SemaChecking.cpp revision 7479ef6b5dd4903a7d832b4a4207045d7005a812
1//===--- SemaChecking.cpp - Extra Semantic Checking -----------------------===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file implements extra semantic analysis beyond what is enforced 11// by the C type system. 12// 13//===----------------------------------------------------------------------===// 14 15#include "Sema.h" 16#include "clang/Analysis/Analyses/PrintfFormatString.h" 17#include "clang/AST/ASTContext.h" 18#include "clang/AST/CharUnits.h" 19#include "clang/AST/DeclObjC.h" 20#include "clang/AST/ExprCXX.h" 21#include "clang/AST/ExprObjC.h" 22#include "clang/AST/DeclObjC.h" 23#include "clang/AST/StmtCXX.h" 24#include "clang/AST/StmtObjC.h" 25#include "clang/Lex/LiteralSupport.h" 26#include "clang/Lex/Preprocessor.h" 27#include "llvm/ADT/BitVector.h" 28#include "llvm/ADT/STLExtras.h" 29#include "llvm/ADT/StringExtras.h" 30#include "llvm/Support/raw_ostream.h" 31#include "clang/Basic/TargetBuiltins.h" 32#include "clang/Basic/TargetInfo.h" 33#include <limits> 34using namespace clang; 35 36/// getLocationOfStringLiteralByte - Return a source location that points to the 37/// specified byte of the specified string literal. 38/// 39/// Strings are amazingly complex. They can be formed from multiple tokens and 40/// can have escape sequences in them in addition to the usual trigraph and 41/// escaped newline business. This routine handles this complexity. 42/// 43SourceLocation Sema::getLocationOfStringLiteralByte(const StringLiteral *SL, 44 unsigned ByteNo) const { 45 assert(!SL->isWide() && "This doesn't work for wide strings yet"); 46 47 // Loop over all of the tokens in this string until we find the one that 48 // contains the byte we're looking for. 49 unsigned TokNo = 0; 50 while (1) { 51 assert(TokNo < SL->getNumConcatenated() && "Invalid byte number!"); 52 SourceLocation StrTokLoc = SL->getStrTokenLoc(TokNo); 53 54 // Get the spelling of the string so that we can get the data that makes up 55 // the string literal, not the identifier for the macro it is potentially 56 // expanded through. 57 SourceLocation StrTokSpellingLoc = SourceMgr.getSpellingLoc(StrTokLoc); 58 59 // Re-lex the token to get its length and original spelling. 60 std::pair<FileID, unsigned> LocInfo = 61 SourceMgr.getDecomposedLoc(StrTokSpellingLoc); 62 bool Invalid = false; 63 llvm::StringRef Buffer = SourceMgr.getBufferData(LocInfo.first, &Invalid); 64 if (Invalid) 65 return StrTokSpellingLoc; 66 67 const char *StrData = Buffer.data()+LocInfo.second; 68 69 // Create a langops struct and enable trigraphs. This is sufficient for 70 // relexing tokens. 71 LangOptions LangOpts; 72 LangOpts.Trigraphs = true; 73 74 // Create a lexer starting at the beginning of this token. 75 Lexer TheLexer(StrTokSpellingLoc, LangOpts, Buffer.begin(), StrData, 76 Buffer.end()); 77 Token TheTok; 78 TheLexer.LexFromRawLexer(TheTok); 79 80 // Use the StringLiteralParser to compute the length of the string in bytes. 81 StringLiteralParser SLP(&TheTok, 1, PP, /*Complain=*/false); 82 unsigned TokNumBytes = SLP.GetStringLength(); 83 84 // If the byte is in this token, return the location of the byte. 85 if (ByteNo < TokNumBytes || 86 (ByteNo == TokNumBytes && TokNo == SL->getNumConcatenated())) { 87 unsigned Offset = 88 StringLiteralParser::getOffsetOfStringByte(TheTok, ByteNo, PP, 89 /*Complain=*/false); 90 91 // Now that we know the offset of the token in the spelling, use the 92 // preprocessor to get the offset in the original source. 93 return PP.AdvanceToTokenCharacter(StrTokLoc, Offset); 94 } 95 96 // Move to the next string token. 97 ++TokNo; 98 ByteNo -= TokNumBytes; 99 } 100} 101 102/// CheckablePrintfAttr - does a function call have a "printf" attribute 103/// and arguments that merit checking? 104bool Sema::CheckablePrintfAttr(const FormatAttr *Format, CallExpr *TheCall) { 105 if (Format->getType() == "printf") return true; 106 if (Format->getType() == "printf0") { 107 // printf0 allows null "format" string; if so don't check format/args 108 unsigned format_idx = Format->getFormatIdx() - 1; 109 // Does the index refer to the implicit object argument? 110 if (isa<CXXMemberCallExpr>(TheCall)) { 111 if (format_idx == 0) 112 return false; 113 --format_idx; 114 } 115 if (format_idx < TheCall->getNumArgs()) { 116 Expr *Format = TheCall->getArg(format_idx)->IgnoreParenCasts(); 117 if (!Format->isNullPointerConstant(Context, 118 Expr::NPC_ValueDependentIsNull)) 119 return true; 120 } 121 } 122 return false; 123} 124 125Action::OwningExprResult 126Sema::CheckBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 127 OwningExprResult TheCallResult(Owned(TheCall)); 128 129 switch (BuiltinID) { 130 case Builtin::BI__builtin___CFStringMakeConstantString: 131 assert(TheCall->getNumArgs() == 1 && 132 "Wrong # arguments to builtin CFStringMakeConstantString"); 133 if (CheckObjCString(TheCall->getArg(0))) 134 return ExprError(); 135 break; 136 case Builtin::BI__builtin_stdarg_start: 137 case Builtin::BI__builtin_va_start: 138 if (SemaBuiltinVAStart(TheCall)) 139 return ExprError(); 140 break; 141 case Builtin::BI__builtin_isgreater: 142 case Builtin::BI__builtin_isgreaterequal: 143 case Builtin::BI__builtin_isless: 144 case Builtin::BI__builtin_islessequal: 145 case Builtin::BI__builtin_islessgreater: 146 case Builtin::BI__builtin_isunordered: 147 if (SemaBuiltinUnorderedCompare(TheCall)) 148 return ExprError(); 149 break; 150 case Builtin::BI__builtin_fpclassify: 151 if (SemaBuiltinFPClassification(TheCall, 6)) 152 return ExprError(); 153 break; 154 case Builtin::BI__builtin_isfinite: 155 case Builtin::BI__builtin_isinf: 156 case Builtin::BI__builtin_isinf_sign: 157 case Builtin::BI__builtin_isnan: 158 case Builtin::BI__builtin_isnormal: 159 if (SemaBuiltinFPClassification(TheCall, 1)) 160 return ExprError(); 161 break; 162 case Builtin::BI__builtin_return_address: 163 case Builtin::BI__builtin_frame_address: { 164 llvm::APSInt Result; 165 if (SemaBuiltinConstantArg(TheCall, 0, Result)) 166 return ExprError(); 167 break; 168 } 169 case Builtin::BI__builtin_eh_return_data_regno: { 170 llvm::APSInt Result; 171 if (SemaBuiltinConstantArg(TheCall, 0, Result)) 172 return ExprError(); 173 break; 174 } 175 case Builtin::BI__builtin_shufflevector: 176 return SemaBuiltinShuffleVector(TheCall); 177 // TheCall will be freed by the smart pointer here, but that's fine, since 178 // SemaBuiltinShuffleVector guts it, but then doesn't release it. 179 case Builtin::BI__builtin_prefetch: 180 if (SemaBuiltinPrefetch(TheCall)) 181 return ExprError(); 182 break; 183 case Builtin::BI__builtin_object_size: 184 if (SemaBuiltinObjectSize(TheCall)) 185 return ExprError(); 186 break; 187 case Builtin::BI__builtin_longjmp: 188 if (SemaBuiltinLongjmp(TheCall)) 189 return ExprError(); 190 break; 191 case Builtin::BI__sync_fetch_and_add: 192 case Builtin::BI__sync_fetch_and_sub: 193 case Builtin::BI__sync_fetch_and_or: 194 case Builtin::BI__sync_fetch_and_and: 195 case Builtin::BI__sync_fetch_and_xor: 196 case Builtin::BI__sync_add_and_fetch: 197 case Builtin::BI__sync_sub_and_fetch: 198 case Builtin::BI__sync_and_and_fetch: 199 case Builtin::BI__sync_or_and_fetch: 200 case Builtin::BI__sync_xor_and_fetch: 201 case Builtin::BI__sync_val_compare_and_swap: 202 case Builtin::BI__sync_bool_compare_and_swap: 203 case Builtin::BI__sync_lock_test_and_set: 204 case Builtin::BI__sync_lock_release: 205 return SemaBuiltinAtomicOverloaded(move(TheCallResult)); 206 } 207 208 // Since the target specific builtins for each arch overlap, only check those 209 // of the arch we are compiling for. 210 if (BuiltinID >= Builtin::FirstTSBuiltin) { 211 switch (Context.Target.getTriple().getArch()) { 212 case llvm::Triple::arm: 213 case llvm::Triple::thumb: 214 if (CheckARMBuiltinFunctionCall(BuiltinID, TheCall)) 215 return ExprError(); 216 break; 217 case llvm::Triple::x86: 218 case llvm::Triple::x86_64: 219 if (CheckX86BuiltinFunctionCall(BuiltinID, TheCall)) 220 return ExprError(); 221 break; 222 default: 223 break; 224 } 225 } 226 227 return move(TheCallResult); 228} 229 230bool Sema::CheckX86BuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 231 switch (BuiltinID) { 232 case X86::BI__builtin_ia32_palignr128: 233 case X86::BI__builtin_ia32_palignr: { 234 llvm::APSInt Result; 235 if (SemaBuiltinConstantArg(TheCall, 2, Result)) 236 return true; 237 break; 238 } 239 } 240 return false; 241} 242 243// Get the valid immediate range for the specified NEON type code. 244static unsigned RFT(unsigned t, bool shift = false) { 245 bool quad = t & 0x10; 246 247 switch (t & 0x7) { 248 case 0: // i8 249 return shift ? 7 : (8 << (int)quad) - 1; 250 case 1: // i16 251 return shift ? 15 : (4 << (int)quad) - 1; 252 case 2: // i32 253 return shift ? 31 : (2 << (int)quad) - 1; 254 case 3: // i64 255 return shift ? 63 : (1 << (int)quad) - 1; 256 case 4: // f32 257 assert(!shift && "cannot shift float types!"); 258 return (2 << (int)quad) - 1; 259 case 5: // poly8 260 assert(!shift && "cannot shift polynomial types!"); 261 return (8 << (int)quad) - 1; 262 case 6: // poly16 263 assert(!shift && "cannot shift polynomial types!"); 264 return (4 << (int)quad) - 1; 265 case 7: // float16 266 assert(!shift && "cannot shift float types!"); 267 return (4 << (int)quad) - 1; 268 } 269 return 0; 270} 271 272bool Sema::CheckARMBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 273 llvm::APSInt Result; 274 275 unsigned mask = 0; 276 unsigned TV = 0; 277 switch (BuiltinID) { 278#define GET_NEON_OVERLOAD_CHECK 279#include "clang/Basic/arm_neon.inc" 280#undef GET_NEON_OVERLOAD_CHECK 281 } 282 283 // For NEON intrinsics which are overloaded on vector element type, validate 284 // the immediate which specifies which variant to emit. 285 if (mask) { 286 unsigned ArgNo = TheCall->getNumArgs()-1; 287 if (SemaBuiltinConstantArg(TheCall, ArgNo, Result)) 288 return true; 289 290 TV = Result.getLimitedValue(32); 291 if ((TV > 31) || (mask & (1 << TV)) == 0) 292 return Diag(TheCall->getLocStart(), diag::err_invalid_neon_type_code) 293 << TheCall->getArg(ArgNo)->getSourceRange(); 294 } 295 296 // For NEON intrinsics which take an immediate value as part of the 297 // instruction, range check them here. 298 unsigned i = 0, l = 0, u = 0; 299 switch (BuiltinID) { 300 default: return false; 301#define GET_NEON_IMMEDIATE_CHECK 302#include "clang/Basic/arm_neon.inc" 303#undef GET_NEON_IMMEDIATE_CHECK 304 }; 305 306 // Check that the immediate argument is actually a constant. 307 if (SemaBuiltinConstantArg(TheCall, i, Result)) 308 return true; 309 310 // Range check against the upper/lower values for this isntruction. 311 unsigned Val = Result.getZExtValue(); 312 if (Val < l || Val > (u + l)) 313 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 314 << llvm::utostr(l) << llvm::utostr(u+l) 315 << TheCall->getArg(i)->getSourceRange(); 316 317 return false; 318} 319 320/// CheckFunctionCall - Check a direct function call for various correctness 321/// and safety properties not strictly enforced by the C type system. 322bool Sema::CheckFunctionCall(FunctionDecl *FDecl, CallExpr *TheCall) { 323 // Get the IdentifierInfo* for the called function. 324 IdentifierInfo *FnInfo = FDecl->getIdentifier(); 325 326 // None of the checks below are needed for functions that don't have 327 // simple names (e.g., C++ conversion functions). 328 if (!FnInfo) 329 return false; 330 331 // FIXME: This mechanism should be abstracted to be less fragile and 332 // more efficient. For example, just map function ids to custom 333 // handlers. 334 335 // Printf checking. 336 if (const FormatAttr *Format = FDecl->getAttr<FormatAttr>()) { 337 if (CheckablePrintfAttr(Format, TheCall)) { 338 bool HasVAListArg = Format->getFirstArg() == 0; 339 CheckPrintfArguments(TheCall, HasVAListArg, Format->getFormatIdx() - 1, 340 HasVAListArg ? 0 : Format->getFirstArg() - 1); 341 } 342 } 343 344 for (const NonNullAttr *NonNull = FDecl->getAttr<NonNullAttr>(); NonNull; 345 NonNull = NonNull->getNext<NonNullAttr>()) 346 CheckNonNullArguments(NonNull, TheCall); 347 348 return false; 349} 350 351bool Sema::CheckBlockCall(NamedDecl *NDecl, CallExpr *TheCall) { 352 // Printf checking. 