SemaChecking.cpp revision 60d7b3a319d84d688752be3870615ac0f111fb16
1//===--- SemaChecking.cpp - Extra Semantic Checking -----------------------===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file implements extra semantic analysis beyond what is enforced 11// by the C type system. 12// 13//===----------------------------------------------------------------------===// 14 15#include "clang/Sema/Sema.h" 16#include "clang/Analysis/Analyses/FormatString.h" 17#include "clang/AST/ASTContext.h" 18#include "clang/AST/CharUnits.h" 19#include "clang/AST/DeclObjC.h" 20#include "clang/AST/ExprCXX.h" 21#include "clang/AST/ExprObjC.h" 22#include "clang/AST/DeclObjC.h" 23#include "clang/AST/StmtCXX.h" 24#include "clang/AST/StmtObjC.h" 25#include "clang/Lex/LiteralSupport.h" 26#include "clang/Lex/Preprocessor.h" 27#include "llvm/ADT/BitVector.h" 28#include "llvm/ADT/STLExtras.h" 29#include "llvm/Support/raw_ostream.h" 30#include "clang/Basic/TargetBuiltins.h" 31#include "clang/Basic/TargetInfo.h" 32#include <limits> 33using namespace clang; 34 35/// getLocationOfStringLiteralByte - Return a source location that points to the 36/// specified byte of the specified string literal. 37/// 38/// Strings are amazingly complex. They can be formed from multiple tokens and 39/// can have escape sequences in them in addition to the usual trigraph and 40/// escaped newline business. This routine handles this complexity. 41/// 42SourceLocation Sema::getLocationOfStringLiteralByte(const StringLiteral *SL, 43 unsigned ByteNo) const { 44 assert(!SL->isWide() && "This doesn't work for wide strings yet"); 45 46 // Loop over all of the tokens in this string until we find the one that 47 // contains the byte we're looking for. 48 unsigned TokNo = 0; 49 while (1) { 50 assert(TokNo < SL->getNumConcatenated() && "Invalid byte number!"); 51 SourceLocation StrTokLoc = SL->getStrTokenLoc(TokNo); 52 53 // Get the spelling of the string so that we can get the data that makes up 54 // the string literal, not the identifier for the macro it is potentially 55 // expanded through. 56 SourceLocation StrTokSpellingLoc = SourceMgr.getSpellingLoc(StrTokLoc); 57 58 // Re-lex the token to get its length and original spelling. 59 std::pair<FileID, unsigned> LocInfo = 60 SourceMgr.getDecomposedLoc(StrTokSpellingLoc); 61 bool Invalid = false; 62 llvm::StringRef Buffer = SourceMgr.getBufferData(LocInfo.first, &Invalid); 63 if (Invalid) 64 return StrTokSpellingLoc; 65 66 const char *StrData = Buffer.data()+LocInfo.second; 67 68 // Create a langops struct and enable trigraphs. This is sufficient for 69 // relexing tokens. 70 LangOptions LangOpts; 71 LangOpts.Trigraphs = true; 72 73 // Create a lexer starting at the beginning of this token. 74 Lexer TheLexer(StrTokSpellingLoc, LangOpts, Buffer.begin(), StrData, 75 Buffer.end()); 76 Token TheTok; 77 TheLexer.LexFromRawLexer(TheTok); 78 79 // Use the StringLiteralParser to compute the length of the string in bytes. 80 StringLiteralParser SLP(&TheTok, 1, PP, /*Complain=*/false); 81 unsigned TokNumBytes = SLP.GetStringLength(); 82 83 // If the byte is in this token, return the location of the byte. 84 if (ByteNo < TokNumBytes || 85 (ByteNo == TokNumBytes && TokNo == SL->getNumConcatenated())) { 86 unsigned Offset = 87 StringLiteralParser::getOffsetOfStringByte(TheTok, ByteNo, PP, 88 /*Complain=*/false); 89 90 // Now that we know the offset of the token in the spelling, use the 91 // preprocessor to get the offset in the original source. 92 return PP.AdvanceToTokenCharacter(StrTokLoc, Offset); 93 } 94 95 // Move to the next string token. 96 ++TokNo; 97 ByteNo -= TokNumBytes; 98 } 99} 100 101/// CheckablePrintfAttr - does a function call have a "printf" attribute 102/// and arguments that merit checking? 103bool Sema::CheckablePrintfAttr(const FormatAttr *Format, CallExpr *TheCall) { 104 if (Format->getType() == "printf") return true; 105 if (Format->getType() == "printf0") { 106 // printf0 allows null "format" string; if so don't check format/args 107 unsigned format_idx = Format->getFormatIdx() - 1; 108 // Does the index refer to the implicit object argument? 109 if (isa<CXXMemberCallExpr>(TheCall)) { 110 if (format_idx == 0) 111 return false; 112 --format_idx; 113 } 114 if (format_idx < TheCall->getNumArgs()) { 115 Expr *Format = TheCall->getArg(format_idx)->IgnoreParenCasts(); 116 if (!Format->isNullPointerConstant(Context, 117 Expr::NPC_ValueDependentIsNull)) 118 return true; 119 } 120 } 121 return false; 122} 123 124ExprResult 125Sema::CheckBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 126 ExprResult TheCallResult(Owned(TheCall)); 127 128 switch (BuiltinID) { 129 case Builtin::BI__builtin___CFStringMakeConstantString: 130 assert(TheCall->getNumArgs() == 1 && 131 "Wrong # arguments to builtin CFStringMakeConstantString"); 132 if (CheckObjCString(TheCall->getArg(0))) 133 return ExprError(); 134 break; 135 case Builtin::BI__builtin_stdarg_start: 136 case Builtin::BI__builtin_va_start: 137 if (SemaBuiltinVAStart(TheCall)) 138 return ExprError(); 139 break; 140 case Builtin::BI__builtin_isgreater: 141 case Builtin::BI__builtin_isgreaterequal: 142 case Builtin::BI__builtin_isless: 143 case Builtin::BI__builtin_islessequal: 144 case Builtin::BI__builtin_islessgreater: 145 case Builtin::BI__builtin_isunordered: 146 if (SemaBuiltinUnorderedCompare(TheCall)) 147 return ExprError(); 148 break; 149 case Builtin::BI__builtin_fpclassify: 150 if (SemaBuiltinFPClassification(TheCall, 6)) 151 return ExprError(); 152 break; 153 case Builtin::BI__builtin_isfinite: 154 case Builtin::BI__builtin_isinf: 155 case Builtin::BI__builtin_isinf_sign: 156 case Builtin::BI__builtin_isnan: 157 case Builtin::BI__builtin_isnormal: 158 if (SemaBuiltinFPClassification(TheCall, 1)) 159 return ExprError(); 160 break; 161 case Builtin::BI__builtin_return_address: 162 case Builtin::BI__builtin_frame_address: { 163 llvm::APSInt Result; 164 if (SemaBuiltinConstantArg(TheCall, 0, Result)) 165 return ExprError(); 166 break; 167 } 168 case Builtin::BI__builtin_eh_return_data_regno: { 169 llvm::APSInt Result; 170 if (SemaBuiltinConstantArg(TheCall, 0, Result)) 171 return ExprError(); 172 break; 173 } 174 case Builtin::BI__builtin_shufflevector: 175 return SemaBuiltinShuffleVector(TheCall); 176 // TheCall will be freed by the smart pointer here, but that's fine, since 177 // SemaBuiltinShuffleVector guts it, but then doesn't release it. 178 case Builtin::BI__builtin_prefetch: 179 if (SemaBuiltinPrefetch(TheCall)) 180 return ExprError(); 181 break; 182 case Builtin::BI__builtin_object_size: 183 if (SemaBuiltinObjectSize(TheCall)) 184 return ExprError(); 185 break; 186 case Builtin::BI__builtin_longjmp: 187 if (SemaBuiltinLongjmp(TheCall)) 188 return ExprError(); 189 break; 190 case Builtin::BI__sync_fetch_and_add: 191 case Builtin::BI__sync_fetch_and_sub: 192 case Builtin::BI__sync_fetch_and_or: 193 case Builtin::BI__sync_fetch_and_and: 194 case Builtin::BI__sync_fetch_and_xor: 195 case Builtin::BI__sync_add_and_fetch: 196 case Builtin::BI__sync_sub_and_fetch: 197 case Builtin::BI__sync_and_and_fetch: 198 case Builtin::BI__sync_or_and_fetch: 199 case Builtin::BI__sync_xor_and_fetch: 200 case Builtin::BI__sync_val_compare_and_swap: 201 case Builtin::BI__sync_bool_compare_and_swap: 202 case Builtin::BI__sync_lock_test_and_set: 203 case Builtin::BI__sync_lock_release: 204 return SemaBuiltinAtomicOverloaded(move(TheCallResult)); 205 } 206 207 // Since the target specific builtins for each arch overlap, only check those 208 // of the arch we are compiling for. 209 if (BuiltinID >= Builtin::FirstTSBuiltin) { 210 switch (Context.Target.getTriple().getArch()) { 211 case llvm::Triple::arm: 212 case llvm::Triple::thumb: 213 if (CheckARMBuiltinFunctionCall(BuiltinID, TheCall)) 214 return ExprError(); 215 break; 216 case llvm::Triple::x86: 217 case llvm::Triple::x86_64: 218 if (CheckX86BuiltinFunctionCall(BuiltinID, TheCall)) 219 return ExprError(); 220 break; 221 default: 222 break; 223 } 224 } 225 226 return move(TheCallResult); 227} 228 229bool Sema::CheckX86BuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 230 switch (BuiltinID) { 231 case X86::BI__builtin_ia32_palignr128: 232 case X86::BI__builtin_ia32_palignr: { 233 llvm::APSInt Result; 234 if (SemaBuiltinConstantArg(TheCall, 2, Result)) 235 return true; 236 break; 237 } 238 } 239 return false; 240} 241 242// Get the valid immediate range for the specified NEON type code. 243static unsigned RFT(unsigned t, bool shift = false) { 244 bool quad = t & 0x10; 245 246 switch (t & 0x7) { 247 case 0: // i8 248 return shift ? 7 : (8 << (int)quad) - 1; 249 case 1: // i16 250 return shift ? 15 : (4 << (int)quad) - 1; 251 case 2: // i32 252 return shift ? 31 : (2 << (int)quad) - 1; 253 case 3: // i64 254 return shift ? 63 : (1 << (int)quad) - 1; 255 case 4: // f32 256 assert(!shift && "cannot shift float types!"); 257 return (2 << (int)quad) - 1; 258 case 5: // poly8 259 assert(!shift && "cannot shift polynomial types!"); 260 return (8 << (int)quad) - 1; 261 case 6: // poly16 262 assert(!shift && "cannot shift polynomial types!"); 263 return (4 << (int)quad) - 1; 264 case 7: // float16 265 assert(!shift && "cannot shift float types!"); 266 return (4 << (int)quad) - 1; 267 } 268 return 0; 269} 270 271bool Sema::CheckARMBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 272 llvm::APSInt Result; 273 274 unsigned mask = 0; 275 unsigned TV = 0; 276 switch (BuiltinID) { 277#define GET_NEON_OVERLOAD_CHECK 278#include "clang/Basic/arm_neon.inc" 279#undef GET_NEON_OVERLOAD_CHECK 280 } 281 282 // For NEON intrinsics which are overloaded on vector element type, validate 283 // the immediate which specifies which variant to emit. 284 if (mask) { 285 unsigned ArgNo = TheCall->getNumArgs()-1; 286 if (SemaBuiltinConstantArg(TheCall, ArgNo, Result)) 287 return true; 288 289 TV = Result.getLimitedValue(32); 290 if ((TV > 31) || (mask & (1 << TV)) == 0) 291 return Diag(TheCall->getLocStart(), diag::err_invalid_neon_type_code) 292 << TheCall->getArg(ArgNo)->getSourceRange(); 293 } 294 295 // For NEON intrinsics which take an immediate value as part of the 296 // instruction, range check them here. 297 unsigned i = 0, l = 0, u = 0; 298 switch (BuiltinID) { 299 default: return false; 300 case ARM::BI__builtin_arm_ssat: i = 1; l = 1; u = 31; break; 301 case ARM::BI__builtin_arm_usat: i = 1; u = 31; break; 302 case ARM::BI__builtin_arm_vcvtr_f: 303 case ARM::BI__builtin_arm_vcvtr_d: i = 1; u = 1; break; 304#define GET_NEON_IMMEDIATE_CHECK 305#include "clang/Basic/arm_neon.inc" 306#undef GET_NEON_IMMEDIATE_CHECK 307 }; 308 309 // Check that the immediate argument is actually a constant. 310 if (SemaBuiltinConstantArg(TheCall, i, Result)) 311 return true; 312 313 // Range check against the upper/lower values for this isntruction. 314 unsigned Val = Result.getZExtValue(); 315 if (Val < l || Val > (u + l)) 316 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 317 << l << u+l << TheCall->getArg(i)->getSourceRange(); 318 319 // FIXME: VFP Intrinsics should error if VFP not present. 320 return false; 321} 322 323/// CheckFunctionCall - Check a direct function call for various correctness 324/// and safety properties not strictly enforced by the C type system. 325bool Sema::CheckFunctionCall(FunctionDecl *FDecl, CallExpr *TheCall) { 326 // Get the IdentifierInfo* for the called function. 327 IdentifierInfo *FnInfo = FDecl->getIdentifier(); 328 329 // None of the checks below are needed for functions that don't have 330 // simple names (e.g., C++ conversion functions). 331 if (!FnInfo) 332 return false; 333 334 // FIXME: This mechanism should be abstracted to be less fragile and 335 // more efficient. For example, just map function ids to custom 336 // handlers. 337 338 // Printf checking. 339 if (const FormatAttr *Format = FDecl->getAttr<FormatAttr>()) { 340 const bool b = Format->getType() == "scanf"; 341 if (b || CheckablePrintfAttr(Format, TheCall)) { 342 bool HasVAListArg = Format->getFirstArg() == 0; 343 CheckPrintfScanfArguments(TheCall, HasVAListArg, 344 Format->getFormatIdx() - 1, 345 HasVAListArg ? 0 : Format->getFirstArg() - 1, 346 !b); 347 } 348 } 349 350 specific_attr_iterator<NonNullAttr> 351 i = FDecl->specific_attr_begin<NonNullAttr>(), 352 e = FDecl->specific_attr_end<NonNullAttr>(); 353 354 for (; i != e; ++i) 355 CheckNonNullArguments(*i, TheCall); 356 357 return false; 358} 359 360bool Sema::CheckBlockCall(NamedDecl *NDecl, CallExpr *TheCall) { 361 // Printf checking. 362 const FormatAttr *Format = NDecl->getAttr<FormatAttr>(); 363 if (!Format) 364 return false; 365 366 const VarDecl *V = dyn_cast<VarDecl>(NDecl); 367 if (!V) 368 return false; 369 370 QualType Ty = V->getType(); 371 if (!Ty->isBlockPointerType()) 372 return false; 373 374 const bool b = Format->getType() == "scanf"; 375 if (!b && !CheckablePrintfAttr(Format, TheCall)) 376 return false; 377 378 bool HasVAListArg = Format->getFirstArg() == 0; 379 CheckPrintfScanfArguments(TheCall, HasVAListArg, Format->getFormatIdx() - 1, 380 HasVAListArg ? 