SemaChecking.cpp revision d3292c88ad6360823818b78d67875eceb3caedfb
1//===--- SemaChecking.cpp - Extra Semantic Checking -----------------------===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file implements extra semantic analysis beyond what is enforced 11// by the C type system. 12// 13//===----------------------------------------------------------------------===// 14 15#include "clang/Sema/SemaInternal.h" 16#include "clang/AST/ASTContext.h" 17#include "clang/AST/CharUnits.h" 18#include "clang/AST/DeclCXX.h" 19#include "clang/AST/DeclObjC.h" 20#include "clang/AST/EvaluatedExprVisitor.h" 21#include "clang/AST/Expr.h" 22#include "clang/AST/ExprCXX.h" 23#include "clang/AST/ExprObjC.h" 24#include "clang/AST/StmtCXX.h" 25#include "clang/AST/StmtObjC.h" 26#include "clang/Analysis/Analyses/FormatString.h" 27#include "clang/Basic/ConvertUTF.h" 28#include "clang/Basic/TargetBuiltins.h" 29#include "clang/Basic/TargetInfo.h" 30#include "clang/Lex/Preprocessor.h" 31#include "clang/Sema/Initialization.h" 32#include "clang/Sema/Lookup.h" 33#include "clang/Sema/ScopeInfo.h" 34#include "clang/Sema/Sema.h" 35#include "llvm/ADT/BitVector.h" 36#include "llvm/ADT/STLExtras.h" 37#include "llvm/ADT/SmallString.h" 38#include "llvm/Support/raw_ostream.h" 39#include <limits> 40using namespace clang; 41using namespace sema; 42 43SourceLocation Sema::getLocationOfStringLiteralByte(const StringLiteral *SL, 44 unsigned ByteNo) const { 45 return SL->getLocationOfByte(ByteNo, PP.getSourceManager(), 46 PP.getLangOpts(), PP.getTargetInfo()); 47} 48 49/// Checks that a call expression's argument count is the desired number. 50/// This is useful when doing custom type-checking. Returns true on error. 51static bool checkArgCount(Sema &S, CallExpr *call, unsigned desiredArgCount) { 52 unsigned argCount = call->getNumArgs(); 53 if (argCount == desiredArgCount) return false; 54 55 if (argCount < desiredArgCount) 56 return S.Diag(call->getLocEnd(), diag::err_typecheck_call_too_few_args) 57 << 0 /*function call*/ << desiredArgCount << argCount 58 << call->getSourceRange(); 59 60 // Highlight all the excess arguments. 61 SourceRange range(call->getArg(desiredArgCount)->getLocStart(), 62 call->getArg(argCount - 1)->getLocEnd()); 63 64 return S.Diag(range.getBegin(), diag::err_typecheck_call_too_many_args) 65 << 0 /*function call*/ << desiredArgCount << argCount 66 << call->getArg(1)->getSourceRange(); 67} 68 69/// Check that the first argument to __builtin_annotation is an integer 70/// and the second argument is a non-wide string literal. 71static bool SemaBuiltinAnnotation(Sema &S, CallExpr *TheCall) { 72 if (checkArgCount(S, TheCall, 2)) 73 return true; 74 75 // First argument should be an integer. 76 Expr *ValArg = TheCall->getArg(0); 77 QualType Ty = ValArg->getType(); 78 if (!Ty->isIntegerType()) { 79 S.Diag(ValArg->getLocStart(), diag::err_builtin_annotation_first_arg) 80 << ValArg->getSourceRange(); 81 return true; 82 } 83 84 // Second argument should be a constant string. 85 Expr *StrArg = TheCall->getArg(1)->IgnoreParenCasts(); 86 StringLiteral *Literal = dyn_cast<StringLiteral>(StrArg); 87 if (!Literal || !Literal->isAscii()) { 88 S.Diag(StrArg->getLocStart(), diag::err_builtin_annotation_second_arg) 89 << StrArg->getSourceRange(); 90 return true; 91 } 92 93 TheCall->setType(Ty); 94 return false; 95} 96 97ExprResult 98Sema::CheckBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 99 ExprResult TheCallResult(Owned(TheCall)); 100 101 // Find out if any arguments are required to be integer constant expressions. 102 unsigned ICEArguments = 0; 103 ASTContext::GetBuiltinTypeError Error; 104 Context.GetBuiltinType(BuiltinID, Error, &ICEArguments); 105 if (Error != ASTContext::GE_None) 106 ICEArguments = 0; // Don't diagnose previously diagnosed errors. 107 108 // If any arguments are required to be ICE's, check and diagnose. 109 for (unsigned ArgNo = 0; ICEArguments != 0; ++ArgNo) { 110 // Skip arguments not required to be ICE's. 111 if ((ICEArguments & (1 << ArgNo)) == 0) continue; 112 113 llvm::APSInt Result; 114 if (SemaBuiltinConstantArg(TheCall, ArgNo, Result)) 115 return true; 116 ICEArguments &= ~(1 << ArgNo); 117 } 118 119 switch (BuiltinID) { 120 case Builtin::BI__builtin___CFStringMakeConstantString: 121 assert(TheCall->getNumArgs() == 1 && 122 "Wrong # arguments to builtin CFStringMakeConstantString"); 123 if (CheckObjCString(TheCall->getArg(0))) 124 return ExprError(); 125 break; 126 case Builtin::BI__builtin_stdarg_start: 127 case Builtin::BI__builtin_va_start: 128 if (SemaBuiltinVAStart(TheCall)) 129 return ExprError(); 130 break; 131 case Builtin::BI__builtin_isgreater: 132 case Builtin::BI__builtin_isgreaterequal: 133 case Builtin::BI__builtin_isless: 134 case Builtin::BI__builtin_islessequal: 135 case Builtin::BI__builtin_islessgreater: 136 case Builtin::BI__builtin_isunordered: 137 if (SemaBuiltinUnorderedCompare(TheCall)) 138 return ExprError(); 139 break; 140 case Builtin::BI__builtin_fpclassify: 141 if (SemaBuiltinFPClassification(TheCall, 6)) 142 return ExprError(); 143 break; 144 case Builtin::BI__builtin_isfinite: 145 case Builtin::BI__builtin_isinf: 146 case Builtin::BI__builtin_isinf_sign: 147 case Builtin::BI__builtin_isnan: 148 case Builtin::BI__builtin_isnormal: 149 if (SemaBuiltinFPClassification(TheCall, 1)) 150 return ExprError(); 151 break; 152 case Builtin::BI__builtin_shufflevector: 153 return SemaBuiltinShuffleVector(TheCall); 154 // TheCall will be freed by the smart pointer here, but that's fine, since 155 // SemaBuiltinShuffleVector guts it, but then doesn't release it. 156 case Builtin::BI__builtin_prefetch: 157 if (SemaBuiltinPrefetch(TheCall)) 158 return ExprError(); 159 break; 160 case Builtin::BI__builtin_object_size: 161 if (SemaBuiltinObjectSize(TheCall)) 162 return ExprError(); 163 break; 164 case Builtin::BI__builtin_longjmp: 165 if (SemaBuiltinLongjmp(TheCall)) 166 return ExprError(); 167 break; 168 169 case Builtin::BI__builtin_classify_type: 170 if (checkArgCount(*this, TheCall, 1)) return true; 171 TheCall->setType(Context.IntTy); 172 break; 173 case Builtin::BI__builtin_constant_p: 174 if (checkArgCount(*this, TheCall, 1)) return true; 175 TheCall->setType(Context.IntTy); 176 break; 177 case Builtin::BI__sync_fetch_and_add: 178 case Builtin::BI__sync_fetch_and_add_1: 179 case Builtin::BI__sync_fetch_and_add_2: 180 case Builtin::BI__sync_fetch_and_add_4: 181 case Builtin::BI__sync_fetch_and_add_8: 182 case Builtin::BI__sync_fetch_and_add_16: 183 case Builtin::BI__sync_fetch_and_sub: 184 case Builtin::BI__sync_fetch_and_sub_1: 185 case Builtin::BI__sync_fetch_and_sub_2: 186 case Builtin::BI__sync_fetch_and_sub_4: 187 case Builtin::BI__sync_fetch_and_sub_8: 188 case Builtin::BI__sync_fetch_and_sub_16: 189 case Builtin::BI__sync_fetch_and_or: 190 case Builtin::BI__sync_fetch_and_or_1: 191 case Builtin::BI__sync_fetch_and_or_2: 192 case Builtin::BI__sync_fetch_and_or_4: 193 case Builtin::BI__sync_fetch_and_or_8: 194 case Builtin::BI__sync_fetch_and_or_16: 195 case Builtin::BI__sync_fetch_and_and: 196 case Builtin::BI__sync_fetch_and_and_1: 197 case Builtin::BI__sync_fetch_and_and_2: 198 case Builtin::BI__sync_fetch_and_and_4: 199 case Builtin::BI__sync_fetch_and_and_8: 200 case Builtin::BI__sync_fetch_and_and_16: 201 case Builtin::BI__sync_fetch_and_xor: 202 case Builtin::BI__sync_fetch_and_xor_1: 203 case Builtin::BI__sync_fetch_and_xor_2: 204 case Builtin::BI__sync_fetch_and_xor_4: 205 case Builtin::BI__sync_fetch_and_xor_8: 206 case Builtin::BI__sync_fetch_and_xor_16: 207 case Builtin::BI__sync_add_and_fetch: 208 case Builtin::BI__sync_add_and_fetch_1: 209 case Builtin::BI__sync_add_and_fetch_2: 210 case Builtin::BI__sync_add_and_fetch_4: 211 case Builtin::BI__sync_add_and_fetch_8: 212 case Builtin::BI__sync_add_and_fetch_16: 213 case Builtin::BI__sync_sub_and_fetch: 214 case Builtin::BI__sync_sub_and_fetch_1: 215 case Builtin::BI__sync_sub_and_fetch_2: 216 case Builtin::BI__sync_sub_and_fetch_4: 217 case Builtin::BI__sync_sub_and_fetch_8: 218 case Builtin::BI__sync_sub_and_fetch_16: 219 case Builtin::BI__sync_and_and_fetch: 220 case Builtin::BI__sync_and_and_fetch_1: 221 case Builtin::BI__sync_and_and_fetch_2: 