SemaChecking.cpp revision 429bb276991ff2dbc7c5b438828b9b7737cb15eb
1//===--- SemaChecking.cpp - Extra Semantic Checking -----------------------===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file implements extra semantic analysis beyond what is enforced 11// by the C type system. 12// 13//===----------------------------------------------------------------------===// 14 15#include "clang/Sema/Sema.h" 16#include "clang/Sema/SemaInternal.h" 17#include "clang/Sema/ScopeInfo.h" 18#include "clang/Analysis/Analyses/FormatString.h" 19#include "clang/AST/ASTContext.h" 20#include "clang/AST/CharUnits.h" 21#include "clang/AST/DeclCXX.h" 22#include "clang/AST/DeclObjC.h" 23#include "clang/AST/ExprCXX.h" 24#include "clang/AST/ExprObjC.h" 25#include "clang/AST/DeclObjC.h" 26#include "clang/AST/StmtCXX.h" 27#include "clang/AST/StmtObjC.h" 28#include "clang/Lex/Preprocessor.h" 29#include "llvm/ADT/BitVector.h" 30#include "llvm/ADT/STLExtras.h" 31#include "llvm/Support/raw_ostream.h" 32#include "clang/Basic/TargetBuiltins.h" 33#include "clang/Basic/TargetInfo.h" 34#include "clang/Basic/ConvertUTF.h" 35#include <limits> 36using namespace clang; 37using namespace sema; 38 39SourceLocation Sema::getLocationOfStringLiteralByte(const StringLiteral *SL, 40 unsigned ByteNo) const { 41 return SL->getLocationOfByte(ByteNo, PP.getSourceManager(), 42 PP.getLangOptions(), PP.getTargetInfo()); 43} 44 45 46/// CheckablePrintfAttr - does a function call have a "printf" attribute 47/// and arguments that merit checking? 48bool Sema::CheckablePrintfAttr(const FormatAttr *Format, CallExpr *TheCall) { 49 if (Format->getType() == "printf") return true; 50 if (Format->getType() == "printf0") { 51 // printf0 allows null "format" string; if so don't check format/args 52 unsigned format_idx = Format->getFormatIdx() - 1; 53 // Does the index refer to the implicit object argument? 54 if (isa<CXXMemberCallExpr>(TheCall)) { 55 if (format_idx == 0) 56 return false; 57 --format_idx; 58 } 59 if (format_idx < TheCall->getNumArgs()) { 60 Expr *Format = TheCall->getArg(format_idx)->IgnoreParenCasts(); 61 if (!Format->isNullPointerConstant(Context, 62 Expr::NPC_ValueDependentIsNull)) 63 return true; 64 } 65 } 66 return false; 67} 68 69/// Checks that a call expression's argument count is the desired number. 70/// This is useful when doing custom type-checking. Returns true on error. 71static bool checkArgCount(Sema &S, CallExpr *call, unsigned desiredArgCount) { 72 unsigned argCount = call->getNumArgs(); 73 if (argCount == desiredArgCount) return false; 74 75 if (argCount < desiredArgCount) 76 return S.Diag(call->getLocEnd(), diag::err_typecheck_call_too_few_args) 77 << 0 /*function call*/ << desiredArgCount << argCount 78 << call->getSourceRange(); 79 80 // Highlight all the excess arguments. 81 SourceRange range(call->getArg(desiredArgCount)->getLocStart(), 82 call->getArg(argCount - 1)->getLocEnd()); 83 84 return S.Diag(range.getBegin(), diag::err_typecheck_call_too_many_args) 85 << 0 /*function call*/ << desiredArgCount << argCount 86 << call->getArg(1)->getSourceRange(); 87} 88 89ExprResult 90Sema::CheckBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 91 ExprResult TheCallResult(Owned(TheCall)); 92 93 // Find out if any arguments are required to be integer constant expressions. 94 unsigned ICEArguments = 0; 95 ASTContext::GetBuiltinTypeError Error; 96 Context.GetBuiltinType(BuiltinID, Error, &ICEArguments); 97 if (Error != ASTContext::GE_None) 98 ICEArguments = 0; // Don't diagnose previously diagnosed errors. 99 100 // If any arguments are required to be ICE's, check and diagnose. 101 for (unsigned ArgNo = 0; ICEArguments != 0; ++ArgNo) { 102 // Skip arguments not required to be ICE's. 103 if ((ICEArguments & (1 << ArgNo)) == 0) continue; 104 105 llvm::APSInt Result; 106 if (SemaBuiltinConstantArg(TheCall, ArgNo, Result)) 107 return true; 108 ICEArguments &= ~(1 << ArgNo); 109 } 110 111 switch (BuiltinID) { 112 case Builtin::BI__builtin___CFStringMakeConstantString: 113 assert(TheCall->getNumArgs() == 1 && 114 "Wrong # arguments to builtin CFStringMakeConstantString"); 115 if (CheckObjCString(TheCall->getArg(0))) 116 return ExprError(); 117 break; 118 case Builtin::BI__builtin_stdarg_start: 119 case Builtin::BI__builtin_va_start: 120 if (SemaBuiltinVAStart(TheCall)) 121 return ExprError(); 122 break; 123 case Builtin::BI__builtin_isgreater: 124 case Builtin::BI__builtin_isgreaterequal: 125 case Builtin::BI__builtin_isless: 126 case Builtin::BI__builtin_islessequal: 127 case Builtin::BI__builtin_islessgreater: 128 case Builtin::BI__builtin_isunordered: 129 if (SemaBuiltinUnorderedCompare(TheCall)) 130 return ExprError(); 131 break; 132 case Builtin::BI__builtin_fpclassify: 133 if (SemaBuiltinFPClassification(TheCall, 6)) 134 return ExprError(); 135 break; 136 case Builtin::BI__builtin_isfinite: 137 case Builtin::BI__builtin_isinf: 138 case Builtin::BI__builtin_isinf_sign: 139 case Builtin::BI__builtin_isnan: 140 case Builtin::BI__builtin_isnormal: 141 if (SemaBuiltinFPClassification(TheCall, 1)) 142 return ExprError(); 143 break; 144 case Builtin::BI__builtin_shufflevector: 145 return SemaBuiltinShuffleVector(TheCall); 146 // TheCall will be freed by the smart pointer here, but that's fine, since 147 // SemaBuiltinShuffleVector guts it, but then doesn't release it. 148 case Builtin::BI__builtin_prefetch: 149 if (SemaBuiltinPrefetch(TheCall)) 150 return ExprError(); 151 break; 152 case Builtin::BI__builtin_object_size: 153 if (SemaBuiltinObjectSize(TheCall)) 154 return ExprError(); 155 break; 156 case Builtin::BI__builtin_longjmp: 157 if (SemaBuiltinLongjmp(TheCall)) 158 return ExprError(); 159 break; 160 161 case Builtin::BI__builtin_classify_type: 162 if (checkArgCount(*this, TheCall, 1)) return true; 163 TheCall->setType(Context.IntTy); 164 break; 165 case Builtin::BI__builtin_constant_p: 166 if (checkArgCount(*this, TheCall, 1)) return true; 167 TheCall->setType(Context.IntTy); 168 break; 169 case Builtin::BI__sync_fetch_and_add: 170 case Builtin::BI__sync_fetch_and_sub: 171 case Builtin::BI__sync_fetch_and_or: 172 case Builtin::BI__sync_fetch_and_and: 173 case Builtin::BI__sync_fetch_and_xor: 174 case Builtin::BI__sync_add_and_fetch: 175 case Builtin::BI__sync_sub_and_fetch: 176 case Builtin::BI__sync_and_and_fetch: 177 case Builtin::BI__sync_or_and_fetch: 178 case Builtin::BI__sync_xor_and_fetch: 179 case Builtin::BI__sync_val_compare_and_swap: 180 case Builtin::BI__sync_bool_compare_and_swap: 181 case Builtin::BI__sync_lock_test_and_set: 182 case Builtin::BI__sync_lock_release: 183 return SemaBuiltinAtomicOverloaded(move(TheCallResult)); 184 } 185 186 // Since the target specific builtins for each arch overlap, only check those 187 // of the arch we are compiling for. 188 if (BuiltinID >= Builtin::FirstTSBuiltin) { 189 switch (Context.Target.getTriple().getArch()) { 190 case llvm::Triple::arm: 191 case llvm::Triple::thumb: 192 if (CheckARMBuiltinFunctionCall(BuiltinID, TheCall)) 193 return ExprError(); 194 break; 195 default: 196 break; 197 } 198 } 199 200 return move(TheCallResult); 201} 202 203// Get the valid immediate range for the specified NEON type code. 204static unsigned RFT(unsigned t, bool shift = false) { 205 bool quad = t & 0x10; 206 207 switch (t & 0x7) { 208 case 0: // i8 209 return shift ? 7 : (8 << (int)quad) - 1; 210 case 1: // i16 211 return shift ? 15 : (4 << (int)quad) - 1; 212 case 2: // i32 213 return shift ? 31 : (2 << (int)quad) - 1; 214 case 3: // i64 215 return shift ? 63 : (1 << (int)quad) - 1; 216 case 4: // f32 217 assert(!shift && "cannot shift float types!"); 218 return (2 << (int)quad) - 1; 219 case 5: // poly8 220 return shift ? 7 : (8 << (int)quad) - 1; 221 case 6: // poly16 222 return shift ? 15 : (4 << (int)quad) - 1; 223 case 7: // float16 224 assert(!shift && "cannot shift float types!"); 225 return (4 << (int)quad) - 1; 226 } 227 return 0; 228} 229 230bool Sema::CheckARMBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 231 llvm::APSInt Result; 232 233 unsigned mask = 0; 234 unsigned TV = 0; 235 switch (BuiltinID) { 236#define GET_NEON_OVERLOAD_CHECK 237#include "clang/Basic/arm_neon.inc" 238#undef GET_NEON_OVERLOAD_CHECK 239 } 240 241 // For NEON intrinsics which are overloaded on vector element type, validate 242 // the immediate which specifies which variant to emit. 243 if (mask) { 244 unsigned ArgNo = TheCall->getNumArgs()-1; 245 if (SemaBuiltinConstantArg(TheCall, ArgNo, Result)) 246 return true; 247 248 TV = Result.getLimitedValue(32); 249 if ((TV > 31) || (mask & (1 << TV)) == 0) 250 return Diag(TheCall->getLocStart(), diag::err_invalid_neon_type_code) 251 << TheCall->getArg(ArgNo)->getSourceRange(); 252 } 253 254 // For NEON intrinsics which take an immediate value as part of the 255 // instruction, range check them here. 256 unsigned i = 0, l = 0, u = 0; 257 switch (BuiltinID) { 258 default: return false; 259 case ARM::BI__builtin_arm_ssat: i = 1; l = 1; u = 31; break; 260 case ARM::BI__builtin_arm_usat: i = 1; u = 31; break; 261 case ARM::BI__builtin_arm_vcvtr_f: 262 case ARM::BI__builtin_arm_vcvtr_d: i = 1; u = 1; break; 263#define GET_NEON_IMMEDIATE_CHECK 264#include "clang/Basic/arm_neon.inc" 265#undef GET_NEON_IMMEDIATE_CHECK 266 }; 267 268 // Check that the immediate argument is actually a constant. 269 if (SemaBuiltinConstantArg(TheCall, i, Result)) 270 return true; 271 272 // Range check against the upper/lower values for this isntruction. 273 unsigned Val = Result.getZExtValue(); 274 if (Val < l || Val > (u + l)) 275 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 276 << l << u+l << TheCall->getArg(i)->getSourceRange(); 277 278 // FIXME: VFP Intrinsics should error if VFP not present. 279 return false; 280} 281 282/// CheckFunctionCall - Check a direct function call for various correctness 283/// and safety properties not strictly enforced by the C type system. 284bool Sema::CheckFunctionCall(FunctionDecl *FDecl, CallExpr *TheCall) { 285 // Get the IdentifierInfo* for the called function. 286 IdentifierInfo *FnInfo = FDecl->getIdentifier(); 287 288 // None of the checks below are needed for functions that don't have 289 // simple names (e.g., C++ conversion functions). 290 if (!FnInfo) 291 return false; 292 293 // FIXME: This mechanism should be abstracted to be less fragile and 294 // more efficient. For example, just map function ids to custom 295 // handlers. 296 297 // Printf and scanf checking. 298 for (specific_attr_iterator<FormatAttr> 299 i = FDecl->specific_attr_begin<FormatAttr>(), 300 e = FDecl->specific_attr_end<FormatAttr>(); i != e ; ++i) { 301 302 const FormatAttr *Format = *i; 303 const bool b = Format->getType() == "scanf"; 304 if (b || CheckablePrintfAttr(Format, TheCall)) { 305 bool HasVAListArg = Format->getFirstArg() == 0; 306 CheckPrintfScanfArguments(TheCall, HasVAListArg, 307 Format->getFormatIdx() - 1, 308 HasVAListArg ? 0 : Format->getFirstArg() - 1, 309 !b); 310 } 311 } 312 313 for (specific_attr_iterator<NonNullAttr> 314 i = FDecl->specific_attr_begin<NonNullAttr>(), 315 e = FDecl->specific_attr_end<NonNullAttr>(); i != e; ++i) { 316 CheckNonNullArguments(*i, TheCall->getArgs(), 317 TheCall->getCallee()->getLocStart()); 318 } 319 320 return false; 321} 322 323bool Sema::CheckBlockCall(NamedDecl *NDecl, CallExpr *TheCall) { 324 // Printf checking. 325 const FormatAttr *Format = NDecl->getAttr<FormatAttr>(); 326 if (!Format) 327 return false; 328 329 const VarDecl *V = dyn_cast<VarDecl>(NDecl); 330 if (!V) 331 return false; 332 333 QualType Ty = V->getType(); 334 if (!Ty->isBlockPointerType()) 335 return false; 336 337 const bool b = Format->getType() == "scanf"; 338 if (!b && !CheckablePrintfAttr(Format, TheCall)) 339 return false; 340 341 bool HasVAListArg = Format->getFirstArg() == 0; 342 CheckPrintfScanfArguments(TheCall, HasVAListArg, Format->getFormatIdx() - 1, 343 HasVAListArg ? 0 : Format->getFirstArg() - 1, !b); 344 345 return false; 346} 347 348/// SemaBuiltinAtomicOverloaded - We have a call to a function like 349/// __sync_fetch_and_add, which is an overloaded function based on the pointer 350/// type of its first argument. The main ActOnCallExpr routines have already 351/// promoted the types of arguments because all of these calls are prototyped as 352/// void(...). 353/// 354/// This function goes through and does final semantic checking for these 355/// builtins, 356ExprResult 357Sema::SemaBuiltinAtomicOverloaded(ExprResult TheCallResult) { 358 CallExpr *TheCall = (CallExpr *)TheCallResult.get(); 359 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 360 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 361 362 // Ensure that we have at least one argument to do type inference from. 363 if (TheCall->getNumArgs() < 1) { 364 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 365 << 0 << 1 << TheCall->getNumArgs() 366 << TheCall->getCallee()->getSourceRange(); 367 return ExprError(); 368 } 369 370 // Inspect the first argument of the atomic builtin. This should always be 371 // a pointer type, whose element is an integral scalar or pointer type. 372 // Because it is a pointer type, we don't have to worry about any implicit 373 // casts here. 374 // FIXME: We don't allow floating point scalars as input. 375 Expr *FirstArg = TheCall->getArg(0); 376 if (!FirstArg->getType()->isPointerType()) { 377 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 378 << FirstArg->getType() << FirstArg->getSourceRange(); 379 return ExprError(); 380 } 381 382 QualType ValType = 383 FirstArg->getType()->getAs<PointerType>()->getPointeeType(); 384 if (!ValType->isIntegerType() && !ValType->isAnyPointerType() && 385 !ValType->isBlockPointerType()) { 386 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer_intptr) 387 << FirstArg->getType() << FirstArg->getSourceRange(); 388 return ExprError(); 389 } 390 391 // The majority of builtins return a value, but a few have special return 392 // types, so allow them to override appropriately below. 393 QualType ResultType = ValType; 394 395 // We need to figure out which concrete builtin this maps onto. For example, 396 // __sync_fetch_and_add with a 2 byte object turns into 397 // __sync_fetch_and_add_2. 