0 : Format->getFirstArg() - 1, !b); 381 382 return false; 383} 384 385/// SemaBuiltinAtomicOverloaded - We have a call to a function like 386/// __sync_fetch_and_add, which is an overloaded function based on the pointer 387/// type of its first argument. The main ActOnCallExpr routines have already 388/// promoted the types of arguments because all of these calls are prototyped as 389/// void(...). 390/// 391/// This function goes through and does final semantic checking for these 392/// builtins, 393ExprResult 394Sema::SemaBuiltinAtomicOverloaded(ExprResult TheCallResult) { 395 CallExpr *TheCall = (CallExpr *)TheCallResult.get(); 396 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 397 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 398 399 // Ensure that we have at least one argument to do type inference from. 400 if (TheCall->getNumArgs() < 1) { 401 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 402 << 0 << 1 << TheCall->getNumArgs() 403 << TheCall->getCallee()->getSourceRange(); 404 return ExprError(); 405 } 406 407 // Inspect the first argument of the atomic builtin. This should always be 408 // a pointer type, whose element is an integral scalar or pointer type. 409 // Because it is a pointer type, we don't have to worry about any implicit 410 // casts here. 411 // FIXME: We don't allow floating point scalars as input. 412 Expr *FirstArg = TheCall->getArg(0); 413 if (!FirstArg->getType()->isPointerType()) { 414 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 415 << FirstArg->getType() << FirstArg->getSourceRange(); 416 return ExprError(); 417 } 418 419 QualType ValType = 420 FirstArg->getType()->getAs<PointerType>()->getPointeeType(); 421 if (!ValType->isIntegerType() && !ValType->isPointerType() && 422 !ValType->isBlockPointerType()) { 423 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer_intptr) 424 << FirstArg->getType() << FirstArg->getSourceRange(); 425 return ExprError(); 426 } 427 428 // The majority of builtins return a value, but a few have special return 429 // types, so allow them to override appropriately below. 430 QualType ResultType = ValType; 431 432 // We need to figure out which concrete builtin this maps onto. For example, 433 // __sync_fetch_and_add with a 2 byte object turns into 434 // __sync_fetch_and_add_2. 435#define BUILTIN_ROW(x) \ 436 { Builtin::BI##x##_1, Builtin::BI##x##_2, Builtin::BI##x##_4, \ 437 Builtin::BI##x##_8, Builtin::BI##x##_16 } 438 439 static const unsigned BuiltinIndices[][5] = { 440 BUILTIN_ROW(__sync_fetch_and_add), 441 BUILTIN_ROW(__sync_fetch_and_sub), 442 BUILTIN_ROW(__sync_fetch_and_or), 443 BUILTIN_ROW(__sync_fetch_and_and), 444 BUILTIN_ROW(__sync_fetch_and_xor), 445 446 BUILTIN_ROW(__sync_add_and_fetch), 447 BUILTIN_ROW(__sync_sub_and_fetch), 448 BUILTIN_ROW(__sync_and_and_fetch), 449 BUILTIN_ROW(__sync_or_and_fetch), 450 BUILTIN_ROW(__sync_xor_and_fetch), 451 452 BUILTIN_ROW(__sync_val_compare_and_swap), 453 BUILTIN_ROW(__sync_bool_compare_and_swap), 454 BUILTIN_ROW(__sync_lock_test_and_set), 455 BUILTIN_ROW(__sync_lock_release) 456 }; 457#undef BUILTIN_ROW 458 459 // Determine the index of the size. 460 unsigned SizeIndex; 461 switch (Context.getTypeSizeInChars(ValType).getQuantity()) { 462 case 1: SizeIndex = 0; break; 463 case 2: SizeIndex = 1; break; 464 case 4: SizeIndex = 2; break; 465 case 8: SizeIndex = 3; break; 466 case 16: SizeIndex = 4; break; 467 default: 468 Diag(DRE->getLocStart(), diag::err_atomic_builtin_pointer_size) 469 << FirstArg->getType() << FirstArg->getSourceRange(); 470 return ExprError(); 471 } 472 473 // Each of these builtins has one pointer argument, followed by some number of 474 // values (0, 1 or 2) followed by a potentially empty varags list of stuff 475 // that we ignore. Find out which row of BuiltinIndices to read from as well 476 // as the number of fixed args. 477 unsigned BuiltinID = FDecl->getBuiltinID(); 478 unsigned BuiltinIndex, NumFixed = 1; 479 switch (BuiltinID) { 480 default: assert(0 && "Unknown overloaded atomic builtin!"); 481 case Builtin::BI__sync_fetch_and_add: BuiltinIndex = 0; break; 482 case Builtin::BI__sync_fetch_and_sub: BuiltinIndex = 1; break; 483 case Builtin::BI__sync_fetch_and_or: BuiltinIndex = 2; break; 484 case Builtin::BI__sync_fetch_and_and: BuiltinIndex = 3; break; 485 case Builtin::BI__sync_fetch_and_xor: BuiltinIndex = 4; break; 486 487 case Builtin::BI__sync_add_and_fetch: BuiltinIndex = 5; break; 488 case Builtin::BI__sync_sub_and_fetch: BuiltinIndex = 6; break; 489 case Builtin::BI__sync_and_and_fetch: BuiltinIndex = 7; break; 490 case Builtin::BI__sync_or_and_fetch: BuiltinIndex = 8; break; 491 case Builtin::BI__sync_xor_and_fetch: BuiltinIndex = 9; break; 492 493 case Builtin::BI__sync_val_compare_and_swap: 494 BuiltinIndex = 10; 495 NumFixed = 2; 496 break; 497 case Builtin::BI__sync_bool_compare_and_swap: 498 BuiltinIndex = 11; 499 NumFixed = 2; 500 ResultType = Context.BoolTy; 501 break; 502 case Builtin::BI__sync_lock_test_and_set: BuiltinIndex = 12; break; 503 case Builtin::BI__sync_lock_release: 504 BuiltinIndex = 13; 505 NumFixed = 0; 506 ResultType = Context.VoidTy; 507 break; 508 } 509 510 // Now that we know how many fixed arguments we expect, first check that we 511 // have at least that many. 512 if (TheCall->getNumArgs() < 1+NumFixed) { 513 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 514 << 0 << 1+NumFixed << TheCall->getNumArgs() 515 << TheCall->getCallee()->getSourceRange(); 516 return ExprError(); 517 } 518 519 // Get the decl for the concrete builtin from this, we can tell what the 520 // concrete integer type we should convert to is. 521 unsigned NewBuiltinID = BuiltinIndices[BuiltinIndex][SizeIndex]; 522 const char *NewBuiltinName = Context.BuiltinInfo.GetName(NewBuiltinID); 523 IdentifierInfo *NewBuiltinII = PP.getIdentifierInfo(NewBuiltinName); 524 FunctionDecl *NewBuiltinDecl = 525 cast<FunctionDecl>(LazilyCreateBuiltin(NewBuiltinII, NewBuiltinID, 526 TUScope, false, DRE->getLocStart())); 527 528 // The first argument --- the pointer --- has a fixed type; we 529 // deduce the types of the rest of the arguments accordingly. Walk 530 // the remaining arguments, converting them to the deduced value type. 531 for (unsigned i = 0; i != NumFixed; ++i) { 532 Expr *Arg = TheCall->getArg(i+1); 533 534 // If the argument is an implicit cast, then there was a promotion due to 535 // "...", just remove it now. 536 if (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Arg)) { 537 Arg = ICE->getSubExpr(); 538 ICE->setSubExpr(0); 539 TheCall->setArg(i+1, Arg); 540 } 541 542 // GCC does an implicit conversion to the pointer or integer ValType. This 543 // can fail in some cases (1i -> int**), check for this error case now. 544 CastExpr::CastKind Kind = CastExpr::CK_Unknown; 545 CXXCastPath BasePath; 546 if (CheckCastTypes(Arg->getSourceRange(), ValType, Arg, Kind, BasePath)) 547 return ExprError(); 548 549 // Okay, we have something that *can* be converted to the right type. Check 550 // to see if there is a potentially weird extension going on here. This can 551 // happen when you do an atomic operation on something like an char* and 552 // pass in 42. The 42 gets converted to char. This is even more strange 553 // for things like 45.123 -> char, etc. 554 // FIXME: Do this check. 555 ImpCastExprToType(Arg, ValType, Kind, ImplicitCastExpr::RValue, &BasePath); 556 TheCall->setArg(i+1, Arg); 557 } 558 559 // Switch the DeclRefExpr to refer to the new decl. 560 DRE->setDecl(NewBuiltinDecl); 561 DRE->setType(NewBuiltinDecl->getType()); 562 563 // Set the callee in the CallExpr. 564 // FIXME: This leaks the original parens and implicit casts. 565 Expr *PromotedCall = DRE; 566 UsualUnaryConversions(PromotedCall); 567 TheCall->setCallee(PromotedCall); 568 569 // Change the result type of the call to match the original value type. This 570 // is arbitrary, but the codegen for these builtins ins design to handle it 571 // gracefully. 572 TheCall->setType(ResultType); 573 574 return move(TheCallResult); 575} 576 577 578/// CheckObjCString - Checks that the argument to the builtin 579/// CFString constructor is correct 580/// FIXME: GCC currently emits the following warning: 581/// "warning: input conversion stopped due to an input byte that does not 582/// belong to the input codeset UTF-8" 583/// Note: It might also make sense to do the UTF-16 conversion here (would 584/// simplify the backend). 585bool Sema::CheckObjCString(Expr *Arg) { 586 Arg = Arg->IgnoreParenCasts(); 587 StringLiteral *Literal = dyn_cast<StringLiteral>(Arg); 588 589 if (!Literal || Literal->isWide()) { 590 Diag(Arg->getLocStart(), diag::err_cfstring_literal_not_string_constant) 591 << Arg->getSourceRange(); 592 return true; 593 } 594 595 size_t NulPos = Literal->getString().find('\0'); 596 if (NulPos != llvm::StringRef::npos) { 597 Diag(getLocationOfStringLiteralByte(Literal, NulPos), 598 diag::warn_cfstring_literal_contains_nul_character) 599 << Arg->getSourceRange(); 600 } 601 602 return false; 603} 604 605/// SemaBuiltinVAStart - Check the arguments to __builtin_va_start for validity. 606/// Emit an error and return true on failure, return false on success. 607bool Sema::SemaBuiltinVAStart(CallExpr *TheCall) { 608 Expr *Fn = TheCall->getCallee(); 609 if (TheCall->getNumArgs() > 2) { 610 Diag(TheCall->getArg(2)->getLocStart(), 611 diag::err_typecheck_call_too_many_args) 612 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 613 << Fn->getSourceRange() 614 << SourceRange(TheCall->getArg(2)->getLocStart(), 615 (*(TheCall->arg_end()-1))->getLocEnd()); 616 return true; 617 } 618 619 if (TheCall->getNumArgs() < 2) { 620 return Diag(TheCall->getLocEnd(), 621 diag::err_typecheck_call_too_few_args_at_least) 622 << 0 /*function call*/ << 2 << TheCall->getNumArgs(); 623 } 624 625 // Determine whether the current function is variadic or not. 626 BlockScopeInfo *CurBlock = getCurBlock(); 627 bool isVariadic; 628 if (CurBlock) 629 isVariadic = CurBlock->TheDecl->isVariadic(); 630 else if (FunctionDecl *FD = getCurFunctionDecl()) 631 isVariadic = FD->isVariadic(); 632 else 633 isVariadic = getCurMethodDecl()->isVariadic(); 634 635 if (!isVariadic) { 636 Diag(Fn->getLocStart(), diag::err_va_start_used_in_non_variadic_function); 637 return true; 638 } 639 640 // Verify that the second argument to the builtin is the last argument of the 641 // current function or method. 642 bool SecondArgIsLastNamedArgument = false; 643 const Expr *Arg = TheCall->getArg(1)->IgnoreParenCasts(); 644 645 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Arg)) { 646 if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(DR->getDecl())) { 647 // FIXME: This isn't correct for methods (results in bogus warning). 648 // Get the last formal in the current function. 649 const ParmVarDecl *LastArg; 650 if (CurBlock) 651 LastArg = *(CurBlock->TheDecl->param_end()-1); 652 else if (FunctionDecl *FD = getCurFunctionDecl()) 653 LastArg = *(FD->param_end()-1); 654 else 655 LastArg = *(getCurMethodDecl()->param_end()-1); 656 SecondArgIsLastNamedArgument = PV == LastArg; 657 } 658 } 659 660 if (!SecondArgIsLastNamedArgument) 661 Diag(TheCall->getArg(1)->getLocStart(), 662 diag::warn_second_parameter_of_va_start_not_last_named_argument); 663 return false; 664} 665 666/// SemaBuiltinUnorderedCompare - Handle functions like __builtin_isgreater and 667/// friends. This is declared to take (...), so we have to check everything. 668bool Sema::SemaBuiltinUnorderedCompare(CallExpr *TheCall) { 669 if (TheCall->getNumArgs() < 2) 670 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 671 << 0 << 2 << TheCall->getNumArgs()/*function call*/; 672 if (TheCall->getNumArgs() > 2) 673 return Diag(TheCall->getArg(2)->getLocStart(), 674 diag::err_typecheck_call_too_many_args) 675 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 676 << SourceRange(TheCall->getArg(2)->getLocStart(), 677 (*(TheCall->arg_end()-1))->getLocEnd()); 678 679 Expr *OrigArg0 = TheCall->getArg(0); 680 Expr *OrigArg1 = TheCall->getArg(1); 681 682 // Do standard promotions between the two arguments, returning their common 683 // type. 684 QualType Res = UsualArithmeticConversions(OrigArg0, OrigArg1, false); 685 686 // Make sure any conversions are pushed back into the call; this is 687 // type safe since unordered compare builtins are declared as "_Bool 688 // foo(...)". 689 TheCall->setArg(0, OrigArg0); 690 TheCall->setArg(1, OrigArg1); 691 692 if (OrigArg0->isTypeDependent() || OrigArg1->isTypeDependent()) 693 return false; 694 695 // If the common type isn't a real floating type, then the arguments were 696 // invalid for this operation. 697 if (!Res->isRealFloatingType()) 698 return Diag(OrigArg0->getLocStart(), 699 diag::err_typecheck_call_invalid_ordered_compare) 700 << OrigArg0->getType() << OrigArg1->getType() 701 << SourceRange(OrigArg0->getLocStart(), OrigArg1->getLocEnd()); 702 703 return false; 704} 705 706/// SemaBuiltinSemaBuiltinFPClassification - Handle functions like 707/// __builtin_isnan and friends. This is declared to take (...), so we have 708/// to check everything. We expect the last argument to be a floating point 709/// value. 