SemaChecking.cpp revision 6bcf27bb9a4b5c3f79cb44c0e4654a6d7619ad89
1//===--- SemaChecking.cpp - Extra Semantic Checking -----------------------===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file implements extra semantic analysis beyond what is enforced 11// by the C type system. 12// 13//===----------------------------------------------------------------------===// 14 15#include "clang/Sema/SemaInternal.h" 16#include "clang/AST/ASTContext.h" 17#include "clang/AST/CharUnits.h" 18#include "clang/AST/DeclCXX.h" 19#include "clang/AST/DeclObjC.h" 20#include "clang/AST/EvaluatedExprVisitor.h" 21#include "clang/AST/Expr.h" 22#include "clang/AST/ExprCXX.h" 23#include "clang/AST/ExprObjC.h" 24#include "clang/AST/StmtCXX.h" 25#include "clang/AST/StmtObjC.h" 26#include "clang/Analysis/Analyses/FormatString.h" 27#include "clang/Basic/CharInfo.h" 28#include "clang/Basic/TargetBuiltins.h" 29#include "clang/Basic/TargetInfo.h" 30#include "clang/Lex/Lexer.h" // TODO: Extract static functions to fix layering. 31#include "clang/Sema/Initialization.h" 32#include "clang/Sema/Lookup.h" 33#include "clang/Sema/ScopeInfo.h" 34#include "clang/Sema/Sema.h" 35#include "llvm/ADT/STLExtras.h" 36#include "llvm/ADT/SmallBitVector.h" 37#include "llvm/ADT/SmallString.h" 38#include "llvm/Support/ConvertUTF.h" 39#include "llvm/Support/raw_ostream.h" 40#include <limits> 41using namespace clang; 42using namespace sema; 43 44SourceLocation Sema::getLocationOfStringLiteralByte(const StringLiteral *SL, 45 unsigned ByteNo) const { 46 return SL->getLocationOfByte(ByteNo, getSourceManager(), LangOpts, 47 Context.getTargetInfo()); 48} 49 50/// Checks that a call expression's argument count is the desired number. 51/// This is useful when doing custom type-checking. Returns true on error. 52static bool checkArgCount(Sema &S, CallExpr *call, unsigned desiredArgCount) { 53 unsigned argCount = call->getNumArgs(); 54 if (argCount == desiredArgCount) return false; 55 56 if (argCount < desiredArgCount) 57 return S.Diag(call->getLocEnd(), diag::err_typecheck_call_too_few_args) 58 << 0 /*function call*/ << desiredArgCount << argCount 59 << call->getSourceRange(); 60 61 // Highlight all the excess arguments. 62 SourceRange range(call->getArg(desiredArgCount)->getLocStart(), 63 call->getArg(argCount - 1)->getLocEnd()); 64 65 return S.Diag(range.getBegin(), diag::err_typecheck_call_too_many_args) 66 << 0 /*function call*/ << desiredArgCount << argCount 67 << call->getArg(1)->getSourceRange(); 68} 69 70/// Check that the first argument to __builtin_annotation is an integer 71/// and the second argument is a non-wide string literal. 72static bool SemaBuiltinAnnotation(Sema &S, CallExpr *TheCall) { 73 if (checkArgCount(S, TheCall, 2)) 74 return true; 75 76 // First argument should be an integer. 77 Expr *ValArg = TheCall->getArg(0); 78 QualType Ty = ValArg->getType(); 79 if (!Ty->isIntegerType()) { 80 S.Diag(ValArg->getLocStart(), diag::err_builtin_annotation_first_arg) 81 << ValArg->getSourceRange(); 82 return true; 83 } 84 85 // Second argument should be a constant string. 86 Expr *StrArg = TheCall->getArg(1)->IgnoreParenCasts(); 87 StringLiteral *Literal = dyn_cast<StringLiteral>(StrArg); 88 if (!Literal || !Literal->isAscii()) { 89 S.Diag(StrArg->getLocStart(), diag::err_builtin_annotation_second_arg) 90 << StrArg->getSourceRange(); 91 return true; 92 } 93 94 TheCall->setType(Ty); 95 return false; 96} 97 98/// Check that the argument to __builtin_addressof is a glvalue, and set the 99/// result type to the corresponding pointer type. 100static bool SemaBuiltinAddressof(Sema &S, CallExpr *TheCall) { 101 if (checkArgCount(S, TheCall, 1)) 102 return true; 103 104 ExprResult Arg(S.Owned(TheCall->getArg(0))); 105 QualType ResultType = S.CheckAddressOfOperand(Arg, TheCall->getLocStart()); 106 if (ResultType.isNull()) 107 return true; 108 109 TheCall->setArg(0, Arg.take()); 110 TheCall->setType(ResultType); 111 return false; 112} 113 114ExprResult 115Sema::CheckBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 116 ExprResult TheCallResult(Owned(TheCall)); 117 118 // Find out if any arguments are required to be integer constant expressions. 119 unsigned ICEArguments = 0; 120 ASTContext::GetBuiltinTypeError Error; 121 Context.GetBuiltinType(BuiltinID, Error, &ICEArguments); 122 if (Error != ASTContext::GE_None) 123 ICEArguments = 0; // Don't diagnose previously diagnosed errors. 124 125 // If any arguments are required to be ICE's, check and diagnose. 126 for (unsigned ArgNo = 0; ICEArguments != 0; ++ArgNo) { 127 // Skip arguments not required to be ICE's. 128 if ((ICEArguments & (1 << ArgNo)) == 0) continue; 129 130 llvm::APSInt Result; 131 if (SemaBuiltinConstantArg(TheCall, ArgNo, Result)) 132 return true; 133 ICEArguments &= ~(1 << ArgNo); 134 } 135 136 switch (BuiltinID) { 137 case Builtin::BI__builtin___CFStringMakeConstantString: 138 assert(TheCall->getNumArgs() == 1 && 139 "Wrong # arguments to builtin CFStringMakeConstantString"); 140 if (CheckObjCString(TheCall->getArg(0))) 141 return ExprError(); 142 break; 143 case Builtin::BI__builtin_stdarg_start: 144 case Builtin::BI__builtin_va_start: 145 case Builtin::BI__va_start: 146 if (SemaBuiltinVAStart(TheCall)) 147 return ExprError(); 148 break; 149 case Builtin::BI__builtin_isgreater: 150 case Builtin::BI__builtin_isgreaterequal: 151 case Builtin::BI__builtin_isless: 152 case Builtin::BI__builtin_islessequal: 153 case Builtin::BI__builtin_islessgreater: 154 case Builtin::BI__builtin_isunordered: 155 if (SemaBuiltinUnorderedCompare(TheCall)) 156 return ExprError(); 157 break; 158 case Builtin::BI__builtin_fpclassify: 159 if (SemaBuiltinFPClassification(TheCall, 6)) 160 return ExprError(); 161 break; 162 case Builtin::BI__builtin_isfinite: 163 case Builtin::BI__builtin_isinf: 164 case Builtin::BI__builtin_isinf_sign: 165 case Builtin::BI__builtin_isnan: 166 case Builtin::BI__builtin_isnormal: 167 if (SemaBuiltinFPClassification(TheCall, 1)) 168 return ExprError(); 169 break; 170 case Builtin::BI__builtin_shufflevector: 171 return SemaBuiltinShuffleVector(TheCall); 172 // TheCall will be freed by the smart pointer here, but that's fine, since 173 // SemaBuiltinShuffleVector guts it, but then doesn't release it. 174 case Builtin::BI__builtin_prefetch: 175 if (SemaBuiltinPrefetch(TheCall)) 176 return ExprError(); 177 break; 178 case Builtin::BI__builtin_object_size: 179 if (SemaBuiltinConstantArgRange(TheCall, 1, 0, 3)) 180 return ExprError(); 181 break; 182 case Builtin::BI__builtin_longjmp: 183 if (SemaBuiltinLongjmp(TheCall)) 184 return ExprError(); 185 break; 186 187 case Builtin::BI__builtin_classify_type: 188 if (checkArgCount(*this, TheCall, 1)) return true; 189 TheCall->setType(Context.IntTy); 190 break; 191 case Builtin::BI__builtin_constant_p: 192 if (checkArgCount(*this, TheCall, 1)) return true; 193 TheCall->setType(Context.IntTy); 194 break; 195 case Builtin::BI__sync_fetch_and_add: 196 case Builtin::BI__sync_fetch_and_add_1: 197 case Builtin::BI__sync_fetch_and_add_2: 198 case Builtin::BI__sync_fetch_and_add_4: 199 case Builtin::BI__sync_fetch_and_add_8: 200 case Builtin::BI__sync_fetch_and_add_16: 201 case Builtin::BI__sync_fetch_and_sub: 202 case Builtin::BI__sync_fetch_and_sub_1: 203 case Builtin::BI__sync_fetch_and_sub_2: 204 case Builtin::BI__sync_fetch_and_sub_4: 205 case Builtin::BI__sync_fetch_and_sub_8: 206 case Builtin::BI__sync_fetch_and_sub_16: 207 case Builtin::BI__sync_fetch_and_or: 208 case Builtin::BI__sync_fetch_and_or_1: 209 case Builtin::BI__sync_fetch_and_or_2: 210 case Builtin::BI__sync_fetch_and_or_4: 211 case Builtin::BI__sync_fetch_and_or_8: 212 case Builtin::BI__sync_fetch_and_or_16: 213 case Builtin::BI__sync_fetch_and_and: 214 case Builtin::BI__sync_fetch_and_and_1: 215 case Builtin::BI__sync_fetch_and_and_2: 216 case Builtin::BI__sync_fetch_and_and_4: 217 case Builtin::BI__sync_fetch_and_and_8: 218 case Builtin::BI__sync_fetch_and_and_16: 219 case Builtin::BI__sync_fetch_and_xor: 220 case Builtin::BI__sync_fetch_and_xor_1: 221 case Builtin::BI__sync_fetch_and_xor_2: 222 case Builtin::BI__sync_fetch_and_xor_4: 223 case Builtin::BI__sync_fetch_and_xor_8: 224 case Builtin::BI__sync_fetch_and_xor_16: 225 case Builtin::BI__sync_add_and_fetch: 226 case Builtin::BI__sync_add_and_fetch_1: 227 case Builtin::BI__sync_add_and_fetch_2: 228 case Builtin::BI__sync_add_and_fetch_4: 229 case Builtin::BI__sync_add_and_fetch_8: 230 case Builtin::BI__sync_add_and_fetch_16: 231 case Builtin::BI__sync_sub_and_fetch: 232 case Builtin::BI__sync_sub_and_fetch_1: 233 case Builtin::BI__sync_sub_and_fetch_2: 234 case Builtin::BI__sync_sub_and_fetch_4: 235 case Builtin::BI__sync_sub_and_fetch_8: 236 case Builtin::BI__sync_sub_and_fetch_16: 237 case Builtin::BI__sync_and_and_fetch: 238 case Builtin::BI__sync_and_and_fetch_1: 239 case Builtin::BI__sync_and_and_fetch_2: 240 case Builtin::BI__sync_and_and_fetch_4: 241 case Builtin::BI__sync_and_and_fetch_8: 242 case Builtin::BI__sync_and_and_fetch_16: 243 case Builtin::BI__sync_or_and_fetch: 244 case Builtin::BI__sync_or_and_fetch_1: 245 case Builtin::BI__sync_or_and_fetch_2: 246 case Builtin::BI__sync_or_and_fetch_4: 247 case Builtin::BI__sync_or_and_fetch_8: 248 case Builtin::BI__sync_or_and_fetch_16: 249 case Builtin::BI__sync_xor_and_fetch: 250 case Builtin::BI__sync_xor_and_fetch_1: 251 case Builtin::BI__sync_xor_and_fetch_2: 252 case Builtin::BI__sync_xor_and_fetch_4: 253 case Builtin::BI__sync_xor_and_fetch_8: 254 case Builtin::BI__sync_xor_and_fetch_16: 255 case Builtin::BI__sync_val_compare_and_swap: 256 case Builtin::BI__sync_val_compare_and_swap_1: 257 case Builtin::BI__sync_val_compare_and_swap_2: 258 case Builtin::BI__sync_val_compare_and_swap_4: 259 case Builtin::BI__sync_val_compare_and_swap_8: 260 case Builtin::BI__sync_val_compare_and_swap_16: 261 case Builtin::BI__sync_bool_compare_and_swap: 262 case Builtin::BI__sync_bool_compare_and_swap_1: 263 case Builtin::BI__sync_bool_compare_and_swap_2: 264 case Builtin::BI__sync_bool_compare_and_swap_4: 265 case Builtin::BI__sync_bool_compare_and_swap_8: 266 case Builtin::BI__sync_bool_compare_and_swap_16: 267 case Builtin::BI__sync_lock_test_and_set: 268 case Builtin::BI__sync_lock_test_and_set_1: 269 case Builtin::BI__sync_lock_test_and_set_2: 270 case Builtin::BI__sync_lock_test_and_set_4: 271 case Builtin::BI__sync_lock_test_and_set_8: 272 case Builtin::BI__sync_lock_test_and_set_16: 273 case Builtin::BI__sync_lock_release: 274 case Builtin::BI__sync_lock_release_1: 275 case Builtin::BI__sync_lock_release_2: 276 case Builtin::BI__sync_lock_release_4: 277 case Builtin::BI__sync_lock_release_8: 278 case Builtin::BI__sync_lock_release_16: 279 case Builtin::BI__sync_swap: 280 case Builtin::BI__sync_swap_1: 281 case Builtin::BI__sync_swap_2: 282 case Builtin::BI__sync_swap_4: 283 case Builtin::BI__sync_swap_8: 284 case Builtin::BI__sync_swap_16: 285 return SemaBuiltinAtomicOverloaded(TheCallResult); 286#define BUILTIN(ID, TYPE, ATTRS) 287#define ATOMIC_BUILTIN(ID, TYPE, ATTRS) \ 288 case Builtin::BI##ID: \ 289 return SemaAtomicOpsOverloaded(TheCallResult, AtomicExpr::AO##ID); 290#include "clang/Basic/Builtins.def" 291 case Builtin::BI__builtin_annotation: 292 if (SemaBuiltinAnnotation(*this, TheCall)) 293 return ExprError(); 294 break; 295 case Builtin::BI__builtin_addressof: 296 if (SemaBuiltinAddressof(*this, TheCall)) 297 return ExprError(); 298 break; 299 } 300 301 // Since the target specific builtins for each arch overlap, only check those 302 // of the arch we are compiling for. 303 if (BuiltinID >= Builtin::FirstTSBuiltin) { 304 switch (Context.getTargetInfo().getTriple().getArch()) { 305 case llvm::Triple::arm: 306 case llvm::Triple::armeb: 307 case llvm::Triple::thumb: 308 case llvm::Triple::thumbeb: 309 if (CheckARMBuiltinFunctionCall(BuiltinID, TheCall)) 310 return ExprError(); 311 break; 312 case llvm::Triple::aarch64: 313 case llvm::Triple::aarch64_be: 314 case llvm::Triple::arm64: 315 case llvm::Triple::arm64_be: 316 if (CheckAArch64BuiltinFunctionCall(BuiltinID, TheCall)) 317 return ExprError(); 318 break; 319 case llvm::Triple::mips: 320 case llvm::Triple::mipsel: 321 case llvm::Triple::mips64: 322 case llvm::Triple::mips64el: 323 if (CheckMipsBuiltinFunctionCall(BuiltinID, TheCall)) 324 return ExprError(); 325 break; 326 case llvm::Triple::x86: 327 case llvm::Triple::x86_64: 328 if (CheckX86BuiltinFunctionCall(BuiltinID, TheCall)) 329 return ExprError(); 330 break; 331 default: 332 break; 333 } 334 } 335 336 return TheCallResult; 337} 338 339// Get the valid immediate range for the specified NEON type code. 340static unsigned RFT(unsigned t, bool shift = false, bool ForceQuad = false) { 341 NeonTypeFlags Type(t); 342 int IsQuad = ForceQuad ? true : Type.isQuad(); 343 switch (Type.getEltType()) { 344 case NeonTypeFlags::Int8: 345 case NeonTypeFlags::Poly8: 346 return shift ? 7 : (8 << IsQuad) - 1; 347 case NeonTypeFlags::Int16: 348 case NeonTypeFlags::Poly16: 349 return shift ? 15 : (4 << IsQuad) - 1; 350 case NeonTypeFlags::Int32: 351 return shift ? 31 : (2 << IsQuad) - 1; 352 case NeonTypeFlags::Int64: 353 case NeonTypeFlags::Poly64: 354 return shift ? 63 : (1 << IsQuad) - 1; 355 case NeonTypeFlags::Poly128: 356 return shift ? 127 : (1 << IsQuad) - 1; 357 case NeonTypeFlags::Float16: 358 assert(!shift && "cannot shift float types!"); 359 return (4 << IsQuad) - 1; 360 case NeonTypeFlags::Float32: 361 assert(!shift && "cannot shift float types!"); 362 return (2 << IsQuad) - 1; 363 case NeonTypeFlags::Float64: 364 assert(!shift && "cannot shift float types!"); 365 return (1 << IsQuad) - 1; 366 } 367 llvm_unreachable("Invalid NeonTypeFlag!"); 368} 369 370/// getNeonEltType - Return the QualType corresponding to the elements of 371/// the vector type specified by the NeonTypeFlags. This is used to check 372/// the pointer arguments for Neon load/store intrinsics. 373static QualType getNeonEltType(NeonTypeFlags Flags, ASTContext &Context, 374 bool IsPolyUnsigned, bool IsInt64Long) { 375 switch (Flags.getEltType()) { 376 case NeonTypeFlags::Int8: 377 return Flags.isUnsigned() ? Context.UnsignedCharTy : Context.SignedCharTy; 378 case NeonTypeFlags::Int16: 379 return Flags.isUnsigned() ? Context.UnsignedShortTy : Context.ShortTy; 380 case NeonTypeFlags::Int32: 381 return Flags.isUnsigned() ? Context.UnsignedIntTy : Context.IntTy; 382 case NeonTypeFlags::Int64: 383 if (IsInt64Long) 384 return Flags.isUnsigned() ? Context.UnsignedLongTy : Context.LongTy; 385 else 386 return Flags.isUnsigned() ? Context.UnsignedLongLongTy 387 : Context.LongLongTy; 388 case NeonTypeFlags::Poly8: 389 return IsPolyUnsigned ? Context.UnsignedCharTy : Context.SignedCharTy; 390 case NeonTypeFlags::Poly16: 391 return IsPolyUnsigned ? Context.UnsignedShortTy : Context.ShortTy; 392 case NeonTypeFlags::Poly64: 393 return Context.UnsignedLongTy; 394 case NeonTypeFlags::Poly128: 395 break; 396 case NeonTypeFlags::Float16: 397 return Context.HalfTy; 398 case NeonTypeFlags::Float32: 399 return Context.FloatTy; 400 case NeonTypeFlags::Float64: 401 return Context.DoubleTy; 402 } 403 llvm_unreachable("Invalid NeonTypeFlag!"); 404} 405 406bool Sema::CheckNeonBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 407 llvm::APSInt Result; 408 uint64_t mask = 0; 409 unsigned TV = 0; 410 int PtrArgNum = -1; 411 bool HasConstPtr = false; 412 switch (BuiltinID) { 413#define GET_NEON_OVERLOAD_CHECK 414#include "clang/Basic/arm_neon.inc" 415#undef GET_NEON_OVERLOAD_CHECK 416 } 417 418 // For NEON intrinsics which are overloaded on vector element type, validate 419 // the immediate which specifies which variant to emit. 420 unsigned ImmArg = TheCall->getNumArgs()-1; 421 if (mask) { 422 if (SemaBuiltinConstantArg(TheCall, ImmArg, Result)) 423 return true; 424 425 TV = Result.getLimitedValue(64); 426 if ((TV > 63) || (mask & (1ULL << TV)) == 0) 427 return Diag(TheCall->getLocStart(), diag::err_invalid_neon_type_code) 428 << TheCall->getArg(ImmArg)->getSourceRange(); 429 } 430 431 if (PtrArgNum >= 0) { 432 // Check that pointer arguments have the specified type. 433 Expr *Arg = TheCall->getArg(PtrArgNum); 434 if (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Arg)) 435 Arg = ICE->getSubExpr(); 436 ExprResult RHS = DefaultFunctionArrayLvalueConversion(Arg); 437 QualType RHSTy = RHS.get()->getType(); 438 439 llvm::Triple::ArchType Arch = Context.getTargetInfo().getTriple().getArch(); 440 bool IsPolyUnsigned = 441 Arch == llvm::Triple::aarch64 || Arch == llvm::Triple::arm64; 442 bool IsInt64Long = 443 Context.getTargetInfo().getInt64Type() == TargetInfo::SignedLong; 444 QualType EltTy = 445 getNeonEltType(NeonTypeFlags(TV), Context, IsPolyUnsigned, IsInt64Long); 446 if (HasConstPtr) 447 EltTy = EltTy.withConst(); 448 QualType LHSTy = Context.getPointerType(EltTy); 449 AssignConvertType ConvTy; 450 ConvTy = CheckSingleAssignmentConstraints(LHSTy, RHS); 451 if (RHS.isInvalid()) 452 return true; 453 if (DiagnoseAssignmentResult(ConvTy, Arg->getLocStart(), LHSTy, RHSTy, 454 RHS.get(), AA_Assigning)) 455 return true; 456 } 457 458 // For NEON intrinsics which take an immediate value as part of the 459 // instruction, range check them here. 460 unsigned i = 0, l = 0, u = 0; 461 switch (BuiltinID) { 462 default: 463 return false; 464#define GET_NEON_IMMEDIATE_CHECK 465#include "clang/Basic/arm_neon.inc" 466#undef GET_NEON_IMMEDIATE_CHECK 467 } 468 469 return SemaBuiltinConstantArgRange(TheCall, i, l, u + l); 470} 471 472bool Sema::CheckARMBuiltinExclusiveCall(unsigned BuiltinID, CallExpr *TheCall, 473 unsigned MaxWidth) { 474 assert((BuiltinID == ARM::BI__builtin_arm_ldrex || 475 BuiltinID == ARM::BI__builtin_arm_strex || 476 BuiltinID == AArch64::BI__builtin_arm_ldrex || 477 BuiltinID == AArch64::BI__builtin_arm_strex) && 478 "unexpected ARM builtin"); 479 bool IsLdrex = BuiltinID == ARM::BI__builtin_arm_ldrex || 480 BuiltinID == AArch64::BI__builtin_arm_ldrex; 481 482 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 483 484 // Ensure that we have the proper number of arguments. 485 if (checkArgCount(*this, TheCall, IsLdrex ? 1 : 2)) 486 return true; 487 488 // Inspect the pointer argument of the atomic builtin. This should always be 489 // a pointer type, whose element is an integral scalar or pointer type. 490 // Because it is a pointer type, we don't have to worry about any implicit 491 // casts here. 492 Expr *PointerArg = TheCall->getArg(IsLdrex ? 0 : 1); 493 ExprResult PointerArgRes = DefaultFunctionArrayLvalueConversion(PointerArg); 494 if (PointerArgRes.isInvalid()) 495 return true; 496 PointerArg = PointerArgRes.take(); 497 498 const PointerType *pointerType = PointerArg->getType()->getAs<PointerType>(); 499 if (!pointerType) { 500 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 501 << PointerArg->getType() << PointerArg->getSourceRange(); 502 return true; 503 } 504 505 // ldrex takes a "const volatile T*" and strex takes a "volatile T*". Our next 506 // task is to insert the appropriate casts into the AST. First work out just 507 // what the appropriate type is. 508 QualType ValType = pointerType->getPointeeType(); 509 QualType AddrType = ValType.getUnqualifiedType().withVolatile(); 510 if (IsLdrex) 511 AddrType.addConst(); 512 513 // Issue a warning if the cast is dodgy. 514 CastKind CastNeeded = CK_NoOp; 515 if (!AddrType.isAtLeastAsQualifiedAs(ValType)) { 516 CastNeeded = CK_BitCast; 517 Diag(DRE->getLocStart(), diag::ext_typecheck_convert_discards_qualifiers) 518 << PointerArg->getType() 519 << Context.getPointerType(AddrType) 520 << AA_Passing << PointerArg->getSourceRange(); 521 } 522 523 // Finally, do the cast and replace the argument with the corrected version. 524 AddrType = Context.getPointerType(AddrType); 525 PointerArgRes = ImpCastExprToType(PointerArg, AddrType, CastNeeded); 526 if (PointerArgRes.isInvalid()) 527 return true; 528 PointerArg = PointerArgRes.take(); 529 530 TheCall->setArg(IsLdrex ? 0 : 1, PointerArg); 531 532 // In general, we allow ints, floats and pointers to be loaded and stored. 533 if (!ValType->isIntegerType() && !ValType->isAnyPointerType() && 534 !ValType->isBlockPointerType() && !ValType->isFloatingType()) { 535 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer_intfltptr) 536 << PointerArg->getType() << PointerArg->getSourceRange(); 537 return true; 538 } 539 540 // But ARM doesn't have instructions to deal with 128-bit versions. 541 if (Context.getTypeSize(ValType) > MaxWidth) { 542 assert(MaxWidth == 64 && "Diagnostic unexpectedly inaccurate"); 543 Diag(DRE->getLocStart(), diag::err_atomic_exclusive_builtin_pointer_size) 544 << PointerArg->getType() << PointerArg->getSourceRange(); 545 return true; 546 } 547 548 switch (ValType.getObjCLifetime()) { 549 case Qualifiers::OCL_None: 550 case Qualifiers::OCL_ExplicitNone: 551 // okay 552 break; 553 554 case Qualifiers::OCL_Weak: 555 case Qualifiers::OCL_Strong: 556 case Qualifiers::OCL_Autoreleasing: 557 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 558 << ValType << PointerArg->getSourceRange(); 559 return true; 560 } 561 562 563 if (IsLdrex) { 564 TheCall->setType(ValType); 565 return false; 566 } 567 568 // Initialize the argument to be stored. 569 ExprResult ValArg = TheCall->getArg(0); 570 InitializedEntity Entity = InitializedEntity::InitializeParameter( 571 Context, ValType, /*consume*/ false); 572 ValArg = PerformCopyInitialization(Entity, SourceLocation(), ValArg); 573 if (ValArg.isInvalid()) 574 return true; 575 TheCall->setArg(0, ValArg.get()); 576 577 // __builtin_arm_strex always returns an int. It's marked as such in the .def, 578 // but the custom checker bypasses all default analysis. 579 TheCall->setType(Context.IntTy); 580 return false; 581} 582 583bool Sema::CheckARMBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 584 llvm::APSInt Result; 585 586 if (BuiltinID == ARM::BI__builtin_arm_ldrex || 587 BuiltinID == ARM::BI__builtin_arm_strex) { 588 return CheckARMBuiltinExclusiveCall(BuiltinID, TheCall, 64); 589 } 590 591 if (CheckNeonBuiltinFunctionCall(BuiltinID, TheCall)) 592 return true; 593 594 // For NEON intrinsics which take an immediate value as part of the 595 // instruction, range check them here. 596 unsigned i = 0, l = 0, u = 0; 597 switch (BuiltinID) { 598 default: return false; 599 case ARM::BI__builtin_arm_ssat: i = 1; l = 1; u = 31; break; 600 case ARM::BI__builtin_arm_usat: i = 1; u = 31; break; 601 case ARM::BI__builtin_arm_vcvtr_f: 602 case ARM::BI__builtin_arm_vcvtr_d: i = 1; u = 1; break; 603 case ARM::BI__builtin_arm_dmb: 604 case ARM::BI__builtin_arm_dsb: l = 0; u = 15; break; 605 } 606 607 // FIXME: VFP Intrinsics should error if VFP not present. 608 return SemaBuiltinConstantArgRange(TheCall, i, l, u + l); 609} 610 611bool Sema::CheckAArch64BuiltinFunctionCall(unsigned BuiltinID, 612 CallExpr *TheCall) { 613 llvm::APSInt Result; 614 615 if (BuiltinID == AArch64::BI__builtin_arm_ldrex || 616 BuiltinID == AArch64::BI__builtin_arm_strex) { 617 return CheckARMBuiltinExclusiveCall(BuiltinID, TheCall, 128); 618 } 619 620 if (CheckNeonBuiltinFunctionCall(BuiltinID, TheCall)) 621 return true; 622 623 return false; 624} 625 626bool Sema::CheckMipsBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 627 unsigned i = 0, l = 0, u = 0; 628 switch (BuiltinID) { 629 default: return false; 630 case Mips::BI__builtin_mips_wrdsp: i = 1; l = 0; u = 63; break; 631 case Mips::BI__builtin_mips_rddsp: i = 0; l = 0; u = 63; break; 632 case Mips::BI__builtin_mips_append: i = 2; l = 0; u = 31; break; 633 case Mips::BI__builtin_mips_balign: i = 2; l = 0; u = 3; break; 634 case Mips::BI__builtin_mips_precr_sra_ph_w: i = 2; l = 0; u = 31; break; 635 case Mips::BI__builtin_mips_precr_sra_r_ph_w: i = 2; l = 0; u = 31; break; 636 case Mips::BI__builtin_mips_prepend: i = 2; l = 0; u = 31; break; 637 } 638 639 return SemaBuiltinConstantArgRange(TheCall, i, l, u); 640} 641 642bool Sema::CheckX86BuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 643 switch (BuiltinID) { 644 case X86::BI_mm_prefetch: 645 // This is declared to take (const char*, int) 646 return SemaBuiltinConstantArgRange(TheCall, 1, 0, 3); 647 } 648 return false; 649} 650 651/// Given a FunctionDecl's FormatAttr, attempts to populate the FomatStringInfo 652/// parameter with the FormatAttr's correct format_idx and firstDataArg. 653/// Returns true when the format fits the function and the FormatStringInfo has 654/// been populated. 655bool Sema::getFormatStringInfo(const FormatAttr *Format, bool IsCXXMember, 656 FormatStringInfo *FSI) { 657 FSI->HasVAListArg = Format->getFirstArg() == 0; 658 FSI->FormatIdx = Format->getFormatIdx() - 1; 659 FSI->FirstDataArg = FSI->HasVAListArg ? 0 : Format->getFirstArg() - 1; 660 661 // The way the format attribute works in GCC, the implicit this argument 662 // of member functions is counted. However, it doesn't appear in our own 663 // lists, so decrement format_idx in that case. 664 if (IsCXXMember) { 665 if(FSI->FormatIdx == 0) 666 return false; 667 --FSI->FormatIdx; 668 if (FSI->FirstDataArg != 0) 669 --FSI->FirstDataArg; 670 } 671 return true; 672} 673 674/// Checks if a the given expression evaluates to null. 675/// 676/// \brief Returns true if the value evaluates to null. 677static bool CheckNonNullExpr(Sema &S, 678 const Expr *Expr) { 679 // As a special case, transparent unions initialized with zero are 680 // considered null for the purposes of the nonnull attribute. 681 if (const RecordType *UT = Expr->getType()->getAsUnionType()) { 682 if (UT->getDecl()->hasAttr<TransparentUnionAttr>()) 683 if (const CompoundLiteralExpr *CLE = 684 dyn_cast<CompoundLiteralExpr>(Expr)) 685 if (const InitListExpr *ILE = 686 dyn_cast<InitListExpr>(CLE->getInitializer())) 687 Expr = ILE->getInit(0); 688 } 689 690 bool Result; 691 return (!Expr->isValueDependent() && 692 Expr->EvaluateAsBooleanCondition(Result, S.Context) && 693 !Result); 694} 695 696static void CheckNonNullArgument(Sema &S, 697 const Expr *ArgExpr, 698 SourceLocation CallSiteLoc) { 699 if (CheckNonNullExpr(S, ArgExpr)) 700 S.Diag(CallSiteLoc, diag::warn_null_arg) << ArgExpr->getSourceRange(); 701} 702 703static void CheckNonNullArguments(Sema &S, 704 const NamedDecl *FDecl, 705 const Expr * const *ExprArgs, 706 SourceLocation CallSiteLoc) { 707 // Check the attributes attached to the method/function itself. 708 for (const auto *NonNull : FDecl->specific_attrs<NonNullAttr>()) { 709 for (const auto &Val : NonNull->args()) 710 CheckNonNullArgument(S, ExprArgs[Val], CallSiteLoc); 711 } 712 713 // Check the attributes on the parameters. 714 ArrayRef<ParmVarDecl*> parms; 715 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(FDecl)) 716 parms = FD->parameters(); 717 else if (const ObjCMethodDecl *MD = dyn_cast<ObjCMethodDecl>(FDecl)) 718 parms = MD->parameters(); 719 720 unsigned argIndex = 0; 721 for (ArrayRef<ParmVarDecl*>::iterator I = parms.begin(), E = parms.end(); 722 I != E; ++I, ++argIndex) { 723 const ParmVarDecl *PVD = *I; 724 if (PVD->hasAttr<NonNullAttr>()) 725 CheckNonNullArgument(S, ExprArgs[argIndex], CallSiteLoc); 726 } 727} 728 729/// Handles the checks for format strings, non-POD arguments to vararg 730/// functions, and NULL arguments passed to non-NULL parameters. 731void Sema::checkCall(NamedDecl *FDecl, ArrayRef<const Expr *> Args, 732 unsigned NumParams, bool IsMemberFunction, 733 SourceLocation Loc, SourceRange Range, 734 VariadicCallType CallType) { 735 // FIXME: We should check as much as we can in the template definition. 736 if (CurContext->isDependentContext()) 737 return; 738 739 // Printf and scanf checking. 740 llvm::SmallBitVector CheckedVarArgs; 741 if (FDecl) { 742 for (const auto *I : FDecl->specific_attrs<FormatAttr>()) { 743 // Only create vector if there are format attributes. 744 CheckedVarArgs.resize(Args.size()); 745 746 CheckFormatArguments(I, Args, IsMemberFunction, CallType, Loc, Range, 747 CheckedVarArgs); 748 } 749 } 750 751 // Refuse POD arguments that weren't caught by the format string 752 // checks above. 753 if (CallType != VariadicDoesNotApply) { 754 for (unsigned ArgIdx = NumParams; ArgIdx < Args.size(); ++ArgIdx) { 755 // Args[ArgIdx] can be null in malformed code. 756 if (const Expr *Arg = Args[ArgIdx]) { 757 if (CheckedVarArgs.empty() || !CheckedVarArgs[ArgIdx]) 758 checkVariadicArgument(Arg, CallType); 759 } 760 } 761 } 762 763 if (FDecl) { 764 CheckNonNullArguments(*this, FDecl, Args.data(), Loc); 765 766 // Type safety checking. 767 for (const auto *I : FDecl->specific_attrs<ArgumentWithTypeTagAttr>()) 768 CheckArgumentWithTypeTag(I, Args.data()); 769 } 770} 771 772/// CheckConstructorCall - Check a constructor call for correctness and safety 773/// properties not enforced by the C type system. 774void Sema::CheckConstructorCall(FunctionDecl *FDecl, 775 ArrayRef<const Expr *> Args, 776 const FunctionProtoType *Proto, 777 SourceLocation Loc) { 778 VariadicCallType CallType = 779 Proto->isVariadic() ? VariadicConstructor : VariadicDoesNotApply; 780 checkCall(FDecl, Args, Proto->getNumParams(), 781 /*IsMemberFunction=*/true, Loc, SourceRange(), CallType); 782} 783 784/// CheckFunctionCall - Check a direct function call for various correctness 785/// and safety properties not strictly enforced by the C type system. 786bool Sema::CheckFunctionCall(FunctionDecl *FDecl, CallExpr *TheCall, 787 const FunctionProtoType *Proto) { 788 bool IsMemberOperatorCall = isa<CXXOperatorCallExpr>(TheCall) && 789 isa<CXXMethodDecl>(FDecl); 790 bool IsMemberFunction = isa<CXXMemberCallExpr>(TheCall) || 791 IsMemberOperatorCall; 792 VariadicCallType CallType = getVariadicCallType(FDecl, Proto, 793 TheCall->getCallee()); 794 unsigned NumParams = Proto ? Proto->getNumParams() : 0; 795 Expr** Args = TheCall->getArgs(); 796 unsigned NumArgs = TheCall->getNumArgs(); 797 if (IsMemberOperatorCall) { 798 // If this is a call to a member operator, hide the first argument 799 // from checkCall. 800 // FIXME: Our choice of AST representation here is less than ideal. 801 ++Args; 802 --NumArgs; 803 } 804 checkCall(FDecl, llvm::makeArrayRef<const Expr *>(Args, NumArgs), NumParams, 805 IsMemberFunction, TheCall->getRParenLoc(), 806 TheCall->getCallee()->getSourceRange(), CallType); 807 808 IdentifierInfo *FnInfo = FDecl->getIdentifier(); 809 // None of the checks below are needed for functions that don't have 810 // simple names (e.g., C++ conversion functions). 811 if (!FnInfo) 812 return false; 813 814 CheckAbsoluteValueFunction(TheCall, FDecl, FnInfo); 815 816 unsigned CMId = FDecl->getMemoryFunctionKind(); 817 if (CMId == 0) 818 return false; 819 820 // Handle memory setting and copying functions. 821 if (CMId == Builtin::BIstrlcpy || CMId == Builtin::BIstrlcat) 822 CheckStrlcpycatArguments(TheCall, FnInfo); 823 else if (CMId == Builtin::BIstrncat) 824 CheckStrncatArguments(TheCall, FnInfo); 825 else 826 CheckMemaccessArguments(TheCall, CMId, FnInfo); 827 828 return false; 829} 830 831bool Sema::CheckObjCMethodCall(ObjCMethodDecl *Method, SourceLocation lbrac, 832 ArrayRef<const Expr *> Args) { 833 VariadicCallType CallType = 834 Method->isVariadic() ? VariadicMethod : VariadicDoesNotApply; 835 836 checkCall(Method, Args, Method->param_size(), 837 /*IsMemberFunction=*/false, 838 lbrac, Method->getSourceRange(), CallType); 839 840 return false; 841} 842 843bool Sema::CheckPointerCall(NamedDecl *NDecl, CallExpr *TheCall, 844 const FunctionProtoType *Proto) { 845 const VarDecl *V = dyn_cast<VarDecl>(NDecl); 846 if (!V) 847 return false; 848 849 QualType Ty = V->getType(); 850 if (!Ty->isBlockPointerType() && !Ty->isFunctionPointerType()) 851 return false; 852 853 VariadicCallType CallType; 854 if (!Proto || !Proto->isVariadic()) { 855 CallType = VariadicDoesNotApply; 856 } else if (Ty->isBlockPointerType()) { 857 CallType = VariadicBlock; 858 } else { // Ty->isFunctionPointerType() 859 CallType = VariadicFunction; 860 } 861 unsigned NumParams = Proto ? Proto->getNumParams() : 0; 862 863 checkCall(NDecl, llvm::makeArrayRef<const Expr *>(TheCall->getArgs(), 864 TheCall->getNumArgs()), 865 NumParams, /*IsMemberFunction=*/false, TheCall->getRParenLoc(), 866 TheCall->getCallee()->getSourceRange(), CallType); 867 868 return false; 869} 870 871/// Checks function calls when a FunctionDecl or a NamedDecl is not available, 872/// such as function pointers returned from functions. 873bool Sema::CheckOtherCall(CallExpr *TheCall, const FunctionProtoType *Proto) { 874 VariadicCallType CallType = getVariadicCallType(/*FDecl=*/nullptr, Proto, 875 TheCall->getCallee()); 876 unsigned NumParams = Proto ? Proto->getNumParams() : 0; 877 878 checkCall(/*FDecl=*/nullptr, 879 llvm::makeArrayRef<const Expr *>(TheCall->getArgs(), 880 TheCall->getNumArgs()), 881 NumParams, /*IsMemberFunction=*/false, TheCall->getRParenLoc(), 882 TheCall->getCallee()->getSourceRange(), CallType); 883 884 return false; 885} 886 887static bool isValidOrderingForOp(int64_t Ordering, AtomicExpr::AtomicOp Op) { 888 if (Ordering < AtomicExpr::AO_ABI_memory_order_relaxed || 889 Ordering > AtomicExpr::AO_ABI_memory_order_seq_cst) 890 return false; 891 892 switch (Op) { 893 case AtomicExpr::AO__c11_atomic_init: 894 llvm_unreachable("There is no ordering argument for an init"); 895 896 case AtomicExpr::AO__c11_atomic_load: 897 case AtomicExpr::AO__atomic_load_n: 898 case AtomicExpr::AO__atomic_load: 899 return Ordering != AtomicExpr::AO_ABI_memory_order_release && 900 Ordering != AtomicExpr::AO_ABI_memory_order_acq_rel; 901 902 case AtomicExpr::AO__c11_atomic_store: 903 case AtomicExpr::AO__atomic_store: 904 case AtomicExpr::AO__atomic_store_n: 905 return Ordering != AtomicExpr::AO_ABI_memory_order_consume && 906 Ordering != AtomicExpr::AO_ABI_memory_order_acquire && 907 Ordering != AtomicExpr::AO_ABI_memory_order_acq_rel; 908 909 default: 910 return true; 911 } 912} 913 914ExprResult Sema::SemaAtomicOpsOverloaded(ExprResult TheCallResult, 915 AtomicExpr::AtomicOp Op) { 916 CallExpr *TheCall = cast<CallExpr>(TheCallResult.get()); 917 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 918 919 // All these operations take one of the following forms: 920 enum { 921 // C __c11_atomic_init(A *, C) 922 Init, 923 // C __c11_atomic_load(A *, int) 924 Load, 925 // void __atomic_load(A *, CP, int) 926 Copy, 927 // C __c11_atomic_add(A *, M, int) 928 Arithmetic, 929 // C __atomic_exchange_n(A *, CP, int) 930 Xchg, 931 // void __atomic_exchange(A *, C *, CP, int) 932 GNUXchg, 933 // bool __c11_atomic_compare_exchange_strong(A *, C *, CP, int, int) 934 C11CmpXchg, 935 // bool __atomic_compare_exchange(A *, C *, CP, bool, int, int) 936 GNUCmpXchg 937 } Form = Init; 938 const unsigned NumArgs[] = { 2, 2, 3, 3, 3, 4, 5, 6 }; 939 const unsigned NumVals[] = { 1, 0, 1, 1, 1, 2, 2, 3 }; 940 // where: 941 // C is an appropriate type, 942 // A is volatile _Atomic(C) for __c11 builtins and is C for GNU builtins, 943 // CP is C for __c11 builtins and GNU _n builtins and is C * otherwise, 944 // M is C if C is an integer, and ptrdiff_t if C is a pointer, and 945 // the int parameters are for orderings. 946 947 assert(AtomicExpr::AO__c11_atomic_init == 0 && 948 AtomicExpr::AO__c11_atomic_fetch_xor + 1 == AtomicExpr::AO__atomic_load 949 && "need to update code for modified C11 atomics"); 950 bool IsC11 = Op >= AtomicExpr::AO__c11_atomic_init && 951 Op <= AtomicExpr::AO__c11_atomic_fetch_xor; 952 bool IsN = Op == AtomicExpr::AO__atomic_load_n || 953 Op == AtomicExpr::AO__atomic_store_n || 954 Op == AtomicExpr::AO__atomic_exchange_n || 955 Op == AtomicExpr::AO__atomic_compare_exchange_n; 956 bool IsAddSub = false; 957 958 switch (Op) { 959 case AtomicExpr::AO__c11_atomic_init: 960 Form = Init; 961 break; 962 963 case AtomicExpr::AO__c11_atomic_load: 964 case AtomicExpr::AO__atomic_load_n: 965 Form = Load; 966 break; 967 968 case AtomicExpr::AO__c11_atomic_store: 969 case AtomicExpr::AO__atomic_load: 970 case AtomicExpr::AO__atomic_store: 971 case AtomicExpr::AO__atomic_store_n: 972 Form = Copy; 973 break; 974 975 case AtomicExpr::AO__c11_atomic_fetch_add: 976 case AtomicExpr::AO__c11_atomic_fetch_sub: 977 case AtomicExpr::AO__atomic_fetch_add: 978 case AtomicExpr::AO__atomic_fetch_sub: 979 case AtomicExpr::AO__atomic_add_fetch: 980 case AtomicExpr::AO__atomic_sub_fetch: 981 IsAddSub = true; 982 // Fall through. 