222 case Builtin::BI__sync_and_and_fetch_4: 223 case Builtin::BI__sync_and_and_fetch_8: 224 case Builtin::BI__sync_and_and_fetch_16: 225 case Builtin::BI__sync_or_and_fetch: 226 case Builtin::BI__sync_or_and_fetch_1: 227 case Builtin::BI__sync_or_and_fetch_2: 228 case Builtin::BI__sync_or_and_fetch_4: 229 case Builtin::BI__sync_or_and_fetch_8: 230 case Builtin::BI__sync_or_and_fetch_16: 231 case Builtin::BI__sync_xor_and_fetch: 232 case Builtin::BI__sync_xor_and_fetch_1: 233 case Builtin::BI__sync_xor_and_fetch_2: 234 case Builtin::BI__sync_xor_and_fetch_4: 235 case Builtin::BI__sync_xor_and_fetch_8: 236 case Builtin::BI__sync_xor_and_fetch_16: 237 case Builtin::BI__sync_val_compare_and_swap: 238 case Builtin::BI__sync_val_compare_and_swap_1: 239 case Builtin::BI__sync_val_compare_and_swap_2: 240 case Builtin::BI__sync_val_compare_and_swap_4: 241 case Builtin::BI__sync_val_compare_and_swap_8: 242 case Builtin::BI__sync_val_compare_and_swap_16: 243 case Builtin::BI__sync_bool_compare_and_swap: 244 case Builtin::BI__sync_bool_compare_and_swap_1: 245 case Builtin::BI__sync_bool_compare_and_swap_2: 246 case Builtin::BI__sync_bool_compare_and_swap_4: 247 case Builtin::BI__sync_bool_compare_and_swap_8: 248 case Builtin::BI__sync_bool_compare_and_swap_16: 249 case Builtin::BI__sync_lock_test_and_set: 250 case Builtin::BI__sync_lock_test_and_set_1: 251 case Builtin::BI__sync_lock_test_and_set_2: 252 case Builtin::BI__sync_lock_test_and_set_4: 253 case Builtin::BI__sync_lock_test_and_set_8: 254 case Builtin::BI__sync_lock_test_and_set_16: 255 case Builtin::BI__sync_lock_release: 256 case Builtin::BI__sync_lock_release_1: 257 case Builtin::BI__sync_lock_release_2: 258 case Builtin::BI__sync_lock_release_4: 259 case Builtin::BI__sync_lock_release_8: 260 case Builtin::BI__sync_lock_release_16: 261 case Builtin::BI__sync_swap: 262 case Builtin::BI__sync_swap_1: 263 case Builtin::BI__sync_swap_2: 264 case Builtin::BI__sync_swap_4: 265 case Builtin::BI__sync_swap_8: 266 case Builtin::BI__sync_swap_16: 267 return SemaBuiltinAtomicOverloaded(TheCallResult); 268#define BUILTIN(ID, TYPE, ATTRS) 269#define ATOMIC_BUILTIN(ID, TYPE, ATTRS) \ 270 case Builtin::BI##ID: \ 271 return SemaAtomicOpsOverloaded(TheCallResult, AtomicExpr::AO##ID); 272#include "clang/Basic/Builtins.def" 273 case Builtin::BI__builtin_annotation: 274 if (SemaBuiltinAnnotation(*this, TheCall)) 275 return ExprError(); 276 break; 277 } 278 279 // Since the target specific builtins for each arch overlap, only check those 280 // of the arch we are compiling for. 281 if (BuiltinID >= Builtin::FirstTSBuiltin) { 282 switch (Context.getTargetInfo().getTriple().getArch()) { 283 case llvm::Triple::arm: 284 case llvm::Triple::thumb: 285 if (CheckARMBuiltinFunctionCall(BuiltinID, TheCall)) 286 return ExprError(); 287 break; 288 case llvm::Triple::mips: 289 case llvm::Triple::mipsel: 290 case llvm::Triple::mips64: 291 case llvm::Triple::mips64el: 292 if (CheckMipsBuiltinFunctionCall(BuiltinID, TheCall)) 293 return ExprError(); 294 break; 295 default: 296 break; 297 } 298 } 299 300 return TheCallResult; 301} 302 303// Get the valid immediate range for the specified NEON type code. 304static unsigned RFT(unsigned t, bool shift = false) { 305 NeonTypeFlags Type(t); 306 int IsQuad = Type.isQuad(); 307 switch (Type.getEltType()) { 308 case NeonTypeFlags::Int8: 309 case NeonTypeFlags::Poly8: 310 return shift ? 7 : (8 << IsQuad) - 1; 311 case NeonTypeFlags::Int16: 312 case NeonTypeFlags::Poly16: 313 return shift ? 15 : (4 << IsQuad) - 1; 314 case NeonTypeFlags::Int32: 315 return shift ? 31 : (2 << IsQuad) - 1; 316 case NeonTypeFlags::Int64: 317 return shift ? 63 : (1 << IsQuad) - 1; 318 case NeonTypeFlags::Float16: 319 assert(!shift && "cannot shift float types!"); 320 return (4 << IsQuad) - 1; 321 case NeonTypeFlags::Float32: 322 assert(!shift && "cannot shift float types!"); 323 return (2 << IsQuad) - 1; 324 } 325 llvm_unreachable("Invalid NeonTypeFlag!"); 326} 327 328/// getNeonEltType - Return the QualType corresponding to the elements of 329/// the vector type specified by the NeonTypeFlags. This is used to check 330/// the pointer arguments for Neon load/store intrinsics. 331static QualType getNeonEltType(NeonTypeFlags Flags, ASTContext &Context) { 332 switch (Flags.getEltType()) { 333 case NeonTypeFlags::Int8: 334 return Flags.isUnsigned() ? Context.UnsignedCharTy : Context.SignedCharTy; 335 case NeonTypeFlags::Int16: 336 return Flags.isUnsigned() ? Context.UnsignedShortTy : Context.ShortTy; 337 case NeonTypeFlags::Int32: 338 return Flags.isUnsigned() ? Context.UnsignedIntTy : Context.IntTy; 339 case NeonTypeFlags::Int64: 340 return Flags.isUnsigned() ? Context.UnsignedLongLongTy : Context.LongLongTy; 341 case NeonTypeFlags::Poly8: 342 return Context.SignedCharTy; 343 case NeonTypeFlags::Poly16: 344 return Context.ShortTy; 345 case NeonTypeFlags::Float16: 346 return Context.UnsignedShortTy; 347 case NeonTypeFlags::Float32: 348 return Context.FloatTy; 349 } 350 llvm_unreachable("Invalid NeonTypeFlag!"); 351} 352 353bool Sema::CheckARMBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 354 llvm::APSInt Result; 355 356 uint64_t mask = 0; 357 unsigned TV = 0; 358 int PtrArgNum = -1; 359 bool HasConstPtr = false; 360 switch (BuiltinID) { 361#define GET_NEON_OVERLOAD_CHECK 362#include "clang/Basic/arm_neon.inc" 363#undef GET_NEON_OVERLOAD_CHECK 364 } 365 366 // For NEON intrinsics which are overloaded on vector element type, validate 367 // the immediate which specifies which variant to emit. 368 unsigned ImmArg = TheCall->getNumArgs()-1; 369 if (mask) { 370 if (SemaBuiltinConstantArg(TheCall, ImmArg, Result)) 371 return true; 372 373 TV = Result.getLimitedValue(64); 374 if ((TV > 63) || (mask & (1ULL << TV)) == 0) 375 return Diag(TheCall->getLocStart(), diag::err_invalid_neon_type_code) 376 << TheCall->getArg(ImmArg)->getSourceRange(); 377 } 378 379 if (PtrArgNum >= 0) { 380 // Check that pointer arguments have the specified type. 381 Expr *Arg = TheCall->getArg(PtrArgNum); 382 if (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Arg)) 383 Arg = ICE->getSubExpr(); 384 ExprResult RHS = DefaultFunctionArrayLvalueConversion(Arg); 385 QualType RHSTy = RHS.get()->getType(); 386 QualType EltTy = getNeonEltType(NeonTypeFlags(TV), Context); 387 if (HasConstPtr) 388 EltTy = EltTy.withConst(); 389 QualType LHSTy = Context.getPointerType(EltTy); 390 AssignConvertType ConvTy; 391 ConvTy = CheckSingleAssignmentConstraints(LHSTy, RHS); 392 if (RHS.isInvalid()) 393 return true; 394 if (DiagnoseAssignmentResult(ConvTy, Arg->getLocStart(), LHSTy, RHSTy, 395 RHS.get(), AA_Assigning)) 396 return true; 397 } 398 399 // For NEON intrinsics which take an immediate value as part of the 400 // instruction, range check them here. 401 unsigned i = 0, l = 0, u = 0; 402 switch (BuiltinID) { 403 default: return false; 404 case ARM::BI__builtin_arm_ssat: i = 1; l = 1; u = 31; break; 405 case ARM::BI__builtin_arm_usat: i = 1; u = 31; break; 406 case ARM::BI__builtin_arm_vcvtr_f: 407 case ARM::BI__builtin_arm_vcvtr_d: i = 1; u = 1; break; 408#define GET_NEON_IMMEDIATE_CHECK 409#include "clang/Basic/arm_neon.inc" 410#undef GET_NEON_IMMEDIATE_CHECK 411 }; 412 413 // We can't check the value of a dependent argument. 414 if (TheCall->getArg(i)->isTypeDependent() || 415 TheCall->getArg(i)->isValueDependent()) 416 return false; 417 418 // Check that the immediate argument is actually a constant. 419 if (SemaBuiltinConstantArg(TheCall, i, Result)) 420 return true; 421 422 // Range check against the upper/lower values for this isntruction. 423 unsigned Val = Result.getZExtValue(); 424 if (Val < l || Val > (u + l)) 425 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 426 << l << u+l << TheCall->getArg(i)->getSourceRange(); 427 428 // FIXME: VFP Intrinsics should error if VFP not present. 