710bool Sema::SemaBuiltinFPClassification(CallExpr *TheCall, unsigned NumArgs) { 711 if (TheCall->getNumArgs() < NumArgs) 712 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 713 << 0 << NumArgs << TheCall->getNumArgs()/*function call*/; 714 if (TheCall->getNumArgs() > NumArgs) 715 return Diag(TheCall->getArg(NumArgs)->getLocStart(), 716 diag::err_typecheck_call_too_many_args) 717 << 0 /*function call*/ << NumArgs << TheCall->getNumArgs() 718 << SourceRange(TheCall->getArg(NumArgs)->getLocStart(), 719 (*(TheCall->arg_end()-1))->getLocEnd()); 720 721 Expr *OrigArg = TheCall->getArg(NumArgs-1); 722 723 if (OrigArg->isTypeDependent()) 724 return false; 725 726 // This operation requires a non-_Complex floating-point number. 727 if (!OrigArg->getType()->isRealFloatingType()) 728 return Diag(OrigArg->getLocStart(), 729 diag::err_typecheck_call_invalid_unary_fp) 730 << OrigArg->getType() << OrigArg->getSourceRange(); 731 732 // If this is an implicit conversion from float -> double, remove it. 733 if (ImplicitCastExpr *Cast = dyn_cast<ImplicitCastExpr>(OrigArg)) { 734 Expr *CastArg = Cast->getSubExpr(); 735 if (CastArg->getType()->isSpecificBuiltinType(BuiltinType::Float)) { 736 assert(Cast->getType()->isSpecificBuiltinType(BuiltinType::Double) && 737 "promotion from float to double is the only expected cast here"); 738 Cast->setSubExpr(0); 739 TheCall->setArg(NumArgs-1, CastArg); 740 OrigArg = CastArg; 741 } 742 } 743 744 return false; 745} 746 747/// SemaBuiltinShuffleVector - Handle __builtin_shufflevector. 748// This is declared to take (...), so we have to check everything. 749ExprResult Sema::SemaBuiltinShuffleVector(CallExpr *TheCall) { 750 if (TheCall->getNumArgs() < 2) 751 return ExprError(Diag(TheCall->getLocEnd(), 752 diag::err_typecheck_call_too_few_args_at_least) 753 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 754 << TheCall->getSourceRange()); 755 756 // Determine which of the following types of shufflevector we're checking: 757 // 1) unary, vector mask: (lhs, mask) 758 // 2) binary, vector mask: (lhs, rhs, mask) 759 // 3) binary, scalar mask: (lhs, rhs, index, ..., index) 760 QualType resType = TheCall->getArg(0)->getType(); 761 unsigned numElements = 0; 762 763 if (!TheCall->getArg(0)->isTypeDependent() && 764 !TheCall->getArg(1)->isTypeDependent()) { 765 QualType LHSType = TheCall->getArg(0)->getType(); 766 QualType RHSType = TheCall->getArg(1)->getType(); 767 768 if (!LHSType->isVectorType() || !RHSType->isVectorType()) { 769 Diag(TheCall->getLocStart(), diag::err_shufflevector_non_vector) 770 << SourceRange(TheCall->getArg(0)->getLocStart(), 771 TheCall->getArg(1)->getLocEnd()); 772 return ExprError(); 773 } 774 775 numElements = LHSType->getAs<VectorType>()->getNumElements(); 776 unsigned numResElements = TheCall->getNumArgs() - 2; 777 778 // Check to see if we have a call with 2 vector arguments, the unary shuffle 779 // with mask. If so, verify that RHS is an integer vector type with the 780 // same number of elts as lhs. 781 if (TheCall->getNumArgs() == 2) { 782 if (!RHSType->hasIntegerRepresentation() || 783 RHSType->getAs<VectorType>()->getNumElements() != numElements) 784 Diag(TheCall->getLocStart(), diag::err_shufflevector_incompatible_vector) 785 << SourceRange(TheCall->getArg(1)->getLocStart(), 786 TheCall->getArg(1)->getLocEnd()); 787 numResElements = numElements; 788 } 789 else if (!Context.hasSameUnqualifiedType(LHSType, RHSType)) { 790 Diag(TheCall->getLocStart(), diag::err_shufflevector_incompatible_vector) 791 << SourceRange(TheCall->getArg(0)->getLocStart(), 792 TheCall->getArg(1)->getLocEnd()); 793 return ExprError(); 794 } else if (numElements != numResElements) { 795 QualType eltType = LHSType->getAs<VectorType>()->getElementType(); 796 resType = Context.getVectorType(eltType, numResElements, 797 VectorType::NotAltiVec); 798 } 799 } 800 801 for (unsigned i = 2; i < TheCall->getNumArgs(); i++) { 802 if (TheCall->getArg(i)->isTypeDependent() || 803 TheCall->getArg(i)->isValueDependent()) 804 continue; 805 806 llvm::APSInt Result(32); 807 if (!TheCall->getArg(i)->isIntegerConstantExpr(Result, Context)) 808 return ExprError(Diag(TheCall->getLocStart(), 809 diag::err_shufflevector_nonconstant_argument) 810 << TheCall->getArg(i)->getSourceRange()); 811 812 if (Result.getActiveBits() > 64 || Result.getZExtValue() >= numElements*2) 813 return ExprError(Diag(TheCall->getLocStart(), 814 diag::err_shufflevector_argument_too_large) 815 << TheCall->getArg(i)->getSourceRange()); 816 } 817 818 llvm::SmallVector<Expr*, 32> exprs; 819 820 for (unsigned i = 0, e = TheCall->getNumArgs(); i != e; i++) { 821 exprs.push_back(TheCall->getArg(i)); 822 TheCall->setArg(i, 0); 823 } 824 825 return Owned(new (Context) ShuffleVectorExpr(Context, exprs.begin(), 826 exprs.size(), resType, 827 TheCall->getCallee()->getLocStart(), 828 TheCall->getRParenLoc())); 829} 830 831/// SemaBuiltinPrefetch - Handle __builtin_prefetch. 832// This is declared to take (const void*, ...) and can take two 833// optional constant int args. 834bool Sema::SemaBuiltinPrefetch(CallExpr *TheCall) { 835 unsigned NumArgs = TheCall->getNumArgs(); 836 837 if (NumArgs > 3) 838 return Diag(TheCall->getLocEnd(), 839 diag::err_typecheck_call_too_many_args_at_most) 840 << 0 /*function call*/ << 3 << NumArgs 841 << TheCall->getSourceRange(); 842 843 // Argument 0 is checked for us and the remaining arguments must be 844 // constant integers. 845 for (unsigned i = 1; i != NumArgs; ++i) { 846 Expr *Arg = TheCall->getArg(i); 847 848 llvm::APSInt Result; 849 if (SemaBuiltinConstantArg(TheCall, i, Result)) 850 return true; 851 852 // FIXME: gcc issues a warning and rewrites these to 0. These 853 // seems especially odd for the third argument since the default 854 // is 3. 855 if (i == 1) { 856 if (Result.getLimitedValue() > 1) 857 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 858 << "0" << "1" << Arg->getSourceRange(); 859 } else { 860 if (Result.getLimitedValue() > 3) 861 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 862 << "0" << "3" << Arg->getSourceRange(); 863 } 864 } 865 866 return false; 867} 868 869/// SemaBuiltinConstantArg - Handle a check if argument ArgNum of CallExpr 870/// TheCall is a constant expression. 871bool Sema::SemaBuiltinConstantArg(CallExpr *TheCall, int ArgNum, 872 llvm::APSInt &Result) { 873 Expr *Arg = TheCall->getArg(ArgNum); 874 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 875 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 876 877 if (Arg->isTypeDependent() || Arg->isValueDependent()) return false; 878 879 if (!Arg->isIntegerConstantExpr(Result, Context)) 880 return Diag(TheCall->getLocStart(), diag::err_constant_integer_arg_type) 881 << FDecl->getDeclName() << Arg->getSourceRange(); 882 883 return false; 884} 885 886/// SemaBuiltinObjectSize - Handle __builtin_object_size(void *ptr, 887/// int type). This simply type checks that type is one of the defined 888/// constants (0-3). 889// For compatability check 0-3, llvm only handles 0 and 2. 890bool Sema::SemaBuiltinObjectSize(CallExpr *TheCall) { 891 llvm::APSInt Result; 892 893 // Check constant-ness first. 894 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 895 return true; 896 897 Expr *Arg = TheCall->getArg(1); 898 if (Result.getSExtValue() < 0 || Result.getSExtValue() > 3) { 899 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 900 << "0" << "3" << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 901 } 902 903 return false; 904} 905 906/// SemaBuiltinLongjmp - Handle __builtin_longjmp(void *env[5], int val). 907/// This checks that val is a constant 1. 908bool Sema::SemaBuiltinLongjmp(CallExpr *TheCall) { 909 Expr *Arg = TheCall->getArg(1); 910 llvm::APSInt Result; 911 912 // TODO: This is less than ideal. Overload this to take a value. 913 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 914 return true; 915 916 if (Result != 1) 917 return Diag(TheCall->getLocStart(), diag::err_builtin_longjmp_invalid_val) 918 << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 919 920 return false; 921} 922 923// Handle i > 1 ? "x" : "y", recursivelly 924bool Sema::SemaCheckStringLiteral(const Expr *E, const CallExpr *TheCall, 925 bool HasVAListArg, 926 unsigned format_idx, unsigned firstDataArg, 927 bool isPrintf) { 928 929 if (E->isTypeDependent() || E->isValueDependent()) 930 return false; 931 932 switch (E->getStmtClass()) { 933 case Stmt::ConditionalOperatorClass: { 934 const ConditionalOperator *C = cast<ConditionalOperator>(E); 935 return SemaCheckStringLiteral(C->getTrueExpr(), TheCall, HasVAListArg, 936 format_idx, firstDataArg, isPrintf) 937 && SemaCheckStringLiteral(C->getRHS(), TheCall, HasVAListArg, 938 format_idx, firstDataArg, isPrintf); 939 } 940 941 case Stmt::ImplicitCastExprClass: { 942 const ImplicitCastExpr *Expr = cast<ImplicitCastExpr>(E); 943 return SemaCheckStringLiteral(Expr->getSubExpr(), TheCall, HasVAListArg, 944 format_idx, firstDataArg, isPrintf); 945 } 946 947 case Stmt::ParenExprClass: { 948 const ParenExpr *Expr = cast<ParenExpr>(E); 949 return SemaCheckStringLiteral(Expr->getSubExpr(), TheCall, HasVAListArg, 950 format_idx, firstDataArg, isPrintf); 951 } 952 953 case Stmt::DeclRefExprClass: { 954 const DeclRefExpr *DR = cast<DeclRefExpr>(E); 955 956 // As an exception, do not flag errors for variables binding to 957 // const string literals. 958 if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) { 959 bool isConstant = false; 960 QualType T = DR->getType(); 961 962 if (const ArrayType *AT = Context.getAsArrayType(T)) { 963 isConstant = AT->getElementType().isConstant(Context); 964 } else if (const PointerType *PT = T->getAs<PointerType>()) { 965 isConstant = T.isConstant(Context) && 966 PT->getPointeeType().isConstant(Context); 967 } 968 969 if (isConstant) { 970 if (const Expr *Init = VD->getAnyInitializer()) 971 return SemaCheckStringLiteral(Init, TheCall, 972 HasVAListArg, format_idx, firstDataArg, 973 isPrintf); 974 } 975 976 // For vprintf* functions (i.e., HasVAListArg==true), we add a 977 // special check to see if the format string is a function parameter 978 // of the function calling the printf function. If the function 979 // has an attribute indicating it is a printf-like function, then we 980 // should suppress warnings concerning non-literals being used in a call 981 // to a vprintf function. For example: 982 // 983 // void 984 // logmessage(char const *fmt __attribute__ (format (printf, 1, 2)), ...){ 985 // va_list ap; 986 // va_start(ap, fmt); 987 // vprintf(fmt, ap); // Do NOT emit a warning about "fmt". 988 // ... 989 // 990 // 991 // FIXME: We don't have full attribute support yet, so just check to see 992 // if the argument is a DeclRefExpr that references a parameter. We'll 993 // add proper support for checking the attribute later. 994 if (HasVAListArg) 995 if (isa<ParmVarDecl>(VD)) 996 return true; 997 } 998 999 return false; 1000 } 1001 1002 case Stmt::CallExprClass: { 1003 const CallExpr *CE = cast<CallExpr>(E); 1004 if (const ImplicitCastExpr *ICE 1005 = dyn_cast<ImplicitCastExpr>(CE->getCallee())) { 1006 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(ICE->getSubExpr())) { 1007 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(DRE->getDecl())) { 1008 if (const FormatArgAttr *FA = FD->getAttr<FormatArgAttr>()) { 1009 unsigned ArgIndex = FA->getFormatIdx(); 1010 const Expr *Arg = CE->getArg(ArgIndex - 1); 1011 1012 return SemaCheckStringLiteral(Arg, TheCall, HasVAListArg, 1013 format_idx, firstDataArg, isPrintf); 1014 } 1015 } 1016 } 1017 } 1018 1019 return false; 1020 } 1021 case Stmt::ObjCStringLiteralClass: 1022 case Stmt::StringLiteralClass: { 1023 const StringLiteral *StrE = NULL; 1024 1025 if (const ObjCStringLiteral *ObjCFExpr = dyn_cast<ObjCStringLiteral>(E)) 1026 StrE = ObjCFExpr->getString(); 1027 else 1028 StrE = cast<StringLiteral>(E); 1029 1030 if (StrE) { 1031 CheckFormatString(StrE, E, TheCall, HasVAListArg, format_idx, 1032 firstDataArg, isPrintf); 1033 return true; 1034 } 1035 1036 return false; 1037 } 1038 1039 default: 1040 return false; 1041 } 1042} 1043 1044void 1045Sema::CheckNonNullArguments(const NonNullAttr *NonNull, 1046 const CallExpr *TheCall) { 1047 for (NonNullAttr::args_iterator i = NonNull->args_begin(), 1048 e = NonNull->args_end(); 1049 i != e; ++i) { 1050 const Expr *ArgExpr = TheCall->getArg(*i); 1051 if (ArgExpr->isNullPointerConstant(Context, 1052 Expr::NPC_ValueDependentIsNotNull)) 1053 Diag(TheCall->getCallee()->getLocStart(), diag::warn_null_arg) 1054 << ArgExpr->getSourceRange(); 1055 } 1056} 1057 1058/// CheckPrintfScanfArguments - Check calls to printf and scanf (and similar 1059/// functions) for correct use of format strings. 1060void 1061Sema::CheckPrintfScanfArguments(const CallExpr *TheCall, bool HasVAListArg, 1062 unsigned format_idx, unsigned firstDataArg, 1063 bool isPrintf) { 1064 1065 const Expr *Fn = TheCall->getCallee(); 1066 1067 // The way the format attribute works in GCC, the implicit this argument 1068 // of member functions is counted. However, it doesn't appear in our own 1069 // lists, so decrement format_idx in that case. 1070 if (isa<CXXMemberCallExpr>(TheCall)) { 1071 // Catch a format attribute mistakenly referring to the object argument. 1072 if (format_idx == 0) 1073 return; 1074 --format_idx; 1075 if(firstDataArg != 0) 1076 --firstDataArg; 1077 } 1078 1079 // CHECK: printf/scanf-like function is called with no format string. 