983 case AtomicExpr::AO__c11_atomic_fetch_and: 984 case AtomicExpr::AO__c11_atomic_fetch_or: 985 case AtomicExpr::AO__c11_atomic_fetch_xor: 986 case AtomicExpr::AO__atomic_fetch_and: 987 case AtomicExpr::AO__atomic_fetch_or: 988 case AtomicExpr::AO__atomic_fetch_xor: 989 case AtomicExpr::AO__atomic_fetch_nand: 990 case AtomicExpr::AO__atomic_and_fetch: 991 case AtomicExpr::AO__atomic_or_fetch: 992 case AtomicExpr::AO__atomic_xor_fetch: 993 case AtomicExpr::AO__atomic_nand_fetch: 994 Form = Arithmetic; 995 break; 996 997 case AtomicExpr::AO__c11_atomic_exchange: 998 case AtomicExpr::AO__atomic_exchange_n: 999 Form = Xchg; 1000 break; 1001 1002 case AtomicExpr::AO__atomic_exchange: 1003 Form = GNUXchg; 1004 break; 1005 1006 case AtomicExpr::AO__c11_atomic_compare_exchange_strong: 1007 case AtomicExpr::AO__c11_atomic_compare_exchange_weak: 1008 Form = C11CmpXchg; 1009 break; 1010 1011 case AtomicExpr::AO__atomic_compare_exchange: 1012 case AtomicExpr::AO__atomic_compare_exchange_n: 1013 Form = GNUCmpXchg; 1014 break; 1015 } 1016 1017 // Check we have the right number of arguments. 1018 if (TheCall->getNumArgs() < NumArgs[Form]) { 1019 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 1020 << 0 << NumArgs[Form] << TheCall->getNumArgs() 1021 << TheCall->getCallee()->getSourceRange(); 1022 return ExprError(); 1023 } else if (TheCall->getNumArgs() > NumArgs[Form]) { 1024 Diag(TheCall->getArg(NumArgs[Form])->getLocStart(), 1025 diag::err_typecheck_call_too_many_args) 1026 << 0 << NumArgs[Form] << TheCall->getNumArgs() 1027 << TheCall->getCallee()->getSourceRange(); 1028 return ExprError(); 1029 } 1030 1031 // Inspect the first argument of the atomic operation. 1032 Expr *Ptr = TheCall->getArg(0); 1033 Ptr = DefaultFunctionArrayLvalueConversion(Ptr).get(); 1034 const PointerType *pointerType = Ptr->getType()->getAs<PointerType>(); 1035 if (!pointerType) { 1036 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 1037 << Ptr->getType() << Ptr->getSourceRange(); 1038 return ExprError(); 1039 } 1040 1041 // For a __c11 builtin, this should be a pointer to an _Atomic type. 1042 QualType AtomTy = pointerType->getPointeeType(); // 'A' 1043 QualType ValType = AtomTy; // 'C' 1044 if (IsC11) { 1045 if (!AtomTy->isAtomicType()) { 1046 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic) 1047 << Ptr->getType() << Ptr->getSourceRange(); 1048 return ExprError(); 1049 } 1050 if (AtomTy.isConstQualified()) { 1051 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_non_const_atomic) 1052 << Ptr->getType() << Ptr->getSourceRange(); 1053 return ExprError(); 1054 } 1055 ValType = AtomTy->getAs<AtomicType>()->getValueType(); 1056 } 1057 1058 // For an arithmetic operation, the implied arithmetic must be well-formed. 1059 if (Form == Arithmetic) { 1060 // gcc does not enforce these rules for GNU atomics, but we do so for sanity. 1061 if (IsAddSub && !ValType->isIntegerType() && !ValType->isPointerType()) { 1062 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic_int_or_ptr) 1063 << IsC11 << Ptr->getType() << Ptr->getSourceRange(); 1064 return ExprError(); 1065 } 1066 if (!IsAddSub && !ValType->isIntegerType()) { 1067 Diag(DRE->getLocStart(), diag::err_atomic_op_bitwise_needs_atomic_int) 1068 << IsC11 << Ptr->getType() << Ptr->getSourceRange(); 1069 return ExprError(); 1070 } 1071 } else if (IsN && !ValType->isIntegerType() && !ValType->isPointerType()) { 1072 // For __atomic_*_n operations, the value type must be a scalar integral or 1073 // pointer type which is 1, 2, 4, 8 or 16 bytes in length. 1074 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic_int_or_ptr) 1075 << IsC11 << Ptr->getType() << Ptr->getSourceRange(); 1076 return ExprError(); 1077 } 1078 1079 if (!IsC11 && !AtomTy.isTriviallyCopyableType(Context) && 1080 !AtomTy->isScalarType()) { 1081 // For GNU atomics, require a trivially-copyable type. This is not part of 1082 // the GNU atomics specification, but we enforce it for sanity. 1083 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_trivial_copy) 1084 << Ptr->getType() << Ptr->getSourceRange(); 1085 return ExprError(); 1086 } 1087 1088 // FIXME: For any builtin other than a load, the ValType must not be 1089 // const-qualified. 1090 1091 switch (ValType.getObjCLifetime()) { 1092 case Qualifiers::OCL_None: 1093 case Qualifiers::OCL_ExplicitNone: 1094 // okay 1095 break; 1096 1097 case Qualifiers::OCL_Weak: 1098 case Qualifiers::OCL_Strong: 1099 case Qualifiers::OCL_Autoreleasing: 1100 // FIXME: Can this happen? By this point, ValType should be known 1101 // to be trivially copyable. 1102 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 1103 << ValType << Ptr->getSourceRange(); 1104 return ExprError(); 1105 } 1106 1107 QualType ResultType = ValType; 1108 if (Form == Copy || Form == GNUXchg || Form == Init) 1109 ResultType = Context.VoidTy; 1110 else if (Form == C11CmpXchg || Form == GNUCmpXchg) 1111 ResultType = Context.BoolTy; 1112 1113 // The type of a parameter passed 'by value'. In the GNU atomics, such 1114 // arguments are actually passed as pointers. 1115 QualType ByValType = ValType; // 'CP' 1116 if (!IsC11 && !IsN) 1117 ByValType = Ptr->getType(); 1118 1119 // The first argument --- the pointer --- has a fixed type; we 1120 // deduce the types of the rest of the arguments accordingly. Walk 1121 // the remaining arguments, converting them to the deduced value type. 1122 for (unsigned i = 1; i != NumArgs[Form]; ++i) { 1123 QualType Ty; 1124 if (i < NumVals[Form] + 1) { 1125 switch (i) { 1126 case 1: 1127 // The second argument is the non-atomic operand. For arithmetic, this 1128 // is always passed by value, and for a compare_exchange it is always 1129 // passed by address. For the rest, GNU uses by-address and C11 uses 1130 // by-value. 1131 assert(Form != Load); 1132 if (Form == Init || (Form == Arithmetic && ValType->isIntegerType())) 1133 Ty = ValType; 1134 else if (Form == Copy || Form == Xchg) 1135 Ty = ByValType; 1136 else if (Form == Arithmetic) 1137 Ty = Context.getPointerDiffType(); 1138 else 1139 Ty = Context.getPointerType(ValType.getUnqualifiedType()); 1140 break; 1141 case 2: 1142 // The third argument to compare_exchange / GNU exchange is a 1143 // (pointer to a) desired value. 1144 Ty = ByValType; 1145 break; 1146 case 3: 1147 // The fourth argument to GNU compare_exchange is a 'weak' flag. 1148 Ty = Context.BoolTy; 1149 break; 1150 } 1151 } else { 1152 // The order(s) are always converted to int. 1153 Ty = Context.IntTy; 1154 } 1155 1156 InitializedEntity Entity = 1157 InitializedEntity::InitializeParameter(Context, Ty, false); 1158 ExprResult Arg = TheCall->getArg(i); 1159 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg); 1160 if (Arg.isInvalid()) 1161 return true; 1162 TheCall->setArg(i, Arg.get()); 1163 } 1164 1165 // Permute the arguments into a 'consistent' order. 1166 SmallVector<Expr*, 5> SubExprs; 1167 SubExprs.push_back(Ptr); 1168 switch (Form) { 1169 case Init: 1170 // Note, AtomicExpr::getVal1() has a special case for this atomic. 1171 SubExprs.push_back(TheCall->getArg(1)); // Val1 1172 break; 1173 case Load: 1174 SubExprs.push_back(TheCall->getArg(1)); // Order 1175 break; 1176 case Copy: 1177 case Arithmetic: 1178 case Xchg: 1179 SubExprs.push_back(TheCall->getArg(2)); // Order 1180 SubExprs.push_back(TheCall->getArg(1)); // Val1 1181 break; 1182 case GNUXchg: 1183 // Note, AtomicExpr::getVal2() has a special case for this atomic. 1184 SubExprs.push_back(TheCall->getArg(3)); // Order 1185 SubExprs.push_back(TheCall->getArg(1)); // Val1 1186 SubExprs.push_back(TheCall->getArg(2)); // Val2 1187 break; 1188 case C11CmpXchg: 1189 SubExprs.push_back(TheCall->getArg(3)); // Order 1190 SubExprs.push_back(TheCall->getArg(1)); // Val1 1191 SubExprs.push_back(TheCall->getArg(4)); // OrderFail 1192 SubExprs.push_back(TheCall->getArg(2)); // Val2 1193 break; 1194 case GNUCmpXchg: 1195 SubExprs.push_back(TheCall->getArg(4)); // Order 1196 SubExprs.push_back(TheCall->getArg(1)); // Val1 1197 SubExprs.push_back(TheCall->getArg(5)); // OrderFail 1198 SubExprs.push_back(TheCall->getArg(2)); // Val2 1199 SubExprs.push_back(TheCall->getArg(3)); // Weak 1200 break; 1201 } 1202 1203 if (SubExprs.size() >= 2 && Form != Init) { 1204 llvm::APSInt Result(32); 1205 if (SubExprs[1]->isIntegerConstantExpr(Result, Context) && 1206 !isValidOrderingForOp(Result.getSExtValue(), Op)) 1207 Diag(SubExprs[1]->getLocStart(), 1208 diag::warn_atomic_op_has_invalid_memory_order) 1209 << SubExprs[1]->getSourceRange(); 1210 } 1211 1212 AtomicExpr *AE = new (Context) AtomicExpr(TheCall->getCallee()->getLocStart(), 1213 SubExprs, ResultType, Op, 1214 TheCall->getRParenLoc()); 1215 1216 if ((Op == AtomicExpr::AO__c11_atomic_load || 1217 (Op == AtomicExpr::AO__c11_atomic_store)) && 1218 Context.AtomicUsesUnsupportedLibcall(AE)) 1219 Diag(AE->getLocStart(), diag::err_atomic_load_store_uses_lib) << 1220 ((Op == AtomicExpr::AO__c11_atomic_load) ? 0 : 1); 1221 1222 return Owned(AE); 1223} 1224 1225 1226/// checkBuiltinArgument - Given a call to a builtin function, perform 1227/// normal type-checking on the given argument, updating the call in 1228/// place. This is useful when a builtin function requires custom 1229/// type-checking for some of its arguments but not necessarily all of 1230/// them. 1231/// 1232/// Returns true on error. 1233static bool checkBuiltinArgument(Sema &S, CallExpr *E, unsigned ArgIndex) { 1234 FunctionDecl *Fn = E->getDirectCallee(); 1235 assert(Fn && "builtin call without direct callee!"); 1236 1237 ParmVarDecl *Param = Fn->getParamDecl(ArgIndex); 1238 InitializedEntity Entity = 1239 InitializedEntity::InitializeParameter(S.Context, Param); 1240 1241 ExprResult Arg = E->getArg(0); 1242 Arg = S.PerformCopyInitialization(Entity, SourceLocation(), Arg); 1243 if (Arg.isInvalid()) 1244 return true; 1245 1246 E->setArg(ArgIndex, Arg.take()); 1247 return false; 1248} 1249 1250/// SemaBuiltinAtomicOverloaded - We have a call to a function like 1251/// __sync_fetch_and_add, which is an overloaded function based on the pointer 1252/// type of its first argument. The main ActOnCallExpr routines have already 1253/// promoted the types of arguments because all of these calls are prototyped as 1254/// void(...). 1255/// 1256/// This function goes through and does final semantic checking for these 1257/// builtins, 1258ExprResult 1259Sema::SemaBuiltinAtomicOverloaded(ExprResult TheCallResult) { 1260 CallExpr *TheCall = (CallExpr *)TheCallResult.get(); 1261 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 1262 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 1263 1264 // Ensure that we have at least one argument to do type inference from. 1265 if (TheCall->getNumArgs() < 1) { 1266 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 1267 << 0 << 1 << TheCall->getNumArgs() 1268 << TheCall->getCallee()->getSourceRange(); 1269 return ExprError(); 1270 } 1271 1272 // Inspect the first argument of the atomic builtin. This should always be 1273 // a pointer type, whose element is an integral scalar or pointer type. 1274 // Because it is a pointer type, we don't have to worry about any implicit 1275 // casts here. 1276 // FIXME: We don't allow floating point scalars as input. 1277 Expr *FirstArg = TheCall->getArg(0); 1278 ExprResult FirstArgResult = DefaultFunctionArrayLvalueConversion(FirstArg); 1279 if (FirstArgResult.isInvalid()) 1280 return ExprError(); 1281 FirstArg = FirstArgResult.take(); 1282 TheCall->setArg(0, FirstArg); 1283 1284 const PointerType *pointerType = FirstArg->getType()->getAs<PointerType>(); 1285 if (!pointerType) { 1286 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 1287 << FirstArg->getType() << FirstArg->getSourceRange(); 1288 return ExprError(); 1289 } 1290 1291 QualType ValType = pointerType->getPointeeType(); 1292 if (!ValType->isIntegerType() && !ValType->isAnyPointerType() && 1293 !ValType->isBlockPointerType()) { 1294 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer_intptr) 1295 << FirstArg->getType() << FirstArg->getSourceRange(); 1296 return ExprError(); 1297 } 1298 1299 switch (ValType.getObjCLifetime()) { 1300 case Qualifiers::OCL_None: 1301 case Qualifiers::OCL_ExplicitNone: 1302 // okay 1303 break; 1304 1305 case Qualifiers::OCL_Weak: 1306 case Qualifiers::OCL_Strong: 1307 case Qualifiers::OCL_Autoreleasing: 1308 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 1309 << ValType << FirstArg->getSourceRange(); 1310 return ExprError(); 1311 } 1312 1313 // Strip any qualifiers off ValType. 1314 ValType = ValType.getUnqualifiedType(); 1315 1316 // The majority of builtins return a value, but a few have special return 1317 // types, so allow them to override appropriately below. 1318 QualType ResultType = ValType; 1319 1320 // We need to figure out which concrete builtin this maps onto. For example, 1321 // __sync_fetch_and_add with a 2 byte object turns into 1322 // __sync_fetch_and_add_2. 1323#define BUILTIN_ROW(x) \ 1324 { Builtin::BI##x##_1, Builtin::BI##x##_2, Builtin::BI##x##_4, \ 1325 Builtin::BI##x##_8, Builtin::BI##x##_16 } 1326 1327 static const unsigned BuiltinIndices[][5] = { 1328 BUILTIN_ROW(__sync_fetch_and_add), 1329 BUILTIN_ROW(__sync_fetch_and_sub), 1330 BUILTIN_ROW(__sync_fetch_and_or), 1331 BUILTIN_ROW(__sync_fetch_and_and), 1332 BUILTIN_ROW(__sync_fetch_and_xor), 1333 1334 BUILTIN_ROW(__sync_add_and_fetch), 1335 BUILTIN_ROW(__sync_sub_and_fetch), 1336 BUILTIN_ROW(__sync_and_and_fetch), 1337 BUILTIN_ROW(__sync_or_and_fetch), 1338 BUILTIN_ROW(__sync_xor_and_fetch), 1339 1340 BUILTIN_ROW(__sync_val_compare_and_swap), 1341 BUILTIN_ROW(__sync_bool_compare_and_swap), 1342 BUILTIN_ROW(__sync_lock_test_and_set), 1343 BUILTIN_ROW(__sync_lock_release), 1344 BUILTIN_ROW(__sync_swap) 1345 }; 1346#undef BUILTIN_ROW 1347 1348 // Determine the index of the size. 1349 unsigned SizeIndex; 1350 switch (Context.getTypeSizeInChars(ValType).getQuantity()) { 1351 case 1: SizeIndex = 0; break; 1352 case 2: SizeIndex = 1; break; 1353 case 4: SizeIndex = 2; break; 1354 case 8: SizeIndex = 3; break; 1355 case 16: SizeIndex = 4; break; 1356 default: 1357 Diag(DRE->getLocStart(), diag::err_atomic_builtin_pointer_size) 1358 << FirstArg->getType() << FirstArg->getSourceRange(); 1359 return ExprError(); 1360 } 1361 1362 // Each of these builtins has one pointer argument, followed by some number of 1363 // values (0, 1 or 2) followed by a potentially empty varags list of stuff 1364 // that we ignore. Find out which row of BuiltinIndices to read from as well 1365 // as the number of fixed args. 1366 unsigned BuiltinID = FDecl->getBuiltinID(); 1367 unsigned BuiltinIndex, NumFixed = 1; 1368 switch (BuiltinID) { 1369 default: llvm_unreachable("Unknown overloaded atomic builtin!"); 1370 case Builtin::BI__sync_fetch_and_add: 1371 case Builtin::BI__sync_fetch_and_add_1: 1372 case Builtin::BI__sync_fetch_and_add_2: 1373 case Builtin::BI__sync_fetch_and_add_4: 1374 case Builtin::BI__sync_fetch_and_add_8: 1375 case Builtin::BI__sync_fetch_and_add_16: 1376 BuiltinIndex = 0; 1377 break; 1378 1379 case Builtin::BI__sync_fetch_and_sub: 1380 case Builtin::BI__sync_fetch_and_sub_1: 1381 case Builtin::BI__sync_fetch_and_sub_2: 1382 case Builtin::BI__sync_fetch_and_sub_4: 1383 case Builtin::BI__sync_fetch_and_sub_8: 1384 case Builtin::BI__sync_fetch_and_sub_16: 1385 BuiltinIndex = 1; 1386 break; 1387 1388 case Builtin::BI__sync_fetch_and_or: 1389 case Builtin::BI__sync_fetch_and_or_1: 1390 case Builtin::BI__sync_fetch_and_or_2: 1391 case Builtin::BI__sync_fetch_and_or_4: 1392 case Builtin::BI__sync_fetch_and_or_8: 1393 case Builtin::BI__sync_fetch_and_or_16: 1394 BuiltinIndex = 2; 1395 break; 1396 1397 case Builtin::BI__sync_fetch_and_and: 1398 case Builtin::BI__sync_fetch_and_and_1: 1399 case Builtin::BI__sync_fetch_and_and_2: 1400 case Builtin::BI__sync_fetch_and_and_4: 1401 case Builtin::BI__sync_fetch_and_and_8: 1402 case Builtin::BI__sync_fetch_and_and_16: 1403 BuiltinIndex = 3; 1404 break; 1405 1406 case Builtin::BI__sync_fetch_and_xor: 1407 case Builtin::BI__sync_fetch_and_xor_1: 1408 case Builtin::BI__sync_fetch_and_xor_2: 1409 case Builtin::BI__sync_fetch_and_xor_4: 1410 case Builtin::BI__sync_fetch_and_xor_8: 1411 case Builtin::BI__sync_fetch_and_xor_16: 1412 BuiltinIndex = 4; 1413 break; 1414 1415 case Builtin::BI__sync_add_and_fetch: 1416 case Builtin::BI__sync_add_and_fetch_1: 1417 case Builtin::BI__sync_add_and_fetch_2: 1418 case Builtin::BI__sync_add_and_fetch_4: 1419 case Builtin::BI__sync_add_and_fetch_8: 1420 case Builtin::BI__sync_add_and_fetch_16: 1421 BuiltinIndex = 5; 1422 break; 1423 1424 case Builtin::BI__sync_sub_and_fetch: 1425 case Builtin::BI__sync_sub_and_fetch_1: 1426 case Builtin::BI__sync_sub_and_fetch_2: 1427 case Builtin::BI__sync_sub_and_fetch_4: 1428 case Builtin::BI__sync_sub_and_fetch_8: 1429 case Builtin::BI__sync_sub_and_fetch_16: 1430 BuiltinIndex = 6; 1431 break; 1432 1433 case Builtin::BI__sync_and_and_fetch: 1434 case Builtin::BI__sync_and_and_fetch_1: 1435 case Builtin::BI__sync_and_and_fetch_2: 1436 case Builtin::BI__sync_and_and_fetch_4: 1437 case Builtin::BI__sync_and_and_fetch_8: 1438 case Builtin::BI__sync_and_and_fetch_16: 1439 BuiltinIndex = 7; 1440 break; 1441 1442 case Builtin::BI__sync_or_and_fetch: 1443 case Builtin::BI__sync_or_and_fetch_1: 1444 case Builtin::BI__sync_or_and_fetch_2: 1445 case Builtin::BI__sync_or_and_fetch_4: 1446 case Builtin::BI__sync_or_and_fetch_8: 1447 case Builtin::BI__sync_or_and_fetch_16: 1448 BuiltinIndex = 8; 1449 break; 1450 1451 case Builtin::BI__sync_xor_and_fetch: 1452 case Builtin::BI__sync_xor_and_fetch_1: 1453 case Builtin::BI__sync_xor_and_fetch_2: 1454 case Builtin::BI__sync_xor_and_fetch_4: 1455 case Builtin::BI__sync_xor_and_fetch_8: 1456 case Builtin::BI__sync_xor_and_fetch_16: 1457 BuiltinIndex = 9; 1458 break; 1459 1460 case Builtin::BI__sync_val_compare_and_swap: 1461 case Builtin::BI__sync_val_compare_and_swap_1: 1462 case Builtin::BI__sync_val_compare_and_swap_2: 1463 case Builtin::BI__sync_val_compare_and_swap_4: 1464 case Builtin::BI__sync_val_compare_and_swap_8: 1465 case Builtin::BI__sync_val_compare_and_swap_16: 1466 BuiltinIndex = 10; 1467 NumFixed = 2; 1468 break; 1469 1470 case Builtin::BI__sync_bool_compare_and_swap: 1471 case Builtin::BI__sync_bool_compare_and_swap_1: 1472 case Builtin::BI__sync_bool_compare_and_swap_2: 1473 case Builtin::BI__sync_bool_compare_and_swap_4: 1474 case Builtin::BI__sync_bool_compare_and_swap_8: 1475 case Builtin::BI__sync_bool_compare_and_swap_16: 1476 BuiltinIndex = 11; 1477 NumFixed = 2; 1478 ResultType = Context.BoolTy; 1479 break; 1480 1481 case Builtin::BI__sync_lock_test_and_set: 1482 case Builtin::BI__sync_lock_test_and_set_1: 1483 case Builtin::BI__sync_lock_test_and_set_2: 1484 case Builtin::BI__sync_lock_test_and_set_4: 1485 case Builtin::BI__sync_lock_test_and_set_8: 1486 case Builtin::BI__sync_lock_test_and_set_16: 1487 BuiltinIndex = 12; 1488 break; 1489 1490 case Builtin::BI__sync_lock_release: 1491 case Builtin::BI__sync_lock_release_1: 1492 case Builtin::BI__sync_lock_release_2: 1493 case Builtin::BI__sync_lock_release_4: 1494 case Builtin::BI__sync_lock_release_8: 1495 case Builtin::BI__sync_lock_release_16: 1496 BuiltinIndex = 13; 1497 NumFixed = 0; 1498 ResultType = Context.VoidTy; 1499 break; 1500 1501 case Builtin::BI__sync_swap: 1502 case Builtin::BI__sync_swap_1: 1503 case Builtin::BI__sync_swap_2: 1504 case Builtin::BI__sync_swap_4: 1505 case Builtin::BI__sync_swap_8: 1506 case Builtin::BI__sync_swap_16: 1507 BuiltinIndex = 14; 1508 break; 1509 } 1510 1511 // Now that we know how many fixed arguments we expect, first check that we 1512 // have at least that many. 1513 if (TheCall->getNumArgs() < 1+NumFixed) { 1514 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 1515 << 0 << 1+NumFixed << TheCall->getNumArgs() 1516 << TheCall->getCallee()->getSourceRange(); 1517 return ExprError(); 1518 } 1519 1520 // Get the decl for the concrete builtin from this, we can tell what the 1521 // concrete integer type we should convert to is. 1522 unsigned NewBuiltinID = BuiltinIndices[BuiltinIndex][SizeIndex]; 1523 const char *NewBuiltinName = Context.BuiltinInfo.GetName(NewBuiltinID); 1524 FunctionDecl *NewBuiltinDecl; 1525 if (NewBuiltinID == BuiltinID) 1526 NewBuiltinDecl = FDecl; 1527 else { 1528 // Perform builtin lookup to avoid redeclaring it. 1529 DeclarationName DN(&Context.Idents.get(NewBuiltinName)); 1530 LookupResult Res(*this, DN, DRE->getLocStart(), LookupOrdinaryName); 1531 LookupName(Res, TUScope, /*AllowBuiltinCreation=*/true); 1532 assert(Res.getFoundDecl()); 1533 NewBuiltinDecl = dyn_cast<FunctionDecl>(Res.getFoundDecl()); 1534 if (!NewBuiltinDecl) 1535 return ExprError(); 1536 } 1537 1538 // The first argument --- the pointer --- has a fixed type; we 1539 // deduce the types of the rest of the arguments accordingly. Walk 1540 // the remaining arguments, converting them to the deduced value type. 1541 for (unsigned i = 0; i != NumFixed; ++i) { 1542 ExprResult Arg = TheCall->getArg(i+1); 1543 1544 // GCC does an implicit conversion to the pointer or integer ValType. This 1545 // can fail in some cases (1i -> int**), check for this error case now. 1546 // Initialize the argument. 1547 InitializedEntity Entity = InitializedEntity::InitializeParameter(Context, 1548 ValType, /*consume*/ false); 1549 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg); 1550 if (Arg.isInvalid()) 1551 return ExprError(); 1552 1553 // Okay, we have something that *can* be converted to the right type. Check 1554 // to see if there is a potentially weird extension going on here. This can 1555 // happen when you do an atomic operation on something like an char* and 1556 // pass in 42. The 42 gets converted to char. This is even more strange 1557 // for things like 45.123 -> char, etc. 1558 // FIXME: Do this check. 1559 TheCall->setArg(i+1, Arg.take()); 1560 } 1561 1562 ASTContext& Context = this->getASTContext(); 1563 1564 // Create a new DeclRefExpr to refer to the new decl. 1565 DeclRefExpr* NewDRE = DeclRefExpr::Create( 1566 Context, 1567 DRE->getQualifierLoc(), 1568 SourceLocation(), 1569 NewBuiltinDecl, 1570 /*enclosing*/ false, 1571 DRE->getLocation(), 1572 Context.BuiltinFnTy, 1573 DRE->getValueKind()); 1574 1575 // Set the callee in the CallExpr. 1576 // FIXME: This loses syntactic information. 1577 QualType CalleePtrTy = Context.getPointerType(NewBuiltinDecl->getType()); 1578 ExprResult PromotedCall = ImpCastExprToType(NewDRE, CalleePtrTy, 1579 CK_BuiltinFnToFnPtr); 1580 TheCall->setCallee(PromotedCall.take()); 1581 1582 // Change the result type of the call to match the original value type. This 1583 // is arbitrary, but the codegen for these builtins ins design to handle it 1584 // gracefully. 1585 TheCall->setType(ResultType); 1586 1587 return TheCallResult; 1588} 1589 1590/// CheckObjCString - Checks that the argument to the builtin 1591/// CFString constructor is correct 1592/// Note: It might also make sense to do the UTF-16 conversion here (would 1593/// simplify the backend). 1594bool Sema::CheckObjCString(Expr *Arg) { 1595 Arg = Arg->IgnoreParenCasts(); 1596 StringLiteral *Literal = dyn_cast<StringLiteral>(Arg); 1597 1598 if (!Literal || !Literal->isAscii()) { 1599 Diag(Arg->getLocStart(), diag::err_cfstring_literal_not_string_constant) 1600 << Arg->getSourceRange(); 1601 return true; 1602 } 1603 1604 if (Literal->containsNonAsciiOrNull()) { 1605 StringRef String = Literal->getString(); 1606 unsigned NumBytes = String.size(); 1607 SmallVector<UTF16, 128> ToBuf(NumBytes); 1608 const UTF8 *FromPtr = (const UTF8 *)String.data(); 1609 UTF16 *ToPtr = &ToBuf[0]; 1610 1611 ConversionResult Result = ConvertUTF8toUTF16(&FromPtr, FromPtr + NumBytes, 1612 &ToPtr, ToPtr + NumBytes, 1613 strictConversion); 1614 // Check for conversion failure. 1615 if (Result != conversionOK) 1616 Diag(Arg->getLocStart(), 1617 diag::warn_cfstring_truncated) << Arg->getSourceRange(); 1618 } 1619 return false; 1620} 1621 1622/// SemaBuiltinVAStart - Check the arguments to __builtin_va_start for validity. 1623/// Emit an error and return true on failure, return false on success. 1624bool Sema::SemaBuiltinVAStart(CallExpr *TheCall) { 1625 Expr *Fn = TheCall->getCallee(); 1626 if (TheCall->getNumArgs() > 2) { 1627 Diag(TheCall->getArg(2)->getLocStart(), 1628 diag::err_typecheck_call_too_many_args) 1629 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 1630 << Fn->getSourceRange() 1631 << SourceRange(TheCall->getArg(2)->getLocStart(), 1632 (*(TheCall->arg_end()-1))->getLocEnd()); 1633 return true; 1634 } 1635 1636 if (TheCall->getNumArgs() < 2) { 1637 return Diag(TheCall->getLocEnd(), 1638 diag::err_typecheck_call_too_few_args_at_least) 1639 << 0 /*function call*/ << 2 << TheCall->getNumArgs(); 1640 } 1641 1642 // Type-check the first argument normally. 1643 if (checkBuiltinArgument(*this, TheCall, 0)) 1644 return true; 1645 1646 // Determine whether the current function is variadic or not. 1647 BlockScopeInfo *CurBlock = getCurBlock(); 1648 bool isVariadic; 1649 if (CurBlock) 1650 isVariadic = CurBlock->TheDecl->isVariadic(); 1651 else if (FunctionDecl *FD = getCurFunctionDecl()) 1652 isVariadic = FD->isVariadic(); 1653 else 1654 isVariadic = getCurMethodDecl()->isVariadic(); 1655 1656 if (!isVariadic) { 1657 Diag(Fn->getLocStart(), diag::err_va_start_used_in_non_variadic_function); 1658 return true; 1659 } 1660 1661 // Verify that the second argument to the builtin is the last argument of the 1662 // current function or method. 1663 bool SecondArgIsLastNamedArgument = false; 1664 const Expr *Arg = TheCall->getArg(1)->IgnoreParenCasts(); 1665 1666 // These are valid if SecondArgIsLastNamedArgument is false after the next 1667 // block. 1668 QualType Type; 1669 SourceLocation ParamLoc; 1670 1671 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Arg)) { 1672 if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(DR->getDecl())) { 1673 // FIXME: This isn't correct for methods (results in bogus warning). 1674 // Get the last formal in the current function. 1675 const ParmVarDecl *LastArg; 1676 if (CurBlock) 1677 LastArg = *(CurBlock->TheDecl->param_end()-1); 1678 else if (FunctionDecl *FD = getCurFunctionDecl()) 1679 LastArg = *(FD->param_end()-1); 1680 else 1681 LastArg = *(getCurMethodDecl()->param_end()-1); 1682 SecondArgIsLastNamedArgument = PV == LastArg; 1683 1684 Type = PV->getType(); 1685 ParamLoc = PV->getLocation(); 1686 } 1687 } 1688 1689 if (!SecondArgIsLastNamedArgument) 1690 Diag(TheCall->getArg(1)->getLocStart(), 1691 diag::warn_second_parameter_of_va_start_not_last_named_argument); 1692 else if (Type->isReferenceType()) { 1693 Diag(Arg->getLocStart(), 1694 diag::warn_va_start_of_reference_type_is_undefined); 1695 Diag(ParamLoc, diag::note_parameter_type) << Type; 1696 } 1697 1698 TheCall->setType(Context.VoidTy); 1699 return false; 1700} 1701 1702/// SemaBuiltinUnorderedCompare - Handle functions like __builtin_isgreater and 1703/// friends. This is declared to take (...), so we have to check everything. 1704bool Sema::SemaBuiltinUnorderedCompare(CallExpr *TheCall) { 1705 if (TheCall->getNumArgs() < 2) 1706 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 1707 << 0 << 2 << TheCall->getNumArgs()/*function call*/; 1708 if (TheCall->getNumArgs() > 2) 1709 return Diag(TheCall->getArg(2)->getLocStart(), 1710 diag::err_typecheck_call_too_many_args) 1711 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 1712 << SourceRange(TheCall->getArg(2)->getLocStart(), 1713 (*(TheCall->arg_end()-1))->getLocEnd()); 1714 1715 ExprResult OrigArg0 = TheCall->getArg(0); 1716 ExprResult OrigArg1 = TheCall->getArg(1); 1717 1718 // Do standard promotions between the two arguments, returning their common 1719 // type. 1720 QualType Res = UsualArithmeticConversions(OrigArg0, OrigArg1, false); 1721 if (OrigArg0.isInvalid() || OrigArg1.isInvalid()) 1722 return true; 1723 1724 // Make sure any conversions are pushed back into the call; this is 1725 // type safe since unordered compare builtins are declared as "_Bool 1726 // foo(...)". 1727 TheCall->setArg(0, OrigArg0.get()); 1728 TheCall->setArg(1, OrigArg1.get()); 1729 1730 if (OrigArg0.get()->isTypeDependent() || OrigArg1.get()->isTypeDependent()) 1731 return false; 1732 1733 // If the common type isn't a real floating type, then the arguments were 1734 // invalid for this operation. 1735 if (Res.isNull() || !Res->isRealFloatingType()) 1736 return Diag(OrigArg0.get()->getLocStart(), 1737 diag::err_typecheck_call_invalid_ordered_compare) 1738 << OrigArg0.get()->getType() << OrigArg1.get()->getType() 1739 << SourceRange(OrigArg0.get()->getLocStart(), OrigArg1.get()->getLocEnd()); 1740 1741 return false; 1742} 1743 1744/// SemaBuiltinSemaBuiltinFPClassification - Handle functions like 1745/// __builtin_isnan and friends. This is declared to take (...), so we have 1746/// to check everything. We expect the last argument to be a floating point 1747/// value. 1748bool Sema::SemaBuiltinFPClassification(CallExpr *TheCall, unsigned NumArgs) { 1749 if (TheCall->getNumArgs() < NumArgs) 1750 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 1751 << 0 << NumArgs << TheCall->getNumArgs()/*function call*/; 1752 if (TheCall->getNumArgs() > NumArgs) 1753 return Diag(TheCall->getArg(NumArgs)->getLocStart(), 1754 diag::err_typecheck_call_too_many_args) 1755 << 0 /*function call*/ << NumArgs << TheCall->getNumArgs() 1756 << SourceRange(TheCall->getArg(NumArgs)->getLocStart(), 1757 (*(TheCall->arg_end()-1))->getLocEnd()); 1758 1759 Expr *OrigArg = TheCall->getArg(NumArgs-1); 1760 1761 if (OrigArg->isTypeDependent()) 1762 return false; 1763 1764 // This operation requires a non-_Complex floating-point number. 1765 if (!OrigArg->getType()->isRealFloatingType()) 1766 return Diag(OrigArg->getLocStart(), 1767 diag::err_typecheck_call_invalid_unary_fp) 1768 << OrigArg->getType() << OrigArg->getSourceRange(); 1769 1770 // If this is an implicit conversion from float -> double, remove it. 1771 if (ImplicitCastExpr *Cast = dyn_cast<ImplicitCastExpr>(OrigArg)) { 1772 Expr *CastArg = Cast->getSubExpr(); 1773 if (CastArg->getType()->isSpecificBuiltinType(BuiltinType::Float)) { 1774 assert(Cast->getType()->isSpecificBuiltinType(BuiltinType::Double) && 1775 "promotion from float to double is the only expected cast here"); 1776 Cast->setSubExpr(nullptr); 1777 TheCall->setArg(NumArgs-1, CastArg); 1778 } 1779 } 1780 1781 return false; 1782} 1783 1784/// SemaBuiltinShuffleVector - Handle __builtin_shufflevector. 1785// This is declared to take (...), so we have to check everything. 1786ExprResult Sema::SemaBuiltinShuffleVector(CallExpr *TheCall) { 1787 if (TheCall->getNumArgs() < 2) 1788 return ExprError(Diag(TheCall->getLocEnd(), 1789 diag::err_typecheck_call_too_few_args_at_least) 1790 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 1791 << TheCall->getSourceRange()); 1792 1793 // Determine which of the following types of shufflevector we're checking: 1794 // 1) unary, vector mask: (lhs, mask) 1795 // 2) binary, vector mask: (lhs, rhs, mask) 1796 // 3) binary, scalar mask: (lhs, rhs, index, ..., index) 1797 QualType resType = TheCall->getArg(0)->getType(); 1798 unsigned numElements = 0; 1799 1800 if (!TheCall->getArg(0)->isTypeDependent() && 1801 !TheCall->getArg(1)->isTypeDependent()) { 1802 QualType LHSType = TheCall->getArg(0)->getType(); 1803 QualType RHSType = TheCall->getArg(1)->getType(); 1804 1805 if (!LHSType->isVectorType() || !RHSType->isVectorType()) 1806 return ExprError(Diag(TheCall->getLocStart(), 1807 diag::err_shufflevector_non_vector) 1808 << SourceRange(TheCall->getArg(0)->getLocStart(), 1809 TheCall->getArg(1)->getLocEnd())); 1810 1811 numElements = LHSType->getAs<VectorType>()->getNumElements(); 1812 unsigned numResElements = TheCall->getNumArgs() - 2; 1813 1814 // Check to see if we have a call with 2 vector arguments, the unary shuffle 1815 // with mask. If so, verify that RHS is an integer vector type with the 1816 // same number of elts as lhs. 1817 if (TheCall->getNumArgs() == 2) { 1818 if (!RHSType->hasIntegerRepresentation() || 1819 RHSType->getAs<VectorType>()->getNumElements() != numElements) 1820 return ExprError(Diag(TheCall->getLocStart(), 1821 diag::err_shufflevector_incompatible_vector) 1822 << SourceRange(TheCall->getArg(1)->getLocStart(), 1823 TheCall->getArg(1)->getLocEnd())); 1824 } else if (!Context.hasSameUnqualifiedType(LHSType, RHSType)) { 1825 return ExprError(Diag(TheCall->getLocStart(), 1826 diag::err_shufflevector_incompatible_vector) 1827 << SourceRange(TheCall->getArg(0)->getLocStart(), 1828 TheCall->getArg(1)->getLocEnd())); 1829 } else if (numElements != numResElements) { 1830 QualType eltType = LHSType->getAs<VectorType>()->getElementType(); 1831 resType = Context.getVectorType(eltType, numResElements, 1832 VectorType::GenericVector); 1833 } 1834 } 1835 1836 for (unsigned i = 2; i < TheCall->getNumArgs(); i++) { 1837 if (TheCall->getArg(i)->isTypeDependent() || 1838 TheCall->getArg(i)->isValueDependent()) 1839 continue; 1840 1841 llvm::APSInt Result(32); 1842 if (!TheCall->getArg(i)->isIntegerConstantExpr(Result, Context)) 1843 return ExprError(Diag(TheCall->getLocStart(), 1844 diag::err_shufflevector_nonconstant_argument) 1845 << TheCall->getArg(i)->getSourceRange()); 1846 1847 // Allow -1 which will be translated to undef in the IR. 1848 if (Result.isSigned() && Result.isAllOnesValue()) 1849 continue; 1850 1851 if (Result.getActiveBits() > 64 || Result.getZExtValue() >= numElements*2) 1852 return ExprError(Diag(TheCall->getLocStart(), 1853 diag::err_shufflevector_argument_too_large) 1854 << TheCall->getArg(i)->getSourceRange()); 1855 } 1856 1857 SmallVector<Expr*, 32> exprs; 1858 1859 for (unsigned i = 0, e = TheCall->getNumArgs(); i != e; i++) { 1860 exprs.push_back(TheCall->getArg(i)); 1861 TheCall->setArg(i, nullptr); 1862 } 1863 1864 return Owned(new (Context) ShuffleVectorExpr(Context, exprs, resType, 1865 TheCall->getCallee()->getLocStart(), 1866 TheCall->getRParenLoc())); 1867} 1868 1869/// SemaConvertVectorExpr - Handle __builtin_convertvector 1870ExprResult Sema::SemaConvertVectorExpr(Expr *E, TypeSourceInfo *TInfo, 1871 SourceLocation BuiltinLoc, 1872 SourceLocation RParenLoc) { 1873 ExprValueKind VK = VK_RValue; 1874 ExprObjectKind OK = OK_Ordinary; 1875 QualType DstTy = TInfo->getType(); 1876 QualType SrcTy = E->getType(); 1877 1878 if (!SrcTy->isVectorType() && !SrcTy->isDependentType()) 1879 return ExprError(Diag(BuiltinLoc, 1880 diag::err_convertvector_non_vector) 1881 << E->getSourceRange()); 1882 if (!DstTy->isVectorType() && !DstTy->isDependentType()) 1883 return ExprError(Diag(BuiltinLoc, 1884 diag::err_convertvector_non_vector_type)); 1885 1886 if (!SrcTy->isDependentType() && !DstTy->isDependentType()) { 1887 unsigned SrcElts = SrcTy->getAs<VectorType>()->getNumElements(); 1888 unsigned DstElts = DstTy->getAs<VectorType>()->getNumElements(); 1889 if (SrcElts != DstElts) 1890 return ExprError(Diag(BuiltinLoc, 1891 diag::err_convertvector_incompatible_vector) 1892 << E->getSourceRange()); 1893 } 1894 1895 return Owned(new (Context) ConvertVectorExpr(E, TInfo, DstTy, VK, OK, 1896 BuiltinLoc, RParenLoc)); 1897 1898} 1899 1900/// SemaBuiltinPrefetch - Handle __builtin_prefetch. 1901// This is declared to take (const void*, ...) and can take two 1902// optional constant int args. 1903bool Sema::SemaBuiltinPrefetch(CallExpr *TheCall) { 1904 unsigned NumArgs = TheCall->getNumArgs(); 1905 1906 if (NumArgs > 3) 1907 return Diag(TheCall->getLocEnd(), 1908 diag::err_typecheck_call_too_many_args_at_most) 1909 << 0 /*function call*/ << 3 << NumArgs 1910 << TheCall->getSourceRange(); 1911 1912 // Argument 0 is checked for us and the remaining arguments must be 1913 // constant integers. 1914 for (unsigned i = 1; i != NumArgs; ++i) 1915 if (SemaBuiltinConstantArgRange(TheCall, i, 0, i == 1 ? 1 : 3)) 1916 return true; 1917 1918 return false; 1919} 1920 1921/// SemaBuiltinConstantArg - Handle a check if argument ArgNum of CallExpr 1922/// TheCall is a constant expression. 1923bool Sema::SemaBuiltinConstantArg(CallExpr *TheCall, int ArgNum, 1924 llvm::APSInt &Result) { 1925 Expr *Arg = TheCall->getArg(ArgNum); 1926 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 1927 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 1928 1929 if (Arg->isTypeDependent() || Arg->isValueDependent()) return false; 1930 1931 if (!Arg->isIntegerConstantExpr(Result, Context)) 1932 return Diag(TheCall->getLocStart(), diag::err_constant_integer_arg_type) 1933 << FDecl->getDeclName() << Arg->getSourceRange(); 1934 1935 return false; 1936} 1937 1938/// SemaBuiltinConstantArgRange - Handle a check if argument ArgNum of CallExpr 1939/// TheCall is a constant expression in the range [Low, High]. 1940bool Sema::SemaBuiltinConstantArgRange(CallExpr *TheCall, int ArgNum, 1941 int Low, int High) { 1942 llvm::APSInt Result; 1943 1944 // We can't check the value of a dependent argument. 1945 Expr *Arg = TheCall->getArg(ArgNum); 1946 if (Arg->isTypeDependent() || Arg->isValueDependent()) 1947 return false; 1948 1949 // Check constant-ness first. 