353 const FormatAttr *Format = NDecl->getAttr<FormatAttr>(); 354 if (!Format) 355 return false; 356 357 const VarDecl *V = dyn_cast<VarDecl>(NDecl); 358 if (!V) 359 return false; 360 361 QualType Ty = V->getType(); 362 if (!Ty->isBlockPointerType()) 363 return false; 364 365 if (!CheckablePrintfAttr(Format, TheCall)) 366 return false; 367 368 bool HasVAListArg = Format->getFirstArg() == 0; 369 CheckPrintfArguments(TheCall, HasVAListArg, Format->getFormatIdx() - 1, 370 HasVAListArg ? 0 : Format->getFirstArg() - 1); 371 372 return false; 373} 374 375/// SemaBuiltinAtomicOverloaded - We have a call to a function like 376/// __sync_fetch_and_add, which is an overloaded function based on the pointer 377/// type of its first argument. The main ActOnCallExpr routines have already 378/// promoted the types of arguments because all of these calls are prototyped as 379/// void(...). 380/// 381/// This function goes through and does final semantic checking for these 382/// builtins, 383Sema::OwningExprResult 384Sema::SemaBuiltinAtomicOverloaded(OwningExprResult TheCallResult) { 385 CallExpr *TheCall = (CallExpr *)TheCallResult.get(); 386 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 387 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 388 389 // Ensure that we have at least one argument to do type inference from. 390 if (TheCall->getNumArgs() < 1) { 391 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 392 << 0 << 1 << TheCall->getNumArgs() 393 << TheCall->getCallee()->getSourceRange(); 394 return ExprError(); 395 } 396 397 // Inspect the first argument of the atomic builtin. This should always be 398 // a pointer type, whose element is an integral scalar or pointer type. 399 // Because it is a pointer type, we don't have to worry about any implicit 400 // casts here. 401 // FIXME: We don't allow floating point scalars as input. 402 Expr *FirstArg = TheCall->getArg(0); 403 if (!FirstArg->getType()->isPointerType()) { 404 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 405 << FirstArg->getType() << FirstArg->getSourceRange(); 406 return ExprError(); 407 } 408 409 QualType ValType = 410 FirstArg->getType()->getAs<PointerType>()->getPointeeType(); 411 if (!ValType->isIntegerType() && !ValType->isPointerType() && 412 !ValType->isBlockPointerType()) { 413 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer_intptr) 414 << FirstArg->getType() << FirstArg->getSourceRange(); 415 return ExprError(); 416 } 417 418 // We need to figure out which concrete builtin this maps onto. For example, 419 // __sync_fetch_and_add with a 2 byte object turns into 420 // __sync_fetch_and_add_2. 421#define BUILTIN_ROW(x) \ 422 { Builtin::BI##x##_1, Builtin::BI##x##_2, Builtin::BI##x##_4, \ 423 Builtin::BI##x##_8, Builtin::BI##x##_16 } 424 425 static const unsigned BuiltinIndices[][5] = { 426 BUILTIN_ROW(__sync_fetch_and_add), 427 BUILTIN_ROW(__sync_fetch_and_sub), 428 BUILTIN_ROW(__sync_fetch_and_or), 429 BUILTIN_ROW(__sync_fetch_and_and), 430 BUILTIN_ROW(__sync_fetch_and_xor), 431 432 BUILTIN_ROW(__sync_add_and_fetch), 433 BUILTIN_ROW(__sync_sub_and_fetch), 434 BUILTIN_ROW(__sync_and_and_fetch), 435 BUILTIN_ROW(__sync_or_and_fetch), 436 BUILTIN_ROW(__sync_xor_and_fetch), 437 438 BUILTIN_ROW(__sync_val_compare_and_swap), 439 BUILTIN_ROW(__sync_bool_compare_and_swap), 440 BUILTIN_ROW(__sync_lock_test_and_set), 441 BUILTIN_ROW(__sync_lock_release) 442 }; 443#undef BUILTIN_ROW 444 445 // Determine the index of the size. 446 unsigned SizeIndex; 447 switch (Context.getTypeSizeInChars(ValType).getQuantity()) { 448 case 1: SizeIndex = 0; break; 449 case 2: SizeIndex = 1; break; 450 case 4: SizeIndex = 2; break; 451 case 8: SizeIndex = 3; break; 452 case 16: SizeIndex = 4; break; 453 default: 454 Diag(DRE->getLocStart(), diag::err_atomic_builtin_pointer_size) 455 << FirstArg->getType() << FirstArg->getSourceRange(); 456 return ExprError(); 457 } 458 459 // Each of these builtins has one pointer argument, followed by some number of 460 // values (0, 1 or 2) followed by a potentially empty varags list of stuff 461 // that we ignore. Find out which row of BuiltinIndices to read from as well 462 // as the number of fixed args. 463 unsigned BuiltinID = FDecl->getBuiltinID(); 464 unsigned BuiltinIndex, NumFixed = 1; 465 switch (BuiltinID) { 466 default: assert(0 && "Unknown overloaded atomic builtin!"); 467 case Builtin::BI__sync_fetch_and_add: BuiltinIndex = 0; break; 468 case Builtin::BI__sync_fetch_and_sub: BuiltinIndex = 1; break; 469 case Builtin::BI__sync_fetch_and_or: BuiltinIndex = 2; break; 470 case Builtin::BI__sync_fetch_and_and: BuiltinIndex = 3; break; 471 case Builtin::BI__sync_fetch_and_xor: BuiltinIndex = 4; break; 472 473 case Builtin::BI__sync_add_and_fetch: BuiltinIndex = 5; break; 474 case Builtin::BI__sync_sub_and_fetch: BuiltinIndex = 6; break; 475 case Builtin::BI__sync_and_and_fetch: BuiltinIndex = 7; break; 476 case Builtin::BI__sync_or_and_fetch: BuiltinIndex = 8; break; 477 case Builtin::BI__sync_xor_and_fetch: BuiltinIndex = 9; break; 478 479 case Builtin::BI__sync_val_compare_and_swap: 480 BuiltinIndex = 10; 481 NumFixed = 2; 482 break; 483 case Builtin::BI__sync_bool_compare_and_swap: 484 BuiltinIndex = 11; 485 NumFixed = 2; 486 break; 487 case Builtin::BI__sync_lock_test_and_set: BuiltinIndex = 12; break; 488 case Builtin::BI__sync_lock_release: 489 BuiltinIndex = 13; 490 NumFixed = 0; 491 break; 492 } 493 494 // Now that we know how many fixed arguments we expect, first check that we 495 // have at least that many. 496 if (TheCall->getNumArgs() < 1+NumFixed) { 497 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 498 << 0 << 1+NumFixed << TheCall->getNumArgs() 499 << TheCall->getCallee()->getSourceRange(); 500 return ExprError(); 501 } 502 503 // Get the decl for the concrete builtin from this, we can tell what the 504 // concrete integer type we should convert to is. 505 unsigned NewBuiltinID = BuiltinIndices[BuiltinIndex][SizeIndex]; 506 const char *NewBuiltinName = Context.BuiltinInfo.GetName(NewBuiltinID); 507 IdentifierInfo *NewBuiltinII = PP.getIdentifierInfo(NewBuiltinName); 508 FunctionDecl *NewBuiltinDecl = 509 cast<FunctionDecl>(LazilyCreateBuiltin(NewBuiltinII, NewBuiltinID, 510 TUScope, false, DRE->getLocStart())); 511 const FunctionProtoType *BuiltinFT = 512 NewBuiltinDecl->getType()->getAs<FunctionProtoType>(); 513 514 QualType OrigValType = ValType; 515 ValType = BuiltinFT->getArgType(0)->getAs<PointerType>()->getPointeeType(); 516 517 // If the first type needs to be converted (e.g. void** -> int*), do it now. 518 if (BuiltinFT->getArgType(0) != FirstArg->getType()) { 519 ImpCastExprToType(FirstArg, BuiltinFT->getArgType(0), CastExpr::CK_BitCast); 520 TheCall->setArg(0, FirstArg); 521 } 522 523 // Next, walk the valid ones promoting to the right type. 524 for (unsigned i = 0; i != NumFixed; ++i) { 525 Expr *Arg = TheCall->getArg(i+1); 526 527 // If the argument is an implicit cast, then there was a promotion due to 528 // "...", just remove it now. 529 if (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Arg)) { 530 Arg = ICE->getSubExpr(); 531 ICE->setSubExpr(0); 532 ICE->Destroy(Context); 533 TheCall->setArg(i+1, Arg); 534 } 535 536 // GCC does an implicit conversion to the pointer or integer ValType. This 537 // can fail in some cases (1i -> int**), check for this error case now. 538 CastExpr::CastKind Kind = CastExpr::CK_Unknown; 539 CXXBaseSpecifierArray BasePath; 540 if (CheckCastTypes(Arg->getSourceRange(), ValType, Arg, Kind, BasePath)) 541 return ExprError(); 542 543 // Okay, we have something that *can* be converted to the right type. Check 544 // to see if there is a potentially weird extension going on here. This can 545 // happen when you do an atomic operation on something like an char* and 546 // pass in 42. The 42 gets converted to char. This is even more strange 547 // for things like 45.123 -> char, etc. 548 // FIXME: Do this check. 549 ImpCastExprToType(Arg, ValType, Kind); 550 TheCall->setArg(i+1, Arg); 551 } 552 553 // Switch the DeclRefExpr to refer to the new decl. 554 DRE->setDecl(NewBuiltinDecl); 555 DRE->setType(NewBuiltinDecl->getType()); 556 557 // Set the callee in the CallExpr. 558 // FIXME: This leaks the original parens and implicit casts. 559 Expr *PromotedCall = DRE; 560 UsualUnaryConversions(PromotedCall); 561 TheCall->setCallee(PromotedCall); 562 563 // Change the result type of the call to match the result type of the decl. 564 TheCall->setType(NewBuiltinDecl->getResultType()); 565 566 // If the value type was converted to an integer when processing the 567 // arguments (e.g. void* -> int), we need to convert the result back. 568 if (!Context.hasSameUnqualifiedType(ValType, OrigValType)) { 569 Expr *E = TheCallResult.takeAs<Expr>(); 570 571 assert(ValType->isIntegerType() && 572 "We always convert atomic operation values to integers."); 573 // FIXME: Handle floating point value type here too. 574 CastExpr::CastKind Kind; 575 if (OrigValType->isIntegerType()) 576 Kind = CastExpr::CK_IntegralCast; 577 else if (OrigValType->hasPointerRepresentation()) 578 Kind = CastExpr::CK_IntegralToPointer; 579 else 580 llvm_unreachable("Unhandled original value type!"); 581 582 ImpCastExprToType(E, OrigValType, Kind); 583 return Owned(E); 584 } 585 586 return move(TheCallResult); 587} 588 589 590/// CheckObjCString - Checks that the argument to the builtin 591/// CFString constructor is correct 592/// FIXME: GCC currently emits the following warning: 593/// "warning: input conversion stopped due to an input byte that does not 594/// belong to the input codeset UTF-8" 595/// Note: It might also make sense to do the UTF-16 conversion here (would 596/// simplify the backend). 597bool Sema::CheckObjCString(Expr *Arg) { 598 Arg = Arg->IgnoreParenCasts(); 599 StringLiteral *Literal = dyn_cast<StringLiteral>(Arg); 600 601 if (!Literal || Literal->isWide()) { 602 Diag(Arg->getLocStart(), diag::err_cfstring_literal_not_string_constant) 603 << Arg->getSourceRange(); 604 return true; 605 } 606 607 const char *Data = Literal->getStrData(); 608 unsigned Length = Literal->getByteLength(); 609 610 for (unsigned i = 0; i < Length; ++i) { 611 if (!Data[i]) { 612 Diag(getLocationOfStringLiteralByte(Literal, i), 613 diag::warn_cfstring_literal_contains_nul_character) 614 << Arg->getSourceRange(); 615 break; 616 } 617 } 618 619 return false; 620} 621 622/// SemaBuiltinVAStart - Check the arguments to __builtin_va_start for validity. 623/// Emit an error and return true on failure, return false on success. 624bool Sema::SemaBuiltinVAStart(CallExpr *TheCall) { 625 Expr *Fn = TheCall->getCallee(); 626 if (TheCall->getNumArgs() > 2) { 627 Diag(TheCall->getArg(2)->getLocStart(), 628 diag::err_typecheck_call_too_many_args) 629 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 630 << Fn->getSourceRange() 631 << SourceRange(TheCall->getArg(2)->getLocStart(), 632 (*(TheCall->arg_end()-1))->getLocEnd()); 633 return true; 634 } 635 636 if (TheCall->getNumArgs() < 2) { 637 return Diag(TheCall->getLocEnd(), 638 diag::err_typecheck_call_too_few_args_at_least) 639 << 0 /*function call*/ << 2 << TheCall->getNumArgs(); 640 } 641 642 // Determine whether the current function is variadic or not. 643 BlockScopeInfo *CurBlock = getCurBlock(); 644 bool isVariadic; 645 if (CurBlock) 646 isVariadic = CurBlock->TheDecl->isVariadic(); 647 else if (FunctionDecl *FD = getCurFunctionDecl()) 648 isVariadic = FD->isVariadic(); 649 else 650 isVariadic = getCurMethodDecl()->isVariadic(); 651 652 if (!isVariadic) { 653 Diag(Fn->getLocStart(), diag::err_va_start_used_in_non_variadic_function); 654 return true; 655 } 656 657 // Verify that the second argument to the builtin is the last argument of the 658 // current function or method. 659 bool SecondArgIsLastNamedArgument = false; 660 const Expr *Arg = TheCall->getArg(1)->IgnoreParenCasts(); 661 662 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Arg)) { 663 if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(DR->getDecl())) { 664 // FIXME: This isn't correct for methods (results in bogus warning). 665 // Get the last formal in the current function. 666 const ParmVarDecl *LastArg; 667 if (CurBlock) 668 LastArg = *(CurBlock->TheDecl->param_end()-1); 669 else if (FunctionDecl *FD = getCurFunctionDecl()) 670 LastArg = *(FD->param_end()-1); 671 else 672 LastArg = *(getCurMethodDecl()->param_end()-1); 673 SecondArgIsLastNamedArgument = PV == LastArg; 674 } 675 } 676 677 if (!SecondArgIsLastNamedArgument) 678 Diag(TheCall->getArg(1)->getLocStart(), 679 diag::warn_second_parameter_of_va_start_not_last_named_argument); 680 return false; 681} 682 683/// SemaBuiltinUnorderedCompare - Handle functions like __builtin_isgreater and 684/// friends. This is declared to take (...), so we have to check everything. 