SemaChecking.cpp revision ba44712b0e578a851751e199bb75dbbff5836fed
1//===--- SemaChecking.cpp - Extra Semantic Checking -----------------------===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file implements extra semantic analysis beyond what is enforced 11// by the C type system. 12// 13//===----------------------------------------------------------------------===// 14 15#include "clang/Sema/Sema.h" 16#include "clang/Sema/SemaInternal.h" 17#include "clang/Sema/ScopeInfo.h" 18#include "clang/Analysis/Analyses/FormatString.h" 19#include "clang/AST/ASTContext.h" 20#include "clang/AST/CharUnits.h" 21#include "clang/AST/DeclCXX.h" 22#include "clang/AST/DeclObjC.h" 23#include "clang/AST/ExprCXX.h" 24#include "clang/AST/ExprObjC.h" 25#include "clang/AST/EvaluatedExprVisitor.h" 26#include "clang/AST/DeclObjC.h" 27#include "clang/AST/StmtCXX.h" 28#include "clang/AST/StmtObjC.h" 29#include "clang/Lex/Preprocessor.h" 30#include "llvm/ADT/BitVector.h" 31#include "llvm/ADT/STLExtras.h" 32#include "llvm/Support/raw_ostream.h" 33#include "clang/Basic/TargetBuiltins.h" 34#include "clang/Basic/TargetInfo.h" 35#include "clang/Basic/ConvertUTF.h" 36#include <limits> 37using namespace clang; 38using namespace sema; 39 40SourceLocation Sema::getLocationOfStringLiteralByte(const StringLiteral *SL, 41 unsigned ByteNo) const { 42 return SL->getLocationOfByte(ByteNo, PP.getSourceManager(), 43 PP.getLangOptions(), PP.getTargetInfo()); 44} 45 46 47/// CheckablePrintfAttr - does a function call have a "printf" attribute 48/// and arguments that merit checking? 49bool Sema::CheckablePrintfAttr(const FormatAttr *Format, CallExpr *TheCall) { 50 if (Format->getType() == "printf") return true; 51 if (Format->getType() == "printf0") { 52 // printf0 allows null "format" string; if so don't check format/args 53 unsigned format_idx = Format->getFormatIdx() - 1; 54 // Does the index refer to the implicit object argument? 55 if (isa<CXXMemberCallExpr>(TheCall)) { 56 if (format_idx == 0) 57 return false; 58 --format_idx; 59 } 60 if (format_idx < TheCall->getNumArgs()) { 61 Expr *Format = TheCall->getArg(format_idx)->IgnoreParenCasts(); 62 if (!Format->isNullPointerConstant(Context, 63 Expr::NPC_ValueDependentIsNull)) 64 return true; 65 } 66 } 67 return false; 68} 69 70/// Checks that a call expression's argument count is the desired number. 71/// This is useful when doing custom type-checking. Returns true on error. 72static bool checkArgCount(Sema &S, CallExpr *call, unsigned desiredArgCount) { 73 unsigned argCount = call->getNumArgs(); 74 if (argCount == desiredArgCount) return false; 75 76 if (argCount < desiredArgCount) 77 return S.Diag(call->getLocEnd(), diag::err_typecheck_call_too_few_args) 78 << 0 /*function call*/ << desiredArgCount << argCount 79 << call->getSourceRange(); 80 81 // Highlight all the excess arguments. 82 SourceRange range(call->getArg(desiredArgCount)->getLocStart(), 83 call->getArg(argCount - 1)->getLocEnd()); 84 85 return S.Diag(range.getBegin(), diag::err_typecheck_call_too_many_args) 86 << 0 /*function call*/ << desiredArgCount << argCount 87 << call->getArg(1)->getSourceRange(); 88} 89 90ExprResult 91Sema::CheckBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 92 ExprResult TheCallResult(Owned(TheCall)); 93 94 // Find out if any arguments are required to be integer constant expressions. 95 unsigned ICEArguments = 0; 96 ASTContext::GetBuiltinTypeError Error; 97 Context.GetBuiltinType(BuiltinID, Error, &ICEArguments); 98 if (Error != ASTContext::GE_None) 99 ICEArguments = 0; // Don't diagnose previously diagnosed errors. 100 101 // If any arguments are required to be ICE's, check and diagnose. 102 for (unsigned ArgNo = 0; ICEArguments != 0; ++ArgNo) { 103 // Skip arguments not required to be ICE's. 104 if ((ICEArguments & (1 << ArgNo)) == 0) continue; 105 106 llvm::APSInt Result; 107 if (SemaBuiltinConstantArg(TheCall, ArgNo, Result)) 108 return true; 109 ICEArguments &= ~(1 << ArgNo); 110 } 111 112 switch (BuiltinID) { 113 case Builtin::BI__builtin___CFStringMakeConstantString: 114 assert(TheCall->getNumArgs() == 1 && 115 "Wrong # arguments to builtin CFStringMakeConstantString"); 116 if (CheckObjCString(TheCall->getArg(0))) 117 return ExprError(); 118 break; 119 case Builtin::BI__builtin_stdarg_start: 120 case Builtin::BI__builtin_va_start: 121 if (SemaBuiltinVAStart(TheCall)) 122 return ExprError(); 123 break; 124 case Builtin::BI__builtin_isgreater: 125 case Builtin::BI__builtin_isgreaterequal: 126 case Builtin::BI__builtin_isless: 127 case Builtin::BI__builtin_islessequal: 128 case Builtin::BI__builtin_islessgreater: 129 case Builtin::BI__builtin_isunordered: 130 if (SemaBuiltinUnorderedCompare(TheCall)) 131 return ExprError(); 132 break; 133 case Builtin::BI__builtin_fpclassify: 134 if (SemaBuiltinFPClassification(TheCall, 6)) 135 return ExprError(); 136 break; 137 case Builtin::BI__builtin_isfinite: 138 case Builtin::BI__builtin_isinf: 139 case Builtin::BI__builtin_isinf_sign: 140 case Builtin::BI__builtin_isnan: 141 case Builtin::BI__builtin_isnormal: 142 if (SemaBuiltinFPClassification(TheCall, 1)) 143 return ExprError(); 144 break; 145 case Builtin::BI__builtin_shufflevector: 146 return SemaBuiltinShuffleVector(TheCall); 147 // TheCall will be freed by the smart pointer here, but that's fine, since 148 // SemaBuiltinShuffleVector guts it, but then doesn't release it. 149 case Builtin::BI__builtin_prefetch: 150 if (SemaBuiltinPrefetch(TheCall)) 151 return ExprError(); 152 break; 153 case Builtin::BI__builtin_object_size: 154 if (SemaBuiltinObjectSize(TheCall)) 155 return ExprError(); 156 break; 157 case Builtin::BI__builtin_longjmp: 158 if (SemaBuiltinLongjmp(TheCall)) 159 return ExprError(); 160 break; 161 162 case Builtin::BI__builtin_classify_type: 163 if (checkArgCount(*this, TheCall, 1)) return true; 164 TheCall->setType(Context.IntTy); 165 break; 166 case Builtin::BI__builtin_constant_p: 167 if (checkArgCount(*this, TheCall, 1)) return true; 168 TheCall->setType(Context.IntTy); 169 break; 170 case Builtin::BI__sync_fetch_and_add: 171 case Builtin::BI__sync_fetch_and_sub: 172 case Builtin::BI__sync_fetch_and_or: 173 case Builtin::BI__sync_fetch_and_and: 174 case Builtin::BI__sync_fetch_and_xor: 175 case Builtin::BI__sync_add_and_fetch: 176 case Builtin::BI__sync_sub_and_fetch: 177 case Builtin::BI__sync_and_and_fetch: 178 case Builtin::BI__sync_or_and_fetch: 179 case Builtin::BI__sync_xor_and_fetch: 180 case Builtin::BI__sync_val_compare_and_swap: 181 case Builtin::BI__sync_bool_compare_and_swap: 182 case Builtin::BI__sync_lock_test_and_set: 183 case Builtin::BI__sync_lock_release: 184 case Builtin::BI__sync_swap: 185 return SemaBuiltinAtomicOverloaded(move(TheCallResult)); 186 } 187 188 // Since the target specific builtins for each arch overlap, only check those 189 // of the arch we are compiling for. 190 if (BuiltinID >= Builtin::FirstTSBuiltin) { 191 switch (Context.Target.getTriple().getArch()) { 192 case llvm::Triple::arm: 193 case llvm::Triple::thumb: 194 if (CheckARMBuiltinFunctionCall(BuiltinID, TheCall)) 195 return ExprError(); 196 break; 197 default: 198 break; 199 } 200 } 201 202 return move(TheCallResult); 203} 204 205// Get the valid immediate range for the specified NEON type code. 206static unsigned RFT(unsigned t, bool shift = false) { 207 bool quad = t & 0x10; 208 209 switch (t & 0x7) { 210 case 0: // i8 211 return shift ? 7 : (8 << (int)quad) - 1; 212 case 1: // i16 213 return shift ? 15 : (4 << (int)quad) - 1; 214 case 2: // i32 215 return shift ? 31 : (2 << (int)quad) - 1; 216 case 3: // i64 217 return shift ? 63 : (1 << (int)quad) - 1; 218 case 4: // f32 219 assert(!shift && "cannot shift float types!"); 220 return (2 << (int)quad) - 1; 221 case 5: // poly8 222 return shift ? 7 : (8 << (int)quad) - 1; 223 case 6: // poly16 224 return shift ? 15 : (4 << (int)quad) - 1; 225 case 7: // float16 226 assert(!shift && "cannot shift float types!"); 227 return (4 << (int)quad) - 1; 228 } 229 return 0; 230} 231 232bool Sema::CheckARMBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 233 llvm::APSInt Result; 234 235 unsigned mask = 0; 236 unsigned TV = 0; 237 switch (BuiltinID) { 238#define GET_NEON_OVERLOAD_CHECK 239#include "clang/Basic/arm_neon.inc" 240#undef GET_NEON_OVERLOAD_CHECK 241 } 242 243 // For NEON intrinsics which are overloaded on vector element type, validate 244 // the immediate which specifies which variant to emit. 245 if (mask) { 246 unsigned ArgNo = TheCall->getNumArgs()-1; 247 if (SemaBuiltinConstantArg(TheCall, ArgNo, Result)) 248 return true; 249 250 TV = Result.getLimitedValue(32); 251 if ((TV > 31) || (mask & (1 << TV)) == 0) 252 return Diag(TheCall->getLocStart(), diag::err_invalid_neon_type_code) 253 << TheCall->getArg(ArgNo)->getSourceRange(); 254 } 255 256 // For NEON intrinsics which take an immediate value as part of the 257 // instruction, range check them here. 258 unsigned i = 0, l = 0, u = 0; 259 switch (BuiltinID) { 260 default: return false; 261 case ARM::BI__builtin_arm_ssat: i = 1; l = 1; u = 31; break; 262 case ARM::BI__builtin_arm_usat: i = 1; u = 31; break; 263 case ARM::BI__builtin_arm_vcvtr_f: 264 case ARM::BI__builtin_arm_vcvtr_d: i = 1; u = 1; break; 265#define GET_NEON_IMMEDIATE_CHECK 266#include "clang/Basic/arm_neon.inc" 267#undef GET_NEON_IMMEDIATE_CHECK 268 }; 269 270 // Check that the immediate argument is actually a constant. 271 if (SemaBuiltinConstantArg(TheCall, i, Result)) 272 return true; 273 274 // Range check against the upper/lower values for this isntruction. 275 unsigned Val = Result.getZExtValue(); 276 if (Val < l || Val > (u + l)) 277 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 278 << l << u+l << TheCall->getArg(i)->getSourceRange(); 279 280 // FIXME: VFP Intrinsics should error if VFP not present. 281 return false; 282} 283 284/// CheckFunctionCall - Check a direct function call for various correctness 285/// and safety properties not strictly enforced by the C type system. 286bool Sema::CheckFunctionCall(FunctionDecl *FDecl, CallExpr *TheCall) { 287 // Get the IdentifierInfo* for the called function. 288 IdentifierInfo *FnInfo = FDecl->getIdentifier(); 289 290 // None of the checks below are needed for functions that don't have 291 // simple names (e.g., C++ conversion functions). 292 if (!FnInfo) 293 return false; 294 295 // FIXME: This mechanism should be abstracted to be less fragile and 296 // more efficient. For example, just map function ids to custom 297 // handlers. 298 299 // Printf and scanf checking. 300 for (specific_attr_iterator<FormatAttr> 301 i = FDecl->specific_attr_begin<FormatAttr>(), 302 e = FDecl->specific_attr_end<FormatAttr>(); i != e ; ++i) { 303 304 const FormatAttr *Format = *i; 305 const bool b = Format->getType() == "scanf"; 306 if (b || CheckablePrintfAttr(Format, TheCall)) { 307 bool HasVAListArg = Format->getFirstArg() == 0; 308 CheckPrintfScanfArguments(TheCall, HasVAListArg, 309 Format->getFormatIdx() - 1, 310 HasVAListArg ? 0 : Format->getFirstArg() - 1, 311 !b); 312 } 313 } 314 315 for (specific_attr_iterator<NonNullAttr> 316 i = FDecl->specific_attr_begin<NonNullAttr>(), 317 e = FDecl->specific_attr_end<NonNullAttr>(); i != e; ++i) { 318 CheckNonNullArguments(*i, TheCall->getArgs(), 319 TheCall->getCallee()->getLocStart()); 320 } 321 322 // Memset/memcpy/memmove/memcmp handling 323 int CMF = -1; 324 switch (FDecl->getBuiltinID()) { 325 case Builtin::BI__builtin_memset: 326 case Builtin::BI__builtin___memset_chk: 327 case Builtin::BImemset: 328 CMF = CMF_Memset; 329 break; 330 331 case Builtin::BI__builtin_memcpy: 332 case Builtin::BI__builtin___memcpy_chk: 333 case Builtin::BImemcpy: 334 CMF = CMF_Memcpy; 335 break; 336 337 case Builtin::BI__builtin_memmove: 338 case Builtin::BI__builtin___memmove_chk: 339 case Builtin::BImemmove: 340 CMF = CMF_Memmove; 341 break; 342 343 case Builtin::BI__builtin_memcmp: 344 CMF = CMF_Memcmp; 345 break; 346 347 default: 348 if (FDecl->getLinkage() == ExternalLinkage && 349 (!getLangOptions().CPlusPlus || FDecl->isExternC())) { 350 if (FnInfo->isStr("memset")) 351 CMF = CMF_Memset; 352 else if (FnInfo->isStr("memcpy")) 353 CMF = CMF_Memcpy; 354 else if (FnInfo->isStr("memmove")) 355 CMF = CMF_Memmove; 356 else if (FnInfo->isStr("memcmp")) 357 CMF = CMF_Memcmp; 358 } 359 break; 360 } 361 362 if (CMF != -1) 363 CheckMemaccessArguments(TheCall, CheckedMemoryFunction(CMF), FnInfo); 364 365 return false; 366} 367 368bool Sema::CheckBlockCall(NamedDecl *NDecl, CallExpr *TheCall) { 369 // Printf checking. 370 const FormatAttr *Format = NDecl->getAttr<FormatAttr>(); 371 if (!Format) 372 return false; 373 374 const VarDecl *V = dyn_cast<VarDecl>(NDecl); 375 if (!V) 376 return false; 377 378 QualType Ty = V->getType(); 379 if (!Ty->isBlockPointerType()) 380 return false; 381 382 const bool b = Format->getType() == "scanf"; 383 if (!b && !CheckablePrintfAttr(Format, TheCall)) 384 return false; 385 386 bool HasVAListArg = Format->getFirstArg() == 0; 387 CheckPrintfScanfArguments(TheCall, HasVAListArg, Format->getFormatIdx() - 1, 388 HasVAListArg ? 0 : Format->getFirstArg() - 1, !b); 389 390 return false; 391} 392 393/// SemaBuiltinAtomicOverloaded - We have a call to a function like 394/// __sync_fetch_and_add, which is an overloaded function based on the pointer 395/// type of its first argument. The main ActOnCallExpr routines have already 396/// promoted the types of arguments because all of these calls are prototyped as 397/// void(...). 398/// 399/// This function goes through and does final semantic checking for these 400/// builtins, 401ExprResult 402Sema::SemaBuiltinAtomicOverloaded(ExprResult TheCallResult) { 403 CallExpr *TheCall = (CallExpr *)TheCallResult.get(); 404 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 405 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 406 407 // Ensure that we have at least one argument to do type inference from. 408 if (TheCall->getNumArgs() < 1) { 409 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 410 << 0 << 1 << TheCall->getNumArgs() 411 << TheCall->getCallee()->getSourceRange(); 412 return ExprError(); 413 } 414 415 // Inspect the first argument of the atomic builtin. This should always be 416 // a pointer type, whose element is an integral scalar or pointer type. 417 // Because it is a pointer type, we don't have to worry about any implicit 418 // casts here. 419 // FIXME: We don't allow floating point scalars as input. 420 Expr *FirstArg = TheCall->getArg(0); 421 const PointerType *pointerType = FirstArg->getType()->getAs<PointerType>(); 422 if (!pointerType) { 423 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 424 << FirstArg->getType() << FirstArg->getSourceRange(); 425 return ExprError(); 426 } 427 428 QualType ValType = pointerType->getPointeeType(); 429 if (!ValType->isIntegerType() && !ValType->isAnyPointerType() && 430 !ValType->isBlockPointerType()) { 431 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer_intptr) 432 << FirstArg->getType() << FirstArg->getSourceRange(); 433 return ExprError(); 434 } 435 436 switch (ValType.getObjCLifetime()) { 437 case Qualifiers::OCL_None: 438 case Qualifiers::OCL_ExplicitNone: 439 // okay 440 break; 441 442 case Qualifiers::OCL_Weak: 443 case Qualifiers::OCL_Strong: 444 case Qualifiers::OCL_Autoreleasing: 445 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 446 << ValType << FirstArg->getSourceRange(); 447 return ExprError(); 448 } 449 450 // The majority of builtins return a value, but a few have special return 451 // types, so allow them to override appropriately below. 452 QualType ResultType = ValType; 453 454 // We need to figure out which concrete builtin this maps onto. For example, 455 // __sync_fetch_and_add with a 2 byte object turns into 456 // __sync_fetch_and_add_2. 