SemaChecking.cpp revision 6c656c3d89523d8ddd143f96e11f6bc16c10c60b
1//===--- SemaChecking.cpp - Extra Semantic Checking -----------------------===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file implements extra semantic analysis beyond what is enforced 11// by the C type system. 12// 13//===----------------------------------------------------------------------===// 14 15#include "clang/Sema/Initialization.h" 16#include "clang/Sema/Sema.h" 17#include "clang/Sema/SemaInternal.h" 18#include "clang/Sema/Initialization.h" 19#include "clang/Sema/ScopeInfo.h" 20#include "clang/Analysis/Analyses/FormatString.h" 21#include "clang/AST/ASTContext.h" 22#include "clang/AST/CharUnits.h" 23#include "clang/AST/DeclCXX.h" 24#include "clang/AST/DeclObjC.h" 25#include "clang/AST/ExprCXX.h" 26#include "clang/AST/ExprObjC.h" 27#include "clang/AST/EvaluatedExprVisitor.h" 28#include "clang/AST/DeclObjC.h" 29#include "clang/AST/StmtCXX.h" 30#include "clang/AST/StmtObjC.h" 31#include "clang/Lex/Preprocessor.h" 32#include "llvm/ADT/BitVector.h" 33#include "llvm/ADT/SmallString.h" 34#include "llvm/ADT/STLExtras.h" 35#include "llvm/Support/raw_ostream.h" 36#include "clang/Basic/TargetBuiltins.h" 37#include "clang/Basic/TargetInfo.h" 38#include "clang/Basic/ConvertUTF.h" 39#include <limits> 40using namespace clang; 41using namespace sema; 42 43SourceLocation Sema::getLocationOfStringLiteralByte(const StringLiteral *SL, 44 unsigned ByteNo) const { 45 return SL->getLocationOfByte(ByteNo, PP.getSourceManager(), 46 PP.getLangOpts(), PP.getTargetInfo()); 47} 48 49/// Checks that a call expression's argument count is the desired number. 50/// This is useful when doing custom type-checking. Returns true on error. 51static bool checkArgCount(Sema &S, CallExpr *call, unsigned desiredArgCount) { 52 unsigned argCount = call->getNumArgs(); 53 if (argCount == desiredArgCount) return false; 54 55 if (argCount < desiredArgCount) 56 return S.Diag(call->getLocEnd(), diag::err_typecheck_call_too_few_args) 57 << 0 /*function call*/ << desiredArgCount << argCount 58 << call->getSourceRange(); 59 60 // Highlight all the excess arguments. 61 SourceRange range(call->getArg(desiredArgCount)->getLocStart(), 62 call->getArg(argCount - 1)->getLocEnd()); 63 64 return S.Diag(range.getBegin(), diag::err_typecheck_call_too_many_args) 65 << 0 /*function call*/ << desiredArgCount << argCount 66 << call->getArg(1)->getSourceRange(); 67} 68 69/// CheckBuiltinAnnotationString - Checks that string argument to the builtin 70/// annotation is a non wide string literal. 71static bool CheckBuiltinAnnotationString(Sema &S, Expr *Arg) { 72 Arg = Arg->IgnoreParenCasts(); 73 StringLiteral *Literal = dyn_cast<StringLiteral>(Arg); 74 if (!Literal || !Literal->isAscii()) { 75 S.Diag(Arg->getLocStart(), diag::err_builtin_annotation_not_string_constant) 76 << Arg->getSourceRange(); 77 return true; 78 } 79 return false; 80} 81 82ExprResult 83Sema::CheckBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 84 ExprResult TheCallResult(Owned(TheCall)); 85 86 // Find out if any arguments are required to be integer constant expressions. 87 unsigned ICEArguments = 0; 88 ASTContext::GetBuiltinTypeError Error; 89 Context.GetBuiltinType(BuiltinID, Error, &ICEArguments); 90 if (Error != ASTContext::GE_None) 91 ICEArguments = 0; // Don't diagnose previously diagnosed errors. 92 93 // If any arguments are required to be ICE's, check and diagnose. 94 for (unsigned ArgNo = 0; ICEArguments != 0; ++ArgNo) { 95 // Skip arguments not required to be ICE's. 96 if ((ICEArguments & (1 << ArgNo)) == 0) continue; 97 98 llvm::APSInt Result; 99 if (SemaBuiltinConstantArg(TheCall, ArgNo, Result)) 100 return true; 101 ICEArguments &= ~(1 << ArgNo); 102 } 103 104 switch (BuiltinID) { 105 case Builtin::BI__builtin___CFStringMakeConstantString: 106 assert(TheCall->getNumArgs() == 1 && 107 "Wrong # arguments to builtin CFStringMakeConstantString"); 108 if (CheckObjCString(TheCall->getArg(0))) 109 return ExprError(); 110 break; 111 case Builtin::BI__builtin_stdarg_start: 112 case Builtin::BI__builtin_va_start: 113 if (SemaBuiltinVAStart(TheCall)) 114 return ExprError(); 115 break; 116 case Builtin::BI__builtin_isgreater: 117 case Builtin::BI__builtin_isgreaterequal: 118 case Builtin::BI__builtin_isless: 119 case Builtin::BI__builtin_islessequal: 120 case Builtin::BI__builtin_islessgreater: 121 case Builtin::BI__builtin_isunordered: 122 if (SemaBuiltinUnorderedCompare(TheCall)) 123 return ExprError(); 124 break; 125 case Builtin::BI__builtin_fpclassify: 126 if (SemaBuiltinFPClassification(TheCall, 6)) 127 return ExprError(); 128 break; 129 case Builtin::BI__builtin_isfinite: 130 case Builtin::BI__builtin_isinf: 131 case Builtin::BI__builtin_isinf_sign: 132 case Builtin::BI__builtin_isnan: 133 case Builtin::BI__builtin_isnormal: 134 if (SemaBuiltinFPClassification(TheCall, 1)) 135 return ExprError(); 136 break; 137 case Builtin::BI__builtin_shufflevector: 138 return SemaBuiltinShuffleVector(TheCall); 139 // TheCall will be freed by the smart pointer here, but that's fine, since 140 // SemaBuiltinShuffleVector guts it, but then doesn't release it. 141 case Builtin::BI__builtin_prefetch: 142 if (SemaBuiltinPrefetch(TheCall)) 143 return ExprError(); 144 break; 145 case Builtin::BI__builtin_object_size: 146 if (SemaBuiltinObjectSize(TheCall)) 147 return ExprError(); 148 break; 149 case Builtin::BI__builtin_longjmp: 150 if (SemaBuiltinLongjmp(TheCall)) 151 return ExprError(); 152 break; 153 154 case Builtin::BI__builtin_classify_type: 155 if (checkArgCount(*this, TheCall, 1)) return true; 156 TheCall->setType(Context.IntTy); 157 break; 158 case Builtin::BI__builtin_constant_p: 159 if (checkArgCount(*this, TheCall, 1)) return true; 160 TheCall->setType(Context.IntTy); 161 break; 162 case Builtin::BI__sync_fetch_and_add: 163 case Builtin::BI__sync_fetch_and_add_1: 164 case Builtin::BI__sync_fetch_and_add_2: 165 case Builtin::BI__sync_fetch_and_add_4: 166 case Builtin::BI__sync_fetch_and_add_8: 167 case Builtin::BI__sync_fetch_and_add_16: 168 case Builtin::BI__sync_fetch_and_sub: 169 case Builtin::BI__sync_fetch_and_sub_1: 170 case Builtin::BI__sync_fetch_and_sub_2: 171 case Builtin::BI__sync_fetch_and_sub_4: 172 case Builtin::BI__sync_fetch_and_sub_8: 173 case Builtin::BI__sync_fetch_and_sub_16: 174 case Builtin::BI__sync_fetch_and_or: 175 case Builtin::BI__sync_fetch_and_or_1: 176 case Builtin::BI__sync_fetch_and_or_2: 177 case Builtin::BI__sync_fetch_and_or_4: 178 case Builtin::BI__sync_fetch_and_or_8: 179 case Builtin::BI__sync_fetch_and_or_16: 180 case Builtin::BI__sync_fetch_and_and: 181 case Builtin::BI__sync_fetch_and_and_1: 182 case Builtin::BI__sync_fetch_and_and_2: 183 case Builtin::BI__sync_fetch_and_and_4: 184 case Builtin::BI__sync_fetch_and_and_8: 185 case Builtin::BI__sync_fetch_and_and_16: 186 case Builtin::BI__sync_fetch_and_xor: 187 case Builtin::BI__sync_fetch_and_xor_1: 188 case Builtin::BI__sync_fetch_and_xor_2: 189 case Builtin::BI__sync_fetch_and_xor_4: 190 case Builtin::BI__sync_fetch_and_xor_8: 191 case Builtin::BI__sync_fetch_and_xor_16: 192 case Builtin::BI__sync_add_and_fetch: 193 case Builtin::BI__sync_add_and_fetch_1: 194 case Builtin::BI__sync_add_and_fetch_2: 195 case Builtin::BI__sync_add_and_fetch_4: 196 case Builtin::BI__sync_add_and_fetch_8: 197 case Builtin::BI__sync_add_and_fetch_16: 198 case Builtin::BI__sync_sub_and_fetch: 199 case Builtin::BI__sync_sub_and_fetch_1: 200 case Builtin::BI__sync_sub_and_fetch_2: 201 case Builtin::BI__sync_sub_and_fetch_4: 202 case Builtin::BI__sync_sub_and_fetch_8: 203 case Builtin::BI__sync_sub_and_fetch_16: 204 case Builtin::BI__sync_and_and_fetch: 205 case Builtin::BI__sync_and_and_fetch_1: 206 case Builtin::BI__sync_and_and_fetch_2: 207 case Builtin::BI__sync_and_and_fetch_4: 208 case Builtin::BI__sync_and_and_fetch_8: 209 case Builtin::BI__sync_and_and_fetch_16: 210 case Builtin::BI__sync_or_and_fetch: 211 case Builtin::BI__sync_or_and_fetch_1: 212 case Builtin::BI__sync_or_and_fetch_2: 213 case Builtin::BI__sync_or_and_fetch_4: 214 case Builtin::BI__sync_or_and_fetch_8: 215 case Builtin::BI__sync_or_and_fetch_16: 216 case Builtin::BI__sync_xor_and_fetch: 217 case Builtin::BI__sync_xor_and_fetch_1: 218 case Builtin::BI__sync_xor_and_fetch_2: 219 case Builtin::BI__sync_xor_and_fetch_4: 220 case Builtin::BI__sync_xor_and_fetch_8: 221 case Builtin::BI__sync_xor_and_fetch_16: 222 case Builtin::BI__sync_val_compare_and_swap: 223 case Builtin::BI__sync_val_compare_and_swap_1: 224 case Builtin::BI__sync_val_compare_and_swap_2: 225 case Builtin::BI__sync_val_compare_and_swap_4: 226 case Builtin::BI__sync_val_compare_and_swap_8: 227 case Builtin::BI__sync_val_compare_and_swap_16: 228 case Builtin::BI__sync_bool_compare_and_swap: 229 case Builtin::BI__sync_bool_compare_and_swap_1: 230 case Builtin::BI__sync_bool_compare_and_swap_2: 231 case Builtin::BI__sync_bool_compare_and_swap_4: 232 case Builtin::BI__sync_bool_compare_and_swap_8: 233 case Builtin::BI__sync_bool_compare_and_swap_16: 234 case Builtin::BI__sync_lock_test_and_set: 235 case Builtin::BI__sync_lock_test_and_set_1: 236 case Builtin::BI__sync_lock_test_and_set_2: 237 case Builtin::BI__sync_lock_test_and_set_4: 238 case Builtin::BI__sync_lock_test_and_set_8: 239 case Builtin::BI__sync_lock_test_and_set_16: 240 case Builtin::BI__sync_lock_release: 241 case Builtin::BI__sync_lock_release_1: 242 case Builtin::BI__sync_lock_release_2: 243 case Builtin::BI__sync_lock_release_4: 244 case Builtin::BI__sync_lock_release_8: 245 case Builtin::BI__sync_lock_release_16: 246 case Builtin::BI__sync_swap: 247 case Builtin::BI__sync_swap_1: 248 case Builtin::BI__sync_swap_2: 249 case Builtin::BI__sync_swap_4: 250 case Builtin::BI__sync_swap_8: 251 case Builtin::BI__sync_swap_16: 252 return SemaBuiltinAtomicOverloaded(move(TheCallResult)); 253 case Builtin::BI__atomic_load: 254 return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::Load); 255 case Builtin::BI__atomic_store: 256 return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::Store); 257 case Builtin::BI__atomic_init: 258 return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::Init); 259 case Builtin::BI__atomic_exchange: 260 return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::Xchg); 261 case Builtin::BI__atomic_compare_exchange_strong: 262 return SemaAtomicOpsOverloaded(move(TheCallResult), 263 AtomicExpr::CmpXchgStrong); 264 case Builtin::BI__atomic_compare_exchange_weak: 265 return SemaAtomicOpsOverloaded(move(TheCallResult), 266 AtomicExpr::CmpXchgWeak); 267 case Builtin::BI__atomic_fetch_add: 268 return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::Add); 269 case Builtin::BI__atomic_fetch_sub: 270 return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::Sub); 271 case Builtin::BI__atomic_fetch_and: 272 return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::And); 273 case Builtin::BI__atomic_fetch_or: 274 return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::Or); 275 case Builtin::BI__atomic_fetch_xor: 276 return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::Xor); 277 case Builtin::BI__builtin_annotation: 278 if (CheckBuiltinAnnotationString(*this, TheCall->getArg(1))) 279 return ExprError(); 280 break; 281 } 282 283 // Since the target specific builtins for each arch overlap, only check those 284 // of the arch we are compiling for. 285 if (BuiltinID >= Builtin::FirstTSBuiltin) { 286 switch (Context.getTargetInfo().getTriple().getArch()) { 287 case llvm::Triple::arm: 288 case llvm::Triple::thumb: 289 if (CheckARMBuiltinFunctionCall(BuiltinID, TheCall)) 290 return ExprError(); 291 break; 292 default: 293 break; 294 } 295 } 296 297 return move(TheCallResult); 298} 299 300// Get the valid immediate range for the specified NEON type code. 301static unsigned RFT(unsigned t, bool shift = false) { 302 NeonTypeFlags Type(t); 303 int IsQuad = Type.isQuad(); 304 switch (Type.getEltType()) { 305 case NeonTypeFlags::Int8: 306 case NeonTypeFlags::Poly8: 307 return shift ? 7 : (8 << IsQuad) - 1; 308 case NeonTypeFlags::Int16: 309 case NeonTypeFlags::Poly16: 310 return shift ? 15 : (4 << IsQuad) - 1; 311 case NeonTypeFlags::Int32: 312 return shift ? 31 : (2 << IsQuad) - 1; 313 case NeonTypeFlags::Int64: 314 return shift ? 63 : (1 << IsQuad) - 1; 315 case NeonTypeFlags::Float16: 316 assert(!shift && "cannot shift float types!"); 317 return (4 << IsQuad) - 1; 318 case NeonTypeFlags::Float32: 319 assert(!shift && "cannot shift float types!"); 320 return (2 << IsQuad) - 1; 321 } 322 llvm_unreachable("Invalid NeonTypeFlag!"); 323} 324 325/// getNeonEltType - Return the QualType corresponding to the elements of 326/// the vector type specified by the NeonTypeFlags. This is used to check 327/// the pointer arguments for Neon load/store intrinsics. 328static QualType getNeonEltType(NeonTypeFlags Flags, ASTContext &Context) { 329 switch (Flags.getEltType()) { 330 case NeonTypeFlags::Int8: 331 return Flags.isUnsigned() ? Context.UnsignedCharTy : Context.SignedCharTy; 332 case NeonTypeFlags::Int16: 333 return Flags.isUnsigned() ? Context.UnsignedShortTy : Context.ShortTy; 334 case NeonTypeFlags::Int32: 335 return Flags.isUnsigned() ? Context.UnsignedIntTy : Context.IntTy; 336 case NeonTypeFlags::Int64: 337 return Flags.isUnsigned() ? Context.UnsignedLongLongTy : Context.LongLongTy; 338 case NeonTypeFlags::Poly8: 339 return Context.SignedCharTy; 340 case NeonTypeFlags::Poly16: 341 return Context.ShortTy; 342 case NeonTypeFlags::Float16: 343 return Context.UnsignedShortTy; 344 case NeonTypeFlags::Float32: 345 return Context.FloatTy; 346 } 347 llvm_unreachable("Invalid NeonTypeFlag!"); 348} 349 350bool Sema::CheckARMBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 351 llvm::APSInt Result; 352 353 unsigned mask = 0; 354 unsigned TV = 0; 355 int PtrArgNum = -1; 356 bool HasConstPtr = false; 357 switch (BuiltinID) { 358#define GET_NEON_OVERLOAD_CHECK 359#include "clang/Basic/arm_neon.inc" 360#undef GET_NEON_OVERLOAD_CHECK 361 } 362 363 // For NEON intrinsics which are overloaded on vector element type, validate 364 // the immediate which specifies which variant to emit. 365 unsigned ImmArg = TheCall->getNumArgs()-1; 366 if (mask) { 367 if (SemaBuiltinConstantArg(TheCall, ImmArg, Result)) 368 return true; 369 370 TV = Result.getLimitedValue(64); 371 if ((TV > 63) || (mask & (1 << TV)) == 0) 372 return Diag(TheCall->getLocStart(), diag::err_invalid_neon_type_code) 373 << TheCall->getArg(ImmArg)->getSourceRange(); 374 } 375 376 if (PtrArgNum >= 0) { 377 // Check that pointer arguments have the specified type. 378 Expr *Arg = TheCall->getArg(PtrArgNum); 379 if (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Arg)) 380 Arg = ICE->getSubExpr(); 381 ExprResult RHS = DefaultFunctionArrayLvalueConversion(Arg); 382 QualType RHSTy = RHS.get()->getType(); 383 QualType EltTy = getNeonEltType(NeonTypeFlags(TV), Context); 384 if (HasConstPtr) 385 EltTy = EltTy.withConst(); 386 QualType LHSTy = Context.getPointerType(EltTy); 387 AssignConvertType ConvTy; 388 ConvTy = CheckSingleAssignmentConstraints(LHSTy, RHS); 389 if (RHS.isInvalid()) 390 return true; 391 if (DiagnoseAssignmentResult(ConvTy, Arg->getLocStart(), LHSTy, RHSTy, 392 RHS.get(), AA_Assigning)) 393 return true; 394 } 395 396 // For NEON intrinsics which take an immediate value as part of the 397 // instruction, range check them here. 398 unsigned i = 0, l = 0, u = 0; 399 switch (BuiltinID) { 400 default: return false; 401 case ARM::BI__builtin_arm_ssat: i = 1; l = 1; u = 31; break; 402 case ARM::BI__builtin_arm_usat: i = 1; u = 31; break; 403 case ARM::BI__builtin_arm_vcvtr_f: 404 case ARM::BI__builtin_arm_vcvtr_d: i = 1; u = 1; break; 405#define GET_NEON_IMMEDIATE_CHECK 406#include "clang/Basic/arm_neon.inc" 407#undef GET_NEON_IMMEDIATE_CHECK 408 }; 409 410 // Check that the immediate argument is actually a constant. 411 if (SemaBuiltinConstantArg(TheCall, i, Result)) 412 return true; 413 414 // Range check against the upper/lower values for this isntruction. 415 unsigned Val = Result.getZExtValue(); 416 if (Val < l || Val > (u + l)) 417 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 418 << l << u+l << TheCall->getArg(i)->getSourceRange(); 419 420 // FIXME: VFP Intrinsics should error if VFP not present. 421 return false; 422} 423 424/// CheckFunctionCall - Check a direct function call for various correctness 425/// and safety properties not strictly enforced by the C type system. 426bool Sema::CheckFunctionCall(FunctionDecl *FDecl, CallExpr *TheCall) { 427 // Get the IdentifierInfo* for the called function. 428 IdentifierInfo *FnInfo = FDecl->getIdentifier(); 429 430 // None of the checks below are needed for functions that don't have 431 // simple names (e.g., C++ conversion functions). 432 if (!FnInfo) 433 return false; 434 435 // FIXME: This mechanism should be abstracted to be less fragile and 436 // more efficient. For example, just map function ids to custom 437 // handlers. 438 439 // Printf and scanf checking. 440 for (specific_attr_iterator<FormatAttr> 441 i = FDecl->specific_attr_begin<FormatAttr>(), 442 e = FDecl->specific_attr_end<FormatAttr>(); i != e ; ++i) { 443 CheckFormatArguments(*i, TheCall); 444 } 445 446 for (specific_attr_iterator<NonNullAttr> 447 i = FDecl->specific_attr_begin<NonNullAttr>(), 448 e = FDecl->specific_attr_end<NonNullAttr>(); i != e; ++i) { 449 CheckNonNullArguments(*i, TheCall->getArgs(), 450 TheCall->getCallee()->getLocStart()); 451 } 452 453 unsigned CMId = FDecl->getMemoryFunctionKind(); 454 if (CMId == 0) 455 return false; 456 457 // Handle memory setting and copying functions. 458 if (CMId == Builtin::BIstrlcpy || CMId == Builtin::BIstrlcat) 459 CheckStrlcpycatArguments(TheCall, FnInfo); 460 else if (CMId == Builtin::BIstrncat) 461 CheckStrncatArguments(TheCall, FnInfo); 462 else 463 CheckMemaccessArguments(TheCall, CMId, FnInfo); 464 465 return false; 466} 467 468bool Sema::CheckObjCMethodCall(ObjCMethodDecl *Method, SourceLocation lbrac, 469 Expr **Args, unsigned NumArgs) { 470 for (specific_attr_iterator<FormatAttr> 471 i = Method->specific_attr_begin<FormatAttr>(), 472 e = Method->specific_attr_end<FormatAttr>(); i != e ; ++i) { 473 474 CheckFormatArguments(*i, Args, NumArgs, false, lbrac, 475 Method->getSourceRange()); 476 } 477 478 // diagnose nonnull arguments. 479 for (specific_attr_iterator<NonNullAttr> 480 i = Method->specific_attr_begin<NonNullAttr>(), 481 e = Method->specific_attr_end<NonNullAttr>(); i != e; ++i) { 482 CheckNonNullArguments(*i, Args, lbrac); 483 } 484 485 return false; 486} 487 488bool Sema::CheckBlockCall(NamedDecl *NDecl, CallExpr *TheCall) { 489 const VarDecl *V = dyn_cast<VarDecl>(NDecl); 490 if (!V) 491 return false; 492 493 QualType Ty = V->getType(); 494 if (!Ty->isBlockPointerType()) 495 return false; 496 497 // format string checking. 498 for (specific_attr_iterator<FormatAttr> 499 i = NDecl->specific_attr_begin<FormatAttr>(), 500 e = NDecl->specific_attr_end<FormatAttr>(); i != e ; ++i) { 501 CheckFormatArguments(*i, TheCall); 502 } 503 504 return false; 505} 506 507ExprResult 508Sema::SemaAtomicOpsOverloaded(ExprResult TheCallResult, AtomicExpr::AtomicOp Op) { 509 CallExpr *TheCall = cast<CallExpr>(TheCallResult.get()); 510 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 511 512 // All these operations take one of the following four forms: 513 // T __atomic_load(_Atomic(T)*, int) (loads) 514 // T* __atomic_add(_Atomic(T*)*, ptrdiff_t, int) (pointer add/sub) 515 // int __atomic_compare_exchange_strong(_Atomic(T)*, T*, T, int, int) 516 // (cmpxchg) 517 // T __atomic_exchange(_Atomic(T)*, T, int) (everything else) 518 // where T is an appropriate type, and the int paremeterss are for orderings. 519 unsigned NumVals = 1; 520 unsigned NumOrders = 1; 521 if (Op == AtomicExpr::Load) { 522 NumVals = 0; 523 } else if (Op == AtomicExpr::CmpXchgWeak || Op == AtomicExpr::CmpXchgStrong) { 524 NumVals = 2; 525 NumOrders = 2; 526 } 527 if (Op == AtomicExpr::Init) 528 NumOrders = 0; 529 530 if (TheCall->getNumArgs() < NumVals+NumOrders+1) { 531 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 532 << 0 << NumVals+NumOrders+1 << TheCall->getNumArgs() 533 << TheCall->getCallee()->getSourceRange(); 534 return ExprError(); 535 } else if (TheCall->getNumArgs() > NumVals+NumOrders+1) { 536 Diag(TheCall->getArg(NumVals+NumOrders+1)->getLocStart(), 537 diag::err_typecheck_call_too_many_args) 538 << 0 << NumVals+NumOrders+1 << TheCall->getNumArgs() 539 << TheCall->getCallee()->getSourceRange(); 540 return ExprError(); 541 } 542 543 // Inspect the first argument of the atomic operation. This should always be 544 // a pointer to an _Atomic type. 545 Expr *Ptr = TheCall->getArg(0); 546 Ptr = DefaultFunctionArrayLvalueConversion(Ptr).get(); 547 const PointerType *pointerType = Ptr->getType()->getAs<PointerType>(); 548 if (!pointerType) { 549 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic) 550 << Ptr->getType() << Ptr->getSourceRange(); 551 return ExprError(); 552 } 553 554 QualType AtomTy = pointerType->getPointeeType(); 555 if (!AtomTy->isAtomicType()) { 556 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic) 557 << Ptr->getType() << Ptr->getSourceRange(); 558 return ExprError(); 559 } 560 QualType ValType = AtomTy->getAs<AtomicType>()->getValueType(); 561 562 if ((Op == AtomicExpr::Add || Op == AtomicExpr::Sub) && 563 !ValType->isIntegerType() && !ValType->isPointerType()) { 564 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic_int_or_ptr) 565 << Ptr->getType() << Ptr->getSourceRange(); 566 return ExprError(); 567 } 568 569 if (!ValType->isIntegerType() && 570 (Op == AtomicExpr::And || Op == AtomicExpr::Or || Op == AtomicExpr::Xor)){ 571 Diag(DRE->getLocStart(), diag::err_atomic_op_logical_needs_atomic_int) 572 << Ptr->getType() << Ptr->getSourceRange(); 573 return ExprError(); 574 } 575 576 switch (ValType.getObjCLifetime()) { 577 case Qualifiers::OCL_None: 578 case Qualifiers::OCL_ExplicitNone: 579 // okay 580 break; 581 582 case Qualifiers::OCL_Weak: 583 case Qualifiers::OCL_Strong: 584 case Qualifiers::OCL_Autoreleasing: 585 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 586 << ValType << Ptr->getSourceRange(); 587 return ExprError(); 588 } 589 590 QualType ResultType = ValType; 591 if (Op == AtomicExpr::Store || Op == AtomicExpr::Init) 592 ResultType = Context.VoidTy; 593 else if (Op == AtomicExpr::CmpXchgWeak || Op == AtomicExpr::CmpXchgStrong) 594 ResultType = Context.BoolTy; 595 596 // The first argument --- the pointer --- has a fixed type; we 597 // deduce the types of the rest of the arguments accordingly. Walk 598 // the remaining arguments, converting them to the deduced value type. 599 for (unsigned i = 1; i != NumVals+NumOrders+1; ++i) { 600 ExprResult Arg = TheCall->getArg(i); 601 QualType Ty; 602 if (i < NumVals+1) { 603 // The second argument to a cmpxchg is a pointer to the data which will 604 // be exchanged. The second argument to a pointer add/subtract is the 605 // amount to add/subtract, which must be a ptrdiff_t. The third 606 // argument to a cmpxchg and the second argument in all other cases 607 // is the type of the value. 