429 return false; 430} 431 432bool Sema::CheckMipsBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 433 unsigned i = 0, l = 0, u = 0; 434 switch (BuiltinID) { 435 default: return false; 436 case Mips::BI__builtin_mips_wrdsp: i = 1; l = 0; u = 63; break; 437 case Mips::BI__builtin_mips_rddsp: i = 0; l = 0; u = 63; break; 438 case Mips::BI__builtin_mips_append: i = 2; l = 0; u = 31; break; 439 case Mips::BI__builtin_mips_balign: i = 2; l = 0; u = 3; break; 440 case Mips::BI__builtin_mips_precr_sra_ph_w: i = 2; l = 0; u = 31; break; 441 case Mips::BI__builtin_mips_precr_sra_r_ph_w: i = 2; l = 0; u = 31; break; 442 case Mips::BI__builtin_mips_prepend: i = 2; l = 0; u = 31; break; 443 }; 444 445 // We can't check the value of a dependent argument. 446 if (TheCall->getArg(i)->isTypeDependent() || 447 TheCall->getArg(i)->isValueDependent()) 448 return false; 449 450 // Check that the immediate argument is actually a constant. 451 llvm::APSInt Result; 452 if (SemaBuiltinConstantArg(TheCall, i, Result)) 453 return true; 454 455 // Range check against the upper/lower values for this instruction. 456 unsigned Val = Result.getZExtValue(); 457 if (Val < l || Val > u) 458 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 459 << l << u << TheCall->getArg(i)->getSourceRange(); 460 461 return false; 462} 463 464/// Given a FunctionDecl's FormatAttr, attempts to populate the FomatStringInfo 465/// parameter with the FormatAttr's correct format_idx and firstDataArg. 466/// Returns true when the format fits the function and the FormatStringInfo has 467/// been populated. 468bool Sema::getFormatStringInfo(const FormatAttr *Format, bool IsCXXMember, 469 FormatStringInfo *FSI) { 470 FSI->HasVAListArg = Format->getFirstArg() == 0; 471 FSI->FormatIdx = Format->getFormatIdx() - 1; 472 FSI->FirstDataArg = FSI->HasVAListArg ? 0 : Format->getFirstArg() - 1; 473 474 // The way the format attribute works in GCC, the implicit this argument 475 // of member functions is counted. However, it doesn't appear in our own 476 // lists, so decrement format_idx in that case. 477 if (IsCXXMember) { 478 if(FSI->FormatIdx == 0) 479 return false; 480 --FSI->FormatIdx; 481 if (FSI->FirstDataArg != 0) 482 --FSI->FirstDataArg; 483 } 484 return true; 485} 486 487/// Handles the checks for format strings, non-POD arguments to vararg 488/// functions, and NULL arguments passed to non-NULL parameters. 489void Sema::checkCall(NamedDecl *FDecl, Expr **Args, 490 unsigned NumArgs, 491 unsigned NumProtoArgs, 492 bool IsMemberFunction, 493 SourceLocation Loc, 494 SourceRange Range, 495 VariadicCallType CallType) { 496 if (CurContext->isDependentContext()) 497 return; 498 499 // Printf and scanf checking. 500 bool HandledFormatString = false; 501 for (specific_attr_iterator<FormatAttr> 502 I = FDecl->specific_attr_begin<FormatAttr>(), 503 E = FDecl->specific_attr_end<FormatAttr>(); I != E ; ++I) 504 if (CheckFormatArguments(*I, Args, NumArgs, IsMemberFunction, CallType, 505 Loc, Range)) 506 HandledFormatString = true; 507 508 // Refuse POD arguments that weren't caught by the format string 509 // checks above. 510 if (!HandledFormatString && CallType != VariadicDoesNotApply) 511 for (unsigned ArgIdx = NumProtoArgs; ArgIdx < NumArgs; ++ArgIdx) { 512 // Args[ArgIdx] can be null in malformed code. 513 if (Expr *Arg = Args[ArgIdx]) 514 variadicArgumentPODCheck(Arg, CallType); 515 } 516 517 for (specific_attr_iterator<NonNullAttr> 518 I = FDecl->specific_attr_begin<NonNullAttr>(), 519 E = FDecl->specific_attr_end<NonNullAttr>(); I != E; ++I) 520 CheckNonNullArguments(*I, Args, Loc); 521 522 // Type safety checking. 523 for (specific_attr_iterator<ArgumentWithTypeTagAttr> 524 i = FDecl->specific_attr_begin<ArgumentWithTypeTagAttr>(), 525 e = FDecl->specific_attr_end<ArgumentWithTypeTagAttr>(); i != e; ++i) { 526 CheckArgumentWithTypeTag(*i, Args); 527 } 528} 529 530/// CheckConstructorCall - Check a constructor call for correctness and safety 531/// properties not enforced by the C type system. 532void Sema::CheckConstructorCall(FunctionDecl *FDecl, Expr **Args, 533 unsigned NumArgs, 534 const FunctionProtoType *Proto, 535 SourceLocation Loc) { 536 VariadicCallType CallType = 537 Proto->isVariadic() ? VariadicConstructor : VariadicDoesNotApply; 538 checkCall(FDecl, Args, NumArgs, Proto->getNumArgs(), 539 /*IsMemberFunction=*/true, Loc, SourceRange(), CallType); 540} 541 542/// CheckFunctionCall - Check a direct function call for various correctness 543/// and safety properties not strictly enforced by the C type system. 544bool Sema::CheckFunctionCall(FunctionDecl *FDecl, CallExpr *TheCall, 545 const FunctionProtoType *Proto) { 546 bool IsMemberOperatorCall = isa<CXXOperatorCallExpr>(TheCall) && 547 isa<CXXMethodDecl>(FDecl); 548 bool IsMemberFunction = isa<CXXMemberCallExpr>(TheCall) || 549 IsMemberOperatorCall; 550 VariadicCallType CallType = getVariadicCallType(FDecl, Proto, 551 TheCall->getCallee()); 552 unsigned NumProtoArgs = Proto ? Proto->getNumArgs() : 0; 553 Expr** Args = TheCall->getArgs(); 554 unsigned NumArgs = TheCall->getNumArgs(); 555 if (IsMemberOperatorCall) { 556 // If this is a call to a member operator, hide the first argument 557 // from checkCall. 558 // FIXME: Our choice of AST representation here is less than ideal. 559 ++Args; 560 --NumArgs; 561 } 562 checkCall(FDecl, Args, NumArgs, NumProtoArgs, 563 IsMemberFunction, TheCall->getRParenLoc(), 564 TheCall->getCallee()->getSourceRange(), CallType); 565 566 IdentifierInfo *FnInfo = FDecl->getIdentifier(); 567 // None of the checks below are needed for functions that don't have 568 // simple names (e.g., C++ conversion functions). 569 if (!FnInfo) 570 return false; 571 572 unsigned CMId = FDecl->getMemoryFunctionKind(); 573 if (CMId == 0) 574 return false; 575 576 // Handle memory setting and copying functions. 577 if (CMId == Builtin::BIstrlcpy || CMId == Builtin::BIstrlcat) 578 CheckStrlcpycatArguments(TheCall, FnInfo); 579 else if (CMId == Builtin::BIstrncat) 580 CheckStrncatArguments(TheCall, FnInfo); 581 else 582 CheckMemaccessArguments(TheCall, CMId, FnInfo); 583 584 return false; 585} 586 587bool Sema::CheckObjCMethodCall(ObjCMethodDecl *Method, SourceLocation lbrac, 588 Expr **Args, unsigned NumArgs) { 589 VariadicCallType CallType = 590 Method->isVariadic() ? VariadicMethod : VariadicDoesNotApply; 591 592 checkCall(Method, Args, NumArgs, Method->param_size(), 593 /*IsMemberFunction=*/false, 594 lbrac, Method->getSourceRange(), CallType); 595 596 return false; 597} 598 599bool Sema::CheckBlockCall(NamedDecl *NDecl, CallExpr *TheCall, 600 const FunctionProtoType *Proto) { 601 const VarDecl *V = dyn_cast<VarDecl>(NDecl); 602 if (!V) 603 return false; 604 605 QualType Ty = V->getType(); 606 if (!Ty->isBlockPointerType()) 607 return false; 608 609 VariadicCallType CallType = 610 Proto && Proto->isVariadic() ? VariadicBlock : VariadicDoesNotApply ; 611 unsigned NumProtoArgs = Proto ? Proto->getNumArgs() : 0; 612 613 checkCall(NDecl, TheCall->getArgs(), TheCall->getNumArgs(), 614 NumProtoArgs, /*IsMemberFunction=*/false, 615 TheCall->getRParenLoc(), 616 TheCall->getCallee()->getSourceRange(), CallType); 617 618 return false; 619} 620 621ExprResult Sema::SemaAtomicOpsOverloaded(ExprResult TheCallResult, 622 AtomicExpr::AtomicOp Op) { 623 CallExpr *TheCall = cast<CallExpr>(TheCallResult.get()); 624 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 625 626 // All these operations take one of the following forms: 627 enum { 628 // C __c11_atomic_init(A *, C) 629 Init, 630 // C __c11_atomic_load(A *, int) 631 Load, 632 // void __atomic_load(A *, CP, int) 633 Copy, 634 // C __c11_atomic_add(A *, M, int) 635 Arithmetic, 636 // C __atomic_exchange_n(A *, CP, int) 637 Xchg, 638 // void __atomic_exchange(A *, C *, CP, int) 639 GNUXchg, 640 // bool __c11_atomic_compare_exchange_strong(A *, C *, CP, int, int) 641 C11CmpXchg, 642 // bool __atomic_compare_exchange(A *, C *, CP, bool, int, int) 643 GNUCmpXchg 644 } Form = Init; 645 const unsigned NumArgs[] = { 2, 2, 3, 3, 3, 4, 5, 6 }; 646 const unsigned NumVals[] = { 1, 0, 1, 1, 1, 2, 2, 3 }; 647 // where: 648 // C is an appropriate type, 649 // A is volatile _Atomic(C) for __c11 builtins and is C for GNU builtins, 650 // CP is C for __c11 builtins and GNU _n builtins and is C * otherwise, 651 // M is C if C is an integer, and ptrdiff_t if C is a pointer, and 652 // the int parameters are for orderings. 