685bool Sema::SemaBuiltinUnorderedCompare(CallExpr *TheCall) { 686 if (TheCall->getNumArgs() < 2) 687 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 688 << 0 << 2 << TheCall->getNumArgs()/*function call*/; 689 if (TheCall->getNumArgs() > 2) 690 return Diag(TheCall->getArg(2)->getLocStart(), 691 diag::err_typecheck_call_too_many_args) 692 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 693 << SourceRange(TheCall->getArg(2)->getLocStart(), 694 (*(TheCall->arg_end()-1))->getLocEnd()); 695 696 Expr *OrigArg0 = TheCall->getArg(0); 697 Expr *OrigArg1 = TheCall->getArg(1); 698 699 // Do standard promotions between the two arguments, returning their common 700 // type. 701 QualType Res = UsualArithmeticConversions(OrigArg0, OrigArg1, false); 702 703 // Make sure any conversions are pushed back into the call; this is 704 // type safe since unordered compare builtins are declared as "_Bool 705 // foo(...)". 706 TheCall->setArg(0, OrigArg0); 707 TheCall->setArg(1, OrigArg1); 708 709 if (OrigArg0->isTypeDependent() || OrigArg1->isTypeDependent()) 710 return false; 711 712 // If the common type isn't a real floating type, then the arguments were 713 // invalid for this operation. 714 if (!Res->isRealFloatingType()) 715 return Diag(OrigArg0->getLocStart(), 716 diag::err_typecheck_call_invalid_ordered_compare) 717 << OrigArg0->getType() << OrigArg1->getType() 718 << SourceRange(OrigArg0->getLocStart(), OrigArg1->getLocEnd()); 719 720 return false; 721} 722 723/// SemaBuiltinSemaBuiltinFPClassification - Handle functions like 724/// __builtin_isnan and friends. This is declared to take (...), so we have 725/// to check everything. We expect the last argument to be a floating point 726/// value. 727bool Sema::SemaBuiltinFPClassification(CallExpr *TheCall, unsigned NumArgs) { 728 if (TheCall->getNumArgs() < NumArgs) 729 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 730 << 0 << NumArgs << TheCall->getNumArgs()/*function call*/; 731 if (TheCall->getNumArgs() > NumArgs) 732 return Diag(TheCall->getArg(NumArgs)->getLocStart(), 733 diag::err_typecheck_call_too_many_args) 734 << 0 /*function call*/ << NumArgs << TheCall->getNumArgs() 735 << SourceRange(TheCall->getArg(NumArgs)->getLocStart(), 736 (*(TheCall->arg_end()-1))->getLocEnd()); 737 738 Expr *OrigArg = TheCall->getArg(NumArgs-1); 739 740 if (OrigArg->isTypeDependent()) 741 return false; 742 743 // This operation requires a non-_Complex floating-point number. 744 if (!OrigArg->getType()->isRealFloatingType()) 745 return Diag(OrigArg->getLocStart(), 746 diag::err_typecheck_call_invalid_unary_fp) 747 << OrigArg->getType() << OrigArg->getSourceRange(); 748 749 // If this is an implicit conversion from float -> double, remove it. 750 if (ImplicitCastExpr *Cast = dyn_cast<ImplicitCastExpr>(OrigArg)) { 751 Expr *CastArg = Cast->getSubExpr(); 752 if (CastArg->getType()->isSpecificBuiltinType(BuiltinType::Float)) { 753 assert(Cast->getType()->isSpecificBuiltinType(BuiltinType::Double) && 754 "promotion from float to double is the only expected cast here"); 755 Cast->setSubExpr(0); 756 Cast->Destroy(Context); 757 TheCall->setArg(NumArgs-1, CastArg); 758 OrigArg = CastArg; 759 } 760 } 761 762 return false; 763} 764 765/// SemaBuiltinShuffleVector - Handle __builtin_shufflevector. 766// This is declared to take (...), so we have to check everything. 767Action::OwningExprResult Sema::SemaBuiltinShuffleVector(CallExpr *TheCall) { 768 if (TheCall->getNumArgs() < 2) 769 return ExprError(Diag(TheCall->getLocEnd(), 770 diag::err_typecheck_call_too_few_args_at_least) 771 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 772 << TheCall->getSourceRange()); 773 774 // Determine which of the following types of shufflevector we're checking: 775 // 1) unary, vector mask: (lhs, mask) 776 // 2) binary, vector mask: (lhs, rhs, mask) 777 // 3) binary, scalar mask: (lhs, rhs, index, ..., index) 778 QualType resType = TheCall->getArg(0)->getType(); 779 unsigned numElements = 0; 780 781 if (!TheCall->getArg(0)->isTypeDependent() && 782 !TheCall->getArg(1)->isTypeDependent()) { 783 QualType LHSType = TheCall->getArg(0)->getType(); 784 QualType RHSType = TheCall->getArg(1)->getType(); 785 786 if (!LHSType->isVectorType() || !RHSType->isVectorType()) { 787 Diag(TheCall->getLocStart(), diag::err_shufflevector_non_vector) 788 << SourceRange(TheCall->getArg(0)->getLocStart(), 789 TheCall->getArg(1)->getLocEnd()); 790 return ExprError(); 791 } 792 793 numElements = LHSType->getAs<VectorType>()->getNumElements(); 794 unsigned numResElements = TheCall->getNumArgs() - 2; 795 796 // Check to see if we have a call with 2 vector arguments, the unary shuffle 797 // with mask. If so, verify that RHS is an integer vector type with the 798 // same number of elts as lhs. 799 if (TheCall->getNumArgs() == 2) { 800 if (!RHSType->isIntegerType() || 801 RHSType->getAs<VectorType>()->getNumElements() != numElements) 802 Diag(TheCall->getLocStart(), diag::err_shufflevector_incompatible_vector) 803 << SourceRange(TheCall->getArg(1)->getLocStart(), 804 TheCall->getArg(1)->getLocEnd()); 805 numResElements = numElements; 806 } 807 else if (!Context.hasSameUnqualifiedType(LHSType, RHSType)) { 808 Diag(TheCall->getLocStart(), diag::err_shufflevector_incompatible_vector) 809 << SourceRange(TheCall->getArg(0)->getLocStart(), 810 TheCall->getArg(1)->getLocEnd()); 811 return ExprError(); 812 } else if (numElements != numResElements) { 813 QualType eltType = LHSType->getAs<VectorType>()->getElementType(); 814 resType = Context.getVectorType(eltType, numResElements, 815 VectorType::NotAltiVec); 816 } 817 } 818 819 for (unsigned i = 2; i < TheCall->getNumArgs(); i++) { 820 if (TheCall->getArg(i)->isTypeDependent() || 821 TheCall->getArg(i)->isValueDependent()) 822 continue; 823 824 llvm::APSInt Result(32); 825 if (!TheCall->getArg(i)->isIntegerConstantExpr(Result, Context)) 826 return ExprError(Diag(TheCall->getLocStart(), 827 diag::err_shufflevector_nonconstant_argument) 828 << TheCall->getArg(i)->getSourceRange()); 829 830 if (Result.getActiveBits() > 64 || Result.getZExtValue() >= numElements*2) 831 return ExprError(Diag(TheCall->getLocStart(), 832 diag::err_shufflevector_argument_too_large) 833 << TheCall->getArg(i)->getSourceRange()); 834 } 835 836 llvm::SmallVector<Expr*, 32> exprs; 837 838 for (unsigned i = 0, e = TheCall->getNumArgs(); i != e; i++) { 839 exprs.push_back(TheCall->getArg(i)); 840 TheCall->setArg(i, 0); 841 } 842 843 return Owned(new (Context) ShuffleVectorExpr(Context, exprs.begin(), 844 exprs.size(), resType, 845 TheCall->getCallee()->getLocStart(), 846 TheCall->getRParenLoc())); 847} 848 849/// SemaBuiltinPrefetch - Handle __builtin_prefetch. 850// This is declared to take (const void*, ...) and can take two 851// optional constant int args. 852bool Sema::SemaBuiltinPrefetch(CallExpr *TheCall) { 853 unsigned NumArgs = TheCall->getNumArgs(); 854 855 if (NumArgs > 3) 856 return Diag(TheCall->getLocEnd(), 857 diag::err_typecheck_call_too_many_args_at_most) 858 << 0 /*function call*/ << 3 << NumArgs 859 << TheCall->getSourceRange(); 860 861 // Argument 0 is checked for us and the remaining arguments must be 862 // constant integers. 863 for (unsigned i = 1; i != NumArgs; ++i) { 864 Expr *Arg = TheCall->getArg(i); 865 866 llvm::APSInt Result; 867 if (SemaBuiltinConstantArg(TheCall, i, Result)) 868 return true; 869 870 // FIXME: gcc issues a warning and rewrites these to 0. These 871 // seems especially odd for the third argument since the default 872 // is 3. 873 if (i == 1) { 874 if (Result.getLimitedValue() > 1) 875 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 876 << "0" << "1" << Arg->getSourceRange(); 877 } else { 878 if (Result.getLimitedValue() > 3) 879 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 880 << "0" << "3" << Arg->getSourceRange(); 881 } 882 } 883 884 return false; 885} 886 887/// SemaBuiltinConstantArg - Handle a check if argument ArgNum of CallExpr 888/// TheCall is a constant expression. 889bool Sema::SemaBuiltinConstantArg(CallExpr *TheCall, int ArgNum, 890 llvm::APSInt &Result) { 891 Expr *Arg = TheCall->getArg(ArgNum); 892 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 893 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 894 895 if (Arg->isTypeDependent() || Arg->isValueDependent()) return false; 896 897 if (!Arg->isIntegerConstantExpr(Result, Context)) 898 return Diag(TheCall->getLocStart(), diag::err_constant_integer_arg_type) 899 << FDecl->getDeclName() << Arg->getSourceRange(); 900 901 return false; 902} 903 904/// SemaBuiltinObjectSize - Handle __builtin_object_size(void *ptr, 905/// int type). This simply type checks that type is one of the defined 906/// constants (0-3). 907// For compatability check 0-3, llvm only handles 0 and 2. 908bool Sema::SemaBuiltinObjectSize(CallExpr *TheCall) { 909 llvm::APSInt Result; 910 911 // Check constant-ness first. 912 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 913 return true; 914 915 Expr *Arg = TheCall->getArg(1); 916 if (Result.getSExtValue() < 0 || Result.getSExtValue() > 3) { 917 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 918 << "0" << "3" << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 919 } 920 921 return false; 922} 923 924/// SemaBuiltinLongjmp - Handle __builtin_longjmp(void *env[5], int val). 925/// This checks that val is a constant 1. 926bool Sema::SemaBuiltinLongjmp(CallExpr *TheCall) { 927 Expr *Arg = TheCall->getArg(1); 928 llvm::APSInt Result; 929 930 // TODO: This is less than ideal. Overload this to take a value. 931 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 932 return true; 933 934 if (Result != 1) 935 return Diag(TheCall->getLocStart(), diag::err_builtin_longjmp_invalid_val) 936 << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 937 938 return false; 939} 940 941// Handle i > 1 ? "x" : "y", recursivelly 942bool Sema::SemaCheckStringLiteral(const Expr *E, const CallExpr *TheCall, 943 bool HasVAListArg, 944 unsigned format_idx, unsigned firstDataArg) { 945 if (E->isTypeDependent() || E->isValueDependent()) 946 return false; 947 948 switch (E->getStmtClass()) { 949 case Stmt::ConditionalOperatorClass: { 950 const ConditionalOperator *C = cast<ConditionalOperator>(E); 951 return SemaCheckStringLiteral(C->getTrueExpr(), TheCall, 952 HasVAListArg, format_idx, firstDataArg) 953 && SemaCheckStringLiteral(C->getRHS(), TheCall, 954 HasVAListArg, format_idx, firstDataArg); 955 } 956 957 case Stmt::ImplicitCastExprClass: { 958 const ImplicitCastExpr *Expr = cast<ImplicitCastExpr>(E); 959 return SemaCheckStringLiteral(Expr->getSubExpr(), TheCall, HasVAListArg, 960 format_idx, firstDataArg); 961 } 962 963 case Stmt::ParenExprClass: { 964 const ParenExpr *Expr = cast<ParenExpr>(E); 965 return SemaCheckStringLiteral(Expr->getSubExpr(), TheCall, HasVAListArg, 966 format_idx, firstDataArg); 967 } 968 969 case Stmt::DeclRefExprClass: { 970 const DeclRefExpr *DR = cast<DeclRefExpr>(E); 971 972 // As an exception, do not flag errors for variables binding to 973 // const string literals. 974 if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) { 975 bool isConstant = false; 976 QualType T = DR->getType(); 977 978 if (const ArrayType *AT = Context.getAsArrayType(T)) { 979 isConstant = AT->getElementType().isConstant(Context); 980 } else if (const PointerType *PT = T->getAs<PointerType>()) { 981 isConstant = T.isConstant(Context) && 982 PT->getPointeeType().isConstant(Context); 983 } 984 985 if (isConstant) { 986 if (const Expr *Init = VD->getAnyInitializer()) 987 return SemaCheckStringLiteral(Init, TheCall, 988 HasVAListArg, format_idx, firstDataArg); 989 } 990 991 // For vprintf* functions (i.e., HasVAListArg==true), we add a 992 // special check to see if the format string is a function parameter 993 // of the function calling the printf function. If the function 994 // has an attribute indicating it is a printf-like function, then we 995 // should suppress warnings concerning non-literals being used in a call 996 // to a vprintf function. For example: 997 // 998 // void 999 // logmessage(char const *fmt __attribute__ (format (printf, 1, 2)), ...){ 1000 // va_list ap; 1001 // va_start(ap, fmt); 1002 // vprintf(fmt, ap); // Do NOT emit a warning about "fmt". 