1080 if (format_idx >= TheCall->getNumArgs()) { 1081 Diag(TheCall->getRParenLoc(), diag::warn_missing_format_string) 1082 << Fn->getSourceRange(); 1083 return; 1084 } 1085 1086 const Expr *OrigFormatExpr = TheCall->getArg(format_idx)->IgnoreParenCasts(); 1087 1088 // CHECK: format string is not a string literal. 1089 // 1090 // Dynamically generated format strings are difficult to 1091 // automatically vet at compile time. Requiring that format strings 1092 // are string literals: (1) permits the checking of format strings by 1093 // the compiler and thereby (2) can practically remove the source of 1094 // many format string exploits. 1095 1096 // Format string can be either ObjC string (e.g. @"%d") or 1097 // C string (e.g. "%d") 1098 // ObjC string uses the same format specifiers as C string, so we can use 1099 // the same format string checking logic for both ObjC and C strings. 1100 if (SemaCheckStringLiteral(OrigFormatExpr, TheCall, HasVAListArg, format_idx, 1101 firstDataArg, isPrintf)) 1102 return; // Literal format string found, check done! 1103 1104 // If there are no arguments specified, warn with -Wformat-security, otherwise 1105 // warn only with -Wformat-nonliteral. 1106 if (TheCall->getNumArgs() == format_idx+1) 1107 Diag(TheCall->getArg(format_idx)->getLocStart(), 1108 diag::warn_format_nonliteral_noargs) 1109 << OrigFormatExpr->getSourceRange(); 1110 else 1111 Diag(TheCall->getArg(format_idx)->getLocStart(), 1112 diag::warn_format_nonliteral) 1113 << OrigFormatExpr->getSourceRange(); 1114} 1115 1116namespace { 1117class CheckFormatHandler : public analyze_format_string::FormatStringHandler { 1118protected: 1119 Sema &S; 1120 const StringLiteral *FExpr; 1121 const Expr *OrigFormatExpr; 1122 const unsigned FirstDataArg; 1123 const unsigned NumDataArgs; 1124 const bool IsObjCLiteral; 1125 const char *Beg; // Start of format string. 1126 const bool HasVAListArg; 1127 const CallExpr *TheCall; 1128 unsigned FormatIdx; 1129 llvm::BitVector CoveredArgs; 1130 bool usesPositionalArgs; 1131 bool atFirstArg; 1132public: 1133 CheckFormatHandler(Sema &s, const StringLiteral *fexpr, 1134 const Expr *origFormatExpr, unsigned firstDataArg, 1135 unsigned numDataArgs, bool isObjCLiteral, 1136 const char *beg, bool hasVAListArg, 1137 const CallExpr *theCall, unsigned formatIdx) 1138 : S(s), FExpr(fexpr), OrigFormatExpr(origFormatExpr), 1139 FirstDataArg(firstDataArg), 1140 NumDataArgs(numDataArgs), 1141 IsObjCLiteral(isObjCLiteral), Beg(beg), 1142 HasVAListArg(hasVAListArg), 1143 TheCall(theCall), FormatIdx(formatIdx), 1144 usesPositionalArgs(false), atFirstArg(true) { 1145 CoveredArgs.resize(numDataArgs); 1146 CoveredArgs.reset(); 1147 } 1148 1149 void DoneProcessing(); 1150 1151 void HandleIncompleteSpecifier(const char *startSpecifier, 1152 unsigned specifierLen); 1153 1154 virtual void HandleInvalidPosition(const char *startSpecifier, 1155 unsigned specifierLen, 1156 analyze_format_string::PositionContext p); 1157 1158 virtual void HandleZeroPosition(const char *startPos, unsigned posLen); 1159 1160 void HandleNullChar(const char *nullCharacter); 1161 1162protected: 1163 bool HandleInvalidConversionSpecifier(unsigned argIndex, SourceLocation Loc, 1164 const char *startSpec, 1165 unsigned specifierLen, 1166 const char *csStart, unsigned csLen); 1167 1168 SourceRange getFormatStringRange(); 1169 CharSourceRange getSpecifierRange(const char *startSpecifier, 1170 unsigned specifierLen); 1171 SourceLocation getLocationOfByte(const char *x); 1172 1173 const Expr *getDataArg(unsigned i) const; 1174 1175 bool CheckNumArgs(const analyze_format_string::FormatSpecifier &FS, 1176 const analyze_format_string::ConversionSpecifier &CS, 1177 const char *startSpecifier, unsigned specifierLen, 1178 unsigned argIndex); 1179}; 1180} 1181 1182SourceRange CheckFormatHandler::getFormatStringRange() { 1183 return OrigFormatExpr->getSourceRange(); 1184} 1185 1186CharSourceRange CheckFormatHandler:: 1187getSpecifierRange(const char *startSpecifier, unsigned specifierLen) { 1188 SourceLocation Start = getLocationOfByte(startSpecifier); 1189 SourceLocation End = getLocationOfByte(startSpecifier + specifierLen - 1); 1190 1191 // Advance the end SourceLocation by one due to half-open ranges. 1192 End = End.getFileLocWithOffset(1); 1193 1194 return CharSourceRange::getCharRange(Start, End); 1195} 1196 1197SourceLocation CheckFormatHandler::getLocationOfByte(const char *x) { 1198 return S.getLocationOfStringLiteralByte(FExpr, x - Beg); 1199} 1200 1201void CheckFormatHandler::HandleIncompleteSpecifier(const char *startSpecifier, 1202 unsigned specifierLen){ 1203 SourceLocation Loc = getLocationOfByte(startSpecifier); 1204 S.Diag(Loc, diag::warn_printf_incomplete_specifier) 1205 << getSpecifierRange(startSpecifier, specifierLen); 1206} 1207 1208void 1209CheckFormatHandler::HandleInvalidPosition(const char *startPos, unsigned posLen, 1210 analyze_format_string::PositionContext p) { 1211 SourceLocation Loc = getLocationOfByte(startPos); 1212 S.Diag(Loc, diag::warn_format_invalid_positional_specifier) 1213 << (unsigned) p << getSpecifierRange(startPos, posLen); 1214} 1215 1216void CheckFormatHandler::HandleZeroPosition(const char *startPos, 1217 unsigned posLen) { 1218 SourceLocation Loc = getLocationOfByte(startPos); 1219 S.Diag(Loc, diag::warn_format_zero_positional_specifier) 1220 << getSpecifierRange(startPos, posLen); 1221} 1222 1223void CheckFormatHandler::HandleNullChar(const char *nullCharacter) { 1224 // The presence of a null character is likely an error. 1225 S.Diag(getLocationOfByte(nullCharacter), 1226 diag::warn_printf_format_string_contains_null_char) 1227 << getFormatStringRange(); 1228} 1229 1230const Expr *CheckFormatHandler::getDataArg(unsigned i) const { 1231 return TheCall->getArg(FirstDataArg + i); 1232} 1233 1234void CheckFormatHandler::DoneProcessing() { 1235 // Does the number of data arguments exceed the number of 1236 // format conversions in the format string? 1237 if (!HasVAListArg) { 1238 // Find any arguments that weren't covered. 1239 CoveredArgs.flip(); 1240 signed notCoveredArg = CoveredArgs.find_first(); 1241 if (notCoveredArg >= 0) { 1242 assert((unsigned)notCoveredArg < NumDataArgs); 1243 S.Diag(getDataArg((unsigned) notCoveredArg)->getLocStart(), 1244 diag::warn_printf_data_arg_not_used) 1245 << getFormatStringRange(); 1246 } 1247 } 1248} 1249 1250bool 1251CheckFormatHandler::HandleInvalidConversionSpecifier(unsigned argIndex, 1252 SourceLocation Loc, 1253 const char *startSpec, 1254 unsigned specifierLen, 1255 const char *csStart, 1256 unsigned csLen) { 1257 1258 bool keepGoing = true; 1259 if (argIndex < NumDataArgs) { 1260 // Consider the argument coverered, even though the specifier doesn't 1261 // make sense. 1262 CoveredArgs.set(argIndex); 1263 } 1264 else { 1265 // If argIndex exceeds the number of data arguments we 1266 // don't issue a warning because that is just a cascade of warnings (and 1267 // they may have intended '%%' anyway). We don't want to continue processing 1268 // the format string after this point, however, as we will like just get 1269 // gibberish when trying to match arguments. 1270 keepGoing = false; 1271 } 1272 1273 S.Diag(Loc, diag::warn_format_invalid_conversion) 1274 << llvm::StringRef(csStart, csLen) 1275 << getSpecifierRange(startSpec, specifierLen); 1276 1277 return keepGoing; 1278} 1279 1280bool 1281CheckFormatHandler::CheckNumArgs( 1282 const analyze_format_string::FormatSpecifier &FS, 1283 const analyze_format_string::ConversionSpecifier &CS, 1284 const char *startSpecifier, unsigned specifierLen, unsigned argIndex) { 1285 1286 if (argIndex >= NumDataArgs) { 1287 if (FS.usesPositionalArg()) { 1288 S.Diag(getLocationOfByte(CS.getStart()), 1289 diag::warn_printf_positional_arg_exceeds_data_args) 1290 << (argIndex+1) << NumDataArgs 1291 << getSpecifierRange(startSpecifier, specifierLen); 1292 } 1293 else { 1294 S.Diag(getLocationOfByte(CS.getStart()), 1295 diag::warn_printf_insufficient_data_args) 1296 << getSpecifierRange(startSpecifier, specifierLen); 1297 } 1298 1299 return false; 1300 } 1301 return true; 1302} 1303 1304//===--- CHECK: Printf format string checking ------------------------------===// 1305 1306namespace { 1307class CheckPrintfHandler : public CheckFormatHandler { 1308public: 1309 CheckPrintfHandler(Sema &s, const StringLiteral *fexpr, 1310 const Expr *origFormatExpr, unsigned firstDataArg, 1311 unsigned numDataArgs, bool isObjCLiteral, 1312 const char *beg, bool hasVAListArg, 1313 const CallExpr *theCall, unsigned formatIdx) 1314 : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg, 1315 numDataArgs, isObjCLiteral, beg, hasVAListArg, 1316 theCall, formatIdx) {} 1317 1318 1319 bool HandleInvalidPrintfConversionSpecifier( 1320 const analyze_printf::PrintfSpecifier &FS, 1321 const char *startSpecifier, 1322 unsigned specifierLen); 1323 1324 bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS, 1325 const char *startSpecifier, 1326 unsigned specifierLen); 1327 1328 bool HandleAmount(const analyze_format_string::OptionalAmount &Amt, unsigned k, 1329 const char *startSpecifier, unsigned specifierLen); 1330 void HandleInvalidAmount(const analyze_printf::PrintfSpecifier &FS, 1331 const analyze_printf::OptionalAmount &Amt, 1332 unsigned type, 1333 const char *startSpecifier, unsigned specifierLen); 1334 void HandleFlag(const analyze_printf::PrintfSpecifier &FS, 1335 const analyze_printf::OptionalFlag &flag, 1336 const char *startSpecifier, unsigned specifierLen); 1337 void HandleIgnoredFlag(const analyze_printf::PrintfSpecifier &FS, 1338 const analyze_printf::OptionalFlag &ignoredFlag, 1339 const analyze_printf::OptionalFlag &flag, 1340 const char *startSpecifier, unsigned specifierLen); 1341}; 1342} 1343 1344bool CheckPrintfHandler::HandleInvalidPrintfConversionSpecifier( 1345 const analyze_printf::PrintfSpecifier &FS, 1346 const char *startSpecifier, 1347 unsigned specifierLen) { 1348 const analyze_printf::PrintfConversionSpecifier &CS = 1349 FS.getConversionSpecifier(); 1350 1351 return HandleInvalidConversionSpecifier(FS.getArgIndex(), 1352 getLocationOfByte(CS.getStart()), 1353 startSpecifier, specifierLen, 1354 CS.getStart(), CS.getLength()); 1355} 1356 1357bool CheckPrintfHandler::HandleAmount( 1358 const analyze_format_string::OptionalAmount &Amt, 1359 unsigned k, const char *startSpecifier, 1360 unsigned specifierLen) { 1361 1362 if (Amt.hasDataArgument()) { 1363 if (!HasVAListArg) { 1364 unsigned argIndex = Amt.getArgIndex(); 1365 if (argIndex >= NumDataArgs) { 1366 S.Diag(getLocationOfByte(Amt.getStart()), 1367 diag::warn_printf_asterisk_missing_arg) 1368 << k << getSpecifierRange(startSpecifier, specifierLen); 1369 // Don't do any more checking. We will just emit 1370 // spurious errors. 1371 return false; 1372 } 1373 1374 // Type check the data argument. It should be an 'int'. 1375 // Although not in conformance with C99, we also allow the argument to be 1376 // an 'unsigned int' as that is a reasonably safe case. GCC also 1377 // doesn't emit a warning for that case. 1378 CoveredArgs.set(argIndex); 1379 const Expr *Arg = getDataArg(argIndex); 1380 QualType T = Arg->getType(); 1381 1382 const analyze_printf::ArgTypeResult &ATR = Amt.getArgType(S.Context); 1383 assert(ATR.isValid()); 1384 1385 if (!ATR.matchesType(S.Context, T)) { 1386 S.Diag(getLocationOfByte(Amt.getStart()), 1387 diag::warn_printf_asterisk_wrong_type) 1388 << k 1389 << ATR.getRepresentativeType(S.Context) << T 1390 << getSpecifierRange(startSpecifier, specifierLen) 1391 << Arg->getSourceRange(); 1392 // Don't do any more checking. We will just emit 1393 // spurious errors. 1394 return false; 1395 } 1396 } 1397 } 1398 return true; 1399} 1400 1401void CheckPrintfHandler::HandleInvalidAmount( 1402 const analyze_printf::PrintfSpecifier &FS, 1403 const analyze_printf::OptionalAmount &Amt, 1404 unsigned type, 1405 const char *startSpecifier, 1406 unsigned specifierLen) { 1407 const analyze_printf::PrintfConversionSpecifier &CS = 1408 FS.getConversionSpecifier(); 1409 switch (Amt.getHowSpecified()) { 1410 case analyze_printf::OptionalAmount::Constant: 1411 S.Diag(getLocationOfByte(Amt.getStart()), 1412 diag::warn_printf_nonsensical_optional_amount) 1413 << type 1414 << CS.toString() 1415 << getSpecifierRange(startSpecifier, specifierLen) 1416 << FixItHint::CreateRemoval(getSpecifierRange(Amt.getStart(), 1417 Amt.getConstantLength())); 1418 break; 1419 1420 default: 1421 S.Diag(getLocationOfByte(Amt.getStart()), 1422 diag::warn_printf_nonsensical_optional_amount) 1423 << type 1424 << CS.toString() 1425 << getSpecifierRange(startSpecifier, specifierLen); 1426 break; 1427 } 1428} 1429 1430void CheckPrintfHandler::HandleFlag(const analyze_printf::PrintfSpecifier &FS, 1431 const analyze_printf::OptionalFlag &flag, 1432 const char *startSpecifier, 1433 unsigned specifierLen) { 1434 // Warn about pointless flag with a fixit removal. 