653 654 assert(AtomicExpr::AO__c11_atomic_init == 0 && 655 AtomicExpr::AO__c11_atomic_fetch_xor + 1 == AtomicExpr::AO__atomic_load 656 && "need to update code for modified C11 atomics"); 657 bool IsC11 = Op >= AtomicExpr::AO__c11_atomic_init && 658 Op <= AtomicExpr::AO__c11_atomic_fetch_xor; 659 bool IsN = Op == AtomicExpr::AO__atomic_load_n || 660 Op == AtomicExpr::AO__atomic_store_n || 661 Op == AtomicExpr::AO__atomic_exchange_n || 662 Op == AtomicExpr::AO__atomic_compare_exchange_n; 663 bool IsAddSub = false; 664 665 switch (Op) { 666 case AtomicExpr::AO__c11_atomic_init: 667 Form = Init; 668 break; 669 670 case AtomicExpr::AO__c11_atomic_load: 671 case AtomicExpr::AO__atomic_load_n: 672 Form = Load; 673 break; 674 675 case AtomicExpr::AO__c11_atomic_store: 676 case AtomicExpr::AO__atomic_load: 677 case AtomicExpr::AO__atomic_store: 678 case AtomicExpr::AO__atomic_store_n: 679 Form = Copy; 680 break; 681 682 case AtomicExpr::AO__c11_atomic_fetch_add: 683 case AtomicExpr::AO__c11_atomic_fetch_sub: 684 case AtomicExpr::AO__atomic_fetch_add: 685 case AtomicExpr::AO__atomic_fetch_sub: 686 case AtomicExpr::AO__atomic_add_fetch: 687 case AtomicExpr::AO__atomic_sub_fetch: 688 IsAddSub = true; 689 // Fall through. 690 case AtomicExpr::AO__c11_atomic_fetch_and: 691 case AtomicExpr::AO__c11_atomic_fetch_or: 692 case AtomicExpr::AO__c11_atomic_fetch_xor: 693 case AtomicExpr::AO__atomic_fetch_and: 694 case AtomicExpr::AO__atomic_fetch_or: 695 case AtomicExpr::AO__atomic_fetch_xor: 696 case AtomicExpr::AO__atomic_fetch_nand: 697 case AtomicExpr::AO__atomic_and_fetch: 698 case AtomicExpr::AO__atomic_or_fetch: 699 case AtomicExpr::AO__atomic_xor_fetch: 700 case AtomicExpr::AO__atomic_nand_fetch: 701 Form = Arithmetic; 702 break; 703 704 case AtomicExpr::AO__c11_atomic_exchange: 705 case AtomicExpr::AO__atomic_exchange_n: 706 Form = Xchg; 707 break; 708 709 case AtomicExpr::AO__atomic_exchange: 710 Form = GNUXchg; 711 break; 712 713 case AtomicExpr::AO__c11_atomic_compare_exchange_strong: 714 case AtomicExpr::AO__c11_atomic_compare_exchange_weak: 715 Form = C11CmpXchg; 716 break; 717 718 case AtomicExpr::AO__atomic_compare_exchange: 719 case AtomicExpr::AO__atomic_compare_exchange_n: 720 Form = GNUCmpXchg; 721 break; 722 } 723 724 // Check we have the right number of arguments. 725 if (TheCall->getNumArgs() < NumArgs[Form]) { 726 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 727 << 0 << NumArgs[Form] << TheCall->getNumArgs() 728 << TheCall->getCallee()->getSourceRange(); 729 return ExprError(); 730 } else if (TheCall->getNumArgs() > NumArgs[Form]) { 731 Diag(TheCall->getArg(NumArgs[Form])->getLocStart(), 732 diag::err_typecheck_call_too_many_args) 733 << 0 << NumArgs[Form] << TheCall->getNumArgs() 734 << TheCall->getCallee()->getSourceRange(); 735 return ExprError(); 736 } 737 738 // Inspect the first argument of the atomic operation. 739 Expr *Ptr = TheCall->getArg(0); 740 Ptr = DefaultFunctionArrayLvalueConversion(Ptr).get(); 741 const PointerType *pointerType = Ptr->getType()->getAs<PointerType>(); 742 if (!pointerType) { 743 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 744 << Ptr->getType() << Ptr->getSourceRange(); 745 return ExprError(); 746 } 747 748 // For a __c11 builtin, this should be a pointer to an _Atomic type. 749 QualType AtomTy = pointerType->getPointeeType(); // 'A' 750 QualType ValType = AtomTy; // 'C' 751 if (IsC11) { 752 if (!AtomTy->isAtomicType()) { 753 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic) 754 << Ptr->getType() << Ptr->getSourceRange(); 755 return ExprError(); 756 } 757 if (AtomTy.isConstQualified()) { 758 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_non_const_atomic) 759 << Ptr->getType() << Ptr->getSourceRange(); 760 return ExprError(); 761 } 762 ValType = AtomTy->getAs<AtomicType>()->getValueType(); 763 } 764 765 // For an arithmetic operation, the implied arithmetic must be well-formed. 766 if (Form == Arithmetic) { 767 // gcc does not enforce these rules for GNU atomics, but we do so for sanity. 768 if (IsAddSub && !ValType->isIntegerType() && !ValType->isPointerType()) { 769 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic_int_or_ptr) 770 << IsC11 << Ptr->getType() << Ptr->getSourceRange(); 771 return ExprError(); 772 } 773 if (!IsAddSub && !ValType->isIntegerType()) { 774 Diag(DRE->getLocStart(), diag::err_atomic_op_bitwise_needs_atomic_int) 775 << IsC11 << Ptr->getType() << Ptr->getSourceRange(); 776 return ExprError(); 777 } 778 } else if (IsN && !ValType->isIntegerType() && !ValType->isPointerType()) { 779 // For __atomic_*_n operations, the value type must be a scalar integral or 780 // pointer type which is 1, 2, 4, 8 or 16 bytes in length. 781 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic_int_or_ptr) 782 << IsC11 << Ptr->getType() << Ptr->getSourceRange(); 783 return ExprError(); 784 } 785 786 if (!IsC11 && !AtomTy.isTriviallyCopyableType(Context)) { 787 // For GNU atomics, require a trivially-copyable type. This is not part of 788 // the GNU atomics specification, but we enforce it for sanity. 789 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_trivial_copy) 790 << Ptr->getType() << Ptr->getSourceRange(); 791 return ExprError(); 792 } 793 794 // FIXME: For any builtin other than a load, the ValType must not be 795 // const-qualified. 796 797 switch (ValType.getObjCLifetime()) { 798 case Qualifiers::OCL_None: 799 case Qualifiers::OCL_ExplicitNone: 800 // okay 801 break; 802 803 case Qualifiers::OCL_Weak: 804 case Qualifiers::OCL_Strong: 805 case Qualifiers::OCL_Autoreleasing: 806 // FIXME: Can this happen? By this point, ValType should be known 807 // to be trivially copyable. 808 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 809 << ValType << Ptr->getSourceRange(); 810 return ExprError(); 811 } 812 813 QualType ResultType = ValType; 814 if (Form == Copy || Form == GNUXchg || Form == Init) 815 ResultType = Context.VoidTy; 816 else if (Form == C11CmpXchg || Form == GNUCmpXchg) 817 ResultType = Context.BoolTy; 818 819 // The type of a parameter passed 'by value'. In the GNU atomics, such 820 // arguments are actually passed as pointers. 821 QualType ByValType = ValType; // 'CP' 822 if (!IsC11 && !IsN) 823 ByValType = Ptr->getType(); 824 825 // The first argument --- the pointer --- has a fixed type; we 826 // deduce the types of the rest of the arguments accordingly. Walk 827 // the remaining arguments, converting them to the deduced value type. 828 for (unsigned i = 1; i != NumArgs[Form]; ++i) { 829 QualType Ty; 830 if (i < NumVals[Form] + 1) { 831 switch (i) { 832 case 1: 833 // The second argument is the non-atomic operand. For arithmetic, this 834 // is always passed by value, and for a compare_exchange it is always 835 // passed by address. For the rest, GNU uses by-address and C11 uses 836 // by-value. 837 assert(Form != Load); 838 if (Form == Init || (Form == Arithmetic && ValType->isIntegerType())) 839 Ty = ValType; 840 else if (Form == Copy || Form == Xchg) 841 Ty = ByValType; 842 else if (Form == Arithmetic) 843 Ty = Context.getPointerDiffType(); 844 else 845 Ty = Context.getPointerType(ValType.getUnqualifiedType()); 846 break; 847 case 2: 848 // The third argument to compare_exchange / GNU exchange is a 849 // (pointer to a) desired value. 850 Ty = ByValType; 851 break; 852 case 3: 853 // The fourth argument to GNU compare_exchange is a 'weak' flag. 854 Ty = Context.BoolTy; 855 break; 856 } 857 } else { 858 // The order(s) are always converted to int. 859 Ty = Context.IntTy; 860 } 861 862 InitializedEntity Entity = 863 InitializedEntity::InitializeParameter(Context, Ty, false); 864 ExprResult Arg = TheCall->getArg(i); 865 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg); 866 if (Arg.isInvalid()) 867 return true; 868 TheCall->setArg(i, Arg.get()); 869 } 870 871 // Permute the arguments into a 'consistent' order. 872 SmallVector<Expr*, 5> SubExprs; 873 SubExprs.push_back(Ptr); 874 switch (Form) { 875 case Init: 876 // Note, AtomicExpr::getVal1() has a special case for this atomic. 