608 if (i == 1 && (Op == AtomicExpr::CmpXchgWeak || 609 Op == AtomicExpr::CmpXchgStrong)) 610 Ty = Context.getPointerType(ValType.getUnqualifiedType()); 611 else if (!ValType->isIntegerType() && 612 (Op == AtomicExpr::Add || Op == AtomicExpr::Sub)) 613 Ty = Context.getPointerDiffType(); 614 else 615 Ty = ValType; 616 } else { 617 // The order(s) are always converted to int. 618 Ty = Context.IntTy; 619 } 620 InitializedEntity Entity = 621 InitializedEntity::InitializeParameter(Context, Ty, false); 622 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg); 623 if (Arg.isInvalid()) 624 return true; 625 TheCall->setArg(i, Arg.get()); 626 } 627 628 SmallVector<Expr*, 5> SubExprs; 629 SubExprs.push_back(Ptr); 630 if (Op == AtomicExpr::Load) { 631 SubExprs.push_back(TheCall->getArg(1)); // Order 632 } else if (Op == AtomicExpr::Init) { 633 SubExprs.push_back(TheCall->getArg(1)); // Val1 634 } else if (Op != AtomicExpr::CmpXchgWeak && Op != AtomicExpr::CmpXchgStrong) { 635 SubExprs.push_back(TheCall->getArg(2)); // Order 636 SubExprs.push_back(TheCall->getArg(1)); // Val1 637 } else { 638 SubExprs.push_back(TheCall->getArg(3)); // Order 639 SubExprs.push_back(TheCall->getArg(1)); // Val1 640 SubExprs.push_back(TheCall->getArg(4)); // OrderFail 641 SubExprs.push_back(TheCall->getArg(2)); // Val2 642 } 643 644 return Owned(new (Context) AtomicExpr(TheCall->getCallee()->getLocStart(), 645 SubExprs.data(), SubExprs.size(), 646 ResultType, Op, 647 TheCall->getRParenLoc())); 648} 649 650 651/// checkBuiltinArgument - Given a call to a builtin function, perform 652/// normal type-checking on the given argument, updating the call in 653/// place. This is useful when a builtin function requires custom 654/// type-checking for some of its arguments but not necessarily all of 655/// them. 656/// 657/// Returns true on error. 658static bool checkBuiltinArgument(Sema &S, CallExpr *E, unsigned ArgIndex) { 659 FunctionDecl *Fn = E->getDirectCallee(); 660 assert(Fn && "builtin call without direct callee!"); 661 662 ParmVarDecl *Param = Fn->getParamDecl(ArgIndex); 663 InitializedEntity Entity = 664 InitializedEntity::InitializeParameter(S.Context, Param); 665 666 ExprResult Arg = E->getArg(0); 667 Arg = S.PerformCopyInitialization(Entity, SourceLocation(), Arg); 668 if (Arg.isInvalid()) 669 return true; 670 671 E->setArg(ArgIndex, Arg.take()); 672 return false; 673} 674 675/// SemaBuiltinAtomicOverloaded - We have a call to a function like 676/// __sync_fetch_and_add, which is an overloaded function based on the pointer 677/// type of its first argument. The main ActOnCallExpr routines have already 678/// promoted the types of arguments because all of these calls are prototyped as 679/// void(...). 680/// 681/// This function goes through and does final semantic checking for these 682/// builtins, 683ExprResult 684Sema::SemaBuiltinAtomicOverloaded(ExprResult TheCallResult) { 685 CallExpr *TheCall = (CallExpr *)TheCallResult.get(); 686 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 687 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 688 689 // Ensure that we have at least one argument to do type inference from. 690 if (TheCall->getNumArgs() < 1) { 691 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 692 << 0 << 1 << TheCall->getNumArgs() 693 << TheCall->getCallee()->getSourceRange(); 694 return ExprError(); 695 } 696 697 // Inspect the first argument of the atomic builtin. This should always be 698 // a pointer type, whose element is an integral scalar or pointer type. 699 // Because it is a pointer type, we don't have to worry about any implicit 700 // casts here. 701 // FIXME: We don't allow floating point scalars as input. 702 Expr *FirstArg = TheCall->getArg(0); 703 ExprResult FirstArgResult = DefaultFunctionArrayLvalueConversion(FirstArg); 704 if (FirstArgResult.isInvalid()) 705 return ExprError(); 706 FirstArg = FirstArgResult.take(); 707 TheCall->setArg(0, FirstArg); 708 709 const PointerType *pointerType = FirstArg->getType()->getAs<PointerType>(); 710 if (!pointerType) { 711 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 712 << FirstArg->getType() << FirstArg->getSourceRange(); 713 return ExprError(); 714 } 715 716 QualType ValType = pointerType->getPointeeType(); 717 if (!ValType->isIntegerType() && !ValType->isAnyPointerType() && 718 !ValType->isBlockPointerType()) { 719 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer_intptr) 720 << FirstArg->getType() << FirstArg->getSourceRange(); 721 return ExprError(); 722 } 723 724 switch (ValType.getObjCLifetime()) { 725 case Qualifiers::OCL_None: 726 case Qualifiers::OCL_ExplicitNone: 727 // okay 728 break; 729 730 case Qualifiers::OCL_Weak: 731 case Qualifiers::OCL_Strong: 732 case Qualifiers::OCL_Autoreleasing: 733 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 734 << ValType << FirstArg->getSourceRange(); 735 return ExprError(); 736 } 737 738 // Strip any qualifiers off ValType. 739 ValType = ValType.getUnqualifiedType(); 740 741 // The majority of builtins return a value, but a few have special return 742 // types, so allow them to override appropriately below. 743 QualType ResultType = ValType; 744 745 // We need to figure out which concrete builtin this maps onto. For example, 746 // __sync_fetch_and_add with a 2 byte object turns into 747 // __sync_fetch_and_add_2. 748#define BUILTIN_ROW(x) \ 749 { Builtin::BI##x##_1, Builtin::BI##x##_2, Builtin::BI##x##_4, \ 750 Builtin::BI##x##_8, Builtin::BI##x##_16 } 751 752 static const unsigned BuiltinIndices[][5] = { 753 BUILTIN_ROW(__sync_fetch_and_add), 754 BUILTIN_ROW(__sync_fetch_and_sub), 755 BUILTIN_ROW(__sync_fetch_and_or), 756 BUILTIN_ROW(__sync_fetch_and_and), 757 BUILTIN_ROW(__sync_fetch_and_xor), 758 759 BUILTIN_ROW(__sync_add_and_fetch), 760 BUILTIN_ROW(__sync_sub_and_fetch), 761 BUILTIN_ROW(__sync_and_and_fetch), 762 BUILTIN_ROW(__sync_or_and_fetch), 763 BUILTIN_ROW(__sync_xor_and_fetch), 764 765 BUILTIN_ROW(__sync_val_compare_and_swap), 766 BUILTIN_ROW(__sync_bool_compare_and_swap), 767 BUILTIN_ROW(__sync_lock_test_and_set), 768 BUILTIN_ROW(__sync_lock_release), 769 BUILTIN_ROW(__sync_swap) 770 }; 771#undef BUILTIN_ROW 772 773 // Determine the index of the size. 774 unsigned SizeIndex; 775 switch (Context.getTypeSizeInChars(ValType).getQuantity()) { 776 case 1: SizeIndex = 0; break; 777 case 2: SizeIndex = 1; break; 778 case 4: SizeIndex = 2; break; 779 case 8: SizeIndex = 3; break; 780 case 16: SizeIndex = 4; break; 781 default: 782 Diag(DRE->getLocStart(), diag::err_atomic_builtin_pointer_size) 783 << FirstArg->getType() << FirstArg->getSourceRange(); 784 return ExprError(); 785 } 786 787 // Each of these builtins has one pointer argument, followed by some number of 788 // values (0, 1 or 2) followed by a potentially empty varags list of stuff 789 // that we ignore. Find out which row of BuiltinIndices to read from as well 790 // as the number of fixed args. 791 unsigned BuiltinID = FDecl->getBuiltinID(); 792 unsigned BuiltinIndex, NumFixed = 1; 793 switch (BuiltinID) { 794 default: llvm_unreachable("Unknown overloaded atomic builtin!"); 795 case Builtin::BI__sync_fetch_and_add: 796 case Builtin::BI__sync_fetch_and_add_1: 797 case Builtin::BI__sync_fetch_and_add_2: 798 case Builtin::BI__sync_fetch_and_add_4: 799 case Builtin::BI__sync_fetch_and_add_8: 800 case Builtin::BI__sync_fetch_and_add_16: 801 BuiltinIndex = 0; 802 break; 803 804 case Builtin::BI__sync_fetch_and_sub: 805 case Builtin::BI__sync_fetch_and_sub_1: 806 case Builtin::BI__sync_fetch_and_sub_2: 807 case Builtin::BI__sync_fetch_and_sub_4: 808 case Builtin::BI__sync_fetch_and_sub_8: 809 case Builtin::BI__sync_fetch_and_sub_16: 810 BuiltinIndex = 1; 811 break; 812 813 case Builtin::BI__sync_fetch_and_or: 814 case Builtin::BI__sync_fetch_and_or_1: 815 case Builtin::BI__sync_fetch_and_or_2: 816 case Builtin::BI__sync_fetch_and_or_4: 817 case Builtin::BI__sync_fetch_and_or_8: 818 case Builtin::BI__sync_fetch_and_or_16: 819 BuiltinIndex = 2; 820 break; 821 822 case Builtin::BI__sync_fetch_and_and: 823 case Builtin::BI__sync_fetch_and_and_1: 824 case Builtin::BI__sync_fetch_and_and_2: 825 case Builtin::BI__sync_fetch_and_and_4: 826 case Builtin::BI__sync_fetch_and_and_8: 827 case Builtin::BI__sync_fetch_and_and_16: 828 BuiltinIndex = 3; 829 break; 830 831 case Builtin::BI__sync_fetch_and_xor: 832 case Builtin::BI__sync_fetch_and_xor_1: 833 case Builtin::BI__sync_fetch_and_xor_2: 834 case Builtin::BI__sync_fetch_and_xor_4: 835 case Builtin::BI__sync_fetch_and_xor_8: 836 case Builtin::BI__sync_fetch_and_xor_16: 837 BuiltinIndex = 4; 838 break; 839 840 case Builtin::BI__sync_add_and_fetch: 841 case Builtin::BI__sync_add_and_fetch_1: 842 case Builtin::BI__sync_add_and_fetch_2: 843 case Builtin::BI__sync_add_and_fetch_4: 844 case Builtin::BI__sync_add_and_fetch_8: 845 case Builtin::BI__sync_add_and_fetch_16: 846 BuiltinIndex = 5; 847 break; 848 849 case Builtin::BI__sync_sub_and_fetch: 850 case Builtin::BI__sync_sub_and_fetch_1: 851 case Builtin::BI__sync_sub_and_fetch_2: 852 case Builtin::BI__sync_sub_and_fetch_4: 853 case Builtin::BI__sync_sub_and_fetch_8: 854 case Builtin::BI__sync_sub_and_fetch_16: 855 BuiltinIndex = 6; 856 break; 857 858 case Builtin::BI__sync_and_and_fetch: 859 case Builtin::BI__sync_and_and_fetch_1: 860 case Builtin::BI__sync_and_and_fetch_2: 861 case Builtin::BI__sync_and_and_fetch_4: 862 case Builtin::BI__sync_and_and_fetch_8: 863 case Builtin::BI__sync_and_and_fetch_16: 864 BuiltinIndex = 7; 865 break; 866 867 case Builtin::BI__sync_or_and_fetch: 868 case Builtin::BI__sync_or_and_fetch_1: 869 case Builtin::BI__sync_or_and_fetch_2: 870 case Builtin::BI__sync_or_and_fetch_4: 871 case Builtin::BI__sync_or_and_fetch_8: 872 case Builtin::BI__sync_or_and_fetch_16: 873 BuiltinIndex = 8; 874 break; 875 876 case Builtin::BI__sync_xor_and_fetch: 877 case Builtin::BI__sync_xor_and_fetch_1: 878 case Builtin::BI__sync_xor_and_fetch_2: 879 case Builtin::BI__sync_xor_and_fetch_4: 880 case Builtin::BI__sync_xor_and_fetch_8: 881 case Builtin::BI__sync_xor_and_fetch_16: 882 BuiltinIndex = 9; 883 break; 884 885 case Builtin::BI__sync_val_compare_and_swap: 886 case Builtin::BI__sync_val_compare_and_swap_1: 887 case Builtin::BI__sync_val_compare_and_swap_2: 888 case Builtin::BI__sync_val_compare_and_swap_4: 889 case Builtin::BI__sync_val_compare_and_swap_8: 890 case Builtin::BI__sync_val_compare_and_swap_16: 891 BuiltinIndex = 10; 892 NumFixed = 2; 893 break; 894 895 case Builtin::BI__sync_bool_compare_and_swap: 896 case Builtin::BI__sync_bool_compare_and_swap_1: 897 case Builtin::BI__sync_bool_compare_and_swap_2: 898 case Builtin::BI__sync_bool_compare_and_swap_4: 899 case Builtin::BI__sync_bool_compare_and_swap_8: 900 case Builtin::BI__sync_bool_compare_and_swap_16: 901 BuiltinIndex = 11; 902 NumFixed = 2; 903 ResultType = Context.BoolTy; 904 break; 905 906 case Builtin::BI__sync_lock_test_and_set: 907 case Builtin::BI__sync_lock_test_and_set_1: 908 case Builtin::BI__sync_lock_test_and_set_2: 909 case Builtin::BI__sync_lock_test_and_set_4: 910 case Builtin::BI__sync_lock_test_and_set_8: 911 case Builtin::BI__sync_lock_test_and_set_16: 912 BuiltinIndex = 12; 913 break; 914 915 case Builtin::BI__sync_lock_release: 916 case Builtin::BI__sync_lock_release_1: 917 case Builtin::BI__sync_lock_release_2: 918 case Builtin::BI__sync_lock_release_4: 919 case Builtin::BI__sync_lock_release_8: 920 case Builtin::BI__sync_lock_release_16: 921 BuiltinIndex = 13; 922 NumFixed = 0; 923 ResultType = Context.VoidTy; 924 break; 925 926 case Builtin::BI__sync_swap: 927 case Builtin::BI__sync_swap_1: 928 case Builtin::BI__sync_swap_2: 929 case Builtin::BI__sync_swap_4: 930 case Builtin::BI__sync_swap_8: 931 case Builtin::BI__sync_swap_16: 932 BuiltinIndex = 14; 933 break; 934 } 935 936 // Now that we know how many fixed arguments we expect, first check that we 937 // have at least that many. 938 if (TheCall->getNumArgs() < 1+NumFixed) { 939 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 940 << 0 << 1+NumFixed << TheCall->getNumArgs() 941 << TheCall->getCallee()->getSourceRange(); 942 return ExprError(); 943 } 944 945 // Get the decl for the concrete builtin from this, we can tell what the 946 // concrete integer type we should convert to is. 947 unsigned NewBuiltinID = BuiltinIndices[BuiltinIndex][SizeIndex]; 948 const char *NewBuiltinName = Context.BuiltinInfo.GetName(NewBuiltinID); 949 IdentifierInfo *NewBuiltinII = PP.getIdentifierInfo(NewBuiltinName); 950 FunctionDecl *NewBuiltinDecl = 951 cast<FunctionDecl>(LazilyCreateBuiltin(NewBuiltinII, NewBuiltinID, 952 TUScope, false, DRE->getLocStart())); 953 954 // The first argument --- the pointer --- has a fixed type; we 955 // deduce the types of the rest of the arguments accordingly. Walk 956 // the remaining arguments, converting them to the deduced value type. 957 for (unsigned i = 0; i != NumFixed; ++i) { 958 ExprResult Arg = TheCall->getArg(i+1); 959 960 // GCC does an implicit conversion to the pointer or integer ValType. This 961 // can fail in some cases (1i -> int**), check for this error case now. 962 // Initialize the argument. 963 InitializedEntity Entity = InitializedEntity::InitializeParameter(Context, 964 ValType, /*consume*/ false); 965 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg); 966 if (Arg.isInvalid()) 967 return ExprError(); 968 969 // Okay, we have something that *can* be converted to the right type. Check 970 // to see if there is a potentially weird extension going on here. This can 971 // happen when you do an atomic operation on something like an char* and 972 // pass in 42. The 42 gets converted to char. This is even more strange 973 // for things like 45.123 -> char, etc. 974 // FIXME: Do this check. 975 TheCall->setArg(i+1, Arg.take()); 976 } 977 978 ASTContext& Context = this->getASTContext(); 979 980 // Create a new DeclRefExpr to refer to the new decl. 981 DeclRefExpr* NewDRE = DeclRefExpr::Create( 982 Context, 983 DRE->getQualifierLoc(), 984 SourceLocation(), 985 NewBuiltinDecl, 986 /*enclosing*/ false, 987 DRE->getLocation(), 988 NewBuiltinDecl->getType(), 989 DRE->getValueKind()); 990 991 // Set the callee in the CallExpr. 992 // FIXME: This leaks the original parens and implicit casts. 993 ExprResult PromotedCall = UsualUnaryConversions(NewDRE); 994 if (PromotedCall.isInvalid()) 995 return ExprError(); 996 TheCall->setCallee(PromotedCall.take()); 997 998 // Change the result type of the call to match the original value type. This 999 // is arbitrary, but the codegen for these builtins ins design to handle it 1000 // gracefully. 1001 TheCall->setType(ResultType); 1002 1003 return move(TheCallResult); 1004} 1005 1006/// CheckObjCString - Checks that the argument to the builtin 1007/// CFString constructor is correct 1008/// Note: It might also make sense to do the UTF-16 conversion here (would 1009/// simplify the backend). 1010bool Sema::CheckObjCString(Expr *Arg) { 1011 Arg = Arg->IgnoreParenCasts(); 1012 StringLiteral *Literal = dyn_cast<StringLiteral>(Arg); 1013 1014 if (!Literal || !Literal->isAscii()) { 1015 Diag(Arg->getLocStart(), diag::err_cfstring_literal_not_string_constant) 1016 << Arg->getSourceRange(); 1017 return true; 1018 } 1019 1020 if (Literal->containsNonAsciiOrNull()) { 1021 StringRef String = Literal->getString(); 1022 unsigned NumBytes = String.size(); 1023 SmallVector<UTF16, 128> ToBuf(NumBytes); 1024 const UTF8 *FromPtr = (UTF8 *)String.data(); 1025 UTF16 *ToPtr = &ToBuf[0]; 1026 1027 ConversionResult Result = ConvertUTF8toUTF16(&FromPtr, FromPtr + NumBytes, 1028 &ToPtr, ToPtr + NumBytes, 1029 strictConversion); 1030 // Check for conversion failure. 1031 if (Result != conversionOK) 1032 Diag(Arg->getLocStart(), 1033 diag::warn_cfstring_truncated) << Arg->getSourceRange(); 1034 } 1035 return false; 1036} 1037 1038/// SemaBuiltinVAStart - Check the arguments to __builtin_va_start for validity. 1039/// Emit an error and return true on failure, return false on success. 1040bool Sema::SemaBuiltinVAStart(CallExpr *TheCall) { 1041 Expr *Fn = TheCall->getCallee(); 1042 if (TheCall->getNumArgs() > 2) { 1043 Diag(TheCall->getArg(2)->getLocStart(), 1044 diag::err_typecheck_call_too_many_args) 1045 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 1046 << Fn->getSourceRange() 1047 << SourceRange(TheCall->getArg(2)->getLocStart(), 1048 (*(TheCall->arg_end()-1))->getLocEnd()); 1049 return true; 1050 } 1051 1052 if (TheCall->getNumArgs() < 2) { 1053 return Diag(TheCall->getLocEnd(), 1054 diag::err_typecheck_call_too_few_args_at_least) 1055 << 0 /*function call*/ << 2 << TheCall->getNumArgs(); 1056 } 1057 1058 // Type-check the first argument normally. 1059 if (checkBuiltinArgument(*this, TheCall, 0)) 1060 return true; 1061 1062 // Determine whether the current function is variadic or not. 1063 BlockScopeInfo *CurBlock = getCurBlock(); 1064 bool isVariadic; 1065 if (CurBlock) 1066 isVariadic = CurBlock->TheDecl->isVariadic(); 1067 else if (FunctionDecl *FD = getCurFunctionDecl()) 1068 isVariadic = FD->isVariadic(); 1069 else 1070 isVariadic = getCurMethodDecl()->isVariadic(); 1071 1072 if (!isVariadic) { 1073 Diag(Fn->getLocStart(), diag::err_va_start_used_in_non_variadic_function); 1074 return true; 1075 } 1076 1077 // Verify that the second argument to the builtin is the last argument of the 1078 // current function or method. 1079 bool SecondArgIsLastNamedArgument = false; 1080 const Expr *Arg = TheCall->getArg(1)->IgnoreParenCasts(); 1081 1082 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Arg)) { 1083 if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(DR->getDecl())) { 1084 // FIXME: This isn't correct for methods (results in bogus warning). 1085 // Get the last formal in the current function. 1086 const ParmVarDecl *LastArg; 1087 if (CurBlock) 1088 LastArg = *(CurBlock->TheDecl->param_end()-1); 1089 else if (FunctionDecl *FD = getCurFunctionDecl()) 1090 LastArg = *(FD->param_end()-1); 1091 else 1092 LastArg = *(getCurMethodDecl()->param_end()-1); 1093 SecondArgIsLastNamedArgument = PV == LastArg; 1094 } 1095 } 1096 1097 if (!SecondArgIsLastNamedArgument) 1098 Diag(TheCall->getArg(1)->getLocStart(), 1099 diag::warn_second_parameter_of_va_start_not_last_named_argument); 1100 return false; 1101} 1102 1103/// SemaBuiltinUnorderedCompare - Handle functions like __builtin_isgreater and 1104/// friends. This is declared to take (...), so we have to check everything. 1105bool Sema::SemaBuiltinUnorderedCompare(CallExpr *TheCall) { 1106 if (TheCall->getNumArgs() < 2) 1107 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 1108 << 0 << 2 << TheCall->getNumArgs()/*function call*/; 1109 if (TheCall->getNumArgs() > 2) 1110 return Diag(TheCall->getArg(2)->getLocStart(), 1111 diag::err_typecheck_call_too_many_args) 1112 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 1113 << SourceRange(TheCall->getArg(2)->getLocStart(), 1114 (*(TheCall->arg_end()-1))->getLocEnd()); 1115 1116 ExprResult OrigArg0 = TheCall->getArg(0); 1117 ExprResult OrigArg1 = TheCall->getArg(1); 1118 1119 // Do standard promotions between the two arguments, returning their common 1120 // type. 1121 QualType Res = UsualArithmeticConversions(OrigArg0, OrigArg1, false); 1122 if (OrigArg0.isInvalid() || OrigArg1.isInvalid()) 1123 return true; 1124 1125 // Make sure any conversions are pushed back into the call; this is 1126 // type safe since unordered compare builtins are declared as "_Bool 1127 // foo(...)". 1128 TheCall->setArg(0, OrigArg0.get()); 1129 TheCall->setArg(1, OrigArg1.get()); 1130 1131 if (OrigArg0.get()->isTypeDependent() || OrigArg1.get()->isTypeDependent()) 1132 return false; 1133 1134 // If the common type isn't a real floating type, then the arguments were 1135 // invalid for this operation. 1136 if (!Res->isRealFloatingType()) 1137 return Diag(OrigArg0.get()->getLocStart(), 1138 diag::err_typecheck_call_invalid_ordered_compare) 1139 << OrigArg0.get()->getType() << OrigArg1.get()->getType() 1140 << SourceRange(OrigArg0.get()->getLocStart(), OrigArg1.get()->getLocEnd()); 1141 1142 return false; 1143} 1144 1145/// SemaBuiltinSemaBuiltinFPClassification - Handle functions like 1146/// __builtin_isnan and friends. This is declared to take (...), so we have 1147/// to check everything. We expect the last argument to be a floating point 1148/// value. 1149bool Sema::SemaBuiltinFPClassification(CallExpr *TheCall, unsigned NumArgs) { 1150 if (TheCall->getNumArgs() < NumArgs) 1151 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 1152 << 0 << NumArgs << TheCall->getNumArgs()/*function call*/; 1153 if (TheCall->getNumArgs() > NumArgs) 1154 return Diag(TheCall->getArg(NumArgs)->getLocStart(), 1155 diag::err_typecheck_call_too_many_args) 1156 << 0 /*function call*/ << NumArgs << TheCall->getNumArgs() 1157 << SourceRange(TheCall->getArg(NumArgs)->getLocStart(), 1158 (*(TheCall->arg_end()-1))->getLocEnd()); 1159 1160 Expr *OrigArg = TheCall->getArg(NumArgs-1); 1161 1162 if (OrigArg->isTypeDependent()) 1163 return false; 1164 1165 // This operation requires a non-_Complex floating-point number. 1166 if (!OrigArg->getType()->isRealFloatingType()) 1167 return Diag(OrigArg->getLocStart(), 1168 diag::err_typecheck_call_invalid_unary_fp) 1169 << OrigArg->getType() << OrigArg->getSourceRange(); 1170 1171 // If this is an implicit conversion from float -> double, remove it. 1172 if (ImplicitCastExpr *Cast = dyn_cast<ImplicitCastExpr>(OrigArg)) { 1173 Expr *CastArg = Cast->getSubExpr(); 1174 if (CastArg->getType()->isSpecificBuiltinType(BuiltinType::Float)) { 1175 assert(Cast->getType()->isSpecificBuiltinType(BuiltinType::Double) && 1176 "promotion from float to double is the only expected cast here"); 1177 Cast->setSubExpr(0); 1178 TheCall->setArg(NumArgs-1, CastArg); 1179 } 1180 } 1181 1182 return false; 1183} 1184 1185/// SemaBuiltinShuffleVector - Handle __builtin_shufflevector. 1186// This is declared to take (...), so we have to check everything. 1187ExprResult Sema::SemaBuiltinShuffleVector(CallExpr *TheCall) { 1188 if (TheCall->getNumArgs() < 2) 1189 return ExprError(Diag(TheCall->getLocEnd(), 1190 diag::err_typecheck_call_too_few_args_at_least) 1191 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 1192 << TheCall->getSourceRange()); 1193 1194 // Determine which of the following types of shufflevector we're checking: 1195 // 1) unary, vector mask: (lhs, mask) 1196 // 2) binary, vector mask: (lhs, rhs, mask) 1197 // 3) binary, scalar mask: (lhs, rhs, index, ..., index) 1198 QualType resType = TheCall->getArg(0)->getType(); 1199 unsigned numElements = 0; 1200 1201 if (!TheCall->getArg(0)->isTypeDependent() && 1202 !TheCall->getArg(1)->isTypeDependent()) { 1203 QualType LHSType = TheCall->getArg(0)->getType(); 1204 QualType RHSType = TheCall->getArg(1)->getType(); 1205 1206 if (!LHSType->isVectorType() || !RHSType->isVectorType()) { 1207 Diag(TheCall->getLocStart(), diag::err_shufflevector_non_vector) 1208 << SourceRange(TheCall->getArg(0)->getLocStart(), 1209 TheCall->getArg(1)->getLocEnd()); 1210 return ExprError(); 1211 } 1212 1213 numElements = LHSType->getAs<VectorType>()->getNumElements(); 1214 unsigned numResElements = TheCall->getNumArgs() - 2; 1215 1216 // Check to see if we have a call with 2 vector arguments, the unary shuffle 1217 // with mask. If so, verify that RHS is an integer vector type with the 1218 // same number of elts as lhs. 1219 if (TheCall->getNumArgs() == 2) { 1220 if (!RHSType->hasIntegerRepresentation() || 1221 RHSType->getAs<VectorType>()->getNumElements() != numElements) 1222 Diag(TheCall->getLocStart(), diag::err_shufflevector_incompatible_vector) 1223 << SourceRange(TheCall->getArg(1)->getLocStart(), 1224 TheCall->getArg(1)->getLocEnd()); 1225 numResElements = numElements; 1226 } 1227 else if (!Context.hasSameUnqualifiedType(LHSType, RHSType)) { 1228 Diag(TheCall->getLocStart(), diag::err_shufflevector_incompatible_vector) 1229 << SourceRange(TheCall->getArg(0)->getLocStart(), 1230 TheCall->getArg(1)->getLocEnd()); 1231 return ExprError(); 1232 } else if (numElements != numResElements) { 1233 QualType eltType = LHSType->getAs<VectorType>()->getElementType(); 1234 resType = Context.getVectorType(eltType, numResElements, 1235 VectorType::GenericVector); 1236 } 1237 } 1238 1239 for (unsigned i = 2; i < TheCall->getNumArgs(); i++) { 1240 if (TheCall->getArg(i)->isTypeDependent() || 1241 TheCall->getArg(i)->isValueDependent()) 1242 continue; 1243 1244 llvm::APSInt Result(32); 1245 if (!TheCall->getArg(i)->isIntegerConstantExpr(Result, Context)) 1246 return ExprError(Diag(TheCall->getLocStart(), 1247 diag::err_shufflevector_nonconstant_argument) 1248 << TheCall->getArg(i)->getSourceRange()); 1249 1250 if (Result.getActiveBits() > 64 || Result.getZExtValue() >= numElements*2) 1251 return ExprError(Diag(TheCall->getLocStart(), 1252 diag::err_shufflevector_argument_too_large) 1253 << TheCall->getArg(i)->getSourceRange()); 1254 } 1255 1256 SmallVector<Expr*, 32> exprs; 1257 1258 for (unsigned i = 0, e = TheCall->getNumArgs(); i != e; i++) { 1259 exprs.push_back(TheCall->getArg(i)); 1260 TheCall->setArg(i, 0); 1261 } 1262 1263 return Owned(new (Context) ShuffleVectorExpr(Context, exprs.begin(), 1264 exprs.size(), resType, 1265 TheCall->getCallee()->getLocStart(), 1266 TheCall->getRParenLoc())); 1267} 1268 1269/// SemaBuiltinPrefetch - Handle __builtin_prefetch. 