SemaChecking.cpp revision a7da2155167676a6a5d9fca4de947a9cab2a4908
1//===--- SemaChecking.cpp - Extra Semantic Checking -----------------------===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file implements extra semantic analysis beyond what is enforced 11// by the C type system. 12// 13//===----------------------------------------------------------------------===// 14 15#include "clang/Sema/Initialization.h" 16#include "clang/Sema/Sema.h" 17#include "clang/Sema/SemaInternal.h" 18#include "clang/Sema/Initialization.h" 19#include "clang/Sema/ScopeInfo.h" 20#include "clang/Analysis/Analyses/FormatString.h" 21#include "clang/AST/ASTContext.h" 22#include "clang/AST/CharUnits.h" 23#include "clang/AST/DeclCXX.h" 24#include "clang/AST/DeclObjC.h" 25#include "clang/AST/ExprCXX.h" 26#include "clang/AST/ExprObjC.h" 27#include "clang/AST/EvaluatedExprVisitor.h" 28#include "clang/AST/DeclObjC.h" 29#include "clang/AST/StmtCXX.h" 30#include "clang/AST/StmtObjC.h" 31#include "clang/Lex/Preprocessor.h" 32#include "llvm/ADT/BitVector.h" 33#include "llvm/ADT/STLExtras.h" 34#include "llvm/Support/raw_ostream.h" 35#include "clang/Basic/TargetBuiltins.h" 36#include "clang/Basic/TargetInfo.h" 37#include "clang/Basic/ConvertUTF.h" 38#include <limits> 39using namespace clang; 40using namespace sema; 41 42SourceLocation Sema::getLocationOfStringLiteralByte(const StringLiteral *SL, 43 unsigned ByteNo) const { 44 return SL->getLocationOfByte(ByteNo, PP.getSourceManager(), 45 PP.getLangOptions(), PP.getTargetInfo()); 46} 47 48 49/// CheckablePrintfAttr - does a function call have a "printf" attribute 50/// and arguments that merit checking? 51bool Sema::CheckablePrintfAttr(const FormatAttr *Format, CallExpr *TheCall) { 52 if (Format->getType() == "printf") return true; 53 if (Format->getType() == "printf0") { 54 // printf0 allows null "format" string; if so don't check format/args 55 unsigned format_idx = Format->getFormatIdx() - 1; 56 // Does the index refer to the implicit object argument? 57 if (isa<CXXMemberCallExpr>(TheCall)) { 58 if (format_idx == 0) 59 return false; 60 --format_idx; 61 } 62 if (format_idx < TheCall->getNumArgs()) { 63 Expr *Format = TheCall->getArg(format_idx)->IgnoreParenCasts(); 64 if (!Format->isNullPointerConstant(Context, 65 Expr::NPC_ValueDependentIsNull)) 66 return true; 67 } 68 } 69 return false; 70} 71 72/// Checks that a call expression's argument count is the desired number. 73/// This is useful when doing custom type-checking. Returns true on error. 74static bool checkArgCount(Sema &S, CallExpr *call, unsigned desiredArgCount) { 75 unsigned argCount = call->getNumArgs(); 76 if (argCount == desiredArgCount) return false; 77 78 if (argCount < desiredArgCount) 79 return S.Diag(call->getLocEnd(), diag::err_typecheck_call_too_few_args) 80 << 0 /*function call*/ << desiredArgCount << argCount 81 << call->getSourceRange(); 82 83 // Highlight all the excess arguments. 84 SourceRange range(call->getArg(desiredArgCount)->getLocStart(), 85 call->getArg(argCount - 1)->getLocEnd()); 86 87 return S.Diag(range.getBegin(), diag::err_typecheck_call_too_many_args) 88 << 0 /*function call*/ << desiredArgCount << argCount 89 << call->getArg(1)->getSourceRange(); 90} 91 92/// CheckBuiltinAnnotationString - Checks that string argument to the builtin 93/// annotation is a non wide string literal. 94static bool CheckBuiltinAnnotationString(Sema &S, Expr *Arg) { 95 Arg = Arg->IgnoreParenCasts(); 96 StringLiteral *Literal = dyn_cast<StringLiteral>(Arg); 97 if (!Literal || !Literal->isAscii()) { 98 S.Diag(Arg->getLocStart(), diag::err_builtin_annotation_not_string_constant) 99 << Arg->getSourceRange(); 100 return true; 101 } 102 return false; 103} 104 105ExprResult 106Sema::CheckBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 107 ExprResult TheCallResult(Owned(TheCall)); 108 109 // Find out if any arguments are required to be integer constant expressions. 110 unsigned ICEArguments = 0; 111 ASTContext::GetBuiltinTypeError Error; 112 Context.GetBuiltinType(BuiltinID, Error, &ICEArguments); 113 if (Error != ASTContext::GE_None) 114 ICEArguments = 0; // Don't diagnose previously diagnosed errors. 115 116 // If any arguments are required to be ICE's, check and diagnose. 117 for (unsigned ArgNo = 0; ICEArguments != 0; ++ArgNo) { 118 // Skip arguments not required to be ICE's. 119 if ((ICEArguments & (1 << ArgNo)) == 0) continue; 120 121 llvm::APSInt Result; 122 if (SemaBuiltinConstantArg(TheCall, ArgNo, Result)) 123 return true; 124 ICEArguments &= ~(1 << ArgNo); 125 } 126 127 switch (BuiltinID) { 128 case Builtin::BI__builtin___CFStringMakeConstantString: 129 assert(TheCall->getNumArgs() == 1 && 130 "Wrong # arguments to builtin CFStringMakeConstantString"); 131 if (CheckObjCString(TheCall->getArg(0))) 132 return ExprError(); 133 break; 134 case Builtin::BI__builtin_stdarg_start: 135 case Builtin::BI__builtin_va_start: 136 if (SemaBuiltinVAStart(TheCall)) 137 return ExprError(); 138 break; 139 case Builtin::BI__builtin_isgreater: 140 case Builtin::BI__builtin_isgreaterequal: 141 case Builtin::BI__builtin_isless: 142 case Builtin::BI__builtin_islessequal: 143 case Builtin::BI__builtin_islessgreater: 144 case Builtin::BI__builtin_isunordered: 145 if (SemaBuiltinUnorderedCompare(TheCall)) 146 return ExprError(); 147 break; 148 case Builtin::BI__builtin_fpclassify: 149 if (SemaBuiltinFPClassification(TheCall, 6)) 150 return ExprError(); 151 break; 152 case Builtin::BI__builtin_isfinite: 153 case Builtin::BI__builtin_isinf: 154 case Builtin::BI__builtin_isinf_sign: 155 case Builtin::BI__builtin_isnan: 156 case Builtin::BI__builtin_isnormal: 157 if (SemaBuiltinFPClassification(TheCall, 1)) 158 return ExprError(); 159 break; 160 case Builtin::BI__builtin_shufflevector: 161 return SemaBuiltinShuffleVector(TheCall); 162 // TheCall will be freed by the smart pointer here, but that's fine, since 163 // SemaBuiltinShuffleVector guts it, but then doesn't release it. 164 case Builtin::BI__builtin_prefetch: 165 if (SemaBuiltinPrefetch(TheCall)) 166 return ExprError(); 167 break; 168 case Builtin::BI__builtin_object_size: 169 if (SemaBuiltinObjectSize(TheCall)) 170 return ExprError(); 171 break; 172 case Builtin::BI__builtin_longjmp: 173 if (SemaBuiltinLongjmp(TheCall)) 174 return ExprError(); 175 break; 176 177 case Builtin::BI__builtin_classify_type: 178 if (checkArgCount(*this, TheCall, 1)) return true; 179 TheCall->setType(Context.IntTy); 180 break; 181 case Builtin::BI__builtin_constant_p: 182 if (checkArgCount(*this, TheCall, 1)) return true; 183 TheCall->setType(Context.IntTy); 184 break; 185 case Builtin::BI__sync_fetch_and_add: 186 case Builtin::BI__sync_fetch_and_sub: 187 case Builtin::BI__sync_fetch_and_or: 188 case Builtin::BI__sync_fetch_and_and: 189 case Builtin::BI__sync_fetch_and_xor: 190 case Builtin::BI__sync_add_and_fetch: 191 case Builtin::BI__sync_sub_and_fetch: 192 case Builtin::BI__sync_and_and_fetch: 193 case Builtin::BI__sync_or_and_fetch: 194 case Builtin::BI__sync_xor_and_fetch: 195 case Builtin::BI__sync_val_compare_and_swap: 196 case Builtin::BI__sync_bool_compare_and_swap: 197 case Builtin::BI__sync_lock_test_and_set: 198 case Builtin::BI__sync_lock_release: 199 case Builtin::BI__sync_swap: 200 return SemaBuiltinAtomicOverloaded(move(TheCallResult)); 201 case Builtin::BI__atomic_load: 202 return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::Load); 203 case Builtin::BI__atomic_store: 204 return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::Store); 205 case Builtin::BI__atomic_exchange: 206 return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::Xchg); 207 case Builtin::BI__atomic_compare_exchange_strong: 208 return SemaAtomicOpsOverloaded(move(TheCallResult), 209 AtomicExpr::CmpXchgStrong); 210 case Builtin::BI__atomic_compare_exchange_weak: 211 return SemaAtomicOpsOverloaded(move(TheCallResult), 212 AtomicExpr::CmpXchgWeak); 213 case Builtin::BI__atomic_fetch_add: 214 return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::Add); 215 case Builtin::BI__atomic_fetch_sub: 216 return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::Sub); 217 case Builtin::BI__atomic_fetch_and: 218 return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::And); 219 case Builtin::BI__atomic_fetch_or: 220 return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::Or); 221 case Builtin::BI__atomic_fetch_xor: 222 return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::Xor); 223 case Builtin::BI__builtin_annotation: 224 if (CheckBuiltinAnnotationString(*this, TheCall->getArg(1))) 225 return ExprError(); 226 break; 227 } 228 229 // Since the target specific builtins for each arch overlap, only check those 230 // of the arch we are compiling for. 231 if (BuiltinID >= Builtin::FirstTSBuiltin) { 232 switch (Context.getTargetInfo().getTriple().getArch()) { 233 case llvm::Triple::arm: 234 case llvm::Triple::thumb: 235 if (CheckARMBuiltinFunctionCall(BuiltinID, TheCall)) 236 return ExprError(); 237 break; 238 default: 239 break; 240 } 241 } 242 243 return move(TheCallResult); 244} 245 246// Get the valid immediate range for the specified NEON type code. 247static unsigned RFT(unsigned t, bool shift = false) { 248 bool quad = t & 0x10; 249 250 switch (t & 0x7) { 251 case 0: // i8 252 return shift ? 7 : (8 << (int)quad) - 1; 253 case 1: // i16 254 return shift ? 15 : (4 << (int)quad) - 1; 255 case 2: // i32 256 return shift ? 31 : (2 << (int)quad) - 1; 257 case 3: // i64 258 return shift ? 63 : (1 << (int)quad) - 1; 259 case 4: // f32 260 assert(!shift && "cannot shift float types!"); 261 return (2 << (int)quad) - 1; 262 case 5: // poly8 263 return shift ? 7 : (8 << (int)quad) - 1; 264 case 6: // poly16 265 return shift ? 15 : (4 << (int)quad) - 1; 266 case 7: // float16 267 assert(!shift && "cannot shift float types!"); 268 return (4 << (int)quad) - 1; 269 } 270 return 0; 271} 272 273bool Sema::CheckARMBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 274 llvm::APSInt Result; 275 276 unsigned mask = 0; 277 unsigned TV = 0; 278 switch (BuiltinID) { 279#define GET_NEON_OVERLOAD_CHECK 280#include "clang/Basic/arm_neon.inc" 281#undef GET_NEON_OVERLOAD_CHECK 282 } 283 284 // For NEON intrinsics which are overloaded on vector element type, validate 285 // the immediate which specifies which variant to emit. 286 if (mask) { 287 unsigned ArgNo = TheCall->getNumArgs()-1; 288 if (SemaBuiltinConstantArg(TheCall, ArgNo, Result)) 289 return true; 290 291 TV = Result.getLimitedValue(32); 292 if ((TV > 31) || (mask & (1 << TV)) == 0) 293 return Diag(TheCall->getLocStart(), diag::err_invalid_neon_type_code) 294 << TheCall->getArg(ArgNo)->getSourceRange(); 295 } 296 297 // For NEON intrinsics which take an immediate value as part of the 298 // instruction, range check them here. 299 unsigned i = 0, l = 0, u = 0; 300 switch (BuiltinID) { 301 default: return false; 302 case ARM::BI__builtin_arm_ssat: i = 1; l = 1; u = 31; break; 303 case ARM::BI__builtin_arm_usat: i = 1; u = 31; break; 304 case ARM::BI__builtin_arm_vcvtr_f: 305 case ARM::BI__builtin_arm_vcvtr_d: i = 1; u = 1; break; 306#define GET_NEON_IMMEDIATE_CHECK 307#include "clang/Basic/arm_neon.inc" 308#undef GET_NEON_IMMEDIATE_CHECK 309 }; 310 311 // Check that the immediate argument is actually a constant. 312 if (SemaBuiltinConstantArg(TheCall, i, Result)) 313 return true; 314 315 // Range check against the upper/lower values for this isntruction. 316 unsigned Val = Result.getZExtValue(); 317 if (Val < l || Val > (u + l)) 318 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 319 << l << u+l << TheCall->getArg(i)->getSourceRange(); 320 321 // FIXME: VFP Intrinsics should error if VFP not present. 322 return false; 323} 324 325/// CheckFunctionCall - Check a direct function call for various correctness 326/// and safety properties not strictly enforced by the C type system. 327bool Sema::CheckFunctionCall(FunctionDecl *FDecl, CallExpr *TheCall) { 328 // Get the IdentifierInfo* for the called function. 329 IdentifierInfo *FnInfo = FDecl->getIdentifier(); 330 331 // None of the checks below are needed for functions that don't have 332 // simple names (e.g., C++ conversion functions). 333 if (!FnInfo) 334 return false; 335 336 // FIXME: This mechanism should be abstracted to be less fragile and 337 // more efficient. For example, just map function ids to custom 338 // handlers. 339 340 // Printf and scanf checking. 341 for (specific_attr_iterator<FormatAttr> 342 i = FDecl->specific_attr_begin<FormatAttr>(), 343 e = FDecl->specific_attr_end<FormatAttr>(); i != e ; ++i) { 344 345 const FormatAttr *Format = *i; 346 const bool b = Format->getType() == "scanf"; 347 if (b || CheckablePrintfAttr(Format, TheCall)) { 348 bool HasVAListArg = Format->getFirstArg() == 0; 349 CheckPrintfScanfArguments(TheCall, HasVAListArg, 350 Format->getFormatIdx() - 1, 351 HasVAListArg ? 0 : Format->getFirstArg() - 1, 352 !b); 353 } 354 } 355 356 for (specific_attr_iterator<NonNullAttr> 357 i = FDecl->specific_attr_begin<NonNullAttr>(), 358 e = FDecl->specific_attr_end<NonNullAttr>(); i != e; ++i) { 359 CheckNonNullArguments(*i, TheCall->getArgs(), 360 TheCall->getCallee()->getLocStart()); 361 } 362 363 CheckStaticArrayArguments(FDecl, TheCall->getArgs(), 364 TheCall->getCallee()->getLocStart()); 365 366 // Builtin handling 367 int CMF = -1; 368 switch (FDecl->getBuiltinID()) { 369 case Builtin::BI__builtin_memset: 370 case Builtin::BI__builtin___memset_chk: 371 case Builtin::BImemset: 372 CMF = CMF_Memset; 373 break; 374 375 case Builtin::BI__builtin_memcpy: 376 case Builtin::BI__builtin___memcpy_chk: 377 case Builtin::BImemcpy: 378 CMF = CMF_Memcpy; 379 break; 380 381 case Builtin::BI__builtin_memmove: 382 case Builtin::BI__builtin___memmove_chk: 383 case Builtin::BImemmove: 384 CMF = CMF_Memmove; 385 break; 386 387 case Builtin::BIstrlcpy: 388 case Builtin::BIstrlcat: 389 CheckStrlcpycatArguments(TheCall, FnInfo); 390 break; 391 392 case Builtin::BI__builtin_memcmp: 393 CMF = CMF_Memcmp; 394 break; 395 396 case Builtin::BI__builtin_strncpy: 397 case Builtin::BI__builtin___strncpy_chk: 398 case Builtin::BIstrncpy: 399 CMF = CMF_Strncpy; 400 break; 401 402 case Builtin::BI__builtin_strncmp: 403 CMF = CMF_Strncmp; 404 break; 405 406 case Builtin::BI__builtin_strncasecmp: 407 CMF = CMF_Strncasecmp; 408 break; 409 410 case Builtin::BI__builtin_strncat: 411 case Builtin::BIstrncat: 412 CMF = CMF_Strncat; 413 break; 414 415 case Builtin::BI__builtin_strndup: 416 case Builtin::BIstrndup: 417 CMF = CMF_Strndup; 418 break; 419 420 default: 421 if (FDecl->getLinkage() == ExternalLinkage && 422 (!getLangOptions().CPlusPlus || FDecl->isExternC())) { 423 if (FnInfo->isStr("memset")) 424 CMF = CMF_Memset; 425 else if (FnInfo->isStr("memcpy")) 426 CMF = CMF_Memcpy; 427 else if (FnInfo->isStr("memmove")) 428 CMF = CMF_Memmove; 429 else if (FnInfo->isStr("memcmp")) 430 CMF = CMF_Memcmp; 431 else if (FnInfo->isStr("strncpy")) 432 CMF = CMF_Strncpy; 433 else if (FnInfo->isStr("strncmp")) 434 CMF = CMF_Strncmp; 435 else if (FnInfo->isStr("strncasecmp")) 436 CMF = CMF_Strncasecmp; 437 else if (FnInfo->isStr("strncat")) 438 CMF = CMF_Strncat; 439 else if (FnInfo->isStr("strndup")) 440 CMF = CMF_Strndup; 441 } 442 break; 443 } 444 445 // Memset/memcpy/memmove handling 446 if (CMF != -1) 447 CheckMemaccessArguments(TheCall, CheckedMemoryFunction(CMF), FnInfo); 448 449 return false; 450} 451 452bool Sema::CheckBlockCall(NamedDecl *NDecl, CallExpr *TheCall) { 453 // Printf checking. 454 const FormatAttr *Format = NDecl->getAttr<FormatAttr>(); 455 if (!Format) 456 return false; 457 458 const VarDecl *V = dyn_cast<VarDecl>(NDecl); 459 if (!V) 460 return false; 461 462 QualType Ty = V->getType(); 463 if (!Ty->isBlockPointerType()) 464 return false; 465 466 const bool b = Format->getType() == "scanf"; 467 if (!b && !CheckablePrintfAttr(Format, TheCall)) 468 return false; 469 470 bool HasVAListArg = Format->getFirstArg() == 0; 471 CheckPrintfScanfArguments(TheCall, HasVAListArg, Format->getFormatIdx() - 1, 472 HasVAListArg ? 0 : Format->getFirstArg() - 1, !b); 473 474 return false; 475} 476 477ExprResult 478Sema::SemaAtomicOpsOverloaded(ExprResult TheCallResult, AtomicExpr::AtomicOp Op) { 479 CallExpr *TheCall = cast<CallExpr>(TheCallResult.get()); 480 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 481 482 // All these operations take one of the following four forms: 483 // T __atomic_load(_Atomic(T)*, int) (loads) 484 // T* __atomic_add(_Atomic(T*)*, ptrdiff_t, int) (pointer add/sub) 485 // int __atomic_compare_exchange_strong(_Atomic(T)*, T*, T, int, int) 486 // (cmpxchg) 487 // T __atomic_exchange(_Atomic(T)*, T, int) (everything else) 488 // where T is an appropriate type, and the int paremeterss are for orderings. 489 unsigned NumVals = 1; 490 unsigned NumOrders = 1; 491 if (Op == AtomicExpr::Load) { 492 NumVals = 0; 493 } else if (Op == AtomicExpr::CmpXchgWeak || Op == AtomicExpr::CmpXchgStrong) { 494 NumVals = 2; 495 NumOrders = 2; 496 } 497 498 if (TheCall->getNumArgs() < NumVals+NumOrders+1) { 499 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 500 << 0 << NumVals+NumOrders+1 << TheCall->getNumArgs() 501 << TheCall->getCallee()->getSourceRange(); 502 return ExprError(); 503 } else if (TheCall->getNumArgs() > NumVals+NumOrders+1) { 504 Diag(TheCall->getArg(NumVals+NumOrders+1)->getLocStart(), 505 diag::err_typecheck_call_too_many_args) 506 << 0 << NumVals+NumOrders+1 << TheCall->getNumArgs() 507 << TheCall->getCallee()->getSourceRange(); 508 return ExprError(); 509 } 510 511 // Inspect the first argument of the atomic operation. This should always be 512 // a pointer to an _Atomic type. 513 Expr *Ptr = TheCall->getArg(0); 514 Ptr = DefaultFunctionArrayLvalueConversion(Ptr).get(); 515 const PointerType *pointerType = Ptr->getType()->getAs<PointerType>(); 516 if (!pointerType) { 517 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic) 518 << Ptr->getType() << Ptr->getSourceRange(); 519 return ExprError(); 520 } 521 522 QualType AtomTy = pointerType->getPointeeType(); 523 if (!AtomTy->isAtomicType()) { 524 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic) 525 << Ptr->getType() << Ptr->getSourceRange(); 526 return ExprError(); 527 } 528 QualType ValType = AtomTy->getAs<AtomicType>()->getValueType(); 529 530 if ((Op == AtomicExpr::Add || Op == AtomicExpr::Sub) && 531 !ValType->isIntegerType() && !ValType->isPointerType()) { 532 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic_int_or_ptr) 533 << Ptr->getType() << Ptr->getSourceRange(); 534 return ExprError(); 535 } 536 537 if (!ValType->isIntegerType() && 538 (Op == AtomicExpr::And || Op == AtomicExpr::Or || Op == AtomicExpr::Xor)){ 539 Diag(DRE->getLocStart(), diag::err_atomic_op_logical_needs_atomic_int) 540 << Ptr->getType() << Ptr->getSourceRange(); 541 return ExprError(); 542 } 543 544 switch (ValType.getObjCLifetime()) { 545 case Qualifiers::OCL_None: 546 case Qualifiers::OCL_ExplicitNone: 547 // okay 548 break; 549 550 case Qualifiers::OCL_Weak: 551 case Qualifiers::OCL_Strong: 552 case Qualifiers::OCL_Autoreleasing: 553 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 554 << ValType << Ptr->getSourceRange(); 555 return ExprError(); 556 } 557 558 QualType ResultType = ValType; 559 if (Op == AtomicExpr::Store) 560 ResultType = Context.VoidTy; 561 else if (Op == AtomicExpr::CmpXchgWeak || Op == AtomicExpr::CmpXchgStrong) 562 ResultType = Context.BoolTy; 563 564 // The first argument --- the pointer --- has a fixed type; we 565 // deduce the types of the rest of the arguments accordingly. Walk 566 // the remaining arguments, converting them to the deduced value type. 567 for (unsigned i = 1; i != NumVals+NumOrders+1; ++i) { 568 ExprResult Arg = TheCall->getArg(i); 569 QualType Ty; 570 if (i < NumVals+1) { 571 // The second argument to a cmpxchg is a pointer to the data which will 572 // be exchanged. The second argument to a pointer add/subtract is the 573 // amount to add/subtract, which must be a ptrdiff_t. The third 574 // argument to a cmpxchg and the second argument in all other cases 575 // is the type of the value. 