1003 // ... 1004 // 1005 // 1006 // FIXME: We don't have full attribute support yet, so just check to see 1007 // if the argument is a DeclRefExpr that references a parameter. We'll 1008 // add proper support for checking the attribute later. 1009 if (HasVAListArg) 1010 if (isa<ParmVarDecl>(VD)) 1011 return true; 1012 } 1013 1014 return false; 1015 } 1016 1017 case Stmt::CallExprClass: { 1018 const CallExpr *CE = cast<CallExpr>(E); 1019 if (const ImplicitCastExpr *ICE 1020 = dyn_cast<ImplicitCastExpr>(CE->getCallee())) { 1021 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(ICE->getSubExpr())) { 1022 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(DRE->getDecl())) { 1023 if (const FormatArgAttr *FA = FD->getAttr<FormatArgAttr>()) { 1024 unsigned ArgIndex = FA->getFormatIdx(); 1025 const Expr *Arg = CE->getArg(ArgIndex - 1); 1026 1027 return SemaCheckStringLiteral(Arg, TheCall, HasVAListArg, 1028 format_idx, firstDataArg); 1029 } 1030 } 1031 } 1032 } 1033 1034 return false; 1035 } 1036 case Stmt::ObjCStringLiteralClass: 1037 case Stmt::StringLiteralClass: { 1038 const StringLiteral *StrE = NULL; 1039 1040 if (const ObjCStringLiteral *ObjCFExpr = dyn_cast<ObjCStringLiteral>(E)) 1041 StrE = ObjCFExpr->getString(); 1042 else 1043 StrE = cast<StringLiteral>(E); 1044 1045 if (StrE) { 1046 CheckPrintfString(StrE, E, TheCall, HasVAListArg, format_idx, 1047 firstDataArg); 1048 return true; 1049 } 1050 1051 return false; 1052 } 1053 1054 default: 1055 return false; 1056 } 1057} 1058 1059void 1060Sema::CheckNonNullArguments(const NonNullAttr *NonNull, 1061 const CallExpr *TheCall) { 1062 for (NonNullAttr::iterator i = NonNull->begin(), e = NonNull->end(); 1063 i != e; ++i) { 1064 const Expr *ArgExpr = TheCall->getArg(*i); 1065 if (ArgExpr->isNullPointerConstant(Context, 1066 Expr::NPC_ValueDependentIsNotNull)) 1067 Diag(TheCall->getCallee()->getLocStart(), diag::warn_null_arg) 1068 << ArgExpr->getSourceRange(); 1069 } 1070} 1071 1072/// CheckPrintfArguments - Check calls to printf (and similar functions) for 1073/// correct use of format strings. 1074/// 1075/// HasVAListArg - A predicate indicating whether the printf-like 1076/// function is passed an explicit va_arg argument (e.g., vprintf) 1077/// 1078/// format_idx - The index into Args for the format string. 1079/// 1080/// Improper format strings to functions in the printf family can be 1081/// the source of bizarre bugs and very serious security holes. A 1082/// good source of information is available in the following paper 1083/// (which includes additional references): 1084/// 1085/// FormatGuard: Automatic Protection From printf Format String 1086/// Vulnerabilities, Proceedings of the 10th USENIX Security Symposium, 2001. 1087/// 1088/// TODO: 1089/// Functionality implemented: 1090/// 1091/// We can statically check the following properties for string 1092/// literal format strings for non v.*printf functions (where the 1093/// arguments are passed directly): 1094// 1095/// (1) Are the number of format conversions equal to the number of 1096/// data arguments? 1097/// 1098/// (2) Does each format conversion correctly match the type of the 1099/// corresponding data argument? 1100/// 1101/// Moreover, for all printf functions we can: 1102/// 1103/// (3) Check for a missing format string (when not caught by type checking). 1104/// 1105/// (4) Check for no-operation flags; e.g. using "#" with format 1106/// conversion 'c' (TODO) 1107/// 1108/// (5) Check the use of '%n', a major source of security holes. 1109/// 1110/// (6) Check for malformed format conversions that don't specify anything. 1111/// 1112/// (7) Check for empty format strings. e.g: printf(""); 1113/// 1114/// (8) Check that the format string is a wide literal. 1115/// 1116/// All of these checks can be done by parsing the format string. 1117/// 1118void 1119Sema::CheckPrintfArguments(const CallExpr *TheCall, bool HasVAListArg, 1120 unsigned format_idx, unsigned firstDataArg) { 1121 const Expr *Fn = TheCall->getCallee(); 1122 1123 // The way the format attribute works in GCC, the implicit this argument 1124 // of member functions is counted. However, it doesn't appear in our own 1125 // lists, so decrement format_idx in that case. 1126 if (isa<CXXMemberCallExpr>(TheCall)) { 1127 // Catch a format attribute mistakenly referring to the object argument. 1128 if (format_idx == 0) 1129 return; 1130 --format_idx; 1131 if(firstDataArg != 0) 1132 --firstDataArg; 1133 } 1134 1135 // CHECK: printf-like function is called with no format string. 1136 if (format_idx >= TheCall->getNumArgs()) { 1137 Diag(TheCall->getRParenLoc(), diag::warn_printf_missing_format_string) 1138 << Fn->getSourceRange(); 1139 return; 1140 } 1141 1142 const Expr *OrigFormatExpr = TheCall->getArg(format_idx)->IgnoreParenCasts(); 1143 1144 // CHECK: format string is not a string literal. 1145 // 1146 // Dynamically generated format strings are difficult to 1147 // automatically vet at compile time. Requiring that format strings 1148 // are string literals: (1) permits the checking of format strings by 1149 // the compiler and thereby (2) can practically remove the source of 1150 // many format string exploits. 1151 1152 // Format string can be either ObjC string (e.g. @"%d") or 1153 // C string (e.g. "%d") 1154 // ObjC string uses the same format specifiers as C string, so we can use 1155 // the same format string checking logic for both ObjC and C strings. 1156 if (SemaCheckStringLiteral(OrigFormatExpr, TheCall, HasVAListArg, format_idx, 1157 firstDataArg)) 1158 return; // Literal format string found, check done! 1159 1160 // If there are no arguments specified, warn with -Wformat-security, otherwise 1161 // warn only with -Wformat-nonliteral. 1162 if (TheCall->getNumArgs() == format_idx+1) 1163 Diag(TheCall->getArg(format_idx)->getLocStart(), 1164 diag::warn_printf_nonliteral_noargs) 1165 << OrigFormatExpr->getSourceRange(); 1166 else 1167 Diag(TheCall->getArg(format_idx)->getLocStart(), 1168 diag::warn_printf_nonliteral) 1169 << OrigFormatExpr->getSourceRange(); 1170} 1171 1172namespace { 1173class CheckPrintfHandler : public analyze_printf::FormatStringHandler { 1174 Sema &S; 1175 const StringLiteral *FExpr; 1176 const Expr *OrigFormatExpr; 1177 const unsigned FirstDataArg; 1178 const unsigned NumDataArgs; 1179 const bool IsObjCLiteral; 1180 const char *Beg; // Start of format string. 1181 const bool HasVAListArg; 1182 const CallExpr *TheCall; 1183 unsigned FormatIdx; 1184 llvm::BitVector CoveredArgs; 1185 bool usesPositionalArgs; 1186 bool atFirstArg; 1187public: 1188 CheckPrintfHandler(Sema &s, const StringLiteral *fexpr, 1189 const Expr *origFormatExpr, unsigned firstDataArg, 1190 unsigned numDataArgs, bool isObjCLiteral, 1191 const char *beg, bool hasVAListArg, 1192 const CallExpr *theCall, unsigned formatIdx) 1193 : S(s), FExpr(fexpr), OrigFormatExpr(origFormatExpr), 1194 FirstDataArg(firstDataArg), 1195 NumDataArgs(numDataArgs), 1196 IsObjCLiteral(isObjCLiteral), Beg(beg), 1197 HasVAListArg(hasVAListArg), 1198 TheCall(theCall), FormatIdx(formatIdx), 1199 usesPositionalArgs(false), atFirstArg(true) { 1200 CoveredArgs.resize(numDataArgs); 1201 CoveredArgs.reset(); 1202 } 1203 1204 void DoneProcessing(); 1205 1206 void HandleIncompleteFormatSpecifier(const char *startSpecifier, 1207 unsigned specifierLen); 1208 1209 bool 1210 HandleInvalidConversionSpecifier(const analyze_printf::FormatSpecifier &FS, 1211 const char *startSpecifier, 1212 unsigned specifierLen); 1213 1214 virtual void HandleInvalidPosition(const char *startSpecifier, 1215 unsigned specifierLen, 1216 analyze_printf::PositionContext p); 1217 1218 virtual void HandleZeroPosition(const char *startPos, unsigned posLen); 1219 1220 void HandleNullChar(const char *nullCharacter); 1221 1222 bool HandleFormatSpecifier(const analyze_printf::FormatSpecifier &FS, 1223 const char *startSpecifier, 1224 unsigned specifierLen); 1225private: 1226 SourceRange getFormatStringRange(); 1227 CharSourceRange getFormatSpecifierRange(const char *startSpecifier, 1228 unsigned specifierLen); 1229 SourceLocation getLocationOfByte(const char *x); 1230 1231 bool HandleAmount(const analyze_printf::OptionalAmount &Amt, unsigned k, 1232 const char *startSpecifier, unsigned specifierLen); 1233 void HandleInvalidAmount(const analyze_printf::FormatSpecifier &FS, 1234 const analyze_printf::OptionalAmount &Amt, 1235 unsigned type, 1236 const char *startSpecifier, unsigned specifierLen); 1237 void HandleFlag(const analyze_printf::FormatSpecifier &FS, 1238 const analyze_printf::OptionalFlag &flag, 1239 const char *startSpecifier, unsigned specifierLen); 1240 void HandleIgnoredFlag(const analyze_printf::FormatSpecifier &FS, 1241 const analyze_printf::OptionalFlag &ignoredFlag, 1242 const analyze_printf::OptionalFlag &flag, 1243 const char *startSpecifier, unsigned specifierLen); 1244 1245 const Expr *getDataArg(unsigned i) const; 1246}; 1247} 1248 1249SourceRange CheckPrintfHandler::getFormatStringRange() { 1250 return OrigFormatExpr->getSourceRange(); 1251} 1252 1253CharSourceRange CheckPrintfHandler:: 1254getFormatSpecifierRange(const char *startSpecifier, unsigned specifierLen) { 1255 SourceLocation Start = getLocationOfByte(startSpecifier); 1256 SourceLocation End = getLocationOfByte(startSpecifier + specifierLen - 1); 1257 1258 // Advance the end SourceLocation by one due to half-open ranges. 1259 End = End.getFileLocWithOffset(1); 1260 1261 return CharSourceRange::getCharRange(Start, End); 1262} 1263 1264SourceLocation CheckPrintfHandler::getLocationOfByte(const char *x) { 1265 return S.getLocationOfStringLiteralByte(FExpr, x - Beg); 1266} 1267 1268void CheckPrintfHandler:: 1269HandleIncompleteFormatSpecifier(const char *startSpecifier, 1270 unsigned specifierLen) { 1271 SourceLocation Loc = getLocationOfByte(startSpecifier); 1272 S.Diag(Loc, diag::warn_printf_incomplete_specifier) 1273 << getFormatSpecifierRange(startSpecifier, specifierLen); 1274} 1275 1276void 1277CheckPrintfHandler::HandleInvalidPosition(const char *startPos, unsigned posLen, 1278 analyze_printf::PositionContext p) { 1279 SourceLocation Loc = getLocationOfByte(startPos); 1280 S.Diag(Loc, diag::warn_printf_invalid_positional_specifier) 1281 << (unsigned) p << getFormatSpecifierRange(startPos, posLen); 1282} 1283 1284void CheckPrintfHandler::HandleZeroPosition(const char *startPos, 1285 unsigned posLen) { 1286 SourceLocation Loc = getLocationOfByte(startPos); 1287 S.Diag(Loc, diag::warn_printf_zero_positional_specifier) 1288 << getFormatSpecifierRange(startPos, posLen); 1289} 1290 1291bool CheckPrintfHandler:: 1292HandleInvalidConversionSpecifier(const analyze_printf::FormatSpecifier &FS, 1293 const char *startSpecifier, 1294 unsigned specifierLen) { 1295 1296 unsigned argIndex = FS.getArgIndex(); 1297 bool keepGoing = true; 1298 if (argIndex < NumDataArgs) { 1299 // Consider the argument coverered, even though the specifier doesn't 1300 // make sense. 1301 CoveredArgs.set(argIndex); 1302 } 1303 else { 1304 // If argIndex exceeds the number of data arguments we 1305 // don't issue a warning because that is just a cascade of warnings (and 1306 // they may have intended '%%' anyway). We don't want to continue processing 1307 // the format string after this point, however, as we will like just get 1308 // gibberish when trying to match arguments. 1309 keepGoing = false; 1310 } 1311 1312 const analyze_printf::ConversionSpecifier &CS = 1313 FS.getConversionSpecifier(); 1314 SourceLocation Loc = getLocationOfByte(CS.getStart()); 1315 S.Diag(Loc, diag::warn_printf_invalid_conversion) 1316 << llvm::StringRef(CS.getStart(), CS.getLength()) 1317 << getFormatSpecifierRange(startSpecifier, specifierLen); 1318 1319 return keepGoing; 1320} 1321 1322void CheckPrintfHandler::HandleNullChar(const char *nullCharacter) { 1323 // The presence of a null character is likely an error. 1324 S.Diag(getLocationOfByte(nullCharacter), 1325 diag::warn_printf_format_string_contains_null_char) 1326 << getFormatStringRange(); 1327} 1328 1329const Expr *CheckPrintfHandler::getDataArg(unsigned i) const { 1330 return TheCall->getArg(FirstDataArg + i); 1331} 1332 1333bool 1334CheckPrintfHandler::HandleAmount(const analyze_printf::OptionalAmount &Amt, 1335 unsigned k, const char *startSpecifier, 1336 unsigned specifierLen) { 1337 1338 if (Amt.hasDataArgument()) { 1339 if (!HasVAListArg) { 1340 unsigned argIndex = Amt.getArgIndex(); 1341 if (argIndex >= NumDataArgs) { 1342 S.Diag(getLocationOfByte(Amt.getStart()), 1343 diag::warn_printf_asterisk_missing_arg) 1344 << k << getFormatSpecifierRange(startSpecifier, specifierLen); 1345 // Don't do any more checking. We will just emit 1346 // spurious errors. 