457#define BUILTIN_ROW(x) \ 458 { Builtin::BI##x##_1, Builtin::BI##x##_2, Builtin::BI##x##_4, \ 459 Builtin::BI##x##_8, Builtin::BI##x##_16 } 460 461 static const unsigned BuiltinIndices[][5] = { 462 BUILTIN_ROW(__sync_fetch_and_add), 463 BUILTIN_ROW(__sync_fetch_and_sub), 464 BUILTIN_ROW(__sync_fetch_and_or), 465 BUILTIN_ROW(__sync_fetch_and_and), 466 BUILTIN_ROW(__sync_fetch_and_xor), 467 468 BUILTIN_ROW(__sync_add_and_fetch), 469 BUILTIN_ROW(__sync_sub_and_fetch), 470 BUILTIN_ROW(__sync_and_and_fetch), 471 BUILTIN_ROW(__sync_or_and_fetch), 472 BUILTIN_ROW(__sync_xor_and_fetch), 473 474 BUILTIN_ROW(__sync_val_compare_and_swap), 475 BUILTIN_ROW(__sync_bool_compare_and_swap), 476 BUILTIN_ROW(__sync_lock_test_and_set), 477 BUILTIN_ROW(__sync_lock_release), 478 BUILTIN_ROW(__sync_swap) 479 }; 480#undef BUILTIN_ROW 481 482 // Determine the index of the size. 483 unsigned SizeIndex; 484 switch (Context.getTypeSizeInChars(ValType).getQuantity()) { 485 case 1: SizeIndex = 0; break; 486 case 2: SizeIndex = 1; break; 487 case 4: SizeIndex = 2; break; 488 case 8: SizeIndex = 3; break; 489 case 16: SizeIndex = 4; break; 490 default: 491 Diag(DRE->getLocStart(), diag::err_atomic_builtin_pointer_size) 492 << FirstArg->getType() << FirstArg->getSourceRange(); 493 return ExprError(); 494 } 495 496 // Each of these builtins has one pointer argument, followed by some number of 497 // values (0, 1 or 2) followed by a potentially empty varags list of stuff 498 // that we ignore. Find out which row of BuiltinIndices to read from as well 499 // as the number of fixed args. 500 unsigned BuiltinID = FDecl->getBuiltinID(); 501 unsigned BuiltinIndex, NumFixed = 1; 502 switch (BuiltinID) { 503 default: assert(0 && "Unknown overloaded atomic builtin!"); 504 case Builtin::BI__sync_fetch_and_add: BuiltinIndex = 0; break; 505 case Builtin::BI__sync_fetch_and_sub: BuiltinIndex = 1; break; 506 case Builtin::BI__sync_fetch_and_or: BuiltinIndex = 2; break; 507 case Builtin::BI__sync_fetch_and_and: BuiltinIndex = 3; break; 508 case Builtin::BI__sync_fetch_and_xor: BuiltinIndex = 4; break; 509 510 case Builtin::BI__sync_add_and_fetch: BuiltinIndex = 5; break; 511 case Builtin::BI__sync_sub_and_fetch: BuiltinIndex = 6; break; 512 case Builtin::BI__sync_and_and_fetch: BuiltinIndex = 7; break; 513 case Builtin::BI__sync_or_and_fetch: BuiltinIndex = 8; break; 514 case Builtin::BI__sync_xor_and_fetch: BuiltinIndex = 9; break; 515 516 case Builtin::BI__sync_val_compare_and_swap: 517 BuiltinIndex = 10; 518 NumFixed = 2; 519 break; 520 case Builtin::BI__sync_bool_compare_and_swap: 521 BuiltinIndex = 11; 522 NumFixed = 2; 523 ResultType = Context.BoolTy; 524 break; 525 case Builtin::BI__sync_lock_test_and_set: BuiltinIndex = 12; break; 526 case Builtin::BI__sync_lock_release: 527 BuiltinIndex = 13; 528 NumFixed = 0; 529 ResultType = Context.VoidTy; 530 break; 531 case Builtin::BI__sync_swap: BuiltinIndex = 14; break; 532 } 533 534 // Now that we know how many fixed arguments we expect, first check that we 535 // have at least that many. 536 if (TheCall->getNumArgs() < 1+NumFixed) { 537 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 538 << 0 << 1+NumFixed << TheCall->getNumArgs() 539 << TheCall->getCallee()->getSourceRange(); 540 return ExprError(); 541 } 542 543 // Get the decl for the concrete builtin from this, we can tell what the 544 // concrete integer type we should convert to is. 545 unsigned NewBuiltinID = BuiltinIndices[BuiltinIndex][SizeIndex]; 546 const char *NewBuiltinName = Context.BuiltinInfo.GetName(NewBuiltinID); 547 IdentifierInfo *NewBuiltinII = PP.getIdentifierInfo(NewBuiltinName); 548 FunctionDecl *NewBuiltinDecl = 549 cast<FunctionDecl>(LazilyCreateBuiltin(NewBuiltinII, NewBuiltinID, 550 TUScope, false, DRE->getLocStart())); 551 552 // The first argument --- the pointer --- has a fixed type; we 553 // deduce the types of the rest of the arguments accordingly. Walk 554 // the remaining arguments, converting them to the deduced value type. 555 for (unsigned i = 0; i != NumFixed; ++i) { 556 ExprResult Arg = TheCall->getArg(i+1); 557 558 // If the argument is an implicit cast, then there was a promotion due to 559 // "...", just remove it now. 560 if (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Arg.get())) { 561 Arg = ICE->getSubExpr(); 562 ICE->setSubExpr(0); 563 TheCall->setArg(i+1, Arg.get()); 564 } 565 566 // GCC does an implicit conversion to the pointer or integer ValType. This 567 // can fail in some cases (1i -> int**), check for this error case now. 568 CastKind Kind = CK_Invalid; 569 ExprValueKind VK = VK_RValue; 570 CXXCastPath BasePath; 571 Arg = CheckCastTypes(Arg.get()->getLocStart(), Arg.get()->getSourceRange(), 572 ValType, Arg.take(), Kind, VK, BasePath); 573 if (Arg.isInvalid()) 574 return ExprError(); 575 576 // Okay, we have something that *can* be converted to the right type. Check 577 // to see if there is a potentially weird extension going on here. This can 578 // happen when you do an atomic operation on something like an char* and 579 // pass in 42. The 42 gets converted to char. This is even more strange 580 // for things like 45.123 -> char, etc. 581 // FIXME: Do this check. 582 Arg = ImpCastExprToType(Arg.take(), ValType, Kind, VK, &BasePath); 583 TheCall->setArg(i+1, Arg.get()); 584 } 585 586 // Switch the DeclRefExpr to refer to the new decl. 587 DRE->setDecl(NewBuiltinDecl); 588 DRE->setType(NewBuiltinDecl->getType()); 589 590 // Set the callee in the CallExpr. 591 // FIXME: This leaks the original parens and implicit casts. 592 ExprResult PromotedCall = UsualUnaryConversions(DRE); 593 if (PromotedCall.isInvalid()) 594 return ExprError(); 595 TheCall->setCallee(PromotedCall.take()); 596 597 // Change the result type of the call to match the original value type. This 598 // is arbitrary, but the codegen for these builtins ins design to handle it 599 // gracefully. 600 TheCall->setType(ResultType); 601 602 return move(TheCallResult); 603} 604 605 606/// CheckObjCString - Checks that the argument to the builtin 607/// CFString constructor is correct 608/// Note: It might also make sense to do the UTF-16 conversion here (would 609/// simplify the backend). 610bool Sema::CheckObjCString(Expr *Arg) { 611 Arg = Arg->IgnoreParenCasts(); 612 StringLiteral *Literal = dyn_cast<StringLiteral>(Arg); 613 614 if (!Literal || !Literal->isAscii()) { 615 Diag(Arg->getLocStart(), diag::err_cfstring_literal_not_string_constant) 616 << Arg->getSourceRange(); 617 return true; 618 } 619 620 if (Literal->containsNonAsciiOrNull()) { 621 StringRef String = Literal->getString(); 622 unsigned NumBytes = String.size(); 623 SmallVector<UTF16, 128> ToBuf(NumBytes); 624 const UTF8 *FromPtr = (UTF8 *)String.data(); 625 UTF16 *ToPtr = &ToBuf[0]; 626 627 ConversionResult Result = ConvertUTF8toUTF16(&FromPtr, FromPtr + NumBytes, 628 &ToPtr, ToPtr + NumBytes, 629 strictConversion); 630 // Check for conversion failure. 631 if (Result != conversionOK) 632 Diag(Arg->getLocStart(), 633 diag::warn_cfstring_truncated) << Arg->getSourceRange(); 634 } 635 return false; 636} 637 638/// SemaBuiltinVAStart - Check the arguments to __builtin_va_start for validity. 639/// Emit an error and return true on failure, return false on success. 640bool Sema::SemaBuiltinVAStart(CallExpr *TheCall) { 641 Expr *Fn = TheCall->getCallee(); 642 if (TheCall->getNumArgs() > 2) { 643 Diag(TheCall->getArg(2)->getLocStart(), 644 diag::err_typecheck_call_too_many_args) 645 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 646 << Fn->getSourceRange() 647 << SourceRange(TheCall->getArg(2)->getLocStart(), 648 (*(TheCall->arg_end()-1))->getLocEnd()); 649 return true; 650 } 651 652 if (TheCall->getNumArgs() < 2) { 653 return Diag(TheCall->getLocEnd(), 654 diag::err_typecheck_call_too_few_args_at_least) 655 << 0 /*function call*/ << 2 << TheCall->getNumArgs(); 656 } 657 658 // Determine whether the current function is variadic or not. 659 BlockScopeInfo *CurBlock = getCurBlock(); 660 bool isVariadic; 661 if (CurBlock) 662 isVariadic = CurBlock->TheDecl->isVariadic(); 663 else if (FunctionDecl *FD = getCurFunctionDecl()) 664 isVariadic = FD->isVariadic(); 665 else 666 isVariadic = getCurMethodDecl()->isVariadic(); 667 668 if (!isVariadic) { 669 Diag(Fn->getLocStart(), diag::err_va_start_used_in_non_variadic_function); 670 return true; 671 } 672 673 // Verify that the second argument to the builtin is the last argument of the 674 // current function or method. 675 bool SecondArgIsLastNamedArgument = false; 676 const Expr *Arg = TheCall->getArg(1)->IgnoreParenCasts(); 677 678 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Arg)) { 679 if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(DR->getDecl())) { 680 // FIXME: This isn't correct for methods (results in bogus warning). 681 // Get the last formal in the current function. 682 const ParmVarDecl *LastArg; 683 if (CurBlock) 684 LastArg = *(CurBlock->TheDecl->param_end()-1); 685 else if (FunctionDecl *FD = getCurFunctionDecl()) 686 LastArg = *(FD->param_end()-1); 687 else 688 LastArg = *(getCurMethodDecl()->param_end()-1); 689 SecondArgIsLastNamedArgument = PV == LastArg; 690 } 691 } 692 693 if (!SecondArgIsLastNamedArgument) 694 Diag(TheCall->getArg(1)->getLocStart(), 695 diag::warn_second_parameter_of_va_start_not_last_named_argument); 696 return false; 697} 698 699/// SemaBuiltinUnorderedCompare - Handle functions like __builtin_isgreater and 700/// friends. This is declared to take (...), so we have to check everything. 701bool Sema::SemaBuiltinUnorderedCompare(CallExpr *TheCall) { 702 if (TheCall->getNumArgs() < 2) 703 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 704 << 0 << 2 << TheCall->getNumArgs()/*function call*/; 705 if (TheCall->getNumArgs() > 2) 706 return Diag(TheCall->getArg(2)->getLocStart(), 707 diag::err_typecheck_call_too_many_args) 708 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 709 << SourceRange(TheCall->getArg(2)->getLocStart(), 710 (*(TheCall->arg_end()-1))->getLocEnd()); 711 712 ExprResult OrigArg0 = TheCall->getArg(0); 713 ExprResult OrigArg1 = TheCall->getArg(1); 714 715 // Do standard promotions between the two arguments, returning their common 716 // type. 717 QualType Res = UsualArithmeticConversions(OrigArg0, OrigArg1, false); 718 if (OrigArg0.isInvalid() || OrigArg1.isInvalid()) 719 return true; 720 721 // Make sure any conversions are pushed back into the call; this is 722 // type safe since unordered compare builtins are declared as "_Bool 723 // foo(...)". 724 TheCall->setArg(0, OrigArg0.get()); 725 TheCall->setArg(1, OrigArg1.get()); 726 727 if (OrigArg0.get()->isTypeDependent() || OrigArg1.get()->isTypeDependent()) 728 return false; 729 730 // If the common type isn't a real floating type, then the arguments were 731 // invalid for this operation. 732 if (!Res->isRealFloatingType()) 733 return Diag(OrigArg0.get()->getLocStart(), 734 diag::err_typecheck_call_invalid_ordered_compare) 735 << OrigArg0.get()->getType() << OrigArg1.get()->getType() 736 << SourceRange(OrigArg0.get()->getLocStart(), OrigArg1.get()->getLocEnd()); 737 738 return false; 739} 740 741/// SemaBuiltinSemaBuiltinFPClassification - Handle functions like 742/// __builtin_isnan and friends. This is declared to take (...), so we have 743/// to check everything. We expect the last argument to be a floating point 744/// value. 745bool Sema::SemaBuiltinFPClassification(CallExpr *TheCall, unsigned NumArgs) { 746 if (TheCall->getNumArgs() < NumArgs) 747 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 748 << 0 << NumArgs << TheCall->getNumArgs()/*function call*/; 749 if (TheCall->getNumArgs() > NumArgs) 750 return Diag(TheCall->getArg(NumArgs)->getLocStart(), 751 diag::err_typecheck_call_too_many_args) 752 << 0 /*function call*/ << NumArgs << TheCall->getNumArgs() 753 << SourceRange(TheCall->getArg(NumArgs)->getLocStart(), 754 (*(TheCall->arg_end()-1))->getLocEnd()); 755 756 Expr *OrigArg = TheCall->getArg(NumArgs-1); 757 758 if (OrigArg->isTypeDependent()) 759 return false; 760 761 // This operation requires a non-_Complex floating-point number. 762 if (!OrigArg->getType()->isRealFloatingType()) 763 return Diag(OrigArg->getLocStart(), 764 diag::err_typecheck_call_invalid_unary_fp) 765 << OrigArg->getType() << OrigArg->getSourceRange(); 766 767 // If this is an implicit conversion from float -> double, remove it. 768 if (ImplicitCastExpr *Cast = dyn_cast<ImplicitCastExpr>(OrigArg)) { 769 Expr *CastArg = Cast->getSubExpr(); 770 if (CastArg->getType()->isSpecificBuiltinType(BuiltinType::Float)) { 771 assert(Cast->getType()->isSpecificBuiltinType(BuiltinType::Double) && 772 "promotion from float to double is the only expected cast here"); 773 Cast->setSubExpr(0); 774 TheCall->setArg(NumArgs-1, CastArg); 775 OrigArg = CastArg; 776 } 777 } 778 779 return false; 780} 781 782/// SemaBuiltinShuffleVector - Handle __builtin_shufflevector. 783// This is declared to take (...), so we have to check everything. 784ExprResult Sema::SemaBuiltinShuffleVector(CallExpr *TheCall) { 785 if (TheCall->getNumArgs() < 2) 786 return ExprError(Diag(TheCall->getLocEnd(), 787 diag::err_typecheck_call_too_few_args_at_least) 788 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 789 << TheCall->getSourceRange()); 790 791 // Determine which of the following types of shufflevector we're checking: 792 // 1) unary, vector mask: (lhs, mask) 793 // 2) binary, vector mask: (lhs, rhs, mask) 794 // 3) binary, scalar mask: (lhs, rhs, index, ..., index) 795 QualType resType = TheCall->getArg(0)->getType(); 796 unsigned numElements = 0; 797 798 if (!TheCall->getArg(0)->isTypeDependent() && 799 !TheCall->getArg(1)->isTypeDependent()) { 800 QualType LHSType = TheCall->getArg(0)->getType(); 801 QualType RHSType = TheCall->getArg(1)->getType(); 802 803 if (!LHSType->isVectorType() || !RHSType->isVectorType()) { 804 Diag(TheCall->getLocStart(), diag::err_shufflevector_non_vector) 805 << SourceRange(TheCall->getArg(0)->getLocStart(), 806 TheCall->getArg(1)->getLocEnd()); 807 return ExprError(); 808 } 809 810 numElements = LHSType->getAs<VectorType>()->getNumElements(); 811 unsigned numResElements = TheCall->getNumArgs() - 2; 812 813 // Check to see if we have a call with 2 vector arguments, the unary shuffle 814 // with mask. If so, verify that RHS is an integer vector type with the 815 // same number of elts as lhs. 816 if (TheCall->getNumArgs() == 2) { 817 if (!RHSType->hasIntegerRepresentation() || 818 RHSType->getAs<VectorType>()->getNumElements() != numElements) 819 Diag(TheCall->getLocStart(), diag::err_shufflevector_incompatible_vector) 820 << SourceRange(TheCall->getArg(1)->getLocStart(), 821 TheCall->getArg(1)->getLocEnd()); 822 numResElements = numElements; 823 } 824 else if (!Context.hasSameUnqualifiedType(LHSType, RHSType)) { 825 Diag(TheCall->getLocStart(), diag::err_shufflevector_incompatible_vector) 826 << SourceRange(TheCall->getArg(0)->getLocStart(), 827 TheCall->getArg(1)->getLocEnd()); 828 return ExprError(); 829 } else if (numElements != numResElements) { 830 QualType eltType = LHSType->getAs<VectorType>()->getElementType(); 831 resType = Context.getVectorType(eltType, numResElements, 832 VectorType::GenericVector); 833 } 834 } 835 836 for (unsigned i = 2; i < TheCall->getNumArgs(); i++) { 837 if (TheCall->getArg(i)->isTypeDependent() || 838 TheCall->getArg(i)->isValueDependent()) 839 continue; 840 841 llvm::APSInt Result(32); 842 if (!TheCall->getArg(i)->isIntegerConstantExpr(Result, Context)) 843 return ExprError(Diag(TheCall->getLocStart(), 844 diag::err_shufflevector_nonconstant_argument) 845 << TheCall->getArg(i)->getSourceRange()); 846 847 if (Result.getActiveBits() > 64 || Result.getZExtValue() >= numElements*2) 848 return ExprError(Diag(TheCall->getLocStart(), 849 diag::err_shufflevector_argument_too_large) 850 << TheCall->getArg(i)->getSourceRange()); 851 } 852 853 SmallVector<Expr*, 32> exprs; 854 855 for (unsigned i = 0, e = TheCall->getNumArgs(); i != e; i++) { 856 exprs.push_back(TheCall->getArg(i)); 857 TheCall->setArg(i, 0); 858 } 859 860 return Owned(new (Context) ShuffleVectorExpr(Context, exprs.begin(), 861 exprs.size(), resType, 862 TheCall->getCallee()->getLocStart(), 863 TheCall->getRParenLoc())); 864} 865 866/// SemaBuiltinPrefetch - Handle __builtin_prefetch. 867// This is declared to take (const void*, ...) and can take two 868// optional constant int args. 869bool Sema::SemaBuiltinPrefetch(CallExpr *TheCall) { 870 unsigned NumArgs = TheCall->getNumArgs(); 871 872 if (NumArgs > 3) 873 return Diag(TheCall->getLocEnd(), 874 diag::err_typecheck_call_too_many_args_at_most) 875 << 0 /*function call*/ << 3 << NumArgs 876 << TheCall->getSourceRange(); 877 878 // Argument 0 is checked for us and the remaining arguments must be 879 // constant integers. 880 for (unsigned i = 1; i != NumArgs; ++i) { 881 Expr *Arg = TheCall->getArg(i); 882 883 llvm::APSInt Result; 884 if (SemaBuiltinConstantArg(TheCall, i, Result)) 885 return true; 886 887 // FIXME: gcc issues a warning and rewrites these to 0. These 888 // seems especially odd for the third argument since the default 889 // is 3. 890 if (i == 1) { 891 if (Result.getLimitedValue() > 1) 892 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 893 << "0" << "1" << Arg->getSourceRange(); 894 } else { 895 if (Result.getLimitedValue() > 3) 896 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 897 << "0" << "3" << Arg->getSourceRange(); 898 } 899 } 900 901 return false; 902} 903 904/// SemaBuiltinConstantArg - Handle a check if argument ArgNum of CallExpr 905/// TheCall is a constant expression. 906bool Sema::SemaBuiltinConstantArg(CallExpr *TheCall, int ArgNum, 907 llvm::APSInt &Result) { 908 Expr *Arg = TheCall->getArg(ArgNum); 909 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 910 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 911 912 if (Arg->isTypeDependent() || Arg->isValueDependent()) return false; 913 914 if (!Arg->isIntegerConstantExpr(Result, Context)) 915 return Diag(TheCall->getLocStart(), diag::err_constant_integer_arg_type) 916 << FDecl->getDeclName() << Arg->getSourceRange(); 917 918 return false; 919} 920 921/// SemaBuiltinObjectSize - Handle __builtin_object_size(void *ptr, 922/// int type). This simply type checks that type is one of the defined 923/// constants (0-3). 924// For compatibility check 0-3, llvm only handles 0 and 2. 925bool Sema::SemaBuiltinObjectSize(CallExpr *TheCall) { 926 llvm::APSInt Result; 927 928 // Check constant-ness first. 929 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 930 return true; 931 932 Expr *Arg = TheCall->getArg(1); 933 if (Result.getSExtValue() < 0 || Result.getSExtValue() > 3) { 934 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 935 << "0" << "3" << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 936 } 937 938 return false; 939} 940 941/// SemaBuiltinLongjmp - Handle __builtin_longjmp(void *env[5], int val). 942/// This checks that val is a constant 1. 943bool Sema::SemaBuiltinLongjmp(CallExpr *TheCall) { 944 Expr *Arg = TheCall->getArg(1); 945 llvm::APSInt Result; 946 947 // TODO: This is less than ideal. Overload this to take a value. 