.h" 25#include "clang/Lex/LiteralSupport.h" 26#include "clang/Lex/Preprocessor.h" 27#include "llvm/ADT/BitVector.h" 28#include "llvm/ADT/STLExtras.h" 29#include "llvm/Support/raw_ostream.h" 30#include "clang/Basic/TargetBuiltins.h" 31#include "clang/Basic/TargetInfo.h" 32#include <limits> 33using namespace clang; 34 35/// getLocationOfStringLiteralByte - Return a source location that points to the 36/// specified byte of the specified string literal. 37/// 38/// Strings are amazingly complex. They can be formed from multiple tokens and 39/// can have escape sequences in them in addition to the usual trigraph and 40/// escaped newline business. This routine handles this complexity. 41/// 42SourceLocation Sema::getLocationOfStringLiteralByte(const StringLiteral *SL, 43 unsigned ByteNo) const { 44 assert(!SL->isWide() && "This doesn't work for wide strings yet"); 45 46 // Loop over all of the tokens in this string until we find the one that 47 // contains the byte we're looking for. 48 unsigned TokNo = 0; 49 while (1) { 50 assert(TokNo < SL->getNumConcatenated() && "Invalid byte number!"); 51 SourceLocation StrTokLoc = SL->getStrTokenLoc(TokNo); 52 53 // Get the spelling of the string so that we can get the data that makes up 54 // the string literal, not the identifier for the macro it is potentially 55 // expanded through. 56 SourceLocation StrTokSpellingLoc = SourceMgr.getSpellingLoc(StrTokLoc); 57 58 // Re-lex the token to get its length and original spelling. 59 std::pair<FileID, unsigned> LocInfo = 60 SourceMgr.getDecomposedLoc(StrTokSpellingLoc); 61 bool Invalid = false; 62 llvm::StringRef Buffer = SourceMgr.getBufferData(LocInfo.first, &Invalid); 63 if (Invalid) 64 return StrTokSpellingLoc; 65 66 const char *StrData = Buffer.data()+LocInfo.second; 67 68 // Create a langops struct and enable trigraphs. This is sufficient for 69 // relexing tokens. 70 LangOptions LangOpts; 71 LangOpts.Trigraphs = true; 72 73 // Create a lexer starting at the beginning of this token. 74 Lexer TheLexer(StrTokSpellingLoc, LangOpts, Buffer.begin(), StrData, 75 Buffer.end()); 76 Token TheTok; 77 TheLexer.LexFromRawLexer(TheTok); 78 79 // Use the StringLiteralParser to compute the length of the string in bytes. 80 StringLiteralParser SLP(&TheTok, 1, PP, /*Complain=*/false); 81 unsigned TokNumBytes = SLP.GetStringLength(); 82 83 // If the byte is in this token, return the location of the byte. 84 if (ByteNo < TokNumBytes || 85 (ByteNo == TokNumBytes && TokNo == SL->getNumConcatenated())) { 86 unsigned Offset = 87 StringLiteralParser::getOffsetOfStringByte(TheTok, ByteNo, PP, 88 /*Complain=*/false); 89 90 // Now that we know the offset of the token in the spelling, use the 91 // preprocessor to get the offset in the original source. 92 return PP.AdvanceToTokenCharacter(StrTokLoc, Offset); 93 } 94 95 // Move to the next string token. 96 ++TokNo; 97 ByteNo -= TokNumBytes; 98 } 99} 100 101/// CheckablePrintfAttr - does a function call have a "printf" attribute 102/// and arguments that merit checking? 103bool Sema::CheckablePrintfAttr(const FormatAttr *Format, CallExpr *TheCall) { 104 if (Format->getType() == "printf") return true; 105 if (Format->getType() == "printf0") { 106 // printf0 allows null "format" string; if so don't check format/args 107 unsigned format_idx = Format->getFormatIdx() - 1; 108 // Does the index refer to the implicit object argument? 109 if (isa<CXXMemberCallExpr>(TheCall)) { 110 if (format_idx == 0) 111 return false; 112 --format_idx; 113 } 114 if (format_idx < TheCall->getNumArgs()) { 115 Expr *Format = TheCall->getArg(format_idx)->IgnoreParenCasts(); 116 if (!Format->isNullPointerConstant(Context, 117 Expr::NPC_ValueDependentIsNull)) 118 return true; 119 } 120 } 121 return false; 122} 123 124Action::OwningExprResult 125Sema::CheckBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 126 OwningExprResult TheCallResult(Owned(TheCall)); 127 128 switch (BuiltinID) { 129 case Builtin::BI__builtin___CFStringMakeConstantString: 130 assert(TheCall->getNumArgs() == 1 && 131 "Wrong # arguments to builtin CFStringMakeConstantString"); 132 if (CheckObjCString(TheCall->getArg(0))) 133 return ExprError(); 134 break; 135 case Builtin::BI__builtin_stdarg_start: 136 case Builtin::BI__builtin_va_start: 137 if (SemaBuiltinVAStart(TheCall)) 138 return ExprError(); 139 break; 140 case Builtin::BI__builtin_isgreater: 141 case Builtin::BI__builtin_isgreaterequal: 142 case Builtin::BI__builtin_isless: 143 case Builtin::BI__builtin_islessequal: 144 case Builtin::BI__builtin_islessgreater: 145 case Builtin::BI__builtin_isunordered: 146 if (SemaBuiltinUnorderedCompare(TheCall)) 147 return ExprError(); 148 break; 149 case Builtin::BI__builtin_fpclassify: 150 if (SemaBuiltinFPClassification(TheCall, 6)) 151 return ExprError(); 152 break; 153 case Builtin::BI__builtin_isfinite: 154 case Builtin::BI__builtin_isinf: 155 case Builtin::BI__builtin_isinf_sign: 156 case Builtin::BI__builtin_isnan: 157 case Builtin::BI__builtin_isnormal: 158 if (SemaBuiltinFPClassification(TheCall, 1)) 159 return ExprError(); 160 break; 161 case Builtin::BI__builtin_return_address: 162 case Builtin::BI__builtin_frame_address: { 163 llvm::APSInt Result; 164 if (SemaBuiltinConstantArg(TheCall, 0, Result)) 165 return ExprError(); 166 break; 167 } 168 case Builtin::BI__builtin_eh_return_data_regno: { 169 llvm::APSInt Result; 170 if (SemaBuiltinConstantArg(TheCall, 0, Result)) 171 return ExprError(); 172 break; 173 } 174 case Builtin::BI__builtin_shufflevector: 175 return SemaBuiltinShuffleVector(TheCall); 176 // TheCall will be freed by the smart pointer here, but that's fine, since 177 // SemaBuiltinShuffleVector guts it, but then doesn't release it. 178 case Builtin::BI__builtin_prefetch: 179 if (SemaBuiltinPrefetch(TheCall)) 180 return ExprError(); 181 break; 182 case Builtin::BI__builtin_object_size: 183 if (SemaBuiltinObjectSize(TheCall)) 184 return ExprError(); 185 break; 186 case Builtin::BI__builtin_longjmp: 187 if (SemaBuiltinLongjmp(TheCall)) 188 return ExprError(); 189 break; 190 case Builtin::BI__sync_fetch_and_add: 191 case Builtin::BI__sync_fetch_and_sub: 192 case Builtin::BI__sync_fetch_and_or: 193 case Builtin::BI__sync_fetch_and_and: 194 case Builtin::BI__sync_fetch_and_xor: 195 case Builtin::BI__sync_add_and_fetch: 196 case Builtin::BI__sync_sub_and_fetch: 197 case Builtin::BI__sync_and_and_fetch: 198 case Builtin::BI__sync_or_and_fetch: 199 case Builtin::BI__sync_xor_and_fetch: 200 case Builtin::BI__sync_val_compare_and_swap: 201 case Builtin::BI__sync_bool_compare_and_swap: 202 case Builtin::BI__sync_lock_test_and_set: 203 case Builtin::BI__sync_lock_release: 204 if (SemaBuiltinAtomicOverloaded(TheCall)) 205 return ExprError(); 206 break; 207 } 208 209 // Since the target specific builtins for each arch overlap, only check those 210 // of the arch we are compiling for. 211 if (BuiltinID >= Builtin::FirstTSBuiltin) { 212 switch (Context.Target.getTriple().getArch()) { 213 case llvm::Triple::arm: 214 case llvm::Triple::thumb: 215 if (CheckARMBuiltinFunctionCall(BuiltinID, TheCall)) 216 return ExprError(); 217 break; 218 case llvm::Triple::x86: 219 case llvm::Triple::x86_64: 220 if (CheckX86BuiltinFunctionCall(BuiltinID, TheCall)) 221 return ExprError(); 222 break; 223 default: 224 break; 225 } 226 } 227 228 return move(TheCallResult); 229} 230 231bool Sema::CheckX86BuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 232 switch (BuiltinID) { 233 case X86::BI__builtin_ia32_palignr128: 234 case X86::BI__builtin_ia32_palignr: { 235 llvm::APSInt Result; 236 if (SemaBuiltinConstantArg(TheCall, 2, Result)) 237 return true; 238 break; 239 } 240 } 241 return false; 242} 243 244bool Sema::CheckARMBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 245 llvm::APSInt Result; 246 247 switch (BuiltinID) { 248 case ARM::BI__builtin_neon_vget_lane_i8: 249 case ARM::BI__builtin_neon_vget_lane_i16: 250 case ARM::BI__builtin_neon_vget_lane_i32: 251 case ARM::BI__builtin_neon_vget_lane_f32: 252 case ARM::BI__builtin_neon_vget_lane_i64: 253 case ARM::BI__builtin_neon_vgetq_lane_i8: 254 case ARM::BI__builtin_neon_vgetq_lane_i16: 255 case ARM::BI__builtin_neon_vgetq_lane_i32: 256 case ARM::BI__builtin_neon_vgetq_lane_f32: 257 case ARM::BI__builtin_neon_vgetq_lane_i64: 258 // Check constant-ness first. 259 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 260 return true; 261 break; 262 } 263 264 // Now, range check values. 265 //unsigned lower = 0, upper = 0; 266 267 return false; 268} 269 270/// CheckFunctionCall - Check a direct function call for various correctness 271/// and safety properties not strictly enforced by the C type system. 272bool Sema::CheckFunctionCall(FunctionDecl *FDecl, CallExpr *TheCall) { 273 // Get the IdentifierInfo* for the called function. 274 IdentifierInfo *FnInfo = FDecl->getIdentifier(); 275 276 // None of the checks below are needed for functions that don't have 277 // simple names (e.g., C++ conversion functions). 278 if (!FnInfo) 279 return false; 280 281 // FIXME: This mechanism should be abstracted to be less fragile and 282 // more efficient. For example, just map function ids to custom 283 // handlers. 284 285 // Printf checking. 286 if (const FormatAttr *Format = FDecl->getAttr<FormatAttr>()) { 287 if (CheckablePrintfAttr(Format, TheCall)) { 288 bool HasVAListArg = Format->getFirstArg() == 0; 289 CheckPrintfArguments(TheCall, HasVAListArg, Format->getFormatIdx() - 1, 290 HasVAListArg ? 0 : Format->getFirstArg() - 1); 291 } 292 } 293 294 for (const NonNullAttr *NonNull = FDecl->getAttr<NonNullAttr>(); NonNull; 295 NonNull = NonNull->getNext<NonNullAttr>()) 296 CheckNonNullArguments(NonNull, TheCall); 297 298 return false; 299} 300 301bool Sema::CheckBlockCall(NamedDecl *NDecl, CallExpr *TheCall) { 302 // Printf checking. 303 const FormatAttr *Format = NDecl->getAttr<FormatAttr>(); 304 if (!Format) 305 return false; 306 307 const VarDecl *V = dyn_cast<VarDecl>(NDecl); 308 if (!V) 309 return false; 310 311 QualType Ty = V->getType(); 312 if (!Ty->isBlockPointerType()) 313 return false; 314 315 if (!CheckablePrintfAttr(Format, TheCall)) 316 return false; 317 318 bool HasVAListArg = Format->getFirstArg() == 0; 319 CheckPrintfArguments(TheCall, HasVAListArg, Format->getFormatIdx() - 1, 320 HasVAListArg ? 0 : Format->getFirstArg() - 1); 321 322 return false; 323} 324 325/// SemaBuiltinAtomicOverloaded - We have a call to a function like 326/// __sync_fetch_and_add, which is an overloaded function based on the pointer 327/// type of its first argument. The main ActOnCallExpr routines have already 328/// promoted the types of arguments because all of these calls are prototyped as 329/// void(...). 330/// 331/// This function goes through and does final semantic checking for these 332/// builtins, 333bool Sema::SemaBuiltinAtomicOverloaded(CallExpr *TheCall) { 334 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 335 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 336 337 // Ensure that we have at least one argument to do type inference from. 338 if (TheCall->getNumArgs() < 1) 339 return Diag(TheCall->getLocEnd(), 340 diag::err_typecheck_call_too_few_args_at_least) 341 << 0 << 1 << TheCall->getNumArgs() 342 << TheCall->getCallee()->getSourceRange(); 343 344 // Inspect the first argument of the atomic builtin. This should always be 345 // a pointer type, whose element is an integral scalar or pointer type. 346 // Because it is a pointer type, we don't have to worry about any implicit 347 // casts here. 348 Expr *FirstArg = TheCall->getArg(0); 349 if (!FirstArg->getType()->isPointerType()) 350 return Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 351 << FirstArg->getType() << FirstArg->getSourceRange(); 352 353 QualType ValType = FirstArg->getType()->getAs<PointerType>()->getPointeeType(); 354 if (!ValType->isIntegerType() && !ValType->isPointerType() && 355 !ValType->isBlockPointerType()) 356 return Diag(DRE->getLocStart(), 357 diag::err_atomic_builtin_must_be_pointer_intptr) 358 << FirstArg->getType() << FirstArg->getSourceRange(); 359 360 // We need to figure out which concrete builtin this maps onto. For example, 361 // __sync_fetch_and_add with a 2 byte object turns into 362 // __sync_fetch_and_add_2. 