877 SubExprs.push_back(TheCall->getArg(1)); // Val1 878 break; 879 case Load: 880 SubExprs.push_back(TheCall->getArg(1)); // Order 881 break; 882 case Copy: 883 case Arithmetic: 884 case Xchg: 885 SubExprs.push_back(TheCall->getArg(2)); // Order 886 SubExprs.push_back(TheCall->getArg(1)); // Val1 887 break; 888 case GNUXchg: 889 // Note, AtomicExpr::getVal2() has a special case for this atomic. 890 SubExprs.push_back(TheCall->getArg(3)); // Order 891 SubExprs.push_back(TheCall->getArg(1)); // Val1 892 SubExprs.push_back(TheCall->getArg(2)); // Val2 893 break; 894 case C11CmpXchg: 895 SubExprs.push_back(TheCall->getArg(3)); // Order 896 SubExprs.push_back(TheCall->getArg(1)); // Val1 897 SubExprs.push_back(TheCall->getArg(4)); // OrderFail 898 SubExprs.push_back(TheCall->getArg(2)); // Val2 899 break; 900 case GNUCmpXchg: 901 SubExprs.push_back(TheCall->getArg(4)); // Order 902 SubExprs.push_back(TheCall->getArg(1)); // Val1 903 SubExprs.push_back(TheCall->getArg(5)); // OrderFail 904 SubExprs.push_back(TheCall->getArg(2)); // Val2 905 SubExprs.push_back(TheCall->getArg(3)); // Weak 906 break; 907 } 908 909 return Owned(new (Context) AtomicExpr(TheCall->getCallee()->getLocStart(), 910 SubExprs, ResultType, Op, 911 TheCall->getRParenLoc())); 912} 913 914 915/// checkBuiltinArgument - Given a call to a builtin function, perform 916/// normal type-checking on the given argument, updating the call in 917/// place. This is useful when a builtin function requires custom 918/// type-checking for some of its arguments but not necessarily all of 919/// them. 920/// 921/// Returns true on error. 922static bool checkBuiltinArgument(Sema &S, CallExpr *E, unsigned ArgIndex) { 923 FunctionDecl *Fn = E->getDirectCallee(); 924 assert(Fn && "builtin call without direct callee!"); 925 926 ParmVarDecl *Param = Fn->getParamDecl(ArgIndex); 927 InitializedEntity Entity = 928 InitializedEntity::InitializeParameter(S.Context, Param); 929 930 ExprResult Arg = E->getArg(0); 931 Arg = S.PerformCopyInitialization(Entity, SourceLocation(), Arg); 932 if (Arg.isInvalid()) 933 return true; 934 935 E->setArg(ArgIndex, Arg.take()); 936 return false; 937} 938 939/// SemaBuiltinAtomicOverloaded - We have a call to a function like 940/// __sync_fetch_and_add, which is an overloaded function based on the pointer 941/// type of its first argument. The main ActOnCallExpr routines have already 942/// promoted the types of arguments because all of these calls are prototyped as 943/// void(...). 944/// 945/// This function goes through and does final semantic checking for these 946/// builtins, 947ExprResult 948Sema::SemaBuiltinAtomicOverloaded(ExprResult TheCallResult) { 949 CallExpr *TheCall = (CallExpr *)TheCallResult.get(); 950 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 951 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 952 953 // Ensure that we have at least one argument to do type inference from. 954 if (TheCall->getNumArgs() < 1) { 955 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 956 << 0 << 1 << TheCall->getNumArgs() 957 << TheCall->getCallee()->getSourceRange(); 958 return ExprError(); 959 } 960 961 // Inspect the first argument of the atomic builtin. This should always be 962 // a pointer type, whose element is an integral scalar or pointer type. 963 // Because it is a pointer type, we don't have to worry about any implicit 964 // casts here. 965 // FIXME: We don't allow floating point scalars as input. 966 Expr *FirstArg = TheCall->getArg(0); 967 ExprResult FirstArgResult = DefaultFunctionArrayLvalueConversion(FirstArg); 968 if (FirstArgResult.isInvalid()) 969 return ExprError(); 970 FirstArg = FirstArgResult.take(); 971 TheCall->setArg(0, FirstArg); 972 973 const PointerType *pointerType = FirstArg->getType()->getAs<PointerType>(); 974 if (!pointerType) { 975 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 976 << FirstArg->getType() << FirstArg->getSourceRange(); 977 return ExprError(); 978 } 979 980 QualType ValType = pointerType->getPointeeType(); 981 if (!ValType->isIntegerType() && !ValType->isAnyPointerType() && 982 !ValType->isBlockPointerType()) { 983 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer_intptr) 984 << FirstArg->getType() << FirstArg->getSourceRange(); 985 return ExprError(); 986 } 987 988 switch (ValType.getObjCLifetime()) { 989 case Qualifiers::OCL_None: 990 case Qualifiers::OCL_ExplicitNone: 991 // okay 992 break; 993 994 case Qualifiers::OCL_Weak: 995 case Qualifiers::OCL_Strong: 996 case Qualifiers::OCL_Autoreleasing: 997 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 998 << ValType << FirstArg->getSourceRange(); 999 return ExprError(); 1000 } 1001 1002 // Strip any qualifiers off ValType. 1003 ValType = ValType.getUnqualifiedType(); 1004 1005 // The majority of builtins return a value, but a few have special return 1006 // types, so allow them to override appropriately below. 1007 QualType ResultType = ValType; 1008 1009 // We need to figure out which concrete builtin this maps onto. For example, 1010 // __sync_fetch_and_add with a 2 byte object turns into 1011 // __sync_fetch_and_add_2. 1012#define BUILTIN_ROW(x) \ 1013 { Builtin::BI##x##_1, Builtin::BI##x##_2, Builtin::BI##x##_4, \ 1014 Builtin::BI##x##_8, Builtin::BI##x##_16 } 1015 1016 static const unsigned BuiltinIndices[][5] = { 1017 BUILTIN_ROW(__sync_fetch_and_add), 1018 BUILTIN_ROW(__sync_fetch_and_sub), 1019 BUILTIN_ROW(__sync_fetch_and_or), 1020 BUILTIN_ROW(__sync_fetch_and_and), 1021 BUILTIN_ROW(__sync_fetch_and_xor), 1022 1023 BUILTIN_ROW(__sync_add_and_fetch), 1024 BUILTIN_ROW(__sync_sub_and_fetch), 1025 BUILTIN_ROW(__sync_and_and_fetch), 1026 BUILTIN_ROW(__sync_or_and_fetch), 1027 BUILTIN_ROW(__sync_xor_and_fetch), 1028 1029 BUILTIN_ROW(__sync_val_compare_and_swap), 1030 BUILTIN_ROW(__sync_bool_compare_and_swap), 1031 BUILTIN_ROW(__sync_lock_test_and_set), 1032 BUILTIN_ROW(__sync_lock_release), 1033 BUILTIN_ROW(__sync_swap) 1034 }; 1035#undef BUILTIN_ROW 1036 1037 // Determine the index of the size. 1038 unsigned SizeIndex; 1039 switch (Context.getTypeSizeInChars(ValType).getQuantity()) { 1040 case 1: SizeIndex = 0; break; 1041 case 2: SizeIndex = 1; break; 1042 case 4: SizeIndex = 2; break; 1043 case 8: SizeIndex = 3; break; 1044 case 16: SizeIndex = 4; break; 1045 default: 1046 Diag(DRE->getLocStart(), diag::err_atomic_builtin_pointer_size) 1047 << FirstArg->getType() << FirstArg->getSourceRange(); 1048 return ExprError(); 1049 } 1050 1051 // Each of these builtins has one pointer argument, followed by some number of 1052 // values (0, 1 or 2) followed by a potentially empty varags list of stuff 1053 // that we ignore. Find out which row of BuiltinIndices to read from as well 1054 // as the number of fixed args. 1055 unsigned BuiltinID = FDecl->getBuiltinID(); 1056 unsigned BuiltinIndex, NumFixed = 1; 1057 switch (BuiltinID) { 1058 default: llvm_unreachable("Unknown overloaded atomic builtin!"); 1059 case Builtin::BI__sync_fetch_and_add: 1060 case Builtin::BI__sync_fetch_and_add_1: 1061 case Builtin::BI__sync_fetch_and_add_2: 1062 case Builtin::BI__sync_fetch_and_add_4: 1063 case Builtin::BI__sync_fetch_and_add_8: 1064 case Builtin::BI__sync_fetch_and_add_16: 1065 BuiltinIndex = 0; 1066 break; 1067 1068 case Builtin::BI__sync_fetch_and_sub: 1069 case Builtin::BI__sync_fetch_and_sub_1: 1070 case Builtin::BI__sync_fetch_and_sub_2: 1071 case Builtin::BI__sync_fetch_and_sub_4: 1072 case Builtin::BI__sync_fetch_and_sub_8: 1073 case Builtin::BI__sync_fetch_and_sub_16: 1074 BuiltinIndex = 1; 1075 break; 1076 1077 case Builtin::BI__sync_fetch_and_or: 1078 case Builtin::BI__sync_fetch_and_or_1: 1079 case Builtin::BI__sync_fetch_and_or_2: 1080 case Builtin::BI__sync_fetch_and_or_4: 1081 case Builtin::BI__sync_fetch_and_or_8: 1082 case Builtin::BI__sync_fetch_and_or_16: 1083 BuiltinIndex = 2; 1084 break; 1085 1086 case Builtin::BI__sync_fetch_and_and: 1087 case Builtin::BI__sync_fetch_and_and_1: 1088 case Builtin::BI__sync_fetch_and_and_2: 1089 case Builtin::BI__sync_fetch_and_and_4: 1090 case Builtin::BI__sync_fetch_and_and_8: 1091 case Builtin::BI__sync_fetch_and_and_16: 1092 BuiltinIndex = 3; 1093 break; 1094 1095 case Builtin::BI__sync_fetch_and_xor: 1096 case Builtin::BI__sync_fetch_and_xor_1: 1097 case Builtin::BI__sync_fetch_and_xor_2: 1098 case Builtin::BI__sync_fetch_and_xor_4: 1099 case Builtin::BI__sync_fetch_and_xor_8: 