948 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 949 return true; 950 951 if (Result != 1) 952 return Diag(TheCall->getLocStart(), diag::err_builtin_longjmp_invalid_val) 953 << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 954 955 return false; 956} 957 958// Handle i > 1 ? "x" : "y", recursively. 959bool Sema::SemaCheckStringLiteral(const Expr *E, const CallExpr *TheCall, 960 bool HasVAListArg, 961 unsigned format_idx, unsigned firstDataArg, 962 bool isPrintf) { 963 tryAgain: 964 if (E->isTypeDependent() || E->isValueDependent()) 965 return false; 966 967 E = E->IgnoreParens(); 968 969 switch (E->getStmtClass()) { 970 case Stmt::BinaryConditionalOperatorClass: 971 case Stmt::ConditionalOperatorClass: { 972 const AbstractConditionalOperator *C = cast<AbstractConditionalOperator>(E); 973 return SemaCheckStringLiteral(C->getTrueExpr(), TheCall, HasVAListArg, 974 format_idx, firstDataArg, isPrintf) 975 && SemaCheckStringLiteral(C->getFalseExpr(), TheCall, HasVAListArg, 976 format_idx, firstDataArg, isPrintf); 977 } 978 979 case Stmt::IntegerLiteralClass: 980 // Technically -Wformat-nonliteral does not warn about this case. 981 // The behavior of printf and friends in this case is implementation 982 // dependent. Ideally if the format string cannot be null then 983 // it should have a 'nonnull' attribute in the function prototype. 984 return true; 985 986 case Stmt::ImplicitCastExprClass: { 987 E = cast<ImplicitCastExpr>(E)->getSubExpr(); 988 goto tryAgain; 989 } 990 991 case Stmt::OpaqueValueExprClass: 992 if (const Expr *src = cast<OpaqueValueExpr>(E)->getSourceExpr()) { 993 E = src; 994 goto tryAgain; 995 } 996 return false; 997 998 case Stmt::PredefinedExprClass: 999 // While __func__, etc., are technically not string literals, they 1000 // cannot contain format specifiers and thus are not a security 1001 // liability. 1002 return true; 1003 1004 case Stmt::DeclRefExprClass: { 1005 const DeclRefExpr *DR = cast<DeclRefExpr>(E); 1006 1007 // As an exception, do not flag errors for variables binding to 1008 // const string literals. 1009 if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) { 1010 bool isConstant = false; 1011 QualType T = DR->getType(); 1012 1013 if (const ArrayType *AT = Context.getAsArrayType(T)) { 1014 isConstant = AT->getElementType().isConstant(Context); 1015 } else if (const PointerType *PT = T->getAs<PointerType>()) { 1016 isConstant = T.isConstant(Context) && 1017 PT->getPointeeType().isConstant(Context); 1018 } 1019 1020 if (isConstant) { 1021 if (const Expr *Init = VD->getAnyInitializer()) 1022 return SemaCheckStringLiteral(Init, TheCall, 1023 HasVAListArg, format_idx, firstDataArg, 1024 isPrintf); 1025 } 1026 1027 // For vprintf* functions (i.e., HasVAListArg==true), we add a 1028 // special check to see if the format string is a function parameter 1029 // of the function calling the printf function. If the function 1030 // has an attribute indicating it is a printf-like function, then we 1031 // should suppress warnings concerning non-literals being used in a call 1032 // to a vprintf function. For example: 1033 // 1034 // void 1035 // logmessage(char const *fmt __attribute__ (format (printf, 1, 2)), ...){ 1036 // va_list ap; 1037 // va_start(ap, fmt); 1038 // vprintf(fmt, ap); // Do NOT emit a warning about "fmt". 1039 // ... 1040 // 1041 // 1042 // FIXME: We don't have full attribute support yet, so just check to see 1043 // if the argument is a DeclRefExpr that references a parameter. We'll 1044 // add proper support for checking the attribute later. 1045 if (HasVAListArg) 1046 if (isa<ParmVarDecl>(VD)) 1047 return true; 1048 } 1049 1050 return false; 1051 } 1052 1053 case Stmt::CallExprClass: { 1054 const CallExpr *CE = cast<CallExpr>(E); 1055 if (const ImplicitCastExpr *ICE 1056 = dyn_cast<ImplicitCastExpr>(CE->getCallee())) { 1057 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(ICE->getSubExpr())) { 1058 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(DRE->getDecl())) { 1059 if (const FormatArgAttr *FA = FD->getAttr<FormatArgAttr>()) { 1060 unsigned ArgIndex = FA->getFormatIdx(); 1061 const Expr *Arg = CE->getArg(ArgIndex - 1); 1062 1063 return SemaCheckStringLiteral(Arg, TheCall, HasVAListArg, 1064 format_idx, firstDataArg, isPrintf); 1065 } 1066 } 1067 } 1068 } 1069 1070 return false; 1071 } 1072 case Stmt::ObjCStringLiteralClass: 1073 case Stmt::StringLiteralClass: { 1074 const StringLiteral *StrE = NULL; 1075 1076 if (const ObjCStringLiteral *ObjCFExpr = dyn_cast<ObjCStringLiteral>(E)) 1077 StrE = ObjCFExpr->getString(); 1078 else 1079 StrE = cast<StringLiteral>(E); 1080 1081 if (StrE) { 1082 CheckFormatString(StrE, E, TheCall, HasVAListArg, format_idx, 1083 firstDataArg, isPrintf); 1084 return true; 1085 } 1086 1087 return false; 1088 } 1089 1090 default: 1091 return false; 1092 } 1093} 1094 1095void 1096Sema::CheckNonNullArguments(const NonNullAttr *NonNull, 1097 const Expr * const *ExprArgs, 1098 SourceLocation CallSiteLoc) { 1099 for (NonNullAttr::args_iterator i = NonNull->args_begin(), 1100 e = NonNull->args_end(); 1101 i != e; ++i) { 1102 const Expr *ArgExpr = ExprArgs[*i]; 1103 if (ArgExpr->isNullPointerConstant(Context, 1104 Expr::NPC_ValueDependentIsNotNull)) 1105 Diag(CallSiteLoc, diag::warn_null_arg) << ArgExpr->getSourceRange(); 1106 } 1107} 1108 1109/// CheckPrintfScanfArguments - Check calls to printf and scanf (and similar 1110/// functions) for correct use of format strings. 1111void 1112Sema::CheckPrintfScanfArguments(const CallExpr *TheCall, bool HasVAListArg, 1113 unsigned format_idx, unsigned firstDataArg, 1114 bool isPrintf) { 1115 1116 const Expr *Fn = TheCall->getCallee(); 1117 1118 // The way the format attribute works in GCC, the implicit this argument 1119 // of member functions is counted. However, it doesn't appear in our own 1120 // lists, so decrement format_idx in that case. 1121 if (isa<CXXMemberCallExpr>(TheCall)) { 1122 const CXXMethodDecl *method_decl = 1123 dyn_cast<CXXMethodDecl>(TheCall->getCalleeDecl()); 1124 if (method_decl && method_decl->isInstance()) { 1125 // Catch a format attribute mistakenly referring to the object argument. 1126 if (format_idx == 0) 1127 return; 1128 --format_idx; 1129 if(firstDataArg != 0) 1130 --firstDataArg; 1131 } 1132 } 1133 1134 // CHECK: printf/scanf-like function is called with no format string. 1135 if (format_idx >= TheCall->getNumArgs()) { 1136 Diag(TheCall->getRParenLoc(), diag::warn_missing_format_string) 1137 << Fn->getSourceRange(); 1138 return; 1139 } 1140 1141 const Expr *OrigFormatExpr = TheCall->getArg(format_idx)->IgnoreParenCasts(); 1142 1143 // CHECK: format string is not a string literal. 1144 // 1145 // Dynamically generated format strings are difficult to 1146 // automatically vet at compile time. Requiring that format strings 1147 // are string literals: (1) permits the checking of format strings by 1148 // the compiler and thereby (2) can practically remove the source of 1149 // many format string exploits. 1150 1151 // Format string can be either ObjC string (e.g. @"%d") or 1152 // C string (e.g. "%d") 1153 // ObjC string uses the same format specifiers as C string, so we can use 1154 // the same format string checking logic for both ObjC and C strings. 1155 if (SemaCheckStringLiteral(OrigFormatExpr, TheCall, HasVAListArg, format_idx, 1156 firstDataArg, isPrintf)) 1157 return; // Literal format string found, check done! 1158 1159 // If there are no arguments specified, warn with -Wformat-security, otherwise 1160 // warn only with -Wformat-nonliteral. 1161 if (TheCall->getNumArgs() == format_idx+1) 1162 Diag(TheCall->getArg(format_idx)->getLocStart(), 1163 diag::warn_format_nonliteral_noargs) 1164 << OrigFormatExpr->getSourceRange(); 1165 else 1166 Diag(TheCall->getArg(format_idx)->getLocStart(), 1167 diag::warn_format_nonliteral) 1168 << OrigFormatExpr->getSourceRange(); 1169} 1170 1171namespace { 1172class CheckFormatHandler : public analyze_format_string::FormatStringHandler { 1173protected: 1174 Sema &S; 1175 const StringLiteral *FExpr; 1176 const Expr *OrigFormatExpr; 1177 const unsigned FirstDataArg; 1178 const unsigned NumDataArgs; 1179 const bool IsObjCLiteral; 1180 const char *Beg; // Start of format string. 1181 const bool HasVAListArg; 1182 const CallExpr *TheCall; 1183 unsigned FormatIdx; 1184 llvm::BitVector CoveredArgs; 1185 bool usesPositionalArgs; 1186 bool atFirstArg; 1187public: 1188 CheckFormatHandler(Sema &s, const StringLiteral *fexpr, 1189 const Expr *origFormatExpr, unsigned firstDataArg, 1190 unsigned numDataArgs, bool isObjCLiteral, 1191 const char *beg, bool hasVAListArg, 1192 const CallExpr *theCall, unsigned formatIdx) 1193 : S(s), FExpr(fexpr), OrigFormatExpr(origFormatExpr), 1194 FirstDataArg(firstDataArg), 1195 NumDataArgs(numDataArgs), 1196 IsObjCLiteral(isObjCLiteral), Beg(beg), 1197 HasVAListArg(hasVAListArg), 1198 TheCall(theCall), FormatIdx(formatIdx), 1199 usesPositionalArgs(false), atFirstArg(true) { 1200 CoveredArgs.resize(numDataArgs); 1201 CoveredArgs.reset(); 1202 } 1203 1204 void DoneProcessing(); 1205 1206 void HandleIncompleteSpecifier(const char *startSpecifier, 1207 unsigned specifierLen); 1208 1209 virtual void HandleInvalidPosition(const char *startSpecifier, 1210 unsigned specifierLen, 1211 analyze_format_string::PositionContext p); 1212 1213 virtual void HandleZeroPosition(const char *startPos, unsigned posLen); 1214 1215 void HandleNullChar(const char *nullCharacter); 1216 1217protected: 1218 bool HandleInvalidConversionSpecifier(unsigned argIndex, SourceLocation Loc, 1219 const char *startSpec, 1220 unsigned specifierLen, 1221 const char *csStart, unsigned csLen); 1222 1223 SourceRange getFormatStringRange(); 1224 CharSourceRange getSpecifierRange(const char *startSpecifier, 1225 unsigned specifierLen); 1226 SourceLocation getLocationOfByte(const char *x); 1227 1228 const Expr *getDataArg(unsigned i) const; 1229 1230 bool CheckNumArgs(const analyze_format_string::FormatSpecifier &FS, 1231 const analyze_format_string::ConversionSpecifier &CS, 1232 const char *startSpecifier, unsigned specifierLen, 1233 unsigned argIndex); 1234}; 1235} 1236 1237SourceRange CheckFormatHandler::getFormatStringRange() { 1238 return OrigFormatExpr->getSourceRange(); 1239} 1240 1241CharSourceRange CheckFormatHandler:: 1242getSpecifierRange(const char *startSpecifier, unsigned specifierLen) { 1243 SourceLocation Start = getLocationOfByte(startSpecifier); 1244 SourceLocation End = getLocationOfByte(startSpecifier + specifierLen - 1); 1245 1246 // Advance the end SourceLocation by one due to half-open ranges. 1247 End = End.getFileLocWithOffset(1); 1248 1249 return CharSourceRange::getCharRange(Start, End); 1250} 1251 1252SourceLocation CheckFormatHandler::getLocationOfByte(const char *x) { 1253 return S.getLocationOfStringLiteralByte(FExpr, x - Beg); 1254} 1255 1256void CheckFormatHandler::HandleIncompleteSpecifier(const char *startSpecifier, 1257 unsigned specifierLen){ 1258 SourceLocation Loc = getLocationOfByte(startSpecifier); 1259 S.Diag(Loc, diag::warn_printf_incomplete_specifier) 1260 << getSpecifierRange(startSpecifier, specifierLen); 1261} 1262 1263void 1264CheckFormatHandler::HandleInvalidPosition(const char *startPos, unsigned posLen, 1265 analyze_format_string::PositionContext p) { 1266 SourceLocation Loc = getLocationOfByte(startPos); 1267 S.Diag(Loc, diag::warn_format_invalid_positional_specifier) 1268 << (unsigned) p << getSpecifierRange(startPos, posLen); 1269} 1270 1271void CheckFormatHandler::HandleZeroPosition(const char *startPos, 1272 unsigned posLen) { 1273 SourceLocation Loc = getLocationOfByte(startPos); 1274 S.Diag(Loc, diag::warn_format_zero_positional_specifier) 1275 << getSpecifierRange(startPos, posLen); 1276} 1277 1278void CheckFormatHandler::HandleNullChar(const char *nullCharacter) { 1279 if (!IsObjCLiteral) { 1280 // The presence of a null character is likely an error. 1281 S.Diag(getLocationOfByte(nullCharacter), 1282 diag::warn_printf_format_string_contains_null_char) 1283 << getFormatStringRange(); 1284 } 1285} 1286 1287const Expr *CheckFormatHandler::getDataArg(unsigned i) const { 1288 return TheCall->getArg(FirstDataArg + i); 1289} 1290 1291void CheckFormatHandler::DoneProcessing() { 1292 // Does the number of data arguments exceed the number of 1293 // format conversions in the format string? 1294 if (!HasVAListArg) { 1295 // Find any arguments that weren't covered. 1296 CoveredArgs.flip(); 1297 signed notCoveredArg = CoveredArgs.find_first(); 1298 if (notCoveredArg >= 0) { 1299 assert((unsigned)notCoveredArg < NumDataArgs); 1300 S.Diag(getDataArg((unsigned) notCoveredArg)->getLocStart(), 1301 diag::warn_printf_data_arg_not_used) 1302 << getFormatStringRange(); 1303 } 1304 } 1305} 1306 1307bool 1308CheckFormatHandler::HandleInvalidConversionSpecifier(unsigned argIndex, 1309 SourceLocation Loc, 1310 const char *startSpec, 1311 unsigned specifierLen, 1312 const char *csStart, 1313 unsigned csLen) { 1314 1315 bool keepGoing = true; 1316 if (argIndex < NumDataArgs) { 1317 // Consider the argument coverered, even though the specifier doesn't 1318 // make sense. 1319 CoveredArgs.set(argIndex); 1320 } 1321 else { 1322 // If argIndex exceeds the number of data arguments we 1323 // don't issue a warning because that is just a cascade of warnings (and 1324 // they may have intended '%%' anyway). We don't want to continue processing 1325 // the format string after this point, however, as we will like just get 1326 // gibberish when trying to match arguments. 1327 keepGoing = false; 1328 } 1329 1330 S.Diag(Loc, diag::warn_format_invalid_conversion) 1331 << StringRef(csStart, csLen) 1332 << getSpecifierRange(startSpec, specifierLen); 1333 1334 return keepGoing; 1335} 1336 1337bool 1338CheckFormatHandler::CheckNumArgs( 1339 const analyze_format_string::FormatSpecifier &FS, 1340 const analyze_format_string::ConversionSpecifier &CS, 1341 const char *startSpecifier, unsigned specifierLen, unsigned argIndex) { 1342 1343 if (argIndex >= NumDataArgs) { 1344 if (FS.usesPositionalArg()) { 1345 S.Diag(getLocationOfByte(CS.getStart()), 1346 diag::warn_printf_positional_arg_exceeds_data_args) 1347 << (argIndex+1) << NumDataArgs 1348 << getSpecifierRange(startSpecifier, specifierLen); 1349 } 1350 else { 1351 S.Diag(getLocationOfByte(CS.getStart()), 1352 diag::warn_printf_insufficient_data_args) 1353 << getSpecifierRange(startSpecifier, specifierLen); 1354 } 1355 1356 return false; 1357 } 1358 return true; 1359} 1360 1361//===--- CHECK: Printf format string checking ------------------------------===// 1362 1363namespace { 1364class CheckPrintfHandler : public CheckFormatHandler { 1365public: 1366 CheckPrintfHandler(Sema &s, const StringLiteral *fexpr, 1367 const Expr *origFormatExpr, unsigned firstDataArg, 1368 unsigned numDataArgs, bool isObjCLiteral, 1369 const char *beg, bool hasVAListArg, 1370 const CallExpr *theCall, unsigned formatIdx) 1371 : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg, 1372 numDataArgs, isObjCLiteral, beg, hasVAListArg, 1373 theCall, formatIdx) {} 1374 1375 1376 bool HandleInvalidPrintfConversionSpecifier( 1377 const analyze_printf::PrintfSpecifier &FS, 1378 const char *startSpecifier, 1379 unsigned specifierLen); 1380 1381 bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS, 1382 const char *startSpecifier, 1383 unsigned specifierLen); 1384 1385 bool HandleAmount(const analyze_format_string::OptionalAmount &Amt, unsigned k, 1386 const char *startSpecifier, unsigned specifierLen); 1387 void HandleInvalidAmount(const analyze_printf::PrintfSpecifier &FS, 1388 const analyze_printf::OptionalAmount &Amt, 1389 unsigned type, 1390 const char *startSpecifier, unsigned specifierLen); 1391 void HandleFlag(const analyze_printf::PrintfSpecifier &FS, 1392 const analyze_printf::OptionalFlag &flag, 1393 const char *startSpecifier, unsigned specifierLen); 1394 void HandleIgnoredFlag(const analyze_printf::PrintfSpecifier &FS, 1395 const analyze_printf::OptionalFlag &ignoredFlag, 1396 const analyze_printf::OptionalFlag &flag, 1397 const char *startSpecifier, unsigned specifierLen); 1398}; 1399} 1400 1401bool CheckPrintfHandler::HandleInvalidPrintfConversionSpecifier( 1402 const analyze_printf::PrintfSpecifier &FS, 1403 const char *startSpecifier, 1404 unsigned specifierLen) { 1405 const analyze_printf::PrintfConversionSpecifier &CS = 1406 FS.getConversionSpecifier(); 1407 1408 return HandleInvalidConversionSpecifier(FS.getArgIndex(), 1409 getLocationOfByte(CS.getStart()), 1410 startSpecifier, specifierLen, 1411 CS.getStart(), CS.getLength()); 1412} 1413 1414bool CheckPrintfHandler::HandleAmount( 1415 const analyze_format_string::OptionalAmount &Amt, 1416 unsigned k, const char *startSpecifier, 1417 unsigned specifierLen) { 1418 1419 if (Amt.hasDataArgument()) { 1420 if (!HasVAListArg) { 1421 unsigned argIndex = Amt.getArgIndex(); 1422 if (argIndex >= NumDataArgs) { 1423 S.Diag(getLocationOfByte(Amt.getStart()), 1424 diag::warn_printf_asterisk_missing_arg) 1425 << k << getSpecifierRange(startSpecifier, specifierLen); 1426 // Don't do any more checking. We will just emit 1427 // spurious errors. 1428 return false; 1429 } 1430 1431 // Type check the data argument. It should be an 'int'. 1432 // Although not in conformance with C99, we also allow the argument to be 1433 // an 'unsigned int' as that is a reasonably safe case. GCC also 1434 // doesn't emit a warning for that case. 1435 CoveredArgs.set(argIndex); 1436 const Expr *Arg = getDataArg(argIndex); 1437 QualType T = Arg->getType(); 1438 1439 const analyze_printf::ArgTypeResult &ATR = Amt.getArgType(S.Context); 1440 assert(ATR.isValid()); 1441 1442 if (!ATR.matchesType(S.Context, T)) { 1443 S.Diag(getLocationOfByte(Amt.getStart()), 1444 diag::warn_printf_asterisk_wrong_type) 1445 << k 1446 << ATR.getRepresentativeType(S.Context) << T 1447 << getSpecifierRange(startSpecifier, specifierLen) 1448 << Arg->getSourceRange(); 1449 // Don't do any more checking. We will just emit 1450 // spurious errors. 