1950 if (SemaBuiltinConstantArg(TheCall, ArgNum, Result)) 1951 return true; 1952 1953 if (Result.getSExtValue() < Low || Result.getSExtValue() > High) 1954 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 1955 << Low << High << Arg->getSourceRange(); 1956 1957 return false; 1958} 1959 1960/// SemaBuiltinLongjmp - Handle __builtin_longjmp(void *env[5], int val). 1961/// This checks that val is a constant 1. 1962bool Sema::SemaBuiltinLongjmp(CallExpr *TheCall) { 1963 Expr *Arg = TheCall->getArg(1); 1964 llvm::APSInt Result; 1965 1966 // TODO: This is less than ideal. Overload this to take a value. 1967 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 1968 return true; 1969 1970 if (Result != 1) 1971 return Diag(TheCall->getLocStart(), diag::err_builtin_longjmp_invalid_val) 1972 << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 1973 1974 return false; 1975} 1976 1977namespace { 1978enum StringLiteralCheckType { 1979 SLCT_NotALiteral, 1980 SLCT_UncheckedLiteral, 1981 SLCT_CheckedLiteral 1982}; 1983} 1984 1985// Determine if an expression is a string literal or constant string. 1986// If this function returns false on the arguments to a function expecting a 1987// format string, we will usually need to emit a warning. 1988// True string literals are then checked by CheckFormatString. 1989static StringLiteralCheckType 1990checkFormatStringExpr(Sema &S, const Expr *E, ArrayRef<const Expr *> Args, 1991 bool HasVAListArg, unsigned format_idx, 1992 unsigned firstDataArg, Sema::FormatStringType Type, 1993 Sema::VariadicCallType CallType, bool InFunctionCall, 1994 llvm::SmallBitVector &CheckedVarArgs) { 1995 tryAgain: 1996 if (E->isTypeDependent() || E->isValueDependent()) 1997 return SLCT_NotALiteral; 1998 1999 E = E->IgnoreParenCasts(); 2000 2001 if (E->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNotNull)) 2002 // Technically -Wformat-nonliteral does not warn about this case. 2003 // The behavior of printf and friends in this case is implementation 2004 // dependent. Ideally if the format string cannot be null then 2005 // it should have a 'nonnull' attribute in the function prototype. 2006 return SLCT_UncheckedLiteral; 2007 2008 switch (E->getStmtClass()) { 2009 case Stmt::BinaryConditionalOperatorClass: 2010 case Stmt::ConditionalOperatorClass: { 2011 // The expression is a literal if both sub-expressions were, and it was 2012 // completely checked only if both sub-expressions were checked. 2013 const AbstractConditionalOperator *C = 2014 cast<AbstractConditionalOperator>(E); 2015 StringLiteralCheckType Left = 2016 checkFormatStringExpr(S, C->getTrueExpr(), Args, 2017 HasVAListArg, format_idx, firstDataArg, 2018 Type, CallType, InFunctionCall, CheckedVarArgs); 2019 if (Left == SLCT_NotALiteral) 2020 return SLCT_NotALiteral; 2021 StringLiteralCheckType Right = 2022 checkFormatStringExpr(S, C->getFalseExpr(), Args, 2023 HasVAListArg, format_idx, firstDataArg, 2024 Type, CallType, InFunctionCall, CheckedVarArgs); 2025 return Left < Right ? Left : Right; 2026 } 2027 2028 case Stmt::ImplicitCastExprClass: { 2029 E = cast<ImplicitCastExpr>(E)->getSubExpr(); 2030 goto tryAgain; 2031 } 2032 2033 case Stmt::OpaqueValueExprClass: 2034 if (const Expr *src = cast<OpaqueValueExpr>(E)->getSourceExpr()) { 2035 E = src; 2036 goto tryAgain; 2037 } 2038 return SLCT_NotALiteral; 2039 2040 case Stmt::PredefinedExprClass: 2041 // While __func__, etc., are technically not string literals, they 2042 // cannot contain format specifiers and thus are not a security 2043 // liability. 2044 return SLCT_UncheckedLiteral; 2045 2046 case Stmt::DeclRefExprClass: { 2047 const DeclRefExpr *DR = cast<DeclRefExpr>(E); 2048 2049 // As an exception, do not flag errors for variables binding to 2050 // const string literals. 2051 if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) { 2052 bool isConstant = false; 2053 QualType T = DR->getType(); 2054 2055 if (const ArrayType *AT = S.Context.getAsArrayType(T)) { 2056 isConstant = AT->getElementType().isConstant(S.Context); 2057 } else if (const PointerType *PT = T->getAs<PointerType>()) { 2058 isConstant = T.isConstant(S.Context) && 2059 PT->getPointeeType().isConstant(S.Context); 2060 } else if (T->isObjCObjectPointerType()) { 2061 // In ObjC, there is usually no "const ObjectPointer" type, 2062 // so don't check if the pointee type is constant. 2063 isConstant = T.isConstant(S.Context); 2064 } 2065 2066 if (isConstant) { 2067 if (const Expr *Init = VD->getAnyInitializer()) { 2068 // Look through initializers like const char c[] = { "foo" } 2069 if (const InitListExpr *InitList = dyn_cast<InitListExpr>(Init)) { 2070 if (InitList->isStringLiteralInit()) 2071 Init = InitList->getInit(0)->IgnoreParenImpCasts(); 2072 } 2073 return checkFormatStringExpr(S, Init, Args, 2074 HasVAListArg, format_idx, 2075 firstDataArg, Type, CallType, 2076 /*InFunctionCall*/false, CheckedVarArgs); 2077 } 2078 } 2079 2080 // For vprintf* functions (i.e., HasVAListArg==true), we add a 2081 // special check to see if the format string is a function parameter 2082 // of the function calling the printf function. If the function 2083 // has an attribute indicating it is a printf-like function, then we 2084 // should suppress warnings concerning non-literals being used in a call 2085 // to a vprintf function. For example: 2086 // 2087 // void 2088 // logmessage(char const *fmt __attribute__ (format (printf, 1, 2)), ...){ 2089 // va_list ap; 2090 // va_start(ap, fmt); 2091 // vprintf(fmt, ap); // Do NOT emit a warning about "fmt". 2092 // ... 2093 // } 2094 if (HasVAListArg) { 2095 if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(VD)) { 2096 if (const NamedDecl *ND = dyn_cast<NamedDecl>(PV->getDeclContext())) { 2097 int PVIndex = PV->getFunctionScopeIndex() + 1; 2098 for (const auto *PVFormat : ND->specific_attrs<FormatAttr>()) { 2099 // adjust for implicit parameter 2100 if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(ND)) 2101 if (MD->isInstance()) 2102 ++PVIndex; 2103 // We also check if the formats are compatible. 2104 // We can't pass a 'scanf' string to a 'printf' function. 2105 if (PVIndex == PVFormat->getFormatIdx() && 2106 Type == S.GetFormatStringType(PVFormat)) 2107 return SLCT_UncheckedLiteral; 2108 } 2109 } 2110 } 2111 } 2112 } 2113 2114 return SLCT_NotALiteral; 2115 } 2116 2117 case Stmt::CallExprClass: 2118 case Stmt::CXXMemberCallExprClass: { 2119 const CallExpr *CE = cast<CallExpr>(E); 2120 if (const NamedDecl *ND = dyn_cast_or_null<NamedDecl>(CE->getCalleeDecl())) { 2121 if (const FormatArgAttr *FA = ND->getAttr<FormatArgAttr>()) { 2122 unsigned ArgIndex = FA->getFormatIdx(); 2123 if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(ND)) 2124 if (MD->isInstance()) 2125 --ArgIndex; 2126 const Expr *Arg = CE->getArg(ArgIndex - 1); 2127 2128 return checkFormatStringExpr(S, Arg, Args, 2129 HasVAListArg, format_idx, firstDataArg, 2130 Type, CallType, InFunctionCall, 2131 CheckedVarArgs); 2132 } else if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(ND)) { 2133 unsigned BuiltinID = FD->getBuiltinID(); 2134 if (BuiltinID == Builtin::BI__builtin___CFStringMakeConstantString || 2135 BuiltinID == Builtin::BI__builtin___NSStringMakeConstantString) { 2136 const Expr *Arg = CE->getArg(0); 2137 return checkFormatStringExpr(S, Arg, Args, 2138 HasVAListArg, format_idx, 2139 firstDataArg, Type, CallType, 2140 InFunctionCall, CheckedVarArgs); 2141 } 2142 } 2143 } 2144 2145 return SLCT_NotALiteral; 2146 } 2147 case Stmt::ObjCStringLiteralClass: 2148 case Stmt::StringLiteralClass: { 2149 const StringLiteral *StrE = nullptr; 2150 2151 if (const ObjCStringLiteral *ObjCFExpr = dyn_cast<ObjCStringLiteral>(E)) 2152 StrE = ObjCFExpr->getString(); 2153 else 2154 StrE = cast<StringLiteral>(E); 2155 2156 if (StrE) { 2157 S.CheckFormatString(StrE, E, Args, HasVAListArg, format_idx, firstDataArg, 2158 Type, InFunctionCall, CallType, CheckedVarArgs); 2159 return SLCT_CheckedLiteral; 2160 } 2161 2162 return SLCT_NotALiteral; 2163 } 2164 2165 default: 2166 return SLCT_NotALiteral; 2167 } 2168} 2169 2170Sema::FormatStringType Sema::GetFormatStringType(const FormatAttr *Format) { 2171 return llvm::StringSwitch<FormatStringType>(Format->getType()->getName()) 2172 .Case("scanf", FST_Scanf) 2173 .Cases("printf", "printf0", FST_Printf) 2174 .Cases("NSString", "CFString", FST_NSString) 2175 .Case("strftime", FST_Strftime) 2176 .Case("strfmon", FST_Strfmon) 2177 .Cases("kprintf", "cmn_err", "vcmn_err", "zcmn_err", FST_Kprintf) 2178 .Default(FST_Unknown); 2179} 2180 2181/// CheckFormatArguments - Check calls to printf and scanf (and similar 2182/// functions) for correct use of format strings. 2183/// Returns true if a format string has been fully checked. 2184bool Sema::CheckFormatArguments(const FormatAttr *Format, 2185 ArrayRef<const Expr *> Args, 2186 bool IsCXXMember, 2187 VariadicCallType CallType, 2188 SourceLocation Loc, SourceRange Range, 2189 llvm::SmallBitVector &CheckedVarArgs) { 2190 FormatStringInfo FSI; 2191 if (getFormatStringInfo(Format, IsCXXMember, &FSI)) 2192 return CheckFormatArguments(Args, FSI.HasVAListArg, FSI.FormatIdx, 2193 FSI.FirstDataArg, GetFormatStringType(Format), 2194 CallType, Loc, Range, CheckedVarArgs); 2195 return false; 2196} 2197 2198bool Sema::CheckFormatArguments(ArrayRef<const Expr *> Args, 2199 bool HasVAListArg, unsigned format_idx, 2200 unsigned firstDataArg, FormatStringType Type, 2201 VariadicCallType CallType, 2202 SourceLocation Loc, SourceRange Range, 2203 llvm::SmallBitVector &CheckedVarArgs) { 2204 // CHECK: printf/scanf-like function is called with no format string. 2205 if (format_idx >= Args.size()) { 2206 Diag(Loc, diag::warn_missing_format_string) << Range; 2207 return false; 2208 } 2209 2210 const Expr *OrigFormatExpr = Args[format_idx]->IgnoreParenCasts(); 2211 2212 // CHECK: format string is not a string literal. 2213 // 2214 // Dynamically generated format strings are difficult to 2215 // automatically vet at compile time. Requiring that format strings 2216 // are string literals: (1) permits the checking of format strings by 2217 // the compiler and thereby (2) can practically remove the source of 2218 // many format string exploits. 2219 2220 // Format string can be either ObjC string (e.g. @"%d") or 2221 // C string (e.g. "%d") 2222 // ObjC string uses the same format specifiers as C string, so we can use 2223 // the same format string checking logic for both ObjC and C strings. 2224 StringLiteralCheckType CT = 2225 checkFormatStringExpr(*this, OrigFormatExpr, Args, HasVAListArg, 2226 format_idx, firstDataArg, Type, CallType, 2227 /*IsFunctionCall*/true, CheckedVarArgs); 2228 if (CT != SLCT_NotALiteral) 2229 // Literal format string found, check done! 2230 return CT == SLCT_CheckedLiteral; 2231 2232 // Strftime is particular as it always uses a single 'time' argument, 2233 // so it is safe to pass a non-literal string. 2234 if (Type == FST_Strftime) 2235 return false; 2236 2237 // Do not emit diag when the string param is a macro expansion and the 2238 // format is either NSString or CFString. This is a hack to prevent 2239 // diag when using the NSLocalizedString and CFCopyLocalizedString macros 2240 // which are usually used in place of NS and CF string literals. 2241 if (Type == FST_NSString && 2242 SourceMgr.isInSystemMacro(Args[format_idx]->getLocStart())) 2243 return false; 2244 2245 // If there are no arguments specified, warn with -Wformat-security, otherwise 2246 // warn only with -Wformat-nonliteral. 2247 if (Args.size() == firstDataArg) 2248 Diag(Args[format_idx]->getLocStart(), 2249 diag::warn_format_nonliteral_noargs) 2250 << OrigFormatExpr->getSourceRange(); 2251 else 2252 Diag(Args[format_idx]->getLocStart(), 2253 diag::warn_format_nonliteral) 2254 << OrigFormatExpr->getSourceRange(); 2255 return false; 2256} 2257 2258namespace { 2259class CheckFormatHandler : public analyze_format_string::FormatStringHandler { 2260protected: 2261 Sema &S; 2262 const StringLiteral *FExpr; 2263 const Expr *OrigFormatExpr; 2264 const unsigned FirstDataArg; 2265 const unsigned NumDataArgs; 2266 const char *Beg; // Start of format string. 2267 const bool HasVAListArg; 2268 ArrayRef<const Expr *> Args; 2269 unsigned FormatIdx; 2270 llvm::SmallBitVector CoveredArgs; 2271 bool usesPositionalArgs; 2272 bool atFirstArg; 2273 bool inFunctionCall; 2274 Sema::VariadicCallType CallType; 2275 llvm::SmallBitVector &CheckedVarArgs; 2276public: 2277 CheckFormatHandler(Sema &s, const StringLiteral *fexpr, 2278 const Expr *origFormatExpr, unsigned firstDataArg, 2279 unsigned numDataArgs, const char *beg, bool hasVAListArg, 2280 ArrayRef<const Expr *> Args, 2281 unsigned formatIdx, bool inFunctionCall, 2282 Sema::VariadicCallType callType, 2283 llvm::SmallBitVector &CheckedVarArgs) 2284 : S(s), FExpr(fexpr), OrigFormatExpr(origFormatExpr), 2285 FirstDataArg(firstDataArg), NumDataArgs(numDataArgs), 2286 Beg(beg), HasVAListArg(hasVAListArg), 2287 Args(Args), FormatIdx(formatIdx), 2288 usesPositionalArgs(false), atFirstArg(true), 2289 inFunctionCall(inFunctionCall), CallType(callType), 2290 CheckedVarArgs(CheckedVarArgs) { 2291 CoveredArgs.resize(numDataArgs); 2292 CoveredArgs.reset(); 2293 } 2294 2295 void DoneProcessing(); 2296 2297 void HandleIncompleteSpecifier(const char *startSpecifier, 2298 unsigned specifierLen) override; 2299 2300 void HandleInvalidLengthModifier( 2301 const analyze_format_string::FormatSpecifier &FS, 2302 const analyze_format_string::ConversionSpecifier &CS, 2303 const char *startSpecifier, unsigned specifierLen, 2304 unsigned DiagID); 2305 2306 void HandleNonStandardLengthModifier( 2307 const analyze_format_string::FormatSpecifier &FS, 2308 const char *startSpecifier, unsigned specifierLen); 2309 2310 void HandleNonStandardConversionSpecifier( 2311 const analyze_format_string::ConversionSpecifier &CS, 2312 const char *startSpecifier, unsigned specifierLen); 2313 2314 void HandlePosition(const char *startPos, unsigned posLen) override; 2315 2316 void HandleInvalidPosition(const char *startSpecifier, 2317 unsigned specifierLen, 2318 analyze_format_string::PositionContext p) override; 2319 2320 void HandleZeroPosition(const char *startPos, unsigned posLen) override; 2321 2322 void HandleNullChar(const char *nullCharacter) override; 2323 2324 template <typename Range> 2325 static void EmitFormatDiagnostic(Sema &S, bool inFunctionCall, 2326 const Expr *ArgumentExpr, 2327 PartialDiagnostic PDiag, 2328 SourceLocation StringLoc, 2329 bool IsStringLocation, Range StringRange, 2330 ArrayRef<FixItHint> Fixit = None); 2331 2332protected: 2333 bool HandleInvalidConversionSpecifier(unsigned argIndex, SourceLocation Loc, 2334 const char *startSpec, 2335 unsigned specifierLen, 2336 const char *csStart, unsigned csLen); 2337 2338 void HandlePositionalNonpositionalArgs(SourceLocation Loc, 2339 const char *startSpec, 2340 unsigned specifierLen); 2341 2342 SourceRange getFormatStringRange(); 2343 CharSourceRange getSpecifierRange(const char *startSpecifier, 2344 unsigned specifierLen); 2345 SourceLocation getLocationOfByte(const char *x); 2346 2347 const Expr *getDataArg(unsigned i) const; 2348 2349 bool CheckNumArgs(const analyze_format_string::FormatSpecifier &FS, 2350 const analyze_format_string::ConversionSpecifier &CS, 2351 const char *startSpecifier, unsigned specifierLen, 2352 unsigned argIndex); 2353 2354 template <typename Range> 2355 void EmitFormatDiagnostic(PartialDiagnostic PDiag, SourceLocation StringLoc, 2356 bool IsStringLocation, Range StringRange, 2357 ArrayRef<FixItHint> Fixit = None); 2358}; 2359} 2360 2361SourceRange CheckFormatHandler::getFormatStringRange() { 2362 return OrigFormatExpr->getSourceRange(); 2363} 2364 2365CharSourceRange CheckFormatHandler:: 2366getSpecifierRange(const char *startSpecifier, unsigned specifierLen) { 2367 SourceLocation Start = getLocationOfByte(startSpecifier); 2368 SourceLocation End = getLocationOfByte(startSpecifier + specifierLen - 1); 2369 2370 // Advance the end SourceLocation by one due to half-open ranges. 2371 End = End.getLocWithOffset(1); 2372 2373 return CharSourceRange::getCharRange(Start, End); 2374} 2375 2376SourceLocation CheckFormatHandler::getLocationOfByte(const char *x) { 2377 return S.getLocationOfStringLiteralByte(FExpr, x - Beg); 2378} 2379 2380void CheckFormatHandler::HandleIncompleteSpecifier(const char *startSpecifier, 2381 unsigned specifierLen){ 2382 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_incomplete_specifier), 2383 getLocationOfByte(startSpecifier), 2384 /*IsStringLocation*/true, 2385 getSpecifierRange(startSpecifier, specifierLen)); 2386} 2387 2388void CheckFormatHandler::HandleInvalidLengthModifier( 2389 const analyze_format_string::FormatSpecifier &FS, 2390 const analyze_format_string::ConversionSpecifier &CS, 2391 const char *startSpecifier, unsigned specifierLen, unsigned DiagID) { 2392 using namespace analyze_format_string; 2393 2394 const LengthModifier &LM = FS.getLengthModifier(); 2395 CharSourceRange LMRange = getSpecifierRange(LM.getStart(), LM.getLength()); 2396 2397 // See if we know how to fix this length modifier. 2398 Optional<LengthModifier> FixedLM = FS.getCorrectedLengthModifier(); 2399 if (FixedLM) { 2400 EmitFormatDiagnostic(S.PDiag(DiagID) << LM.toString() << CS.toString(), 2401 getLocationOfByte(LM.getStart()), 2402 /*IsStringLocation*/true, 2403 getSpecifierRange(startSpecifier, specifierLen)); 2404 2405 S.Diag(getLocationOfByte(LM.getStart()), diag::note_format_fix_specifier) 2406 << FixedLM->toString() 2407 << FixItHint::CreateReplacement(LMRange, FixedLM->toString()); 2408 2409 } else { 2410 FixItHint Hint; 2411 if (DiagID == diag::warn_format_nonsensical_length) 2412 Hint = FixItHint::CreateRemoval(LMRange); 2413 2414 EmitFormatDiagnostic(S.PDiag(DiagID) << LM.toString() << CS.toString(), 2415 getLocationOfByte(LM.getStart()), 2416 /*IsStringLocation*/true, 2417 getSpecifierRange(startSpecifier, specifierLen), 2418 Hint); 2419 } 2420} 2421 2422void CheckFormatHandler::HandleNonStandardLengthModifier( 2423 const analyze_format_string::FormatSpecifier &FS, 2424 const char *startSpecifier, unsigned specifierLen) { 2425 using namespace analyze_format_string; 2426 2427 const LengthModifier &LM = FS.getLengthModifier(); 2428 CharSourceRange LMRange = getSpecifierRange(LM.getStart(), LM.getLength()); 2429 2430 // See if we know how to fix this length modifier. 2431 Optional<LengthModifier> FixedLM = FS.getCorrectedLengthModifier(); 2432 if (FixedLM) { 2433 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) 2434 << LM.toString() << 0, 2435 getLocationOfByte(LM.getStart()), 2436 /*IsStringLocation*/true, 2437 getSpecifierRange(startSpecifier, specifierLen)); 2438 2439 S.Diag(getLocationOfByte(LM.getStart()), diag::note_format_fix_specifier) 2440 << FixedLM->toString() 2441 << FixItHint::CreateReplacement(LMRange, FixedLM->toString()); 2442 2443 } else { 2444 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) 2445 << LM.toString() << 0, 2446 getLocationOfByte(LM.getStart()), 2447 /*IsStringLocation*/true, 2448 getSpecifierRange(startSpecifier, specifierLen)); 2449 } 2450} 2451 2452void CheckFormatHandler::HandleNonStandardConversionSpecifier( 2453 const analyze_format_string::ConversionSpecifier &CS, 2454 const char *startSpecifier, unsigned specifierLen) { 2455 using namespace analyze_format_string; 2456 2457 // See if we know how to fix this conversion specifier. 2458 Optional<ConversionSpecifier> FixedCS = CS.getStandardSpecifier(); 2459 if (FixedCS) { 2460 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) 2461 << CS.toString() << /*conversion specifier*/1, 2462 getLocationOfByte(CS.getStart()), 2463 /*IsStringLocation*/true, 2464 getSpecifierRange(startSpecifier, specifierLen)); 2465 2466 CharSourceRange CSRange = getSpecifierRange(CS.getStart(), CS.getLength()); 2467 S.Diag(getLocationOfByte(CS.getStart()), diag::note_format_fix_specifier) 2468 << FixedCS->toString() 2469 << FixItHint::CreateReplacement(CSRange, FixedCS->toString()); 2470 } else { 2471 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) 2472 << CS.toString() << /*conversion specifier*/1, 2473 getLocationOfByte(CS.getStart()), 2474 /*IsStringLocation*/true, 2475 getSpecifierRange(startSpecifier, specifierLen)); 2476 } 2477} 2478 2479void CheckFormatHandler::HandlePosition(const char *startPos, 2480 unsigned posLen) { 2481 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard_positional_arg), 2482 getLocationOfByte(startPos), 2483 /*IsStringLocation*/true, 2484 getSpecifierRange(startPos, posLen)); 2485} 2486 2487void 2488CheckFormatHandler::HandleInvalidPosition(const char *startPos, unsigned posLen, 2489 analyze_format_string::PositionContext p) { 2490 EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_positional_specifier) 2491 << (unsigned) p, 2492 getLocationOfByte(startPos), /*IsStringLocation*/true, 2493 getSpecifierRange(startPos, posLen)); 2494} 2495 2496void CheckFormatHandler::HandleZeroPosition(const char *startPos, 2497 unsigned posLen) { 2498 EmitFormatDiagnostic(S.PDiag(diag::warn_format_zero_positional_specifier), 2499 getLocationOfByte(startPos), 2500 /*IsStringLocation*/true, 2501 getSpecifierRange(startPos, posLen)); 2502} 2503 2504void CheckFormatHandler::HandleNullChar(const char *nullCharacter) { 2505 if (!isa<ObjCStringLiteral>(OrigFormatExpr)) { 2506 // The presence of a null character is likely an error. 2507 EmitFormatDiagnostic( 2508 S.PDiag(diag::warn_printf_format_string_contains_null_char), 2509 getLocationOfByte(nullCharacter), /*IsStringLocation*/true, 2510 getFormatStringRange()); 2511 } 2512} 2513 2514// Note that this may return NULL if there was an error parsing or building 2515// one of the argument expressions. 2516const Expr *CheckFormatHandler::getDataArg(unsigned i) const { 2517 return Args[FirstDataArg + i]; 2518} 2519 2520void CheckFormatHandler::DoneProcessing() { 2521 // Does the number of data arguments exceed the number of 2522 // format conversions in the format string? 2523 if (!HasVAListArg) { 2524 // Find any arguments that weren't covered. 2525 CoveredArgs.flip(); 2526 signed notCoveredArg = CoveredArgs.find_first(); 2527 if (notCoveredArg >= 0) { 2528 assert((unsigned)notCoveredArg < NumDataArgs); 2529 if (const Expr *E = getDataArg((unsigned) notCoveredArg)) { 2530 SourceLocation Loc = E->getLocStart(); 2531 if (!S.getSourceManager().isInSystemMacro(Loc)) { 2532 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_data_arg_not_used), 2533 Loc, /*IsStringLocation*/false, 2534 getFormatStringRange()); 2535 } 2536 } 2537 } 2538 } 2539} 2540 2541bool 2542CheckFormatHandler::HandleInvalidConversionSpecifier(unsigned argIndex, 2543 SourceLocation Loc, 2544 const char *startSpec, 2545 unsigned specifierLen, 2546 const char *csStart, 2547 unsigned csLen) { 2548 2549 bool keepGoing = true; 2550 if (argIndex < NumDataArgs) { 2551 // Consider the argument coverered, even though the specifier doesn't 2552 // make sense. 2553 CoveredArgs.set(argIndex); 2554 } 2555 else { 2556 // If argIndex exceeds the number of data arguments we 2557 // don't issue a warning because that is just a cascade of warnings (and 2558 // they may have intended '%%' anyway). We don't want to continue processing 2559 // the format string after this point, however, as we will like just get 2560 // gibberish when trying to match arguments. 2561 keepGoing = false; 2562 } 2563 2564 EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_conversion) 2565 << StringRef(csStart, csLen), 2566 Loc, /*IsStringLocation*/true, 2567 getSpecifierRange(startSpec, specifierLen)); 2568 2569 return keepGoing; 2570} 2571 2572void 2573CheckFormatHandler::HandlePositionalNonpositionalArgs(SourceLocation Loc, 2574 const char *startSpec, 2575 unsigned specifierLen) { 2576 EmitFormatDiagnostic( 2577 S.PDiag(diag::warn_format_mix_positional_nonpositional_args), 2578 Loc, /*isStringLoc*/true, getSpecifierRange(startSpec, specifierLen)); 2579} 2580 2581bool 2582CheckFormatHandler::CheckNumArgs( 2583 const analyze_format_string::FormatSpecifier &FS, 2584 const analyze_format_string::ConversionSpecifier &CS, 2585 const char *startSpecifier, unsigned specifierLen, unsigned argIndex) { 2586 2587 if (argIndex >= NumDataArgs) { 2588 PartialDiagnostic PDiag = FS.usesPositionalArg() 2589 ? (S.PDiag(diag::warn_printf_positional_arg_exceeds_data_args) 2590 << (argIndex+1) << NumDataArgs) 2591 : S.PDiag(diag::warn_printf_insufficient_data_args); 2592 EmitFormatDiagnostic( 2593 PDiag, getLocationOfByte(CS.getStart()), /*IsStringLocation*/true, 2594 getSpecifierRange(startSpecifier, specifierLen)); 2595 return false; 2596 } 2597 return true; 2598} 2599 2600template<typename Range> 2601void CheckFormatHandler::EmitFormatDiagnostic(PartialDiagnostic PDiag, 2602 SourceLocation Loc, 2603 bool IsStringLocation, 2604 Range StringRange, 2605 ArrayRef<FixItHint> FixIt) { 2606 EmitFormatDiagnostic(S, inFunctionCall, Args[FormatIdx], PDiag, 2607 Loc, IsStringLocation, StringRange, FixIt); 2608} 2609 2610/// \brief If the format string is not within the funcion call, emit a note 2611/// so that the function call and string are in diagnostic messages. 2612/// 2613/// \param InFunctionCall if true, the format string is within the function 2614/// call and only one diagnostic message will be produced. Otherwise, an 2615/// extra note will be emitted pointing to location of the format string. 2616/// 2617/// \param ArgumentExpr the expression that is passed as the format string 2618/// argument in the function call. Used for getting locations when two 2619/// diagnostics are emitted. 2620/// 2621/// \param PDiag the callee should already have provided any strings for the 2622/// diagnostic message. This function only adds locations and fixits 2623/// to diagnostics. 2624/// 2625/// \param Loc primary location for diagnostic. If two diagnostics are 2626/// required, one will be at Loc and a new SourceLocation will be created for 2627/// the other one. 2628/// 2629/// \param IsStringLocation if true, Loc points to the format string should be 2630/// used for the note. Otherwise, Loc points to the argument list and will 2631/// be used with PDiag. 2632/// 2633/// \param StringRange some or all of the string to highlight. This is 2634/// templated so it can accept either a CharSourceRange or a SourceRange. 2635/// 2636/// \param FixIt optional fix it hint for the format string. 2637template<typename Range> 2638void CheckFormatHandler::EmitFormatDiagnostic(Sema &S, bool InFunctionCall, 2639 const Expr *ArgumentExpr, 2640 PartialDiagnostic PDiag, 2641 SourceLocation Loc, 2642 bool IsStringLocation, 2643 Range StringRange, 2644 ArrayRef<FixItHint> FixIt) { 2645 if (InFunctionCall) { 2646 const Sema::SemaDiagnosticBuilder &D = S.Diag(Loc, PDiag); 2647 D << StringRange; 2648 for (ArrayRef<FixItHint>::iterator I = FixIt.begin(), E = FixIt.end(); 2649 I != E; ++I) { 2650 D << *I; 2651 } 2652 } else { 2653 S.Diag(IsStringLocation ? ArgumentExpr->getExprLoc() : Loc, PDiag) 2654 << ArgumentExpr->getSourceRange(); 2655 2656 const Sema::SemaDiagnosticBuilder &Note = 2657 S.Diag(IsStringLocation ? Loc : StringRange.getBegin(), 2658 diag::note_format_string_defined); 2659 2660 Note << StringRange; 2661 for (ArrayRef<FixItHint>::iterator I = FixIt.begin(), E = FixIt.end(); 2662 I != E; ++I) { 2663 Note << *I; 2664 } 2665 } 2666} 2667 2668//===--- CHECK: Printf format string checking ------------------------------===// 2669 2670namespace { 2671class CheckPrintfHandler : public CheckFormatHandler { 2672 bool ObjCContext; 2673public: 2674 CheckPrintfHandler(Sema &s, const StringLiteral *fexpr, 2675 const Expr *origFormatExpr, unsigned firstDataArg, 2676 unsigned numDataArgs, bool isObjC, 2677 const char *beg, bool hasVAListArg, 2678 ArrayRef<const Expr *> Args, 2679 unsigned formatIdx, bool inFunctionCall, 2680 Sema::VariadicCallType CallType, 2681 llvm::SmallBitVector &CheckedVarArgs) 2682 : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg, 2683 numDataArgs, beg, hasVAListArg, Args, 2684 formatIdx, inFunctionCall, CallType, CheckedVarArgs), 2685 ObjCContext(isObjC) 2686 {} 2687 2688 2689 bool HandleInvalidPrintfConversionSpecifier( 2690 const analyze_printf::PrintfSpecifier &FS, 2691 const char *startSpecifier, 2692 unsigned specifierLen) override; 2693 2694 bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS, 2695 const char *startSpecifier, 2696 unsigned specifierLen) override; 2697 bool checkFormatExpr(const analyze_printf::PrintfSpecifier &FS, 2698 const char *StartSpecifier, 2699 unsigned SpecifierLen, 2700 const Expr *E); 2701 2702 bool HandleAmount(const analyze_format_string::OptionalAmount &Amt, unsigned k, 2703 const char *startSpecifier, unsigned specifierLen); 2704 void HandleInvalidAmount(const analyze_printf::PrintfSpecifier &FS, 2705 const analyze_printf::OptionalAmount &Amt, 2706 unsigned type, 2707 const char *startSpecifier, unsigned specifierLen); 2708 void HandleFlag(const analyze_printf::PrintfSpecifier &FS, 2709 const analyze_printf::OptionalFlag &flag, 2710 const char *startSpecifier, unsigned specifierLen); 2711 void HandleIgnoredFlag(const analyze_printf::PrintfSpecifier &FS, 2712 const analyze_printf::OptionalFlag &ignoredFlag, 2713 const analyze_printf::OptionalFlag &flag, 2714 const char *startSpecifier, unsigned specifierLen); 2715 bool checkForCStrMembers(const analyze_printf::ArgType &AT, 2716 const Expr *E); 2717 2718}; 2719} 2720 2721bool CheckPrintfHandler::HandleInvalidPrintfConversionSpecifier( 2722 const analyze_printf::PrintfSpecifier &FS, 2723 const char *startSpecifier, 2724 unsigned specifierLen) { 2725 const analyze_printf::PrintfConversionSpecifier &CS = 2726 FS.getConversionSpecifier(); 2727 2728 return HandleInvalidConversionSpecifier(FS.getArgIndex(), 2729 getLocationOfByte(CS.getStart()), 2730 startSpecifier, specifierLen, 2731 CS.getStart(), CS.getLength()); 2732} 2733 2734bool CheckPrintfHandler::HandleAmount( 2735 const analyze_format_string::OptionalAmount &Amt, 2736 unsigned k, const char *startSpecifier, 2737 unsigned specifierLen) { 2738 2739 if (Amt.hasDataArgument()) { 2740 if (!HasVAListArg) { 2741 unsigned argIndex = Amt.getArgIndex(); 2742 if (argIndex >= NumDataArgs) { 2743 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_missing_arg) 2744 << k, 2745 getLocationOfByte(Amt.getStart()), 2746 /*IsStringLocation*/true, 2747 getSpecifierRange(startSpecifier, specifierLen)); 2748 // Don't do any more checking. We will just emit 2749 // spurious errors. 2750 return false; 2751 } 2752 2753 // Type check the data argument. It should be an 'int'. 2754 // Although not in conformance with C99, we also allow the argument to be 2755 // an 'unsigned int' as that is a reasonably safe case. GCC also 2756 // doesn't emit a warning for that case. 2757 CoveredArgs.set(argIndex); 2758 const Expr *Arg = getDataArg(argIndex); 2759 if (!Arg) 2760 return false; 2761 2762 QualType T = Arg->getType(); 2763 2764 const analyze_printf::ArgType &AT = Amt.getArgType(S.Context); 2765 assert(AT.isValid()); 2766 2767 if (!AT.matchesType(S.Context, T)) { 2768 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_wrong_type) 2769 << k << AT.getRepresentativeTypeName(S.Context) 2770 << T << Arg->getSourceRange(), 2771 getLocationOfByte(Amt.getStart()), 2772 /*IsStringLocation*/true, 2773 getSpecifierRange(startSpecifier, specifierLen)); 2774 // Don't do any more checking. We will just emit 2775 // spurious errors. 2776 return false; 2777 } 2778 } 2779 } 2780 return true; 2781} 2782 2783void CheckPrintfHandler::HandleInvalidAmount( 2784 const analyze_printf::PrintfSpecifier &FS, 2785 const analyze_printf::OptionalAmount &Amt, 2786 unsigned type, 2787 const char *startSpecifier, 2788 unsigned specifierLen) { 2789 const analyze_printf::PrintfConversionSpecifier &CS = 2790 FS.getConversionSpecifier(); 2791 2792 FixItHint fixit = 2793 Amt.getHowSpecified() == analyze_printf::OptionalAmount::Constant 2794 ? FixItHint::CreateRemoval(getSpecifierRange(Amt.getStart(), 2795 Amt.getConstantLength())) 2796 : FixItHint(); 2797 2798 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_optional_amount) 2799 << type << CS.toString(), 2800 getLocationOfByte(Amt.getStart()), 2801 /*IsStringLocation*/true, 2802 getSpecifierRange(startSpecifier, specifierLen), 2803 fixit); 2804} 2805 2806void CheckPrintfHandler::HandleFlag(const analyze_printf::PrintfSpecifier &FS, 2807 const analyze_printf::OptionalFlag &flag, 2808 const char *startSpecifier, 2809 unsigned specifierLen) { 2810 // Warn about pointless flag with a fixit removal. 2811 const analyze_printf::PrintfConversionSpecifier &CS = 2812 FS.getConversionSpecifier(); 2813 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_flag) 2814 << flag.toString() << CS.toString(), 2815 getLocationOfByte(flag.getPosition()), 2816 /*IsStringLocation*/true, 2817 getSpecifierRange(startSpecifier, specifierLen), 2818 FixItHint::CreateRemoval( 2819 getSpecifierRange(flag.getPosition(), 1))); 2820} 2821 2822void CheckPrintfHandler::HandleIgnoredFlag( 2823 const analyze_printf::PrintfSpecifier &FS, 2824 const analyze_printf::OptionalFlag &ignoredFlag, 2825 const analyze_printf::OptionalFlag &flag, 2826 const char *startSpecifier, 2827 unsigned specifierLen) { 2828 // Warn about ignored flag with a fixit removal. 2829 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_ignored_flag) 2830 << ignoredFlag.toString() << flag.toString(), 2831 getLocationOfByte(ignoredFlag.getPosition()), 2832 /*IsStringLocation*/true, 2833 getSpecifierRange(startSpecifier, specifierLen), 2834 FixItHint::CreateRemoval( 2835 getSpecifierRange(ignoredFlag.getPosition(), 1))); 2836} 2837 2838// Determines if the specified is a C++ class or struct containing 2839// a member with the specified name and kind (e.g. a CXXMethodDecl named 2840// "c_str()"). 2841template<typename MemberKind> 2842static llvm::SmallPtrSet<MemberKind*, 1> 2843CXXRecordMembersNamed(StringRef Name, Sema &S, QualType Ty) { 2844 const RecordType *RT = Ty->getAs<RecordType>(); 2845 llvm::SmallPtrSet<MemberKind*, 1> Results; 2846 2847 if (!RT) 2848 return Results; 2849 const CXXRecordDecl *RD = dyn_cast<CXXRecordDecl>(RT->getDecl()); 2850 if (!RD || !RD->getDefinition()) 2851 return Results; 2852 2853 LookupResult R(S, &S.Context.Idents.get(Name), SourceLocation(), 2854 Sema::LookupMemberName); 2855 R.suppressDiagnostics(); 2856 2857 // We just need to include all members of the right kind turned up by the 2858 // filter, at this point. 2859 if (S.LookupQualifiedName(R, RT->getDecl())) 2860 for (LookupResult::iterator I = R.begin(), E = R.end(); I != E; ++I) { 2861 NamedDecl *decl = (*I)->getUnderlyingDecl(); 2862 if (MemberKind *FK = dyn_cast<MemberKind>(decl)) 2863 Results.insert(FK); 2864 } 2865 return Results; 2866} 2867 2868/// Check if we could call '.c_str()' on an object. 2869/// 2870/// FIXME: This returns the wrong results in some cases (if cv-qualifiers don't 2871/// allow the call, or if it would be ambiguous). 2872bool Sema::hasCStrMethod(const Expr *E) { 2873 typedef llvm::SmallPtrSet<CXXMethodDecl*, 1> MethodSet; 2874 MethodSet Results = 2875 CXXRecordMembersNamed<CXXMethodDecl>("c_str", *this, E->getType()); 2876 for (MethodSet::iterator MI = Results.begin(), ME = Results.end(); 2877 MI != ME; ++MI) 2878 if ((*MI)->getMinRequiredArguments() == 0) 2879 return true; 2880 return false; 2881} 2882 2883// Check if a (w)string was passed when a (w)char* was needed, and offer a 2884// better diagnostic if so. AT is assumed to be valid. 2885// Returns true when a c_str() conversion method is found. 2886bool CheckPrintfHandler::checkForCStrMembers( 2887 const analyze_printf::ArgType &AT, const Expr *E) { 2888 typedef llvm::SmallPtrSet<CXXMethodDecl*, 1> MethodSet; 2889 2890 MethodSet Results = 2891 CXXRecordMembersNamed<CXXMethodDecl>("c_str", S, E->getType()); 2892 2893 for (MethodSet::iterator MI = Results.begin(), ME = Results.end(); 2894 MI != ME; ++MI) { 2895 const CXXMethodDecl *Method = *MI; 2896 if (Method->getMinRequiredArguments() == 0 && 2897 AT.matchesType(S.Context, Method->getReturnType())) { 2898 // FIXME: Suggest parens if the expression needs them. 2899 SourceLocation EndLoc = S.getLocForEndOfToken(E->getLocEnd()); 2900 S.Diag(E->getLocStart(), diag::note_printf_c_str) 2901 << "c_str()" 2902 << FixItHint::CreateInsertion(EndLoc, ".c_str()"); 2903 return true; 2904 } 2905 } 2906 2907 return false; 2908} 2909 2910bool 2911CheckPrintfHandler::HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier 2912 &FS, 2913 const char *startSpecifier, 2914 unsigned specifierLen) { 2915 2916 using namespace analyze_format_string; 2917 using namespace analyze_printf; 2918 const PrintfConversionSpecifier &CS = FS.getConversionSpecifier(); 2919 2920 if (FS.consumesDataArgument()) { 2921 if (atFirstArg) { 2922 atFirstArg = false; 2923 usesPositionalArgs = FS.usesPositionalArg(); 2924 } 2925 else if (usesPositionalArgs != FS.usesPositionalArg()) { 2926 HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()), 2927 startSpecifier, specifierLen); 2928 return false; 2929 } 2930 } 2931 2932 // First check if the field width, precision, and conversion specifier 2933 // have matching data arguments. 