363#define BUILTIN_ROW(x) \ 364 { Builtin::BI##x##_1, Builtin::BI##x##_2, Builtin::BI##x##_4, \ 365 Builtin::BI##x##_8, Builtin::BI##x##_16 } 366 367 static const unsigned BuiltinIndices[][5] = { 368 BUILTIN_ROW(__sync_fetch_and_add), 369 BUILTIN_ROW(__sync_fetch_and_sub), 370 BUILTIN_ROW(__sync_fetch_and_or), 371 BUILTIN_ROW(__sync_fetch_and_and), 372 BUILTIN_ROW(__sync_fetch_and_xor), 373 374 BUILTIN_ROW(__sync_add_and_fetch), 375 BUILTIN_ROW(__sync_sub_and_fetch), 376 BUILTIN_ROW(__sync_and_and_fetch), 377 BUILTIN_ROW(__sync_or_and_fetch), 378 BUILTIN_ROW(__sync_xor_and_fetch), 379 380 BUILTIN_ROW(__sync_val_compare_and_swap), 381 BUILTIN_ROW(__sync_bool_compare_and_swap), 382 BUILTIN_ROW(__sync_lock_test_and_set), 383 BUILTIN_ROW(__sync_lock_release) 384 }; 385#undef BUILTIN_ROW 386 387 // Determine the index of the size. 388 unsigned SizeIndex; 389 switch (Context.getTypeSizeInChars(ValType).getQuantity()) { 390 case 1: SizeIndex = 0; break; 391 case 2: SizeIndex = 1; break; 392 case 4: SizeIndex = 2; break; 393 case 8: SizeIndex = 3; break; 394 case 16: SizeIndex = 4; break; 395 default: 396 return Diag(DRE->getLocStart(), diag::err_atomic_builtin_pointer_size) 397 << FirstArg->getType() << FirstArg->getSourceRange(); 398 } 399 400 // Each of these builtins has one pointer argument, followed by some number of 401 // values (0, 1 or 2) followed by a potentially empty varags list of stuff 402 // that we ignore. Find out which row of BuiltinIndices to read from as well 403 // as the number of fixed args. 404 unsigned BuiltinID = FDecl->getBuiltinID(); 405 unsigned BuiltinIndex, NumFixed = 1; 406 switch (BuiltinID) { 407 default: assert(0 && "Unknown overloaded atomic builtin!"); 408 case Builtin::BI__sync_fetch_and_add: BuiltinIndex = 0; break; 409 case Builtin::BI__sync_fetch_and_sub: BuiltinIndex = 1; break; 410 case Builtin::BI__sync_fetch_and_or: BuiltinIndex = 2; break; 411 case Builtin::BI__sync_fetch_and_and: BuiltinIndex = 3; break; 412 case Builtin::BI__sync_fetch_and_xor: BuiltinIndex = 4; break; 413 414 case Builtin::BI__sync_add_and_fetch: BuiltinIndex = 5; break; 415 case Builtin::BI__sync_sub_and_fetch: BuiltinIndex = 6; break; 416 case Builtin::BI__sync_and_and_fetch: BuiltinIndex = 7; break; 417 case Builtin::BI__sync_or_and_fetch: BuiltinIndex = 8; break; 418 case Builtin::BI__sync_xor_and_fetch: BuiltinIndex = 9; break; 419 420 case Builtin::BI__sync_val_compare_and_swap: 421 BuiltinIndex = 10; 422 NumFixed = 2; 423 break; 424 case Builtin::BI__sync_bool_compare_and_swap: 425 BuiltinIndex = 11; 426 NumFixed = 2; 427 break; 428 case Builtin::BI__sync_lock_test_and_set: BuiltinIndex = 12; break; 429 case Builtin::BI__sync_lock_release: 430 BuiltinIndex = 13; 431 NumFixed = 0; 432 break; 433 } 434 435 // Now that we know how many fixed arguments we expect, first check that we 436 // have at least that many. 437 if (TheCall->getNumArgs() < 1+NumFixed) 438 return Diag(TheCall->getLocEnd(), 439 diag::err_typecheck_call_too_few_args_at_least) 440 << 0 << 1+NumFixed << TheCall->getNumArgs() 441 << TheCall->getCallee()->getSourceRange(); 442 443 444 // Get the decl for the concrete builtin from this, we can tell what the 445 // concrete integer type we should convert to is. 446 unsigned NewBuiltinID = BuiltinIndices[BuiltinIndex][SizeIndex]; 447 const char *NewBuiltinName = Context.BuiltinInfo.GetName(NewBuiltinID); 448 IdentifierInfo *NewBuiltinII = PP.getIdentifierInfo(NewBuiltinName); 449 FunctionDecl *NewBuiltinDecl = 450 cast<FunctionDecl>(LazilyCreateBuiltin(NewBuiltinII, NewBuiltinID, 451 TUScope, false, DRE->getLocStart())); 452 const FunctionProtoType *BuiltinFT = 453 NewBuiltinDecl->getType()->getAs<FunctionProtoType>(); 454 ValType = BuiltinFT->getArgType(0)->getAs<PointerType>()->getPointeeType(); 455 456 // If the first type needs to be converted (e.g. void** -> int*), do it now. 457 if (BuiltinFT->getArgType(0) != FirstArg->getType()) { 458 ImpCastExprToType(FirstArg, BuiltinFT->getArgType(0), CastExpr::CK_BitCast); 459 TheCall->setArg(0, FirstArg); 460 } 461 462 // Next, walk the valid ones promoting to the right type. 463 for (unsigned i = 0; i != NumFixed; ++i) { 464 Expr *Arg = TheCall->getArg(i+1); 465 466 // If the argument is an implicit cast, then there was a promotion due to 467 // "...", just remove it now. 468 if (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Arg)) { 469 Arg = ICE->getSubExpr(); 470 ICE->setSubExpr(0); 471 ICE->Destroy(Context); 472 TheCall->setArg(i+1, Arg); 473 } 474 475 // GCC does an implicit conversion to the pointer or integer ValType. This 476 // can fail in some cases (1i -> int**), check for this error case now. 477 CastExpr::CastKind Kind = CastExpr::CK_Unknown; 478 CXXBaseSpecifierArray BasePath; 479 if (CheckCastTypes(Arg->getSourceRange(), ValType, Arg, Kind, BasePath)) 480 return true; 481 482 // Okay, we have something that *can* be converted to the right type. Check 483 // to see if there is a potentially weird extension going on here. This can 484 // happen when you do an atomic operation on something like an char* and 485 // pass in 42. The 42 gets converted to char. This is even more strange 486 // for things like 45.123 -> char, etc. 487 // FIXME: Do this check. 488 ImpCastExprToType(Arg, ValType, Kind); 489 TheCall->setArg(i+1, Arg); 490 } 491 492 // Switch the DeclRefExpr to refer to the new decl. 493 DRE->setDecl(NewBuiltinDecl); 494 DRE->setType(NewBuiltinDecl->getType()); 495 496 // Set the callee in the CallExpr. 497 // FIXME: This leaks the original parens and implicit casts. 498 Expr *PromotedCall = DRE; 499 UsualUnaryConversions(PromotedCall); 500 TheCall->setCallee(PromotedCall); 501 502 503 // Change the result type of the call to match the result type of the decl. 504 TheCall->setType(NewBuiltinDecl->getResultType()); 505 return false; 506} 507 508 509/// CheckObjCString - Checks that the argument to the builtin 510/// CFString constructor is correct 511/// FIXME: GCC currently emits the following warning: 512/// "warning: input conversion stopped due to an input byte that does not 513/// belong to the input codeset UTF-8" 514/// Note: It might also make sense to do the UTF-16 conversion here (would 515/// simplify the backend). 516bool Sema::CheckObjCString(Expr *Arg) { 517 Arg = Arg->IgnoreParenCasts(); 518 StringLiteral *Literal = dyn_cast<StringLiteral>(Arg); 519 520 if (!Literal || Literal->isWide()) { 521 Diag(Arg->getLocStart(), diag::err_cfstring_literal_not_string_constant) 522 << Arg->getSourceRange(); 523 return true; 524 } 525 526 const char *Data = Literal->getStrData(); 527 unsigned Length = Literal->getByteLength(); 528 529 for (unsigned i = 0; i < Length; ++i) { 530 if (!Data[i]) { 531 Diag(getLocationOfStringLiteralByte(Literal, i), 532 diag::warn_cfstring_literal_contains_nul_character) 533 << Arg->getSourceRange(); 534 break; 535 } 536 } 537 538 return false; 539} 540 541/// SemaBuiltinVAStart - Check the arguments to __builtin_va_start for validity. 542/// Emit an error and return true on failure, return false on success. 543bool Sema::SemaBuiltinVAStart(CallExpr *TheCall) { 544 Expr *Fn = TheCall->getCallee(); 545 if (TheCall->getNumArgs() > 2) { 546 Diag(TheCall->getArg(2)->getLocStart(), 547 diag::err_typecheck_call_too_many_args) 548 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 549 << Fn->getSourceRange() 550 << SourceRange(TheCall->getArg(2)->getLocStart(), 551 (*(TheCall->arg_end()-1))->getLocEnd()); 552 return true; 553 } 554 555 if (TheCall->getNumArgs() < 2) { 556 return Diag(TheCall->getLocEnd(), 557 diag::err_typecheck_call_too_few_args_at_least) 558 << 0 /*function call*/ << 2 << TheCall->getNumArgs(); 559 } 560 561 // Determine whether the current function is variadic or not. 562 BlockScopeInfo *CurBlock = getCurBlock(); 563 bool isVariadic; 564 if (CurBlock) 565 isVariadic = CurBlock->TheDecl->isVariadic(); 566 else if (FunctionDecl *FD = getCurFunctionDecl()) 567 isVariadic = FD->isVariadic(); 568 else 569 isVariadic = getCurMethodDecl()->isVariadic(); 570 571 if (!isVariadic) { 572 Diag(Fn->getLocStart(), diag::err_va_start_used_in_non_variadic_function); 573 return true; 574 } 575 576 // Verify that the second argument to the builtin is the last argument of the 577 // current function or method. 578 bool SecondArgIsLastNamedArgument = false; 579 const Expr *Arg = TheCall->getArg(1)->IgnoreParenCasts(); 580 581 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Arg)) { 582 if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(DR->getDecl())) { 583 // FIXME: This isn't correct for methods (results in bogus warning). 584 // Get the last formal in the current function. 585 const ParmVarDecl *LastArg; 586 if (CurBlock) 587 LastArg = *(CurBlock->TheDecl->param_end()-1); 588 else if (FunctionDecl *FD = getCurFunctionDecl()) 589 LastArg = *(FD->param_end()-1); 590 else 591 LastArg = *(getCurMethodDecl()->param_end()-1); 592 SecondArgIsLastNamedArgument = PV == LastArg; 593 } 594 } 595 596 if (!SecondArgIsLastNamedArgument) 597 Diag(TheCall->getArg(1)->getLocStart(), 598 diag::warn_second_parameter_of_va_start_not_last_named_argument); 599 return false; 600} 601 602/// SemaBuiltinUnorderedCompare - Handle functions like __builtin_isgreater and 603/// friends. This is declared to take (...), so we have to check everything. 604bool Sema::SemaBuiltinUnorderedCompare(CallExpr *TheCall) { 605 if (TheCall->getNumArgs() < 2) 606 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 607 << 0 << 2 << TheCall->getNumArgs()/*function call*/; 608 if (TheCall->getNumArgs() > 2) 609 return Diag(TheCall->getArg(2)->getLocStart(), 610 diag::err_typecheck_call_too_many_args) 611 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 612 << SourceRange(TheCall->getArg(2)->getLocStart(), 613 (*(TheCall->arg_end()-1))->getLocEnd()); 614 615 Expr *OrigArg0 = TheCall->getArg(0); 616 Expr *OrigArg1 = TheCall->getArg(1); 617 618 // Do standard promotions between the two arguments, returning their common 619 // type. 620 QualType Res = UsualArithmeticConversions(OrigArg0, OrigArg1, false); 621 622 // Make sure any conversions are pushed back into the call; this is 623 // type safe since unordered compare builtins are declared as "_Bool 624 // foo(...)". 625 TheCall->setArg(0, OrigArg0); 626 TheCall->setArg(1, OrigArg1); 627 628 if (OrigArg0->isTypeDependent() || OrigArg1->isTypeDependent()) 629 return false; 630 631 // If the common type isn't a real floating type, then the arguments were 632 // invalid for this operation. 633 if (!Res->isRealFloatingType()) 634 return Diag(OrigArg0->getLocStart(), 635 diag::err_typecheck_call_invalid_ordered_compare) 636 << OrigArg0->getType() << OrigArg1->getType() 637 << SourceRange(OrigArg0->getLocStart(), OrigArg1->getLocEnd()); 638 639 return false; 640} 641 642/// SemaBuiltinSemaBuiltinFPClassification - Handle functions like 643/// __builtin_isnan and friends. This is declared to take (...), so we have 644/// to check everything. We expect the last argument to be a floating point 645/// value. 