1451 return false; 1452 } 1453 } 1454 } 1455 return true; 1456} 1457 1458void CheckPrintfHandler::HandleInvalidAmount( 1459 const analyze_printf::PrintfSpecifier &FS, 1460 const analyze_printf::OptionalAmount &Amt, 1461 unsigned type, 1462 const char *startSpecifier, 1463 unsigned specifierLen) { 1464 const analyze_printf::PrintfConversionSpecifier &CS = 1465 FS.getConversionSpecifier(); 1466 switch (Amt.getHowSpecified()) { 1467 case analyze_printf::OptionalAmount::Constant: 1468 S.Diag(getLocationOfByte(Amt.getStart()), 1469 diag::warn_printf_nonsensical_optional_amount) 1470 << type 1471 << CS.toString() 1472 << getSpecifierRange(startSpecifier, specifierLen) 1473 << FixItHint::CreateRemoval(getSpecifierRange(Amt.getStart(), 1474 Amt.getConstantLength())); 1475 break; 1476 1477 default: 1478 S.Diag(getLocationOfByte(Amt.getStart()), 1479 diag::warn_printf_nonsensical_optional_amount) 1480 << type 1481 << CS.toString() 1482 << getSpecifierRange(startSpecifier, specifierLen); 1483 break; 1484 } 1485} 1486 1487void CheckPrintfHandler::HandleFlag(const analyze_printf::PrintfSpecifier &FS, 1488 const analyze_printf::OptionalFlag &flag, 1489 const char *startSpecifier, 1490 unsigned specifierLen) { 1491 // Warn about pointless flag with a fixit removal. 1492 const analyze_printf::PrintfConversionSpecifier &CS = 1493 FS.getConversionSpecifier(); 1494 S.Diag(getLocationOfByte(flag.getPosition()), 1495 diag::warn_printf_nonsensical_flag) 1496 << flag.toString() << CS.toString() 1497 << getSpecifierRange(startSpecifier, specifierLen) 1498 << FixItHint::CreateRemoval(getSpecifierRange(flag.getPosition(), 1)); 1499} 1500 1501void CheckPrintfHandler::HandleIgnoredFlag( 1502 const analyze_printf::PrintfSpecifier &FS, 1503 const analyze_printf::OptionalFlag &ignoredFlag, 1504 const analyze_printf::OptionalFlag &flag, 1505 const char *startSpecifier, 1506 unsigned specifierLen) { 1507 // Warn about ignored flag with a fixit removal. 1508 S.Diag(getLocationOfByte(ignoredFlag.getPosition()), 1509 diag::warn_printf_ignored_flag) 1510 << ignoredFlag.toString() << flag.toString() 1511 << getSpecifierRange(startSpecifier, specifierLen) 1512 << FixItHint::CreateRemoval(getSpecifierRange( 1513 ignoredFlag.getPosition(), 1)); 1514} 1515 1516bool 1517CheckPrintfHandler::HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier 1518 &FS, 1519 const char *startSpecifier, 1520 unsigned specifierLen) { 1521 1522 using namespace analyze_format_string; 1523 using namespace analyze_printf; 1524 const PrintfConversionSpecifier &CS = FS.getConversionSpecifier(); 1525 1526 if (FS.consumesDataArgument()) { 1527 if (atFirstArg) { 1528 atFirstArg = false; 1529 usesPositionalArgs = FS.usesPositionalArg(); 1530 } 1531 else if (usesPositionalArgs != FS.usesPositionalArg()) { 1532 // Cannot mix-and-match positional and non-positional arguments. 1533 S.Diag(getLocationOfByte(CS.getStart()), 1534 diag::warn_format_mix_positional_nonpositional_args) 1535 << getSpecifierRange(startSpecifier, specifierLen); 1536 return false; 1537 } 1538 } 1539 1540 // First check if the field width, precision, and conversion specifier 1541 // have matching data arguments. 1542 if (!HandleAmount(FS.getFieldWidth(), /* field width */ 0, 1543 startSpecifier, specifierLen)) { 1544 return false; 1545 } 1546 1547 if (!HandleAmount(FS.getPrecision(), /* precision */ 1, 1548 startSpecifier, specifierLen)) { 1549 return false; 1550 } 1551 1552 if (!CS.consumesDataArgument()) { 1553 // FIXME: Technically specifying a precision or field width here 1554 // makes no sense. Worth issuing a warning at some point. 1555 return true; 1556 } 1557 1558 // Consume the argument. 1559 unsigned argIndex = FS.getArgIndex(); 1560 if (argIndex < NumDataArgs) { 1561 // The check to see if the argIndex is valid will come later. 1562 // We set the bit here because we may exit early from this 1563 // function if we encounter some other error. 1564 CoveredArgs.set(argIndex); 1565 } 1566 1567 // Check for using an Objective-C specific conversion specifier 1568 // in a non-ObjC literal. 1569 if (!IsObjCLiteral && CS.isObjCArg()) { 1570 return HandleInvalidPrintfConversionSpecifier(FS, startSpecifier, 1571 specifierLen); 1572 } 1573 1574 // Check for invalid use of field width 1575 if (!FS.hasValidFieldWidth()) { 1576 HandleInvalidAmount(FS, FS.getFieldWidth(), /* field width */ 0, 1577 startSpecifier, specifierLen); 1578 } 1579 1580 // Check for invalid use of precision 1581 if (!FS.hasValidPrecision()) { 1582 HandleInvalidAmount(FS, FS.getPrecision(), /* precision */ 1, 1583 startSpecifier, specifierLen); 1584 } 1585 1586 // Check each flag does not conflict with any other component. 1587 if (!FS.hasValidThousandsGroupingPrefix()) 1588 HandleFlag(FS, FS.hasThousandsGrouping(), startSpecifier, specifierLen); 1589 if (!FS.hasValidLeadingZeros()) 1590 HandleFlag(FS, FS.hasLeadingZeros(), startSpecifier, specifierLen); 1591 if (!FS.hasValidPlusPrefix()) 1592 HandleFlag(FS, FS.hasPlusPrefix(), startSpecifier, specifierLen); 1593 if (!FS.hasValidSpacePrefix()) 1594 HandleFlag(FS, FS.hasSpacePrefix(), startSpecifier, specifierLen); 1595 if (!FS.hasValidAlternativeForm()) 1596 HandleFlag(FS, FS.hasAlternativeForm(), startSpecifier, specifierLen); 1597 if (!FS.hasValidLeftJustified()) 1598 HandleFlag(FS, FS.isLeftJustified(), startSpecifier, specifierLen); 1599 1600 // Check that flags are not ignored by another flag 1601 if (FS.hasSpacePrefix() && FS.hasPlusPrefix()) // ' ' ignored by '+' 1602 HandleIgnoredFlag(FS, FS.hasSpacePrefix(), FS.hasPlusPrefix(), 1603 startSpecifier, specifierLen); 1604 if (FS.hasLeadingZeros() && FS.isLeftJustified()) // '0' ignored by '-' 1605 HandleIgnoredFlag(FS, FS.hasLeadingZeros(), FS.isLeftJustified(), 1606 startSpecifier, specifierLen); 1607 1608 // Check the length modifier is valid with the given conversion specifier. 1609 const LengthModifier &LM = FS.getLengthModifier(); 1610 if (!FS.hasValidLengthModifier()) 1611 S.Diag(getLocationOfByte(LM.getStart()), 1612 diag::warn_format_nonsensical_length) 1613 << LM.toString() << CS.toString() 1614 << getSpecifierRange(startSpecifier, specifierLen) 1615 << FixItHint::CreateRemoval(getSpecifierRange(LM.getStart(), 1616 LM.getLength())); 1617 1618 // Are we using '%n'? 1619 if (CS.getKind() == ConversionSpecifier::nArg) { 1620 // Issue a warning about this being a possible security issue. 1621 S.Diag(getLocationOfByte(CS.getStart()), diag::warn_printf_write_back) 1622 << getSpecifierRange(startSpecifier, specifierLen); 1623 // Continue checking the other format specifiers. 1624 return true; 1625 } 1626 1627 // The remaining checks depend on the data arguments. 1628 if (HasVAListArg) 1629 return true; 1630 1631 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex)) 1632 return false; 1633 1634 // Now type check the data expression that matches the 1635 // format specifier. 1636 const Expr *Ex = getDataArg(argIndex); 1637 const analyze_printf::ArgTypeResult &ATR = FS.getArgType(S.Context); 1638 if (ATR.isValid() && !ATR.matchesType(S.Context, Ex->getType())) { 1639 // Check if we didn't match because of an implicit cast from a 'char' 1640 // or 'short' to an 'int'. This is done because printf is a varargs 1641 // function. 1642 if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Ex)) 1643 if (ICE->getType() == S.Context.IntTy) { 1644 // All further checking is done on the subexpression. 1645 Ex = ICE->getSubExpr(); 1646 if (ATR.matchesType(S.Context, Ex->getType())) 1647 return true; 1648 } 1649 1650 // We may be able to offer a FixItHint if it is a supported type. 1651 PrintfSpecifier fixedFS = FS; 1652 bool success = fixedFS.fixType(Ex->getType()); 1653 1654 if (success) { 1655 // Get the fix string from the fixed format specifier 1656 llvm::SmallString<128> buf; 1657 llvm::raw_svector_ostream os(buf); 1658 fixedFS.toString(os); 1659 1660 // FIXME: getRepresentativeType() perhaps should return a string 1661 // instead of a QualType to better handle when the representative 1662 // type is 'wint_t' (which is defined in the system headers). 1663 S.Diag(getLocationOfByte(CS.getStart()), 1664 diag::warn_printf_conversion_argument_type_mismatch) 1665 << ATR.getRepresentativeType(S.Context) << Ex->getType() 1666 << getSpecifierRange(startSpecifier, specifierLen) 1667 << Ex->getSourceRange() 1668 << FixItHint::CreateReplacement( 1669 getSpecifierRange(startSpecifier, specifierLen), 1670 os.str()); 1671 } 1672 else { 1673 S.Diag(getLocationOfByte(CS.getStart()), 1674 diag::warn_printf_conversion_argument_type_mismatch) 1675 << ATR.getRepresentativeType(S.Context) << Ex->getType() 1676 << getSpecifierRange(startSpecifier, specifierLen) 1677 << Ex->getSourceRange(); 1678 } 1679 } 1680 1681 return true; 1682} 1683 1684//===--- CHECK: Scanf format string checking ------------------------------===// 1685 1686namespace { 1687class CheckScanfHandler : public CheckFormatHandler { 1688public: 1689 CheckScanfHandler(Sema &s, const StringLiteral *fexpr, 1690 const Expr *origFormatExpr, unsigned firstDataArg, 1691 unsigned numDataArgs, bool isObjCLiteral, 1692 const char *beg, bool hasVAListArg, 1693 const CallExpr *theCall, unsigned formatIdx) 1694 : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg, 1695 numDataArgs, isObjCLiteral, beg, hasVAListArg, 1696 theCall, formatIdx) {} 1697 1698 bool HandleScanfSpecifier(const analyze_scanf::ScanfSpecifier &FS, 1699 const char *startSpecifier, 1700 unsigned specifierLen); 1701 1702 bool HandleInvalidScanfConversionSpecifier( 1703 const analyze_scanf::ScanfSpecifier &FS, 1704 const char *startSpecifier, 1705 unsigned specifierLen); 1706 1707 void HandleIncompleteScanList(const char *start, const char *end); 1708}; 1709} 1710 1711void CheckScanfHandler::HandleIncompleteScanList(const char *start, 1712 const char *end) { 1713 S.Diag(getLocationOfByte(end), diag::warn_scanf_scanlist_incomplete) 1714 << getSpecifierRange(start, end - start); 1715} 1716 1717bool CheckScanfHandler::HandleInvalidScanfConversionSpecifier( 1718 const analyze_scanf::ScanfSpecifier &FS, 1719 const char *startSpecifier, 1720 unsigned specifierLen) { 1721 1722 const analyze_scanf::ScanfConversionSpecifier &CS = 1723 FS.getConversionSpecifier(); 1724 1725 return HandleInvalidConversionSpecifier(FS.getArgIndex(), 1726 getLocationOfByte(CS.getStart()), 1727 startSpecifier, specifierLen, 1728 CS.getStart(), CS.getLength()); 1729} 1730 1731bool CheckScanfHandler::HandleScanfSpecifier( 1732 const analyze_scanf::ScanfSpecifier &FS, 1733 const char *startSpecifier, 1734 unsigned specifierLen) { 1735 1736 using namespace analyze_scanf; 1737 using namespace analyze_format_string; 1738 1739 const ScanfConversionSpecifier &CS = FS.getConversionSpecifier(); 1740 1741 // Handle case where '%' and '*' don't consume an argument. These shouldn't 1742 // be used to decide if we are using positional arguments consistently. 1743 if (FS.consumesDataArgument()) { 1744 if (atFirstArg) { 1745 atFirstArg = false; 1746 usesPositionalArgs = FS.usesPositionalArg(); 1747 } 1748 else if (usesPositionalArgs != FS.usesPositionalArg()) { 1749 // Cannot mix-and-match positional and non-positional arguments. 1750 S.Diag(getLocationOfByte(CS.getStart()), 1751 diag::warn_format_mix_positional_nonpositional_args) 1752 << getSpecifierRange(startSpecifier, specifierLen); 1753 return false; 1754 } 1755 } 1756 1757 // Check if the field with is non-zero. 1758 const OptionalAmount &Amt = FS.getFieldWidth(); 1759 if (Amt.getHowSpecified() == OptionalAmount::Constant) { 1760 if (Amt.getConstantAmount() == 0) { 1761 const CharSourceRange &R = getSpecifierRange(Amt.getStart(), 1762 Amt.getConstantLength()); 1763 S.Diag(getLocationOfByte(Amt.getStart()), 1764 diag::warn_scanf_nonzero_width) 1765 << R << FixItHint::CreateRemoval(R); 1766 } 1767 } 1768 1769 if (!FS.consumesDataArgument()) { 1770 // FIXME: Technically specifying a precision or field width here 1771 // makes no sense. Worth issuing a warning at some point. 1772 return true; 1773 } 1774 1775 // Consume the argument. 1776 unsigned argIndex = FS.getArgIndex(); 1777 if (argIndex < NumDataArgs) { 1778 // The check to see if the argIndex is valid will come later. 1779 // We set the bit here because we may exit early from this 1780 // function if we encounter some other error. 1781 CoveredArgs.set(argIndex); 1782 } 1783 1784 // Check the length modifier is valid with the given conversion specifier. 1785 const LengthModifier &LM = FS.getLengthModifier(); 1786 if (!FS.hasValidLengthModifier()) { 1787 S.Diag(getLocationOfByte(LM.getStart()), 1788 diag::warn_format_nonsensical_length) 1789 << LM.toString() << CS.toString() 1790 << getSpecifierRange(startSpecifier, specifierLen) 1791 << FixItHint::CreateRemoval(getSpecifierRange(LM.getStart(), 1792 LM.getLength())); 1793 } 1794 1795 // The remaining checks depend on the data arguments. 1796 if (HasVAListArg) 1797 return true; 1798 1799 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex)) 1800 return false; 1801 1802 // FIXME: Check that the argument type matches the format specifier. 1803 1804 return true; 1805} 1806 1807void Sema::CheckFormatString(const StringLiteral *FExpr, 1808 const Expr *OrigFormatExpr, 1809 const CallExpr *TheCall, bool HasVAListArg, 1810 unsigned format_idx, unsigned firstDataArg, 1811 bool isPrintf) { 1812 1813 // CHECK: is the format string a wide literal? 1814 if (!FExpr->isAscii()) { 1815 Diag(FExpr->getLocStart(), 1816 diag::warn_format_string_is_wide_literal) 1817 << OrigFormatExpr->getSourceRange(); 1818 return; 1819 } 1820 1821 // Str - The format string. NOTE: this is NOT null-terminated! 1822 StringRef StrRef = FExpr->getString(); 1823 const char *Str = StrRef.data(); 1824 unsigned StrLen = StrRef.size(); 1825 1826 // CHECK: empty format string? 1827 if (StrLen == 0) { 1828 Diag(FExpr->getLocStart(), diag::warn_empty_format_string) 1829 << OrigFormatExpr->getSourceRange(); 1830 return; 1831 } 1832 1833 if (isPrintf) { 1834 CheckPrintfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, 1835 TheCall->getNumArgs() - firstDataArg, 1836 isa<ObjCStringLiteral>(OrigFormatExpr), Str, 1837 HasVAListArg, TheCall, format_idx); 1838 1839 if (!analyze_format_string::ParsePrintfString(H, Str, Str + StrLen)) 1840 H.DoneProcessing(); 1841 } 1842 else { 1843 CheckScanfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, 1844 TheCall->getNumArgs() - firstDataArg, 1845 isa<ObjCStringLiteral>(OrigFormatExpr), Str, 1846 HasVAListArg, TheCall, format_idx); 1847 1848 if (!analyze_format_string::ParseScanfString(H, Str, Str + StrLen)) 1849 H.DoneProcessing(); 1850 } 1851} 1852 1853//===--- CHECK: Standard memory functions ---------------------------------===// 1854 1855/// \brief Determine whether the given type is a dynamic class type (e.g., 1856/// whether it has a vtable). 1857static bool isDynamicClassType(QualType T) { 1858 if (CXXRecordDecl *Record = T->getAsCXXRecordDecl()) 1859 if (CXXRecordDecl *Definition = Record->getDefinition()) 1860 if (Definition->isDynamicClass()) 1861 return true; 1862 1863 return false; 1864} 1865 1866/// \brief If E is a sizeof expression, returns its argument expression, 1867/// otherwise returns NULL. 1868static const Expr *getSizeOfExprArg(const Expr* E) { 1869 if (const UnaryExprOrTypeTraitExpr *SizeOf = 1870 dyn_cast<UnaryExprOrTypeTraitExpr>(E)) 1871 if (SizeOf->getKind() == clang::UETT_SizeOf && !SizeOf->isArgumentType()) 1872 return SizeOf->getArgumentExpr()->IgnoreParenImpCasts(); 1873 1874 return 0; 1875} 1876 1877/// \brief If E is a sizeof expression, returns its argument type. 1878static QualType getSizeOfArgType(const Expr* E) { 1879 if (const UnaryExprOrTypeTraitExpr *SizeOf = 1880 dyn_cast<UnaryExprOrTypeTraitExpr>(E)) 1881 if (SizeOf->getKind() == clang::UETT_SizeOf) 1882 return SizeOf->getTypeOfArgument(); 1883 1884 return QualType(); 1885} 1886 1887/// \brief Check for dangerous or invalid arguments to memset(). 1888/// 1889/// This issues warnings on known problematic, dangerous or unspecified 1890/// arguments to the standard 'memset', 'memcpy', 'memmove', and 'memcmp' 1891/// function calls. 1892/// 1893/// \param Call The call expression to diagnose. 1894void Sema::CheckMemaccessArguments(const CallExpr *Call, 1895 CheckedMemoryFunction CMF, 1896 IdentifierInfo *FnName) { 1897 // It is possible to have a non-standard definition of memset. Validate 1898 // we have enough arguments, and if not, abort further checking. 1899 if (Call->getNumArgs() < 3) 1900 return; 1901 1902 unsigned LastArg = (CMF == CMF_Memset? 1 : 2); 1903 const Expr *LenExpr = Call->getArg(2)->IgnoreParenImpCasts(); 1904 1905 // We have special checking when the length is a sizeof expression. 1906 QualType SizeOfArgTy = getSizeOfArgType(LenExpr); 1907 const Expr *SizeOfArg = getSizeOfExprArg(LenExpr); 1908 llvm::FoldingSetNodeID SizeOfArgID; 1909 1910 for (unsigned ArgIdx = 0; ArgIdx != LastArg; ++ArgIdx) { 1911 const Expr *Dest = Call->getArg(ArgIdx)->IgnoreParenImpCasts(); 1912 SourceRange ArgRange = Call->getArg(ArgIdx)->getSourceRange(); 1913 1914 QualType DestTy = Dest->getType(); 1915 if (const PointerType *DestPtrTy = DestTy->getAs<PointerType>()) { 1916 QualType PointeeTy = DestPtrTy->getPointeeType(); 1917 1918 // Never warn about void type pointers. This can be used to suppress 1919 // false positives. 