576 if (i == 1 && (Op == AtomicExpr::CmpXchgWeak || 577 Op == AtomicExpr::CmpXchgStrong)) 578 Ty = Context.getPointerType(ValType.getUnqualifiedType()); 579 else if (!ValType->isIntegerType() && 580 (Op == AtomicExpr::Add || Op == AtomicExpr::Sub)) 581 Ty = Context.getPointerDiffType(); 582 else 583 Ty = ValType; 584 } else { 585 // The order(s) are always converted to int. 586 Ty = Context.IntTy; 587 } 588 InitializedEntity Entity = 589 InitializedEntity::InitializeParameter(Context, Ty, false); 590 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg); 591 if (Arg.isInvalid()) 592 return true; 593 TheCall->setArg(i, Arg.get()); 594 } 595 596 SmallVector<Expr*, 5> SubExprs; 597 SubExprs.push_back(Ptr); 598 if (Op == AtomicExpr::Load) { 599 SubExprs.push_back(TheCall->getArg(1)); // Order 600 } else if (Op != AtomicExpr::CmpXchgWeak && Op != AtomicExpr::CmpXchgStrong) { 601 SubExprs.push_back(TheCall->getArg(2)); // Order 602 SubExprs.push_back(TheCall->getArg(1)); // Val1 603 } else { 604 SubExprs.push_back(TheCall->getArg(3)); // Order 605 SubExprs.push_back(TheCall->getArg(1)); // Val1 606 SubExprs.push_back(TheCall->getArg(2)); // Val2 607 SubExprs.push_back(TheCall->getArg(4)); // OrderFail 608 } 609 610 return Owned(new (Context) AtomicExpr(TheCall->getCallee()->getLocStart(), 611 SubExprs.data(), SubExprs.size(), 612 ResultType, Op, 613 TheCall->getRParenLoc())); 614} 615 616 617/// checkBuiltinArgument - Given a call to a builtin function, perform 618/// normal type-checking on the given argument, updating the call in 619/// place. This is useful when a builtin function requires custom 620/// type-checking for some of its arguments but not necessarily all of 621/// them. 622/// 623/// Returns true on error. 624static bool checkBuiltinArgument(Sema &S, CallExpr *E, unsigned ArgIndex) { 625 FunctionDecl *Fn = E->getDirectCallee(); 626 assert(Fn && "builtin call without direct callee!"); 627 628 ParmVarDecl *Param = Fn->getParamDecl(ArgIndex); 629 InitializedEntity Entity = 630 InitializedEntity::InitializeParameter(S.Context, Param); 631 632 ExprResult Arg = E->getArg(0); 633 Arg = S.PerformCopyInitialization(Entity, SourceLocation(), Arg); 634 if (Arg.isInvalid()) 635 return true; 636 637 E->setArg(ArgIndex, Arg.take()); 638 return false; 639} 640 641/// SemaBuiltinAtomicOverloaded - We have a call to a function like 642/// __sync_fetch_and_add, which is an overloaded function based on the pointer 643/// type of its first argument. The main ActOnCallExpr routines have already 644/// promoted the types of arguments because all of these calls are prototyped as 645/// void(...). 646/// 647/// This function goes through and does final semantic checking for these 648/// builtins, 649ExprResult 650Sema::SemaBuiltinAtomicOverloaded(ExprResult TheCallResult) { 651 CallExpr *TheCall = (CallExpr *)TheCallResult.get(); 652 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 653 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 654 655 // Ensure that we have at least one argument to do type inference from. 656 if (TheCall->getNumArgs() < 1) { 657 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 658 << 0 << 1 << TheCall->getNumArgs() 659 << TheCall->getCallee()->getSourceRange(); 660 return ExprError(); 661 } 662 663 // Inspect the first argument of the atomic builtin. This should always be 664 // a pointer type, whose element is an integral scalar or pointer type. 665 // Because it is a pointer type, we don't have to worry about any implicit 666 // casts here. 667 // FIXME: We don't allow floating point scalars as input. 668 Expr *FirstArg = TheCall->getArg(0); 669 const PointerType *pointerType = FirstArg->getType()->getAs<PointerType>(); 670 if (!pointerType) { 671 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 672 << FirstArg->getType() << FirstArg->getSourceRange(); 673 return ExprError(); 674 } 675 676 QualType ValType = pointerType->getPointeeType(); 677 if (!ValType->isIntegerType() && !ValType->isAnyPointerType() && 678 !ValType->isBlockPointerType()) { 679 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer_intptr) 680 << FirstArg->getType() << FirstArg->getSourceRange(); 681 return ExprError(); 682 } 683 684 switch (ValType.getObjCLifetime()) { 685 case Qualifiers::OCL_None: 686 case Qualifiers::OCL_ExplicitNone: 687 // okay 688 break; 689 690 case Qualifiers::OCL_Weak: 691 case Qualifiers::OCL_Strong: 692 case Qualifiers::OCL_Autoreleasing: 693 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 694 << ValType << FirstArg->getSourceRange(); 695 return ExprError(); 696 } 697 698 // Strip any qualifiers off ValType. 699 ValType = ValType.getUnqualifiedType(); 700 701 // The majority of builtins return a value, but a few have special return 702 // types, so allow them to override appropriately below. 703 QualType ResultType = ValType; 704 705 // We need to figure out which concrete builtin this maps onto. For example, 706 // __sync_fetch_and_add with a 2 byte object turns into 707 // __sync_fetch_and_add_2. 708#define BUILTIN_ROW(x) \ 709 { Builtin::BI##x##_1, Builtin::BI##x##_2, Builtin::BI##x##_4, \ 710 Builtin::BI##x##_8, Builtin::BI##x##_16 } 711 712 static const unsigned BuiltinIndices[][5] = { 713 BUILTIN_ROW(__sync_fetch_and_add), 714 BUILTIN_ROW(__sync_fetch_and_sub), 715 BUILTIN_ROW(__sync_fetch_and_or), 716 BUILTIN_ROW(__sync_fetch_and_and), 717 BUILTIN_ROW(__sync_fetch_and_xor), 718 719 BUILTIN_ROW(__sync_add_and_fetch), 720 BUILTIN_ROW(__sync_sub_and_fetch), 721 BUILTIN_ROW(__sync_and_and_fetch), 722 BUILTIN_ROW(__sync_or_and_fetch), 723 BUILTIN_ROW(__sync_xor_and_fetch), 724 725 BUILTIN_ROW(__sync_val_compare_and_swap), 726 BUILTIN_ROW(__sync_bool_compare_and_swap), 727 BUILTIN_ROW(__sync_lock_test_and_set), 728 BUILTIN_ROW(__sync_lock_release), 729 BUILTIN_ROW(__sync_swap) 730 }; 731#undef BUILTIN_ROW 732 733 // Determine the index of the size. 734 unsigned SizeIndex; 735 switch (Context.getTypeSizeInChars(ValType).getQuantity()) { 736 case 1: SizeIndex = 0; break; 737 case 2: SizeIndex = 1; break; 738 case 4: SizeIndex = 2; break; 739 case 8: SizeIndex = 3; break; 740 case 16: SizeIndex = 4; break; 741 default: 742 Diag(DRE->getLocStart(), diag::err_atomic_builtin_pointer_size) 743 << FirstArg->getType() << FirstArg->getSourceRange(); 744 return ExprError(); 745 } 746 747 // Each of these builtins has one pointer argument, followed by some number of 748 // values (0, 1 or 2) followed by a potentially empty varags list of stuff 749 // that we ignore. Find out which row of BuiltinIndices to read from as well 750 // as the number of fixed args. 751 unsigned BuiltinID = FDecl->getBuiltinID(); 752 unsigned BuiltinIndex, NumFixed = 1; 753 switch (BuiltinID) { 754 default: llvm_unreachable("Unknown overloaded atomic builtin!"); 755 case Builtin::BI__sync_fetch_and_add: BuiltinIndex = 0; break; 756 case Builtin::BI__sync_fetch_and_sub: BuiltinIndex = 1; break; 757 case Builtin::BI__sync_fetch_and_or: BuiltinIndex = 2; break; 758 case Builtin::BI__sync_fetch_and_and: BuiltinIndex = 3; break; 759 case Builtin::BI__sync_fetch_and_xor: BuiltinIndex = 4; break; 760 761 case Builtin::BI__sync_add_and_fetch: BuiltinIndex = 5; break; 762 case Builtin::BI__sync_sub_and_fetch: BuiltinIndex = 6; break; 763 case Builtin::BI__sync_and_and_fetch: BuiltinIndex = 7; break; 764 case Builtin::BI__sync_or_and_fetch: BuiltinIndex = 8; break; 765 case Builtin::BI__sync_xor_and_fetch: BuiltinIndex = 9; break; 766 767 case Builtin::BI__sync_val_compare_and_swap: 768 BuiltinIndex = 10; 769 NumFixed = 2; 770 break; 771 case Builtin::BI__sync_bool_compare_and_swap: 772 BuiltinIndex = 11; 773 NumFixed = 2; 774 ResultType = Context.BoolTy; 775 break; 776 case Builtin::BI__sync_lock_test_and_set: BuiltinIndex = 12; break; 777 case Builtin::BI__sync_lock_release: 778 BuiltinIndex = 13; 779 NumFixed = 0; 780 ResultType = Context.VoidTy; 781 break; 782 case Builtin::BI__sync_swap: BuiltinIndex = 14; break; 783 } 784 785 // Now that we know how many fixed arguments we expect, first check that we 786 // have at least that many. 787 if (TheCall->getNumArgs() < 1+NumFixed) { 788 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 789 << 0 << 1+NumFixed << TheCall->getNumArgs() 790 << TheCall->getCallee()->getSourceRange(); 791 return ExprError(); 792 } 793 794 // Get the decl for the concrete builtin from this, we can tell what the 795 // concrete integer type we should convert to is. 796 unsigned NewBuiltinID = BuiltinIndices[BuiltinIndex][SizeIndex]; 797 const char *NewBuiltinName = Context.BuiltinInfo.GetName(NewBuiltinID); 798 IdentifierInfo *NewBuiltinII = PP.getIdentifierInfo(NewBuiltinName); 799 FunctionDecl *NewBuiltinDecl = 800 cast<FunctionDecl>(LazilyCreateBuiltin(NewBuiltinII, NewBuiltinID, 801 TUScope, false, DRE->getLocStart())); 802 803 // The first argument --- the pointer --- has a fixed type; we 804 // deduce the types of the rest of the arguments accordingly. Walk 805 // the remaining arguments, converting them to the deduced value type. 806 for (unsigned i = 0; i != NumFixed; ++i) { 807 ExprResult Arg = TheCall->getArg(i+1); 808 809 // If the argument is an implicit cast, then there was a promotion due to 810 // "...", just remove it now. 811 if (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Arg.get())) { 812 Arg = ICE->getSubExpr(); 813 ICE->setSubExpr(0); 814 TheCall->setArg(i+1, Arg.get()); 815 } 816 817 // GCC does an implicit conversion to the pointer or integer ValType. This 818 // can fail in some cases (1i -> int**), check for this error case now. 819 // Initialize the argument. 820 InitializedEntity Entity = InitializedEntity::InitializeParameter(Context, 821 ValType, /*consume*/ false); 822 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg); 823 if (Arg.isInvalid()) 824 return ExprError(); 825 826 // Okay, we have something that *can* be converted to the right type. Check 827 // to see if there is a potentially weird extension going on here. This can 828 // happen when you do an atomic operation on something like an char* and 829 // pass in 42. The 42 gets converted to char. This is even more strange 830 // for things like 45.123 -> char, etc. 831 // FIXME: Do this check. 832 TheCall->setArg(i+1, Arg.take()); 833 } 834 835 ASTContext& Context = this->getASTContext(); 836 837 // Create a new DeclRefExpr to refer to the new decl. 838 DeclRefExpr* NewDRE = DeclRefExpr::Create( 839 Context, 840 DRE->getQualifierLoc(), 841 NewBuiltinDecl, 842 DRE->getLocation(), 843 NewBuiltinDecl->getType(), 844 DRE->getValueKind()); 845 846 // Set the callee in the CallExpr. 847 // FIXME: This leaks the original parens and implicit casts. 848 ExprResult PromotedCall = UsualUnaryConversions(NewDRE); 849 if (PromotedCall.isInvalid()) 850 return ExprError(); 851 TheCall->setCallee(PromotedCall.take()); 852 853 // Change the result type of the call to match the original value type. This 854 // is arbitrary, but the codegen for these builtins ins design to handle it 855 // gracefully. 856 TheCall->setType(ResultType); 857 858 return move(TheCallResult); 859} 860 861/// CheckObjCString - Checks that the argument to the builtin 862/// CFString constructor is correct 863/// Note: It might also make sense to do the UTF-16 conversion here (would 864/// simplify the backend). 865bool Sema::CheckObjCString(Expr *Arg) { 866 Arg = Arg->IgnoreParenCasts(); 867 StringLiteral *Literal = dyn_cast<StringLiteral>(Arg); 868 869 if (!Literal || !Literal->isAscii()) { 870 Diag(Arg->getLocStart(), diag::err_cfstring_literal_not_string_constant) 871 << Arg->getSourceRange(); 872 return true; 873 } 874 875 if (Literal->containsNonAsciiOrNull()) { 876 StringRef String = Literal->getString(); 877 unsigned NumBytes = String.size(); 878 SmallVector<UTF16, 128> ToBuf(NumBytes); 879 const UTF8 *FromPtr = (UTF8 *)String.data(); 880 UTF16 *ToPtr = &ToBuf[0]; 881 882 ConversionResult Result = ConvertUTF8toUTF16(&FromPtr, FromPtr + NumBytes, 883 &ToPtr, ToPtr + NumBytes, 884 strictConversion); 885 // Check for conversion failure. 886 if (Result != conversionOK) 887 Diag(Arg->getLocStart(), 888 diag::warn_cfstring_truncated) << Arg->getSourceRange(); 889 } 890 return false; 891} 892 893/// SemaBuiltinVAStart - Check the arguments to __builtin_va_start for validity. 894/// Emit an error and return true on failure, return false on success. 895bool Sema::SemaBuiltinVAStart(CallExpr *TheCall) { 896 Expr *Fn = TheCall->getCallee(); 897 if (TheCall->getNumArgs() > 2) { 898 Diag(TheCall->getArg(2)->getLocStart(), 899 diag::err_typecheck_call_too_many_args) 900 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 901 << Fn->getSourceRange() 902 << SourceRange(TheCall->getArg(2)->getLocStart(), 903 (*(TheCall->arg_end()-1))->getLocEnd()); 904 return true; 905 } 906 907 if (TheCall->getNumArgs() < 2) { 908 return Diag(TheCall->getLocEnd(), 909 diag::err_typecheck_call_too_few_args_at_least) 910 << 0 /*function call*/ << 2 << TheCall->getNumArgs(); 911 } 912 913 // Type-check the first argument normally. 914 if (checkBuiltinArgument(*this, TheCall, 0)) 915 return true; 916 917 // Determine whether the current function is variadic or not. 918 BlockScopeInfo *CurBlock = getCurBlock(); 919 bool isVariadic; 920 if (CurBlock) 921 isVariadic = CurBlock->TheDecl->isVariadic(); 922 else if (FunctionDecl *FD = getCurFunctionDecl()) 923 isVariadic = FD->isVariadic(); 924 else 925 isVariadic = getCurMethodDecl()->isVariadic(); 926 927 if (!isVariadic) { 928 Diag(Fn->getLocStart(), diag::err_va_start_used_in_non_variadic_function); 929 return true; 930 } 931 932 // Verify that the second argument to the builtin is the last argument of the 933 // current function or method. 934 bool SecondArgIsLastNamedArgument = false; 935 const Expr *Arg = TheCall->getArg(1)->IgnoreParenCasts(); 936 937 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Arg)) { 938 if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(DR->getDecl())) { 939 // FIXME: This isn't correct for methods (results in bogus warning). 940 // Get the last formal in the current function. 941 const ParmVarDecl *LastArg; 942 if (CurBlock) 943 LastArg = *(CurBlock->TheDecl->param_end()-1); 944 else if (FunctionDecl *FD = getCurFunctionDecl()) 945 LastArg = *(FD->param_end()-1); 946 else 947 LastArg = *(getCurMethodDecl()->param_end()-1); 948 SecondArgIsLastNamedArgument = PV == LastArg; 949 } 950 } 951 952 if (!SecondArgIsLastNamedArgument) 953 Diag(TheCall->getArg(1)->getLocStart(), 954 diag::warn_second_parameter_of_va_start_not_last_named_argument); 955 return false; 956} 957 958/// SemaBuiltinUnorderedCompare - Handle functions like __builtin_isgreater and 959/// friends. This is declared to take (...), so we have to check everything. 960bool Sema::SemaBuiltinUnorderedCompare(CallExpr *TheCall) { 961 if (TheCall->getNumArgs() < 2) 962 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 963 << 0 << 2 << TheCall->getNumArgs()/*function call*/; 964 if (TheCall->getNumArgs() > 2) 965 return Diag(TheCall->getArg(2)->getLocStart(), 966 diag::err_typecheck_call_too_many_args) 967 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 968 << SourceRange(TheCall->getArg(2)->getLocStart(), 969 (*(TheCall->arg_end()-1))->getLocEnd()); 970 971 ExprResult OrigArg0 = TheCall->getArg(0); 972 ExprResult OrigArg1 = TheCall->getArg(1); 973 974 // Do standard promotions between the two arguments, returning their common 975 // type. 976 QualType Res = UsualArithmeticConversions(OrigArg0, OrigArg1, false); 977 if (OrigArg0.isInvalid() || OrigArg1.isInvalid()) 978 return true; 979 980 // Make sure any conversions are pushed back into the call; this is 981 // type safe since unordered compare builtins are declared as "_Bool 982 // foo(...)". 983 TheCall->setArg(0, OrigArg0.get()); 984 TheCall->setArg(1, OrigArg1.get()); 985 986 if (OrigArg0.get()->isTypeDependent() || OrigArg1.get()->isTypeDependent()) 987 return false; 988 989 // If the common type isn't a real floating type, then the arguments were 990 // invalid for this operation. 991 if (!Res->isRealFloatingType()) 992 return Diag(OrigArg0.get()->getLocStart(), 993 diag::err_typecheck_call_invalid_ordered_compare) 994 << OrigArg0.get()->getType() << OrigArg1.get()->getType() 995 << SourceRange(OrigArg0.get()->getLocStart(), OrigArg1.get()->getLocEnd()); 996 997 return false; 998} 999 1000/// SemaBuiltinSemaBuiltinFPClassification - Handle functions like 1001/// __builtin_isnan and friends. This is declared to take (...), so we have 1002/// to check everything. We expect the last argument to be a floating point 1003/// value. 1004bool Sema::SemaBuiltinFPClassification(CallExpr *TheCall, unsigned NumArgs) { 1005 if (TheCall->getNumArgs() < NumArgs) 1006 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 1007 << 0 << NumArgs << TheCall->getNumArgs()/*function call*/; 1008 if (TheCall->getNumArgs() > NumArgs) 1009 return Diag(TheCall->getArg(NumArgs)->getLocStart(), 1010 diag::err_typecheck_call_too_many_args) 1011 << 0 /*function call*/ << NumArgs << TheCall->getNumArgs() 1012 << SourceRange(TheCall->getArg(NumArgs)->getLocStart(), 1013 (*(TheCall->arg_end()-1))->getLocEnd()); 1014 1015 Expr *OrigArg = TheCall->getArg(NumArgs-1); 1016 1017 if (OrigArg->isTypeDependent()) 1018 return false; 1019 1020 // This operation requires a non-_Complex floating-point number. 1021 if (!OrigArg->getType()->isRealFloatingType()) 1022 return Diag(OrigArg->getLocStart(), 1023 diag::err_typecheck_call_invalid_unary_fp) 1024 << OrigArg->getType() << OrigArg->getSourceRange(); 1025 1026 // If this is an implicit conversion from float -> double, remove it. 1027 if (ImplicitCastExpr *Cast = dyn_cast<ImplicitCastExpr>(OrigArg)) { 1028 Expr *CastArg = Cast->getSubExpr(); 1029 if (CastArg->getType()->isSpecificBuiltinType(BuiltinType::Float)) { 1030 assert(Cast->getType()->isSpecificBuiltinType(BuiltinType::Double) && 1031 "promotion from float to double is the only expected cast here"); 1032 Cast->setSubExpr(0); 1033 TheCall->setArg(NumArgs-1, CastArg); 1034 OrigArg = CastArg; 1035 } 1036 } 1037 1038 return false; 1039} 1040 1041/// SemaBuiltinShuffleVector - Handle __builtin_shufflevector. 1042// This is declared to take (...), so we have to check everything. 1043ExprResult Sema::SemaBuiltinShuffleVector(CallExpr *TheCall) { 1044 if (TheCall->getNumArgs() < 2) 1045 return ExprError(Diag(TheCall->getLocEnd(), 1046 diag::err_typecheck_call_too_few_args_at_least) 1047 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 1048 << TheCall->getSourceRange()); 1049 1050 // Determine which of the following types of shufflevector we're checking: 1051 // 1) unary, vector mask: (lhs, mask) 1052 // 2) binary, vector mask: (lhs, rhs, mask) 1053 // 3) binary, scalar mask: (lhs, rhs, index, ..., index) 1054 QualType resType = TheCall->getArg(0)->getType(); 1055 unsigned numElements = 0; 1056 1057 if (!TheCall->getArg(0)->isTypeDependent() && 1058 !TheCall->getArg(1)->isTypeDependent()) { 1059 QualType LHSType = TheCall->getArg(0)->getType(); 1060 QualType RHSType = TheCall->getArg(1)->getType(); 1061 1062 if (!LHSType->isVectorType() || !RHSType->isVectorType()) { 1063 Diag(TheCall->getLocStart(), diag::err_shufflevector_non_vector) 1064 << SourceRange(TheCall->getArg(0)->getLocStart(), 1065 TheCall->getArg(1)->getLocEnd()); 1066 return ExprError(); 1067 } 1068 1069 numElements = LHSType->getAs<VectorType>()->getNumElements(); 1070 unsigned numResElements = TheCall->getNumArgs() - 2; 1071 1072 // Check to see if we have a call with 2 vector arguments, the unary shuffle 1073 // with mask. If so, verify that RHS is an integer vector type with the 1074 // same number of elts as lhs. 1075 if (TheCall->getNumArgs() == 2) { 1076 if (!RHSType->hasIntegerRepresentation() || 1077 RHSType->getAs<VectorType>()->getNumElements() != numElements) 1078 Diag(TheCall->getLocStart(), diag::err_shufflevector_incompatible_vector) 1079 << SourceRange(TheCall->getArg(1)->getLocStart(), 1080 TheCall->getArg(1)->getLocEnd()); 1081 numResElements = numElements; 1082 } 1083 else if (!Context.hasSameUnqualifiedType(LHSType, RHSType)) { 1084 Diag(TheCall->getLocStart(), diag::err_shufflevector_incompatible_vector) 1085 << SourceRange(TheCall->getArg(0)->getLocStart(), 1086 TheCall->getArg(1)->getLocEnd()); 1087 return ExprError(); 1088 } else if (numElements != numResElements) { 1089 QualType eltType = LHSType->getAs<VectorType>()->getElementType(); 1090 resType = Context.getVectorType(eltType, numResElements, 1091 VectorType::GenericVector); 1092 } 1093 } 1094 1095 for (unsigned i = 2; i < TheCall->getNumArgs(); i++) { 1096 if (TheCall->getArg(i)->isTypeDependent() || 1097 TheCall->getArg(i)->isValueDependent()) 1098 continue; 1099 1100 llvm::APSInt Result(32); 1101 if (!TheCall->getArg(i)->isIntegerConstantExpr(Result, Context)) 1102 return ExprError(Diag(TheCall->getLocStart(), 1103 diag::err_shufflevector_nonconstant_argument) 1104 << TheCall->getArg(i)->getSourceRange()); 1105 1106 if (Result.getActiveBits() > 64 || Result.getZExtValue() >= numElements*2) 1107 return ExprError(Diag(TheCall->getLocStart(), 1108 diag::err_shufflevector_argument_too_large) 1109 << TheCall->getArg(i)->getSourceRange()); 1110 } 1111 1112 SmallVector<Expr*, 32> exprs; 1113 1114 for (unsigned i = 0, e = TheCall->getNumArgs(); i != e; i++) { 1115 exprs.push_back(TheCall->getArg(i)); 1116 TheCall->setArg(i, 0); 1117 } 1118 1119 return Owned(new (Context) ShuffleVectorExpr(Context, exprs.begin(), 1120 exprs.size(), resType, 1121 TheCall->getCallee()->getLocStart(), 1122 TheCall->getRParenLoc())); 1123} 1124 1125/// SemaBuiltinPrefetch - Handle __builtin_prefetch. 1126// This is declared to take (const void*, ...) and can take two 1127// optional constant int args. 1128bool Sema::SemaBuiltinPrefetch(CallExpr *TheCall) { 1129 unsigned NumArgs = TheCall->getNumArgs(); 1130 1131 if (NumArgs > 3) 1132 return Diag(TheCall->getLocEnd(), 1133 diag::err_typecheck_call_too_many_args_at_most) 1134 << 0 /*function call*/ << 3 << NumArgs 1135 << TheCall->getSourceRange(); 1136 1137 // Argument 0 is checked for us and the remaining arguments must be 1138 // constant integers. 1139 for (unsigned i = 1; i != NumArgs; ++i) { 1140 Expr *Arg = TheCall->getArg(i); 1141 1142 llvm::APSInt Result; 1143 if (SemaBuiltinConstantArg(TheCall, i, Result)) 1144 return true; 1145 1146 // FIXME: gcc issues a warning and rewrites these to 0. These 1147 // seems especially odd for the third argument since the default 1148 // is 3. 1149 if (i == 1) { 1150 if (Result.getLimitedValue() > 1) 1151 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 1152 << "0" << "1" << Arg->getSourceRange(); 1153 } else { 1154 if (Result.getLimitedValue() > 3) 1155 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 1156 << "0" << "3" << Arg->getSourceRange(); 1157 } 1158 } 1159 1160 return false; 1161} 1162 1163/// SemaBuiltinConstantArg - Handle a check if argument ArgNum of CallExpr 1164/// TheCall is a constant expression. 1165bool Sema::SemaBuiltinConstantArg(CallExpr *TheCall, int ArgNum, 1166 llvm::APSInt &Result) { 1167 Expr *Arg = TheCall->getArg(ArgNum); 1168 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 1169 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 1170 1171 if (Arg->isTypeDependent() || Arg->isValueDependent()) return false; 1172 1173 if (!Arg->isIntegerConstantExpr(Result, Context)) 1174 return Diag(TheCall->getLocStart(), diag::err_constant_integer_arg_type) 1175 << FDecl->getDeclName() << Arg->getSourceRange(); 1176 1177 return false; 1178} 1179 1180/// SemaBuiltinObjectSize - Handle __builtin_object_size(void *ptr, 1181/// int type). This simply type checks that type is one of the defined 1182/// constants (0-3). 1183// For compatibility check 0-3, llvm only handles 0 and 2. 1184bool Sema::SemaBuiltinObjectSize(CallExpr *TheCall) { 1185 llvm::APSInt Result; 1186 1187 // Check constant-ness first. 1188 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 1189 return true; 1190 1191 Expr *Arg = TheCall->getArg(1); 1192 if (Result.getSExtValue() < 0 || Result.getSExtValue() > 3) { 1193 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 1194 << "0" << "3" << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 1195 } 1196 1197 return false; 1198} 1199 1200/// SemaBuiltinLongjmp - Handle __builtin_longjmp(void *env[5], int val). 1201/// This checks that val is a constant 1. 1202bool Sema::SemaBuiltinLongjmp(CallExpr *TheCall) { 1203 Expr *Arg = TheCall->getArg(1); 1204 llvm::APSInt Result; 1205 1206 // TODO: This is less than ideal. Overload this to take a value. 1207 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 1208 return true; 1209 1210 if (Result != 1) 1211 return Diag(TheCall->getLocStart(), diag::err_builtin_longjmp_invalid_val) 1212 << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 1213 1214 return false; 1215} 1216 1217// Handle i > 1 ? "x" : "y", recursively. 1218bool Sema::SemaCheckStringLiteral(const Expr *E, const CallExpr *TheCall, 1219 bool HasVAListArg, 1220 unsigned format_idx, unsigned firstDataArg, 1221 bool isPrintf) { 1222 tryAgain: 1223 if (E->isTypeDependent() || E->isValueDependent()) 1224 return false; 1225 1226 E = E->IgnoreParens(); 1227 1228 switch (E->getStmtClass()) { 1229 case Stmt::BinaryConditionalOperatorClass: 1230 case Stmt::ConditionalOperatorClass: { 1231 const AbstractConditionalOperator *C = cast<AbstractConditionalOperator>(E); 1232 return SemaCheckStringLiteral(C->getTrueExpr(), TheCall, HasVAListArg, 1233 format_idx, firstDataArg, isPrintf) 1234 && SemaCheckStringLiteral(C->getFalseExpr(), TheCall, HasVAListArg, 1235 format_idx, firstDataArg, isPrintf); 1236 } 1237 1238 case Stmt::IntegerLiteralClass: 1239 // Technically -Wformat-nonliteral does not warn about this case. 1240 // The behavior of printf and friends in this case is implementation 1241 // dependent. Ideally if the format string cannot be null then 1242 // it should have a 'nonnull' attribute in the function prototype. 1243 return true; 1244 1245 case Stmt::ImplicitCastExprClass: { 1246 E = cast<ImplicitCastExpr>(E)->getSubExpr(); 1247 goto tryAgain; 1248 } 1249 1250 case Stmt::OpaqueValueExprClass: 1251 if (const Expr *src = cast<OpaqueValueExpr>(E)->getSourceExpr()) { 1252 E = src; 1253 goto tryAgain; 1254 } 1255 return false; 1256 1257 case Stmt::PredefinedExprClass: 1258 // While __func__, etc., are technically not string literals, they 1259 // cannot contain format specifiers and thus are not a security 1260 // liability. 1261 return true; 1262 1263 case Stmt::DeclRefExprClass: { 1264 const DeclRefExpr *DR = cast<DeclRefExpr>(E); 1265 1266 // As an exception, do not flag errors for variables binding to 1267 // const string literals. 1268 if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) { 1269 bool isConstant = false; 1270 QualType T = DR->getType(); 1271 1272 if (const ArrayType *AT = Context.getAsArrayType(T)) { 1273 isConstant = AT->getElementType().isConstant(Context); 1274 } else if (const PointerType *PT = T->getAs<PointerType>()) { 1275 isConstant = T.isConstant(Context) && 1276 PT->getPointeeType().isConstant(Context); 1277 } 1278 1279 if (isConstant) { 1280 if (const Expr *Init = VD->getAnyInitializer()) 1281 return SemaCheckStringLiteral(Init, TheCall, 1282 HasVAListArg, format_idx, firstDataArg, 1283 isPrintf); 1284 } 1285 1286 // For vprintf* functions (i.e., HasVAListArg==true), we add a 1287 // special check to see if the format string is a function parameter 1288 // of the function calling the printf function. If the function 1289 // has an attribute indicating it is a printf-like function, then we 1290 // should suppress warnings concerning non-literals being used in a call 1291 // to a vprintf function. For example: 1292 // 1293 // void 1294 // logmessage(char const *fmt __attribute__ (format (printf, 1, 2)), ...){ 1295 // va_list ap; 1296 // va_start(ap, fmt); 1297 // vprintf(fmt, ap); // Do NOT emit a warning about "fmt". 1298 // ... 1299 // 1300 // 1301 // FIXME: We don't have full attribute support yet, so just check to see 1302 // if the argument is a DeclRefExpr that references a parameter. We'll 1303 // add proper support for checking the attribute later. 1304 if (HasVAListArg) 1305 if (isa<ParmVarDecl>(VD)) 1306 return true; 1307 } 1308 1309 return false; 1310 } 1311 1312 case Stmt::CallExprClass: { 1313 const CallExpr *CE = cast<CallExpr>(E); 1314 if (const ImplicitCastExpr *ICE 1315 = dyn_cast<ImplicitCastExpr>(CE->getCallee())) { 1316 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(ICE->getSubExpr())) { 1317 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(DRE->getDecl())) { 1318 if (const FormatArgAttr *FA = FD->getAttr<FormatArgAttr>()) { 1319 unsigned ArgIndex = FA->getFormatIdx(); 1320 const Expr *Arg = CE->getArg(ArgIndex - 1); 1321 1322 return SemaCheckStringLiteral(Arg, TheCall, HasVAListArg, 1323 format_idx, firstDataArg, isPrintf); 1324 } 1325 } 1326 } 1327 } 1328 1329 return false; 1330 } 1331 case Stmt::ObjCStringLiteralClass: 1332 case Stmt::StringLiteralClass: { 1333 const StringLiteral *StrE = NULL; 1334 1335 if (const ObjCStringLiteral *ObjCFExpr = dyn_cast<ObjCStringLiteral>(E)) 1336 StrE = ObjCFExpr->getString(); 1337 else 1338 StrE = cast<StringLiteral>(E); 1339 1340 if (StrE) { 1341 CheckFormatString(StrE, E, TheCall, HasVAListArg, format_idx, 1342 firstDataArg, isPrintf); 1343 return true; 1344 } 1345 1346 return false; 1347 } 1348 1349 default: 1350 return false; 1351 } 1352} 1353 1354void 1355Sema::CheckNonNullArguments(const NonNullAttr *NonNull, 1356 const Expr * const *ExprArgs, 1357 SourceLocation CallSiteLoc) { 1358 for (NonNullAttr::args_iterator i = NonNull->args_begin(), 1359 e = NonNull->args_end(); 1360 i != e; ++i) { 1361 const Expr *ArgExpr = ExprArgs[*i]; 1362 if (ArgExpr->isNullPointerConstant(Context, 1363 Expr::NPC_ValueDependentIsNotNull)) 1364 Diag(CallSiteLoc, diag::warn_null_arg) << ArgExpr->getSourceRange(); 1365 } 1366} 1367 1368static void DiagnoseCalleeStaticArrayParam(Sema &S, ParmVarDecl *PVD) { 1369 TypeLoc TL = PVD->getTypeSourceInfo()->getTypeLoc(); 1370 if (ArrayTypeLoc *ATL = dyn_cast<ArrayTypeLoc>(&TL)) 1371 S.Diag(PVD->getLocation(), diag::note_callee_static_array) 1372 << ATL->getLocalSourceRange(); 1373} 1374 1375/// CheckStaticArrayArguments - Check that each argument corresponding to a 1376/// static array parameter is non-null, and that if it is formed by 1377/// array-to-pointer decay, the underlying array is sufficiently large. 1378/// 1379/// C99 6.7.5.3p7: If the keyword static also appears within the [ and ] of the 1380/// array type derivation, then for each call to the function, the value of the 1381/// corresponding actual argument shall provide access to the first element of 1382/// an array with at least as many elements as specified by the size expression. 1383void 1384Sema::CheckStaticArrayArguments(const FunctionDecl *FDecl, 1385 const Expr * const *ExprArgs, 1386 SourceLocation CallSiteLoc) { 1387 // Static array parameters are not supported in C++. 1388 if (getLangOptions().CPlusPlus) 1389 return; 1390 1391 for (FunctionDecl::param_const_iterator i = FDecl->param_begin(), 1392 e = FDecl->param_end(); i != e; ++i, ++ExprArgs) { 1393 const Expr *ArgExpr = *ExprArgs; 1394 QualType OrigTy = (*i)->getOriginalType(); 1395 1396 const ArrayType *AT = Context.getAsArrayType(OrigTy); 1397 if (!AT || AT->getSizeModifier() != ArrayType::Static) 1398 continue; 1399 1400 if (ArgExpr->isNullPointerConstant(Context, 1401 Expr::NPC_NeverValueDependent)) { 1402 Diag(CallSiteLoc, diag::warn_null_arg) << ArgExpr->getSourceRange(); 1403 DiagnoseCalleeStaticArrayParam(*this, *i); 1404 continue; 1405 } 1406 1407 const ConstantArrayType *CAT = dyn_cast<ConstantArrayType>(AT); 1408 if (!CAT) 1409 continue; 1410 1411 const ConstantArrayType *ArgCAT = 1412 Context.getAsConstantArrayType(ArgExpr->IgnoreParenImpCasts()->getType()); 1413 if (!ArgCAT) 1414 continue; 1415 1416 if (ArgCAT->getSize().ult(CAT->getSize())) { 1417 Diag(CallSiteLoc, diag::warn_static_array_too_small) 1418 << ArgExpr->getSourceRange() 1419 << (unsigned) ArgCAT->getSize().getZExtValue() 1420 << (unsigned) CAT->getSize().getZExtValue(); 1421 DiagnoseCalleeStaticArrayParam(*this, *i); 1422 } 1423 } 1424} 1425 1426/// CheckPrintfScanfArguments - Check calls to printf and scanf (and similar 1427/// functions) for correct use of format strings. 1428void 1429Sema::CheckPrintfScanfArguments(const CallExpr *TheCall, bool HasVAListArg, 1430 unsigned format_idx, unsigned firstDataArg, 1431 bool isPrintf) { 1432 1433 const Expr *Fn = TheCall->getCallee(); 1434 1435 // The way the format attribute works in GCC, the implicit this argument 1436 // of member functions is counted. However, it doesn't appear in our own 1437 // lists, so decrement format_idx in that case. 1438 if (isa<CXXMemberCallExpr>(TheCall)) { 1439 const CXXMethodDecl *method_decl = 1440 dyn_cast<CXXMethodDecl>(TheCall->getCalleeDecl()); 1441 if (method_decl && method_decl->isInstance()) { 1442 // Catch a format attribute mistakenly referring to the object argument. 1443 if (format_idx == 0) 1444 return; 1445 --format_idx; 1446 if(firstDataArg != 0) 1447 --firstDataArg; 1448 } 1449 } 1450 1451 // CHECK: printf/scanf-like function is called with no format string. 1452 if (format_idx >= TheCall->getNumArgs()) { 1453 Diag(TheCall->getRParenLoc(), diag::warn_missing_format_string) 1454 << Fn->getSourceRange(); 1455 return; 1456 } 1457 1458 const Expr *OrigFormatExpr = TheCall->getArg(format_idx)->IgnoreParenCasts(); 1459 1460 // CHECK: format string is not a string literal. 1461 // 1462 // Dynamically generated format strings are difficult to 1463 // automatically vet at compile time. Requiring that format strings 1464 // are string literals: (1) permits the checking of format strings by 1465 // the compiler and thereby (2) can practically remove the source of 1466 // many format string exploits. 1467 1468 // Format string can be either ObjC string (e.g. @"%d") or 1469 // C string (e.g. "%d") 1470 // ObjC string uses the same format specifiers as C string, so we can use 1471 // the same format string checking logic for both ObjC and C strings. 1472 if (SemaCheckStringLiteral(OrigFormatExpr, TheCall, HasVAListArg, format_idx, 1473 firstDataArg, isPrintf)) 1474 return; // Literal format string found, check done! 1475 1476 // If there are no arguments specified, warn with -Wformat-security, otherwise 1477 // warn only with -Wformat-nonliteral. 1478 if (TheCall->getNumArgs() == format_idx+1) 1479 Diag(TheCall->getArg(format_idx)->getLocStart(), 1480 diag::warn_format_nonliteral_noargs) 1481 << OrigFormatExpr->getSourceRange(); 1482 else 1483 Diag(TheCall->getArg(format_idx)->getLocStart(), 1484 diag::warn_format_nonliteral) 1485 << OrigFormatExpr->getSourceRange(); 1486} 1487 1488namespace { 1489class CheckFormatHandler : public analyze_format_string::FormatStringHandler { 1490protected: 1491 Sema &S; 1492 const StringLiteral *FExpr; 1493 const Expr *OrigFormatExpr; 1494 const unsigned FirstDataArg; 1495 const unsigned NumDataArgs; 1496 const bool IsObjCLiteral; 1497 const char *Beg; // Start of format string. 1498 const bool HasVAListArg; 1499 const CallExpr *TheCall; 1500 unsigned FormatIdx; 1501 llvm::BitVector CoveredArgs; 1502 bool usesPositionalArgs; 1503 bool atFirstArg; 1504public: 1505 CheckFormatHandler(Sema &s, const StringLiteral *fexpr, 1506 const Expr *origFormatExpr, unsigned firstDataArg, 1507 unsigned numDataArgs, bool isObjCLiteral, 1508 const char *beg, bool hasVAListArg, 1509 const CallExpr *theCall, unsigned formatIdx) 1510 : S(s), FExpr(fexpr), OrigFormatExpr(origFormatExpr), 1511 FirstDataArg(firstDataArg), 1512 NumDataArgs(numDataArgs), 1513 IsObjCLiteral(isObjCLiteral), Beg(beg), 1514 HasVAListArg(hasVAListArg), 1515 TheCall(theCall), FormatIdx(formatIdx), 1516 usesPositionalArgs(false), atFirstArg(true) { 1517 CoveredArgs.resize(numDataArgs); 1518 CoveredArgs.reset(); 1519 } 1520 1521 void DoneProcessing(); 1522 1523 void HandleIncompleteSpecifier(const char *startSpecifier, 1524 unsigned specifierLen); 1525 1526 virtual void HandleInvalidPosition(const char *startSpecifier, 1527 unsigned specifierLen, 1528 analyze_format_string::PositionContext p); 1529 1530 virtual void HandleZeroPosition(const char *startPos, unsigned posLen); 1531 1532 void HandleNullChar(const char *nullCharacter); 1533 1534protected: 1535 bool HandleInvalidConversionSpecifier(unsigned argIndex, SourceLocation Loc, 1536 const char *startSpec, 1537 unsigned specifierLen, 1538 const char *csStart, unsigned csLen); 1539 1540 SourceRange getFormatStringRange(); 1541 CharSourceRange getSpecifierRange(const char *startSpecifier, 1542 unsigned specifierLen); 1543 SourceLocation getLocationOfByte(const char *x); 1544 1545 const Expr *getDataArg(unsigned i) const; 1546 1547 bool CheckNumArgs(const analyze_format_string::FormatSpecifier &FS, 1548 const analyze_format_string::ConversionSpecifier &CS, 1549 const char *startSpecifier, unsigned specifierLen, 1550 unsigned argIndex); 1551}; 1552} 1553 1554SourceRange CheckFormatHandler::getFormatStringRange() { 1555 return OrigFormatExpr->getSourceRange(); 1556} 1557 1558CharSourceRange CheckFormatHandler:: 1559getSpecifierRange(const char *startSpecifier, unsigned specifierLen) { 1560 SourceLocation Start = getLocationOfByte(startSpecifier); 1561 SourceLocation End = getLocationOfByte(startSpecifier + specifierLen - 1); 1562 1563 // Advance the end SourceLocation by one due to half-open ranges. 1564 End = End.getLocWithOffset(1); 1565 1566 return CharSourceRange::getCharRange(Start, End); 1567} 1568 1569SourceLocation CheckFormatHandler::getLocationOfByte(const char *x) { 1570 return S.getLocationOfStringLiteralByte(FExpr, x - Beg); 1571} 1572 1573void CheckFormatHandler::HandleIncompleteSpecifier(const char *startSpecifier, 1574 unsigned specifierLen){ 1575 SourceLocation Loc = getLocationOfByte(startSpecifier); 1576 S.Diag(Loc, diag::warn_printf_incomplete_specifier) 1577 << getSpecifierRange(startSpecifier, specifierLen); 1578} 1579 1580void 1581CheckFormatHandler::HandleInvalidPosition(const char *startPos, unsigned posLen, 1582 analyze_format_string::PositionContext p) { 1583 SourceLocation Loc = getLocationOfByte(startPos); 1584 S.Diag(Loc, diag::warn_format_invalid_positional_specifier) 1585 << (unsigned) p << getSpecifierRange(startPos, posLen); 1586} 1587 1588void CheckFormatHandler::HandleZeroPosition(const char *startPos, 1589 unsigned posLen) { 1590 SourceLocation Loc = getLocationOfByte(startPos); 1591 S.Diag(Loc, diag::warn_format_zero_positional_specifier) 1592 << getSpecifierRange(startPos, posLen); 1593} 1594 1595void CheckFormatHandler::HandleNullChar(const char *nullCharacter) { 1596 if (!IsObjCLiteral) { 1597 // The presence of a null character is likely an error. 1598 S.Diag(getLocationOfByte(nullCharacter), 1599 diag::warn_printf_format_string_contains_null_char) 1600 << getFormatStringRange(); 1601 } 1602} 1603 1604const Expr *CheckFormatHandler::getDataArg(unsigned i) const { 1605 return TheCall->getArg(FirstDataArg + i); 1606} 1607 1608void CheckFormatHandler::DoneProcessing() { 1609 // Does the number of data arguments exceed the number of 1610 // format conversions in the format string? 1611 if (!HasVAListArg) { 1612 // Find any arguments that weren't covered. 1613 CoveredArgs.flip(); 1614 signed notCoveredArg = CoveredArgs.find_first(); 1615 if (notCoveredArg >= 0) { 1616 assert((unsigned)notCoveredArg < NumDataArgs); 1617 S.Diag(getDataArg((unsigned) notCoveredArg)->getLocStart(), 1618 diag::warn_printf_data_arg_not_used) 1619 << getFormatStringRange(); 1620 } 1621 } 1622} 1623 1624bool 1625CheckFormatHandler::HandleInvalidConversionSpecifier(unsigned argIndex, 1626 SourceLocation Loc, 1627 const char *startSpec, 1628 unsigned specifierLen, 1629 const char *csStart, 1630 unsigned csLen) { 1631 1632 bool keepGoing = true; 1633 if (argIndex < NumDataArgs) { 1634 // Consider the argument coverered, even though the specifier doesn't 1635 // make sense. 1636 CoveredArgs.set(argIndex); 1637 } 1638 else { 1639 // If argIndex exceeds the number of data arguments we 1640 // don't issue a warning because that is just a cascade of warnings (and 1641 // they may have intended '%%' anyway). We don't want to continue processing 1642 // the format string after this point, however, as we will like just get 1643 // gibberish when trying to match arguments. 1644 keepGoing = false; 1645 } 1646 1647 S.Diag(Loc, diag::warn_format_invalid_conversion) 1648 << StringRef(csStart, csLen) 1649 << getSpecifierRange(startSpec, specifierLen); 1650 1651 return keepGoing; 1652} 1653 1654bool 1655CheckFormatHandler::CheckNumArgs( 1656 const analyze_format_string::FormatSpecifier &FS, 1657 const analyze_format_string::ConversionSpecifier &CS, 1658 const char *startSpecifier, unsigned specifierLen, unsigned argIndex) { 1659 1660 if (argIndex >= NumDataArgs) { 1661 if (FS.usesPositionalArg()) { 1662 S.Diag(getLocationOfByte(CS.getStart()), 1663 diag::warn_printf_positional_arg_exceeds_data_args) 1664 << (argIndex+1) << NumDataArgs 1665 << getSpecifierRange(startSpecifier, specifierLen); 1666 } 1667 else { 1668 S.Diag(getLocationOfByte(CS.getStart()), 1669 diag::warn_printf_insufficient_data_args) 1670 << getSpecifierRange(startSpecifier, specifierLen); 1671 } 1672 1673 return false; 1674 } 1675 return true; 1676} 1677 1678//===--- CHECK: Printf format string checking ------------------------------===// 1679 1680namespace { 1681class CheckPrintfHandler : public CheckFormatHandler { 1682public: 1683 CheckPrintfHandler(Sema &s, const StringLiteral *fexpr, 1684 const Expr *origFormatExpr, unsigned firstDataArg, 1685 unsigned numDataArgs, bool isObjCLiteral, 1686 const char *beg, bool hasVAListArg, 1687 const CallExpr *theCall, unsigned formatIdx) 1688 : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg, 1689 numDataArgs, isObjCLiteral, beg, hasVAListArg, 1690 theCall, formatIdx) {} 1691 1692 1693 bool HandleInvalidPrintfConversionSpecifier( 1694 const analyze_printf::PrintfSpecifier &FS, 1695 const char *startSpecifier, 1696 unsigned specifierLen); 1697 1698 bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS, 1699 const char *startSpecifier, 1700 unsigned specifierLen); 1701 1702 bool HandleAmount(const analyze_format_string::OptionalAmount &Amt, unsigned k, 1703 const char *startSpecifier, unsigned specifierLen); 1704 void HandleInvalidAmount(const analyze_printf::PrintfSpecifier &FS, 1705 const analyze_printf::OptionalAmount &Amt, 1706 unsigned type, 1707 const char *startSpecifier, unsigned specifierLen); 1708 void HandleFlag(const analyze_printf::PrintfSpecifier &FS, 1709 const analyze_printf::OptionalFlag &flag, 1710 const char *startSpecifier, unsigned specifierLen); 1711 void HandleIgnoredFlag(const analyze_printf::PrintfSpecifier &FS, 1712 const analyze_printf::OptionalFlag &ignoredFlag, 1713 const analyze_printf::OptionalFlag &flag, 1714 const char *startSpecifier, unsigned specifierLen); 1715}; 1716} 1717 1718bool CheckPrintfHandler::HandleInvalidPrintfConversionSpecifier( 1719 const analyze_printf::PrintfSpecifier &FS, 1720 const char *startSpecifier, 1721 unsigned specifierLen) { 1722 const analyze_printf::PrintfConversionSpecifier &CS = 1723 FS.getConversionSpecifier(); 1724 1725 return HandleInvalidConversionSpecifier(FS.getArgIndex(), 1726 getLocationOfByte(CS.getStart()), 1727 startSpecifier, specifierLen, 1728 CS.getStart(), CS.getLength()); 1729} 1730 1731bool CheckPrintfHandler::HandleAmount( 1732 const analyze_format_string::OptionalAmount &Amt, 1733 unsigned k, const char *startSpecifier, 1734 unsigned specifierLen) { 1735 1736 if (Amt.hasDataArgument()) { 1737 if (!HasVAListArg) { 1738 unsigned argIndex = Amt.getArgIndex(); 1739 if (argIndex >= NumDataArgs) { 1740 S.Diag(getLocationOfByte(Amt.getStart()), 1741 diag::warn_printf_asterisk_missing_arg) 1742 << k << getSpecifierRange(startSpecifier, specifierLen); 1743 // Don't do any more checking. We will just emit 1744 // spurious errors. 1745 return false; 1746 } 1747 1748 // Type check the data argument. It should be an 'int'. 1749 // Although not in conformance with C99, we also allow the argument to be 1750 // an 'unsigned int' as that is a reasonably safe case. GCC also 1751 // doesn't emit a warning for that case. 1752 CoveredArgs.set(argIndex); 1753 const Expr *Arg = getDataArg(argIndex); 1754 QualType T = Arg->getType(); 1755 1756 const analyze_printf::ArgTypeResult &ATR = Amt.getArgType(S.Context); 1757 assert(ATR.isValid()); 1758 1759 if (!ATR.matchesType(S.Context, T)) { 1760 S.Diag(getLocationOfByte(Amt.getStart()), 1761 diag::warn_printf_asterisk_wrong_type) 1762 << k 1763 << ATR.getRepresentativeType(S.Context) << T 1764 << getSpecifierRange(startSpecifier, specifierLen) 1765 << Arg->getSourceRange(); 1766 // Don't do any more checking. We will just emit 1767 // spurious errors. 1768 return false; 1769 } 1770 } 1771 } 1772 return true; 1773} 1774 1775void CheckPrintfHandler::HandleInvalidAmount( 1776 const analyze_printf::PrintfSpecifier &FS, 1777 const analyze_printf::OptionalAmount &Amt, 1778 unsigned type, 1779 const char *startSpecifier, 1780 unsigned specifierLen) { 1781 const analyze_printf::PrintfConversionSpecifier &CS = 1782 FS.getConversionSpecifier(); 1783 switch (Amt.getHowSpecified()) { 1784 case analyze_printf::OptionalAmount::Constant: 1785 S.Diag(getLocationOfByte(Amt.getStart()), 1786 diag::warn_printf_nonsensical_optional_amount) 1787 << type 1788 << CS.toString() 1789 << getSpecifierRange(startSpecifier, specifierLen) 1790 << FixItHint::CreateRemoval(getSpecifierRange(Amt.getStart(), 1791 Amt.getConstantLength())); 1792 break; 1793 1794 default: 1795 S.Diag(getLocationOfByte(Amt.getStart()), 1796 diag::warn_printf_nonsensical_optional_amount) 1797 << type 1798 << CS.toString() 1799 << getSpecifierRange(startSpecifier, specifierLen); 1800 break; 1801 } 1802} 1803 1804void CheckPrintfHandler::HandleFlag(const analyze_printf::PrintfSpecifier &FS, 1805 const analyze_printf::OptionalFlag &flag, 1806 const char *startSpecifier, 1807 unsigned specifierLen) { 1808 // Warn about pointless flag with a fixit removal. 1809 const analyze_printf::PrintfConversionSpecifier &CS = 1810 FS.getConversionSpecifier(); 1811 S.Diag(getLocationOfByte(flag.getPosition()), 1812 diag::warn_printf_nonsensical_flag) 1813 << flag.toString() << CS.toString() 1814 << getSpecifierRange(startSpecifier, specifierLen) 1815 << FixItHint::CreateRemoval(getSpecifierRange(flag.getPosition(), 1)); 1816} 1817 1818void CheckPrintfHandler::HandleIgnoredFlag( 1819 const analyze_printf::PrintfSpecifier &FS, 1820 const analyze_printf::OptionalFlag &ignoredFlag, 1821 const analyze_printf::OptionalFlag &flag, 1822 const char *startSpecifier, 1823 unsigned specifierLen) { 1824 // Warn about ignored flag with a fixit removal. 1825 S.Diag(getLocationOfByte(ignoredFlag.getPosition()), 1826 diag::warn_printf_ignored_flag) 1827 << ignoredFlag.toString() << flag.toString() 1828 << getSpecifierRange(startSpecifier, specifierLen) 1829 << FixItHint::CreateRemoval(getSpecifierRange( 1830 ignoredFlag.getPosition(), 1)); 1831} 1832 1833bool 1834CheckPrintfHandler::HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier 1835 &FS, 1836 const char *startSpecifier, 1837 unsigned specifierLen) { 1838 1839 using namespace analyze_format_string; 1840 using namespace analyze_printf; 1841 const PrintfConversionSpecifier &CS = FS.getConversionSpecifier(); 1842 1843 if (FS.consumesDataArgument()) { 1844 if (atFirstArg) { 1845 atFirstArg = false; 1846 usesPositionalArgs = FS.usesPositionalArg(); 1847 } 1848 else if (usesPositionalArgs != FS.usesPositionalArg()) { 1849 // Cannot mix-and-match positional and non-positional arguments. 1850 S.Diag(getLocationOfByte(CS.getStart()), 1851 diag::warn_format_mix_positional_nonpositional_args) 1852 << getSpecifierRange(startSpecifier, specifierLen); 1853 return false; 1854 } 1855 } 1856 1857 // First check if the field width, precision, and conversion specifier 1858 // have matching data arguments. 1859 if (!HandleAmount(FS.getFieldWidth(), /* field width */ 0, 1860 startSpecifier, specifierLen)) { 1861 return false; 1862 } 1863 1864 if (!HandleAmount(FS.getPrecision(), /* precision */ 1, 1865 startSpecifier, specifierLen)) { 1866 return false; 1867 } 1868 1869 if (!CS.consumesDataArgument()) { 1870 // FIXME: Technically specifying a precision or field width here 1871 // makes no sense. Worth issuing a warning at some point. 1872 return true; 1873 } 1874 1875 // Consume the argument. 1876 unsigned argIndex = FS.getArgIndex(); 1877 if (argIndex < NumDataArgs) { 1878 // The check to see if the argIndex is valid will come later. 1879 // We set the bit here because we may exit early from this 1880 // function if we encounter some other error. 1881 CoveredArgs.set(argIndex); 1882 } 1883 1884 // Check for using an Objective-C specific conversion specifier 1885 // in a non-ObjC literal. 1886 if (!IsObjCLiteral && CS.isObjCArg()) { 1887 return HandleInvalidPrintfConversionSpecifier(FS, startSpecifier, 1888 specifierLen); 1889 } 1890 1891 // Check for invalid use of field width 1892 if (!FS.hasValidFieldWidth()) { 1893 HandleInvalidAmount(FS, FS.getFieldWidth(), /* field width */ 0, 1894 startSpecifier, specifierLen); 1895 } 1896 1897 // Check for invalid use of precision 1898 if (!FS.hasValidPrecision()) { 1899 HandleInvalidAmount(FS, FS.getPrecision(), /* precision */ 1, 1900 startSpecifier, specifierLen); 1901 } 1902 1903 // Check each flag does not conflict with any other component. 1904 if (!FS.hasValidThousandsGroupingPrefix()) 1905 HandleFlag(FS, FS.hasThousandsGrouping(), startSpecifier, specifierLen); 1906 if (!FS.hasValidLeadingZeros()) 1907 HandleFlag(FS, FS.hasLeadingZeros(), startSpecifier, specifierLen); 1908 if (!FS.hasValidPlusPrefix()) 1909 HandleFlag(FS, FS.hasPlusPrefix(), startSpecifier, specifierLen); 1910 if (!FS.hasValidSpacePrefix()) 1911 HandleFlag(FS, FS.hasSpacePrefix(), startSpecifier, specifierLen); 1912 if (!FS.hasValidAlternativeForm()) 1913 HandleFlag(FS, FS.hasAlternativeForm(), startSpecifier, specifierLen); 1914 if (!FS.hasValidLeftJustified()) 1915 HandleFlag(FS, FS.isLeftJustified(), startSpecifier, specifierLen); 1916 1917 // Check that flags are not ignored by another flag 1918 if (FS.hasSpacePrefix() && FS.hasPlusPrefix()) // ' ' ignored by '+' 1919 HandleIgnoredFlag(FS, FS.hasSpacePrefix(), FS.hasPlusPrefix(), 1920 startSpecifier, specifierLen); 1921 if (FS.hasLeadingZeros() && FS.isLeftJustified()) // '0' ignored by '-' 1922 HandleIgnoredFlag(FS, FS.hasLeadingZeros(), FS.isLeftJustified(), 1923 startSpecifier, specifierLen); 1924 1925 // Check the length modifier is valid with the given conversion specifier. 1926 const LengthModifier &LM = FS.getLengthModifier(); 1927 if (!FS.hasValidLengthModifier()) 1928 S.Diag(getLocationOfByte(LM.getStart()), 1929 diag::warn_format_nonsensical_length) 1930 << LM.toString() << CS.toString() 1931 << getSpecifierRange(startSpecifier, specifierLen) 1932 << FixItHint::CreateRemoval(getSpecifierRange(LM.getStart(), 1933 LM.getLength())); 1934 1935 // Are we using '%n'? 1936 if (CS.getKind() == ConversionSpecifier::nArg) { 1937 // Issue a warning about this being a possible security issue. 1938 S.Diag(getLocationOfByte(CS.getStart()), diag::warn_printf_write_back) 1939 << getSpecifierRange(startSpecifier, specifierLen); 1940 // Continue checking the other format specifiers. 1941 return true; 1942 } 1943 1944 // The remaining checks depend on the data arguments. 1945 if (HasVAListArg) 1946 return true; 1947 1948 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex)) 1949 return false; 1950 1951 // Now type check the data expression that matches the 1952 // format specifier. 1953 const Expr *Ex = getDataArg(argIndex); 1954 const analyze_printf::ArgTypeResult &ATR = FS.getArgType(S.Context); 1955 if (ATR.isValid() && !ATR.matchesType(S.Context, Ex->getType())) { 1956 // Check if we didn't match because of an implicit cast from a 'char' 1957 // or 'short' to an 'int'. This is done because printf is a varargs 1958 // function. 1959 if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Ex)) 1960 if (ICE->getType() == S.Context.IntTy) { 1961 // All further checking is done on the subexpression. 1962 Ex = ICE->getSubExpr(); 1963 if (ATR.matchesType(S.Context, Ex->getType())) 1964 return true; 1965 } 1966 1967 // We may be able to offer a FixItHint if it is a supported type. 1968 PrintfSpecifier fixedFS = FS; 1969 bool success = fixedFS.fixType(Ex->getType(), S.getLangOptions()); 1970 1971 if (success) { 1972 // Get the fix string from the fixed format specifier 1973 llvm::SmallString<128> buf; 1974 llvm::raw_svector_ostream os(buf); 1975 fixedFS.toString(os); 1976 1977 // FIXME: getRepresentativeType() perhaps should return a string 1978 // instead of a QualType to better handle when the representative 1979 // type is 'wint_t' (which is defined in the system headers). 1980 S.Diag(getLocationOfByte(CS.getStart()), 1981 diag::warn_printf_conversion_argument_type_mismatch) 1982 << ATR.getRepresentativeType(S.Context) << Ex->getType() 1983 << getSpecifierRange(startSpecifier, specifierLen) 1984 << Ex->getSourceRange() 1985 << FixItHint::CreateReplacement( 1986 getSpecifierRange(startSpecifier, specifierLen), 1987 os.str()); 1988 } 1989 else { 1990 S.Diag(getLocationOfByte(CS.getStart()), 1991 diag::warn_printf_conversion_argument_type_mismatch) 1992 << ATR.getRepresentativeType(S.Context) << Ex->getType() 1993 << getSpecifierRange(startSpecifier, specifierLen) 1994 << Ex->getSourceRange(); 1995 } 1996 } 1997 1998 return true; 1999} 2000 2001//===--- CHECK: Scanf format string checking ------------------------------===// 2002 2003namespace { 2004class CheckScanfHandler : public CheckFormatHandler { 2005public: 2006 CheckScanfHandler(Sema &s, const StringLiteral *fexpr, 2007 const Expr *origFormatExpr, unsigned firstDataArg, 2008 unsigned numDataArgs, bool isObjCLiteral, 2009 const char *beg, bool hasVAListArg, 2010 const CallExpr *theCall, unsigned formatIdx) 2011 : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg, 2012 numDataArgs, isObjCLiteral, beg, hasVAListArg, 2013 theCall, formatIdx) {} 2014 2015 bool HandleScanfSpecifier(const analyze_scanf::ScanfSpecifier &FS, 2016 const char *startSpecifier, 2017 unsigned specifierLen); 2018 2019 bool HandleInvalidScanfConversionSpecifier( 2020 const analyze_scanf::ScanfSpecifier &FS, 2021 const char *startSpecifier, 2022 unsigned specifierLen); 2023 2024 void HandleIncompleteScanList(const char *start, const char *end); 2025}; 2026} 2027 2028void CheckScanfHandler::HandleIncompleteScanList(const char *start, 2029 const char *end) { 2030 S.Diag(getLocationOfByte(end), diag::warn_scanf_scanlist_incomplete) 2031 << getSpecifierRange(start, end - start); 2032} 2033 2034bool CheckScanfHandler::HandleInvalidScanfConversionSpecifier( 2035 const analyze_scanf::ScanfSpecifier &FS, 2036 const char *startSpecifier, 2037 unsigned specifierLen) { 2038 2039 const analyze_scanf::ScanfConversionSpecifier &CS = 2040 FS.getConversionSpecifier(); 2041 2042 return HandleInvalidConversionSpecifier(FS.getArgIndex(), 2043 getLocationOfByte(CS.getStart()), 2044 startSpecifier, specifierLen, 2045 CS.getStart(), CS.getLength()); 2046} 2047 2048bool CheckScanfHandler::HandleScanfSpecifier( 2049 const analyze_scanf::ScanfSpecifier &FS, 2050 const char *startSpecifier, 2051 unsigned specifierLen) { 2052 2053 using namespace analyze_scanf; 2054 using namespace analyze_format_string; 2055 2056 const ScanfConversionSpecifier &CS = FS.getConversionSpecifier(); 2057 2058 // Handle case where '%' and '*' don't consume an argument. These shouldn't 2059 // be used to decide if we are using positional arguments consistently. 2060 if (FS.consumesDataArgument()) { 2061 if (atFirstArg) { 2062 atFirstArg = false; 2063 usesPositionalArgs = FS.usesPositionalArg(); 2064 } 2065 else if (usesPositionalArgs != FS.usesPositionalArg()) { 2066 // Cannot mix-and-match positional and non-positional arguments. 2067 S.Diag(getLocationOfByte(CS.getStart()), 2068 diag::warn_format_mix_positional_nonpositional_args) 2069 << getSpecifierRange(startSpecifier, specifierLen); 2070 return false; 2071 } 2072 } 2073 2074 // Check if the field with is non-zero. 2075 const OptionalAmount &Amt = FS.getFieldWidth(); 2076 if (Amt.getHowSpecified() == OptionalAmount::Constant) { 2077 if (Amt.getConstantAmount() == 0) { 2078 const CharSourceRange &R = getSpecifierRange(Amt.getStart(), 2079 Amt.getConstantLength()); 2080 S.Diag(getLocationOfByte(Amt.getStart()), 2081 diag::warn_scanf_nonzero_width) 2082 << R << FixItHint::CreateRemoval(R); 2083 } 2084 } 2085 2086 if (!FS.consumesDataArgument()) { 2087 // FIXME: Technically specifying a precision or field width here 2088 // makes no sense. Worth issuing a warning at some point. 2089 return true; 2090 } 2091 2092 // Consume the argument. 2093 unsigned argIndex = FS.getArgIndex(); 2094 if (argIndex < NumDataArgs) { 2095 // The check to see if the argIndex is valid will come later. 2096 // We set the bit here because we may exit early from this 2097 // function if we encounter some other error. 2098 CoveredArgs.set(argIndex); 2099 } 2100 2101 // Check the length modifier is valid with the given conversion specifier. 2102 const LengthModifier &LM = FS.getLengthModifier(); 2103 if (!FS.hasValidLengthModifier()) { 2104 S.Diag(getLocationOfByte(LM.getStart()), 2105 diag::warn_format_nonsensical_length) 2106 << LM.toString() << CS.toString() 2107 << getSpecifierRange(startSpecifier, specifierLen) 2108 << FixItHint::CreateRemoval(getSpecifierRange(LM.getStart(), 2109 LM.getLength())); 2110 } 2111 2112 // The remaining checks depend on the data arguments. 2113 if (HasVAListArg) 2114 return true; 2115 2116 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex)) 2117 return false; 2118 2119 // FIXME: Check that the argument type matches the format specifier. 2120 2121 return true; 2122} 2123 2124void Sema::CheckFormatString(const StringLiteral *FExpr, 2125 const Expr *OrigFormatExpr, 2126 const CallExpr *TheCall, bool HasVAListArg, 2127 unsigned format_idx, unsigned firstDataArg, 2128 bool isPrintf) { 2129 2130 // CHECK: is the format string a wide literal? 2131 if (!FExpr->isAscii()) { 2132 Diag(FExpr->getLocStart(), 2133 diag::warn_format_string_is_wide_literal) 2134 << OrigFormatExpr->getSourceRange(); 2135 return; 2136 } 2137 2138 // Str - The format string. NOTE: this is NOT null-terminated! 2139 StringRef StrRef = FExpr->getString(); 2140 const char *Str = StrRef.data(); 2141 unsigned StrLen = StrRef.size(); 2142 const unsigned numDataArgs = TheCall->getNumArgs() - firstDataArg; 2143 2144 // CHECK: empty format string? 2145 if (StrLen == 0 && numDataArgs > 0) { 2146 Diag(FExpr->getLocStart(), diag::warn_empty_format_string) 2147 << OrigFormatExpr->getSourceRange(); 2148 return; 2149 } 2150 2151 if (isPrintf) { 2152 CheckPrintfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, 2153 numDataArgs, isa<ObjCStringLiteral>(OrigFormatExpr), 2154 Str, HasVAListArg, TheCall, format_idx); 2155 2156 if (!analyze_format_string::ParsePrintfString(H, Str, Str + StrLen)) 2157 H.DoneProcessing(); 2158 } 2159 else { 2160 CheckScanfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, 2161 numDataArgs, isa<ObjCStringLiteral>(OrigFormatExpr), 2162 Str, HasVAListArg, TheCall, format_idx); 2163 2164 if (!analyze_format_string::ParseScanfString(H, Str, Str + StrLen)) 2165 H.DoneProcessing(); 2166 } 2167} 2168 2169//===--- CHECK: Standard memory functions ---------------------------------===// 2170 2171/// \brief Determine whether the given type is a dynamic class type (e.g., 2172/// whether it has a vtable). 