1347 return false; 1348 } 1349 1350 // Type check the data argument. It should be an 'int'. 1351 // Although not in conformance with C99, we also allow the argument to be 1352 // an 'unsigned int' as that is a reasonably safe case. GCC also 1353 // doesn't emit a warning for that case. 1354 CoveredArgs.set(argIndex); 1355 const Expr *Arg = getDataArg(argIndex); 1356 QualType T = Arg->getType(); 1357 1358 const analyze_printf::ArgTypeResult &ATR = Amt.getArgType(S.Context); 1359 assert(ATR.isValid()); 1360 1361 if (!ATR.matchesType(S.Context, T)) { 1362 S.Diag(getLocationOfByte(Amt.getStart()), 1363 diag::warn_printf_asterisk_wrong_type) 1364 << k 1365 << ATR.getRepresentativeType(S.Context) << T 1366 << getFormatSpecifierRange(startSpecifier, specifierLen) 1367 << Arg->getSourceRange(); 1368 // Don't do any more checking. We will just emit 1369 // spurious errors. 1370 return false; 1371 } 1372 } 1373 } 1374 return true; 1375} 1376 1377void CheckPrintfHandler::HandleInvalidAmount( 1378 const analyze_printf::FormatSpecifier &FS, 1379 const analyze_printf::OptionalAmount &Amt, 1380 unsigned type, 1381 const char *startSpecifier, 1382 unsigned specifierLen) { 1383 const analyze_printf::ConversionSpecifier &CS = FS.getConversionSpecifier(); 1384 switch (Amt.getHowSpecified()) { 1385 case analyze_printf::OptionalAmount::Constant: 1386 S.Diag(getLocationOfByte(Amt.getStart()), 1387 diag::warn_printf_nonsensical_optional_amount) 1388 << type 1389 << CS.toString() 1390 << getFormatSpecifierRange(startSpecifier, specifierLen) 1391 << FixItHint::CreateRemoval(getFormatSpecifierRange(Amt.getStart(), 1392 Amt.getConstantLength())); 1393 break; 1394 1395 default: 1396 S.Diag(getLocationOfByte(Amt.getStart()), 1397 diag::warn_printf_nonsensical_optional_amount) 1398 << type 1399 << CS.toString() 1400 << getFormatSpecifierRange(startSpecifier, specifierLen); 1401 break; 1402 } 1403} 1404 1405void CheckPrintfHandler::HandleFlag(const analyze_printf::FormatSpecifier &FS, 1406 const analyze_printf::OptionalFlag &flag, 1407 const char *startSpecifier, 1408 unsigned specifierLen) { 1409 // Warn about pointless flag with a fixit removal. 1410 const analyze_printf::ConversionSpecifier &CS = FS.getConversionSpecifier(); 1411 S.Diag(getLocationOfByte(flag.getPosition()), 1412 diag::warn_printf_nonsensical_flag) 1413 << flag.toString() << CS.toString() 1414 << getFormatSpecifierRange(startSpecifier, specifierLen) 1415 << FixItHint::CreateRemoval(getFormatSpecifierRange(flag.getPosition(), 1)); 1416} 1417 1418void CheckPrintfHandler::HandleIgnoredFlag( 1419 const analyze_printf::FormatSpecifier &FS, 1420 const analyze_printf::OptionalFlag &ignoredFlag, 1421 const analyze_printf::OptionalFlag &flag, 1422 const char *startSpecifier, 1423 unsigned specifierLen) { 1424 // Warn about ignored flag with a fixit removal. 1425 S.Diag(getLocationOfByte(ignoredFlag.getPosition()), 1426 diag::warn_printf_ignored_flag) 1427 << ignoredFlag.toString() << flag.toString() 1428 << getFormatSpecifierRange(startSpecifier, specifierLen) 1429 << FixItHint::CreateRemoval(getFormatSpecifierRange( 1430 ignoredFlag.getPosition(), 1)); 1431} 1432 1433bool 1434CheckPrintfHandler::HandleFormatSpecifier(const analyze_printf::FormatSpecifier 1435 &FS, 1436 const char *startSpecifier, 1437 unsigned specifierLen) { 1438 1439 using namespace analyze_printf; 1440 const ConversionSpecifier &CS = FS.getConversionSpecifier(); 1441 1442 if (atFirstArg) { 1443 atFirstArg = false; 1444 usesPositionalArgs = FS.usesPositionalArg(); 1445 } 1446 else if (usesPositionalArgs != FS.usesPositionalArg()) { 1447 // Cannot mix-and-match positional and non-positional arguments. 1448 S.Diag(getLocationOfByte(CS.getStart()), 1449 diag::warn_printf_mix_positional_nonpositional_args) 1450 << getFormatSpecifierRange(startSpecifier, specifierLen); 1451 return false; 1452 } 1453 1454 // First check if the field width, precision, and conversion specifier 1455 // have matching data arguments. 1456 if (!HandleAmount(FS.getFieldWidth(), /* field width */ 0, 1457 startSpecifier, specifierLen)) { 1458 return false; 1459 } 1460 1461 if (!HandleAmount(FS.getPrecision(), /* precision */ 1, 1462 startSpecifier, specifierLen)) { 1463 return false; 1464 } 1465 1466 if (!CS.consumesDataArgument()) { 1467 // FIXME: Technically specifying a precision or field width here 1468 // makes no sense. Worth issuing a warning at some point. 1469 return true; 1470 } 1471 1472 // Consume the argument. 1473 unsigned argIndex = FS.getArgIndex(); 1474 if (argIndex < NumDataArgs) { 1475 // The check to see if the argIndex is valid will come later. 1476 // We set the bit here because we may exit early from this 1477 // function if we encounter some other error. 1478 CoveredArgs.set(argIndex); 1479 } 1480 1481 // Check for using an Objective-C specific conversion specifier 1482 // in a non-ObjC literal. 1483 if (!IsObjCLiteral && CS.isObjCArg()) { 1484 return HandleInvalidConversionSpecifier(FS, startSpecifier, specifierLen); 1485 } 1486 1487 // Check for invalid use of field width 1488 if (!FS.hasValidFieldWidth()) { 1489 HandleInvalidAmount(FS, FS.getFieldWidth(), /* field width */ 0, 1490 startSpecifier, specifierLen); 1491 } 1492 1493 // Check for invalid use of precision 1494 if (!FS.hasValidPrecision()) { 1495 HandleInvalidAmount(FS, FS.getPrecision(), /* precision */ 1, 1496 startSpecifier, specifierLen); 1497 } 1498 1499 // Check each flag does not conflict with any other component. 1500 if (!FS.hasValidLeadingZeros()) 1501 HandleFlag(FS, FS.hasLeadingZeros(), startSpecifier, specifierLen); 1502 if (!FS.hasValidPlusPrefix()) 1503 HandleFlag(FS, FS.hasPlusPrefix(), startSpecifier, specifierLen); 1504 if (!FS.hasValidSpacePrefix()) 1505 HandleFlag(FS, FS.hasSpacePrefix(), startSpecifier, specifierLen); 1506 if (!FS.hasValidAlternativeForm()) 1507 HandleFlag(FS, FS.hasAlternativeForm(), startSpecifier, specifierLen); 1508 if (!FS.hasValidLeftJustified()) 1509 HandleFlag(FS, FS.isLeftJustified(), startSpecifier, specifierLen); 1510 1511 // Check that flags are not ignored by another flag 1512 if (FS.hasSpacePrefix() && FS.hasPlusPrefix()) // ' ' ignored by '+' 1513 HandleIgnoredFlag(FS, FS.hasSpacePrefix(), FS.hasPlusPrefix(), 1514 startSpecifier, specifierLen); 1515 if (FS.hasLeadingZeros() && FS.isLeftJustified()) // '0' ignored by '-' 1516 HandleIgnoredFlag(FS, FS.hasLeadingZeros(), FS.isLeftJustified(), 1517 startSpecifier, specifierLen); 1518 1519 // Check the length modifier is valid with the given conversion specifier. 1520 const LengthModifier &LM = FS.getLengthModifier(); 1521 if (!FS.hasValidLengthModifier()) 1522 S.Diag(getLocationOfByte(LM.getStart()), 1523 diag::warn_printf_nonsensical_length) 1524 << LM.toString() << CS.toString() 1525 << getFormatSpecifierRange(startSpecifier, specifierLen) 1526 << FixItHint::CreateRemoval(getFormatSpecifierRange(LM.getStart(), 1527 LM.getLength())); 1528 1529 // Are we using '%n'? 1530 if (CS.getKind() == ConversionSpecifier::OutIntPtrArg) { 1531 // Issue a warning about this being a possible security issue. 1532 S.Diag(getLocationOfByte(CS.getStart()), diag::warn_printf_write_back) 1533 << getFormatSpecifierRange(startSpecifier, specifierLen); 1534 // Continue checking the other format specifiers. 1535 return true; 1536 } 1537 1538 // The remaining checks depend on the data arguments. 1539 if (HasVAListArg) 1540 return true; 1541 1542 if (argIndex >= NumDataArgs) { 1543 if (FS.usesPositionalArg()) { 1544 S.Diag(getLocationOfByte(CS.getStart()), 1545 diag::warn_printf_positional_arg_exceeds_data_args) 1546 << (argIndex+1) << NumDataArgs 1547 << getFormatSpecifierRange(startSpecifier, specifierLen); 1548 } 1549 else { 1550 S.Diag(getLocationOfByte(CS.getStart()), 1551 diag::warn_printf_insufficient_data_args) 1552 << getFormatSpecifierRange(startSpecifier, specifierLen); 1553 } 1554 1555 // Don't do any more checking. 1556 return false; 1557 } 1558 1559 // Now type check the data expression that matches the 1560 // format specifier. 1561 const Expr *Ex = getDataArg(argIndex); 1562 const analyze_printf::ArgTypeResult &ATR = FS.getArgType(S.Context); 1563 if (ATR.isValid() && !ATR.matchesType(S.Context, Ex->getType())) { 1564 // Check if we didn't match because of an implicit cast from a 'char' 1565 // or 'short' to an 'int'. This is done because printf is a varargs 1566 // function. 1567 if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Ex)) 1568 if (ICE->getType() == S.Context.IntTy) 1569 if (ATR.matchesType(S.Context, ICE->getSubExpr()->getType())) 1570 return true; 1571 1572 // We may be able to offer a FixItHint if it is a supported type. 1573 FormatSpecifier fixedFS = FS; 1574 bool success = fixedFS.fixType(Ex->getType()); 1575 1576 if (success) { 1577 // Get the fix string from the fixed format specifier 1578 llvm::SmallString<128> buf; 1579 llvm::raw_svector_ostream os(buf); 1580 fixedFS.toString(os); 1581 1582 S.Diag(getLocationOfByte(CS.getStart()), 1583 diag::warn_printf_conversion_argument_type_mismatch) 1584 << ATR.getRepresentativeType(S.Context) << Ex->getType() 1585 << getFormatSpecifierRange(startSpecifier, specifierLen) 1586 << Ex->getSourceRange() 1587 << FixItHint::CreateReplacement( 1588 getFormatSpecifierRange(startSpecifier, specifierLen), 1589 os.str()); 1590 } 1591 else { 1592 S.Diag(getLocationOfByte(CS.getStart()), 1593 diag::warn_printf_conversion_argument_type_mismatch) 1594 << ATR.getRepresentativeType(S.Context) << Ex->getType() 1595 << getFormatSpecifierRange(startSpecifier, specifierLen) 1596 << Ex->getSourceRange(); 1597 } 1598 } 1599 1600 return true; 1601} 1602 1603void CheckPrintfHandler::DoneProcessing() { 1604 // Does the number of data arguments exceed the number of 1605 // format conversions in the format string? 1606 if (!HasVAListArg) { 1607 // Find any arguments that weren't covered. 1608 CoveredArgs.flip(); 1609 signed notCoveredArg = CoveredArgs.find_first(); 1610 if (notCoveredArg >= 0) { 1611 assert((unsigned)notCoveredArg < NumDataArgs); 1612 S.Diag(getDataArg((unsigned) notCoveredArg)->getLocStart(), 1613 diag::warn_printf_data_arg_not_used) 1614 << getFormatStringRange(); 1615 } 1616 } 1617} 1618 1619void Sema::CheckPrintfString(const StringLiteral *FExpr, 1620 const Expr *OrigFormatExpr, 1621 const CallExpr *TheCall, bool HasVAListArg, 1622 unsigned format_idx, unsigned firstDataArg) { 1623 1624 // CHECK: is the format string a wide literal? 1625 if (FExpr->isWide()) { 1626 Diag(FExpr->getLocStart(), 1627 diag::warn_printf_format_string_is_wide_literal) 1628 << OrigFormatExpr->getSourceRange(); 1629 return; 1630 } 1631 1632 // Str - The format string. NOTE: this is NOT null-terminated! 1633 const char *Str = FExpr->getStrData(); 1634 1635 // CHECK: empty format string? 1636 unsigned StrLen = FExpr->getByteLength(); 1637 1638 if (StrLen == 0) { 1639 Diag(FExpr->getLocStart(), diag::warn_printf_empty_format_string) 1640 << OrigFormatExpr->getSourceRange(); 1641 return; 1642 } 1643 1644 CheckPrintfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, 1645 TheCall->getNumArgs() - firstDataArg, 1646 isa<ObjCStringLiteral>(OrigFormatExpr), Str, 1647 HasVAListArg, TheCall, format_idx); 1648 1649 if (!analyze_printf::ParseFormatString(H, Str, Str + StrLen)) 1650 H.DoneProcessing(); 1651} 1652 1653//===--- CHECK: Return Address of Stack Variable --------------------------===// 1654 1655static DeclRefExpr* EvalVal(Expr *E); 1656static DeclRefExpr* EvalAddr(Expr* E); 1657 1658/// CheckReturnStackAddr - Check if a return statement returns the address 1659/// of a stack variable. 1660void 1661Sema::CheckReturnStackAddr(Expr *RetValExp, QualType lhsType, 1662 SourceLocation ReturnLoc) { 1663 1664 // Perform checking for returned stack addresses. 1665 if (lhsType->isPointerType() || lhsType->isBlockPointerType()) { 1666 if (DeclRefExpr *DR = EvalAddr(RetValExp)) 1667 Diag(DR->getLocStart(), diag::warn_ret_stack_addr) 1668 << DR->getDecl()->getDeclName() << RetValExp->getSourceRange(); 1669 1670 // Skip over implicit cast expressions when checking for block expressions. 