1920 if (PointeeTy->isVoidType()) 1921 continue; 1922 1923 // Catch "memset(p, 0, sizeof(p))" -- needs to be sizeof(*p). Do this by 1924 // actually comparing the expressions for equality. Because computing the 1925 // expression IDs can be expensive, we only do this if the diagnostic is 1926 // enabled. 1927 if (SizeOfArg && 1928 Diags.getDiagnosticLevel(diag::warn_sizeof_pointer_expr_memaccess, 1929 SizeOfArg->getExprLoc())) { 1930 // We only compute IDs for expressions if the warning is enabled, and 1931 // cache the sizeof arg's ID. 1932 if (SizeOfArgID == llvm::FoldingSetNodeID()) 1933 SizeOfArg->Profile(SizeOfArgID, Context, true); 1934 llvm::FoldingSetNodeID DestID; 1935 Dest->Profile(DestID, Context, true); 1936 if (DestID == SizeOfArgID) { 1937 unsigned ActionIdx = 0; // Default is to suggest dereferencing. 1938 if (const UnaryOperator *UnaryOp = dyn_cast<UnaryOperator>(Dest)) 1939 if (UnaryOp->getOpcode() == UO_AddrOf) 1940 ActionIdx = 1; // If its an address-of operator, just remove it. 1941 if (Context.getTypeSize(PointeeTy) == Context.getCharWidth()) 1942 ActionIdx = 2; // If the pointee's size is sizeof(char), 1943 // suggest an explicit length. 1944 DiagRuntimeBehavior(SizeOfArg->getExprLoc(), Dest, 1945 PDiag(diag::warn_sizeof_pointer_expr_memaccess) 1946 << FnName << ArgIdx << ActionIdx 1947 << Dest->getSourceRange() 1948 << SizeOfArg->getSourceRange()); 1949 break; 1950 } 1951 } 1952 1953 // Also check for cases where the sizeof argument is the exact same 1954 // type as the memory argument, and where it points to a user-defined 1955 // record type. 1956 if (SizeOfArgTy != QualType()) { 1957 if (PointeeTy->isRecordType() && 1958 Context.typesAreCompatible(SizeOfArgTy, DestTy)) { 1959 DiagRuntimeBehavior(LenExpr->getExprLoc(), Dest, 1960 PDiag(diag::warn_sizeof_pointer_type_memaccess) 1961 << FnName << SizeOfArgTy << ArgIdx 1962 << PointeeTy << Dest->getSourceRange() 1963 << LenExpr->getSourceRange()); 1964 break; 1965 } 1966 } 1967 1968 unsigned DiagID; 1969 1970 // Always complain about dynamic classes. 1971 if (isDynamicClassType(PointeeTy)) 1972 DiagID = diag::warn_dyn_class_memaccess; 1973 else if (PointeeTy.hasNonTrivialObjCLifetime() && CMF != CMF_Memset) 1974 DiagID = diag::warn_arc_object_memaccess; 1975 else 1976 continue; 1977 1978 DiagRuntimeBehavior( 1979 Dest->getExprLoc(), Dest, 1980 PDiag(DiagID) 1981 << ArgIdx << FnName << PointeeTy 1982 << Call->getCallee()->getSourceRange()); 1983 1984 DiagRuntimeBehavior( 1985 Dest->getExprLoc(), Dest, 1986 PDiag(diag::note_bad_memaccess_silence) 1987 << FixItHint::CreateInsertion(ArgRange.getBegin(), "(void*)")); 1988 break; 1989 } 1990 } 1991} 1992 1993//===--- CHECK: Return Address of Stack Variable --------------------------===// 1994 1995static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars); 1996static Expr *EvalAddr(Expr* E, SmallVectorImpl<DeclRefExpr *> &refVars); 1997 1998/// CheckReturnStackAddr - Check if a return statement returns the address 1999/// of a stack variable. 2000void 2001Sema::CheckReturnStackAddr(Expr *RetValExp, QualType lhsType, 2002 SourceLocation ReturnLoc) { 2003 2004 Expr *stackE = 0; 2005 SmallVector<DeclRefExpr *, 8> refVars; 2006 2007 // Perform checking for returned stack addresses, local blocks, 2008 // label addresses or references to temporaries. 2009 if (lhsType->isPointerType() || 2010 (!getLangOptions().ObjCAutoRefCount && lhsType->isBlockPointerType())) { 2011 stackE = EvalAddr(RetValExp, refVars); 2012 } else if (lhsType->isReferenceType()) { 2013 stackE = EvalVal(RetValExp, refVars); 2014 } 2015 2016 if (stackE == 0) 2017 return; // Nothing suspicious was found. 2018 2019 SourceLocation diagLoc; 2020 SourceRange diagRange; 2021 if (refVars.empty()) { 2022 diagLoc = stackE->getLocStart(); 2023 diagRange = stackE->getSourceRange(); 2024 } else { 2025 // We followed through a reference variable. 'stackE' contains the 2026 // problematic expression but we will warn at the return statement pointing 2027 // at the reference variable. We will later display the "trail" of 2028 // reference variables using notes. 2029 diagLoc = refVars[0]->getLocStart(); 2030 diagRange = refVars[0]->getSourceRange(); 2031 } 2032 2033 if (DeclRefExpr *DR = dyn_cast<DeclRefExpr>(stackE)) { //address of local var. 2034 Diag(diagLoc, lhsType->isReferenceType() ? diag::warn_ret_stack_ref 2035 : diag::warn_ret_stack_addr) 2036 << DR->getDecl()->getDeclName() << diagRange; 2037 } else if (isa<BlockExpr>(stackE)) { // local block. 2038 Diag(diagLoc, diag::err_ret_local_block) << diagRange; 2039 } else if (isa<AddrLabelExpr>(stackE)) { // address of label. 2040 Diag(diagLoc, diag::warn_ret_addr_label) << diagRange; 2041 } else { // local temporary. 2042 Diag(diagLoc, lhsType->isReferenceType() ? diag::warn_ret_local_temp_ref 2043 : diag::warn_ret_local_temp_addr) 2044 << diagRange; 2045 } 2046 2047 // Display the "trail" of reference variables that we followed until we 2048 // found the problematic expression using notes. 2049 for (unsigned i = 0, e = refVars.size(); i != e; ++i) { 2050 VarDecl *VD = cast<VarDecl>(refVars[i]->getDecl()); 2051 // If this var binds to another reference var, show the range of the next 2052 // var, otherwise the var binds to the problematic expression, in which case 2053 // show the range of the expression. 2054 SourceRange range = (i < e-1) ? refVars[i+1]->getSourceRange() 2055 : stackE->getSourceRange(); 2056 Diag(VD->getLocation(), diag::note_ref_var_local_bind) 2057 << VD->getDeclName() << range; 2058 } 2059} 2060 2061/// EvalAddr - EvalAddr and EvalVal are mutually recursive functions that 2062/// check if the expression in a return statement evaluates to an address 2063/// to a location on the stack, a local block, an address of a label, or a 2064/// reference to local temporary. The recursion is used to traverse the 2065/// AST of the return expression, with recursion backtracking when we 2066/// encounter a subexpression that (1) clearly does not lead to one of the 2067/// above problematic expressions (2) is something we cannot determine leads to 2068/// a problematic expression based on such local checking. 2069/// 2070/// Both EvalAddr and EvalVal follow through reference variables to evaluate 2071/// the expression that they point to. Such variables are added to the 2072/// 'refVars' vector so that we know what the reference variable "trail" was. 2073/// 2074/// EvalAddr processes expressions that are pointers that are used as 2075/// references (and not L-values). EvalVal handles all other values. 2076/// At the base case of the recursion is a check for the above problematic 2077/// expressions. 2078/// 2079/// This implementation handles: 2080/// 2081/// * pointer-to-pointer casts 2082/// * implicit conversions from array references to pointers 2083/// * taking the address of fields 2084/// * arbitrary interplay between "&" and "*" operators 2085/// * pointer arithmetic from an address of a stack variable 2086/// * taking the address of an array element where the array is on the stack 2087static Expr *EvalAddr(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars) { 2088 if (E->isTypeDependent()) 2089 return NULL; 2090 2091 // We should only be called for evaluating pointer expressions. 2092 assert((E->getType()->isAnyPointerType() || 2093 E->getType()->isBlockPointerType() || 2094 E->getType()->isObjCQualifiedIdType()) && 2095 "EvalAddr only works on pointers"); 2096 2097 E = E->IgnoreParens(); 2098 2099 // Our "symbolic interpreter" is just a dispatch off the currently 2100 // viewed AST node. We then recursively traverse the AST by calling 2101 // EvalAddr and EvalVal appropriately. 2102 switch (E->getStmtClass()) { 2103 case Stmt::DeclRefExprClass: { 2104 DeclRefExpr *DR = cast<DeclRefExpr>(E); 2105 2106 if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) 2107 // If this is a reference variable, follow through to the expression that 2108 // it points to. 2109 if (V->hasLocalStorage() && 2110 V->getType()->isReferenceType() && V->hasInit()) { 2111 // Add the reference variable to the "trail". 2112 refVars.push_back(DR); 2113 return EvalAddr(V->getInit(), refVars); 2114 } 2115 2116 return NULL; 2117 } 2118 2119 case Stmt::UnaryOperatorClass: { 2120 // The only unary operator that make sense to handle here 2121 // is AddrOf. All others don't make sense as pointers. 2122 UnaryOperator *U = cast<UnaryOperator>(E); 2123 2124 if (U->getOpcode() == UO_AddrOf) 2125 return EvalVal(U->getSubExpr(), refVars); 2126 else 2127 return NULL; 2128 } 2129 2130 case Stmt::BinaryOperatorClass: { 2131 // Handle pointer arithmetic. All other binary operators are not valid 2132 // in this context. 2133 BinaryOperator *B = cast<BinaryOperator>(E); 2134 BinaryOperatorKind op = B->getOpcode(); 2135 2136 if (op != BO_Add && op != BO_Sub) 2137 return NULL; 2138 2139 Expr *Base = B->getLHS(); 2140 2141 // Determine which argument is the real pointer base. It could be 2142 // the RHS argument instead of the LHS. 2143 if (!Base->getType()->isPointerType()) Base = B->getRHS(); 2144 2145 assert (Base->getType()->isPointerType()); 2146 return EvalAddr(Base, refVars); 2147 } 2148 2149 // For conditional operators we need to see if either the LHS or RHS are 2150 // valid DeclRefExpr*s. If one of them is valid, we return it. 2151 case Stmt::ConditionalOperatorClass: { 2152 ConditionalOperator *C = cast<ConditionalOperator>(E); 2153 2154 // Handle the GNU extension for missing LHS. 2155 if (Expr *lhsExpr = C->getLHS()) { 2156 // In C++, we can have a throw-expression, which has 'void' type. 2157 if (!lhsExpr->getType()->isVoidType()) 2158 if (Expr* LHS = EvalAddr(lhsExpr, refVars)) 2159 return LHS; 2160 } 2161 2162 // In C++, we can have a throw-expression, which has 'void' type. 2163 if (C->getRHS()->getType()->isVoidType()) 2164 return NULL; 2165 2166 return EvalAddr(C->getRHS(), refVars); 2167 } 2168 2169 case Stmt::BlockExprClass: 2170 if (cast<BlockExpr>(E)->getBlockDecl()->hasCaptures()) 2171 return E; // local block. 2172 return NULL; 2173 2174 case Stmt::AddrLabelExprClass: 2175 return E; // address of label. 2176 2177 // For casts, we need to handle conversions from arrays to 2178 // pointer values, and pointer-to-pointer conversions. 2179 case Stmt::ImplicitCastExprClass: 2180 case Stmt::CStyleCastExprClass: 2181 case Stmt::CXXFunctionalCastExprClass: 2182 case Stmt::ObjCBridgedCastExprClass: { 2183 Expr* SubExpr = cast<CastExpr>(E)->getSubExpr(); 2184 QualType T = SubExpr->getType(); 2185 2186 if (SubExpr->getType()->isPointerType() || 2187 SubExpr->getType()->isBlockPointerType() || 2188 SubExpr->getType()->isObjCQualifiedIdType()) 2189 return EvalAddr(SubExpr, refVars); 2190 else if (T->isArrayType()) 2191 return EvalVal(SubExpr, refVars); 2192 else 2193 return 0; 2194 } 2195 2196 // C++ casts. For dynamic casts, static casts, and const casts, we 2197 // are always converting from a pointer-to-pointer, so we just blow 2198 // through the cast. In the case the dynamic cast doesn't fail (and 2199 // return NULL), we take the conservative route and report cases 2200 // where we return the address of a stack variable. For Reinterpre 2201 // FIXME: The comment about is wrong; we're not always converting 2202 // from pointer to pointer. I'm guessing that this code should also 2203 // handle references to objects. 2204 case Stmt::CXXStaticCastExprClass: 2205 case Stmt::CXXDynamicCastExprClass: 2206 case Stmt::CXXConstCastExprClass: 2207 case Stmt::CXXReinterpretCastExprClass: { 2208 Expr *S = cast<CXXNamedCastExpr>(E)->getSubExpr(); 2209 if (S->getType()->isPointerType() || S->getType()->isBlockPointerType()) 2210 return EvalAddr(S, refVars); 2211 else 2212 return NULL; 2213 } 2214 2215 case Stmt::MaterializeTemporaryExprClass: 2216 if (Expr *Result = EvalAddr( 2217 cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(), 2218 refVars)) 2219 return Result; 2220 2221 return E; 2222 2223 // Everything else: we simply don't reason about them. 2224 default: 2225 return NULL; 2226 } 2227} 2228 2229 2230/// EvalVal - This function is complements EvalAddr in the mutual recursion. 2231/// See the comments for EvalAddr for more details. 2232static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars) { 2233do { 2234 // We should only be called for evaluating non-pointer expressions, or 2235 // expressions with a pointer type that are not used as references but instead 2236 // are l-values (e.g., DeclRefExpr with a pointer type). 2237 2238 // Our "symbolic interpreter" is just a dispatch off the currently 2239 // viewed AST node. We then recursively traverse the AST by calling 2240 // EvalAddr and EvalVal appropriately. 2241 2242 E = E->IgnoreParens(); 2243 switch (E->getStmtClass()) { 2244 case Stmt::ImplicitCastExprClass: { 2245 ImplicitCastExpr *IE = cast<ImplicitCastExpr>(E); 2246 if (IE->getValueKind() == VK_LValue) { 2247 E = IE->getSubExpr(); 2248 continue; 2249 } 2250 return NULL; 2251 } 2252 2253 case Stmt::DeclRefExprClass: { 2254 // When we hit a DeclRefExpr we are looking at code that refers to a 2255 // variable's name. If it's not a reference variable we check if it has 2256 // local storage within the function, and if so, return the expression. 2257 DeclRefExpr *DR = cast<DeclRefExpr>(E); 2258 2259 if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) 2260 if (V->hasLocalStorage()) { 2261 if (!V->getType()->isReferenceType()) 2262 return DR; 2263 2264 // Reference variable, follow through to the expression that 2265 // it points to. 2266 if (V->hasInit()) { 2267 // Add the reference variable to the "trail". 2268 refVars.push_back(DR); 2269 return EvalVal(V->getInit(), refVars); 2270 } 2271 } 2272 2273 return NULL; 2274 } 2275 2276 case Stmt::UnaryOperatorClass: { 2277 // The only unary operator that make sense to handle here 2278 // is Deref. All others don't resolve to a "name." This includes 2279 // handling all sorts of rvalues passed to a unary operator. 2280 UnaryOperator *U = cast<UnaryOperator>(E); 2281 2282 if (U->getOpcode() == UO_Deref) 2283 return EvalAddr(U->getSubExpr(), refVars); 2284 2285 return NULL; 2286 } 2287 2288 case Stmt::ArraySubscriptExprClass: { 2289 // Array subscripts are potential references to data on the stack. We 2290 // retrieve the DeclRefExpr* for the array variable if it indeed 2291 // has local storage. 2292 return EvalAddr(cast<ArraySubscriptExpr>(E)->getBase(), refVars); 2293 } 2294 2295 case Stmt::ConditionalOperatorClass: { 2296 // For conditional operators we need to see if either the LHS or RHS are 2297 // non-NULL Expr's. If one is non-NULL, we return it. 2298 ConditionalOperator *C = cast<ConditionalOperator>(E); 2299 2300 // Handle the GNU extension for missing LHS. 2301 if (Expr *lhsExpr = C->getLHS()) 2302 if (Expr *LHS = EvalVal(lhsExpr, refVars)) 2303 return LHS; 2304 2305 return EvalVal(C->getRHS(), refVars); 2306 } 2307 2308 // Accesses to members are potential references to data on the stack. 2309 case Stmt::MemberExprClass: { 2310 MemberExpr *M = cast<MemberExpr>(E); 2311 2312 // Check for indirect access. We only want direct field accesses. 2313 if (M->isArrow()) 2314 return NULL; 2315 2316 // Check whether the member type is itself a reference, in which case 2317 // we're not going to refer to the member, but to what the member refers to. 2318 if (M->getMemberDecl()->getType()->isReferenceType()) 2319 return NULL; 2320 2321 return EvalVal(M->getBase(), refVars); 2322 } 2323 2324 case Stmt::MaterializeTemporaryExprClass: 2325 if (Expr *Result = EvalVal( 2326 cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(), 2327 refVars)) 2328 return Result; 2329 2330 return E; 2331 2332 default: 2333 // Check that we don't return or take the address of a reference to a 2334 // temporary. This is only useful in C++. 2335 if (!E->isTypeDependent() && E->isRValue()) 2336 return E; 2337 2338 // Everything else: we simply don't reason about them. 2339 return NULL; 2340 } 2341} while (true); 2342} 2343 2344//===--- CHECK: Floating-Point comparisons (-Wfloat-equal) ---------------===// 2345 2346/// Check for comparisons of floating point operands using != and ==. 2347/// Issue a warning if these are no self-comparisons, as they are not likely 2348/// to do what the programmer intended. 2349void Sema::CheckFloatComparison(SourceLocation loc, Expr* lex, Expr *rex) { 2350 bool EmitWarning = true; 2351 2352 Expr* LeftExprSansParen = lex->IgnoreParenImpCasts(); 2353 Expr* RightExprSansParen = rex->IgnoreParenImpCasts(); 2354 2355 // Special case: check for x == x (which is OK). 2356 // Do not emit warnings for such cases. 2357 if (DeclRefExpr* DRL = dyn_cast<DeclRefExpr>(LeftExprSansParen)) 2358 if (DeclRefExpr* DRR = dyn_cast<DeclRefExpr>(RightExprSansParen)) 2359 if (DRL->getDecl() == DRR->getDecl()) 2360 EmitWarning = false; 2361 2362 2363 // Special case: check for comparisons against literals that can be exactly 2364 // represented by APFloat. In such cases, do not emit a warning. This 2365 // is a heuristic: often comparison against such literals are used to 2366 // detect if a value in a variable has not changed. This clearly can 2367 // lead to false negatives. 2368 if (EmitWarning) { 2369 if (FloatingLiteral* FLL = dyn_cast<FloatingLiteral>(LeftExprSansParen)) { 2370 if (FLL->isExact()) 2371 EmitWarning = false; 2372 } else 2373 if (FloatingLiteral* FLR = dyn_cast<FloatingLiteral>(RightExprSansParen)){ 2374 if (FLR->isExact()) 2375 EmitWarning = false; 2376 } 2377 } 2378 2379 // Check for comparisons with builtin types. 