398#define BUILTIN_ROW(x) \ 399 { Builtin::BI##x##_1, Builtin::BI##x##_2, Builtin::BI##x##_4, \ 400 Builtin::BI##x##_8, Builtin::BI##x##_16 } 401 402 static const unsigned BuiltinIndices[][5] = { 403 BUILTIN_ROW(__sync_fetch_and_add), 404 BUILTIN_ROW(__sync_fetch_and_sub), 405 BUILTIN_ROW(__sync_fetch_and_or), 406 BUILTIN_ROW(__sync_fetch_and_and), 407 BUILTIN_ROW(__sync_fetch_and_xor), 408 409 BUILTIN_ROW(__sync_add_and_fetch), 410 BUILTIN_ROW(__sync_sub_and_fetch), 411 BUILTIN_ROW(__sync_and_and_fetch), 412 BUILTIN_ROW(__sync_or_and_fetch), 413 BUILTIN_ROW(__sync_xor_and_fetch), 414 415 BUILTIN_ROW(__sync_val_compare_and_swap), 416 BUILTIN_ROW(__sync_bool_compare_and_swap), 417 BUILTIN_ROW(__sync_lock_test_and_set), 418 BUILTIN_ROW(__sync_lock_release) 419 }; 420#undef BUILTIN_ROW 421 422 // Determine the index of the size. 423 unsigned SizeIndex; 424 switch (Context.getTypeSizeInChars(ValType).getQuantity()) { 425 case 1: SizeIndex = 0; break; 426 case 2: SizeIndex = 1; break; 427 case 4: SizeIndex = 2; break; 428 case 8: SizeIndex = 3; break; 429 case 16: SizeIndex = 4; break; 430 default: 431 Diag(DRE->getLocStart(), diag::err_atomic_builtin_pointer_size) 432 << FirstArg->getType() << FirstArg->getSourceRange(); 433 return ExprError(); 434 } 435 436 // Each of these builtins has one pointer argument, followed by some number of 437 // values (0, 1 or 2) followed by a potentially empty varags list of stuff 438 // that we ignore. Find out which row of BuiltinIndices to read from as well 439 // as the number of fixed args. 440 unsigned BuiltinID = FDecl->getBuiltinID(); 441 unsigned BuiltinIndex, NumFixed = 1; 442 switch (BuiltinID) { 443 default: assert(0 && "Unknown overloaded atomic builtin!"); 444 case Builtin::BI__sync_fetch_and_add: BuiltinIndex = 0; break; 445 case Builtin::BI__sync_fetch_and_sub: BuiltinIndex = 1; break; 446 case Builtin::BI__sync_fetch_and_or: BuiltinIndex = 2; break; 447 case Builtin::BI__sync_fetch_and_and: BuiltinIndex = 3; break; 448 case Builtin::BI__sync_fetch_and_xor: BuiltinIndex = 4; break; 449 450 case Builtin::BI__sync_add_and_fetch: BuiltinIndex = 5; break; 451 case Builtin::BI__sync_sub_and_fetch: BuiltinIndex = 6; break; 452 case Builtin::BI__sync_and_and_fetch: BuiltinIndex = 7; break; 453 case Builtin::BI__sync_or_and_fetch: BuiltinIndex = 8; break; 454 case Builtin::BI__sync_xor_and_fetch: BuiltinIndex = 9; break; 455 456 case Builtin::BI__sync_val_compare_and_swap: 457 BuiltinIndex = 10; 458 NumFixed = 2; 459 break; 460 case Builtin::BI__sync_bool_compare_and_swap: 461 BuiltinIndex = 11; 462 NumFixed = 2; 463 ResultType = Context.BoolTy; 464 break; 465 case Builtin::BI__sync_lock_test_and_set: BuiltinIndex = 12; break; 466 case Builtin::BI__sync_lock_release: 467 BuiltinIndex = 13; 468 NumFixed = 0; 469 ResultType = Context.VoidTy; 470 break; 471 } 472 473 // Now that we know how many fixed arguments we expect, first check that we 474 // have at least that many. 475 if (TheCall->getNumArgs() < 1+NumFixed) { 476 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 477 << 0 << 1+NumFixed << TheCall->getNumArgs() 478 << TheCall->getCallee()->getSourceRange(); 479 return ExprError(); 480 } 481 482 // Get the decl for the concrete builtin from this, we can tell what the 483 // concrete integer type we should convert to is. 484 unsigned NewBuiltinID = BuiltinIndices[BuiltinIndex][SizeIndex]; 485 const char *NewBuiltinName = Context.BuiltinInfo.GetName(NewBuiltinID); 486 IdentifierInfo *NewBuiltinII = PP.getIdentifierInfo(NewBuiltinName); 487 FunctionDecl *NewBuiltinDecl = 488 cast<FunctionDecl>(LazilyCreateBuiltin(NewBuiltinII, NewBuiltinID, 489 TUScope, false, DRE->getLocStart())); 490 491 // The first argument --- the pointer --- has a fixed type; we 492 // deduce the types of the rest of the arguments accordingly. Walk 493 // the remaining arguments, converting them to the deduced value type. 494 for (unsigned i = 0; i != NumFixed; ++i) { 495 ExprResult Arg = TheCall->getArg(i+1); 496 497 // If the argument is an implicit cast, then there was a promotion due to 498 // "...", just remove it now. 499 if (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Arg.get())) { 500 Arg = ICE->getSubExpr(); 501 ICE->setSubExpr(0); 502 TheCall->setArg(i+1, Arg.get()); 503 } 504 505 // GCC does an implicit conversion to the pointer or integer ValType. This 506 // can fail in some cases (1i -> int**), check for this error case now. 507 CastKind Kind = CK_Invalid; 508 ExprValueKind VK = VK_RValue; 509 CXXCastPath BasePath; 510 Arg = CheckCastTypes(Arg.get()->getSourceRange(), ValType, Arg.take(), Kind, VK, BasePath); 511 if (Arg.isInvalid()) 512 return ExprError(); 513 514 // Okay, we have something that *can* be converted to the right type. Check 515 // to see if there is a potentially weird extension going on here. This can 516 // happen when you do an atomic operation on something like an char* and 517 // pass in 42. The 42 gets converted to char. This is even more strange 518 // for things like 45.123 -> char, etc. 519 // FIXME: Do this check. 520 Arg = ImpCastExprToType(Arg.take(), ValType, Kind, VK, &BasePath); 521 TheCall->setArg(i+1, Arg.get()); 522 } 523 524 // Switch the DeclRefExpr to refer to the new decl. 525 DRE->setDecl(NewBuiltinDecl); 526 DRE->setType(NewBuiltinDecl->getType()); 527 528 // Set the callee in the CallExpr. 529 // FIXME: This leaks the original parens and implicit casts. 530 ExprResult PromotedCall = UsualUnaryConversions(DRE); 531 if (PromotedCall.isInvalid()) 532 return ExprError(); 533 TheCall->setCallee(PromotedCall.take()); 534 535 // Change the result type of the call to match the original value type. This 536 // is arbitrary, but the codegen for these builtins ins design to handle it 537 // gracefully. 538 TheCall->setType(ResultType); 539 540 return move(TheCallResult); 541} 542 543 544/// CheckObjCString - Checks that the argument to the builtin 545/// CFString constructor is correct 546/// Note: It might also make sense to do the UTF-16 conversion here (would 547/// simplify the backend). 548bool Sema::CheckObjCString(Expr *Arg) { 549 Arg = Arg->IgnoreParenCasts(); 550 StringLiteral *Literal = dyn_cast<StringLiteral>(Arg); 551 552 if (!Literal || Literal->isWide()) { 553 Diag(Arg->getLocStart(), diag::err_cfstring_literal_not_string_constant) 554 << Arg->getSourceRange(); 555 return true; 556 } 557 558 if (Literal->containsNonAsciiOrNull()) { 559 llvm::StringRef String = Literal->getString(); 560 unsigned NumBytes = String.size(); 561 llvm::SmallVector<UTF16, 128> ToBuf(NumBytes); 562 const UTF8 *FromPtr = (UTF8 *)String.data(); 563 UTF16 *ToPtr = &ToBuf[0]; 564 565 ConversionResult Result = ConvertUTF8toUTF16(&FromPtr, FromPtr + NumBytes, 566 &ToPtr, ToPtr + NumBytes, 567 strictConversion); 568 // Check for conversion failure. 569 if (Result != conversionOK) 570 Diag(Arg->getLocStart(), 571 diag::warn_cfstring_truncated) << Arg->getSourceRange(); 572 } 573 return false; 574} 575 576/// SemaBuiltinVAStart - Check the arguments to __builtin_va_start for validity. 577/// Emit an error and return true on failure, return false on success. 578bool Sema::SemaBuiltinVAStart(CallExpr *TheCall) { 579 Expr *Fn = TheCall->getCallee(); 580 if (TheCall->getNumArgs() > 2) { 581 Diag(TheCall->getArg(2)->getLocStart(), 582 diag::err_typecheck_call_too_many_args) 583 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 584 << Fn->getSourceRange() 585 << SourceRange(TheCall->getArg(2)->getLocStart(), 586 (*(TheCall->arg_end()-1))->getLocEnd()); 587 return true; 588 } 589 590 if (TheCall->getNumArgs() < 2) { 591 return Diag(TheCall->getLocEnd(), 592 diag::err_typecheck_call_too_few_args_at_least) 593 << 0 /*function call*/ << 2 << TheCall->getNumArgs(); 594 } 595 596 // Determine whether the current function is variadic or not. 597 BlockScopeInfo *CurBlock = getCurBlock(); 598 bool isVariadic; 599 if (CurBlock) 600 isVariadic = CurBlock->TheDecl->isVariadic(); 601 else if (FunctionDecl *FD = getCurFunctionDecl()) 602 isVariadic = FD->isVariadic(); 603 else 604 isVariadic = getCurMethodDecl()->isVariadic(); 605 606 if (!isVariadic) { 607 Diag(Fn->getLocStart(), diag::err_va_start_used_in_non_variadic_function); 608 return true; 609 } 610 611 // Verify that the second argument to the builtin is the last argument of the 612 // current function or method. 613 bool SecondArgIsLastNamedArgument = false; 614 const Expr *Arg = TheCall->getArg(1)->IgnoreParenCasts(); 615 616 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Arg)) { 617 if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(DR->getDecl())) { 618 // FIXME: This isn't correct for methods (results in bogus warning). 619 // Get the last formal in the current function. 620 const ParmVarDecl *LastArg; 621 if (CurBlock) 622 LastArg = *(CurBlock->TheDecl->param_end()-1); 623 else if (FunctionDecl *FD = getCurFunctionDecl()) 624 LastArg = *(FD->param_end()-1); 625 else 626 LastArg = *(getCurMethodDecl()->param_end()-1); 627 SecondArgIsLastNamedArgument = PV == LastArg; 628 } 629 } 630 631 if (!SecondArgIsLastNamedArgument) 632 Diag(TheCall->getArg(1)->getLocStart(), 633 diag::warn_second_parameter_of_va_start_not_last_named_argument); 634 return false; 635} 636 637/// SemaBuiltinUnorderedCompare - Handle functions like __builtin_isgreater and 638/// friends. This is declared to take (...), so we have to check everything. 639bool Sema::SemaBuiltinUnorderedCompare(CallExpr *TheCall) { 640 if (TheCall->getNumArgs() < 2) 641 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 642 << 0 << 2 << TheCall->getNumArgs()/*function call*/; 643 if (TheCall->getNumArgs() > 2) 644 return Diag(TheCall->getArg(2)->getLocStart(), 645 diag::err_typecheck_call_too_many_args) 646 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 647 << SourceRange(TheCall->getArg(2)->getLocStart(), 648 (*(TheCall->arg_end()-1))->getLocEnd()); 649 650 ExprResult OrigArg0 = TheCall->getArg(0); 651 ExprResult OrigArg1 = TheCall->getArg(1); 652 653 // Do standard promotions between the two arguments, returning their common 654 // type. 655 QualType Res = UsualArithmeticConversions(OrigArg0, OrigArg1, false); 656 if (OrigArg0.isInvalid() || OrigArg1.isInvalid()) 657 return true; 658 659 // Make sure any conversions are pushed back into the call; this is 660 // type safe since unordered compare builtins are declared as "_Bool 661 // foo(...)". 662 TheCall->setArg(0, OrigArg0.get()); 663 TheCall->setArg(1, OrigArg1.get()); 664 665 if (OrigArg0.get()->isTypeDependent() || OrigArg1.get()->isTypeDependent()) 666 return false; 667 668 // If the common type isn't a real floating type, then the arguments were 669 // invalid for this operation. 670 if (!Res->isRealFloatingType()) 671 return Diag(OrigArg0.get()->getLocStart(), 672 diag::err_typecheck_call_invalid_ordered_compare) 673 << OrigArg0.get()->getType() << OrigArg1.get()->getType() 674 << SourceRange(OrigArg0.get()->getLocStart(), OrigArg1.get()->getLocEnd()); 675 676 return false; 677} 678 679/// SemaBuiltinSemaBuiltinFPClassification - Handle functions like 680/// __builtin_isnan and friends. This is declared to take (...), so we have 681/// to check everything. We expect the last argument to be a floating point 682/// value. 683bool Sema::SemaBuiltinFPClassification(CallExpr *TheCall, unsigned NumArgs) { 684 if (TheCall->getNumArgs() < NumArgs) 685 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 686 << 0 << NumArgs << TheCall->getNumArgs()/*function call*/; 687 if (TheCall->getNumArgs() > NumArgs) 688 return Diag(TheCall->getArg(NumArgs)->getLocStart(), 689 diag::err_typecheck_call_too_many_args) 690 << 0 /*function call*/ << NumArgs << TheCall->getNumArgs() 691 << SourceRange(TheCall->getArg(NumArgs)->getLocStart(), 692 (*(TheCall->arg_end()-1))->getLocEnd()); 693 694 Expr *OrigArg = TheCall->getArg(NumArgs-1); 695 696 if (OrigArg->isTypeDependent()) 697 return false; 698 699 // This operation requires a non-_Complex floating-point number. 700 if (!OrigArg->getType()->isRealFloatingType()) 701 return Diag(OrigArg->getLocStart(), 702 diag::err_typecheck_call_invalid_unary_fp) 703 << OrigArg->getType() << OrigArg->getSourceRange(); 704 705 // If this is an implicit conversion from float -> double, remove it. 706 if (ImplicitCastExpr *Cast = dyn_cast<ImplicitCastExpr>(OrigArg)) { 707 Expr *CastArg = Cast->getSubExpr(); 708 if (CastArg->getType()->isSpecificBuiltinType(BuiltinType::Float)) { 709 assert(Cast->getType()->isSpecificBuiltinType(BuiltinType::Double) && 710 "promotion from float to double is the only expected cast here"); 711 Cast->setSubExpr(0); 712 TheCall->setArg(NumArgs-1, CastArg); 713 OrigArg = CastArg; 714 } 715 } 716 717 return false; 718} 719 720/// SemaBuiltinShuffleVector - Handle __builtin_shufflevector. 721// This is declared to take (...), so we have to check everything. 722ExprResult Sema::SemaBuiltinShuffleVector(CallExpr *TheCall) { 723 if (TheCall->getNumArgs() < 2) 724 return ExprError(Diag(TheCall->getLocEnd(), 725 diag::err_typecheck_call_too_few_args_at_least) 726 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 727 << TheCall->getSourceRange()); 728 729 // Determine which of the following types of shufflevector we're checking: 730 // 1) unary, vector mask: (lhs, mask) 731 // 2) binary, vector mask: (lhs, rhs, mask) 732 // 3) binary, scalar mask: (lhs, rhs, index, ..., index) 733 QualType resType = TheCall->getArg(0)->getType(); 734 unsigned numElements = 0; 735 736 if (!TheCall->getArg(0)->isTypeDependent() && 737 !TheCall->getArg(1)->isTypeDependent()) { 738 QualType LHSType = TheCall->getArg(0)->getType(); 739 QualType RHSType = TheCall->getArg(1)->getType(); 740 741 if (!LHSType->isVectorType() || !RHSType->isVectorType()) { 742 Diag(TheCall->getLocStart(), diag::err_shufflevector_non_vector) 743 << SourceRange(TheCall->getArg(0)->getLocStart(), 744 TheCall->getArg(1)->getLocEnd()); 745 return ExprError(); 746 } 747 748 numElements = LHSType->getAs<VectorType>()->getNumElements(); 749 unsigned numResElements = TheCall->getNumArgs() - 2; 750 751 // Check to see if we have a call with 2 vector arguments, the unary shuffle 752 // with mask. If so, verify that RHS is an integer vector type with the 753 // same number of elts as lhs. 754 if (TheCall->getNumArgs() == 2) { 755 if (!RHSType->hasIntegerRepresentation() || 756 RHSType->getAs<VectorType>()->getNumElements() != numElements) 757 Diag(TheCall->getLocStart(), diag::err_shufflevector_incompatible_vector) 758 << SourceRange(TheCall->getArg(1)->getLocStart(), 759 TheCall->getArg(1)->getLocEnd()); 760 numResElements = numElements; 761 } 762 else if (!Context.hasSameUnqualifiedType(LHSType, RHSType)) { 763 Diag(TheCall->getLocStart(), diag::err_shufflevector_incompatible_vector) 764 << SourceRange(TheCall->getArg(0)->getLocStart(), 765 TheCall->getArg(1)->getLocEnd()); 766 return ExprError(); 767 } else if (numElements != numResElements) { 768 QualType eltType = LHSType->getAs<VectorType>()->getElementType(); 769 resType = Context.getVectorType(eltType, numResElements, 770 VectorType::GenericVector); 771 } 772 } 773 774 for (unsigned i = 2; i < TheCall->getNumArgs(); i++) { 775 if (TheCall->getArg(i)->isTypeDependent() || 776 TheCall->getArg(i)->isValueDependent()) 777 continue; 778 779 llvm::APSInt Result(32); 780 if (!TheCall->getArg(i)->isIntegerConstantExpr(Result, Context)) 781 return ExprError(Diag(TheCall->getLocStart(), 782 diag::err_shufflevector_nonconstant_argument) 783 << TheCall->getArg(i)->getSourceRange()); 784 785 if (Result.getActiveBits() > 64 || Result.getZExtValue() >= numElements*2) 786 return ExprError(Diag(TheCall->getLocStart(), 787 diag::err_shufflevector_argument_too_large) 788 << TheCall->getArg(i)->getSourceRange()); 789 } 790 791 llvm::SmallVector<Expr*, 32> exprs; 792 793 for (unsigned i = 0, e = TheCall->getNumArgs(); i != e; i++) { 794 exprs.push_back(TheCall->getArg(i)); 795 TheCall->setArg(i, 0); 796 } 797 798 return Owned(new (Context) ShuffleVectorExpr(Context, exprs.begin(), 799 exprs.size(), resType, 800 TheCall->getCallee()->getLocStart(), 801 TheCall->getRParenLoc())); 802} 803 804/// SemaBuiltinPrefetch - Handle __builtin_prefetch. 