2934 if (!HandleAmount(FS.getFieldWidth(), /* field width */ 0, 2935 startSpecifier, specifierLen)) { 2936 return false; 2937 } 2938 2939 if (!HandleAmount(FS.getPrecision(), /* precision */ 1, 2940 startSpecifier, specifierLen)) { 2941 return false; 2942 } 2943 2944 if (!CS.consumesDataArgument()) { 2945 // FIXME: Technically specifying a precision or field width here 2946 // makes no sense. Worth issuing a warning at some point. 2947 return true; 2948 } 2949 2950 // Consume the argument. 2951 unsigned argIndex = FS.getArgIndex(); 2952 if (argIndex < NumDataArgs) { 2953 // The check to see if the argIndex is valid will come later. 2954 // We set the bit here because we may exit early from this 2955 // function if we encounter some other error. 2956 CoveredArgs.set(argIndex); 2957 } 2958 2959 // Check for using an Objective-C specific conversion specifier 2960 // in a non-ObjC literal. 2961 if (!ObjCContext && CS.isObjCArg()) { 2962 return HandleInvalidPrintfConversionSpecifier(FS, startSpecifier, 2963 specifierLen); 2964 } 2965 2966 // Check for invalid use of field width 2967 if (!FS.hasValidFieldWidth()) { 2968 HandleInvalidAmount(FS, FS.getFieldWidth(), /* field width */ 0, 2969 startSpecifier, specifierLen); 2970 } 2971 2972 // Check for invalid use of precision 2973 if (!FS.hasValidPrecision()) { 2974 HandleInvalidAmount(FS, FS.getPrecision(), /* precision */ 1, 2975 startSpecifier, specifierLen); 2976 } 2977 2978 // Check each flag does not conflict with any other component. 2979 if (!FS.hasValidThousandsGroupingPrefix()) 2980 HandleFlag(FS, FS.hasThousandsGrouping(), startSpecifier, specifierLen); 2981 if (!FS.hasValidLeadingZeros()) 2982 HandleFlag(FS, FS.hasLeadingZeros(), startSpecifier, specifierLen); 2983 if (!FS.hasValidPlusPrefix()) 2984 HandleFlag(FS, FS.hasPlusPrefix(), startSpecifier, specifierLen); 2985 if (!FS.hasValidSpacePrefix()) 2986 HandleFlag(FS, FS.hasSpacePrefix(), startSpecifier, specifierLen); 2987 if (!FS.hasValidAlternativeForm()) 2988 HandleFlag(FS, FS.hasAlternativeForm(), startSpecifier, specifierLen); 2989 if (!FS.hasValidLeftJustified()) 2990 HandleFlag(FS, FS.isLeftJustified(), startSpecifier, specifierLen); 2991 2992 // Check that flags are not ignored by another flag 2993 if (FS.hasSpacePrefix() && FS.hasPlusPrefix()) // ' ' ignored by '+' 2994 HandleIgnoredFlag(FS, FS.hasSpacePrefix(), FS.hasPlusPrefix(), 2995 startSpecifier, specifierLen); 2996 if (FS.hasLeadingZeros() && FS.isLeftJustified()) // '0' ignored by '-' 2997 HandleIgnoredFlag(FS, FS.hasLeadingZeros(), FS.isLeftJustified(), 2998 startSpecifier, specifierLen); 2999 3000 // Check the length modifier is valid with the given conversion specifier. 3001 if (!FS.hasValidLengthModifier(S.getASTContext().getTargetInfo())) 3002 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, 3003 diag::warn_format_nonsensical_length); 3004 else if (!FS.hasStandardLengthModifier()) 3005 HandleNonStandardLengthModifier(FS, startSpecifier, specifierLen); 3006 else if (!FS.hasStandardLengthConversionCombination()) 3007 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, 3008 diag::warn_format_non_standard_conversion_spec); 3009 3010 if (!FS.hasStandardConversionSpecifier(S.getLangOpts())) 3011 HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen); 3012 3013 // The remaining checks depend on the data arguments. 3014 if (HasVAListArg) 3015 return true; 3016 3017 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex)) 3018 return false; 3019 3020 const Expr *Arg = getDataArg(argIndex); 3021 if (!Arg) 3022 return true; 3023 3024 return checkFormatExpr(FS, startSpecifier, specifierLen, Arg); 3025} 3026 3027static bool requiresParensToAddCast(const Expr *E) { 3028 // FIXME: We should have a general way to reason about operator 3029 // precedence and whether parens are actually needed here. 3030 // Take care of a few common cases where they aren't. 3031 const Expr *Inside = E->IgnoreImpCasts(); 3032 if (const PseudoObjectExpr *POE = dyn_cast<PseudoObjectExpr>(Inside)) 3033 Inside = POE->getSyntacticForm()->IgnoreImpCasts(); 3034 3035 switch (Inside->getStmtClass()) { 3036 case Stmt::ArraySubscriptExprClass: 3037 case Stmt::CallExprClass: 3038 case Stmt::CharacterLiteralClass: 3039 case Stmt::CXXBoolLiteralExprClass: 3040 case Stmt::DeclRefExprClass: 3041 case Stmt::FloatingLiteralClass: 3042 case Stmt::IntegerLiteralClass: 3043 case Stmt::MemberExprClass: 3044 case Stmt::ObjCArrayLiteralClass: 3045 case Stmt::ObjCBoolLiteralExprClass: 3046 case Stmt::ObjCBoxedExprClass: 3047 case Stmt::ObjCDictionaryLiteralClass: 3048 case Stmt::ObjCEncodeExprClass: 3049 case Stmt::ObjCIvarRefExprClass: 3050 case Stmt::ObjCMessageExprClass: 3051 case Stmt::ObjCPropertyRefExprClass: 3052 case Stmt::ObjCStringLiteralClass: 3053 case Stmt::ObjCSubscriptRefExprClass: 3054 case Stmt::ParenExprClass: 3055 case Stmt::StringLiteralClass: 3056 case Stmt::UnaryOperatorClass: 3057 return false; 3058 default: 3059 return true; 3060 } 3061} 3062 3063bool 3064CheckPrintfHandler::checkFormatExpr(const analyze_printf::PrintfSpecifier &FS, 3065 const char *StartSpecifier, 3066 unsigned SpecifierLen, 3067 const Expr *E) { 3068 using namespace analyze_format_string; 3069 using namespace analyze_printf; 3070 // Now type check the data expression that matches the 3071 // format specifier. 3072 const analyze_printf::ArgType &AT = FS.getArgType(S.Context, 3073 ObjCContext); 3074 if (!AT.isValid()) 3075 return true; 3076 3077 QualType ExprTy = E->getType(); 3078 while (const TypeOfExprType *TET = dyn_cast<TypeOfExprType>(ExprTy)) { 3079 ExprTy = TET->getUnderlyingExpr()->getType(); 3080 } 3081 3082 if (AT.matchesType(S.Context, ExprTy)) 3083 return true; 3084 3085 // Look through argument promotions for our error message's reported type. 3086 // This includes the integral and floating promotions, but excludes array 3087 // and function pointer decay; seeing that an argument intended to be a 3088 // string has type 'char [6]' is probably more confusing than 'char *'. 3089 if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) { 3090 if (ICE->getCastKind() == CK_IntegralCast || 3091 ICE->getCastKind() == CK_FloatingCast) { 3092 E = ICE->getSubExpr(); 3093 ExprTy = E->getType(); 3094 3095 // Check if we didn't match because of an implicit cast from a 'char' 3096 // or 'short' to an 'int'. This is done because printf is a varargs 3097 // function. 3098 if (ICE->getType() == S.Context.IntTy || 3099 ICE->getType() == S.Context.UnsignedIntTy) { 3100 // All further checking is done on the subexpression. 3101 if (AT.matchesType(S.Context, ExprTy)) 3102 return true; 3103 } 3104 } 3105 } else if (const CharacterLiteral *CL = dyn_cast<CharacterLiteral>(E)) { 3106 // Special case for 'a', which has type 'int' in C. 3107 // Note, however, that we do /not/ want to treat multibyte constants like 3108 // 'MooV' as characters! This form is deprecated but still exists. 3109 if (ExprTy == S.Context.IntTy) 3110 if (llvm::isUIntN(S.Context.getCharWidth(), CL->getValue())) 3111 ExprTy = S.Context.CharTy; 3112 } 3113 3114 // %C in an Objective-C context prints a unichar, not a wchar_t. 3115 // If the argument is an integer of some kind, believe the %C and suggest 3116 // a cast instead of changing the conversion specifier. 3117 QualType IntendedTy = ExprTy; 3118 if (ObjCContext && 3119 FS.getConversionSpecifier().getKind() == ConversionSpecifier::CArg) { 3120 if (ExprTy->isIntegralOrUnscopedEnumerationType() && 3121 !ExprTy->isCharType()) { 3122 // 'unichar' is defined as a typedef of unsigned short, but we should 3123 // prefer using the typedef if it is visible. 3124 IntendedTy = S.Context.UnsignedShortTy; 3125 3126 // While we are here, check if the value is an IntegerLiteral that happens 3127 // to be within the valid range. 3128 if (const IntegerLiteral *IL = dyn_cast<IntegerLiteral>(E)) { 3129 const llvm::APInt &V = IL->getValue(); 3130 if (V.getActiveBits() <= S.Context.getTypeSize(IntendedTy)) 3131 return true; 3132 } 3133 3134 LookupResult Result(S, &S.Context.Idents.get("unichar"), E->getLocStart(), 3135 Sema::LookupOrdinaryName); 3136 if (S.LookupName(Result, S.getCurScope())) { 3137 NamedDecl *ND = Result.getFoundDecl(); 3138 if (TypedefNameDecl *TD = dyn_cast<TypedefNameDecl>(ND)) 3139 if (TD->getUnderlyingType() == IntendedTy) 3140 IntendedTy = S.Context.getTypedefType(TD); 3141 } 3142 } 3143 } 3144 3145 // Special-case some of Darwin's platform-independence types by suggesting 3146 // casts to primitive types that are known to be large enough. 3147 bool ShouldNotPrintDirectly = false; 3148 if (S.Context.getTargetInfo().getTriple().isOSDarwin()) { 3149 // Use a 'while' to peel off layers of typedefs. 3150 QualType TyTy = IntendedTy; 3151 while (const TypedefType *UserTy = TyTy->getAs<TypedefType>()) { 3152 StringRef Name = UserTy->getDecl()->getName(); 3153 QualType CastTy = llvm::StringSwitch<QualType>(Name) 3154 .Case("NSInteger", S.Context.LongTy) 3155 .Case("NSUInteger", S.Context.UnsignedLongTy) 3156 .Case("SInt32", S.Context.IntTy) 3157 .Case("UInt32", S.Context.UnsignedIntTy) 3158 .Default(QualType()); 3159 3160 if (!CastTy.isNull()) { 3161 ShouldNotPrintDirectly = true; 3162 IntendedTy = CastTy; 3163 break; 3164 } 3165 TyTy = UserTy->desugar(); 3166 } 3167 } 3168 3169 // We may be able to offer a FixItHint if it is a supported type. 3170 PrintfSpecifier fixedFS = FS; 3171 bool success = fixedFS.fixType(IntendedTy, S.getLangOpts(), 3172 S.Context, ObjCContext); 3173 3174 if (success) { 3175 // Get the fix string from the fixed format specifier 3176 SmallString<16> buf; 3177 llvm::raw_svector_ostream os(buf); 3178 fixedFS.toString(os); 3179 3180 CharSourceRange SpecRange = getSpecifierRange(StartSpecifier, SpecifierLen); 3181 3182 if (IntendedTy == ExprTy) { 3183 // In this case, the specifier is wrong and should be changed to match 3184 // the argument. 3185 EmitFormatDiagnostic( 3186 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 3187 << AT.getRepresentativeTypeName(S.Context) << IntendedTy 3188 << E->getSourceRange(), 3189 E->getLocStart(), 3190 /*IsStringLocation*/false, 3191 SpecRange, 3192 FixItHint::CreateReplacement(SpecRange, os.str())); 3193 3194 } else { 3195 // The canonical type for formatting this value is different from the 3196 // actual type of the expression. (This occurs, for example, with Darwin's 3197 // NSInteger on 32-bit platforms, where it is typedef'd as 'int', but 3198 // should be printed as 'long' for 64-bit compatibility.) 3199 // Rather than emitting a normal format/argument mismatch, we want to 3200 // add a cast to the recommended type (and correct the format string 3201 // if necessary). 3202 SmallString<16> CastBuf; 3203 llvm::raw_svector_ostream CastFix(CastBuf); 3204 CastFix << "("; 3205 IntendedTy.print(CastFix, S.Context.getPrintingPolicy()); 3206 CastFix << ")"; 3207 3208 SmallVector<FixItHint,4> Hints; 3209 if (!AT.matchesType(S.Context, IntendedTy)) 3210 Hints.push_back(FixItHint::CreateReplacement(SpecRange, os.str())); 3211 3212 if (const CStyleCastExpr *CCast = dyn_cast<CStyleCastExpr>(E)) { 3213 // If there's already a cast present, just replace it. 3214 SourceRange CastRange(CCast->getLParenLoc(), CCast->getRParenLoc()); 3215 Hints.push_back(FixItHint::CreateReplacement(CastRange, CastFix.str())); 3216 3217 } else if (!requiresParensToAddCast(E)) { 3218 // If the expression has high enough precedence, 3219 // just write the C-style cast. 3220 Hints.push_back(FixItHint::CreateInsertion(E->getLocStart(), 3221 CastFix.str())); 3222 } else { 3223 // Otherwise, add parens around the expression as well as the cast. 3224 CastFix << "("; 3225 Hints.push_back(FixItHint::CreateInsertion(E->getLocStart(), 3226 CastFix.str())); 3227 3228 SourceLocation After = S.getLocForEndOfToken(E->getLocEnd()); 3229 Hints.push_back(FixItHint::CreateInsertion(After, ")")); 3230 } 3231 3232 if (ShouldNotPrintDirectly) { 3233 // The expression has a type that should not be printed directly. 3234 // We extract the name from the typedef because we don't want to show 3235 // the underlying type in the diagnostic. 3236 StringRef Name = cast<TypedefType>(ExprTy)->getDecl()->getName(); 3237 3238 EmitFormatDiagnostic(S.PDiag(diag::warn_format_argument_needs_cast) 3239 << Name << IntendedTy 3240 << E->getSourceRange(), 3241 E->getLocStart(), /*IsStringLocation=*/false, 3242 SpecRange, Hints); 3243 } else { 3244 // In this case, the expression could be printed using a different 3245 // specifier, but we've decided that the specifier is probably correct 3246 // and we should cast instead. Just use the normal warning message. 3247 EmitFormatDiagnostic( 3248 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 3249 << AT.getRepresentativeTypeName(S.Context) << ExprTy 3250 << E->getSourceRange(), 3251 E->getLocStart(), /*IsStringLocation*/false, 3252 SpecRange, Hints); 3253 } 3254 } 3255 } else { 3256 const CharSourceRange &CSR = getSpecifierRange(StartSpecifier, 3257 SpecifierLen); 3258 // Since the warning for passing non-POD types to variadic functions 3259 // was deferred until now, we emit a warning for non-POD 3260 // arguments here. 3261 switch (S.isValidVarArgType(ExprTy)) { 3262 case Sema::VAK_Valid: 3263 case Sema::VAK_ValidInCXX11: 3264 EmitFormatDiagnostic( 3265 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 3266 << AT.getRepresentativeTypeName(S.Context) << ExprTy 3267 << CSR 3268 << E->getSourceRange(), 3269 E->getLocStart(), /*IsStringLocation*/false, CSR); 3270 break; 3271 3272 case Sema::VAK_Undefined: 3273 EmitFormatDiagnostic( 3274 S.PDiag(diag::warn_non_pod_vararg_with_format_string) 3275 << S.getLangOpts().CPlusPlus11 3276 << ExprTy 3277 << CallType 3278 << AT.getRepresentativeTypeName(S.Context) 3279 << CSR 3280 << E->getSourceRange(), 3281 E->getLocStart(), /*IsStringLocation*/false, CSR); 3282 checkForCStrMembers(AT, E); 3283 break; 3284 3285 case Sema::VAK_Invalid: 3286 if (ExprTy->isObjCObjectType()) 3287 EmitFormatDiagnostic( 3288 S.PDiag(diag::err_cannot_pass_objc_interface_to_vararg_format) 3289 << S.getLangOpts().CPlusPlus11 3290 << ExprTy 3291 << CallType 3292 << AT.getRepresentativeTypeName(S.Context) 3293 << CSR 3294 << E->getSourceRange(), 3295 E->getLocStart(), /*IsStringLocation*/false, CSR); 3296 else 3297 // FIXME: If this is an initializer list, suggest removing the braces 3298 // or inserting a cast to the target type. 3299 S.Diag(E->getLocStart(), diag::err_cannot_pass_to_vararg_format) 3300 << isa<InitListExpr>(E) << ExprTy << CallType 3301 << AT.getRepresentativeTypeName(S.Context) 3302 << E->getSourceRange(); 3303 break; 3304 } 3305 3306 assert(FirstDataArg + FS.getArgIndex() < CheckedVarArgs.size() && 3307 "format string specifier index out of range"); 3308 CheckedVarArgs[FirstDataArg + FS.getArgIndex()] = true; 3309 } 3310 3311 return true; 3312} 3313 3314//===--- CHECK: Scanf format string checking ------------------------------===// 3315 3316namespace { 3317class CheckScanfHandler : public CheckFormatHandler { 3318public: 3319 CheckScanfHandler(Sema &s, const StringLiteral *fexpr, 3320 const Expr *origFormatExpr, unsigned firstDataArg, 3321 unsigned numDataArgs, const char *beg, bool hasVAListArg, 3322 ArrayRef<const Expr *> Args, 3323 unsigned formatIdx, bool inFunctionCall, 3324 Sema::VariadicCallType CallType, 3325 llvm::SmallBitVector &CheckedVarArgs) 3326 : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg, 3327 numDataArgs, beg, hasVAListArg, 3328 Args, formatIdx, inFunctionCall, CallType, 3329 CheckedVarArgs) 3330 {} 3331 3332 bool HandleScanfSpecifier(const analyze_scanf::ScanfSpecifier &FS, 3333 const char *startSpecifier, 3334 unsigned specifierLen) override; 3335 3336 bool HandleInvalidScanfConversionSpecifier( 3337 const analyze_scanf::ScanfSpecifier &FS, 3338 const char *startSpecifier, 3339 unsigned specifierLen) override; 3340 3341 void HandleIncompleteScanList(const char *start, const char *end) override; 3342}; 3343} 3344 3345void CheckScanfHandler::HandleIncompleteScanList(const char *start, 3346 const char *end) { 3347 EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_scanlist_incomplete), 3348 getLocationOfByte(end), /*IsStringLocation*/true, 3349 getSpecifierRange(start, end - start)); 3350} 3351 3352bool CheckScanfHandler::HandleInvalidScanfConversionSpecifier( 3353 const analyze_scanf::ScanfSpecifier &FS, 3354 const char *startSpecifier, 3355 unsigned specifierLen) { 3356 3357 const analyze_scanf::ScanfConversionSpecifier &CS = 3358 FS.getConversionSpecifier(); 3359 3360 return HandleInvalidConversionSpecifier(FS.getArgIndex(), 3361 getLocationOfByte(CS.getStart()), 3362 startSpecifier, specifierLen, 3363 CS.getStart(), CS.getLength()); 3364} 3365 3366bool CheckScanfHandler::HandleScanfSpecifier( 3367 const analyze_scanf::ScanfSpecifier &FS, 3368 const char *startSpecifier, 3369 unsigned specifierLen) { 3370 3371 using namespace analyze_scanf; 3372 using namespace analyze_format_string; 3373 3374 const ScanfConversionSpecifier &CS = FS.getConversionSpecifier(); 3375 3376 // Handle case where '%' and '*' don't consume an argument. These shouldn't 3377 // be used to decide if we are using positional arguments consistently. 3378 if (FS.consumesDataArgument()) { 3379 if (atFirstArg) { 3380 atFirstArg = false; 3381 usesPositionalArgs = FS.usesPositionalArg(); 3382 } 3383 else if (usesPositionalArgs != FS.usesPositionalArg()) { 3384 HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()), 3385 startSpecifier, specifierLen); 3386 return false; 3387 } 3388 } 3389 3390 // Check if the field with is non-zero. 3391 const OptionalAmount &Amt = FS.getFieldWidth(); 3392 if (Amt.getHowSpecified() == OptionalAmount::Constant) { 3393 if (Amt.getConstantAmount() == 0) { 3394 const CharSourceRange &R = getSpecifierRange(Amt.getStart(), 3395 Amt.getConstantLength()); 3396 EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_nonzero_width), 3397 getLocationOfByte(Amt.getStart()), 3398 /*IsStringLocation*/true, R, 3399 FixItHint::CreateRemoval(R)); 3400 } 3401 } 3402 3403 if (!FS.consumesDataArgument()) { 3404 // FIXME: Technically specifying a precision or field width here 3405 // makes no sense. Worth issuing a warning at some point. 3406 return true; 3407 } 3408 3409 // Consume the argument. 3410 unsigned argIndex = FS.getArgIndex(); 3411 if (argIndex < NumDataArgs) { 3412 // The check to see if the argIndex is valid will come later. 3413 // We set the bit here because we may exit early from this 3414 // function if we encounter some other error. 3415 CoveredArgs.set(argIndex); 3416 } 3417 3418 // Check the length modifier is valid with the given conversion specifier. 3419 if (!FS.hasValidLengthModifier(S.getASTContext().getTargetInfo())) 3420 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, 3421 diag::warn_format_nonsensical_length); 3422 else if (!FS.hasStandardLengthModifier()) 3423 HandleNonStandardLengthModifier(FS, startSpecifier, specifierLen); 3424 else if (!FS.hasStandardLengthConversionCombination()) 3425 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, 3426 diag::warn_format_non_standard_conversion_spec); 3427 3428 if (!FS.hasStandardConversionSpecifier(S.getLangOpts())) 3429 HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen); 3430 3431 // The remaining checks depend on the data arguments. 3432 if (HasVAListArg) 3433 return true; 3434 3435 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex)) 3436 return false; 3437 3438 // Check that the argument type matches the format specifier. 3439 const Expr *Ex = getDataArg(argIndex); 3440 if (!Ex) 3441 return true; 3442 3443 const analyze_format_string::ArgType &AT = FS.getArgType(S.Context); 3444 if (AT.isValid() && !AT.matchesType(S.Context, Ex->getType())) { 3445 ScanfSpecifier fixedFS = FS; 3446 bool success = fixedFS.fixType(Ex->getType(), 3447 Ex->IgnoreImpCasts()->getType(), 3448 S.getLangOpts(), S.Context); 3449 3450 if (success) { 3451 // Get the fix string from the fixed format specifier. 3452 SmallString<128> buf; 3453 llvm::raw_svector_ostream os(buf); 3454 fixedFS.toString(os); 3455 3456 EmitFormatDiagnostic( 3457 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 3458 << AT.getRepresentativeTypeName(S.Context) << Ex->getType() 3459 << Ex->getSourceRange(), 3460 Ex->getLocStart(), 3461 /*IsStringLocation*/false, 3462 getSpecifierRange(startSpecifier, specifierLen), 3463 FixItHint::CreateReplacement( 3464 getSpecifierRange(startSpecifier, specifierLen), 3465 os.str())); 3466 } else { 3467 EmitFormatDiagnostic( 3468 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 3469 << AT.getRepresentativeTypeName(S.Context) << Ex->getType() 3470 << Ex->getSourceRange(), 3471 Ex->getLocStart(), 3472 /*IsStringLocation*/false, 3473 getSpecifierRange(startSpecifier, specifierLen)); 3474 } 3475 } 3476 3477 return true; 3478} 3479 3480void Sema::CheckFormatString(const StringLiteral *FExpr, 3481 const Expr *OrigFormatExpr, 3482 ArrayRef<const Expr *> Args, 3483 bool HasVAListArg, unsigned format_idx, 3484 unsigned firstDataArg, FormatStringType Type, 3485 bool inFunctionCall, VariadicCallType CallType, 3486 llvm::SmallBitVector &CheckedVarArgs) { 3487 3488 // CHECK: is the format string a wide literal? 3489 if (!FExpr->isAscii() && !FExpr->isUTF8()) { 3490 CheckFormatHandler::EmitFormatDiagnostic( 3491 *this, inFunctionCall, Args[format_idx], 3492 PDiag(diag::warn_format_string_is_wide_literal), FExpr->getLocStart(), 3493 /*IsStringLocation*/true, OrigFormatExpr->getSourceRange()); 3494 return; 3495 } 3496 3497 // Str - The format string. NOTE: this is NOT null-terminated! 3498 StringRef StrRef = FExpr->getString(); 3499 const char *Str = StrRef.data(); 3500 // Account for cases where the string literal is truncated in a declaration. 3501 const ConstantArrayType *T = Context.getAsConstantArrayType(FExpr->getType()); 3502 assert(T && "String literal not of constant array type!"); 3503 size_t TypeSize = T->getSize().getZExtValue(); 3504 size_t StrLen = std::min(std::max(TypeSize, size_t(1)) - 1, StrRef.size()); 3505 const unsigned numDataArgs = Args.size() - firstDataArg; 3506 3507 // Emit a warning if the string literal is truncated and does not contain an 3508 // embedded null character. 3509 if (TypeSize <= StrRef.size() && 3510 StrRef.substr(0, TypeSize).find('\0') == StringRef::npos) { 3511 CheckFormatHandler::EmitFormatDiagnostic( 3512 *this, inFunctionCall, Args[format_idx], 3513 PDiag(diag::warn_printf_format_string_not_null_terminated), 3514 FExpr->getLocStart(), 3515 /*IsStringLocation=*/true, OrigFormatExpr->getSourceRange()); 3516 return; 3517 } 3518 3519 // CHECK: empty format string? 3520 if (StrLen == 0 && numDataArgs > 0) { 3521 CheckFormatHandler::EmitFormatDiagnostic( 3522 *this, inFunctionCall, Args[format_idx], 3523 PDiag(diag::warn_empty_format_string), FExpr->getLocStart(), 3524 /*IsStringLocation*/true, OrigFormatExpr->getSourceRange()); 3525 return; 3526 } 3527 3528 if (Type == FST_Printf || Type == FST_NSString) { 3529 CheckPrintfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, 3530 numDataArgs, (Type == FST_NSString), 3531 Str, HasVAListArg, Args, format_idx, 3532 inFunctionCall, CallType, CheckedVarArgs); 3533 3534 if (!analyze_format_string::ParsePrintfString(H, Str, Str + StrLen, 3535 getLangOpts(), 3536 Context.getTargetInfo())) 3537 H.DoneProcessing(); 3538 } else if (Type == FST_Scanf) { 3539 CheckScanfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, numDataArgs, 3540 Str, HasVAListArg, Args, format_idx, 3541 inFunctionCall, CallType, CheckedVarArgs); 3542 3543 if (!analyze_format_string::ParseScanfString(H, Str, Str + StrLen, 3544 getLangOpts(), 3545 Context.getTargetInfo())) 3546 H.DoneProcessing(); 3547 } // TODO: handle other formats 3548} 3549 3550//===--- CHECK: Warn on use of wrong absolute value function. -------------===// 3551 3552// Returns the related absolute value function that is larger, of 0 if one 3553// does not exist. 3554static unsigned getLargerAbsoluteValueFunction(unsigned AbsFunction) { 3555 switch (AbsFunction) { 3556 default: 3557 return 0; 3558 3559 case Builtin::BI__builtin_abs: 3560 return Builtin::BI__builtin_labs; 3561 case Builtin::BI__builtin_labs: 3562 return Builtin::BI__builtin_llabs; 3563 case Builtin::BI__builtin_llabs: 3564 return 0; 3565 3566 case Builtin::BI__builtin_fabsf: 3567 return Builtin::BI__builtin_fabs; 3568 case Builtin::BI__builtin_fabs: 3569 return Builtin::BI__builtin_fabsl; 3570 case Builtin::BI__builtin_fabsl: 3571 return 0; 3572 3573 case Builtin::BI__builtin_cabsf: 3574 return Builtin::BI__builtin_cabs; 3575 case Builtin::BI__builtin_cabs: 3576 return Builtin::BI__builtin_cabsl; 3577 case Builtin::BI__builtin_cabsl: 3578 return 0; 3579 3580 case Builtin::BIabs: 3581 return Builtin::BIlabs; 3582 case Builtin::BIlabs: 3583 return Builtin::BIllabs; 3584 case Builtin::BIllabs: 3585 return 0; 3586 3587 case Builtin::BIfabsf: 3588 return Builtin::BIfabs; 3589 case Builtin::BIfabs: 3590 return Builtin::BIfabsl; 3591 case Builtin::BIfabsl: 3592 return 0; 3593 3594 case Builtin::BIcabsf: 3595 return Builtin::BIcabs; 3596 case Builtin::BIcabs: 3597 return Builtin::BIcabsl; 3598 case Builtin::BIcabsl: 3599 return 0; 3600 } 3601} 3602 3603// Returns the argument type of the absolute value function. 3604static QualType getAbsoluteValueArgumentType(ASTContext &Context, 3605 unsigned AbsType) { 3606 if (AbsType == 0) 3607 return QualType(); 3608 3609 ASTContext::GetBuiltinTypeError Error = ASTContext::GE_None; 3610 QualType BuiltinType = Context.GetBuiltinType(AbsType, Error); 3611 if (Error != ASTContext::GE_None) 3612 return QualType(); 3613 3614 const FunctionProtoType *FT = BuiltinType->getAs<FunctionProtoType>(); 3615 if (!FT) 3616 return QualType(); 3617 3618 if (FT->getNumParams() != 1) 3619 return QualType(); 3620 3621 return FT->getParamType(0); 3622} 3623 3624// Returns the best absolute value function, or zero, based on type and 3625// current absolute value function. 3626static unsigned getBestAbsFunction(ASTContext &Context, QualType ArgType, 3627 unsigned AbsFunctionKind) { 3628 unsigned BestKind = 0; 3629 uint64_t ArgSize = Context.getTypeSize(ArgType); 3630 for (unsigned Kind = AbsFunctionKind; Kind != 0; 3631 Kind = getLargerAbsoluteValueFunction(Kind)) { 3632 QualType ParamType = getAbsoluteValueArgumentType(Context, Kind); 3633 if (Context.getTypeSize(ParamType) >= ArgSize) { 3634 if (BestKind == 0) 3635 BestKind = Kind; 3636 else if (Context.hasSameType(ParamType, ArgType)) { 3637 BestKind = Kind; 3638 break; 3639 } 3640 } 3641 } 3642 return BestKind; 3643} 3644 3645enum AbsoluteValueKind { 3646 AVK_Integer, 3647 AVK_Floating, 3648 AVK_Complex 3649}; 3650 3651static AbsoluteValueKind getAbsoluteValueKind(QualType T) { 3652 if (T->isIntegralOrEnumerationType()) 3653 return AVK_Integer; 3654 if (T->isRealFloatingType()) 3655 return AVK_Floating; 3656 if (T->isAnyComplexType()) 3657 return AVK_Complex; 3658 3659 llvm_unreachable("Type not integer, floating, or complex"); 3660} 3661 3662// Changes the absolute value function to a different type. Preserves whether 3663// the function is a builtin. 3664static unsigned changeAbsFunction(unsigned AbsKind, 3665 AbsoluteValueKind ValueKind) { 3666 switch (ValueKind) { 3667 case AVK_Integer: 3668 switch (AbsKind) { 3669 default: 3670 return 0; 3671 case Builtin::BI__builtin_fabsf: 3672 case Builtin::BI__builtin_fabs: 3673 case Builtin::BI__builtin_fabsl: 3674 case Builtin::BI__builtin_cabsf: 3675 case Builtin::BI__builtin_cabs: 3676 case Builtin::BI__builtin_cabsl: 3677 return Builtin::BI__builtin_abs; 3678 case Builtin::BIfabsf: 3679 case Builtin::BIfabs: 3680 case Builtin::BIfabsl: 3681 case Builtin::BIcabsf: 3682 case Builtin::BIcabs: 3683 case Builtin::BIcabsl: 3684 return Builtin::BIabs; 3685 } 3686 case AVK_Floating: 3687 switch (AbsKind) { 3688 default: 3689 return 0; 3690 case Builtin::BI__builtin_abs: 3691 case Builtin::BI__builtin_labs: 3692 case Builtin::BI__builtin_llabs: 3693 case Builtin::BI__builtin_cabsf: 3694 case Builtin::BI__builtin_cabs: 3695 case Builtin::BI__builtin_cabsl: 3696 return Builtin::BI__builtin_fabsf; 3697 case Builtin::BIabs: 3698 case Builtin::BIlabs: 3699 case Builtin::BIllabs: 3700 case Builtin::BIcabsf: 3701 case Builtin::BIcabs: 3702 case Builtin::BIcabsl: 3703 return Builtin::BIfabsf; 3704 } 3705 case AVK_Complex: 3706 switch (AbsKind) { 3707 default: 3708 return 0; 3709 case Builtin::BI__builtin_abs: 3710 case Builtin::BI__builtin_labs: 3711 case Builtin::BI__builtin_llabs: 3712 case Builtin::BI__builtin_fabsf: 3713 case Builtin::BI__builtin_fabs: 3714 case Builtin::BI__builtin_fabsl: 3715 return Builtin::BI__builtin_cabsf; 3716 case Builtin::BIabs: 3717 case Builtin::BIlabs: 3718 case Builtin::BIllabs: 3719 case Builtin::BIfabsf: 3720 case Builtin::BIfabs: 3721 case Builtin::BIfabsl: 3722 return Builtin::BIcabsf; 3723 } 3724 } 3725 llvm_unreachable("Unable to convert function"); 3726} 3727 3728static unsigned getAbsoluteValueFunctionKind(const FunctionDecl *FDecl) { 3729 const IdentifierInfo *FnInfo = FDecl->getIdentifier(); 3730 if (!FnInfo) 3731 return 0; 3732 3733 switch (FDecl->getBuiltinID()) { 3734 default: 3735 return 0; 3736 case Builtin::BI__builtin_abs: 3737 case Builtin::BI__builtin_fabs: 3738 case Builtin::BI__builtin_fabsf: 3739 case Builtin::BI__builtin_fabsl: 3740 case Builtin::BI__builtin_labs: 3741 case Builtin::BI__builtin_llabs: 3742 case Builtin::BI__builtin_cabs: 3743 case Builtin::BI__builtin_cabsf: 3744 case Builtin::BI__builtin_cabsl: 3745 case Builtin::BIabs: 3746 case Builtin::BIlabs: 3747 case Builtin::BIllabs: 3748 case Builtin::BIfabs: 3749 case Builtin::BIfabsf: 3750 case Builtin::BIfabsl: 3751 case Builtin::BIcabs: 3752 case Builtin::BIcabsf: 3753 case Builtin::BIcabsl: 3754 return FDecl->getBuiltinID(); 3755 } 3756 llvm_unreachable("Unknown Builtin type"); 3757} 3758 3759// If the replacement is valid, emit a note with replacement function. 3760// Additionally, suggest including the proper header if not already included. 3761static void emitReplacement(Sema &S, SourceLocation Loc, SourceRange Range, 3762 unsigned AbsKind, QualType ArgType) { 3763 bool EmitHeaderHint = true; 3764 const char *HeaderName = nullptr; 3765 const char *FunctionName = nullptr; 3766 if (S.getLangOpts().CPlusPlus && !ArgType->isAnyComplexType()) { 3767 FunctionName = "std::abs"; 3768 if (ArgType->isIntegralOrEnumerationType()) { 3769 HeaderName = "cstdlib"; 3770 } else if (ArgType->isRealFloatingType()) { 3771 HeaderName = "cmath"; 3772 } else { 3773 llvm_unreachable("Invalid Type"); 3774 } 3775 3776 // Lookup all std::abs 3777 if (NamespaceDecl *Std = S.getStdNamespace()) { 3778 LookupResult R(S, &S.Context.Idents.get("abs"), Loc, Sema::LookupAnyName); 3779 R.suppressDiagnostics(); 3780 S.LookupQualifiedName(R, Std); 3781 3782 for (const auto *I : R) { 3783 const FunctionDecl *FDecl = nullptr; 3784 if (const UsingShadowDecl *UsingD = dyn_cast<UsingShadowDecl>(I)) { 3785 FDecl = dyn_cast<FunctionDecl>(UsingD->getTargetDecl()); 3786 } else { 3787 FDecl = dyn_cast<FunctionDecl>(I); 3788 } 3789 if (!FDecl) 3790 continue; 3791 3792 // Found std::abs(), check that they are the right ones. 3793 if (FDecl->getNumParams() != 1) 3794 continue; 3795 3796 // Check that the parameter type can handle the argument. 3797 QualType ParamType = FDecl->getParamDecl(0)->getType(); 3798 if (getAbsoluteValueKind(ArgType) == getAbsoluteValueKind(ParamType) && 3799 S.Context.getTypeSize(ArgType) <= 3800 S.Context.getTypeSize(ParamType)) { 3801 // Found a function, don't need the header hint. 3802 EmitHeaderHint = false; 3803 break; 3804 } 3805 } 3806 } 3807 } else { 3808 FunctionName = S.Context.BuiltinInfo.GetName(AbsKind); 3809 HeaderName = S.Context.BuiltinInfo.getHeaderName(AbsKind); 3810 3811 if (HeaderName) { 3812 DeclarationName DN(&S.Context.Idents.get(FunctionName)); 3813 LookupResult R(S, DN, Loc, Sema::LookupAnyName); 3814 R.suppressDiagnostics(); 3815 S.LookupName(R, S.getCurScope()); 3816 3817 if (R.isSingleResult()) { 3818 FunctionDecl *FD = dyn_cast<FunctionDecl>(R.getFoundDecl()); 3819 if (FD && FD->getBuiltinID() == AbsKind) { 3820 EmitHeaderHint = false; 3821 } else { 3822 return; 3823 } 3824 } else if (!R.empty()) { 3825 return; 3826 } 3827 } 3828 } 3829 3830 S.Diag(Loc, diag::note_replace_abs_function) 3831 << FunctionName << FixItHint::CreateReplacement(Range, FunctionName); 3832 3833 if (!HeaderName) 3834 return; 3835 3836 if (!EmitHeaderHint) 3837 return; 3838 3839 S.Diag(Loc, diag::note_please_include_header) << HeaderName << FunctionName; 3840} 3841 3842static bool IsFunctionStdAbs(const FunctionDecl *FDecl) { 3843 if (!FDecl) 3844 return false; 3845 3846 if (!FDecl->getIdentifier() || !FDecl->getIdentifier()->isStr("abs")) 3847 return false; 3848 3849 const NamespaceDecl *ND = dyn_cast<NamespaceDecl>(FDecl->getDeclContext()); 3850 3851 while (ND && ND->isInlineNamespace()) { 3852 ND = dyn_cast<NamespaceDecl>(ND->getDeclContext()); 3853 } 3854 3855 if (!ND || !ND->getIdentifier() || !ND->getIdentifier()->isStr("std")) 3856 return false; 3857 3858 if (!isa<TranslationUnitDecl>(ND->getDeclContext())) 3859 return false; 3860 3861 return true; 3862} 3863 3864// Warn when using the wrong abs() function. 3865void Sema::CheckAbsoluteValueFunction(const CallExpr *Call, 3866 const FunctionDecl *FDecl, 3867 IdentifierInfo *FnInfo) { 3868 if (Call->getNumArgs() != 1) 3869 return; 3870 3871 unsigned AbsKind = getAbsoluteValueFunctionKind(FDecl); 3872 bool IsStdAbs = IsFunctionStdAbs(FDecl); 3873 if (AbsKind == 0 && !IsStdAbs) 3874 return; 3875 3876 QualType ArgType = Call->getArg(0)->IgnoreParenImpCasts()->getType(); 3877 QualType ParamType = Call->getArg(0)->getType(); 3878 3879 // Unsigned types can not be negative. Suggest to drop the absolute value 3880 // function. 3881 if (ArgType->isUnsignedIntegerType()) { 3882 const char *FunctionName = 3883 IsStdAbs ? "std::abs" : Context.BuiltinInfo.GetName(AbsKind); 3884 Diag(Call->getExprLoc(), diag::warn_unsigned_abs) << ArgType << ParamType; 3885 Diag(Call->getExprLoc(), diag::note_remove_abs) 3886 << FunctionName 3887 << FixItHint::CreateRemoval(Call->getCallee()->getSourceRange()); 3888 return; 3889 } 3890 3891 // std::abs has overloads which prevent most of the absolute value problems 3892 // from occurring. 3893 if (IsStdAbs) 3894 return; 3895 3896 AbsoluteValueKind ArgValueKind = getAbsoluteValueKind(ArgType); 3897 AbsoluteValueKind ParamValueKind = getAbsoluteValueKind(ParamType); 3898 3899 // The argument and parameter are the same kind. Check if they are the right 3900 // size. 3901 if (ArgValueKind == ParamValueKind) { 3902 if (Context.getTypeSize(ArgType) <= Context.getTypeSize(ParamType)) 3903 return; 3904 3905 unsigned NewAbsKind = getBestAbsFunction(Context, ArgType, AbsKind); 3906 Diag(Call->getExprLoc(), diag::warn_abs_too_small) 3907 << FDecl << ArgType << ParamType; 3908 3909 if (NewAbsKind == 0) 3910 return; 3911 3912 emitReplacement(*this, Call->getExprLoc(), 3913 Call->getCallee()->getSourceRange(), NewAbsKind, ArgType); 3914 return; 3915 } 3916 3917 // ArgValueKind != ParamValueKind 3918 // The wrong type of absolute value function was used. Attempt to find the 3919 // proper one. 3920 unsigned NewAbsKind = changeAbsFunction(AbsKind, ArgValueKind); 3921 NewAbsKind = getBestAbsFunction(Context, ArgType, NewAbsKind); 3922 if (NewAbsKind == 0) 3923 return; 3924 3925 Diag(Call->getExprLoc(), diag::warn_wrong_absolute_value_type) 3926 << FDecl << ParamValueKind << ArgValueKind; 3927 3928 emitReplacement(*this, Call->getExprLoc(), 3929 Call->getCallee()->getSourceRange(), NewAbsKind, ArgType); 3930 return; 3931} 3932 3933//===--- CHECK: Standard memory functions ---------------------------------===// 3934 3935/// \brief Takes the expression passed to the size_t parameter of functions 3936/// such as memcmp, strncat, etc and warns if it's a comparison. 3937/// 3938/// This is to catch typos like `if (memcmp(&a, &b, sizeof(a) > 0))`. 