1100 case Builtin::BI__sync_fetch_and_xor_16: 1101 BuiltinIndex = 4; 1102 break; 1103 1104 case Builtin::BI__sync_add_and_fetch: 1105 case Builtin::BI__sync_add_and_fetch_1: 1106 case Builtin::BI__sync_add_and_fetch_2: 1107 case Builtin::BI__sync_add_and_fetch_4: 1108 case Builtin::BI__sync_add_and_fetch_8: 1109 case Builtin::BI__sync_add_and_fetch_16: 1110 BuiltinIndex = 5; 1111 break; 1112 1113 case Builtin::BI__sync_sub_and_fetch: 1114 case Builtin::BI__sync_sub_and_fetch_1: 1115 case Builtin::BI__sync_sub_and_fetch_2: 1116 case Builtin::BI__sync_sub_and_fetch_4: 1117 case Builtin::BI__sync_sub_and_fetch_8: 1118 case Builtin::BI__sync_sub_and_fetch_16: 1119 BuiltinIndex = 6; 1120 break; 1121 1122 case Builtin::BI__sync_and_and_fetch: 1123 case Builtin::BI__sync_and_and_fetch_1: 1124 case Builtin::BI__sync_and_and_fetch_2: 1125 case Builtin::BI__sync_and_and_fetch_4: 1126 case Builtin::BI__sync_and_and_fetch_8: 1127 case Builtin::BI__sync_and_and_fetch_16: 1128 BuiltinIndex = 7; 1129 break; 1130 1131 case Builtin::BI__sync_or_and_fetch: 1132 case Builtin::BI__sync_or_and_fetch_1: 1133 case Builtin::BI__sync_or_and_fetch_2: 1134 case Builtin::BI__sync_or_and_fetch_4: 1135 case Builtin::BI__sync_or_and_fetch_8: 1136 case Builtin::BI__sync_or_and_fetch_16: 1137 BuiltinIndex = 8; 1138 break; 1139 1140 case Builtin::BI__sync_xor_and_fetch: 1141 case Builtin::BI__sync_xor_and_fetch_1: 1142 case Builtin::BI__sync_xor_and_fetch_2: 1143 case Builtin::BI__sync_xor_and_fetch_4: 1144 case Builtin::BI__sync_xor_and_fetch_8: 1145 case Builtin::BI__sync_xor_and_fetch_16: 1146 BuiltinIndex = 9; 1147 break; 1148 1149 case Builtin::BI__sync_val_compare_and_swap: 1150 case Builtin::BI__sync_val_compare_and_swap_1: 1151 case Builtin::BI__sync_val_compare_and_swap_2: 1152 case Builtin::BI__sync_val_compare_and_swap_4: 1153 case Builtin::BI__sync_val_compare_and_swap_8: 1154 case Builtin::BI__sync_val_compare_and_swap_16: 1155 BuiltinIndex = 10; 1156 NumFixed = 2; 1157 break; 1158 1159 case Builtin::BI__sync_bool_compare_and_swap: 1160 case Builtin::BI__sync_bool_compare_and_swap_1: 1161 case Builtin::BI__sync_bool_compare_and_swap_2: 1162 case Builtin::BI__sync_bool_compare_and_swap_4: 1163 case Builtin::BI__sync_bool_compare_and_swap_8: 1164 case Builtin::BI__sync_bool_compare_and_swap_16: 1165 BuiltinIndex = 11; 1166 NumFixed = 2; 1167 ResultType = Context.BoolTy; 1168 break; 1169 1170 case Builtin::BI__sync_lock_test_and_set: 1171 case Builtin::BI__sync_lock_test_and_set_1: 1172 case Builtin::BI__sync_lock_test_and_set_2: 1173 case Builtin::BI__sync_lock_test_and_set_4: 1174 case Builtin::BI__sync_lock_test_and_set_8: 1175 case Builtin::BI__sync_lock_test_and_set_16: 1176 BuiltinIndex = 12; 1177 break; 1178 1179 case Builtin::BI__sync_lock_release: 1180 case Builtin::BI__sync_lock_release_1: 1181 case Builtin::BI__sync_lock_release_2: 1182 case Builtin::BI__sync_lock_release_4: 1183 case Builtin::BI__sync_lock_release_8: 1184 case Builtin::BI__sync_lock_release_16: 1185 BuiltinIndex = 13; 1186 NumFixed = 0; 1187 ResultType = Context.VoidTy; 1188 break; 1189 1190 case Builtin::BI__sync_swap: 1191 case Builtin::BI__sync_swap_1: 1192 case Builtin::BI__sync_swap_2: 1193 case Builtin::BI__sync_swap_4: 1194 case Builtin::BI__sync_swap_8: 1195 case Builtin::BI__sync_swap_16: 1196 BuiltinIndex = 14; 1197 break; 1198 } 1199 1200 // Now that we know how many fixed arguments we expect, first check that we 1201 // have at least that many. 1202 if (TheCall->getNumArgs() < 1+NumFixed) { 1203 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 1204 << 0 << 1+NumFixed << TheCall->getNumArgs() 1205 << TheCall->getCallee()->getSourceRange(); 1206 return ExprError(); 1207 } 1208 1209 // Get the decl for the concrete builtin from this, we can tell what the 1210 // concrete integer type we should convert to is. 1211 unsigned NewBuiltinID = BuiltinIndices[BuiltinIndex][SizeIndex]; 1212 const char *NewBuiltinName = Context.BuiltinInfo.GetName(NewBuiltinID); 1213 FunctionDecl *NewBuiltinDecl; 1214 if (NewBuiltinID == BuiltinID) 1215 NewBuiltinDecl = FDecl; 1216 else { 1217 // Perform builtin lookup to avoid redeclaring it. 1218 DeclarationName DN(&Context.Idents.get(NewBuiltinName)); 1219 LookupResult Res(*this, DN, DRE->getLocStart(), LookupOrdinaryName); 1220 LookupName(Res, TUScope, /*AllowBuiltinCreation=*/true); 1221 assert(Res.getFoundDecl()); 1222 NewBuiltinDecl = dyn_cast<FunctionDecl>(Res.getFoundDecl()); 1223 if (NewBuiltinDecl == 0) 1224 return ExprError(); 1225 } 1226 1227 // The first argument --- the pointer --- has a fixed type; we 1228 // deduce the types of the rest of the arguments accordingly. Walk 1229 // the remaining arguments, converting them to the deduced value type. 1230 for (unsigned i = 0; i != NumFixed; ++i) { 1231 ExprResult Arg = TheCall->getArg(i+1); 1232 1233 // GCC does an implicit conversion to the pointer or integer ValType. This 1234 // can fail in some cases (1i -> int**), check for this error case now. 1235 // Initialize the argument. 1236 InitializedEntity Entity = InitializedEntity::InitializeParameter(Context, 1237 ValType, /*consume*/ false); 1238 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg); 1239 if (Arg.isInvalid()) 1240 return ExprError(); 1241 1242 // Okay, we have something that *can* be converted to the right type. Check 1243 // to see if there is a potentially weird extension going on here. This can 1244 // happen when you do an atomic operation on something like an char* and 1245 // pass in 42. The 42 gets converted to char. This is even more strange 1246 // for things like 45.123 -> char, etc. 1247 // FIXME: Do this check. 1248 TheCall->setArg(i+1, Arg.take()); 1249 } 1250 1251 ASTContext& Context = this->getASTContext(); 1252 1253 // Create a new DeclRefExpr to refer to the new decl. 1254 DeclRefExpr* NewDRE = DeclRefExpr::Create( 1255 Context, 1256 DRE->getQualifierLoc(), 1257 SourceLocation(), 1258 NewBuiltinDecl, 1259 /*enclosing*/ false, 1260 DRE->getLocation(), 1261 Context.BuiltinFnTy, 1262 DRE->getValueKind()); 1263 1264 // Set the callee in the CallExpr. 1265 // FIXME: This loses syntactic information. 1266 QualType CalleePtrTy = Context.getPointerType(NewBuiltinDecl->getType()); 1267 ExprResult PromotedCall = ImpCastExprToType(NewDRE, CalleePtrTy, 1268 CK_BuiltinFnToFnPtr); 1269 TheCall->setCallee(PromotedCall.take()); 1270 1271 // Change the result type of the call to match the original value type. This 1272 // is arbitrary, but the codegen for these builtins ins design to handle it 1273 // gracefully. 1274 TheCall->setType(ResultType); 1275 1276 return TheCallResult; 1277} 1278 1279/// CheckObjCString - Checks that the argument to the builtin 1280/// CFString constructor is correct 1281/// Note: It might also make sense to do the UTF-16 conversion here (would 1282/// simplify the backend). 1283bool Sema::CheckObjCString(Expr *Arg) { 1284 Arg = Arg->IgnoreParenCasts(); 1285 StringLiteral *Literal = dyn_cast<StringLiteral>(Arg); 1286 1287 if (!Literal || !Literal->isAscii()) { 1288 Diag(Arg->getLocStart(), diag::err_cfstring_literal_not_string_constant) 1289 << Arg->getSourceRange(); 1290 return true; 1291 } 1292 1293 if (Literal->containsNonAsciiOrNull()) { 1294 StringRef String = Literal->getString(); 1295 unsigned NumBytes = String.size(); 1296 SmallVector<UTF16, 128> ToBuf(NumBytes); 1297 const UTF8 *FromPtr = (const UTF8 *)String.data(); 1298 UTF16 *ToPtr = &ToBuf[0]; 1299 1300 ConversionResult Result = ConvertUTF8toUTF16(&FromPtr, FromPtr + NumBytes, 1301 &ToPtr, ToPtr + NumBytes, 1302 strictConversion); 1303 // Check for conversion failure. 1304 if (Result != conversionOK) 1305 Diag(Arg->getLocStart(), 1306 diag::warn_cfstring_truncated) << Arg->getSourceRange(); 1307 } 1308 return false; 1309} 1310 1311/// SemaBuiltinVAStart - Check the arguments to __builtin_va_start for validity. 1312/// Emit an error and return true on failure, return false on success. 