1671 RetValExp = RetValExp->IgnoreParenCasts(); 1672 1673 if (BlockExpr *C = dyn_cast<BlockExpr>(RetValExp)) 1674 if (C->hasBlockDeclRefExprs()) 1675 Diag(C->getLocStart(), diag::err_ret_local_block) 1676 << C->getSourceRange(); 1677 1678 if (AddrLabelExpr *ALE = dyn_cast<AddrLabelExpr>(RetValExp)) 1679 Diag(ALE->getLocStart(), diag::warn_ret_addr_label) 1680 << ALE->getSourceRange(); 1681 1682 } else if (lhsType->isReferenceType()) { 1683 // Perform checking for stack values returned by reference. 1684 // Check for a reference to the stack 1685 if (DeclRefExpr *DR = EvalVal(RetValExp)) 1686 Diag(DR->getLocStart(), diag::warn_ret_stack_ref) 1687 << DR->getDecl()->getDeclName() << RetValExp->getSourceRange(); 1688 } 1689} 1690 1691/// EvalAddr - EvalAddr and EvalVal are mutually recursive functions that 1692/// check if the expression in a return statement evaluates to an address 1693/// to a location on the stack. The recursion is used to traverse the 1694/// AST of the return expression, with recursion backtracking when we 1695/// encounter a subexpression that (1) clearly does not lead to the address 1696/// of a stack variable or (2) is something we cannot determine leads to 1697/// the address of a stack variable based on such local checking. 1698/// 1699/// EvalAddr processes expressions that are pointers that are used as 1700/// references (and not L-values). EvalVal handles all other values. 1701/// At the base case of the recursion is a check for a DeclRefExpr* in 1702/// the refers to a stack variable. 1703/// 1704/// This implementation handles: 1705/// 1706/// * pointer-to-pointer casts 1707/// * implicit conversions from array references to pointers 1708/// * taking the address of fields 1709/// * arbitrary interplay between "&" and "*" operators 1710/// * pointer arithmetic from an address of a stack variable 1711/// * taking the address of an array element where the array is on the stack 1712static DeclRefExpr* EvalAddr(Expr *E) { 1713 // We should only be called for evaluating pointer expressions. 1714 assert((E->getType()->isAnyPointerType() || 1715 E->getType()->isBlockPointerType() || 1716 E->getType()->isObjCQualifiedIdType()) && 1717 "EvalAddr only works on pointers"); 1718 1719 // Our "symbolic interpreter" is just a dispatch off the currently 1720 // viewed AST node. We then recursively traverse the AST by calling 1721 // EvalAddr and EvalVal appropriately. 1722 switch (E->getStmtClass()) { 1723 case Stmt::ParenExprClass: 1724 // Ignore parentheses. 1725 return EvalAddr(cast<ParenExpr>(E)->getSubExpr()); 1726 1727 case Stmt::UnaryOperatorClass: { 1728 // The only unary operator that make sense to handle here 1729 // is AddrOf. All others don't make sense as pointers. 1730 UnaryOperator *U = cast<UnaryOperator>(E); 1731 1732 if (U->getOpcode() == UnaryOperator::AddrOf) 1733 return EvalVal(U->getSubExpr()); 1734 else 1735 return NULL; 1736 } 1737 1738 case Stmt::BinaryOperatorClass: { 1739 // Handle pointer arithmetic. All other binary operators are not valid 1740 // in this context. 1741 BinaryOperator *B = cast<BinaryOperator>(E); 1742 BinaryOperator::Opcode op = B->getOpcode(); 1743 1744 if (op != BinaryOperator::Add && op != BinaryOperator::Sub) 1745 return NULL; 1746 1747 Expr *Base = B->getLHS(); 1748 1749 // Determine which argument is the real pointer base. It could be 1750 // the RHS argument instead of the LHS. 1751 if (!Base->getType()->isPointerType()) Base = B->getRHS(); 1752 1753 assert (Base->getType()->isPointerType()); 1754 return EvalAddr(Base); 1755 } 1756 1757 // For conditional operators we need to see if either the LHS or RHS are 1758 // valid DeclRefExpr*s. If one of them is valid, we return it. 1759 case Stmt::ConditionalOperatorClass: { 1760 ConditionalOperator *C = cast<ConditionalOperator>(E); 1761 1762 // Handle the GNU extension for missing LHS. 1763 if (Expr *lhsExpr = C->getLHS()) 1764 if (DeclRefExpr* LHS = EvalAddr(lhsExpr)) 1765 return LHS; 1766 1767 return EvalAddr(C->getRHS()); 1768 } 1769 1770 // For casts, we need to handle conversions from arrays to 1771 // pointer values, and pointer-to-pointer conversions. 1772 case Stmt::ImplicitCastExprClass: 1773 case Stmt::CStyleCastExprClass: 1774 case Stmt::CXXFunctionalCastExprClass: { 1775 Expr* SubExpr = cast<CastExpr>(E)->getSubExpr(); 1776 QualType T = SubExpr->getType(); 1777 1778 if (SubExpr->getType()->isPointerType() || 1779 SubExpr->getType()->isBlockPointerType() || 1780 SubExpr->getType()->isObjCQualifiedIdType()) 1781 return EvalAddr(SubExpr); 1782 else if (T->isArrayType()) 1783 return EvalVal(SubExpr); 1784 else 1785 return 0; 1786 } 1787 1788 // C++ casts. For dynamic casts, static casts, and const casts, we 1789 // are always converting from a pointer-to-pointer, so we just blow 1790 // through the cast. In the case the dynamic cast doesn't fail (and 1791 // return NULL), we take the conservative route and report cases 1792 // where we return the address of a stack variable. For Reinterpre 1793 // FIXME: The comment about is wrong; we're not always converting 1794 // from pointer to pointer. I'm guessing that this code should also 1795 // handle references to objects. 1796 case Stmt::CXXStaticCastExprClass: 1797 case Stmt::CXXDynamicCastExprClass: 1798 case Stmt::CXXConstCastExprClass: 1799 case Stmt::CXXReinterpretCastExprClass: { 1800 Expr *S = cast<CXXNamedCastExpr>(E)->getSubExpr(); 1801 if (S->getType()->isPointerType() || S->getType()->isBlockPointerType()) 1802 return EvalAddr(S); 1803 else 1804 return NULL; 1805 } 1806 1807 // Everything else: we simply don't reason about them. 1808 default: 1809 return NULL; 1810 } 1811} 1812 1813 1814/// EvalVal - This function is complements EvalAddr in the mutual recursion. 1815/// See the comments for EvalAddr for more details. 1816static DeclRefExpr* EvalVal(Expr *E) { 1817 1818 // We should only be called for evaluating non-pointer expressions, or 1819 // expressions with a pointer type that are not used as references but instead 1820 // are l-values (e.g., DeclRefExpr with a pointer type). 1821 1822 // Our "symbolic interpreter" is just a dispatch off the currently 1823 // viewed AST node. We then recursively traverse the AST by calling 1824 // EvalAddr and EvalVal appropriately. 1825 switch (E->getStmtClass()) { 1826 case Stmt::DeclRefExprClass: { 1827 // DeclRefExpr: the base case. When we hit a DeclRefExpr we are looking 1828 // at code that refers to a variable's name. We check if it has local 1829 // storage within the function, and if so, return the expression. 1830 DeclRefExpr *DR = cast<DeclRefExpr>(E); 1831 1832 if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) 1833 if (V->hasLocalStorage() && !V->getType()->isReferenceType()) return DR; 1834 1835 return NULL; 1836 } 1837 1838 case Stmt::ParenExprClass: 1839 // Ignore parentheses. 1840 return EvalVal(cast<ParenExpr>(E)->getSubExpr()); 1841 1842 case Stmt::UnaryOperatorClass: { 1843 // The only unary operator that make sense to handle here 1844 // is Deref. All others don't resolve to a "name." This includes 1845 // handling all sorts of rvalues passed to a unary operator. 1846 UnaryOperator *U = cast<UnaryOperator>(E); 1847 1848 if (U->getOpcode() == UnaryOperator::Deref) 1849 return EvalAddr(U->getSubExpr()); 1850 1851 return NULL; 1852 } 1853 1854 case Stmt::ArraySubscriptExprClass: { 1855 // Array subscripts are potential references to data on the stack. We 1856 // retrieve the DeclRefExpr* for the array variable if it indeed 1857 // has local storage. 1858 return EvalAddr(cast<ArraySubscriptExpr>(E)->getBase()); 1859 } 1860 1861 case Stmt::ConditionalOperatorClass: { 1862 // For conditional operators we need to see if either the LHS or RHS are 1863 // non-NULL DeclRefExpr's. If one is non-NULL, we return it. 1864 ConditionalOperator *C = cast<ConditionalOperator>(E); 1865 1866 // Handle the GNU extension for missing LHS. 1867 if (Expr *lhsExpr = C->getLHS()) 1868 if (DeclRefExpr *LHS = EvalVal(lhsExpr)) 1869 return LHS; 1870 1871 return EvalVal(C->getRHS()); 1872 } 1873 1874 // Accesses to members are potential references to data on the stack. 1875 case Stmt::MemberExprClass: { 1876 MemberExpr *M = cast<MemberExpr>(E); 1877 1878 // Check for indirect access. We only want direct field accesses. 1879 if (!M->isArrow()) 1880 return EvalVal(M->getBase()); 1881 else 1882 return NULL; 1883 } 1884 1885 // Everything else: we simply don't reason about them. 1886 default: 1887 return NULL; 1888 } 1889} 1890 1891//===--- CHECK: Floating-Point comparisons (-Wfloat-equal) ---------------===// 1892 1893/// Check for comparisons of floating point operands using != and ==. 1894/// Issue a warning if these are no self-comparisons, as they are not likely 1895/// to do what the programmer intended. 1896void Sema::CheckFloatComparison(SourceLocation loc, Expr* lex, Expr *rex) { 1897 bool EmitWarning = true; 1898 1899 Expr* LeftExprSansParen = lex->IgnoreParens(); 1900 Expr* RightExprSansParen = rex->IgnoreParens(); 1901 1902 // Special case: check for x == x (which is OK). 1903 // Do not emit warnings for such cases. 1904 if (DeclRefExpr* DRL = dyn_cast<DeclRefExpr>(LeftExprSansParen)) 1905 if (DeclRefExpr* DRR = dyn_cast<DeclRefExpr>(RightExprSansParen)) 1906 if (DRL->getDecl() == DRR->getDecl()) 1907 EmitWarning = false; 1908 1909 1910 // Special case: check for comparisons against literals that can be exactly 1911 // represented by APFloat. In such cases, do not emit a warning. This 1912 // is a heuristic: often comparison against such literals are used to 1913 // detect if a value in a variable has not changed. This clearly can 1914 // lead to false negatives. 1915 if (EmitWarning) { 1916 if (FloatingLiteral* FLL = dyn_cast<FloatingLiteral>(LeftExprSansParen)) { 1917 if (FLL->isExact()) 1918 EmitWarning = false; 1919 } else 1920 if (FloatingLiteral* FLR = dyn_cast<FloatingLiteral>(RightExprSansParen)){ 1921 if (FLR->isExact()) 1922 EmitWarning = false; 1923 } 1924 } 1925 1926 // Check for comparisons with builtin types. 1927 if (EmitWarning) 1928 if (CallExpr* CL = dyn_cast<CallExpr>(LeftExprSansParen)) 1929 if (CL->isBuiltinCall(Context)) 1930 EmitWarning = false; 1931 1932 if (EmitWarning) 1933 if (CallExpr* CR = dyn_cast<CallExpr>(RightExprSansParen)) 1934 if (CR->isBuiltinCall(Context)) 1935 EmitWarning = false; 1936 1937 // Emit the diagnostic. 1938 if (EmitWarning) 1939 Diag(loc, diag::warn_floatingpoint_eq) 1940 << lex->getSourceRange() << rex->getSourceRange(); 1941} 1942 1943//===--- CHECK: Integer mixed-sign comparisons (-Wsign-compare) --------===// 1944//===--- CHECK: Lossy implicit conversions (-Wconversion) --------------===// 1945 1946namespace { 1947 1948/// Structure recording the 'active' range of an integer-valued 1949/// expression. 1950struct IntRange { 1951 /// The number of bits active in the int. 1952 unsigned Width; 1953 1954 /// True if the int is known not to have negative values. 1955 bool NonNegative; 1956 1957 IntRange() {} 1958 IntRange(unsigned Width, bool NonNegative) 1959 : Width(Width), NonNegative(NonNegative) 1960 {} 1961 1962 // Returns the range of the bool type. 1963 static IntRange forBoolType() { 1964 return IntRange(1, true); 1965 } 1966 1967 // Returns the range of an integral type. 1968 static IntRange forType(ASTContext &C, QualType T) { 1969 return forCanonicalType(C, T->getCanonicalTypeInternal().getTypePtr()); 1970 } 1971 1972 // Returns the range of an integeral type based on its canonical 1973 // representation. 1974 static IntRange forCanonicalType(ASTContext &C, const Type *T) { 1975 assert(T->isCanonicalUnqualified()); 1976 1977 if (const VectorType *VT = dyn_cast<VectorType>(T)) 1978 T = VT->getElementType().getTypePtr(); 1979 if (const ComplexType *CT = dyn_cast<ComplexType>(T)) 1980 T = CT->getElementType().getTypePtr(); 1981 1982 if (const EnumType *ET = dyn_cast<EnumType>(T)) { 1983 EnumDecl *Enum = ET->getDecl(); 1984 unsigned NumPositive = Enum->getNumPositiveBits(); 1985 unsigned NumNegative = Enum->getNumNegativeBits(); 1986 1987 return IntRange(std::max(NumPositive, NumNegative), NumNegative == 0); 1988 } 1989 1990 const BuiltinType *BT = cast<BuiltinType>(T); 1991 assert(BT->isInteger()); 1992 1993 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); 1994 } 1995 1996 // Returns the supremum of two ranges: i.e. their conservative merge. 