1270// This is declared to take (const void*, ...) and can take two 1271// optional constant int args. 1272bool Sema::SemaBuiltinPrefetch(CallExpr *TheCall) { 1273 unsigned NumArgs = TheCall->getNumArgs(); 1274 1275 if (NumArgs > 3) 1276 return Diag(TheCall->getLocEnd(), 1277 diag::err_typecheck_call_too_many_args_at_most) 1278 << 0 /*function call*/ << 3 << NumArgs 1279 << TheCall->getSourceRange(); 1280 1281 // Argument 0 is checked for us and the remaining arguments must be 1282 // constant integers. 1283 for (unsigned i = 1; i != NumArgs; ++i) { 1284 Expr *Arg = TheCall->getArg(i); 1285 1286 llvm::APSInt Result; 1287 if (SemaBuiltinConstantArg(TheCall, i, Result)) 1288 return true; 1289 1290 // FIXME: gcc issues a warning and rewrites these to 0. These 1291 // seems especially odd for the third argument since the default 1292 // is 3. 1293 if (i == 1) { 1294 if (Result.getLimitedValue() > 1) 1295 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 1296 << "0" << "1" << Arg->getSourceRange(); 1297 } else { 1298 if (Result.getLimitedValue() > 3) 1299 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 1300 << "0" << "3" << Arg->getSourceRange(); 1301 } 1302 } 1303 1304 return false; 1305} 1306 1307/// SemaBuiltinConstantArg - Handle a check if argument ArgNum of CallExpr 1308/// TheCall is a constant expression. 1309bool Sema::SemaBuiltinConstantArg(CallExpr *TheCall, int ArgNum, 1310 llvm::APSInt &Result) { 1311 Expr *Arg = TheCall->getArg(ArgNum); 1312 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 1313 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 1314 1315 if (Arg->isTypeDependent() || Arg->isValueDependent()) return false; 1316 1317 if (!Arg->isIntegerConstantExpr(Result, Context)) 1318 return Diag(TheCall->getLocStart(), diag::err_constant_integer_arg_type) 1319 << FDecl->getDeclName() << Arg->getSourceRange(); 1320 1321 return false; 1322} 1323 1324/// SemaBuiltinObjectSize - Handle __builtin_object_size(void *ptr, 1325/// int type). This simply type checks that type is one of the defined 1326/// constants (0-3). 1327// For compatibility check 0-3, llvm only handles 0 and 2. 1328bool Sema::SemaBuiltinObjectSize(CallExpr *TheCall) { 1329 llvm::APSInt Result; 1330 1331 // Check constant-ness first. 1332 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 1333 return true; 1334 1335 Expr *Arg = TheCall->getArg(1); 1336 if (Result.getSExtValue() < 0 || Result.getSExtValue() > 3) { 1337 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 1338 << "0" << "3" << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 1339 } 1340 1341 return false; 1342} 1343 1344/// SemaBuiltinLongjmp - Handle __builtin_longjmp(void *env[5], int val). 1345/// This checks that val is a constant 1. 1346bool Sema::SemaBuiltinLongjmp(CallExpr *TheCall) { 1347 Expr *Arg = TheCall->getArg(1); 1348 llvm::APSInt Result; 1349 1350 // TODO: This is less than ideal. Overload this to take a value. 1351 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 1352 return true; 1353 1354 if (Result != 1) 1355 return Diag(TheCall->getLocStart(), diag::err_builtin_longjmp_invalid_val) 1356 << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 1357 1358 return false; 1359} 1360 1361// Handle i > 1 ? "x" : "y", recursively. 1362bool Sema::SemaCheckStringLiteral(const Expr *E, Expr **Args, 1363 unsigned NumArgs, bool HasVAListArg, 1364 unsigned format_idx, unsigned firstDataArg, 1365 FormatStringType Type, bool inFunctionCall) { 1366 tryAgain: 1367 if (E->isTypeDependent() || E->isValueDependent()) 1368 return false; 1369 1370 E = E->IgnoreParenCasts(); 1371 1372 if (E->isNullPointerConstant(Context, Expr::NPC_ValueDependentIsNotNull)) 1373 // Technically -Wformat-nonliteral does not warn about this case. 1374 // The behavior of printf and friends in this case is implementation 1375 // dependent. Ideally if the format string cannot be null then 1376 // it should have a 'nonnull' attribute in the function prototype. 1377 return true; 1378 1379 switch (E->getStmtClass()) { 1380 case Stmt::BinaryConditionalOperatorClass: 1381 case Stmt::ConditionalOperatorClass: { 1382 const AbstractConditionalOperator *C = cast<AbstractConditionalOperator>(E); 1383 return SemaCheckStringLiteral(C->getTrueExpr(), Args, NumArgs, HasVAListArg, 1384 format_idx, firstDataArg, Type, 1385 inFunctionCall) 1386 && SemaCheckStringLiteral(C->getFalseExpr(), Args, NumArgs, HasVAListArg, 1387 format_idx, firstDataArg, Type, 1388 inFunctionCall); 1389 } 1390 1391 case Stmt::ImplicitCastExprClass: { 1392 E = cast<ImplicitCastExpr>(E)->getSubExpr(); 1393 goto tryAgain; 1394 } 1395 1396 case Stmt::OpaqueValueExprClass: 1397 if (const Expr *src = cast<OpaqueValueExpr>(E)->getSourceExpr()) { 1398 E = src; 1399 goto tryAgain; 1400 } 1401 return false; 1402 1403 case Stmt::PredefinedExprClass: 1404 // While __func__, etc., are technically not string literals, they 1405 // cannot contain format specifiers and thus are not a security 1406 // liability. 1407 return true; 1408 1409 case Stmt::DeclRefExprClass: { 1410 const DeclRefExpr *DR = cast<DeclRefExpr>(E); 1411 1412 // As an exception, do not flag errors for variables binding to 1413 // const string literals. 1414 if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) { 1415 bool isConstant = false; 1416 QualType T = DR->getType(); 1417 1418 if (const ArrayType *AT = Context.getAsArrayType(T)) { 1419 isConstant = AT->getElementType().isConstant(Context); 1420 } else if (const PointerType *PT = T->getAs<PointerType>()) { 1421 isConstant = T.isConstant(Context) && 1422 PT->getPointeeType().isConstant(Context); 1423 } else if (T->isObjCObjectPointerType()) { 1424 // In ObjC, there is usually no "const ObjectPointer" type, 1425 // so don't check if the pointee type is constant. 1426 isConstant = T.isConstant(Context); 1427 } 1428 1429 if (isConstant) { 1430 if (const Expr *Init = VD->getAnyInitializer()) 1431 return SemaCheckStringLiteral(Init, Args, NumArgs, 1432 HasVAListArg, format_idx, firstDataArg, 1433 Type, /*inFunctionCall*/false); 1434 } 1435 1436 // For vprintf* functions (i.e., HasVAListArg==true), we add a 1437 // special check to see if the format string is a function parameter 1438 // of the function calling the printf function. If the function 1439 // has an attribute indicating it is a printf-like function, then we 1440 // should suppress warnings concerning non-literals being used in a call 1441 // to a vprintf function. For example: 1442 // 1443 // void 1444 // logmessage(char const *fmt __attribute__ (format (printf, 1, 2)), ...){ 1445 // va_list ap; 1446 // va_start(ap, fmt); 1447 // vprintf(fmt, ap); // Do NOT emit a warning about "fmt". 1448 // ... 1449 // 1450 if (HasVAListArg) { 1451 if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(VD)) { 1452 if (const NamedDecl *ND = dyn_cast<NamedDecl>(PV->getDeclContext())) { 1453 int PVIndex = PV->getFunctionScopeIndex() + 1; 1454 for (specific_attr_iterator<FormatAttr> 1455 i = ND->specific_attr_begin<FormatAttr>(), 1456 e = ND->specific_attr_end<FormatAttr>(); i != e ; ++i) { 1457 FormatAttr *PVFormat = *i; 1458 // adjust for implicit parameter 1459 if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(ND)) 1460 if (MD->isInstance()) 1461 ++PVIndex; 1462 // We also check if the formats are compatible. 1463 // We can't pass a 'scanf' string to a 'printf' function. 1464 if (PVIndex == PVFormat->getFormatIdx() && 1465 Type == GetFormatStringType(PVFormat)) 1466 return true; 1467 } 1468 } 1469 } 1470 } 1471 } 1472 1473 return false; 1474 } 1475 1476 case Stmt::CallExprClass: 1477 case Stmt::CXXMemberCallExprClass: { 1478 const CallExpr *CE = cast<CallExpr>(E); 1479 if (const NamedDecl *ND = dyn_cast_or_null<NamedDecl>(CE->getCalleeDecl())) { 1480 if (const FormatArgAttr *FA = ND->getAttr<FormatArgAttr>()) { 1481 unsigned ArgIndex = FA->getFormatIdx(); 1482 if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(ND)) 1483 if (MD->isInstance()) 1484 --ArgIndex; 1485 const Expr *Arg = CE->getArg(ArgIndex - 1); 1486 1487 return SemaCheckStringLiteral(Arg, Args, NumArgs, HasVAListArg, 1488 format_idx, firstDataArg, Type, 1489 inFunctionCall); 1490 } 1491 } 1492 1493 return false; 1494 } 1495 case Stmt::ObjCStringLiteralClass: 1496 case Stmt::StringLiteralClass: { 1497 const StringLiteral *StrE = NULL; 1498 1499 if (const ObjCStringLiteral *ObjCFExpr = dyn_cast<ObjCStringLiteral>(E)) 1500 StrE = ObjCFExpr->getString(); 1501 else 1502 StrE = cast<StringLiteral>(E); 1503 1504 if (StrE) { 1505 CheckFormatString(StrE, E, Args, NumArgs, HasVAListArg, format_idx, 1506 firstDataArg, Type, inFunctionCall); 1507 return true; 1508 } 1509 1510 return false; 1511 } 1512 1513 default: 1514 return false; 1515 } 1516} 1517 1518void 1519Sema::CheckNonNullArguments(const NonNullAttr *NonNull, 1520 const Expr * const *ExprArgs, 1521 SourceLocation CallSiteLoc) { 1522 for (NonNullAttr::args_iterator i = NonNull->args_begin(), 1523 e = NonNull->args_end(); 1524 i != e; ++i) { 1525 const Expr *ArgExpr = ExprArgs[*i]; 1526 if (ArgExpr->isNullPointerConstant(Context, 1527 Expr::NPC_ValueDependentIsNotNull)) 1528 Diag(CallSiteLoc, diag::warn_null_arg) << ArgExpr->getSourceRange(); 1529 } 1530} 1531 1532Sema::FormatStringType Sema::GetFormatStringType(const FormatAttr *Format) { 1533 return llvm::StringSwitch<FormatStringType>(Format->getType()) 1534 .Case("scanf", FST_Scanf) 1535 .Cases("printf", "printf0", FST_Printf) 1536 .Cases("NSString", "CFString", FST_NSString) 1537 .Case("strftime", FST_Strftime) 1538 .Case("strfmon", FST_Strfmon) 1539 .Cases("kprintf", "cmn_err", "vcmn_err", "zcmn_err", FST_Kprintf) 1540 .Default(FST_Unknown); 1541} 1542 1543/// CheckPrintfScanfArguments - Check calls to printf and scanf (and similar 1544/// functions) for correct use of format strings. 1545void Sema::CheckFormatArguments(const FormatAttr *Format, CallExpr *TheCall) { 1546 bool IsCXXMember = false; 1547 // The way the format attribute works in GCC, the implicit this argument 1548 // of member functions is counted. However, it doesn't appear in our own 1549 // lists, so decrement format_idx in that case. 1550 IsCXXMember = isa<CXXMemberCallExpr>(TheCall); 1551 CheckFormatArguments(Format, TheCall->getArgs(), TheCall->getNumArgs(), 1552 IsCXXMember, TheCall->getRParenLoc(), 1553 TheCall->getCallee()->getSourceRange()); 1554} 1555 1556void Sema::CheckFormatArguments(const FormatAttr *Format, Expr **Args, 1557 unsigned NumArgs, bool IsCXXMember, 1558 SourceLocation Loc, SourceRange Range) { 1559 bool HasVAListArg = Format->getFirstArg() == 0; 1560 unsigned format_idx = Format->getFormatIdx() - 1; 1561 unsigned firstDataArg = HasVAListArg ? 0 : Format->getFirstArg() - 1; 1562 if (IsCXXMember) { 1563 if (format_idx == 0) 1564 return; 1565 --format_idx; 1566 if(firstDataArg != 0) 1567 --firstDataArg; 1568 } 1569 CheckFormatArguments(Args, NumArgs, HasVAListArg, format_idx, 1570 firstDataArg, GetFormatStringType(Format), Loc, Range); 1571} 1572 1573void Sema::CheckFormatArguments(Expr **Args, unsigned NumArgs, 1574 bool HasVAListArg, unsigned format_idx, 1575 unsigned firstDataArg, FormatStringType Type, 1576 SourceLocation Loc, SourceRange Range) { 1577 // CHECK: printf/scanf-like function is called with no format string. 1578 if (format_idx >= NumArgs) { 1579 Diag(Loc, diag::warn_missing_format_string) << Range; 1580 return; 1581 } 1582 1583 const Expr *OrigFormatExpr = Args[format_idx]->IgnoreParenCasts(); 1584 1585 // CHECK: format string is not a string literal. 1586 // 1587 // Dynamically generated format strings are difficult to 1588 // automatically vet at compile time. Requiring that format strings 1589 // are string literals: (1) permits the checking of format strings by 1590 // the compiler and thereby (2) can practically remove the source of 1591 // many format string exploits. 1592 1593 // Format string can be either ObjC string (e.g. @"%d") or 1594 // C string (e.g. "%d") 1595 // ObjC string uses the same format specifiers as C string, so we can use 1596 // the same format string checking logic for both ObjC and C strings. 1597 if (SemaCheckStringLiteral(OrigFormatExpr, Args, NumArgs, HasVAListArg, 1598 format_idx, firstDataArg, Type)) 1599 return; // Literal format string found, check done! 1600 1601 // Strftime is particular as it always uses a single 'time' argument, 1602 // so it is safe to pass a non-literal string. 1603 if (Type == FST_Strftime) 1604 return; 1605 1606 // Do not emit diag when the string param is a macro expansion and the 1607 // format is either NSString or CFString. This is a hack to prevent 1608 // diag when using the NSLocalizedString and CFCopyLocalizedString macros 1609 // which are usually used in place of NS and CF string literals. 1610 if (Type == FST_NSString && Args[format_idx]->getLocStart().isMacroID()) 1611 return; 1612 1613 // If there are no arguments specified, warn with -Wformat-security, otherwise 1614 // warn only with -Wformat-nonliteral. 1615 if (NumArgs == format_idx+1) 1616 Diag(Args[format_idx]->getLocStart(), 1617 diag::warn_format_nonliteral_noargs) 1618 << OrigFormatExpr->getSourceRange(); 1619 else 1620 Diag(Args[format_idx]->getLocStart(), 1621 diag::warn_format_nonliteral) 1622 << OrigFormatExpr->getSourceRange(); 1623} 1624 1625namespace { 1626class CheckFormatHandler : public analyze_format_string::FormatStringHandler { 1627protected: 1628 Sema &S; 1629 const StringLiteral *FExpr; 1630 const Expr *OrigFormatExpr; 1631 const unsigned FirstDataArg; 1632 const unsigned NumDataArgs; 1633 const bool IsObjCLiteral; 1634 const char *Beg; // Start of format string. 1635 const bool HasVAListArg; 1636 const Expr * const *Args; 1637 const unsigned NumArgs; 1638 unsigned FormatIdx; 1639 llvm::BitVector CoveredArgs; 1640 bool usesPositionalArgs; 1641 bool atFirstArg; 1642 bool inFunctionCall; 1643public: 1644 CheckFormatHandler(Sema &s, const StringLiteral *fexpr, 1645 const Expr *origFormatExpr, unsigned firstDataArg, 1646 unsigned numDataArgs, bool isObjCLiteral, 1647 const char *beg, bool hasVAListArg, 1648 Expr **args, unsigned numArgs, 1649 unsigned formatIdx, bool inFunctionCall) 1650 : S(s), FExpr(fexpr), OrigFormatExpr(origFormatExpr), 1651 FirstDataArg(firstDataArg), 1652 NumDataArgs(numDataArgs), 1653 IsObjCLiteral(isObjCLiteral), Beg(beg), 1654 HasVAListArg(hasVAListArg), 1655 Args(args), NumArgs(numArgs), FormatIdx(formatIdx), 1656 usesPositionalArgs(false), atFirstArg(true), 1657 inFunctionCall(inFunctionCall) { 1658 CoveredArgs.resize(numDataArgs); 1659 CoveredArgs.reset(); 1660 } 1661 1662 void DoneProcessing(); 1663 1664 void HandleIncompleteSpecifier(const char *startSpecifier, 1665 unsigned specifierLen); 1666 1667 void HandleNonStandardLengthModifier( 1668 const analyze_format_string::LengthModifier &LM, 1669 const char *startSpecifier, unsigned specifierLen); 1670 1671 void HandleNonStandardConversionSpecifier( 1672 const analyze_format_string::ConversionSpecifier &CS, 1673 const char *startSpecifier, unsigned specifierLen); 1674 1675 void HandleNonStandardConversionSpecification( 1676 const analyze_format_string::LengthModifier &LM, 1677 const analyze_format_string::ConversionSpecifier &CS, 1678 const char *startSpecifier, unsigned specifierLen); 1679 1680 virtual void HandlePosition(const char *startPos, unsigned posLen); 1681 1682 virtual void HandleInvalidPosition(const char *startSpecifier, 1683 unsigned specifierLen, 1684 analyze_format_string::PositionContext p); 1685 1686 virtual void HandleZeroPosition(const char *startPos, unsigned posLen); 1687 1688 void HandleNullChar(const char *nullCharacter); 1689 1690 template <typename Range> 1691 static void EmitFormatDiagnostic(Sema &S, bool inFunctionCall, 1692 const Expr *ArgumentExpr, 1693 PartialDiagnostic PDiag, 1694 SourceLocation StringLoc, 1695 bool IsStringLocation, Range StringRange, 1696 FixItHint Fixit = FixItHint()); 1697 1698protected: 1699 bool HandleInvalidConversionSpecifier(unsigned argIndex, SourceLocation Loc, 1700 const char *startSpec, 1701 unsigned specifierLen, 1702 const char *csStart, unsigned csLen); 1703 1704 void HandlePositionalNonpositionalArgs(SourceLocation Loc, 1705 const char *startSpec, 1706 unsigned specifierLen); 1707 1708 SourceRange getFormatStringRange(); 1709 CharSourceRange getSpecifierRange(const char *startSpecifier, 1710 unsigned specifierLen); 1711 SourceLocation getLocationOfByte(const char *x); 1712 1713 const Expr *getDataArg(unsigned i) const; 1714 1715 bool CheckNumArgs(const analyze_format_string::FormatSpecifier &FS, 1716 const analyze_format_string::ConversionSpecifier &CS, 1717 const char *startSpecifier, unsigned specifierLen, 1718 unsigned argIndex); 1719 1720 template <typename Range> 1721 void EmitFormatDiagnostic(PartialDiagnostic PDiag, SourceLocation StringLoc, 1722 bool IsStringLocation, Range StringRange, 1723 FixItHint Fixit = FixItHint()); 1724 1725 void CheckPositionalAndNonpositionalArgs( 1726 const analyze_format_string::FormatSpecifier *FS); 1727}; 1728} 1729 1730SourceRange CheckFormatHandler::getFormatStringRange() { 1731 return OrigFormatExpr->getSourceRange(); 1732} 1733 1734CharSourceRange CheckFormatHandler:: 1735getSpecifierRange(const char *startSpecifier, unsigned specifierLen) { 1736 SourceLocation Start = getLocationOfByte(startSpecifier); 1737 SourceLocation End = getLocationOfByte(startSpecifier + specifierLen - 1); 1738 1739 // Advance the end SourceLocation by one due to half-open ranges. 1740 End = End.getLocWithOffset(1); 1741 1742 return CharSourceRange::getCharRange(Start, End); 1743} 1744 1745SourceLocation CheckFormatHandler::getLocationOfByte(const char *x) { 1746 return S.getLocationOfStringLiteralByte(FExpr, x - Beg); 1747} 1748 1749void CheckFormatHandler::HandleIncompleteSpecifier(const char *startSpecifier, 1750 unsigned specifierLen){ 1751 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_incomplete_specifier), 1752 getLocationOfByte(startSpecifier), 1753 /*IsStringLocation*/true, 1754 getSpecifierRange(startSpecifier, specifierLen)); 1755} 1756 1757void CheckFormatHandler::HandleNonStandardLengthModifier( 1758 const analyze_format_string::LengthModifier &LM, 1759 const char *startSpecifier, unsigned specifierLen) { 1760 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) << LM.toString() 1761 << 0, 1762 getLocationOfByte(LM.getStart()), 1763 /*IsStringLocation*/true, 1764 getSpecifierRange(startSpecifier, specifierLen)); 1765} 1766 1767void CheckFormatHandler::HandleNonStandardConversionSpecifier( 1768 const analyze_format_string::ConversionSpecifier &CS, 1769 const char *startSpecifier, unsigned specifierLen) { 1770 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) << CS.toString() 1771 << 1, 1772 getLocationOfByte(CS.getStart()), 1773 /*IsStringLocation*/true, 1774 getSpecifierRange(startSpecifier, specifierLen)); 1775} 1776 1777void CheckFormatHandler::HandleNonStandardConversionSpecification( 1778 const analyze_format_string::LengthModifier &LM, 1779 const analyze_format_string::ConversionSpecifier &CS, 1780 const char *startSpecifier, unsigned specifierLen) { 1781 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard_conversion_spec) 1782 << LM.toString() << CS.toString(), 1783 getLocationOfByte(LM.getStart()), 1784 /*IsStringLocation*/true, 1785 getSpecifierRange(startSpecifier, specifierLen)); 1786} 1787 1788void CheckFormatHandler::HandlePosition(const char *startPos, 1789 unsigned posLen) { 1790 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard_positional_arg), 1791 getLocationOfByte(startPos), 1792 /*IsStringLocation*/true, 1793 getSpecifierRange(startPos, posLen)); 1794} 1795 1796void 1797CheckFormatHandler::HandleInvalidPosition(const char *startPos, unsigned posLen, 1798 analyze_format_string::PositionContext p) { 1799 EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_positional_specifier) 1800 << (unsigned) p, 1801 getLocationOfByte(startPos), /*IsStringLocation*/true, 1802 getSpecifierRange(startPos, posLen)); 1803} 1804 1805void CheckFormatHandler::HandleZeroPosition(const char *startPos, 1806 unsigned posLen) { 1807 EmitFormatDiagnostic(S.PDiag(diag::warn_format_zero_positional_specifier), 1808 getLocationOfByte(startPos), 1809 /*IsStringLocation*/true, 1810 getSpecifierRange(startPos, posLen)); 1811} 1812 1813void CheckFormatHandler::HandleNullChar(const char *nullCharacter) { 1814 if (!IsObjCLiteral) { 1815 // The presence of a null character is likely an error. 1816 EmitFormatDiagnostic( 1817 S.PDiag(diag::warn_printf_format_string_contains_null_char), 1818 getLocationOfByte(nullCharacter), /*IsStringLocation*/true, 1819 getFormatStringRange()); 1820 } 1821} 1822 1823const Expr *CheckFormatHandler::getDataArg(unsigned i) const { 1824 return Args[FirstDataArg + i]; 1825} 1826 1827void CheckFormatHandler::DoneProcessing() { 1828 // Does the number of data arguments exceed the number of 1829 // format conversions in the format string? 1830 if (!HasVAListArg) { 1831 // Find any arguments that weren't covered. 1832 CoveredArgs.flip(); 1833 signed notCoveredArg = CoveredArgs.find_first(); 1834 if (notCoveredArg >= 0) { 1835 assert((unsigned)notCoveredArg < NumDataArgs); 1836 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_data_arg_not_used), 1837 getDataArg((unsigned) notCoveredArg)->getLocStart(), 1838 /*IsStringLocation*/false, getFormatStringRange()); 1839 } 1840 } 1841} 1842 1843bool 1844CheckFormatHandler::HandleInvalidConversionSpecifier(unsigned argIndex, 1845 SourceLocation Loc, 1846 const char *startSpec, 1847 unsigned specifierLen, 1848 const char *csStart, 1849 unsigned csLen) { 1850 1851 bool keepGoing = true; 1852 if (argIndex < NumDataArgs) { 1853 // Consider the argument coverered, even though the specifier doesn't 1854 // make sense. 