805// This is declared to take (const void*, ...) and can take two 806// optional constant int args. 807bool Sema::SemaBuiltinPrefetch(CallExpr *TheCall) { 808 unsigned NumArgs = TheCall->getNumArgs(); 809 810 if (NumArgs > 3) 811 return Diag(TheCall->getLocEnd(), 812 diag::err_typecheck_call_too_many_args_at_most) 813 << 0 /*function call*/ << 3 << NumArgs 814 << TheCall->getSourceRange(); 815 816 // Argument 0 is checked for us and the remaining arguments must be 817 // constant integers. 818 for (unsigned i = 1; i != NumArgs; ++i) { 819 Expr *Arg = TheCall->getArg(i); 820 821 llvm::APSInt Result; 822 if (SemaBuiltinConstantArg(TheCall, i, Result)) 823 return true; 824 825 // FIXME: gcc issues a warning and rewrites these to 0. These 826 // seems especially odd for the third argument since the default 827 // is 3. 828 if (i == 1) { 829 if (Result.getLimitedValue() > 1) 830 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 831 << "0" << "1" << Arg->getSourceRange(); 832 } else { 833 if (Result.getLimitedValue() > 3) 834 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 835 << "0" << "3" << Arg->getSourceRange(); 836 } 837 } 838 839 return false; 840} 841 842/// SemaBuiltinConstantArg - Handle a check if argument ArgNum of CallExpr 843/// TheCall is a constant expression. 844bool Sema::SemaBuiltinConstantArg(CallExpr *TheCall, int ArgNum, 845 llvm::APSInt &Result) { 846 Expr *Arg = TheCall->getArg(ArgNum); 847 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 848 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 849 850 if (Arg->isTypeDependent() || Arg->isValueDependent()) return false; 851 852 if (!Arg->isIntegerConstantExpr(Result, Context)) 853 return Diag(TheCall->getLocStart(), diag::err_constant_integer_arg_type) 854 << FDecl->getDeclName() << Arg->getSourceRange(); 855 856 return false; 857} 858 859/// SemaBuiltinObjectSize - Handle __builtin_object_size(void *ptr, 860/// int type). This simply type checks that type is one of the defined 861/// constants (0-3). 862// For compatability check 0-3, llvm only handles 0 and 2. 863bool Sema::SemaBuiltinObjectSize(CallExpr *TheCall) { 864 llvm::APSInt Result; 865 866 // Check constant-ness first. 867 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 868 return true; 869 870 Expr *Arg = TheCall->getArg(1); 871 if (Result.getSExtValue() < 0 || Result.getSExtValue() > 3) { 872 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 873 << "0" << "3" << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 874 } 875 876 return false; 877} 878 879/// SemaBuiltinLongjmp - Handle __builtin_longjmp(void *env[5], int val). 880/// This checks that val is a constant 1. 881bool Sema::SemaBuiltinLongjmp(CallExpr *TheCall) { 882 Expr *Arg = TheCall->getArg(1); 883 llvm::APSInt Result; 884 885 // TODO: This is less than ideal. Overload this to take a value. 886 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 887 return true; 888 889 if (Result != 1) 890 return Diag(TheCall->getLocStart(), diag::err_builtin_longjmp_invalid_val) 891 << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 892 893 return false; 894} 895 896// Handle i > 1 ? "x" : "y", recursively. 897bool Sema::SemaCheckStringLiteral(const Expr *E, const CallExpr *TheCall, 898 bool HasVAListArg, 899 unsigned format_idx, unsigned firstDataArg, 900 bool isPrintf) { 901 tryAgain: 902 if (E->isTypeDependent() || E->isValueDependent()) 903 return false; 904 905 switch (E->getStmtClass()) { 906 case Stmt::BinaryConditionalOperatorClass: 907 case Stmt::ConditionalOperatorClass: { 908 const AbstractConditionalOperator *C = cast<AbstractConditionalOperator>(E); 909 return SemaCheckStringLiteral(C->getTrueExpr(), TheCall, HasVAListArg, 910 format_idx, firstDataArg, isPrintf) 911 && SemaCheckStringLiteral(C->getFalseExpr(), TheCall, HasVAListArg, 912 format_idx, firstDataArg, isPrintf); 913 } 914 915 case Stmt::IntegerLiteralClass: 916 // Technically -Wformat-nonliteral does not warn about this case. 917 // The behavior of printf and friends in this case is implementation 918 // dependent. Ideally if the format string cannot be null then 919 // it should have a 'nonnull' attribute in the function prototype. 920 return true; 921 922 case Stmt::ImplicitCastExprClass: { 923 E = cast<ImplicitCastExpr>(E)->getSubExpr(); 924 goto tryAgain; 925 } 926 927 case Stmt::ParenExprClass: { 928 E = cast<ParenExpr>(E)->getSubExpr(); 929 goto tryAgain; 930 } 931 932 case Stmt::OpaqueValueExprClass: 933 if (const Expr *src = cast<OpaqueValueExpr>(E)->getSourceExpr()) { 934 E = src; 935 goto tryAgain; 936 } 937 return false; 938 939 case Stmt::PredefinedExprClass: 940 // While __func__, etc., are technically not string literals, they 941 // cannot contain format specifiers and thus are not a security 942 // liability. 943 return true; 944 945 case Stmt::DeclRefExprClass: { 946 const DeclRefExpr *DR = cast<DeclRefExpr>(E); 947 948 // As an exception, do not flag errors for variables binding to 949 // const string literals. 950 if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) { 951 bool isConstant = false; 952 QualType T = DR->getType(); 953 954 if (const ArrayType *AT = Context.getAsArrayType(T)) { 955 isConstant = AT->getElementType().isConstant(Context); 956 } else if (const PointerType *PT = T->getAs<PointerType>()) { 957 isConstant = T.isConstant(Context) && 958 PT->getPointeeType().isConstant(Context); 959 } 960 961 if (isConstant) { 962 if (const Expr *Init = VD->getAnyInitializer()) 963 return SemaCheckStringLiteral(Init, TheCall, 964 HasVAListArg, format_idx, firstDataArg, 965 isPrintf); 966 } 967 968 // For vprintf* functions (i.e., HasVAListArg==true), we add a 969 // special check to see if the format string is a function parameter 970 // of the function calling the printf function. If the function 971 // has an attribute indicating it is a printf-like function, then we 972 // should suppress warnings concerning non-literals being used in a call 973 // to a vprintf function. For example: 974 // 975 // void 976 // logmessage(char const *fmt __attribute__ (format (printf, 1, 2)), ...){ 977 // va_list ap; 978 // va_start(ap, fmt); 979 // vprintf(fmt, ap); // Do NOT emit a warning about "fmt". 980 // ... 981 // 982 // 983 // FIXME: We don't have full attribute support yet, so just check to see 984 // if the argument is a DeclRefExpr that references a parameter. We'll 985 // add proper support for checking the attribute later. 986 if (HasVAListArg) 987 if (isa<ParmVarDecl>(VD)) 988 return true; 989 } 990 991 return false; 992 } 993 994 case Stmt::CallExprClass: { 995 const CallExpr *CE = cast<CallExpr>(E); 996 if (const ImplicitCastExpr *ICE 997 = dyn_cast<ImplicitCastExpr>(CE->getCallee())) { 998 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(ICE->getSubExpr())) { 999 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(DRE->getDecl())) { 1000 if (const FormatArgAttr *FA = FD->getAttr<FormatArgAttr>()) { 1001 unsigned ArgIndex = FA->getFormatIdx(); 1002 const Expr *Arg = CE->getArg(ArgIndex - 1); 1003 1004 return SemaCheckStringLiteral(Arg, TheCall, HasVAListArg, 1005 format_idx, firstDataArg, isPrintf); 1006 } 1007 } 1008 } 1009 } 1010 1011 return false; 1012 } 1013 case Stmt::ObjCStringLiteralClass: 1014 case Stmt::StringLiteralClass: { 1015 const StringLiteral *StrE = NULL; 1016 1017 if (const ObjCStringLiteral *ObjCFExpr = dyn_cast<ObjCStringLiteral>(E)) 1018 StrE = ObjCFExpr->getString(); 1019 else 1020 StrE = cast<StringLiteral>(E); 1021 1022 if (StrE) { 1023 CheckFormatString(StrE, E, TheCall, HasVAListArg, format_idx, 1024 firstDataArg, isPrintf); 1025 return true; 1026 } 1027 1028 return false; 1029 } 1030 1031 default: 1032 return false; 1033 } 1034} 1035 1036void 1037Sema::CheckNonNullArguments(const NonNullAttr *NonNull, 1038 const Expr * const *ExprArgs, 1039 SourceLocation CallSiteLoc) { 1040 for (NonNullAttr::args_iterator i = NonNull->args_begin(), 1041 e = NonNull->args_end(); 1042 i != e; ++i) { 1043 const Expr *ArgExpr = ExprArgs[*i]; 1044 if (ArgExpr->isNullPointerConstant(Context, 1045 Expr::NPC_ValueDependentIsNotNull)) 1046 Diag(CallSiteLoc, diag::warn_null_arg) << ArgExpr->getSourceRange(); 1047 } 1048} 1049 1050/// CheckPrintfScanfArguments - Check calls to printf and scanf (and similar 1051/// functions) for correct use of format strings. 1052void 1053Sema::CheckPrintfScanfArguments(const CallExpr *TheCall, bool HasVAListArg, 1054 unsigned format_idx, unsigned firstDataArg, 1055 bool isPrintf) { 1056 1057 const Expr *Fn = TheCall->getCallee(); 1058 1059 // The way the format attribute works in GCC, the implicit this argument 1060 // of member functions is counted. However, it doesn't appear in our own 1061 // lists, so decrement format_idx in that case. 1062 if (isa<CXXMemberCallExpr>(TheCall)) { 1063 const CXXMethodDecl *method_decl = 1064 dyn_cast<CXXMethodDecl>(TheCall->getCalleeDecl()); 1065 if (method_decl && method_decl->isInstance()) { 1066 // Catch a format attribute mistakenly referring to the object argument. 1067 if (format_idx == 0) 1068 return; 1069 --format_idx; 1070 if(firstDataArg != 0) 1071 --firstDataArg; 1072 } 1073 } 1074 1075 // CHECK: printf/scanf-like function is called with no format string. 1076 if (format_idx >= TheCall->getNumArgs()) { 1077 Diag(TheCall->getRParenLoc(), diag::warn_missing_format_string) 1078 << Fn->getSourceRange(); 1079 return; 1080 } 1081 1082 const Expr *OrigFormatExpr = TheCall->getArg(format_idx)->IgnoreParenCasts(); 1083 1084 // CHECK: format string is not a string literal. 1085 // 1086 // Dynamically generated format strings are difficult to 1087 // automatically vet at compile time. Requiring that format strings 1088 // are string literals: (1) permits the checking of format strings by 1089 // the compiler and thereby (2) can practically remove the source of 1090 // many format string exploits. 1091 1092 // Format string can be either ObjC string (e.g. @"%d") or 1093 // C string (e.g. "%d") 1094 // ObjC string uses the same format specifiers as C string, so we can use 1095 // the same format string checking logic for both ObjC and C strings. 1096 if (SemaCheckStringLiteral(OrigFormatExpr, TheCall, HasVAListArg, format_idx, 1097 firstDataArg, isPrintf)) 1098 return; // Literal format string found, check done! 1099 1100 // If there are no arguments specified, warn with -Wformat-security, otherwise 1101 // warn only with -Wformat-nonliteral. 1102 if (TheCall->getNumArgs() == format_idx+1) 1103 Diag(TheCall->getArg(format_idx)->getLocStart(), 1104 diag::warn_format_nonliteral_noargs) 1105 << OrigFormatExpr->getSourceRange(); 1106 else 1107 Diag(TheCall->getArg(format_idx)->getLocStart(), 1108 diag::warn_format_nonliteral) 1109 << OrigFormatExpr->getSourceRange(); 1110} 1111 1112namespace { 1113class CheckFormatHandler : public analyze_format_string::FormatStringHandler { 1114protected: 1115 Sema &S; 1116 const StringLiteral *FExpr; 1117 const Expr *OrigFormatExpr; 1118 const unsigned FirstDataArg; 1119 const unsigned NumDataArgs; 1120 const bool IsObjCLiteral; 1121 const char *Beg; // Start of format string. 1122 const bool HasVAListArg; 1123 const CallExpr *TheCall; 1124 unsigned FormatIdx; 1125 llvm::BitVector CoveredArgs; 1126 bool usesPositionalArgs; 1127 bool atFirstArg; 1128public: 1129 CheckFormatHandler(Sema &s, const StringLiteral *fexpr, 1130 const Expr *origFormatExpr, unsigned firstDataArg, 1131 unsigned numDataArgs, bool isObjCLiteral, 1132 const char *beg, bool hasVAListArg, 1133 const CallExpr *theCall, unsigned formatIdx) 1134 : S(s), FExpr(fexpr), OrigFormatExpr(origFormatExpr), 1135 FirstDataArg(firstDataArg), 1136 NumDataArgs(numDataArgs), 1137 IsObjCLiteral(isObjCLiteral), Beg(beg), 1138 HasVAListArg(hasVAListArg), 1139 TheCall(theCall), FormatIdx(formatIdx), 1140 usesPositionalArgs(false), atFirstArg(true) { 1141 CoveredArgs.resize(numDataArgs); 1142 CoveredArgs.reset(); 1143 } 1144 1145 void DoneProcessing(); 1146 1147 void HandleIncompleteSpecifier(const char *startSpecifier, 1148 unsigned specifierLen); 1149 1150 virtual void HandleInvalidPosition(const char *startSpecifier, 1151 unsigned specifierLen, 1152 analyze_format_string::PositionContext p); 1153 1154 virtual void HandleZeroPosition(const char *startPos, unsigned posLen); 1155 1156 void HandleNullChar(const char *nullCharacter); 1157 1158protected: 1159 bool HandleInvalidConversionSpecifier(unsigned argIndex, SourceLocation Loc, 1160 const char *startSpec, 1161 unsigned specifierLen, 1162 const char *csStart, unsigned csLen); 1163 1164 SourceRange getFormatStringRange(); 1165 CharSourceRange getSpecifierRange(const char *startSpecifier, 1166 unsigned specifierLen); 1167 SourceLocation getLocationOfByte(const char *x); 1168 1169 const Expr *getDataArg(unsigned i) const; 1170 1171 bool CheckNumArgs(const analyze_format_string::FormatSpecifier &FS, 1172 const analyze_format_string::ConversionSpecifier &CS, 1173 const char *startSpecifier, unsigned specifierLen, 1174 unsigned argIndex); 1175}; 1176} 1177 1178SourceRange CheckFormatHandler::getFormatStringRange() { 1179 return OrigFormatExpr->getSourceRange(); 1180} 1181 1182CharSourceRange CheckFormatHandler:: 1183getSpecifierRange(const char *startSpecifier, unsigned specifierLen) { 1184 SourceLocation Start = getLocationOfByte(startSpecifier); 1185 SourceLocation End = getLocationOfByte(startSpecifier + specifierLen - 1); 1186 1187 // Advance the end SourceLocation by one due to half-open ranges. 1188 End = End.getFileLocWithOffset(1); 1189 1190 return CharSourceRange::getCharRange(Start, End); 1191} 1192 1193SourceLocation CheckFormatHandler::getLocationOfByte(const char *x) { 1194 return S.getLocationOfStringLiteralByte(FExpr, x - Beg); 1195} 1196 1197void CheckFormatHandler::HandleIncompleteSpecifier(const char *startSpecifier, 1198 unsigned specifierLen){ 1199 SourceLocation Loc = getLocationOfByte(startSpecifier); 1200 S.Diag(Loc, diag::warn_printf_incomplete_specifier) 1201 << getSpecifierRange(startSpecifier, specifierLen); 1202} 1203 1204void 1205CheckFormatHandler::HandleInvalidPosition(const char *startPos, unsigned posLen, 1206 analyze_format_string::PositionContext p) { 1207 SourceLocation Loc = getLocationOfByte(startPos); 1208 S.Diag(Loc, diag::warn_format_invalid_positional_specifier) 1209 << (unsigned) p << getSpecifierRange(startPos, posLen); 1210} 1211 1212void CheckFormatHandler::HandleZeroPosition(const char *startPos, 1213 unsigned posLen) { 1214 SourceLocation Loc = getLocationOfByte(startPos); 1215 S.Diag(Loc, diag::warn_format_zero_positional_specifier) 1216 << getSpecifierRange(startPos, posLen); 1217} 1218 1219void CheckFormatHandler::HandleNullChar(const char *nullCharacter) { 1220 if (!IsObjCLiteral) { 1221 // The presence of a null character is likely an error. 