2380 if (EmitWarning) 2381 if (CallExpr* CL = dyn_cast<CallExpr>(LeftExprSansParen)) 2382 if (CL->isBuiltinCall(Context)) 2383 EmitWarning = false; 2384 2385 if (EmitWarning) 2386 if (CallExpr* CR = dyn_cast<CallExpr>(RightExprSansParen)) 2387 if (CR->isBuiltinCall(Context)) 2388 EmitWarning = false; 2389 2390 // Emit the diagnostic. 2391 if (EmitWarning) 2392 Diag(loc, diag::warn_floatingpoint_eq) 2393 << lex->getSourceRange() << rex->getSourceRange(); 2394} 2395 2396//===--- CHECK: Integer mixed-sign comparisons (-Wsign-compare) --------===// 2397//===--- CHECK: Lossy implicit conversions (-Wconversion) --------------===// 2398 2399namespace { 2400 2401/// Structure recording the 'active' range of an integer-valued 2402/// expression. 2403struct IntRange { 2404 /// The number of bits active in the int. 2405 unsigned Width; 2406 2407 /// True if the int is known not to have negative values. 2408 bool NonNegative; 2409 2410 IntRange(unsigned Width, bool NonNegative) 2411 : Width(Width), NonNegative(NonNegative) 2412 {} 2413 2414 /// Returns the range of the bool type. 2415 static IntRange forBoolType() { 2416 return IntRange(1, true); 2417 } 2418 2419 /// Returns the range of an opaque value of the given integral type. 2420 static IntRange forValueOfType(ASTContext &C, QualType T) { 2421 return forValueOfCanonicalType(C, 2422 T->getCanonicalTypeInternal().getTypePtr()); 2423 } 2424 2425 /// Returns the range of an opaque value of a canonical integral type. 2426 static IntRange forValueOfCanonicalType(ASTContext &C, const Type *T) { 2427 assert(T->isCanonicalUnqualified()); 2428 2429 if (const VectorType *VT = dyn_cast<VectorType>(T)) 2430 T = VT->getElementType().getTypePtr(); 2431 if (const ComplexType *CT = dyn_cast<ComplexType>(T)) 2432 T = CT->getElementType().getTypePtr(); 2433 2434 // For enum types, use the known bit width of the enumerators. 2435 if (const EnumType *ET = dyn_cast<EnumType>(T)) { 2436 EnumDecl *Enum = ET->getDecl(); 2437 if (!Enum->isDefinition()) 2438 return IntRange(C.getIntWidth(QualType(T, 0)), false); 2439 2440 unsigned NumPositive = Enum->getNumPositiveBits(); 2441 unsigned NumNegative = Enum->getNumNegativeBits(); 2442 2443 return IntRange(std::max(NumPositive, NumNegative), NumNegative == 0); 2444 } 2445 2446 const BuiltinType *BT = cast<BuiltinType>(T); 2447 assert(BT->isInteger()); 2448 2449 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); 2450 } 2451 2452 /// Returns the "target" range of a canonical integral type, i.e. 2453 /// the range of values expressible in the type. 2454 /// 2455 /// This matches forValueOfCanonicalType except that enums have the 2456 /// full range of their type, not the range of their enumerators. 2457 static IntRange forTargetOfCanonicalType(ASTContext &C, const Type *T) { 2458 assert(T->isCanonicalUnqualified()); 2459 2460 if (const VectorType *VT = dyn_cast<VectorType>(T)) 2461 T = VT->getElementType().getTypePtr(); 2462 if (const ComplexType *CT = dyn_cast<ComplexType>(T)) 2463 T = CT->getElementType().getTypePtr(); 2464 if (const EnumType *ET = dyn_cast<EnumType>(T)) 2465 T = ET->getDecl()->getIntegerType().getTypePtr(); 2466 2467 const BuiltinType *BT = cast<BuiltinType>(T); 2468 assert(BT->isInteger()); 2469 2470 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); 2471 } 2472 2473 /// Returns the supremum of two ranges: i.e. their conservative merge. 2474 static IntRange join(IntRange L, IntRange R) { 2475 return IntRange(std::max(L.Width, R.Width), 2476 L.NonNegative && R.NonNegative); 2477 } 2478 2479 /// Returns the infinum of two ranges: i.e. their aggressive merge. 2480 static IntRange meet(IntRange L, IntRange R) { 2481 return IntRange(std::min(L.Width, R.Width), 2482 L.NonNegative || R.NonNegative); 2483 } 2484}; 2485 2486IntRange GetValueRange(ASTContext &C, llvm::APSInt &value, unsigned MaxWidth) { 2487 if (value.isSigned() && value.isNegative()) 2488 return IntRange(value.getMinSignedBits(), false); 2489 2490 if (value.getBitWidth() > MaxWidth) 2491 value = value.trunc(MaxWidth); 2492 2493 // isNonNegative() just checks the sign bit without considering 2494 // signedness. 2495 return IntRange(value.getActiveBits(), true); 2496} 2497 2498IntRange GetValueRange(ASTContext &C, APValue &result, QualType Ty, 2499 unsigned MaxWidth) { 2500 if (result.isInt()) 2501 return GetValueRange(C, result.getInt(), MaxWidth); 2502 2503 if (result.isVector()) { 2504 IntRange R = GetValueRange(C, result.getVectorElt(0), Ty, MaxWidth); 2505 for (unsigned i = 1, e = result.getVectorLength(); i != e; ++i) { 2506 IntRange El = GetValueRange(C, result.getVectorElt(i), Ty, MaxWidth); 2507 R = IntRange::join(R, El); 2508 } 2509 return R; 2510 } 2511 2512 if (result.isComplexInt()) { 2513 IntRange R = GetValueRange(C, result.getComplexIntReal(), MaxWidth); 2514 IntRange I = GetValueRange(C, result.getComplexIntImag(), MaxWidth); 2515 return IntRange::join(R, I); 2516 } 2517 2518 // This can happen with lossless casts to intptr_t of "based" lvalues. 2519 // Assume it might use arbitrary bits. 2520 // FIXME: The only reason we need to pass the type in here is to get 2521 // the sign right on this one case. It would be nice if APValue 2522 // preserved this. 2523 assert(result.isLValue()); 2524 return IntRange(MaxWidth, Ty->isUnsignedIntegerOrEnumerationType()); 2525} 2526 2527/// Pseudo-evaluate the given integer expression, estimating the 2528/// range of values it might take. 2529/// 2530/// \param MaxWidth - the width to which the value will be truncated 2531IntRange GetExprRange(ASTContext &C, Expr *E, unsigned MaxWidth) { 2532 E = E->IgnoreParens(); 2533 2534 // Try a full evaluation first. 2535 Expr::EvalResult result; 2536 if (E->Evaluate(result, C)) 2537 return GetValueRange(C, result.Val, E->getType(), MaxWidth); 2538 2539 // I think we only want to look through implicit casts here; if the 2540 // user has an explicit widening cast, we should treat the value as 2541 // being of the new, wider type. 2542 if (ImplicitCastExpr *CE = dyn_cast<ImplicitCastExpr>(E)) { 2543 if (CE->getCastKind() == CK_NoOp) 2544 return GetExprRange(C, CE->getSubExpr(), MaxWidth); 2545 2546 IntRange OutputTypeRange = IntRange::forValueOfType(C, CE->getType()); 2547 2548 bool isIntegerCast = (CE->getCastKind() == CK_IntegralCast); 2549 2550 // Assume that non-integer casts can span the full range of the type. 2551 if (!isIntegerCast) 2552 return OutputTypeRange; 2553 2554 IntRange SubRange 2555 = GetExprRange(C, CE->getSubExpr(), 2556 std::min(MaxWidth, OutputTypeRange.Width)); 2557 2558 // Bail out if the subexpr's range is as wide as the cast type. 2559 if (SubRange.Width >= OutputTypeRange.Width) 2560 return OutputTypeRange; 2561 2562 // Otherwise, we take the smaller width, and we're non-negative if 2563 // either the output type or the subexpr is. 2564 return IntRange(SubRange.Width, 2565 SubRange.NonNegative || OutputTypeRange.NonNegative); 2566 } 2567 2568 if (ConditionalOperator *CO = dyn_cast<ConditionalOperator>(E)) { 2569 // If we can fold the condition, just take that operand. 2570 bool CondResult; 2571 if (CO->getCond()->EvaluateAsBooleanCondition(CondResult, C)) 2572 return GetExprRange(C, CondResult ? CO->getTrueExpr() 2573 : CO->getFalseExpr(), 2574 MaxWidth); 2575 2576 // Otherwise, conservatively merge. 2577 IntRange L = GetExprRange(C, CO->getTrueExpr(), MaxWidth); 2578 IntRange R = GetExprRange(C, CO->getFalseExpr(), MaxWidth); 2579 return IntRange::join(L, R); 2580 } 2581 2582 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 2583 switch (BO->getOpcode()) { 2584 2585 // Boolean-valued operations are single-bit and positive. 2586 case BO_LAnd: 2587 case BO_LOr: 2588 case BO_LT: 2589 case BO_GT: 2590 case BO_LE: 2591 case BO_GE: 2592 case BO_EQ: 2593 case BO_NE: 2594 return IntRange::forBoolType(); 2595 2596 // The type of the assignments is the type of the LHS, so the RHS 2597 // is not necessarily the same type. 2598 case BO_MulAssign: 2599 case BO_DivAssign: 2600 case BO_RemAssign: 2601 case BO_AddAssign: 2602 case BO_SubAssign: 2603 case BO_XorAssign: 2604 case BO_OrAssign: 2605 // TODO: bitfields? 2606 return IntRange::forValueOfType(C, E->getType()); 2607 2608 // Simple assignments just pass through the RHS, which will have 2609 // been coerced to the LHS type. 2610 case BO_Assign: 2611 // TODO: bitfields? 2612 return GetExprRange(C, BO->getRHS(), MaxWidth); 2613 2614 // Operations with opaque sources are black-listed. 2615 case BO_PtrMemD: 2616 case BO_PtrMemI: 2617 return IntRange::forValueOfType(C, E->getType()); 2618 2619 // Bitwise-and uses the *infinum* of the two source ranges. 2620 case BO_And: 2621 case BO_AndAssign: 2622 return IntRange::meet(GetExprRange(C, BO->getLHS(), MaxWidth), 2623 GetExprRange(C, BO->getRHS(), MaxWidth)); 2624 2625 // Left shift gets black-listed based on a judgement call. 2626 case BO_Shl: 2627 // ...except that we want to treat '1 << (blah)' as logically 2628 // positive. It's an important idiom. 2629 if (IntegerLiteral *I 2630 = dyn_cast<IntegerLiteral>(BO->getLHS()->IgnoreParenCasts())) { 2631 if (I->getValue() == 1) { 2632 IntRange R = IntRange::forValueOfType(C, E->getType()); 2633 return IntRange(R.Width, /*NonNegative*/ true); 2634 } 2635 } 2636 // fallthrough 2637 2638 case BO_ShlAssign: 2639 return IntRange::forValueOfType(C, E->getType()); 2640 2641 // Right shift by a constant can narrow its left argument. 2642 case BO_Shr: 2643 case BO_ShrAssign: { 2644 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 2645 2646 // If the shift amount is a positive constant, drop the width by 2647 // that much. 2648 llvm::APSInt shift; 2649 if (BO->getRHS()->isIntegerConstantExpr(shift, C) && 2650 shift.isNonNegative()) { 2651 unsigned zext = shift.getZExtValue(); 2652 if (zext >= L.Width) 2653 L.Width = (L.NonNegative ? 0 : 1); 2654 else 2655 L.Width -= zext; 2656 } 2657 2658 return L; 2659 } 2660 2661 // Comma acts as its right operand. 2662 case BO_Comma: 2663 return GetExprRange(C, BO->getRHS(), MaxWidth); 2664 2665 // Black-list pointer subtractions. 2666 case BO_Sub: 2667 if (BO->getLHS()->getType()->isPointerType()) 2668 return IntRange::forValueOfType(C, E->getType()); 2669 break; 2670 2671 // The width of a division result is mostly determined by the size 2672 // of the LHS. 2673 case BO_Div: { 2674 // Don't 'pre-truncate' the operands. 2675 unsigned opWidth = C.getIntWidth(E->getType()); 2676 IntRange L = GetExprRange(C, BO->getLHS(), opWidth); 2677 2678 // If the divisor is constant, use that. 2679 llvm::APSInt divisor; 2680 if (BO->getRHS()->isIntegerConstantExpr(divisor, C)) { 2681 unsigned log2 = divisor.logBase2(); // floor(log_2(divisor)) 2682 if (log2 >= L.Width) 2683 L.Width = (L.NonNegative ? 0 : 1); 2684 else 2685 L.Width = std::min(L.Width - log2, MaxWidth); 2686 return L; 2687 } 2688 2689 // Otherwise, just use the LHS's width. 2690 IntRange R = GetExprRange(C, BO->getRHS(), opWidth); 2691 return IntRange(L.Width, L.NonNegative && R.NonNegative); 2692 } 2693 2694 // The result of a remainder can't be larger than the result of 2695 // either side. 2696 case BO_Rem: { 2697 // Don't 'pre-truncate' the operands. 2698 unsigned opWidth = C.getIntWidth(E->getType()); 2699 IntRange L = GetExprRange(C, BO->getLHS(), opWidth); 2700 IntRange R = GetExprRange(C, BO->getRHS(), opWidth); 2701 2702 IntRange meet = IntRange::meet(L, R); 2703 meet.Width = std::min(meet.Width, MaxWidth); 2704 return meet; 2705 } 2706 2707 // The default behavior is okay for these. 2708 case BO_Mul: 2709 case BO_Add: 2710 case BO_Xor: 2711 case BO_Or: 2712 break; 2713 } 2714 2715 // The default case is to treat the operation as if it were closed 2716 // on the narrowest type that encompasses both operands. 2717 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 2718 IntRange R = GetExprRange(C, BO->getRHS(), MaxWidth); 2719 return IntRange::join(L, R); 2720 } 2721 2722 if (UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) { 2723 switch (UO->getOpcode()) { 2724 // Boolean-valued operations are white-listed. 2725 case UO_LNot: 2726 return IntRange::forBoolType(); 2727 2728 // Operations with opaque sources are black-listed. 2729 case UO_Deref: 2730 case UO_AddrOf: // should be impossible 2731 return IntRange::forValueOfType(C, E->getType()); 2732 2733 default: 2734 return GetExprRange(C, UO->getSubExpr(), MaxWidth); 2735 } 2736 } 2737 2738 if (dyn_cast<OffsetOfExpr>(E)) { 2739 IntRange::forValueOfType(C, E->getType()); 2740 } 2741 2742 FieldDecl *BitField = E->getBitField(); 2743 if (BitField) { 2744 llvm::APSInt BitWidthAP = BitField->getBitWidth()->EvaluateAsInt(C); 2745 unsigned BitWidth = BitWidthAP.getZExtValue(); 2746 2747 return IntRange(BitWidth, 2748 BitField->getType()->isUnsignedIntegerOrEnumerationType()); 2749 } 2750 2751 return IntRange::forValueOfType(C, E->getType()); 2752} 2753 2754IntRange GetExprRange(ASTContext &C, Expr *E) { 2755 return GetExprRange(C, E, C.getIntWidth(E->getType())); 2756} 2757 2758/// Checks whether the given value, which currently has the given 2759/// source semantics, has the same value when coerced through the 2760/// target semantics. 2761bool IsSameFloatAfterCast(const llvm::APFloat &value, 2762 const llvm::fltSemantics &Src, 2763 const llvm::fltSemantics &Tgt) { 2764 llvm::APFloat truncated = value; 2765 2766 bool ignored; 2767 truncated.convert(Src, llvm::APFloat::rmNearestTiesToEven, &ignored); 2768 truncated.convert(Tgt, llvm::APFloat::rmNearestTiesToEven, &ignored); 2769 2770 return truncated.bitwiseIsEqual(value); 2771} 2772 2773/// Checks whether the given value, which currently has the given 2774/// source semantics, has the same value when coerced through the 2775/// target semantics. 2776/// 2777/// The value might be a vector of floats (or a complex number). 2778bool IsSameFloatAfterCast(const APValue &value, 2779 const llvm::fltSemantics &Src, 2780 const llvm::fltSemantics &Tgt) { 2781 if (value.isFloat()) 2782 return IsSameFloatAfterCast(value.getFloat(), Src, Tgt); 2783 2784 if (value.isVector()) { 2785 for (unsigned i = 0, e = value.getVectorLength(); i != e; ++i) 2786 if (!IsSameFloatAfterCast(value.getVectorElt(i), Src, Tgt)) 2787 return false; 2788 return true; 2789 } 2790 2791 assert(value.isComplexFloat()); 2792 return (IsSameFloatAfterCast(value.getComplexFloatReal(), Src, Tgt) && 2793 IsSameFloatAfterCast(value.getComplexFloatImag(), Src, Tgt)); 2794} 2795 2796void AnalyzeImplicitConversions(Sema &S, Expr *E, SourceLocation CC); 2797 2798static bool IsZero(Sema &S, Expr *E) { 2799 // Suppress cases where we are comparing against an enum constant. 2800 if (const DeclRefExpr *DR = 2801 dyn_cast<DeclRefExpr>(E->IgnoreParenImpCasts())) 2802 if (isa<EnumConstantDecl>(DR->getDecl())) 2803 return false; 2804 2805 // Suppress cases where the '0' value is expanded from a macro. 2806 if (E->getLocStart().isMacroID()) 2807 return false; 2808 2809 llvm::APSInt Value; 2810 return E->isIntegerConstantExpr(Value, S.Context) && Value == 0; 2811} 2812 2813static bool HasEnumType(Expr *E) { 2814 // Strip off implicit integral promotions. 2815 while (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) { 2816 if (ICE->getCastKind() != CK_IntegralCast && 2817 ICE->getCastKind() != CK_NoOp) 2818 break; 2819 E = ICE->getSubExpr(); 2820 } 2821 2822 return E->getType()->isEnumeralType(); 2823} 2824 2825void CheckTrivialUnsignedComparison(Sema &S, BinaryOperator *E) { 2826 BinaryOperatorKind op = E->getOpcode(); 2827 if (E->isValueDependent()) 2828 return; 2829 2830 if (op == BO_LT && IsZero(S, E->getRHS())) { 2831 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 2832 << "< 0" << "false" << HasEnumType(E->getLHS()) 2833 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 2834 } else if (op == BO_GE && IsZero(S, E->getRHS())) { 2835 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 2836 << ">= 0" << "true" << HasEnumType(E->getLHS()) 2837 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 2838 } else if (op == BO_GT && IsZero(S, E->getLHS())) { 2839 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 2840 << "0 >" << "false" << HasEnumType(E->getRHS()) 2841 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 2842 } else if (op == BO_LE && IsZero(S, E->getLHS())) { 2843 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 2844 << "0 <=" << "true" << HasEnumType(E->getRHS()) 2845 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 2846 } 2847} 2848 2849/// Analyze the operands of the given comparison. Implements the 2850/// fallback case from AnalyzeComparison. 2851void AnalyzeImpConvsInComparison(Sema &S, BinaryOperator *E) { 2852 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc()); 2853 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc()); 2854} 2855 2856/// \brief Implements -Wsign-compare. 2857/// 2858/// \param lex the left-hand expression 2859/// \param rex the right-hand expression 2860/// \param OpLoc the location of the joining operator 2861/// \param BinOpc binary opcode or 0 2862void AnalyzeComparison(Sema &S, BinaryOperator *E) { 2863 // The type the comparison is being performed in. 2864 QualType T = E->getLHS()->getType(); 2865 assert(S.Context.hasSameUnqualifiedType(T, E->getRHS()->getType()) 2866 && "comparison with mismatched types"); 2867 2868 // We don't do anything special if this isn't an unsigned integral 2869 // comparison: we're only interested in integral comparisons, and 2870 // signed comparisons only happen in cases we don't care to warn about. 