1313bool Sema::SemaBuiltinVAStart(CallExpr *TheCall) { 1314 Expr *Fn = TheCall->getCallee(); 1315 if (TheCall->getNumArgs() > 2) { 1316 Diag(TheCall->getArg(2)->getLocStart(), 1317 diag::err_typecheck_call_too_many_args) 1318 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 1319 << Fn->getSourceRange() 1320 << SourceRange(TheCall->getArg(2)->getLocStart(), 1321 (*(TheCall->arg_end()-1))->getLocEnd()); 1322 return true; 1323 } 1324 1325 if (TheCall->getNumArgs() < 2) { 1326 return Diag(TheCall->getLocEnd(), 1327 diag::err_typecheck_call_too_few_args_at_least) 1328 << 0 /*function call*/ << 2 << TheCall->getNumArgs(); 1329 } 1330 1331 // Type-check the first argument normally. 1332 if (checkBuiltinArgument(*this, TheCall, 0)) 1333 return true; 1334 1335 // Determine whether the current function is variadic or not. 1336 BlockScopeInfo *CurBlock = getCurBlock(); 1337 bool isVariadic; 1338 if (CurBlock) 1339 isVariadic = CurBlock->TheDecl->isVariadic(); 1340 else if (FunctionDecl *FD = getCurFunctionDecl()) 1341 isVariadic = FD->isVariadic(); 1342 else 1343 isVariadic = getCurMethodDecl()->isVariadic(); 1344 1345 if (!isVariadic) { 1346 Diag(Fn->getLocStart(), diag::err_va_start_used_in_non_variadic_function); 1347 return true; 1348 } 1349 1350 // Verify that the second argument to the builtin is the last argument of the 1351 // current function or method. 1352 bool SecondArgIsLastNamedArgument = false; 1353 const Expr *Arg = TheCall->getArg(1)->IgnoreParenCasts(); 1354 1355 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Arg)) { 1356 if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(DR->getDecl())) { 1357 // FIXME: This isn't correct for methods (results in bogus warning). 1358 // Get the last formal in the current function. 1359 const ParmVarDecl *LastArg; 1360 if (CurBlock) 1361 LastArg = *(CurBlock->TheDecl->param_end()-1); 1362 else if (FunctionDecl *FD = getCurFunctionDecl()) 1363 LastArg = *(FD->param_end()-1); 1364 else 1365 LastArg = *(getCurMethodDecl()->param_end()-1); 1366 SecondArgIsLastNamedArgument = PV == LastArg; 1367 } 1368 } 1369 1370 if (!SecondArgIsLastNamedArgument) 1371 Diag(TheCall->getArg(1)->getLocStart(), 1372 diag::warn_second_parameter_of_va_start_not_last_named_argument); 1373 return false; 1374} 1375 1376/// SemaBuiltinUnorderedCompare - Handle functions like __builtin_isgreater and 1377/// friends. This is declared to take (...), so we have to check everything. 1378bool Sema::SemaBuiltinUnorderedCompare(CallExpr *TheCall) { 1379 if (TheCall->getNumArgs() < 2) 1380 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 1381 << 0 << 2 << TheCall->getNumArgs()/*function call*/; 1382 if (TheCall->getNumArgs() > 2) 1383 return Diag(TheCall->getArg(2)->getLocStart(), 1384 diag::err_typecheck_call_too_many_args) 1385 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 1386 << SourceRange(TheCall->getArg(2)->getLocStart(), 1387 (*(TheCall->arg_end()-1))->getLocEnd()); 1388 1389 ExprResult OrigArg0 = TheCall->getArg(0); 1390 ExprResult OrigArg1 = TheCall->getArg(1); 1391 1392 // Do standard promotions between the two arguments, returning their common 1393 // type. 1394 QualType Res = UsualArithmeticConversions(OrigArg0, OrigArg1, false); 1395 if (OrigArg0.isInvalid() || OrigArg1.isInvalid()) 1396 return true; 1397 1398 // Make sure any conversions are pushed back into the call; this is 1399 // type safe since unordered compare builtins are declared as "_Bool 1400 // foo(...)". 1401 TheCall->setArg(0, OrigArg0.get()); 1402 TheCall->setArg(1, OrigArg1.get()); 1403 1404 if (OrigArg0.get()->isTypeDependent() || OrigArg1.get()->isTypeDependent()) 1405 return false; 1406 1407 // If the common type isn't a real floating type, then the arguments were 1408 // invalid for this operation. 1409 if (Res.isNull() || !Res->isRealFloatingType()) 1410 return Diag(OrigArg0.get()->getLocStart(), 1411 diag::err_typecheck_call_invalid_ordered_compare) 1412 << OrigArg0.get()->getType() << OrigArg1.get()->getType() 1413 << SourceRange(OrigArg0.get()->getLocStart(), OrigArg1.get()->getLocEnd()); 1414 1415 return false; 1416} 1417 1418/// SemaBuiltinSemaBuiltinFPClassification - Handle functions like 1419/// __builtin_isnan and friends. This is declared to take (...), so we have 1420/// to check everything. We expect the last argument to be a floating point 1421/// value. 1422bool Sema::SemaBuiltinFPClassification(CallExpr *TheCall, unsigned NumArgs) { 1423 if (TheCall->getNumArgs() < NumArgs) 1424 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 1425 << 0 << NumArgs << TheCall->getNumArgs()/*function call*/; 1426 if (TheCall->getNumArgs() > NumArgs) 1427 return Diag(TheCall->getArg(NumArgs)->getLocStart(), 1428 diag::err_typecheck_call_too_many_args) 1429 << 0 /*function call*/ << NumArgs << TheCall->getNumArgs() 1430 << SourceRange(TheCall->getArg(NumArgs)->getLocStart(), 1431 (*(TheCall->arg_end()-1))->getLocEnd()); 1432 1433 Expr *OrigArg = TheCall->getArg(NumArgs-1); 1434 1435 if (OrigArg->isTypeDependent()) 1436 return false; 1437 1438 // This operation requires a non-_Complex floating-point number. 1439 if (!OrigArg->getType()->isRealFloatingType()) 1440 return Diag(OrigArg->getLocStart(), 1441 diag::err_typecheck_call_invalid_unary_fp) 1442 << OrigArg->getType() << OrigArg->getSourceRange(); 1443 1444 // If this is an implicit conversion from float -> double, remove it. 1445 if (ImplicitCastExpr *Cast = dyn_cast<ImplicitCastExpr>(OrigArg)) { 1446 Expr *CastArg = Cast->getSubExpr(); 1447 if (CastArg->getType()->isSpecificBuiltinType(BuiltinType::Float)) { 1448 assert(Cast->getType()->isSpecificBuiltinType(BuiltinType::Double) && 1449 "promotion from float to double is the only expected cast here"); 1450 Cast->setSubExpr(0); 1451 TheCall->setArg(NumArgs-1, CastArg); 1452 } 1453 } 1454 1455 return false; 1456} 1457 1458/// SemaBuiltinShuffleVector - Handle __builtin_shufflevector. 1459// This is declared to take (...), so we have to check everything. 1460ExprResult Sema::SemaBuiltinShuffleVector(CallExpr *TheCall) { 1461 if (TheCall->getNumArgs() < 2) 1462 return ExprError(Diag(TheCall->getLocEnd(), 1463 diag::err_typecheck_call_too_few_args_at_least) 1464 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 1465 << TheCall->getSourceRange()); 1466 1467 // Determine which of the following types of shufflevector we're checking: 1468 // 1) unary, vector mask: (lhs, mask) 1469 // 2) binary, vector mask: (lhs, rhs, mask) 1470 // 3) binary, scalar mask: (lhs, rhs, index, ..., index) 1471 QualType resType = TheCall->getArg(0)->getType(); 1472 unsigned numElements = 0; 1473 1474 if (!TheCall->getArg(0)->isTypeDependent() && 1475 !TheCall->getArg(1)->isTypeDependent()) { 1476 QualType LHSType = TheCall->getArg(0)->getType(); 1477 QualType RHSType = TheCall->getArg(1)->getType(); 1478 1479 if (!LHSType->isVectorType() || !RHSType->isVectorType()) { 1480 Diag(TheCall->getLocStart(), diag::err_shufflevector_non_vector) 1481 << SourceRange(TheCall->getArg(0)->getLocStart(), 1482 TheCall->getArg(1)->getLocEnd()); 1483 return ExprError(); 1484 } 1485 1486 numElements = LHSType->getAs<VectorType>()->getNumElements(); 1487 unsigned numResElements = TheCall->getNumArgs() - 2; 1488 1489 // Check to see if we have a call with 2 vector arguments, the unary shuffle 1490 // with mask. If so, verify that RHS is an integer vector type with the 1491 // same number of elts as lhs. 1492 if (TheCall->getNumArgs() == 2) { 1493 if (!RHSType->hasIntegerRepresentation() || 1494 RHSType->getAs<VectorType>()->getNumElements() != numElements) 1495 Diag(TheCall->getLocStart(), diag::err_shufflevector_incompatible_vector) 1496 << SourceRange(TheCall->getArg(1)->getLocStart(), 1497 TheCall->getArg(1)->getLocEnd()); 1498 numResElements = numElements; 1499 } 1500 else if (!Context.hasSameUnqualifiedType(LHSType, RHSType)) { 1501 Diag(TheCall->getLocStart(), diag::err_shufflevector_incompatible_vector) 1502 << SourceRange(TheCall->getArg(0)->getLocStart(), 1503 TheCall->getArg(1)->getLocEnd()); 1504 return ExprError(); 1505 } else if (numElements != numResElements) { 1506 QualType eltType = LHSType->getAs<VectorType>()->getElementType(); 1507 resType = Context.getVectorType(eltType, numResElements, 1508 VectorType::GenericVector); 1509 } 1510 } 1511 1512 for (unsigned i = 2; i < TheCall->getNumArgs(); i++) { 1513 if (TheCall->getArg(i)->isTypeDependent() || 1514 TheCall->getArg(i)->isValueDependent()) 1515 continue; 1516 1517 llvm::APSInt Result(32); 1518 if (!TheCall->getArg(i)->isIntegerConstantExpr(Result, Context)) 1519 return ExprError(Diag(TheCall->getLocStart(), 1520 diag::err_shufflevector_nonconstant_argument) 1521 << TheCall->getArg(i)->getSourceRange()); 1522 1523 if (Result.getActiveBits() > 64 || Result.getZExtValue() >= numElements*2) 1524 return ExprError(Diag(TheCall->getLocStart(), 1525 diag::err_shufflevector_argument_too_large) 1526 << TheCall->getArg(i)->getSourceRange()); 1527 } 1528 1529 SmallVector<Expr*, 32> exprs; 1530 1531 for (unsigned i = 0, e = TheCall->getNumArgs(); i != e; i++) { 1532 exprs.push_back(TheCall->getArg(i)); 1533 TheCall->setArg(i, 0); 1534 } 1535 1536 return Owned(new (Context) ShuffleVectorExpr(Context, exprs, resType, 1537 TheCall->getCallee()->getLocStart(), 1538 TheCall->getRParenLoc())); 1539} 1540 1541/// SemaBuiltinPrefetch - Handle __builtin_prefetch. 