1855 CoveredArgs.set(argIndex); 1856 } 1857 else { 1858 // If argIndex exceeds the number of data arguments we 1859 // don't issue a warning because that is just a cascade of warnings (and 1860 // they may have intended '%%' anyway). We don't want to continue processing 1861 // the format string after this point, however, as we will like just get 1862 // gibberish when trying to match arguments. 1863 keepGoing = false; 1864 } 1865 1866 EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_conversion) 1867 << StringRef(csStart, csLen), 1868 Loc, /*IsStringLocation*/true, 1869 getSpecifierRange(startSpec, specifierLen)); 1870 1871 return keepGoing; 1872} 1873 1874void 1875CheckFormatHandler::HandlePositionalNonpositionalArgs(SourceLocation Loc, 1876 const char *startSpec, 1877 unsigned specifierLen) { 1878 EmitFormatDiagnostic( 1879 S.PDiag(diag::warn_format_mix_positional_nonpositional_args), 1880 Loc, /*isStringLoc*/true, getSpecifierRange(startSpec, specifierLen)); 1881} 1882 1883bool 1884CheckFormatHandler::CheckNumArgs( 1885 const analyze_format_string::FormatSpecifier &FS, 1886 const analyze_format_string::ConversionSpecifier &CS, 1887 const char *startSpecifier, unsigned specifierLen, unsigned argIndex) { 1888 1889 if (argIndex >= NumDataArgs) { 1890 PartialDiagnostic PDiag = FS.usesPositionalArg() 1891 ? (S.PDiag(diag::warn_printf_positional_arg_exceeds_data_args) 1892 << (argIndex+1) << NumDataArgs) 1893 : S.PDiag(diag::warn_printf_insufficient_data_args); 1894 EmitFormatDiagnostic( 1895 PDiag, getLocationOfByte(CS.getStart()), /*IsStringLocation*/true, 1896 getSpecifierRange(startSpecifier, specifierLen)); 1897 return false; 1898 } 1899 return true; 1900} 1901 1902template<typename Range> 1903void CheckFormatHandler::EmitFormatDiagnostic(PartialDiagnostic PDiag, 1904 SourceLocation Loc, 1905 bool IsStringLocation, 1906 Range StringRange, 1907 FixItHint FixIt) { 1908 EmitFormatDiagnostic(S, inFunctionCall, Args[FormatIdx], PDiag, 1909 Loc, IsStringLocation, StringRange, FixIt); 1910} 1911 1912/// \brief If the format string is not within the funcion call, emit a note 1913/// so that the function call and string are in diagnostic messages. 1914/// 1915/// \param inFunctionCall if true, the format string is within the function 1916/// call and only one diagnostic message will be produced. Otherwise, an 1917/// extra note will be emitted pointing to location of the format string. 1918/// 1919/// \param ArgumentExpr the expression that is passed as the format string 1920/// argument in the function call. Used for getting locations when two 1921/// diagnostics are emitted. 1922/// 1923/// \param PDiag the callee should already have provided any strings for the 1924/// diagnostic message. This function only adds locations and fixits 1925/// to diagnostics. 1926/// 1927/// \param Loc primary location for diagnostic. If two diagnostics are 1928/// required, one will be at Loc and a new SourceLocation will be created for 1929/// the other one. 1930/// 1931/// \param IsStringLocation if true, Loc points to the format string should be 1932/// used for the note. Otherwise, Loc points to the argument list and will 1933/// be used with PDiag. 1934/// 1935/// \param StringRange some or all of the string to highlight. This is 1936/// templated so it can accept either a CharSourceRange or a SourceRange. 1937/// 1938/// \param Fixit optional fix it hint for the format string. 1939template<typename Range> 1940void CheckFormatHandler::EmitFormatDiagnostic(Sema &S, bool InFunctionCall, 1941 const Expr *ArgumentExpr, 1942 PartialDiagnostic PDiag, 1943 SourceLocation Loc, 1944 bool IsStringLocation, 1945 Range StringRange, 1946 FixItHint FixIt) { 1947 if (InFunctionCall) 1948 S.Diag(Loc, PDiag) << StringRange << FixIt; 1949 else { 1950 S.Diag(IsStringLocation ? ArgumentExpr->getExprLoc() : Loc, PDiag) 1951 << ArgumentExpr->getSourceRange(); 1952 S.Diag(IsStringLocation ? Loc : StringRange.getBegin(), 1953 diag::note_format_string_defined) 1954 << StringRange << FixIt; 1955 } 1956} 1957 1958//===--- CHECK: Printf format string checking ------------------------------===// 1959 1960namespace { 1961class CheckPrintfHandler : public CheckFormatHandler { 1962public: 1963 CheckPrintfHandler(Sema &s, const StringLiteral *fexpr, 1964 const Expr *origFormatExpr, unsigned firstDataArg, 1965 unsigned numDataArgs, bool isObjCLiteral, 1966 const char *beg, bool hasVAListArg, 1967 Expr **Args, unsigned NumArgs, 1968 unsigned formatIdx, bool inFunctionCall) 1969 : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg, 1970 numDataArgs, isObjCLiteral, beg, hasVAListArg, 1971 Args, NumArgs, formatIdx, inFunctionCall) {} 1972 1973 1974 bool HandleInvalidPrintfConversionSpecifier( 1975 const analyze_printf::PrintfSpecifier &FS, 1976 const char *startSpecifier, 1977 unsigned specifierLen); 1978 1979 bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS, 1980 const char *startSpecifier, 1981 unsigned specifierLen); 1982 1983 bool HandleAmount(const analyze_format_string::OptionalAmount &Amt, unsigned k, 1984 const char *startSpecifier, unsigned specifierLen); 1985 void HandleInvalidAmount(const analyze_printf::PrintfSpecifier &FS, 1986 const analyze_printf::OptionalAmount &Amt, 1987 unsigned type, 1988 const char *startSpecifier, unsigned specifierLen); 1989 void HandleFlag(const analyze_printf::PrintfSpecifier &FS, 1990 const analyze_printf::OptionalFlag &flag, 1991 const char *startSpecifier, unsigned specifierLen); 1992 void HandleIgnoredFlag(const analyze_printf::PrintfSpecifier &FS, 1993 const analyze_printf::OptionalFlag &ignoredFlag, 1994 const analyze_printf::OptionalFlag &flag, 1995 const char *startSpecifier, unsigned specifierLen); 1996}; 1997} 1998 1999bool CheckPrintfHandler::HandleInvalidPrintfConversionSpecifier( 2000 const analyze_printf::PrintfSpecifier &FS, 2001 const char *startSpecifier, 2002 unsigned specifierLen) { 2003 const analyze_printf::PrintfConversionSpecifier &CS = 2004 FS.getConversionSpecifier(); 2005 2006 return HandleInvalidConversionSpecifier(FS.getArgIndex(), 2007 getLocationOfByte(CS.getStart()), 2008 startSpecifier, specifierLen, 2009 CS.getStart(), CS.getLength()); 2010} 2011 2012bool CheckPrintfHandler::HandleAmount( 2013 const analyze_format_string::OptionalAmount &Amt, 2014 unsigned k, const char *startSpecifier, 2015 unsigned specifierLen) { 2016 2017 if (Amt.hasDataArgument()) { 2018 if (!HasVAListArg) { 2019 unsigned argIndex = Amt.getArgIndex(); 2020 if (argIndex >= NumDataArgs) { 2021 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_missing_arg) 2022 << k, 2023 getLocationOfByte(Amt.getStart()), 2024 /*IsStringLocation*/true, 2025 getSpecifierRange(startSpecifier, specifierLen)); 2026 // Don't do any more checking. We will just emit 2027 // spurious errors. 2028 return false; 2029 } 2030 2031 // Type check the data argument. It should be an 'int'. 2032 // Although not in conformance with C99, we also allow the argument to be 2033 // an 'unsigned int' as that is a reasonably safe case. GCC also 2034 // doesn't emit a warning for that case. 2035 CoveredArgs.set(argIndex); 2036 const Expr *Arg = getDataArg(argIndex); 2037 QualType T = Arg->getType(); 2038 2039 const analyze_printf::ArgTypeResult &ATR = Amt.getArgType(S.Context); 2040 assert(ATR.isValid()); 2041 2042 if (!ATR.matchesType(S.Context, T)) { 2043 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_wrong_type) 2044 << k << ATR.getRepresentativeTypeName(S.Context) 2045 << T << Arg->getSourceRange(), 2046 getLocationOfByte(Amt.getStart()), 2047 /*IsStringLocation*/true, 2048 getSpecifierRange(startSpecifier, specifierLen)); 2049 // Don't do any more checking. We will just emit 2050 // spurious errors. 2051 return false; 2052 } 2053 } 2054 } 2055 return true; 2056} 2057 2058void CheckPrintfHandler::HandleInvalidAmount( 2059 const analyze_printf::PrintfSpecifier &FS, 2060 const analyze_printf::OptionalAmount &Amt, 2061 unsigned type, 2062 const char *startSpecifier, 2063 unsigned specifierLen) { 2064 const analyze_printf::PrintfConversionSpecifier &CS = 2065 FS.getConversionSpecifier(); 2066 2067 FixItHint fixit = 2068 Amt.getHowSpecified() == analyze_printf::OptionalAmount::Constant 2069 ? FixItHint::CreateRemoval(getSpecifierRange(Amt.getStart(), 2070 Amt.getConstantLength())) 2071 : FixItHint(); 2072 2073 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_optional_amount) 2074 << type << CS.toString(), 2075 getLocationOfByte(Amt.getStart()), 2076 /*IsStringLocation*/true, 2077 getSpecifierRange(startSpecifier, specifierLen), 2078 fixit); 2079} 2080 2081void CheckPrintfHandler::HandleFlag(const analyze_printf::PrintfSpecifier &FS, 2082 const analyze_printf::OptionalFlag &flag, 2083 const char *startSpecifier, 2084 unsigned specifierLen) { 2085 // Warn about pointless flag with a fixit removal. 2086 const analyze_printf::PrintfConversionSpecifier &CS = 2087 FS.getConversionSpecifier(); 2088 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_flag) 2089 << flag.toString() << CS.toString(), 2090 getLocationOfByte(flag.getPosition()), 2091 /*IsStringLocation*/true, 2092 getSpecifierRange(startSpecifier, specifierLen), 2093 FixItHint::CreateRemoval( 2094 getSpecifierRange(flag.getPosition(), 1))); 2095} 2096 2097void CheckPrintfHandler::HandleIgnoredFlag( 2098 const analyze_printf::PrintfSpecifier &FS, 2099 const analyze_printf::OptionalFlag &ignoredFlag, 2100 const analyze_printf::OptionalFlag &flag, 2101 const char *startSpecifier, 2102 unsigned specifierLen) { 2103 // Warn about ignored flag with a fixit removal. 2104 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_ignored_flag) 2105 << ignoredFlag.toString() << flag.toString(), 2106 getLocationOfByte(ignoredFlag.getPosition()), 2107 /*IsStringLocation*/true, 2108 getSpecifierRange(startSpecifier, specifierLen), 2109 FixItHint::CreateRemoval( 2110 getSpecifierRange(ignoredFlag.getPosition(), 1))); 2111} 2112 2113bool 2114CheckPrintfHandler::HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier 2115 &FS, 2116 const char *startSpecifier, 2117 unsigned specifierLen) { 2118 2119 using namespace analyze_format_string; 2120 using namespace analyze_printf; 2121 const PrintfConversionSpecifier &CS = FS.getConversionSpecifier(); 2122 2123 if (FS.consumesDataArgument()) { 2124 if (atFirstArg) { 2125 atFirstArg = false; 2126 usesPositionalArgs = FS.usesPositionalArg(); 2127 } 2128 else if (usesPositionalArgs != FS.usesPositionalArg()) { 2129 HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()), 2130 startSpecifier, specifierLen); 2131 return false; 2132 } 2133 } 2134 2135 // First check if the field width, precision, and conversion specifier 2136 // have matching data arguments. 2137 if (!HandleAmount(FS.getFieldWidth(), /* field width */ 0, 2138 startSpecifier, specifierLen)) { 2139 return false; 2140 } 2141 2142 if (!HandleAmount(FS.getPrecision(), /* precision */ 1, 2143 startSpecifier, specifierLen)) { 2144 return false; 2145 } 2146 2147 if (!CS.consumesDataArgument()) { 2148 // FIXME: Technically specifying a precision or field width here 2149 // makes no sense. Worth issuing a warning at some point. 2150 return true; 2151 } 2152 2153 // Consume the argument. 2154 unsigned argIndex = FS.getArgIndex(); 2155 if (argIndex < NumDataArgs) { 2156 // The check to see if the argIndex is valid will come later. 2157 // We set the bit here because we may exit early from this 2158 // function if we encounter some other error. 2159 CoveredArgs.set(argIndex); 2160 } 2161 2162 // Check for using an Objective-C specific conversion specifier 2163 // in a non-ObjC literal. 2164 if (!IsObjCLiteral && CS.isObjCArg()) { 2165 return HandleInvalidPrintfConversionSpecifier(FS, startSpecifier, 2166 specifierLen); 2167 } 2168 2169 // Check for invalid use of field width 2170 if (!FS.hasValidFieldWidth()) { 2171 HandleInvalidAmount(FS, FS.getFieldWidth(), /* field width */ 0, 2172 startSpecifier, specifierLen); 2173 } 2174 2175 // Check for invalid use of precision 2176 if (!FS.hasValidPrecision()) { 2177 HandleInvalidAmount(FS, FS.getPrecision(), /* precision */ 1, 2178 startSpecifier, specifierLen); 2179 } 2180 2181 // Check each flag does not conflict with any other component. 2182 if (!FS.hasValidThousandsGroupingPrefix()) 2183 HandleFlag(FS, FS.hasThousandsGrouping(), startSpecifier, specifierLen); 2184 if (!FS.hasValidLeadingZeros()) 2185 HandleFlag(FS, FS.hasLeadingZeros(), startSpecifier, specifierLen); 2186 if (!FS.hasValidPlusPrefix()) 2187 HandleFlag(FS, FS.hasPlusPrefix(), startSpecifier, specifierLen); 2188 if (!FS.hasValidSpacePrefix()) 2189 HandleFlag(FS, FS.hasSpacePrefix(), startSpecifier, specifierLen); 2190 if (!FS.hasValidAlternativeForm()) 2191 HandleFlag(FS, FS.hasAlternativeForm(), startSpecifier, specifierLen); 2192 if (!FS.hasValidLeftJustified()) 2193 HandleFlag(FS, FS.isLeftJustified(), startSpecifier, specifierLen); 2194 2195 // Check that flags are not ignored by another flag 2196 if (FS.hasSpacePrefix() && FS.hasPlusPrefix()) // ' ' ignored by '+' 2197 HandleIgnoredFlag(FS, FS.hasSpacePrefix(), FS.hasPlusPrefix(), 2198 startSpecifier, specifierLen); 2199 if (FS.hasLeadingZeros() && FS.isLeftJustified()) // '0' ignored by '-' 2200 HandleIgnoredFlag(FS, FS.hasLeadingZeros(), FS.isLeftJustified(), 2201 startSpecifier, specifierLen); 2202 2203 // Check the length modifier is valid with the given conversion specifier. 2204 const LengthModifier &LM = FS.getLengthModifier(); 2205 if (!FS.hasValidLengthModifier()) 2206 EmitFormatDiagnostic(S.PDiag(diag::warn_format_nonsensical_length) 2207 << LM.toString() << CS.toString(), 2208 getLocationOfByte(LM.getStart()), 2209 /*IsStringLocation*/true, 2210 getSpecifierRange(startSpecifier, specifierLen), 2211 FixItHint::CreateRemoval( 2212 getSpecifierRange(LM.getStart(), 2213 LM.getLength()))); 2214 if (!FS.hasStandardLengthModifier()) 2215 HandleNonStandardLengthModifier(LM, startSpecifier, specifierLen); 2216 if (!FS.hasStandardConversionSpecifier(S.getLangOpts())) 2217 HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen); 2218 if (!FS.hasStandardLengthConversionCombination()) 2219 HandleNonStandardConversionSpecification(LM, CS, startSpecifier, 2220 specifierLen); 2221 2222 // Are we using '%n'? 2223 if (CS.getKind() == ConversionSpecifier::nArg) { 2224 // Issue a warning about this being a possible security issue. 2225 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_write_back), 2226 getLocationOfByte(CS.getStart()), 2227 /*IsStringLocation*/true, 2228 getSpecifierRange(startSpecifier, specifierLen)); 2229 // Continue checking the other format specifiers. 2230 return true; 2231 } 2232 2233 // The remaining checks depend on the data arguments. 2234 if (HasVAListArg) 2235 return true; 2236 2237 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex)) 2238 return false; 2239 2240 // Now type check the data expression that matches the 2241 // format specifier. 2242 const Expr *Ex = getDataArg(argIndex); 2243 const analyze_printf::ArgTypeResult &ATR = FS.getArgType(S.Context, 2244 IsObjCLiteral); 2245 if (ATR.isValid() && !ATR.matchesType(S.Context, Ex->getType())) { 2246 // Check if we didn't match because of an implicit cast from a 'char' 2247 // or 'short' to an 'int'. This is done because printf is a varargs 2248 // function. 2249 if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Ex)) 2250 if (ICE->getType() == S.Context.IntTy) { 2251 // All further checking is done on the subexpression. 2252 Ex = ICE->getSubExpr(); 2253 if (ATR.matchesType(S.Context, Ex->getType())) 2254 return true; 2255 } 2256 2257 // We may be able to offer a FixItHint if it is a supported type. 2258 PrintfSpecifier fixedFS = FS; 2259 bool success = fixedFS.fixType(Ex->getType(), S.getLangOpts(), 2260 S.Context, IsObjCLiteral); 2261 2262 if (success) { 2263 // Get the fix string from the fixed format specifier 2264 SmallString<128> buf; 2265 llvm::raw_svector_ostream os(buf); 2266 fixedFS.toString(os); 2267 2268 EmitFormatDiagnostic( 2269 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 2270 << ATR.getRepresentativeTypeName(S.Context) << Ex->getType() 2271 << Ex->getSourceRange(), 2272 getLocationOfByte(CS.getStart()), 2273 /*IsStringLocation*/true, 2274 getSpecifierRange(startSpecifier, specifierLen), 2275 FixItHint::CreateReplacement( 2276 getSpecifierRange(startSpecifier, specifierLen), 2277 os.str())); 2278 } 2279 else { 2280 EmitFormatDiagnostic( 2281 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 2282 << ATR.getRepresentativeTypeName(S.Context) << Ex->getType() 2283 << getSpecifierRange(startSpecifier, specifierLen) 2284 << Ex->getSourceRange(), 2285 getLocationOfByte(CS.getStart()), 2286 true, 2287 getSpecifierRange(startSpecifier, specifierLen)); 2288 } 2289 } 2290 2291 return true; 2292} 2293 2294//===--- CHECK: Scanf format string checking ------------------------------===// 2295 2296namespace { 2297class CheckScanfHandler : public CheckFormatHandler { 2298public: 2299 CheckScanfHandler(Sema &s, const StringLiteral *fexpr, 2300 const Expr *origFormatExpr, unsigned firstDataArg, 2301 unsigned numDataArgs, bool isObjCLiteral, 2302 const char *beg, bool hasVAListArg, 2303 Expr **Args, unsigned NumArgs, 2304 unsigned formatIdx, bool inFunctionCall) 2305 : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg, 2306 numDataArgs, isObjCLiteral, beg, hasVAListArg, 2307 Args, NumArgs, formatIdx, inFunctionCall) {} 2308 2309 bool HandleScanfSpecifier(const analyze_scanf::ScanfSpecifier &FS, 2310 const char *startSpecifier, 2311 unsigned specifierLen); 2312 2313 bool HandleInvalidScanfConversionSpecifier( 2314 const analyze_scanf::ScanfSpecifier &FS, 2315 const char *startSpecifier, 2316 unsigned specifierLen); 2317 2318 void HandleIncompleteScanList(const char *start, const char *end); 2319}; 2320} 2321 2322void CheckScanfHandler::HandleIncompleteScanList(const char *start, 2323 const char *end) { 2324 EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_scanlist_incomplete), 2325 getLocationOfByte(end), /*IsStringLocation*/true, 2326 getSpecifierRange(start, end - start)); 2327} 2328 2329bool CheckScanfHandler::HandleInvalidScanfConversionSpecifier( 2330 const analyze_scanf::ScanfSpecifier &FS, 2331 const char *startSpecifier, 2332 unsigned specifierLen) { 2333 2334 const analyze_scanf::ScanfConversionSpecifier &CS = 2335 FS.getConversionSpecifier(); 2336 2337 return HandleInvalidConversionSpecifier(FS.getArgIndex(), 2338 getLocationOfByte(CS.getStart()), 2339 startSpecifier, specifierLen, 2340 CS.getStart(), CS.getLength()); 2341} 2342 2343bool CheckScanfHandler::HandleScanfSpecifier( 2344 const analyze_scanf::ScanfSpecifier &FS, 2345 const char *startSpecifier, 2346 unsigned specifierLen) { 2347 2348 using namespace analyze_scanf; 2349 using namespace analyze_format_string; 2350 2351 const ScanfConversionSpecifier &CS = FS.getConversionSpecifier(); 2352 2353 // Handle case where '%' and '*' don't consume an argument. These shouldn't 2354 // be used to decide if we are using positional arguments consistently. 2355 if (FS.consumesDataArgument()) { 2356 if (atFirstArg) { 2357 atFirstArg = false; 2358 usesPositionalArgs = FS.usesPositionalArg(); 2359 } 2360 else if (usesPositionalArgs != FS.usesPositionalArg()) { 2361 HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()), 2362 startSpecifier, specifierLen); 2363 return false; 2364 } 2365 } 2366 2367 // Check if the field with is non-zero. 2368 const OptionalAmount &Amt = FS.getFieldWidth(); 2369 if (Amt.getHowSpecified() == OptionalAmount::Constant) { 2370 if (Amt.getConstantAmount() == 0) { 2371 const CharSourceRange &R = getSpecifierRange(Amt.getStart(), 2372 Amt.getConstantLength()); 2373 EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_nonzero_width), 2374 getLocationOfByte(Amt.getStart()), 2375 /*IsStringLocation*/true, R, 2376 FixItHint::CreateRemoval(R)); 2377 } 2378 } 2379 2380 if (!FS.consumesDataArgument()) { 2381 // FIXME: Technically specifying a precision or field width here 2382 // makes no sense. Worth issuing a warning at some point. 2383 return true; 2384 } 2385 2386 // Consume the argument. 2387 unsigned argIndex = FS.getArgIndex(); 2388 if (argIndex < NumDataArgs) { 2389 // The check to see if the argIndex is valid will come later. 2390 // We set the bit here because we may exit early from this 2391 // function if we encounter some other error. 2392 CoveredArgs.set(argIndex); 2393 } 2394 2395 // Check the length modifier is valid with the given conversion specifier. 2396 const LengthModifier &LM = FS.getLengthModifier(); 2397 if (!FS.hasValidLengthModifier()) { 2398 const CharSourceRange &R = getSpecifierRange(LM.getStart(), LM.getLength()); 2399 EmitFormatDiagnostic(S.PDiag(diag::warn_format_nonsensical_length) 2400 << LM.toString() << CS.toString() 2401 << getSpecifierRange(startSpecifier, specifierLen), 2402 getLocationOfByte(LM.getStart()), 2403 /*IsStringLocation*/true, R, 2404 FixItHint::CreateRemoval(R)); 2405 } 2406 2407 if (!FS.hasStandardLengthModifier()) 2408 HandleNonStandardLengthModifier(LM, startSpecifier, specifierLen); 2409 if (!FS.hasStandardConversionSpecifier(S.getLangOpts())) 2410 HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen); 2411 if (!FS.hasStandardLengthConversionCombination()) 2412 HandleNonStandardConversionSpecification(LM, CS, startSpecifier, 2413 specifierLen); 2414 2415 // The remaining checks depend on the data arguments. 2416 if (HasVAListArg) 2417 return true; 2418 2419 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex)) 2420 return false; 2421 2422 // Check that the argument type matches the format specifier. 2423 const Expr *Ex = getDataArg(argIndex); 2424 const analyze_scanf::ScanfArgTypeResult &ATR = FS.getArgType(S.Context); 2425 if (ATR.isValid() && !ATR.matchesType(S.Context, Ex->getType())) { 2426 ScanfSpecifier fixedFS = FS; 2427 bool success = fixedFS.fixType(Ex->getType(), S.getLangOpts(), 2428 S.Context); 2429 2430 if (success) { 2431 // Get the fix string from the fixed format specifier. 2432 SmallString<128> buf; 2433 llvm::raw_svector_ostream os(buf); 2434 fixedFS.toString(os); 2435 2436 EmitFormatDiagnostic( 2437 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 2438 << ATR.getRepresentativeTypeName(S.Context) << Ex->getType() 2439 << Ex->getSourceRange(), 2440 getLocationOfByte(CS.getStart()), 2441 /*IsStringLocation*/true, 2442 getSpecifierRange(startSpecifier, specifierLen), 2443 FixItHint::CreateReplacement( 2444 getSpecifierRange(startSpecifier, specifierLen), 2445 os.str())); 2446 } else { 2447 EmitFormatDiagnostic( 2448 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 2449 << ATR.getRepresentativeTypeName(S.Context) << Ex->getType() 2450 << Ex->getSourceRange(), 2451 getLocationOfByte(CS.getStart()), 2452 /*IsStringLocation*/true, 2453 getSpecifierRange(startSpecifier, specifierLen)); 2454 } 2455 } 2456 2457 return true; 2458} 2459 2460void Sema::CheckFormatString(const StringLiteral *FExpr, 2461 const Expr *OrigFormatExpr, 2462 Expr **Args, unsigned NumArgs, 2463 bool HasVAListArg, unsigned format_idx, 2464 unsigned firstDataArg, FormatStringType Type, 2465 bool inFunctionCall) { 2466 2467 // CHECK: is the format string a wide literal? 2468 if (!FExpr->isAscii()) { 2469 CheckFormatHandler::EmitFormatDiagnostic( 2470 *this, inFunctionCall, Args[format_idx], 2471 PDiag(diag::warn_format_string_is_wide_literal), FExpr->getLocStart(), 2472 /*IsStringLocation*/true, OrigFormatExpr->getSourceRange()); 2473 return; 2474 } 2475 2476 // Str - The format string. NOTE: this is NOT null-terminated! 