1222 S.Diag(getLocationOfByte(nullCharacter), 1223 diag::warn_printf_format_string_contains_null_char) 1224 << getFormatStringRange(); 1225 } 1226} 1227 1228const Expr *CheckFormatHandler::getDataArg(unsigned i) const { 1229 return TheCall->getArg(FirstDataArg + i); 1230} 1231 1232void CheckFormatHandler::DoneProcessing() { 1233 // Does the number of data arguments exceed the number of 1234 // format conversions in the format string? 1235 if (!HasVAListArg) { 1236 // Find any arguments that weren't covered. 1237 CoveredArgs.flip(); 1238 signed notCoveredArg = CoveredArgs.find_first(); 1239 if (notCoveredArg >= 0) { 1240 assert((unsigned)notCoveredArg < NumDataArgs); 1241 S.Diag(getDataArg((unsigned) notCoveredArg)->getLocStart(), 1242 diag::warn_printf_data_arg_not_used) 1243 << getFormatStringRange(); 1244 } 1245 } 1246} 1247 1248bool 1249CheckFormatHandler::HandleInvalidConversionSpecifier(unsigned argIndex, 1250 SourceLocation Loc, 1251 const char *startSpec, 1252 unsigned specifierLen, 1253 const char *csStart, 1254 unsigned csLen) { 1255 1256 bool keepGoing = true; 1257 if (argIndex < NumDataArgs) { 1258 // Consider the argument coverered, even though the specifier doesn't 1259 // make sense. 1260 CoveredArgs.set(argIndex); 1261 } 1262 else { 1263 // If argIndex exceeds the number of data arguments we 1264 // don't issue a warning because that is just a cascade of warnings (and 1265 // they may have intended '%%' anyway). We don't want to continue processing 1266 // the format string after this point, however, as we will like just get 1267 // gibberish when trying to match arguments. 1268 keepGoing = false; 1269 } 1270 1271 S.Diag(Loc, diag::warn_format_invalid_conversion) 1272 << llvm::StringRef(csStart, csLen) 1273 << getSpecifierRange(startSpec, specifierLen); 1274 1275 return keepGoing; 1276} 1277 1278bool 1279CheckFormatHandler::CheckNumArgs( 1280 const analyze_format_string::FormatSpecifier &FS, 1281 const analyze_format_string::ConversionSpecifier &CS, 1282 const char *startSpecifier, unsigned specifierLen, unsigned argIndex) { 1283 1284 if (argIndex >= NumDataArgs) { 1285 if (FS.usesPositionalArg()) { 1286 S.Diag(getLocationOfByte(CS.getStart()), 1287 diag::warn_printf_positional_arg_exceeds_data_args) 1288 << (argIndex+1) << NumDataArgs 1289 << getSpecifierRange(startSpecifier, specifierLen); 1290 } 1291 else { 1292 S.Diag(getLocationOfByte(CS.getStart()), 1293 diag::warn_printf_insufficient_data_args) 1294 << getSpecifierRange(startSpecifier, specifierLen); 1295 } 1296 1297 return false; 1298 } 1299 return true; 1300} 1301 1302//===--- CHECK: Printf format string checking ------------------------------===// 1303 1304namespace { 1305class CheckPrintfHandler : public CheckFormatHandler { 1306public: 1307 CheckPrintfHandler(Sema &s, const StringLiteral *fexpr, 1308 const Expr *origFormatExpr, unsigned firstDataArg, 1309 unsigned numDataArgs, bool isObjCLiteral, 1310 const char *beg, bool hasVAListArg, 1311 const CallExpr *theCall, unsigned formatIdx) 1312 : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg, 1313 numDataArgs, isObjCLiteral, beg, hasVAListArg, 1314 theCall, formatIdx) {} 1315 1316 1317 bool HandleInvalidPrintfConversionSpecifier( 1318 const analyze_printf::PrintfSpecifier &FS, 1319 const char *startSpecifier, 1320 unsigned specifierLen); 1321 1322 bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS, 1323 const char *startSpecifier, 1324 unsigned specifierLen); 1325 1326 bool HandleAmount(const analyze_format_string::OptionalAmount &Amt, unsigned k, 1327 const char *startSpecifier, unsigned specifierLen); 1328 void HandleInvalidAmount(const analyze_printf::PrintfSpecifier &FS, 1329 const analyze_printf::OptionalAmount &Amt, 1330 unsigned type, 1331 const char *startSpecifier, unsigned specifierLen); 1332 void HandleFlag(const analyze_printf::PrintfSpecifier &FS, 1333 const analyze_printf::OptionalFlag &flag, 1334 const char *startSpecifier, unsigned specifierLen); 1335 void HandleIgnoredFlag(const analyze_printf::PrintfSpecifier &FS, 1336 const analyze_printf::OptionalFlag &ignoredFlag, 1337 const analyze_printf::OptionalFlag &flag, 1338 const char *startSpecifier, unsigned specifierLen); 1339}; 1340} 1341 1342bool CheckPrintfHandler::HandleInvalidPrintfConversionSpecifier( 1343 const analyze_printf::PrintfSpecifier &FS, 1344 const char *startSpecifier, 1345 unsigned specifierLen) { 1346 const analyze_printf::PrintfConversionSpecifier &CS = 1347 FS.getConversionSpecifier(); 1348 1349 return HandleInvalidConversionSpecifier(FS.getArgIndex(), 1350 getLocationOfByte(CS.getStart()), 1351 startSpecifier, specifierLen, 1352 CS.getStart(), CS.getLength()); 1353} 1354 1355bool CheckPrintfHandler::HandleAmount( 1356 const analyze_format_string::OptionalAmount &Amt, 1357 unsigned k, const char *startSpecifier, 1358 unsigned specifierLen) { 1359 1360 if (Amt.hasDataArgument()) { 1361 if (!HasVAListArg) { 1362 unsigned argIndex = Amt.getArgIndex(); 1363 if (argIndex >= NumDataArgs) { 1364 S.Diag(getLocationOfByte(Amt.getStart()), 1365 diag::warn_printf_asterisk_missing_arg) 1366 << k << getSpecifierRange(startSpecifier, specifierLen); 1367 // Don't do any more checking. We will just emit 1368 // spurious errors. 1369 return false; 1370 } 1371 1372 // Type check the data argument. It should be an 'int'. 1373 // Although not in conformance with C99, we also allow the argument to be 1374 // an 'unsigned int' as that is a reasonably safe case. GCC also 1375 // doesn't emit a warning for that case. 1376 CoveredArgs.set(argIndex); 1377 const Expr *Arg = getDataArg(argIndex); 1378 QualType T = Arg->getType(); 1379 1380 const analyze_printf::ArgTypeResult &ATR = Amt.getArgType(S.Context); 1381 assert(ATR.isValid()); 1382 1383 if (!ATR.matchesType(S.Context, T)) { 1384 S.Diag(getLocationOfByte(Amt.getStart()), 1385 diag::warn_printf_asterisk_wrong_type) 1386 << k 1387 << ATR.getRepresentativeType(S.Context) << T 1388 << getSpecifierRange(startSpecifier, specifierLen) 1389 << Arg->getSourceRange(); 1390 // Don't do any more checking. We will just emit 1391 // spurious errors. 1392 return false; 1393 } 1394 } 1395 } 1396 return true; 1397} 1398 1399void CheckPrintfHandler::HandleInvalidAmount( 1400 const analyze_printf::PrintfSpecifier &FS, 1401 const analyze_printf::OptionalAmount &Amt, 1402 unsigned type, 1403 const char *startSpecifier, 1404 unsigned specifierLen) { 1405 const analyze_printf::PrintfConversionSpecifier &CS = 1406 FS.getConversionSpecifier(); 1407 switch (Amt.getHowSpecified()) { 1408 case analyze_printf::OptionalAmount::Constant: 1409 S.Diag(getLocationOfByte(Amt.getStart()), 1410 diag::warn_printf_nonsensical_optional_amount) 1411 << type 1412 << CS.toString() 1413 << getSpecifierRange(startSpecifier, specifierLen) 1414 << FixItHint::CreateRemoval(getSpecifierRange(Amt.getStart(), 1415 Amt.getConstantLength())); 1416 break; 1417 1418 default: 1419 S.Diag(getLocationOfByte(Amt.getStart()), 1420 diag::warn_printf_nonsensical_optional_amount) 1421 << type 1422 << CS.toString() 1423 << getSpecifierRange(startSpecifier, specifierLen); 1424 break; 1425 } 1426} 1427 1428void CheckPrintfHandler::HandleFlag(const analyze_printf::PrintfSpecifier &FS, 1429 const analyze_printf::OptionalFlag &flag, 1430 const char *startSpecifier, 1431 unsigned specifierLen) { 1432 // Warn about pointless flag with a fixit removal. 1433 const analyze_printf::PrintfConversionSpecifier &CS = 1434 FS.getConversionSpecifier(); 1435 S.Diag(getLocationOfByte(flag.getPosition()), 1436 diag::warn_printf_nonsensical_flag) 1437 << flag.toString() << CS.toString() 1438 << getSpecifierRange(startSpecifier, specifierLen) 1439 << FixItHint::CreateRemoval(getSpecifierRange(flag.getPosition(), 1)); 1440} 1441 1442void CheckPrintfHandler::HandleIgnoredFlag( 1443 const analyze_printf::PrintfSpecifier &FS, 1444 const analyze_printf::OptionalFlag &ignoredFlag, 1445 const analyze_printf::OptionalFlag &flag, 1446 const char *startSpecifier, 1447 unsigned specifierLen) { 1448 // Warn about ignored flag with a fixit removal. 1449 S.Diag(getLocationOfByte(ignoredFlag.getPosition()), 1450 diag::warn_printf_ignored_flag) 1451 << ignoredFlag.toString() << flag.toString() 1452 << getSpecifierRange(startSpecifier, specifierLen) 1453 << FixItHint::CreateRemoval(getSpecifierRange( 1454 ignoredFlag.getPosition(), 1)); 1455} 1456 1457bool 1458CheckPrintfHandler::HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier 1459 &FS, 1460 const char *startSpecifier, 1461 unsigned specifierLen) { 1462 1463 using namespace analyze_format_string; 1464 using namespace analyze_printf; 1465 const PrintfConversionSpecifier &CS = FS.getConversionSpecifier(); 1466 1467 if (FS.consumesDataArgument()) { 1468 if (atFirstArg) { 1469 atFirstArg = false; 1470 usesPositionalArgs = FS.usesPositionalArg(); 1471 } 1472 else if (usesPositionalArgs != FS.usesPositionalArg()) { 1473 // Cannot mix-and-match positional and non-positional arguments. 1474 S.Diag(getLocationOfByte(CS.getStart()), 1475 diag::warn_format_mix_positional_nonpositional_args) 1476 << getSpecifierRange(startSpecifier, specifierLen); 1477 return false; 1478 } 1479 } 1480 1481 // First check if the field width, precision, and conversion specifier 1482 // have matching data arguments. 1483 if (!HandleAmount(FS.getFieldWidth(), /* field width */ 0, 1484 startSpecifier, specifierLen)) { 1485 return false; 1486 } 1487 1488 if (!HandleAmount(FS.getPrecision(), /* precision */ 1, 1489 startSpecifier, specifierLen)) { 1490 return false; 1491 } 1492 1493 if (!CS.consumesDataArgument()) { 1494 // FIXME: Technically specifying a precision or field width here 1495 // makes no sense. Worth issuing a warning at some point. 1496 return true; 1497 } 1498 1499 // Consume the argument. 1500 unsigned argIndex = FS.getArgIndex(); 1501 if (argIndex < NumDataArgs) { 1502 // The check to see if the argIndex is valid will come later. 1503 // We set the bit here because we may exit early from this 1504 // function if we encounter some other error. 1505 CoveredArgs.set(argIndex); 1506 } 1507 1508 // Check for using an Objective-C specific conversion specifier 1509 // in a non-ObjC literal. 1510 if (!IsObjCLiteral && CS.isObjCArg()) { 1511 return HandleInvalidPrintfConversionSpecifier(FS, startSpecifier, 1512 specifierLen); 1513 } 1514 1515 // Check for invalid use of field width 1516 if (!FS.hasValidFieldWidth()) { 1517 HandleInvalidAmount(FS, FS.getFieldWidth(), /* field width */ 0, 1518 startSpecifier, specifierLen); 1519 } 1520 1521 // Check for invalid use of precision 1522 if (!FS.hasValidPrecision()) { 1523 HandleInvalidAmount(FS, FS.getPrecision(), /* precision */ 1, 1524 startSpecifier, specifierLen); 1525 } 1526 1527 // Check each flag does not conflict with any other component. 1528 if (!FS.hasValidThousandsGroupingPrefix()) 1529 HandleFlag(FS, FS.hasThousandsGrouping(), startSpecifier, specifierLen); 1530 if (!FS.hasValidLeadingZeros()) 1531 HandleFlag(FS, FS.hasLeadingZeros(), startSpecifier, specifierLen); 1532 if (!FS.hasValidPlusPrefix()) 1533 HandleFlag(FS, FS.hasPlusPrefix(), startSpecifier, specifierLen); 1534 if (!FS.hasValidSpacePrefix()) 1535 HandleFlag(FS, FS.hasSpacePrefix(), startSpecifier, specifierLen); 1536 if (!FS.hasValidAlternativeForm()) 1537 HandleFlag(FS, FS.hasAlternativeForm(), startSpecifier, specifierLen); 1538 if (!FS.hasValidLeftJustified()) 1539 HandleFlag(FS, FS.isLeftJustified(), startSpecifier, specifierLen); 1540 1541 // Check that flags are not ignored by another flag 1542 if (FS.hasSpacePrefix() && FS.hasPlusPrefix()) // ' ' ignored by '+' 1543 HandleIgnoredFlag(FS, FS.hasSpacePrefix(), FS.hasPlusPrefix(), 1544 startSpecifier, specifierLen); 1545 if (FS.hasLeadingZeros() && FS.isLeftJustified()) // '0' ignored by '-' 1546 HandleIgnoredFlag(FS, FS.hasLeadingZeros(), FS.isLeftJustified(), 1547 startSpecifier, specifierLen); 1548 1549 // Check the length modifier is valid with the given conversion specifier. 1550 const LengthModifier &LM = FS.getLengthModifier(); 1551 if (!FS.hasValidLengthModifier()) 1552 S.Diag(getLocationOfByte(LM.getStart()), 1553 diag::warn_format_nonsensical_length) 1554 << LM.toString() << CS.toString() 1555 << getSpecifierRange(startSpecifier, specifierLen) 1556 << FixItHint::CreateRemoval(getSpecifierRange(LM.getStart(), 1557 LM.getLength())); 1558 1559 // Are we using '%n'? 1560 if (CS.getKind() == ConversionSpecifier::nArg) { 1561 // Issue a warning about this being a possible security issue. 1562 S.Diag(getLocationOfByte(CS.getStart()), diag::warn_printf_write_back) 1563 << getSpecifierRange(startSpecifier, specifierLen); 1564 // Continue checking the other format specifiers. 1565 return true; 1566 } 1567 1568 // The remaining checks depend on the data arguments. 1569 if (HasVAListArg) 1570 return true; 1571 1572 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex)) 1573 return false; 1574 1575 // Now type check the data expression that matches the 1576 // format specifier. 1577 const Expr *Ex = getDataArg(argIndex); 1578 const analyze_printf::ArgTypeResult &ATR = FS.getArgType(S.Context); 1579 if (ATR.isValid() && !ATR.matchesType(S.Context, Ex->getType())) { 1580 // Check if we didn't match because of an implicit cast from a 'char' 1581 // or 'short' to an 'int'. This is done because printf is a varargs 1582 // function. 1583 if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Ex)) 1584 if (ICE->getType() == S.Context.IntTy) { 1585 // All further checking is done on the subexpression. 1586 Ex = ICE->getSubExpr(); 1587 if (ATR.matchesType(S.Context, Ex->getType())) 1588 return true; 1589 } 1590 1591 // We may be able to offer a FixItHint if it is a supported type. 1592 PrintfSpecifier fixedFS = FS; 1593 bool success = fixedFS.fixType(Ex->getType()); 1594 1595 if (success) { 1596 // Get the fix string from the fixed format specifier 1597 llvm::SmallString<128> buf; 1598 llvm::raw_svector_ostream os(buf); 1599 fixedFS.toString(os); 1600 1601 // FIXME: getRepresentativeType() perhaps should return a string 1602 // instead of a QualType to better handle when the representative 1603 // type is 'wint_t' (which is defined in the system headers). 