2173static bool isDynamicClassType(QualType T) { 2174 if (CXXRecordDecl *Record = T->getAsCXXRecordDecl()) 2175 if (CXXRecordDecl *Definition = Record->getDefinition()) 2176 if (Definition->isDynamicClass()) 2177 return true; 2178 2179 return false; 2180} 2181 2182/// \brief If E is a sizeof expression, returns its argument expression, 2183/// otherwise returns NULL. 2184static const Expr *getSizeOfExprArg(const Expr* E) { 2185 if (const UnaryExprOrTypeTraitExpr *SizeOf = 2186 dyn_cast<UnaryExprOrTypeTraitExpr>(E)) 2187 if (SizeOf->getKind() == clang::UETT_SizeOf && !SizeOf->isArgumentType()) 2188 return SizeOf->getArgumentExpr()->IgnoreParenImpCasts(); 2189 2190 return 0; 2191} 2192 2193/// \brief If E is a sizeof expression, returns its argument type. 2194static QualType getSizeOfArgType(const Expr* E) { 2195 if (const UnaryExprOrTypeTraitExpr *SizeOf = 2196 dyn_cast<UnaryExprOrTypeTraitExpr>(E)) 2197 if (SizeOf->getKind() == clang::UETT_SizeOf) 2198 return SizeOf->getTypeOfArgument(); 2199 2200 return QualType(); 2201} 2202 2203/// \brief Check for dangerous or invalid arguments to memset(). 2204/// 2205/// This issues warnings on known problematic, dangerous or unspecified 2206/// arguments to the standard 'memset', 'memcpy', 'memmove', and 'memcmp' 2207/// function calls. 2208/// 2209/// \param Call The call expression to diagnose. 2210void Sema::CheckMemaccessArguments(const CallExpr *Call, 2211 CheckedMemoryFunction CMF, 2212 IdentifierInfo *FnName) { 2213 // It is possible to have a non-standard definition of memset. Validate 2214 // we have enough arguments, and if not, abort further checking. 2215 unsigned ExpectedNumArgs = (CMF == CMF_Strndup ? 2 : 3); 2216 if (Call->getNumArgs() < ExpectedNumArgs) 2217 return; 2218 2219 unsigned LastArg = (CMF == CMF_Memset || CMF == CMF_Strndup ? 1 : 2); 2220 unsigned LenArg = (CMF == CMF_Strndup ? 1 : 2); 2221 const Expr *LenExpr = Call->getArg(LenArg)->IgnoreParenImpCasts(); 2222 2223 // We have special checking when the length is a sizeof expression. 2224 QualType SizeOfArgTy = getSizeOfArgType(LenExpr); 2225 const Expr *SizeOfArg = getSizeOfExprArg(LenExpr); 2226 llvm::FoldingSetNodeID SizeOfArgID; 2227 2228 for (unsigned ArgIdx = 0; ArgIdx != LastArg; ++ArgIdx) { 2229 const Expr *Dest = Call->getArg(ArgIdx)->IgnoreParenImpCasts(); 2230 SourceRange ArgRange = Call->getArg(ArgIdx)->getSourceRange(); 2231 2232 QualType DestTy = Dest->getType(); 2233 if (const PointerType *DestPtrTy = DestTy->getAs<PointerType>()) { 2234 QualType PointeeTy = DestPtrTy->getPointeeType(); 2235 2236 // Never warn about void type pointers. This can be used to suppress 2237 // false positives. 2238 if (PointeeTy->isVoidType()) 2239 continue; 2240 2241 // Catch "memset(p, 0, sizeof(p))" -- needs to be sizeof(*p). Do this by 2242 // actually comparing the expressions for equality. Because computing the 2243 // expression IDs can be expensive, we only do this if the diagnostic is 2244 // enabled. 2245 if (SizeOfArg && 2246 Diags.getDiagnosticLevel(diag::warn_sizeof_pointer_expr_memaccess, 2247 SizeOfArg->getExprLoc())) { 2248 // We only compute IDs for expressions if the warning is enabled, and 2249 // cache the sizeof arg's ID. 2250 if (SizeOfArgID == llvm::FoldingSetNodeID()) 2251 SizeOfArg->Profile(SizeOfArgID, Context, true); 2252 llvm::FoldingSetNodeID DestID; 2253 Dest->Profile(DestID, Context, true); 2254 if (DestID == SizeOfArgID) { 2255 // TODO: For strncpy() and friends, this could suggest sizeof(dst) 2256 // over sizeof(src) as well. 2257 unsigned ActionIdx = 0; // Default is to suggest dereferencing. 2258 if (const UnaryOperator *UnaryOp = dyn_cast<UnaryOperator>(Dest)) 2259 if (UnaryOp->getOpcode() == UO_AddrOf) 2260 ActionIdx = 1; // If its an address-of operator, just remove it. 2261 if (Context.getTypeSize(PointeeTy) == Context.getCharWidth()) 2262 ActionIdx = 2; // If the pointee's size is sizeof(char), 2263 // suggest an explicit length. 2264 unsigned DestSrcSelect = (CMF == CMF_Strndup ? 1 : ArgIdx); 2265 DiagRuntimeBehavior(SizeOfArg->getExprLoc(), Dest, 2266 PDiag(diag::warn_sizeof_pointer_expr_memaccess) 2267 << FnName << DestSrcSelect << ActionIdx 2268 << Dest->getSourceRange() 2269 << SizeOfArg->getSourceRange()); 2270 break; 2271 } 2272 } 2273 2274 // Also check for cases where the sizeof argument is the exact same 2275 // type as the memory argument, and where it points to a user-defined 2276 // record type. 2277 if (SizeOfArgTy != QualType()) { 2278 if (PointeeTy->isRecordType() && 2279 Context.typesAreCompatible(SizeOfArgTy, DestTy)) { 2280 DiagRuntimeBehavior(LenExpr->getExprLoc(), Dest, 2281 PDiag(diag::warn_sizeof_pointer_type_memaccess) 2282 << FnName << SizeOfArgTy << ArgIdx 2283 << PointeeTy << Dest->getSourceRange() 2284 << LenExpr->getSourceRange()); 2285 break; 2286 } 2287 } 2288 2289 // Always complain about dynamic classes. 2290 if (isDynamicClassType(PointeeTy)) 2291 DiagRuntimeBehavior( 2292 Dest->getExprLoc(), Dest, 2293 PDiag(diag::warn_dyn_class_memaccess) 2294 << (CMF == CMF_Memcmp ? ArgIdx + 2 : ArgIdx) << FnName << PointeeTy 2295 // "overwritten" if we're warning about the destination for any call 2296 // but memcmp; otherwise a verb appropriate to the call. 2297 << (ArgIdx == 0 && CMF != CMF_Memcmp ? 0 : (unsigned)CMF) 2298 << Call->getCallee()->getSourceRange()); 2299 else if (PointeeTy.hasNonTrivialObjCLifetime() && CMF != CMF_Memset) 2300 DiagRuntimeBehavior( 2301 Dest->getExprLoc(), Dest, 2302 PDiag(diag::warn_arc_object_memaccess) 2303 << ArgIdx << FnName << PointeeTy 2304 << Call->getCallee()->getSourceRange()); 2305 else 2306 continue; 2307 2308 DiagRuntimeBehavior( 2309 Dest->getExprLoc(), Dest, 2310 PDiag(diag::note_bad_memaccess_silence) 2311 << FixItHint::CreateInsertion(ArgRange.getBegin(), "(void*)")); 2312 break; 2313 } 2314 } 2315} 2316 2317// A little helper routine: ignore addition and subtraction of integer literals. 2318// This intentionally does not ignore all integer constant expressions because 2319// we don't want to remove sizeof(). 2320static const Expr *ignoreLiteralAdditions(const Expr *Ex, ASTContext &Ctx) { 2321 Ex = Ex->IgnoreParenCasts(); 2322 2323 for (;;) { 2324 const BinaryOperator * BO = dyn_cast<BinaryOperator>(Ex); 2325 if (!BO || !BO->isAdditiveOp()) 2326 break; 2327 2328 const Expr *RHS = BO->getRHS()->IgnoreParenCasts(); 2329 const Expr *LHS = BO->getLHS()->IgnoreParenCasts(); 2330 2331 if (isa<IntegerLiteral>(RHS)) 2332 Ex = LHS; 2333 else if (isa<IntegerLiteral>(LHS)) 2334 Ex = RHS; 2335 else 2336 break; 2337 } 2338 2339 return Ex; 2340} 2341 2342// Warn if the user has made the 'size' argument to strlcpy or strlcat 2343// be the size of the source, instead of the destination. 2344void Sema::CheckStrlcpycatArguments(const CallExpr *Call, 2345 IdentifierInfo *FnName) { 2346 2347 // Don't crash if the user has the wrong number of arguments 2348 if (Call->getNumArgs() != 3) 2349 return; 2350 2351 const Expr *SrcArg = ignoreLiteralAdditions(Call->getArg(1), Context); 2352 const Expr *SizeArg = ignoreLiteralAdditions(Call->getArg(2), Context); 2353 const Expr *CompareWithSrc = NULL; 2354 2355 // Look for 'strlcpy(dst, x, sizeof(x))' 2356 if (const Expr *Ex = getSizeOfExprArg(SizeArg)) 2357 CompareWithSrc = Ex; 2358 else { 2359 // Look for 'strlcpy(dst, x, strlen(x))' 2360 if (const CallExpr *SizeCall = dyn_cast<CallExpr>(SizeArg)) { 2361 if (SizeCall->isBuiltinCall(Context) == Builtin::BIstrlen 2362 && SizeCall->getNumArgs() == 1) 2363 CompareWithSrc = ignoreLiteralAdditions(SizeCall->getArg(0), Context); 2364 } 2365 } 2366 2367 if (!CompareWithSrc) 2368 return; 2369 2370 // Determine if the argument to sizeof/strlen is equal to the source 2371 // argument. In principle there's all kinds of things you could do 2372 // here, for instance creating an == expression and evaluating it with 2373 // EvaluateAsBooleanCondition, but this uses a more direct technique: 2374 const DeclRefExpr *SrcArgDRE = dyn_cast<DeclRefExpr>(SrcArg); 2375 if (!SrcArgDRE) 2376 return; 2377 2378 const DeclRefExpr *CompareWithSrcDRE = dyn_cast<DeclRefExpr>(CompareWithSrc); 2379 if (!CompareWithSrcDRE || 2380 SrcArgDRE->getDecl() != CompareWithSrcDRE->getDecl()) 2381 return; 2382 2383 const Expr *OriginalSizeArg = Call->getArg(2); 2384 Diag(CompareWithSrcDRE->getLocStart(), diag::warn_strlcpycat_wrong_size) 2385 << OriginalSizeArg->getSourceRange() << FnName; 2386 2387 // Output a FIXIT hint if the destination is an array (rather than a 2388 // pointer to an array). This could be enhanced to handle some 2389 // pointers if we know the actual size, like if DstArg is 'array+2' 2390 // we could say 'sizeof(array)-2'. 2391 const Expr *DstArg = Call->getArg(0)->IgnoreParenImpCasts(); 2392 QualType DstArgTy = DstArg->getType(); 2393 2394 // Only handle constant-sized or VLAs, but not flexible members. 2395 if (const ConstantArrayType *CAT = Context.getAsConstantArrayType(DstArgTy)) { 2396 // Only issue the FIXIT for arrays of size > 1. 2397 if (CAT->getSize().getSExtValue() <= 1) 2398 return; 2399 } else if (!DstArgTy->isVariableArrayType()) { 2400 return; 2401 } 2402 2403 llvm::SmallString<128> sizeString; 2404 llvm::raw_svector_ostream OS(sizeString); 2405 OS << "sizeof("; 2406 DstArg->printPretty(OS, Context, 0, getPrintingPolicy()); 2407 OS << ")"; 2408 2409 Diag(OriginalSizeArg->getLocStart(), diag::note_strlcpycat_wrong_size) 2410 << FixItHint::CreateReplacement(OriginalSizeArg->getSourceRange(), 2411 OS.str()); 2412} 2413 2414//===--- CHECK: Return Address of Stack Variable --------------------------===// 2415 2416static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars); 2417static Expr *EvalAddr(Expr* E, SmallVectorImpl<DeclRefExpr *> &refVars); 2418 2419/// CheckReturnStackAddr - Check if a return statement returns the address 2420/// of a stack variable. 2421void 2422Sema::CheckReturnStackAddr(Expr *RetValExp, QualType lhsType, 2423 SourceLocation ReturnLoc) { 2424 2425 Expr *stackE = 0; 2426 SmallVector<DeclRefExpr *, 8> refVars; 2427 2428 // Perform checking for returned stack addresses, local blocks, 2429 // label addresses or references to temporaries. 2430 if (lhsType->isPointerType() || 2431 (!getLangOptions().ObjCAutoRefCount && lhsType->isBlockPointerType())) { 2432 stackE = EvalAddr(RetValExp, refVars); 2433 } else if (lhsType->isReferenceType()) { 2434 stackE = EvalVal(RetValExp, refVars); 2435 } 2436 2437 if (stackE == 0) 2438 return; // Nothing suspicious was found. 2439 2440 SourceLocation diagLoc; 2441 SourceRange diagRange; 2442 if (refVars.empty()) { 2443 diagLoc = stackE->getLocStart(); 2444 diagRange = stackE->getSourceRange(); 2445 } else { 2446 // We followed through a reference variable. 'stackE' contains the 2447 // problematic expression but we will warn at the return statement pointing 2448 // at the reference variable. We will later display the "trail" of 2449 // reference variables using notes. 2450 diagLoc = refVars[0]->getLocStart(); 2451 diagRange = refVars[0]->getSourceRange(); 2452 } 2453 2454 if (DeclRefExpr *DR = dyn_cast<DeclRefExpr>(stackE)) { //address of local var. 2455 Diag(diagLoc, lhsType->isReferenceType() ? diag::warn_ret_stack_ref 2456 : diag::warn_ret_stack_addr) 2457 << DR->getDecl()->getDeclName() << diagRange; 2458 } else if (isa<BlockExpr>(stackE)) { // local block. 2459 Diag(diagLoc, diag::err_ret_local_block) << diagRange; 2460 } else if (isa<AddrLabelExpr>(stackE)) { // address of label. 2461 Diag(diagLoc, diag::warn_ret_addr_label) << diagRange; 2462 } else { // local temporary. 2463 Diag(diagLoc, lhsType->isReferenceType() ? diag::warn_ret_local_temp_ref 2464 : diag::warn_ret_local_temp_addr) 2465 << diagRange; 2466 } 2467 2468 // Display the "trail" of reference variables that we followed until we 2469 // found the problematic expression using notes. 2470 for (unsigned i = 0, e = refVars.size(); i != e; ++i) { 2471 VarDecl *VD = cast<VarDecl>(refVars[i]->getDecl()); 2472 // If this var binds to another reference var, show the range of the next 2473 // var, otherwise the var binds to the problematic expression, in which case 2474 // show the range of the expression. 2475 SourceRange range = (i < e-1) ? refVars[i+1]->getSourceRange() 2476 : stackE->getSourceRange(); 2477 Diag(VD->getLocation(), diag::note_ref_var_local_bind) 2478 << VD->getDeclName() << range; 2479 } 2480} 2481 2482/// EvalAddr - EvalAddr and EvalVal are mutually recursive functions that 2483/// check if the expression in a return statement evaluates to an address 2484/// to a location on the stack, a local block, an address of a label, or a 2485/// reference to local temporary. The recursion is used to traverse the 2486/// AST of the return expression, with recursion backtracking when we 2487/// encounter a subexpression that (1) clearly does not lead to one of the 2488/// above problematic expressions (2) is something we cannot determine leads to 2489/// a problematic expression based on such local checking. 2490/// 2491/// Both EvalAddr and EvalVal follow through reference variables to evaluate 2492/// the expression that they point to. Such variables are added to the 2493/// 'refVars' vector so that we know what the reference variable "trail" was. 2494/// 2495/// EvalAddr processes expressions that are pointers that are used as 2496/// references (and not L-values). EvalVal handles all other values. 2497/// At the base case of the recursion is a check for the above problematic 2498/// expressions. 2499/// 2500/// This implementation handles: 2501/// 2502/// * pointer-to-pointer casts 2503/// * implicit conversions from array references to pointers 2504/// * taking the address of fields 2505/// * arbitrary interplay between "&" and "*" operators 2506/// * pointer arithmetic from an address of a stack variable 2507/// * taking the address of an array element where the array is on the stack 2508static Expr *EvalAddr(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars) { 2509 if (E->isTypeDependent()) 2510 return NULL; 2511 2512 // We should only be called for evaluating pointer expressions. 2513 assert((E->getType()->isAnyPointerType() || 2514 E->getType()->isBlockPointerType() || 2515 E->getType()->isObjCQualifiedIdType()) && 2516 "EvalAddr only works on pointers"); 2517 2518 E = E->IgnoreParens(); 2519 2520 // Our "symbolic interpreter" is just a dispatch off the currently 2521 // viewed AST node. We then recursively traverse the AST by calling 2522 // EvalAddr and EvalVal appropriately. 2523 switch (E->getStmtClass()) { 2524 case Stmt::DeclRefExprClass: { 2525 DeclRefExpr *DR = cast<DeclRefExpr>(E); 2526 2527 if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) 2528 // If this is a reference variable, follow through to the expression that 2529 // it points to. 2530 if (V->hasLocalStorage() && 2531 V->getType()->isReferenceType() && V->hasInit()) { 2532 // Add the reference variable to the "trail". 2533 refVars.push_back(DR); 2534 return EvalAddr(V->getInit(), refVars); 2535 } 2536 2537 return NULL; 2538 } 2539 2540 case Stmt::UnaryOperatorClass: { 2541 // The only unary operator that make sense to handle here 2542 // is AddrOf. All others don't make sense as pointers. 2543 UnaryOperator *U = cast<UnaryOperator>(E); 2544 2545 if (U->getOpcode() == UO_AddrOf) 2546 return EvalVal(U->getSubExpr(), refVars); 2547 else 2548 return NULL; 2549 } 2550 2551 case Stmt::BinaryOperatorClass: { 2552 // Handle pointer arithmetic. All other binary operators are not valid 2553 // in this context. 2554 BinaryOperator *B = cast<BinaryOperator>(E); 2555 BinaryOperatorKind op = B->getOpcode(); 2556 2557 if (op != BO_Add && op != BO_Sub) 2558 return NULL; 2559 2560 Expr *Base = B->getLHS(); 2561 2562 // Determine which argument is the real pointer base. It could be 2563 // the RHS argument instead of the LHS. 2564 if (!Base->getType()->isPointerType()) Base = B->getRHS(); 2565 2566 assert (Base->getType()->isPointerType()); 2567 return EvalAddr(Base, refVars); 2568 } 2569 2570 // For conditional operators we need to see if either the LHS or RHS are 2571 // valid DeclRefExpr*s. If one of them is valid, we return it. 2572 case Stmt::ConditionalOperatorClass: { 2573 ConditionalOperator *C = cast<ConditionalOperator>(E); 2574 2575 // Handle the GNU extension for missing LHS. 2576 if (Expr *lhsExpr = C->getLHS()) { 2577 // In C++, we can have a throw-expression, which has 'void' type. 2578 if (!lhsExpr->getType()->isVoidType()) 2579 if (Expr* LHS = EvalAddr(lhsExpr, refVars)) 2580 return LHS; 2581 } 2582 2583 // In C++, we can have a throw-expression, which has 'void' type. 2584 if (C->getRHS()->getType()->isVoidType()) 2585 return NULL; 2586 2587 return EvalAddr(C->getRHS(), refVars); 2588 } 2589 2590 case Stmt::BlockExprClass: 2591 if (cast<BlockExpr>(E)->getBlockDecl()->hasCaptures()) 2592 return E; // local block. 2593 return NULL; 2594 2595 case Stmt::AddrLabelExprClass: 2596 return E; // address of label. 2597 2598 // For casts, we need to handle conversions from arrays to 2599 // pointer values, and pointer-to-pointer conversions. 2600 case Stmt::ImplicitCastExprClass: 2601 case Stmt::CStyleCastExprClass: 2602 case Stmt::CXXFunctionalCastExprClass: 2603 case Stmt::ObjCBridgedCastExprClass: { 2604 Expr* SubExpr = cast<CastExpr>(E)->getSubExpr(); 2605 QualType T = SubExpr->getType(); 2606 2607 if (SubExpr->getType()->isPointerType() || 2608 SubExpr->getType()->isBlockPointerType() || 2609 SubExpr->getType()->isObjCQualifiedIdType()) 2610 return EvalAddr(SubExpr, refVars); 2611 else if (T->isArrayType()) 2612 return EvalVal(SubExpr, refVars); 2613 else 2614 return 0; 2615 } 2616 2617 // C++ casts. For dynamic casts, static casts, and const casts, we 2618 // are always converting from a pointer-to-pointer, so we just blow 2619 // through the cast. In the case the dynamic cast doesn't fail (and 2620 // return NULL), we take the conservative route and report cases 2621 // where we return the address of a stack variable. For Reinterpre 2622 // FIXME: The comment about is wrong; we're not always converting 2623 // from pointer to pointer. I'm guessing that this code should also 2624 // handle references to objects. 2625 case Stmt::CXXStaticCastExprClass: 2626 case Stmt::CXXDynamicCastExprClass: 2627 case Stmt::CXXConstCastExprClass: 2628 case Stmt::CXXReinterpretCastExprClass: { 2629 Expr *S = cast<CXXNamedCastExpr>(E)->getSubExpr(); 2630 if (S->getType()->isPointerType() || S->getType()->isBlockPointerType()) 2631 return EvalAddr(S, refVars); 2632 else 2633 return NULL; 2634 } 2635 2636 case Stmt::MaterializeTemporaryExprClass: 2637 if (Expr *Result = EvalAddr( 2638 cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(), 2639 refVars)) 2640 return Result; 2641 2642 return E; 2643 2644 // Everything else: we simply don't reason about them. 2645 default: 2646 return NULL; 2647 } 2648} 2649 2650 2651/// EvalVal - This function is complements EvalAddr in the mutual recursion. 2652/// See the comments for EvalAddr for more details. 2653static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars) { 2654do { 2655 // We should only be called for evaluating non-pointer expressions, or 2656 // expressions with a pointer type that are not used as references but instead 2657 // are l-values (e.g., DeclRefExpr with a pointer type). 2658 2659 // Our "symbolic interpreter" is just a dispatch off the currently 2660 // viewed AST node. We then recursively traverse the AST by calling 2661 // EvalAddr and EvalVal appropriately. 2662 2663 E = E->IgnoreParens(); 2664 switch (E->getStmtClass()) { 2665 case Stmt::ImplicitCastExprClass: { 2666 ImplicitCastExpr *IE = cast<ImplicitCastExpr>(E); 2667 if (IE->getValueKind() == VK_LValue) { 2668 E = IE->getSubExpr(); 2669 continue; 2670 } 2671 return NULL; 2672 } 2673 2674 case Stmt::DeclRefExprClass: { 2675 // When we hit a DeclRefExpr we are looking at code that refers to a 2676 // variable's name. If it's not a reference variable we check if it has 2677 // local storage within the function, and if so, return the expression. 2678 DeclRefExpr *DR = cast<DeclRefExpr>(E); 2679 2680 if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) 2681 if (V->hasLocalStorage()) { 2682 if (!V->getType()->isReferenceType()) 2683 return DR; 2684 2685 // Reference variable, follow through to the expression that 2686 // it points to. 2687 if (V->hasInit()) { 2688 // Add the reference variable to the "trail". 