3939static bool CheckMemorySizeofForComparison(Sema &S, const Expr *E, 3940 IdentifierInfo *FnName, 3941 SourceLocation FnLoc, 3942 SourceLocation RParenLoc) { 3943 const BinaryOperator *Size = dyn_cast<BinaryOperator>(E); 3944 if (!Size) 3945 return false; 3946 3947 // if E is binop and op is >, <, >=, <=, ==, &&, ||: 3948 if (!Size->isComparisonOp() && !Size->isEqualityOp() && !Size->isLogicalOp()) 3949 return false; 3950 3951 SourceRange SizeRange = Size->getSourceRange(); 3952 S.Diag(Size->getOperatorLoc(), diag::warn_memsize_comparison) 3953 << SizeRange << FnName; 3954 S.Diag(FnLoc, diag::note_memsize_comparison_paren) 3955 << FnName << FixItHint::CreateInsertion( 3956 S.getLocForEndOfToken(Size->getLHS()->getLocEnd()), ")") 3957 << FixItHint::CreateRemoval(RParenLoc); 3958 S.Diag(SizeRange.getBegin(), diag::note_memsize_comparison_cast_silence) 3959 << FixItHint::CreateInsertion(SizeRange.getBegin(), "(size_t)(") 3960 << FixItHint::CreateInsertion(S.getLocForEndOfToken(SizeRange.getEnd()), 3961 ")"); 3962 3963 return true; 3964} 3965 3966/// \brief Determine whether the given type is a dynamic class type (e.g., 3967/// whether it has a vtable). 3968static bool isDynamicClassType(QualType T) { 3969 if (CXXRecordDecl *Record = T->getAsCXXRecordDecl()) 3970 if (CXXRecordDecl *Definition = Record->getDefinition()) 3971 if (Definition->isDynamicClass()) 3972 return true; 3973 3974 return false; 3975} 3976 3977/// \brief If E is a sizeof expression, returns its argument expression, 3978/// otherwise returns NULL. 3979static const Expr *getSizeOfExprArg(const Expr* E) { 3980 if (const UnaryExprOrTypeTraitExpr *SizeOf = 3981 dyn_cast<UnaryExprOrTypeTraitExpr>(E)) 3982 if (SizeOf->getKind() == clang::UETT_SizeOf && !SizeOf->isArgumentType()) 3983 return SizeOf->getArgumentExpr()->IgnoreParenImpCasts(); 3984 3985 return nullptr; 3986} 3987 3988/// \brief If E is a sizeof expression, returns its argument type. 3989static QualType getSizeOfArgType(const Expr* E) { 3990 if (const UnaryExprOrTypeTraitExpr *SizeOf = 3991 dyn_cast<UnaryExprOrTypeTraitExpr>(E)) 3992 if (SizeOf->getKind() == clang::UETT_SizeOf) 3993 return SizeOf->getTypeOfArgument(); 3994 3995 return QualType(); 3996} 3997 3998/// \brief Check for dangerous or invalid arguments to memset(). 3999/// 4000/// This issues warnings on known problematic, dangerous or unspecified 4001/// arguments to the standard 'memset', 'memcpy', 'memmove', and 'memcmp' 4002/// function calls. 4003/// 4004/// \param Call The call expression to diagnose. 4005void Sema::CheckMemaccessArguments(const CallExpr *Call, 4006 unsigned BId, 4007 IdentifierInfo *FnName) { 4008 assert(BId != 0); 4009 4010 // It is possible to have a non-standard definition of memset. Validate 4011 // we have enough arguments, and if not, abort further checking. 4012 unsigned ExpectedNumArgs = (BId == Builtin::BIstrndup ? 2 : 3); 4013 if (Call->getNumArgs() < ExpectedNumArgs) 4014 return; 4015 4016 unsigned LastArg = (BId == Builtin::BImemset || 4017 BId == Builtin::BIstrndup ? 1 : 2); 4018 unsigned LenArg = (BId == Builtin::BIstrndup ? 1 : 2); 4019 const Expr *LenExpr = Call->getArg(LenArg)->IgnoreParenImpCasts(); 4020 4021 if (CheckMemorySizeofForComparison(*this, LenExpr, FnName, 4022 Call->getLocStart(), Call->getRParenLoc())) 4023 return; 4024 4025 // We have special checking when the length is a sizeof expression. 4026 QualType SizeOfArgTy = getSizeOfArgType(LenExpr); 4027 const Expr *SizeOfArg = getSizeOfExprArg(LenExpr); 4028 llvm::FoldingSetNodeID SizeOfArgID; 4029 4030 for (unsigned ArgIdx = 0; ArgIdx != LastArg; ++ArgIdx) { 4031 const Expr *Dest = Call->getArg(ArgIdx)->IgnoreParenImpCasts(); 4032 SourceRange ArgRange = Call->getArg(ArgIdx)->getSourceRange(); 4033 4034 QualType DestTy = Dest->getType(); 4035 if (const PointerType *DestPtrTy = DestTy->getAs<PointerType>()) { 4036 QualType PointeeTy = DestPtrTy->getPointeeType(); 4037 4038 // Never warn about void type pointers. This can be used to suppress 4039 // false positives. 4040 if (PointeeTy->isVoidType()) 4041 continue; 4042 4043 // Catch "memset(p, 0, sizeof(p))" -- needs to be sizeof(*p). Do this by 4044 // actually comparing the expressions for equality. Because computing the 4045 // expression IDs can be expensive, we only do this if the diagnostic is 4046 // enabled. 4047 if (SizeOfArg && 4048 Diags.getDiagnosticLevel(diag::warn_sizeof_pointer_expr_memaccess, 4049 SizeOfArg->getExprLoc())) { 4050 // We only compute IDs for expressions if the warning is enabled, and 4051 // cache the sizeof arg's ID. 4052 if (SizeOfArgID == llvm::FoldingSetNodeID()) 4053 SizeOfArg->Profile(SizeOfArgID, Context, true); 4054 llvm::FoldingSetNodeID DestID; 4055 Dest->Profile(DestID, Context, true); 4056 if (DestID == SizeOfArgID) { 4057 // TODO: For strncpy() and friends, this could suggest sizeof(dst) 4058 // over sizeof(src) as well. 4059 unsigned ActionIdx = 0; // Default is to suggest dereferencing. 4060 StringRef ReadableName = FnName->getName(); 4061 4062 if (const UnaryOperator *UnaryOp = dyn_cast<UnaryOperator>(Dest)) 4063 if (UnaryOp->getOpcode() == UO_AddrOf) 4064 ActionIdx = 1; // If its an address-of operator, just remove it. 4065 if (!PointeeTy->isIncompleteType() && 4066 (Context.getTypeSize(PointeeTy) == Context.getCharWidth())) 4067 ActionIdx = 2; // If the pointee's size is sizeof(char), 4068 // suggest an explicit length. 4069 4070 // If the function is defined as a builtin macro, do not show macro 4071 // expansion. 4072 SourceLocation SL = SizeOfArg->getExprLoc(); 4073 SourceRange DSR = Dest->getSourceRange(); 4074 SourceRange SSR = SizeOfArg->getSourceRange(); 4075 SourceManager &SM = getSourceManager(); 4076 4077 if (SM.isMacroArgExpansion(SL)) { 4078 ReadableName = Lexer::getImmediateMacroName(SL, SM, LangOpts); 4079 SL = SM.getSpellingLoc(SL); 4080 DSR = SourceRange(SM.getSpellingLoc(DSR.getBegin()), 4081 SM.getSpellingLoc(DSR.getEnd())); 4082 SSR = SourceRange(SM.getSpellingLoc(SSR.getBegin()), 4083 SM.getSpellingLoc(SSR.getEnd())); 4084 } 4085 4086 DiagRuntimeBehavior(SL, SizeOfArg, 4087 PDiag(diag::warn_sizeof_pointer_expr_memaccess) 4088 << ReadableName 4089 << PointeeTy 4090 << DestTy 4091 << DSR 4092 << SSR); 4093 DiagRuntimeBehavior(SL, SizeOfArg, 4094 PDiag(diag::warn_sizeof_pointer_expr_memaccess_note) 4095 << ActionIdx 4096 << SSR); 4097 4098 break; 4099 } 4100 } 4101 4102 // Also check for cases where the sizeof argument is the exact same 4103 // type as the memory argument, and where it points to a user-defined 4104 // record type. 4105 if (SizeOfArgTy != QualType()) { 4106 if (PointeeTy->isRecordType() && 4107 Context.typesAreCompatible(SizeOfArgTy, DestTy)) { 4108 DiagRuntimeBehavior(LenExpr->getExprLoc(), Dest, 4109 PDiag(diag::warn_sizeof_pointer_type_memaccess) 4110 << FnName << SizeOfArgTy << ArgIdx 4111 << PointeeTy << Dest->getSourceRange() 4112 << LenExpr->getSourceRange()); 4113 break; 4114 } 4115 } 4116 4117 // Always complain about dynamic classes. 4118 if (isDynamicClassType(PointeeTy)) { 4119 4120 unsigned OperationType = 0; 4121 // "overwritten" if we're warning about the destination for any call 4122 // but memcmp; otherwise a verb appropriate to the call. 4123 if (ArgIdx != 0 || BId == Builtin::BImemcmp) { 4124 if (BId == Builtin::BImemcpy) 4125 OperationType = 1; 4126 else if(BId == Builtin::BImemmove) 4127 OperationType = 2; 4128 else if (BId == Builtin::BImemcmp) 4129 OperationType = 3; 4130 } 4131 4132 DiagRuntimeBehavior( 4133 Dest->getExprLoc(), Dest, 4134 PDiag(diag::warn_dyn_class_memaccess) 4135 << (BId == Builtin::BImemcmp ? ArgIdx + 2 : ArgIdx) 4136 << FnName << PointeeTy 4137 << OperationType 4138 << Call->getCallee()->getSourceRange()); 4139 } else if (PointeeTy.hasNonTrivialObjCLifetime() && 4140 BId != Builtin::BImemset) 4141 DiagRuntimeBehavior( 4142 Dest->getExprLoc(), Dest, 4143 PDiag(diag::warn_arc_object_memaccess) 4144 << ArgIdx << FnName << PointeeTy 4145 << Call->getCallee()->getSourceRange()); 4146 else 4147 continue; 4148 4149 DiagRuntimeBehavior( 4150 Dest->getExprLoc(), Dest, 4151 PDiag(diag::note_bad_memaccess_silence) 4152 << FixItHint::CreateInsertion(ArgRange.getBegin(), "(void*)")); 4153 break; 4154 } 4155 } 4156} 4157 4158// A little helper routine: ignore addition and subtraction of integer literals. 4159// This intentionally does not ignore all integer constant expressions because 4160// we don't want to remove sizeof(). 4161static const Expr *ignoreLiteralAdditions(const Expr *Ex, ASTContext &Ctx) { 4162 Ex = Ex->IgnoreParenCasts(); 4163 4164 for (;;) { 4165 const BinaryOperator * BO = dyn_cast<BinaryOperator>(Ex); 4166 if (!BO || !BO->isAdditiveOp()) 4167 break; 4168 4169 const Expr *RHS = BO->getRHS()->IgnoreParenCasts(); 4170 const Expr *LHS = BO->getLHS()->IgnoreParenCasts(); 4171 4172 if (isa<IntegerLiteral>(RHS)) 4173 Ex = LHS; 4174 else if (isa<IntegerLiteral>(LHS)) 4175 Ex = RHS; 4176 else 4177 break; 4178 } 4179 4180 return Ex; 4181} 4182 4183static bool isConstantSizeArrayWithMoreThanOneElement(QualType Ty, 4184 ASTContext &Context) { 4185 // Only handle constant-sized or VLAs, but not flexible members. 4186 if (const ConstantArrayType *CAT = Context.getAsConstantArrayType(Ty)) { 4187 // Only issue the FIXIT for arrays of size > 1. 4188 if (CAT->getSize().getSExtValue() <= 1) 4189 return false; 4190 } else if (!Ty->isVariableArrayType()) { 4191 return false; 4192 } 4193 return true; 4194} 4195 4196// Warn if the user has made the 'size' argument to strlcpy or strlcat 4197// be the size of the source, instead of the destination. 4198void Sema::CheckStrlcpycatArguments(const CallExpr *Call, 4199 IdentifierInfo *FnName) { 4200 4201 // Don't crash if the user has the wrong number of arguments 4202 if (Call->getNumArgs() != 3) 4203 return; 4204 4205 const Expr *SrcArg = ignoreLiteralAdditions(Call->getArg(1), Context); 4206 const Expr *SizeArg = ignoreLiteralAdditions(Call->getArg(2), Context); 4207 const Expr *CompareWithSrc = nullptr; 4208 4209 if (CheckMemorySizeofForComparison(*this, SizeArg, FnName, 4210 Call->getLocStart(), Call->getRParenLoc())) 4211 return; 4212 4213 // Look for 'strlcpy(dst, x, sizeof(x))' 4214 if (const Expr *Ex = getSizeOfExprArg(SizeArg)) 4215 CompareWithSrc = Ex; 4216 else { 4217 // Look for 'strlcpy(dst, x, strlen(x))' 4218 if (const CallExpr *SizeCall = dyn_cast<CallExpr>(SizeArg)) { 4219 if (SizeCall->getBuiltinCallee() == Builtin::BIstrlen && 4220 SizeCall->getNumArgs() == 1) 4221 CompareWithSrc = ignoreLiteralAdditions(SizeCall->getArg(0), Context); 4222 } 4223 } 4224 4225 if (!CompareWithSrc) 4226 return; 4227 4228 // Determine if the argument to sizeof/strlen is equal to the source 4229 // argument. In principle there's all kinds of things you could do 4230 // here, for instance creating an == expression and evaluating it with 4231 // EvaluateAsBooleanCondition, but this uses a more direct technique: 4232 const DeclRefExpr *SrcArgDRE = dyn_cast<DeclRefExpr>(SrcArg); 4233 if (!SrcArgDRE) 4234 return; 4235 4236 const DeclRefExpr *CompareWithSrcDRE = dyn_cast<DeclRefExpr>(CompareWithSrc); 4237 if (!CompareWithSrcDRE || 4238 SrcArgDRE->getDecl() != CompareWithSrcDRE->getDecl()) 4239 return; 4240 4241 const Expr *OriginalSizeArg = Call->getArg(2); 4242 Diag(CompareWithSrcDRE->getLocStart(), diag::warn_strlcpycat_wrong_size) 4243 << OriginalSizeArg->getSourceRange() << FnName; 4244 4245 // Output a FIXIT hint if the destination is an array (rather than a 4246 // pointer to an array). This could be enhanced to handle some 4247 // pointers if we know the actual size, like if DstArg is 'array+2' 4248 // we could say 'sizeof(array)-2'. 4249 const Expr *DstArg = Call->getArg(0)->IgnoreParenImpCasts(); 4250 if (!isConstantSizeArrayWithMoreThanOneElement(DstArg->getType(), Context)) 4251 return; 4252 4253 SmallString<128> sizeString; 4254 llvm::raw_svector_ostream OS(sizeString); 4255 OS << "sizeof("; 4256 DstArg->printPretty(OS, nullptr, getPrintingPolicy()); 4257 OS << ")"; 4258 4259 Diag(OriginalSizeArg->getLocStart(), diag::note_strlcpycat_wrong_size) 4260 << FixItHint::CreateReplacement(OriginalSizeArg->getSourceRange(), 4261 OS.str()); 4262} 4263 4264/// Check if two expressions refer to the same declaration. 4265static bool referToTheSameDecl(const Expr *E1, const Expr *E2) { 4266 if (const DeclRefExpr *D1 = dyn_cast_or_null<DeclRefExpr>(E1)) 4267 if (const DeclRefExpr *D2 = dyn_cast_or_null<DeclRefExpr>(E2)) 4268 return D1->getDecl() == D2->getDecl(); 4269 return false; 4270} 4271 4272static const Expr *getStrlenExprArg(const Expr *E) { 4273 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { 4274 const FunctionDecl *FD = CE->getDirectCallee(); 4275 if (!FD || FD->getMemoryFunctionKind() != Builtin::BIstrlen) 4276 return nullptr; 4277 return CE->getArg(0)->IgnoreParenCasts(); 4278 } 4279 return nullptr; 4280} 4281 4282// Warn on anti-patterns as the 'size' argument to strncat. 4283// The correct size argument should look like following: 4284// strncat(dst, src, sizeof(dst) - strlen(dest) - 1); 4285void Sema::CheckStrncatArguments(const CallExpr *CE, 4286 IdentifierInfo *FnName) { 4287 // Don't crash if the user has the wrong number of arguments. 4288 if (CE->getNumArgs() < 3) 4289 return; 4290 const Expr *DstArg = CE->getArg(0)->IgnoreParenCasts(); 4291 const Expr *SrcArg = CE->getArg(1)->IgnoreParenCasts(); 4292 const Expr *LenArg = CE->getArg(2)->IgnoreParenCasts(); 4293 4294 if (CheckMemorySizeofForComparison(*this, LenArg, FnName, CE->getLocStart(), 4295 CE->getRParenLoc())) 4296 return; 4297 4298 // Identify common expressions, which are wrongly used as the size argument 4299 // to strncat and may lead to buffer overflows. 4300 unsigned PatternType = 0; 4301 if (const Expr *SizeOfArg = getSizeOfExprArg(LenArg)) { 4302 // - sizeof(dst) 4303 if (referToTheSameDecl(SizeOfArg, DstArg)) 4304 PatternType = 1; 4305 // - sizeof(src) 4306 else if (referToTheSameDecl(SizeOfArg, SrcArg)) 4307 PatternType = 2; 4308 } else if (const BinaryOperator *BE = dyn_cast<BinaryOperator>(LenArg)) { 4309 if (BE->getOpcode() == BO_Sub) { 4310 const Expr *L = BE->getLHS()->IgnoreParenCasts(); 4311 const Expr *R = BE->getRHS()->IgnoreParenCasts(); 4312 // - sizeof(dst) - strlen(dst) 4313 if (referToTheSameDecl(DstArg, getSizeOfExprArg(L)) && 4314 referToTheSameDecl(DstArg, getStrlenExprArg(R))) 4315 PatternType = 1; 4316 // - sizeof(src) - (anything) 4317 else if (referToTheSameDecl(SrcArg, getSizeOfExprArg(L))) 4318 PatternType = 2; 4319 } 4320 } 4321 4322 if (PatternType == 0) 4323 return; 4324 4325 // Generate the diagnostic. 4326 SourceLocation SL = LenArg->getLocStart(); 4327 SourceRange SR = LenArg->getSourceRange(); 4328 SourceManager &SM = getSourceManager(); 4329 4330 // If the function is defined as a builtin macro, do not show macro expansion. 4331 if (SM.isMacroArgExpansion(SL)) { 4332 SL = SM.getSpellingLoc(SL); 4333 SR = SourceRange(SM.getSpellingLoc(SR.getBegin()), 4334 SM.getSpellingLoc(SR.getEnd())); 4335 } 4336 4337 // Check if the destination is an array (rather than a pointer to an array). 4338 QualType DstTy = DstArg->getType(); 4339 bool isKnownSizeArray = isConstantSizeArrayWithMoreThanOneElement(DstTy, 4340 Context); 4341 if (!isKnownSizeArray) { 4342 if (PatternType == 1) 4343 Diag(SL, diag::warn_strncat_wrong_size) << SR; 4344 else 4345 Diag(SL, diag::warn_strncat_src_size) << SR; 4346 return; 4347 } 4348 4349 if (PatternType == 1) 4350 Diag(SL, diag::warn_strncat_large_size) << SR; 4351 else 4352 Diag(SL, diag::warn_strncat_src_size) << SR; 4353 4354 SmallString<128> sizeString; 4355 llvm::raw_svector_ostream OS(sizeString); 4356 OS << "sizeof("; 4357 DstArg->printPretty(OS, nullptr, getPrintingPolicy()); 4358 OS << ") - "; 4359 OS << "strlen("; 4360 DstArg->printPretty(OS, nullptr, getPrintingPolicy()); 4361 OS << ") - 1"; 4362 4363 Diag(SL, diag::note_strncat_wrong_size) 4364 << FixItHint::CreateReplacement(SR, OS.str()); 4365} 4366 4367//===--- CHECK: Return Address of Stack Variable --------------------------===// 4368 4369static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars, 4370 Decl *ParentDecl); 4371static Expr *EvalAddr(Expr* E, SmallVectorImpl<DeclRefExpr *> &refVars, 4372 Decl *ParentDecl); 4373 4374/// CheckReturnStackAddr - Check if a return statement returns the address 4375/// of a stack variable. 4376static void 4377CheckReturnStackAddr(Sema &S, Expr *RetValExp, QualType lhsType, 4378 SourceLocation ReturnLoc) { 4379 4380 Expr *stackE = nullptr; 4381 SmallVector<DeclRefExpr *, 8> refVars; 4382 4383 // Perform checking for returned stack addresses, local blocks, 4384 // label addresses or references to temporaries. 4385 if (lhsType->isPointerType() || 4386 (!S.getLangOpts().ObjCAutoRefCount && lhsType->isBlockPointerType())) { 4387 stackE = EvalAddr(RetValExp, refVars, /*ParentDecl=*/nullptr); 4388 } else if (lhsType->isReferenceType()) { 4389 stackE = EvalVal(RetValExp, refVars, /*ParentDecl=*/nullptr); 4390 } 4391 4392 if (!stackE) 4393 return; // Nothing suspicious was found. 4394 4395 SourceLocation diagLoc; 4396 SourceRange diagRange; 4397 if (refVars.empty()) { 4398 diagLoc = stackE->getLocStart(); 4399 diagRange = stackE->getSourceRange(); 4400 } else { 4401 // We followed through a reference variable. 'stackE' contains the 4402 // problematic expression but we will warn at the return statement pointing 4403 // at the reference variable. We will later display the "trail" of 4404 // reference variables using notes. 4405 diagLoc = refVars[0]->getLocStart(); 4406 diagRange = refVars[0]->getSourceRange(); 4407 } 4408 4409 if (DeclRefExpr *DR = dyn_cast<DeclRefExpr>(stackE)) { //address of local var. 4410 S.Diag(diagLoc, lhsType->isReferenceType() ? diag::warn_ret_stack_ref 4411 : diag::warn_ret_stack_addr) 4412 << DR->getDecl()->getDeclName() << diagRange; 4413 } else if (isa<BlockExpr>(stackE)) { // local block. 4414 S.Diag(diagLoc, diag::err_ret_local_block) << diagRange; 4415 } else if (isa<AddrLabelExpr>(stackE)) { // address of label. 4416 S.Diag(diagLoc, diag::warn_ret_addr_label) << diagRange; 4417 } else { // local temporary. 4418 S.Diag(diagLoc, lhsType->isReferenceType() ? diag::warn_ret_local_temp_ref 4419 : diag::warn_ret_local_temp_addr) 4420 << diagRange; 4421 } 4422 4423 // Display the "trail" of reference variables that we followed until we 4424 // found the problematic expression using notes. 4425 for (unsigned i = 0, e = refVars.size(); i != e; ++i) { 4426 VarDecl *VD = cast<VarDecl>(refVars[i]->getDecl()); 4427 // If this var binds to another reference var, show the range of the next 4428 // var, otherwise the var binds to the problematic expression, in which case 4429 // show the range of the expression. 4430 SourceRange range = (i < e-1) ? refVars[i+1]->getSourceRange() 4431 : stackE->getSourceRange(); 4432 S.Diag(VD->getLocation(), diag::note_ref_var_local_bind) 4433 << VD->getDeclName() << range; 4434 } 4435} 4436 4437/// EvalAddr - EvalAddr and EvalVal are mutually recursive functions that 4438/// check if the expression in a return statement evaluates to an address 4439/// to a location on the stack, a local block, an address of a label, or a 4440/// reference to local temporary. The recursion is used to traverse the 4441/// AST of the return expression, with recursion backtracking when we 4442/// encounter a subexpression that (1) clearly does not lead to one of the 4443/// above problematic expressions (2) is something we cannot determine leads to 4444/// a problematic expression based on such local checking. 4445/// 4446/// Both EvalAddr and EvalVal follow through reference variables to evaluate 4447/// the expression that they point to. Such variables are added to the 4448/// 'refVars' vector so that we know what the reference variable "trail" was. 4449/// 4450/// EvalAddr processes expressions that are pointers that are used as 4451/// references (and not L-values). EvalVal handles all other values. 4452/// At the base case of the recursion is a check for the above problematic 4453/// expressions. 4454/// 4455/// This implementation handles: 4456/// 4457/// * pointer-to-pointer casts 4458/// * implicit conversions from array references to pointers 4459/// * taking the address of fields 4460/// * arbitrary interplay between "&" and "*" operators 4461/// * pointer arithmetic from an address of a stack variable 4462/// * taking the address of an array element where the array is on the stack 4463static Expr *EvalAddr(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars, 4464 Decl *ParentDecl) { 4465 if (E->isTypeDependent()) 4466 return nullptr; 4467 4468 // We should only be called for evaluating pointer expressions. 4469 assert((E->getType()->isAnyPointerType() || 4470 E->getType()->isBlockPointerType() || 4471 E->getType()->isObjCQualifiedIdType()) && 4472 "EvalAddr only works on pointers"); 4473 4474 E = E->IgnoreParens(); 4475 4476 // Our "symbolic interpreter" is just a dispatch off the currently 4477 // viewed AST node. We then recursively traverse the AST by calling 4478 // EvalAddr and EvalVal appropriately. 4479 switch (E->getStmtClass()) { 4480 case Stmt::DeclRefExprClass: { 4481 DeclRefExpr *DR = cast<DeclRefExpr>(E); 4482 4483 // If we leave the immediate function, the lifetime isn't about to end. 4484 if (DR->refersToEnclosingLocal()) 4485 return nullptr; 4486 4487 if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) 4488 // If this is a reference variable, follow through to the expression that 4489 // it points to. 4490 if (V->hasLocalStorage() && 4491 V->getType()->isReferenceType() && V->hasInit()) { 4492 // Add the reference variable to the "trail". 4493 refVars.push_back(DR); 4494 return EvalAddr(V->getInit(), refVars, ParentDecl); 4495 } 4496 4497 return nullptr; 4498 } 4499 4500 case Stmt::UnaryOperatorClass: { 4501 // The only unary operator that make sense to handle here 4502 // is AddrOf. All others don't make sense as pointers. 4503 UnaryOperator *U = cast<UnaryOperator>(E); 4504 4505 if (U->getOpcode() == UO_AddrOf) 4506 return EvalVal(U->getSubExpr(), refVars, ParentDecl); 4507 else 4508 return nullptr; 4509 } 4510 4511 case Stmt::BinaryOperatorClass: { 4512 // Handle pointer arithmetic. All other binary operators are not valid 4513 // in this context. 4514 BinaryOperator *B = cast<BinaryOperator>(E); 4515 BinaryOperatorKind op = B->getOpcode(); 4516 4517 if (op != BO_Add && op != BO_Sub) 4518 return nullptr; 4519 4520 Expr *Base = B->getLHS(); 4521 4522 // Determine which argument is the real pointer base. It could be 4523 // the RHS argument instead of the LHS. 4524 if (!Base->getType()->isPointerType()) Base = B->getRHS(); 4525 4526 assert (Base->getType()->isPointerType()); 4527 return EvalAddr(Base, refVars, ParentDecl); 4528 } 4529 4530 // For conditional operators we need to see if either the LHS or RHS are 4531 // valid DeclRefExpr*s. If one of them is valid, we return it. 4532 case Stmt::ConditionalOperatorClass: { 4533 ConditionalOperator *C = cast<ConditionalOperator>(E); 4534 4535 // Handle the GNU extension for missing LHS. 4536 // FIXME: That isn't a ConditionalOperator, so doesn't get here. 4537 if (Expr *LHSExpr = C->getLHS()) { 4538 // In C++, we can have a throw-expression, which has 'void' type. 4539 if (!LHSExpr->getType()->isVoidType()) 4540 if (Expr *LHS = EvalAddr(LHSExpr, refVars, ParentDecl)) 4541 return LHS; 4542 } 4543 4544 // In C++, we can have a throw-expression, which has 'void' type. 4545 if (C->getRHS()->getType()->isVoidType()) 4546 return nullptr; 4547 4548 return EvalAddr(C->getRHS(), refVars, ParentDecl); 4549 } 4550 4551 case Stmt::BlockExprClass: 4552 if (cast<BlockExpr>(E)->getBlockDecl()->hasCaptures()) 4553 return E; // local block. 4554 return nullptr; 4555 4556 case Stmt::AddrLabelExprClass: 4557 return E; // address of label. 4558 4559 case Stmt::ExprWithCleanupsClass: 4560 return EvalAddr(cast<ExprWithCleanups>(E)->getSubExpr(), refVars, 4561 ParentDecl); 4562 4563 // For casts, we need to handle conversions from arrays to 4564 // pointer values, and pointer-to-pointer conversions. 4565 case Stmt::ImplicitCastExprClass: 4566 case Stmt::CStyleCastExprClass: 4567 case Stmt::CXXFunctionalCastExprClass: 4568 case Stmt::ObjCBridgedCastExprClass: 4569 case Stmt::CXXStaticCastExprClass: 4570 case Stmt::CXXDynamicCastExprClass: 4571 case Stmt::CXXConstCastExprClass: 4572 case Stmt::CXXReinterpretCastExprClass: { 4573 Expr* SubExpr = cast<CastExpr>(E)->getSubExpr(); 4574 switch (cast<CastExpr>(E)->getCastKind()) { 4575 case CK_BitCast: 4576 case CK_LValueToRValue: 4577 case CK_NoOp: 4578 case CK_BaseToDerived: 4579 case CK_DerivedToBase: 4580 case CK_UncheckedDerivedToBase: 4581 case CK_Dynamic: 4582 case CK_CPointerToObjCPointerCast: 4583 case CK_BlockPointerToObjCPointerCast: 4584 case CK_AnyPointerToBlockPointerCast: 4585 return EvalAddr(SubExpr, refVars, ParentDecl); 4586 4587 case CK_ArrayToPointerDecay: 4588 return EvalVal(SubExpr, refVars, ParentDecl); 4589 4590 default: 4591 return nullptr; 4592 } 4593 } 4594 4595 case Stmt::MaterializeTemporaryExprClass: 4596 if (Expr *Result = EvalAddr( 4597 cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(), 4598 refVars, ParentDecl)) 4599 return Result; 4600 4601 return E; 4602 4603 // Everything else: we simply don't reason about them. 4604 default: 4605 return nullptr; 4606 } 4607} 4608 4609 4610/// EvalVal - This function is complements EvalAddr in the mutual recursion. 4611/// See the comments for EvalAddr for more details. 4612static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars, 4613 Decl *ParentDecl) { 4614do { 4615 // We should only be called for evaluating non-pointer expressions, or 4616 // expressions with a pointer type that are not used as references but instead 4617 // are l-values (e.g., DeclRefExpr with a pointer type). 4618 4619 // Our "symbolic interpreter" is just a dispatch off the currently 4620 // viewed AST node. We then recursively traverse the AST by calling 4621 // EvalAddr and EvalVal appropriately. 4622 4623 E = E->IgnoreParens(); 4624 switch (E->getStmtClass()) { 4625 case Stmt::ImplicitCastExprClass: { 4626 ImplicitCastExpr *IE = cast<ImplicitCastExpr>(E); 4627 if (IE->getValueKind() == VK_LValue) { 4628 E = IE->getSubExpr(); 4629 continue; 4630 } 4631 return nullptr; 4632 } 4633 4634 case Stmt::ExprWithCleanupsClass: 4635 return EvalVal(cast<ExprWithCleanups>(E)->getSubExpr(), refVars,ParentDecl); 4636 4637 case Stmt::DeclRefExprClass: { 4638 // When we hit a DeclRefExpr we are looking at code that refers to a 4639 // variable's name. If it's not a reference variable we check if it has 4640 // local storage within the function, and if so, return the expression. 4641 DeclRefExpr *DR = cast<DeclRefExpr>(E); 4642 4643 // If we leave the immediate function, the lifetime isn't about to end. 4644 if (DR->refersToEnclosingLocal()) 4645 return nullptr; 4646 4647 if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) { 4648 // Check if it refers to itself, e.g. "int& i = i;". 4649 if (V == ParentDecl) 4650 return DR; 4651 4652 if (V->hasLocalStorage()) { 4653 if (!V->getType()->isReferenceType()) 4654 return DR; 4655 4656 // Reference variable, follow through to the expression that 4657 // it points to. 4658 if (V->hasInit()) { 4659 // Add the reference variable to the "trail". 4660 refVars.push_back(DR); 4661 return EvalVal(V->getInit(), refVars, V); 4662 } 4663 } 4664 } 4665 4666 return nullptr; 4667 } 4668 4669 case Stmt::UnaryOperatorClass: { 4670 // The only unary operator that make sense to handle here 4671 // is Deref. All others don't resolve to a "name." This includes 4672 // handling all sorts of rvalues passed to a unary operator. 4673 UnaryOperator *U = cast<UnaryOperator>(E); 4674 4675 if (U->getOpcode() == UO_Deref) 4676 return EvalAddr(U->getSubExpr(), refVars, ParentDecl); 4677 4678 return nullptr; 4679 } 4680 4681 case Stmt::ArraySubscriptExprClass: { 4682 // Array subscripts are potential references to data on the stack. We 4683 // retrieve the DeclRefExpr* for the array variable if it indeed 4684 // has local storage. 4685 return EvalAddr(cast<ArraySubscriptExpr>(E)->getBase(), refVars,ParentDecl); 4686 } 4687 4688 case Stmt::ConditionalOperatorClass: { 4689 // For conditional operators we need to see if either the LHS or RHS are 4690 // non-NULL Expr's. If one is non-NULL, we return it. 4691 ConditionalOperator *C = cast<ConditionalOperator>(E); 4692 4693 // Handle the GNU extension for missing LHS. 4694 if (Expr *LHSExpr = C->getLHS()) { 4695 // In C++, we can have a throw-expression, which has 'void' type. 4696 if (!LHSExpr->getType()->isVoidType()) 4697 if (Expr *LHS = EvalVal(LHSExpr, refVars, ParentDecl)) 4698 return LHS; 4699 } 4700 4701 // In C++, we can have a throw-expression, which has 'void' type. 4702 if (C->getRHS()->getType()->isVoidType()) 4703 return nullptr; 4704 4705 return EvalVal(C->getRHS(), refVars, ParentDecl); 4706 } 4707 4708 // Accesses to members are potential references to data on the stack. 4709 case Stmt::MemberExprClass: { 4710 MemberExpr *M = cast<MemberExpr>(E); 4711 4712 // Check for indirect access. We only want direct field accesses. 4713 if (M->isArrow()) 4714 return nullptr; 4715 4716 // Check whether the member type is itself a reference, in which case 4717 // we're not going to refer to the member, but to what the member refers to. 4718 if (M->getMemberDecl()->getType()->isReferenceType()) 4719 return nullptr; 4720 4721 return EvalVal(M->getBase(), refVars, ParentDecl); 4722 } 4723 4724 case Stmt::MaterializeTemporaryExprClass: 4725 if (Expr *Result = EvalVal( 4726 cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(), 4727 refVars, ParentDecl)) 4728 return Result; 4729 4730 return E; 4731 4732 default: 4733 // Check that we don't return or take the address of a reference to a 4734 // temporary. This is only useful in C++. 4735 if (!E->isTypeDependent() && E->isRValue()) 4736 return E; 4737 4738 // Everything else: we simply don't reason about them. 4739 return nullptr; 4740 } 4741} while (true); 4742} 4743 4744void 4745Sema::CheckReturnValExpr(Expr *RetValExp, QualType lhsType, 4746 SourceLocation ReturnLoc, 4747 bool isObjCMethod, 4748 const AttrVec *Attrs, 4749 const FunctionDecl *FD) { 4750 CheckReturnStackAddr(*this, RetValExp, lhsType, ReturnLoc); 4751 4752 // Check if the return value is null but should not be. 4753 if (Attrs && hasSpecificAttr<ReturnsNonNullAttr>(*Attrs) && 4754 CheckNonNullExpr(*this, RetValExp)) 4755 Diag(ReturnLoc, diag::warn_null_ret) 4756 << (isObjCMethod ? 1 : 0) << RetValExp->getSourceRange(); 4757 4758 // C++11 [basic.stc.dynamic.allocation]p4: 4759 // If an allocation function declared with a non-throwing 4760 // exception-specification fails to allocate storage, it shall return 4761 // a null pointer. Any other allocation function that fails to allocate 4762 // storage shall indicate failure only by throwing an exception [...] 4763 if (FD) { 4764 OverloadedOperatorKind Op = FD->getOverloadedOperator(); 4765 if (Op == OO_New || Op == OO_Array_New) { 4766 const FunctionProtoType *Proto 4767 = FD->getType()->castAs<FunctionProtoType>(); 4768 if (!Proto->isNothrow(Context, /*ResultIfDependent*/true) && 4769 CheckNonNullExpr(*this, RetValExp)) 4770 Diag(ReturnLoc, diag::warn_operator_new_returns_null) 4771 << FD << getLangOpts().CPlusPlus11; 4772 } 4773 } 4774} 4775 4776//===--- CHECK: Floating-Point comparisons (-Wfloat-equal) ---------------===// 4777 4778/// Check for comparisons of floating point operands using != and ==. 4779/// Issue a warning if these are no self-comparisons, as they are not likely 4780/// to do what the programmer intended. 4781void Sema::CheckFloatComparison(SourceLocation Loc, Expr* LHS, Expr *RHS) { 4782 Expr* LeftExprSansParen = LHS->IgnoreParenImpCasts(); 4783 Expr* RightExprSansParen = RHS->IgnoreParenImpCasts(); 4784 4785 // Special case: check for x == x (which is OK). 4786 // Do not emit warnings for such cases. 4787 if (DeclRefExpr* DRL = dyn_cast<DeclRefExpr>(LeftExprSansParen)) 4788 if (DeclRefExpr* DRR = dyn_cast<DeclRefExpr>(RightExprSansParen)) 4789 if (DRL->getDecl() == DRR->getDecl()) 4790 return; 4791 4792 4793 // Special case: check for comparisons against literals that can be exactly 4794 // represented by APFloat. In such cases, do not emit a warning. This 4795 // is a heuristic: often comparison against such literals are used to 4796 // detect if a value in a variable has not changed. This clearly can 4797 // lead to false negatives. 4798 if (FloatingLiteral* FLL = dyn_cast<FloatingLiteral>(LeftExprSansParen)) { 4799 if (FLL->isExact()) 4800 return; 4801 } else 4802 if (FloatingLiteral* FLR = dyn_cast<FloatingLiteral>(RightExprSansParen)) 4803 if (FLR->isExact()) 4804 return; 4805 4806 // Check for comparisons with builtin types. 4807 if (CallExpr* CL = dyn_cast<CallExpr>(LeftExprSansParen)) 4808 if (CL->getBuiltinCallee()) 4809 return; 4810 4811 if (CallExpr* CR = dyn_cast<CallExpr>(RightExprSansParen)) 4812 if (CR->getBuiltinCallee()) 4813 return; 4814 4815 // Emit the diagnostic. 4816 Diag(Loc, diag::warn_floatingpoint_eq) 4817 << LHS->getSourceRange() << RHS->getSourceRange(); 4818} 4819 4820//===--- CHECK: Integer mixed-sign comparisons (-Wsign-compare) --------===// 4821//===--- CHECK: Lossy implicit conversions (-Wconversion) --------------===// 4822 4823namespace { 4824 4825/// Structure recording the 'active' range of an integer-valued 4826/// expression. 4827struct IntRange { 4828 /// The number of bits active in the int. 4829 unsigned Width; 4830 4831 /// True if the int is known not to have negative values. 4832 bool NonNegative; 4833 4834 IntRange(unsigned Width, bool NonNegative) 4835 : Width(Width), NonNegative(NonNegative) 4836 {} 4837 4838 /// Returns the range of the bool type. 4839 static IntRange forBoolType() { 4840 return IntRange(1, true); 4841 } 4842 4843 /// Returns the range of an opaque value of the given integral type. 4844 static IntRange forValueOfType(ASTContext &C, QualType T) { 4845 return forValueOfCanonicalType(C, 4846 T->getCanonicalTypeInternal().getTypePtr()); 4847 } 4848 4849 /// Returns the range of an opaque value of a canonical integral type. 4850 static IntRange forValueOfCanonicalType(ASTContext &C, const Type *T) { 4851 assert(T->isCanonicalUnqualified()); 4852 4853 if (const VectorType *VT = dyn_cast<VectorType>(T)) 4854 T = VT->getElementType().getTypePtr(); 4855 if (const ComplexType *CT = dyn_cast<ComplexType>(T)) 4856 T = CT->getElementType().getTypePtr(); 4857 4858 // For enum types, use the known bit width of the enumerators. 4859 if (const EnumType *ET = dyn_cast<EnumType>(T)) { 4860 EnumDecl *Enum = ET->getDecl(); 4861 if (!Enum->isCompleteDefinition()) 4862 return IntRange(C.getIntWidth(QualType(T, 0)), false); 4863 4864 unsigned NumPositive = Enum->getNumPositiveBits(); 4865 unsigned NumNegative = Enum->getNumNegativeBits(); 4866 4867 if (NumNegative == 0) 4868 return IntRange(NumPositive, true/*NonNegative*/); 4869 else 4870 return IntRange(std::max(NumPositive + 1, NumNegative), 4871 false/*NonNegative*/); 4872 } 4873 4874 const BuiltinType *BT = cast<BuiltinType>(T); 4875 assert(BT->isInteger()); 4876 4877 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); 4878 } 4879 4880 /// Returns the "target" range of a canonical integral type, i.e. 4881 /// the range of values expressible in the type. 4882 /// 4883 /// This matches forValueOfCanonicalType except that enums have the 4884 /// full range of their type, not the range of their enumerators. 4885 static IntRange forTargetOfCanonicalType(ASTContext &C, const Type *T) { 4886 assert(T->isCanonicalUnqualified()); 4887 4888 if (const VectorType *VT = dyn_cast<VectorType>(T)) 4889 T = VT->getElementType().getTypePtr(); 4890 if (const ComplexType *CT = dyn_cast<ComplexType>(T)) 4891 T = CT->getElementType().getTypePtr(); 4892 if (const EnumType *ET = dyn_cast<EnumType>(T)) 4893 T = C.getCanonicalType(ET->getDecl()->getIntegerType()).getTypePtr(); 4894 4895 const BuiltinType *BT = cast<BuiltinType>(T); 4896 assert(BT->isInteger()); 4897 4898 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); 4899 } 4900 4901 /// Returns the supremum of two ranges: i.e. their conservative merge. 4902 static IntRange join(IntRange L, IntRange R) { 4903 return IntRange(std::max(L.Width, R.Width), 4904 L.NonNegative && R.NonNegative); 4905 } 4906 4907 /// Returns the infinum of two ranges: i.e. their aggressive merge. 4908 static IntRange meet(IntRange L, IntRange R) { 4909 return IntRange(std::min(L.Width, R.Width), 4910 L.NonNegative || R.NonNegative); 4911 } 4912}; 4913 4914static IntRange GetValueRange(ASTContext &C, llvm::APSInt &value, 4915 unsigned MaxWidth) { 4916 if (value.isSigned() && value.isNegative()) 4917 return IntRange(value.getMinSignedBits(), false); 4918 4919 if (value.getBitWidth() > MaxWidth) 4920 value = value.trunc(MaxWidth); 4921 4922 // isNonNegative() just checks the sign bit without considering 4923 // signedness. 