1435 const analyze_printf::PrintfConversionSpecifier &CS = 1436 FS.getConversionSpecifier(); 1437 S.Diag(getLocationOfByte(flag.getPosition()), 1438 diag::warn_printf_nonsensical_flag) 1439 << flag.toString() << CS.toString() 1440 << getSpecifierRange(startSpecifier, specifierLen) 1441 << FixItHint::CreateRemoval(getSpecifierRange(flag.getPosition(), 1)); 1442} 1443 1444void CheckPrintfHandler::HandleIgnoredFlag( 1445 const analyze_printf::PrintfSpecifier &FS, 1446 const analyze_printf::OptionalFlag &ignoredFlag, 1447 const analyze_printf::OptionalFlag &flag, 1448 const char *startSpecifier, 1449 unsigned specifierLen) { 1450 // Warn about ignored flag with a fixit removal. 1451 S.Diag(getLocationOfByte(ignoredFlag.getPosition()), 1452 diag::warn_printf_ignored_flag) 1453 << ignoredFlag.toString() << flag.toString() 1454 << getSpecifierRange(startSpecifier, specifierLen) 1455 << FixItHint::CreateRemoval(getSpecifierRange( 1456 ignoredFlag.getPosition(), 1)); 1457} 1458 1459bool 1460CheckPrintfHandler::HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier 1461 &FS, 1462 const char *startSpecifier, 1463 unsigned specifierLen) { 1464 1465 using namespace analyze_format_string; 1466 using namespace analyze_printf; 1467 const PrintfConversionSpecifier &CS = FS.getConversionSpecifier(); 1468 1469 if (FS.consumesDataArgument()) { 1470 if (atFirstArg) { 1471 atFirstArg = false; 1472 usesPositionalArgs = FS.usesPositionalArg(); 1473 } 1474 else if (usesPositionalArgs != FS.usesPositionalArg()) { 1475 // Cannot mix-and-match positional and non-positional arguments. 1476 S.Diag(getLocationOfByte(CS.getStart()), 1477 diag::warn_format_mix_positional_nonpositional_args) 1478 << getSpecifierRange(startSpecifier, specifierLen); 1479 return false; 1480 } 1481 } 1482 1483 // First check if the field width, precision, and conversion specifier 1484 // have matching data arguments. 1485 if (!HandleAmount(FS.getFieldWidth(), /* field width */ 0, 1486 startSpecifier, specifierLen)) { 1487 return false; 1488 } 1489 1490 if (!HandleAmount(FS.getPrecision(), /* precision */ 1, 1491 startSpecifier, specifierLen)) { 1492 return false; 1493 } 1494 1495 if (!CS.consumesDataArgument()) { 1496 // FIXME: Technically specifying a precision or field width here 1497 // makes no sense. Worth issuing a warning at some point. 1498 return true; 1499 } 1500 1501 // Consume the argument. 1502 unsigned argIndex = FS.getArgIndex(); 1503 if (argIndex < NumDataArgs) { 1504 // The check to see if the argIndex is valid will come later. 1505 // We set the bit here because we may exit early from this 1506 // function if we encounter some other error. 1507 CoveredArgs.set(argIndex); 1508 } 1509 1510 // Check for using an Objective-C specific conversion specifier 1511 // in a non-ObjC literal. 1512 if (!IsObjCLiteral && CS.isObjCArg()) { 1513 return HandleInvalidPrintfConversionSpecifier(FS, startSpecifier, 1514 specifierLen); 1515 } 1516 1517 // Check for invalid use of field width 1518 if (!FS.hasValidFieldWidth()) { 1519 HandleInvalidAmount(FS, FS.getFieldWidth(), /* field width */ 0, 1520 startSpecifier, specifierLen); 1521 } 1522 1523 // Check for invalid use of precision 1524 if (!FS.hasValidPrecision()) { 1525 HandleInvalidAmount(FS, FS.getPrecision(), /* precision */ 1, 1526 startSpecifier, specifierLen); 1527 } 1528 1529 // Check each flag does not conflict with any other component. 1530 if (!FS.hasValidLeadingZeros()) 1531 HandleFlag(FS, FS.hasLeadingZeros(), startSpecifier, specifierLen); 1532 if (!FS.hasValidPlusPrefix()) 1533 HandleFlag(FS, FS.hasPlusPrefix(), startSpecifier, specifierLen); 1534 if (!FS.hasValidSpacePrefix()) 1535 HandleFlag(FS, FS.hasSpacePrefix(), startSpecifier, specifierLen); 1536 if (!FS.hasValidAlternativeForm()) 1537 HandleFlag(FS, FS.hasAlternativeForm(), startSpecifier, specifierLen); 1538 if (!FS.hasValidLeftJustified()) 1539 HandleFlag(FS, FS.isLeftJustified(), startSpecifier, specifierLen); 1540 1541 // Check that flags are not ignored by another flag 1542 if (FS.hasSpacePrefix() && FS.hasPlusPrefix()) // ' ' ignored by '+' 1543 HandleIgnoredFlag(FS, FS.hasSpacePrefix(), FS.hasPlusPrefix(), 1544 startSpecifier, specifierLen); 1545 if (FS.hasLeadingZeros() && FS.isLeftJustified()) // '0' ignored by '-' 1546 HandleIgnoredFlag(FS, FS.hasLeadingZeros(), FS.isLeftJustified(), 1547 startSpecifier, specifierLen); 1548 1549 // Check the length modifier is valid with the given conversion specifier. 1550 const LengthModifier &LM = FS.getLengthModifier(); 1551 if (!FS.hasValidLengthModifier()) 1552 S.Diag(getLocationOfByte(LM.getStart()), 1553 diag::warn_format_nonsensical_length) 1554 << LM.toString() << CS.toString() 1555 << getSpecifierRange(startSpecifier, specifierLen) 1556 << FixItHint::CreateRemoval(getSpecifierRange(LM.getStart(), 1557 LM.getLength())); 1558 1559 // Are we using '%n'? 1560 if (CS.getKind() == ConversionSpecifier::nArg) { 1561 // Issue a warning about this being a possible security issue. 1562 S.Diag(getLocationOfByte(CS.getStart()), diag::warn_printf_write_back) 1563 << getSpecifierRange(startSpecifier, specifierLen); 1564 // Continue checking the other format specifiers. 1565 return true; 1566 } 1567 1568 // The remaining checks depend on the data arguments. 1569 if (HasVAListArg) 1570 return true; 1571 1572 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex)) 1573 return false; 1574 1575 // Now type check the data expression that matches the 1576 // format specifier. 1577 const Expr *Ex = getDataArg(argIndex); 1578 const analyze_printf::ArgTypeResult &ATR = FS.getArgType(S.Context); 1579 if (ATR.isValid() && !ATR.matchesType(S.Context, Ex->getType())) { 1580 // Check if we didn't match because of an implicit cast from a 'char' 1581 // or 'short' to an 'int'. This is done because printf is a varargs 1582 // function. 1583 if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Ex)) 1584 if (ICE->getType() == S.Context.IntTy) 1585 if (ATR.matchesType(S.Context, ICE->getSubExpr()->getType())) 1586 return true; 1587 1588 // We may be able to offer a FixItHint if it is a supported type. 1589 PrintfSpecifier fixedFS = FS; 1590 bool success = fixedFS.fixType(Ex->getType()); 1591 1592 if (success) { 1593 // Get the fix string from the fixed format specifier 1594 llvm::SmallString<128> buf; 1595 llvm::raw_svector_ostream os(buf); 1596 fixedFS.toString(os); 1597 1598 S.Diag(getLocationOfByte(CS.getStart()), 1599 diag::warn_printf_conversion_argument_type_mismatch) 1600 << ATR.getRepresentativeType(S.Context) << Ex->getType() 1601 << getSpecifierRange(startSpecifier, specifierLen) 1602 << Ex->getSourceRange() 1603 << FixItHint::CreateReplacement( 1604 getSpecifierRange(startSpecifier, specifierLen), 1605 os.str()); 1606 } 1607 else { 1608 S.Diag(getLocationOfByte(CS.getStart()), 1609 diag::warn_printf_conversion_argument_type_mismatch) 1610 << ATR.getRepresentativeType(S.Context) << Ex->getType() 1611 << getSpecifierRange(startSpecifier, specifierLen) 1612 << Ex->getSourceRange(); 1613 } 1614 } 1615 1616 return true; 1617} 1618 1619//===--- CHECK: Scanf format string checking ------------------------------===// 1620 1621namespace { 1622class CheckScanfHandler : public CheckFormatHandler { 1623public: 1624 CheckScanfHandler(Sema &s, const StringLiteral *fexpr, 1625 const Expr *origFormatExpr, unsigned firstDataArg, 1626 unsigned numDataArgs, bool isObjCLiteral, 1627 const char *beg, bool hasVAListArg, 1628 const CallExpr *theCall, unsigned formatIdx) 1629 : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg, 1630 numDataArgs, isObjCLiteral, beg, hasVAListArg, 1631 theCall, formatIdx) {} 1632 1633 bool HandleScanfSpecifier(const analyze_scanf::ScanfSpecifier &FS, 1634 const char *startSpecifier, 1635 unsigned specifierLen); 1636 1637 bool HandleInvalidScanfConversionSpecifier( 1638 const analyze_scanf::ScanfSpecifier &FS, 1639 const char *startSpecifier, 1640 unsigned specifierLen); 1641 1642 void HandleIncompleteScanList(const char *start, const char *end); 1643}; 1644} 1645 1646void CheckScanfHandler::HandleIncompleteScanList(const char *start, 1647 const char *end) { 1648 S.Diag(getLocationOfByte(end), diag::warn_scanf_scanlist_incomplete) 1649 << getSpecifierRange(start, end - start); 1650} 1651 1652bool CheckScanfHandler::HandleInvalidScanfConversionSpecifier( 1653 const analyze_scanf::ScanfSpecifier &FS, 1654 const char *startSpecifier, 1655 unsigned specifierLen) { 1656 1657 const analyze_scanf::ScanfConversionSpecifier &CS = 1658 FS.getConversionSpecifier(); 1659 1660 return HandleInvalidConversionSpecifier(FS.getArgIndex(), 1661 getLocationOfByte(CS.getStart()), 1662 startSpecifier, specifierLen, 1663 CS.getStart(), CS.getLength()); 1664} 1665 1666bool CheckScanfHandler::HandleScanfSpecifier( 1667 const analyze_scanf::ScanfSpecifier &FS, 1668 const char *startSpecifier, 1669 unsigned specifierLen) { 1670 1671 using namespace analyze_scanf; 1672 using namespace analyze_format_string; 1673 1674 const ScanfConversionSpecifier &CS = FS.getConversionSpecifier(); 1675 1676 // Handle case where '%' and '*' don't consume an argument. These shouldn't 1677 // be used to decide if we are using positional arguments consistently. 1678 if (FS.consumesDataArgument()) { 1679 if (atFirstArg) { 1680 atFirstArg = false; 1681 usesPositionalArgs = FS.usesPositionalArg(); 1682 } 1683 else if (usesPositionalArgs != FS.usesPositionalArg()) { 1684 // Cannot mix-and-match positional and non-positional arguments. 1685 S.Diag(getLocationOfByte(CS.getStart()), 1686 diag::warn_format_mix_positional_nonpositional_args) 1687 << getSpecifierRange(startSpecifier, specifierLen); 1688 return false; 1689 } 1690 } 1691 1692 // Check if the field with is non-zero. 1693 const OptionalAmount &Amt = FS.getFieldWidth(); 1694 if (Amt.getHowSpecified() == OptionalAmount::Constant) { 1695 if (Amt.getConstantAmount() == 0) { 1696 const CharSourceRange &R = getSpecifierRange(Amt.getStart(), 1697 Amt.getConstantLength()); 1698 S.Diag(getLocationOfByte(Amt.getStart()), 1699 diag::warn_scanf_nonzero_width) 1700 << R << FixItHint::CreateRemoval(R); 1701 } 1702 } 1703 1704 if (!FS.consumesDataArgument()) { 1705 // FIXME: Technically specifying a precision or field width here 1706 // makes no sense. Worth issuing a warning at some point. 1707 return true; 1708 } 1709 1710 // Consume the argument. 1711 unsigned argIndex = FS.getArgIndex(); 1712 if (argIndex < NumDataArgs) { 1713 // The check to see if the argIndex is valid will come later. 1714 // We set the bit here because we may exit early from this 1715 // function if we encounter some other error. 1716 CoveredArgs.set(argIndex); 1717 } 1718 1719 // Check the length modifier is valid with the given conversion specifier. 1720 const LengthModifier &LM = FS.getLengthModifier(); 1721 if (!FS.hasValidLengthModifier()) { 1722 S.Diag(getLocationOfByte(LM.getStart()), 1723 diag::warn_format_nonsensical_length) 1724 << LM.toString() << CS.toString() 1725 << getSpecifierRange(startSpecifier, specifierLen) 1726 << FixItHint::CreateRemoval(getSpecifierRange(LM.getStart(), 1727 LM.getLength())); 1728 } 1729 1730 // The remaining checks depend on the data arguments. 1731 if (HasVAListArg) 1732 return true; 1733 1734 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex)) 1735 return false; 1736 1737 // FIXME: Check that the argument type matches the format specifier. 1738 1739 return true; 1740} 1741 1742void Sema::CheckFormatString(const StringLiteral *FExpr, 1743 const Expr *OrigFormatExpr, 1744 const CallExpr *TheCall, bool HasVAListArg, 1745 unsigned format_idx, unsigned firstDataArg, 1746 bool isPrintf) { 1747 1748 // CHECK: is the format string a wide literal? 1749 if (FExpr->isWide()) { 1750 Diag(FExpr->getLocStart(), 1751 diag::warn_format_string_is_wide_literal) 1752 << OrigFormatExpr->getSourceRange(); 1753 return; 1754 } 1755 1756 // Str - The format string. NOTE: this is NOT null-terminated! 1757 llvm::StringRef StrRef = FExpr->getString(); 1758 const char *Str = StrRef.data(); 1759 unsigned StrLen = StrRef.size(); 1760 1761 // CHECK: empty format string? 1762 if (StrLen == 0) { 1763 Diag(FExpr->getLocStart(), diag::warn_empty_format_string) 1764 << OrigFormatExpr->getSourceRange(); 1765 return; 1766 } 1767 1768 if (isPrintf) { 1769 CheckPrintfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, 1770 TheCall->getNumArgs() - firstDataArg, 1771 isa<ObjCStringLiteral>(OrigFormatExpr), Str, 1772 HasVAListArg, TheCall, format_idx); 1773 1774 if (!analyze_format_string::ParsePrintfString(H, Str, Str + StrLen)) 1775 H.DoneProcessing(); 1776 } 1777 else { 1778 CheckScanfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, 1779 TheCall->getNumArgs() - firstDataArg, 1780 isa<ObjCStringLiteral>(OrigFormatExpr), Str, 1781 HasVAListArg, TheCall, format_idx); 1782 1783 if (!analyze_format_string::ParseScanfString(H, Str, Str + StrLen)) 1784 H.DoneProcessing(); 1785 } 1786} 1787 1788//===--- CHECK: Return Address of Stack Variable --------------------------===// 1789 1790static DeclRefExpr* EvalVal(Expr *E); 1791static DeclRefExpr* EvalAddr(Expr* E); 1792 1793/// CheckReturnStackAddr - Check if a return statement returns the address 1794/// of a stack variable. 1795void 1796Sema::CheckReturnStackAddr(Expr *RetValExp, QualType lhsType, 1797 SourceLocation ReturnLoc) { 1798 1799 // Perform checking for returned stack addresses. 