646bool Sema::SemaBuiltinFPClassification(CallExpr *TheCall, unsigned NumArgs) { 647 if (TheCall->getNumArgs() < NumArgs) 648 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 649 << 0 << NumArgs << TheCall->getNumArgs()/*function call*/; 650 if (TheCall->getNumArgs() > NumArgs) 651 return Diag(TheCall->getArg(NumArgs)->getLocStart(), 652 diag::err_typecheck_call_too_many_args) 653 << 0 /*function call*/ << NumArgs << TheCall->getNumArgs() 654 << SourceRange(TheCall->getArg(NumArgs)->getLocStart(), 655 (*(TheCall->arg_end()-1))->getLocEnd()); 656 657 Expr *OrigArg = TheCall->getArg(NumArgs-1); 658 659 if (OrigArg->isTypeDependent()) 660 return false; 661 662 // This operation requires a non-_Complex floating-point number. 663 if (!OrigArg->getType()->isRealFloatingType()) 664 return Diag(OrigArg->getLocStart(), 665 diag::err_typecheck_call_invalid_unary_fp) 666 << OrigArg->getType() << OrigArg->getSourceRange(); 667 668 // If this is an implicit conversion from float -> double, remove it. 669 if (ImplicitCastExpr *Cast = dyn_cast<ImplicitCastExpr>(OrigArg)) { 670 Expr *CastArg = Cast->getSubExpr(); 671 if (CastArg->getType()->isSpecificBuiltinType(BuiltinType::Float)) { 672 assert(Cast->getType()->isSpecificBuiltinType(BuiltinType::Double) && 673 "promotion from float to double is the only expected cast here"); 674 Cast->setSubExpr(0); 675 Cast->Destroy(Context); 676 TheCall->setArg(NumArgs-1, CastArg); 677 OrigArg = CastArg; 678 } 679 } 680 681 return false; 682} 683 684/// SemaBuiltinShuffleVector - Handle __builtin_shufflevector. 685// This is declared to take (...), so we have to check everything. 686Action::OwningExprResult Sema::SemaBuiltinShuffleVector(CallExpr *TheCall) { 687 if (TheCall->getNumArgs() < 2) 688 return ExprError(Diag(TheCall->getLocEnd(), 689 diag::err_typecheck_call_too_few_args_at_least) 690 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 691 << TheCall->getSourceRange()); 692 693 // Determine which of the following types of shufflevector we're checking: 694 // 1) unary, vector mask: (lhs, mask) 695 // 2) binary, vector mask: (lhs, rhs, mask) 696 // 3) binary, scalar mask: (lhs, rhs, index, ..., index) 697 QualType resType = TheCall->getArg(0)->getType(); 698 unsigned numElements = 0; 699 700 if (!TheCall->getArg(0)->isTypeDependent() && 701 !TheCall->getArg(1)->isTypeDependent()) { 702 QualType LHSType = TheCall->getArg(0)->getType(); 703 QualType RHSType = TheCall->getArg(1)->getType(); 704 705 if (!LHSType->isVectorType() || !RHSType->isVectorType()) { 706 Diag(TheCall->getLocStart(), diag::err_shufflevector_non_vector) 707 << SourceRange(TheCall->getArg(0)->getLocStart(), 708 TheCall->getArg(1)->getLocEnd()); 709 return ExprError(); 710 } 711 712 numElements = LHSType->getAs<VectorType>()->getNumElements(); 713 unsigned numResElements = TheCall->getNumArgs() - 2; 714 715 // Check to see if we have a call with 2 vector arguments, the unary shuffle 716 // with mask. If so, verify that RHS is an integer vector type with the 717 // same number of elts as lhs. 718 if (TheCall->getNumArgs() == 2) { 719 if (!RHSType->isIntegerType() || 720 RHSType->getAs<VectorType>()->getNumElements() != numElements) 721 Diag(TheCall->getLocStart(), diag::err_shufflevector_incompatible_vector) 722 << SourceRange(TheCall->getArg(1)->getLocStart(), 723 TheCall->getArg(1)->getLocEnd()); 724 numResElements = numElements; 725 } 726 else if (!Context.hasSameUnqualifiedType(LHSType, RHSType)) { 727 Diag(TheCall->getLocStart(), diag::err_shufflevector_incompatible_vector) 728 << SourceRange(TheCall->getArg(0)->getLocStart(), 729 TheCall->getArg(1)->getLocEnd()); 730 return ExprError(); 731 } else if (numElements != numResElements) { 732 QualType eltType = LHSType->getAs<VectorType>()->getElementType(); 733 resType = Context.getVectorType(eltType, numResElements, false, false); 734 } 735 } 736 737 for (unsigned i = 2; i < TheCall->getNumArgs(); i++) { 738 if (TheCall->getArg(i)->isTypeDependent() || 739 TheCall->getArg(i)->isValueDependent()) 740 continue; 741 742 llvm::APSInt Result(32); 743 if (!TheCall->getArg(i)->isIntegerConstantExpr(Result, Context)) 744 return ExprError(Diag(TheCall->getLocStart(), 745 diag::err_shufflevector_nonconstant_argument) 746 << TheCall->getArg(i)->getSourceRange()); 747 748 if (Result.getActiveBits() > 64 || Result.getZExtValue() >= numElements*2) 749 return ExprError(Diag(TheCall->getLocStart(), 750 diag::err_shufflevector_argument_too_large) 751 << TheCall->getArg(i)->getSourceRange()); 752 } 753 754 llvm::SmallVector<Expr*, 32> exprs; 755 756 for (unsigned i = 0, e = TheCall->getNumArgs(); i != e; i++) { 757 exprs.push_back(TheCall->getArg(i)); 758 TheCall->setArg(i, 0); 759 } 760 761 return Owned(new (Context) ShuffleVectorExpr(Context, exprs.begin(), 762 exprs.size(), resType, 763 TheCall->getCallee()->getLocStart(), 764 TheCall->getRParenLoc())); 765} 766 767/// SemaBuiltinPrefetch - Handle __builtin_prefetch. 768// This is declared to take (const void*, ...) and can take two 769// optional constant int args. 770bool Sema::SemaBuiltinPrefetch(CallExpr *TheCall) { 771 unsigned NumArgs = TheCall->getNumArgs(); 772 773 if (NumArgs > 3) 774 return Diag(TheCall->getLocEnd(), 775 diag::err_typecheck_call_too_many_args_at_most) 776 << 0 /*function call*/ << 3 << NumArgs 777 << TheCall->getSourceRange(); 778 779 // Argument 0 is checked for us and the remaining arguments must be 780 // constant integers. 781 for (unsigned i = 1; i != NumArgs; ++i) { 782 Expr *Arg = TheCall->getArg(i); 783 784 llvm::APSInt Result; 785 if (SemaBuiltinConstantArg(TheCall, i, Result)) 786 return true; 787 788 // FIXME: gcc issues a warning and rewrites these to 0. These 789 // seems especially odd for the third argument since the default 790 // is 3. 791 if (i == 1) { 792 if (Result.getLimitedValue() > 1) 793 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 794 << "0" << "1" << Arg->getSourceRange(); 795 } else { 796 if (Result.getLimitedValue() > 3) 797 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 798 << "0" << "3" << Arg->getSourceRange(); 799 } 800 } 801 802 return false; 803} 804 805/// SemaBuiltinConstantArg - Handle a check if argument ArgNum of CallExpr 806/// TheCall is a constant expression. 807bool Sema::SemaBuiltinConstantArg(CallExpr *TheCall, int ArgNum, 808 llvm::APSInt &Result) { 809 Expr *Arg = TheCall->getArg(ArgNum); 810 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 811 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 812 813 if (Arg->isTypeDependent() || Arg->isValueDependent()) return false; 814 815 if (!Arg->isIntegerConstantExpr(Result, Context)) 816 return Diag(TheCall->getLocStart(), diag::err_constant_integer_arg_type) 817 << FDecl->getDeclName() << Arg->getSourceRange(); 818 819 return false; 820} 821 822/// SemaBuiltinObjectSize - Handle __builtin_object_size(void *ptr, 823/// int type). This simply type checks that type is one of the defined 824/// constants (0-3). 825// For compatability check 0-3, llvm only handles 0 and 2. 826bool Sema::SemaBuiltinObjectSize(CallExpr *TheCall) { 827 llvm::APSInt Result; 828 829 // Check constant-ness first. 830 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 831 return true; 832 833 Expr *Arg = TheCall->getArg(1); 834 if (Result.getSExtValue() < 0 || Result.getSExtValue() > 3) { 835 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 836 << "0" << "3" << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 837 } 838 839 return false; 840} 841 842/// SemaBuiltinLongjmp - Handle __builtin_longjmp(void *env[5], int val). 843/// This checks that val is a constant 1. 844bool Sema::SemaBuiltinLongjmp(CallExpr *TheCall) { 845 Expr *Arg = TheCall->getArg(1); 846 llvm::APSInt Result; 847 848 // TODO: This is less than ideal. Overload this to take a value. 849 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 850 return true; 851 852 if (Result != 1) 853 return Diag(TheCall->getLocStart(), diag::err_builtin_longjmp_invalid_val) 854 << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 855 856 return false; 857} 858 859// Handle i > 1 ? "x" : "y", recursivelly 860bool Sema::SemaCheckStringLiteral(const Expr *E, const CallExpr *TheCall, 861 bool HasVAListArg, 862 unsigned format_idx, unsigned firstDataArg) { 863 if (E->isTypeDependent() || E->isValueDependent()) 864 return false; 865 866 switch (E->getStmtClass()) { 867 case Stmt::ConditionalOperatorClass: { 868 const ConditionalOperator *C = cast<ConditionalOperator>(E); 869 return SemaCheckStringLiteral(C->getTrueExpr(), TheCall, 870 HasVAListArg, format_idx, firstDataArg) 871 && SemaCheckStringLiteral(C->getRHS(), TheCall, 872 HasVAListArg, format_idx, firstDataArg); 873 } 874 875 case Stmt::ImplicitCastExprClass: { 876 const ImplicitCastExpr *Expr = cast<ImplicitCastExpr>(E); 877 return SemaCheckStringLiteral(Expr->getSubExpr(), TheCall, HasVAListArg, 878 format_idx, firstDataArg); 879 } 880 881 case Stmt::ParenExprClass: { 882 const ParenExpr *Expr = cast<ParenExpr>(E); 883 return SemaCheckStringLiteral(Expr->getSubExpr(), TheCall, HasVAListArg, 884 format_idx, firstDataArg); 885 } 886 887 case Stmt::DeclRefExprClass: { 888 const DeclRefExpr *DR = cast<DeclRefExpr>(E); 889 890 // As an exception, do not flag errors for variables binding to 891 // const string literals. 892 if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) { 893 bool isConstant = false; 894 QualType T = DR->getType(); 895 896 if (const ArrayType *AT = Context.getAsArrayType(T)) { 897 isConstant = AT->getElementType().isConstant(Context); 898 } else if (const PointerType *PT = T->getAs<PointerType>()) { 899 isConstant = T.isConstant(Context) && 900 PT->getPointeeType().isConstant(Context); 901 } 902 903 if (isConstant) { 904 if (const Expr *Init = VD->getAnyInitializer()) 905 return SemaCheckStringLiteral(Init, TheCall, 906 HasVAListArg, format_idx, firstDataArg); 907 } 908 909 // For vprintf* functions (i.e., HasVAListArg==true), we add a 910 // special check to see if the format string is a function parameter 911 // of the function calling the printf function. If the function 912 // has an attribute indicating it is a printf-like function, then we 913 // should suppress warnings concerning non-literals being used in a call 914 // to a vprintf function. For example: 915 // 916 // void 917 // logmessage(char const *fmt __attribute__ (format (printf, 1, 2)), ...){ 918 // va_list ap; 919 // va_start(ap, fmt); 920 // vprintf(fmt, ap); // Do NOT emit a warning about "fmt". 921 // ... 922 // 923 // 924 // FIXME: We don't have full attribute support yet, so just check to see 925 // if the argument is a DeclRefExpr that references a parameter. We'll 926 // add proper support for checking the attribute later. 