1997 static IntRange join(IntRange L, IntRange R) { 1998 return IntRange(std::max(L.Width, R.Width), 1999 L.NonNegative && R.NonNegative); 2000 } 2001 2002 // Returns the infinum of two ranges: i.e. their aggressive merge. 2003 static IntRange meet(IntRange L, IntRange R) { 2004 return IntRange(std::min(L.Width, R.Width), 2005 L.NonNegative || R.NonNegative); 2006 } 2007}; 2008 2009IntRange GetValueRange(ASTContext &C, llvm::APSInt &value, unsigned MaxWidth) { 2010 if (value.isSigned() && value.isNegative()) 2011 return IntRange(value.getMinSignedBits(), false); 2012 2013 if (value.getBitWidth() > MaxWidth) 2014 value.trunc(MaxWidth); 2015 2016 // isNonNegative() just checks the sign bit without considering 2017 // signedness. 2018 return IntRange(value.getActiveBits(), true); 2019} 2020 2021IntRange GetValueRange(ASTContext &C, APValue &result, QualType Ty, 2022 unsigned MaxWidth) { 2023 if (result.isInt()) 2024 return GetValueRange(C, result.getInt(), MaxWidth); 2025 2026 if (result.isVector()) { 2027 IntRange R = GetValueRange(C, result.getVectorElt(0), Ty, MaxWidth); 2028 for (unsigned i = 1, e = result.getVectorLength(); i != e; ++i) { 2029 IntRange El = GetValueRange(C, result.getVectorElt(i), Ty, MaxWidth); 2030 R = IntRange::join(R, El); 2031 } 2032 return R; 2033 } 2034 2035 if (result.isComplexInt()) { 2036 IntRange R = GetValueRange(C, result.getComplexIntReal(), MaxWidth); 2037 IntRange I = GetValueRange(C, result.getComplexIntImag(), MaxWidth); 2038 return IntRange::join(R, I); 2039 } 2040 2041 // This can happen with lossless casts to intptr_t of "based" lvalues. 2042 // Assume it might use arbitrary bits. 2043 // FIXME: The only reason we need to pass the type in here is to get 2044 // the sign right on this one case. It would be nice if APValue 2045 // preserved this. 2046 assert(result.isLValue()); 2047 return IntRange(MaxWidth, Ty->isUnsignedIntegerType()); 2048} 2049 2050/// Pseudo-evaluate the given integer expression, estimating the 2051/// range of values it might take. 2052/// 2053/// \param MaxWidth - the width to which the value will be truncated 2054IntRange GetExprRange(ASTContext &C, Expr *E, unsigned MaxWidth) { 2055 E = E->IgnoreParens(); 2056 2057 // Try a full evaluation first. 2058 Expr::EvalResult result; 2059 if (E->Evaluate(result, C)) 2060 return GetValueRange(C, result.Val, E->getType(), MaxWidth); 2061 2062 // I think we only want to look through implicit casts here; if the 2063 // user has an explicit widening cast, we should treat the value as 2064 // being of the new, wider type. 2065 if (ImplicitCastExpr *CE = dyn_cast<ImplicitCastExpr>(E)) { 2066 if (CE->getCastKind() == CastExpr::CK_NoOp) 2067 return GetExprRange(C, CE->getSubExpr(), MaxWidth); 2068 2069 IntRange OutputTypeRange = IntRange::forType(C, CE->getType()); 2070 2071 bool isIntegerCast = (CE->getCastKind() == CastExpr::CK_IntegralCast); 2072 if (!isIntegerCast && CE->getCastKind() == CastExpr::CK_Unknown) 2073 isIntegerCast = CE->getSubExpr()->getType()->isIntegerType(); 2074 2075 // Assume that non-integer casts can span the full range of the type. 2076 if (!isIntegerCast) 2077 return OutputTypeRange; 2078 2079 IntRange SubRange 2080 = GetExprRange(C, CE->getSubExpr(), 2081 std::min(MaxWidth, OutputTypeRange.Width)); 2082 2083 // Bail out if the subexpr's range is as wide as the cast type. 2084 if (SubRange.Width >= OutputTypeRange.Width) 2085 return OutputTypeRange; 2086 2087 // Otherwise, we take the smaller width, and we're non-negative if 2088 // either the output type or the subexpr is. 2089 return IntRange(SubRange.Width, 2090 SubRange.NonNegative || OutputTypeRange.NonNegative); 2091 } 2092 2093 if (ConditionalOperator *CO = dyn_cast<ConditionalOperator>(E)) { 2094 // If we can fold the condition, just take that operand. 2095 bool CondResult; 2096 if (CO->getCond()->EvaluateAsBooleanCondition(CondResult, C)) 2097 return GetExprRange(C, CondResult ? CO->getTrueExpr() 2098 : CO->getFalseExpr(), 2099 MaxWidth); 2100 2101 // Otherwise, conservatively merge. 2102 IntRange L = GetExprRange(C, CO->getTrueExpr(), MaxWidth); 2103 IntRange R = GetExprRange(C, CO->getFalseExpr(), MaxWidth); 2104 return IntRange::join(L, R); 2105 } 2106 2107 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 2108 switch (BO->getOpcode()) { 2109 2110 // Boolean-valued operations are single-bit and positive. 2111 case BinaryOperator::LAnd: 2112 case BinaryOperator::LOr: 2113 case BinaryOperator::LT: 2114 case BinaryOperator::GT: 2115 case BinaryOperator::LE: 2116 case BinaryOperator::GE: 2117 case BinaryOperator::EQ: 2118 case BinaryOperator::NE: 2119 return IntRange::forBoolType(); 2120 2121 // The type of these compound assignments is the type of the LHS, 2122 // so the RHS is not necessarily an integer. 2123 case BinaryOperator::MulAssign: 2124 case BinaryOperator::DivAssign: 2125 case BinaryOperator::RemAssign: 2126 case BinaryOperator::AddAssign: 2127 case BinaryOperator::SubAssign: 2128 return IntRange::forType(C, E->getType()); 2129 2130 // Operations with opaque sources are black-listed. 2131 case BinaryOperator::PtrMemD: 2132 case BinaryOperator::PtrMemI: 2133 return IntRange::forType(C, E->getType()); 2134 2135 // Bitwise-and uses the *infinum* of the two source ranges. 2136 case BinaryOperator::And: 2137 case BinaryOperator::AndAssign: 2138 return IntRange::meet(GetExprRange(C, BO->getLHS(), MaxWidth), 2139 GetExprRange(C, BO->getRHS(), MaxWidth)); 2140 2141 // Left shift gets black-listed based on a judgement call. 2142 case BinaryOperator::Shl: 2143 // ...except that we want to treat '1 << (blah)' as logically 2144 // positive. It's an important idiom. 2145 if (IntegerLiteral *I 2146 = dyn_cast<IntegerLiteral>(BO->getLHS()->IgnoreParenCasts())) { 2147 if (I->getValue() == 1) { 2148 IntRange R = IntRange::forType(C, E->getType()); 2149 return IntRange(R.Width, /*NonNegative*/ true); 2150 } 2151 } 2152 // fallthrough 2153 2154 case BinaryOperator::ShlAssign: 2155 return IntRange::forType(C, E->getType()); 2156 2157 // Right shift by a constant can narrow its left argument. 2158 case BinaryOperator::Shr: 2159 case BinaryOperator::ShrAssign: { 2160 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 2161 2162 // If the shift amount is a positive constant, drop the width by 2163 // that much. 2164 llvm::APSInt shift; 2165 if (BO->getRHS()->isIntegerConstantExpr(shift, C) && 2166 shift.isNonNegative()) { 2167 unsigned zext = shift.getZExtValue(); 2168 if (zext >= L.Width) 2169 L.Width = (L.NonNegative ? 0 : 1); 2170 else 2171 L.Width -= zext; 2172 } 2173 2174 return L; 2175 } 2176 2177 // Comma acts as its right operand. 2178 case BinaryOperator::Comma: 2179 return GetExprRange(C, BO->getRHS(), MaxWidth); 2180 2181 // Black-list pointer subtractions. 2182 case BinaryOperator::Sub: 2183 if (BO->getLHS()->getType()->isPointerType()) 2184 return IntRange::forType(C, E->getType()); 2185 // fallthrough 2186 2187 default: 2188 break; 2189 } 2190 2191 // Treat every other operator as if it were closed on the 2192 // narrowest type that encompasses both operands. 2193 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 2194 IntRange R = GetExprRange(C, BO->getRHS(), MaxWidth); 2195 return IntRange::join(L, R); 2196 } 2197 2198 if (UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) { 2199 switch (UO->getOpcode()) { 2200 // Boolean-valued operations are white-listed. 2201 case UnaryOperator::LNot: 2202 return IntRange::forBoolType(); 2203 2204 // Operations with opaque sources are black-listed. 2205 case UnaryOperator::Deref: 2206 case UnaryOperator::AddrOf: // should be impossible 2207 case UnaryOperator::OffsetOf: 2208 return IntRange::forType(C, E->getType()); 2209 2210 default: 2211 return GetExprRange(C, UO->getSubExpr(), MaxWidth); 2212 } 2213 } 2214 2215 if (dyn_cast<OffsetOfExpr>(E)) { 2216 IntRange::forType(C, E->getType()); 2217 } 2218 2219 FieldDecl *BitField = E->getBitField(); 2220 if (BitField) { 2221 llvm::APSInt BitWidthAP = BitField->getBitWidth()->EvaluateAsInt(C); 2222 unsigned BitWidth = BitWidthAP.getZExtValue(); 2223 2224 return IntRange(BitWidth, BitField->getType()->isUnsignedIntegerType()); 2225 } 2226 2227 return IntRange::forType(C, E->getType()); 2228} 2229 2230IntRange GetExprRange(ASTContext &C, Expr *E) { 2231 return GetExprRange(C, E, C.getIntWidth(E->getType())); 2232} 2233 2234/// Checks whether the given value, which currently has the given 2235/// source semantics, has the same value when coerced through the 2236/// target semantics. 2237bool IsSameFloatAfterCast(const llvm::APFloat &value, 2238 const llvm::fltSemantics &Src, 2239 const llvm::fltSemantics &Tgt) { 2240 llvm::APFloat truncated = value; 2241 2242 bool ignored; 2243 truncated.convert(Src, llvm::APFloat::rmNearestTiesToEven, &ignored); 2244 truncated.convert(Tgt, llvm::APFloat::rmNearestTiesToEven, &ignored); 2245 2246 return truncated.bitwiseIsEqual(value); 2247} 2248 2249/// Checks whether the given value, which currently has the given 2250/// source semantics, has the same value when coerced through the 2251/// target semantics. 2252/// 2253/// The value might be a vector of floats (or a complex number). 2254bool IsSameFloatAfterCast(const APValue &value, 2255 const llvm::fltSemantics &Src, 2256 const llvm::fltSemantics &Tgt) { 2257 if (value.isFloat()) 2258 return IsSameFloatAfterCast(value.getFloat(), Src, Tgt); 2259 2260 if (value.isVector()) { 2261 for (unsigned i = 0, e = value.getVectorLength(); i != e; ++i) 2262 if (!IsSameFloatAfterCast(value.getVectorElt(i), Src, Tgt)) 2263 return false; 2264 return true; 2265 } 2266 2267 assert(value.isComplexFloat()); 2268 return (IsSameFloatAfterCast(value.getComplexFloatReal(), Src, Tgt) && 2269 IsSameFloatAfterCast(value.getComplexFloatImag(), Src, Tgt)); 2270} 2271 2272void AnalyzeImplicitConversions(Sema &S, Expr *E); 2273 2274bool IsZero(Sema &S, Expr *E) { 2275 llvm::APSInt Value; 2276 return E->isIntegerConstantExpr(Value, S.Context) && Value == 0; 2277} 2278 2279void CheckTrivialUnsignedComparison(Sema &S, BinaryOperator *E) { 2280 BinaryOperator::Opcode op = E->getOpcode(); 2281 if (op == BinaryOperator::LT && IsZero(S, E->getRHS())) { 2282 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 2283 << "< 0" << "false" 2284 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 2285 } else if (op == BinaryOperator::GE && IsZero(S, E->getRHS())) { 2286 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 2287 << ">= 0" << "true" 2288 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 2289 } else if (op == BinaryOperator::GT && IsZero(S, E->getLHS())) { 2290 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 2291 << "0 >" << "false" 2292 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 2293 } else if (op == BinaryOperator::LE && IsZero(S, E->getLHS())) { 2294 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 2295 << "0 <=" << "true" 2296 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 2297 } 2298} 2299 2300/// Analyze the operands of the given comparison. Implements the 2301/// fallback case from AnalyzeComparison. 2302void AnalyzeImpConvsInComparison(Sema &S, BinaryOperator *E) { 2303 AnalyzeImplicitConversions(S, E->getLHS()); 2304 AnalyzeImplicitConversions(S, E->getRHS()); 2305} 2306 2307/// \brief Implements -Wsign-compare. 2308/// 2309/// \param lex the left-hand expression 2310/// \param rex the right-hand expression 2311/// \param OpLoc the location of the joining operator 2312/// \param BinOpc binary opcode or 0 2313void AnalyzeComparison(Sema &S, BinaryOperator *E) { 2314 // The type the comparison is being performed in. 2315 QualType T = E->getLHS()->getType(); 2316 assert(S.Context.hasSameUnqualifiedType(T, E->getRHS()->getType()) 2317 && "comparison with mismatched types"); 2318 2319 // We don't do anything special if this isn't an unsigned integral 2320 // comparison: we're only interested in integral comparisons, and 2321 // signed comparisons only happen in cases we don't care to warn about. 2322 if (!T->isUnsignedIntegerType()) 2323 return AnalyzeImpConvsInComparison(S, E); 2324 2325 Expr *lex = E->getLHS()->IgnoreParenImpCasts(); 2326 Expr *rex = E->getRHS()->IgnoreParenImpCasts(); 2327 2328 // Check to see if one of the (unmodified) operands is of different 2329 // signedness. 