1800 if (lhsType->isPointerType() || lhsType->isBlockPointerType()) { 1801 if (DeclRefExpr *DR = EvalAddr(RetValExp)) 1802 Diag(DR->getLocStart(), diag::warn_ret_stack_addr) 1803 << DR->getDecl()->getDeclName() << RetValExp->getSourceRange(); 1804 1805 // Skip over implicit cast expressions when checking for block expressions. 1806 RetValExp = RetValExp->IgnoreParenCasts(); 1807 1808 if (BlockExpr *C = dyn_cast<BlockExpr>(RetValExp)) 1809 if (C->hasBlockDeclRefExprs()) 1810 Diag(C->getLocStart(), diag::err_ret_local_block) 1811 << C->getSourceRange(); 1812 1813 if (AddrLabelExpr *ALE = dyn_cast<AddrLabelExpr>(RetValExp)) 1814 Diag(ALE->getLocStart(), diag::warn_ret_addr_label) 1815 << ALE->getSourceRange(); 1816 1817 } else if (lhsType->isReferenceType()) { 1818 // Perform checking for stack values returned by reference. 1819 // Check for a reference to the stack 1820 if (DeclRefExpr *DR = EvalVal(RetValExp)) 1821 Diag(DR->getLocStart(), diag::warn_ret_stack_ref) 1822 << DR->getDecl()->getDeclName() << RetValExp->getSourceRange(); 1823 } 1824} 1825 1826/// EvalAddr - EvalAddr and EvalVal are mutually recursive functions that 1827/// check if the expression in a return statement evaluates to an address 1828/// to a location on the stack. The recursion is used to traverse the 1829/// AST of the return expression, with recursion backtracking when we 1830/// encounter a subexpression that (1) clearly does not lead to the address 1831/// of a stack variable or (2) is something we cannot determine leads to 1832/// the address of a stack variable based on such local checking. 1833/// 1834/// EvalAddr processes expressions that are pointers that are used as 1835/// references (and not L-values). EvalVal handles all other values. 1836/// At the base case of the recursion is a check for a DeclRefExpr* in 1837/// the refers to a stack variable. 1838/// 1839/// This implementation handles: 1840/// 1841/// * pointer-to-pointer casts 1842/// * implicit conversions from array references to pointers 1843/// * taking the address of fields 1844/// * arbitrary interplay between "&" and "*" operators 1845/// * pointer arithmetic from an address of a stack variable 1846/// * taking the address of an array element where the array is on the stack 1847static DeclRefExpr* EvalAddr(Expr *E) { 1848 // We should only be called for evaluating pointer expressions. 1849 assert((E->getType()->isAnyPointerType() || 1850 E->getType()->isBlockPointerType() || 1851 E->getType()->isObjCQualifiedIdType()) && 1852 "EvalAddr only works on pointers"); 1853 1854 // Our "symbolic interpreter" is just a dispatch off the currently 1855 // viewed AST node. We then recursively traverse the AST by calling 1856 // EvalAddr and EvalVal appropriately. 1857 switch (E->getStmtClass()) { 1858 case Stmt::ParenExprClass: 1859 // Ignore parentheses. 1860 return EvalAddr(cast<ParenExpr>(E)->getSubExpr()); 1861 1862 case Stmt::UnaryOperatorClass: { 1863 // The only unary operator that make sense to handle here 1864 // is AddrOf. All others don't make sense as pointers. 1865 UnaryOperator *U = cast<UnaryOperator>(E); 1866 1867 if (U->getOpcode() == UnaryOperator::AddrOf) 1868 return EvalVal(U->getSubExpr()); 1869 else 1870 return NULL; 1871 } 1872 1873 case Stmt::BinaryOperatorClass: { 1874 // Handle pointer arithmetic. All other binary operators are not valid 1875 // in this context. 1876 BinaryOperator *B = cast<BinaryOperator>(E); 1877 BinaryOperator::Opcode op = B->getOpcode(); 1878 1879 if (op != BinaryOperator::Add && op != BinaryOperator::Sub) 1880 return NULL; 1881 1882 Expr *Base = B->getLHS(); 1883 1884 // Determine which argument is the real pointer base. It could be 1885 // the RHS argument instead of the LHS. 1886 if (!Base->getType()->isPointerType()) Base = B->getRHS(); 1887 1888 assert (Base->getType()->isPointerType()); 1889 return EvalAddr(Base); 1890 } 1891 1892 // For conditional operators we need to see if either the LHS or RHS are 1893 // valid DeclRefExpr*s. If one of them is valid, we return it. 1894 case Stmt::ConditionalOperatorClass: { 1895 ConditionalOperator *C = cast<ConditionalOperator>(E); 1896 1897 // Handle the GNU extension for missing LHS. 1898 if (Expr *lhsExpr = C->getLHS()) 1899 if (DeclRefExpr* LHS = EvalAddr(lhsExpr)) 1900 return LHS; 1901 1902 return EvalAddr(C->getRHS()); 1903 } 1904 1905 // For casts, we need to handle conversions from arrays to 1906 // pointer values, and pointer-to-pointer conversions. 1907 case Stmt::ImplicitCastExprClass: 1908 case Stmt::CStyleCastExprClass: 1909 case Stmt::CXXFunctionalCastExprClass: { 1910 Expr* SubExpr = cast<CastExpr>(E)->getSubExpr(); 1911 QualType T = SubExpr->getType(); 1912 1913 if (SubExpr->getType()->isPointerType() || 1914 SubExpr->getType()->isBlockPointerType() || 1915 SubExpr->getType()->isObjCQualifiedIdType()) 1916 return EvalAddr(SubExpr); 1917 else if (T->isArrayType()) 1918 return EvalVal(SubExpr); 1919 else 1920 return 0; 1921 } 1922 1923 // C++ casts. For dynamic casts, static casts, and const casts, we 1924 // are always converting from a pointer-to-pointer, so we just blow 1925 // through the cast. In the case the dynamic cast doesn't fail (and 1926 // return NULL), we take the conservative route and report cases 1927 // where we return the address of a stack variable. For Reinterpre 1928 // FIXME: The comment about is wrong; we're not always converting 1929 // from pointer to pointer. I'm guessing that this code should also 1930 // handle references to objects. 1931 case Stmt::CXXStaticCastExprClass: 1932 case Stmt::CXXDynamicCastExprClass: 1933 case Stmt::CXXConstCastExprClass: 1934 case Stmt::CXXReinterpretCastExprClass: { 1935 Expr *S = cast<CXXNamedCastExpr>(E)->getSubExpr(); 1936 if (S->getType()->isPointerType() || S->getType()->isBlockPointerType()) 1937 return EvalAddr(S); 1938 else 1939 return NULL; 1940 } 1941 1942 // Everything else: we simply don't reason about them. 1943 default: 1944 return NULL; 1945 } 1946} 1947 1948 1949/// EvalVal - This function is complements EvalAddr in the mutual recursion. 1950/// See the comments for EvalAddr for more details. 1951static DeclRefExpr* EvalVal(Expr *E) { 1952do { 1953 // We should only be called for evaluating non-pointer expressions, or 1954 // expressions with a pointer type that are not used as references but instead 1955 // are l-values (e.g., DeclRefExpr with a pointer type). 1956 1957 // Our "symbolic interpreter" is just a dispatch off the currently 1958 // viewed AST node. We then recursively traverse the AST by calling 1959 // EvalAddr and EvalVal appropriately. 1960 switch (E->getStmtClass()) { 1961 case Stmt::ImplicitCastExprClass: { 1962 ImplicitCastExpr *IE = cast<ImplicitCastExpr>(E); 1963 if (IE->getCategory() == ImplicitCastExpr::LValue) { 1964 E = IE->getSubExpr(); 1965 continue; 1966 } 1967 return NULL; 1968 } 1969 1970 case Stmt::DeclRefExprClass: { 1971 // DeclRefExpr: the base case. When we hit a DeclRefExpr we are looking 1972 // at code that refers to a variable's name. We check if it has local 1973 // storage within the function, and if so, return the expression. 1974 DeclRefExpr *DR = cast<DeclRefExpr>(E); 1975 1976 if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) 1977 if (V->hasLocalStorage() && !V->getType()->isReferenceType()) return DR; 1978 1979 return NULL; 1980 } 1981 1982 case Stmt::ParenExprClass: { 1983 // Ignore parentheses. 1984 E = cast<ParenExpr>(E)->getSubExpr(); 1985 continue; 1986 } 1987 1988 case Stmt::UnaryOperatorClass: { 1989 // The only unary operator that make sense to handle here 1990 // is Deref. All others don't resolve to a "name." This includes 1991 // handling all sorts of rvalues passed to a unary operator. 1992 UnaryOperator *U = cast<UnaryOperator>(E); 1993 1994 if (U->getOpcode() == UnaryOperator::Deref) 1995 return EvalAddr(U->getSubExpr()); 1996 1997 return NULL; 1998 } 1999 2000 case Stmt::ArraySubscriptExprClass: { 2001 // Array subscripts are potential references to data on the stack. We 2002 // retrieve the DeclRefExpr* for the array variable if it indeed 2003 // has local storage. 2004 return EvalAddr(cast<ArraySubscriptExpr>(E)->getBase()); 2005 } 2006 2007 case Stmt::ConditionalOperatorClass: { 2008 // For conditional operators we need to see if either the LHS or RHS are 2009 // non-NULL DeclRefExpr's. If one is non-NULL, we return it. 2010 ConditionalOperator *C = cast<ConditionalOperator>(E); 2011 2012 // Handle the GNU extension for missing LHS. 2013 if (Expr *lhsExpr = C->getLHS()) 2014 if (DeclRefExpr *LHS = EvalVal(lhsExpr)) 2015 return LHS; 2016 2017 return EvalVal(C->getRHS()); 2018 } 2019 2020 // Accesses to members are potential references to data on the stack. 2021 case Stmt::MemberExprClass: { 2022 MemberExpr *M = cast<MemberExpr>(E); 2023 2024 // Check for indirect access. We only want direct field accesses. 2025 if (!M->isArrow()) 2026 return EvalVal(M->getBase()); 2027 else 2028 return NULL; 2029 } 2030 2031 // Everything else: we simply don't reason about them. 2032 default: 2033 return NULL; 2034 } 2035} while (true); 2036} 2037 2038//===--- CHECK: Floating-Point comparisons (-Wfloat-equal) ---------------===// 2039 2040/// Check for comparisons of floating point operands using != and ==. 2041/// Issue a warning if these are no self-comparisons, as they are not likely 2042/// to do what the programmer intended. 2043void Sema::CheckFloatComparison(SourceLocation loc, Expr* lex, Expr *rex) { 2044 bool EmitWarning = true; 2045 2046 Expr* LeftExprSansParen = lex->IgnoreParens(); 2047 Expr* RightExprSansParen = rex->IgnoreParens(); 2048 2049 // Special case: check for x == x (which is OK). 2050 // Do not emit warnings for such cases. 2051 if (DeclRefExpr* DRL = dyn_cast<DeclRefExpr>(LeftExprSansParen)) 2052 if (DeclRefExpr* DRR = dyn_cast<DeclRefExpr>(RightExprSansParen)) 2053 if (DRL->getDecl() == DRR->getDecl()) 2054 EmitWarning = false; 2055 2056 2057 // Special case: check for comparisons against literals that can be exactly 2058 // represented by APFloat. In such cases, do not emit a warning. This 2059 // is a heuristic: often comparison against such literals are used to 2060 // detect if a value in a variable has not changed. This clearly can 2061 // lead to false negatives. 2062 if (EmitWarning) { 2063 if (FloatingLiteral* FLL = dyn_cast<FloatingLiteral>(LeftExprSansParen)) { 2064 if (FLL->isExact()) 2065 EmitWarning = false; 2066 } else 2067 if (FloatingLiteral* FLR = dyn_cast<FloatingLiteral>(RightExprSansParen)){ 2068 if (FLR->isExact()) 2069 EmitWarning = false; 2070 } 2071 } 2072 2073 // Check for comparisons with builtin types. 2074 if (EmitWarning) 2075 if (CallExpr* CL = dyn_cast<CallExpr>(LeftExprSansParen)) 2076 if (CL->isBuiltinCall(Context)) 2077 EmitWarning = false; 2078 2079 if (EmitWarning) 2080 if (CallExpr* CR = dyn_cast<CallExpr>(RightExprSansParen)) 2081 if (CR->isBuiltinCall(Context)) 2082 EmitWarning = false; 2083 2084 // Emit the diagnostic. 2085 if (EmitWarning) 2086 Diag(loc, diag::warn_floatingpoint_eq) 2087 << lex->getSourceRange() << rex->getSourceRange(); 2088} 2089 2090//===--- CHECK: Integer mixed-sign comparisons (-Wsign-compare) --------===// 2091//===--- CHECK: Lossy implicit conversions (-Wconversion) --------------===// 2092 2093namespace { 2094 2095/// Structure recording the 'active' range of an integer-valued 2096/// expression. 2097struct IntRange { 2098 /// The number of bits active in the int. 2099 unsigned Width; 2100 2101 /// True if the int is known not to have negative values. 2102 bool NonNegative; 2103 2104 IntRange(unsigned Width, bool NonNegative) 2105 : Width(Width), NonNegative(NonNegative) 2106 {} 2107 2108 // Returns the range of the bool type. 2109 static IntRange forBoolType() { 2110 return IntRange(1, true); 2111 } 2112 2113 // Returns the range of an integral type. 2114 static IntRange forType(ASTContext &C, QualType T) { 2115 return forCanonicalType(C, T->getCanonicalTypeInternal().getTypePtr()); 2116 } 2117 2118 // Returns the range of an integeral type based on its canonical 2119 // representation. 2120 static IntRange forCanonicalType(ASTContext &C, const Type *T) { 2121 assert(T->isCanonicalUnqualified()); 2122 2123 if (const VectorType *VT = dyn_cast<VectorType>(T)) 2124 T = VT->getElementType().getTypePtr(); 2125 if (const ComplexType *CT = dyn_cast<ComplexType>(T)) 2126 T = CT->getElementType().getTypePtr(); 2127 2128 if (const EnumType *ET = dyn_cast<EnumType>(T)) { 2129 EnumDecl *Enum = ET->getDecl(); 2130 unsigned NumPositive = Enum->getNumPositiveBits(); 2131 unsigned NumNegative = Enum->getNumNegativeBits(); 2132 2133 return IntRange(std::max(NumPositive, NumNegative), NumNegative == 0); 2134 } 2135 2136 const BuiltinType *BT = cast<BuiltinType>(T); 2137 assert(BT->isInteger()); 2138 2139 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); 2140 } 2141 2142 // Returns the supremum of two ranges: i.e. their conservative merge. 2143 static IntRange join(IntRange L, IntRange R) { 2144 return IntRange(std::max(L.Width, R.Width), 2145 L.NonNegative && R.NonNegative); 2146 } 2147 2148 // Returns the infinum of two ranges: i.e. their aggressive merge. 