2689 refVars.push_back(DR); 2690 return EvalVal(V->getInit(), refVars); 2691 } 2692 } 2693 2694 return NULL; 2695 } 2696 2697 case Stmt::UnaryOperatorClass: { 2698 // The only unary operator that make sense to handle here 2699 // is Deref. All others don't resolve to a "name." This includes 2700 // handling all sorts of rvalues passed to a unary operator. 2701 UnaryOperator *U = cast<UnaryOperator>(E); 2702 2703 if (U->getOpcode() == UO_Deref) 2704 return EvalAddr(U->getSubExpr(), refVars); 2705 2706 return NULL; 2707 } 2708 2709 case Stmt::ArraySubscriptExprClass: { 2710 // Array subscripts are potential references to data on the stack. We 2711 // retrieve the DeclRefExpr* for the array variable if it indeed 2712 // has local storage. 2713 return EvalAddr(cast<ArraySubscriptExpr>(E)->getBase(), refVars); 2714 } 2715 2716 case Stmt::ConditionalOperatorClass: { 2717 // For conditional operators we need to see if either the LHS or RHS are 2718 // non-NULL Expr's. If one is non-NULL, we return it. 2719 ConditionalOperator *C = cast<ConditionalOperator>(E); 2720 2721 // Handle the GNU extension for missing LHS. 2722 if (Expr *lhsExpr = C->getLHS()) 2723 if (Expr *LHS = EvalVal(lhsExpr, refVars)) 2724 return LHS; 2725 2726 return EvalVal(C->getRHS(), refVars); 2727 } 2728 2729 // Accesses to members are potential references to data on the stack. 2730 case Stmt::MemberExprClass: { 2731 MemberExpr *M = cast<MemberExpr>(E); 2732 2733 // Check for indirect access. We only want direct field accesses. 2734 if (M->isArrow()) 2735 return NULL; 2736 2737 // Check whether the member type is itself a reference, in which case 2738 // we're not going to refer to the member, but to what the member refers to. 2739 if (M->getMemberDecl()->getType()->isReferenceType()) 2740 return NULL; 2741 2742 return EvalVal(M->getBase(), refVars); 2743 } 2744 2745 case Stmt::MaterializeTemporaryExprClass: 2746 if (Expr *Result = EvalVal( 2747 cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(), 2748 refVars)) 2749 return Result; 2750 2751 return E; 2752 2753 default: 2754 // Check that we don't return or take the address of a reference to a 2755 // temporary. This is only useful in C++. 2756 if (!E->isTypeDependent() && E->isRValue()) 2757 return E; 2758 2759 // Everything else: we simply don't reason about them. 2760 return NULL; 2761 } 2762} while (true); 2763} 2764 2765//===--- CHECK: Floating-Point comparisons (-Wfloat-equal) ---------------===// 2766 2767/// Check for comparisons of floating point operands using != and ==. 2768/// Issue a warning if these are no self-comparisons, as they are not likely 2769/// to do what the programmer intended. 2770void Sema::CheckFloatComparison(SourceLocation Loc, Expr* LHS, Expr *RHS) { 2771 bool EmitWarning = true; 2772 2773 Expr* LeftExprSansParen = LHS->IgnoreParenImpCasts(); 2774 Expr* RightExprSansParen = RHS->IgnoreParenImpCasts(); 2775 2776 // Special case: check for x == x (which is OK). 2777 // Do not emit warnings for such cases. 2778 if (DeclRefExpr* DRL = dyn_cast<DeclRefExpr>(LeftExprSansParen)) 2779 if (DeclRefExpr* DRR = dyn_cast<DeclRefExpr>(RightExprSansParen)) 2780 if (DRL->getDecl() == DRR->getDecl()) 2781 EmitWarning = false; 2782 2783 2784 // Special case: check for comparisons against literals that can be exactly 2785 // represented by APFloat. In such cases, do not emit a warning. This 2786 // is a heuristic: often comparison against such literals are used to 2787 // detect if a value in a variable has not changed. This clearly can 2788 // lead to false negatives. 2789 if (EmitWarning) { 2790 if (FloatingLiteral* FLL = dyn_cast<FloatingLiteral>(LeftExprSansParen)) { 2791 if (FLL->isExact()) 2792 EmitWarning = false; 2793 } else 2794 if (FloatingLiteral* FLR = dyn_cast<FloatingLiteral>(RightExprSansParen)){ 2795 if (FLR->isExact()) 2796 EmitWarning = false; 2797 } 2798 } 2799 2800 // Check for comparisons with builtin types. 2801 if (EmitWarning) 2802 if (CallExpr* CL = dyn_cast<CallExpr>(LeftExprSansParen)) 2803 if (CL->isBuiltinCall(Context)) 2804 EmitWarning = false; 2805 2806 if (EmitWarning) 2807 if (CallExpr* CR = dyn_cast<CallExpr>(RightExprSansParen)) 2808 if (CR->isBuiltinCall(Context)) 2809 EmitWarning = false; 2810 2811 // Emit the diagnostic. 2812 if (EmitWarning) 2813 Diag(Loc, diag::warn_floatingpoint_eq) 2814 << LHS->getSourceRange() << RHS->getSourceRange(); 2815} 2816 2817//===--- CHECK: Integer mixed-sign comparisons (-Wsign-compare) --------===// 2818//===--- CHECK: Lossy implicit conversions (-Wconversion) --------------===// 2819 2820namespace { 2821 2822/// Structure recording the 'active' range of an integer-valued 2823/// expression. 2824struct IntRange { 2825 /// The number of bits active in the int. 2826 unsigned Width; 2827 2828 /// True if the int is known not to have negative values. 2829 bool NonNegative; 2830 2831 IntRange(unsigned Width, bool NonNegative) 2832 : Width(Width), NonNegative(NonNegative) 2833 {} 2834 2835 /// Returns the range of the bool type. 2836 static IntRange forBoolType() { 2837 return IntRange(1, true); 2838 } 2839 2840 /// Returns the range of an opaque value of the given integral type. 2841 static IntRange forValueOfType(ASTContext &C, QualType T) { 2842 return forValueOfCanonicalType(C, 2843 T->getCanonicalTypeInternal().getTypePtr()); 2844 } 2845 2846 /// Returns the range of an opaque value of a canonical integral type. 2847 static IntRange forValueOfCanonicalType(ASTContext &C, const Type *T) { 2848 assert(T->isCanonicalUnqualified()); 2849 2850 if (const VectorType *VT = dyn_cast<VectorType>(T)) 2851 T = VT->getElementType().getTypePtr(); 2852 if (const ComplexType *CT = dyn_cast<ComplexType>(T)) 2853 T = CT->getElementType().getTypePtr(); 2854 2855 // For enum types, use the known bit width of the enumerators. 2856 if (const EnumType *ET = dyn_cast<EnumType>(T)) { 2857 EnumDecl *Enum = ET->getDecl(); 2858 if (!Enum->isCompleteDefinition()) 2859 return IntRange(C.getIntWidth(QualType(T, 0)), false); 2860 2861 unsigned NumPositive = Enum->getNumPositiveBits(); 2862 unsigned NumNegative = Enum->getNumNegativeBits(); 2863 2864 return IntRange(std::max(NumPositive, NumNegative), NumNegative == 0); 2865 } 2866 2867 const BuiltinType *BT = cast<BuiltinType>(T); 2868 assert(BT->isInteger()); 2869 2870 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); 2871 } 2872 2873 /// Returns the "target" range of a canonical integral type, i.e. 2874 /// the range of values expressible in the type. 2875 /// 2876 /// This matches forValueOfCanonicalType except that enums have the 2877 /// full range of their type, not the range of their enumerators. 2878 static IntRange forTargetOfCanonicalType(ASTContext &C, const Type *T) { 2879 assert(T->isCanonicalUnqualified()); 2880 2881 if (const VectorType *VT = dyn_cast<VectorType>(T)) 2882 T = VT->getElementType().getTypePtr(); 2883 if (const ComplexType *CT = dyn_cast<ComplexType>(T)) 2884 T = CT->getElementType().getTypePtr(); 2885 if (const EnumType *ET = dyn_cast<EnumType>(T)) 2886 T = C.getCanonicalType(ET->getDecl()->getIntegerType()).getTypePtr(); 2887 2888 const BuiltinType *BT = cast<BuiltinType>(T); 2889 assert(BT->isInteger()); 2890 2891 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); 2892 } 2893 2894 /// Returns the supremum of two ranges: i.e. their conservative merge. 2895 static IntRange join(IntRange L, IntRange R) { 2896 return IntRange(std::max(L.Width, R.Width), 2897 L.NonNegative && R.NonNegative); 2898 } 2899 2900 /// Returns the infinum of two ranges: i.e. their aggressive merge. 2901 static IntRange meet(IntRange L, IntRange R) { 2902 return IntRange(std::min(L.Width, R.Width), 2903 L.NonNegative || R.NonNegative); 2904 } 2905}; 2906 2907IntRange GetValueRange(ASTContext &C, llvm::APSInt &value, unsigned MaxWidth) { 2908 if (value.isSigned() && value.isNegative()) 2909 return IntRange(value.getMinSignedBits(), false); 2910 2911 if (value.getBitWidth() > MaxWidth) 2912 value = value.trunc(MaxWidth); 2913 2914 // isNonNegative() just checks the sign bit without considering 2915 // signedness. 2916 return IntRange(value.getActiveBits(), true); 2917} 2918 2919IntRange GetValueRange(ASTContext &C, APValue &result, QualType Ty, 2920 unsigned MaxWidth) { 2921 if (result.isInt()) 2922 return GetValueRange(C, result.getInt(), MaxWidth); 2923 2924 if (result.isVector()) { 2925 IntRange R = GetValueRange(C, result.getVectorElt(0), Ty, MaxWidth); 2926 for (unsigned i = 1, e = result.getVectorLength(); i != e; ++i) { 2927 IntRange El = GetValueRange(C, result.getVectorElt(i), Ty, MaxWidth); 2928 R = IntRange::join(R, El); 2929 } 2930 return R; 2931 } 2932 2933 if (result.isComplexInt()) { 2934 IntRange R = GetValueRange(C, result.getComplexIntReal(), MaxWidth); 2935 IntRange I = GetValueRange(C, result.getComplexIntImag(), MaxWidth); 2936 return IntRange::join(R, I); 2937 } 2938 2939 // This can happen with lossless casts to intptr_t of "based" lvalues. 2940 // Assume it might use arbitrary bits. 2941 // FIXME: The only reason we need to pass the type in here is to get 2942 // the sign right on this one case. It would be nice if APValue 2943 // preserved this. 2944 assert(result.isLValue()); 2945 return IntRange(MaxWidth, Ty->isUnsignedIntegerOrEnumerationType()); 2946} 2947 2948/// Pseudo-evaluate the given integer expression, estimating the 2949/// range of values it might take. 2950/// 2951/// \param MaxWidth - the width to which the value will be truncated 2952IntRange GetExprRange(ASTContext &C, Expr *E, unsigned MaxWidth) { 2953 E = E->IgnoreParens(); 2954 2955 // Try a full evaluation first. 2956 Expr::EvalResult result; 2957 if (E->Evaluate(result, C)) 2958 return GetValueRange(C, result.Val, E->getType(), MaxWidth); 2959 2960 // I think we only want to look through implicit casts here; if the 2961 // user has an explicit widening cast, we should treat the value as 2962 // being of the new, wider type. 2963 if (ImplicitCastExpr *CE = dyn_cast<ImplicitCastExpr>(E)) { 2964 if (CE->getCastKind() == CK_NoOp) 2965 return GetExprRange(C, CE->getSubExpr(), MaxWidth); 2966 2967 IntRange OutputTypeRange = IntRange::forValueOfType(C, CE->getType()); 2968 2969 bool isIntegerCast = (CE->getCastKind() == CK_IntegralCast); 2970 2971 // Assume that non-integer casts can span the full range of the type. 2972 if (!isIntegerCast) 2973 return OutputTypeRange; 2974 2975 IntRange SubRange 2976 = GetExprRange(C, CE->getSubExpr(), 2977 std::min(MaxWidth, OutputTypeRange.Width)); 2978 2979 // Bail out if the subexpr's range is as wide as the cast type. 2980 if (SubRange.Width >= OutputTypeRange.Width) 2981 return OutputTypeRange; 2982 2983 // Otherwise, we take the smaller width, and we're non-negative if 2984 // either the output type or the subexpr is. 2985 return IntRange(SubRange.Width, 2986 SubRange.NonNegative || OutputTypeRange.NonNegative); 2987 } 2988 2989 if (ConditionalOperator *CO = dyn_cast<ConditionalOperator>(E)) { 2990 // If we can fold the condition, just take that operand. 2991 bool CondResult; 2992 if (CO->getCond()->EvaluateAsBooleanCondition(CondResult, C)) 2993 return GetExprRange(C, CondResult ? CO->getTrueExpr() 2994 : CO->getFalseExpr(), 2995 MaxWidth); 2996 2997 // Otherwise, conservatively merge. 2998 IntRange L = GetExprRange(C, CO->getTrueExpr(), MaxWidth); 2999 IntRange R = GetExprRange(C, CO->getFalseExpr(), MaxWidth); 3000 return IntRange::join(L, R); 3001 } 3002 3003 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 3004 switch (BO->getOpcode()) { 3005 3006 // Boolean-valued operations are single-bit and positive. 3007 case BO_LAnd: 3008 case BO_LOr: 3009 case BO_LT: 3010 case BO_GT: 3011 case BO_LE: 3012 case BO_GE: 3013 case BO_EQ: 3014 case BO_NE: 3015 return IntRange::forBoolType(); 3016 3017 // The type of the assignments is the type of the LHS, so the RHS 3018 // is not necessarily the same type. 3019 case BO_MulAssign: 3020 case BO_DivAssign: 3021 case BO_RemAssign: 3022 case BO_AddAssign: 3023 case BO_SubAssign: 3024 case BO_XorAssign: 3025 case BO_OrAssign: 3026 // TODO: bitfields? 3027 return IntRange::forValueOfType(C, E->getType()); 3028 3029 // Simple assignments just pass through the RHS, which will have 3030 // been coerced to the LHS type. 3031 case BO_Assign: 3032 // TODO: bitfields? 3033 return GetExprRange(C, BO->getRHS(), MaxWidth); 3034 3035 // Operations with opaque sources are black-listed. 3036 case BO_PtrMemD: 3037 case BO_PtrMemI: 3038 return IntRange::forValueOfType(C, E->getType()); 3039 3040 // Bitwise-and uses the *infinum* of the two source ranges. 3041 case BO_And: 3042 case BO_AndAssign: 3043 return IntRange::meet(GetExprRange(C, BO->getLHS(), MaxWidth), 3044 GetExprRange(C, BO->getRHS(), MaxWidth)); 3045 3046 // Left shift gets black-listed based on a judgement call. 3047 case BO_Shl: 3048 // ...except that we want to treat '1 << (blah)' as logically 3049 // positive. It's an important idiom. 3050 if (IntegerLiteral *I 3051 = dyn_cast<IntegerLiteral>(BO->getLHS()->IgnoreParenCasts())) { 3052 if (I->getValue() == 1) { 3053 IntRange R = IntRange::forValueOfType(C, E->getType()); 3054 return IntRange(R.Width, /*NonNegative*/ true); 3055 } 3056 } 3057 // fallthrough 3058 3059 case BO_ShlAssign: 3060 return IntRange::forValueOfType(C, E->getType()); 3061 3062 // Right shift by a constant can narrow its left argument. 3063 case BO_Shr: 3064 case BO_ShrAssign: { 3065 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 3066 3067 // If the shift amount is a positive constant, drop the width by 3068 // that much. 3069 llvm::APSInt shift; 3070 if (BO->getRHS()->isIntegerConstantExpr(shift, C) && 3071 shift.isNonNegative()) { 3072 unsigned zext = shift.getZExtValue(); 3073 if (zext >= L.Width) 3074 L.Width = (L.NonNegative ? 0 : 1); 3075 else 3076 L.Width -= zext; 3077 } 3078 3079 return L; 3080 } 3081 3082 // Comma acts as its right operand. 3083 case BO_Comma: 3084 return GetExprRange(C, BO->getRHS(), MaxWidth); 3085 3086 // Black-list pointer subtractions. 3087 case BO_Sub: 3088 if (BO->getLHS()->getType()->isPointerType()) 3089 return IntRange::forValueOfType(C, E->getType()); 3090 break; 3091 3092 // The width of a division result is mostly determined by the size 3093 // of the LHS. 3094 case BO_Div: { 3095 // Don't 'pre-truncate' the operands. 3096 unsigned opWidth = C.getIntWidth(E->getType()); 3097 IntRange L = GetExprRange(C, BO->getLHS(), opWidth); 3098 3099 // If the divisor is constant, use that. 3100 llvm::APSInt divisor; 3101 if (BO->getRHS()->isIntegerConstantExpr(divisor, C)) { 3102 unsigned log2 = divisor.logBase2(); // floor(log_2(divisor)) 3103 if (log2 >= L.Width) 3104 L.Width = (L.NonNegative ? 0 : 1); 3105 else 3106 L.Width = std::min(L.Width - log2, MaxWidth); 3107 return L; 3108 } 3109 3110 // Otherwise, just use the LHS's width. 3111 IntRange R = GetExprRange(C, BO->getRHS(), opWidth); 3112 return IntRange(L.Width, L.NonNegative && R.NonNegative); 3113 } 3114 3115 // The result of a remainder can't be larger than the result of 3116 // either side. 3117 case BO_Rem: { 3118 // Don't 'pre-truncate' the operands. 3119 unsigned opWidth = C.getIntWidth(E->getType()); 3120 IntRange L = GetExprRange(C, BO->getLHS(), opWidth); 3121 IntRange R = GetExprRange(C, BO->getRHS(), opWidth); 3122 3123 IntRange meet = IntRange::meet(L, R); 3124 meet.Width = std::min(meet.Width, MaxWidth); 3125 return meet; 3126 } 3127 3128 // The default behavior is okay for these. 3129 case BO_Mul: 3130 case BO_Add: 3131 case BO_Xor: 3132 case BO_Or: 3133 break; 3134 } 3135 3136 // The default case is to treat the operation as if it were closed 3137 // on the narrowest type that encompasses both operands. 3138 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 3139 IntRange R = GetExprRange(C, BO->getRHS(), MaxWidth); 3140 return IntRange::join(L, R); 3141 } 3142 3143 if (UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) { 3144 switch (UO->getOpcode()) { 3145 // Boolean-valued operations are white-listed. 3146 case UO_LNot: 3147 return IntRange::forBoolType(); 3148 3149 // Operations with opaque sources are black-listed. 3150 case UO_Deref: 3151 case UO_AddrOf: // should be impossible 3152 return IntRange::forValueOfType(C, E->getType()); 3153 3154 default: 3155 return GetExprRange(C, UO->getSubExpr(), MaxWidth); 3156 } 3157 } 3158 3159 if (dyn_cast<OffsetOfExpr>(E)) { 3160 IntRange::forValueOfType(C, E->getType()); 3161 } 3162 3163 if (FieldDecl *BitField = E->getBitField()) 3164 return IntRange(BitField->getBitWidthValue(C), 3165 BitField->getType()->isUnsignedIntegerOrEnumerationType()); 3166 3167 return IntRange::forValueOfType(C, E->getType()); 3168} 3169 3170IntRange GetExprRange(ASTContext &C, Expr *E) { 3171 return GetExprRange(C, E, C.getIntWidth(E->getType())); 3172} 3173 3174/// Checks whether the given value, which currently has the given 3175/// source semantics, has the same value when coerced through the 3176/// target semantics. 3177bool IsSameFloatAfterCast(const llvm::APFloat &value, 3178 const llvm::fltSemantics &Src, 3179 const llvm::fltSemantics &Tgt) { 3180 llvm::APFloat truncated = value; 3181 3182 bool ignored; 3183 truncated.convert(Src, llvm::APFloat::rmNearestTiesToEven, &ignored); 3184 truncated.convert(Tgt, llvm::APFloat::rmNearestTiesToEven, &ignored); 3185 3186 return truncated.bitwiseIsEqual(value); 3187} 3188 3189/// Checks whether the given value, which currently has the given 3190/// source semantics, has the same value when coerced through the 3191/// target semantics. 3192/// 3193/// The value might be a vector of floats (or a complex number). 3194bool IsSameFloatAfterCast(const APValue &value, 3195 const llvm::fltSemantics &Src, 3196 const llvm::fltSemantics &Tgt) { 3197 if (value.isFloat()) 3198 return IsSameFloatAfterCast(value.getFloat(), Src, Tgt); 3199 3200 if (value.isVector()) { 3201 for (unsigned i = 0, e = value.getVectorLength(); i != e; ++i) 3202 if (!IsSameFloatAfterCast(value.getVectorElt(i), Src, Tgt)) 3203 return false; 3204 return true; 3205 } 3206 3207 assert(value.isComplexFloat()); 3208 return (IsSameFloatAfterCast(value.getComplexFloatReal(), Src, Tgt) && 3209 IsSameFloatAfterCast(value.getComplexFloatImag(), Src, Tgt)); 3210} 3211 3212void AnalyzeImplicitConversions(Sema &S, Expr *E, SourceLocation CC); 3213 3214static bool IsZero(Sema &S, Expr *E) { 3215 // Suppress cases where we are comparing against an enum constant. 3216 if (const DeclRefExpr *DR = 3217 dyn_cast<DeclRefExpr>(E->IgnoreParenImpCasts())) 3218 if (isa<EnumConstantDecl>(DR->getDecl())) 3219 return false; 3220 3221 // Suppress cases where the '0' value is expanded from a macro. 3222 if (E->getLocStart().isMacroID()) 3223 return false; 3224 3225 llvm::APSInt Value; 3226 return E->isIntegerConstantExpr(Value, S.Context) && Value == 0; 3227} 3228 3229static bool HasEnumType(Expr *E) { 3230 // Strip off implicit integral promotions. 3231 while (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) { 3232 if (ICE->getCastKind() != CK_IntegralCast && 3233 ICE->getCastKind() != CK_NoOp) 3234 break; 3235 E = ICE->getSubExpr(); 3236 } 3237 3238 return E->getType()->isEnumeralType(); 3239} 3240 3241void CheckTrivialUnsignedComparison(Sema &S, BinaryOperator *E) { 3242 BinaryOperatorKind op = E->getOpcode(); 3243 if (E->isValueDependent()) 3244 return; 3245 3246 if (op == BO_LT && IsZero(S, E->getRHS())) { 3247 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 3248 << "< 0" << "false" << HasEnumType(E->getLHS()) 3249 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 3250 } else if (op == BO_GE && IsZero(S, E->getRHS())) { 3251 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 3252 << ">= 0" << "true" << HasEnumType(E->getLHS()) 3253 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 3254 } else if (op == BO_GT && IsZero(S, E->getLHS())) { 3255 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 3256 << "0 >" << "false" << HasEnumType(E->getRHS()) 3257 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 3258 } else if (op == BO_LE && IsZero(S, E->getLHS())) { 3259 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 3260 << "0 <=" << "true" << HasEnumType(E->getRHS()) 3261 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 3262 } 3263} 3264 3265/// Analyze the operands of the given comparison. Implements the 3266/// fallback case from AnalyzeComparison. 3267void AnalyzeImpConvsInComparison(Sema &S, BinaryOperator *E) { 3268 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc()); 3269 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc()); 3270} 3271 3272/// \brief Implements -Wsign-compare. 3273/// 3274/// \param E the binary operator to check for warnings 3275void AnalyzeComparison(Sema &S, BinaryOperator *E) { 3276 // The type the comparison is being performed in. 3277 QualType T = E->getLHS()->getType(); 3278 assert(S.Context.hasSameUnqualifiedType(T, E->getRHS()->getType()) 3279 && "comparison with mismatched types"); 3280 3281 // We don't do anything special if this isn't an unsigned integral 3282 // comparison: we're only interested in integral comparisons, and 3283 // signed comparisons only happen in cases we don't care to warn about. 3284 // 3285 // We also don't care about value-dependent expressions or expressions 3286 // whose result is a constant. 3287 if (!T->hasUnsignedIntegerRepresentation() 3288 || E->isValueDependent() || E->isIntegerConstantExpr(S.Context)) 3289 return AnalyzeImpConvsInComparison(S, E); 3290 3291 Expr *LHS = E->getLHS()->IgnoreParenImpCasts(); 3292 Expr *RHS = E->getRHS()->IgnoreParenImpCasts(); 3293 3294 // Check to see if one of the (unmodified) operands is of different 3295 // signedness. 3296 Expr *signedOperand, *unsignedOperand; 3297 if (LHS->getType()->hasSignedIntegerRepresentation()) { 3298 assert(!RHS->getType()->hasSignedIntegerRepresentation() && 3299 "unsigned comparison between two signed integer expressions?"); 3300 signedOperand = LHS; 3301 unsignedOperand = RHS; 3302 } else if (RHS->getType()->hasSignedIntegerRepresentation()) { 3303 signedOperand = RHS; 3304 unsignedOperand = LHS; 3305 } else { 3306 CheckTrivialUnsignedComparison(S, E); 3307 return AnalyzeImpConvsInComparison(S, E); 3308 } 3309 3310 // Otherwise, calculate the effective range of the signed operand. 3311 IntRange signedRange = GetExprRange(S.Context, signedOperand); 3312 3313 // Go ahead and analyze implicit conversions in the operands. Note 3314 // that we skip the implicit conversions on both sides. 3315 AnalyzeImplicitConversions(S, LHS, E->getOperatorLoc()); 3316 AnalyzeImplicitConversions(S, RHS, E->getOperatorLoc()); 3317 3318 // If the signed range is non-negative, -Wsign-compare won't fire, 3319 // but we should still check for comparisons which are always true 3320 // or false. 3321 if (signedRange.NonNegative) 3322 return CheckTrivialUnsignedComparison(S, E); 3323 3324 // For (in)equality comparisons, if the unsigned operand is a 3325 // constant which cannot collide with a overflowed signed operand, 3326 // then reinterpreting the signed operand as unsigned will not 3327 // change the result of the comparison. 3328 if (E->isEqualityOp()) { 3329 unsigned comparisonWidth = S.Context.getIntWidth(T); 3330 IntRange unsignedRange = GetExprRange(S.Context, unsignedOperand); 3331 3332 // We should never be unable to prove that the unsigned operand is 3333 // non-negative. 3334 assert(unsignedRange.NonNegative && "unsigned range includes negative?"); 3335 3336 if (unsignedRange.Width < comparisonWidth) 3337 return; 3338 } 3339 3340 S.Diag(E->getOperatorLoc(), diag::warn_mixed_sign_comparison) 3341 << LHS->getType() << RHS->getType() 3342 << LHS->getSourceRange() << RHS->getSourceRange(); 3343} 3344 3345/// Analyzes an attempt to assign the given value to a bitfield. 3346/// 3347/// Returns true if there was something fishy about the attempt. 3348bool AnalyzeBitFieldAssignment(Sema &S, FieldDecl *Bitfield, Expr *Init, 3349 SourceLocation InitLoc) { 3350 assert(Bitfield->isBitField()); 3351 if (Bitfield->isInvalidDecl()) 3352 return false; 3353 3354 // White-list bool bitfields. 3355 if (Bitfield->getType()->isBooleanType()) 3356 return false; 3357 3358 // Ignore value- or type-dependent expressions. 3359 if (Bitfield->getBitWidth()->isValueDependent() || 3360 Bitfield->getBitWidth()->isTypeDependent() || 3361 Init->isValueDependent() || 3362 Init->isTypeDependent()) 3363 return false; 3364 3365 Expr *OriginalInit = Init->IgnoreParenImpCasts(); 3366 3367 Expr::EvalResult InitValue; 3368 if (!OriginalInit->Evaluate(InitValue, S.Context) || 3369 !InitValue.Val.isInt()) 3370 return false; 3371 3372 const llvm::APSInt &Value = InitValue.Val.getInt(); 3373 unsigned OriginalWidth = Value.getBitWidth(); 3374 unsigned FieldWidth = Bitfield->getBitWidthValue(S.Context); 3375 3376 if (OriginalWidth <= FieldWidth) 3377 return false; 3378 3379 llvm::APSInt TruncatedValue = Value.trunc(FieldWidth); 3380 3381 // It's fairly common to write values into signed bitfields 3382 // that, if sign-extended, would end up becoming a different 3383 // value. We don't want to warn about that. 3384 if (Value.isSigned() && Value.isNegative()) 3385 TruncatedValue = TruncatedValue.sext(OriginalWidth); 3386 else 3387 TruncatedValue = TruncatedValue.zext(OriginalWidth); 3388 3389 if (Value == TruncatedValue) 3390 return false; 3391 3392 std::string PrettyValue = Value.toString(10); 3393 std::string PrettyTrunc = TruncatedValue.toString(10); 3394 3395 S.Diag(InitLoc, diag::warn_impcast_bitfield_precision_constant) 3396 << PrettyValue << PrettyTrunc << OriginalInit->getType() 3397 << Init->getSourceRange(); 3398 3399 return true; 3400} 3401 3402/// Analyze the given simple or compound assignment for warning-worthy 3403/// operations. 3404void AnalyzeAssignment(Sema &S, BinaryOperator *E) { 3405 // Just recurse on the LHS. 3406 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc()); 3407 3408 // We want to recurse on the RHS as normal unless we're assigning to 3409 // a bitfield. 3410 if (FieldDecl *Bitfield = E->getLHS()->getBitField()) { 3411 if (AnalyzeBitFieldAssignment(S, Bitfield, E->getRHS(), 3412 E->getOperatorLoc())) { 3413 // Recurse, ignoring any implicit conversions on the RHS. 3414 return AnalyzeImplicitConversions(S, E->getRHS()->IgnoreParenImpCasts(), 3415 E->getOperatorLoc()); 3416 } 3417 } 3418 3419 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc()); 3420} 3421 3422/// Diagnose an implicit cast; purely a helper for CheckImplicitConversion. 3423void DiagnoseImpCast(Sema &S, Expr *E, QualType SourceType, QualType T, 3424 SourceLocation CContext, unsigned diag) { 3425 S.Diag(E->getExprLoc(), diag) 3426 << SourceType << T << E->getSourceRange() << SourceRange(CContext); 3427} 3428 3429/// Diagnose an implicit cast; purely a helper for CheckImplicitConversion. 3430void DiagnoseImpCast(Sema &S, Expr *E, QualType T, SourceLocation CContext, 3431 unsigned diag) { 3432 DiagnoseImpCast(S, E, E->getType(), T, CContext, diag); 3433} 3434 3435/// Diagnose an implicit cast from a literal expression. Does not warn when the 3436/// cast wouldn't lose information. 3437void DiagnoseFloatingLiteralImpCast(Sema &S, FloatingLiteral *FL, QualType T, 3438 SourceLocation CContext) { 3439 // Try to convert the literal exactly to an integer. If we can, don't warn. 3440 bool isExact = false; 3441 const llvm::APFloat &Value = FL->getValue(); 3442 llvm::APSInt IntegerValue(S.Context.getIntWidth(T), 3443 T->hasUnsignedIntegerRepresentation()); 3444 if (Value.convertToInteger(IntegerValue, 3445 llvm::APFloat::rmTowardZero, &isExact) 3446 == llvm::APFloat::opOK && isExact) 3447 return; 3448 3449 S.Diag(FL->getExprLoc(), diag::warn_impcast_literal_float_to_integer) 3450 << FL->getType() << T << FL->getSourceRange() << SourceRange(CContext); 3451} 3452 3453std::string PrettyPrintInRange(const llvm::APSInt &Value, IntRange Range) { 3454 if (!Range.Width) return "0"; 3455 3456 llvm::APSInt ValueInRange = Value; 3457 ValueInRange.setIsSigned(!Range.NonNegative); 3458 ValueInRange = ValueInRange.trunc(Range.Width); 3459 return ValueInRange.toString(10); 3460} 3461 3462static bool isFromSystemMacro(Sema &S, SourceLocation loc) { 3463 SourceManager &smgr = S.Context.getSourceManager(); 3464 return loc.isMacroID() && smgr.isInSystemHeader(smgr.getSpellingLoc(loc)); 3465} 3466 3467void CheckImplicitConversion(Sema &S, Expr *E, QualType T, 3468 SourceLocation CC, bool *ICContext = 0) { 3469 if (E->isTypeDependent() || E->isValueDependent()) return; 3470 3471 const Type *Source = S.Context.getCanonicalType(E->getType()).getTypePtr(); 3472 const Type *Target = S.Context.getCanonicalType(T).getTypePtr(); 3473 if (Source == Target) return; 3474 if (Target->isDependentType()) return; 3475 3476 // If the conversion context location is invalid don't complain. We also 3477 // don't want to emit a warning if the issue occurs from the expansion of 3478 // a system macro. The problem is that 'getSpellingLoc()' is slow, so we 3479 // delay this check as long as possible. Once we detect we are in that 3480 // scenario, we just return. 3481 if (CC.isInvalid()) 3482 return; 3483 3484 // Diagnose implicit casts to bool. 3485 if (Target->isSpecificBuiltinType(BuiltinType::Bool)) { 3486 if (isa<StringLiteral>(E)) 3487 // Warn on string literal to bool. Checks for string literals in logical 3488 // expressions, for instances, assert(0 && "error here"), is prevented 3489 // by a check in AnalyzeImplicitConversions(). 3490 return DiagnoseImpCast(S, E, T, CC, 3491 diag::warn_impcast_string_literal_to_bool); 3492 return; // Other casts to bool are not checked. 3493 } 3494 3495 // Strip vector types. 3496 if (isa<VectorType>(Source)) { 3497 if (!isa<VectorType>(Target)) { 3498 if (isFromSystemMacro(S, CC)) 3499 return; 3500 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_vector_scalar); 3501 } 3502 3503 // If the vector cast is cast between two vectors of the same size, it is 3504 // a bitcast, not a conversion. 3505 if (S.Context.getTypeSize(Source) == S.Context.getTypeSize(Target)) 3506 return; 3507 3508 Source = cast<VectorType>(Source)->getElementType().getTypePtr(); 3509 Target = cast<VectorType>(Target)->getElementType().getTypePtr(); 3510 } 3511 3512 // Strip complex types. 3513 if (isa<ComplexType>(Source)) { 3514 if (!isa<ComplexType>(Target)) { 3515 if (isFromSystemMacro(S, CC)) 3516 return; 3517 3518 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_complex_scalar); 3519 } 3520 3521 Source = cast<ComplexType>(Source)->getElementType().getTypePtr(); 3522 Target = cast<ComplexType>(Target)->getElementType().getTypePtr(); 3523 } 3524 3525 const BuiltinType *SourceBT = dyn_cast<BuiltinType>(Source); 3526 const BuiltinType *TargetBT = dyn_cast<BuiltinType>(Target); 3527 3528 // If the source is floating point... 3529 if (SourceBT && SourceBT->isFloatingPoint()) { 3530 // ...and the target is floating point... 3531 if (TargetBT && TargetBT->isFloatingPoint()) { 3532 // ...then warn if we're dropping FP rank. 3533 3534 // Builtin FP kinds are ordered by increasing FP rank. 3535 if (SourceBT->getKind() > TargetBT->getKind()) { 3536 // Don't warn about float constants that are precisely 3537 // representable in the target type. 3538 Expr::EvalResult result; 3539 if (E->Evaluate(result, S.Context)) { 3540 // Value might be a float, a float vector, or a float complex. 3541 if (IsSameFloatAfterCast(result.Val, 3542 S.Context.getFloatTypeSemantics(QualType(TargetBT, 0)), 3543 S.Context.getFloatTypeSemantics(QualType(SourceBT, 0)))) 3544 return; 3545 } 3546 3547 if (isFromSystemMacro(S, CC)) 3548 return; 3549 3550 DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_precision); 3551 } 3552 return; 3553 } 3554 3555 // If the target is integral, always warn. 3556 if ((TargetBT && TargetBT->isInteger())) { 3557 if (isFromSystemMacro(S, CC)) 3558 return; 3559 3560 Expr *InnerE = E->IgnoreParenImpCasts(); 3561 // We also want to warn on, e.g., "int i = -1.234" 3562 if (UnaryOperator *UOp = dyn_cast<UnaryOperator>(InnerE)) 3563 if (UOp->getOpcode() == UO_Minus || UOp->getOpcode() == UO_Plus) 3564 InnerE = UOp->getSubExpr()->IgnoreParenImpCasts(); 3565 3566 if (FloatingLiteral *FL = dyn_cast<FloatingLiteral>(InnerE)) { 3567 DiagnoseFloatingLiteralImpCast(S, FL, T, CC); 3568 } else { 3569 DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_integer); 3570 } 3571 } 3572 3573 return; 3574 } 3575 3576 if (!Source->isIntegerType() || !Target->isIntegerType()) 3577 return; 3578 3579 if ((E->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNotNull) 3580 == Expr::NPCK_GNUNull) && Target->isIntegerType()) { 3581 S.Diag(E->getExprLoc(), diag::warn_impcast_null_pointer_to_integer) 3582 << E->getSourceRange() << clang::SourceRange(CC); 3583 return; 3584 } 3585 3586 IntRange SourceRange = GetExprRange(S.Context, E); 3587 IntRange TargetRange = IntRange::forTargetOfCanonicalType(S.Context, Target); 3588 3589 if (SourceRange.Width > TargetRange.Width) { 3590 // If the source is a constant, use a default-on diagnostic. 3591 // TODO: this should happen for bitfield stores, too. 3592 llvm::APSInt Value(32); 3593 if (E->isIntegerConstantExpr(Value, S.Context)) { 3594 if (isFromSystemMacro(S, CC)) 3595 return; 3596 3597 std::string PrettySourceValue = Value.toString(10); 3598 std::string PrettyTargetValue = PrettyPrintInRange(Value, TargetRange); 3599 3600 S.Diag(E->getExprLoc(), diag::warn_impcast_integer_precision_constant) 3601 << PrettySourceValue << PrettyTargetValue 3602 << E->getType() << T << E->getSourceRange() << clang::SourceRange(CC); 3603 return; 3604 } 3605 3606 // People want to build with -Wshorten-64-to-32 and not -Wconversion. 3607 if (isFromSystemMacro(S, CC)) 3608 return; 3609 3610 if (SourceRange.Width == 64 && TargetRange.Width == 32) 3611 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_64_32); 3612 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_precision); 3613 } 3614 3615 if ((TargetRange.NonNegative && !SourceRange.NonNegative) || 3616 (!TargetRange.NonNegative && SourceRange.NonNegative && 3617 SourceRange.Width == TargetRange.Width)) { 3618 3619 if (isFromSystemMacro(S, CC)) 3620 return; 3621 3622 unsigned DiagID = diag::warn_impcast_integer_sign; 3623 3624 // Traditionally, gcc has warned about this under -Wsign-compare. 3625 // We also want to warn about it in -Wconversion. 3626 // So if -Wconversion is off, use a completely identical diagnostic 3627 // in the sign-compare group. 3628 // The conditional-checking code will 3629 if (ICContext) { 3630 DiagID = diag::warn_impcast_integer_sign_conditional; 3631 *ICContext = true; 3632 } 3633 3634 return DiagnoseImpCast(S, E, T, CC, DiagID); 3635 } 3636 3637 // Diagnose conversions between different enumeration types. 3638 // In C, we pretend that the type of an EnumConstantDecl is its enumeration 3639 // type, to give us better diagnostics. 3640 QualType SourceType = E->getType(); 3641 if (!S.getLangOptions().CPlusPlus) { 3642 if (DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) 3643 if (EnumConstantDecl *ECD = dyn_cast<EnumConstantDecl>(DRE->getDecl())) { 3644 EnumDecl *Enum = cast<EnumDecl>(ECD->getDeclContext()); 3645 SourceType = S.Context.getTypeDeclType(Enum); 3646 Source = S.Context.getCanonicalType(SourceType).getTypePtr(); 3647 } 3648 } 3649 3650 if (const EnumType *SourceEnum = Source->getAs<EnumType>()) 3651 if (const EnumType *TargetEnum = Target->getAs<EnumType>()) 3652 if ((SourceEnum->getDecl()->getIdentifier() || 3653 SourceEnum->getDecl()->getTypedefNameForAnonDecl()) && 3654 (TargetEnum->getDecl()->getIdentifier() || 3655 TargetEnum->getDecl()->getTypedefNameForAnonDecl()) && 3656 SourceEnum != TargetEnum) { 3657 if (isFromSystemMacro(S, CC)) 3658 return; 3659 3660 return DiagnoseImpCast(S, E, SourceType, T, CC, 3661 diag::warn_impcast_different_enum_types); 3662 } 3663 3664 return; 3665} 3666 3667void CheckConditionalOperator(Sema &S, ConditionalOperator *E, QualType T); 3668 3669void CheckConditionalOperand(Sema &S, Expr *E, QualType T, 3670 SourceLocation CC, bool &ICContext) { 3671 E = E->IgnoreParenImpCasts(); 3672 3673 if (isa<ConditionalOperator>(E)) 3674 return CheckConditionalOperator(S, cast<ConditionalOperator>(E), T); 3675 3676 AnalyzeImplicitConversions(S, E, CC); 3677 if (E->getType() != T) 3678 return CheckImplicitConversion(S, E, T, CC, &ICContext); 3679 return; 3680} 3681 3682void CheckConditionalOperator(Sema &S, ConditionalOperator *E, QualType T) { 3683 SourceLocation CC = E->getQuestionLoc(); 3684 3685 AnalyzeImplicitConversions(S, E->getCond(), CC); 3686 3687 bool Suspicious = false; 3688 CheckConditionalOperand(S, E->getTrueExpr(), T, CC, Suspicious); 3689 CheckConditionalOperand(S, E->getFalseExpr(), T, CC, Suspicious); 3690 3691 // If -Wconversion would have warned about either of the candidates 3692 // for a signedness conversion to the context type... 3693 if (!Suspicious) return; 3694 3695 // ...but it's currently ignored... 3696 if (S.Diags.getDiagnosticLevel(diag::warn_impcast_integer_sign_conditional, 3697 CC)) 3698 return; 3699 3700 // ...then check whether it would have warned about either of the 3701 // candidates for a signedness conversion to the condition type. 3702 if (E->getType() == T) return; 3703 3704 Suspicious = false; 3705 CheckImplicitConversion(S, E->getTrueExpr()->IgnoreParenImpCasts(), 3706 E->getType(), CC, &Suspicious); 3707 if (!Suspicious) 3708 CheckImplicitConversion(S, E->getFalseExpr()->IgnoreParenImpCasts(), 3709 E->getType(), CC, &Suspicious); 3710} 3711 3712/// AnalyzeImplicitConversions - Find and report any interesting 3713/// implicit conversions in the given expression. There are a couple 3714/// of competing diagnostics here, -Wconversion and -Wsign-compare. 3715void AnalyzeImplicitConversions(Sema &S, Expr *OrigE, SourceLocation CC) { 3716 QualType T = OrigE->getType(); 3717 Expr *E = OrigE->IgnoreParenImpCasts(); 3718 3719 if (E->isTypeDependent() || E->isValueDependent()) 3720 return; 3721 3722 // For conditional operators, we analyze the arguments as if they 3723 // were being fed directly into the output. 3724 if (isa<ConditionalOperator>(E)) { 3725 ConditionalOperator *CO = cast<ConditionalOperator>(E); 3726 CheckConditionalOperator(S, CO, T); 3727 return; 3728 } 3729 3730 // Go ahead and check any implicit conversions we might have skipped. 3731 // The non-canonical typecheck is just an optimization; 3732 // CheckImplicitConversion will filter out dead implicit conversions. 3733 if (E->getType() != T) 3734 CheckImplicitConversion(S, E, T, CC); 3735 3736 // Now continue drilling into this expression. 3737 3738 // Skip past explicit casts. 3739 if (isa<ExplicitCastExpr>(E)) { 3740 E = cast<ExplicitCastExpr>(E)->getSubExpr()->IgnoreParenImpCasts(); 3741 return AnalyzeImplicitConversions(S, E, CC); 3742 } 3743 3744 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 3745 // Do a somewhat different check with comparison operators. 3746 if (BO->isComparisonOp()) 3747 return AnalyzeComparison(S, BO); 3748 3749 // And with assignments and compound assignments. 3750 if (BO->isAssignmentOp()) 3751 return AnalyzeAssignment(S, BO); 3752 } 3753 3754 // These break the otherwise-useful invariant below. Fortunately, 3755 // we don't really need to recurse into them, because any internal 3756 // expressions should have been analyzed already when they were 3757 // built into statements. 3758 if (isa<StmtExpr>(E)) return; 3759 3760 // Don't descend into unevaluated contexts. 3761 if (isa<UnaryExprOrTypeTraitExpr>(E)) return; 3762 3763 // Now just recurse over the expression's children. 3764 CC = E->getExprLoc(); 3765 BinaryOperator *BO = dyn_cast<BinaryOperator>(E); 3766 bool IsLogicalOperator = BO && BO->isLogicalOp(); 3767 for (Stmt::child_range I = E->children(); I; ++I) { 3768 Expr *ChildExpr = cast<Expr>(*I); 3769 if (IsLogicalOperator && 3770 isa<StringLiteral>(ChildExpr->IgnoreParenImpCasts())) 3771 // Ignore checking string literals that are in logical operators. 3772 continue; 3773 AnalyzeImplicitConversions(S, ChildExpr, CC); 3774 } 3775} 3776 3777} // end anonymous namespace 3778 3779/// Diagnoses "dangerous" implicit conversions within the given 3780/// expression (which is a full expression). Implements -Wconversion 3781/// and -Wsign-compare. 3782/// 3783/// \param CC the "context" location of the implicit conversion, i.e. 3784/// the most location of the syntactic entity requiring the implicit 3785/// conversion 3786void Sema::CheckImplicitConversions(Expr *E, SourceLocation CC) { 3787 // Don't diagnose in unevaluated contexts. 3788 if (ExprEvalContexts.back().Context == Sema::Unevaluated) 3789 return; 3790 3791 // Don't diagnose for value- or type-dependent expressions. 3792 if (E->isTypeDependent() || E->isValueDependent()) 3793 return; 3794 3795 // Check for array bounds violations in cases where the check isn't triggered 3796 // elsewhere for other Expr types (like BinaryOperators), e.g. when an 3797 // ArraySubscriptExpr is on the RHS of a variable initialization. 3798 CheckArrayAccess(E); 3799 3800 // This is not the right CC for (e.g.) a variable initialization. 3801 AnalyzeImplicitConversions(*this, E, CC); 3802} 3803 3804void Sema::CheckBitFieldInitialization(SourceLocation InitLoc, 3805 FieldDecl *BitField, 3806 Expr *Init) { 3807 (void) AnalyzeBitFieldAssignment(*this, BitField, Init, InitLoc); 3808} 3809 3810/// CheckParmsForFunctionDef - Check that the parameters of the given 3811/// function are appropriate for the definition of a function. This 3812/// takes care of any checks that cannot be performed on the 3813/// declaration itself, e.g., that the types of each of the function 3814/// parameters are complete. 3815bool Sema::CheckParmsForFunctionDef(ParmVarDecl **P, ParmVarDecl **PEnd, 3816 bool CheckParameterNames) { 3817 bool HasInvalidParm = false; 3818 for (; P != PEnd; ++P) { 3819 ParmVarDecl *Param = *P; 3820 3821 // C99 6.7.5.3p4: the parameters in a parameter type list in a 3822 // function declarator that is part of a function definition of 3823 // that function shall not have incomplete type. 3824 // 3825 // This is also C++ [dcl.fct]p6. 3826 if (!Param->isInvalidDecl() && 3827 RequireCompleteType(Param->getLocation(), Param->getType(), 3828 diag::err_typecheck_decl_incomplete_type)) { 3829 Param->setInvalidDecl(); 3830 HasInvalidParm = true; 3831 } 3832 3833 // C99 6.9.1p5: If the declarator includes a parameter type list, the 3834 // declaration of each parameter shall include an identifier. 3835 if (CheckParameterNames && 3836 Param->getIdentifier() == 0 && 3837 !Param->isImplicit() && 3838 !getLangOptions().CPlusPlus) 3839 Diag(Param->getLocation(), diag::err_parameter_name_omitted); 3840 3841 // C99 6.7.5.3p12: 3842 // If the function declarator is not part of a definition of that 3843 // function, parameters may have incomplete type and may use the [*] 3844 // notation in their sequences of declarator specifiers to specify 3845 // variable length array types. 3846 QualType PType = Param->getOriginalType(); 3847 if (const ArrayType *AT = Context.getAsArrayType(PType)) { 3848 if (AT->getSizeModifier() == ArrayType::Star) { 3849 // FIXME: This diagnosic should point the the '[*]' if source-location 3850 // information is added for it. 3851 Diag(Param->getLocation(), diag::err_array_star_in_function_definition); 3852 } 3853 } 3854 } 3855 3856 return HasInvalidParm; 3857} 3858 3859/// CheckCastAlign - Implements -Wcast-align, which warns when a 3860/// pointer cast increases the alignment requirements. 3861void Sema::CheckCastAlign(Expr *Op, QualType T, SourceRange TRange) { 3862 // This is actually a lot of work to potentially be doing on every 3863 // cast; don't do it if we're ignoring -Wcast_align (as is the default). 3864 if (getDiagnostics().getDiagnosticLevel(diag::warn_cast_align, 3865 TRange.getBegin()) 3866 == DiagnosticsEngine::Ignored) 3867 return; 3868 3869 // Ignore dependent types. 3870 if (T->isDependentType() || Op->getType()->isDependentType()) 3871 return; 3872 3873 // Require that the destination be a pointer type. 3874 const PointerType *DestPtr = T->getAs<PointerType>(); 3875 if (!DestPtr) return; 3876 3877 // If the destination has alignment 1, we're done. 3878 QualType DestPointee = DestPtr->getPointeeType(); 3879 if (DestPointee->isIncompleteType()) return; 3880 CharUnits DestAlign = Context.getTypeAlignInChars(DestPointee); 3881 if (DestAlign.isOne()) return; 3882 3883 // Require that the source be a pointer type. 3884 const PointerType *SrcPtr = Op->getType()->getAs<PointerType>(); 3885 if (!SrcPtr) return; 3886 QualType SrcPointee = SrcPtr->getPointeeType(); 3887 3888 // Whitelist casts from cv void*. We already implicitly 3889 // whitelisted casts to cv void*, since they have alignment 1. 3890 // Also whitelist casts involving incomplete types, which implicitly 3891 // includes 'void'. 3892 if (SrcPointee->isIncompleteType()) return; 3893 3894 CharUnits SrcAlign = Context.getTypeAlignInChars(SrcPointee); 3895 if (SrcAlign >= DestAlign) return; 3896 3897 Diag(TRange.getBegin(), diag::warn_cast_align) 3898 << Op->getType() << T 3899 << static_cast<unsigned>(SrcAlign.getQuantity()) 3900 << static_cast<unsigned>(DestAlign.getQuantity()) 3901 << TRange << Op->getSourceRange(); 3902} 3903 3904static const Type* getElementType(const Expr *BaseExpr) { 3905 const Type* EltType = BaseExpr->getType().getTypePtr(); 3906 if (EltType->isAnyPointerType()) 3907 return EltType->getPointeeType().getTypePtr(); 3908 else if (EltType->isArrayType()) 3909 return EltType->getBaseElementTypeUnsafe(); 3910 return EltType; 3911} 3912 3913/// \brief Check whether this array fits the idiom of a size-one tail padded 3914/// array member of a struct. 3915/// 3916/// We avoid emitting out-of-bounds access warnings for such arrays as they are 3917/// commonly used to emulate flexible arrays in C89 code. 3918static bool IsTailPaddedMemberArray(Sema &S, llvm::APInt Size, 3919 const NamedDecl *ND) { 3920 if (Size != 1 || !ND) return false; 3921 3922 const FieldDecl *FD = dyn_cast<FieldDecl>(ND); 3923 if (!FD) return false; 3924 3925 // Don't consider sizes resulting from macro expansions or template argument 3926 // substitution to form C89 tail-padded arrays. 3927 ConstantArrayTypeLoc TL = 3928 cast<ConstantArrayTypeLoc>(FD->getTypeSourceInfo()->getTypeLoc()); 3929 const Expr *SizeExpr = dyn_cast<IntegerLiteral>(TL.getSizeExpr()); 3930 if (!SizeExpr || SizeExpr->getExprLoc().isMacroID()) 3931 return false; 3932 3933 const RecordDecl *RD = dyn_cast<RecordDecl>(FD->getDeclContext()); 3934 if (!RD || !RD->isStruct()) 3935 return false; 3936 3937 // See if this is the last field decl in the record. 3938 const Decl *D = FD; 3939 while ((D = D->getNextDeclInContext())) 3940 if (isa<FieldDecl>(D)) 3941 return false; 3942 return true; 3943} 3944 3945void Sema::CheckArrayAccess(const Expr *BaseExpr, const Expr *IndexExpr, 3946 bool isSubscript, bool AllowOnePastEnd) { 3947 const Type* EffectiveType = getElementType(BaseExpr); 3948 BaseExpr = BaseExpr->IgnoreParenCasts(); 3949 IndexExpr = IndexExpr->IgnoreParenCasts(); 3950 3951 const ConstantArrayType *ArrayTy = 3952 Context.getAsConstantArrayType(BaseExpr->getType()); 3953 if (!ArrayTy) 3954 return; 3955 3956 if (IndexExpr->isValueDependent()) 3957 return; 3958 llvm::APSInt index; 3959 if (!IndexExpr->isIntegerConstantExpr(index, Context)) 3960 return; 3961 3962 const NamedDecl *ND = NULL; 3963 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr)) 3964 ND = dyn_cast<NamedDecl>(DRE->getDecl()); 3965 if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr)) 3966 ND = dyn_cast<NamedDecl>(ME->getMemberDecl()); 3967 3968 if (index.isUnsigned() || !index.isNegative()) { 3969 llvm::APInt size = ArrayTy->getSize(); 3970 if (!size.isStrictlyPositive()) 3971 return; 3972 3973 const Type* BaseType = getElementType(BaseExpr); 3974 if (BaseType != EffectiveType) { 3975 // Make sure we're comparing apples to apples when comparing index to size 3976 uint64_t ptrarith_typesize = Context.getTypeSize(EffectiveType); 3977 uint64_t array_typesize = Context.getTypeSize(BaseType); 3978 // Handle ptrarith_typesize being zero, such as when casting to void* 3979 if (!ptrarith_typesize) ptrarith_typesize = 1; 3980 if (ptrarith_typesize != array_typesize) { 3981 // There's a cast to a different size type involved 3982 uint64_t ratio = array_typesize / ptrarith_typesize; 3983 // TODO: Be smarter about handling cases where array_typesize is not a 3984 // multiple of ptrarith_typesize 3985 if (ptrarith_typesize * ratio == array_typesize) 3986 size *= llvm::APInt(size.getBitWidth(), ratio); 3987 } 3988 } 3989 3990 if (size.getBitWidth() > index.getBitWidth()) 3991 index = index.sext(size.getBitWidth()); 3992 else if (size.getBitWidth() < index.getBitWidth()) 3993 size = size.sext(index.getBitWidth()); 3994 3995 // For array subscripting the index must be less than size, but for pointer 3996 // arithmetic also allow the index (offset) to be equal to size since 3997 // computing the next address after the end of the array is legal and 3998 // commonly done e.g. in C++ iterators and range-based for loops. 3999 if (AllowOnePastEnd ? index.sle(size) : index.slt(size)) 4000 return; 4001 4002 // Also don't warn for arrays of size 1 which are members of some 4003 // structure. These are often used to approximate flexible arrays in C89 4004 // code. 4005 if (IsTailPaddedMemberArray(*this, size, ND)) 4006 return; 4007 4008 unsigned DiagID = diag::warn_ptr_arith_exceeds_bounds; 4009 if (isSubscript) 4010 DiagID = diag::warn_array_index_exceeds_bounds; 4011 4012 DiagRuntimeBehavior(BaseExpr->getLocStart(), BaseExpr, 4013 PDiag(DiagID) << index.toString(10, true) 4014 << size.toString(10, true) 4015 << (unsigned)size.getLimitedValue(~0U) 4016 << IndexExpr->getSourceRange()); 4017 } else { 4018 unsigned DiagID = diag::warn_array_index_precedes_bounds; 4019 if (!isSubscript) { 4020 DiagID = diag::warn_ptr_arith_precedes_bounds; 4021 if (index.isNegative()) index = -index; 4022 } 4023 4024 DiagRuntimeBehavior(BaseExpr->getLocStart(), BaseExpr, 4025 PDiag(DiagID) << index.toString(10, true) 4026 << IndexExpr->getSourceRange()); 4027 } 4028 4029 if (ND) 4030 DiagRuntimeBehavior(ND->getLocStart(), BaseExpr, 4031 PDiag(diag::note_array_index_out_of_bounds) 4032 << ND->getDeclName()); 4033} 4034 4035void Sema::CheckArrayAccess(const Expr *expr) { 4036 int AllowOnePastEnd = 0; 4037 while (expr) { 4038 expr = expr->IgnoreParenImpCasts(); 4039 switch (expr->getStmtClass()) { 4040 case Stmt::ArraySubscriptExprClass: { 4041 const ArraySubscriptExpr *ASE = cast<ArraySubscriptExpr>(expr); 4042 CheckArrayAccess(ASE->getBase(), ASE->getIdx(), true, 4043 AllowOnePastEnd > 0); 4044 return; 4045 } 4046 case Stmt::UnaryOperatorClass: { 4047 // Only unwrap the * and & unary operators 4048 const UnaryOperator *UO = cast<UnaryOperator>(expr); 4049 expr = UO->getSubExpr(); 4050 switch (UO->getOpcode()) { 4051 case UO_AddrOf: 4052 AllowOnePastEnd++; 4053 break; 4054 case UO_Deref: 4055 AllowOnePastEnd--; 4056 break; 4057 default: 4058 return; 4059 } 4060 break; 4061 } 4062 case Stmt::ConditionalOperatorClass: { 4063 const ConditionalOperator *cond = cast<ConditionalOperator>(expr); 4064 if (const Expr *lhs = cond->getLHS()) 4065 CheckArrayAccess(lhs); 4066 if (const Expr *rhs = cond->getRHS()) 4067 CheckArrayAccess(rhs); 4068 return; 4069 } 4070 default: 4071 return; 4072 } 4073 } 4074} 4075 4076//===--- CHECK: Objective-C retain cycles ----------------------------------// 4077 4078namespace { 4079 struct RetainCycleOwner { 4080 RetainCycleOwner() : Variable(0), Indirect(false) {} 4081 VarDecl *Variable; 4082 SourceRange Range; 4083 SourceLocation Loc; 4084 bool Indirect; 4085 4086 void setLocsFrom(Expr *e) { 4087 Loc = e->getExprLoc(); 4088 Range = e->getSourceRange(); 4089 } 4090 }; 4091} 4092 4093/// Consider whether capturing the given variable can possibly lead to 4094/// a retain cycle. 4095static bool considerVariable(VarDecl *var, Expr *ref, RetainCycleOwner &owner) { 4096 // In ARC, it's captured strongly iff the variable has __strong 4097 // lifetime. In MRR, it's captured strongly if the variable is 4098 // __block and has an appropriate type. 4099 if (var->getType().getObjCLifetime() != Qualifiers::OCL_Strong) 4100 return false; 4101 4102 owner.Variable = var; 4103 owner.setLocsFrom(ref); 4104 return true; 4105} 4106 4107static bool findRetainCycleOwner(Expr *e, RetainCycleOwner &owner) { 4108 while (true) { 4109 e = e->IgnoreParens(); 4110 if (CastExpr *cast = dyn_cast<CastExpr>(e)) { 4111 switch (cast->getCastKind()) { 4112 case CK_BitCast: 4113 case CK_LValueBitCast: 4114 case CK_LValueToRValue: 4115 case CK_ARCReclaimReturnedObject: 4116 e = cast->getSubExpr(); 4117 continue; 4118 4119 case CK_GetObjCProperty: { 4120 // Bail out if this isn't a strong explicit property. 4121 const ObjCPropertyRefExpr *pre = cast->getSubExpr()->getObjCProperty(); 4122 if (pre->isImplicitProperty()) return false; 4123 ObjCPropertyDecl *property = pre->getExplicitProperty(); 4124 if (!property->isRetaining() && 4125 !(property->getPropertyIvarDecl() && 4126 property->getPropertyIvarDecl()->getType() 4127 .getObjCLifetime() == Qualifiers::OCL_Strong)) 4128 return false; 4129 4130 owner.Indirect = true; 4131 e = const_cast<Expr*>(pre->getBase()); 4132 continue; 4133 } 4134 4135 default: 4136 return false; 4137 } 4138 } 4139 4140 if (ObjCIvarRefExpr *ref = dyn_cast<ObjCIvarRefExpr>(e)) { 4141 ObjCIvarDecl *ivar = ref->getDecl(); 4142 if (ivar->getType().getObjCLifetime() != Qualifiers::OCL_Strong) 4143 return false; 4144 4145 // Try to find a retain cycle in the base. 4146 if (!findRetainCycleOwner(ref->getBase(), owner)) 4147 return false; 4148 4149 if (ref->isFreeIvar()) owner.setLocsFrom(ref); 4150 owner.Indirect = true; 4151 return true; 4152 } 4153 4154 if (DeclRefExpr *ref = dyn_cast<DeclRefExpr>(e)) { 4155 VarDecl *var = dyn_cast<VarDecl>(ref->getDecl()); 4156 if (!var) return false; 4157 return considerVariable(var, ref, owner); 4158 } 4159 4160 if (BlockDeclRefExpr *ref = dyn_cast<BlockDeclRefExpr>(e)) { 4161 owner.Variable = ref->getDecl(); 4162 owner.setLocsFrom(ref); 4163 return true; 4164 } 4165 4166 if (MemberExpr *member = dyn_cast<MemberExpr>(e)) { 4167 if (member->isArrow()) return false; 4168 4169 // Don't count this as an indirect ownership. 4170 e = member->getBase(); 4171 continue; 4172 } 4173 4174 // Array ivars? 4175 4176 return false; 4177 } 4178} 4179 4180namespace { 4181 struct FindCaptureVisitor : EvaluatedExprVisitor<FindCaptureVisitor> { 4182 FindCaptureVisitor(ASTContext &Context, VarDecl *variable) 4183 : EvaluatedExprVisitor<FindCaptureVisitor>(Context), 4184 Variable(variable), Capturer(0) {} 4185 4186 VarDecl *Variable; 4187 Expr *Capturer; 4188 4189 void VisitDeclRefExpr(DeclRefExpr *ref) { 4190 if (ref->getDecl() == Variable && !Capturer) 4191 Capturer = ref; 4192 } 4193 4194 void VisitBlockDeclRefExpr(BlockDeclRefExpr *ref) { 4195 if (ref->getDecl() == Variable && !Capturer) 4196 Capturer = ref; 4197 } 4198 4199 void VisitObjCIvarRefExpr(ObjCIvarRefExpr *ref) { 4200 if (Capturer) return; 4201 Visit(ref->getBase()); 4202 if (Capturer && ref->isFreeIvar()) 4203 Capturer = ref; 4204 } 4205 4206 void VisitBlockExpr(BlockExpr *block) { 4207 // Look inside nested blocks 4208 if (block->getBlockDecl()->capturesVariable(Variable)) 4209 Visit(block->getBlockDecl()->getBody()); 4210 } 4211 }; 4212} 4213 4214/// Check whether the given argument is a block which captures a 4215/// variable. 4216static Expr *findCapturingExpr(Sema &S, Expr *e, RetainCycleOwner &owner) { 4217 assert(owner.Variable && owner.Loc.isValid()); 4218 4219 e = e->IgnoreParenCasts(); 4220 BlockExpr *block = dyn_cast<BlockExpr>(e); 4221 if (!block || !block->getBlockDecl()->capturesVariable(owner.Variable)) 4222 return 0; 4223 4224 FindCaptureVisitor visitor(S.Context, owner.Variable); 4225 visitor.Visit(block->getBlockDecl()->getBody()); 4226 return visitor.Capturer; 4227} 4228 4229static void diagnoseRetainCycle(Sema &S, Expr *capturer, 4230 RetainCycleOwner &owner) { 4231 assert(capturer); 4232 assert(owner.Variable && owner.Loc.isValid()); 4233 4234 S.Diag(capturer->getExprLoc(), diag::warn_arc_retain_cycle) 4235 << owner.Variable << capturer->getSourceRange(); 4236 S.Diag(owner.Loc, diag::note_arc_retain_cycle_owner) 4237 << owner.Indirect << owner.Range; 4238} 4239 4240/// Check for a keyword selector that starts with the word 'add' or 4241/// 'set'. 4242static bool isSetterLikeSelector(Selector sel) { 4243 if (sel.isUnarySelector()) return false; 4244 4245 StringRef str = sel.getNameForSlot(0); 4246 while (!str.empty() && str.front() == '_') str = str.substr(1); 4247 if (str.startswith("set") || str.startswith("add")) 4248 str = str.substr(3); 4249 else 4250 return false; 4251 4252 if (str.empty()) return true; 4253 return !islower(str.front()); 4254} 4255 4256/// Check a message send to see if it's likely to cause a retain cycle. 4257void Sema::checkRetainCycles(ObjCMessageExpr *msg) { 4258 // Only check instance methods whose selector looks like a setter. 4259 if (!msg->isInstanceMessage() || !isSetterLikeSelector(msg->getSelector())) 4260 return; 4261 4262 // Try to find a variable that the receiver is strongly owned by. 4263 RetainCycleOwner owner; 4264 if (msg->getReceiverKind() == ObjCMessageExpr::Instance) { 4265 if (!findRetainCycleOwner(msg->getInstanceReceiver(), owner)) 4266 return; 4267 } else { 4268 assert(msg->getReceiverKind() == ObjCMessageExpr::SuperInstance); 4269 owner.Variable = getCurMethodDecl()->getSelfDecl(); 4270 owner.Loc = msg->getSuperLoc(); 4271 owner.Range = msg->getSuperLoc(); 4272 } 4273 4274 // Check whether the receiver is captured by any of the arguments. 4275 for (unsigned i = 0, e = msg->getNumArgs(); i != e; ++i) 4276 if (Expr *capturer = findCapturingExpr(*this, msg->getArg(i), owner)) 4277 return diagnoseRetainCycle(*this, capturer, owner); 4278} 4279 4280/// Check a property assign to see if it's likely to cause a retain cycle. 4281void Sema::checkRetainCycles(Expr *receiver, Expr *argument) { 4282 RetainCycleOwner owner; 4283 if (!findRetainCycleOwner(receiver, owner)) 4284 return; 4285 4286 if (Expr *capturer = findCapturingExpr(*this, argument, owner)) 4287 diagnoseRetainCycle(*this, capturer, owner); 4288} 4289 4290bool Sema::checkUnsafeAssigns(SourceLocation Loc, 4291 QualType LHS, Expr *RHS) { 4292 Qualifiers::ObjCLifetime LT = LHS.getObjCLifetime(); 4293 if (LT != Qualifiers::OCL_Weak && LT != Qualifiers::OCL_ExplicitNone) 4294 return false; 4295 // strip off any implicit cast added to get to the one arc-specific 4296 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) { 4297 if (cast->getCastKind() == CK_ARCConsumeObject) { 4298 Diag(Loc, diag::warn_arc_retained_assign) 4299 << (LT == Qualifiers::OCL_ExplicitNone) 4300 << RHS->getSourceRange(); 4301 return true; 4302 } 4303 RHS = cast->getSubExpr(); 4304 } 4305 return false; 4306} 4307 4308void Sema::checkUnsafeExprAssigns(SourceLocation Loc, 4309 Expr *LHS, Expr *RHS) { 4310 QualType LHSType = LHS->getType(); 4311 if (checkUnsafeAssigns(Loc, LHSType, RHS)) 4312 return; 4313 Qualifiers::ObjCLifetime LT = LHSType.getObjCLifetime(); 4314 // FIXME. Check for other life times. 4315 if (LT != Qualifiers::OCL_None) 4316 return; 4317 4318 if (ObjCPropertyRefExpr *PRE = dyn_cast<ObjCPropertyRefExpr>(LHS)) { 4319 if (PRE->isImplicitProperty()) 4320 return; 4321 const ObjCPropertyDecl *PD = PRE->getExplicitProperty(); 4322 if (!PD) 4323 return; 4324 4325 unsigned Attributes = PD->getPropertyAttributes(); 4326 if (Attributes & ObjCPropertyDecl::OBJC_PR_assign) 4327 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) { 4328 if (cast->getCastKind() == CK_ARCConsumeObject) { 4329 Diag(Loc, diag::warn_arc_retained_property_assign) 4330 << RHS->getSourceRange(); 4331 return; 4332 } 4333 RHS = cast->getSubExpr(); 4334 } 4335 } 4336} 4337