4924 return IntRange(value.getActiveBits(), true); 4925} 4926 4927static IntRange GetValueRange(ASTContext &C, APValue &result, QualType Ty, 4928 unsigned MaxWidth) { 4929 if (result.isInt()) 4930 return GetValueRange(C, result.getInt(), MaxWidth); 4931 4932 if (result.isVector()) { 4933 IntRange R = GetValueRange(C, result.getVectorElt(0), Ty, MaxWidth); 4934 for (unsigned i = 1, e = result.getVectorLength(); i != e; ++i) { 4935 IntRange El = GetValueRange(C, result.getVectorElt(i), Ty, MaxWidth); 4936 R = IntRange::join(R, El); 4937 } 4938 return R; 4939 } 4940 4941 if (result.isComplexInt()) { 4942 IntRange R = GetValueRange(C, result.getComplexIntReal(), MaxWidth); 4943 IntRange I = GetValueRange(C, result.getComplexIntImag(), MaxWidth); 4944 return IntRange::join(R, I); 4945 } 4946 4947 // This can happen with lossless casts to intptr_t of "based" lvalues. 4948 // Assume it might use arbitrary bits. 4949 // FIXME: The only reason we need to pass the type in here is to get 4950 // the sign right on this one case. It would be nice if APValue 4951 // preserved this. 4952 assert(result.isLValue() || result.isAddrLabelDiff()); 4953 return IntRange(MaxWidth, Ty->isUnsignedIntegerOrEnumerationType()); 4954} 4955 4956static QualType GetExprType(Expr *E) { 4957 QualType Ty = E->getType(); 4958 if (const AtomicType *AtomicRHS = Ty->getAs<AtomicType>()) 4959 Ty = AtomicRHS->getValueType(); 4960 return Ty; 4961} 4962 4963/// Pseudo-evaluate the given integer expression, estimating the 4964/// range of values it might take. 4965/// 4966/// \param MaxWidth - the width to which the value will be truncated 4967static IntRange GetExprRange(ASTContext &C, Expr *E, unsigned MaxWidth) { 4968 E = E->IgnoreParens(); 4969 4970 // Try a full evaluation first. 4971 Expr::EvalResult result; 4972 if (E->EvaluateAsRValue(result, C)) 4973 return GetValueRange(C, result.Val, GetExprType(E), MaxWidth); 4974 4975 // I think we only want to look through implicit casts here; if the 4976 // user has an explicit widening cast, we should treat the value as 4977 // being of the new, wider type. 4978 if (ImplicitCastExpr *CE = dyn_cast<ImplicitCastExpr>(E)) { 4979 if (CE->getCastKind() == CK_NoOp || CE->getCastKind() == CK_LValueToRValue) 4980 return GetExprRange(C, CE->getSubExpr(), MaxWidth); 4981 4982 IntRange OutputTypeRange = IntRange::forValueOfType(C, GetExprType(CE)); 4983 4984 bool isIntegerCast = (CE->getCastKind() == CK_IntegralCast); 4985 4986 // Assume that non-integer casts can span the full range of the type. 4987 if (!isIntegerCast) 4988 return OutputTypeRange; 4989 4990 IntRange SubRange 4991 = GetExprRange(C, CE->getSubExpr(), 4992 std::min(MaxWidth, OutputTypeRange.Width)); 4993 4994 // Bail out if the subexpr's range is as wide as the cast type. 4995 if (SubRange.Width >= OutputTypeRange.Width) 4996 return OutputTypeRange; 4997 4998 // Otherwise, we take the smaller width, and we're non-negative if 4999 // either the output type or the subexpr is. 5000 return IntRange(SubRange.Width, 5001 SubRange.NonNegative || OutputTypeRange.NonNegative); 5002 } 5003 5004 if (ConditionalOperator *CO = dyn_cast<ConditionalOperator>(E)) { 5005 // If we can fold the condition, just take that operand. 5006 bool CondResult; 5007 if (CO->getCond()->EvaluateAsBooleanCondition(CondResult, C)) 5008 return GetExprRange(C, CondResult ? CO->getTrueExpr() 5009 : CO->getFalseExpr(), 5010 MaxWidth); 5011 5012 // Otherwise, conservatively merge. 5013 IntRange L = GetExprRange(C, CO->getTrueExpr(), MaxWidth); 5014 IntRange R = GetExprRange(C, CO->getFalseExpr(), MaxWidth); 5015 return IntRange::join(L, R); 5016 } 5017 5018 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 5019 switch (BO->getOpcode()) { 5020 5021 // Boolean-valued operations are single-bit and positive. 5022 case BO_LAnd: 5023 case BO_LOr: 5024 case BO_LT: 5025 case BO_GT: 5026 case BO_LE: 5027 case BO_GE: 5028 case BO_EQ: 5029 case BO_NE: 5030 return IntRange::forBoolType(); 5031 5032 // The type of the assignments is the type of the LHS, so the RHS 5033 // is not necessarily the same type. 5034 case BO_MulAssign: 5035 case BO_DivAssign: 5036 case BO_RemAssign: 5037 case BO_AddAssign: 5038 case BO_SubAssign: 5039 case BO_XorAssign: 5040 case BO_OrAssign: 5041 // TODO: bitfields? 5042 return IntRange::forValueOfType(C, GetExprType(E)); 5043 5044 // Simple assignments just pass through the RHS, which will have 5045 // been coerced to the LHS type. 5046 case BO_Assign: 5047 // TODO: bitfields? 5048 return GetExprRange(C, BO->getRHS(), MaxWidth); 5049 5050 // Operations with opaque sources are black-listed. 5051 case BO_PtrMemD: 5052 case BO_PtrMemI: 5053 return IntRange::forValueOfType(C, GetExprType(E)); 5054 5055 // Bitwise-and uses the *infinum* of the two source ranges. 5056 case BO_And: 5057 case BO_AndAssign: 5058 return IntRange::meet(GetExprRange(C, BO->getLHS(), MaxWidth), 5059 GetExprRange(C, BO->getRHS(), MaxWidth)); 5060 5061 // Left shift gets black-listed based on a judgement call. 5062 case BO_Shl: 5063 // ...except that we want to treat '1 << (blah)' as logically 5064 // positive. It's an important idiom. 5065 if (IntegerLiteral *I 5066 = dyn_cast<IntegerLiteral>(BO->getLHS()->IgnoreParenCasts())) { 5067 if (I->getValue() == 1) { 5068 IntRange R = IntRange::forValueOfType(C, GetExprType(E)); 5069 return IntRange(R.Width, /*NonNegative*/ true); 5070 } 5071 } 5072 // fallthrough 5073 5074 case BO_ShlAssign: 5075 return IntRange::forValueOfType(C, GetExprType(E)); 5076 5077 // Right shift by a constant can narrow its left argument. 5078 case BO_Shr: 5079 case BO_ShrAssign: { 5080 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 5081 5082 // If the shift amount is a positive constant, drop the width by 5083 // that much. 5084 llvm::APSInt shift; 5085 if (BO->getRHS()->isIntegerConstantExpr(shift, C) && 5086 shift.isNonNegative()) { 5087 unsigned zext = shift.getZExtValue(); 5088 if (zext >= L.Width) 5089 L.Width = (L.NonNegative ? 0 : 1); 5090 else 5091 L.Width -= zext; 5092 } 5093 5094 return L; 5095 } 5096 5097 // Comma acts as its right operand. 5098 case BO_Comma: 5099 return GetExprRange(C, BO->getRHS(), MaxWidth); 5100 5101 // Black-list pointer subtractions. 5102 case BO_Sub: 5103 if (BO->getLHS()->getType()->isPointerType()) 5104 return IntRange::forValueOfType(C, GetExprType(E)); 5105 break; 5106 5107 // The width of a division result is mostly determined by the size 5108 // of the LHS. 5109 case BO_Div: { 5110 // Don't 'pre-truncate' the operands. 5111 unsigned opWidth = C.getIntWidth(GetExprType(E)); 5112 IntRange L = GetExprRange(C, BO->getLHS(), opWidth); 5113 5114 // If the divisor is constant, use that. 5115 llvm::APSInt divisor; 5116 if (BO->getRHS()->isIntegerConstantExpr(divisor, C)) { 5117 unsigned log2 = divisor.logBase2(); // floor(log_2(divisor)) 5118 if (log2 >= L.Width) 5119 L.Width = (L.NonNegative ? 0 : 1); 5120 else 5121 L.Width = std::min(L.Width - log2, MaxWidth); 5122 return L; 5123 } 5124 5125 // Otherwise, just use the LHS's width. 5126 IntRange R = GetExprRange(C, BO->getRHS(), opWidth); 5127 return IntRange(L.Width, L.NonNegative && R.NonNegative); 5128 } 5129 5130 // The result of a remainder can't be larger than the result of 5131 // either side. 5132 case BO_Rem: { 5133 // Don't 'pre-truncate' the operands. 5134 unsigned opWidth = C.getIntWidth(GetExprType(E)); 5135 IntRange L = GetExprRange(C, BO->getLHS(), opWidth); 5136 IntRange R = GetExprRange(C, BO->getRHS(), opWidth); 5137 5138 IntRange meet = IntRange::meet(L, R); 5139 meet.Width = std::min(meet.Width, MaxWidth); 5140 return meet; 5141 } 5142 5143 // The default behavior is okay for these. 5144 case BO_Mul: 5145 case BO_Add: 5146 case BO_Xor: 5147 case BO_Or: 5148 break; 5149 } 5150 5151 // The default case is to treat the operation as if it were closed 5152 // on the narrowest type that encompasses both operands. 5153 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 5154 IntRange R = GetExprRange(C, BO->getRHS(), MaxWidth); 5155 return IntRange::join(L, R); 5156 } 5157 5158 if (UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) { 5159 switch (UO->getOpcode()) { 5160 // Boolean-valued operations are white-listed. 5161 case UO_LNot: 5162 return IntRange::forBoolType(); 5163 5164 // Operations with opaque sources are black-listed. 5165 case UO_Deref: 5166 case UO_AddrOf: // should be impossible 5167 return IntRange::forValueOfType(C, GetExprType(E)); 5168 5169 default: 5170 return GetExprRange(C, UO->getSubExpr(), MaxWidth); 5171 } 5172 } 5173 5174 if (OpaqueValueExpr *OVE = dyn_cast<OpaqueValueExpr>(E)) 5175 return GetExprRange(C, OVE->getSourceExpr(), MaxWidth); 5176 5177 if (FieldDecl *BitField = E->getSourceBitField()) 5178 return IntRange(BitField->getBitWidthValue(C), 5179 BitField->getType()->isUnsignedIntegerOrEnumerationType()); 5180 5181 return IntRange::forValueOfType(C, GetExprType(E)); 5182} 5183 5184static IntRange GetExprRange(ASTContext &C, Expr *E) { 5185 return GetExprRange(C, E, C.getIntWidth(GetExprType(E))); 5186} 5187 5188/// Checks whether the given value, which currently has the given 5189/// source semantics, has the same value when coerced through the 5190/// target semantics. 5191static bool IsSameFloatAfterCast(const llvm::APFloat &value, 5192 const llvm::fltSemantics &Src, 5193 const llvm::fltSemantics &Tgt) { 5194 llvm::APFloat truncated = value; 5195 5196 bool ignored; 5197 truncated.convert(Src, llvm::APFloat::rmNearestTiesToEven, &ignored); 5198 truncated.convert(Tgt, llvm::APFloat::rmNearestTiesToEven, &ignored); 5199 5200 return truncated.bitwiseIsEqual(value); 5201} 5202 5203/// Checks whether the given value, which currently has the given 5204/// source semantics, has the same value when coerced through the 5205/// target semantics. 5206/// 5207/// The value might be a vector of floats (or a complex number). 5208static bool IsSameFloatAfterCast(const APValue &value, 5209 const llvm::fltSemantics &Src, 5210 const llvm::fltSemantics &Tgt) { 5211 if (value.isFloat()) 5212 return IsSameFloatAfterCast(value.getFloat(), Src, Tgt); 5213 5214 if (value.isVector()) { 5215 for (unsigned i = 0, e = value.getVectorLength(); i != e; ++i) 5216 if (!IsSameFloatAfterCast(value.getVectorElt(i), Src, Tgt)) 5217 return false; 5218 return true; 5219 } 5220 5221 assert(value.isComplexFloat()); 5222 return (IsSameFloatAfterCast(value.getComplexFloatReal(), Src, Tgt) && 5223 IsSameFloatAfterCast(value.getComplexFloatImag(), Src, Tgt)); 5224} 5225 5226static void AnalyzeImplicitConversions(Sema &S, Expr *E, SourceLocation CC); 5227 5228static bool IsZero(Sema &S, Expr *E) { 5229 // Suppress cases where we are comparing against an enum constant. 5230 if (const DeclRefExpr *DR = 5231 dyn_cast<DeclRefExpr>(E->IgnoreParenImpCasts())) 5232 if (isa<EnumConstantDecl>(DR->getDecl())) 5233 return false; 5234 5235 // Suppress cases where the '0' value is expanded from a macro. 5236 if (E->getLocStart().isMacroID()) 5237 return false; 5238 5239 llvm::APSInt Value; 5240 return E->isIntegerConstantExpr(Value, S.Context) && Value == 0; 5241} 5242 5243static bool HasEnumType(Expr *E) { 5244 // Strip off implicit integral promotions. 5245 while (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) { 5246 if (ICE->getCastKind() != CK_IntegralCast && 5247 ICE->getCastKind() != CK_NoOp) 5248 break; 5249 E = ICE->getSubExpr(); 5250 } 5251 5252 return E->getType()->isEnumeralType(); 5253} 5254 5255static void CheckTrivialUnsignedComparison(Sema &S, BinaryOperator *E) { 5256 // Disable warning in template instantiations. 5257 if (!S.ActiveTemplateInstantiations.empty()) 5258 return; 5259 5260 BinaryOperatorKind op = E->getOpcode(); 5261 if (E->isValueDependent()) 5262 return; 5263 5264 if (op == BO_LT && IsZero(S, E->getRHS())) { 5265 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 5266 << "< 0" << "false" << HasEnumType(E->getLHS()) 5267 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 5268 } else if (op == BO_GE && IsZero(S, E->getRHS())) { 5269 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 5270 << ">= 0" << "true" << HasEnumType(E->getLHS()) 5271 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 5272 } else if (op == BO_GT && IsZero(S, E->getLHS())) { 5273 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 5274 << "0 >" << "false" << HasEnumType(E->getRHS()) 5275 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 5276 } else if (op == BO_LE && IsZero(S, E->getLHS())) { 5277 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 5278 << "0 <=" << "true" << HasEnumType(E->getRHS()) 5279 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 5280 } 5281} 5282 5283static void DiagnoseOutOfRangeComparison(Sema &S, BinaryOperator *E, 5284 Expr *Constant, Expr *Other, 5285 llvm::APSInt Value, 5286 bool RhsConstant) { 5287 // Disable warning in template instantiations. 5288 if (!S.ActiveTemplateInstantiations.empty()) 5289 return; 5290 5291 // TODO: Investigate using GetExprRange() to get tighter bounds 5292 // on the bit ranges. 5293 QualType OtherT = Other->getType(); 5294 IntRange OtherRange = IntRange::forValueOfType(S.Context, OtherT); 5295 unsigned OtherWidth = OtherRange.Width; 5296 5297 bool OtherIsBooleanType = Other->isKnownToHaveBooleanValue(); 5298 5299 // 0 values are handled later by CheckTrivialUnsignedComparison(). 5300 if ((Value == 0) && (!OtherIsBooleanType)) 5301 return; 5302 5303 BinaryOperatorKind op = E->getOpcode(); 5304 bool IsTrue = true; 5305 5306 // Used for diagnostic printout. 5307 enum { 5308 LiteralConstant = 0, 5309 CXXBoolLiteralTrue, 5310 CXXBoolLiteralFalse 5311 } LiteralOrBoolConstant = LiteralConstant; 5312 5313 if (!OtherIsBooleanType) { 5314 QualType ConstantT = Constant->getType(); 5315 QualType CommonT = E->getLHS()->getType(); 5316 5317 if (S.Context.hasSameUnqualifiedType(OtherT, ConstantT)) 5318 return; 5319 assert((OtherT->isIntegerType() && ConstantT->isIntegerType()) && 5320 "comparison with non-integer type"); 5321 5322 bool ConstantSigned = ConstantT->isSignedIntegerType(); 5323 bool CommonSigned = CommonT->isSignedIntegerType(); 5324 5325 bool EqualityOnly = false; 5326 5327 if (CommonSigned) { 5328 // The common type is signed, therefore no signed to unsigned conversion. 5329 if (!OtherRange.NonNegative) { 5330 // Check that the constant is representable in type OtherT. 5331 if (ConstantSigned) { 5332 if (OtherWidth >= Value.getMinSignedBits()) 5333 return; 5334 } else { // !ConstantSigned 5335 if (OtherWidth >= Value.getActiveBits() + 1) 5336 return; 5337 } 5338 } else { // !OtherSigned 5339 // Check that the constant is representable in type OtherT. 5340 // Negative values are out of range. 5341 if (ConstantSigned) { 5342 if (Value.isNonNegative() && OtherWidth >= Value.getActiveBits()) 5343 return; 5344 } else { // !ConstantSigned 5345 if (OtherWidth >= Value.getActiveBits()) 5346 return; 5347 } 5348 } 5349 } else { // !CommonSigned 5350 if (OtherRange.NonNegative) { 5351 if (OtherWidth >= Value.getActiveBits()) 5352 return; 5353 } else if (!OtherRange.NonNegative && !ConstantSigned) { 5354 // Check to see if the constant is representable in OtherT. 5355 if (OtherWidth > Value.getActiveBits()) 5356 return; 5357 // Check to see if the constant is equivalent to a negative value 5358 // cast to CommonT. 5359 if (S.Context.getIntWidth(ConstantT) == 5360 S.Context.getIntWidth(CommonT) && 5361 Value.isNegative() && Value.getMinSignedBits() <= OtherWidth) 5362 return; 5363 // The constant value rests between values that OtherT can represent 5364 // after conversion. Relational comparison still works, but equality 5365 // comparisons will be tautological. 5366 EqualityOnly = true; 5367 } else { // OtherSigned && ConstantSigned 5368 assert(0 && "Two signed types converted to unsigned types."); 5369 } 5370 } 5371 5372 bool PositiveConstant = !ConstantSigned || Value.isNonNegative(); 5373 5374 if (op == BO_EQ || op == BO_NE) { 5375 IsTrue = op == BO_NE; 5376 } else if (EqualityOnly) { 5377 return; 5378 } else if (RhsConstant) { 5379 if (op == BO_GT || op == BO_GE) 5380 IsTrue = !PositiveConstant; 5381 else // op == BO_LT || op == BO_LE 5382 IsTrue = PositiveConstant; 5383 } else { 5384 if (op == BO_LT || op == BO_LE) 5385 IsTrue = !PositiveConstant; 5386 else // op == BO_GT || op == BO_GE 5387 IsTrue = PositiveConstant; 5388 } 5389 } else { 5390 // Other isKnownToHaveBooleanValue 5391 enum CompareBoolWithConstantResult { AFals, ATrue, Unkwn }; 5392 enum ConstantValue { LT_Zero, Zero, One, GT_One, SizeOfConstVal }; 5393 enum ConstantSide { Lhs, Rhs, SizeOfConstSides }; 5394 5395 static const struct LinkedConditions { 5396 CompareBoolWithConstantResult BO_LT_OP[SizeOfConstSides][SizeOfConstVal]; 5397 CompareBoolWithConstantResult BO_GT_OP[SizeOfConstSides][SizeOfConstVal]; 5398 CompareBoolWithConstantResult BO_LE_OP[SizeOfConstSides][SizeOfConstVal]; 5399 CompareBoolWithConstantResult BO_GE_OP[SizeOfConstSides][SizeOfConstVal]; 5400 CompareBoolWithConstantResult BO_EQ_OP[SizeOfConstSides][SizeOfConstVal]; 5401 CompareBoolWithConstantResult BO_NE_OP[SizeOfConstSides][SizeOfConstVal]; 5402 5403 } TruthTable = { 5404 // Constant on LHS. | Constant on RHS. | 5405 // LT_Zero| Zero | One |GT_One| LT_Zero| Zero | One |GT_One| 5406 { { ATrue, Unkwn, AFals, AFals }, { AFals, AFals, Unkwn, ATrue } }, 5407 { { AFals, AFals, Unkwn, ATrue }, { ATrue, Unkwn, AFals, AFals } }, 5408 { { ATrue, ATrue, Unkwn, AFals }, { AFals, Unkwn, ATrue, ATrue } }, 5409 { { AFals, Unkwn, ATrue, ATrue }, { ATrue, ATrue, Unkwn, AFals } }, 5410 { { AFals, Unkwn, Unkwn, AFals }, { AFals, Unkwn, Unkwn, AFals } }, 5411 { { ATrue, Unkwn, Unkwn, ATrue }, { ATrue, Unkwn, Unkwn, ATrue } } 5412 }; 5413 5414 bool ConstantIsBoolLiteral = isa<CXXBoolLiteralExpr>(Constant); 5415 5416 enum ConstantValue ConstVal = Zero; 5417 if (Value.isUnsigned() || Value.isNonNegative()) { 5418 if (Value == 0) { 5419 LiteralOrBoolConstant = 5420 ConstantIsBoolLiteral ? CXXBoolLiteralFalse : LiteralConstant; 5421 ConstVal = Zero; 5422 } else if (Value == 1) { 5423 LiteralOrBoolConstant = 5424 ConstantIsBoolLiteral ? CXXBoolLiteralTrue : LiteralConstant; 5425 ConstVal = One; 5426 } else { 5427 LiteralOrBoolConstant = LiteralConstant; 5428 ConstVal = GT_One; 5429 } 5430 } else { 5431 ConstVal = LT_Zero; 5432 } 5433 5434 CompareBoolWithConstantResult CmpRes; 5435 5436 switch (op) { 5437 case BO_LT: 5438 CmpRes = TruthTable.BO_LT_OP[RhsConstant][ConstVal]; 5439 break; 5440 case BO_GT: 5441 CmpRes = TruthTable.BO_GT_OP[RhsConstant][ConstVal]; 5442 break; 5443 case BO_LE: 5444 CmpRes = TruthTable.BO_LE_OP[RhsConstant][ConstVal]; 5445 break; 5446 case BO_GE: 5447 CmpRes = TruthTable.BO_GE_OP[RhsConstant][ConstVal]; 5448 break; 5449 case BO_EQ: 5450 CmpRes = TruthTable.BO_EQ_OP[RhsConstant][ConstVal]; 5451 break; 5452 case BO_NE: 5453 CmpRes = TruthTable.BO_NE_OP[RhsConstant][ConstVal]; 5454 break; 5455 default: 5456 CmpRes = Unkwn; 5457 break; 5458 } 5459 5460 if (CmpRes == AFals) { 5461 IsTrue = false; 5462 } else if (CmpRes == ATrue) { 5463 IsTrue = true; 5464 } else { 5465 return; 5466 } 5467 } 5468 5469 // If this is a comparison to an enum constant, include that 5470 // constant in the diagnostic. 5471 const EnumConstantDecl *ED = nullptr; 5472 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Constant)) 5473 ED = dyn_cast<EnumConstantDecl>(DR->getDecl()); 5474 5475 SmallString<64> PrettySourceValue; 5476 llvm::raw_svector_ostream OS(PrettySourceValue); 5477 if (ED) 5478 OS << '\'' << *ED << "' (" << Value << ")"; 5479 else 5480 OS << Value; 5481 5482 S.DiagRuntimeBehavior( 5483 E->getOperatorLoc(), E, 5484 S.PDiag(diag::warn_out_of_range_compare) 5485 << OS.str() << LiteralOrBoolConstant 5486 << OtherT << (OtherIsBooleanType && !OtherT->isBooleanType()) << IsTrue 5487 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange()); 5488} 5489 5490/// Analyze the operands of the given comparison. Implements the 5491/// fallback case from AnalyzeComparison. 5492static void AnalyzeImpConvsInComparison(Sema &S, BinaryOperator *E) { 5493 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc()); 5494 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc()); 5495} 5496 5497/// \brief Implements -Wsign-compare. 5498/// 5499/// \param E the binary operator to check for warnings 5500static void AnalyzeComparison(Sema &S, BinaryOperator *E) { 5501 // The type the comparison is being performed in. 5502 QualType T = E->getLHS()->getType(); 5503 assert(S.Context.hasSameUnqualifiedType(T, E->getRHS()->getType()) 5504 && "comparison with mismatched types"); 5505 if (E->isValueDependent()) 5506 return AnalyzeImpConvsInComparison(S, E); 5507 5508 Expr *LHS = E->getLHS()->IgnoreParenImpCasts(); 5509 Expr *RHS = E->getRHS()->IgnoreParenImpCasts(); 5510 5511 bool IsComparisonConstant = false; 5512 5513 // Check whether an integer constant comparison results in a value 5514 // of 'true' or 'false'. 5515 if (T->isIntegralType(S.Context)) { 5516 llvm::APSInt RHSValue; 5517 bool IsRHSIntegralLiteral = 5518 RHS->isIntegerConstantExpr(RHSValue, S.Context); 5519 llvm::APSInt LHSValue; 5520 bool IsLHSIntegralLiteral = 5521 LHS->isIntegerConstantExpr(LHSValue, S.Context); 5522 if (IsRHSIntegralLiteral && !IsLHSIntegralLiteral) 5523 DiagnoseOutOfRangeComparison(S, E, RHS, LHS, RHSValue, true); 5524 else if (!IsRHSIntegralLiteral && IsLHSIntegralLiteral) 5525 DiagnoseOutOfRangeComparison(S, E, LHS, RHS, LHSValue, false); 5526 else 5527 IsComparisonConstant = 5528 (IsRHSIntegralLiteral && IsLHSIntegralLiteral); 5529 } else if (!T->hasUnsignedIntegerRepresentation()) 5530 IsComparisonConstant = E->isIntegerConstantExpr(S.Context); 5531 5532 // We don't do anything special if this isn't an unsigned integral 5533 // comparison: we're only interested in integral comparisons, and 5534 // signed comparisons only happen in cases we don't care to warn about. 5535 // 5536 // We also don't care about value-dependent expressions or expressions 5537 // whose result is a constant. 5538 if (!T->hasUnsignedIntegerRepresentation() || IsComparisonConstant) 5539 return AnalyzeImpConvsInComparison(S, E); 5540 5541 // Check to see if one of the (unmodified) operands is of different 5542 // signedness. 5543 Expr *signedOperand, *unsignedOperand; 5544 if (LHS->getType()->hasSignedIntegerRepresentation()) { 5545 assert(!RHS->getType()->hasSignedIntegerRepresentation() && 5546 "unsigned comparison between two signed integer expressions?"); 5547 signedOperand = LHS; 5548 unsignedOperand = RHS; 5549 } else if (RHS->getType()->hasSignedIntegerRepresentation()) { 5550 signedOperand = RHS; 5551 unsignedOperand = LHS; 5552 } else { 5553 CheckTrivialUnsignedComparison(S, E); 5554 return AnalyzeImpConvsInComparison(S, E); 5555 } 5556 5557 // Otherwise, calculate the effective range of the signed operand. 5558 IntRange signedRange = GetExprRange(S.Context, signedOperand); 5559 5560 // Go ahead and analyze implicit conversions in the operands. Note 5561 // that we skip the implicit conversions on both sides. 5562 AnalyzeImplicitConversions(S, LHS, E->getOperatorLoc()); 5563 AnalyzeImplicitConversions(S, RHS, E->getOperatorLoc()); 5564 5565 // If the signed range is non-negative, -Wsign-compare won't fire, 5566 // but we should still check for comparisons which are always true 5567 // or false. 5568 if (signedRange.NonNegative) 5569 return CheckTrivialUnsignedComparison(S, E); 5570 5571 // For (in)equality comparisons, if the unsigned operand is a 5572 // constant which cannot collide with a overflowed signed operand, 5573 // then reinterpreting the signed operand as unsigned will not 5574 // change the result of the comparison. 5575 if (E->isEqualityOp()) { 5576 unsigned comparisonWidth = S.Context.getIntWidth(T); 5577 IntRange unsignedRange = GetExprRange(S.Context, unsignedOperand); 5578 5579 // We should never be unable to prove that the unsigned operand is 5580 // non-negative. 5581 assert(unsignedRange.NonNegative && "unsigned range includes negative?"); 5582 5583 if (unsignedRange.Width < comparisonWidth) 5584 return; 5585 } 5586 5587 S.DiagRuntimeBehavior(E->getOperatorLoc(), E, 5588 S.PDiag(diag::warn_mixed_sign_comparison) 5589 << LHS->getType() << RHS->getType() 5590 << LHS->getSourceRange() << RHS->getSourceRange()); 5591} 5592 5593/// Analyzes an attempt to assign the given value to a bitfield. 5594/// 5595/// Returns true if there was something fishy about the attempt. 5596static bool AnalyzeBitFieldAssignment(Sema &S, FieldDecl *Bitfield, Expr *Init, 5597 SourceLocation InitLoc) { 5598 assert(Bitfield->isBitField()); 5599 if (Bitfield->isInvalidDecl()) 5600 return false; 5601 5602 // White-list bool bitfields. 5603 if (Bitfield->getType()->isBooleanType()) 5604 return false; 5605 5606 // Ignore value- or type-dependent expressions. 5607 if (Bitfield->getBitWidth()->isValueDependent() || 5608 Bitfield->getBitWidth()->isTypeDependent() || 5609 Init->isValueDependent() || 5610 Init->isTypeDependent()) 5611 return false; 5612 5613 Expr *OriginalInit = Init->IgnoreParenImpCasts(); 5614 5615 llvm::APSInt Value; 5616 if (!OriginalInit->EvaluateAsInt(Value, S.Context, Expr::SE_AllowSideEffects)) 5617 return false; 5618 5619 unsigned OriginalWidth = Value.getBitWidth(); 5620 unsigned FieldWidth = Bitfield->getBitWidthValue(S.Context); 5621 5622 if (OriginalWidth <= FieldWidth) 5623 return false; 5624 5625 // Compute the value which the bitfield will contain. 5626 llvm::APSInt TruncatedValue = Value.trunc(FieldWidth); 5627 TruncatedValue.setIsSigned(Bitfield->getType()->isSignedIntegerType()); 5628 5629 // Check whether the stored value is equal to the original value. 5630 TruncatedValue = TruncatedValue.extend(OriginalWidth); 5631 if (llvm::APSInt::isSameValue(Value, TruncatedValue)) 5632 return false; 5633 5634 // Special-case bitfields of width 1: booleans are naturally 0/1, and 5635 // therefore don't strictly fit into a signed bitfield of width 1. 5636 if (FieldWidth == 1 && Value == 1) 5637 return false; 5638 5639 std::string PrettyValue = Value.toString(10); 5640 std::string PrettyTrunc = TruncatedValue.toString(10); 5641 5642 S.Diag(InitLoc, diag::warn_impcast_bitfield_precision_constant) 5643 << PrettyValue << PrettyTrunc << OriginalInit->getType() 5644 << Init->getSourceRange(); 5645 5646 return true; 5647} 5648 5649/// Analyze the given simple or compound assignment for warning-worthy 5650/// operations. 5651static void AnalyzeAssignment(Sema &S, BinaryOperator *E) { 5652 // Just recurse on the LHS. 5653 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc()); 5654 5655 // We want to recurse on the RHS as normal unless we're assigning to 5656 // a bitfield. 5657 if (FieldDecl *Bitfield = E->getLHS()->getSourceBitField()) { 5658 if (AnalyzeBitFieldAssignment(S, Bitfield, E->getRHS(), 5659 E->getOperatorLoc())) { 5660 // Recurse, ignoring any implicit conversions on the RHS. 5661 return AnalyzeImplicitConversions(S, E->getRHS()->IgnoreParenImpCasts(), 5662 E->getOperatorLoc()); 5663 } 5664 } 5665 5666 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc()); 5667} 5668 5669/// Diagnose an implicit cast; purely a helper for CheckImplicitConversion. 5670static void DiagnoseImpCast(Sema &S, Expr *E, QualType SourceType, QualType T, 5671 SourceLocation CContext, unsigned diag, 5672 bool pruneControlFlow = false) { 5673 if (pruneControlFlow) { 5674 S.DiagRuntimeBehavior(E->getExprLoc(), E, 5675 S.PDiag(diag) 5676 << SourceType << T << E->getSourceRange() 5677 << SourceRange(CContext)); 5678 return; 5679 } 5680 S.Diag(E->getExprLoc(), diag) 5681 << SourceType << T << E->getSourceRange() << SourceRange(CContext); 5682} 5683 5684/// Diagnose an implicit cast; purely a helper for CheckImplicitConversion. 5685static void DiagnoseImpCast(Sema &S, Expr *E, QualType T, 5686 SourceLocation CContext, unsigned diag, 5687 bool pruneControlFlow = false) { 5688 DiagnoseImpCast(S, E, E->getType(), T, CContext, diag, pruneControlFlow); 5689} 5690 5691/// Diagnose an implicit cast from a literal expression. Does not warn when the 5692/// cast wouldn't lose information. 5693void DiagnoseFloatingLiteralImpCast(Sema &S, FloatingLiteral *FL, QualType T, 5694 SourceLocation CContext) { 5695 // Try to convert the literal exactly to an integer. If we can, don't warn. 5696 bool isExact = false; 5697 const llvm::APFloat &Value = FL->getValue(); 5698 llvm::APSInt IntegerValue(S.Context.getIntWidth(T), 5699 T->hasUnsignedIntegerRepresentation()); 5700 if (Value.convertToInteger(IntegerValue, 5701 llvm::APFloat::rmTowardZero, &isExact) 5702 == llvm::APFloat::opOK && isExact) 5703 return; 5704 5705 // FIXME: Force the precision of the source value down so we don't print 5706 // digits which are usually useless (we don't really care here if we 5707 // truncate a digit by accident in edge cases). Ideally, APFloat::toString 5708 // would automatically print the shortest representation, but it's a bit 5709 // tricky to implement. 5710 SmallString<16> PrettySourceValue; 5711 unsigned precision = llvm::APFloat::semanticsPrecision(Value.getSemantics()); 5712 precision = (precision * 59 + 195) / 196; 5713 Value.toString(PrettySourceValue, precision); 5714 5715 SmallString<16> PrettyTargetValue; 5716 if (T->isSpecificBuiltinType(BuiltinType::Bool)) 5717 PrettyTargetValue = IntegerValue == 0 ? "false" : "true"; 5718 else 5719 IntegerValue.toString(PrettyTargetValue); 5720 5721 S.Diag(FL->getExprLoc(), diag::warn_impcast_literal_float_to_integer) 5722 << FL->getType() << T.getUnqualifiedType() << PrettySourceValue 5723 << PrettyTargetValue << FL->getSourceRange() << SourceRange(CContext); 5724} 5725 5726std::string PrettyPrintInRange(const llvm::APSInt &Value, IntRange Range) { 5727 if (!Range.Width) return "0"; 5728 5729 llvm::APSInt ValueInRange = Value; 5730 ValueInRange.setIsSigned(!Range.NonNegative); 5731 ValueInRange = ValueInRange.trunc(Range.Width); 5732 return ValueInRange.toString(10); 5733} 5734 5735static bool IsImplicitBoolFloatConversion(Sema &S, Expr *Ex, bool ToBool) { 5736 if (!isa<ImplicitCastExpr>(Ex)) 5737 return false; 5738 5739 Expr *InnerE = Ex->IgnoreParenImpCasts(); 5740 const Type *Target = S.Context.getCanonicalType(Ex->getType()).getTypePtr(); 5741 const Type *Source = 5742 S.Context.getCanonicalType(InnerE->getType()).getTypePtr(); 5743 if (Target->isDependentType()) 5744 return false; 5745 5746 const BuiltinType *FloatCandidateBT = 5747 dyn_cast<BuiltinType>(ToBool ? Source : Target); 5748 const Type *BoolCandidateType = ToBool ? Target : Source; 5749 5750 return (BoolCandidateType->isSpecificBuiltinType(BuiltinType::Bool) && 5751 FloatCandidateBT && (FloatCandidateBT->isFloatingPoint())); 5752} 5753 5754void CheckImplicitArgumentConversions(Sema &S, CallExpr *TheCall, 5755 SourceLocation CC) { 5756 unsigned NumArgs = TheCall->getNumArgs(); 5757 for (unsigned i = 0; i < NumArgs; ++i) { 5758 Expr *CurrA = TheCall->getArg(i); 5759 if (!IsImplicitBoolFloatConversion(S, CurrA, true)) 5760 continue; 5761 5762 bool IsSwapped = ((i > 0) && 5763 IsImplicitBoolFloatConversion(S, TheCall->getArg(i - 1), false)); 5764 IsSwapped |= ((i < (NumArgs - 1)) && 5765 IsImplicitBoolFloatConversion(S, TheCall->getArg(i + 1), false)); 5766 if (IsSwapped) { 5767 // Warn on this floating-point to bool conversion. 5768 DiagnoseImpCast(S, CurrA->IgnoreParenImpCasts(), 5769 CurrA->getType(), CC, 5770 diag::warn_impcast_floating_point_to_bool); 5771 } 5772 } 5773} 5774 5775void CheckImplicitConversion(Sema &S, Expr *E, QualType T, 5776 SourceLocation CC, bool *ICContext = nullptr) { 5777 if (E->isTypeDependent() || E->isValueDependent()) return; 5778 5779 const Type *Source = S.Context.getCanonicalType(E->getType()).getTypePtr(); 5780 const Type *Target = S.Context.getCanonicalType(T).getTypePtr(); 5781 if (Source == Target) return; 5782 if (Target->isDependentType()) return; 5783 5784 // If the conversion context location is invalid don't complain. We also 5785 // don't want to emit a warning if the issue occurs from the expansion of 5786 // a system macro. The problem is that 'getSpellingLoc()' is slow, so we 5787 // delay this check as long as possible. Once we detect we are in that 5788 // scenario, we just return. 5789 if (CC.isInvalid()) 5790 return; 5791 5792 // Diagnose implicit casts to bool. 5793 if (Target->isSpecificBuiltinType(BuiltinType::Bool)) { 5794 if (isa<StringLiteral>(E)) 5795 // Warn on string literal to bool. Checks for string literals in logical 5796 // and expressions, for instance, assert(0 && "error here"), are 5797 // prevented by a check in AnalyzeImplicitConversions(). 5798 return DiagnoseImpCast(S, E, T, CC, 5799 diag::warn_impcast_string_literal_to_bool); 5800 if (isa<ObjCStringLiteral>(E) || isa<ObjCArrayLiteral>(E) || 5801 isa<ObjCDictionaryLiteral>(E) || isa<ObjCBoxedExpr>(E)) { 5802 // This covers the literal expressions that evaluate to Objective-C 5803 // objects. 5804 return DiagnoseImpCast(S, E, T, CC, 5805 diag::warn_impcast_objective_c_literal_to_bool); 5806 } 5807 if (Source->isPointerType() || Source->canDecayToPointerType()) { 5808 // Warn on pointer to bool conversion that is always true. 5809 S.DiagnoseAlwaysNonNullPointer(E, Expr::NPCK_NotNull, /*IsEqual*/ false, 5810 SourceRange(CC)); 5811 } 5812 } 5813 5814 // Strip vector types. 5815 if (isa<VectorType>(Source)) { 5816 if (!isa<VectorType>(Target)) { 5817 if (S.SourceMgr.isInSystemMacro(CC)) 5818 return; 5819 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_vector_scalar); 5820 } 5821 5822 // If the vector cast is cast between two vectors of the same size, it is 5823 // a bitcast, not a conversion. 5824 if (S.Context.getTypeSize(Source) == S.Context.getTypeSize(Target)) 5825 return; 5826 5827 Source = cast<VectorType>(Source)->getElementType().getTypePtr(); 5828 Target = cast<VectorType>(Target)->getElementType().getTypePtr(); 5829 } 5830 if (auto VecTy = dyn_cast<VectorType>(Target)) 5831 Target = VecTy->getElementType().getTypePtr(); 5832 5833 // Strip complex types. 5834 if (isa<ComplexType>(Source)) { 5835 if (!isa<ComplexType>(Target)) { 5836 if (S.SourceMgr.isInSystemMacro(CC)) 5837 return; 5838 5839 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_complex_scalar); 5840 } 5841 5842 Source = cast<ComplexType>(Source)->getElementType().getTypePtr(); 5843 Target = cast<ComplexType>(Target)->getElementType().getTypePtr(); 5844 } 5845 5846 const BuiltinType *SourceBT = dyn_cast<BuiltinType>(Source); 5847 const BuiltinType *TargetBT = dyn_cast<BuiltinType>(Target); 5848 5849 // If the source is floating point... 5850 if (SourceBT && SourceBT->isFloatingPoint()) { 5851 // ...and the target is floating point... 5852 if (TargetBT && TargetBT->isFloatingPoint()) { 5853 // ...then warn if we're dropping FP rank. 5854 5855 // Builtin FP kinds are ordered by increasing FP rank. 5856 if (SourceBT->getKind() > TargetBT->getKind()) { 5857 // Don't warn about float constants that are precisely 5858 // representable in the target type. 5859 Expr::EvalResult result; 5860 if (E->EvaluateAsRValue(result, S.Context)) { 5861 // Value might be a float, a float vector, or a float complex. 5862 if (IsSameFloatAfterCast(result.Val, 5863 S.Context.getFloatTypeSemantics(QualType(TargetBT, 0)), 5864 S.Context.getFloatTypeSemantics(QualType(SourceBT, 0)))) 5865 return; 5866 } 5867 5868 if (S.SourceMgr.isInSystemMacro(CC)) 5869 return; 5870 5871 DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_precision); 5872 } 5873 return; 5874 } 5875 5876 // If the target is integral, always warn. 5877 if (TargetBT && TargetBT->isInteger()) { 5878 if (S.SourceMgr.isInSystemMacro(CC)) 5879 return; 5880 5881 Expr *InnerE = E->IgnoreParenImpCasts(); 5882 // We also want to warn on, e.g., "int i = -1.234" 5883 if (UnaryOperator *UOp = dyn_cast<UnaryOperator>(InnerE)) 5884 if (UOp->getOpcode() == UO_Minus || UOp->getOpcode() == UO_Plus) 5885 InnerE = UOp->getSubExpr()->IgnoreParenImpCasts(); 5886 5887 if (FloatingLiteral *FL = dyn_cast<FloatingLiteral>(InnerE)) { 5888 DiagnoseFloatingLiteralImpCast(S, FL, T, CC); 5889 } else { 5890 DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_integer); 5891 } 5892 } 5893 5894 // If the target is bool, warn if expr is a function or method call. 5895 if (Target->isSpecificBuiltinType(BuiltinType::Bool) && 5896 isa<CallExpr>(E)) { 5897 // Check last argument of function call to see if it is an 5898 // implicit cast from a type matching the type the result 5899 // is being cast to. 5900 CallExpr *CEx = cast<CallExpr>(E); 5901 unsigned NumArgs = CEx->getNumArgs(); 5902 if (NumArgs > 0) { 5903 Expr *LastA = CEx->getArg(NumArgs - 1); 5904 Expr *InnerE = LastA->IgnoreParenImpCasts(); 5905 const Type *InnerType = 5906 S.Context.getCanonicalType(InnerE->getType()).getTypePtr(); 5907 if (isa<ImplicitCastExpr>(LastA) && (InnerType == Target)) { 5908 // Warn on this floating-point to bool conversion 5909 DiagnoseImpCast(S, E, T, CC, 5910 diag::warn_impcast_floating_point_to_bool); 5911 } 5912 } 5913 } 5914 return; 5915 } 5916 5917 if ((E->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNotNull) 5918 == Expr::NPCK_GNUNull) && !Target->isAnyPointerType() 5919 && !Target->isBlockPointerType() && !Target->isMemberPointerType() 5920 && Target->isScalarType() && !Target->isNullPtrType()) { 5921 SourceLocation Loc = E->getSourceRange().getBegin(); 5922 if (Loc.isMacroID()) 5923 Loc = S.SourceMgr.getImmediateExpansionRange(Loc).first; 5924 if (!Loc.isMacroID() || CC.isMacroID()) 5925 S.Diag(Loc, diag::warn_impcast_null_pointer_to_integer) 5926 << T << clang::SourceRange(CC) 5927 << FixItHint::CreateReplacement(Loc, 5928 S.getFixItZeroLiteralForType(T, Loc)); 5929 } 5930 5931 if (!Source->isIntegerType() || !Target->isIntegerType()) 5932 return; 5933 5934 // TODO: remove this early return once the false positives for constant->bool 5935 // in templates, macros, etc, are reduced or removed. 