1604 S.Diag(getLocationOfByte(CS.getStart()), 1605 diag::warn_printf_conversion_argument_type_mismatch) 1606 << ATR.getRepresentativeType(S.Context) << Ex->getType() 1607 << getSpecifierRange(startSpecifier, specifierLen) 1608 << Ex->getSourceRange() 1609 << FixItHint::CreateReplacement( 1610 getSpecifierRange(startSpecifier, specifierLen), 1611 os.str()); 1612 } 1613 else { 1614 S.Diag(getLocationOfByte(CS.getStart()), 1615 diag::warn_printf_conversion_argument_type_mismatch) 1616 << ATR.getRepresentativeType(S.Context) << Ex->getType() 1617 << getSpecifierRange(startSpecifier, specifierLen) 1618 << Ex->getSourceRange(); 1619 } 1620 } 1621 1622 return true; 1623} 1624 1625//===--- CHECK: Scanf format string checking ------------------------------===// 1626 1627namespace { 1628class CheckScanfHandler : public CheckFormatHandler { 1629public: 1630 CheckScanfHandler(Sema &s, const StringLiteral *fexpr, 1631 const Expr *origFormatExpr, unsigned firstDataArg, 1632 unsigned numDataArgs, bool isObjCLiteral, 1633 const char *beg, bool hasVAListArg, 1634 const CallExpr *theCall, unsigned formatIdx) 1635 : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg, 1636 numDataArgs, isObjCLiteral, beg, hasVAListArg, 1637 theCall, formatIdx) {} 1638 1639 bool HandleScanfSpecifier(const analyze_scanf::ScanfSpecifier &FS, 1640 const char *startSpecifier, 1641 unsigned specifierLen); 1642 1643 bool HandleInvalidScanfConversionSpecifier( 1644 const analyze_scanf::ScanfSpecifier &FS, 1645 const char *startSpecifier, 1646 unsigned specifierLen); 1647 1648 void HandleIncompleteScanList(const char *start, const char *end); 1649}; 1650} 1651 1652void CheckScanfHandler::HandleIncompleteScanList(const char *start, 1653 const char *end) { 1654 S.Diag(getLocationOfByte(end), diag::warn_scanf_scanlist_incomplete) 1655 << getSpecifierRange(start, end - start); 1656} 1657 1658bool CheckScanfHandler::HandleInvalidScanfConversionSpecifier( 1659 const analyze_scanf::ScanfSpecifier &FS, 1660 const char *startSpecifier, 1661 unsigned specifierLen) { 1662 1663 const analyze_scanf::ScanfConversionSpecifier &CS = 1664 FS.getConversionSpecifier(); 1665 1666 return HandleInvalidConversionSpecifier(FS.getArgIndex(), 1667 getLocationOfByte(CS.getStart()), 1668 startSpecifier, specifierLen, 1669 CS.getStart(), CS.getLength()); 1670} 1671 1672bool CheckScanfHandler::HandleScanfSpecifier( 1673 const analyze_scanf::ScanfSpecifier &FS, 1674 const char *startSpecifier, 1675 unsigned specifierLen) { 1676 1677 using namespace analyze_scanf; 1678 using namespace analyze_format_string; 1679 1680 const ScanfConversionSpecifier &CS = FS.getConversionSpecifier(); 1681 1682 // Handle case where '%' and '*' don't consume an argument. These shouldn't 1683 // be used to decide if we are using positional arguments consistently. 1684 if (FS.consumesDataArgument()) { 1685 if (atFirstArg) { 1686 atFirstArg = false; 1687 usesPositionalArgs = FS.usesPositionalArg(); 1688 } 1689 else if (usesPositionalArgs != FS.usesPositionalArg()) { 1690 // Cannot mix-and-match positional and non-positional arguments. 1691 S.Diag(getLocationOfByte(CS.getStart()), 1692 diag::warn_format_mix_positional_nonpositional_args) 1693 << getSpecifierRange(startSpecifier, specifierLen); 1694 return false; 1695 } 1696 } 1697 1698 // Check if the field with is non-zero. 1699 const OptionalAmount &Amt = FS.getFieldWidth(); 1700 if (Amt.getHowSpecified() == OptionalAmount::Constant) { 1701 if (Amt.getConstantAmount() == 0) { 1702 const CharSourceRange &R = getSpecifierRange(Amt.getStart(), 1703 Amt.getConstantLength()); 1704 S.Diag(getLocationOfByte(Amt.getStart()), 1705 diag::warn_scanf_nonzero_width) 1706 << R << FixItHint::CreateRemoval(R); 1707 } 1708 } 1709 1710 if (!FS.consumesDataArgument()) { 1711 // FIXME: Technically specifying a precision or field width here 1712 // makes no sense. Worth issuing a warning at some point. 1713 return true; 1714 } 1715 1716 // Consume the argument. 1717 unsigned argIndex = FS.getArgIndex(); 1718 if (argIndex < NumDataArgs) { 1719 // The check to see if the argIndex is valid will come later. 1720 // We set the bit here because we may exit early from this 1721 // function if we encounter some other error. 1722 CoveredArgs.set(argIndex); 1723 } 1724 1725 // Check the length modifier is valid with the given conversion specifier. 1726 const LengthModifier &LM = FS.getLengthModifier(); 1727 if (!FS.hasValidLengthModifier()) { 1728 S.Diag(getLocationOfByte(LM.getStart()), 1729 diag::warn_format_nonsensical_length) 1730 << LM.toString() << CS.toString() 1731 << getSpecifierRange(startSpecifier, specifierLen) 1732 << FixItHint::CreateRemoval(getSpecifierRange(LM.getStart(), 1733 LM.getLength())); 1734 } 1735 1736 // The remaining checks depend on the data arguments. 1737 if (HasVAListArg) 1738 return true; 1739 1740 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex)) 1741 return false; 1742 1743 // FIXME: Check that the argument type matches the format specifier. 1744 1745 return true; 1746} 1747 1748void Sema::CheckFormatString(const StringLiteral *FExpr, 1749 const Expr *OrigFormatExpr, 1750 const CallExpr *TheCall, bool HasVAListArg, 1751 unsigned format_idx, unsigned firstDataArg, 1752 bool isPrintf) { 1753 1754 // CHECK: is the format string a wide literal? 1755 if (FExpr->isWide()) { 1756 Diag(FExpr->getLocStart(), 1757 diag::warn_format_string_is_wide_literal) 1758 << OrigFormatExpr->getSourceRange(); 1759 return; 1760 } 1761 1762 // Str - The format string. NOTE: this is NOT null-terminated! 1763 llvm::StringRef StrRef = FExpr->getString(); 1764 const char *Str = StrRef.data(); 1765 unsigned StrLen = StrRef.size(); 1766 1767 // CHECK: empty format string? 1768 if (StrLen == 0) { 1769 Diag(FExpr->getLocStart(), diag::warn_empty_format_string) 1770 << OrigFormatExpr->getSourceRange(); 1771 return; 1772 } 1773 1774 if (isPrintf) { 1775 CheckPrintfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, 1776 TheCall->getNumArgs() - firstDataArg, 1777 isa<ObjCStringLiteral>(OrigFormatExpr), Str, 1778 HasVAListArg, TheCall, format_idx); 1779 1780 if (!analyze_format_string::ParsePrintfString(H, Str, Str + StrLen)) 1781 H.DoneProcessing(); 1782 } 1783 else { 1784 CheckScanfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, 1785 TheCall->getNumArgs() - firstDataArg, 1786 isa<ObjCStringLiteral>(OrigFormatExpr), Str, 1787 HasVAListArg, TheCall, format_idx); 1788 1789 if (!analyze_format_string::ParseScanfString(H, Str, Str + StrLen)) 1790 H.DoneProcessing(); 1791 } 1792} 1793 1794//===--- CHECK: Return Address of Stack Variable --------------------------===// 1795 1796static Expr *EvalVal(Expr *E, llvm::SmallVectorImpl<DeclRefExpr *> &refVars); 1797static Expr *EvalAddr(Expr* E, llvm::SmallVectorImpl<DeclRefExpr *> &refVars); 1798 1799/// CheckReturnStackAddr - Check if a return statement returns the address 1800/// of a stack variable. 1801void 1802Sema::CheckReturnStackAddr(Expr *RetValExp, QualType lhsType, 1803 SourceLocation ReturnLoc) { 1804 1805 Expr *stackE = 0; 1806 llvm::SmallVector<DeclRefExpr *, 8> refVars; 1807 1808 // Perform checking for returned stack addresses, local blocks, 1809 // label addresses or references to temporaries. 1810 if (lhsType->isPointerType() || lhsType->isBlockPointerType()) { 1811 stackE = EvalAddr(RetValExp, refVars); 1812 } else if (lhsType->isReferenceType()) { 1813 stackE = EvalVal(RetValExp, refVars); 1814 } 1815 1816 if (stackE == 0) 1817 return; // Nothing suspicious was found. 1818 1819 SourceLocation diagLoc; 1820 SourceRange diagRange; 1821 if (refVars.empty()) { 1822 diagLoc = stackE->getLocStart(); 1823 diagRange = stackE->getSourceRange(); 1824 } else { 1825 // We followed through a reference variable. 'stackE' contains the 1826 // problematic expression but we will warn at the return statement pointing 1827 // at the reference variable. We will later display the "trail" of 1828 // reference variables using notes. 1829 diagLoc = refVars[0]->getLocStart(); 1830 diagRange = refVars[0]->getSourceRange(); 1831 } 1832 1833 if (DeclRefExpr *DR = dyn_cast<DeclRefExpr>(stackE)) { //address of local var. 1834 Diag(diagLoc, lhsType->isReferenceType() ? diag::warn_ret_stack_ref 1835 : diag::warn_ret_stack_addr) 1836 << DR->getDecl()->getDeclName() << diagRange; 1837 } else if (isa<BlockExpr>(stackE)) { // local block. 1838 Diag(diagLoc, diag::err_ret_local_block) << diagRange; 1839 } else if (isa<AddrLabelExpr>(stackE)) { // address of label. 1840 Diag(diagLoc, diag::warn_ret_addr_label) << diagRange; 1841 } else { // local temporary. 1842 Diag(diagLoc, lhsType->isReferenceType() ? diag::warn_ret_local_temp_ref 1843 : diag::warn_ret_local_temp_addr) 1844 << diagRange; 1845 } 1846 1847 // Display the "trail" of reference variables that we followed until we 1848 // found the problematic expression using notes. 1849 for (unsigned i = 0, e = refVars.size(); i != e; ++i) { 1850 VarDecl *VD = cast<VarDecl>(refVars[i]->getDecl()); 1851 // If this var binds to another reference var, show the range of the next 1852 // var, otherwise the var binds to the problematic expression, in which case 1853 // show the range of the expression. 1854 SourceRange range = (i < e-1) ? refVars[i+1]->getSourceRange() 1855 : stackE->getSourceRange(); 1856 Diag(VD->getLocation(), diag::note_ref_var_local_bind) 1857 << VD->getDeclName() << range; 1858 } 1859} 1860 1861/// EvalAddr - EvalAddr and EvalVal are mutually recursive functions that 1862/// check if the expression in a return statement evaluates to an address 1863/// to a location on the stack, a local block, an address of a label, or a 1864/// reference to local temporary. The recursion is used to traverse the 1865/// AST of the return expression, with recursion backtracking when we 1866/// encounter a subexpression that (1) clearly does not lead to one of the 1867/// above problematic expressions (2) is something we cannot determine leads to 1868/// a problematic expression based on such local checking. 1869/// 1870/// Both EvalAddr and EvalVal follow through reference variables to evaluate 1871/// the expression that they point to. Such variables are added to the 1872/// 'refVars' vector so that we know what the reference variable "trail" was. 1873/// 1874/// EvalAddr processes expressions that are pointers that are used as 1875/// references (and not L-values). EvalVal handles all other values. 1876/// At the base case of the recursion is a check for the above problematic 1877/// expressions. 1878/// 1879/// This implementation handles: 1880/// 1881/// * pointer-to-pointer casts 1882/// * implicit conversions from array references to pointers 1883/// * taking the address of fields 1884/// * arbitrary interplay between "&" and "*" operators 1885/// * pointer arithmetic from an address of a stack variable 1886/// * taking the address of an array element where the array is on the stack 1887static Expr *EvalAddr(Expr *E, llvm::SmallVectorImpl<DeclRefExpr *> &refVars) { 1888 if (E->isTypeDependent()) 1889 return NULL; 1890 1891 // We should only be called for evaluating pointer expressions. 1892 assert((E->getType()->isAnyPointerType() || 1893 E->getType()->isBlockPointerType() || 1894 E->getType()->isObjCQualifiedIdType()) && 1895 "EvalAddr only works on pointers"); 1896 1897 // Our "symbolic interpreter" is just a dispatch off the currently 1898 // viewed AST node. We then recursively traverse the AST by calling 1899 // EvalAddr and EvalVal appropriately. 1900 switch (E->getStmtClass()) { 1901 case Stmt::ParenExprClass: 1902 // Ignore parentheses. 1903 return EvalAddr(cast<ParenExpr>(E)->getSubExpr(), refVars); 1904 1905 case Stmt::DeclRefExprClass: { 1906 DeclRefExpr *DR = cast<DeclRefExpr>(E); 1907 1908 if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) 1909 // If this is a reference variable, follow through to the expression that 1910 // it points to. 1911 if (V->hasLocalStorage() && 1912 V->getType()->isReferenceType() && V->hasInit()) { 1913 // Add the reference variable to the "trail". 1914 refVars.push_back(DR); 1915 return EvalAddr(V->getInit(), refVars); 1916 } 1917 1918 return NULL; 1919 } 1920 1921 case Stmt::UnaryOperatorClass: { 1922 // The only unary operator that make sense to handle here 1923 // is AddrOf. All others don't make sense as pointers. 1924 UnaryOperator *U = cast<UnaryOperator>(E); 1925 1926 if (U->getOpcode() == UO_AddrOf) 1927 return EvalVal(U->getSubExpr(), refVars); 1928 else 1929 return NULL; 1930 } 1931 1932 case Stmt::BinaryOperatorClass: { 1933 // Handle pointer arithmetic. All other binary operators are not valid 1934 // in this context. 1935 BinaryOperator *B = cast<BinaryOperator>(E); 1936 BinaryOperatorKind op = B->getOpcode(); 1937 1938 if (op != BO_Add && op != BO_Sub) 1939 return NULL; 1940 1941 Expr *Base = B->getLHS(); 1942 1943 // Determine which argument is the real pointer base. It could be 1944 // the RHS argument instead of the LHS. 1945 if (!Base->getType()->isPointerType()) Base = B->getRHS(); 1946 1947 assert (Base->getType()->isPointerType()); 1948 return EvalAddr(Base, refVars); 1949 } 1950 1951 // For conditional operators we need to see if either the LHS or RHS are 1952 // valid DeclRefExpr*s. If one of them is valid, we return it. 1953 case Stmt::ConditionalOperatorClass: { 1954 ConditionalOperator *C = cast<ConditionalOperator>(E); 1955 1956 // Handle the GNU extension for missing LHS. 1957 if (Expr *lhsExpr = C->getLHS()) { 1958 // In C++, we can have a throw-expression, which has 'void' type. 1959 if (!lhsExpr->getType()->isVoidType()) 1960 if (Expr* LHS = EvalAddr(lhsExpr, refVars)) 1961 return LHS; 1962 } 1963 1964 // In C++, we can have a throw-expression, which has 'void' type. 1965 if (C->getRHS()->getType()->isVoidType()) 1966 return NULL; 1967 1968 return EvalAddr(C->getRHS(), refVars); 1969 } 1970 1971 case Stmt::BlockExprClass: 1972 if (cast<BlockExpr>(E)->getBlockDecl()->hasCaptures()) 1973 return E; // local block. 1974 return NULL; 1975 1976 case Stmt::AddrLabelExprClass: 1977 return E; // address of label. 1978 1979 // For casts, we need to handle conversions from arrays to 1980 // pointer values, and pointer-to-pointer conversions. 1981 case Stmt::ImplicitCastExprClass: 1982 case Stmt::CStyleCastExprClass: 1983 case Stmt::CXXFunctionalCastExprClass: { 1984 Expr* SubExpr = cast<CastExpr>(E)->getSubExpr(); 1985 QualType T = SubExpr->getType(); 1986 1987 if (SubExpr->getType()->isPointerType() || 1988 SubExpr->getType()->isBlockPointerType() || 1989 SubExpr->getType()->isObjCQualifiedIdType()) 1990 return EvalAddr(SubExpr, refVars); 1991 else if (T->isArrayType()) 1992 return EvalVal(SubExpr, refVars); 1993 else 1994 return 0; 1995 } 1996 1997 // C++ casts. For dynamic casts, static casts, and const casts, we 1998 // are always converting from a pointer-to-pointer, so we just blow 1999 // through the cast. In the case the dynamic cast doesn't fail (and 2000 // return NULL), we take the conservative route and report cases 2001 // where we return the address of a stack variable. For Reinterpre 2002 // FIXME: The comment about is wrong; we're not always converting 2003 // from pointer to pointer. I'm guessing that this code should also 2004 // handle references to objects. 2005 case Stmt::CXXStaticCastExprClass: 2006 case Stmt::CXXDynamicCastExprClass: 2007 case Stmt::CXXConstCastExprClass: 2008 case Stmt::CXXReinterpretCastExprClass: { 2009 Expr *S = cast<CXXNamedCastExpr>(E)->getSubExpr(); 2010 if (S->getType()->isPointerType() || S->getType()->isBlockPointerType()) 2011 return EvalAddr(S, refVars); 2012 else 2013 return NULL; 2014 } 2015 2016 // Everything else: we simply don't reason about them. 2017 default: 2018 return NULL; 2019 } 2020} 2021 2022 2023/// EvalVal - This function is complements EvalAddr in the mutual recursion. 2024/// See the comments for EvalAddr for more details. 2025static Expr *EvalVal(Expr *E, llvm::SmallVectorImpl<DeclRefExpr *> &refVars) { 2026do { 2027 // We should only be called for evaluating non-pointer expressions, or 2028 // expressions with a pointer type that are not used as references but instead 2029 // are l-values (e.g., DeclRefExpr with a pointer type). 