2477 StringRef StrRef = FExpr->getString(); 2478 const char *Str = StrRef.data(); 2479 unsigned StrLen = StrRef.size(); 2480 const unsigned numDataArgs = NumArgs - firstDataArg; 2481 2482 // CHECK: empty format string? 2483 if (StrLen == 0 && numDataArgs > 0) { 2484 CheckFormatHandler::EmitFormatDiagnostic( 2485 *this, inFunctionCall, Args[format_idx], 2486 PDiag(diag::warn_empty_format_string), FExpr->getLocStart(), 2487 /*IsStringLocation*/true, OrigFormatExpr->getSourceRange()); 2488 return; 2489 } 2490 2491 if (Type == FST_Printf || Type == FST_NSString) { 2492 CheckPrintfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, 2493 numDataArgs, isa<ObjCStringLiteral>(OrigFormatExpr), 2494 Str, HasVAListArg, Args, NumArgs, format_idx, 2495 inFunctionCall); 2496 2497 if (!analyze_format_string::ParsePrintfString(H, Str, Str + StrLen, 2498 getLangOpts())) 2499 H.DoneProcessing(); 2500 } else if (Type == FST_Scanf) { 2501 CheckScanfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, 2502 numDataArgs, isa<ObjCStringLiteral>(OrigFormatExpr), 2503 Str, HasVAListArg, Args, NumArgs, format_idx, 2504 inFunctionCall); 2505 2506 if (!analyze_format_string::ParseScanfString(H, Str, Str + StrLen, 2507 getLangOpts())) 2508 H.DoneProcessing(); 2509 } // TODO: handle other formats 2510} 2511 2512//===--- CHECK: Standard memory functions ---------------------------------===// 2513 2514/// \brief Determine whether the given type is a dynamic class type (e.g., 2515/// whether it has a vtable). 2516static bool isDynamicClassType(QualType T) { 2517 if (CXXRecordDecl *Record = T->getAsCXXRecordDecl()) 2518 if (CXXRecordDecl *Definition = Record->getDefinition()) 2519 if (Definition->isDynamicClass()) 2520 return true; 2521 2522 return false; 2523} 2524 2525/// \brief If E is a sizeof expression, returns its argument expression, 2526/// otherwise returns NULL. 2527static const Expr *getSizeOfExprArg(const Expr* E) { 2528 if (const UnaryExprOrTypeTraitExpr *SizeOf = 2529 dyn_cast<UnaryExprOrTypeTraitExpr>(E)) 2530 if (SizeOf->getKind() == clang::UETT_SizeOf && !SizeOf->isArgumentType()) 2531 return SizeOf->getArgumentExpr()->IgnoreParenImpCasts(); 2532 2533 return 0; 2534} 2535 2536/// \brief If E is a sizeof expression, returns its argument type. 2537static QualType getSizeOfArgType(const Expr* E) { 2538 if (const UnaryExprOrTypeTraitExpr *SizeOf = 2539 dyn_cast<UnaryExprOrTypeTraitExpr>(E)) 2540 if (SizeOf->getKind() == clang::UETT_SizeOf) 2541 return SizeOf->getTypeOfArgument(); 2542 2543 return QualType(); 2544} 2545 2546/// \brief Check for dangerous or invalid arguments to memset(). 2547/// 2548/// This issues warnings on known problematic, dangerous or unspecified 2549/// arguments to the standard 'memset', 'memcpy', 'memmove', and 'memcmp' 2550/// function calls. 2551/// 2552/// \param Call The call expression to diagnose. 2553void Sema::CheckMemaccessArguments(const CallExpr *Call, 2554 unsigned BId, 2555 IdentifierInfo *FnName) { 2556 assert(BId != 0); 2557 2558 // It is possible to have a non-standard definition of memset. Validate 2559 // we have enough arguments, and if not, abort further checking. 2560 unsigned ExpectedNumArgs = (BId == Builtin::BIstrndup ? 2 : 3); 2561 if (Call->getNumArgs() < ExpectedNumArgs) 2562 return; 2563 2564 unsigned LastArg = (BId == Builtin::BImemset || 2565 BId == Builtin::BIstrndup ? 1 : 2); 2566 unsigned LenArg = (BId == Builtin::BIstrndup ? 1 : 2); 2567 const Expr *LenExpr = Call->getArg(LenArg)->IgnoreParenImpCasts(); 2568 2569 // We have special checking when the length is a sizeof expression. 2570 QualType SizeOfArgTy = getSizeOfArgType(LenExpr); 2571 const Expr *SizeOfArg = getSizeOfExprArg(LenExpr); 2572 llvm::FoldingSetNodeID SizeOfArgID; 2573 2574 for (unsigned ArgIdx = 0; ArgIdx != LastArg; ++ArgIdx) { 2575 const Expr *Dest = Call->getArg(ArgIdx)->IgnoreParenImpCasts(); 2576 SourceRange ArgRange = Call->getArg(ArgIdx)->getSourceRange(); 2577 2578 QualType DestTy = Dest->getType(); 2579 if (const PointerType *DestPtrTy = DestTy->getAs<PointerType>()) { 2580 QualType PointeeTy = DestPtrTy->getPointeeType(); 2581 2582 // Never warn about void type pointers. This can be used to suppress 2583 // false positives. 2584 if (PointeeTy->isVoidType()) 2585 continue; 2586 2587 // Catch "memset(p, 0, sizeof(p))" -- needs to be sizeof(*p). Do this by 2588 // actually comparing the expressions for equality. Because computing the 2589 // expression IDs can be expensive, we only do this if the diagnostic is 2590 // enabled. 2591 if (SizeOfArg && 2592 Diags.getDiagnosticLevel(diag::warn_sizeof_pointer_expr_memaccess, 2593 SizeOfArg->getExprLoc())) { 2594 // We only compute IDs for expressions if the warning is enabled, and 2595 // cache the sizeof arg's ID. 2596 if (SizeOfArgID == llvm::FoldingSetNodeID()) 2597 SizeOfArg->Profile(SizeOfArgID, Context, true); 2598 llvm::FoldingSetNodeID DestID; 2599 Dest->Profile(DestID, Context, true); 2600 if (DestID == SizeOfArgID) { 2601 // TODO: For strncpy() and friends, this could suggest sizeof(dst) 2602 // over sizeof(src) as well. 2603 unsigned ActionIdx = 0; // Default is to suggest dereferencing. 2604 if (const UnaryOperator *UnaryOp = dyn_cast<UnaryOperator>(Dest)) 2605 if (UnaryOp->getOpcode() == UO_AddrOf) 2606 ActionIdx = 1; // If its an address-of operator, just remove it. 2607 if (Context.getTypeSize(PointeeTy) == Context.getCharWidth()) 2608 ActionIdx = 2; // If the pointee's size is sizeof(char), 2609 // suggest an explicit length. 2610 unsigned DestSrcSelect = 2611 (BId == Builtin::BIstrndup ? 1 : ArgIdx); 2612 DiagRuntimeBehavior(SizeOfArg->getExprLoc(), Dest, 2613 PDiag(diag::warn_sizeof_pointer_expr_memaccess) 2614 << FnName << DestSrcSelect << ActionIdx 2615 << Dest->getSourceRange() 2616 << SizeOfArg->getSourceRange()); 2617 break; 2618 } 2619 } 2620 2621 // Also check for cases where the sizeof argument is the exact same 2622 // type as the memory argument, and where it points to a user-defined 2623 // record type. 2624 if (SizeOfArgTy != QualType()) { 2625 if (PointeeTy->isRecordType() && 2626 Context.typesAreCompatible(SizeOfArgTy, DestTy)) { 2627 DiagRuntimeBehavior(LenExpr->getExprLoc(), Dest, 2628 PDiag(diag::warn_sizeof_pointer_type_memaccess) 2629 << FnName << SizeOfArgTy << ArgIdx 2630 << PointeeTy << Dest->getSourceRange() 2631 << LenExpr->getSourceRange()); 2632 break; 2633 } 2634 } 2635 2636 // Always complain about dynamic classes. 2637 if (isDynamicClassType(PointeeTy)) { 2638 2639 unsigned OperationType = 0; 2640 // "overwritten" if we're warning about the destination for any call 2641 // but memcmp; otherwise a verb appropriate to the call. 2642 if (ArgIdx != 0 || BId == Builtin::BImemcmp) { 2643 if (BId == Builtin::BImemcpy) 2644 OperationType = 1; 2645 else if(BId == Builtin::BImemmove) 2646 OperationType = 2; 2647 else if (BId == Builtin::BImemcmp) 2648 OperationType = 3; 2649 } 2650 2651 DiagRuntimeBehavior( 2652 Dest->getExprLoc(), Dest, 2653 PDiag(diag::warn_dyn_class_memaccess) 2654 << (BId == Builtin::BImemcmp ? ArgIdx + 2 : ArgIdx) 2655 << FnName << PointeeTy 2656 << OperationType 2657 << Call->getCallee()->getSourceRange()); 2658 } else if (PointeeTy.hasNonTrivialObjCLifetime() && 2659 BId != Builtin::BImemset) 2660 DiagRuntimeBehavior( 2661 Dest->getExprLoc(), Dest, 2662 PDiag(diag::warn_arc_object_memaccess) 2663 << ArgIdx << FnName << PointeeTy 2664 << Call->getCallee()->getSourceRange()); 2665 else 2666 continue; 2667 2668 DiagRuntimeBehavior( 2669 Dest->getExprLoc(), Dest, 2670 PDiag(diag::note_bad_memaccess_silence) 2671 << FixItHint::CreateInsertion(ArgRange.getBegin(), "(void*)")); 2672 break; 2673 } 2674 } 2675} 2676 2677// A little helper routine: ignore addition and subtraction of integer literals. 2678// This intentionally does not ignore all integer constant expressions because 2679// we don't want to remove sizeof(). 2680static const Expr *ignoreLiteralAdditions(const Expr *Ex, ASTContext &Ctx) { 2681 Ex = Ex->IgnoreParenCasts(); 2682 2683 for (;;) { 2684 const BinaryOperator * BO = dyn_cast<BinaryOperator>(Ex); 2685 if (!BO || !BO->isAdditiveOp()) 2686 break; 2687 2688 const Expr *RHS = BO->getRHS()->IgnoreParenCasts(); 2689 const Expr *LHS = BO->getLHS()->IgnoreParenCasts(); 2690 2691 if (isa<IntegerLiteral>(RHS)) 2692 Ex = LHS; 2693 else if (isa<IntegerLiteral>(LHS)) 2694 Ex = RHS; 2695 else 2696 break; 2697 } 2698 2699 return Ex; 2700} 2701 2702// Warn if the user has made the 'size' argument to strlcpy or strlcat 2703// be the size of the source, instead of the destination. 2704void Sema::CheckStrlcpycatArguments(const CallExpr *Call, 2705 IdentifierInfo *FnName) { 2706 2707 // Don't crash if the user has the wrong number of arguments 2708 if (Call->getNumArgs() != 3) 2709 return; 2710 2711 const Expr *SrcArg = ignoreLiteralAdditions(Call->getArg(1), Context); 2712 const Expr *SizeArg = ignoreLiteralAdditions(Call->getArg(2), Context); 2713 const Expr *CompareWithSrc = NULL; 2714 2715 // Look for 'strlcpy(dst, x, sizeof(x))' 2716 if (const Expr *Ex = getSizeOfExprArg(SizeArg)) 2717 CompareWithSrc = Ex; 2718 else { 2719 // Look for 'strlcpy(dst, x, strlen(x))' 2720 if (const CallExpr *SizeCall = dyn_cast<CallExpr>(SizeArg)) { 2721 if (SizeCall->isBuiltinCall() == Builtin::BIstrlen 2722 && SizeCall->getNumArgs() == 1) 2723 CompareWithSrc = ignoreLiteralAdditions(SizeCall->getArg(0), Context); 2724 } 2725 } 2726 2727 if (!CompareWithSrc) 2728 return; 2729 2730 // Determine if the argument to sizeof/strlen is equal to the source 2731 // argument. In principle there's all kinds of things you could do 2732 // here, for instance creating an == expression and evaluating it with 2733 // EvaluateAsBooleanCondition, but this uses a more direct technique: 2734 const DeclRefExpr *SrcArgDRE = dyn_cast<DeclRefExpr>(SrcArg); 2735 if (!SrcArgDRE) 2736 return; 2737 2738 const DeclRefExpr *CompareWithSrcDRE = dyn_cast<DeclRefExpr>(CompareWithSrc); 2739 if (!CompareWithSrcDRE || 2740 SrcArgDRE->getDecl() != CompareWithSrcDRE->getDecl()) 2741 return; 2742 2743 const Expr *OriginalSizeArg = Call->getArg(2); 2744 Diag(CompareWithSrcDRE->getLocStart(), diag::warn_strlcpycat_wrong_size) 2745 << OriginalSizeArg->getSourceRange() << FnName; 2746 2747 // Output a FIXIT hint if the destination is an array (rather than a 2748 // pointer to an array). This could be enhanced to handle some 2749 // pointers if we know the actual size, like if DstArg is 'array+2' 2750 // we could say 'sizeof(array)-2'. 2751 const Expr *DstArg = Call->getArg(0)->IgnoreParenImpCasts(); 2752 QualType DstArgTy = DstArg->getType(); 2753 2754 // Only handle constant-sized or VLAs, but not flexible members. 2755 if (const ConstantArrayType *CAT = Context.getAsConstantArrayType(DstArgTy)) { 2756 // Only issue the FIXIT for arrays of size > 1. 2757 if (CAT->getSize().getSExtValue() <= 1) 2758 return; 2759 } else if (!DstArgTy->isVariableArrayType()) { 2760 return; 2761 } 2762 2763 SmallString<128> sizeString; 2764 llvm::raw_svector_ostream OS(sizeString); 2765 OS << "sizeof("; 2766 DstArg->printPretty(OS, Context, 0, getPrintingPolicy()); 2767 OS << ")"; 2768 2769 Diag(OriginalSizeArg->getLocStart(), diag::note_strlcpycat_wrong_size) 2770 << FixItHint::CreateReplacement(OriginalSizeArg->getSourceRange(), 2771 OS.str()); 2772} 2773 2774/// Check if two expressions refer to the same declaration. 2775static bool referToTheSameDecl(const Expr *E1, const Expr *E2) { 2776 if (const DeclRefExpr *D1 = dyn_cast_or_null<DeclRefExpr>(E1)) 2777 if (const DeclRefExpr *D2 = dyn_cast_or_null<DeclRefExpr>(E2)) 2778 return D1->getDecl() == D2->getDecl(); 2779 return false; 2780} 2781 2782static const Expr *getStrlenExprArg(const Expr *E) { 2783 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { 2784 const FunctionDecl *FD = CE->getDirectCallee(); 2785 if (!FD || FD->getMemoryFunctionKind() != Builtin::BIstrlen) 2786 return 0; 2787 return CE->getArg(0)->IgnoreParenCasts(); 2788 } 2789 return 0; 2790} 2791 2792// Warn on anti-patterns as the 'size' argument to strncat. 2793// The correct size argument should look like following: 2794// strncat(dst, src, sizeof(dst) - strlen(dest) - 1); 2795void Sema::CheckStrncatArguments(const CallExpr *CE, 2796 IdentifierInfo *FnName) { 2797 // Don't crash if the user has the wrong number of arguments. 2798 if (CE->getNumArgs() < 3) 2799 return; 2800 const Expr *DstArg = CE->getArg(0)->IgnoreParenCasts(); 2801 const Expr *SrcArg = CE->getArg(1)->IgnoreParenCasts(); 2802 const Expr *LenArg = CE->getArg(2)->IgnoreParenCasts(); 2803 2804 // Identify common expressions, which are wrongly used as the size argument 2805 // to strncat and may lead to buffer overflows. 2806 unsigned PatternType = 0; 2807 if (const Expr *SizeOfArg = getSizeOfExprArg(LenArg)) { 2808 // - sizeof(dst) 2809 if (referToTheSameDecl(SizeOfArg, DstArg)) 2810 PatternType = 1; 2811 // - sizeof(src) 2812 else if (referToTheSameDecl(SizeOfArg, SrcArg)) 2813 PatternType = 2; 2814 } else if (const BinaryOperator *BE = dyn_cast<BinaryOperator>(LenArg)) { 2815 if (BE->getOpcode() == BO_Sub) { 2816 const Expr *L = BE->getLHS()->IgnoreParenCasts(); 2817 const Expr *R = BE->getRHS()->IgnoreParenCasts(); 2818 // - sizeof(dst) - strlen(dst) 2819 if (referToTheSameDecl(DstArg, getSizeOfExprArg(L)) && 2820 referToTheSameDecl(DstArg, getStrlenExprArg(R))) 2821 PatternType = 1; 2822 // - sizeof(src) - (anything) 2823 else if (referToTheSameDecl(SrcArg, getSizeOfExprArg(L))) 2824 PatternType = 2; 2825 } 2826 } 2827 2828 if (PatternType == 0) 2829 return; 2830 2831 // Generate the diagnostic. 2832 SourceLocation SL = LenArg->getLocStart(); 2833 SourceRange SR = LenArg->getSourceRange(); 2834 SourceManager &SM = PP.getSourceManager(); 2835 2836 // If the function is defined as a builtin macro, do not show macro expansion. 2837 if (SM.isMacroArgExpansion(SL)) { 2838 SL = SM.getSpellingLoc(SL); 2839 SR = SourceRange(SM.getSpellingLoc(SR.getBegin()), 2840 SM.getSpellingLoc(SR.getEnd())); 2841 } 2842 2843 if (PatternType == 1) 2844 Diag(SL, diag::warn_strncat_large_size) << SR; 2845 else 2846 Diag(SL, diag::warn_strncat_src_size) << SR; 2847 2848 // Output a FIXIT hint if the destination is an array (rather than a 2849 // pointer to an array). This could be enhanced to handle some 2850 // pointers if we know the actual size, like if DstArg is 'array+2' 2851 // we could say 'sizeof(array)-2'. 2852 QualType DstArgTy = DstArg->getType(); 2853 2854 // Only handle constant-sized or VLAs, but not flexible members. 2855 if (const ConstantArrayType *CAT = Context.getAsConstantArrayType(DstArgTy)) { 2856 // Only issue the FIXIT for arrays of size > 1. 2857 if (CAT->getSize().getSExtValue() <= 1) 2858 return; 2859 } else if (!DstArgTy->isVariableArrayType()) { 2860 return; 2861 } 2862 2863 SmallString<128> sizeString; 2864 llvm::raw_svector_ostream OS(sizeString); 2865 OS << "sizeof("; 2866 DstArg->printPretty(OS, Context, 0, getPrintingPolicy()); 2867 OS << ") - "; 2868 OS << "strlen("; 2869 DstArg->printPretty(OS, Context, 0, getPrintingPolicy()); 2870 OS << ") - 1"; 2871 2872 Diag(SL, diag::note_strncat_wrong_size) 2873 << FixItHint::CreateReplacement(SR, OS.str()); 2874} 2875 2876//===--- CHECK: Return Address of Stack Variable --------------------------===// 2877 2878static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars); 2879static Expr *EvalAddr(Expr* E, SmallVectorImpl<DeclRefExpr *> &refVars); 2880 2881/// CheckReturnStackAddr - Check if a return statement returns the address 2882/// of a stack variable. 2883void 2884Sema::CheckReturnStackAddr(Expr *RetValExp, QualType lhsType, 2885 SourceLocation ReturnLoc) { 2886 2887 Expr *stackE = 0; 2888 SmallVector<DeclRefExpr *, 8> refVars; 2889 2890 // Perform checking for returned stack addresses, local blocks, 2891 // label addresses or references to temporaries. 2892 if (lhsType->isPointerType() || 2893 (!getLangOpts().ObjCAutoRefCount && lhsType->isBlockPointerType())) { 2894 stackE = EvalAddr(RetValExp, refVars); 2895 } else if (lhsType->isReferenceType()) { 2896 stackE = EvalVal(RetValExp, refVars); 2897 } 2898 2899 if (stackE == 0) 2900 return; // Nothing suspicious was found. 2901 2902 SourceLocation diagLoc; 2903 SourceRange diagRange; 2904 if (refVars.empty()) { 2905 diagLoc = stackE->getLocStart(); 2906 diagRange = stackE->getSourceRange(); 2907 } else { 2908 // We followed through a reference variable. 'stackE' contains the 2909 // problematic expression but we will warn at the return statement pointing 2910 // at the reference variable. We will later display the "trail" of 2911 // reference variables using notes. 2912 diagLoc = refVars[0]->getLocStart(); 2913 diagRange = refVars[0]->getSourceRange(); 2914 } 2915 2916 if (DeclRefExpr *DR = dyn_cast<DeclRefExpr>(stackE)) { //address of local var. 2917 Diag(diagLoc, lhsType->isReferenceType() ? diag::warn_ret_stack_ref 2918 : diag::warn_ret_stack_addr) 2919 << DR->getDecl()->getDeclName() << diagRange; 2920 } else if (isa<BlockExpr>(stackE)) { // local block. 2921 Diag(diagLoc, diag::err_ret_local_block) << diagRange; 2922 } else if (isa<AddrLabelExpr>(stackE)) { // address of label. 2923 Diag(diagLoc, diag::warn_ret_addr_label) << diagRange; 2924 } else { // local temporary. 2925 Diag(diagLoc, lhsType->isReferenceType() ? diag::warn_ret_local_temp_ref 2926 : diag::warn_ret_local_temp_addr) 2927 << diagRange; 2928 } 2929 2930 // Display the "trail" of reference variables that we followed until we 2931 // found the problematic expression using notes. 2932 for (unsigned i = 0, e = refVars.size(); i != e; ++i) { 2933 VarDecl *VD = cast<VarDecl>(refVars[i]->getDecl()); 2934 // If this var binds to another reference var, show the range of the next 2935 // var, otherwise the var binds to the problematic expression, in which case 2936 // show the range of the expression. 2937 SourceRange range = (i < e-1) ? refVars[i+1]->getSourceRange() 2938 : stackE->getSourceRange(); 2939 Diag(VD->getLocation(), diag::note_ref_var_local_bind) 2940 << VD->getDeclName() << range; 2941 } 2942} 2943 2944/// EvalAddr - EvalAddr and EvalVal are mutually recursive functions that 2945/// check if the expression in a return statement evaluates to an address 2946/// to a location on the stack, a local block, an address of a label, or a 2947/// reference to local temporary. The recursion is used to traverse the 2948/// AST of the return expression, with recursion backtracking when we 2949/// encounter a subexpression that (1) clearly does not lead to one of the 2950/// above problematic expressions (2) is something we cannot determine leads to 2951/// a problematic expression based on such local checking. 2952/// 2953/// Both EvalAddr and EvalVal follow through reference variables to evaluate 2954/// the expression that they point to. Such variables are added to the 2955/// 'refVars' vector so that we know what the reference variable "trail" was. 2956/// 2957/// EvalAddr processes expressions that are pointers that are used as 2958/// references (and not L-values). EvalVal handles all other values. 2959/// At the base case of the recursion is a check for the above problematic 2960/// expressions. 2961/// 2962/// This implementation handles: 2963/// 2964/// * pointer-to-pointer casts 2965/// * implicit conversions from array references to pointers 2966/// * taking the address of fields 2967/// * arbitrary interplay between "&" and "*" operators 2968/// * pointer arithmetic from an address of a stack variable 2969/// * taking the address of an array element where the array is on the stack 2970static Expr *EvalAddr(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars) { 2971 if (E->isTypeDependent()) 2972 return NULL; 2973 2974 // We should only be called for evaluating pointer expressions. 2975 assert((E->getType()->isAnyPointerType() || 2976 E->getType()->isBlockPointerType() || 2977 E->getType()->isObjCQualifiedIdType()) && 2978 "EvalAddr only works on pointers"); 2979 2980 E = E->IgnoreParens(); 2981 2982 // Our "symbolic interpreter" is just a dispatch off the currently 2983 // viewed AST node. We then recursively traverse the AST by calling 2984 // EvalAddr and EvalVal appropriately. 2985 switch (E->getStmtClass()) { 2986 case Stmt::DeclRefExprClass: { 2987 DeclRefExpr *DR = cast<DeclRefExpr>(E); 2988 2989 if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) 2990 // If this is a reference variable, follow through to the expression that 2991 // it points to. 2992 if (V->hasLocalStorage() && 2993 V->getType()->isReferenceType() && V->hasInit()) { 2994 // Add the reference variable to the "trail". 2995 refVars.push_back(DR); 2996 return EvalAddr(V->getInit(), refVars); 2997 } 2998 2999 return NULL; 3000 } 3001 3002 case Stmt::UnaryOperatorClass: { 3003 // The only unary operator that make sense to handle here 3004 // is AddrOf. All others don't make sense as pointers. 3005 UnaryOperator *U = cast<UnaryOperator>(E); 3006 3007 if (U->getOpcode() == UO_AddrOf) 3008 return EvalVal(U->getSubExpr(), refVars); 3009 else 3010 return NULL; 3011 } 3012 3013 case Stmt::BinaryOperatorClass: { 3014 // Handle pointer arithmetic. All other binary operators are not valid 3015 // in this context. 3016 BinaryOperator *B = cast<BinaryOperator>(E); 3017 BinaryOperatorKind op = B->getOpcode(); 3018 3019 if (op != BO_Add && op != BO_Sub) 3020 return NULL; 3021 3022 Expr *Base = B->getLHS(); 3023 3024 // Determine which argument is the real pointer base. It could be 3025 // the RHS argument instead of the LHS. 3026 if (!Base->getType()->isPointerType()) Base = B->getRHS(); 3027 3028 assert (Base->getType()->isPointerType()); 3029 return EvalAddr(Base, refVars); 3030 } 3031 3032 // For conditional operators we need to see if either the LHS or RHS are 3033 // valid DeclRefExpr*s. If one of them is valid, we return it. 3034 case Stmt::ConditionalOperatorClass: { 3035 ConditionalOperator *C = cast<ConditionalOperator>(E); 3036 3037 // Handle the GNU extension for missing LHS. 3038 if (Expr *lhsExpr = C->getLHS()) { 3039 // In C++, we can have a throw-expression, which has 'void' type. 3040 if (!lhsExpr->getType()->isVoidType()) 3041 if (Expr* LHS = EvalAddr(lhsExpr, refVars)) 3042 return LHS; 3043 } 3044 3045 // In C++, we can have a throw-expression, which has 'void' type. 3046 if (C->getRHS()->getType()->isVoidType()) 3047 return NULL; 3048 3049 return EvalAddr(C->getRHS(), refVars); 3050 } 3051 3052 case Stmt::BlockExprClass: 3053 if (cast<BlockExpr>(E)->getBlockDecl()->hasCaptures()) 3054 return E; // local block. 3055 return NULL; 3056 3057 case Stmt::AddrLabelExprClass: 3058 return E; // address of label. 3059 3060 case Stmt::ExprWithCleanupsClass: 3061 return EvalAddr(cast<ExprWithCleanups>(E)->getSubExpr(), refVars); 3062 3063 // For casts, we need to handle conversions from arrays to 3064 // pointer values, and pointer-to-pointer conversions. 