5936 if (Target->isSpecificBuiltinType(BuiltinType::Bool)) 5937 return; 5938 5939 IntRange SourceRange = GetExprRange(S.Context, E); 5940 IntRange TargetRange = IntRange::forTargetOfCanonicalType(S.Context, Target); 5941 5942 if (SourceRange.Width > TargetRange.Width) { 5943 // If the source is a constant, use a default-on diagnostic. 5944 // TODO: this should happen for bitfield stores, too. 5945 llvm::APSInt Value(32); 5946 if (E->isIntegerConstantExpr(Value, S.Context)) { 5947 if (S.SourceMgr.isInSystemMacro(CC)) 5948 return; 5949 5950 std::string PrettySourceValue = Value.toString(10); 5951 std::string PrettyTargetValue = PrettyPrintInRange(Value, TargetRange); 5952 5953 S.DiagRuntimeBehavior(E->getExprLoc(), E, 5954 S.PDiag(diag::warn_impcast_integer_precision_constant) 5955 << PrettySourceValue << PrettyTargetValue 5956 << E->getType() << T << E->getSourceRange() 5957 << clang::SourceRange(CC)); 5958 return; 5959 } 5960 5961 // People want to build with -Wshorten-64-to-32 and not -Wconversion. 5962 if (S.SourceMgr.isInSystemMacro(CC)) 5963 return; 5964 5965 if (TargetRange.Width == 32 && S.Context.getIntWidth(E->getType()) == 64) 5966 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_64_32, 5967 /* pruneControlFlow */ true); 5968 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_precision); 5969 } 5970 5971 if ((TargetRange.NonNegative && !SourceRange.NonNegative) || 5972 (!TargetRange.NonNegative && SourceRange.NonNegative && 5973 SourceRange.Width == TargetRange.Width)) { 5974 5975 if (S.SourceMgr.isInSystemMacro(CC)) 5976 return; 5977 5978 unsigned DiagID = diag::warn_impcast_integer_sign; 5979 5980 // Traditionally, gcc has warned about this under -Wsign-compare. 5981 // We also want to warn about it in -Wconversion. 5982 // So if -Wconversion is off, use a completely identical diagnostic 5983 // in the sign-compare group. 5984 // The conditional-checking code will 5985 if (ICContext) { 5986 DiagID = diag::warn_impcast_integer_sign_conditional; 5987 *ICContext = true; 5988 } 5989 5990 return DiagnoseImpCast(S, E, T, CC, DiagID); 5991 } 5992 5993 // Diagnose conversions between different enumeration types. 5994 // In C, we pretend that the type of an EnumConstantDecl is its enumeration 5995 // type, to give us better diagnostics. 5996 QualType SourceType = E->getType(); 5997 if (!S.getLangOpts().CPlusPlus) { 5998 if (DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) 5999 if (EnumConstantDecl *ECD = dyn_cast<EnumConstantDecl>(DRE->getDecl())) { 6000 EnumDecl *Enum = cast<EnumDecl>(ECD->getDeclContext()); 6001 SourceType = S.Context.getTypeDeclType(Enum); 6002 Source = S.Context.getCanonicalType(SourceType).getTypePtr(); 6003 } 6004 } 6005 6006 if (const EnumType *SourceEnum = Source->getAs<EnumType>()) 6007 if (const EnumType *TargetEnum = Target->getAs<EnumType>()) 6008 if (SourceEnum->getDecl()->hasNameForLinkage() && 6009 TargetEnum->getDecl()->hasNameForLinkage() && 6010 SourceEnum != TargetEnum) { 6011 if (S.SourceMgr.isInSystemMacro(CC)) 6012 return; 6013 6014 return DiagnoseImpCast(S, E, SourceType, T, CC, 6015 diag::warn_impcast_different_enum_types); 6016 } 6017 6018 return; 6019} 6020 6021void CheckConditionalOperator(Sema &S, ConditionalOperator *E, 6022 SourceLocation CC, QualType T); 6023 6024void CheckConditionalOperand(Sema &S, Expr *E, QualType T, 6025 SourceLocation CC, bool &ICContext) { 6026 E = E->IgnoreParenImpCasts(); 6027 6028 if (isa<ConditionalOperator>(E)) 6029 return CheckConditionalOperator(S, cast<ConditionalOperator>(E), CC, T); 6030 6031 AnalyzeImplicitConversions(S, E, CC); 6032 if (E->getType() != T) 6033 return CheckImplicitConversion(S, E, T, CC, &ICContext); 6034 return; 6035} 6036 6037void CheckConditionalOperator(Sema &S, ConditionalOperator *E, 6038 SourceLocation CC, QualType T) { 6039 AnalyzeImplicitConversions(S, E->getCond(), CC); 6040 6041 bool Suspicious = false; 6042 CheckConditionalOperand(S, E->getTrueExpr(), T, CC, Suspicious); 6043 CheckConditionalOperand(S, E->getFalseExpr(), T, CC, Suspicious); 6044 6045 // If -Wconversion would have warned about either of the candidates 6046 // for a signedness conversion to the context type... 6047 if (!Suspicious) return; 6048 6049 // ...but it's currently ignored... 6050 if (S.Diags.getDiagnosticLevel(diag::warn_impcast_integer_sign_conditional, 6051 CC)) 6052 return; 6053 6054 // ...then check whether it would have warned about either of the 6055 // candidates for a signedness conversion to the condition type. 6056 if (E->getType() == T) return; 6057 6058 Suspicious = false; 6059 CheckImplicitConversion(S, E->getTrueExpr()->IgnoreParenImpCasts(), 6060 E->getType(), CC, &Suspicious); 6061 if (!Suspicious) 6062 CheckImplicitConversion(S, E->getFalseExpr()->IgnoreParenImpCasts(), 6063 E->getType(), CC, &Suspicious); 6064} 6065 6066/// AnalyzeImplicitConversions - Find and report any interesting 6067/// implicit conversions in the given expression. There are a couple 6068/// of competing diagnostics here, -Wconversion and -Wsign-compare. 6069void AnalyzeImplicitConversions(Sema &S, Expr *OrigE, SourceLocation CC) { 6070 QualType T = OrigE->getType(); 6071 Expr *E = OrigE->IgnoreParenImpCasts(); 6072 6073 if (E->isTypeDependent() || E->isValueDependent()) 6074 return; 6075 6076 // For conditional operators, we analyze the arguments as if they 6077 // were being fed directly into the output. 6078 if (isa<ConditionalOperator>(E)) { 6079 ConditionalOperator *CO = cast<ConditionalOperator>(E); 6080 CheckConditionalOperator(S, CO, CC, T); 6081 return; 6082 } 6083 6084 // Check implicit argument conversions for function calls. 6085 if (CallExpr *Call = dyn_cast<CallExpr>(E)) 6086 CheckImplicitArgumentConversions(S, Call, CC); 6087 6088 // Go ahead and check any implicit conversions we might have skipped. 6089 // The non-canonical typecheck is just an optimization; 6090 // CheckImplicitConversion will filter out dead implicit conversions. 6091 if (E->getType() != T) 6092 CheckImplicitConversion(S, E, T, CC); 6093 6094 // Now continue drilling into this expression. 6095 6096 if (PseudoObjectExpr * POE = dyn_cast<PseudoObjectExpr>(E)) { 6097 if (POE->getResultExpr()) 6098 E = POE->getResultExpr(); 6099 } 6100 6101 if (const OpaqueValueExpr *OVE = dyn_cast<OpaqueValueExpr>(E)) 6102 return AnalyzeImplicitConversions(S, OVE->getSourceExpr(), CC); 6103 6104 // Skip past explicit casts. 6105 if (isa<ExplicitCastExpr>(E)) { 6106 E = cast<ExplicitCastExpr>(E)->getSubExpr()->IgnoreParenImpCasts(); 6107 return AnalyzeImplicitConversions(S, E, CC); 6108 } 6109 6110 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 6111 // Do a somewhat different check with comparison operators. 6112 if (BO->isComparisonOp()) 6113 return AnalyzeComparison(S, BO); 6114 6115 // And with simple assignments. 6116 if (BO->getOpcode() == BO_Assign) 6117 return AnalyzeAssignment(S, BO); 6118 } 6119 6120 // These break the otherwise-useful invariant below. Fortunately, 6121 // we don't really need to recurse into them, because any internal 6122 // expressions should have been analyzed already when they were 6123 // built into statements. 6124 if (isa<StmtExpr>(E)) return; 6125 6126 // Don't descend into unevaluated contexts. 6127 if (isa<UnaryExprOrTypeTraitExpr>(E)) return; 6128 6129 // Now just recurse over the expression's children. 6130 CC = E->getExprLoc(); 6131 BinaryOperator *BO = dyn_cast<BinaryOperator>(E); 6132 bool IsLogicalAndOperator = BO && BO->getOpcode() == BO_LAnd; 6133 for (Stmt::child_range I = E->children(); I; ++I) { 6134 Expr *ChildExpr = dyn_cast_or_null<Expr>(*I); 6135 if (!ChildExpr) 6136 continue; 6137 6138 if (IsLogicalAndOperator && 6139 isa<StringLiteral>(ChildExpr->IgnoreParenImpCasts())) 6140 // Ignore checking string literals that are in logical and operators. 6141 // This is a common pattern for asserts. 6142 continue; 6143 AnalyzeImplicitConversions(S, ChildExpr, CC); 6144 } 6145} 6146 6147} // end anonymous namespace 6148 6149enum { 6150 AddressOf, 6151 FunctionPointer, 6152 ArrayPointer 6153}; 6154 6155/// \brief Diagnose pointers that are always non-null. 6156/// \param E the expression containing the pointer 6157/// \param NullKind NPCK_NotNull if E is a cast to bool, otherwise, E is 6158/// compared to a null pointer 6159/// \param IsEqual True when the comparison is equal to a null pointer 6160/// \param Range Extra SourceRange to highlight in the diagnostic 6161void Sema::DiagnoseAlwaysNonNullPointer(Expr *E, 6162 Expr::NullPointerConstantKind NullKind, 6163 bool IsEqual, SourceRange Range) { 6164 6165 // Don't warn inside macros. 6166 if (E->getExprLoc().isMacroID()) 6167 return; 6168 E = E->IgnoreImpCasts(); 6169 6170 const bool IsCompare = NullKind != Expr::NPCK_NotNull; 6171 6172 bool IsAddressOf = false; 6173 6174 if (UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) { 6175 if (UO->getOpcode() != UO_AddrOf) 6176 return; 6177 IsAddressOf = true; 6178 E = UO->getSubExpr(); 6179 } 6180 6181 // Expect to find a single Decl. Skip anything more complicated. 6182 ValueDecl *D = nullptr; 6183 if (DeclRefExpr *R = dyn_cast<DeclRefExpr>(E)) { 6184 D = R->getDecl(); 6185 } else if (MemberExpr *M = dyn_cast<MemberExpr>(E)) { 6186 D = M->getMemberDecl(); 6187 } 6188 6189 // Weak Decls can be null. 6190 if (!D || D->isWeak()) 6191 return; 6192 6193 QualType T = D->getType(); 6194 const bool IsArray = T->isArrayType(); 6195 const bool IsFunction = T->isFunctionType(); 6196 6197 if (IsAddressOf) { 6198 // Address of function is used to silence the function warning. 6199 if (IsFunction) 6200 return; 6201 // Address of reference can be null. 6202 if (T->isReferenceType()) 6203 return; 6204 } 6205 6206 // Found nothing. 6207 if (!IsAddressOf && !IsFunction && !IsArray) 6208 return; 6209 6210 // Pretty print the expression for the diagnostic. 6211 std::string Str; 6212 llvm::raw_string_ostream S(Str); 6213 E->printPretty(S, nullptr, getPrintingPolicy()); 6214 6215 unsigned DiagID = IsCompare ? diag::warn_null_pointer_compare 6216 : diag::warn_impcast_pointer_to_bool; 6217 unsigned DiagType; 6218 if (IsAddressOf) 6219 DiagType = AddressOf; 6220 else if (IsFunction) 6221 DiagType = FunctionPointer; 6222 else if (IsArray) 6223 DiagType = ArrayPointer; 6224 else 6225 llvm_unreachable("Could not determine diagnostic."); 6226 Diag(E->getExprLoc(), DiagID) << DiagType << S.str() << E->getSourceRange() 6227 << Range << IsEqual; 6228 6229 if (!IsFunction) 6230 return; 6231 6232 // Suggest '&' to silence the function warning. 6233 Diag(E->getExprLoc(), diag::note_function_warning_silence) 6234 << FixItHint::CreateInsertion(E->getLocStart(), "&"); 6235 6236 // Check to see if '()' fixit should be emitted. 6237 QualType ReturnType; 6238 UnresolvedSet<4> NonTemplateOverloads; 6239 tryExprAsCall(*E, ReturnType, NonTemplateOverloads); 6240 if (ReturnType.isNull()) 6241 return; 6242 6243 if (IsCompare) { 6244 // There are two cases here. If there is null constant, the only suggest 6245 // for a pointer return type. If the null is 0, then suggest if the return 6246 // type is a pointer or an integer type. 6247 if (!ReturnType->isPointerType()) { 6248 if (NullKind == Expr::NPCK_ZeroExpression || 6249 NullKind == Expr::NPCK_ZeroLiteral) { 6250 if (!ReturnType->isIntegerType()) 6251 return; 6252 } else { 6253 return; 6254 } 6255 } 6256 } else { // !IsCompare 6257 // For function to bool, only suggest if the function pointer has bool 6258 // return type. 6259 if (!ReturnType->isSpecificBuiltinType(BuiltinType::Bool)) 6260 return; 6261 } 6262 Diag(E->getExprLoc(), diag::note_function_to_function_call) 6263 << FixItHint::CreateInsertion(getLocForEndOfToken(E->getLocEnd()), "()"); 6264} 6265 6266 6267/// Diagnoses "dangerous" implicit conversions within the given 6268/// expression (which is a full expression). Implements -Wconversion 6269/// and -Wsign-compare. 6270/// 6271/// \param CC the "context" location of the implicit conversion, i.e. 6272/// the most location of the syntactic entity requiring the implicit 6273/// conversion 6274void Sema::CheckImplicitConversions(Expr *E, SourceLocation CC) { 6275 // Don't diagnose in unevaluated contexts. 6276 if (isUnevaluatedContext()) 6277 return; 6278 6279 // Don't diagnose for value- or type-dependent expressions. 6280 if (E->isTypeDependent() || E->isValueDependent()) 6281 return; 6282 6283 // Check for array bounds violations in cases where the check isn't triggered 6284 // elsewhere for other Expr types (like BinaryOperators), e.g. when an 6285 // ArraySubscriptExpr is on the RHS of a variable initialization. 6286 CheckArrayAccess(E); 6287 6288 // This is not the right CC for (e.g.) a variable initialization. 6289 AnalyzeImplicitConversions(*this, E, CC); 6290} 6291 6292/// Diagnose when expression is an integer constant expression and its evaluation 6293/// results in integer overflow 6294void Sema::CheckForIntOverflow (Expr *E) { 6295 if (isa<BinaryOperator>(E->IgnoreParens())) 6296 E->EvaluateForOverflow(Context); 6297} 6298 6299namespace { 6300/// \brief Visitor for expressions which looks for unsequenced operations on the 6301/// same object. 6302class SequenceChecker : public EvaluatedExprVisitor<SequenceChecker> { 6303 typedef EvaluatedExprVisitor<SequenceChecker> Base; 6304 6305 /// \brief A tree of sequenced regions within an expression. Two regions are 6306 /// unsequenced if one is an ancestor or a descendent of the other. When we 6307 /// finish processing an expression with sequencing, such as a comma 6308 /// expression, we fold its tree nodes into its parent, since they are 6309 /// unsequenced with respect to nodes we will visit later. 6310 class SequenceTree { 6311 struct Value { 6312 explicit Value(unsigned Parent) : Parent(Parent), Merged(false) {} 6313 unsigned Parent : 31; 6314 bool Merged : 1; 6315 }; 6316 SmallVector<Value, 8> Values; 6317 6318 public: 6319 /// \brief A region within an expression which may be sequenced with respect 6320 /// to some other region. 6321 class Seq { 6322 explicit Seq(unsigned N) : Index(N) {} 6323 unsigned Index; 6324 friend class SequenceTree; 6325 public: 6326 Seq() : Index(0) {} 6327 }; 6328 6329 SequenceTree() { Values.push_back(Value(0)); } 6330 Seq root() const { return Seq(0); } 6331 6332 /// \brief Create a new sequence of operations, which is an unsequenced 6333 /// subset of \p Parent. This sequence of operations is sequenced with 6334 /// respect to other children of \p Parent. 6335 Seq allocate(Seq Parent) { 6336 Values.push_back(Value(Parent.Index)); 6337 return Seq(Values.size() - 1); 6338 } 6339 6340 /// \brief Merge a sequence of operations into its parent. 6341 void merge(Seq S) { 6342 Values[S.Index].Merged = true; 6343 } 6344 6345 /// \brief Determine whether two operations are unsequenced. This operation 6346 /// is asymmetric: \p Cur should be the more recent sequence, and \p Old 6347 /// should have been merged into its parent as appropriate. 6348 bool isUnsequenced(Seq Cur, Seq Old) { 6349 unsigned C = representative(Cur.Index); 6350 unsigned Target = representative(Old.Index); 6351 while (C >= Target) { 6352 if (C == Target) 6353 return true; 6354 C = Values[C].Parent; 6355 } 6356 return false; 6357 } 6358 6359 private: 6360 /// \brief Pick a representative for a sequence. 6361 unsigned representative(unsigned K) { 6362 if (Values[K].Merged) 6363 // Perform path compression as we go. 6364 return Values[K].Parent = representative(Values[K].Parent); 6365 return K; 6366 } 6367 }; 6368 6369 /// An object for which we can track unsequenced uses. 6370 typedef NamedDecl *Object; 6371 6372 /// Different flavors of object usage which we track. We only track the 6373 /// least-sequenced usage of each kind. 6374 enum UsageKind { 6375 /// A read of an object. Multiple unsequenced reads are OK. 6376 UK_Use, 6377 /// A modification of an object which is sequenced before the value 6378 /// computation of the expression, such as ++n in C++. 6379 UK_ModAsValue, 6380 /// A modification of an object which is not sequenced before the value 6381 /// computation of the expression, such as n++. 6382 UK_ModAsSideEffect, 6383 6384 UK_Count = UK_ModAsSideEffect + 1 6385 }; 6386 6387 struct Usage { 6388 Usage() : Use(nullptr), Seq() {} 6389 Expr *Use; 6390 SequenceTree::Seq Seq; 6391 }; 6392 6393 struct UsageInfo { 6394 UsageInfo() : Diagnosed(false) {} 6395 Usage Uses[UK_Count]; 6396 /// Have we issued a diagnostic for this variable already? 6397 bool Diagnosed; 6398 }; 6399 typedef llvm::SmallDenseMap<Object, UsageInfo, 16> UsageInfoMap; 6400 6401 Sema &SemaRef; 6402 /// Sequenced regions within the expression. 6403 SequenceTree Tree; 6404 /// Declaration modifications and references which we have seen. 6405 UsageInfoMap UsageMap; 6406 /// The region we are currently within. 6407 SequenceTree::Seq Region; 6408 /// Filled in with declarations which were modified as a side-effect 6409 /// (that is, post-increment operations). 6410 SmallVectorImpl<std::pair<Object, Usage> > *ModAsSideEffect; 6411 /// Expressions to check later. We defer checking these to reduce 6412 /// stack usage. 6413 SmallVectorImpl<Expr *> &WorkList; 6414 6415 /// RAII object wrapping the visitation of a sequenced subexpression of an 6416 /// expression. At the end of this process, the side-effects of the evaluation 6417 /// become sequenced with respect to the value computation of the result, so 6418 /// we downgrade any UK_ModAsSideEffect within the evaluation to 6419 /// UK_ModAsValue. 6420 struct SequencedSubexpression { 6421 SequencedSubexpression(SequenceChecker &Self) 6422 : Self(Self), OldModAsSideEffect(Self.ModAsSideEffect) { 6423 Self.ModAsSideEffect = &ModAsSideEffect; 6424 } 6425 ~SequencedSubexpression() { 6426 for (unsigned I = 0, E = ModAsSideEffect.size(); I != E; ++I) { 6427 UsageInfo &U = Self.UsageMap[ModAsSideEffect[I].first]; 6428 U.Uses[UK_ModAsSideEffect] = ModAsSideEffect[I].second; 6429 Self.addUsage(U, ModAsSideEffect[I].first, 6430 ModAsSideEffect[I].second.Use, UK_ModAsValue); 6431 } 6432 Self.ModAsSideEffect = OldModAsSideEffect; 6433 } 6434 6435 SequenceChecker &Self; 6436 SmallVector<std::pair<Object, Usage>, 4> ModAsSideEffect; 6437 SmallVectorImpl<std::pair<Object, Usage> > *OldModAsSideEffect; 6438 }; 6439 6440 /// RAII object wrapping the visitation of a subexpression which we might 6441 /// choose to evaluate as a constant. If any subexpression is evaluated and 6442 /// found to be non-constant, this allows us to suppress the evaluation of 6443 /// the outer expression. 6444 class EvaluationTracker { 6445 public: 6446 EvaluationTracker(SequenceChecker &Self) 6447 : Self(Self), Prev(Self.EvalTracker), EvalOK(true) { 6448 Self.EvalTracker = this; 6449 } 6450 ~EvaluationTracker() { 6451 Self.EvalTracker = Prev; 6452 if (Prev) 6453 Prev->EvalOK &= EvalOK; 6454 } 6455 6456 bool evaluate(const Expr *E, bool &Result) { 6457 if (!EvalOK || E->isValueDependent()) 6458 return false; 6459 EvalOK = E->EvaluateAsBooleanCondition(Result, Self.SemaRef.Context); 6460 return EvalOK; 6461 } 6462 6463 private: 6464 SequenceChecker &Self; 6465 EvaluationTracker *Prev; 6466 bool EvalOK; 6467 } *EvalTracker; 6468 6469 /// \brief Find the object which is produced by the specified expression, 6470 /// if any. 6471 Object getObject(Expr *E, bool Mod) const { 6472 E = E->IgnoreParenCasts(); 6473 if (UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) { 6474 if (Mod && (UO->getOpcode() == UO_PreInc || UO->getOpcode() == UO_PreDec)) 6475 return getObject(UO->getSubExpr(), Mod); 6476 } else if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 6477 if (BO->getOpcode() == BO_Comma) 6478 return getObject(BO->getRHS(), Mod); 6479 if (Mod && BO->isAssignmentOp()) 6480 return getObject(BO->getLHS(), Mod); 6481 } else if (MemberExpr *ME = dyn_cast<MemberExpr>(E)) { 6482 // FIXME: Check for more interesting cases, like "x.n = ++x.n". 6483 if (isa<CXXThisExpr>(ME->getBase()->IgnoreParenCasts())) 6484 return ME->getMemberDecl(); 6485 } else if (DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) 6486 // FIXME: If this is a reference, map through to its value. 6487 return DRE->getDecl(); 6488 return nullptr; 6489 } 6490 6491 /// \brief Note that an object was modified or used by an expression. 6492 void addUsage(UsageInfo &UI, Object O, Expr *Ref, UsageKind UK) { 6493 Usage &U = UI.Uses[UK]; 6494 if (!U.Use || !Tree.isUnsequenced(Region, U.Seq)) { 6495 if (UK == UK_ModAsSideEffect && ModAsSideEffect) 6496 ModAsSideEffect->push_back(std::make_pair(O, U)); 6497 U.Use = Ref; 6498 U.Seq = Region; 6499 } 6500 } 6501 /// \brief Check whether a modification or use conflicts with a prior usage. 6502 void checkUsage(Object O, UsageInfo &UI, Expr *Ref, UsageKind OtherKind, 6503 bool IsModMod) { 6504 if (UI.Diagnosed) 6505 return; 6506 6507 const Usage &U = UI.Uses[OtherKind]; 6508 if (!U.Use || !Tree.isUnsequenced(Region, U.Seq)) 6509 return; 6510 6511 Expr *Mod = U.Use; 6512 Expr *ModOrUse = Ref; 6513 if (OtherKind == UK_Use) 6514 std::swap(Mod, ModOrUse); 6515 6516 SemaRef.Diag(Mod->getExprLoc(), 6517 IsModMod ? diag::warn_unsequenced_mod_mod 6518 : diag::warn_unsequenced_mod_use) 6519 << O << SourceRange(ModOrUse->getExprLoc()); 6520 UI.Diagnosed = true; 6521 } 6522 6523 void notePreUse(Object O, Expr *Use) { 6524 UsageInfo &U = UsageMap[O]; 6525 // Uses conflict with other modifications. 6526 checkUsage(O, U, Use, UK_ModAsValue, false); 6527 } 6528 void notePostUse(Object O, Expr *Use) { 6529 UsageInfo &U = UsageMap[O]; 6530 checkUsage(O, U, Use, UK_ModAsSideEffect, false); 6531 addUsage(U, O, Use, UK_Use); 6532 } 6533 6534 void notePreMod(Object O, Expr *Mod) { 6535 UsageInfo &U = UsageMap[O]; 6536 // Modifications conflict with other modifications and with uses. 6537 checkUsage(O, U, Mod, UK_ModAsValue, true); 6538 checkUsage(O, U, Mod, UK_Use, false); 6539 } 6540 void notePostMod(Object O, Expr *Use, UsageKind UK) { 6541 UsageInfo &U = UsageMap[O]; 6542 checkUsage(O, U, Use, UK_ModAsSideEffect, true); 6543 addUsage(U, O, Use, UK); 6544 } 6545 6546public: 6547 SequenceChecker(Sema &S, Expr *E, SmallVectorImpl<Expr *> &WorkList) 6548 : Base(S.Context), SemaRef(S), Region(Tree.root()), 6549 ModAsSideEffect(nullptr), WorkList(WorkList), EvalTracker(nullptr) { 6550 Visit(E); 6551 } 6552 6553 void VisitStmt(Stmt *S) { 6554 // Skip all statements which aren't expressions for now. 6555 } 6556 6557 void VisitExpr(Expr *E) { 6558 // By default, just recurse to evaluated subexpressions. 6559 Base::VisitStmt(E); 6560 } 6561 6562 void VisitCastExpr(CastExpr *E) { 6563 Object O = Object(); 6564 if (E->getCastKind() == CK_LValueToRValue) 6565 O = getObject(E->getSubExpr(), false); 6566 6567 if (O) 6568 notePreUse(O, E); 6569 VisitExpr(E); 6570 if (O) 6571 notePostUse(O, E); 6572 } 6573 6574 void VisitBinComma(BinaryOperator *BO) { 6575 // C++11 [expr.comma]p1: 6576 // Every value computation and side effect associated with the left 6577 // expression is sequenced before every value computation and side 6578 // effect associated with the right expression. 6579 SequenceTree::Seq LHS = Tree.allocate(Region); 6580 SequenceTree::Seq RHS = Tree.allocate(Region); 6581 SequenceTree::Seq OldRegion = Region; 6582 6583 { 6584 SequencedSubexpression SeqLHS(*this); 6585 Region = LHS; 6586 Visit(BO->getLHS()); 6587 } 6588 6589 Region = RHS; 6590 Visit(BO->getRHS()); 6591 6592 Region = OldRegion; 6593 6594 // Forget that LHS and RHS are sequenced. They are both unsequenced 6595 // with respect to other stuff. 6596 Tree.merge(LHS); 6597 Tree.merge(RHS); 6598 } 6599 6600 void VisitBinAssign(BinaryOperator *BO) { 6601 // The modification is sequenced after the value computation of the LHS 6602 // and RHS, so check it before inspecting the operands and update the 6603 // map afterwards. 6604 Object O = getObject(BO->getLHS(), true); 6605 if (!O) 6606 return VisitExpr(BO); 6607 6608 notePreMod(O, BO); 6609 6610 // C++11 [expr.ass]p7: 6611 // E1 op= E2 is equivalent to E1 = E1 op E2, except that E1 is evaluated 6612 // only once. 6613 // 6614 // Therefore, for a compound assignment operator, O is considered used 6615 // everywhere except within the evaluation of E1 itself. 6616 if (isa<CompoundAssignOperator>(BO)) 6617 notePreUse(O, BO); 6618 6619 Visit(BO->getLHS()); 6620 6621 if (isa<CompoundAssignOperator>(BO)) 6622 notePostUse(O, BO); 6623 6624 Visit(BO->getRHS()); 6625 6626 // C++11 [expr.ass]p1: 6627 // the assignment is sequenced [...] before the value computation of the 6628 // assignment expression. 6629 // C11 6.5.16/3 has no such rule. 6630 notePostMod(O, BO, SemaRef.getLangOpts().CPlusPlus ? UK_ModAsValue 6631 : UK_ModAsSideEffect); 6632 } 6633 void VisitCompoundAssignOperator(CompoundAssignOperator *CAO) { 6634 VisitBinAssign(CAO); 6635 } 6636 6637 void VisitUnaryPreInc(UnaryOperator *UO) { VisitUnaryPreIncDec(UO); } 6638 void VisitUnaryPreDec(UnaryOperator *UO) { VisitUnaryPreIncDec(UO); } 6639 void VisitUnaryPreIncDec(UnaryOperator *UO) { 6640 Object O = getObject(UO->getSubExpr(), true); 6641 if (!O) 6642 return VisitExpr(UO); 6643 6644 notePreMod(O, UO); 6645 Visit(UO->getSubExpr()); 6646 // C++11 [expr.pre.incr]p1: 6647 // the expression ++x is equivalent to x+=1 6648 notePostMod(O, UO, SemaRef.getLangOpts().CPlusPlus ? UK_ModAsValue 6649 : UK_ModAsSideEffect); 6650 } 6651 6652 void VisitUnaryPostInc(UnaryOperator *UO) { VisitUnaryPostIncDec(UO); } 6653 void VisitUnaryPostDec(UnaryOperator *UO) { VisitUnaryPostIncDec(UO); } 6654 void VisitUnaryPostIncDec(UnaryOperator *UO) { 6655 Object O = getObject(UO->getSubExpr(), true); 6656 if (!O) 6657 return VisitExpr(UO); 6658 6659 notePreMod(O, UO); 6660 Visit(UO->getSubExpr()); 6661 notePostMod(O, UO, UK_ModAsSideEffect); 6662 } 6663 6664 /// Don't visit the RHS of '&&' or '||' if it might not be evaluated. 6665 void VisitBinLOr(BinaryOperator *BO) { 6666 // The side-effects of the LHS of an '&&' are sequenced before the 6667 // value computation of the RHS, and hence before the value computation 6668 // of the '&&' itself, unless the LHS evaluates to zero. We treat them 6669 // as if they were unconditionally sequenced. 6670 EvaluationTracker Eval(*this); 6671 { 6672 SequencedSubexpression Sequenced(*this); 6673 Visit(BO->getLHS()); 6674 } 6675 6676 bool Result; 6677 if (Eval.evaluate(BO->getLHS(), Result)) { 6678 if (!Result) 6679 Visit(BO->getRHS()); 6680 } else { 6681 // Check for unsequenced operations in the RHS, treating it as an 6682 // entirely separate evaluation. 6683 // 6684 // FIXME: If there are operations in the RHS which are unsequenced 6685 // with respect to operations outside the RHS, and those operations 6686 // are unconditionally evaluated, diagnose them. 6687 WorkList.push_back(BO->getRHS()); 6688 } 6689 } 6690 void VisitBinLAnd(BinaryOperator *BO) { 6691 EvaluationTracker Eval(*this); 6692 { 6693 SequencedSubexpression Sequenced(*this); 6694 Visit(BO->getLHS()); 6695 } 6696 6697 bool Result; 6698 if (Eval.evaluate(BO->getLHS(), Result)) { 6699 if (Result) 6700 Visit(BO->getRHS()); 6701 } else { 6702 WorkList.push_back(BO->getRHS()); 6703 } 6704 } 6705 6706 // Only visit the condition, unless we can be sure which subexpression will 6707 // be chosen. 6708 void VisitAbstractConditionalOperator(AbstractConditionalOperator *CO) { 6709 EvaluationTracker Eval(*this); 6710 { 6711 SequencedSubexpression Sequenced(*this); 6712 Visit(CO->getCond()); 6713 } 6714 6715 bool Result; 6716 if (Eval.evaluate(CO->getCond(), Result)) 6717 Visit(Result ? CO->getTrueExpr() : CO->getFalseExpr()); 6718 else { 6719 WorkList.push_back(CO->getTrueExpr()); 6720 WorkList.push_back(CO->getFalseExpr()); 6721 } 6722 } 6723 6724 void VisitCallExpr(CallExpr *CE) { 6725 // C++11 [intro.execution]p15: 6726 // When calling a function [...], every value computation and side effect 6727 // associated with any argument expression, or with the postfix expression 6728 // designating the called function, is sequenced before execution of every 6729 // expression or statement in the body of the function [and thus before 6730 // the value computation of its result]. 6731 SequencedSubexpression Sequenced(*this); 6732 Base::VisitCallExpr(CE); 6733 6734 // FIXME: CXXNewExpr and CXXDeleteExpr implicitly call functions. 6735 } 6736 6737 void VisitCXXConstructExpr(CXXConstructExpr *CCE) { 6738 // This is a call, so all subexpressions are sequenced before the result. 6739 SequencedSubexpression Sequenced(*this); 6740 6741 if (!CCE->isListInitialization()) 6742 return VisitExpr(CCE); 6743 6744 // In C++11, list initializations are sequenced. 6745 SmallVector<SequenceTree::Seq, 32> Elts; 6746 SequenceTree::Seq Parent = Region; 6747 for (CXXConstructExpr::arg_iterator I = CCE->arg_begin(), 6748 E = CCE->arg_end(); 6749 I != E; ++I) { 6750 Region = Tree.allocate(Parent); 6751 Elts.push_back(Region); 6752 Visit(*I); 6753 } 6754 6755 // Forget that the initializers are sequenced. 6756 Region = Parent; 6757 for (unsigned I = 0; I < Elts.size(); ++I) 6758 Tree.merge(Elts[I]); 6759 } 6760 6761 void VisitInitListExpr(InitListExpr *ILE) { 6762 if (!SemaRef.getLangOpts().CPlusPlus11) 6763 return VisitExpr(ILE); 6764 6765 // In C++11, list initializations are sequenced. 6766 SmallVector<SequenceTree::Seq, 32> Elts; 6767 SequenceTree::Seq Parent = Region; 6768 for (unsigned I = 0; I < ILE->getNumInits(); ++I) { 6769 Expr *E = ILE->getInit(I); 6770 if (!E) continue; 6771 Region = Tree.allocate(Parent); 6772 Elts.push_back(Region); 6773 Visit(E); 6774 } 6775 6776 // Forget that the initializers are sequenced. 6777 Region = Parent; 6778 for (unsigned I = 0; I < Elts.size(); ++I) 6779 Tree.merge(Elts[I]); 6780 } 6781}; 6782} 6783 6784void Sema::CheckUnsequencedOperations(Expr *E) { 6785 SmallVector<Expr *, 8> WorkList; 6786 WorkList.push_back(E); 6787 while (!WorkList.empty()) { 6788 Expr *Item = WorkList.pop_back_val(); 6789 SequenceChecker(*this, Item, WorkList); 6790 } 6791} 6792 6793void Sema::CheckCompletedExpr(Expr *E, SourceLocation CheckLoc, 6794 bool IsConstexpr) { 6795 CheckImplicitConversions(E, CheckLoc); 6796 CheckUnsequencedOperations(E); 6797 if (!IsConstexpr && !E->isValueDependent()) 6798 CheckForIntOverflow(E); 6799} 6800 6801void Sema::CheckBitFieldInitialization(SourceLocation InitLoc, 6802 FieldDecl *BitField, 6803 Expr *Init) { 6804 (void) AnalyzeBitFieldAssignment(*this, BitField, Init, InitLoc); 6805} 6806 6807/// CheckParmsForFunctionDef - Check that the parameters of the given 6808/// function are appropriate for the definition of a function. This 6809/// takes care of any checks that cannot be performed on the 6810/// declaration itself, e.g., that the types of each of the function 6811/// parameters are complete. 6812bool Sema::CheckParmsForFunctionDef(ParmVarDecl *const *P, 6813 ParmVarDecl *const *PEnd, 6814 bool CheckParameterNames) { 6815 bool HasInvalidParm = false; 6816 for (; P != PEnd; ++P) { 6817 ParmVarDecl *Param = *P; 6818 6819 // C99 6.7.5.3p4: the parameters in a parameter type list in a 6820 // function declarator that is part of a function definition of 6821 // that function shall not have incomplete type. 6822 // 6823 // This is also C++ [dcl.fct]p6. 6824 if (!Param->isInvalidDecl() && 6825 RequireCompleteType(Param->getLocation(), Param->getType(), 6826 diag::err_typecheck_decl_incomplete_type)) { 6827 Param->setInvalidDecl(); 6828 HasInvalidParm = true; 6829 } 6830 6831 // C99 6.9.1p5: If the declarator includes a parameter type list, the 6832 // declaration of each parameter shall include an identifier. 6833 if (CheckParameterNames && 6834 Param->getIdentifier() == nullptr && 6835 !Param->isImplicit() && 6836 !getLangOpts().CPlusPlus) 6837 Diag(Param->getLocation(), diag::err_parameter_name_omitted); 6838 6839 // C99 6.7.5.3p12: 6840 // If the function declarator is not part of a definition of that 6841 // function, parameters may have incomplete type and may use the [*] 6842 // notation in their sequences of declarator specifiers to specify 6843 // variable length array types. 6844 QualType PType = Param->getOriginalType(); 6845 while (const ArrayType *AT = Context.getAsArrayType(PType)) { 6846 if (AT->getSizeModifier() == ArrayType::Star) { 6847 // FIXME: This diagnostic should point the '[*]' if source-location 6848 // information is added for it. 6849 Diag(Param->getLocation(), diag::err_array_star_in_function_definition); 6850 break; 6851 } 6852 PType= AT->getElementType(); 6853 } 6854 6855 // MSVC destroys objects passed by value in the callee. Therefore a 6856 // function definition which takes such a parameter must be able to call the 6857 // object's destructor. However, we don't perform any direct access check 6858 // on the dtor. 6859 if (getLangOpts().CPlusPlus && Context.getTargetInfo() 6860 .getCXXABI() 6861 .areArgsDestroyedLeftToRightInCallee()) { 6862 if (!Param->isInvalidDecl()) { 6863 if (const RecordType *RT = Param->getType()->getAs<RecordType>()) { 6864 CXXRecordDecl *ClassDecl = cast<CXXRecordDecl>(RT->getDecl()); 6865 if (!ClassDecl->isInvalidDecl() && 6866 !ClassDecl->hasIrrelevantDestructor() && 6867 !ClassDecl->isDependentContext()) { 6868 CXXDestructorDecl *Destructor = LookupDestructor(ClassDecl); 6869 MarkFunctionReferenced(Param->getLocation(), Destructor); 6870 DiagnoseUseOfDecl(Destructor, Param->getLocation()); 6871 } 6872 } 6873 } 6874 } 6875 } 6876 6877 return HasInvalidParm; 6878} 6879 6880/// CheckCastAlign - Implements -Wcast-align, which warns when a 6881/// pointer cast increases the alignment requirements. 6882void Sema::CheckCastAlign(Expr *Op, QualType T, SourceRange TRange) { 6883 // This is actually a lot of work to potentially be doing on every 6884 // cast; don't do it if we're ignoring -Wcast_align (as is the default). 6885 if (getDiagnostics().getDiagnosticLevel(diag::warn_cast_align, 6886 TRange.getBegin()) 6887 == DiagnosticsEngine::Ignored) 6888 return; 6889 6890 // Ignore dependent types. 6891 if (T->isDependentType() || Op->getType()->isDependentType()) 6892 return; 6893 6894 // Require that the destination be a pointer type. 6895 const PointerType *DestPtr = T->getAs<PointerType>(); 6896 if (!DestPtr) return; 6897 6898 // If the destination has alignment 1, we're done. 6899 QualType DestPointee = DestPtr->getPointeeType(); 6900 if (DestPointee->isIncompleteType()) return; 6901 CharUnits DestAlign = Context.getTypeAlignInChars(DestPointee); 6902 if (DestAlign.isOne()) return; 6903 6904 // Require that the source be a pointer type. 6905 const PointerType *SrcPtr = Op->getType()->getAs<PointerType>(); 6906 if (!SrcPtr) return; 6907 QualType SrcPointee = SrcPtr->getPointeeType(); 6908 6909 // Whitelist casts from cv void*. We already implicitly 6910 // whitelisted casts to cv void*, since they have alignment 1. 6911 // Also whitelist casts involving incomplete types, which implicitly 6912 // includes 'void'. 6913 if (SrcPointee->isIncompleteType()) return; 6914 6915 CharUnits SrcAlign = Context.getTypeAlignInChars(SrcPointee); 6916 if (SrcAlign >= DestAlign) return; 6917 6918 Diag(TRange.getBegin(), diag::warn_cast_align) 6919 << Op->getType() << T 6920 << static_cast<unsigned>(SrcAlign.getQuantity()) 6921 << static_cast<unsigned>(DestAlign.getQuantity()) 6922 << TRange << Op->getSourceRange(); 6923} 6924 6925static const Type* getElementType(const Expr *BaseExpr) { 6926 const Type* EltType = BaseExpr->getType().getTypePtr(); 6927 if (EltType->isAnyPointerType()) 6928 return EltType->getPointeeType().getTypePtr(); 6929 else if (EltType->isArrayType()) 6930 return EltType->getBaseElementTypeUnsafe(); 6931 return EltType; 6932} 6933 6934/// \brief Check whether this array fits the idiom of a size-one tail padded 6935/// array member of a struct. 6936/// 6937/// We avoid emitting out-of-bounds access warnings for such arrays as they are 6938/// commonly used to emulate flexible arrays in C89 code. 6939static bool IsTailPaddedMemberArray(Sema &S, llvm::APInt Size, 6940 const NamedDecl *ND) { 6941 if (Size != 1 || !ND) return false; 6942 6943 const FieldDecl *FD = dyn_cast<FieldDecl>(ND); 6944 if (!FD) return false; 6945 6946 // Don't consider sizes resulting from macro expansions or template argument 6947 // substitution to form C89 tail-padded arrays. 6948 6949 TypeSourceInfo *TInfo = FD->getTypeSourceInfo(); 6950 while (TInfo) { 6951 TypeLoc TL = TInfo->getTypeLoc(); 6952 // Look through typedefs. 6953 if (TypedefTypeLoc TTL = TL.getAs<TypedefTypeLoc>()) { 6954 const TypedefNameDecl *TDL = TTL.getTypedefNameDecl(); 6955 TInfo = TDL->getTypeSourceInfo(); 6956 continue; 6957 } 6958 if (ConstantArrayTypeLoc CTL = TL.getAs<ConstantArrayTypeLoc>()) { 6959 const Expr *SizeExpr = dyn_cast<IntegerLiteral>(CTL.getSizeExpr()); 6960 if (!SizeExpr || SizeExpr->getExprLoc().isMacroID()) 6961 return false; 6962 } 6963 break; 6964 } 6965 6966 const RecordDecl *RD = dyn_cast<RecordDecl>(FD->getDeclContext()); 6967 if (!RD) return false; 6968 if (RD->isUnion()) return false; 6969 if (const CXXRecordDecl *CRD = dyn_cast<CXXRecordDecl>(RD)) { 6970 if (!CRD->isStandardLayout()) return false; 6971 } 6972 6973 // See if this is the last field decl in the record. 6974 const Decl *D = FD; 6975 while ((D = D->getNextDeclInContext())) 6976 if (isa<FieldDecl>(D)) 6977 return false; 6978 return true; 6979} 6980 6981void Sema::CheckArrayAccess(const Expr *BaseExpr, const Expr *IndexExpr, 6982 const ArraySubscriptExpr *ASE, 6983 bool AllowOnePastEnd, bool IndexNegated) { 6984 IndexExpr = IndexExpr->IgnoreParenImpCasts(); 6985 if (IndexExpr->isValueDependent()) 6986 return; 6987 6988 const Type *EffectiveType = getElementType(BaseExpr); 6989 BaseExpr = BaseExpr->IgnoreParenCasts(); 6990 const ConstantArrayType *ArrayTy = 6991 Context.getAsConstantArrayType(BaseExpr->getType()); 6992 if (!ArrayTy) 6993 return; 6994 6995 llvm::APSInt index; 6996 if (!IndexExpr->EvaluateAsInt(index, Context)) 6997 return; 6998 if (IndexNegated) 6999 index = -index; 7000 7001 const NamedDecl *ND = nullptr; 7002 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr)) 7003 ND = dyn_cast<NamedDecl>(DRE->getDecl()); 7004 if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr)) 7005 ND = dyn_cast<NamedDecl>(ME->getMemberDecl()); 7006 7007 if (index.isUnsigned() || !index.isNegative()) { 7008 llvm::APInt size = ArrayTy->getSize(); 7009 if (!size.isStrictlyPositive()) 7010 return; 7011 7012 const Type* BaseType = getElementType(BaseExpr); 7013 if (BaseType != EffectiveType) { 7014 // Make sure we're comparing apples to apples when comparing index to size 7015 uint64_t ptrarith_typesize = Context.getTypeSize(EffectiveType); 7016 uint64_t array_typesize = Context.getTypeSize(BaseType); 7017 // Handle ptrarith_typesize being zero, such as when casting to void* 7018 if (!ptrarith_typesize) ptrarith_typesize = 1; 7019 if (ptrarith_typesize != array_typesize) { 7020 // There's a cast to a different size type involved 7021 uint64_t ratio = array_typesize / ptrarith_typesize; 7022 // TODO: Be smarter about handling cases where array_typesize is not a 7023 // multiple of ptrarith_typesize 7024 if (ptrarith_typesize * ratio == array_typesize) 7025 size *= llvm::APInt(size.getBitWidth(), ratio); 7026 } 7027 } 7028 7029 if (size.getBitWidth() > index.getBitWidth()) 7030 index = index.zext(size.getBitWidth()); 7031 else if (size.getBitWidth() < index.getBitWidth()) 7032 size = size.zext(index.getBitWidth()); 7033 7034 // For array subscripting the index must be less than size, but for pointer 7035 // arithmetic also allow the index (offset) to be equal to size since 7036 // computing the next address after the end of the array is legal and 7037 // commonly done e.g. in C++ iterators and range-based for loops. 7038 if (AllowOnePastEnd ? index.ule(size) : index.ult(size)) 7039 return; 7040 7041 // Also don't warn for arrays of size 1 which are members of some 7042 // structure. These are often used to approximate flexible arrays in C89 7043 // code. 7044 if (IsTailPaddedMemberArray(*this, size, ND)) 7045 return; 7046 7047 // Suppress the warning if the subscript expression (as identified by the 7048 // ']' location) and the index expression are both from macro expansions 7049 // within a system header. 7050 if (ASE) { 7051 SourceLocation RBracketLoc = SourceMgr.getSpellingLoc( 7052 ASE->getRBracketLoc()); 7053 if (SourceMgr.isInSystemHeader(RBracketLoc)) { 7054 SourceLocation IndexLoc = SourceMgr.getSpellingLoc( 7055 IndexExpr->getLocStart()); 7056 if (SourceMgr.isWrittenInSameFile(RBracketLoc, IndexLoc)) 7057 return; 7058 } 7059 } 7060 7061 unsigned DiagID = diag::warn_ptr_arith_exceeds_bounds; 7062 if (ASE) 7063 DiagID = diag::warn_array_index_exceeds_bounds; 7064 7065 DiagRuntimeBehavior(BaseExpr->getLocStart(), BaseExpr, 7066 PDiag(DiagID) << index.toString(10, true) 7067 << size.toString(10, true) 7068 << (unsigned)size.getLimitedValue(~0U) 7069 << IndexExpr->getSourceRange()); 7070 } else { 7071 unsigned DiagID = diag::warn_array_index_precedes_bounds; 7072 if (!ASE) { 7073 DiagID = diag::warn_ptr_arith_precedes_bounds; 7074 if (index.isNegative()) index = -index; 7075 } 7076 7077 DiagRuntimeBehavior(BaseExpr->getLocStart(), BaseExpr, 7078 PDiag(DiagID) << index.toString(10, true) 7079 << IndexExpr->getSourceRange()); 7080 } 7081 7082 if (!ND) { 7083 // Try harder to find a NamedDecl to point at in the note. 7084 while (const ArraySubscriptExpr *ASE = 7085 dyn_cast<ArraySubscriptExpr>(BaseExpr)) 7086 BaseExpr = ASE->getBase()->IgnoreParenCasts(); 7087 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr)) 7088 ND = dyn_cast<NamedDecl>(DRE->getDecl()); 7089 if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr)) 7090 ND = dyn_cast<NamedDecl>(ME->getMemberDecl()); 7091 } 7092 7093 if (ND) 7094 DiagRuntimeBehavior(ND->getLocStart(), BaseExpr, 7095 PDiag(diag::note_array_index_out_of_bounds) 7096 << ND->getDeclName()); 7097} 7098 7099void Sema::CheckArrayAccess(const Expr *expr) { 7100 int AllowOnePastEnd = 0; 7101 while (expr) { 7102 expr = expr->IgnoreParenImpCasts(); 7103 switch (expr->getStmtClass()) { 7104 case Stmt::ArraySubscriptExprClass: { 7105 const ArraySubscriptExpr *ASE = cast<ArraySubscriptExpr>(expr); 7106 CheckArrayAccess(ASE->getBase(), ASE->getIdx(), ASE, 7107 AllowOnePastEnd > 0); 7108 return; 7109 } 7110 case Stmt::UnaryOperatorClass: { 7111 // Only unwrap the * and & unary operators 7112 const UnaryOperator *UO = cast<UnaryOperator>(expr); 7113 expr = UO->getSubExpr(); 7114 switch (UO->getOpcode()) { 7115 case UO_AddrOf: 7116 AllowOnePastEnd++; 7117 break; 7118 case UO_Deref: 7119 AllowOnePastEnd--; 7120 break; 7121 default: 7122 return; 7123 } 7124 break; 7125 } 7126 case Stmt::ConditionalOperatorClass: { 7127 const ConditionalOperator *cond = cast<ConditionalOperator>(expr); 7128 if (const Expr *lhs = cond->getLHS()) 7129 CheckArrayAccess(lhs); 7130 if (const Expr *rhs = cond->getRHS()) 7131 CheckArrayAccess(rhs); 7132 return; 7133 } 7134 default: 7135 return; 7136 } 7137 } 7138} 7139 7140//===--- CHECK: Objective-C retain cycles ----------------------------------// 7141 7142namespace { 7143 struct RetainCycleOwner { 7144 RetainCycleOwner() : Variable(nullptr), Indirect(false) {} 7145 VarDecl *Variable; 7146 SourceRange Range; 7147 SourceLocation Loc; 7148 bool Indirect; 7149 7150 void setLocsFrom(Expr *e) { 7151 Loc = e->getExprLoc(); 7152 Range = e->getSourceRange(); 7153 } 7154 }; 7155} 7156 7157/// Consider whether capturing the given variable can possibly lead to 7158/// a retain cycle. 7159static bool considerVariable(VarDecl *var, Expr *ref, RetainCycleOwner &owner) { 7160 // In ARC, it's captured strongly iff the variable has __strong 7161 // lifetime. In MRR, it's captured strongly if the variable is 7162 // __block and has an appropriate type. 7163 if (var->getType().getObjCLifetime() != Qualifiers::OCL_Strong) 7164 return false; 7165 7166 owner.Variable = var; 7167 if (ref) 7168 owner.setLocsFrom(ref); 7169 return true; 7170} 7171 7172static bool findRetainCycleOwner(Sema &S, Expr *e, RetainCycleOwner &owner) { 7173 while (true) { 7174 e = e->IgnoreParens(); 7175 if (CastExpr *cast = dyn_cast<CastExpr>(e)) { 7176 switch (cast->getCastKind()) { 7177 case CK_BitCast: 7178 case CK_LValueBitCast: 7179 case CK_LValueToRValue: 7180 case CK_ARCReclaimReturnedObject: 7181 e = cast->getSubExpr(); 7182 continue; 7183 7184 default: 7185 return false; 7186 } 7187 } 7188 7189 if (ObjCIvarRefExpr *ref = dyn_cast<ObjCIvarRefExpr>(e)) { 7190 ObjCIvarDecl *ivar = ref->getDecl(); 7191 if (ivar->getType().getObjCLifetime() != Qualifiers::OCL_Strong) 7192 return false; 7193 7194 // Try to find a retain cycle in the base. 7195 if (!findRetainCycleOwner(S, ref->getBase(), owner)) 7196 return false; 7197 7198 if (ref->isFreeIvar()) owner.setLocsFrom(ref); 7199 owner.Indirect = true; 7200 return true; 7201 } 7202 7203 if (DeclRefExpr *ref = dyn_cast<DeclRefExpr>(e)) { 7204 VarDecl *var = dyn_cast<VarDecl>(ref->getDecl()); 7205 if (!var) return false; 7206 return considerVariable(var, ref, owner); 7207 } 7208 7209 if (MemberExpr *member = dyn_cast<MemberExpr>(e)) { 7210 if (member->isArrow()) return false; 7211 7212 // Don't count this as an indirect ownership. 7213 e = member->getBase(); 7214 continue; 7215 } 7216 7217 if (PseudoObjectExpr *pseudo = dyn_cast<PseudoObjectExpr>(e)) { 7218 // Only pay attention to pseudo-objects on property references. 7219 ObjCPropertyRefExpr *pre 7220 = dyn_cast<ObjCPropertyRefExpr>(pseudo->getSyntacticForm() 7221 ->IgnoreParens()); 7222 if (!pre) return false; 7223 if (pre->isImplicitProperty()) return false; 7224 ObjCPropertyDecl *property = pre->getExplicitProperty(); 7225 if (!property->isRetaining() && 7226 !(property->getPropertyIvarDecl() && 7227 property->getPropertyIvarDecl()->getType() 7228 .getObjCLifetime() == Qualifiers::OCL_Strong)) 7229 return false; 7230 7231 owner.Indirect = true; 7232 if (pre->isSuperReceiver()) { 7233 owner.Variable = S.getCurMethodDecl()->getSelfDecl(); 7234 if (!owner.Variable) 7235 return false; 7236 owner.Loc = pre->getLocation(); 7237 owner.Range = pre->getSourceRange(); 7238 return true; 7239 } 7240 e = const_cast<Expr*>(cast<OpaqueValueExpr>(pre->getBase()) 7241 ->getSourceExpr()); 7242 continue; 7243 } 7244 7245 // Array ivars? 7246 7247 return false; 7248 } 7249} 7250 7251namespace { 7252 struct FindCaptureVisitor : EvaluatedExprVisitor<FindCaptureVisitor> { 7253 FindCaptureVisitor(ASTContext &Context, VarDecl *variable) 7254 : EvaluatedExprVisitor<FindCaptureVisitor>(Context), 7255 Variable(variable), Capturer(nullptr) {} 7256 7257 VarDecl *Variable; 7258 Expr *Capturer; 7259 7260 void VisitDeclRefExpr(DeclRefExpr *ref) { 7261 if (ref->getDecl() == Variable && !Capturer) 7262 Capturer = ref; 7263 } 7264 7265 void VisitObjCIvarRefExpr(ObjCIvarRefExpr *ref) { 7266 if (Capturer) return; 7267 Visit(ref->getBase()); 7268 if (Capturer && ref->isFreeIvar()) 7269 Capturer = ref; 7270 } 7271 7272 void VisitBlockExpr(BlockExpr *block) { 7273 // Look inside nested blocks 7274 if (block->getBlockDecl()->capturesVariable(Variable)) 7275 Visit(block->getBlockDecl()->getBody()); 7276 } 7277 7278 void VisitOpaqueValueExpr(OpaqueValueExpr *OVE) { 7279 if (Capturer) return; 7280 if (OVE->getSourceExpr()) 7281 Visit(OVE->getSourceExpr()); 7282 } 7283 }; 7284} 7285 7286/// Check whether the given argument is a block which captures a 7287/// variable. 7288static Expr *findCapturingExpr(Sema &S, Expr *e, RetainCycleOwner &owner) { 7289 assert(owner.Variable && owner.Loc.isValid()); 7290 7291 e = e->IgnoreParenCasts(); 7292 7293 // Look through [^{...} copy] and Block_copy(^{...}). 7294 if (ObjCMessageExpr *ME = dyn_cast<ObjCMessageExpr>(e)) { 7295 Selector Cmd = ME->getSelector(); 7296 if (Cmd.isUnarySelector() && Cmd.getNameForSlot(0) == "copy") { 7297 e = ME->getInstanceReceiver(); 7298 if (!e) 7299 return nullptr; 7300 e = e->IgnoreParenCasts(); 7301 } 7302 } else if (CallExpr *CE = dyn_cast<CallExpr>(e)) { 7303 if (CE->getNumArgs() == 1) { 7304 FunctionDecl *Fn = dyn_cast_or_null<FunctionDecl>(CE->getCalleeDecl()); 7305 if (Fn) { 7306 const IdentifierInfo *FnI = Fn->getIdentifier(); 7307 if (FnI && FnI->isStr("_Block_copy")) { 7308 e = CE->getArg(0)->IgnoreParenCasts(); 7309 } 7310 } 7311 } 7312 } 7313 7314 BlockExpr *block = dyn_cast<BlockExpr>(e); 7315 if (!block || !block->getBlockDecl()->capturesVariable(owner.Variable)) 7316 return nullptr; 7317 7318 FindCaptureVisitor visitor(S.Context, owner.Variable); 7319 visitor.Visit(block->getBlockDecl()->getBody()); 7320 return visitor.Capturer; 7321} 7322 7323static void diagnoseRetainCycle(Sema &S, Expr *capturer, 7324 RetainCycleOwner &owner) { 7325 assert(capturer); 7326 assert(owner.Variable && owner.Loc.isValid()); 7327 7328 S.Diag(capturer->getExprLoc(), diag::warn_arc_retain_cycle) 7329 << owner.Variable << capturer->getSourceRange(); 7330 S.Diag(owner.Loc, diag::note_arc_retain_cycle_owner) 7331 << owner.Indirect << owner.Range; 7332} 7333 7334/// Check for a keyword selector that starts with the word 'add' or 7335/// 'set'. 7336static bool isSetterLikeSelector(Selector sel) { 7337 if (sel.isUnarySelector()) return false; 7338 7339 StringRef str = sel.getNameForSlot(0); 7340 while (!str.empty() && str.front() == '_') str = str.substr(1); 7341 if (str.startswith("set")) 7342 str = str.substr(3); 7343 else if (str.startswith("add")) { 7344 // Specially whitelist 'addOperationWithBlock:'. 7345 if (sel.getNumArgs() == 1 && str.startswith("addOperationWithBlock")) 7346 return false; 7347 str = str.substr(3); 7348 } 7349 else 7350 return false; 7351 7352 if (str.empty()) return true; 7353 return !isLowercase(str.front()); 7354} 7355 7356/// Check a message send to see if it's likely to cause a retain cycle. 7357void Sema::checkRetainCycles(ObjCMessageExpr *msg) { 7358 // Only check instance methods whose selector looks like a setter. 7359 if (!msg->isInstanceMessage() || !isSetterLikeSelector(msg->getSelector())) 7360 return; 7361 7362 // Try to find a variable that the receiver is strongly owned by. 7363 RetainCycleOwner owner; 7364 if (msg->getReceiverKind() == ObjCMessageExpr::Instance) { 7365 if (!findRetainCycleOwner(*this, msg->getInstanceReceiver(), owner)) 7366 return; 7367 } else { 7368 assert(msg->getReceiverKind() == ObjCMessageExpr::SuperInstance); 7369 owner.Variable = getCurMethodDecl()->getSelfDecl(); 7370 owner.Loc = msg->getSuperLoc(); 7371 owner.Range = msg->getSuperLoc(); 7372 } 7373 7374 // Check whether the receiver is captured by any of the arguments. 7375 for (unsigned i = 0, e = msg->getNumArgs(); i != e; ++i) 7376 if (Expr *capturer = findCapturingExpr(*this, msg->getArg(i), owner)) 7377 return diagnoseRetainCycle(*this, capturer, owner); 7378} 7379 7380/// Check a property assign to see if it's likely to cause a retain cycle. 7381void Sema::checkRetainCycles(Expr *receiver, Expr *argument) { 7382 RetainCycleOwner owner; 7383 if (!findRetainCycleOwner(*this, receiver, owner)) 7384 return; 7385 7386 if (Expr *capturer = findCapturingExpr(*this, argument, owner)) 7387 diagnoseRetainCycle(*this, capturer, owner); 7388} 7389 7390void Sema::checkRetainCycles(VarDecl *Var, Expr *Init) { 7391 RetainCycleOwner Owner; 7392 if (!considerVariable(Var, /*DeclRefExpr=*/nullptr, Owner)) 7393 return; 7394 7395 // Because we don't have an expression for the variable, we have to set the 7396 // location explicitly here. 7397 Owner.Loc = Var->getLocation(); 7398 Owner.Range = Var->getSourceRange(); 7399 7400 if (Expr *Capturer = findCapturingExpr(*this, Init, Owner)) 7401 diagnoseRetainCycle(*this, Capturer, Owner); 7402} 7403 7404static bool checkUnsafeAssignLiteral(Sema &S, SourceLocation Loc, 7405 Expr *RHS, bool isProperty) { 7406 // Check if RHS is an Objective-C object literal, which also can get 7407 // immediately zapped in a weak reference. Note that we explicitly 7408 // allow ObjCStringLiterals, since those are designed to never really die. 7409 RHS = RHS->IgnoreParenImpCasts(); 7410 7411 // This enum needs to match with the 'select' in 7412 // warn_objc_arc_literal_assign (off-by-1). 7413 Sema::ObjCLiteralKind Kind = S.CheckLiteralKind(RHS); 7414 if (Kind == Sema::LK_String || Kind == Sema::LK_None) 7415 return false; 7416 7417 S.Diag(Loc, diag::warn_arc_literal_assign) 7418 << (unsigned) Kind 7419 << (isProperty ? 0 : 1) 7420 << RHS->getSourceRange(); 7421 7422 return true; 7423} 7424 7425static bool checkUnsafeAssignObject(Sema &S, SourceLocation Loc, 7426 Qualifiers::ObjCLifetime LT, 7427 Expr *RHS, bool isProperty) { 7428 // Strip off any implicit cast added to get to the one ARC-specific. 7429 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) { 7430 if (cast->getCastKind() == CK_ARCConsumeObject) { 7431 S.Diag(Loc, diag::warn_arc_retained_assign) 7432 << (LT == Qualifiers::OCL_ExplicitNone) 7433 << (isProperty ? 0 : 1) 7434 << RHS->getSourceRange(); 7435 return true; 7436 } 7437 RHS = cast->getSubExpr(); 7438 } 7439 7440 if (LT == Qualifiers::OCL_Weak && 7441 checkUnsafeAssignLiteral(S, Loc, RHS, isProperty)) 7442 return true; 7443 7444 return false; 7445} 7446 7447bool Sema::checkUnsafeAssigns(SourceLocation Loc, 7448 QualType LHS, Expr *RHS) { 7449 Qualifiers::ObjCLifetime LT = LHS.getObjCLifetime(); 7450 7451 if (LT != Qualifiers::OCL_Weak && LT != Qualifiers::OCL_ExplicitNone) 7452 return false; 7453 7454 if (checkUnsafeAssignObject(*this, Loc, LT, RHS, false)) 7455 return true; 7456 7457 return false; 7458} 7459 7460void Sema::checkUnsafeExprAssigns(SourceLocation Loc, 7461 Expr *LHS, Expr *RHS) { 7462 QualType LHSType; 7463 // PropertyRef on LHS type need be directly obtained from 7464 // its declaration as it has a PseudoType. 7465 ObjCPropertyRefExpr *PRE 7466 = dyn_cast<ObjCPropertyRefExpr>(LHS->IgnoreParens()); 7467 if (PRE && !PRE->isImplicitProperty()) { 7468 const ObjCPropertyDecl *PD = PRE->getExplicitProperty(); 7469 if (PD) 7470 LHSType = PD->getType(); 7471 } 7472 7473 if (LHSType.isNull()) 7474 LHSType = LHS->getType(); 7475 7476 Qualifiers::ObjCLifetime LT = LHSType.getObjCLifetime(); 7477 7478 if (LT == Qualifiers::OCL_Weak) { 7479 DiagnosticsEngine::Level Level = 7480 Diags.getDiagnosticLevel(diag::warn_arc_repeated_use_of_weak, Loc); 7481 if (Level != DiagnosticsEngine::Ignored) 7482 getCurFunction()->markSafeWeakUse(LHS); 7483 } 7484 7485 if (checkUnsafeAssigns(Loc, LHSType, RHS)) 7486 return; 7487 7488 // FIXME. Check for other life times. 7489 if (LT != Qualifiers::OCL_None) 7490 return; 7491 7492 if (PRE) { 7493 if (PRE->isImplicitProperty()) 7494 return; 7495 const ObjCPropertyDecl *PD = PRE->getExplicitProperty(); 7496 if (!PD) 7497 return; 7498 7499 unsigned Attributes = PD->getPropertyAttributes(); 7500 if (Attributes & ObjCPropertyDecl::OBJC_PR_assign) { 7501 // when 'assign' attribute was not explicitly specified 7502 // by user, ignore it and rely on property type itself 7503 // for lifetime info. 7504 unsigned AsWrittenAttr = PD->getPropertyAttributesAsWritten(); 7505 if (!(AsWrittenAttr & ObjCPropertyDecl::OBJC_PR_assign) && 7506 LHSType->isObjCRetainableType()) 7507 return; 7508 7509 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) { 7510 if (cast->getCastKind() == CK_ARCConsumeObject) { 7511 Diag(Loc, diag::warn_arc_retained_property_assign) 7512 << RHS->getSourceRange(); 7513 return; 7514 } 7515 RHS = cast->getSubExpr(); 7516 } 7517 } 7518 else if (Attributes & ObjCPropertyDecl::OBJC_PR_weak) { 7519 if (checkUnsafeAssignObject(*this, Loc, Qualifiers::OCL_Weak, RHS, true)) 7520 return; 7521 } 7522 } 7523} 7524 7525//===--- CHECK: Empty statement body (-Wempty-body) ---------------------===// 7526 7527namespace { 7528bool ShouldDiagnoseEmptyStmtBody(const SourceManager &SourceMgr, 7529 SourceLocation StmtLoc, 7530 const NullStmt *Body) { 7531 // Do not warn if the body is a macro that expands to nothing, e.g: 7532 // 7533 // #define CALL(x) 7534 // if (condition) 7535 // CALL(0); 7536 // 7537 if (Body->hasLeadingEmptyMacro()) 7538 return false; 7539 7540 // Get line numbers of statement and body. 7541 bool StmtLineInvalid; 7542 unsigned StmtLine = SourceMgr.getSpellingLineNumber(StmtLoc, 7543 &StmtLineInvalid); 7544 if (StmtLineInvalid) 7545 return false; 7546 7547 bool BodyLineInvalid; 7548 unsigned BodyLine = SourceMgr.getSpellingLineNumber(Body->getSemiLoc(), 7549 &BodyLineInvalid); 7550 if (BodyLineInvalid) 7551 return false; 7552 7553 // Warn if null statement and body are on the same line. 7554 if (StmtLine != BodyLine) 7555 return false; 7556 7557 return true; 7558} 7559} // Unnamed namespace 7560 7561void Sema::DiagnoseEmptyStmtBody(SourceLocation StmtLoc, 7562 const Stmt *Body, 7563 unsigned DiagID) { 7564 // Since this is a syntactic check, don't emit diagnostic for template 7565 // instantiations, this just adds noise. 7566 if (CurrentInstantiationScope) 7567 return; 7568 7569 // The body should be a null statement. 7570 const NullStmt *NBody = dyn_cast<NullStmt>(Body); 7571 if (!NBody) 7572 return; 7573 7574 // Do the usual checks. 7575 if (!ShouldDiagnoseEmptyStmtBody(SourceMgr, StmtLoc, NBody)) 7576 return; 7577 7578 Diag(NBody->getSemiLoc(), DiagID); 7579 Diag(NBody->getSemiLoc(), diag::note_empty_body_on_separate_line); 7580} 7581 7582void Sema::DiagnoseEmptyLoopBody(const Stmt *S, 7583 const Stmt *PossibleBody) { 7584 assert(!CurrentInstantiationScope); // Ensured by caller 7585 7586 SourceLocation StmtLoc; 7587 const Stmt *Body; 7588 unsigned DiagID; 7589 if (const ForStmt *FS = dyn_cast<ForStmt>(S)) { 7590 StmtLoc = FS->getRParenLoc(); 7591 Body = FS->getBody(); 7592 DiagID = diag::warn_empty_for_body; 7593 } else if (const WhileStmt *WS = dyn_cast<WhileStmt>(S)) { 7594 StmtLoc = WS->getCond()->getSourceRange().getEnd(); 7595 Body = WS->getBody(); 7596 DiagID = diag::warn_empty_while_body; 7597 } else 7598 return; // Neither `for' nor `while'. 7599 7600 // The body should be a null statement. 7601 const NullStmt *NBody = dyn_cast<NullStmt>(Body); 7602 if (!NBody) 7603 return; 7604 7605 // Skip expensive checks if diagnostic is disabled. 7606 if (Diags.getDiagnosticLevel(DiagID, NBody->getSemiLoc()) == 7607 DiagnosticsEngine::Ignored) 7608 return; 7609 7610 // Do the usual checks. 7611 if (!ShouldDiagnoseEmptyStmtBody(SourceMgr, StmtLoc, NBody)) 7612 return; 7613 7614 // `for(...);' and `while(...);' are popular idioms, so in order to keep 7615 // noise level low, emit diagnostics only if for/while is followed by a 7616 // CompoundStmt, e.g.: 7617 // for (int i = 0; i < n; i++); 7618 // { 7619 // a(i); 7620 // } 7621 // or if for/while is followed by a statement with more indentation 7622 // than for/while itself: 7623 // for (int i = 0; i < n; i++); 7624 // a(i); 7625 bool ProbableTypo = isa<CompoundStmt>(PossibleBody); 7626 if (!ProbableTypo) { 7627 bool BodyColInvalid; 7628 unsigned BodyCol = SourceMgr.getPresumedColumnNumber( 7629 PossibleBody->getLocStart(), 7630 &BodyColInvalid); 7631 if (BodyColInvalid) 7632 return; 7633 7634 bool StmtColInvalid; 7635 unsigned StmtCol = SourceMgr.getPresumedColumnNumber( 7636 S->getLocStart(), 7637 &StmtColInvalid); 7638 if (StmtColInvalid) 7639 return; 7640 7641 if (BodyCol > StmtCol) 7642 ProbableTypo = true; 7643 } 7644 7645 if (ProbableTypo) { 7646 Diag(NBody->getSemiLoc(), DiagID); 7647 Diag(NBody->getSemiLoc(), diag::note_empty_body_on_separate_line); 7648 } 7649} 7650 7651//===--- Layout compatibility ----------------------------------------------// 7652 7653namespace { 7654 7655bool isLayoutCompatible(ASTContext &C, QualType T1, QualType T2); 7656 7657/// \brief Check if two enumeration types are layout-compatible. 7658bool isLayoutCompatible(ASTContext &C, EnumDecl *ED1, EnumDecl *ED2) { 7659 // C++11 [dcl.enum] p8: 7660 // Two enumeration types are layout-compatible if they have the same 7661 // underlying type. 7662 return ED1->isComplete() && ED2->isComplete() && 7663 C.hasSameType(ED1->getIntegerType(), ED2->getIntegerType()); 7664} 7665 7666/// \brief Check if two fields are layout-compatible. 7667bool isLayoutCompatible(ASTContext &C, FieldDecl *Field1, FieldDecl *Field2) { 7668 if (!isLayoutCompatible(C, Field1->getType(), Field2->getType())) 7669 return false; 7670 7671 if (Field1->isBitField() != Field2->isBitField()) 7672 return false; 7673 7674 if (Field1->isBitField()) { 7675 // Make sure that the bit-fields are the same length. 7676 unsigned Bits1 = Field1->getBitWidthValue(C); 7677 unsigned Bits2 = Field2->getBitWidthValue(C); 7678 7679 if (Bits1 != Bits2) 7680 return false; 7681 } 7682 7683 return true; 7684} 7685 7686/// \brief Check if two standard-layout structs are layout-compatible. 7687/// (C++11 [class.mem] p17) 7688bool isLayoutCompatibleStruct(ASTContext &C, 7689 RecordDecl *RD1, 7690 RecordDecl *RD2) { 7691 // If both records are C++ classes, check that base classes match. 7692 if (const CXXRecordDecl *D1CXX = dyn_cast<CXXRecordDecl>(RD1)) { 7693 // If one of records is a CXXRecordDecl we are in C++ mode, 7694 // thus the other one is a CXXRecordDecl, too. 7695 const CXXRecordDecl *D2CXX = cast<CXXRecordDecl>(RD2); 7696 // Check number of base classes. 7697 if (D1CXX->getNumBases() != D2CXX->getNumBases()) 7698 return false; 7699 7700 // Check the base classes. 7701 for (CXXRecordDecl::base_class_const_iterator 7702 Base1 = D1CXX->bases_begin(), 7703 BaseEnd1 = D1CXX->bases_end(), 7704 Base2 = D2CXX->bases_begin(); 7705 Base1 != BaseEnd1; 7706 ++Base1, ++Base2) { 7707 if (!isLayoutCompatible(C, Base1->getType(), Base2->getType())) 7708 return false; 7709 } 7710 } else if (const CXXRecordDecl *D2CXX = dyn_cast<CXXRecordDecl>(RD2)) { 7711 // If only RD2 is a C++ class, it should have zero base classes. 7712 if (D2CXX->getNumBases() > 0) 7713 return false; 7714 } 7715 7716 // Check the fields. 7717 RecordDecl::field_iterator Field2 = RD2->field_begin(), 7718 Field2End = RD2->field_end(), 7719 Field1 = RD1->field_begin(), 7720 Field1End = RD1->field_end(); 7721 for ( ; Field1 != Field1End && Field2 != Field2End; ++Field1, ++Field2) { 7722 if (!isLayoutCompatible(C, *Field1, *Field2)) 7723 return false; 7724 } 7725 if (Field1 != Field1End || Field2 != Field2End) 7726 return false; 7727 7728 return true; 7729} 7730 7731/// \brief Check if two standard-layout unions are layout-compatible. 7732/// (C++11 [class.mem] p18) 7733bool isLayoutCompatibleUnion(ASTContext &C, 7734 RecordDecl *RD1, 7735 RecordDecl *RD2) { 7736 llvm::SmallPtrSet<FieldDecl *, 8> UnmatchedFields; 7737 for (auto *Field2 : RD2->fields()) 7738 UnmatchedFields.insert(Field2); 7739 7740 for (auto *Field1 : RD1->fields()) { 7741 llvm::SmallPtrSet<FieldDecl *, 8>::iterator 7742 I = UnmatchedFields.begin(), 7743 E = UnmatchedFields.end(); 7744 7745 for ( ; I != E; ++I) { 7746 if (isLayoutCompatible(C, Field1, *I)) { 7747 bool Result = UnmatchedFields.erase(*I); 7748 (void) Result; 7749 assert(Result); 7750 break; 7751 } 7752 } 7753 if (I == E) 7754 return false; 7755 } 7756 7757 return UnmatchedFields.empty(); 7758} 7759 7760bool isLayoutCompatible(ASTContext &C, RecordDecl *RD1, RecordDecl *RD2) { 7761 if (RD1->isUnion() != RD2->isUnion()) 7762 return false; 7763 7764 if (RD1->isUnion()) 7765 return isLayoutCompatibleUnion(C, RD1, RD2); 7766 else 7767 return isLayoutCompatibleStruct(C, RD1, RD2); 7768} 7769 7770/// \brief Check if two types are layout-compatible in C++11 sense. 7771bool isLayoutCompatible(ASTContext &C, QualType T1, QualType T2) { 7772 if (T1.isNull() || T2.isNull()) 7773 return false; 7774 7775 // C++11 [basic.types] p11: 7776 // If two types T1 and T2 are the same type, then T1 and T2 are 7777 // layout-compatible types. 7778 if (C.hasSameType(T1, T2)) 7779 return true; 7780 7781 T1 = T1.getCanonicalType().getUnqualifiedType(); 7782 T2 = T2.getCanonicalType().getUnqualifiedType(); 7783 7784 const Type::TypeClass TC1 = T1->getTypeClass(); 7785 const Type::TypeClass TC2 = T2->getTypeClass(); 7786 7787 if (TC1 != TC2) 7788 return false; 7789 7790 if (TC1 == Type::Enum) { 7791 return isLayoutCompatible(C, 7792 cast<EnumType>(T1)->getDecl(), 7793 cast<EnumType>(T2)->getDecl()); 7794 } else if (TC1 == Type::Record) { 7795 if (!T1->isStandardLayoutType() || !T2->isStandardLayoutType()) 7796 return false; 7797 7798 return isLayoutCompatible(C, 7799 cast<RecordType>(T1)->getDecl(), 7800 cast<RecordType>(T2)->getDecl()); 7801 } 7802 7803 return false; 7804} 7805} 7806 7807//===--- CHECK: pointer_with_type_tag attribute: datatypes should match ----// 7808 7809namespace { 7810/// \brief Given a type tag expression find the type tag itself. 7811/// 7812/// \param TypeExpr Type tag expression, as it appears in user's code. 7813/// 7814/// \param VD Declaration of an identifier that appears in a type tag. 7815/// 7816/// \param MagicValue Type tag magic value. 7817bool FindTypeTagExpr(const Expr *TypeExpr, const ASTContext &Ctx, 7818 const ValueDecl **VD, uint64_t *MagicValue) { 7819 while(true) { 7820 if (!TypeExpr) 7821 return false; 7822 7823 TypeExpr = TypeExpr->IgnoreParenImpCasts()->IgnoreParenCasts(); 7824 7825 switch (TypeExpr->getStmtClass()) { 7826 case Stmt::UnaryOperatorClass: { 7827 const UnaryOperator *UO = cast<UnaryOperator>(TypeExpr); 7828 if (UO->getOpcode() == UO_AddrOf || UO->getOpcode() == UO_Deref) { 7829 TypeExpr = UO->getSubExpr(); 7830 continue; 7831 } 7832 return false; 7833 } 7834 7835 case Stmt::DeclRefExprClass: { 7836 const DeclRefExpr *DRE = cast<DeclRefExpr>(TypeExpr); 7837 *VD = DRE->getDecl(); 7838 return true; 7839 } 7840 7841 case Stmt::IntegerLiteralClass: { 7842 const IntegerLiteral *IL = cast<IntegerLiteral>(TypeExpr); 7843 llvm::APInt MagicValueAPInt = IL->getValue(); 7844 if (MagicValueAPInt.getActiveBits() <= 64) { 7845 *MagicValue = MagicValueAPInt.getZExtValue(); 7846 return true; 7847 } else 7848 return false; 7849 } 7850 7851 case Stmt::BinaryConditionalOperatorClass: 7852 case Stmt::ConditionalOperatorClass: { 7853 const AbstractConditionalOperator *ACO = 7854 cast<AbstractConditionalOperator>(TypeExpr); 7855 bool Result; 7856 if (ACO->getCond()->EvaluateAsBooleanCondition(Result, Ctx)) { 7857 if (Result) 7858 TypeExpr = ACO->getTrueExpr(); 7859 else 7860 TypeExpr = ACO->getFalseExpr(); 7861 continue; 7862 } 7863 return false; 7864 } 7865 7866 case Stmt::BinaryOperatorClass: { 7867 const BinaryOperator *BO = cast<BinaryOperator>(TypeExpr); 7868 if (BO->getOpcode() == BO_Comma) { 7869 TypeExpr = BO->getRHS(); 7870 continue; 7871 } 7872 return false; 7873 } 7874 7875 default: 7876 return false; 7877 } 7878 } 7879} 7880 7881/// \brief Retrieve the C type corresponding to type tag TypeExpr. 7882/// 7883/// \param TypeExpr Expression that specifies a type tag. 7884/// 7885/// \param MagicValues Registered magic values. 7886/// 7887/// \param FoundWrongKind Set to true if a type tag was found, but of a wrong 7888/// kind. 7889/// 7890/// \param TypeInfo Information about the corresponding C type. 7891/// 7892/// \returns true if the corresponding C type was found. 7893bool GetMatchingCType( 7894 const IdentifierInfo *ArgumentKind, 7895 const Expr *TypeExpr, const ASTContext &Ctx, 7896 const llvm::DenseMap<Sema::TypeTagMagicValue, 7897 Sema::TypeTagData> *MagicValues, 7898 bool &FoundWrongKind, 7899 Sema::TypeTagData &TypeInfo) { 7900 FoundWrongKind = false; 7901 7902 // Variable declaration that has type_tag_for_datatype attribute. 7903 const ValueDecl *VD = nullptr; 7904 7905 uint64_t MagicValue; 7906 7907 if (!FindTypeTagExpr(TypeExpr, Ctx, &VD, &MagicValue)) 7908 return false; 7909 7910 if (VD) { 7911 if (TypeTagForDatatypeAttr *I = VD->getAttr<TypeTagForDatatypeAttr>()) { 7912 if (I->getArgumentKind() != ArgumentKind) { 7913 FoundWrongKind = true; 7914 return false; 7915 } 7916 TypeInfo.Type = I->getMatchingCType(); 7917 TypeInfo.LayoutCompatible = I->getLayoutCompatible(); 7918 TypeInfo.MustBeNull = I->getMustBeNull(); 7919 return true; 7920 } 7921 return false; 7922 } 7923 7924 if (!MagicValues) 7925 return false; 7926 7927 llvm::DenseMap<Sema::TypeTagMagicValue, 7928 Sema::TypeTagData>::const_iterator I = 7929 MagicValues->find(std::make_pair(ArgumentKind, MagicValue)); 7930 if (I == MagicValues->end()) 7931 return false; 7932 7933 TypeInfo = I->second; 7934 return true; 7935} 7936} // unnamed namespace 7937 7938void Sema::RegisterTypeTagForDatatype(const IdentifierInfo *ArgumentKind, 7939 uint64_t MagicValue, QualType Type, 7940 bool LayoutCompatible, 7941 bool MustBeNull) { 7942 if (!TypeTagForDatatypeMagicValues) 7943 TypeTagForDatatypeMagicValues.reset( 7944 new llvm::DenseMap<TypeTagMagicValue, TypeTagData>); 7945 7946 TypeTagMagicValue Magic(ArgumentKind, MagicValue); 7947 (*TypeTagForDatatypeMagicValues)[Magic] = 7948 TypeTagData(Type, LayoutCompatible, MustBeNull); 7949} 7950 7951namespace { 7952bool IsSameCharType(QualType T1, QualType T2) { 7953 const BuiltinType *BT1 = T1->getAs<BuiltinType>(); 7954 if (!BT1) 7955 return false; 7956 7957 const BuiltinType *BT2 = T2->getAs<BuiltinType>(); 7958 if (!BT2) 7959 return false; 7960 7961 BuiltinType::Kind T1Kind = BT1->getKind(); 7962 BuiltinType::Kind T2Kind = BT2->getKind(); 7963 7964 return (T1Kind == BuiltinType::SChar && T2Kind == BuiltinType::Char_S) || 7965 (T1Kind == BuiltinType::UChar && T2Kind == BuiltinType::Char_U) || 7966 (T1Kind == BuiltinType::Char_U && T2Kind == BuiltinType::UChar) || 7967 (T1Kind == BuiltinType::Char_S && T2Kind == BuiltinType::SChar); 7968} 7969} // unnamed namespace 7970 7971void Sema::CheckArgumentWithTypeTag(const ArgumentWithTypeTagAttr *Attr, 7972 const Expr * const *ExprArgs) { 7973 const IdentifierInfo *ArgumentKind = Attr->getArgumentKind(); 7974 bool IsPointerAttr = Attr->getIsPointer(); 7975 7976 const Expr *TypeTagExpr = ExprArgs[Attr->getTypeTagIdx()]; 7977 bool FoundWrongKind; 7978 TypeTagData TypeInfo; 7979 if (!GetMatchingCType(ArgumentKind, TypeTagExpr, Context, 7980 TypeTagForDatatypeMagicValues.get(), 7981 FoundWrongKind, TypeInfo)) { 7982 if (FoundWrongKind) 7983 Diag(TypeTagExpr->getExprLoc(), 7984 diag::warn_type_tag_for_datatype_wrong_kind) 7985 << TypeTagExpr->getSourceRange(); 7986 return; 7987 } 7988 7989 const Expr *ArgumentExpr = ExprArgs[Attr->getArgumentIdx()]; 7990 if (IsPointerAttr) { 7991 // Skip implicit cast of pointer to `void *' (as a function argument). 7992 if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(ArgumentExpr)) 7993 if (ICE->getType()->isVoidPointerType() && 7994 ICE->getCastKind() == CK_BitCast) 7995 ArgumentExpr = ICE->getSubExpr(); 7996 } 7997 QualType ArgumentType = ArgumentExpr->getType(); 7998 7999 // Passing a `void*' pointer shouldn't trigger a warning. 8000 if (IsPointerAttr && ArgumentType->isVoidPointerType()) 8001 return; 8002 8003 if (TypeInfo.MustBeNull) { 8004 // Type tag with matching void type requires a null pointer. 8005 if (!ArgumentExpr->isNullPointerConstant(Context, 8006 Expr::NPC_ValueDependentIsNotNull)) { 8007 Diag(ArgumentExpr->getExprLoc(), 8008 diag::warn_type_safety_null_pointer_required) 8009 << ArgumentKind->getName() 8010 << ArgumentExpr->getSourceRange() 8011 << TypeTagExpr->getSourceRange(); 8012 } 8013 return; 8014 } 8015 8016 QualType RequiredType = TypeInfo.Type; 8017 if (IsPointerAttr) 8018 RequiredType = Context.getPointerType(RequiredType); 8019 8020 bool mismatch = false; 8021 if (!TypeInfo.LayoutCompatible) { 8022 mismatch = !Context.hasSameType(ArgumentType, RequiredType); 8023 8024 // C++11 [basic.fundamental] p1: 8025 // Plain char, signed char, and unsigned char are three distinct types. 8026 // 8027 // But we treat plain `char' as equivalent to `signed char' or `unsigned 8028 // char' depending on the current char signedness mode. 8029 if (mismatch) 8030 if ((IsPointerAttr && IsSameCharType(ArgumentType->getPointeeType(), 8031 RequiredType->getPointeeType())) || 8032 (!IsPointerAttr && IsSameCharType(ArgumentType, RequiredType))) 8033 mismatch = false; 8034 } else 8035 if (IsPointerAttr) 8036 mismatch = !isLayoutCompatible(Context, 8037 ArgumentType->getPointeeType(), 8038 RequiredType->getPointeeType()); 8039 else 8040 mismatch = !isLayoutCompatible(Context, ArgumentType, RequiredType); 8041 8042 if (mismatch) 8043 Diag(ArgumentExpr->getExprLoc(), diag::warn_type_safety_type_mismatch) 8044 << ArgumentType << ArgumentKind 8045 << TypeInfo.LayoutCompatible << RequiredType 8046 << ArgumentExpr->getSourceRange() 8047 << TypeTagExpr->getSourceRange(); 8048} 8049 8050