2030 2031 // Our "symbolic interpreter" is just a dispatch off the currently 2032 // viewed AST node. We then recursively traverse the AST by calling 2033 // EvalAddr and EvalVal appropriately. 2034 switch (E->getStmtClass()) { 2035 case Stmt::ImplicitCastExprClass: { 2036 ImplicitCastExpr *IE = cast<ImplicitCastExpr>(E); 2037 if (IE->getValueKind() == VK_LValue) { 2038 E = IE->getSubExpr(); 2039 continue; 2040 } 2041 return NULL; 2042 } 2043 2044 case Stmt::DeclRefExprClass: { 2045 // When we hit a DeclRefExpr we are looking at code that refers to a 2046 // variable's name. If it's not a reference variable we check if it has 2047 // local storage within the function, and if so, return the expression. 2048 DeclRefExpr *DR = cast<DeclRefExpr>(E); 2049 2050 if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) 2051 if (V->hasLocalStorage()) { 2052 if (!V->getType()->isReferenceType()) 2053 return DR; 2054 2055 // Reference variable, follow through to the expression that 2056 // it points to. 2057 if (V->hasInit()) { 2058 // Add the reference variable to the "trail". 2059 refVars.push_back(DR); 2060 return EvalVal(V->getInit(), refVars); 2061 } 2062 } 2063 2064 return NULL; 2065 } 2066 2067 case Stmt::ParenExprClass: { 2068 // Ignore parentheses. 2069 E = cast<ParenExpr>(E)->getSubExpr(); 2070 continue; 2071 } 2072 2073 case Stmt::UnaryOperatorClass: { 2074 // The only unary operator that make sense to handle here 2075 // is Deref. All others don't resolve to a "name." This includes 2076 // handling all sorts of rvalues passed to a unary operator. 2077 UnaryOperator *U = cast<UnaryOperator>(E); 2078 2079 if (U->getOpcode() == UO_Deref) 2080 return EvalAddr(U->getSubExpr(), refVars); 2081 2082 return NULL; 2083 } 2084 2085 case Stmt::ArraySubscriptExprClass: { 2086 // Array subscripts are potential references to data on the stack. We 2087 // retrieve the DeclRefExpr* for the array variable if it indeed 2088 // has local storage. 2089 return EvalAddr(cast<ArraySubscriptExpr>(E)->getBase(), refVars); 2090 } 2091 2092 case Stmt::ConditionalOperatorClass: { 2093 // For conditional operators we need to see if either the LHS or RHS are 2094 // non-NULL Expr's. If one is non-NULL, we return it. 2095 ConditionalOperator *C = cast<ConditionalOperator>(E); 2096 2097 // Handle the GNU extension for missing LHS. 2098 if (Expr *lhsExpr = C->getLHS()) 2099 if (Expr *LHS = EvalVal(lhsExpr, refVars)) 2100 return LHS; 2101 2102 return EvalVal(C->getRHS(), refVars); 2103 } 2104 2105 // Accesses to members are potential references to data on the stack. 2106 case Stmt::MemberExprClass: { 2107 MemberExpr *M = cast<MemberExpr>(E); 2108 2109 // Check for indirect access. We only want direct field accesses. 2110 if (M->isArrow()) 2111 return NULL; 2112 2113 // Check whether the member type is itself a reference, in which case 2114 // we're not going to refer to the member, but to what the member refers to. 2115 if (M->getMemberDecl()->getType()->isReferenceType()) 2116 return NULL; 2117 2118 return EvalVal(M->getBase(), refVars); 2119 } 2120 2121 default: 2122 // Check that we don't return or take the address of a reference to a 2123 // temporary. This is only useful in C++. 2124 if (!E->isTypeDependent() && E->isRValue()) 2125 return E; 2126 2127 // Everything else: we simply don't reason about them. 2128 return NULL; 2129 } 2130} while (true); 2131} 2132 2133//===--- CHECK: Floating-Point comparisons (-Wfloat-equal) ---------------===// 2134 2135/// Check for comparisons of floating point operands using != and ==. 2136/// Issue a warning if these are no self-comparisons, as they are not likely 2137/// to do what the programmer intended. 2138void Sema::CheckFloatComparison(SourceLocation loc, Expr* lex, Expr *rex) { 2139 bool EmitWarning = true; 2140 2141 Expr* LeftExprSansParen = lex->IgnoreParenImpCasts(); 2142 Expr* RightExprSansParen = rex->IgnoreParenImpCasts(); 2143 2144 // Special case: check for x == x (which is OK). 2145 // Do not emit warnings for such cases. 2146 if (DeclRefExpr* DRL = dyn_cast<DeclRefExpr>(LeftExprSansParen)) 2147 if (DeclRefExpr* DRR = dyn_cast<DeclRefExpr>(RightExprSansParen)) 2148 if (DRL->getDecl() == DRR->getDecl()) 2149 EmitWarning = false; 2150 2151 2152 // Special case: check for comparisons against literals that can be exactly 2153 // represented by APFloat. In such cases, do not emit a warning. This 2154 // is a heuristic: often comparison against such literals are used to 2155 // detect if a value in a variable has not changed. This clearly can 2156 // lead to false negatives. 2157 if (EmitWarning) { 2158 if (FloatingLiteral* FLL = dyn_cast<FloatingLiteral>(LeftExprSansParen)) { 2159 if (FLL->isExact()) 2160 EmitWarning = false; 2161 } else 2162 if (FloatingLiteral* FLR = dyn_cast<FloatingLiteral>(RightExprSansParen)){ 2163 if (FLR->isExact()) 2164 EmitWarning = false; 2165 } 2166 } 2167 2168 // Check for comparisons with builtin types. 2169 if (EmitWarning) 2170 if (CallExpr* CL = dyn_cast<CallExpr>(LeftExprSansParen)) 2171 if (CL->isBuiltinCall(Context)) 2172 EmitWarning = false; 2173 2174 if (EmitWarning) 2175 if (CallExpr* CR = dyn_cast<CallExpr>(RightExprSansParen)) 2176 if (CR->isBuiltinCall(Context)) 2177 EmitWarning = false; 2178 2179 // Emit the diagnostic. 2180 if (EmitWarning) 2181 Diag(loc, diag::warn_floatingpoint_eq) 2182 << lex->getSourceRange() << rex->getSourceRange(); 2183} 2184 2185//===--- CHECK: Integer mixed-sign comparisons (-Wsign-compare) --------===// 2186//===--- CHECK: Lossy implicit conversions (-Wconversion) --------------===// 2187 2188namespace { 2189 2190/// Structure recording the 'active' range of an integer-valued 2191/// expression. 2192struct IntRange { 2193 /// The number of bits active in the int. 2194 unsigned Width; 2195 2196 /// True if the int is known not to have negative values. 2197 bool NonNegative; 2198 2199 IntRange(unsigned Width, bool NonNegative) 2200 : Width(Width), NonNegative(NonNegative) 2201 {} 2202 2203 /// Returns the range of the bool type. 2204 static IntRange forBoolType() { 2205 return IntRange(1, true); 2206 } 2207 2208 /// Returns the range of an opaque value of the given integral type. 2209 static IntRange forValueOfType(ASTContext &C, QualType T) { 2210 return forValueOfCanonicalType(C, 2211 T->getCanonicalTypeInternal().getTypePtr()); 2212 } 2213 2214 /// Returns the range of an opaque value of a canonical integral type. 2215 static IntRange forValueOfCanonicalType(ASTContext &C, const Type *T) { 2216 assert(T->isCanonicalUnqualified()); 2217 2218 if (const VectorType *VT = dyn_cast<VectorType>(T)) 2219 T = VT->getElementType().getTypePtr(); 2220 if (const ComplexType *CT = dyn_cast<ComplexType>(T)) 2221 T = CT->getElementType().getTypePtr(); 2222 2223 // For enum types, use the known bit width of the enumerators. 2224 if (const EnumType *ET = dyn_cast<EnumType>(T)) { 2225 EnumDecl *Enum = ET->getDecl(); 2226 if (!Enum->isDefinition()) 2227 return IntRange(C.getIntWidth(QualType(T, 0)), false); 2228 2229 unsigned NumPositive = Enum->getNumPositiveBits(); 2230 unsigned NumNegative = Enum->getNumNegativeBits(); 2231 2232 return IntRange(std::max(NumPositive, NumNegative), NumNegative == 0); 2233 } 2234 2235 const BuiltinType *BT = cast<BuiltinType>(T); 2236 assert(BT->isInteger()); 2237 2238 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); 2239 } 2240 2241 /// Returns the "target" range of a canonical integral type, i.e. 2242 /// the range of values expressible in the type. 2243 /// 2244 /// This matches forValueOfCanonicalType except that enums have the 2245 /// full range of their type, not the range of their enumerators. 2246 static IntRange forTargetOfCanonicalType(ASTContext &C, const Type *T) { 2247 assert(T->isCanonicalUnqualified()); 2248 2249 if (const VectorType *VT = dyn_cast<VectorType>(T)) 2250 T = VT->getElementType().getTypePtr(); 2251 if (const ComplexType *CT = dyn_cast<ComplexType>(T)) 2252 T = CT->getElementType().getTypePtr(); 2253 if (const EnumType *ET = dyn_cast<EnumType>(T)) 2254 T = ET->getDecl()->getIntegerType().getTypePtr(); 2255 2256 const BuiltinType *BT = cast<BuiltinType>(T); 2257 assert(BT->isInteger()); 2258 2259 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); 2260 } 2261 2262 /// Returns the supremum of two ranges: i.e. their conservative merge. 2263 static IntRange join(IntRange L, IntRange R) { 2264 return IntRange(std::max(L.Width, R.Width), 2265 L.NonNegative && R.NonNegative); 2266 } 2267 2268 /// Returns the infinum of two ranges: i.e. their aggressive merge. 2269 static IntRange meet(IntRange L, IntRange R) { 2270 return IntRange(std::min(L.Width, R.Width), 2271 L.NonNegative || R.NonNegative); 2272 } 2273}; 2274 2275IntRange GetValueRange(ASTContext &C, llvm::APSInt &value, unsigned MaxWidth) { 2276 if (value.isSigned() && value.isNegative()) 2277 return IntRange(value.getMinSignedBits(), false); 2278 2279 if (value.getBitWidth() > MaxWidth) 2280 value = value.trunc(MaxWidth); 2281 2282 // isNonNegative() just checks the sign bit without considering 2283 // signedness. 2284 return IntRange(value.getActiveBits(), true); 2285} 2286 2287IntRange GetValueRange(ASTContext &C, APValue &result, QualType Ty, 2288 unsigned MaxWidth) { 2289 if (result.isInt()) 2290 return GetValueRange(C, result.getInt(), MaxWidth); 2291 2292 if (result.isVector()) { 2293 IntRange R = GetValueRange(C, result.getVectorElt(0), Ty, MaxWidth); 2294 for (unsigned i = 1, e = result.getVectorLength(); i != e; ++i) { 2295 IntRange El = GetValueRange(C, result.getVectorElt(i), Ty, MaxWidth); 2296 R = IntRange::join(R, El); 2297 } 2298 return R; 2299 } 2300 2301 if (result.isComplexInt()) { 2302 IntRange R = GetValueRange(C, result.getComplexIntReal(), MaxWidth); 2303 IntRange I = GetValueRange(C, result.getComplexIntImag(), MaxWidth); 2304 return IntRange::join(R, I); 2305 } 2306 2307 // This can happen with lossless casts to intptr_t of "based" lvalues. 2308 // Assume it might use arbitrary bits. 2309 // FIXME: The only reason we need to pass the type in here is to get 2310 // the sign right on this one case. It would be nice if APValue 2311 // preserved this. 2312 assert(result.isLValue()); 2313 return IntRange(MaxWidth, Ty->isUnsignedIntegerType()); 2314} 2315 2316/// Pseudo-evaluate the given integer expression, estimating the 2317/// range of values it might take. 2318/// 2319/// \param MaxWidth - the width to which the value will be truncated 2320IntRange GetExprRange(ASTContext &C, Expr *E, unsigned MaxWidth) { 2321 E = E->IgnoreParens(); 2322 2323 // Try a full evaluation first. 2324 Expr::EvalResult result; 2325 if (E->Evaluate(result, C)) 2326 return GetValueRange(C, result.Val, E->getType(), MaxWidth); 2327 2328 // I think we only want to look through implicit casts here; if the 2329 // user has an explicit widening cast, we should treat the value as 2330 // being of the new, wider type. 2331 if (ImplicitCastExpr *CE = dyn_cast<ImplicitCastExpr>(E)) { 2332 if (CE->getCastKind() == CK_NoOp) 2333 return GetExprRange(C, CE->getSubExpr(), MaxWidth); 2334 2335 IntRange OutputTypeRange = IntRange::forValueOfType(C, CE->getType()); 2336 2337 bool isIntegerCast = (CE->getCastKind() == CK_IntegralCast); 2338 2339 // Assume that non-integer casts can span the full range of the type. 2340 if (!isIntegerCast) 2341 return OutputTypeRange; 2342 2343 IntRange SubRange 2344 = GetExprRange(C, CE->getSubExpr(), 2345 std::min(MaxWidth, OutputTypeRange.Width)); 2346 2347 // Bail out if the subexpr's range is as wide as the cast type. 2348 if (SubRange.Width >= OutputTypeRange.Width) 2349 return OutputTypeRange; 2350 2351 // Otherwise, we take the smaller width, and we're non-negative if 2352 // either the output type or the subexpr is. 2353 return IntRange(SubRange.Width, 2354 SubRange.NonNegative || OutputTypeRange.NonNegative); 2355 } 2356 2357 if (ConditionalOperator *CO = dyn_cast<ConditionalOperator>(E)) { 2358 // If we can fold the condition, just take that operand. 2359 bool CondResult; 2360 if (CO->getCond()->EvaluateAsBooleanCondition(CondResult, C)) 2361 return GetExprRange(C, CondResult ? CO->getTrueExpr() 2362 : CO->getFalseExpr(), 2363 MaxWidth); 2364 2365 // Otherwise, conservatively merge. 2366 IntRange L = GetExprRange(C, CO->getTrueExpr(), MaxWidth); 2367 IntRange R = GetExprRange(C, CO->getFalseExpr(), MaxWidth); 2368 return IntRange::join(L, R); 2369 } 2370 2371 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 2372 switch (BO->getOpcode()) { 2373 2374 // Boolean-valued operations are single-bit and positive. 2375 case BO_LAnd: 2376 case BO_LOr: 2377 case BO_LT: 2378 case BO_GT: 2379 case BO_LE: 2380 case BO_GE: 2381 case BO_EQ: 2382 case BO_NE: 2383 return IntRange::forBoolType(); 2384 2385 // The type of these compound assignments is the type of the LHS, 2386 // so the RHS is not necessarily an integer. 2387 case BO_MulAssign: 2388 case BO_DivAssign: 2389 case BO_RemAssign: 2390 case BO_AddAssign: 2391 case BO_SubAssign: 2392 return IntRange::forValueOfType(C, E->getType()); 2393 2394 // Operations with opaque sources are black-listed. 2395 case BO_PtrMemD: 2396 case BO_PtrMemI: 2397 return IntRange::forValueOfType(C, E->getType()); 2398 2399 // Bitwise-and uses the *infinum* of the two source ranges. 2400 case BO_And: 2401 case BO_AndAssign: 2402 return IntRange::meet(GetExprRange(C, BO->getLHS(), MaxWidth), 2403 GetExprRange(C, BO->getRHS(), MaxWidth)); 2404 2405 // Left shift gets black-listed based on a judgement call. 2406 case BO_Shl: 2407 // ...except that we want to treat '1 << (blah)' as logically 2408 // positive. It's an important idiom. 2409 if (IntegerLiteral *I 2410 = dyn_cast<IntegerLiteral>(BO->getLHS()->IgnoreParenCasts())) { 2411 if (I->getValue() == 1) { 2412 IntRange R = IntRange::forValueOfType(C, E->getType()); 2413 return IntRange(R.Width, /*NonNegative*/ true); 2414 } 2415 } 2416 // fallthrough 2417 2418 case BO_ShlAssign: 2419 return IntRange::forValueOfType(C, E->getType()); 2420 2421 // Right shift by a constant can narrow its left argument. 2422 case BO_Shr: 2423 case BO_ShrAssign: { 2424 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 2425 2426 // If the shift amount is a positive constant, drop the width by 2427 // that much. 2428 llvm::APSInt shift; 2429 if (BO->getRHS()->isIntegerConstantExpr(shift, C) && 2430 shift.isNonNegative()) { 2431 unsigned zext = shift.getZExtValue(); 2432 if (zext >= L.Width) 2433 L.Width = (L.NonNegative ? 0 : 1); 2434 else 2435 L.Width -= zext; 2436 } 2437 2438 return L; 2439 } 2440 2441 // Comma acts as its right operand. 2442 case BO_Comma: 2443 return GetExprRange(C, BO->getRHS(), MaxWidth); 2444 2445 // Black-list pointer subtractions. 2446 case BO_Sub: 2447 if (BO->getLHS()->getType()->isPointerType()) 2448 return IntRange::forValueOfType(C, E->getType()); 2449 // fallthrough 2450 2451 default: 2452 break; 2453 } 2454 2455 // Treat every other operator as if it were closed on the 2456 // narrowest type that encompasses both operands. 