3065 case Stmt::ImplicitCastExprClass: 3066 case Stmt::CStyleCastExprClass: 3067 case Stmt::CXXFunctionalCastExprClass: 3068 case Stmt::ObjCBridgedCastExprClass: 3069 case Stmt::CXXStaticCastExprClass: 3070 case Stmt::CXXDynamicCastExprClass: 3071 case Stmt::CXXConstCastExprClass: 3072 case Stmt::CXXReinterpretCastExprClass: { 3073 Expr* SubExpr = cast<CastExpr>(E)->getSubExpr(); 3074 switch (cast<CastExpr>(E)->getCastKind()) { 3075 case CK_BitCast: 3076 case CK_LValueToRValue: 3077 case CK_NoOp: 3078 case CK_BaseToDerived: 3079 case CK_DerivedToBase: 3080 case CK_UncheckedDerivedToBase: 3081 case CK_Dynamic: 3082 case CK_CPointerToObjCPointerCast: 3083 case CK_BlockPointerToObjCPointerCast: 3084 case CK_AnyPointerToBlockPointerCast: 3085 return EvalAddr(SubExpr, refVars); 3086 3087 case CK_ArrayToPointerDecay: 3088 return EvalVal(SubExpr, refVars); 3089 3090 default: 3091 return 0; 3092 } 3093 } 3094 3095 case Stmt::MaterializeTemporaryExprClass: 3096 if (Expr *Result = EvalAddr( 3097 cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(), 3098 refVars)) 3099 return Result; 3100 3101 return E; 3102 3103 // Everything else: we simply don't reason about them. 3104 default: 3105 return NULL; 3106 } 3107} 3108 3109 3110/// EvalVal - This function is complements EvalAddr in the mutual recursion. 3111/// See the comments for EvalAddr for more details. 3112static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars) { 3113do { 3114 // We should only be called for evaluating non-pointer expressions, or 3115 // expressions with a pointer type that are not used as references but instead 3116 // are l-values (e.g., DeclRefExpr with a pointer type). 3117 3118 // Our "symbolic interpreter" is just a dispatch off the currently 3119 // viewed AST node. We then recursively traverse the AST by calling 3120 // EvalAddr and EvalVal appropriately. 3121 3122 E = E->IgnoreParens(); 3123 switch (E->getStmtClass()) { 3124 case Stmt::ImplicitCastExprClass: { 3125 ImplicitCastExpr *IE = cast<ImplicitCastExpr>(E); 3126 if (IE->getValueKind() == VK_LValue) { 3127 E = IE->getSubExpr(); 3128 continue; 3129 } 3130 return NULL; 3131 } 3132 3133 case Stmt::ExprWithCleanupsClass: 3134 return EvalVal(cast<ExprWithCleanups>(E)->getSubExpr(), refVars); 3135 3136 case Stmt::DeclRefExprClass: { 3137 // When we hit a DeclRefExpr we are looking at code that refers to a 3138 // variable's name. If it's not a reference variable we check if it has 3139 // local storage within the function, and if so, return the expression. 3140 DeclRefExpr *DR = cast<DeclRefExpr>(E); 3141 3142 if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) 3143 if (V->hasLocalStorage()) { 3144 if (!V->getType()->isReferenceType()) 3145 return DR; 3146 3147 // Reference variable, follow through to the expression that 3148 // it points to. 3149 if (V->hasInit()) { 3150 // Add the reference variable to the "trail". 3151 refVars.push_back(DR); 3152 return EvalVal(V->getInit(), refVars); 3153 } 3154 } 3155 3156 return NULL; 3157 } 3158 3159 case Stmt::UnaryOperatorClass: { 3160 // The only unary operator that make sense to handle here 3161 // is Deref. All others don't resolve to a "name." This includes 3162 // handling all sorts of rvalues passed to a unary operator. 3163 UnaryOperator *U = cast<UnaryOperator>(E); 3164 3165 if (U->getOpcode() == UO_Deref) 3166 return EvalAddr(U->getSubExpr(), refVars); 3167 3168 return NULL; 3169 } 3170 3171 case Stmt::ArraySubscriptExprClass: { 3172 // Array subscripts are potential references to data on the stack. We 3173 // retrieve the DeclRefExpr* for the array variable if it indeed 3174 // has local storage. 3175 return EvalAddr(cast<ArraySubscriptExpr>(E)->getBase(), refVars); 3176 } 3177 3178 case Stmt::ConditionalOperatorClass: { 3179 // For conditional operators we need to see if either the LHS or RHS are 3180 // non-NULL Expr's. If one is non-NULL, we return it. 3181 ConditionalOperator *C = cast<ConditionalOperator>(E); 3182 3183 // Handle the GNU extension for missing LHS. 3184 if (Expr *lhsExpr = C->getLHS()) 3185 if (Expr *LHS = EvalVal(lhsExpr, refVars)) 3186 return LHS; 3187 3188 return EvalVal(C->getRHS(), refVars); 3189 } 3190 3191 // Accesses to members are potential references to data on the stack. 3192 case Stmt::MemberExprClass: { 3193 MemberExpr *M = cast<MemberExpr>(E); 3194 3195 // Check for indirect access. We only want direct field accesses. 3196 if (M->isArrow()) 3197 return NULL; 3198 3199 // Check whether the member type is itself a reference, in which case 3200 // we're not going to refer to the member, but to what the member refers to. 3201 if (M->getMemberDecl()->getType()->isReferenceType()) 3202 return NULL; 3203 3204 return EvalVal(M->getBase(), refVars); 3205 } 3206 3207 case Stmt::MaterializeTemporaryExprClass: 3208 if (Expr *Result = EvalVal( 3209 cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(), 3210 refVars)) 3211 return Result; 3212 3213 return E; 3214 3215 default: 3216 // Check that we don't return or take the address of a reference to a 3217 // temporary. This is only useful in C++. 3218 if (!E->isTypeDependent() && E->isRValue()) 3219 return E; 3220 3221 // Everything else: we simply don't reason about them. 3222 return NULL; 3223 } 3224} while (true); 3225} 3226 3227//===--- CHECK: Floating-Point comparisons (-Wfloat-equal) ---------------===// 3228 3229/// Check for comparisons of floating point operands using != and ==. 3230/// Issue a warning if these are no self-comparisons, as they are not likely 3231/// to do what the programmer intended. 3232void Sema::CheckFloatComparison(SourceLocation Loc, Expr* LHS, Expr *RHS) { 3233 bool EmitWarning = true; 3234 3235 Expr* LeftExprSansParen = LHS->IgnoreParenImpCasts(); 3236 Expr* RightExprSansParen = RHS->IgnoreParenImpCasts(); 3237 3238 // Special case: check for x == x (which is OK). 3239 // Do not emit warnings for such cases. 3240 if (DeclRefExpr* DRL = dyn_cast<DeclRefExpr>(LeftExprSansParen)) 3241 if (DeclRefExpr* DRR = dyn_cast<DeclRefExpr>(RightExprSansParen)) 3242 if (DRL->getDecl() == DRR->getDecl()) 3243 EmitWarning = false; 3244 3245 3246 // Special case: check for comparisons against literals that can be exactly 3247 // represented by APFloat. In such cases, do not emit a warning. This 3248 // is a heuristic: often comparison against such literals are used to 3249 // detect if a value in a variable has not changed. This clearly can 3250 // lead to false negatives. 3251 if (EmitWarning) { 3252 if (FloatingLiteral* FLL = dyn_cast<FloatingLiteral>(LeftExprSansParen)) { 3253 if (FLL->isExact()) 3254 EmitWarning = false; 3255 } else 3256 if (FloatingLiteral* FLR = dyn_cast<FloatingLiteral>(RightExprSansParen)){ 3257 if (FLR->isExact()) 3258 EmitWarning = false; 3259 } 3260 } 3261 3262 // Check for comparisons with builtin types. 3263 if (EmitWarning) 3264 if (CallExpr* CL = dyn_cast<CallExpr>(LeftExprSansParen)) 3265 if (CL->isBuiltinCall()) 3266 EmitWarning = false; 3267 3268 if (EmitWarning) 3269 if (CallExpr* CR = dyn_cast<CallExpr>(RightExprSansParen)) 3270 if (CR->isBuiltinCall()) 3271 EmitWarning = false; 3272 3273 // Emit the diagnostic. 3274 if (EmitWarning) 3275 Diag(Loc, diag::warn_floatingpoint_eq) 3276 << LHS->getSourceRange() << RHS->getSourceRange(); 3277} 3278 3279//===--- CHECK: Integer mixed-sign comparisons (-Wsign-compare) --------===// 3280//===--- CHECK: Lossy implicit conversions (-Wconversion) --------------===// 3281 3282namespace { 3283 3284/// Structure recording the 'active' range of an integer-valued 3285/// expression. 3286struct IntRange { 3287 /// The number of bits active in the int. 3288 unsigned Width; 3289 3290 /// True if the int is known not to have negative values. 3291 bool NonNegative; 3292 3293 IntRange(unsigned Width, bool NonNegative) 3294 : Width(Width), NonNegative(NonNegative) 3295 {} 3296 3297 /// Returns the range of the bool type. 3298 static IntRange forBoolType() { 3299 return IntRange(1, true); 3300 } 3301 3302 /// Returns the range of an opaque value of the given integral type. 3303 static IntRange forValueOfType(ASTContext &C, QualType T) { 3304 return forValueOfCanonicalType(C, 3305 T->getCanonicalTypeInternal().getTypePtr()); 3306 } 3307 3308 /// Returns the range of an opaque value of a canonical integral type. 3309 static IntRange forValueOfCanonicalType(ASTContext &C, const Type *T) { 3310 assert(T->isCanonicalUnqualified()); 3311 3312 if (const VectorType *VT = dyn_cast<VectorType>(T)) 3313 T = VT->getElementType().getTypePtr(); 3314 if (const ComplexType *CT = dyn_cast<ComplexType>(T)) 3315 T = CT->getElementType().getTypePtr(); 3316 3317 // For enum types, use the known bit width of the enumerators. 3318 if (const EnumType *ET = dyn_cast<EnumType>(T)) { 3319 EnumDecl *Enum = ET->getDecl(); 3320 if (!Enum->isCompleteDefinition()) 3321 return IntRange(C.getIntWidth(QualType(T, 0)), false); 3322 3323 unsigned NumPositive = Enum->getNumPositiveBits(); 3324 unsigned NumNegative = Enum->getNumNegativeBits(); 3325 3326 return IntRange(std::max(NumPositive, NumNegative), NumNegative == 0); 3327 } 3328 3329 const BuiltinType *BT = cast<BuiltinType>(T); 3330 assert(BT->isInteger()); 3331 3332 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); 3333 } 3334 3335 /// Returns the "target" range of a canonical integral type, i.e. 3336 /// the range of values expressible in the type. 3337 /// 3338 /// This matches forValueOfCanonicalType except that enums have the 3339 /// full range of their type, not the range of their enumerators. 3340 static IntRange forTargetOfCanonicalType(ASTContext &C, const Type *T) { 3341 assert(T->isCanonicalUnqualified()); 3342 3343 if (const VectorType *VT = dyn_cast<VectorType>(T)) 3344 T = VT->getElementType().getTypePtr(); 3345 if (const ComplexType *CT = dyn_cast<ComplexType>(T)) 3346 T = CT->getElementType().getTypePtr(); 3347 if (const EnumType *ET = dyn_cast<EnumType>(T)) 3348 T = C.getCanonicalType(ET->getDecl()->getIntegerType()).getTypePtr(); 3349 3350 const BuiltinType *BT = cast<BuiltinType>(T); 3351 assert(BT->isInteger()); 3352 3353 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); 3354 } 3355 3356 /// Returns the supremum of two ranges: i.e. their conservative merge. 3357 static IntRange join(IntRange L, IntRange R) { 3358 return IntRange(std::max(L.Width, R.Width), 3359 L.NonNegative && R.NonNegative); 3360 } 3361 3362 /// Returns the infinum of two ranges: i.e. their aggressive merge. 3363 static IntRange meet(IntRange L, IntRange R) { 3364 return IntRange(std::min(L.Width, R.Width), 3365 L.NonNegative || R.NonNegative); 3366 } 3367}; 3368 3369static IntRange GetValueRange(ASTContext &C, llvm::APSInt &value, 3370 unsigned MaxWidth) { 3371 if (value.isSigned() && value.isNegative()) 3372 return IntRange(value.getMinSignedBits(), false); 3373 3374 if (value.getBitWidth() > MaxWidth) 3375 value = value.trunc(MaxWidth); 3376 3377 // isNonNegative() just checks the sign bit without considering 3378 // signedness. 3379 return IntRange(value.getActiveBits(), true); 3380} 3381 3382static IntRange GetValueRange(ASTContext &C, APValue &result, QualType Ty, 3383 unsigned MaxWidth) { 3384 if (result.isInt()) 3385 return GetValueRange(C, result.getInt(), MaxWidth); 3386 3387 if (result.isVector()) { 3388 IntRange R = GetValueRange(C, result.getVectorElt(0), Ty, MaxWidth); 3389 for (unsigned i = 1, e = result.getVectorLength(); i != e; ++i) { 3390 IntRange El = GetValueRange(C, result.getVectorElt(i), Ty, MaxWidth); 3391 R = IntRange::join(R, El); 3392 } 3393 return R; 3394 } 3395 3396 if (result.isComplexInt()) { 3397 IntRange R = GetValueRange(C, result.getComplexIntReal(), MaxWidth); 3398 IntRange I = GetValueRange(C, result.getComplexIntImag(), MaxWidth); 3399 return IntRange::join(R, I); 3400 } 3401 3402 // This can happen with lossless casts to intptr_t of "based" lvalues. 3403 // Assume it might use arbitrary bits. 3404 // FIXME: The only reason we need to pass the type in here is to get 3405 // the sign right on this one case. It would be nice if APValue 3406 // preserved this. 3407 assert(result.isLValue() || result.isAddrLabelDiff()); 3408 return IntRange(MaxWidth, Ty->isUnsignedIntegerOrEnumerationType()); 3409} 3410 3411/// Pseudo-evaluate the given integer expression, estimating the 3412/// range of values it might take. 3413/// 3414/// \param MaxWidth - the width to which the value will be truncated 3415static IntRange GetExprRange(ASTContext &C, Expr *E, unsigned MaxWidth) { 3416 E = E->IgnoreParens(); 3417 3418 // Try a full evaluation first. 3419 Expr::EvalResult result; 3420 if (E->EvaluateAsRValue(result, C)) 3421 return GetValueRange(C, result.Val, E->getType(), MaxWidth); 3422 3423 // I think we only want to look through implicit casts here; if the 3424 // user has an explicit widening cast, we should treat the value as 3425 // being of the new, wider type. 3426 if (ImplicitCastExpr *CE = dyn_cast<ImplicitCastExpr>(E)) { 3427 if (CE->getCastKind() == CK_NoOp || CE->getCastKind() == CK_LValueToRValue) 3428 return GetExprRange(C, CE->getSubExpr(), MaxWidth); 3429 3430 IntRange OutputTypeRange = IntRange::forValueOfType(C, CE->getType()); 3431 3432 bool isIntegerCast = (CE->getCastKind() == CK_IntegralCast); 3433 3434 // Assume that non-integer casts can span the full range of the type. 3435 if (!isIntegerCast) 3436 return OutputTypeRange; 3437 3438 IntRange SubRange 3439 = GetExprRange(C, CE->getSubExpr(), 3440 std::min(MaxWidth, OutputTypeRange.Width)); 3441 3442 // Bail out if the subexpr's range is as wide as the cast type. 3443 if (SubRange.Width >= OutputTypeRange.Width) 3444 return OutputTypeRange; 3445 3446 // Otherwise, we take the smaller width, and we're non-negative if 3447 // either the output type or the subexpr is. 3448 return IntRange(SubRange.Width, 3449 SubRange.NonNegative || OutputTypeRange.NonNegative); 3450 } 3451 3452 if (ConditionalOperator *CO = dyn_cast<ConditionalOperator>(E)) { 3453 // If we can fold the condition, just take that operand. 3454 bool CondResult; 3455 if (CO->getCond()->EvaluateAsBooleanCondition(CondResult, C)) 3456 return GetExprRange(C, CondResult ? CO->getTrueExpr() 3457 : CO->getFalseExpr(), 3458 MaxWidth); 3459 3460 // Otherwise, conservatively merge. 3461 IntRange L = GetExprRange(C, CO->getTrueExpr(), MaxWidth); 3462 IntRange R = GetExprRange(C, CO->getFalseExpr(), MaxWidth); 3463 return IntRange::join(L, R); 3464 } 3465 3466 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 3467 switch (BO->getOpcode()) { 3468 3469 // Boolean-valued operations are single-bit and positive. 3470 case BO_LAnd: 3471 case BO_LOr: 3472 case BO_LT: 3473 case BO_GT: 3474 case BO_LE: 3475 case BO_GE: 3476 case BO_EQ: 3477 case BO_NE: 3478 return IntRange::forBoolType(); 3479 3480 // The type of the assignments is the type of the LHS, so the RHS 3481 // is not necessarily the same type. 3482 case BO_MulAssign: 3483 case BO_DivAssign: 3484 case BO_RemAssign: 3485 case BO_AddAssign: 3486 case BO_SubAssign: 3487 case BO_XorAssign: 3488 case BO_OrAssign: 3489 // TODO: bitfields? 3490 return IntRange::forValueOfType(C, E->getType()); 3491 3492 // Simple assignments just pass through the RHS, which will have 3493 // been coerced to the LHS type. 3494 case BO_Assign: 3495 // TODO: bitfields? 3496 return GetExprRange(C, BO->getRHS(), MaxWidth); 3497 3498 // Operations with opaque sources are black-listed. 3499 case BO_PtrMemD: 3500 case BO_PtrMemI: 3501 return IntRange::forValueOfType(C, E->getType()); 3502 3503 // Bitwise-and uses the *infinum* of the two source ranges. 3504 case BO_And: 3505 case BO_AndAssign: 3506 return IntRange::meet(GetExprRange(C, BO->getLHS(), MaxWidth), 3507 GetExprRange(C, BO->getRHS(), MaxWidth)); 3508 3509 // Left shift gets black-listed based on a judgement call. 3510 case BO_Shl: 3511 // ...except that we want to treat '1 << (blah)' as logically 3512 // positive. It's an important idiom. 3513 if (IntegerLiteral *I 3514 = dyn_cast<IntegerLiteral>(BO->getLHS()->IgnoreParenCasts())) { 3515 if (I->getValue() == 1) { 3516 IntRange R = IntRange::forValueOfType(C, E->getType()); 3517 return IntRange(R.Width, /*NonNegative*/ true); 3518 } 3519 } 3520 // fallthrough 3521 3522 case BO_ShlAssign: 3523 return IntRange::forValueOfType(C, E->getType()); 3524 3525 // Right shift by a constant can narrow its left argument. 3526 case BO_Shr: 3527 case BO_ShrAssign: { 3528 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 3529 3530 // If the shift amount is a positive constant, drop the width by 3531 // that much. 3532 llvm::APSInt shift; 3533 if (BO->getRHS()->isIntegerConstantExpr(shift, C) && 3534 shift.isNonNegative()) { 3535 unsigned zext = shift.getZExtValue(); 3536 if (zext >= L.Width) 3537 L.Width = (L.NonNegative ? 0 : 1); 3538 else 3539 L.Width -= zext; 3540 } 3541 3542 return L; 3543 } 3544 3545 // Comma acts as its right operand. 3546 case BO_Comma: 3547 return GetExprRange(C, BO->getRHS(), MaxWidth); 3548 3549 // Black-list pointer subtractions. 3550 case BO_Sub: 3551 if (BO->getLHS()->getType()->isPointerType()) 3552 return IntRange::forValueOfType(C, E->getType()); 3553 break; 3554 3555 // The width of a division result is mostly determined by the size 3556 // of the LHS. 3557 case BO_Div: { 3558 // Don't 'pre-truncate' the operands. 3559 unsigned opWidth = C.getIntWidth(E->getType()); 3560 IntRange L = GetExprRange(C, BO->getLHS(), opWidth); 3561 3562 // If the divisor is constant, use that. 3563 llvm::APSInt divisor; 3564 if (BO->getRHS()->isIntegerConstantExpr(divisor, C)) { 3565 unsigned log2 = divisor.logBase2(); // floor(log_2(divisor)) 3566 if (log2 >= L.Width) 3567 L.Width = (L.NonNegative ? 0 : 1); 3568 else 3569 L.Width = std::min(L.Width - log2, MaxWidth); 3570 return L; 3571 } 3572 3573 // Otherwise, just use the LHS's width. 3574 IntRange R = GetExprRange(C, BO->getRHS(), opWidth); 3575 return IntRange(L.Width, L.NonNegative && R.NonNegative); 3576 } 3577 3578 // The result of a remainder can't be larger than the result of 3579 // either side. 3580 case BO_Rem: { 3581 // Don't 'pre-truncate' the operands. 3582 unsigned opWidth = C.getIntWidth(E->getType()); 3583 IntRange L = GetExprRange(C, BO->getLHS(), opWidth); 3584 IntRange R = GetExprRange(C, BO->getRHS(), opWidth); 3585 3586 IntRange meet = IntRange::meet(L, R); 3587 meet.Width = std::min(meet.Width, MaxWidth); 3588 return meet; 3589 } 3590 3591 // The default behavior is okay for these. 3592 case BO_Mul: 3593 case BO_Add: 3594 case BO_Xor: 3595 case BO_Or: 3596 break; 3597 } 3598 3599 // The default case is to treat the operation as if it were closed 3600 // on the narrowest type that encompasses both operands. 3601 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 3602 IntRange R = GetExprRange(C, BO->getRHS(), MaxWidth); 3603 return IntRange::join(L, R); 3604 } 3605 3606 if (UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) { 3607 switch (UO->getOpcode()) { 3608 // Boolean-valued operations are white-listed. 3609 case UO_LNot: 3610 return IntRange::forBoolType(); 3611 3612 // Operations with opaque sources are black-listed. 3613 case UO_Deref: 3614 case UO_AddrOf: // should be impossible 3615 return IntRange::forValueOfType(C, E->getType()); 3616 3617 default: 3618 return GetExprRange(C, UO->getSubExpr(), MaxWidth); 3619 } 3620 } 3621 3622 if (dyn_cast<OffsetOfExpr>(E)) { 3623 IntRange::forValueOfType(C, E->getType()); 3624 } 3625 3626 if (FieldDecl *BitField = E->getBitField()) 3627 return IntRange(BitField->getBitWidthValue(C), 3628 BitField->getType()->isUnsignedIntegerOrEnumerationType()); 3629 3630 return IntRange::forValueOfType(C, E->getType()); 3631} 3632 3633static IntRange GetExprRange(ASTContext &C, Expr *E) { 3634 return GetExprRange(C, E, C.getIntWidth(E->getType())); 3635} 3636 3637/// Checks whether the given value, which currently has the given 3638/// source semantics, has the same value when coerced through the 3639/// target semantics. 3640static bool IsSameFloatAfterCast(const llvm::APFloat &value, 3641 const llvm::fltSemantics &Src, 3642 const llvm::fltSemantics &Tgt) { 3643 llvm::APFloat truncated = value; 3644 3645 bool ignored; 3646 truncated.convert(Src, llvm::APFloat::rmNearestTiesToEven, &ignored); 3647 truncated.convert(Tgt, llvm::APFloat::rmNearestTiesToEven, &ignored); 3648 3649 return truncated.bitwiseIsEqual(value); 3650} 3651 3652/// Checks whether the given value, which currently has the given 3653/// source semantics, has the same value when coerced through the 3654/// target semantics. 3655/// 3656/// The value might be a vector of floats (or a complex number). 3657static bool IsSameFloatAfterCast(const APValue &value, 3658 const llvm::fltSemantics &Src, 3659 const llvm::fltSemantics &Tgt) { 3660 if (value.isFloat()) 3661 return IsSameFloatAfterCast(value.getFloat(), Src, Tgt); 3662 3663 if (value.isVector()) { 3664 for (unsigned i = 0, e = value.getVectorLength(); i != e; ++i) 3665 if (!IsSameFloatAfterCast(value.getVectorElt(i), Src, Tgt)) 3666 return false; 3667 return true; 3668 } 3669 3670 assert(value.isComplexFloat()); 3671 return (IsSameFloatAfterCast(value.getComplexFloatReal(), Src, Tgt) && 3672 IsSameFloatAfterCast(value.getComplexFloatImag(), Src, Tgt)); 3673} 3674 3675static void AnalyzeImplicitConversions(Sema &S, Expr *E, SourceLocation CC); 3676 3677static bool IsZero(Sema &S, Expr *E) { 3678 // Suppress cases where we are comparing against an enum constant. 3679 if (const DeclRefExpr *DR = 3680 dyn_cast<DeclRefExpr>(E->IgnoreParenImpCasts())) 3681 if (isa<EnumConstantDecl>(DR->getDecl())) 3682 return false; 3683 3684 // Suppress cases where the '0' value is expanded from a macro. 3685 if (E->getLocStart().isMacroID()) 3686 return false; 3687 3688 llvm::APSInt Value; 3689 return E->isIntegerConstantExpr(Value, S.Context) && Value == 0; 3690} 3691 3692static bool HasEnumType(Expr *E) { 3693 // Strip off implicit integral promotions. 3694 while (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) { 3695 if (ICE->getCastKind() != CK_IntegralCast && 3696 ICE->getCastKind() != CK_NoOp) 3697 break; 3698 E = ICE->getSubExpr(); 3699 } 3700 3701 return E->getType()->isEnumeralType(); 3702} 3703 3704static void CheckTrivialUnsignedComparison(Sema &S, BinaryOperator *E) { 3705 BinaryOperatorKind op = E->getOpcode(); 3706 if (E->isValueDependent()) 3707 return; 3708 3709 if (op == BO_LT && IsZero(S, E->getRHS())) { 3710 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 3711 << "< 0" << "false" << HasEnumType(E->getLHS()) 3712 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 3713 } else if (op == BO_GE && IsZero(S, E->getRHS())) { 3714 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 3715 << ">= 0" << "true" << HasEnumType(E->getLHS()) 3716 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 3717 } else if (op == BO_GT && IsZero(S, E->getLHS())) { 3718 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 3719 << "0 >" << "false" << HasEnumType(E->getRHS()) 3720 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 3721 } else if (op == BO_LE && IsZero(S, E->getLHS())) { 3722 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 3723 << "0 <=" << "true" << HasEnumType(E->getRHS()) 3724 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 3725 } 3726} 3727 3728/// Analyze the operands of the given comparison. Implements the 3729/// fallback case from AnalyzeComparison. 3730static void AnalyzeImpConvsInComparison(Sema &S, BinaryOperator *E) { 3731 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc()); 3732 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc()); 3733} 3734 3735/// \brief Implements -Wsign-compare. 