1542// This is declared to take (const void*, ...) and can take two 1543// optional constant int args. 1544bool Sema::SemaBuiltinPrefetch(CallExpr *TheCall) { 1545 unsigned NumArgs = TheCall->getNumArgs(); 1546 1547 if (NumArgs > 3) 1548 return Diag(TheCall->getLocEnd(), 1549 diag::err_typecheck_call_too_many_args_at_most) 1550 << 0 /*function call*/ << 3 << NumArgs 1551 << TheCall->getSourceRange(); 1552 1553 // Argument 0 is checked for us and the remaining arguments must be 1554 // constant integers. 1555 for (unsigned i = 1; i != NumArgs; ++i) { 1556 Expr *Arg = TheCall->getArg(i); 1557 1558 // We can't check the value of a dependent argument. 1559 if (Arg->isTypeDependent() || Arg->isValueDependent()) 1560 continue; 1561 1562 llvm::APSInt Result; 1563 if (SemaBuiltinConstantArg(TheCall, i, Result)) 1564 return true; 1565 1566 // FIXME: gcc issues a warning and rewrites these to 0. These 1567 // seems especially odd for the third argument since the default 1568 // is 3. 1569 if (i == 1) { 1570 if (Result.getLimitedValue() > 1) 1571 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 1572 << "0" << "1" << Arg->getSourceRange(); 1573 } else { 1574 if (Result.getLimitedValue() > 3) 1575 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 1576 << "0" << "3" << Arg->getSourceRange(); 1577 } 1578 } 1579 1580 return false; 1581} 1582 1583/// SemaBuiltinConstantArg - Handle a check if argument ArgNum of CallExpr 1584/// TheCall is a constant expression. 1585bool Sema::SemaBuiltinConstantArg(CallExpr *TheCall, int ArgNum, 1586 llvm::APSInt &Result) { 1587 Expr *Arg = TheCall->getArg(ArgNum); 1588 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 1589 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 1590 1591 if (Arg->isTypeDependent() || Arg->isValueDependent()) return false; 1592 1593 if (!Arg->isIntegerConstantExpr(Result, Context)) 1594 return Diag(TheCall->getLocStart(), diag::err_constant_integer_arg_type) 1595 << FDecl->getDeclName() << Arg->getSourceRange(); 1596 1597 return false; 1598} 1599 1600/// SemaBuiltinObjectSize - Handle __builtin_object_size(void *ptr, 1601/// int type). This simply type checks that type is one of the defined 1602/// constants (0-3). 1603// For compatibility check 0-3, llvm only handles 0 and 2. 1604bool Sema::SemaBuiltinObjectSize(CallExpr *TheCall) { 1605 llvm::APSInt Result; 1606 1607 // We can't check the value of a dependent argument. 1608 if (TheCall->getArg(1)->isTypeDependent() || 1609 TheCall->getArg(1)->isValueDependent()) 1610 return false; 1611 1612 // Check constant-ness first. 1613 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 1614 return true; 1615 1616 Expr *Arg = TheCall->getArg(1); 1617 if (Result.getSExtValue() < 0 || Result.getSExtValue() > 3) { 1618 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 1619 << "0" << "3" << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 1620 } 1621 1622 return false; 1623} 1624 1625/// SemaBuiltinLongjmp - Handle __builtin_longjmp(void *env[5], int val). 1626/// This checks that val is a constant 1. 1627bool Sema::SemaBuiltinLongjmp(CallExpr *TheCall) { 1628 Expr *Arg = TheCall->getArg(1); 1629 llvm::APSInt Result; 1630 1631 // TODO: This is less than ideal. Overload this to take a value. 1632 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 1633 return true; 1634 1635 if (Result != 1) 1636 return Diag(TheCall->getLocStart(), diag::err_builtin_longjmp_invalid_val) 1637 << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 1638 1639 return false; 1640} 1641 1642// Determine if an expression is a string literal or constant string. 1643// If this function returns false on the arguments to a function expecting a 1644// format string, we will usually need to emit a warning. 1645// True string literals are then checked by CheckFormatString. 1646Sema::StringLiteralCheckType 1647Sema::checkFormatStringExpr(const Expr *E, Expr **Args, 1648 unsigned NumArgs, bool HasVAListArg, 1649 unsigned format_idx, unsigned firstDataArg, 1650 FormatStringType Type, VariadicCallType CallType, 1651 bool inFunctionCall) { 1652 tryAgain: 1653 if (E->isTypeDependent() || E->isValueDependent()) 1654 return SLCT_NotALiteral; 1655 1656 E = E->IgnoreParenCasts(); 1657 1658 if (E->isNullPointerConstant(Context, Expr::NPC_ValueDependentIsNotNull)) 1659 // Technically -Wformat-nonliteral does not warn about this case. 1660 // The behavior of printf and friends in this case is implementation 1661 // dependent. Ideally if the format string cannot be null then 1662 // it should have a 'nonnull' attribute in the function prototype. 1663 return SLCT_CheckedLiteral; 1664 1665 switch (E->getStmtClass()) { 1666 case Stmt::BinaryConditionalOperatorClass: 1667 case Stmt::ConditionalOperatorClass: { 1668 // The expression is a literal if both sub-expressions were, and it was 1669 // completely checked only if both sub-expressions were checked. 1670 const AbstractConditionalOperator *C = 1671 cast<AbstractConditionalOperator>(E); 1672 StringLiteralCheckType Left = 1673 checkFormatStringExpr(C->getTrueExpr(), Args, NumArgs, 1674 HasVAListArg, format_idx, firstDataArg, 1675 Type, CallType, inFunctionCall); 1676 if (Left == SLCT_NotALiteral) 1677 return SLCT_NotALiteral; 1678 StringLiteralCheckType Right = 1679 checkFormatStringExpr(C->getFalseExpr(), Args, NumArgs, 1680 HasVAListArg, format_idx, firstDataArg, 1681 Type, CallType, inFunctionCall); 1682 return Left < Right ? Left : Right; 1683 } 1684 1685 case Stmt::ImplicitCastExprClass: { 1686 E = cast<ImplicitCastExpr>(E)->getSubExpr(); 1687 goto tryAgain; 1688 } 1689 1690 case Stmt::OpaqueValueExprClass: 1691 if (const Expr *src = cast<OpaqueValueExpr>(E)->getSourceExpr()) { 1692 E = src; 1693 goto tryAgain; 1694 } 1695 return SLCT_NotALiteral; 1696 1697 case Stmt::PredefinedExprClass: 1698 // While __func__, etc., are technically not string literals, they 1699 // cannot contain format specifiers and thus are not a security 1700 // liability. 1701 return SLCT_UncheckedLiteral; 1702 1703 case Stmt::DeclRefExprClass: { 1704 const DeclRefExpr *DR = cast<DeclRefExpr>(E); 1705 1706 // As an exception, do not flag errors for variables binding to 1707 // const string literals. 1708 if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) { 1709 bool isConstant = false; 1710 QualType T = DR->getType(); 1711 1712 if (const ArrayType *AT = Context.getAsArrayType(T)) { 1713 isConstant = AT->getElementType().isConstant(Context); 1714 } else if (const PointerType *PT = T->getAs<PointerType>()) { 1715 isConstant = T.isConstant(Context) && 1716 PT->getPointeeType().isConstant(Context); 1717 } else if (T->isObjCObjectPointerType()) { 1718 // In ObjC, there is usually no "const ObjectPointer" type, 1719 // so don't check if the pointee type is constant. 1720 isConstant = T.isConstant(Context); 1721 } 1722 1723 if (isConstant) { 1724 if (const Expr *Init = VD->getAnyInitializer()) { 1725 // Look through initializers like const char c[] = { "foo" } 1726 if (const InitListExpr *InitList = dyn_cast<InitListExpr>(Init)) { 1727 if (InitList->isStringLiteralInit()) 1728 Init = InitList->getInit(0)->IgnoreParenImpCasts(); 1729 } 1730 return checkFormatStringExpr(Init, