SemaChecking.cpp revision b90f4b3fb94056609da9cca5eef7358d95a363b2
1//===--- SemaChecking.cpp - Extra Semantic Checking -----------------------===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file implements extra semantic analysis beyond what is enforced 11// by the C type system. 12// 13//===----------------------------------------------------------------------===// 14 15#include "Sema.h" 16#include "clang/Analysis/Analyses/PrintfFormatString.h" 17#include "clang/AST/ASTContext.h" 18#include "clang/AST/CharUnits.h" 19#include "clang/AST/DeclObjC.h" 20#include "clang/AST/ExprCXX.h" 21#include "clang/AST/ExprObjC.h" 22#include "clang/AST/DeclObjC.h" 23#include "clang/AST/StmtCXX.h" 24#include "clang/AST/StmtObjC.h" 25#include "clang/Lex/LiteralSupport.h" 26#include "clang/Lex/Preprocessor.h" 27#include "llvm/ADT/BitVector.h" 28#include "llvm/ADT/STLExtras.h" 29#include "clang/Basic/TargetBuiltins.h" 30#include <limits> 31using namespace clang; 32 33/// getLocationOfStringLiteralByte - Return a source location that points to the 34/// specified byte of the specified string literal. 35/// 36/// Strings are amazingly complex. They can be formed from multiple tokens and 37/// can have escape sequences in them in addition to the usual trigraph and 38/// escaped newline business. This routine handles this complexity. 39/// 40SourceLocation Sema::getLocationOfStringLiteralByte(const StringLiteral *SL, 41 unsigned ByteNo) const { 42 assert(!SL->isWide() && "This doesn't work for wide strings yet"); 43 44 // Loop over all of the tokens in this string until we find the one that 45 // contains the byte we're looking for. 46 unsigned TokNo = 0; 47 while (1) { 48 assert(TokNo < SL->getNumConcatenated() && "Invalid byte number!"); 49 SourceLocation StrTokLoc = SL->getStrTokenLoc(TokNo); 50 51 // Get the spelling of the string so that we can get the data that makes up 52 // the string literal, not the identifier for the macro it is potentially 53 // expanded through. 54 SourceLocation StrTokSpellingLoc = SourceMgr.getSpellingLoc(StrTokLoc); 55 56 // Re-lex the token to get its length and original spelling. 57 std::pair<FileID, unsigned> LocInfo = 58 SourceMgr.getDecomposedLoc(StrTokSpellingLoc); 59 bool Invalid = false; 60 llvm::StringRef Buffer = SourceMgr.getBufferData(LocInfo.first, &Invalid); 61 if (Invalid) 62 return StrTokSpellingLoc; 63 64 const char *StrData = Buffer.data()+LocInfo.second; 65 66 // Create a langops struct and enable trigraphs. This is sufficient for 67 // relexing tokens. 68 LangOptions LangOpts; 69 LangOpts.Trigraphs = true; 70 71 // Create a lexer starting at the beginning of this token. 72 Lexer TheLexer(StrTokSpellingLoc, LangOpts, Buffer.begin(), StrData, 73 Buffer.end()); 74 Token TheTok; 75 TheLexer.LexFromRawLexer(TheTok); 76 77 // Use the StringLiteralParser to compute the length of the string in bytes. 78 StringLiteralParser SLP(&TheTok, 1, PP, /*Complain=*/false); 79 unsigned TokNumBytes = SLP.GetStringLength(); 80 81 // If the byte is in this token, return the location of the byte. 82 if (ByteNo < TokNumBytes || 83 (ByteNo == TokNumBytes && TokNo == SL->getNumConcatenated())) { 84 unsigned Offset = 85 StringLiteralParser::getOffsetOfStringByte(TheTok, ByteNo, PP, 86 /*Complain=*/false); 87 88 // Now that we know the offset of the token in the spelling, use the 89 // preprocessor to get the offset in the original source. 90 return PP.AdvanceToTokenCharacter(StrTokLoc, Offset); 91 } 92 93 // Move to the next string token. 94 ++TokNo; 95 ByteNo -= TokNumBytes; 96 } 97} 98 99/// CheckablePrintfAttr - does a function call have a "printf" attribute 100/// and arguments that merit checking? 101bool Sema::CheckablePrintfAttr(const FormatAttr *Format, CallExpr *TheCall) { 102 if (Format->getType() == "printf") return true; 103 if (Format->getType() == "printf0") { 104 // printf0 allows null "format" string; if so don't check format/args 105 unsigned format_idx = Format->getFormatIdx() - 1; 106 // Does the index refer to the implicit object argument? 107 if (isa<CXXMemberCallExpr>(TheCall)) { 108 if (format_idx == 0) 109 return false; 110 --format_idx; 111 } 112 if (format_idx < TheCall->getNumArgs()) { 113 Expr *Format = TheCall->getArg(format_idx)->IgnoreParenCasts(); 114 if (!Format->isNullPointerConstant(Context, 115 Expr::NPC_ValueDependentIsNull)) 116 return true; 117 } 118 } 119 return false; 120} 121 122Action::OwningExprResult 123Sema::CheckBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 124 OwningExprResult TheCallResult(Owned(TheCall)); 125 126 switch (BuiltinID) { 127 case Builtin::BI__builtin___CFStringMakeConstantString: 128 assert(TheCall->getNumArgs() == 1 && 129 "Wrong # arguments to builtin CFStringMakeConstantString"); 130 if (CheckObjCString(TheCall->getArg(0))) 131 return ExprError(); 132 break; 133 case Builtin::BI__builtin_stdarg_start: 134 case Builtin::BI__builtin_va_start: 135 if (SemaBuiltinVAStart(TheCall)) 136 return ExprError(); 137 break; 138 case Builtin::BI__builtin_isgreater: 139 case Builtin::BI__builtin_isgreaterequal: 140 case Builtin::BI__builtin_isless: 141 case Builtin::BI__builtin_islessequal: 142 case Builtin::BI__builtin_islessgreater: 143 case Builtin::BI__builtin_isunordered: 144 if (SemaBuiltinUnorderedCompare(TheCall)) 145 return ExprError(); 146 break; 147 case Builtin::BI__builtin_fpclassify: 148 if (SemaBuiltinFPClassification(TheCall, 6)) 149 return ExprError(); 150 break; 151 case Builtin::BI__builtin_isfinite: 152 case Builtin::BI__builtin_isinf: 153 case Builtin::BI__builtin_isinf_sign: 154 case Builtin::BI__builtin_isnan: 155 case Builtin::BI__builtin_isnormal: 156 if (SemaBuiltinFPClassification(TheCall, 1)) 157 return ExprError(); 158 break; 159 case Builtin::BI__builtin_return_address: 160 case Builtin::BI__builtin_frame_address: { 161 llvm::APSInt Result; 162 if (SemaBuiltinConstantArg(TheCall, 0, Result)) 163 return ExprError(); 164 break; 165 } 166 case Builtin::BI__builtin_eh_return_data_regno: { 167 llvm::APSInt Result; 168 if (SemaBuiltinConstantArg(TheCall, 0, Result)) 169 return ExprError(); 170 break; 171 } 172 case Builtin::BI__builtin_shufflevector: 173 return SemaBuiltinShuffleVector(TheCall); 174 // TheCall will be freed by the smart pointer here, but that's fine, since 175 // SemaBuiltinShuffleVector guts it, but then doesn't release it. 176 case Builtin::BI__builtin_prefetch: 177 if (SemaBuiltinPrefetch(TheCall)) 178 return ExprError(); 179 break; 180 case Builtin::BI__builtin_object_size: 181 if (SemaBuiltinObjectSize(TheCall)) 182 return ExprError(); 183 break; 184 case Builtin::BI__builtin_longjmp: 185 if (SemaBuiltinLongjmp(TheCall)) 186 return ExprError(); 187 break; 188 case Builtin::BI__sync_fetch_and_add: 189 case Builtin::BI__sync_fetch_and_sub: 190 case Builtin::BI__sync_fetch_and_or: 191 case Builtin::BI__sync_fetch_and_and: 192 case Builtin::BI__sync_fetch_and_xor: 193 case Builtin::BI__sync_add_and_fetch: 194 case Builtin::BI__sync_sub_and_fetch: 195 case Builtin::BI__sync_and_and_fetch: 196 case Builtin::BI__sync_or_and_fetch: 197 case Builtin::BI__sync_xor_and_fetch: 198 case Builtin::BI__sync_val_compare_and_swap: 199 case Builtin::BI__sync_bool_compare_and_swap: 200 case Builtin::BI__sync_lock_test_and_set: 201 case Builtin::BI__sync_lock_release: 202 if (SemaBuiltinAtomicOverloaded(TheCall)) 203 return ExprError(); 204 break; 205 206 // Target specific builtins start here. 207 case X86::BI__builtin_ia32_palignr128: 208 case X86::BI__builtin_ia32_palignr: { 209 llvm::APSInt Result; 210 if (SemaBuiltinConstantArg(TheCall, 2, Result)) 211 return ExprError(); 212 break; 213 } 214 } 215 216 return move(TheCallResult); 217} 218 219/// CheckFunctionCall - Check a direct function call for various correctness 220/// and safety properties not strictly enforced by the C type system. 221bool Sema::CheckFunctionCall(FunctionDecl *FDecl, CallExpr *TheCall) { 222 // Get the IdentifierInfo* for the called function. 223 IdentifierInfo *FnInfo = FDecl->getIdentifier(); 224 225 // None of the checks below are needed for functions that don't have 226 // simple names (e.g., C++ conversion functions). 227 if (!FnInfo) 228 return false; 229 230 // FIXME: This mechanism should be abstracted to be less fragile and 231 // more efficient. For example, just map function ids to custom 232 // handlers. 233 234 // Printf checking. 235 if (const FormatAttr *Format = FDecl->getAttr<FormatAttr>()) { 236 if (CheckablePrintfAttr(Format, TheCall)) { 237 bool HasVAListArg = Format->getFirstArg() == 0; 238 CheckPrintfArguments(TheCall, HasVAListArg, Format->getFormatIdx() - 1, 239 HasVAListArg ? 0 : Format->getFirstArg() - 1); 240 } 241 } 242 243 for (const NonNullAttr *NonNull = FDecl->getAttr<NonNullAttr>(); NonNull; 244 NonNull = NonNull->getNext<NonNullAttr>()) 245 CheckNonNullArguments(NonNull, TheCall); 246 247 return false; 248} 249 250bool Sema::CheckBlockCall(NamedDecl *NDecl, CallExpr *TheCall) { 251 // Printf checking. 252 const FormatAttr *Format = NDecl->getAttr<FormatAttr>(); 253 if (!Format) 254 return false; 255 256 const VarDecl *V = dyn_cast<VarDecl>(NDecl); 257 if (!V) 258 return false; 259 260 QualType Ty = V->getType(); 261 if (!Ty->isBlockPointerType()) 262 return false; 263 264 if (!CheckablePrintfAttr(Format, TheCall)) 265 return false; 266 267 bool HasVAListArg = Format->getFirstArg() == 0; 268 CheckPrintfArguments(TheCall, HasVAListArg, Format->getFormatIdx() - 1, 269 HasVAListArg ? 0 : Format->getFirstArg() - 1); 270 271 return false; 272} 273 274/// SemaBuiltinAtomicOverloaded - We have a call to a function like 275/// __sync_fetch_and_add, which is an overloaded function based on the pointer 276/// type of its first argument. The main ActOnCallExpr routines have already 277/// promoted the types of arguments because all of these calls are prototyped as 278/// void(...). 279/// 280/// This function goes through and does final semantic checking for these 281/// builtins, 282bool Sema::SemaBuiltinAtomicOverloaded(CallExpr *TheCall) { 283 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 284 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 285 286 // Ensure that we have at least one argument to do type inference from. 287 if (TheCall->getNumArgs() < 1) 288 return Diag(TheCall->getLocEnd(), 289 diag::err_typecheck_call_too_few_args_at_least) 290 << 0 << 1 << TheCall->getNumArgs() 291 << TheCall->getCallee()->getSourceRange(); 292 293 // Inspect the first argument of the atomic builtin. This should always be 294 // a pointer type, whose element is an integral scalar or pointer type. 295 // Because it is a pointer type, we don't have to worry about any implicit 296 // casts here. 297 Expr *FirstArg = TheCall->getArg(0); 298 if (!FirstArg->getType()->isPointerType()) 299 return Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 300 << FirstArg->getType() << FirstArg->getSourceRange(); 301 302 QualType ValType = FirstArg->getType()->getAs<PointerType>()->getPointeeType(); 303 if (!ValType->isIntegerType() && !ValType->isPointerType() && 304 !ValType->isBlockPointerType()) 305 return Diag(DRE->getLocStart(), 306 diag::err_atomic_builtin_must_be_pointer_intptr) 307 << FirstArg->getType() << FirstArg->getSourceRange(); 308 309 // We need to figure out which concrete builtin this maps onto. For example, 310 // __sync_fetch_and_add with a 2 byte object turns into 311 // __sync_fetch_and_add_2. 312#define BUILTIN_ROW(x) \ 313 { Builtin::BI##x##_1, Builtin::BI##x##_2, Builtin::BI##x##_4, \ 314 Builtin::BI##x##_8, Builtin::BI##x##_16 } 315 316 static const unsigned BuiltinIndices[][5] = { 317 BUILTIN_ROW(__sync_fetch_and_add), 318 BUILTIN_ROW(__sync_fetch_and_sub), 319 BUILTIN_ROW(__sync_fetch_and_or), 320 BUILTIN_ROW(__sync_fetch_and_and), 321 BUILTIN_ROW(__sync_fetch_and_xor), 322 323 BUILTIN_ROW(__sync_add_and_fetch), 324 BUILTIN_ROW(__sync_sub_and_fetch), 325 BUILTIN_ROW(__sync_and_and_fetch), 326 BUILTIN_ROW(__sync_or_and_fetch), 327 BUILTIN_ROW(__sync_xor_and_fetch), 328 329 BUILTIN_ROW(__sync_val_compare_and_swap), 330 BUILTIN_ROW(__sync_bool_compare_and_swap), 331 BUILTIN_ROW(__sync_lock_test_and_set), 332 BUILTIN_ROW(__sync_lock_release) 333 }; 334#undef BUILTIN_ROW 335 336 // Determine the index of the size. 337 unsigned SizeIndex; 338 switch (Context.getTypeSizeInChars(ValType).getQuantity()) { 339 case 1: SizeIndex = 0; break; 340 case 2: SizeIndex = 1; break; 341 case 4: SizeIndex = 2; break; 342 case 8: SizeIndex = 3; break; 343 case 16: SizeIndex = 4; break; 344 default: 345 return Diag(DRE->getLocStart(), diag::err_atomic_builtin_pointer_size) 346 << FirstArg->getType() << FirstArg->getSourceRange(); 347 } 348 349 // Each of these builtins has one pointer argument, followed by some number of 350 // values (0, 1 or 2) followed by a potentially empty varags list of stuff 351 // that we ignore. Find out which row of BuiltinIndices to read from as well 352 // as the number of fixed args. 353 unsigned BuiltinID = FDecl->getBuiltinID(); 354 unsigned BuiltinIndex, NumFixed = 1; 355 switch (BuiltinID) { 356 default: assert(0 && "Unknown overloaded atomic builtin!"); 357 case Builtin::BI__sync_fetch_and_add: BuiltinIndex = 0; break; 358 case Builtin::BI__sync_fetch_and_sub: BuiltinIndex = 1; break; 359 case Builtin::BI__sync_fetch_and_or: BuiltinIndex = 2; break; 360 case Builtin::BI__sync_fetch_and_and: BuiltinIndex = 3; break; 361 case Builtin::BI__sync_fetch_and_xor: BuiltinIndex = 4; break; 362 363 case Builtin::BI__sync_add_and_fetch: BuiltinIndex = 5; break; 364 case Builtin::BI__sync_sub_and_fetch: BuiltinIndex = 6; break; 365 case Builtin::BI__sync_and_and_fetch: BuiltinIndex = 7; break; 366 case Builtin::BI__sync_or_and_fetch: BuiltinIndex = 8; break; 367 case Builtin::BI__sync_xor_and_fetch: BuiltinIndex = 9; break; 368 369 case Builtin::BI__sync_val_compare_and_swap: 370 BuiltinIndex = 10; 371 NumFixed = 2; 372 break; 373 case Builtin::BI__sync_bool_compare_and_swap: 374 BuiltinIndex = 11; 375 NumFixed = 2; 376 break; 377 case Builtin::BI__sync_lock_test_and_set: BuiltinIndex = 12; break; 378 case Builtin::BI__sync_lock_release: 379 BuiltinIndex = 13; 380 NumFixed = 0; 381 break; 382 } 383 384 // Now that we know how many fixed arguments we expect, first check that we 385 // have at least that many. 386 if (TheCall->getNumArgs() < 1+NumFixed) 387 return Diag(TheCall->getLocEnd(), 388 diag::err_typecheck_call_too_few_args_at_least) 389 << 0 << 1+NumFixed << TheCall->getNumArgs() 390 << TheCall->getCallee()->getSourceRange(); 391 392 393 // Get the decl for the concrete builtin from this, we can tell what the 394 // concrete integer type we should convert to is. 395 unsigned NewBuiltinID = BuiltinIndices[BuiltinIndex][SizeIndex]; 396 const char *NewBuiltinName = Context.BuiltinInfo.GetName(NewBuiltinID); 397 IdentifierInfo *NewBuiltinII = PP.getIdentifierInfo(NewBuiltinName); 398 FunctionDecl *NewBuiltinDecl = 399 cast<FunctionDecl>(LazilyCreateBuiltin(NewBuiltinII, NewBuiltinID, 400 TUScope, false, DRE->getLocStart())); 401 const FunctionProtoType *BuiltinFT = 402 NewBuiltinDecl->getType()->getAs<FunctionProtoType>(); 403 ValType = BuiltinFT->getArgType(0)->getAs<PointerType>()->getPointeeType(); 404 405 // If the first type needs to be converted (e.g. void** -> int*), do it now. 406 if (BuiltinFT->getArgType(0) != FirstArg->getType()) { 407 ImpCastExprToType(FirstArg, BuiltinFT->getArgType(0), CastExpr::CK_BitCast); 408 TheCall->setArg(0, FirstArg); 409 } 410 411 // Next, walk the valid ones promoting to the right type. 412 for (unsigned i = 0; i != NumFixed; ++i) { 413 Expr *Arg = TheCall->getArg(i+1); 414 415 // If the argument is an implicit cast, then there was a promotion due to 416 // "...", just remove it now. 417 if (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Arg)) { 418 Arg = ICE->getSubExpr(); 419 ICE->setSubExpr(0); 420 ICE->Destroy(Context); 421 TheCall->setArg(i+1, Arg); 422 } 423 424 // GCC does an implicit conversion to the pointer or integer ValType. This 425 // can fail in some cases (1i -> int**), check for this error case now. 426 CastExpr::CastKind Kind = CastExpr::CK_Unknown; 427 CXXBaseSpecifierArray BasePath; 428 if (CheckCastTypes(Arg->getSourceRange(), ValType, Arg, Kind, BasePath)) 429 return true; 430 431 // Okay, we have something that *can* be converted to the right type. Check 432 // to see if there is a potentially weird extension going on here. This can 433 // happen when you do an atomic operation on something like an char* and 434 // pass in 42. The 42 gets converted to char. This is even more strange 435 // for things like 45.123 -> char, etc. 436 // FIXME: Do this check. 437 ImpCastExprToType(Arg, ValType, Kind); 438 TheCall->setArg(i+1, Arg); 439 } 440 441 // Switch the DeclRefExpr to refer to the new decl. 442 DRE->setDecl(NewBuiltinDecl); 443 DRE->setType(NewBuiltinDecl->getType()); 444 445 // Set the callee in the CallExpr. 446 // FIXME: This leaks the original parens and implicit casts. 447 Expr *PromotedCall = DRE; 448 UsualUnaryConversions(PromotedCall); 449 TheCall->setCallee(PromotedCall); 450 451 452 // Change the result type of the call to match the result type of the decl. 453 TheCall->setType(NewBuiltinDecl->getResultType()); 454 return false; 455} 456 457 458/// CheckObjCString - Checks that the argument to the builtin 459/// CFString constructor is correct 460/// FIXME: GCC currently emits the following warning: 461/// "warning: input conversion stopped due to an input byte that does not 462/// belong to the input codeset UTF-8" 463/// Note: It might also make sense to do the UTF-16 conversion here (would 464/// simplify the backend). 465bool Sema::CheckObjCString(Expr *Arg) { 466 Arg = Arg->IgnoreParenCasts(); 467 StringLiteral *Literal = dyn_cast<StringLiteral>(Arg); 468 469 if (!Literal || Literal->isWide()) { 470 Diag(Arg->getLocStart(), diag::err_cfstring_literal_not_string_constant) 471 << Arg->getSourceRange(); 472 return true; 473 } 474 475 const char *Data = Literal->getStrData(); 476 unsigned Length = Literal->getByteLength(); 477 478 for (unsigned i = 0; i < Length; ++i) { 479 if (!Data[i]) { 480 Diag(getLocationOfStringLiteralByte(Literal, i), 481 diag::warn_cfstring_literal_contains_nul_character) 482 << Arg->getSourceRange(); 483 break; 484 } 485 } 486 487 return false; 488} 489 490/// SemaBuiltinVAStart - Check the arguments to __builtin_va_start for validity. 491/// Emit an error and return true on failure, return false on success. 492bool Sema::SemaBuiltinVAStart(CallExpr *TheCall) { 493 Expr *Fn = TheCall->getCallee(); 494 if (TheCall->getNumArgs() > 2) { 495 Diag(TheCall->getArg(2)->getLocStart(), 496 diag::err_typecheck_call_too_many_args) 497 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 498 << Fn->getSourceRange() 499 << SourceRange(TheCall->getArg(2)->getLocStart(), 500 (*(TheCall->arg_end()-1))->getLocEnd()); 501 return true; 502 } 503 504 if (TheCall->getNumArgs() < 2) { 505 return Diag(TheCall->getLocEnd(), 506 diag::err_typecheck_call_too_few_args_at_least) 507 << 0 /*function call*/ << 2 << TheCall->getNumArgs(); 508 } 509 510 // Determine whether the current function is variadic or not. 511 BlockScopeInfo *CurBlock = getCurBlock(); 512 bool isVariadic; 513 if (CurBlock) 514 isVariadic = CurBlock->isVariadic; 515 else if (FunctionDecl *FD = getCurFunctionDecl()) 516 isVariadic = FD->isVariadic(); 517 else 518 isVariadic = getCurMethodDecl()->isVariadic(); 519 520 if (!isVariadic) { 521 Diag(Fn->getLocStart(), diag::err_va_start_used_in_non_variadic_function); 522 return true; 523 } 524 525 // Verify that the second argument to the builtin is the last argument of the 526 // current function or method. 527 bool SecondArgIsLastNamedArgument = false; 528 const Expr *Arg = TheCall->getArg(1)->IgnoreParenCasts(); 529 530 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Arg)) { 531 if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(DR->getDecl())) { 532 // FIXME: This isn't correct for methods (results in bogus warning). 533 // Get the last formal in the current function. 534 const ParmVarDecl *LastArg; 535 if (CurBlock) 536 LastArg = *(CurBlock->TheDecl->param_end()-1); 537 else if (FunctionDecl *FD = getCurFunctionDecl()) 538 LastArg = *(FD->param_end()-1); 539 else 540 LastArg = *(getCurMethodDecl()->param_end()-1); 541 SecondArgIsLastNamedArgument = PV == LastArg; 542 } 543 } 544 545 if (!SecondArgIsLastNamedArgument) 546 Diag(TheCall->getArg(1)->getLocStart(), 547 diag::warn_second_parameter_of_va_start_not_last_named_argument); 548 return false; 549} 550 551/// SemaBuiltinUnorderedCompare - Handle functions like __builtin_isgreater and 552/// friends. This is declared to take (...), so we have to check everything. 553bool Sema::SemaBuiltinUnorderedCompare(CallExpr *TheCall) { 554 if (TheCall->getNumArgs() < 2) 555 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 556 << 0 << 2 << TheCall->getNumArgs()/*function call*/; 557 if (TheCall->getNumArgs() > 2) 558 return Diag(TheCall->getArg(2)->getLocStart(), 559 diag::err_typecheck_call_too_many_args) 560 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 561 << SourceRange(TheCall->getArg(2)->getLocStart(), 562 (*(TheCall->arg_end()-1))->getLocEnd()); 563 564 Expr *OrigArg0 = TheCall->getArg(0); 565 Expr *OrigArg1 = TheCall->getArg(1); 566 567 // Do standard promotions between the two arguments, returning their common 568 // type. 569 QualType Res = UsualArithmeticConversions(OrigArg0, OrigArg1, false); 570 571 // Make sure any conversions are pushed back into the call; this is 572 // type safe since unordered compare builtins are declared as "_Bool 573 // foo(...)". 574 TheCall->setArg(0, OrigArg0); 575 TheCall->setArg(1, OrigArg1); 576 577 if (OrigArg0->isTypeDependent() || OrigArg1->isTypeDependent()) 578 return false; 579 580 // If the common type isn't a real floating type, then the arguments were 581 // invalid for this operation. 582 if (!Res->isRealFloatingType()) 583 return Diag(OrigArg0->getLocStart(), 584 diag::err_typecheck_call_invalid_ordered_compare) 585 << OrigArg0->getType() << OrigArg1->getType() 586 << SourceRange(OrigArg0->getLocStart(), OrigArg1->getLocEnd()); 587 588 return false; 589} 590 591/// SemaBuiltinSemaBuiltinFPClassification - Handle functions like 592/// __builtin_isnan and friends. This is declared to take (...), so we have 593/// to check everything. We expect the last argument to be a floating point 594/// value. 595bool Sema::SemaBuiltinFPClassification(CallExpr *TheCall, unsigned NumArgs) { 596 if (TheCall->getNumArgs() < NumArgs) 597 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 598 << 0 << NumArgs << TheCall->getNumArgs()/*function call*/; 599 if (TheCall->getNumArgs() > NumArgs) 600 return Diag(TheCall->getArg(NumArgs)->getLocStart(), 601 diag::err_typecheck_call_too_many_args) 602 << 0 /*function call*/ << NumArgs << TheCall->getNumArgs() 603 << SourceRange(TheCall->getArg(NumArgs)->getLocStart(), 604 (*(TheCall->arg_end()-1))->getLocEnd()); 605 606 Expr *OrigArg = TheCall->getArg(NumArgs-1); 607 608 if (OrigArg->isTypeDependent()) 609 return false; 610 611 // This operation requires a non-_Complex floating-point number. 612 if (!OrigArg->getType()->isRealFloatingType()) 613 return Diag(OrigArg->getLocStart(), 614 diag::err_typecheck_call_invalid_unary_fp) 615 << OrigArg->getType() << OrigArg->getSourceRange(); 616 617 // If this is an implicit conversion from float -> double, remove it. 618 if (ImplicitCastExpr *Cast = dyn_cast<ImplicitCastExpr>(OrigArg)) { 619 Expr *CastArg = Cast->getSubExpr(); 620 if (CastArg->getType()->isSpecificBuiltinType(BuiltinType::Float)) { 621 assert(Cast->getType()->isSpecificBuiltinType(BuiltinType::Double) && 622 "promotion from float to double is the only expected cast here"); 623 Cast->setSubExpr(0); 624 Cast->Destroy(Context); 625 TheCall->setArg(NumArgs-1, CastArg); 626 OrigArg = CastArg; 627 } 628 } 629 630 return false; 631} 632 633/// SemaBuiltinShuffleVector - Handle __builtin_shufflevector. 634// This is declared to take (...), so we have to check everything. 635Action::OwningExprResult Sema::SemaBuiltinShuffleVector(CallExpr *TheCall) { 636 if (TheCall->getNumArgs() < 3) 637 return ExprError(Diag(TheCall->getLocEnd(), 638 diag::err_typecheck_call_too_few_args_at_least) 639 << 0 /*function call*/ << 3 << TheCall->getNumArgs() 640 << TheCall->getSourceRange()); 641 642 unsigned numElements = std::numeric_limits<unsigned>::max(); 643 if (!TheCall->getArg(0)->isTypeDependent() && 644 !TheCall->getArg(1)->isTypeDependent()) { 645 QualType FAType = TheCall->getArg(0)->getType(); 646 QualType SAType = TheCall->getArg(1)->getType(); 647 648 if (!FAType->isVectorType() || !SAType->isVectorType()) { 649 Diag(TheCall->getLocStart(), diag::err_shufflevector_non_vector) 650 << SourceRange(TheCall->getArg(0)->getLocStart(), 651 TheCall->getArg(1)->getLocEnd()); 652 return ExprError(); 653 } 654 655 if (!Context.hasSameUnqualifiedType(FAType, SAType)) { 656 Diag(TheCall->getLocStart(), diag::err_shufflevector_incompatible_vector) 657 << SourceRange(TheCall->getArg(0)->getLocStart(), 658 TheCall->getArg(1)->getLocEnd()); 659 return ExprError(); 660 } 661 662 numElements = FAType->getAs<VectorType>()->getNumElements(); 663 if (TheCall->getNumArgs() != numElements+2) { 664 if (TheCall->getNumArgs() < numElements+2) 665 return ExprError(Diag(TheCall->getLocEnd(), 666 diag::err_typecheck_call_too_few_args) 667 << 0 /*function call*/ 668 << numElements+2 << TheCall->getNumArgs() 669 << TheCall->getSourceRange()); 670 return ExprError(Diag(TheCall->getLocEnd(), 671 diag::err_typecheck_call_too_many_args) 672 << 0 /*function call*/ 673 << numElements+2 << TheCall->getNumArgs() 674 << TheCall->getSourceRange()); 675 } 676 } 677 678 for (unsigned i = 2; i < TheCall->getNumArgs(); i++) { 679 if (TheCall->getArg(i)->isTypeDependent() || 680 TheCall->getArg(i)->isValueDependent()) 681 continue; 682 683 llvm::APSInt Result; 684 if (SemaBuiltinConstantArg(TheCall, i, Result)) 685 return ExprError(); 686 687 if (Result.getActiveBits() > 64 || Result.getZExtValue() >= numElements*2) 688 return ExprError(Diag(TheCall->getLocStart(), 689 diag::err_shufflevector_argument_too_large) 690 << TheCall->getArg(i)->getSourceRange()); 691 } 692 693 llvm::SmallVector<Expr*, 32> exprs; 694 695 for (unsigned i = 0, e = TheCall->getNumArgs(); i != e; i++) { 696 exprs.push_back(TheCall->getArg(i)); 697 TheCall->setArg(i, 0); 698 } 699 700 return Owned(new (Context) ShuffleVectorExpr(Context, exprs.begin(), 701 exprs.size(), exprs[0]->getType(), 702 TheCall->getCallee()->getLocStart(), 703 TheCall->getRParenLoc())); 704} 705 706/// SemaBuiltinPrefetch - Handle __builtin_prefetch. 707// This is declared to take (const void*, ...) and can take two 708// optional constant int args. 709bool Sema::SemaBuiltinPrefetch(CallExpr *TheCall) { 710 unsigned NumArgs = TheCall->getNumArgs(); 711 712 if (NumArgs > 3) 713 return Diag(TheCall->getLocEnd(), 714 diag::err_typecheck_call_too_many_args_at_most) 715 << 0 /*function call*/ << 3 << NumArgs 716 << TheCall->getSourceRange(); 717 718 // Argument 0 is checked for us and the remaining arguments must be 719 // constant integers. 720 for (unsigned i = 1; i != NumArgs; ++i) { 721 Expr *Arg = TheCall->getArg(i); 722 723 llvm::APSInt Result; 724 if (SemaBuiltinConstantArg(TheCall, i, Result)) 725 return true; 726 727 // FIXME: gcc issues a warning and rewrites these to 0. These 728 // seems especially odd for the third argument since the default 729 // is 3. 730 if (i == 1) { 731 if (Result.getLimitedValue() > 1) 732 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 733 << "0" << "1" << Arg->getSourceRange(); 734 } else { 735 if (Result.getLimitedValue() > 3) 736 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 737 << "0" << "3" << Arg->getSourceRange(); 738 } 739 } 740 741 return false; 742} 743 744/// SemaBuiltinConstantArg - Handle a check if argument ArgNum of CallExpr 745/// TheCall is a constant expression. 746bool Sema::SemaBuiltinConstantArg(CallExpr *TheCall, int ArgNum, 747 llvm::APSInt &Result) { 748 Expr *Arg = TheCall->getArg(ArgNum); 749 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 750 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 751 752 if (Arg->isTypeDependent() || Arg->isValueDependent()) return false; 753 754 if (!Arg->isIntegerConstantExpr(Result, Context)) 755 return Diag(TheCall->getLocStart(), diag::err_constant_integer_arg_type) 756 << FDecl->getDeclName() << Arg->getSourceRange(); 757 758 return false; 759} 760 761/// SemaBuiltinObjectSize - Handle __builtin_object_size(void *ptr, 762/// int type). This simply type checks that type is one of the defined 763/// constants (0-3). 764// For compatability check 0-3, llvm only handles 0 and 2. 765bool Sema::SemaBuiltinObjectSize(CallExpr *TheCall) { 766 llvm::APSInt Result; 767 768 // Check constant-ness first. 769 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 770 return true; 771 772 Expr *Arg = TheCall->getArg(1); 773 if (Result.getSExtValue() < 0 || Result.getSExtValue() > 3) { 774 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 775 << "0" << "3" << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 776 } 777 778 return false; 779} 780 781/// SemaBuiltinLongjmp - Handle __builtin_longjmp(void *env[5], int val). 782/// This checks that val is a constant 1. 783bool Sema::SemaBuiltinLongjmp(CallExpr *TheCall) { 784 Expr *Arg = TheCall->getArg(1); 785 llvm::APSInt Result; 786 787 // TODO: This is less than ideal. Overload this to take a value. 788 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 789 return true; 790 791 if (Result != 1) 792 return Diag(TheCall->getLocStart(), diag::err_builtin_longjmp_invalid_val) 793 << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 794 795 return false; 796} 797 798// Handle i > 1 ? "x" : "y", recursivelly 799bool Sema::SemaCheckStringLiteral(const Expr *E, const CallExpr *TheCall, 800 bool HasVAListArg, 801 unsigned format_idx, unsigned firstDataArg) { 802 if (E->isTypeDependent() || E->isValueDependent()) 803 return false; 804 805 switch (E->getStmtClass()) { 806 case Stmt::ConditionalOperatorClass: { 807 const ConditionalOperator *C = cast<ConditionalOperator>(E); 808 return SemaCheckStringLiteral(C->getTrueExpr(), TheCall, 809 HasVAListArg, format_idx, firstDataArg) 810 && SemaCheckStringLiteral(C->getRHS(), TheCall, 811 HasVAListArg, format_idx, firstDataArg); 812 } 813 814 case Stmt::ImplicitCastExprClass: { 815 const ImplicitCastExpr *Expr = cast<ImplicitCastExpr>(E); 816 return SemaCheckStringLiteral(Expr->getSubExpr(), TheCall, HasVAListArg, 817 format_idx, firstDataArg); 818 } 819 820 case Stmt::ParenExprClass: { 821 const ParenExpr *Expr = cast<ParenExpr>(E); 822 return SemaCheckStringLiteral(Expr->getSubExpr(), TheCall, HasVAListArg, 823 format_idx, firstDataArg); 824 } 825 826 case Stmt::DeclRefExprClass: { 827 const DeclRefExpr *DR = cast<DeclRefExpr>(E); 828 829 // As an exception, do not flag errors for variables binding to 830 // const string literals. 831 if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) { 832 bool isConstant = false; 833 QualType T = DR->getType(); 834 835 if (const ArrayType *AT = Context.getAsArrayType(T)) { 836 isConstant = AT->getElementType().isConstant(Context); 837 } else if (const PointerType *PT = T->getAs<PointerType>()) { 838 isConstant = T.isConstant(Context) && 839 PT->getPointeeType().isConstant(Context); 840 } 841 842 if (isConstant) { 843 if (const Expr *Init = VD->getAnyInitializer()) 844 return SemaCheckStringLiteral(Init, TheCall, 845 HasVAListArg, format_idx, firstDataArg); 846 } 847 848 // For vprintf* functions (i.e., HasVAListArg==true), we add a 849 // special check to see if the format string is a function parameter 850 // of the function calling the printf function. If the function 851 // has an attribute indicating it is a printf-like function, then we 852 // should suppress warnings concerning non-literals being used in a call 853 // to a vprintf function. For example: 854 // 855 // void 856 // logmessage(char const *fmt __attribute__ (format (printf, 1, 2)), ...){ 857 // va_list ap; 858 // va_start(ap, fmt); 859 // vprintf(fmt, ap); // Do NOT emit a warning about "fmt". 860 // ... 861 // 862 // 863 // FIXME: We don't have full attribute support yet, so just check to see 864 // if the argument is a DeclRefExpr that references a parameter. We'll 865 // add proper support for checking the attribute later. 866 if (HasVAListArg) 867 if (isa<ParmVarDecl>(VD)) 868 return true; 869 } 870 871 return false; 872 } 873 874 case Stmt::CallExprClass: { 875 const CallExpr *CE = cast<CallExpr>(E); 876 if (const ImplicitCastExpr *ICE 877 = dyn_cast<ImplicitCastExpr>(CE->getCallee())) { 878 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(ICE->getSubExpr())) { 879 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(DRE->getDecl())) { 880 if (const FormatArgAttr *FA = FD->getAttr<FormatArgAttr>()) { 881 unsigned ArgIndex = FA->getFormatIdx(); 882 const Expr *Arg = CE->getArg(ArgIndex - 1); 883 884 return SemaCheckStringLiteral(Arg, TheCall, HasVAListArg, 885 format_idx, firstDataArg); 886 } 887 } 888 } 889 } 890 891 return false; 892 } 893 case Stmt::ObjCStringLiteralClass: 894 case Stmt::StringLiteralClass: { 895 const StringLiteral *StrE = NULL; 896 897 if (const ObjCStringLiteral *ObjCFExpr = dyn_cast<ObjCStringLiteral>(E)) 898 StrE = ObjCFExpr->getString(); 899 else 900 StrE = cast<StringLiteral>(E); 901 902 if (StrE) { 903 CheckPrintfString(StrE, E, TheCall, HasVAListArg, format_idx, 904 firstDataArg); 905 return true; 906 } 907 908 return false; 909 } 910 911 default: 912 return false; 913 } 914} 915 916void 917Sema::CheckNonNullArguments(const NonNullAttr *NonNull, 918 const CallExpr *TheCall) { 919 for (NonNullAttr::iterator i = NonNull->begin(), e = NonNull->end(); 920 i != e; ++i) { 921 const Expr *ArgExpr = TheCall->getArg(*i); 922 if (ArgExpr->isNullPointerConstant(Context, 923 Expr::NPC_ValueDependentIsNotNull)) 924 Diag(TheCall->getCallee()->getLocStart(), diag::warn_null_arg) 925 << ArgExpr->getSourceRange(); 926 } 927} 928 929/// CheckPrintfArguments - Check calls to printf (and similar functions) for 930/// correct use of format strings. 