2457 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 2458 IntRange R = GetExprRange(C, BO->getRHS(), MaxWidth); 2459 return IntRange::join(L, R); 2460 } 2461 2462 if (UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) { 2463 switch (UO->getOpcode()) { 2464 // Boolean-valued operations are white-listed. 2465 case UO_LNot: 2466 return IntRange::forBoolType(); 2467 2468 // Operations with opaque sources are black-listed. 2469 case UO_Deref: 2470 case UO_AddrOf: // should be impossible 2471 return IntRange::forValueOfType(C, E->getType()); 2472 2473 default: 2474 return GetExprRange(C, UO->getSubExpr(), MaxWidth); 2475 } 2476 } 2477 2478 if (dyn_cast<OffsetOfExpr>(E)) { 2479 IntRange::forValueOfType(C, E->getType()); 2480 } 2481 2482 FieldDecl *BitField = E->getBitField(); 2483 if (BitField) { 2484 llvm::APSInt BitWidthAP = BitField->getBitWidth()->EvaluateAsInt(C); 2485 unsigned BitWidth = BitWidthAP.getZExtValue(); 2486 2487 return IntRange(BitWidth, BitField->getType()->isUnsignedIntegerType()); 2488 } 2489 2490 return IntRange::forValueOfType(C, E->getType()); 2491} 2492 2493IntRange GetExprRange(ASTContext &C, Expr *E) { 2494 return GetExprRange(C, E, C.getIntWidth(E->getType())); 2495} 2496 2497/// Checks whether the given value, which currently has the given 2498/// source semantics, has the same value when coerced through the 2499/// target semantics. 2500bool IsSameFloatAfterCast(const llvm::APFloat &value, 2501 const llvm::fltSemantics &Src, 2502 const llvm::fltSemantics &Tgt) { 2503 llvm::APFloat truncated = value; 2504 2505 bool ignored; 2506 truncated.convert(Src, llvm::APFloat::rmNearestTiesToEven, &ignored); 2507 truncated.convert(Tgt, llvm::APFloat::rmNearestTiesToEven, &ignored); 2508 2509 return truncated.bitwiseIsEqual(value); 2510} 2511 2512/// Checks whether the given value, which currently has the given 2513/// source semantics, has the same value when coerced through the 2514/// target semantics. 2515/// 2516/// The value might be a vector of floats (or a complex number). 2517bool IsSameFloatAfterCast(const APValue &value, 2518 const llvm::fltSemantics &Src, 2519 const llvm::fltSemantics &Tgt) { 2520 if (value.isFloat()) 2521 return IsSameFloatAfterCast(value.getFloat(), Src, Tgt); 2522 2523 if (value.isVector()) { 2524 for (unsigned i = 0, e = value.getVectorLength(); i != e; ++i) 2525 if (!IsSameFloatAfterCast(value.getVectorElt(i), Src, Tgt)) 2526 return false; 2527 return true; 2528 } 2529 2530 assert(value.isComplexFloat()); 2531 return (IsSameFloatAfterCast(value.getComplexFloatReal(), Src, Tgt) && 2532 IsSameFloatAfterCast(value.getComplexFloatImag(), Src, Tgt)); 2533} 2534 2535void AnalyzeImplicitConversions(Sema &S, Expr *E, SourceLocation CC); 2536 2537static bool IsZero(Sema &S, Expr *E) { 2538 // Suppress cases where we are comparing against an enum constant. 2539 if (const DeclRefExpr *DR = 2540 dyn_cast<DeclRefExpr>(E->IgnoreParenImpCasts())) 2541 if (isa<EnumConstantDecl>(DR->getDecl())) 2542 return false; 2543 2544 // Suppress cases where the '0' value is expanded from a macro. 2545 if (E->getLocStart().isMacroID()) 2546 return false; 2547 2548 llvm::APSInt Value; 2549 return E->isIntegerConstantExpr(Value, S.Context) && Value == 0; 2550} 2551 2552static bool HasEnumType(Expr *E) { 2553 // Strip off implicit integral promotions. 2554 while (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) { 2555 if (ICE->getCastKind() != CK_IntegralCast && 2556 ICE->getCastKind() != CK_NoOp) 2557 break; 2558 E = ICE->getSubExpr(); 2559 } 2560 2561 return E->getType()->isEnumeralType(); 2562} 2563 2564void CheckTrivialUnsignedComparison(Sema &S, BinaryOperator *E) { 2565 BinaryOperatorKind op = E->getOpcode(); 2566 if (E->isValueDependent()) 2567 return; 2568 2569 if (op == BO_LT && IsZero(S, E->getRHS())) { 2570 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 2571 << "< 0" << "false" << HasEnumType(E->getLHS()) 2572 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 2573 } else if (op == BO_GE && IsZero(S, E->getRHS())) { 2574 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 2575 << ">= 0" << "true" << HasEnumType(E->getLHS()) 2576 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 2577 } else if (op == BO_GT && IsZero(S, E->getLHS())) { 2578 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 2579 << "0 >" << "false" << HasEnumType(E->getRHS()) 2580 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 2581 } else if (op == BO_LE && IsZero(S, E->getLHS())) { 2582 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 2583 << "0 <=" << "true" << HasEnumType(E->getRHS()) 2584 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 2585 } 2586} 2587 2588/// Analyze the operands of the given comparison. Implements the 2589/// fallback case from AnalyzeComparison. 2590void AnalyzeImpConvsInComparison(Sema &S, BinaryOperator *E) { 2591 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc()); 2592 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc()); 2593} 2594 2595/// \brief Implements -Wsign-compare. 2596/// 2597/// \param lex the left-hand expression 2598/// \param rex the right-hand expression 2599/// \param OpLoc the location of the joining operator 2600/// \param BinOpc binary opcode or 0 2601void AnalyzeComparison(Sema &S, BinaryOperator *E) { 2602 // The type the comparison is being performed in. 2603 QualType T = E->getLHS()->getType(); 2604 assert(S.Context.hasSameUnqualifiedType(T, E->getRHS()->getType()) 2605 && "comparison with mismatched types"); 2606 2607 // We don't do anything special if this isn't an unsigned integral 2608 // comparison: we're only interested in integral comparisons, and 2609 // signed comparisons only happen in cases we don't care to warn about. 2610 // 2611 // We also don't care about value-dependent expressions or expressions 2612 // whose result is a constant. 2613 if (!T->hasUnsignedIntegerRepresentation() 2614 || E->isValueDependent() || E->isIntegerConstantExpr(S.Context)) 2615 return AnalyzeImpConvsInComparison(S, E); 2616 2617 Expr *lex = E->getLHS()->IgnoreParenImpCasts(); 2618 Expr *rex = E->getRHS()->IgnoreParenImpCasts(); 2619 2620 // Check to see if one of the (unmodified) operands is of different 2621 // signedness. 2622 Expr *signedOperand, *unsignedOperand; 2623 if (lex->getType()->hasSignedIntegerRepresentation()) { 2624 assert(!rex->getType()->hasSignedIntegerRepresentation() && 2625 "unsigned comparison between two signed integer expressions?"); 2626 signedOperand = lex; 2627 unsignedOperand = rex; 2628 } else if (rex->getType()->hasSignedIntegerRepresentation()) { 2629 signedOperand = rex; 2630 unsignedOperand = lex; 2631 } else { 2632 CheckTrivialUnsignedComparison(S, E); 2633 return AnalyzeImpConvsInComparison(S, E); 2634 } 2635 2636 // Otherwise, calculate the effective range of the signed operand. 2637 IntRange signedRange = GetExprRange(S.Context, signedOperand); 2638 2639 // Go ahead and analyze implicit conversions in the operands. Note 2640 // that we skip the implicit conversions on both sides. 2641 AnalyzeImplicitConversions(S, lex, E->getOperatorLoc()); 2642 AnalyzeImplicitConversions(S, rex, E->getOperatorLoc()); 2643 2644 // If the signed range is non-negative, -Wsign-compare won't fire, 2645 // but we should still check for comparisons which are always true 2646 // or false. 2647 if (signedRange.NonNegative) 2648 return CheckTrivialUnsignedComparison(S, E); 2649 2650 // For (in)equality comparisons, if the unsigned operand is a 2651 // constant which cannot collide with a overflowed signed operand, 2652 // then reinterpreting the signed operand as unsigned will not 2653 // change the result of the comparison. 2654 if (E->isEqualityOp()) { 2655 unsigned comparisonWidth = S.Context.getIntWidth(T); 2656 IntRange unsignedRange = GetExprRange(S.Context, unsignedOperand); 2657 2658 // We should never be unable to prove that the unsigned operand is 2659 // non-negative. 2660 assert(unsignedRange.NonNegative && "unsigned range includes negative?"); 2661 2662 if (unsignedRange.Width < comparisonWidth) 2663 return; 2664 } 2665 2666 S.Diag(E->getOperatorLoc(), diag::warn_mixed_sign_comparison) 2667 << lex->getType() << rex->getType() 2668 << lex->getSourceRange() << rex->getSourceRange(); 2669} 2670 2671/// Analyzes an attempt to assign the given value to a bitfield. 2672/// 2673/// Returns true if there was something fishy about the attempt. 2674bool AnalyzeBitFieldAssignment(Sema &S, FieldDecl *Bitfield, Expr *Init, 2675 SourceLocation InitLoc) { 2676 assert(Bitfield->isBitField()); 2677 if (Bitfield->isInvalidDecl()) 2678 return false; 2679 2680 // White-list bool bitfields. 2681 if (Bitfield->getType()->isBooleanType()) 2682 return false; 2683 2684 // Ignore value- or type-dependent expressions. 2685 if (Bitfield->getBitWidth()->isValueDependent() || 2686 Bitfield->getBitWidth()->isTypeDependent() || 2687 Init->isValueDependent() || 2688 Init->isTypeDependent()) 2689 return false; 2690 2691 Expr *OriginalInit = Init->IgnoreParenImpCasts(); 2692 2693 llvm::APSInt Width(32); 2694 Expr::EvalResult InitValue; 2695 if (!Bitfield->getBitWidth()->isIntegerConstantExpr(Width, S.Context) || 2696 !OriginalInit->Evaluate(InitValue, S.Context) || 2697 !InitValue.Val.isInt()) 2698 return false; 2699 2700 const llvm::APSInt &Value = InitValue.Val.getInt(); 2701 unsigned OriginalWidth = Value.getBitWidth(); 2702 unsigned FieldWidth = Width.getZExtValue(); 2703 2704 if (OriginalWidth <= FieldWidth) 2705 return false; 2706 2707 llvm::APSInt TruncatedValue = Value.trunc(FieldWidth); 2708 2709 // It's fairly common to write values into signed bitfields 2710 // that, if sign-extended, would end up becoming a different 2711 // value. We don't want to warn about that. 2712 if (Value.isSigned() && Value.isNegative()) 2713 TruncatedValue = TruncatedValue.sext(OriginalWidth); 2714 else 2715 TruncatedValue = TruncatedValue.zext(OriginalWidth); 2716 2717 if (Value == TruncatedValue) 2718 return false; 2719 2720 std::string PrettyValue = Value.toString(10); 2721 std::string PrettyTrunc = TruncatedValue.toString(10); 2722 2723 S.Diag(InitLoc, diag::warn_impcast_bitfield_precision_constant) 2724 << PrettyValue << PrettyTrunc << OriginalInit->getType() 2725 << Init->getSourceRange(); 2726 2727 return true; 2728} 2729 2730/// Analyze the given simple or compound assignment for warning-worthy 2731/// operations. 2732void AnalyzeAssignment(Sema &S, BinaryOperator *E) { 2733 // Just recurse on the LHS. 2734 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc()); 2735 2736 // We want to recurse on the RHS as normal unless we're assigning to 2737 // a bitfield. 2738 if (FieldDecl *Bitfield = E->getLHS()->getBitField()) { 2739 if (AnalyzeBitFieldAssignment(S, Bitfield, E->getRHS(), 2740 E->getOperatorLoc())) { 2741 // Recurse, ignoring any implicit conversions on the RHS. 2742 return AnalyzeImplicitConversions(S, E->getRHS()->IgnoreParenImpCasts(), 2743 E->getOperatorLoc()); 2744 } 2745 } 2746 2747 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc()); 2748} 2749 2750/// Diagnose an implicit cast; purely a helper for CheckImplicitConversion. 2751void DiagnoseImpCast(Sema &S, Expr *E, QualType SourceType, QualType T, 2752 SourceLocation CContext, unsigned diag) { 2753 S.Diag(E->getExprLoc(), diag) 2754 << SourceType << T << E->getSourceRange() << SourceRange(CContext); 2755} 2756 2757/// Diagnose an implicit cast; purely a helper for CheckImplicitConversion. 2758void DiagnoseImpCast(Sema &S, Expr *E, QualType T, SourceLocation CContext, 2759 unsigned diag) { 2760 DiagnoseImpCast(S, E, E->getType(), T, CContext, diag); 2761} 2762 2763std::string PrettyPrintInRange(const llvm::APSInt &Value, IntRange Range) { 2764 if (!Range.Width) return "0"; 2765 2766 llvm::APSInt ValueInRange = Value; 2767 ValueInRange.setIsSigned(!Range.NonNegative); 2768 ValueInRange = ValueInRange.trunc(Range.Width); 2769 return ValueInRange.toString(10); 2770} 2771 2772static bool isFromSystemMacro(Sema &S, SourceLocation loc) { 2773 SourceManager &smgr = S.Context.getSourceManager(); 2774 return loc.isMacroID() && smgr.isInSystemHeader(smgr.getSpellingLoc(loc)); 2775} 2776 2777void CheckImplicitConversion(Sema &S, Expr *E, QualType T, 2778 SourceLocation CC, bool *ICContext = 0) { 2779 if (E->isTypeDependent() || E->isValueDependent()) return; 2780 2781 const Type *Source = S.Context.getCanonicalType(E->getType()).getTypePtr(); 2782 const Type *Target = S.Context.getCanonicalType(T).getTypePtr(); 2783 if (Source == Target) return; 2784 if (Target->isDependentType()) return; 2785 2786 // If the conversion context location is invalid don't complain. 2787 // We also don't want to emit a warning if the issue occurs from the 2788 // instantiation of a system macro. The problem is that 'getSpellingLoc()' 2789 // is slow, so we delay this check as long as possible. Once we detect 2790 // we are in that scenario, we just return. 2791 if (CC.isInvalid()) 2792 return; 2793 2794 // Never diagnose implicit casts to bool. 2795 if (Target->isSpecificBuiltinType(BuiltinType::Bool)) 2796 return; 2797 2798 // Strip vector types. 2799 if (isa<VectorType>(Source)) { 2800 if (!isa<VectorType>(Target)) { 2801 if (isFromSystemMacro(S, CC)) 2802 return; 2803 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_vector_scalar); 2804 } 2805 2806 Source = cast<VectorType>(Source)->getElementType().getTypePtr(); 2807 Target = cast<VectorType>(Target)->getElementType().getTypePtr(); 2808 } 2809 2810 // Strip complex types. 2811 if (isa<ComplexType>(Source)) { 2812 if (!isa<ComplexType>(Target)) { 2813 if (isFromSystemMacro(S, CC)) 2814 return; 2815 2816 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_complex_scalar); 2817 } 2818 2819 Source = cast<ComplexType>(Source)->getElementType().getTypePtr(); 2820 Target = cast<ComplexType>(Target)->getElementType().getTypePtr(); 2821 } 2822 2823 const BuiltinType *SourceBT = dyn_cast<BuiltinType>(Source); 2824 const BuiltinType *TargetBT = dyn_cast<BuiltinType>(Target); 2825 2826 // If the source is floating point... 2827 if (SourceBT && SourceBT->isFloatingPoint()) { 2828 // ...and the target is floating point... 2829 if (TargetBT && TargetBT->isFloatingPoint()) { 2830 // ...then warn if we're dropping FP rank. 2831 2832 // Builtin FP kinds are ordered by increasing FP rank. 2833 if (SourceBT->getKind() > TargetBT->getKind()) { 2834 // Don't warn about float constants that are precisely 2835 // representable in the target type. 2836 Expr::EvalResult result; 2837 if (E->Evaluate(result, S.Context)) { 2838 // Value might be a float, a float vector, or a float complex. 2839 if (IsSameFloatAfterCast(result.Val, 2840 S.Context.getFloatTypeSemantics(QualType(TargetBT, 0)), 2841 S.Context.getFloatTypeSemantics(QualType(SourceBT, 0)))) 2842 return; 2843 } 2844 2845 if (isFromSystemMacro(S, CC)) 2846 return; 2847 2848 DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_precision); 2849 } 2850 return; 2851 } 2852 2853 // If the target is integral, always warn. 2854 if ((TargetBT && TargetBT->isInteger())) { 2855 if (isFromSystemMacro(S, CC)) 2856 return; 2857 2858 Expr *InnerE = E->IgnoreParenImpCasts(); 2859 if (FloatingLiteral *LiteralExpr = dyn_cast<FloatingLiteral>(InnerE)) { 2860 DiagnoseImpCast(S, LiteralExpr, T, CC, 2861 diag::warn_impcast_literal_float_to_integer); 2862 } else { 2863 DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_integer); 2864 } 2865 } 2866 2867 return; 2868 } 2869 2870 if (!Source->isIntegerType() || !Target->isIntegerType()) 2871 return; 2872 2873 IntRange SourceRange = GetExprRange(S.Context, E); 2874 IntRange TargetRange = IntRange::forTargetOfCanonicalType(S.Context, Target); 2875 2876 if (SourceRange.Width > TargetRange.Width) { 2877 // If the source is a constant, use a default-on diagnostic. 2878 // TODO: this should happen for bitfield stores, too. 2879 llvm::APSInt Value(32); 2880 if (E->isIntegerConstantExpr(Value, S.Context)) { 2881 if (isFromSystemMacro(S, CC)) 2882 return; 2883 2884 std::string PrettySourceValue = Value.toString(10); 2885 std::string PrettyTargetValue = PrettyPrintInRange(Value, TargetRange); 2886 2887 S.Diag(E->getExprLoc(), diag::warn_impcast_integer_precision_constant) 2888 << PrettySourceValue << PrettyTargetValue 2889 << E->getType() << T << E->getSourceRange() << clang::SourceRange(CC); 2890 return; 2891 } 2892 2893 // People want to build with -Wshorten-64-to-32 and not -Wconversion 2894 // and by god we'll let them. 2895 2896 if (isFromSystemMacro(S, CC)) 2897 return; 2898 2899 if (SourceRange.Width == 64 && TargetRange.Width == 32) 2900 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_64_32); 2901 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_precision); 2902 } 2903 2904 if ((TargetRange.NonNegative && !SourceRange.NonNegative) || 2905 (!TargetRange.NonNegative && SourceRange.NonNegative && 2906 SourceRange.Width == TargetRange.Width)) { 2907 2908 if (isFromSystemMacro(S, CC)) 2909 return; 2910 2911 unsigned DiagID = diag::warn_impcast_integer_sign; 2912 2913 // Traditionally, gcc has warned about this under -Wsign-compare. 2914 // We also want to warn about it in -Wconversion. 2915 // So if -Wconversion is off, use a completely identical diagnostic 2916 // in the sign-compare group. 2917 // The conditional-checking code will 2918 if (ICContext) { 2919 DiagID = diag::warn_impcast_integer_sign_conditional; 2920 *ICContext = true; 2921 } 2922 2923 return DiagnoseImpCast(S, E, T, CC, DiagID); 2924 } 2925 2926 // Diagnose conversions between different enumeration types. 2927 // In C, we pretend that the type of an EnumConstantDecl is its enumeration 2928 // type, to give us better diagnostics. 2929 QualType SourceType = E->getType(); 2930 if (!S.getLangOptions().CPlusPlus) { 2931 if (DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) 2932 if (EnumConstantDecl *ECD = dyn_cast<EnumConstantDecl>(DRE->getDecl())) { 2933 EnumDecl *Enum = cast<EnumDecl>(ECD->getDeclContext()); 2934 SourceType = S.Context.getTypeDeclType(Enum); 2935 Source = S.Context.getCanonicalType(SourceType).getTypePtr(); 2936 } 2937 } 2938 2939 if (const EnumType *SourceEnum = Source->getAs<EnumType>()) 2940 if (const EnumType *TargetEnum = Target->getAs<EnumType>()) 2941 if ((SourceEnum->getDecl()->getIdentifier() || 2942 SourceEnum->getDecl()->getTypedefForAnonDecl()) && 2943 (TargetEnum->getDecl()->getIdentifier() || 2944 TargetEnum->getDecl()->getTypedefForAnonDecl()) && 2945 SourceEnum != TargetEnum) { 2946 if (isFromSystemMacro(S, CC)) 2947 return; 2948 2949 return DiagnoseImpCast(S, E, SourceType, T, CC, 2950 diag::warn_impcast_different_enum_types); 2951 } 2952 2953 return; 2954} 2955 2956void CheckConditionalOperator(Sema &S, ConditionalOperator *E, QualType T); 2957 2958void CheckConditionalOperand(Sema &S, Expr *E, QualType T, 2959 SourceLocation CC, bool &ICContext) { 2960 E = E->IgnoreParenImpCasts(); 2961 2962 if (isa<ConditionalOperator>(E)) 2963 return CheckConditionalOperator(S, cast<ConditionalOperator>(E), T); 2964 2965 AnalyzeImplicitConversions(S, E, CC); 2966 if (E->getType() != T) 2967 return CheckImplicitConversion(S, E, T, CC, &ICContext); 2968 return; 2969} 2970 2971void CheckConditionalOperator(Sema &S, ConditionalOperator *E, QualType T) { 2972 SourceLocation CC = E->getQuestionLoc(); 2973 2974 AnalyzeImplicitConversions(S, E->getCond(), CC); 2975 2976 bool Suspicious = false; 2977 CheckConditionalOperand(S, E->getTrueExpr(), T, CC, Suspicious); 2978 CheckConditionalOperand(S, E->getFalseExpr(), T, CC, Suspicious); 2979 2980 // If -Wconversion would have warned about either of the candidates 2981 // for a signedness conversion to the context type... 2982 if (!Suspicious) return; 2983 2984 // ...but it's currently ignored... 2985 if (S.Diags.getDiagnosticLevel(diag::warn_impcast_integer_sign_conditional, 2986 CC)) 2987 return; 2988 2989 // ...and -Wsign-compare isn't... 2990 if (!S.Diags.getDiagnosticLevel(diag::warn_mixed_sign_conditional, CC)) 2991 return; 2992 2993 // ...then check whether it would have warned about either of the 2994 // candidates for a signedness conversion to the condition type. 2995 if (E->getType() != T) { 2996 Suspicious = false; 2997 CheckImplicitConversion(S, E->getTrueExpr()->IgnoreParenImpCasts(), 2998 E->getType(), CC, &Suspicious); 2999 if (!Suspicious) 3000 CheckImplicitConversion(S, E->getFalseExpr()->IgnoreParenImpCasts(), 3001 E->getType(), CC, &Suspicious); 3002 if (!Suspicious) 3003 return; 3004 } 3005 3006 // If so, emit a diagnostic under -Wsign-compare. 3007 Expr *lex = E->getTrueExpr()->IgnoreParenImpCasts(); 3008 Expr *rex = E->getFalseExpr()->IgnoreParenImpCasts(); 3009 S.Diag(E->getQuestionLoc(), diag::warn_mixed_sign_conditional) 3010 << lex->getType() << rex->getType() 3011 << lex->getSourceRange() << rex->getSourceRange(); 3012} 3013 3014/// AnalyzeImplicitConversions - Find and report any interesting 3015/// implicit conversions in the given expression. There are a couple 3016/// of competing diagnostics here, -Wconversion and -Wsign-compare. 3017void AnalyzeImplicitConversions(Sema &S, Expr *OrigE, SourceLocation CC) { 3018 QualType T = OrigE->getType(); 3019 Expr *E = OrigE->IgnoreParenImpCasts(); 3020 3021 // For conditional operators, we analyze the arguments as if they 3022 // were being fed directly into the output. 3023 if (isa<ConditionalOperator>(E)) { 3024 ConditionalOperator *CO = cast<ConditionalOperator>(E); 3025 CheckConditionalOperator(S, CO, T); 3026 return; 3027 } 3028 3029 // Go ahead and check any implicit conversions we might have skipped. 3030 // The non-canonical typecheck is just an optimization; 3031 // CheckImplicitConversion will filter out dead implicit conversions. 3032 if (E->getType() != T) 3033 CheckImplicitConversion(S, E, T, CC); 3034 3035 // Now continue drilling into this expression. 3036 3037 // Skip past explicit casts. 3038 if (isa<ExplicitCastExpr>(E)) { 3039 E = cast<ExplicitCastExpr>(E)->getSubExpr()->IgnoreParenImpCasts(); 3040 return AnalyzeImplicitConversions(S, E, CC); 3041 } 3042 3043 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 3044 // Do a somewhat different check with comparison operators. 3045 if (BO->isComparisonOp()) 3046 return AnalyzeComparison(S, BO); 3047 3048 // And with assignments and compound assignments. 3049 if (BO->isAssignmentOp()) 3050 return AnalyzeAssignment(S, BO); 3051 } 3052 3053 // These break the otherwise-useful invariant below. Fortunately, 3054 // we don't really need to recurse into them, because any internal 3055 // expressions should have been analyzed already when they were 3056 // built into statements. 3057 if (isa<StmtExpr>(E)) return; 3058 3059 // Don't descend into unevaluated contexts. 3060 if (isa<UnaryExprOrTypeTraitExpr>(E)) return; 3061 3062 // Now just recurse over the expression's children. 3063 CC = E->getExprLoc(); 3064 for (Stmt::child_range I = E->children(); I; ++I) 3065 AnalyzeImplicitConversions(S, cast<Expr>(*I), CC); 3066} 3067 3068} // end anonymous namespace 3069 3070/// Diagnoses "dangerous" implicit conversions within the given 3071/// expression (which is a full expression). Implements -Wconversion 3072/// and -Wsign-compare. 3073/// 3074/// \param CC the "context" location of the implicit conversion, i.e. 3075/// the most location of the syntactic entity requiring the implicit 3076/// conversion 3077void Sema::CheckImplicitConversions(Expr *E, SourceLocation CC) { 3078 // Don't diagnose in unevaluated contexts. 3079 if (ExprEvalContexts.back().Context == Sema::Unevaluated) 3080 return; 3081 3082 // Don't diagnose for value- or type-dependent expressions. 3083 if (E->isTypeDependent() || E->isValueDependent()) 3084 return; 3085 3086 // This is not the right CC for (e.g.) a variable initialization. 3087 AnalyzeImplicitConversions(*this, E, CC); 3088} 3089 3090void Sema::CheckBitFieldInitialization(SourceLocation InitLoc, 3091 FieldDecl *BitField, 3092 Expr *Init) { 3093 (void) AnalyzeBitFieldAssignment(*this, BitField, Init, InitLoc); 3094} 3095 3096/// CheckParmsForFunctionDef - Check that the parameters of the given 3097/// function are appropriate for the definition of a function. This 3098/// takes care of any checks that cannot be performed on the 3099/// declaration itself, e.g., that the types of each of the function 3100/// parameters are complete. 3101bool Sema::CheckParmsForFunctionDef(ParmVarDecl **P, ParmVarDecl **PEnd, 3102 bool CheckParameterNames) { 3103 bool HasInvalidParm = false; 3104 for (; P != PEnd; ++P) { 3105 ParmVarDecl *Param = *P; 3106 3107 // C99 6.7.5.3p4: the parameters in a parameter type list in a 3108 // function declarator that is part of a function definition of 3109 // that function shall not have incomplete type. 3110 // 3111 // This is also C++ [dcl.fct]p6. 3112 if (!Param->isInvalidDecl() && 3113 RequireCompleteType(Param->getLocation(), Param->getType(), 3114 diag::err_typecheck_decl_incomplete_type)) { 3115 Param->setInvalidDecl(); 3116 HasInvalidParm = true; 3117 } 3118 3119 // C99 6.9.1p5: If the declarator includes a parameter type list, the 3120 // declaration of each parameter shall include an identifier. 3121 if (CheckParameterNames && 3122 Param->getIdentifier() == 0 && 3123 !Param->isImplicit() && 3124 !getLangOptions().CPlusPlus) 3125 Diag(Param->getLocation(), diag::err_parameter_name_omitted); 3126 3127 // C99 6.7.5.3p12: 3128 // If the function declarator is not part of a definition of that 3129 // function, parameters may have incomplete type and may use the [*] 3130 // notation in their sequences of declarator specifiers to specify 3131 // variable length array types. 3132 QualType PType = Param->getOriginalType(); 3133 if (const ArrayType *AT = Context.getAsArrayType(PType)) { 3134 if (AT->getSizeModifier() == ArrayType::Star) { 3135 // FIXME: This diagnosic should point the the '[*]' if source-location 3136 // information is added for it. 3137 Diag(Param->getLocation(), diag::err_array_star_in_function_definition); 3138 } 3139 } 3140 } 3141 3142 return HasInvalidParm; 3143} 3144 3145/// CheckCastAlign - Implements -Wcast-align, which warns when a 3146/// pointer cast increases the alignment requirements. 3147void Sema::CheckCastAlign(Expr *Op, QualType T, SourceRange TRange) { 3148 // This is actually a lot of work to potentially be doing on every 3149 // cast; don't do it if we're ignoring -Wcast_align (as is the default). 3150 if (getDiagnostics().getDiagnosticLevel(diag::warn_cast_align, 3151 TRange.getBegin()) 3152 == Diagnostic::Ignored) 3153 return; 3154 3155 // Ignore dependent types. 3156 if (T->isDependentType() || Op->getType()->isDependentType()) 3157 return; 3158 3159 // Require that the destination be a pointer type. 3160 const PointerType *DestPtr = T->getAs<PointerType>(); 3161 if (!DestPtr) return; 3162 3163 // If the destination has alignment 1, we're done. 3164 QualType DestPointee = DestPtr->getPointeeType(); 3165 if (DestPointee->isIncompleteType()) return; 3166 CharUnits DestAlign = Context.getTypeAlignInChars(DestPointee); 3167 if (DestAlign.isOne()) return; 3168 3169 // Require that the source be a pointer type. 3170 const PointerType *SrcPtr = Op->getType()->getAs<PointerType>(); 3171 if (!SrcPtr) return; 3172 QualType SrcPointee = SrcPtr->getPointeeType(); 3173 3174 // Whitelist casts from cv void*. We already implicitly 3175 // whitelisted casts to cv void*, since they have alignment 1. 3176 // Also whitelist casts involving incomplete types, which implicitly 3177 // includes 'void'. 3178 if (SrcPointee->isIncompleteType()) return; 3179 3180 CharUnits SrcAlign = Context.getTypeAlignInChars(SrcPointee); 3181 if (SrcAlign >= DestAlign) return; 3182 3183 Diag(TRange.getBegin(), diag::warn_cast_align) 3184 << Op->getType() << T 3185 << static_cast<unsigned>(SrcAlign.getQuantity()) 3186 << static_cast<unsigned>(DestAlign.getQuantity()) 3187 << TRange << Op->getSourceRange(); 3188} 3189 3190static void CheckArrayAccess_Check(Sema &S, 3191 const clang::ArraySubscriptExpr *E) { 3192 const Expr *BaseExpr = E->getBase()->IgnoreParenImpCasts(); 3193 const ConstantArrayType *ArrayTy = 3194 S.Context.getAsConstantArrayType(BaseExpr->getType()); 3195 if (!ArrayTy) 3196 return; 3197 3198 const Expr *IndexExpr = E->getIdx(); 3199 if (IndexExpr->isValueDependent()) 3200 return; 3201 llvm::APSInt index; 3202 if (!IndexExpr->isIntegerConstantExpr(index, S.Context)) 3203 return; 3204 3205 if (index.isUnsigned() || !index.isNegative()) { 3206 llvm::APInt size = ArrayTy->getSize(); 3207 if (!size.isStrictlyPositive()) 3208 return; 3209 if (size.getBitWidth() > index.getBitWidth()) 3210 index = index.sext(size.getBitWidth()); 3211 else if (size.getBitWidth() < index.getBitWidth()) 3212 size = size.sext(index.getBitWidth()); 3213 3214 if (index.slt(size)) 3215 return; 3216 3217 S.DiagRuntimeBehavior(E->getBase()->getLocStart(), BaseExpr, 3218 S.PDiag(diag::warn_array_index_exceeds_bounds) 3219 << index.toString(10, true) 3220 << size.toString(10, true) 3221 << IndexExpr->getSourceRange()); 3222 } else { 3223 S.DiagRuntimeBehavior(E->getBase()->getLocStart(), BaseExpr, 3224 S.PDiag(diag::warn_array_index_precedes_bounds) 3225 << index.toString(10, true) 3226 << IndexExpr->getSourceRange()); 3227 } 3228 3229 const NamedDecl *ND = NULL; 3230 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr)) 3231 ND = dyn_cast<NamedDecl>(DRE->getDecl()); 3232 if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr)) 3233 ND = dyn_cast<NamedDecl>(ME->getMemberDecl()); 3234 if (ND) 3235 S.DiagRuntimeBehavior(ND->getLocStart(), BaseExpr, 3236 S.PDiag(diag::note_array_index_out_of_bounds) 3237 << ND->getDeclName()); 3238} 3239 3240void Sema::CheckArrayAccess(const Expr *expr) { 3241 while (true) 3242 switch (expr->getStmtClass()) { 3243 case Stmt::ParenExprClass: 3244 expr = cast<ParenExpr>(expr)->getSubExpr(); 3245 continue; 3246 case Stmt::ArraySubscriptExprClass: 3247 CheckArrayAccess_Check(*this, cast<ArraySubscriptExpr>(expr)); 3248 return; 3249 case Stmt::ConditionalOperatorClass: { 3250 const ConditionalOperator *cond = cast<ConditionalOperator>(expr); 3251 if (const Expr *lhs = cond->getLHS()) 3252 CheckArrayAccess(lhs); 3253 if (const Expr *rhs = cond->getRHS()) 3254 CheckArrayAccess(rhs); 3255 return; 3256 } 3257 default: 3258 return; 3259 } 3260} 3261