3736/// 3737/// \param E the binary operator to check for warnings 3738static void AnalyzeComparison(Sema &S, BinaryOperator *E) { 3739 // The type the comparison is being performed in. 3740 QualType T = E->getLHS()->getType(); 3741 assert(S.Context.hasSameUnqualifiedType(T, E->getRHS()->getType()) 3742 && "comparison with mismatched types"); 3743 3744 // We don't do anything special if this isn't an unsigned integral 3745 // comparison: we're only interested in integral comparisons, and 3746 // signed comparisons only happen in cases we don't care to warn about. 3747 // 3748 // We also don't care about value-dependent expressions or expressions 3749 // whose result is a constant. 3750 if (!T->hasUnsignedIntegerRepresentation() 3751 || E->isValueDependent() || E->isIntegerConstantExpr(S.Context)) 3752 return AnalyzeImpConvsInComparison(S, E); 3753 3754 Expr *LHS = E->getLHS()->IgnoreParenImpCasts(); 3755 Expr *RHS = E->getRHS()->IgnoreParenImpCasts(); 3756 3757 // Check to see if one of the (unmodified) operands is of different 3758 // signedness. 3759 Expr *signedOperand, *unsignedOperand; 3760 if (LHS->getType()->hasSignedIntegerRepresentation()) { 3761 assert(!RHS->getType()->hasSignedIntegerRepresentation() && 3762 "unsigned comparison between two signed integer expressions?"); 3763 signedOperand = LHS; 3764 unsignedOperand = RHS; 3765 } else if (RHS->getType()->hasSignedIntegerRepresentation()) { 3766 signedOperand = RHS; 3767 unsignedOperand = LHS; 3768 } else { 3769 CheckTrivialUnsignedComparison(S, E); 3770 return AnalyzeImpConvsInComparison(S, E); 3771 } 3772 3773 // Otherwise, calculate the effective range of the signed operand. 3774 IntRange signedRange = GetExprRange(S.Context, signedOperand); 3775 3776 // Go ahead and analyze implicit conversions in the operands. Note 3777 // that we skip the implicit conversions on both sides. 3778 AnalyzeImplicitConversions(S, LHS, E->getOperatorLoc()); 3779 AnalyzeImplicitConversions(S, RHS, E->getOperatorLoc()); 3780 3781 // If the signed range is non-negative, -Wsign-compare won't fire, 3782 // but we should still check for comparisons which are always true 3783 // or false. 3784 if (signedRange.NonNegative) 3785 return CheckTrivialUnsignedComparison(S, E); 3786 3787 // For (in)equality comparisons, if the unsigned operand is a 3788 // constant which cannot collide with a overflowed signed operand, 3789 // then reinterpreting the signed operand as unsigned will not 3790 // change the result of the comparison. 3791 if (E->isEqualityOp()) { 3792 unsigned comparisonWidth = S.Context.getIntWidth(T); 3793 IntRange unsignedRange = GetExprRange(S.Context, unsignedOperand); 3794 3795 // We should never be unable to prove that the unsigned operand is 3796 // non-negative. 3797 assert(unsignedRange.NonNegative && "unsigned range includes negative?"); 3798 3799 if (unsignedRange.Width < comparisonWidth) 3800 return; 3801 } 3802 3803 S.Diag(E->getOperatorLoc(), diag::warn_mixed_sign_comparison) 3804 << LHS->getType() << RHS->getType() 3805 << LHS->getSourceRange() << RHS->getSourceRange(); 3806} 3807 3808/// Analyzes an attempt to assign the given value to a bitfield. 3809/// 3810/// Returns true if there was something fishy about the attempt. 3811static bool AnalyzeBitFieldAssignment(Sema &S, FieldDecl *Bitfield, Expr *Init, 3812 SourceLocation InitLoc) { 3813 assert(Bitfield->isBitField()); 3814 if (Bitfield->isInvalidDecl()) 3815 return false; 3816 3817 // White-list bool bitfields. 3818 if (Bitfield->getType()->isBooleanType()) 3819 return false; 3820 3821 // Ignore value- or type-dependent expressions. 3822 if (Bitfield->getBitWidth()->isValueDependent() || 3823 Bitfield->getBitWidth()->isTypeDependent() || 3824 Init->isValueDependent() || 3825 Init->isTypeDependent()) 3826 return false; 3827 3828 Expr *OriginalInit = Init->IgnoreParenImpCasts(); 3829 3830 llvm::APSInt Value; 3831 if (!OriginalInit->EvaluateAsInt(Value, S.Context, Expr::SE_AllowSideEffects)) 3832 return false; 3833 3834 unsigned OriginalWidth = Value.getBitWidth(); 3835 unsigned FieldWidth = Bitfield->getBitWidthValue(S.Context); 3836 3837 if (OriginalWidth <= FieldWidth) 3838 return false; 3839 3840 // Compute the value which the bitfield will contain. 3841 llvm::APSInt TruncatedValue = Value.trunc(FieldWidth); 3842 TruncatedValue.setIsSigned(Bitfield->getType()->isSignedIntegerType()); 3843 3844 // Check whether the stored value is equal to the original value. 3845 TruncatedValue = TruncatedValue.extend(OriginalWidth); 3846 if (Value == TruncatedValue) 3847 return false; 3848 3849 // Special-case bitfields of width 1: booleans are naturally 0/1, and 3850 // therefore don't strictly fit into a signed bitfield of width 1. 3851 if (FieldWidth == 1 && Value == 1) 3852 return false; 3853 3854 std::string PrettyValue = Value.toString(10); 3855 std::string PrettyTrunc = TruncatedValue.toString(10); 3856 3857 S.Diag(InitLoc, diag::warn_impcast_bitfield_precision_constant) 3858 << PrettyValue << PrettyTrunc << OriginalInit->getType() 3859 << Init->getSourceRange(); 3860 3861 return true; 3862} 3863 3864/// Analyze the given simple or compound assignment for warning-worthy 3865/// operations. 3866static void AnalyzeAssignment(Sema &S, BinaryOperator *E) { 3867 // Just recurse on the LHS. 3868 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc()); 3869 3870 // We want to recurse on the RHS as normal unless we're assigning to 3871 // a bitfield. 3872 if (FieldDecl *Bitfield = E->getLHS()->getBitField()) { 3873 if (AnalyzeBitFieldAssignment(S, Bitfield, E->getRHS(), 3874 E->getOperatorLoc())) { 3875 // Recurse, ignoring any implicit conversions on the RHS. 3876 return AnalyzeImplicitConversions(S, E->getRHS()->IgnoreParenImpCasts(), 3877 E->getOperatorLoc()); 3878 } 3879 } 3880 3881 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc()); 3882} 3883 3884/// Diagnose an implicit cast; purely a helper for CheckImplicitConversion. 3885static void DiagnoseImpCast(Sema &S, Expr *E, QualType SourceType, QualType T, 3886 SourceLocation CContext, unsigned diag, 3887 bool pruneControlFlow = false) { 3888 if (pruneControlFlow) { 3889 S.DiagRuntimeBehavior(E->getExprLoc(), E, 3890 S.PDiag(diag) 3891 << SourceType << T << E->getSourceRange() 3892 << SourceRange(CContext)); 3893 return; 3894 } 3895 S.Diag(E->getExprLoc(), diag) 3896 << SourceType << T << E->getSourceRange() << SourceRange(CContext); 3897} 3898 3899/// Diagnose an implicit cast; purely a helper for CheckImplicitConversion. 3900static void DiagnoseImpCast(Sema &S, Expr *E, QualType T, 3901 SourceLocation CContext, unsigned diag, 3902 bool pruneControlFlow = false) { 3903 DiagnoseImpCast(S, E, E->getType(), T, CContext, diag, pruneControlFlow); 3904} 3905 3906/// Diagnose an implicit cast from a literal expression. Does not warn when the 3907/// cast wouldn't lose information. 3908void DiagnoseFloatingLiteralImpCast(Sema &S, FloatingLiteral *FL, QualType T, 3909 SourceLocation CContext) { 3910 // Try to convert the literal exactly to an integer. If we can, don't warn. 3911 bool isExact = false; 3912 const llvm::APFloat &Value = FL->getValue(); 3913 llvm::APSInt IntegerValue(S.Context.getIntWidth(T), 3914 T->hasUnsignedIntegerRepresentation()); 3915 if (Value.convertToInteger(IntegerValue, 3916 llvm::APFloat::rmTowardZero, &isExact) 3917 == llvm::APFloat::opOK && isExact) 3918 return; 3919 3920 S.Diag(FL->getExprLoc(), diag::warn_impcast_literal_float_to_integer) 3921 << FL->getType() << T << FL->getSourceRange() << SourceRange(CContext); 3922} 3923 3924std::string PrettyPrintInRange(const llvm::APSInt &Value, IntRange Range) { 3925 if (!Range.Width) return "0"; 3926 3927 llvm::APSInt ValueInRange = Value; 3928 ValueInRange.setIsSigned(!Range.NonNegative); 3929 ValueInRange = ValueInRange.trunc(Range.Width); 3930 return ValueInRange.toString(10); 3931} 3932 3933void CheckImplicitConversion(Sema &S, Expr *E, QualType T, 3934 SourceLocation CC, bool *ICContext = 0) { 3935 if (E->isTypeDependent() || E->isValueDependent()) return; 3936 3937 const Type *Source = S.Context.getCanonicalType(E->getType()).getTypePtr(); 3938 const Type *Target = S.Context.getCanonicalType(T).getTypePtr(); 3939 if (Source == Target) return; 3940 if (Target->isDependentType()) return; 3941 3942 // If the conversion context location is invalid don't complain. We also 3943 // don't want to emit a warning if the issue occurs from the expansion of 3944 // a system macro. The problem is that 'getSpellingLoc()' is slow, so we 3945 // delay this check as long as possible. Once we detect we are in that 3946 // scenario, we just return. 3947 if (CC.isInvalid()) 3948 return; 3949 3950 // Diagnose implicit casts to bool. 3951 if (Target->isSpecificBuiltinType(BuiltinType::Bool)) { 3952 if (isa<StringLiteral>(E)) 3953 // Warn on string literal to bool. Checks for string literals in logical 3954 // expressions, for instances, assert(0 && "error here"), is prevented 3955 // by a check in AnalyzeImplicitConversions(). 3956 return DiagnoseImpCast(S, E, T, CC, 3957 diag::warn_impcast_string_literal_to_bool); 3958 if (Source->isFunctionType()) { 3959 // Warn on function to bool. Checks free functions and static member 3960 // functions. Weakly imported functions are excluded from the check, 3961 // since it's common to test their value to check whether the linker 3962 // found a definition for them. 3963 ValueDecl *D = 0; 3964 if (DeclRefExpr* R = dyn_cast<DeclRefExpr>(E)) { 3965 D = R->getDecl(); 3966 } else if (MemberExpr *M = dyn_cast<MemberExpr>(E)) { 3967 D = M->getMemberDecl(); 3968 } 3969 3970 if (D && !D->isWeak()) { 3971 if (FunctionDecl* F = dyn_cast<FunctionDecl>(D)) { 3972 S.Diag(E->getExprLoc(), diag::warn_impcast_function_to_bool) 3973 << F << E->getSourceRange() << SourceRange(CC); 3974 S.Diag(E->getExprLoc(), diag::note_function_to_bool_silence) 3975 << FixItHint::CreateInsertion(E->getExprLoc(), "&"); 3976 QualType ReturnType; 3977 UnresolvedSet<4> NonTemplateOverloads; 3978 S.isExprCallable(*E, ReturnType, NonTemplateOverloads); 3979 if (!ReturnType.isNull() 3980 && ReturnType->isSpecificBuiltinType(BuiltinType::Bool)) 3981 S.Diag(E->getExprLoc(), diag::note_function_to_bool_call) 3982 << FixItHint::CreateInsertion( 3983 S.getPreprocessor().getLocForEndOfToken(E->getLocEnd()), "()"); 3984 return; 3985 } 3986 } 3987 } 3988 return; // Other casts to bool are not checked. 3989 } 3990 3991 // Strip vector types. 3992 if (isa<VectorType>(Source)) { 3993 if (!isa<VectorType>(Target)) { 3994 if (S.SourceMgr.isInSystemMacro(CC)) 3995 return; 3996 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_vector_scalar); 3997 } 3998 3999 // If the vector cast is cast between two vectors of the same size, it is 4000 // a bitcast, not a conversion. 4001 if (S.Context.getTypeSize(Source) == S.Context.getTypeSize(Target)) 4002 return; 4003 4004 Source = cast<VectorType>(Source)->getElementType().getTypePtr(); 4005 Target = cast<VectorType>(Target)->getElementType().getTypePtr(); 4006 } 4007 4008 // Strip complex types. 4009 if (isa<ComplexType>(Source)) { 4010 if (!isa<ComplexType>(Target)) { 4011 if (S.SourceMgr.isInSystemMacro(CC)) 4012 return; 4013 4014 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_complex_scalar); 4015 } 4016 4017 Source = cast<ComplexType>(Source)->getElementType().getTypePtr(); 4018 Target = cast<ComplexType>(Target)->getElementType().getTypePtr(); 4019 } 4020 4021 const BuiltinType *SourceBT = dyn_cast<BuiltinType>(Source); 4022 const BuiltinType *TargetBT = dyn_cast<BuiltinType>(Target); 4023 4024 // If the source is floating point... 4025 if (SourceBT && SourceBT->isFloatingPoint()) { 4026 // ...and the target is floating point... 4027 if (TargetBT && TargetBT->isFloatingPoint()) { 4028 // ...then warn if we're dropping FP rank. 4029 4030 // Builtin FP kinds are ordered by increasing FP rank. 4031 if (SourceBT->getKind() > TargetBT->getKind()) { 4032 // Don't warn about float constants that are precisely 4033 // representable in the target type. 4034 Expr::EvalResult result; 4035 if (E->EvaluateAsRValue(result, S.Context)) { 4036 // Value might be a float, a float vector, or a float complex. 4037 if (IsSameFloatAfterCast(result.Val, 4038 S.Context.getFloatTypeSemantics(QualType(TargetBT, 0)), 4039 S.Context.getFloatTypeSemantics(QualType(SourceBT, 0)))) 4040 return; 4041 } 4042 4043 if (S.SourceMgr.isInSystemMacro(CC)) 4044 return; 4045 4046 DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_precision); 4047 } 4048 return; 4049 } 4050 4051 // If the target is integral, always warn. 4052 if ((TargetBT && TargetBT->isInteger())) { 4053 if (S.SourceMgr.isInSystemMacro(CC)) 4054 return; 4055 4056 Expr *InnerE = E->IgnoreParenImpCasts(); 4057 // We also want to warn on, e.g., "int i = -1.234" 4058 if (UnaryOperator *UOp = dyn_cast<UnaryOperator>(InnerE)) 4059 if (UOp->getOpcode() == UO_Minus || UOp->getOpcode() == UO_Plus) 4060 InnerE = UOp->getSubExpr()->IgnoreParenImpCasts(); 4061 4062 if (FloatingLiteral *FL = dyn_cast<FloatingLiteral>(InnerE)) { 4063 DiagnoseFloatingLiteralImpCast(S, FL, T, CC); 4064 } else { 4065 DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_integer); 4066 } 4067 } 4068 4069 return; 4070 } 4071 4072 if (!Source->isIntegerType() || !Target->isIntegerType()) 4073 return; 4074 4075 if ((E->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNotNull) 4076 == Expr::NPCK_GNUNull) && Target->isIntegerType()) { 4077 SourceLocation Loc = E->getSourceRange().getBegin(); 4078 if (Loc.isMacroID()) 4079 Loc = S.SourceMgr.getImmediateExpansionRange(Loc).first; 4080 S.Diag(Loc, diag::warn_impcast_null_pointer_to_integer) 4081 << T << Loc << clang::SourceRange(CC); 4082 return; 4083 } 4084 4085 IntRange SourceRange = GetExprRange(S.Context, E); 4086 IntRange TargetRange = IntRange::forTargetOfCanonicalType(S.Context, Target); 4087 4088 if (SourceRange.Width > TargetRange.Width) { 4089 // If the source is a constant, use a default-on diagnostic. 4090 // TODO: this should happen for bitfield stores, too. 4091 llvm::APSInt Value(32); 4092 if (E->isIntegerConstantExpr(Value, S.Context)) { 4093 if (S.SourceMgr.isInSystemMacro(CC)) 4094 return; 4095 4096 std::string PrettySourceValue = Value.toString(10); 4097 std::string PrettyTargetValue = PrettyPrintInRange(Value, TargetRange); 4098 4099 S.DiagRuntimeBehavior(E->getExprLoc(), E, 4100 S.PDiag(diag::warn_impcast_integer_precision_constant) 4101 << PrettySourceValue << PrettyTargetValue 4102 << E->getType() << T << E->getSourceRange() 4103 << clang::SourceRange(CC)); 4104 return; 4105 } 4106 4107 // People want to build with -Wshorten-64-to-32 and not -Wconversion. 4108 if (S.SourceMgr.isInSystemMacro(CC)) 4109 return; 4110 4111 if (SourceRange.Width == 64 && TargetRange.Width == 32) 4112 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_64_32, 4113 /* pruneControlFlow */ true); 4114 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_precision); 4115 } 4116 4117 if ((TargetRange.NonNegative && !SourceRange.NonNegative) || 4118 (!TargetRange.NonNegative && SourceRange.NonNegative && 4119 SourceRange.Width == TargetRange.Width)) { 4120 4121 if (S.SourceMgr.isInSystemMacro(CC)) 4122 return; 4123 4124 unsigned DiagID = diag::warn_impcast_integer_sign; 4125 4126 // Traditionally, gcc has warned about this under -Wsign-compare. 4127 // We also want to warn about it in -Wconversion. 4128 // So if -Wconversion is off, use a completely identical diagnostic 4129 // in the sign-compare group. 4130 // The conditional-checking code will 4131 if (ICContext) { 4132 DiagID = diag::warn_impcast_integer_sign_conditional; 4133 *ICContext = true; 4134 } 4135 4136 return DiagnoseImpCast(S, E, T, CC, DiagID); 4137 } 4138 4139 // Diagnose conversions between different enumeration types. 4140 // In C, we pretend that the type of an EnumConstantDecl is its enumeration 4141 // type, to give us better diagnostics. 4142 QualType SourceType = E->getType(); 4143 if (!S.getLangOpts().CPlusPlus) { 4144 if (DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) 4145 if (EnumConstantDecl *ECD = dyn_cast<EnumConstantDecl>(DRE->getDecl())) { 4146 EnumDecl *Enum = cast<EnumDecl>(ECD->getDeclContext()); 4147 SourceType = S.Context.getTypeDeclType(Enum); 4148 Source = S.Context.getCanonicalType(SourceType).getTypePtr(); 4149 } 4150 } 4151 4152 if (const EnumType *SourceEnum = Source->getAs<EnumType>()) 4153 if (const EnumType *TargetEnum = Target->getAs<EnumType>()) 4154 if ((SourceEnum->getDecl()->getIdentifier() || 4155 SourceEnum->getDecl()->getTypedefNameForAnonDecl()) && 4156 (TargetEnum->getDecl()->getIdentifier() || 4157 TargetEnum->getDecl()->getTypedefNameForAnonDecl()) && 4158 SourceEnum != TargetEnum) { 4159 if (S.SourceMgr.isInSystemMacro(CC)) 4160 return; 4161 4162 return DiagnoseImpCast(S, E, SourceType, T, CC, 4163 diag::warn_impcast_different_enum_types); 4164 } 4165 4166 return; 4167} 4168 4169void CheckConditionalOperator(Sema &S, ConditionalOperator *E, QualType T); 4170 4171void CheckConditionalOperand(Sema &S, Expr *E, QualType T, 4172 SourceLocation CC, bool &ICContext) { 4173 E = E->IgnoreParenImpCasts(); 4174 4175 if (isa<ConditionalOperator>(E)) 4176 return CheckConditionalOperator(S, cast<ConditionalOperator>(E), T); 4177 4178 AnalyzeImplicitConversions(S, E, CC); 4179 if (E->getType() != T) 4180 return CheckImplicitConversion(S, E, T, CC, &ICContext); 4181 return; 4182} 4183 4184void CheckConditionalOperator(Sema &S, ConditionalOperator *E, QualType T) { 4185 SourceLocation CC = E->getQuestionLoc(); 4186 4187 AnalyzeImplicitConversions(S, E->getCond(), CC); 4188 4189 bool Suspicious = false; 4190 CheckConditionalOperand(S, E->getTrueExpr(), T, CC, Suspicious); 4191 CheckConditionalOperand(S, E->getFalseExpr(), T, CC, Suspicious); 4192 4193 // If -Wconversion would have warned about either of the candidates 4194 // for a signedness conversion to the context type... 4195 if (!Suspicious) return; 4196 4197 // ...but it's currently ignored... 4198 if (S.Diags.getDiagnosticLevel(diag::warn_impcast_integer_sign_conditional, 4199 CC)) 4200 return; 4201 4202 // ...then check whether it would have warned about either of the 4203 // candidates for a signedness conversion to the condition type. 4204 if (E->getType() == T) return; 4205 4206 Suspicious = false; 4207 CheckImplicitConversion(S, E->getTrueExpr()->IgnoreParenImpCasts(), 4208 E->getType(), CC, &Suspicious); 4209 if (!Suspicious) 4210 CheckImplicitConversion(S, E->getFalseExpr()->IgnoreParenImpCasts(), 4211 E->getType(), CC, &Suspicious); 4212} 4213 4214/// AnalyzeImplicitConversions - Find and report any interesting 4215/// implicit conversions in the given expression. There are a couple 4216/// of competing diagnostics here, -Wconversion and -Wsign-compare. 4217void AnalyzeImplicitConversions(Sema &S, Expr *OrigE, SourceLocation CC) { 4218 QualType T = OrigE->getType(); 4219 Expr *E = OrigE->IgnoreParenImpCasts(); 4220 4221 if (E->isTypeDependent() || E->isValueDependent()) 4222 return; 4223 4224 // For conditional operators, we analyze the arguments as if they 4225 // were being fed directly into the output. 4226 if (isa<ConditionalOperator>(E)) { 4227 ConditionalOperator *CO = cast<ConditionalOperator>(E); 4228 CheckConditionalOperator(S, CO, T); 4229 return; 4230 } 4231 4232 // Go ahead and check any implicit conversions we might have skipped. 4233 // The non-canonical typecheck is just an optimization; 4234 // CheckImplicitConversion will filter out dead implicit conversions. 4235 if (E->getType() != T) 4236 CheckImplicitConversion(S, E, T, CC); 4237 4238 // Now continue drilling into this expression. 4239 4240 // Skip past explicit casts. 4241 if (isa<ExplicitCastExpr>(E)) { 4242 E = cast<ExplicitCastExpr>(E)->getSubExpr()->IgnoreParenImpCasts(); 4243 return AnalyzeImplicitConversions(S, E, CC); 4244 } 4245 4246 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 4247 // Do a somewhat different check with comparison operators. 4248 if (BO->isComparisonOp()) 4249 return AnalyzeComparison(S, BO); 4250 4251 // And with simple assignments. 4252 if (BO->getOpcode() == BO_Assign) 4253 return AnalyzeAssignment(S, BO); 4254 } 4255 4256 // These break the otherwise-useful invariant below. Fortunately, 4257 // we don't really need to recurse into them, because any internal 4258 // expressions should have been analyzed already when they were 4259 // built into statements. 4260 if (isa<StmtExpr>(E)) return; 4261 4262 // Don't descend into unevaluated contexts. 4263 if (isa<UnaryExprOrTypeTraitExpr>(E)) return; 4264 4265 // Now just recurse over the expression's children. 4266 CC = E->getExprLoc(); 4267 BinaryOperator *BO = dyn_cast<BinaryOperator>(E); 4268 bool IsLogicalOperator = BO && BO->isLogicalOp(); 4269 for (Stmt::child_range I = E->children(); I; ++I) { 4270 Expr *ChildExpr = dyn_cast_or_null<Expr>(*I); 4271 if (!ChildExpr) 4272 continue; 4273 4274 if (IsLogicalOperator && 4275 isa<StringLiteral>(ChildExpr->IgnoreParenImpCasts())) 4276 // Ignore checking string literals that are in logical operators. 4277 continue; 4278 AnalyzeImplicitConversions(S, ChildExpr, CC); 4279 } 4280} 4281 4282} // end anonymous namespace 4283 4284/// Diagnoses "dangerous" implicit conversions within the given 4285/// expression (which is a full expression). Implements -Wconversion 4286/// and -Wsign-compare. 4287/// 4288/// \param CC the "context" location of the implicit conversion, i.e. 4289/// the most location of the syntactic entity requiring the implicit 4290/// conversion 4291void Sema::CheckImplicitConversions(Expr *E, SourceLocation CC) { 4292 // Don't diagnose in unevaluated contexts. 4293 if (ExprEvalContexts.back().Context == Sema::Unevaluated) 4294 return; 4295 4296 // Don't diagnose for value- or type-dependent expressions. 4297 if (E->isTypeDependent() || E->isValueDependent()) 4298 return; 4299 4300 // Check for array bounds violations in cases where the check isn't triggered 4301 // elsewhere for other Expr types (like BinaryOperators), e.g. when an 4302 // ArraySubscriptExpr is on the RHS of a variable initialization. 4303 CheckArrayAccess(E); 4304 4305 // This is not the right CC for (e.g.) a variable initialization. 4306 AnalyzeImplicitConversions(*this, E, CC); 4307} 4308 4309void Sema::CheckBitFieldInitialization(SourceLocation InitLoc, 4310 FieldDecl *BitField, 4311 Expr *Init) { 4312 (void) AnalyzeBitFieldAssignment(*this, BitField, Init, InitLoc); 4313} 4314 4315/// CheckParmsForFunctionDef - Check that the parameters of the given 4316/// function are appropriate for the definition of a function. This 4317/// takes care of any checks that cannot be performed on the 4318/// declaration itself, e.g., that the types of each of the function 4319/// parameters are complete. 4320bool Sema::CheckParmsForFunctionDef(ParmVarDecl **P, ParmVarDecl **PEnd, 4321 bool CheckParameterNames) { 4322 bool HasInvalidParm = false; 4323 for (; P != PEnd; ++P) { 4324 ParmVarDecl *Param = *P; 4325 4326 // C99 6.7.5.3p4: the parameters in a parameter type list in a 4327 // function declarator that is part of a function definition of 4328 // that function shall not have incomplete type. 4329 // 4330 // This is also C++ [dcl.fct]p6. 4331 if (!Param->isInvalidDecl() && 4332 RequireCompleteType(Param->getLocation(), Param->getType(), 4333 diag::err_typecheck_decl_incomplete_type)) { 4334 Param->setInvalidDecl(); 4335 HasInvalidParm = true; 4336 } 4337 4338 // C99 6.9.1p5: If the declarator includes a parameter type list, the 4339 // declaration of each parameter shall include an identifier. 