2871 // 2872 // We also don't care about value-dependent expressions or expressions 2873 // whose result is a constant. 2874 if (!T->hasUnsignedIntegerRepresentation() 2875 || E->isValueDependent() || E->isIntegerConstantExpr(S.Context)) 2876 return AnalyzeImpConvsInComparison(S, E); 2877 2878 Expr *lex = E->getLHS()->IgnoreParenImpCasts(); 2879 Expr *rex = E->getRHS()->IgnoreParenImpCasts(); 2880 2881 // Check to see if one of the (unmodified) operands is of different 2882 // signedness. 2883 Expr *signedOperand, *unsignedOperand; 2884 if (lex->getType()->hasSignedIntegerRepresentation()) { 2885 assert(!rex->getType()->hasSignedIntegerRepresentation() && 2886 "unsigned comparison between two signed integer expressions?"); 2887 signedOperand = lex; 2888 unsignedOperand = rex; 2889 } else if (rex->getType()->hasSignedIntegerRepresentation()) { 2890 signedOperand = rex; 2891 unsignedOperand = lex; 2892 } else { 2893 CheckTrivialUnsignedComparison(S, E); 2894 return AnalyzeImpConvsInComparison(S, E); 2895 } 2896 2897 // Otherwise, calculate the effective range of the signed operand. 2898 IntRange signedRange = GetExprRange(S.Context, signedOperand); 2899 2900 // Go ahead and analyze implicit conversions in the operands. Note 2901 // that we skip the implicit conversions on both sides. 2902 AnalyzeImplicitConversions(S, lex, E->getOperatorLoc()); 2903 AnalyzeImplicitConversions(S, rex, E->getOperatorLoc()); 2904 2905 // If the signed range is non-negative, -Wsign-compare won't fire, 2906 // but we should still check for comparisons which are always true 2907 // or false. 2908 if (signedRange.NonNegative) 2909 return CheckTrivialUnsignedComparison(S, E); 2910 2911 // For (in)equality comparisons, if the unsigned operand is a 2912 // constant which cannot collide with a overflowed signed operand, 2913 // then reinterpreting the signed operand as unsigned will not 2914 // change the result of the comparison. 2915 if (E->isEqualityOp()) { 2916 unsigned comparisonWidth = S.Context.getIntWidth(T); 2917 IntRange unsignedRange = GetExprRange(S.Context, unsignedOperand); 2918 2919 // We should never be unable to prove that the unsigned operand is 2920 // non-negative. 2921 assert(unsignedRange.NonNegative && "unsigned range includes negative?"); 2922 2923 if (unsignedRange.Width < comparisonWidth) 2924 return; 2925 } 2926 2927 S.Diag(E->getOperatorLoc(), diag::warn_mixed_sign_comparison) 2928 << lex->getType() << rex->getType() 2929 << lex->getSourceRange() << rex->getSourceRange(); 2930} 2931 2932/// Analyzes an attempt to assign the given value to a bitfield. 2933/// 2934/// Returns true if there was something fishy about the attempt. 2935bool AnalyzeBitFieldAssignment(Sema &S, FieldDecl *Bitfield, Expr *Init, 2936 SourceLocation InitLoc) { 2937 assert(Bitfield->isBitField()); 2938 if (Bitfield->isInvalidDecl()) 2939 return false; 2940 2941 // White-list bool bitfields. 2942 if (Bitfield->getType()->isBooleanType()) 2943 return false; 2944 2945 // Ignore value- or type-dependent expressions. 2946 if (Bitfield->getBitWidth()->isValueDependent() || 2947 Bitfield->getBitWidth()->isTypeDependent() || 2948 Init->isValueDependent() || 2949 Init->isTypeDependent()) 2950 return false; 2951 2952 Expr *OriginalInit = Init->IgnoreParenImpCasts(); 2953 2954 llvm::APSInt Width(32); 2955 Expr::EvalResult InitValue; 2956 if (!Bitfield->getBitWidth()->isIntegerConstantExpr(Width, S.Context) || 2957 !OriginalInit->Evaluate(InitValue, S.Context) || 2958 !InitValue.Val.isInt()) 2959 return false; 2960 2961 const llvm::APSInt &Value = InitValue.Val.getInt(); 2962 unsigned OriginalWidth = Value.getBitWidth(); 2963 unsigned FieldWidth = Width.getZExtValue(); 2964 2965 if (OriginalWidth <= FieldWidth) 2966 return false; 2967 2968 llvm::APSInt TruncatedValue = Value.trunc(FieldWidth); 2969 2970 // It's fairly common to write values into signed bitfields 2971 // that, if sign-extended, would end up becoming a different 2972 // value. We don't want to warn about that. 2973 if (Value.isSigned() && Value.isNegative()) 2974 TruncatedValue = TruncatedValue.sext(OriginalWidth); 2975 else 2976 TruncatedValue = TruncatedValue.zext(OriginalWidth); 2977 2978 if (Value == TruncatedValue) 2979 return false; 2980 2981 std::string PrettyValue = Value.toString(10); 2982 std::string PrettyTrunc = TruncatedValue.toString(10); 2983 2984 S.Diag(InitLoc, diag::warn_impcast_bitfield_precision_constant) 2985 << PrettyValue << PrettyTrunc << OriginalInit->getType() 2986 << Init->getSourceRange(); 2987 2988 return true; 2989} 2990 2991/// Analyze the given simple or compound assignment for warning-worthy 2992/// operations. 2993void AnalyzeAssignment(Sema &S, BinaryOperator *E) { 2994 // Just recurse on the LHS. 2995 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc()); 2996 2997 // We want to recurse on the RHS as normal unless we're assigning to 2998 // a bitfield. 2999 if (FieldDecl *Bitfield = E->getLHS()->getBitField()) { 3000 if (AnalyzeBitFieldAssignment(S, Bitfield, E->getRHS(), 3001 E->getOperatorLoc())) { 3002 // Recurse, ignoring any implicit conversions on the RHS. 3003 return AnalyzeImplicitConversions(S, E->getRHS()->IgnoreParenImpCasts(), 3004 E->getOperatorLoc()); 3005 } 3006 } 3007 3008 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc()); 3009} 3010 3011/// Diagnose an implicit cast; purely a helper for CheckImplicitConversion. 3012void DiagnoseImpCast(Sema &S, Expr *E, QualType SourceType, QualType T, 3013 SourceLocation CContext, unsigned diag) { 3014 S.Diag(E->getExprLoc(), diag) 3015 << SourceType << T << E->getSourceRange() << SourceRange(CContext); 3016} 3017 3018/// Diagnose an implicit cast; purely a helper for CheckImplicitConversion. 3019void DiagnoseImpCast(Sema &S, Expr *E, QualType T, SourceLocation CContext, 3020 unsigned diag) { 3021 DiagnoseImpCast(S, E, E->getType(), T, CContext, diag); 3022} 3023 3024/// Diagnose an implicit cast from a literal expression. Also attemps to supply 3025/// fixit hints when the cast wouldn't lose information to simply write the 3026/// expression with the expected type. 3027void DiagnoseFloatingLiteralImpCast(Sema &S, FloatingLiteral *FL, QualType T, 3028 SourceLocation CContext) { 3029 // Emit the primary warning first, then try to emit a fixit hint note if 3030 // reasonable. 3031 S.Diag(FL->getExprLoc(), diag::warn_impcast_literal_float_to_integer) 3032 << FL->getType() << T << FL->getSourceRange() << SourceRange(CContext); 3033 3034 const llvm::APFloat &Value = FL->getValue(); 3035 3036 // Don't attempt to fix PPC double double literals. 3037 if (&Value.getSemantics() == &llvm::APFloat::PPCDoubleDouble) 3038 return; 3039 3040 // Try to convert this exactly to an integer. 3041 bool isExact = false; 3042 llvm::APSInt IntegerValue(S.Context.getIntWidth(T), 3043 T->hasUnsignedIntegerRepresentation()); 3044 if (Value.convertToInteger(IntegerValue, 3045 llvm::APFloat::rmTowardZero, &isExact) 3046 != llvm::APFloat::opOK || !isExact) 3047 return; 3048 3049 std::string LiteralValue = IntegerValue.toString(10); 3050 S.Diag(FL->getExprLoc(), diag::note_fix_integral_float_as_integer) 3051 << FixItHint::CreateReplacement(FL->getSourceRange(), LiteralValue); 3052} 3053 3054std::string PrettyPrintInRange(const llvm::APSInt &Value, IntRange Range) { 3055 if (!Range.Width) return "0"; 3056 3057 llvm::APSInt ValueInRange = Value; 3058 ValueInRange.setIsSigned(!Range.NonNegative); 3059 ValueInRange = ValueInRange.trunc(Range.Width); 3060 return ValueInRange.toString(10); 3061} 3062 3063static bool isFromSystemMacro(Sema &S, SourceLocation loc) { 3064 SourceManager &smgr = S.Context.getSourceManager(); 3065 return loc.isMacroID() && smgr.isInSystemHeader(smgr.getSpellingLoc(loc)); 3066} 3067 3068void CheckImplicitConversion(Sema &S, Expr *E, QualType T, 3069 SourceLocation CC, bool *ICContext = 0) { 3070 if (E->isTypeDependent() || E->isValueDependent()) return; 3071 3072 const Type *Source = S.Context.getCanonicalType(E->getType()).getTypePtr(); 3073 const Type *Target = S.Context.getCanonicalType(T).getTypePtr(); 3074 if (Source == Target) return; 3075 if (Target->isDependentType()) return; 3076 3077 // If the conversion context location is invalid don't complain. We also 3078 // don't want to emit a warning if the issue occurs from the expansion of 3079 // a system macro. The problem is that 'getSpellingLoc()' is slow, so we 3080 // delay this check as long as possible. Once we detect we are in that 3081 // scenario, we just return. 3082 if (CC.isInvalid()) 3083 return; 3084 3085 // Never diagnose implicit casts to bool. 3086 if (Target->isSpecificBuiltinType(BuiltinType::Bool)) 3087 return; 3088 3089 // Strip vector types. 3090 if (isa<VectorType>(Source)) { 3091 if (!isa<VectorType>(Target)) { 3092 if (isFromSystemMacro(S, CC)) 3093 return; 3094 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_vector_scalar); 3095 } 3096 3097 // If the vector cast is cast between two vectors of the same size, it is 3098 // a bitcast, not a conversion. 3099 if (S.Context.getTypeSize(Source) == S.Context.getTypeSize(Target)) 3100 return; 3101 3102 Source = cast<VectorType>(Source)->getElementType().getTypePtr(); 3103 Target = cast<VectorType>(Target)->getElementType().getTypePtr(); 3104 } 3105 3106 // Strip complex types. 3107 if (isa<ComplexType>(Source)) { 3108 if (!isa<ComplexType>(Target)) { 3109 if (isFromSystemMacro(S, CC)) 3110 return; 3111 3112 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_complex_scalar); 3113 } 3114 3115 Source = cast<ComplexType>(Source)->getElementType().getTypePtr(); 3116 Target = cast<ComplexType>(Target)->getElementType().getTypePtr(); 3117 } 3118 3119 const BuiltinType *SourceBT = dyn_cast<BuiltinType>(Source); 3120 const BuiltinType *TargetBT = dyn_cast<BuiltinType>(Target); 3121 3122 // If the source is floating point... 3123 if (SourceBT && SourceBT->isFloatingPoint()) { 3124 // ...and the target is floating point... 3125 if (TargetBT && TargetBT->isFloatingPoint()) { 3126 // ...then warn if we're dropping FP rank. 3127 3128 // Builtin FP kinds are ordered by increasing FP rank. 3129 if (SourceBT->getKind() > TargetBT->getKind()) { 3130 // Don't warn about float constants that are precisely 3131 // representable in the target type. 3132 Expr::EvalResult result; 3133 if (E->Evaluate(result, S.Context)) { 3134 // Value might be a float, a float vector, or a float complex. 3135 if (IsSameFloatAfterCast(result.Val, 3136 S.Context.getFloatTypeSemantics(QualType(TargetBT, 0)), 3137 S.Context.getFloatTypeSemantics(QualType(SourceBT, 0)))) 3138 return; 3139 } 3140 3141 if (isFromSystemMacro(S, CC)) 3142 return; 3143 3144 DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_precision); 3145 } 3146 return; 3147 } 3148 3149 // If the target is integral, always warn. 3150 if ((TargetBT && TargetBT->isInteger())) { 3151 if (isFromSystemMacro(S, CC)) 3152 return; 3153 3154 Expr *InnerE = E->IgnoreParenImpCasts(); 3155 if (FloatingLiteral *FL = dyn_cast<FloatingLiteral>(InnerE)) { 3156 DiagnoseFloatingLiteralImpCast(S, FL, T, CC); 3157 } else { 3158 DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_integer); 3159 } 3160 } 3161 3162 return; 3163 } 3164 3165 if (!Source->isIntegerType() || !Target->isIntegerType()) 3166 return; 3167 3168 if ((E->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNotNull) 3169 == Expr::NPCK_GNUNull) && Target->isIntegerType()) { 3170 S.Diag(E->getExprLoc(), diag::warn_impcast_null_pointer_to_integer) 3171 << E->getSourceRange() << clang::SourceRange(CC); 3172 return; 3173 } 3174 3175 IntRange SourceRange = GetExprRange(S.Context, E); 3176 IntRange TargetRange = IntRange::forTargetOfCanonicalType(S.Context, Target); 3177 3178 if (SourceRange.Width > TargetRange.Width) { 3179 // If the source is a constant, use a default-on diagnostic. 3180 // TODO: this should happen for bitfield stores, too. 3181 llvm::APSInt Value(32); 3182 if (E->isIntegerConstantExpr(Value, S.Context)) { 3183 if (isFromSystemMacro(S, CC)) 3184 return; 3185 3186 std::string PrettySourceValue = Value.toString(10); 3187 std::string PrettyTargetValue = PrettyPrintInRange(Value, TargetRange); 3188 3189 S.Diag(E->getExprLoc(), diag::warn_impcast_integer_precision_constant) 3190 << PrettySourceValue << PrettyTargetValue 3191 << E->getType() << T << E->getSourceRange() << clang::SourceRange(CC); 3192 return; 3193 } 3194 3195 // People want to build with -Wshorten-64-to-32 and not -Wconversion. 3196 if (isFromSystemMacro(S, CC)) 3197 return; 3198 3199 if (SourceRange.Width == 64 && TargetRange.Width == 32) 3200 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_64_32); 3201 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_precision); 3202 } 3203 3204 if ((TargetRange.NonNegative && !SourceRange.NonNegative) || 3205 (!TargetRange.NonNegative && SourceRange.NonNegative && 3206 SourceRange.Width == TargetRange.Width)) { 3207 3208 if (isFromSystemMacro(S, CC)) 3209 return; 3210 3211 unsigned DiagID = diag::warn_impcast_integer_sign; 3212 3213 // Traditionally, gcc has warned about this under -Wsign-compare. 3214 // We also want to warn about it in -Wconversion. 3215 // So if -Wconversion is off, use a completely identical diagnostic 3216 // in the sign-compare group. 3217 // The conditional-checking code will 3218 if (ICContext) { 3219 DiagID = diag::warn_impcast_integer_sign_conditional; 3220 *ICContext = true; 3221 } 3222 3223 return DiagnoseImpCast(S, E, T, CC, DiagID); 3224 } 3225 3226 // Diagnose conversions between different enumeration types. 3227 // In C, we pretend that the type of an EnumConstantDecl is its enumeration 3228 // type, to give us better diagnostics. 3229 QualType SourceType = E->getType(); 3230 if (!S.getLangOptions().CPlusPlus) { 3231 if (DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) 3232 if (EnumConstantDecl *ECD = dyn_cast<EnumConstantDecl>(DRE->getDecl())) { 3233 EnumDecl *Enum = cast<EnumDecl>(ECD->getDeclContext()); 3234 SourceType = S.Context.getTypeDeclType(Enum); 3235 Source = S.Context.getCanonicalType(SourceType).getTypePtr(); 3236 } 3237 } 3238 3239 if (const EnumType *SourceEnum = Source->getAs<EnumType>()) 3240 if (const EnumType *TargetEnum = Target->getAs<EnumType>()) 3241 if ((SourceEnum->getDecl()->getIdentifier() || 3242 SourceEnum->getDecl()->getTypedefNameForAnonDecl()) && 3243 (TargetEnum->getDecl()->getIdentifier() || 3244 TargetEnum->getDecl()->getTypedefNameForAnonDecl()) && 3245 SourceEnum != TargetEnum) { 3246 if (isFromSystemMacro(S, CC)) 3247 return; 3248 3249 return DiagnoseImpCast(S, E, SourceType, T, CC, 3250 diag::warn_impcast_different_enum_types); 3251 } 3252 3253 return; 3254} 3255 3256void CheckConditionalOperator(Sema &S, ConditionalOperator *E, QualType T); 3257 3258void CheckConditionalOperand(Sema &S, Expr *E, QualType T, 3259 SourceLocation CC, bool &ICContext) { 3260 E = E->IgnoreParenImpCasts(); 3261 3262 if (isa<ConditionalOperator>(E)) 3263 return CheckConditionalOperator(S, cast<ConditionalOperator>(E), T); 3264 3265 AnalyzeImplicitConversions(S, E, CC); 3266 if (E->getType() != T) 3267 return CheckImplicitConversion(S, E, T, CC, &ICContext); 3268 return; 3269} 3270 3271void CheckConditionalOperator(Sema &S, ConditionalOperator *E, QualType T) { 3272 SourceLocation CC = E->getQuestionLoc(); 3273 3274 AnalyzeImplicitConversions(S, E->getCond(), CC); 3275 3276 bool Suspicious = false; 3277 CheckConditionalOperand(S, E->getTrueExpr(), T, CC, Suspicious); 3278 CheckConditionalOperand(S, E->getFalseExpr(), T, CC, Suspicious); 3279 3280 // If -Wconversion would have warned about either of the candidates 3281 // for a signedness conversion to the context type... 3282 if (!Suspicious) return; 3283 3284 // ...but it's currently ignored... 3285 if (S.Diags.getDiagnosticLevel(diag::warn_impcast_integer_sign_conditional, 3286 CC)) 3287 return; 3288 3289 // ...then check whether it would have warned about either of the 3290 // candidates for a signedness conversion to the condition type. 3291 if (E->getType() == T) return; 3292 3293 Suspicious = false; 3294 CheckImplicitConversion(S, E->getTrueExpr()->IgnoreParenImpCasts(), 3295 E->getType(), CC, &Suspicious); 3296 if (!Suspicious) 3297 CheckImplicitConversion(S, E->getFalseExpr()->IgnoreParenImpCasts(), 3298 E->getType(), CC, &Suspicious); 3299} 3300 3301/// AnalyzeImplicitConversions - Find and report any interesting 3302/// implicit conversions in the given expression. There are a couple 3303/// of competing diagnostics here, -Wconversion and -Wsign-compare. 3304void AnalyzeImplicitConversions(Sema &S, Expr *OrigE, SourceLocation CC) { 3305 QualType T = OrigE->getType(); 3306 Expr *E = OrigE->IgnoreParenImpCasts(); 3307 3308 // For conditional operators, we analyze the arguments as if they 3309 // were being fed directly into the output. 3310 if (isa<ConditionalOperator>(E)) { 3311 ConditionalOperator *CO = cast<ConditionalOperator>(E); 3312 CheckConditionalOperator(S, CO, T); 3313 return; 3314 } 3315 3316 // Go ahead and check any implicit conversions we might have skipped. 3317 // The non-canonical typecheck is just an optimization; 3318 // CheckImplicitConversion will filter out dead implicit conversions. 3319 if (E->getType() != T) 3320 CheckImplicitConversion(S, E, T, CC); 3321 3322 // Now continue drilling into this expression. 3323 3324 // Skip past explicit casts. 