2330 Expr *signedOperand, *unsignedOperand; 2331 if (lex->getType()->isSignedIntegerType()) { 2332 assert(!rex->getType()->isSignedIntegerType() && 2333 "unsigned comparison between two signed integer expressions?"); 2334 signedOperand = lex; 2335 unsignedOperand = rex; 2336 } else if (rex->getType()->isSignedIntegerType()) { 2337 signedOperand = rex; 2338 unsignedOperand = lex; 2339 } else { 2340 CheckTrivialUnsignedComparison(S, E); 2341 return AnalyzeImpConvsInComparison(S, E); 2342 } 2343 2344 // Otherwise, calculate the effective range of the signed operand. 2345 IntRange signedRange = GetExprRange(S.Context, signedOperand); 2346 2347 // Go ahead and analyze implicit conversions in the operands. Note 2348 // that we skip the implicit conversions on both sides. 2349 AnalyzeImplicitConversions(S, lex); 2350 AnalyzeImplicitConversions(S, rex); 2351 2352 // If the signed range is non-negative, -Wsign-compare won't fire, 2353 // but we should still check for comparisons which are always true 2354 // or false. 2355 if (signedRange.NonNegative) 2356 return CheckTrivialUnsignedComparison(S, E); 2357 2358 // For (in)equality comparisons, if the unsigned operand is a 2359 // constant which cannot collide with a overflowed signed operand, 2360 // then reinterpreting the signed operand as unsigned will not 2361 // change the result of the comparison. 2362 if (E->isEqualityOp()) { 2363 unsigned comparisonWidth = S.Context.getIntWidth(T); 2364 IntRange unsignedRange = GetExprRange(S.Context, unsignedOperand); 2365 2366 // We should never be unable to prove that the unsigned operand is 2367 // non-negative. 2368 assert(unsignedRange.NonNegative && "unsigned range includes negative?"); 2369 2370 if (unsignedRange.Width < comparisonWidth) 2371 return; 2372 } 2373 2374 S.Diag(E->getOperatorLoc(), diag::warn_mixed_sign_comparison) 2375 << lex->getType() << rex->getType() 2376 << lex->getSourceRange() << rex->getSourceRange(); 2377} 2378 2379/// Diagnose an implicit cast; purely a helper for CheckImplicitConversion. 2380void DiagnoseImpCast(Sema &S, Expr *E, QualType T, unsigned diag) { 2381 S.Diag(E->getExprLoc(), diag) << E->getType() << T << E->getSourceRange(); 2382} 2383 2384void CheckImplicitConversion(Sema &S, Expr *E, QualType T, 2385 bool *ICContext = 0) { 2386 if (E->isTypeDependent() || E->isValueDependent()) return; 2387 2388 const Type *Source = S.Context.getCanonicalType(E->getType()).getTypePtr(); 2389 const Type *Target = S.Context.getCanonicalType(T).getTypePtr(); 2390 if (Source == Target) return; 2391 if (Target->isDependentType()) return; 2392 2393 // Never diagnose implicit casts to bool. 2394 if (Target->isSpecificBuiltinType(BuiltinType::Bool)) 2395 return; 2396 2397 // Strip vector types. 2398 if (isa<VectorType>(Source)) { 2399 if (!isa<VectorType>(Target)) 2400 return DiagnoseImpCast(S, E, T, diag::warn_impcast_vector_scalar); 2401 2402 Source = cast<VectorType>(Source)->getElementType().getTypePtr(); 2403 Target = cast<VectorType>(Target)->getElementType().getTypePtr(); 2404 } 2405 2406 // Strip complex types. 2407 if (isa<ComplexType>(Source)) { 2408 if (!isa<ComplexType>(Target)) 2409 return DiagnoseImpCast(S, E, T, diag::warn_impcast_complex_scalar); 2410 2411 Source = cast<ComplexType>(Source)->getElementType().getTypePtr(); 2412 Target = cast<ComplexType>(Target)->getElementType().getTypePtr(); 2413 } 2414 2415 const BuiltinType *SourceBT = dyn_cast<BuiltinType>(Source); 2416 const BuiltinType *TargetBT = dyn_cast<BuiltinType>(Target); 2417 2418 // If the source is floating point... 2419 if (SourceBT && SourceBT->isFloatingPoint()) { 2420 // ...and the target is floating point... 2421 if (TargetBT && TargetBT->isFloatingPoint()) { 2422 // ...then warn if we're dropping FP rank. 2423 2424 // Builtin FP kinds are ordered by increasing FP rank. 2425 if (SourceBT->getKind() > TargetBT->getKind()) { 2426 // Don't warn about float constants that are precisely 2427 // representable in the target type. 2428 Expr::EvalResult result; 2429 if (E->Evaluate(result, S.Context)) { 2430 // Value might be a float, a float vector, or a float complex. 2431 if (IsSameFloatAfterCast(result.Val, 2432 S.Context.getFloatTypeSemantics(QualType(TargetBT, 0)), 2433 S.Context.getFloatTypeSemantics(QualType(SourceBT, 0)))) 2434 return; 2435 } 2436 2437 DiagnoseImpCast(S, E, T, diag::warn_impcast_float_precision); 2438 } 2439 return; 2440 } 2441 2442 // If the target is integral, always warn. 2443 if ((TargetBT && TargetBT->isInteger())) 2444 // TODO: don't warn for integer values? 2445 DiagnoseImpCast(S, E, T, diag::warn_impcast_float_integer); 2446 2447 return; 2448 } 2449 2450 if (!Source->isIntegerType() || !Target->isIntegerType()) 2451 return; 2452 2453 IntRange SourceRange = GetExprRange(S.Context, E); 2454 IntRange TargetRange = IntRange::forCanonicalType(S.Context, Target); 2455 2456 if (SourceRange.Width > TargetRange.Width) { 2457 // People want to build with -Wshorten-64-to-32 and not -Wconversion 2458 // and by god we'll let them. 2459 if (SourceRange.Width == 64 && TargetRange.Width == 32) 2460 return DiagnoseImpCast(S, E, T, diag::warn_impcast_integer_64_32); 2461 return DiagnoseImpCast(S, E, T, diag::warn_impcast_integer_precision); 2462 } 2463 2464 if ((TargetRange.NonNegative && !SourceRange.NonNegative) || 2465 (!TargetRange.NonNegative && SourceRange.NonNegative && 2466 SourceRange.Width == TargetRange.Width)) { 2467 unsigned DiagID = diag::warn_impcast_integer_sign; 2468 2469 // Traditionally, gcc has warned about this under -Wsign-compare. 2470 // We also want to warn about it in -Wconversion. 2471 // So if -Wconversion is off, use a completely identical diagnostic 2472 // in the sign-compare group. 2473 // The conditional-checking code will 2474 if (ICContext) { 2475 DiagID = diag::warn_impcast_integer_sign_conditional; 2476 *ICContext = true; 2477 } 2478 2479 return DiagnoseImpCast(S, E, T, DiagID); 2480 } 2481 2482 return; 2483} 2484 2485void CheckConditionalOperator(Sema &S, ConditionalOperator *E, QualType T); 2486 2487void CheckConditionalOperand(Sema &S, Expr *E, QualType T, 2488 bool &ICContext) { 2489 E = E->IgnoreParenImpCasts(); 2490 2491 if (isa<ConditionalOperator>(E)) 2492 return CheckConditionalOperator(S, cast<ConditionalOperator>(E), T); 2493 2494 AnalyzeImplicitConversions(S, E); 2495 if (E->getType() != T) 2496 return CheckImplicitConversion(S, E, T, &ICContext); 2497 return; 2498} 2499 2500void CheckConditionalOperator(Sema &S, ConditionalOperator *E, QualType T) { 2501 AnalyzeImplicitConversions(S, E->getCond()); 2502 2503 bool Suspicious = false; 2504 CheckConditionalOperand(S, E->getTrueExpr(), T, Suspicious); 2505 CheckConditionalOperand(S, E->getFalseExpr(), T, Suspicious); 2506 2507 // If -Wconversion would have warned about either of the candidates 2508 // for a signedness conversion to the context type... 2509 if (!Suspicious) return; 2510 2511 // ...but it's currently ignored... 2512 if (S.Diags.getDiagnosticLevel(diag::warn_impcast_integer_sign_conditional)) 2513 return; 2514 2515 // ...and -Wsign-compare isn't... 2516 if (!S.Diags.getDiagnosticLevel(diag::warn_mixed_sign_conditional)) 2517 return; 2518 2519 // ...then check whether it would have warned about either of the 2520 // candidates for a signedness conversion to the condition type. 2521 if (E->getType() != T) { 2522 Suspicious = false; 2523 CheckImplicitConversion(S, E->getTrueExpr()->IgnoreParenImpCasts(), 2524 E->getType(), &Suspicious); 2525 if (!Suspicious) 2526 CheckImplicitConversion(S, E->getFalseExpr()->IgnoreParenImpCasts(), 2527 E->getType(), &Suspicious); 2528 if (!Suspicious) 2529 return; 2530 } 2531 2532 // If so, emit a diagnostic under -Wsign-compare. 2533 Expr *lex = E->getTrueExpr()->IgnoreParenImpCasts(); 2534 Expr *rex = E->getFalseExpr()->IgnoreParenImpCasts(); 2535 S.Diag(E->getQuestionLoc(), diag::warn_mixed_sign_conditional) 2536 << lex->getType() << rex->getType() 2537 << lex->getSourceRange() << rex->getSourceRange(); 2538} 2539 2540/// AnalyzeImplicitConversions - Find and report any interesting 2541/// implicit conversions in the given expression. There are a couple 2542/// of competing diagnostics here, -Wconversion and -Wsign-compare. 2543void AnalyzeImplicitConversions(Sema &S, Expr *OrigE) { 2544 QualType T = OrigE->getType(); 2545 Expr *E = OrigE->IgnoreParenImpCasts(); 2546 2547 // For conditional operators, we analyze the arguments as if they 2548 // were being fed directly into the output. 2549 if (isa<ConditionalOperator>(E)) { 2550 ConditionalOperator *CO = cast<ConditionalOperator>(E); 2551 CheckConditionalOperator(S, CO, T); 2552 return; 2553 } 2554 2555 // Go ahead and check any implicit conversions we might have skipped. 2556 // The non-canonical typecheck is just an optimization; 2557 // CheckImplicitConversion will filter out dead implicit conversions. 2558 if (E->getType() != T) 2559 CheckImplicitConversion(S, E, T); 2560 2561 // Now continue drilling into this expression. 2562 2563 // Skip past explicit casts. 2564 if (isa<ExplicitCastExpr>(E)) { 2565 E = cast<ExplicitCastExpr>(E)->getSubExpr()->IgnoreParenImpCasts(); 2566 return AnalyzeImplicitConversions(S, E); 2567 } 2568 2569 // Do a somewhat different check with comparison operators. 2570 if (isa<BinaryOperator>(E) && cast<BinaryOperator>(E)->isComparisonOp()) 2571 return AnalyzeComparison(S, cast<BinaryOperator>(E)); 2572 2573 // These break the otherwise-useful invariant below. Fortunately, 2574 // we don't really need to recurse into them, because any internal 2575 // expressions should have been analyzed already when they were 2576 // built into statements. 2577 if (isa<StmtExpr>(E)) return; 2578 2579 // Don't descend into unevaluated contexts. 2580 if (isa<SizeOfAlignOfExpr>(E)) return; 2581 2582 // Now just recurse over the expression's children. 2583 for (Stmt::child_iterator I = E->child_begin(), IE = E->child_end(); 2584 I != IE; ++I) 2585 AnalyzeImplicitConversions(S, cast<Expr>(*I)); 2586} 2587 2588} // end anonymous namespace 2589 2590/// Diagnoses "dangerous" implicit conversions within the given 2591/// expression (which is a full expression). Implements -Wconversion 2592/// and -Wsign-compare. 2593void Sema::CheckImplicitConversions(Expr *E) { 2594 // Don't diagnose in unevaluated contexts. 2595 if (ExprEvalContexts.back().Context == Sema::Unevaluated) 2596 return; 2597 2598 // Don't diagnose for value- or type-dependent expressions. 2599 if (E->isTypeDependent() || E->isValueDependent()) 2600 return; 2601 2602 AnalyzeImplicitConversions(*this, E); 2603} 2604 2605/// CheckParmsForFunctionDef - Check that the parameters of the given 2606/// function are appropriate for the definition of a function. This 2607/// takes care of any checks that cannot be performed on the 2608/// declaration itself, e.g., that the types of each of the function 2609/// parameters are complete. 2610bool Sema::CheckParmsForFunctionDef(FunctionDecl *FD) { 2611 bool HasInvalidParm = false; 2612 for (unsigned p = 0, NumParams = FD->getNumParams(); p < NumParams; ++p) { 2613 ParmVarDecl *Param = FD->getParamDecl(p); 2614 2615 // C99 6.7.5.3p4: the parameters in a parameter type list in a 2616 // function declarator that is part of a function definition of 2617 // that function shall not have incomplete type. 2618 // 2619 // This is also C++ [dcl.fct]p6. 2620 if (!Param->isInvalidDecl() && 2621 RequireCompleteType(Param->getLocation(), Param->getType(), 2622 diag::err_typecheck_decl_incomplete_type)) { 2623 Param->setInvalidDecl(); 2624 HasInvalidParm = true; 2625 } 2626 2627 // C99 6.9.1p5: If the declarator includes a parameter type list, the 2628 // declaration of each parameter shall include an identifier. 2629 if (Param->getIdentifier() == 0 && 2630 !Param->isImplicit() && 2631 !getLangOptions().CPlusPlus) 2632 Diag(Param->getLocation(), diag::err_parameter_name_omitted); 2633 2634 // C99 6.7.5.3p12: 2635 // If the function declarator is not part of a definition of that 2636 // function, parameters may have incomplete type and may use the [*] 2637 // notation in their sequences of declarator specifiers to specify 2638 // variable length array types. 2639 QualType PType = Param->getOriginalType(); 2640 if (const ArrayType *AT = Context.getAsArrayType(PType)) { 2641 if (AT->getSizeModifier() == ArrayType::Star) { 2642 // FIXME: This diagnosic should point the the '[*]' if source-location 2643 // information is added for it. 2644 Diag(Param->getLocation(), diag::err_array_star_in_function_definition); 2645 } 2646 } 2647 } 2648 2649 return HasInvalidParm; 2650} 2651