927 if (HasVAListArg) 928 if (isa<ParmVarDecl>(VD)) 929 return true; 930 } 931 932 return false; 933 } 934 935 case Stmt::CallExprClass: { 936 const CallExpr *CE = cast<CallExpr>(E); 937 if (const ImplicitCastExpr *ICE 938 = dyn_cast<ImplicitCastExpr>(CE->getCallee())) { 939 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(ICE->getSubExpr())) { 940 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(DRE->getDecl())) { 941 if (const FormatArgAttr *FA = FD->getAttr<FormatArgAttr>()) { 942 unsigned ArgIndex = FA->getFormatIdx(); 943 const Expr *Arg = CE->getArg(ArgIndex - 1); 944 945 return SemaCheckStringLiteral(Arg, TheCall, HasVAListArg, 946 format_idx, firstDataArg); 947 } 948 } 949 } 950 } 951 952 return false; 953 } 954 case Stmt::ObjCStringLiteralClass: 955 case Stmt::StringLiteralClass: { 956 const StringLiteral *StrE = NULL; 957 958 if (const ObjCStringLiteral *ObjCFExpr = dyn_cast<ObjCStringLiteral>(E)) 959 StrE = ObjCFExpr->getString(); 960 else 961 StrE = cast<StringLiteral>(E); 962 963 if (StrE) { 964 CheckPrintfString(StrE, E, TheCall, HasVAListArg, format_idx, 965 firstDataArg); 966 return true; 967 } 968 969 return false; 970 } 971 972 default: 973 return false; 974 } 975} 976 977void 978Sema::CheckNonNullArguments(const NonNullAttr *NonNull, 979 const CallExpr *TheCall) { 980 for (NonNullAttr::iterator i = NonNull->begin(), e = NonNull->end(); 981 i != e; ++i) { 982 const Expr *ArgExpr = TheCall->getArg(*i); 983 if (ArgExpr->isNullPointerConstant(Context, 984 Expr::NPC_ValueDependentIsNotNull)) 985 Diag(TheCall->getCallee()->getLocStart(), diag::warn_null_arg) 986 << ArgExpr->getSourceRange(); 987 } 988} 989 990/// CheckPrintfArguments - Check calls to printf (and similar functions) for 991/// correct use of format strings. 992/// 993/// HasVAListArg - A predicate indicating whether the printf-like 994/// function is passed an explicit va_arg argument (e.g., vprintf) 995/// 996/// format_idx - The index into Args for the format string. 997/// 998/// Improper format strings to functions in the printf family can be 999/// the source of bizarre bugs and very serious security holes. A 1000/// good source of information is available in the following paper 1001/// (which includes additional references): 1002/// 1003/// FormatGuard: Automatic Protection From printf Format String 1004/// Vulnerabilities, Proceedings of the 10th USENIX Security Symposium, 2001. 1005/// 1006/// TODO: 1007/// Functionality implemented: 1008/// 1009/// We can statically check the following properties for string 1010/// literal format strings for non v.*printf functions (where the 1011/// arguments are passed directly): 1012// 1013/// (1) Are the number of format conversions equal to the number of 1014/// data arguments? 1015/// 1016/// (2) Does each format conversion correctly match the type of the 1017/// corresponding data argument? 1018/// 1019/// Moreover, for all printf functions we can: 1020/// 1021/// (3) Check for a missing format string (when not caught by type checking). 1022/// 1023/// (4) Check for no-operation flags; e.g. using "#" with format 1024/// conversion 'c' (TODO) 1025/// 1026/// (5) Check the use of '%n', a major source of security holes. 1027/// 1028/// (6) Check for malformed format conversions that don't specify anything. 1029/// 1030/// (7) Check for empty format strings. e.g: printf(""); 1031/// 1032/// (8) Check that the format string is a wide literal. 1033/// 1034/// All of these checks can be done by parsing the format string. 1035/// 1036void 1037Sema::CheckPrintfArguments(const CallExpr *TheCall, bool HasVAListArg, 1038 unsigned format_idx, unsigned firstDataArg) { 1039 const Expr *Fn = TheCall->getCallee(); 1040 1041 // The way the format attribute works in GCC, the implicit this argument 1042 // of member functions is counted. However, it doesn't appear in our own 1043 // lists, so decrement format_idx in that case. 1044 if (isa<CXXMemberCallExpr>(TheCall)) { 1045 // Catch a format attribute mistakenly referring to the object argument. 1046 if (format_idx == 0) 1047 return; 1048 --format_idx; 1049 if(firstDataArg != 0) 1050 --firstDataArg; 1051 } 1052 1053 // CHECK: printf-like function is called with no format string. 1054 if (format_idx >= TheCall->getNumArgs()) { 1055 Diag(TheCall->getRParenLoc(), diag::warn_printf_missing_format_string) 1056 << Fn->getSourceRange(); 1057 return; 1058 } 1059 1060 const Expr *OrigFormatExpr = TheCall->getArg(format_idx)->IgnoreParenCasts(); 1061 1062 // CHECK: format string is not a string literal. 1063 // 1064 // Dynamically generated format strings are difficult to 1065 // automatically vet at compile time. Requiring that format strings 1066 // are string literals: (1) permits the checking of format strings by 1067 // the compiler and thereby (2) can practically remove the source of 1068 // many format string exploits. 1069 1070 // Format string can be either ObjC string (e.g. @"%d") or 1071 // C string (e.g. "%d") 1072 // ObjC string uses the same format specifiers as C string, so we can use 1073 // the same format string checking logic for both ObjC and C strings. 1074 if (SemaCheckStringLiteral(OrigFormatExpr, TheCall, HasVAListArg, format_idx, 1075 firstDataArg)) 1076 return; // Literal format string found, check done! 1077 1078 // If there are no arguments specified, warn with -Wformat-security, otherwise 1079 // warn only with -Wformat-nonliteral. 1080 if (TheCall->getNumArgs() == format_idx+1) 1081 Diag(TheCall->getArg(format_idx)->getLocStart(), 1082 diag::warn_printf_nonliteral_noargs) 1083 << OrigFormatExpr->getSourceRange(); 1084 else 1085 Diag(TheCall->getArg(format_idx)->getLocStart(), 1086 diag::warn_printf_nonliteral) 1087 << OrigFormatExpr->getSourceRange(); 1088} 1089 1090namespace { 1091class CheckPrintfHandler : public analyze_printf::FormatStringHandler { 1092 Sema &S; 1093 const StringLiteral *FExpr; 1094 const Expr *OrigFormatExpr; 1095 const unsigned FirstDataArg; 1096 const unsigned NumDataArgs; 1097 const bool IsObjCLiteral; 1098 const char *Beg; // Start of format string. 1099 const bool HasVAListArg; 1100 const CallExpr *TheCall; 1101 unsigned FormatIdx; 1102 llvm::BitVector CoveredArgs; 1103 bool usesPositionalArgs; 1104 bool atFirstArg; 1105public: 1106 CheckPrintfHandler(Sema &s, const StringLiteral *fexpr, 1107 const Expr *origFormatExpr, unsigned firstDataArg, 1108 unsigned numDataArgs, bool isObjCLiteral, 1109 const char *beg, bool hasVAListArg, 1110 const CallExpr *theCall, unsigned formatIdx) 1111 : S(s), FExpr(fexpr), OrigFormatExpr(origFormatExpr), 1112 FirstDataArg(firstDataArg), 1113 NumDataArgs(numDataArgs), 1114 IsObjCLiteral(isObjCLiteral), Beg(beg), 1115 HasVAListArg(hasVAListArg), 1116 TheCall(theCall), FormatIdx(formatIdx), 1117 usesPositionalArgs(false), atFirstArg(true) { 1118 CoveredArgs.resize(numDataArgs); 1119 CoveredArgs.reset(); 1120 } 1121 1122 void DoneProcessing(); 1123 1124 void HandleIncompleteFormatSpecifier(const char *startSpecifier, 1125 unsigned specifierLen); 1126 1127 bool 1128 HandleInvalidConversionSpecifier(const analyze_printf::FormatSpecifier &FS, 1129 const char *startSpecifier, 1130 unsigned specifierLen); 1131 1132 virtual void HandleInvalidPosition(const char *startSpecifier, 1133 unsigned specifierLen, 1134 analyze_printf::PositionContext p); 1135 1136 virtual void HandleZeroPosition(const char *startPos, unsigned posLen); 1137 1138 void HandleNullChar(const char *nullCharacter); 1139 1140 bool HandleFormatSpecifier(const analyze_printf::FormatSpecifier &FS, 1141 const char *startSpecifier, 1142 unsigned specifierLen); 1143private: 1144 SourceRange getFormatStringRange(); 1145 SourceRange getFormatSpecifierRange(const char *startSpecifier, 1146 unsigned specifierLen); 1147 SourceLocation getLocationOfByte(const char *x); 1148 1149 bool HandleAmount(const analyze_printf::OptionalAmount &Amt, unsigned k, 1150 const char *startSpecifier, unsigned specifierLen); 1151 void HandleFlags(const analyze_printf::FormatSpecifier &FS, 1152 llvm::StringRef flag, llvm::StringRef cspec, 1153 const char *startSpecifier, unsigned specifierLen); 1154 1155 const Expr *getDataArg(unsigned i) const; 1156}; 1157} 1158 1159SourceRange CheckPrintfHandler::getFormatStringRange() { 1160 return OrigFormatExpr->getSourceRange(); 1161} 1162 1163SourceRange CheckPrintfHandler:: 1164getFormatSpecifierRange(const char *startSpecifier, unsigned specifierLen) { 1165 return SourceRange(getLocationOfByte(startSpecifier), 1166 getLocationOfByte(startSpecifier+specifierLen-1)); 1167} 1168 1169SourceLocation CheckPrintfHandler::getLocationOfByte(const char *x) { 1170 return S.getLocationOfStringLiteralByte(FExpr, x - Beg); 1171} 1172 1173void CheckPrintfHandler:: 1174HandleIncompleteFormatSpecifier(const char *startSpecifier, 1175 unsigned specifierLen) { 1176 SourceLocation Loc = getLocationOfByte(startSpecifier); 1177 S.Diag(Loc, diag::warn_printf_incomplete_specifier) 1178 << getFormatSpecifierRange(startSpecifier, specifierLen); 1179} 1180 1181void 1182CheckPrintfHandler::HandleInvalidPosition(const char *startPos, unsigned posLen, 1183 analyze_printf::PositionContext p) { 1184 SourceLocation Loc = getLocationOfByte(startPos); 1185 S.Diag(Loc, diag::warn_printf_invalid_positional_specifier) 1186 << (unsigned) p << getFormatSpecifierRange(startPos, posLen); 1187} 1188 1189void CheckPrintfHandler::HandleZeroPosition(const char *startPos, 1190 unsigned posLen) { 1191 SourceLocation Loc = getLocationOfByte(startPos); 1192 S.Diag(Loc, diag::warn_printf_zero_positional_specifier) 1193 << getFormatSpecifierRange(startPos, posLen); 1194} 1195 1196bool CheckPrintfHandler:: 1197HandleInvalidConversionSpecifier(const analyze_printf::FormatSpecifier &FS, 1198 const char *startSpecifier, 1199 unsigned specifierLen) { 1200 1201 unsigned argIndex = FS.getArgIndex(); 1202 bool keepGoing = true; 1203 if (argIndex < NumDataArgs) { 1204 // Consider the argument coverered, even though the specifier doesn't 1205 // make sense. 1206 CoveredArgs.set(argIndex); 1207 } 1208 else { 1209 // If argIndex exceeds the number of data arguments we 1210 // don't issue a warning because that is just a cascade of warnings (and 1211 // they may have intended '%%' anyway). We don't want to continue processing 1212 // the format string after this point, however, as we will like just get 1213 // gibberish when trying to match arguments. 1214 keepGoing = false; 1215 } 1216 1217 const analyze_printf::ConversionSpecifier &CS = 1218 FS.getConversionSpecifier(); 1219 SourceLocation Loc = getLocationOfByte(CS.getStart()); 1220 S.Diag(Loc, diag::warn_printf_invalid_conversion) 1221 << llvm::StringRef(CS.getStart(), CS.getLength()) 1222 << getFormatSpecifierRange(startSpecifier, specifierLen); 1223 1224 return keepGoing; 1225} 1226 1227void CheckPrintfHandler::HandleNullChar(const char *nullCharacter) { 1228 // The presence of a null character is likely an error. 1229 S.Diag(getLocationOfByte(nullCharacter), 1230 diag::warn_printf_format_string_contains_null_char) 1231 << getFormatStringRange(); 1232} 1233 1234const Expr *CheckPrintfHandler::getDataArg(unsigned i) const { 1235 return TheCall->getArg(FirstDataArg + i); 1236} 1237 1238void CheckPrintfHandler::HandleFlags(const analyze_printf::FormatSpecifier &FS, 1239 llvm::StringRef flag, 1240 llvm::StringRef cspec, 1241 const char *startSpecifier, 1242 unsigned specifierLen) { 1243 const analyze_printf::ConversionSpecifier &CS = FS.getConversionSpecifier(); 1244 S.Diag(getLocationOfByte(CS.getStart()), diag::warn_printf_nonsensical_flag) 1245 << flag << cspec << getFormatSpecifierRange(startSpecifier, specifierLen); 1246} 1247 1248bool 1249CheckPrintfHandler::HandleAmount(const analyze_printf::OptionalAmount &Amt, 1250 unsigned k, const char *startSpecifier, 1251 unsigned specifierLen) { 1252 1253 if (Amt.hasDataArgument()) { 1254 if (!HasVAListArg) { 1255 unsigned argIndex = Amt.getArgIndex(); 1256 if (argIndex >= NumDataArgs) { 1257 S.Diag(getLocationOfByte(Amt.getStart()), 1258 diag::warn_printf_asterisk_missing_arg) 1259 << k << getFormatSpecifierRange(startSpecifier, specifierLen); 1260 // Don't do any more checking. We will just emit 1261 // spurious errors. 