3325 if (isa<ExplicitCastExpr>(E)) { 3326 E = cast<ExplicitCastExpr>(E)->getSubExpr()->IgnoreParenImpCasts(); 3327 return AnalyzeImplicitConversions(S, E, CC); 3328 } 3329 3330 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 3331 // Do a somewhat different check with comparison operators. 3332 if (BO->isComparisonOp()) 3333 return AnalyzeComparison(S, BO); 3334 3335 // And with assignments and compound assignments. 3336 if (BO->isAssignmentOp()) 3337 return AnalyzeAssignment(S, BO); 3338 } 3339 3340 // These break the otherwise-useful invariant below. Fortunately, 3341 // we don't really need to recurse into them, because any internal 3342 // expressions should have been analyzed already when they were 3343 // built into statements. 3344 if (isa<StmtExpr>(E)) return; 3345 3346 // Don't descend into unevaluated contexts. 3347 if (isa<UnaryExprOrTypeTraitExpr>(E)) return; 3348 3349 // Now just recurse over the expression's children. 3350 CC = E->getExprLoc(); 3351 for (Stmt::child_range I = E->children(); I; ++I) 3352 AnalyzeImplicitConversions(S, cast<Expr>(*I), CC); 3353} 3354 3355} // end anonymous namespace 3356 3357/// Diagnoses "dangerous" implicit conversions within the given 3358/// expression (which is a full expression). Implements -Wconversion 3359/// and -Wsign-compare. 3360/// 3361/// \param CC the "context" location of the implicit conversion, i.e. 3362/// the most location of the syntactic entity requiring the implicit 3363/// conversion 3364void Sema::CheckImplicitConversions(Expr *E, SourceLocation CC) { 3365 // Don't diagnose in unevaluated contexts. 3366 if (ExprEvalContexts.back().Context == Sema::Unevaluated) 3367 return; 3368 3369 // Don't diagnose for value- or type-dependent expressions. 3370 if (E->isTypeDependent() || E->isValueDependent()) 3371 return; 3372 3373 // This is not the right CC for (e.g.) a variable initialization. 3374 AnalyzeImplicitConversions(*this, E, CC); 3375} 3376 3377void Sema::CheckBitFieldInitialization(SourceLocation InitLoc, 3378 FieldDecl *BitField, 3379 Expr *Init) { 3380 (void) AnalyzeBitFieldAssignment(*this, BitField, Init, InitLoc); 3381} 3382 3383/// CheckParmsForFunctionDef - Check that the parameters of the given 3384/// function are appropriate for the definition of a function. This 3385/// takes care of any checks that cannot be performed on the 3386/// declaration itself, e.g., that the types of each of the function 3387/// parameters are complete. 3388bool Sema::CheckParmsForFunctionDef(ParmVarDecl **P, ParmVarDecl **PEnd, 3389 bool CheckParameterNames) { 3390 bool HasInvalidParm = false; 3391 for (; P != PEnd; ++P) { 3392 ParmVarDecl *Param = *P; 3393 3394 // C99 6.7.5.3p4: the parameters in a parameter type list in a 3395 // function declarator that is part of a function definition of 3396 // that function shall not have incomplete type. 3397 // 3398 // This is also C++ [dcl.fct]p6. 3399 if (!Param->isInvalidDecl() && 3400 RequireCompleteType(Param->getLocation(), Param->getType(), 3401 diag::err_typecheck_decl_incomplete_type)) { 3402 Param->setInvalidDecl(); 3403 HasInvalidParm = true; 3404 } 3405 3406 // C99 6.9.1p5: If the declarator includes a parameter type list, the 3407 // declaration of each parameter shall include an identifier. 3408 if (CheckParameterNames && 3409 Param->getIdentifier() == 0 && 3410 !Param->isImplicit() && 3411 !getLangOptions().CPlusPlus) 3412 Diag(Param->getLocation(), diag::err_parameter_name_omitted); 3413 3414 // C99 6.7.5.3p12: 3415 // If the function declarator is not part of a definition of that 3416 // function, parameters may have incomplete type and may use the [*] 3417 // notation in their sequences of declarator specifiers to specify 3418 // variable length array types. 3419 QualType PType = Param->getOriginalType(); 3420 if (const ArrayType *AT = Context.getAsArrayType(PType)) { 3421 if (AT->getSizeModifier() == ArrayType::Star) { 3422 // FIXME: This diagnosic should point the the '[*]' if source-location 3423 // information is added for it. 3424 Diag(Param->getLocation(), diag::err_array_star_in_function_definition); 3425 } 3426 } 3427 } 3428 3429 return HasInvalidParm; 3430} 3431 3432/// CheckCastAlign - Implements -Wcast-align, which warns when a 3433/// pointer cast increases the alignment requirements. 3434void Sema::CheckCastAlign(Expr *Op, QualType T, SourceRange TRange) { 3435 // This is actually a lot of work to potentially be doing on every 3436 // cast; don't do it if we're ignoring -Wcast_align (as is the default). 3437 if (getDiagnostics().getDiagnosticLevel(diag::warn_cast_align, 3438 TRange.getBegin()) 3439 == Diagnostic::Ignored) 3440 return; 3441 3442 // Ignore dependent types. 3443 if (T->isDependentType() || Op->getType()->isDependentType()) 3444 return; 3445 3446 // Require that the destination be a pointer type. 3447 const PointerType *DestPtr = T->getAs<PointerType>(); 3448 if (!DestPtr) return; 3449 3450 // If the destination has alignment 1, we're done. 3451 QualType DestPointee = DestPtr->getPointeeType(); 3452 if (DestPointee->isIncompleteType()) return; 3453 CharUnits DestAlign = Context.getTypeAlignInChars(DestPointee); 3454 if (DestAlign.isOne()) return; 3455 3456 // Require that the source be a pointer type. 3457 const PointerType *SrcPtr = Op->getType()->getAs<PointerType>(); 3458 if (!SrcPtr) return; 3459 QualType SrcPointee = SrcPtr->getPointeeType(); 3460 3461 // Whitelist casts from cv void*. We already implicitly 3462 // whitelisted casts to cv void*, since they have alignment 1. 3463 // Also whitelist casts involving incomplete types, which implicitly 3464 // includes 'void'. 3465 if (SrcPointee->isIncompleteType()) return; 3466 3467 CharUnits SrcAlign = Context.getTypeAlignInChars(SrcPointee); 3468 if (SrcAlign >= DestAlign) return; 3469 3470 Diag(TRange.getBegin(), diag::warn_cast_align) 3471 << Op->getType() << T 3472 << static_cast<unsigned>(SrcAlign.getQuantity()) 3473 << static_cast<unsigned>(DestAlign.getQuantity()) 3474 << TRange << Op->getSourceRange(); 3475} 3476 3477static void CheckArrayAccess_Check(Sema &S, 3478 const clang::ArraySubscriptExpr *E) { 3479 const Expr *BaseExpr = E->getBase()->IgnoreParenImpCasts(); 3480 const ConstantArrayType *ArrayTy = 3481 S.Context.getAsConstantArrayType(BaseExpr->getType()); 3482 if (!ArrayTy) 3483 return; 3484 3485 const Expr *IndexExpr = E->getIdx(); 3486 if (IndexExpr->isValueDependent()) 3487 return; 3488 llvm::APSInt index; 3489 if (!IndexExpr->isIntegerConstantExpr(index, S.Context)) 3490 return; 3491 3492 const NamedDecl *ND = NULL; 3493 bool IsMemberDecl = false; 3494 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr)) 3495 ND = dyn_cast<NamedDecl>(DRE->getDecl()); 3496 if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr)) { 3497 ND = dyn_cast<NamedDecl>(ME->getMemberDecl()); 3498 IsMemberDecl = true; 3499 } 3500 3501 if (index.isUnsigned() || !index.isNegative()) { 3502 llvm::APInt size = ArrayTy->getSize(); 3503 if (!size.isStrictlyPositive()) 3504 return; 3505 if (size.getBitWidth() > index.getBitWidth()) 3506 index = index.sext(size.getBitWidth()); 3507 else if (size.getBitWidth() < index.getBitWidth()) 3508 size = size.sext(index.getBitWidth()); 3509 3510 // Don't warn for valid indexes 3511 if (index.slt(size)) 3512 return; 3513 3514 // Also don't warn for arrays of size 1 which are members of some 3515 // structure. These are often used to approximate flexible arrays in C89 3516 // code. 3517 // FIXME: We should also check whether there are any members after this 3518 // member within the struct as that precludes the usage as a flexible 3519 // array. We should also potentially check for an explicit '1' as opposed 3520 // to a macro or template argument which might accidentally and erroneously 3521 // expand to '1'. 3522 if (IsMemberDecl && size == 1) 3523 return; 3524 3525 S.DiagRuntimeBehavior(E->getBase()->getLocStart(), BaseExpr, 3526 S.PDiag(diag::warn_array_index_exceeds_bounds) 3527 << index.toString(10, true) 3528 << size.toString(10, true) 3529 << IndexExpr->getSourceRange()); 3530 } else { 3531 S.DiagRuntimeBehavior(E->getBase()->getLocStart(), BaseExpr, 3532 S.PDiag(diag::warn_array_index_precedes_bounds) 3533 << index.toString(10, true) 3534 << IndexExpr->getSourceRange()); 3535 } 3536 3537 if (ND) 3538 S.DiagRuntimeBehavior(ND->getLocStart(), BaseExpr, 3539 S.PDiag(diag::note_array_index_out_of_bounds) 3540 << ND->getDeclName()); 3541} 3542 3543void Sema::CheckArrayAccess(const Expr *expr) { 3544 while (true) { 3545 expr = expr->IgnoreParens(); 3546 switch (expr->getStmtClass()) { 3547 case Stmt::ArraySubscriptExprClass: 3548 CheckArrayAccess_Check(*this, cast<ArraySubscriptExpr>(expr)); 3549 return; 3550 case Stmt::ConditionalOperatorClass: { 3551 const ConditionalOperator *cond = cast<ConditionalOperator>(expr); 3552 if (const Expr *lhs = cond->getLHS()) 3553 CheckArrayAccess(lhs); 3554 if (const Expr *rhs = cond->getRHS()) 3555 CheckArrayAccess(rhs); 3556 return; 3557 } 3558 default: 3559 return; 3560 } 3561 } 3562} 3563 3564//===--- CHECK: Objective-C retain cycles ----------------------------------// 3565 3566namespace { 3567 struct RetainCycleOwner { 3568 RetainCycleOwner() : Variable(0), Indirect(false) {} 3569 VarDecl *Variable; 3570 SourceRange Range; 3571 SourceLocation Loc; 3572 bool Indirect; 3573 3574 void setLocsFrom(Expr *e) { 3575 Loc = e->getExprLoc(); 3576 Range = e->getSourceRange(); 3577 } 3578 }; 3579} 3580 3581/// Consider whether capturing the given variable can possibly lead to 3582/// a retain cycle. 3583static bool considerVariable(VarDecl *var, Expr *ref, RetainCycleOwner &owner) { 3584 // In ARC, it's captured strongly iff the variable has __strong 3585 // lifetime. In MRR, it's captured strongly if the variable is 3586 // __block and has an appropriate type. 3587 if (var->getType().getObjCLifetime() != Qualifiers::OCL_Strong) 3588 return false; 3589 3590 owner.Variable = var; 3591 owner.setLocsFrom(ref); 3592 return true; 3593} 3594 3595static bool findRetainCycleOwner(Expr *e, RetainCycleOwner &owner) { 3596 while (true) { 3597 e = e->IgnoreParens(); 3598 if (CastExpr *cast = dyn_cast<CastExpr>(e)) { 3599 switch (cast->getCastKind()) { 3600 case CK_BitCast: 3601 case CK_LValueBitCast: 3602 case CK_LValueToRValue: 3603 case CK_ObjCReclaimReturnedObject: 3604 e = cast->getSubExpr(); 3605 continue; 3606 3607 case CK_GetObjCProperty: { 3608 // Bail out if this isn't a strong explicit property. 3609 const ObjCPropertyRefExpr *pre = cast->getSubExpr()->getObjCProperty(); 3610 if (pre->isImplicitProperty()) return false; 3611 ObjCPropertyDecl *property = pre->getExplicitProperty(); 3612 if (!(property->getPropertyAttributes() & 3613 (ObjCPropertyDecl::OBJC_PR_retain | 3614 ObjCPropertyDecl::OBJC_PR_copy | 3615 ObjCPropertyDecl::OBJC_PR_strong)) && 3616 !(property->getPropertyIvarDecl() && 3617 property->getPropertyIvarDecl()->getType() 3618 .getObjCLifetime() == Qualifiers::OCL_Strong)) 3619 return false; 3620 3621 owner.Indirect = true; 3622 e = const_cast<Expr*>(pre->getBase()); 3623 continue; 3624 } 3625 3626 default: 3627 return false; 3628 } 3629 } 3630 3631 if (ObjCIvarRefExpr *ref = dyn_cast<ObjCIvarRefExpr>(e)) { 3632 ObjCIvarDecl *ivar = ref->getDecl(); 3633 if (ivar->getType().getObjCLifetime() != Qualifiers::OCL_Strong) 3634 return false; 3635 3636 // Try to find a retain cycle in the base. 3637 if (!findRetainCycleOwner(ref->getBase(), owner)) 3638 return false; 3639 3640 if (ref->isFreeIvar()) owner.setLocsFrom(ref); 3641 owner.Indirect = true; 3642 return true; 3643 } 3644 3645 if (DeclRefExpr *ref = dyn_cast<DeclRefExpr>(e)) { 3646 VarDecl *var = dyn_cast<VarDecl>(ref->getDecl()); 3647 if (!var) return false; 3648 return considerVariable(var, ref, owner); 3649 } 3650 3651 if (BlockDeclRefExpr *ref = dyn_cast<BlockDeclRefExpr>(e)) { 3652 owner.Variable = ref->getDecl(); 3653 owner.setLocsFrom(ref); 3654 return true; 3655 } 3656 3657 if (MemberExpr *member = dyn_cast<MemberExpr>(e)) { 3658 if (member->isArrow()) return false; 3659 3660 // Don't count this as an indirect ownership. 3661 e = member->getBase(); 3662 continue; 3663 } 3664 3665 // Array ivars? 3666 3667 return false; 3668 } 3669} 3670 3671namespace { 3672 struct FindCaptureVisitor : EvaluatedExprVisitor<FindCaptureVisitor> { 3673 FindCaptureVisitor(ASTContext &Context, VarDecl *variable) 3674 : EvaluatedExprVisitor<FindCaptureVisitor>(Context), 3675 Variable(variable), Capturer(0) {} 3676 3677 VarDecl *Variable; 3678 Expr *Capturer; 3679 3680 void VisitDeclRefExpr(DeclRefExpr *ref) { 3681 if (ref->getDecl() == Variable && !Capturer) 3682 Capturer = ref; 3683 } 3684 3685 void VisitBlockDeclRefExpr(BlockDeclRefExpr *ref) { 3686 if (ref->getDecl() == Variable && !Capturer) 3687 Capturer = ref; 3688 } 3689 3690 void VisitObjCIvarRefExpr(ObjCIvarRefExpr *ref) { 3691 if (Capturer) return; 3692 Visit(ref->getBase()); 3693 if (Capturer && ref->isFreeIvar()) 3694 Capturer = ref; 3695 } 3696 3697 void VisitBlockExpr(BlockExpr *block) { 3698 // Look inside nested blocks 3699 if (block->getBlockDecl()->capturesVariable(Variable)) 3700 Visit(block->getBlockDecl()->getBody()); 3701 } 3702 }; 3703} 3704 3705/// Check whether the given argument is a block which captures a 3706/// variable. 3707static Expr *findCapturingExpr(Sema &S, Expr *e, RetainCycleOwner &owner) { 3708 assert(owner.Variable && owner.Loc.isValid()); 3709 3710 e = e->IgnoreParenCasts(); 3711 BlockExpr *block = dyn_cast<BlockExpr>(e); 3712 if (!block || !block->getBlockDecl()->capturesVariable(owner.Variable)) 3713 return 0; 3714 3715 FindCaptureVisitor visitor(S.Context, owner.Variable); 3716 visitor.Visit(block->getBlockDecl()->getBody()); 3717 return visitor.Capturer; 3718} 3719 3720static void diagnoseRetainCycle(Sema &S, Expr *capturer, 3721 RetainCycleOwner &owner) { 3722 assert(capturer); 3723 assert(owner.Variable && owner.Loc.isValid()); 3724 3725 S.Diag(capturer->getExprLoc(), diag::warn_arc_retain_cycle) 3726 << owner.Variable << capturer->getSourceRange(); 3727 S.Diag(owner.Loc, diag::note_arc_retain_cycle_owner) 3728 << owner.Indirect << owner.Range; 3729} 3730 3731/// Check for a keyword selector that starts with the word 'add' or 3732/// 'set'. 3733static bool isSetterLikeSelector(Selector sel) { 3734 if (sel.isUnarySelector()) return false; 3735 3736 StringRef str = sel.getNameForSlot(0); 3737 while (!str.empty() && str.front() == '_') str = str.substr(1); 3738 if (str.startswith("set") || str.startswith("add")) 3739 str = str.substr(3); 3740 else 3741 return false; 3742 3743 if (str.empty()) return true; 3744 return !islower(str.front()); 3745} 3746 3747/// Check a message send to see if it's likely to cause a retain cycle. 3748void Sema::checkRetainCycles(ObjCMessageExpr *msg) { 3749 // Only check instance methods whose selector looks like a setter. 3750 if (!msg->isInstanceMessage() || !isSetterLikeSelector(msg->getSelector())) 3751 return; 3752 3753 // Try to find a variable that the receiver is strongly owned by. 3754 RetainCycleOwner owner; 3755 if (msg->getReceiverKind() == ObjCMessageExpr::Instance) { 3756 if (!findRetainCycleOwner(msg->getInstanceReceiver(), owner)) 3757 return; 3758 } else { 3759 assert(msg->getReceiverKind() == ObjCMessageExpr::SuperInstance); 3760 owner.Variable = getCurMethodDecl()->getSelfDecl(); 3761 owner.Loc = msg->getSuperLoc(); 3762 owner.Range = msg->getSuperLoc(); 3763 } 3764 3765 // Check whether the receiver is captured by any of the arguments. 3766 for (unsigned i = 0, e = msg->getNumArgs(); i != e; ++i) 3767 if (Expr *capturer = findCapturingExpr(*this, msg->getArg(i), owner)) 3768 return diagnoseRetainCycle(*this, capturer, owner); 3769} 3770 3771/// Check a property assign to see if it's likely to cause a retain cycle. 3772void Sema::checkRetainCycles(Expr *receiver, Expr *argument) { 3773 RetainCycleOwner owner; 3774 if (!findRetainCycleOwner(receiver, owner)) 3775 return; 3776 3777 if (Expr *capturer = findCapturingExpr(*this, argument, owner)) 3778 diagnoseRetainCycle(*this, capturer, owner); 3779} 3780 3781bool Sema::checkUnsafeAssigns(SourceLocation Loc, 3782 QualType LHS, Expr *RHS) { 3783 Qualifiers::ObjCLifetime LT = LHS.getObjCLifetime(); 3784 if (LT != Qualifiers::OCL_Weak && LT != Qualifiers::OCL_ExplicitNone) 3785 return false; 3786 // strip off any implicit cast added to get to the one arc-specific 3787 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) { 3788 if (cast->getCastKind() == CK_ObjCConsumeObject) { 3789 Diag(Loc, diag::warn_arc_retained_assign) 3790 << (LT == Qualifiers::OCL_ExplicitNone) 3791 << RHS->getSourceRange(); 3792 return true; 3793 } 3794 RHS = cast->getSubExpr(); 3795 } 3796 return false; 3797} 3798 3799void Sema::checkUnsafeExprAssigns(SourceLocation Loc, 3800 Expr *LHS, Expr *RHS) { 3801 QualType LHSType = LHS->getType(); 3802 if (checkUnsafeAssigns(Loc, LHSType, RHS)) 3803 return; 3804 Qualifiers::ObjCLifetime LT = LHSType.getObjCLifetime(); 3805 // FIXME. Check for other life times. 3806 if (LT != Qualifiers::OCL_None) 3807 return; 3808 3809 if (ObjCPropertyRefExpr *PRE = dyn_cast<ObjCPropertyRefExpr>(LHS)) { 3810 if (PRE->isImplicitProperty()) 3811 return; 3812 const ObjCPropertyDecl *PD = PRE->getExplicitProperty(); 3813 if (!PD) 3814 return; 3815 3816 unsigned Attributes = PD->getPropertyAttributes(); 3817 if (Attributes & ObjCPropertyDecl::OBJC_PR_assign) 3818 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) { 3819 if (cast->getCastKind() == CK_ObjCConsumeObject) { 3820 Diag(Loc, diag::warn_arc_retained_property_assign) 3821 << RHS->getSourceRange(); 3822 return; 3823 } 3824 RHS = cast->getSubExpr(); 3825 } 3826 } 3827} 3828