2149 static IntRange meet(IntRange L, IntRange R) { 2150 return IntRange(std::min(L.Width, R.Width), 2151 L.NonNegative || R.NonNegative); 2152 } 2153}; 2154 2155IntRange GetValueRange(ASTContext &C, llvm::APSInt &value, unsigned MaxWidth) { 2156 if (value.isSigned() && value.isNegative()) 2157 return IntRange(value.getMinSignedBits(), false); 2158 2159 if (value.getBitWidth() > MaxWidth) 2160 value.trunc(MaxWidth); 2161 2162 // isNonNegative() just checks the sign bit without considering 2163 // signedness. 2164 return IntRange(value.getActiveBits(), true); 2165} 2166 2167IntRange GetValueRange(ASTContext &C, APValue &result, QualType Ty, 2168 unsigned MaxWidth) { 2169 if (result.isInt()) 2170 return GetValueRange(C, result.getInt(), MaxWidth); 2171 2172 if (result.isVector()) { 2173 IntRange R = GetValueRange(C, result.getVectorElt(0), Ty, MaxWidth); 2174 for (unsigned i = 1, e = result.getVectorLength(); i != e; ++i) { 2175 IntRange El = GetValueRange(C, result.getVectorElt(i), Ty, MaxWidth); 2176 R = IntRange::join(R, El); 2177 } 2178 return R; 2179 } 2180 2181 if (result.isComplexInt()) { 2182 IntRange R = GetValueRange(C, result.getComplexIntReal(), MaxWidth); 2183 IntRange I = GetValueRange(C, result.getComplexIntImag(), MaxWidth); 2184 return IntRange::join(R, I); 2185 } 2186 2187 // This can happen with lossless casts to intptr_t of "based" lvalues. 2188 // Assume it might use arbitrary bits. 2189 // FIXME: The only reason we need to pass the type in here is to get 2190 // the sign right on this one case. It would be nice if APValue 2191 // preserved this. 2192 assert(result.isLValue()); 2193 return IntRange(MaxWidth, Ty->isUnsignedIntegerType()); 2194} 2195 2196/// Pseudo-evaluate the given integer expression, estimating the 2197/// range of values it might take. 2198/// 2199/// \param MaxWidth - the width to which the value will be truncated 2200IntRange GetExprRange(ASTContext &C, Expr *E, unsigned MaxWidth) { 2201 E = E->IgnoreParens(); 2202 2203 // Try a full evaluation first. 2204 Expr::EvalResult result; 2205 if (E->Evaluate(result, C)) 2206 return GetValueRange(C, result.Val, E->getType(), MaxWidth); 2207 2208 // I think we only want to look through implicit casts here; if the 2209 // user has an explicit widening cast, we should treat the value as 2210 // being of the new, wider type. 2211 if (ImplicitCastExpr *CE = dyn_cast<ImplicitCastExpr>(E)) { 2212 if (CE->getCastKind() == CastExpr::CK_NoOp) 2213 return GetExprRange(C, CE->getSubExpr(), MaxWidth); 2214 2215 IntRange OutputTypeRange = IntRange::forType(C, CE->getType()); 2216 2217 bool isIntegerCast = (CE->getCastKind() == CastExpr::CK_IntegralCast); 2218 if (!isIntegerCast && CE->getCastKind() == CastExpr::CK_Unknown) 2219 isIntegerCast = CE->getSubExpr()->getType()->isIntegerType(); 2220 2221 // Assume that non-integer casts can span the full range of the type. 2222 if (!isIntegerCast) 2223 return OutputTypeRange; 2224 2225 IntRange SubRange 2226 = GetExprRange(C, CE->getSubExpr(), 2227 std::min(MaxWidth, OutputTypeRange.Width)); 2228 2229 // Bail out if the subexpr's range is as wide as the cast type. 2230 if (SubRange.Width >= OutputTypeRange.Width) 2231 return OutputTypeRange; 2232 2233 // Otherwise, we take the smaller width, and we're non-negative if 2234 // either the output type or the subexpr is. 2235 return IntRange(SubRange.Width, 2236 SubRange.NonNegative || OutputTypeRange.NonNegative); 2237 } 2238 2239 if (ConditionalOperator *CO = dyn_cast<ConditionalOperator>(E)) { 2240 // If we can fold the condition, just take that operand. 2241 bool CondResult; 2242 if (CO->getCond()->EvaluateAsBooleanCondition(CondResult, C)) 2243 return GetExprRange(C, CondResult ? CO->getTrueExpr() 2244 : CO->getFalseExpr(), 2245 MaxWidth); 2246 2247 // Otherwise, conservatively merge. 2248 IntRange L = GetExprRange(C, CO->getTrueExpr(), MaxWidth); 2249 IntRange R = GetExprRange(C, CO->getFalseExpr(), MaxWidth); 2250 return IntRange::join(L, R); 2251 } 2252 2253 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 2254 switch (BO->getOpcode()) { 2255 2256 // Boolean-valued operations are single-bit and positive. 2257 case BinaryOperator::LAnd: 2258 case BinaryOperator::LOr: 2259 case BinaryOperator::LT: 2260 case BinaryOperator::GT: 2261 case BinaryOperator::LE: 2262 case BinaryOperator::GE: 2263 case BinaryOperator::EQ: 2264 case BinaryOperator::NE: 2265 return IntRange::forBoolType(); 2266 2267 // The type of these compound assignments is the type of the LHS, 2268 // so the RHS is not necessarily an integer. 2269 case BinaryOperator::MulAssign: 2270 case BinaryOperator::DivAssign: 2271 case BinaryOperator::RemAssign: 2272 case BinaryOperator::AddAssign: 2273 case BinaryOperator::SubAssign: 2274 return IntRange::forType(C, E->getType()); 2275 2276 // Operations with opaque sources are black-listed. 2277 case BinaryOperator::PtrMemD: 2278 case BinaryOperator::PtrMemI: 2279 return IntRange::forType(C, E->getType()); 2280 2281 // Bitwise-and uses the *infinum* of the two source ranges. 2282 case BinaryOperator::And: 2283 case BinaryOperator::AndAssign: 2284 return IntRange::meet(GetExprRange(C, BO->getLHS(), MaxWidth), 2285 GetExprRange(C, BO->getRHS(), MaxWidth)); 2286 2287 // Left shift gets black-listed based on a judgement call. 2288 case BinaryOperator::Shl: 2289 // ...except that we want to treat '1 << (blah)' as logically 2290 // positive. It's an important idiom. 2291 if (IntegerLiteral *I 2292 = dyn_cast<IntegerLiteral>(BO->getLHS()->IgnoreParenCasts())) { 2293 if (I->getValue() == 1) { 2294 IntRange R = IntRange::forType(C, E->getType()); 2295 return IntRange(R.Width, /*NonNegative*/ true); 2296 } 2297 } 2298 // fallthrough 2299 2300 case BinaryOperator::ShlAssign: 2301 return IntRange::forType(C, E->getType()); 2302 2303 // Right shift by a constant can narrow its left argument. 2304 case BinaryOperator::Shr: 2305 case BinaryOperator::ShrAssign: { 2306 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 2307 2308 // If the shift amount is a positive constant, drop the width by 2309 // that much. 2310 llvm::APSInt shift; 2311 if (BO->getRHS()->isIntegerConstantExpr(shift, C) && 2312 shift.isNonNegative()) { 2313 unsigned zext = shift.getZExtValue(); 2314 if (zext >= L.Width) 2315 L.Width = (L.NonNegative ? 0 : 1); 2316 else 2317 L.Width -= zext; 2318 } 2319 2320 return L; 2321 } 2322 2323 // Comma acts as its right operand. 2324 case BinaryOperator::Comma: 2325 return GetExprRange(C, BO->getRHS(), MaxWidth); 2326 2327 // Black-list pointer subtractions. 2328 case BinaryOperator::Sub: 2329 if (BO->getLHS()->getType()->isPointerType()) 2330 return IntRange::forType(C, E->getType()); 2331 // fallthrough 2332 2333 default: 2334 break; 2335 } 2336 2337 // Treat every other operator as if it were closed on the 2338 // narrowest type that encompasses both operands. 2339 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 2340 IntRange R = GetExprRange(C, BO->getRHS(), MaxWidth); 2341 return IntRange::join(L, R); 2342 } 2343 2344 if (UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) { 2345 switch (UO->getOpcode()) { 2346 // Boolean-valued operations are white-listed. 2347 case UnaryOperator::LNot: 2348 return IntRange::forBoolType(); 2349 2350 // Operations with opaque sources are black-listed. 2351 case UnaryOperator::Deref: 2352 case UnaryOperator::AddrOf: // should be impossible 2353 return IntRange::forType(C, E->getType()); 2354 2355 default: 2356 return GetExprRange(C, UO->getSubExpr(), MaxWidth); 2357 } 2358 } 2359 2360 if (dyn_cast<OffsetOfExpr>(E)) { 2361 IntRange::forType(C, E->getType()); 2362 } 2363 2364 FieldDecl *BitField = E->getBitField(); 2365 if (BitField) { 2366 llvm::APSInt BitWidthAP = BitField->getBitWidth()->EvaluateAsInt(C); 2367 unsigned BitWidth = BitWidthAP.getZExtValue(); 2368 2369 return IntRange(BitWidth, BitField->getType()->isUnsignedIntegerType()); 2370 } 2371 2372 return IntRange::forType(C, E->getType()); 2373} 2374 2375IntRange GetExprRange(ASTContext &C, Expr *E) { 2376 return GetExprRange(C, E, C.getIntWidth(E->getType())); 2377} 2378 2379/// Checks whether the given value, which currently has the given 2380/// source semantics, has the same value when coerced through the 2381/// target semantics. 2382bool IsSameFloatAfterCast(const llvm::APFloat &value, 2383 const llvm::fltSemantics &Src, 2384 const llvm::fltSemantics &Tgt) { 2385 llvm::APFloat truncated = value; 2386 2387 bool ignored; 2388 truncated.convert(Src, llvm::APFloat::rmNearestTiesToEven, &ignored); 2389 truncated.convert(Tgt, llvm::APFloat::rmNearestTiesToEven, &ignored); 2390 2391 return truncated.bitwiseIsEqual(value); 2392} 2393 2394/// Checks whether the given value, which currently has the given 2395/// source semantics, has the same value when coerced through the 2396/// target semantics. 2397/// 2398/// The value might be a vector of floats (or a complex number). 2399bool IsSameFloatAfterCast(const APValue &value, 2400 const llvm::fltSemantics &Src, 2401 const llvm::fltSemantics &Tgt) { 2402 if (value.isFloat()) 2403 return IsSameFloatAfterCast(value.getFloat(), Src, Tgt); 2404 2405 if (value.isVector()) { 2406 for (unsigned i = 0, e = value.getVectorLength(); i != e; ++i) 2407 if (!IsSameFloatAfterCast(value.getVectorElt(i), Src, Tgt)) 2408 return false; 2409 return true; 2410 } 2411 2412 assert(value.isComplexFloat()); 2413 return (IsSameFloatAfterCast(value.getComplexFloatReal(), Src, Tgt) && 2414 IsSameFloatAfterCast(value.getComplexFloatImag(), Src, Tgt)); 2415} 2416 2417void AnalyzeImplicitConversions(Sema &S, Expr *E); 2418 2419bool IsZero(Sema &S, Expr *E) { 2420 llvm::APSInt Value; 2421 return E->isIntegerConstantExpr(Value, S.Context) && Value == 0; 2422} 2423 2424void CheckTrivialUnsignedComparison(Sema &S, BinaryOperator *E) { 2425 BinaryOperator::Opcode op = E->getOpcode(); 2426 if (op == BinaryOperator::LT && IsZero(S, E->getRHS())) { 2427 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 2428 << "< 0" << "false" 2429 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 2430 } else if (op == BinaryOperator::GE && IsZero(S, E->getRHS())) { 2431 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 2432 << ">= 0" << "true" 2433 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 2434 } else if (op == BinaryOperator::GT && IsZero(S, E->getLHS())) { 2435 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 2436 << "0 >" << "false" 2437 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 2438 } else if (op == BinaryOperator::LE && IsZero(S, E->getLHS())) { 2439 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 2440 << "0 <=" << "true" 2441 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 2442 } 2443} 2444 2445/// Analyze the operands of the given comparison. Implements the 2446/// fallback case from AnalyzeComparison. 2447void AnalyzeImpConvsInComparison(Sema &S, BinaryOperator *E) { 2448 AnalyzeImplicitConversions(S, E->getLHS()); 2449 AnalyzeImplicitConversions(S, E->getRHS()); 2450} 2451 2452/// \brief Implements -Wsign-compare. 2453/// 2454/// \param lex the left-hand expression 2455/// \param rex the right-hand expression 2456/// \param OpLoc the location of the joining operator 2457/// \param BinOpc binary opcode or 0 2458void AnalyzeComparison(Sema &S, BinaryOperator *E) { 2459 // The type the comparison is being performed in. 2460 QualType T = E->getLHS()->getType(); 2461 assert(S.Context.hasSameUnqualifiedType(T, E->getRHS()->getType()) 2462 && "comparison with mismatched types"); 2463 2464 // We don't do anything special if this isn't an unsigned integral 2465 // comparison: we're only interested in integral comparisons, and 2466 // signed comparisons only happen in cases we don't care to warn about. 2467 if (!T->hasUnsignedIntegerRepresentation()) 2468 return AnalyzeImpConvsInComparison(S, E); 2469 2470 Expr *lex = E->getLHS()->IgnoreParenImpCasts(); 2471 Expr *rex = E->getRHS()->IgnoreParenImpCasts(); 2472 2473 // Check to see if one of the (unmodified) operands is of different 2474 // signedness. 2475 Expr *signedOperand, *unsignedOperand; 2476 if (lex->getType()->hasSignedIntegerRepresentation()) { 2477 assert(!rex->getType()->hasSignedIntegerRepresentation() && 2478 "unsigned comparison between two signed integer expressions?"); 2479 signedOperand = lex; 2480 unsignedOperand = rex; 2481 } else if (rex->getType()->hasSignedIntegerRepresentation()) { 2482 signedOperand = rex; 2483 unsignedOperand = lex; 2484 } else { 2485 CheckTrivialUnsignedComparison(S, E); 2486 return AnalyzeImpConvsInComparison(S, E); 2487 } 2488 2489 // Otherwise, calculate the effective range of the signed operand. 2490 IntRange signedRange = GetExprRange(S.Context, signedOperand); 2491 2492 // Go ahead and analyze implicit conversions in the operands. Note 2493 // that we skip the implicit conversions on both sides. 2494 AnalyzeImplicitConversions(S, lex); 2495 AnalyzeImplicitConversions(S, rex); 2496 2497 // If the signed range is non-negative, -Wsign-compare won't fire, 2498 // but we should still check for comparisons which are always true 2499 // or false. 2500 if (signedRange.NonNegative) 2501 return CheckTrivialUnsignedComparison(S, E); 2502 2503 // For (in)equality comparisons, if the unsigned operand is a 2504 // constant which cannot collide with a overflowed signed operand, 2505 // then reinterpreting the signed operand as unsigned will not 2506 // change the result of the comparison. 2507 if (E->isEqualityOp()) { 2508 unsigned comparisonWidth = S.Context.getIntWidth(T); 2509 IntRange unsignedRange = GetExprRange(S.Context, unsignedOperand); 2510 2511 // We should never be unable to prove that the unsigned operand is 2512 // non-negative. 2513 assert(unsignedRange.NonNegative && "unsigned range includes negative?"); 2514 2515 if (unsignedRange.Width < comparisonWidth) 2516 return; 2517 } 2518 2519 S.Diag(E->getOperatorLoc(), diag::warn_mixed_sign_comparison) 2520 << lex->getType() << rex->getType() 2521 << lex->getSourceRange() << rex->getSourceRange(); 2522} 2523 2524/// Diagnose an implicit cast; purely a helper for CheckImplicitConversion. 2525void DiagnoseImpCast(Sema &S, Expr *E, QualType T, unsigned diag) { 2526 S.Diag(E->getExprLoc(), diag) << E->getType() << T << E->getSourceRange(); 2527} 2528 2529void CheckImplicitConversion(Sema &S, Expr *E, QualType T, 2530 bool *ICContext = 0) { 2531 if (E->isTypeDependent() || E->isValueDependent()) return; 2532 2533 const Type *Source = S.Context.getCanonicalType(E->getType()).getTypePtr(); 2534 const Type *Target = S.Context.getCanonicalType(T).getTypePtr(); 2535 if (Source == Target) return; 2536 if (Target->isDependentType()) return; 2537 2538 // Never diagnose implicit casts to bool. 2539 if (Target->isSpecificBuiltinType(BuiltinType::Bool)) 2540 return; 2541 2542 // Strip vector types. 2543 if (isa<VectorType>(Source)) { 2544 if (!isa<VectorType>(Target)) 2545 return DiagnoseImpCast(S, E, T, diag::warn_impcast_vector_scalar); 2546 2547 Source = cast<VectorType>(Source)->getElementType().getTypePtr(); 2548 Target = cast<VectorType>(Target)->getElementType().getTypePtr(); 2549 } 2550 2551 // Strip complex types. 2552 if (isa<ComplexType>(Source)) { 2553 if (!isa<ComplexType>(Target)) 2554 return DiagnoseImpCast(S, E, T, diag::warn_impcast_complex_scalar); 2555 2556 Source = cast<ComplexType>(Source)->getElementType().getTypePtr(); 2557 Target = cast<ComplexType>(Target)->getElementType().getTypePtr(); 2558 } 2559 2560 const BuiltinType *SourceBT = dyn_cast<BuiltinType>(Source); 2561 const BuiltinType *TargetBT = dyn_cast<BuiltinType>(Target); 2562 2563 // If the source is floating point... 2564 if (SourceBT && SourceBT->isFloatingPoint()) { 2565 // ...and the target is floating point... 2566 if (TargetBT && TargetBT->isFloatingPoint()) { 2567 // ...then warn if we're dropping FP rank. 2568 2569 // Builtin FP kinds are ordered by increasing FP rank. 2570 if (SourceBT->getKind() > TargetBT->getKind()) { 2571 // Don't warn about float constants that are precisely 2572 // representable in the target type. 2573 Expr::EvalResult result; 2574 if (E->Evaluate(result, S.Context)) { 2575 // Value might be a float, a float vector, or a float complex. 2576 if (IsSameFloatAfterCast(result.Val, 2577 S.Context.getFloatTypeSemantics(QualType(TargetBT, 0)), 2578 S.Context.getFloatTypeSemantics(QualType(SourceBT, 0)))) 2579 return; 2580 } 2581 2582 DiagnoseImpCast(S, E, T, diag::warn_impcast_float_precision); 2583 } 2584 return; 2585 } 2586 2587 // If the target is integral, always warn. 2588 if ((TargetBT && TargetBT->isInteger())) 2589 // TODO: don't warn for integer values? 2590 DiagnoseImpCast(S, E, T, diag::warn_impcast_float_integer); 2591 2592 return; 2593 } 2594 2595 if (!Source->isIntegerType() || !Target->isIntegerType()) 2596 return; 2597 2598 IntRange SourceRange = GetExprRange(S.Context, E); 2599 IntRange TargetRange = IntRange::forCanonicalType(S.Context, Target); 2600 2601 if (SourceRange.Width > TargetRange.Width) { 2602 // People want to build with -Wshorten-64-to-32 and not -Wconversion 2603 // and by god we'll let them. 2604 if (SourceRange.Width == 64 && TargetRange.Width == 32) 2605 return DiagnoseImpCast(S, E, T, diag::warn_impcast_integer_64_32); 2606 return DiagnoseImpCast(S, E, T, diag::warn_impcast_integer_precision); 2607 } 2608 2609 if ((TargetRange.NonNegative && !SourceRange.NonNegative) || 2610 (!TargetRange.NonNegative && SourceRange.NonNegative && 2611 SourceRange.Width == TargetRange.Width)) { 2612 unsigned DiagID = diag::warn_impcast_integer_sign; 2613 2614 // Traditionally, gcc has warned about this under -Wsign-compare. 2615 // We also want to warn about it in -Wconversion. 2616 // So if -Wconversion is off, use a completely identical diagnostic 2617 // in the sign-compare group. 2618 // The conditional-checking code will 2619 if (ICContext) { 2620 DiagID = diag::warn_impcast_integer_sign_conditional; 2621 *ICContext = true; 2622 } 2623 2624 return DiagnoseImpCast(S, E, T, DiagID); 2625 } 2626 2627 return; 2628} 2629 2630void CheckConditionalOperator(Sema &S, ConditionalOperator *E, QualType T); 2631 2632void CheckConditionalOperand(Sema &S, Expr *E, QualType T, 2633 bool &ICContext) { 2634 E = E->IgnoreParenImpCasts(); 2635 2636 if (isa<ConditionalOperator>(E)) 2637 return CheckConditionalOperator(S, cast<ConditionalOperator>(E), T); 2638 2639 AnalyzeImplicitConversions(S, E); 2640 if (E->getType() != T) 2641 return CheckImplicitConversion(S, E, T, &ICContext); 2642 return; 2643} 2644 2645void CheckConditionalOperator(Sema &S, ConditionalOperator *E, QualType T) { 2646 AnalyzeImplicitConversions(S, E->getCond()); 2647 2648 bool Suspicious = false; 2649 CheckConditionalOperand(S, E->getTrueExpr(), T, Suspicious); 2650 CheckConditionalOperand(S, E->getFalseExpr(), T, Suspicious); 2651 2652 // If -Wconversion would have warned about either of the candidates 2653 // for a signedness conversion to the context type... 2654 if (!Suspicious) return; 2655 2656 // ...but it's currently ignored... 2657 if (S.Diags.getDiagnosticLevel(diag::warn_impcast_integer_sign_conditional)) 2658 return; 2659 2660 // ...and -Wsign-compare isn't... 2661 if (!S.Diags.getDiagnosticLevel(diag::warn_mixed_sign_conditional)) 2662 return; 2663 2664 // ...then check whether it would have warned about either of the 2665 // candidates for a signedness conversion to the condition type. 2666 if (E->getType() != T) { 2667 Suspicious = false; 2668 CheckImplicitConversion(S, E->getTrueExpr()->IgnoreParenImpCasts(), 2669 E->getType(), &Suspicious); 2670 if (!Suspicious) 2671 CheckImplicitConversion(S, E->getFalseExpr()->IgnoreParenImpCasts(), 2672 E->getType(), &Suspicious); 2673 if (!Suspicious) 2674 return; 2675 } 2676 2677 // If so, emit a diagnostic under -Wsign-compare. 2678 Expr *lex = E->getTrueExpr()->IgnoreParenImpCasts(); 2679 Expr *rex = E->getFalseExpr()->IgnoreParenImpCasts(); 2680 S.Diag(E->getQuestionLoc(), diag::warn_mixed_sign_conditional) 2681 << lex->getType() << rex->getType() 2682 << lex->getSourceRange() << rex->getSourceRange(); 2683} 2684 2685/// AnalyzeImplicitConversions - Find and report any interesting 2686/// implicit conversions in the given expression. There are a couple 2687/// of competing diagnostics here, -Wconversion and -Wsign-compare. 2688void AnalyzeImplicitConversions(Sema &S, Expr *OrigE) { 2689 QualType T = OrigE->getType(); 2690 Expr *E = OrigE->IgnoreParenImpCasts(); 2691 2692 // For conditional operators, we analyze the arguments as if they 2693 // were being fed directly into the output. 2694 if (isa<ConditionalOperator>(E)) { 2695 ConditionalOperator *CO = cast<ConditionalOperator>(E); 2696 CheckConditionalOperator(S, CO, T); 2697 return; 2698 } 2699 2700 // Go ahead and check any implicit conversions we might have skipped. 2701 // The non-canonical typecheck is just an optimization; 2702 // CheckImplicitConversion will filter out dead implicit conversions. 2703 if (E->getType() != T) 2704 CheckImplicitConversion(S, E, T); 2705 2706 // Now continue drilling into this expression. 2707 2708 // Skip past explicit casts. 2709 if (isa<ExplicitCastExpr>(E)) { 2710 E = cast<ExplicitCastExpr>(E)->getSubExpr()->IgnoreParenImpCasts(); 2711 return AnalyzeImplicitConversions(S, E); 2712 } 2713 2714 // Do a somewhat different check with comparison operators. 2715 if (isa<BinaryOperator>(E) && cast<BinaryOperator>(E)->isComparisonOp()) 2716 return AnalyzeComparison(S, cast<BinaryOperator>(E)); 2717 2718 // These break the otherwise-useful invariant below. Fortunately, 2719 // we don't really need to recurse into them, because any internal 2720 // expressions should have been analyzed already when they were 2721 // built into statements. 2722 if (isa<StmtExpr>(E)) return; 2723 2724 // Don't descend into unevaluated contexts. 2725 if (isa<SizeOfAlignOfExpr>(E)) return; 2726 2727 // Now just recurse over the expression's children. 2728 for (Stmt::child_iterator I = E->child_begin(), IE = E->child_end(); 2729 I != IE; ++I) 2730 AnalyzeImplicitConversions(S, cast<Expr>(*I)); 2731} 2732 2733} // end anonymous namespace 2734 2735/// Diagnoses "dangerous" implicit conversions within the given 2736/// expression (which is a full expression). Implements -Wconversion 2737/// and -Wsign-compare. 2738void Sema::CheckImplicitConversions(Expr *E) { 2739 // Don't diagnose in unevaluated contexts. 2740 if (ExprEvalContexts.back().Context == Sema::Unevaluated) 2741 return; 2742 2743 // Don't diagnose for value- or type-dependent expressions. 2744 if (E->isTypeDependent() || E->isValueDependent()) 2745 return; 2746 2747 AnalyzeImplicitConversions(*this, E); 2748} 2749 2750/// CheckParmsForFunctionDef - Check that the parameters of the given 2751/// function are appropriate for the definition of a function. This 2752/// takes care of any checks that cannot be performed on the 2753/// declaration itself, e.g., that the types of each of the function 2754/// parameters are complete. 2755bool Sema::CheckParmsForFunctionDef(FunctionDecl *FD) { 2756 bool HasInvalidParm = false; 2757 for (unsigned p = 0, NumParams = FD->getNumParams(); p < NumParams; ++p) { 2758 ParmVarDecl *Param = FD->getParamDecl(p); 2759 2760 // C99 6.7.5.3p4: the parameters in a parameter type list in a 2761 // function declarator that is part of a function definition of 2762 // that function shall not have incomplete type. 2763 // 2764 // This is also C++ [dcl.fct]p6. 2765 if (!Param->isInvalidDecl() && 2766 RequireCompleteType(Param->getLocation(), Param->getType(), 2767 diag::err_typecheck_decl_incomplete_type)) { 2768 Param->setInvalidDecl(); 2769 HasInvalidParm = true; 2770 } 2771 2772 // C99 6.9.1p5: If the declarator includes a parameter type list, the 2773 // declaration of each parameter shall include an identifier. 2774 if (Param->getIdentifier() == 0 && 2775 !Param->isImplicit() && 2776 !getLangOptions().CPlusPlus) 2777 Diag(Param->getLocation(), diag::err_parameter_name_omitted); 2778 2779 // C99 6.7.5.3p12: 2780 // If the function declarator is not part of a definition of that 2781 // function, parameters may have incomplete type and may use the [*] 2782 // notation in their sequences of declarator specifiers to specify 2783 // variable length array types. 2784 QualType PType = Param->getOriginalType(); 2785 if (const ArrayType *AT = Context.getAsArrayType(PType)) { 2786 if (AT->getSizeModifier() == ArrayType::Star) { 2787 // FIXME: This diagnosic should point the the '[*]' if source-location 2788 // information is added for it. 2789 Diag(Param->getLocation(), diag::err_array_star_in_function_definition); 2790 } 2791 } 2792 } 2793 2794 return HasInvalidParm; 2795} 2796 2797/// CheckCastAlign - Implements -Wcast-align, which warns when a 2798/// pointer cast increases the alignment requirements. 2799void Sema::CheckCastAlign(Expr *Op, QualType T, SourceRange TRange) { 2800 // This is actually a lot of work to potentially be doing on every 2801 // cast; don't do it if we're ignoring -Wcast_align (as is the default). 2802 if (getDiagnostics().getDiagnosticLevel(diag::warn_cast_align) 2803 == Diagnostic::Ignored) 2804 return; 2805 2806 // Ignore dependent types. 2807 if (T->isDependentType() || Op->getType()->isDependentType()) 2808 return; 2809 2810 // Require that the destination be a pointer type. 2811 const PointerType *DestPtr = T->getAs<PointerType>(); 2812 if (!DestPtr) return; 2813 2814 // If the destination has alignment 1, we're done. 2815 QualType DestPointee = DestPtr->getPointeeType(); 2816 if (DestPointee->isIncompleteType()) return; 2817 CharUnits DestAlign = Context.getTypeAlignInChars(DestPointee); 2818 if (DestAlign.isOne()) return; 2819 2820 // Require that the source be a pointer type. 2821 const PointerType *SrcPtr = Op->getType()->getAs<PointerType>(); 2822 if (!SrcPtr) return; 2823 QualType SrcPointee = SrcPtr->getPointeeType(); 2824 2825 // Whitelist casts from cv void*. We already implicitly 2826 // whitelisted casts to cv void*, since they have alignment 1. 2827 // Also whitelist casts involving incomplete types, which implicitly 2828 // includes 'void'. 2829 if (SrcPointee->isIncompleteType()) return; 2830 2831 CharUnits SrcAlign = Context.getTypeAlignInChars(SrcPointee); 2832 if (SrcAlign >= DestAlign) return; 2833 2834 Diag(TRange.getBegin(), diag::warn_cast_align) 2835 << Op->getType() << T 2836 << static_cast<unsigned>(SrcAlign.getQuantity()) 2837 << static_cast<unsigned>(DestAlign.getQuantity()) 2838 << TRange << Op->getSourceRange(); 2839} 2840 2841