4340 if (CheckParameterNames && 4341 Param->getIdentifier() == 0 && 4342 !Param->isImplicit() && 4343 !getLangOpts().CPlusPlus) 4344 Diag(Param->getLocation(), diag::err_parameter_name_omitted); 4345 4346 // C99 6.7.5.3p12: 4347 // If the function declarator is not part of a definition of that 4348 // function, parameters may have incomplete type and may use the [*] 4349 // notation in their sequences of declarator specifiers to specify 4350 // variable length array types. 4351 QualType PType = Param->getOriginalType(); 4352 if (const ArrayType *AT = Context.getAsArrayType(PType)) { 4353 if (AT->getSizeModifier() == ArrayType::Star) { 4354 // FIXME: This diagnosic should point the the '[*]' if source-location 4355 // information is added for it. 4356 Diag(Param->getLocation(), diag::err_array_star_in_function_definition); 4357 } 4358 } 4359 } 4360 4361 return HasInvalidParm; 4362} 4363 4364/// CheckCastAlign - Implements -Wcast-align, which warns when a 4365/// pointer cast increases the alignment requirements. 4366void Sema::CheckCastAlign(Expr *Op, QualType T, SourceRange TRange) { 4367 // This is actually a lot of work to potentially be doing on every 4368 // cast; don't do it if we're ignoring -Wcast_align (as is the default). 4369 if (getDiagnostics().getDiagnosticLevel(diag::warn_cast_align, 4370 TRange.getBegin()) 4371 == DiagnosticsEngine::Ignored) 4372 return; 4373 4374 // Ignore dependent types. 4375 if (T->isDependentType() || Op->getType()->isDependentType()) 4376 return; 4377 4378 // Require that the destination be a pointer type. 4379 const PointerType *DestPtr = T->getAs<PointerType>(); 4380 if (!DestPtr) return; 4381 4382 // If the destination has alignment 1, we're done. 4383 QualType DestPointee = DestPtr->getPointeeType(); 4384 if (DestPointee->isIncompleteType()) return; 4385 CharUnits DestAlign = Context.getTypeAlignInChars(DestPointee); 4386 if (DestAlign.isOne()) return; 4387 4388 // Require that the source be a pointer type. 4389 const PointerType *SrcPtr = Op->getType()->getAs<PointerType>(); 4390 if (!SrcPtr) return; 4391 QualType SrcPointee = SrcPtr->getPointeeType(); 4392 4393 // Whitelist casts from cv void*. We already implicitly 4394 // whitelisted casts to cv void*, since they have alignment 1. 4395 // Also whitelist casts involving incomplete types, which implicitly 4396 // includes 'void'. 4397 if (SrcPointee->isIncompleteType()) return; 4398 4399 CharUnits SrcAlign = Context.getTypeAlignInChars(SrcPointee); 4400 if (SrcAlign >= DestAlign) return; 4401 4402 Diag(TRange.getBegin(), diag::warn_cast_align) 4403 << Op->getType() << T 4404 << static_cast<unsigned>(SrcAlign.getQuantity()) 4405 << static_cast<unsigned>(DestAlign.getQuantity()) 4406 << TRange << Op->getSourceRange(); 4407} 4408 4409static const Type* getElementType(const Expr *BaseExpr) { 4410 const Type* EltType = BaseExpr->getType().getTypePtr(); 4411 if (EltType->isAnyPointerType()) 4412 return EltType->getPointeeType().getTypePtr(); 4413 else if (EltType->isArrayType()) 4414 return EltType->getBaseElementTypeUnsafe(); 4415 return EltType; 4416} 4417 4418/// \brief Check whether this array fits the idiom of a size-one tail padded 4419/// array member of a struct. 4420/// 4421/// We avoid emitting out-of-bounds access warnings for such arrays as they are 4422/// commonly used to emulate flexible arrays in C89 code. 4423static bool IsTailPaddedMemberArray(Sema &S, llvm::APInt Size, 4424 const NamedDecl *ND) { 4425 if (Size != 1 || !ND) return false; 4426 4427 const FieldDecl *FD = dyn_cast<FieldDecl>(ND); 4428 if (!FD) return false; 4429 4430 // Don't consider sizes resulting from macro expansions or template argument 4431 // substitution to form C89 tail-padded arrays. 4432 ConstantArrayTypeLoc TL = 4433 cast<ConstantArrayTypeLoc>(FD->getTypeSourceInfo()->getTypeLoc()); 4434 const Expr *SizeExpr = dyn_cast<IntegerLiteral>(TL.getSizeExpr()); 4435 if (!SizeExpr || SizeExpr->getExprLoc().isMacroID()) 4436 return false; 4437 4438 const RecordDecl *RD = dyn_cast<RecordDecl>(FD->getDeclContext()); 4439 if (!RD) return false; 4440 if (RD->isUnion()) return false; 4441 if (const CXXRecordDecl *CRD = dyn_cast<CXXRecordDecl>(RD)) { 4442 if (!CRD->isStandardLayout()) return false; 4443 } 4444 4445 // See if this is the last field decl in the record. 4446 const Decl *D = FD; 4447 while ((D = D->getNextDeclInContext())) 4448 if (isa<FieldDecl>(D)) 4449 return false; 4450 return true; 4451} 4452 4453void Sema::CheckArrayAccess(const Expr *BaseExpr, const Expr *IndexExpr, 4454 const ArraySubscriptExpr *ASE, 4455 bool AllowOnePastEnd, bool IndexNegated) { 4456 IndexExpr = IndexExpr->IgnoreParenImpCasts(); 4457 if (IndexExpr->isValueDependent()) 4458 return; 4459 4460 const Type *EffectiveType = getElementType(BaseExpr); 4461 BaseExpr = BaseExpr->IgnoreParenCasts(); 4462 const ConstantArrayType *ArrayTy = 4463 Context.getAsConstantArrayType(BaseExpr->getType()); 4464 if (!ArrayTy) 4465 return; 4466 4467 llvm::APSInt index; 4468 if (!IndexExpr->EvaluateAsInt(index, Context)) 4469 return; 4470 if (IndexNegated) 4471 index = -index; 4472 4473 const NamedDecl *ND = NULL; 4474 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr)) 4475 ND = dyn_cast<NamedDecl>(DRE->getDecl()); 4476 if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr)) 4477 ND = dyn_cast<NamedDecl>(ME->getMemberDecl()); 4478 4479 if (index.isUnsigned() || !index.isNegative()) { 4480 llvm::APInt size = ArrayTy->getSize(); 4481 if (!size.isStrictlyPositive()) 4482 return; 4483 4484 const Type* BaseType = getElementType(BaseExpr); 4485 if (BaseType != EffectiveType) { 4486 // Make sure we're comparing apples to apples when comparing index to size 4487 uint64_t ptrarith_typesize = Context.getTypeSize(EffectiveType); 4488 uint64_t array_typesize = Context.getTypeSize(BaseType); 4489 // Handle ptrarith_typesize being zero, such as when casting to void* 4490 if (!ptrarith_typesize) ptrarith_typesize = 1; 4491 if (ptrarith_typesize != array_typesize) { 4492 // There's a cast to a different size type involved 4493 uint64_t ratio = array_typesize / ptrarith_typesize; 4494 // TODO: Be smarter about handling cases where array_typesize is not a 4495 // multiple of ptrarith_typesize 4496 if (ptrarith_typesize * ratio == array_typesize) 4497 size *= llvm::APInt(size.getBitWidth(), ratio); 4498 } 4499 } 4500 4501 if (size.getBitWidth() > index.getBitWidth()) 4502 index = index.zext(size.getBitWidth()); 4503 else if (size.getBitWidth() < index.getBitWidth()) 4504 size = size.zext(index.getBitWidth()); 4505 4506 // For array subscripting the index must be less than size, but for pointer 4507 // arithmetic also allow the index (offset) to be equal to size since 4508 // computing the next address after the end of the array is legal and 4509 // commonly done e.g. in C++ iterators and range-based for loops. 4510 if (AllowOnePastEnd ? index.ule(size) : index.ult(size)) 4511 return; 4512 4513 // Also don't warn for arrays of size 1 which are members of some 4514 // structure. These are often used to approximate flexible arrays in C89 4515 // code. 4516 if (IsTailPaddedMemberArray(*this, size, ND)) 4517 return; 4518 4519 // Suppress the warning if the subscript expression (as identified by the 4520 // ']' location) and the index expression are both from macro expansions 4521 // within a system header. 4522 if (ASE) { 4523 SourceLocation RBracketLoc = SourceMgr.getSpellingLoc( 4524 ASE->getRBracketLoc()); 4525 if (SourceMgr.isInSystemHeader(RBracketLoc)) { 4526 SourceLocation IndexLoc = SourceMgr.getSpellingLoc( 4527 IndexExpr->getLocStart()); 4528 if (SourceMgr.isFromSameFile(RBracketLoc, IndexLoc)) 4529 return; 4530 } 4531 } 4532 4533 unsigned DiagID = diag::warn_ptr_arith_exceeds_bounds; 4534 if (ASE) 4535 DiagID = diag::warn_array_index_exceeds_bounds; 4536 4537 DiagRuntimeBehavior(BaseExpr->getLocStart(), BaseExpr, 4538 PDiag(DiagID) << index.toString(10, true) 4539 << size.toString(10, true) 4540 << (unsigned)size.getLimitedValue(~0U) 4541 << IndexExpr->getSourceRange()); 4542 } else { 4543 unsigned DiagID = diag::warn_array_index_precedes_bounds; 4544 if (!ASE) { 4545 DiagID = diag::warn_ptr_arith_precedes_bounds; 4546 if (index.isNegative()) index = -index; 4547 } 4548 4549 DiagRuntimeBehavior(BaseExpr->getLocStart(), BaseExpr, 4550 PDiag(DiagID) << index.toString(10, true) 4551 << IndexExpr->getSourceRange()); 4552 } 4553 4554 if (!ND) { 4555 // Try harder to find a NamedDecl to point at in the note. 4556 while (const ArraySubscriptExpr *ASE = 4557 dyn_cast<ArraySubscriptExpr>(BaseExpr)) 4558 BaseExpr = ASE->getBase()->IgnoreParenCasts(); 4559 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr)) 4560 ND = dyn_cast<NamedDecl>(DRE->getDecl()); 4561 if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr)) 4562 ND = dyn_cast<NamedDecl>(ME->getMemberDecl()); 4563 } 4564 4565 if (ND) 4566 DiagRuntimeBehavior(ND->getLocStart(), BaseExpr, 4567 PDiag(diag::note_array_index_out_of_bounds) 4568 << ND->getDeclName()); 4569} 4570 4571void Sema::CheckArrayAccess(const Expr *expr) { 4572 int AllowOnePastEnd = 0; 4573 while (expr) { 4574 expr = expr->IgnoreParenImpCasts(); 4575 switch (expr->getStmtClass()) { 4576 case Stmt::ArraySubscriptExprClass: { 4577 const ArraySubscriptExpr *ASE = cast<ArraySubscriptExpr>(expr); 4578 CheckArrayAccess(ASE->getBase(), ASE->getIdx(), ASE, 4579 AllowOnePastEnd > 0); 4580 return; 4581 } 4582 case Stmt::UnaryOperatorClass: { 4583 // Only unwrap the * and & unary operators 4584 const UnaryOperator *UO = cast<UnaryOperator>(expr); 4585 expr = UO->getSubExpr(); 4586 switch (UO->getOpcode()) { 4587 case UO_AddrOf: 4588 AllowOnePastEnd++; 4589 break; 4590 case UO_Deref: 4591 AllowOnePastEnd--; 4592 break; 4593 default: 4594 return; 4595 } 4596 break; 4597 } 4598 case Stmt::ConditionalOperatorClass: { 4599 const ConditionalOperator *cond = cast<ConditionalOperator>(expr); 4600 if (const Expr *lhs = cond->getLHS()) 4601 CheckArrayAccess(lhs); 4602 if (const Expr *rhs = cond->getRHS()) 4603 CheckArrayAccess(rhs); 4604 return; 4605 } 4606 default: 4607 return; 4608 } 4609 } 4610} 4611 4612//===--- CHECK: Objective-C retain cycles ----------------------------------// 4613 4614namespace { 4615 struct RetainCycleOwner { 4616 RetainCycleOwner() : Variable(0), Indirect(false) {} 4617 VarDecl *Variable; 4618 SourceRange Range; 4619 SourceLocation Loc; 4620 bool Indirect; 4621 4622 void setLocsFrom(Expr *e) { 4623 Loc = e->getExprLoc(); 4624 Range = e->getSourceRange(); 4625 } 4626 }; 4627} 4628 4629/// Consider whether capturing the given variable can possibly lead to 4630/// a retain cycle. 4631static bool considerVariable(VarDecl *var, Expr *ref, RetainCycleOwner &owner) { 4632 // In ARC, it's captured strongly iff the variable has __strong 4633 // lifetime. In MRR, it's captured strongly if the variable is 4634 // __block and has an appropriate type. 4635 if (var->getType().getObjCLifetime() != Qualifiers::OCL_Strong) 4636 return false; 4637 4638 owner.Variable = var; 4639 owner.setLocsFrom(ref); 4640 return true; 4641} 4642 4643static bool findRetainCycleOwner(Sema &S, Expr *e, RetainCycleOwner &owner) { 4644 while (true) { 4645 e = e->IgnoreParens(); 4646 if (CastExpr *cast = dyn_cast<CastExpr>(e)) { 4647 switch (cast->getCastKind()) { 4648 case CK_BitCast: 4649 case CK_LValueBitCast: 4650 case CK_LValueToRValue: 4651 case CK_ARCReclaimReturnedObject: 4652 e = cast->getSubExpr(); 4653 continue; 4654 4655 default: 4656 return false; 4657 } 4658 } 4659 4660 if (ObjCIvarRefExpr *ref = dyn_cast<ObjCIvarRefExpr>(e)) { 4661 ObjCIvarDecl *ivar = ref->getDecl(); 4662 if (ivar->getType().getObjCLifetime() != Qualifiers::OCL_Strong) 4663 return false; 4664 4665 // Try to find a retain cycle in the base. 4666 if (!findRetainCycleOwner(S, ref->getBase(), owner)) 4667 return false; 4668 4669 if (ref->isFreeIvar()) owner.setLocsFrom(ref); 4670 owner.Indirect = true; 4671 return true; 4672 } 4673 4674 if (DeclRefExpr *ref = dyn_cast<DeclRefExpr>(e)) { 4675 VarDecl *var = dyn_cast<VarDecl>(ref->getDecl()); 4676 if (!var) return false; 4677 return considerVariable(var, ref, owner); 4678 } 4679 4680 if (MemberExpr *member = dyn_cast<MemberExpr>(e)) { 4681 if (member->isArrow()) return false; 4682 4683 // Don't count this as an indirect ownership. 4684 e = member->getBase(); 4685 continue; 4686 } 4687 4688 if (PseudoObjectExpr *pseudo = dyn_cast<PseudoObjectExpr>(e)) { 4689 // Only pay attention to pseudo-objects on property references. 4690 ObjCPropertyRefExpr *pre 4691 = dyn_cast<ObjCPropertyRefExpr>(pseudo->getSyntacticForm() 4692 ->IgnoreParens()); 4693 if (!pre) return false; 4694 if (pre->isImplicitProperty()) return false; 4695 ObjCPropertyDecl *property = pre->getExplicitProperty(); 4696 if (!property->isRetaining() && 4697 !(property->getPropertyIvarDecl() && 4698 property->getPropertyIvarDecl()->getType() 4699 .getObjCLifetime() == Qualifiers::OCL_Strong)) 4700 return false; 4701 4702 owner.Indirect = true; 4703 if (pre->isSuperReceiver()) { 4704 owner.Variable = S.getCurMethodDecl()->getSelfDecl(); 4705 if (!owner.Variable) 4706 return false; 4707 owner.Loc = pre->getLocation(); 4708 owner.Range = pre->getSourceRange(); 4709 return true; 4710 } 4711 e = const_cast<Expr*>(cast<OpaqueValueExpr>(pre->getBase()) 4712 ->getSourceExpr()); 4713 continue; 4714 } 4715 4716 // Array ivars? 4717 4718 return false; 4719 } 4720} 4721 4722namespace { 4723 struct FindCaptureVisitor : EvaluatedExprVisitor<FindCaptureVisitor> { 4724 FindCaptureVisitor(ASTContext &Context, VarDecl *variable) 4725 : EvaluatedExprVisitor<FindCaptureVisitor>(Context), 4726 Variable(variable), Capturer(0) {} 4727 4728 VarDecl *Variable; 4729 Expr *Capturer; 4730 4731 void VisitDeclRefExpr(DeclRefExpr *ref) { 4732 if (ref->getDecl() == Variable && !Capturer) 4733 Capturer = ref; 4734 } 4735 4736 void VisitObjCIvarRefExpr(ObjCIvarRefExpr *ref) { 4737 if (Capturer) return; 4738 Visit(ref->getBase()); 4739 if (Capturer && ref->isFreeIvar()) 4740 Capturer = ref; 4741 } 4742 4743 void VisitBlockExpr(BlockExpr *block) { 4744 // Look inside nested blocks 4745 if (block->getBlockDecl()->capturesVariable(Variable)) 4746 Visit(block->getBlockDecl()->getBody()); 4747 } 4748 }; 4749} 4750 4751/// Check whether the given argument is a block which captures a 4752/// variable. 4753static Expr *findCapturingExpr(Sema &S, Expr *e, RetainCycleOwner &owner) { 4754 assert(owner.Variable && owner.Loc.isValid()); 4755 4756 e = e->IgnoreParenCasts(); 4757 BlockExpr *block = dyn_cast<BlockExpr>(e); 4758 if (!block || !block->getBlockDecl()->capturesVariable(owner.Variable)) 4759 return 0; 4760 4761 FindCaptureVisitor visitor(S.Context, owner.Variable); 4762 visitor.Visit(block->getBlockDecl()->getBody()); 4763 return visitor.Capturer; 4764} 4765 4766static void diagnoseRetainCycle(Sema &S, Expr *capturer, 4767 RetainCycleOwner &owner) { 4768 assert(capturer); 4769 assert(owner.Variable && owner.Loc.isValid()); 4770 4771 S.Diag(capturer->getExprLoc(), diag::warn_arc_retain_cycle) 4772 << owner.Variable << capturer->getSourceRange(); 4773 S.Diag(owner.Loc, diag::note_arc_retain_cycle_owner) 4774 << owner.Indirect << owner.Range; 4775} 4776 4777/// Check for a keyword selector that starts with the word 'add' or 4778/// 'set'. 4779static bool isSetterLikeSelector(Selector sel) { 4780 if (sel.isUnarySelector()) return false; 4781 4782 StringRef str = sel.getNameForSlot(0); 4783 while (!str.empty() && str.front() == '_') str = str.substr(1); 4784 if (str.startswith("set")) 4785 str = str.substr(3); 4786 else if (str.startswith("add")) { 4787 // Specially whitelist 'addOperationWithBlock:'. 4788 if (sel.getNumArgs() == 1 && str.startswith("addOperationWithBlock")) 4789 return false; 4790 str = str.substr(3); 4791 } 4792 else 4793 return false; 4794 4795 if (str.empty()) return true; 4796 return !islower(str.front()); 4797} 4798 4799/// Check a message send to see if it's likely to cause a retain cycle. 4800void Sema::checkRetainCycles(ObjCMessageExpr *msg) { 4801 // Only check instance methods whose selector looks like a setter. 4802 if (!msg->isInstanceMessage() || !isSetterLikeSelector(msg->getSelector())) 4803 return; 4804 4805 // Try to find a variable that the receiver is strongly owned by. 4806 RetainCycleOwner owner; 4807 if (msg->getReceiverKind() == ObjCMessageExpr::Instance) { 4808 if (!findRetainCycleOwner(*this, msg->getInstanceReceiver(), owner)) 4809 return; 4810 } else { 4811 assert(msg->getReceiverKind() == ObjCMessageExpr::SuperInstance); 4812 owner.Variable = getCurMethodDecl()->getSelfDecl(); 4813 owner.Loc = msg->getSuperLoc(); 4814 owner.Range = msg->getSuperLoc(); 4815 } 4816 4817 // Check whether the receiver is captured by any of the arguments. 4818 for (unsigned i = 0, e = msg->getNumArgs(); i != e; ++i) 4819 if (Expr *capturer = findCapturingExpr(*this, msg->getArg(i), owner)) 4820 return diagnoseRetainCycle(*this, capturer, owner); 4821} 4822 4823/// Check a property assign to see if it's likely to cause a retain cycle. 4824void Sema::checkRetainCycles(Expr *receiver, Expr *argument) { 4825 RetainCycleOwner owner; 4826 if (!findRetainCycleOwner(*this, receiver, owner)) 4827 return; 4828 4829 if (Expr *capturer = findCapturingExpr(*this, argument, owner)) 4830 diagnoseRetainCycle(*this, capturer, owner); 4831} 4832 4833bool Sema::checkUnsafeAssigns(SourceLocation Loc, 4834 QualType LHS, Expr *RHS) { 4835 Qualifiers::ObjCLifetime LT = LHS.getObjCLifetime(); 4836 if (LT != Qualifiers::OCL_Weak && LT != Qualifiers::OCL_ExplicitNone) 4837 return false; 4838 // strip off any implicit cast added to get to the one arc-specific 4839 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) { 4840 if (cast->getCastKind() == CK_ARCConsumeObject) { 4841 Diag(Loc, diag::warn_arc_retained_assign) 4842 << (LT == Qualifiers::OCL_ExplicitNone) 4843 << RHS->getSourceRange(); 4844 return true; 4845 } 4846 RHS = cast->getSubExpr(); 4847 } 4848 return false; 4849} 4850 4851void Sema::checkUnsafeExprAssigns(SourceLocation Loc, 4852 Expr *LHS, Expr *RHS) { 4853 QualType LHSType; 4854 // PropertyRef on LHS type need be directly obtained from 4855 // its declaration as it has a PsuedoType. 4856 ObjCPropertyRefExpr *PRE 4857 = dyn_cast<ObjCPropertyRefExpr>(LHS->IgnoreParens()); 4858 if (PRE && !PRE->isImplicitProperty()) { 4859 const ObjCPropertyDecl *PD = PRE->getExplicitProperty(); 4860 if (PD) 4861 LHSType = PD->getType(); 4862 } 4863 4864 if (LHSType.isNull()) 4865 LHSType = LHS->getType(); 4866 if (checkUnsafeAssigns(Loc, LHSType, RHS)) 4867 return; 4868 Qualifiers::ObjCLifetime LT = LHSType.getObjCLifetime(); 4869 // FIXME. Check for other life times. 4870 if (LT != Qualifiers::OCL_None) 4871 return; 4872 4873 if (PRE) { 4874 if (PRE->isImplicitProperty()) 4875 return; 4876 const ObjCPropertyDecl *PD = PRE->getExplicitProperty(); 4877 if (!PD) 4878 return; 4879 4880 unsigned Attributes = PD->getPropertyAttributes(); 4881 if (Attributes & ObjCPropertyDecl::OBJC_PR_assign) { 4882 // when 'assign' attribute was not explicitly specified 4883 // by user, ignore it and rely on property type itself 4884 // for lifetime info. 4885 unsigned AsWrittenAttr = PD->getPropertyAttributesAsWritten(); 4886 if (!(AsWrittenAttr & ObjCPropertyDecl::OBJC_PR_assign) && 4887 LHSType->isObjCRetainableType()) 4888 return; 4889 4890 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) { 4891 if (cast->getCastKind() == CK_ARCConsumeObject) { 4892 Diag(Loc, diag::warn_arc_retained_property_assign) 4893 << RHS->getSourceRange(); 4894 return; 4895 } 4896 RHS = cast->getSubExpr(); 4897 } 4898 } 4899 } 4900} 4901 4902//===--- CHECK: Empty statement body (-Wempty-body) ---------------------===// 4903 4904namespace { 4905bool ShouldDiagnoseEmptyStmtBody(const SourceManager &SourceMgr, 4906 SourceLocation StmtLoc, 4907 const NullStmt *Body) { 4908 // Do not warn if the body is a macro that expands to nothing, e.g: 4909 // 4910 // #define CALL(x) 4911 // if (condition) 4912 // CALL(0); 4913 // 4914 if (Body->hasLeadingEmptyMacro()) 4915 return false; 4916 4917 // Get line numbers of statement and body. 4918 bool StmtLineInvalid; 4919 unsigned StmtLine = SourceMgr.getSpellingLineNumber(StmtLoc, 4920 &StmtLineInvalid); 4921 if (StmtLineInvalid) 4922 return false; 4923 4924 bool BodyLineInvalid; 4925 unsigned BodyLine = SourceMgr.getSpellingLineNumber(Body->getSemiLoc(), 4926 &BodyLineInvalid); 4927 if (BodyLineInvalid) 4928 return false; 4929 4930 // Warn if null statement and body are on the same line. 4931 if (StmtLine != BodyLine) 4932 return false; 4933 4934 return true; 4935} 4936} // Unnamed namespace 4937 4938void Sema::DiagnoseEmptyStmtBody(SourceLocation StmtLoc, 4939 const Stmt *Body, 4940 unsigned DiagID) { 4941 // Since this is a syntactic check, don't emit diagnostic for template 4942 // instantiations, this just adds noise. 4943 if (CurrentInstantiationScope) 4944 return; 4945 4946 // The body should be a null statement. 4947 const NullStmt *NBody = dyn_cast<NullStmt>(Body); 4948 if (!NBody) 4949 return; 4950 4951 // Do the usual checks. 4952 if (!ShouldDiagnoseEmptyStmtBody(SourceMgr, StmtLoc, NBody)) 4953 return; 4954 4955 Diag(NBody->getSemiLoc(), DiagID); 4956 Diag(NBody->getSemiLoc(), diag::note_empty_body_on_separate_line); 4957} 4958 4959void Sema::DiagnoseEmptyLoopBody(const Stmt *S, 4960 const Stmt *PossibleBody) { 4961 assert(!CurrentInstantiationScope); // Ensured by caller 4962 4963 SourceLocation StmtLoc; 4964 const Stmt *Body; 4965 unsigned DiagID; 4966 if (const ForStmt *FS = dyn_cast<ForStmt>(S)) { 4967 StmtLoc = FS->getRParenLoc(); 4968 Body = FS->getBody(); 4969 DiagID = diag::warn_empty_for_body; 4970 } else if (const WhileStmt *WS = dyn_cast<WhileStmt>(S)) { 4971 StmtLoc = WS->getCond()->getSourceRange().getEnd(); 4972 Body = WS->getBody(); 4973 DiagID = diag::warn_empty_while_body; 4974 } else 4975 return; // Neither `for' nor `while'. 4976 4977 // The body should be a null statement. 4978 const NullStmt *NBody = dyn_cast<NullStmt>(Body); 4979 if (!NBody) 4980 return; 4981 4982 // Skip expensive checks if diagnostic is disabled. 4983 if (Diags.getDiagnosticLevel(DiagID, NBody->getSemiLoc()) == 4984 DiagnosticsEngine::Ignored) 4985 return; 4986 4987 // Do the usual checks. 4988 if (!ShouldDiagnoseEmptyStmtBody(SourceMgr, StmtLoc, NBody)) 4989 return; 4990 4991 // `for(...);' and `while(...);' are popular idioms, so in order to keep 4992 // noise level low, emit diagnostics only if for/while is followed by a 4993 // CompoundStmt, e.g.: 4994 // for (int i = 0; i < n; i++); 4995 // { 4996 // a(i); 4997 // } 4998 // or if for/while is followed by a statement with more indentation 4999 // than for/while itself: 5000 // for (int i = 0; i < n; i++); 5001 // a(i); 5002 bool ProbableTypo = isa<CompoundStmt>(PossibleBody); 5003 if (!ProbableTypo) { 5004 bool BodyColInvalid; 5005 unsigned BodyCol = SourceMgr.getPresumedColumnNumber( 5006 PossibleBody->getLocStart(), 5007 &BodyColInvalid); 5008 if (BodyColInvalid) 5009 return; 5010 5011 bool StmtColInvalid; 5012 unsigned StmtCol = SourceMgr.getPresumedColumnNumber( 5013 S->getLocStart(), 5014 &StmtColInvalid); 5015 if (StmtColInvalid) 5016 return; 5017 5018 if (BodyCol > StmtCol) 5019 ProbableTypo = true; 5020 } 5021 5022 if (ProbableTypo) { 5023 Diag(NBody->getSemiLoc(), DiagID); 5024 Diag(NBody->getSemiLoc(), diag::note_empty_body_on_separate_line); 5025 } 5026} 5027