1262 return false; 1263 } 1264 1265 // Type check the data argument. It should be an 'int'. 1266 // Although not in conformance with C99, we also allow the argument to be 1267 // an 'unsigned int' as that is a reasonably safe case. GCC also 1268 // doesn't emit a warning for that case. 1269 CoveredArgs.set(argIndex); 1270 const Expr *Arg = getDataArg(argIndex); 1271 QualType T = Arg->getType(); 1272 1273 const analyze_printf::ArgTypeResult &ATR = Amt.getArgType(S.Context); 1274 assert(ATR.isValid()); 1275 1276 if (!ATR.matchesType(S.Context, T)) { 1277 S.Diag(getLocationOfByte(Amt.getStart()), 1278 diag::warn_printf_asterisk_wrong_type) 1279 << k 1280 << ATR.getRepresentativeType(S.Context) << T 1281 << getFormatSpecifierRange(startSpecifier, specifierLen) 1282 << Arg->getSourceRange(); 1283 // Don't do any more checking. We will just emit 1284 // spurious errors. 1285 return false; 1286 } 1287 } 1288 } 1289 return true; 1290} 1291 1292bool 1293CheckPrintfHandler::HandleFormatSpecifier(const analyze_printf::FormatSpecifier 1294 &FS, 1295 const char *startSpecifier, 1296 unsigned specifierLen) { 1297 1298 using namespace analyze_printf; 1299 const ConversionSpecifier &CS = FS.getConversionSpecifier(); 1300 1301 if (atFirstArg) { 1302 atFirstArg = false; 1303 usesPositionalArgs = FS.usesPositionalArg(); 1304 } 1305 else if (usesPositionalArgs != FS.usesPositionalArg()) { 1306 // Cannot mix-and-match positional and non-positional arguments. 1307 S.Diag(getLocationOfByte(CS.getStart()), 1308 diag::warn_printf_mix_positional_nonpositional_args) 1309 << getFormatSpecifierRange(startSpecifier, specifierLen); 1310 return false; 1311 } 1312 1313 // First check if the field width, precision, and conversion specifier 1314 // have matching data arguments. 1315 if (!HandleAmount(FS.getFieldWidth(), /* field width */ 0, 1316 startSpecifier, specifierLen)) { 1317 return false; 1318 } 1319 1320 if (!HandleAmount(FS.getPrecision(), /* precision */ 1, 1321 startSpecifier, specifierLen)) { 1322 return false; 1323 } 1324 1325 if (!CS.consumesDataArgument()) { 1326 // FIXME: Technically specifying a precision or field width here 1327 // makes no sense. Worth issuing a warning at some point. 1328 return true; 1329 } 1330 1331 // Consume the argument. 1332 unsigned argIndex = FS.getArgIndex(); 1333 if (argIndex < NumDataArgs) { 1334 // The check to see if the argIndex is valid will come later. 1335 // We set the bit here because we may exit early from this 1336 // function if we encounter some other error. 1337 CoveredArgs.set(argIndex); 1338 } 1339 1340 // Check for using an Objective-C specific conversion specifier 1341 // in a non-ObjC literal. 1342 if (!IsObjCLiteral && CS.isObjCArg()) { 1343 return HandleInvalidConversionSpecifier(FS, startSpecifier, specifierLen); 1344 } 1345 1346 // Are we using '%n'? Issue a warning about this being 1347 // a possible security issue. 1348 if (CS.getKind() == ConversionSpecifier::OutIntPtrArg) { 1349 S.Diag(getLocationOfByte(CS.getStart()), diag::warn_printf_write_back) 1350 << getFormatSpecifierRange(startSpecifier, specifierLen); 1351 // Continue checking the other format specifiers. 1352 return true; 1353 } 1354 1355 if (CS.getKind() == ConversionSpecifier::VoidPtrArg) { 1356 if (FS.getPrecision().getHowSpecified() != OptionalAmount::NotSpecified) 1357 S.Diag(getLocationOfByte(CS.getStart()), 1358 diag::warn_printf_nonsensical_precision) 1359 << CS.getCharacters() 1360 << getFormatSpecifierRange(startSpecifier, specifierLen); 1361 } 1362 if (CS.getKind() == ConversionSpecifier::VoidPtrArg || 1363 CS.getKind() == ConversionSpecifier::CStrArg) { 1364 // FIXME: Instead of using "0", "+", etc., eventually get them from 1365 // the FormatSpecifier. 1366 if (FS.hasLeadingZeros()) 1367 HandleFlags(FS, "0", CS.getCharacters(), startSpecifier, specifierLen); 1368 if (FS.hasPlusPrefix()) 1369 HandleFlags(FS, "+", CS.getCharacters(), startSpecifier, specifierLen); 1370 if (FS.hasSpacePrefix()) 1371 HandleFlags(FS, " ", CS.getCharacters(), startSpecifier, specifierLen); 1372 } 1373 1374 // The remaining checks depend on the data arguments. 1375 if (HasVAListArg) 1376 return true; 1377 1378 if (argIndex >= NumDataArgs) { 1379 if (FS.usesPositionalArg()) { 1380 S.Diag(getLocationOfByte(CS.getStart()), 1381 diag::warn_printf_positional_arg_exceeds_data_args) 1382 << (argIndex+1) << NumDataArgs 1383 << getFormatSpecifierRange(startSpecifier, specifierLen); 1384 } 1385 else { 1386 S.Diag(getLocationOfByte(CS.getStart()), 1387 diag::warn_printf_insufficient_data_args) 1388 << getFormatSpecifierRange(startSpecifier, specifierLen); 1389 } 1390 1391 // Don't do any more checking. 1392 return false; 1393 } 1394 1395 // Now type check the data expression that matches the 1396 // format specifier. 1397 const Expr *Ex = getDataArg(argIndex); 1398 const analyze_printf::ArgTypeResult &ATR = FS.getArgType(S.Context); 1399 if (ATR.isValid() && !ATR.matchesType(S.Context, Ex->getType())) { 1400 // Check if we didn't match because of an implicit cast from a 'char' 1401 // or 'short' to an 'int'. This is done because printf is a varargs 1402 // function. 1403 if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Ex)) 1404 if (ICE->getType() == S.Context.IntTy) 1405 if (ATR.matchesType(S.Context, ICE->getSubExpr()->getType())) 1406 return true; 1407 1408 // We may be able to offer a FixItHint if it is a supported type. 1409 FormatSpecifier fixedFS = FS; 1410 bool success = fixedFS.fixType(Ex->getType()); 1411 1412 if (success) { 1413 // Get the fix string from the fixed format specifier 1414 llvm::SmallString<128> buf; 1415 llvm::raw_svector_ostream os(buf); 1416 fixedFS.toString(os); 1417 1418 S.Diag(getLocationOfByte(CS.getStart()), 1419 diag::warn_printf_conversion_argument_type_mismatch) 1420 << ATR.getRepresentativeType(S.Context) << Ex->getType() 1421 << getFormatSpecifierRange(startSpecifier, specifierLen) 1422 << Ex->getSourceRange() 1423 << FixItHint::CreateReplacement( 1424 getFormatSpecifierRange(startSpecifier, specifierLen), 1425 os.str()); 1426 } 1427 else { 1428 S.Diag(getLocationOfByte(CS.getStart()), 1429 diag::warn_printf_conversion_argument_type_mismatch) 1430 << ATR.getRepresentativeType(S.Context) << Ex->getType() 1431 << getFormatSpecifierRange(startSpecifier, specifierLen) 1432 << Ex->getSourceRange(); 1433 } 1434 } 1435 1436 return true; 1437} 1438 1439void CheckPrintfHandler::DoneProcessing() { 1440 // Does the number of data arguments exceed the number of 1441 // format conversions in the format string? 1442 if (!HasVAListArg) { 1443 // Find any arguments that weren't covered. 1444 CoveredArgs.flip(); 1445 signed notCoveredArg = CoveredArgs.find_first(); 1446 if (notCoveredArg >= 0) { 1447 assert((unsigned)notCoveredArg < NumDataArgs); 1448 S.Diag(getDataArg((unsigned) notCoveredArg)->getLocStart(), 1449 diag::warn_printf_data_arg_not_used) 1450 << getFormatStringRange(); 1451 } 1452 } 1453} 1454 1455void Sema::CheckPrintfString(const StringLiteral *FExpr, 1456 const Expr *OrigFormatExpr, 1457 const CallExpr *TheCall, bool HasVAListArg, 1458 unsigned format_idx, unsigned firstDataArg) { 1459 1460 // CHECK: is the format string a wide literal? 1461 if (FExpr->isWide()) { 1462 Diag(FExpr->getLocStart(), 1463 diag::warn_printf_format_string_is_wide_literal) 1464 << OrigFormatExpr->getSourceRange(); 1465 return; 1466 } 1467 1468 // Str - The format string. NOTE: this is NOT null-terminated! 1469 const char *Str = FExpr->getStrData(); 1470 1471 // CHECK: empty format string? 1472 unsigned StrLen = FExpr->getByteLength(); 1473 1474 if (StrLen == 0) { 1475 Diag(FExpr->getLocStart(), diag::warn_printf_empty_format_string) 1476 << OrigFormatExpr->getSourceRange(); 1477 return; 1478 } 1479 1480 CheckPrintfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, 1481 TheCall->getNumArgs() - firstDataArg, 1482 isa<ObjCStringLiteral>(OrigFormatExpr), Str, 1483 HasVAListArg, TheCall, format_idx); 1484 1485 if (!analyze_printf::ParseFormatString(H, Str, Str + StrLen)) 1486 H.DoneProcessing(); 1487} 1488 1489//===--- CHECK: Return Address of Stack Variable --------------------------===// 1490 1491static DeclRefExpr* EvalVal(Expr *E); 1492static DeclRefExpr* EvalAddr(Expr* E); 1493 1494/// CheckReturnStackAddr - Check if a return statement returns the address 1495/// of a stack variable. 1496void 1497Sema::CheckReturnStackAddr(Expr *RetValExp, QualType lhsType, 1498 SourceLocation ReturnLoc) { 1499 1500 // Perform checking for returned stack addresses. 1501 if (lhsType->isPointerType() || lhsType->isBlockPointerType()) { 1502 if (DeclRefExpr *DR = EvalAddr(RetValExp)) 1503 Diag(DR->getLocStart(), diag::warn_ret_stack_addr) 1504 << DR->getDecl()->getDeclName() << RetValExp->getSourceRange(); 1505 1506 // Skip over implicit cast expressions when checking for block expressions. 1507 RetValExp = RetValExp->IgnoreParenCasts(); 1508 1509 if (BlockExpr *C = dyn_cast<BlockExpr>(RetValExp)) 1510 if (C->hasBlockDeclRefExprs()) 1511 Diag(C->getLocStart(), diag::err_ret_local_block) 1512 << C->getSourceRange(); 1513 1514 if (AddrLabelExpr *ALE = dyn_cast<AddrLabelExpr>(RetValExp)) 1515 Diag(ALE->getLocStart(), diag::warn_ret_addr_label) 1516 << ALE->getSourceRange(); 1517 1518 } else if (lhsType->isReferenceType()) { 1519 // Perform checking for stack values returned by reference. 1520 // Check for a reference to the stack 1521 if (DeclRefExpr *DR = EvalVal(RetValExp)) 1522 Diag(DR->getLocStart(), diag::warn_ret_stack_ref) 1523 << DR->getDecl()->getDeclName() << RetValExp->getSourceRange(); 1524 } 1525} 1526 1527/// EvalAddr - EvalAddr and EvalVal are mutually recursive functions that 1528/// check if the expression in a return statement evaluates to an address 1529/// to a location on the stack. The recursion is used to traverse the 1530/// AST of the return expression, with recursion backtracking when we 1531/// encounter a subexpression that (1) clearly does not lead to the address 1532/// of a stack variable or (2) is something we cannot determine leads to 1533/// the address of a stack variable based on such local checking. 1534/// 1535/// EvalAddr processes expressions that are pointers that are used as 1536/// references (and not L-values). EvalVal handles all other values. 1537/// At the base case of the recursion is a check for a DeclRefExpr* in 1538/// the refers to a stack variable. 1539/// 1540/// This implementation handles: 1541/// 1542/// * pointer-to-pointer casts 1543/// * implicit conversions from array references to pointers 1544/// * taking the address of fields 1545/// * arbitrary interplay between "&" and "*" operators 1546/// * pointer arithmetic from an address of a stack variable 1547/// * taking the address of an array element where the array is on the stack 1548static DeclRefExpr* EvalAddr(Expr *E) { 1549 // We should only be called for evaluating pointer expressions. 1550 assert((E->getType()->isAnyPointerType() || 1551 E->getType()->isBlockPointerType() || 1552 E->getType()->isObjCQualifiedIdType()) && 1553 "EvalAddr only works on pointers"); 1554 1555 // Our "symbolic interpreter" is just a dispatch off the currently 1556 // viewed AST node. We then recursively traverse the AST by calling 1557 // EvalAddr and EvalVal appropriately. 1558 switch (E->getStmtClass()) { 1559 case Stmt::ParenExprClass: 1560 // Ignore parentheses. 1561 return EvalAddr(cast<ParenExpr>(E)->getSubExpr()); 1562 1563 case Stmt::UnaryOperatorClass: { 1564 // The only unary operator that make sense to handle here 1565 // is AddrOf. All others don't make sense as pointers. 1566 UnaryOperator *U = cast<UnaryOperator>(E); 1567 1568 if (U->getOpcode() == UnaryOperator::AddrOf) 1569 return EvalVal(U->getSubExpr()); 1570 else 1571 return NULL; 1572 } 1573 1574 case Stmt::BinaryOperatorClass: { 1575 // Handle pointer arithmetic. All other binary operators are not valid 1576 // in this context. 1577 BinaryOperator *B = cast<BinaryOperator>(E); 1578 BinaryOperator::Opcode op = B->getOpcode(); 1579 1580 if (op != BinaryOperator::Add && op != BinaryOperator::Sub) 1581 return NULL; 1582 1583 Expr *Base = B->getLHS(); 1584 1585 // Determine which argument is the real pointer base. It could be 1586 // the RHS argument instead of the LHS. 1587 if (!Base->getType()->isPointerType()) Base = B->getRHS(); 1588 1589 assert (Base->getType()->isPointerType()); 1590 return EvalAddr(Base); 1591 } 1592 1593 // For conditional operators we need to see if either the LHS or RHS are 1594 // valid DeclRefExpr*s. If one of them is valid, we return it. 1595 case Stmt::ConditionalOperatorClass: { 1596 ConditionalOperator *C = cast<ConditionalOperator>(E); 1597 1598 // Handle the GNU extension for missing LHS. 1599 if (Expr *lhsExpr = C->getLHS()) 1600 if (DeclRefExpr* LHS = EvalAddr(lhsExpr)) 1601 return LHS; 1602 1603 return EvalAddr(C->getRHS()); 1604 } 1605 1606 // For casts, we need to handle conversions from arrays to 1607 // pointer values, and pointer-to-pointer conversions. 1608 case Stmt::ImplicitCastExprClass: 1609 case Stmt::CStyleCastExprClass: 1610 case Stmt::CXXFunctionalCastExprClass: { 1611 Expr* SubExpr = cast<CastExpr>(E)->getSubExpr(); 1612 QualType T = SubExpr->getType(); 1613 1614 if (SubExpr->getType()->isPointerType() || 1615 SubExpr->getType()->isBlockPointerType() || 1616 SubExpr->getType()->isObjCQualifiedIdType()) 1617 return EvalAddr(SubExpr); 1618 else if (T->isArrayType()) 1619 return EvalVal(SubExpr); 1620 else 1621 return 0; 1622 } 1623 1624 // C++ casts. For dynamic casts, static casts, and const casts, we 1625 // are always converting from a pointer-to-pointer, so we just blow 1626 // through the cast. In the case the dynamic cast doesn't fail (and 1627 // return NULL), we take the conservative route and report cases 1628 // where we return the address of a stack variable. For Reinterpre 1629 // FIXME: The comment about is wrong; we're not always converting 1630 // from pointer to pointer. I'm guessing that this code should also 1631 // handle references to objects. 1632 case Stmt::CXXStaticCastExprClass: 1633 case Stmt::CXXDynamicCastExprClass: 1634 case Stmt::CXXConstCastExprClass: 1635 case Stmt::CXXReinterpretCastExprClass: { 1636 Expr *S = cast<CXXNamedCastExpr>(E)->getSubExpr(); 1637 if (S->getType()->isPointerType() || S->getType()->isBlockPointerType()) 1638 return EvalAddr(S); 1639 else 1640 return NULL; 1641 } 1642 1643 // Everything else: we simply don't reason about them. 1644 default: 1645 return NULL; 1646 } 1647} 1648 1649 1650/// EvalVal - This function is complements EvalAddr in the mutual recursion. 1651/// See the comments for EvalAddr for more details. 1652static DeclRefExpr* EvalVal(Expr *E) { 1653 1654 // We should only be called for evaluating non-pointer expressions, or 1655 // expressions with a pointer type that are not used as references but instead 1656 // are l-values (e.g., DeclRefExpr with a pointer type). 1657 1658 // Our "symbolic interpreter" is just a dispatch off the currently 1659 // viewed AST node. We then recursively traverse the AST by calling 1660 // EvalAddr and EvalVal appropriately. 1661 switch (E->getStmtClass()) { 1662 case Stmt::DeclRefExprClass: { 1663 // DeclRefExpr: the base case. When we hit a DeclRefExpr we are looking 1664 // at code that refers to a variable's name. We check if it has local 1665 // storage within the function, and if so, return the expression. 1666 DeclRefExpr *DR = cast<DeclRefExpr>(E); 1667 1668 if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) 1669 if (V->hasLocalStorage() && !V->getType()->isReferenceType()) return DR; 1670 1671 return NULL; 1672 } 1673 1674 case Stmt::ParenExprClass: 1675 // Ignore parentheses. 1676 return EvalVal(cast<ParenExpr>(E)->getSubExpr()); 1677 1678 case Stmt::UnaryOperatorClass: { 1679 // The only unary operator that make sense to handle here 1680 // is Deref. All others don't resolve to a "name." This includes 1681 // handling all sorts of rvalues passed to a unary operator. 1682 UnaryOperator *U = cast<UnaryOperator>(E); 1683 1684 if (U->getOpcode() == UnaryOperator::Deref) 1685 return EvalAddr(U->getSubExpr()); 1686 1687 return NULL; 1688 } 1689 1690 case Stmt::ArraySubscriptExprClass: { 1691 // Array subscripts are potential references to data on the stack. We 1692 // retrieve the DeclRefExpr* for the array variable if it indeed 1693 // has local storage. 1694 return EvalAddr(cast<ArraySubscriptExpr>(E)->getBase()); 1695 } 1696 1697 case Stmt::ConditionalOperatorClass: { 1698 // For conditional operators we need to see if either the LHS or RHS are 1699 // non-NULL DeclRefExpr's. If one is non-NULL, we return it. 1700 ConditionalOperator *C = cast<ConditionalOperator>(E); 1701 1702 // Handle the GNU extension for missing LHS. 1703 if (Expr *lhsExpr = C->getLHS()) 1704 if (DeclRefExpr *LHS = EvalVal(lhsExpr)) 1705 return LHS; 1706 1707 return EvalVal(C->getRHS()); 1708 } 1709 1710 // Accesses to members are potential references to data on the stack. 1711 case Stmt::MemberExprClass: { 1712 MemberExpr *M = cast<MemberExpr>(E); 1713 1714 // Check for indirect access. We only want direct field accesses. 1715 if (!M->isArrow()) 1716 return EvalVal(M->getBase()); 1717 else 1718 return NULL; 1719 } 1720 1721 // Everything else: we simply don't reason about them. 1722 default: 1723 return NULL; 1724 } 1725} 1726 1727//===--- CHECK: Floating-Point comparisons (-Wfloat-equal) ---------------===// 1728 1729/// Check for comparisons of floating point operands using != and ==. 1730/// Issue a warning if these are no self-comparisons, as they are not likely 1731/// to do what the programmer intended. 1732void Sema::CheckFloatComparison(SourceLocation loc, Expr* lex, Expr *rex) { 1733 bool EmitWarning = true; 1734 1735 Expr* LeftExprSansParen = lex->IgnoreParens(); 1736 Expr* RightExprSansParen = rex->IgnoreParens(); 1737 1738 // Special case: check for x == x (which is OK). 1739 // Do not emit warnings for such cases. 1740 if (DeclRefExpr* DRL = dyn_cast<DeclRefExpr>(LeftExprSansParen)) 1741 if (DeclRefExpr* DRR = dyn_cast<DeclRefExpr>(RightExprSansParen)) 1742 if (DRL->getDecl() == DRR->getDecl()) 1743 EmitWarning = false; 1744 1745 1746 // Special case: check for comparisons against literals that can be exactly 1747 // represented by APFloat. In such cases, do not emit a warning. This 1748 // is a heuristic: often comparison against such literals are used to 1749 // detect if a value in a variable has not changed. This clearly can 1750 // lead to false negatives. 1751 if (EmitWarning) { 1752 if (FloatingLiteral* FLL = dyn_cast<FloatingLiteral>(LeftExprSansParen)) { 1753 if (FLL->isExact()) 1754 EmitWarning = false; 1755 } else 1756 if (FloatingLiteral* FLR = dyn_cast<FloatingLiteral>(RightExprSansParen)){ 1757 if (FLR->isExact()) 1758 EmitWarning = false; 1759 } 1760 } 1761 1762 // Check for comparisons with builtin types. 1763 if (EmitWarning) 1764 if (CallExpr* CL = dyn_cast<CallExpr>(LeftExprSansParen)) 1765 if (CL->isBuiltinCall(Context)) 1766 EmitWarning = false; 1767 1768 if (EmitWarning) 1769 if (CallExpr* CR = dyn_cast<CallExpr>(RightExprSansParen)) 1770 if (CR->isBuiltinCall(Context)) 1771 EmitWarning = false; 1772 1773 // Emit the diagnostic. 1774 if (EmitWarning) 1775 Diag(loc, diag::warn_floatingpoint_eq) 1776 << lex->getSourceRange() << rex->getSourceRange(); 1777} 1778 1779//===--- CHECK: Integer mixed-sign comparisons (-Wsign-compare) --------===// 1780//===--- CHECK: Lossy implicit conversions (-Wconversion) --------------===// 1781 1782namespace { 1783 1784/// Structure recording the 'active' range of an integer-valued 1785/// expression. 1786struct IntRange { 1787 /// The number of bits active in the int. 1788 unsigned Width; 1789 1790 /// True if the int is known not to have negative values. 1791 bool NonNegative; 1792 1793 IntRange() {} 1794 IntRange(unsigned Width, bool NonNegative) 1795 : Width(Width), NonNegative(NonNegative) 1796 {} 1797 1798 // Returns the range of the bool type. 1799 static IntRange forBoolType() { 1800 return IntRange(1, true); 1801 } 1802 1803 // Returns the range of an integral type. 1804 static IntRange forType(ASTContext &C, QualType T) { 1805 return forCanonicalType(C, T->getCanonicalTypeInternal().getTypePtr()); 1806 } 1807 1808 // Returns the range of an integeral type based on its canonical 1809 // representation. 1810 static IntRange forCanonicalType(ASTContext &C, const Type *T) { 1811 assert(T->isCanonicalUnqualified()); 1812 1813 if (const VectorType *VT = dyn_cast<VectorType>(T)) 1814 T = VT->getElementType().getTypePtr(); 1815 if (const ComplexType *CT = dyn_cast<ComplexType>(T)) 1816 T = CT->getElementType().getTypePtr(); 1817 1818 if (const EnumType *ET = dyn_cast<EnumType>(T)) { 1819 EnumDecl *Enum = ET->getDecl(); 1820 unsigned NumPositive = Enum->getNumPositiveBits(); 1821 unsigned NumNegative = Enum->getNumNegativeBits(); 1822 1823 return IntRange(std::max(NumPositive, NumNegative), NumNegative == 0); 1824 } 1825 1826 const BuiltinType *BT = cast<BuiltinType>(T); 1827 assert(BT->isInteger()); 1828 1829 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); 1830 } 1831 1832 // Returns the supremum of two ranges: i.e. their conservative merge. 1833 static IntRange join(IntRange L, IntRange R) { 1834 return IntRange(std::max(L.Width, R.Width), 1835 L.NonNegative && R.NonNegative); 1836 } 1837 1838 // Returns the infinum of two ranges: i.e. their aggressive merge. 1839 static IntRange meet(IntRange L, IntRange R) { 1840 return IntRange(std::min(L.Width, R.Width), 1841 L.NonNegative || R.NonNegative); 1842 } 1843}; 1844 1845IntRange GetValueRange(ASTContext &C, llvm::APSInt &value, unsigned MaxWidth) { 1846 if (value.isSigned() && value.isNegative()) 1847 return IntRange(value.getMinSignedBits(), false); 1848 1849 if (value.getBitWidth() > MaxWidth) 1850 value.trunc(MaxWidth); 1851 1852 // isNonNegative() just checks the sign bit without considering 1853 // signedness. 1854 return IntRange(value.getActiveBits(), true); 1855} 1856 1857IntRange GetValueRange(ASTContext &C, APValue &result, QualType Ty, 1858 unsigned MaxWidth) { 1859 if (result.isInt()) 1860 return GetValueRange(C, result.getInt(), MaxWidth); 1861 1862 if (result.isVector()) { 1863 IntRange R = GetValueRange(C, result.getVectorElt(0), Ty, MaxWidth); 1864 for (unsigned i = 1, e = result.getVectorLength(); i != e; ++i) { 1865 IntRange El = GetValueRange(C, result.getVectorElt(i), Ty, MaxWidth); 1866 R = IntRange::join(R, El); 1867 } 1868 return R; 1869 } 1870 1871 if (result.isComplexInt()) { 1872 IntRange R = GetValueRange(C, result.getComplexIntReal(), MaxWidth); 1873 IntRange I = GetValueRange(C, result.getComplexIntImag(), MaxWidth); 1874 return IntRange::join(R, I); 1875 } 1876 1877 // This can happen with lossless casts to intptr_t of "based" lvalues. 1878 // Assume it might use arbitrary bits. 1879 // FIXME: The only reason we need to pass the type in here is to get 1880 // the sign right on this one case. It would be nice if APValue 1881 // preserved this. 1882 assert(result.isLValue()); 1883 return IntRange(MaxWidth, Ty->isUnsignedIntegerType()); 1884} 1885 1886/// Pseudo-evaluate the given integer expression, estimating the 1887/// range of values it might take. 1888/// 1889/// \param MaxWidth - the width to which the value will be truncated 1890IntRange GetExprRange(ASTContext &C, Expr *E, unsigned MaxWidth) { 1891 E = E->IgnoreParens(); 1892 1893 // Try a full evaluation first. 1894 Expr::EvalResult result; 1895 if (E->Evaluate(result, C)) 1896 return GetValueRange(C, result.Val, E->getType(), MaxWidth); 1897 1898 // I think we only want to look through implicit casts here; if the 1899 // user has an explicit widening cast, we should treat the value as 1900 // being of the new, wider type. 1901 if (ImplicitCastExpr *CE = dyn_cast<ImplicitCastExpr>(E)) { 1902 if (CE->getCastKind() == CastExpr::CK_NoOp) 1903 return GetExprRange(C, CE->getSubExpr(), MaxWidth); 1904 1905 IntRange OutputTypeRange = IntRange::forType(C, CE->getType()); 1906 1907 bool isIntegerCast = (CE->getCastKind() == CastExpr::CK_IntegralCast); 1908 if (!isIntegerCast && CE->getCastKind() == CastExpr::CK_Unknown) 1909 isIntegerCast = CE->getSubExpr()->getType()->isIntegerType(); 1910 1911 // Assume that non-integer casts can span the full range of the type. 1912 if (!isIntegerCast) 1913 return OutputTypeRange; 1914 1915 IntRange SubRange 1916 = GetExprRange(C, CE->getSubExpr(), 1917 std::min(MaxWidth, OutputTypeRange.Width)); 1918 1919 // Bail out if the subexpr's range is as wide as the cast type. 1920 if (SubRange.Width >= OutputTypeRange.Width) 1921 return OutputTypeRange; 1922 1923 // Otherwise, we take the smaller width, and we're non-negative if 1924 // either the output type or the subexpr is. 1925 return IntRange(SubRange.Width, 1926 SubRange.NonNegative || OutputTypeRange.NonNegative); 1927 } 1928 1929 if (ConditionalOperator *CO = dyn_cast<ConditionalOperator>(E)) { 1930 // If we can fold the condition, just take that operand. 1931 bool CondResult; 1932 if (CO->getCond()->EvaluateAsBooleanCondition(CondResult, C)) 1933 return GetExprRange(C, CondResult ? CO->getTrueExpr() 1934 : CO->getFalseExpr(), 1935 MaxWidth); 1936 1937 // Otherwise, conservatively merge. 1938 IntRange L = GetExprRange(C, CO->getTrueExpr(), MaxWidth); 1939 IntRange R = GetExprRange(C, CO->getFalseExpr(), MaxWidth); 1940 return IntRange::join(L, R); 1941 } 1942 1943 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 1944 switch (BO->getOpcode()) { 1945 1946 // Boolean-valued operations are single-bit and positive. 1947 case BinaryOperator::LAnd: 1948 case BinaryOperator::LOr: 1949 case BinaryOperator::LT: 1950 case BinaryOperator::GT: 1951 case BinaryOperator::LE: 1952 case BinaryOperator::GE: 1953 case BinaryOperator::EQ: 1954 case BinaryOperator::NE: 1955 return IntRange::forBoolType(); 1956 1957 // The type of these compound assignments is the type of the LHS, 1958 // so the RHS is not necessarily an integer. 1959 case BinaryOperator::MulAssign: 1960 case BinaryOperator::DivAssign: 1961 case BinaryOperator::RemAssign: 1962 case BinaryOperator::AddAssign: 1963 case BinaryOperator::SubAssign: 1964 return IntRange::forType(C, E->getType()); 1965 1966 // Operations with opaque sources are black-listed. 1967 case BinaryOperator::PtrMemD: 1968 case BinaryOperator::PtrMemI: 1969 return IntRange::forType(C, E->getType()); 1970 1971 // Bitwise-and uses the *infinum* of the two source ranges. 1972 case BinaryOperator::And: 1973 case BinaryOperator::AndAssign: 1974 return IntRange::meet(GetExprRange(C, BO->getLHS(), MaxWidth), 1975 GetExprRange(C, BO->getRHS(), MaxWidth)); 1976 1977 // Left shift gets black-listed based on a judgement call. 1978 case BinaryOperator::Shl: 1979 // ...except that we want to treat '1 << (blah)' as logically 1980 // positive. It's an important idiom. 1981 if (IntegerLiteral *I 1982 = dyn_cast<IntegerLiteral>(BO->getLHS()->IgnoreParenCasts())) { 1983 if (I->getValue() == 1) { 1984 IntRange R = IntRange::forType(C, E->getType()); 1985 return IntRange(R.Width, /*NonNegative*/ true); 1986 } 1987 } 1988 // fallthrough 1989 1990 case BinaryOperator::ShlAssign: 1991 return IntRange::forType(C, E->getType()); 1992 1993 // Right shift by a constant can narrow its left argument. 1994 case BinaryOperator::Shr: 1995 case BinaryOperator::ShrAssign: { 1996 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 1997 1998 // If the shift amount is a positive constant, drop the width by 1999 // that much. 2000 llvm::APSInt shift; 2001 if (BO->getRHS()->isIntegerConstantExpr(shift, C) && 2002 shift.isNonNegative()) { 2003 unsigned zext = shift.getZExtValue(); 2004 if (zext >= L.Width) 2005 L.Width = (L.NonNegative ? 0 : 1); 2006 else 2007 L.Width -= zext; 2008 } 2009 2010 return L; 2011 } 2012 2013 // Comma acts as its right operand. 2014 case BinaryOperator::Comma: 2015 return GetExprRange(C, BO->getRHS(), MaxWidth); 2016 2017 // Black-list pointer subtractions. 2018 case BinaryOperator::Sub: 2019 if (BO->getLHS()->getType()->isPointerType()) 2020 return IntRange::forType(C, E->getType()); 2021 // fallthrough 2022 2023 default: 2024 break; 2025 } 2026 2027 // Treat every other operator as if it were closed on the 2028 // narrowest type that encompasses both operands. 2029 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 2030 IntRange R = GetExprRange(C, BO->getRHS(), MaxWidth); 2031 return IntRange::join(L, R); 2032 } 2033 2034 if (UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) { 2035 switch (UO->getOpcode()) { 2036 // Boolean-valued operations are white-listed. 2037 case UnaryOperator::LNot: 2038 return IntRange::forBoolType(); 2039 2040 // Operations with opaque sources are black-listed. 2041 case UnaryOperator::Deref: 2042 case UnaryOperator::AddrOf: // should be impossible 2043 case UnaryOperator::OffsetOf: 2044 return IntRange::forType(C, E->getType()); 2045 2046 default: 2047 return GetExprRange(C, UO->getSubExpr(), MaxWidth); 2048 } 2049 } 2050 2051 if (dyn_cast<OffsetOfExpr>(E)) { 2052 IntRange::forType(C, E->getType()); 2053 } 2054 2055 FieldDecl *BitField = E->getBitField(); 2056 if (BitField) { 2057 llvm::APSInt BitWidthAP = BitField->getBitWidth()->EvaluateAsInt(C); 2058 unsigned BitWidth = BitWidthAP.getZExtValue(); 2059 2060 return IntRange(BitWidth, BitField->getType()->isUnsignedIntegerType()); 2061 } 2062 2063 return IntRange::forType(C, E->getType()); 2064} 2065 2066IntRange GetExprRange(ASTContext &C, Expr *E) { 2067 return GetExprRange(C, E, C.getIntWidth(E->getType())); 2068} 2069 2070/// Checks whether the given value, which currently has the given 2071/// source semantics, has the same value when coerced through the 2072/// target semantics. 2073bool IsSameFloatAfterCast(const llvm::APFloat &value, 2074 const llvm::fltSemantics &Src, 2075 const llvm::fltSemantics &Tgt) { 2076 llvm::APFloat truncated = value; 2077 2078 bool ignored; 2079 truncated.convert(Src, llvm::APFloat::rmNearestTiesToEven, &ignored); 2080 truncated.convert(Tgt, llvm::APFloat::rmNearestTiesToEven, &ignored); 2081 2082 return truncated.bitwiseIsEqual(value); 2083} 2084 2085/// Checks whether the given value, which currently has the given 2086/// source semantics, has the same value when coerced through the 2087/// target semantics. 2088/// 2089/// The value might be a vector of floats (or a complex number). 2090bool IsSameFloatAfterCast(const APValue &value, 2091 const llvm::fltSemantics &Src, 2092 const llvm::fltSemantics &Tgt) { 2093 if (value.isFloat()) 2094 return IsSameFloatAfterCast(value.getFloat(), Src, Tgt); 2095 2096 if (value.isVector()) { 2097 for (unsigned i = 0, e = value.getVectorLength(); i != e; ++i) 2098 if (!IsSameFloatAfterCast(value.getVectorElt(i), Src, Tgt)) 2099 return false; 2100 return true; 2101 } 2102 2103 assert(value.isComplexFloat()); 2104 return (IsSameFloatAfterCast(value.getComplexFloatReal(), Src, Tgt) && 2105 IsSameFloatAfterCast(value.getComplexFloatImag(), Src, Tgt)); 2106} 2107 2108void AnalyzeImplicitConversions(Sema &S, Expr *E); 2109 2110bool IsZero(Sema &S, Expr *E) { 2111 llvm::APSInt Value; 2112 return E->isIntegerConstantExpr(Value, S.Context) && Value == 0; 2113} 2114 2115void CheckTrivialUnsignedComparison(Sema &S, BinaryOperator *E) { 2116 BinaryOperator::Opcode op = E->getOpcode(); 2117 if (op == BinaryOperator::LT && IsZero(S, E->getRHS())) { 2118 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 2119 << "< 0" << "false" 2120 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 2121 } else if (op == BinaryOperator::GE && IsZero(S, E->getRHS())) { 2122 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 2123 << ">= 0" << "true" 2124 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 2125 } else if (op == BinaryOperator::GT && IsZero(S, E->getLHS())) { 2126 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 2127 << "0 >" << "false" 2128 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 2129 } else if (op == BinaryOperator::LE && IsZero(S, E->getLHS())) { 2130 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 2131 << "0 <=" << "true" 2132 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 2133 } 2134} 2135 2136/// Analyze the operands of the given comparison. Implements the 2137/// fallback case from AnalyzeComparison. 2138void AnalyzeImpConvsInComparison(Sema &S, BinaryOperator *E) { 2139 AnalyzeImplicitConversions(S, E->getLHS()); 2140 AnalyzeImplicitConversions(S, E->getRHS()); 2141} 2142 2143/// \brief Implements -Wsign-compare. 2144/// 2145/// \param lex the left-hand expression 2146/// \param rex the right-hand expression 2147/// \param OpLoc the location of the joining operator 2148/// \param BinOpc binary opcode or 0 2149void AnalyzeComparison(Sema &S, BinaryOperator *E) { 2150 // The type the comparison is being performed in. 2151 QualType T = E->getLHS()->getType(); 2152 assert(S.Context.hasSameUnqualifiedType(T, E->getRHS()->getType()) 2153 && "comparison with mismatched types"); 2154 2155 // We don't do anything special if this isn't an unsigned integral 2156 // comparison: we're only interested in integral comparisons, and 2157 // signed comparisons only happen in cases we don't care to warn about. 2158 if (!T->isUnsignedIntegerType()) 2159 return AnalyzeImpConvsInComparison(S, E); 2160 2161 Expr *lex = E->getLHS()->IgnoreParenImpCasts(); 2162 Expr *rex = E->getRHS()->IgnoreParenImpCasts(); 2163 2164 // Check to see if one of the (unmodified) operands is of different 2165 // signedness. 2166 Expr *signedOperand, *unsignedOperand; 2167 if (lex->getType()->isSignedIntegerType()) { 2168 assert(!rex->getType()->isSignedIntegerType() && 2169 "unsigned comparison between two signed integer expressions?"); 2170 signedOperand = lex; 2171 unsignedOperand = rex; 2172 } else if (rex->getType()->isSignedIntegerType()) { 2173 signedOperand = rex; 2174 unsignedOperand = lex; 2175 } else { 2176 CheckTrivialUnsignedComparison(S, E); 2177 return AnalyzeImpConvsInComparison(S, E); 2178 } 2179 2180 // Otherwise, calculate the effective range of the signed operand. 2181 IntRange signedRange = GetExprRange(S.Context, signedOperand); 2182 2183 // Go ahead and analyze implicit conversions in the operands. Note 2184 // that we skip the implicit conversions on both sides. 2185 AnalyzeImplicitConversions(S, lex); 2186 AnalyzeImplicitConversions(S, rex); 2187 2188 // If the signed range is non-negative, -Wsign-compare won't fire, 2189 // but we should still check for comparisons which are always true 2190 // or false. 