931/// 932/// HasVAListArg - A predicate indicating whether the printf-like 933/// function is passed an explicit va_arg argument (e.g., vprintf) 934/// 935/// format_idx - The index into Args for the format string. 936/// 937/// Improper format strings to functions in the printf family can be 938/// the source of bizarre bugs and very serious security holes. A 939/// good source of information is available in the following paper 940/// (which includes additional references): 941/// 942/// FormatGuard: Automatic Protection From printf Format String 943/// Vulnerabilities, Proceedings of the 10th USENIX Security Symposium, 2001. 944/// 945/// TODO: 946/// Functionality implemented: 947/// 948/// We can statically check the following properties for string 949/// literal format strings for non v.*printf functions (where the 950/// arguments are passed directly): 951// 952/// (1) Are the number of format conversions equal to the number of 953/// data arguments? 954/// 955/// (2) Does each format conversion correctly match the type of the 956/// corresponding data argument? 957/// 958/// Moreover, for all printf functions we can: 959/// 960/// (3) Check for a missing format string (when not caught by type checking). 961/// 962/// (4) Check for no-operation flags; e.g. using "#" with format 963/// conversion 'c' (TODO) 964/// 965/// (5) Check the use of '%n', a major source of security holes. 966/// 967/// (6) Check for malformed format conversions that don't specify anything. 968/// 969/// (7) Check for empty format strings. e.g: printf(""); 970/// 971/// (8) Check that the format string is a wide literal. 972/// 973/// All of these checks can be done by parsing the format string. 974/// 975void 976Sema::CheckPrintfArguments(const CallExpr *TheCall, bool HasVAListArg, 977 unsigned format_idx, unsigned firstDataArg) { 978 const Expr *Fn = TheCall->getCallee(); 979 980 // The way the format attribute works in GCC, the implicit this argument 981 // of member functions is counted. However, it doesn't appear in our own 982 // lists, so decrement format_idx in that case. 983 if (isa<CXXMemberCallExpr>(TheCall)) { 984 // Catch a format attribute mistakenly referring to the object argument. 985 if (format_idx == 0) 986 return; 987 --format_idx; 988 if(firstDataArg != 0) 989 --firstDataArg; 990 } 991 992 // CHECK: printf-like function is called with no format string. 993 if (format_idx >= TheCall->getNumArgs()) { 994 Diag(TheCall->getRParenLoc(), diag::warn_printf_missing_format_string) 995 << Fn->getSourceRange(); 996 return; 997 } 998 999 const Expr *OrigFormatExpr = TheCall->getArg(format_idx)->IgnoreParenCasts(); 1000 1001 // CHECK: format string is not a string literal. 1002 // 1003 // Dynamically generated format strings are difficult to 1004 // automatically vet at compile time. Requiring that format strings 1005 // are string literals: (1) permits the checking of format strings by 1006 // the compiler and thereby (2) can practically remove the source of 1007 // many format string exploits. 1008 1009 // Format string can be either ObjC string (e.g. @"%d") or 1010 // C string (e.g. "%d") 1011 // ObjC string uses the same format specifiers as C string, so we can use 1012 // the same format string checking logic for both ObjC and C strings. 1013 if (SemaCheckStringLiteral(OrigFormatExpr, TheCall, HasVAListArg, format_idx, 1014 firstDataArg)) 1015 return; // Literal format string found, check done! 1016 1017 // If there are no arguments specified, warn with -Wformat-security, otherwise 1018 // warn only with -Wformat-nonliteral. 1019 if (TheCall->getNumArgs() == format_idx+1) 1020 Diag(TheCall->getArg(format_idx)->getLocStart(), 1021 diag::warn_printf_nonliteral_noargs) 1022 << OrigFormatExpr->getSourceRange(); 1023 else 1024 Diag(TheCall->getArg(format_idx)->getLocStart(), 1025 diag::warn_printf_nonliteral) 1026 << OrigFormatExpr->getSourceRange(); 1027} 1028 1029namespace { 1030class CheckPrintfHandler : public analyze_printf::FormatStringHandler { 1031 Sema &S; 1032 const StringLiteral *FExpr; 1033 const Expr *OrigFormatExpr; 1034 const unsigned FirstDataArg; 1035 const unsigned NumDataArgs; 1036 const bool IsObjCLiteral; 1037 const char *Beg; // Start of format string. 1038 const bool HasVAListArg; 1039 const CallExpr *TheCall; 1040 unsigned FormatIdx; 1041 llvm::BitVector CoveredArgs; 1042 bool usesPositionalArgs; 1043 bool atFirstArg; 1044public: 1045 CheckPrintfHandler(Sema &s, const StringLiteral *fexpr, 1046 const Expr *origFormatExpr, unsigned firstDataArg, 1047 unsigned numDataArgs, bool isObjCLiteral, 1048 const char *beg, bool hasVAListArg, 1049 const CallExpr *theCall, unsigned formatIdx) 1050 : S(s), FExpr(fexpr), OrigFormatExpr(origFormatExpr), 1051 FirstDataArg(firstDataArg), 1052 NumDataArgs(numDataArgs), 1053 IsObjCLiteral(isObjCLiteral), Beg(beg), 1054 HasVAListArg(hasVAListArg), 1055 TheCall(theCall), FormatIdx(formatIdx), 1056 usesPositionalArgs(false), atFirstArg(true) { 1057 CoveredArgs.resize(numDataArgs); 1058 CoveredArgs.reset(); 1059 } 1060 1061 void DoneProcessing(); 1062 1063 void HandleIncompleteFormatSpecifier(const char *startSpecifier, 1064 unsigned specifierLen); 1065 1066 bool 1067 HandleInvalidConversionSpecifier(const analyze_printf::FormatSpecifier &FS, 1068 const char *startSpecifier, 1069 unsigned specifierLen); 1070 1071 virtual void HandleInvalidPosition(const char *startSpecifier, 1072 unsigned specifierLen, 1073 analyze_printf::PositionContext p); 1074 1075 virtual void HandleZeroPosition(const char *startPos, unsigned posLen); 1076 1077 void HandleNullChar(const char *nullCharacter); 1078 1079 bool HandleFormatSpecifier(const analyze_printf::FormatSpecifier &FS, 1080 const char *startSpecifier, 1081 unsigned specifierLen); 1082private: 1083 SourceRange getFormatStringRange(); 1084 SourceRange getFormatSpecifierRange(const char *startSpecifier, 1085 unsigned specifierLen); 1086 SourceLocation getLocationOfByte(const char *x); 1087 1088 bool HandleAmount(const analyze_printf::OptionalAmount &Amt, unsigned k, 1089 const char *startSpecifier, unsigned specifierLen); 1090 void HandleFlags(const analyze_printf::FormatSpecifier &FS, 1091 llvm::StringRef flag, llvm::StringRef cspec, 1092 const char *startSpecifier, unsigned specifierLen); 1093 1094 const Expr *getDataArg(unsigned i) const; 1095}; 1096} 1097 1098SourceRange CheckPrintfHandler::getFormatStringRange() { 1099 return OrigFormatExpr->getSourceRange(); 1100} 1101 1102SourceRange CheckPrintfHandler:: 1103getFormatSpecifierRange(const char *startSpecifier, unsigned specifierLen) { 1104 return SourceRange(getLocationOfByte(startSpecifier), 1105 getLocationOfByte(startSpecifier+specifierLen-1)); 1106} 1107 1108SourceLocation CheckPrintfHandler::getLocationOfByte(const char *x) { 1109 return S.getLocationOfStringLiteralByte(FExpr, x - Beg); 1110} 1111 1112void CheckPrintfHandler:: 1113HandleIncompleteFormatSpecifier(const char *startSpecifier, 1114 unsigned specifierLen) { 1115 SourceLocation Loc = getLocationOfByte(startSpecifier); 1116 S.Diag(Loc, diag::warn_printf_incomplete_specifier) 1117 << getFormatSpecifierRange(startSpecifier, specifierLen); 1118} 1119 1120void 1121CheckPrintfHandler::HandleInvalidPosition(const char *startPos, unsigned posLen, 1122 analyze_printf::PositionContext p) { 1123 SourceLocation Loc = getLocationOfByte(startPos); 1124 S.Diag(Loc, diag::warn_printf_invalid_positional_specifier) 1125 << (unsigned) p << getFormatSpecifierRange(startPos, posLen); 1126} 1127 1128void CheckPrintfHandler::HandleZeroPosition(const char *startPos, 1129 unsigned posLen) { 1130 SourceLocation Loc = getLocationOfByte(startPos); 1131 S.Diag(Loc, diag::warn_printf_zero_positional_specifier) 1132 << getFormatSpecifierRange(startPos, posLen); 1133} 1134 1135bool CheckPrintfHandler:: 1136HandleInvalidConversionSpecifier(const analyze_printf::FormatSpecifier &FS, 1137 const char *startSpecifier, 1138 unsigned specifierLen) { 1139 1140 unsigned argIndex = FS.getArgIndex(); 1141 bool keepGoing = true; 1142 if (argIndex < NumDataArgs) { 1143 // Consider the argument coverered, even though the specifier doesn't 1144 // make sense. 1145 CoveredArgs.set(argIndex); 1146 } 1147 else { 1148 // If argIndex exceeds the number of data arguments we 1149 // don't issue a warning because that is just a cascade of warnings (and 1150 // they may have intended '%%' anyway). We don't want to continue processing 1151 // the format string after this point, however, as we will like just get 1152 // gibberish when trying to match arguments. 1153 keepGoing = false; 1154 } 1155 1156 const analyze_printf::ConversionSpecifier &CS = 1157 FS.getConversionSpecifier(); 1158 SourceLocation Loc = getLocationOfByte(CS.getStart()); 1159 S.Diag(Loc, diag::warn_printf_invalid_conversion) 1160 << llvm::StringRef(CS.getStart(), CS.getLength()) 1161 << getFormatSpecifierRange(startSpecifier, specifierLen); 1162 1163 return keepGoing; 1164} 1165 1166void CheckPrintfHandler::HandleNullChar(const char *nullCharacter) { 1167 // The presence of a null character is likely an error. 1168 S.Diag(getLocationOfByte(nullCharacter), 1169 diag::warn_printf_format_string_contains_null_char) 1170 << getFormatStringRange(); 1171} 1172 1173const Expr *CheckPrintfHandler::getDataArg(unsigned i) const { 1174 return TheCall->getArg(FirstDataArg + i); 1175} 1176 1177void CheckPrintfHandler::HandleFlags(const analyze_printf::FormatSpecifier &FS, 1178 llvm::StringRef flag, 1179 llvm::StringRef cspec, 1180 const char *startSpecifier, 1181 unsigned specifierLen) { 1182 const analyze_printf::ConversionSpecifier &CS = FS.getConversionSpecifier(); 1183 S.Diag(getLocationOfByte(CS.getStart()), diag::warn_printf_nonsensical_flag) 1184 << flag << cspec << getFormatSpecifierRange(startSpecifier, specifierLen); 1185} 1186 1187bool 1188CheckPrintfHandler::HandleAmount(const analyze_printf::OptionalAmount &Amt, 1189 unsigned k, const char *startSpecifier, 1190 unsigned specifierLen) { 1191 1192 if (Amt.hasDataArgument()) { 1193 if (!HasVAListArg) { 1194 unsigned argIndex = Amt.getArgIndex(); 1195 if (argIndex >= NumDataArgs) { 1196 S.Diag(getLocationOfByte(Amt.getStart()), 1197 diag::warn_printf_asterisk_missing_arg) 1198 << k << getFormatSpecifierRange(startSpecifier, specifierLen); 1199 // Don't do any more checking. We will just emit 1200 // spurious errors. 1201 return false; 1202 } 1203 1204 // Type check the data argument. It should be an 'int'. 1205 // Although not in conformance with C99, we also allow the argument to be 1206 // an 'unsigned int' as that is a reasonably safe case. GCC also 1207 // doesn't emit a warning for that case. 1208 CoveredArgs.set(argIndex); 1209 const Expr *Arg = getDataArg(argIndex); 1210 QualType T = Arg->getType(); 1211 1212 const analyze_printf::ArgTypeResult &ATR = Amt.getArgType(S.Context); 1213 assert(ATR.isValid()); 1214 1215 if (!ATR.matchesType(S.Context, T)) { 1216 S.Diag(getLocationOfByte(Amt.getStart()), 1217 diag::warn_printf_asterisk_wrong_type) 1218 << k 1219 << ATR.getRepresentativeType(S.Context) << T 1220 << getFormatSpecifierRange(startSpecifier, specifierLen) 1221 << Arg->getSourceRange(); 1222 // Don't do any more checking. We will just emit 1223 // spurious errors. 1224 return false; 1225 } 1226 } 1227 } 1228 return true; 1229} 1230 1231bool 1232CheckPrintfHandler::HandleFormatSpecifier(const analyze_printf::FormatSpecifier 1233 &FS, 1234 const char *startSpecifier, 1235 unsigned specifierLen) { 1236 1237 using namespace analyze_printf; 1238 const ConversionSpecifier &CS = FS.getConversionSpecifier(); 1239 1240 if (atFirstArg) { 1241 atFirstArg = false; 1242 usesPositionalArgs = FS.usesPositionalArg(); 1243 } 1244 else if (usesPositionalArgs != FS.usesPositionalArg()) { 1245 // Cannot mix-and-match positional and non-positional arguments. 1246 S.Diag(getLocationOfByte(CS.getStart()), 1247 diag::warn_printf_mix_positional_nonpositional_args) 1248 << getFormatSpecifierRange(startSpecifier, specifierLen); 1249 return false; 1250 } 1251 1252 // First check if the field width, precision, and conversion specifier 1253 // have matching data arguments. 1254 if (!HandleAmount(FS.getFieldWidth(), /* field width */ 0, 1255 startSpecifier, specifierLen)) { 1256 return false; 1257 } 1258 1259 if (!HandleAmount(FS.getPrecision(), /* precision */ 1, 1260 startSpecifier, specifierLen)) { 1261 return false; 1262 } 1263 1264 if (!CS.consumesDataArgument()) { 1265 // FIXME: Technically specifying a precision or field width here 1266 // makes no sense. Worth issuing a warning at some point. 1267 return true; 1268 } 1269 1270 // Consume the argument. 1271 unsigned argIndex = FS.getArgIndex(); 1272 if (argIndex < NumDataArgs) { 1273 // The check to see if the argIndex is valid will come later. 1274 // We set the bit here because we may exit early from this 1275 // function if we encounter some other error. 1276 CoveredArgs.set(argIndex); 1277 } 1278 1279 // Check for using an Objective-C specific conversion specifier 1280 // in a non-ObjC literal. 1281 if (!IsObjCLiteral && CS.isObjCArg()) { 1282 return HandleInvalidConversionSpecifier(FS, startSpecifier, specifierLen); 1283 } 1284 1285 // Are we using '%n'? Issue a warning about this being 1286 // a possible security issue. 1287 if (CS.getKind() == ConversionSpecifier::OutIntPtrArg) { 1288 S.Diag(getLocationOfByte(CS.getStart()), diag::warn_printf_write_back) 1289 << getFormatSpecifierRange(startSpecifier, specifierLen); 1290 // Continue checking the other format specifiers. 1291 return true; 1292 } 1293 1294 if (CS.getKind() == ConversionSpecifier::VoidPtrArg) { 1295 if (FS.getPrecision().getHowSpecified() != OptionalAmount::NotSpecified) 1296 S.Diag(getLocationOfByte(CS.getStart()), 1297 diag::warn_printf_nonsensical_precision) 1298 << CS.getCharacters() 1299 << getFormatSpecifierRange(startSpecifier, specifierLen); 1300 } 1301 if (CS.getKind() == ConversionSpecifier::VoidPtrArg || 1302 CS.getKind() == ConversionSpecifier::CStrArg) { 1303 // FIXME: Instead of using "0", "+", etc., eventually get them from 1304 // the FormatSpecifier. 1305 if (FS.hasLeadingZeros()) 1306 HandleFlags(FS, "0", CS.getCharacters(), startSpecifier, specifierLen); 1307 if (FS.hasPlusPrefix()) 1308 HandleFlags(FS, "+", CS.getCharacters(), startSpecifier, specifierLen); 1309 if (FS.hasSpacePrefix()) 1310 HandleFlags(FS, " ", CS.getCharacters(), startSpecifier, specifierLen); 1311 } 1312 1313 // The remaining checks depend on the data arguments. 1314 if (HasVAListArg) 1315 return true; 1316 1317 if (argIndex >= NumDataArgs) { 1318 if (FS.usesPositionalArg()) { 1319 S.Diag(getLocationOfByte(CS.getStart()), 1320 diag::warn_printf_positional_arg_exceeds_data_args) 1321 << (argIndex+1) << NumDataArgs 1322 << getFormatSpecifierRange(startSpecifier, specifierLen); 1323 } 1324 else { 1325 S.Diag(getLocationOfByte(CS.getStart()), 1326 diag::warn_printf_insufficient_data_args) 1327 << getFormatSpecifierRange(startSpecifier, specifierLen); 1328 } 1329 1330 // Don't do any more checking. 1331 return false; 1332 } 1333 1334 // Now type check the data expression that matches the 1335 // format specifier. 1336 const Expr *Ex = getDataArg(argIndex); 1337 const analyze_printf::ArgTypeResult &ATR = FS.getArgType(S.Context); 1338 if (ATR.isValid() && !ATR.matchesType(S.Context, Ex->getType())) { 1339 // Check if we didn't match because of an implicit cast from a 'char' 1340 // or 'short' to an 'int'. This is done because printf is a varargs 1341 // function. 1342 if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Ex)) 1343 if (ICE->getType() == S.Context.IntTy) 1344 if (ATR.matchesType(S.Context, ICE->getSubExpr()->getType())) 1345 return true; 1346 1347 S.Diag(getLocationOfByte(CS.getStart()), 1348 diag::warn_printf_conversion_argument_type_mismatch) 1349 << ATR.getRepresentativeType(S.Context) << Ex->getType() 1350 << getFormatSpecifierRange(startSpecifier, specifierLen) 1351 << Ex->getSourceRange(); 1352 } 1353 1354 return true; 1355} 1356 1357void CheckPrintfHandler::DoneProcessing() { 1358 // Does the number of data arguments exceed the number of 1359 // format conversions in the format string? 1360 if (!HasVAListArg) { 1361 // Find any arguments that weren't covered. 1362 CoveredArgs.flip(); 1363 signed notCoveredArg = CoveredArgs.find_first(); 1364 if (notCoveredArg >= 0) { 1365 assert((unsigned)notCoveredArg < NumDataArgs); 1366 S.Diag(getDataArg((unsigned) notCoveredArg)->getLocStart(), 1367 diag::warn_printf_data_arg_not_used) 1368 << getFormatStringRange(); 1369 } 1370 } 1371} 1372 1373void Sema::CheckPrintfString(const StringLiteral *FExpr, 1374 const Expr *OrigFormatExpr, 1375 const CallExpr *TheCall, bool HasVAListArg, 1376 unsigned format_idx, unsigned firstDataArg) { 1377 1378 // CHECK: is the format string a wide literal? 1379 if (FExpr->isWide()) { 1380 Diag(FExpr->getLocStart(), 1381 diag::warn_printf_format_string_is_wide_literal) 1382 << OrigFormatExpr->getSourceRange(); 1383 return; 1384 } 1385 1386 // Str - The format string. NOTE: this is NOT null-terminated! 1387 const char *Str = FExpr->getStrData(); 1388 1389 // CHECK: empty format string? 1390 unsigned StrLen = FExpr->getByteLength(); 1391 1392 if (StrLen == 0) { 1393 Diag(FExpr->getLocStart(), diag::warn_printf_empty_format_string) 1394 << OrigFormatExpr->getSourceRange(); 1395 return; 1396 } 1397 1398 CheckPrintfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, 1399 TheCall->getNumArgs() - firstDataArg, 1400 isa<ObjCStringLiteral>(OrigFormatExpr), Str, 1401 HasVAListArg, TheCall, format_idx); 1402 1403 if (!analyze_printf::ParseFormatString(H, Str, Str + StrLen)) 1404 H.DoneProcessing(); 1405} 1406 1407//===--- CHECK: Return Address of Stack Variable --------------------------===// 1408 1409static DeclRefExpr* EvalVal(Expr *E); 1410static DeclRefExpr* EvalAddr(Expr* E); 1411 1412/// CheckReturnStackAddr - Check if a return statement returns the address 1413/// of a stack variable. 1414void 1415Sema::CheckReturnStackAddr(Expr *RetValExp, QualType lhsType, 1416 SourceLocation ReturnLoc) { 1417 1418 // Perform checking for returned stack addresses. 1419 if (lhsType->isPointerType() || lhsType->isBlockPointerType()) { 1420 if (DeclRefExpr *DR = EvalAddr(RetValExp)) 1421 Diag(DR->getLocStart(), diag::warn_ret_stack_addr) 1422 << DR->getDecl()->getDeclName() << RetValExp->getSourceRange(); 1423 1424 // Skip over implicit cast expressions when checking for block expressions. 1425 RetValExp = RetValExp->IgnoreParenCasts(); 1426 1427 if (BlockExpr *C = dyn_cast<BlockExpr>(RetValExp)) 1428 if (C->hasBlockDeclRefExprs()) 1429 Diag(C->getLocStart(), diag::err_ret_local_block) 1430 << C->getSourceRange(); 1431 1432 if (AddrLabelExpr *ALE = dyn_cast<AddrLabelExpr>(RetValExp)) 1433 Diag(ALE->getLocStart(), diag::warn_ret_addr_label) 1434 << ALE->getSourceRange(); 1435 1436 } else if (lhsType->isReferenceType()) { 1437 // Perform checking for stack values returned by reference. 1438 // Check for a reference to the stack 1439 if (DeclRefExpr *DR = EvalVal(RetValExp)) 1440 Diag(DR->getLocStart(), diag::warn_ret_stack_ref) 1441 << DR->getDecl()->getDeclName() << RetValExp->getSourceRange(); 1442 } 1443} 1444 1445/// EvalAddr - EvalAddr and EvalVal are mutually recursive functions that 1446/// check if the expression in a return statement evaluates to an address 1447/// to a location on the stack. The recursion is used to traverse the 1448/// AST of the return expression, with recursion backtracking when we 1449/// encounter a subexpression that (1) clearly does not lead to the address 1450/// of a stack variable or (2) is something we cannot determine leads to 1451/// the address of a stack variable based on such local checking. 1452/// 1453/// EvalAddr processes expressions that are pointers that are used as 1454/// references (and not L-values). EvalVal handles all other values. 1455/// At the base case of the recursion is a check for a DeclRefExpr* in 1456/// the refers to a stack variable. 1457/// 1458/// This implementation handles: 1459/// 1460/// * pointer-to-pointer casts 1461/// * implicit conversions from array references to pointers 1462/// * taking the address of fields 1463/// * arbitrary interplay between "&" and "*" operators 1464/// * pointer arithmetic from an address of a stack variable 1465/// * taking the address of an array element where the array is on the stack 1466static DeclRefExpr* EvalAddr(Expr *E) { 1467 // We should only be called for evaluating pointer expressions. 1468 assert((E->getType()->isAnyPointerType() || 1469 E->getType()->isBlockPointerType() || 1470 E->getType()->isObjCQualifiedIdType()) && 1471 "EvalAddr only works on pointers"); 1472 1473 // Our "symbolic interpreter" is just a dispatch off the currently 1474 // viewed AST node. We then recursively traverse the AST by calling 1475 // EvalAddr and EvalVal appropriately. 1476 switch (E->getStmtClass()) { 1477 case Stmt::ParenExprClass: 1478 // Ignore parentheses. 1479 return EvalAddr(cast<ParenExpr>(E)->getSubExpr()); 1480 1481 case Stmt::UnaryOperatorClass: { 1482 // The only unary operator that make sense to handle here 1483 // is AddrOf. All others don't make sense as pointers. 1484 UnaryOperator *U = cast<UnaryOperator>(E); 1485 1486 if (U->getOpcode() == UnaryOperator::AddrOf) 1487 return EvalVal(U->getSubExpr()); 1488 else 1489 return NULL; 1490 } 1491 1492 case Stmt::BinaryOperatorClass: { 1493 // Handle pointer arithmetic. All other binary operators are not valid 1494 // in this context. 1495 BinaryOperator *B = cast<BinaryOperator>(E); 1496 BinaryOperator::Opcode op = B->getOpcode(); 1497 1498 if (op != BinaryOperator::Add && op != BinaryOperator::Sub) 1499 return NULL; 1500 1501 Expr *Base = B->getLHS(); 1502 1503 // Determine which argument is the real pointer base. It could be 1504 // the RHS argument instead of the LHS. 1505 if (!Base->getType()->isPointerType()) Base = B->getRHS(); 1506 1507 assert (Base->getType()->isPointerType()); 1508 return EvalAddr(Base); 1509 } 1510 1511 // For conditional operators we need to see if either the LHS or RHS are 1512 // valid DeclRefExpr*s. If one of them is valid, we return it. 1513 case Stmt::ConditionalOperatorClass: { 1514 ConditionalOperator *C = cast<ConditionalOperator>(E); 1515 1516 // Handle the GNU extension for missing LHS. 1517 if (Expr *lhsExpr = C->getLHS()) 1518 if (DeclRefExpr* LHS = EvalAddr(lhsExpr)) 1519 return LHS; 1520 1521 return EvalAddr(C->getRHS()); 1522 } 1523 1524 // For casts, we need to handle conversions from arrays to 1525 // pointer values, and pointer-to-pointer conversions. 1526 case Stmt::ImplicitCastExprClass: 1527 case Stmt::CStyleCastExprClass: 1528 case Stmt::CXXFunctionalCastExprClass: { 1529 Expr* SubExpr = cast<CastExpr>(E)->getSubExpr(); 1530 QualType T = SubExpr->getType(); 1531 1532 if (SubExpr->getType()->isPointerType() || 1533 SubExpr->getType()->isBlockPointerType() || 1534 SubExpr->getType()->isObjCQualifiedIdType()) 1535 return EvalAddr(SubExpr); 1536 else if (T->isArrayType()) 1537 return EvalVal(SubExpr); 1538 else 1539 return 0; 1540 } 1541 1542 // C++ casts. For dynamic casts, static casts, and const casts, we 1543 // are always converting from a pointer-to-pointer, so we just blow 1544 // through the cast. In the case the dynamic cast doesn't fail (and 1545 // return NULL), we take the conservative route and report cases 1546 // where we return the address of a stack variable. For Reinterpre 1547 // FIXME: The comment about is wrong; we're not always converting 1548 // from pointer to pointer. I'm guessing that this code should also 1549 // handle references to objects. 1550 case Stmt::CXXStaticCastExprClass: 1551 case Stmt::CXXDynamicCastExprClass: 1552 case Stmt::CXXConstCastExprClass: 1553 case Stmt::CXXReinterpretCastExprClass: { 1554 Expr *S = cast<CXXNamedCastExpr>(E)->getSubExpr(); 1555 if (S->getType()->isPointerType() || S->getType()->isBlockPointerType()) 1556 return EvalAddr(S); 1557 else 1558 return NULL; 1559 } 1560 1561 // Everything else: we simply don't reason about them. 1562 default: 1563 return NULL; 1564 } 1565} 1566 1567 1568/// EvalVal - This function is complements EvalAddr in the mutual recursion. 1569/// See the comments for EvalAddr for more details. 1570static DeclRefExpr* EvalVal(Expr *E) { 1571 1572 // We should only be called for evaluating non-pointer expressions, or 1573 // expressions with a pointer type that are not used as references but instead 1574 // are l-values (e.g., DeclRefExpr with a pointer type). 1575 1576 // Our "symbolic interpreter" is just a dispatch off the currently 1577 // viewed AST node. We then recursively traverse the AST by calling 1578 // EvalAddr and EvalVal appropriately. 1579 switch (E->getStmtClass()) { 1580 case Stmt::DeclRefExprClass: { 1581 // DeclRefExpr: the base case. When we hit a DeclRefExpr we are looking 1582 // at code that refers to a variable's name. We check if it has local 1583 // storage within the function, and if so, return the expression. 1584 DeclRefExpr *DR = cast<DeclRefExpr>(E); 1585 1586 if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) 1587 if (V->hasLocalStorage() && !V->getType()->isReferenceType()) return DR; 1588 1589 return NULL; 1590 } 1591 1592 case Stmt::ParenExprClass: 1593 // Ignore parentheses. 1594 return EvalVal(cast<ParenExpr>(E)->getSubExpr()); 1595 1596 case Stmt::UnaryOperatorClass: { 1597 // The only unary operator that make sense to handle here 1598 // is Deref. All others don't resolve to a "name." This includes 1599 // handling all sorts of rvalues passed to a unary operator. 1600 UnaryOperator *U = cast<UnaryOperator>(E); 1601 1602 if (U->getOpcode() == UnaryOperator::Deref) 1603 return EvalAddr(U->getSubExpr()); 1604 1605 return NULL; 1606 } 1607 1608 case Stmt::ArraySubscriptExprClass: { 1609 // Array subscripts are potential references to data on the stack. We 1610 // retrieve the DeclRefExpr* for the array variable if it indeed 1611 // has local storage. 1612 return EvalAddr(cast<ArraySubscriptExpr>(E)->getBase()); 1613 } 1614 1615 case Stmt::ConditionalOperatorClass: { 1616 // For conditional operators we need to see if either the LHS or RHS are 1617 // non-NULL DeclRefExpr's. If one is non-NULL, we return it. 1618 ConditionalOperator *C = cast<ConditionalOperator>(E); 1619 1620 // Handle the GNU extension for missing LHS. 1621 if (Expr *lhsExpr = C->getLHS()) 1622 if (DeclRefExpr *LHS = EvalVal(lhsExpr)) 1623 return LHS; 1624 1625 return EvalVal(C->getRHS()); 1626 } 1627 1628 // Accesses to members are potential references to data on the stack. 1629 case Stmt::MemberExprClass: { 1630 MemberExpr *M = cast<MemberExpr>(E); 1631 1632 // Check for indirect access. We only want direct field accesses. 1633 if (!M->isArrow()) 1634 return EvalVal(M->getBase()); 1635 else 1636 return NULL; 1637 } 1638 1639 // Everything else: we simply don't reason about them. 1640 default: 1641 return NULL; 1642 } 1643} 1644 1645//===--- CHECK: Floating-Point comparisons (-Wfloat-equal) ---------------===// 1646 1647/// Check for comparisons of floating point operands using != and ==. 1648/// Issue a warning if these are no self-comparisons, as they are not likely 1649/// to do what the programmer intended. 1650void Sema::CheckFloatComparison(SourceLocation loc, Expr* lex, Expr *rex) { 1651 bool EmitWarning = true; 1652 1653 Expr* LeftExprSansParen = lex->IgnoreParens(); 1654 Expr* RightExprSansParen = rex->IgnoreParens(); 1655 1656 // Special case: check for x == x (which is OK). 1657 // Do not emit warnings for such cases. 1658 if (DeclRefExpr* DRL = dyn_cast<DeclRefExpr>(LeftExprSansParen)) 1659 if (DeclRefExpr* DRR = dyn_cast<DeclRefExpr>(RightExprSansParen)) 1660 if (DRL->getDecl() == DRR->getDecl()) 1661 EmitWarning = false; 1662 1663 1664 // Special case: check for comparisons against literals that can be exactly 1665 // represented by APFloat. In such cases, do not emit a warning. This 1666 // is a heuristic: often comparison against such literals are used to 1667 // detect if a value in a variable has not changed. This clearly can 1668 // lead to false negatives. 1669 if (EmitWarning) { 1670 if (FloatingLiteral* FLL = dyn_cast<FloatingLiteral>(LeftExprSansParen)) { 1671 if (FLL->isExact()) 1672 EmitWarning = false; 1673 } else 1674 if (FloatingLiteral* FLR = dyn_cast<FloatingLiteral>(RightExprSansParen)){ 1675 if (FLR->isExact()) 1676 EmitWarning = false; 1677 } 1678 } 1679 1680 // Check for comparisons with builtin types. 1681 if (EmitWarning) 1682 if (CallExpr* CL = dyn_cast<CallExpr>(LeftExprSansParen)) 1683 if (CL->isBuiltinCall(Context)) 1684 EmitWarning = false; 1685 1686 if (EmitWarning) 1687 if (CallExpr* CR = dyn_cast<CallExpr>(RightExprSansParen)) 1688 if (CR->isBuiltinCall(Context)) 1689 EmitWarning = false; 1690 1691 // Emit the diagnostic. 1692 if (EmitWarning) 1693 Diag(loc, diag::warn_floatingpoint_eq) 1694 << lex->getSourceRange() << rex->getSourceRange(); 1695} 1696 1697//===--- CHECK: Integer mixed-sign comparisons (-Wsign-compare) --------===// 1698//===--- CHECK: Lossy implicit conversions (-Wconversion) --------------===// 1699 1700namespace { 1701 1702/// Structure recording the 'active' range of an integer-valued 1703/// expression. 1704struct IntRange { 1705 /// The number of bits active in the int. 1706 unsigned Width; 1707 1708 /// True if the int is known not to have negative values. 1709 bool NonNegative; 1710 1711 IntRange() {} 1712 IntRange(unsigned Width, bool NonNegative) 1713 : Width(Width), NonNegative(NonNegative) 1714 {} 1715 1716 // Returns the range of the bool type. 1717 static IntRange forBoolType() { 1718 return IntRange(1, true); 1719 } 1720 1721 // Returns the range of an integral type. 1722 static IntRange forType(ASTContext &C, QualType T) { 1723 return forCanonicalType(C, T->getCanonicalTypeInternal().getTypePtr()); 1724 } 1725 1726 // Returns the range of an integeral type based on its canonical 1727 // representation. 1728 static IntRange forCanonicalType(ASTContext &C, const Type *T) { 1729 assert(T->isCanonicalUnqualified()); 1730 1731 if (const VectorType *VT = dyn_cast<VectorType>(T)) 1732 T = VT->getElementType().getTypePtr(); 1733 if (const ComplexType *CT = dyn_cast<ComplexType>(T)) 1734 T = CT->getElementType().getTypePtr(); 1735 1736 if (const EnumType *ET = dyn_cast<EnumType>(T)) { 1737 EnumDecl *Enum = ET->getDecl(); 1738 unsigned NumPositive = Enum->getNumPositiveBits(); 1739 unsigned NumNegative = Enum->getNumNegativeBits(); 1740 1741 return IntRange(std::max(NumPositive, NumNegative), NumNegative == 0); 1742 } 1743 1744 const BuiltinType *BT = cast<BuiltinType>(T); 1745 assert(BT->isInteger()); 1746 1747 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); 1748 } 1749 1750 // Returns the supremum of two ranges: i.e. their conservative merge. 1751 static IntRange join(IntRange L, IntRange R) { 1752 return IntRange(std::max(L.Width, R.Width), 1753 L.NonNegative && R.NonNegative); 1754 } 1755 1756 // Returns the infinum of two ranges: i.e. their aggressive merge. 1757 static IntRange meet(IntRange L, IntRange R) { 1758 return IntRange(std::min(L.Width, R.Width), 1759 L.NonNegative || R.NonNegative); 1760 } 1761}; 1762 1763IntRange GetValueRange(ASTContext &C, llvm::APSInt &value, unsigned MaxWidth) { 1764 if (value.isSigned() && value.isNegative()) 1765 return IntRange(value.getMinSignedBits(), false); 1766 1767 if (value.getBitWidth() > MaxWidth) 1768 value.trunc(MaxWidth); 1769 1770 // isNonNegative() just checks the sign bit without considering 1771 // signedness. 1772 return IntRange(value.getActiveBits(), true); 1773} 1774 1775IntRange GetValueRange(ASTContext &C, APValue &result, QualType Ty, 1776 unsigned MaxWidth) { 1777 if (result.isInt()) 1778 return GetValueRange(C, result.getInt(), MaxWidth); 1779 1780 if (result.isVector()) { 1781 IntRange R = GetValueRange(C, result.getVectorElt(0), Ty, MaxWidth); 1782 for (unsigned i = 1, e = result.getVectorLength(); i != e; ++i) { 1783 IntRange El = GetValueRange(C, result.getVectorElt(i), Ty, MaxWidth); 1784 R = IntRange::join(R, El); 1785 } 1786 return R; 1787 } 1788 1789 if (result.isComplexInt()) { 1790 IntRange R = GetValueRange(C, result.getComplexIntReal(), MaxWidth); 1791 IntRange I = GetValueRange(C, result.getComplexIntImag(), MaxWidth); 1792 return IntRange::join(R, I); 1793 } 1794 1795 // This can happen with lossless casts to intptr_t of "based" lvalues. 1796 // Assume it might use arbitrary bits. 1797 // FIXME: The only reason we need to pass the type in here is to get 1798 // the sign right on this one case. It would be nice if APValue 1799 // preserved this. 1800 assert(result.isLValue()); 1801 return IntRange(MaxWidth, Ty->isUnsignedIntegerType()); 1802} 1803 1804/// Pseudo-evaluate the given integer expression, estimating the 1805/// range of values it might take. 1806/// 1807/// \param MaxWidth - the width to which the value will be truncated 1808IntRange GetExprRange(ASTContext &C, Expr *E, unsigned MaxWidth) { 1809 E = E->IgnoreParens(); 1810 1811 // Try a full evaluation first. 1812 Expr::EvalResult result; 1813 if (E->Evaluate(result, C)) 1814 return GetValueRange(C, result.Val, E->getType(), MaxWidth); 1815 1816 // I think we only want to look through implicit casts here; if the 1817 // user has an explicit widening cast, we should treat the value as 1818 // being of the new, wider type. 1819 if (ImplicitCastExpr *CE = dyn_cast<ImplicitCastExpr>(E)) { 1820 if (CE->getCastKind() == CastExpr::CK_NoOp) 1821 return GetExprRange(C, CE->getSubExpr(), MaxWidth); 1822 1823 IntRange OutputTypeRange = IntRange::forType(C, CE->getType()); 1824 1825 bool isIntegerCast = (CE->getCastKind() == CastExpr::CK_IntegralCast); 1826 if (!isIntegerCast && CE->getCastKind() == CastExpr::CK_Unknown) 1827 isIntegerCast = CE->getSubExpr()->getType()->isIntegerType(); 1828 1829 // Assume that non-integer casts can span the full range of the type. 1830 if (!isIntegerCast) 1831 return OutputTypeRange; 1832 1833 IntRange SubRange 1834 = GetExprRange(C, CE->getSubExpr(), 1835 std::min(MaxWidth, OutputTypeRange.Width)); 1836 1837 // Bail out if the subexpr's range is as wide as the cast type. 1838 if (SubRange.Width >= OutputTypeRange.Width) 1839 return OutputTypeRange; 1840 1841 // Otherwise, we take the smaller width, and we're non-negative if 1842 // either the output type or the subexpr is. 1843 return IntRange(SubRange.Width, 1844 SubRange.NonNegative || OutputTypeRange.NonNegative); 1845 } 1846 1847 if (ConditionalOperator *CO = dyn_cast<ConditionalOperator>(E)) { 1848 // If we can fold the condition, just take that operand. 1849 bool CondResult; 1850 if (CO->getCond()->EvaluateAsBooleanCondition(CondResult, C)) 1851 return GetExprRange(C, CondResult ? CO->getTrueExpr() 1852 : CO->getFalseExpr(), 1853 MaxWidth); 1854 1855 // Otherwise, conservatively merge. 1856 IntRange L = GetExprRange(C, CO->getTrueExpr(), MaxWidth); 1857 IntRange R = GetExprRange(C, CO->getFalseExpr(), MaxWidth); 1858 return IntRange::join(L, R); 1859 } 1860 1861 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 1862 switch (BO->getOpcode()) { 1863 1864 // Boolean-valued operations are single-bit and positive. 1865 case BinaryOperator::LAnd: 1866 case BinaryOperator::LOr: 1867 case BinaryOperator::LT: 1868 case BinaryOperator::GT: 1869 case BinaryOperator::LE: 1870 case BinaryOperator::GE: 1871 case BinaryOperator::EQ: 1872 case BinaryOperator::NE: 1873 return IntRange::forBoolType(); 1874 1875 // The type of these compound assignments is the type of the LHS, 1876 // so the RHS is not necessarily an integer. 1877 case BinaryOperator::MulAssign: 1878 case BinaryOperator::DivAssign: 1879 case BinaryOperator::RemAssign: 1880 case BinaryOperator::AddAssign: 1881 case BinaryOperator::SubAssign: 1882 return IntRange::forType(C, E->getType()); 1883 1884 // Operations with opaque sources are black-listed. 1885 case BinaryOperator::PtrMemD: 1886 case BinaryOperator::PtrMemI: 1887 return IntRange::forType(C, E->getType()); 1888 1889 // Bitwise-and uses the *infinum* of the two source ranges. 1890 case BinaryOperator::And: 1891 case BinaryOperator::AndAssign: 1892 return IntRange::meet(GetExprRange(C, BO->getLHS(), MaxWidth), 1893 GetExprRange(C, BO->getRHS(), MaxWidth)); 1894 1895 // Left shift gets black-listed based on a judgement call. 1896 case BinaryOperator::Shl: 1897 // ...except that we want to treat '1 << (blah)' as logically 1898 // positive. It's an important idiom. 1899 if (IntegerLiteral *I 1900 = dyn_cast<IntegerLiteral>(BO->getLHS()->IgnoreParenCasts())) { 1901 if (I->getValue() == 1) { 1902 IntRange R = IntRange::forType(C, E->getType()); 1903 return IntRange(R.Width, /*NonNegative*/ true); 1904 } 1905 } 1906 // fallthrough 1907 1908 case BinaryOperator::ShlAssign: 1909 return IntRange::forType(C, E->getType()); 1910 1911 // Right shift by a constant can narrow its left argument. 1912 case BinaryOperator::Shr: 1913 case BinaryOperator::ShrAssign: { 1914 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 1915 1916 // If the shift amount is a positive constant, drop the width by 1917 // that much. 1918 llvm::APSInt shift; 1919 if (BO->getRHS()->isIntegerConstantExpr(shift, C) && 1920 shift.isNonNegative()) { 1921 unsigned zext = shift.getZExtValue(); 1922 if (zext >= L.Width) 1923 L.Width = (L.NonNegative ? 0 : 1); 1924 else 1925 L.Width -= zext; 1926 } 1927 1928 return L; 1929 } 1930 1931 // Comma acts as its right operand. 1932 case BinaryOperator::Comma: 1933 return GetExprRange(C, BO->getRHS(), MaxWidth); 1934 1935 // Black-list pointer subtractions. 1936 case BinaryOperator::Sub: 1937 if (BO->getLHS()->getType()->isPointerType()) 1938 return IntRange::forType(C, E->getType()); 1939 // fallthrough 1940 1941 default: 1942 break; 1943 } 1944 1945 // Treat every other operator as if it were closed on the 1946 // narrowest type that encompasses both operands. 1947 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 1948 IntRange R = GetExprRange(C, BO->getRHS(), MaxWidth); 1949 return IntRange::join(L, R); 1950 } 1951 1952 if (UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) { 1953 switch (UO->getOpcode()) { 1954 // Boolean-valued operations are white-listed. 1955 case UnaryOperator::LNot: 1956 return IntRange::forBoolType(); 1957 1958 // Operations with opaque sources are black-listed. 1959 case UnaryOperator::Deref: 1960 case UnaryOperator::AddrOf: // should be impossible 1961 case UnaryOperator::OffsetOf: 1962 return IntRange::forType(C, E->getType()); 1963 1964 default: 1965 return GetExprRange(C, UO->getSubExpr(), MaxWidth); 1966 } 1967 } 1968 1969 if (dyn_cast<OffsetOfExpr>(E)) { 1970 IntRange::forType(C, E->getType()); 1971 } 1972 1973 FieldDecl *BitField = E->getBitField(); 1974 if (BitField) { 1975 llvm::APSInt BitWidthAP = BitField->getBitWidth()->EvaluateAsInt(C); 1976 unsigned BitWidth = BitWidthAP.getZExtValue(); 1977 1978 return IntRange(BitWidth, BitField->getType()->isUnsignedIntegerType()); 1979 } 1980 1981 return IntRange::forType(C, E->getType()); 1982} 1983 1984IntRange GetExprRange(ASTContext &C, Expr *E) { 1985 return GetExprRange(C, E, C.getIntWidth(E->getType())); 1986} 1987 1988/// Checks whether the given value, which currently has the given 1989/// source semantics, has the same value when coerced through the 1990/// target semantics. 1991bool IsSameFloatAfterCast(const llvm::APFloat &value, 1992 const llvm::fltSemantics &Src, 1993 const llvm::fltSemantics &Tgt) { 1994 llvm::APFloat truncated = value; 1995 1996 bool ignored; 1997 truncated.convert(Src, llvm::APFloat::rmNearestTiesToEven, &ignored); 1998 truncated.convert(Tgt, llvm::APFloat::rmNearestTiesToEven, &ignored); 1999 2000 return truncated.bitwiseIsEqual(value); 2001} 2002 2003/// Checks whether the given value, which currently has the given 2004/// source semantics, has the same value when coerced through the 2005/// target semantics. 2006/// 2007/// The value might be a vector of floats (or a complex number). 2008bool IsSameFloatAfterCast(const APValue &value, 2009 const llvm::fltSemantics &Src, 2010 const llvm::fltSemantics &Tgt) { 2011 if (value.isFloat()) 2012 return IsSameFloatAfterCast(value.getFloat(), Src, Tgt); 2013 2014 if (value.isVector()) { 2015 for (unsigned i = 0, e = value.getVectorLength(); i != e; ++i) 2016 if (!IsSameFloatAfterCast(value.getVectorElt(i), Src, Tgt)) 2017 return false; 2018 return true; 2019 } 2020 2021 assert(value.isComplexFloat()); 2022 return (IsSameFloatAfterCast(value.getComplexFloatReal(), Src, Tgt) && 2023 IsSameFloatAfterCast(value.getComplexFloatImag(), Src, Tgt)); 2024} 2025 2026void AnalyzeImplicitConversions(Sema &S, Expr *E); 2027 2028bool IsZero(Sema &S, Expr *E) { 2029 llvm::APSInt Value; 2030 return E->isIntegerConstantExpr(Value, S.Context) && Value == 0; 2031} 2032 2033void CheckTrivialUnsignedComparison(Sema &S, BinaryOperator *E) { 2034 BinaryOperator::Opcode op = E->getOpcode(); 2035 if (op == BinaryOperator::LT && IsZero(S, E->getRHS())) { 2036 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 2037 << "< 0" << "false" 2038 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 2039 } else if (op == BinaryOperator::GE && IsZero(S, E->getRHS())) { 2040 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 2041 << ">= 0" << "true" 2042 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 2043 } else if (op == BinaryOperator::GT && IsZero(S, E->getLHS())) { 2044 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 2045 << "0 >" << "false" 2046 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 2047 } else if (op == BinaryOperator::LE && IsZero(S, E->getLHS())) { 2048 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 2049 << "0 <=" << "true" 2050 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 2051 } 2052} 2053 2054/// Analyze the operands of the given comparison. Implements the 2055/// fallback case from AnalyzeComparison. 2056void AnalyzeImpConvsInComparison(Sema &S, BinaryOperator *E) { 2057 AnalyzeImplicitConversions(S, E->getLHS()); 2058 AnalyzeImplicitConversions(S, E->getRHS()); 2059} 2060 2061/// \brief Implements -Wsign-compare. 2062/// 2063/// \param lex the left-hand expression 2064/// \param rex the right-hand expression 2065/// \param OpLoc the location of the joining operator 2066/// \param BinOpc binary opcode or 0 2067void AnalyzeComparison(Sema &S, BinaryOperator *E) { 2068 // The type the comparison is being performed in. 2069 QualType T = E->getLHS()->getType(); 2070 assert(S.Context.hasSameUnqualifiedType(T, E->getRHS()->getType()) 2071 && "comparison with mismatched types"); 2072 2073 // We don't do anything special if this isn't an unsigned integral 2074 // comparison: we're only interested in integral comparisons, and 2075 // signed comparisons only happen in cases we don't care to warn about. 2076 if (!T->isUnsignedIntegerType()) 2077 return AnalyzeImpConvsInComparison(S, E); 2078 2079 Expr *lex = E->getLHS()->IgnoreParenImpCasts(); 2080 Expr *rex = E->getRHS()->IgnoreParenImpCasts(); 2081 2082 // Check to see if one of the (unmodified) operands is of different 2083 // signedness. 2084 Expr *signedOperand, *unsignedOperand; 2085 if (lex->getType()->isSignedIntegerType()) { 2086 assert(!rex->getType()->isSignedIntegerType() && 2087 "unsigned comparison between two signed integer expressions?"); 2088 signedOperand = lex; 2089 unsignedOperand = rex; 2090 } else if (rex->getType()->isSignedIntegerType()) { 2091 signedOperand = rex; 2092 unsignedOperand = lex; 2093 } else { 2094 CheckTrivialUnsignedComparison(S, E); 2095 return AnalyzeImpConvsInComparison(S, E); 2096 } 2097 2098 // Otherwise, calculate the effective range of the signed operand. 2099 IntRange signedRange = GetExprRange(S.Context, signedOperand); 2100 2101 // Go ahead and analyze implicit conversions in the operands. Note 2102 // that we skip the implicit conversions on both sides. 2103 AnalyzeImplicitConversions(S, lex); 2104 AnalyzeImplicitConversions(S, rex); 2105 2106 // If the signed range is non-negative, -Wsign-compare won't fire, 2107 // but we should still check for comparisons which are always true 2108 // or false. 2109 if (signedRange.NonNegative) 2110 return CheckTrivialUnsignedComparison(S, E); 2111 2112 // For (in)equality comparisons, if the unsigned operand is a 2113 // constant which cannot collide with a overflowed signed operand, 2114 // then reinterpreting the signed operand as unsigned will not 2115 // change the result of the comparison. 2116 if (E->isEqualityOp()) { 2117 unsigned comparisonWidth = S.Context.getIntWidth(T); 2118 IntRange unsignedRange = GetExprRange(S.Context, unsignedOperand); 2119 2120 // We should never be unable to prove that the unsigned operand is 2121 // non-negative. 2122 assert(unsignedRange.NonNegative && "unsigned range includes negative?"); 2123 2124 if (unsignedRange.Width < comparisonWidth) 2125 return; 2126 } 2127 2128 S.Diag(E->getOperatorLoc(), diag::warn_mixed_sign_comparison) 2129 << lex->getType() << rex->getType() 2130 << lex->getSourceRange() << rex->getSourceRange(); 2131} 2132 2133/// Diagnose an implicit cast; purely a helper for CheckImplicitConversion. 2134void DiagnoseImpCast(Sema &S, Expr *E, QualType T, unsigned diag) { 2135 S.Diag(E->getExprLoc(), diag) << E->getType() << T << E->getSourceRange(); 2136} 2137 2138void CheckImplicitConversion(Sema &S, Expr *E, QualType T, 2139 bool *ICContext = 0) { 2140 if (E->isTypeDependent() || E->isValueDependent()) return; 2141 2142 const Type *Source = S.Context.getCanonicalType(E->getType()).getTypePtr(); 2143 const Type *Target = S.Context.getCanonicalType(T).getTypePtr(); 2144 if (Source == Target) return; 2145 if (Target->isDependentType()) return; 2146 2147 // Never diagnose implicit casts to bool. 2148 if (Target->isSpecificBuiltinType(BuiltinType::Bool)) 2149 return; 2150 2151 // Strip vector types. 2152 if (isa<VectorType>(Source)) { 2153 if (!isa<VectorType>(Target)) 2154 return DiagnoseImpCast(S, E, T, diag::warn_impcast_vector_scalar); 2155 2156 Source = cast<VectorType>(Source)->getElementType().getTypePtr(); 2157 Target = cast<VectorType>(Target)->getElementType().getTypePtr(); 2158 } 2159 2160 // Strip complex types. 2161 if (isa<ComplexType>(Source)) { 2162 if (!isa<ComplexType>(Target)) 2163 return DiagnoseImpCast(S, E, T, diag::warn_impcast_complex_scalar); 2164 2165 Source = cast<ComplexType>(Source)->getElementType().getTypePtr(); 2166 Target = cast<ComplexType>(Target)->getElementType().getTypePtr(); 2167 } 2168 2169 const BuiltinType *SourceBT = dyn_cast<BuiltinType>(Source); 2170 const BuiltinType *TargetBT = dyn_cast<BuiltinType>(Target); 2171 2172 // If the source is floating point... 2173 if (SourceBT && SourceBT->isFloatingPoint()) { 2174 // ...and the target is floating point... 2175 if (TargetBT && TargetBT->isFloatingPoint()) { 2176 // ...then warn if we're dropping FP rank. 2177 2178 // Builtin FP kinds are ordered by increasing FP rank. 2179 if (SourceBT->getKind() > TargetBT->getKind()) { 2180 // Don't warn about float constants that are precisely 2181 // representable in the target type. 2182 Expr::EvalResult result; 2183 if (E->Evaluate(result, S.Context)) { 2184 // Value might be a float, a float vector, or a float complex. 2185 if (IsSameFloatAfterCast(result.Val, 2186 S.Context.getFloatTypeSemantics(QualType(TargetBT, 0)), 2187 S.Context.getFloatTypeSemantics(QualType(SourceBT, 0)))) 2188 return; 2189 } 2190 2191 DiagnoseImpCast(S, E, T, diag::warn_impcast_float_precision); 2192 } 2193 return; 2194 } 2195 2196 // If the target is integral, always warn. 2197 if ((TargetBT && TargetBT->isInteger())) 2198 // TODO: don't warn for integer values? 2199 DiagnoseImpCast(S, E, T, diag::warn_impcast_float_integer); 2200 2201 return; 2202 } 2203 2204 if (!Source->isIntegerType() || !Target->isIntegerType()) 2205 return; 2206 2207 IntRange SourceRange = GetExprRange(S.Context, E); 2208 IntRange TargetRange = IntRange::forCanonicalType(S.Context, Target); 2209 2210 if (SourceRange.Width > TargetRange.Width) { 2211 // People want to build with -Wshorten-64-to-32 and not -Wconversion 2212 // and by god we'll let them. 2213 if (SourceRange.Width == 64 && TargetRange.Width == 32) 2214 return DiagnoseImpCast(S, E, T, diag::warn_impcast_integer_64_32); 2215 return DiagnoseImpCast(S, E, T, diag::warn_impcast_integer_precision); 2216 } 2217 2218 if ((TargetRange.NonNegative && !SourceRange.NonNegative) || 2219 (!TargetRange.NonNegative && SourceRange.NonNegative && 2220 SourceRange.Width == TargetRange.Width)) { 2221 unsigned DiagID = diag::warn_impcast_integer_sign; 2222 2223 // Traditionally, gcc has warned about this under -Wsign-compare. 2224 // We also want to warn about it in -Wconversion. 2225 // So if -Wconversion is off, use a completely identical diagnostic 2226 // in the sign-compare group. 2227 // The conditional-checking code will 2228 if (ICContext) { 2229 DiagID = diag::warn_impcast_integer_sign_conditional; 2230 *ICContext = true; 2231 } 2232 2233 return DiagnoseImpCast(S, E, T, DiagID); 2234 } 2235 2236 return; 2237} 2238 2239void CheckConditionalOperator(Sema &S, ConditionalOperator *E, QualType T); 2240 2241void CheckConditionalOperand(Sema &S, Expr *E, QualType T, 2242 bool &ICContext) { 2243 E = E->IgnoreParenImpCasts(); 2244 2245 if (isa<ConditionalOperator>(E)) 2246 return CheckConditionalOperator(S, cast<ConditionalOperator>(E), T); 2247 2248 AnalyzeImplicitConversions(S, E); 2249 if (E->getType() != T) 2250 return CheckImplicitConversion(S, E, T, &ICContext); 2251 return; 2252} 2253 2254void CheckConditionalOperator(Sema &S, ConditionalOperator *E, QualType T) { 2255 AnalyzeImplicitConversions(S, E->getCond()); 2256 2257 bool Suspicious = false; 2258 CheckConditionalOperand(S, E->getTrueExpr(), T, Suspicious); 2259 CheckConditionalOperand(S, E->getFalseExpr(), T, Suspicious); 2260 2261 // If -Wconversion would have warned about either of the candidates 2262 // for a signedness conversion to the context type... 2263 if (!Suspicious) return; 2264 2265 // ...but it's currently ignored... 2266 if (S.Diags.getDiagnosticLevel(diag::warn_impcast_integer_sign_conditional)) 2267 return; 2268 2269 // ...and -Wsign-compare isn't... 2270 if (!S.Diags.getDiagnosticLevel(diag::warn_mixed_sign_conditional)) 2271 return; 2272 2273 // ...then check whether it would have warned about either of the 2274 // candidates for a signedness conversion to the condition type. 2275 if (E->getType() != T) { 2276 Suspicious = false; 2277 CheckImplicitConversion(S, E->getTrueExpr()->IgnoreParenImpCasts(), 2278 E->getType(), &Suspicious); 2279 if (!Suspicious) 2280 CheckImplicitConversion(S, E->getFalseExpr()->IgnoreParenImpCasts(), 2281 E->getType(), &Suspicious); 2282 if (!Suspicious) 2283 return; 2284 } 2285 2286 // If so, emit a diagnostic under -Wsign-compare. 2287 Expr *lex = E->getTrueExpr()->IgnoreParenImpCasts(); 2288 Expr *rex = E->getFalseExpr()->IgnoreParenImpCasts(); 2289 S.Diag(E->getQuestionLoc(), diag::warn_mixed_sign_conditional) 2290 << lex->getType() << rex->getType() 2291 << lex->getSourceRange() << rex->getSourceRange(); 2292} 2293 2294/// AnalyzeImplicitConversions - Find and report any interesting 2295/// implicit conversions in the given expression. There are a couple 2296/// of competing diagnostics here, -Wconversion and -Wsign-compare. 2297void AnalyzeImplicitConversions(Sema &S, Expr *OrigE) { 2298 QualType T = OrigE->getType(); 2299 Expr *E = OrigE->IgnoreParenImpCasts(); 2300 2301 // For conditional operators, we analyze the arguments as if they 2302 // were being fed directly into the output. 2303 if (isa<ConditionalOperator>(E)) { 2304 ConditionalOperator *CO = cast<ConditionalOperator>(E); 2305 CheckConditionalOperator(S, CO, T); 2306 return; 2307 } 2308 2309 // Go ahead and check any implicit conversions we might have skipped. 2310 // The non-canonical typecheck is just an optimization; 2311 // CheckImplicitConversion will filter out dead implicit conversions. 2312 if (E->getType() != T) 2313 CheckImplicitConversion(S, E, T); 2314 2315 // Now continue drilling into this expression. 2316 2317 // Skip past explicit casts. 2318 if (isa<ExplicitCastExpr>(E)) { 2319 E = cast<ExplicitCastExpr>(E)->getSubExpr()->IgnoreParenImpCasts(); 2320 return AnalyzeImplicitConversions(S, E); 2321 } 2322 2323 // Do a somewhat different check with comparison operators. 2324 if (isa<BinaryOperator>(E) && cast<BinaryOperator>(E)->isComparisonOp()) 2325 return AnalyzeComparison(S, cast<BinaryOperator>(E)); 2326 2327 // These break the otherwise-useful invariant below. Fortunately, 2328 // we don't really need to recurse into them, because any internal 2329 // expressions should have been analyzed already when they were 2330 // built into statements. 2331 if (isa<StmtExpr>(E)) return; 2332 2333 // Don't descend into unevaluated contexts. 2334 if (isa<SizeOfAlignOfExpr>(E)) return; 2335 2336 // Now just recurse over the expression's children. 2337 for (Stmt::child_iterator I = E->child_begin(), IE = E->child_end(); 2338 I != IE; ++I) 2339 AnalyzeImplicitConversions(S, cast<Expr>(*I)); 2340} 2341 2342} // end anonymous namespace 2343 2344/// Diagnoses "dangerous" implicit conversions within the given 2345/// expression (which is a full expression). Implements -Wconversion 2346/// and -Wsign-compare. 2347void Sema::CheckImplicitConversions(Expr *E) { 2348 // Don't diagnose in unevaluated contexts. 2349 if (ExprEvalContexts.back().Context == Sema::Unevaluated) 2350 return; 2351 2352 // Don't diagnose for value- or type-dependent expressions. 2353 if (E->isTypeDependent() || E->isValueDependent()) 2354 return; 2355 2356 AnalyzeImplicitConversions(*this, E); 2357} 2358 2359/// CheckParmsForFunctionDef - Check that the parameters of the given 2360/// function are appropriate for the definition of a function. This 2361/// takes care of any checks that cannot be performed on the 2362/// declaration itself, e.g., that the types of each of the function 2363/// parameters are complete. 2364bool Sema::CheckParmsForFunctionDef(FunctionDecl *FD) { 2365 bool HasInvalidParm = false; 2366 for (unsigned p = 0, NumParams = FD->getNumParams(); p < NumParams; ++p) { 2367 ParmVarDecl *Param = FD->getParamDecl(p); 2368 2369 // C99 6.7.5.3p4: the parameters in a parameter type list in a 2370 // function declarator that is part of a function definition of 2371 // that function shall not have incomplete type. 2372 // 2373 // This is also C++ [dcl.fct]p6. 2374 if (!Param->isInvalidDecl() && 2375 RequireCompleteType(Param->getLocation(), Param->getType(), 2376 diag::err_typecheck_decl_incomplete_type)) { 2377 Param->setInvalidDecl(); 2378 HasInvalidParm = true; 2379 } 2380 2381 // C99 6.9.1p5: If the declarator includes a parameter type list, the 2382 // declaration of each parameter shall include an identifier. 2383 if (Param->getIdentifier() == 0 && 2384 !Param->isImplicit() && 2385 !getLangOptions().CPlusPlus) 2386 Diag(Param->getLocation(), diag::err_parameter_name_omitted); 2387 2388 // C99 6.7.5.3p12: 2389 // If the function declarator is not part of a definition of that 2390 // function, parameters may have incomplete type and may use the [*] 2391 // notation in their sequences of declarator specifiers to specify 2392 // variable length array types. 2393 QualType PType = Param->getOriginalType(); 2394 if (const ArrayType *AT = Context.getAsArrayType(PType)) { 2395 if (AT->getSizeModifier() == ArrayType::Star) { 2396 // FIXME: This diagnosic should point the the '[*]' if source-location 2397 // information is added for it. 2398 Diag(Param->getLocation(), diag::err_array_star_in_function_definition); 2399 } 2400 } 2401 } 2402 2403 return HasInvalidParm; 2404} 2405