2191 if (signedRange.NonNegative) 2192 return CheckTrivialUnsignedComparison(S, E); 2193 2194 // For (in)equality comparisons, if the unsigned operand is a 2195 // constant which cannot collide with a overflowed signed operand, 2196 // then reinterpreting the signed operand as unsigned will not 2197 // change the result of the comparison. 2198 if (E->isEqualityOp()) { 2199 unsigned comparisonWidth = S.Context.getIntWidth(T); 2200 IntRange unsignedRange = GetExprRange(S.Context, unsignedOperand); 2201 2202 // We should never be unable to prove that the unsigned operand is 2203 // non-negative. 2204 assert(unsignedRange.NonNegative && "unsigned range includes negative?"); 2205 2206 if (unsignedRange.Width < comparisonWidth) 2207 return; 2208 } 2209 2210 S.Diag(E->getOperatorLoc(), diag::warn_mixed_sign_comparison) 2211 << lex->getType() << rex->getType() 2212 << lex->getSourceRange() << rex->getSourceRange(); 2213} 2214 2215/// Diagnose an implicit cast; purely a helper for CheckImplicitConversion. 2216void DiagnoseImpCast(Sema &S, Expr *E, QualType T, unsigned diag) { 2217 S.Diag(E->getExprLoc(), diag) << E->getType() << T << E->getSourceRange(); 2218} 2219 2220void CheckImplicitConversion(Sema &S, Expr *E, QualType T, 2221 bool *ICContext = 0) { 2222 if (E->isTypeDependent() || E->isValueDependent()) return; 2223 2224 const Type *Source = S.Context.getCanonicalType(E->getType()).getTypePtr(); 2225 const Type *Target = S.Context.getCanonicalType(T).getTypePtr(); 2226 if (Source == Target) return; 2227 if (Target->isDependentType()) return; 2228 2229 // Never diagnose implicit casts to bool. 2230 if (Target->isSpecificBuiltinType(BuiltinType::Bool)) 2231 return; 2232 2233 // Strip vector types. 2234 if (isa<VectorType>(Source)) { 2235 if (!isa<VectorType>(Target)) 2236 return DiagnoseImpCast(S, E, T, diag::warn_impcast_vector_scalar); 2237 2238 Source = cast<VectorType>(Source)->getElementType().getTypePtr(); 2239 Target = cast<VectorType>(Target)->getElementType().getTypePtr(); 2240 } 2241 2242 // Strip complex types. 2243 if (isa<ComplexType>(Source)) { 2244 if (!isa<ComplexType>(Target)) 2245 return DiagnoseImpCast(S, E, T, diag::warn_impcast_complex_scalar); 2246 2247 Source = cast<ComplexType>(Source)->getElementType().getTypePtr(); 2248 Target = cast<ComplexType>(Target)->getElementType().getTypePtr(); 2249 } 2250 2251 const BuiltinType *SourceBT = dyn_cast<BuiltinType>(Source); 2252 const BuiltinType *TargetBT = dyn_cast<BuiltinType>(Target); 2253 2254 // If the source is floating point... 2255 if (SourceBT && SourceBT->isFloatingPoint()) { 2256 // ...and the target is floating point... 2257 if (TargetBT && TargetBT->isFloatingPoint()) { 2258 // ...then warn if we're dropping FP rank. 2259 2260 // Builtin FP kinds are ordered by increasing FP rank. 2261 if (SourceBT->getKind() > TargetBT->getKind()) { 2262 // Don't warn about float constants that are precisely 2263 // representable in the target type. 2264 Expr::EvalResult result; 2265 if (E->Evaluate(result, S.Context)) { 2266 // Value might be a float, a float vector, or a float complex. 2267 if (IsSameFloatAfterCast(result.Val, 2268 S.Context.getFloatTypeSemantics(QualType(TargetBT, 0)), 2269 S.Context.getFloatTypeSemantics(QualType(SourceBT, 0)))) 2270 return; 2271 } 2272 2273 DiagnoseImpCast(S, E, T, diag::warn_impcast_float_precision); 2274 } 2275 return; 2276 } 2277 2278 // If the target is integral, always warn. 2279 if ((TargetBT && TargetBT->isInteger())) 2280 // TODO: don't warn for integer values? 2281 DiagnoseImpCast(S, E, T, diag::warn_impcast_float_integer); 2282 2283 return; 2284 } 2285 2286 if (!Source->isIntegerType() || !Target->isIntegerType()) 2287 return; 2288 2289 IntRange SourceRange = GetExprRange(S.Context, E); 2290 IntRange TargetRange = IntRange::forCanonicalType(S.Context, Target); 2291 2292 if (SourceRange.Width > TargetRange.Width) { 2293 // People want to build with -Wshorten-64-to-32 and not -Wconversion 2294 // and by god we'll let them. 2295 if (SourceRange.Width == 64 && TargetRange.Width == 32) 2296 return DiagnoseImpCast(S, E, T, diag::warn_impcast_integer_64_32); 2297 return DiagnoseImpCast(S, E, T, diag::warn_impcast_integer_precision); 2298 } 2299 2300 if ((TargetRange.NonNegative && !SourceRange.NonNegative) || 2301 (!TargetRange.NonNegative && SourceRange.NonNegative && 2302 SourceRange.Width == TargetRange.Width)) { 2303 unsigned DiagID = diag::warn_impcast_integer_sign; 2304 2305 // Traditionally, gcc has warned about this under -Wsign-compare. 2306 // We also want to warn about it in -Wconversion. 2307 // So if -Wconversion is off, use a completely identical diagnostic 2308 // in the sign-compare group. 2309 // The conditional-checking code will 2310 if (ICContext) { 2311 DiagID = diag::warn_impcast_integer_sign_conditional; 2312 *ICContext = true; 2313 } 2314 2315 return DiagnoseImpCast(S, E, T, DiagID); 2316 } 2317 2318 return; 2319} 2320 2321void CheckConditionalOperator(Sema &S, ConditionalOperator *E, QualType T); 2322 2323void CheckConditionalOperand(Sema &S, Expr *E, QualType T, 2324 bool &ICContext) { 2325 E = E->IgnoreParenImpCasts(); 2326 2327 if (isa<ConditionalOperator>(E)) 2328 return CheckConditionalOperator(S, cast<ConditionalOperator>(E), T); 2329 2330 AnalyzeImplicitConversions(S, E); 2331 if (E->getType() != T) 2332 return CheckImplicitConversion(S, E, T, &ICContext); 2333 return; 2334} 2335 2336void CheckConditionalOperator(Sema &S, ConditionalOperator *E, QualType T) { 2337 AnalyzeImplicitConversions(S, E->getCond()); 2338 2339 bool Suspicious = false; 2340 CheckConditionalOperand(S, E->getTrueExpr(), T, Suspicious); 2341 CheckConditionalOperand(S, E->getFalseExpr(), T, Suspicious); 2342 2343 // If -Wconversion would have warned about either of the candidates 2344 // for a signedness conversion to the context type... 2345 if (!Suspicious) return; 2346 2347 // ...but it's currently ignored... 2348 if (S.Diags.getDiagnosticLevel(diag::warn_impcast_integer_sign_conditional)) 2349 return; 2350 2351 // ...and -Wsign-compare isn't... 2352 if (!S.Diags.getDiagnosticLevel(diag::warn_mixed_sign_conditional)) 2353 return; 2354 2355 // ...then check whether it would have warned about either of the 2356 // candidates for a signedness conversion to the condition type. 2357 if (E->getType() != T) { 2358 Suspicious = false; 2359 CheckImplicitConversion(S, E->getTrueExpr()->IgnoreParenImpCasts(), 2360 E->getType(), &Suspicious); 2361 if (!Suspicious) 2362 CheckImplicitConversion(S, E->getFalseExpr()->IgnoreParenImpCasts(), 2363 E->getType(), &Suspicious); 2364 if (!Suspicious) 2365 return; 2366 } 2367 2368 // If so, emit a diagnostic under -Wsign-compare. 2369 Expr *lex = E->getTrueExpr()->IgnoreParenImpCasts(); 2370 Expr *rex = E->getFalseExpr()->IgnoreParenImpCasts(); 2371 S.Diag(E->getQuestionLoc(), diag::warn_mixed_sign_conditional) 2372 << lex->getType() << rex->getType() 2373 << lex->getSourceRange() << rex->getSourceRange(); 2374} 2375 2376/// AnalyzeImplicitConversions - Find and report any interesting 2377/// implicit conversions in the given expression. There are a couple 2378/// of competing diagnostics here, -Wconversion and -Wsign-compare. 2379void AnalyzeImplicitConversions(Sema &S, Expr *OrigE) { 2380 QualType T = OrigE->getType(); 2381 Expr *E = OrigE->IgnoreParenImpCasts(); 2382 2383 // For conditional operators, we analyze the arguments as if they 2384 // were being fed directly into the output. 2385 if (isa<ConditionalOperator>(E)) { 2386 ConditionalOperator *CO = cast<ConditionalOperator>(E); 2387 CheckConditionalOperator(S, CO, T); 2388 return; 2389 } 2390 2391 // Go ahead and check any implicit conversions we might have skipped. 2392 // The non-canonical typecheck is just an optimization; 2393 // CheckImplicitConversion will filter out dead implicit conversions. 2394 if (E->getType() != T) 2395 CheckImplicitConversion(S, E, T); 2396 2397 // Now continue drilling into this expression. 2398 2399 // Skip past explicit casts. 2400 if (isa<ExplicitCastExpr>(E)) { 2401 E = cast<ExplicitCastExpr>(E)->getSubExpr()->IgnoreParenImpCasts(); 2402 return AnalyzeImplicitConversions(S, E); 2403 } 2404 2405 // Do a somewhat different check with comparison operators. 2406 if (isa<BinaryOperator>(E) && cast<BinaryOperator>(E)->isComparisonOp()) 2407 return AnalyzeComparison(S, cast<BinaryOperator>(E)); 2408 2409 // These break the otherwise-useful invariant below. Fortunately, 2410 // we don't really need to recurse into them, because any internal 2411 // expressions should have been analyzed already when they were 2412 // built into statements. 2413 if (isa<StmtExpr>(E)) return; 2414 2415 // Don't descend into unevaluated contexts. 2416 if (isa<SizeOfAlignOfExpr>(E)) return; 2417 2418 // Now just recurse over the expression's children. 2419 for (Stmt::child_iterator I = E->child_begin(), IE = E->child_end(); 2420 I != IE; ++I) 2421 AnalyzeImplicitConversions(S, cast<Expr>(*I)); 2422} 2423 2424} // end anonymous namespace 2425 2426/// Diagnoses "dangerous" implicit conversions within the given 2427/// expression (which is a full expression). Implements -Wconversion 2428/// and -Wsign-compare. 2429void Sema::CheckImplicitConversions(Expr *E) { 2430 // Don't diagnose in unevaluated contexts. 2431 if (ExprEvalContexts.back().Context == Sema::Unevaluated) 2432 return; 2433 2434 // Don't diagnose for value- or type-dependent expressions. 2435 if (E->isTypeDependent() || E->isValueDependent()) 2436 return; 2437 2438 AnalyzeImplicitConversions(*this, E); 2439} 2440 2441/// CheckParmsForFunctionDef - Check that the parameters of the given 2442/// function are appropriate for the definition of a function. This 2443/// takes care of any checks that cannot be performed on the 2444/// declaration itself, e.g., that the types of each of the function 2445/// parameters are complete. 2446bool Sema::CheckParmsForFunctionDef(FunctionDecl *FD) { 2447 bool HasInvalidParm = false; 2448 for (unsigned p = 0, NumParams = FD->getNumParams(); p < NumParams; ++p) { 2449 ParmVarDecl *Param = FD->getParamDecl(p); 2450 2451 // C99 6.7.5.3p4: the parameters in a parameter type list in a 2452 // function declarator that is part of a function definition of 2453 // that function shall not have incomplete type. 2454 // 2455 // This is also C++ [dcl.fct]p6. 2456 if (!Param->isInvalidDecl() && 2457 RequireCompleteType(Param->getLocation(), Param->getType(), 2458 diag::err_typecheck_decl_incomplete_type)) { 2459 Param->setInvalidDecl(); 2460 HasInvalidParm = true; 2461 } 2462 2463 // C99 6.9.1p5: If the declarator includes a parameter type list, the 2464 // declaration of each parameter shall include an identifier. 2465 if (Param->getIdentifier() == 0 && 2466 !Param->isImplicit() && 2467 !getLangOptions().CPlusPlus) 2468 Diag(Param->getLocation(), diag::err_parameter_name_omitted); 2469 2470 // C99 6.7.5.3p12: 2471 // If the function declarator is not part of a definition of that 2472 // function, parameters may have incomplete type and may use the [*] 2473 // notation in their sequences of declarator specifiers to specify 2474 // variable length array types. 2475 QualType PType = Param->getOriginalType(); 2476 if (const ArrayType *AT = Context.getAsArrayType(PType)) { 2477 if (AT->getSizeModifier() == ArrayType::Star) { 2478 // FIXME: This diagnosic should point the the '[*]' if source-location 2479 // information is added for it. 2480 Diag(Param->getLocation(), diag::err_array_star_in_function_definition); 2481 } 2482 } 2483 } 2484 2485 return HasInvalidParm; 2486} 2487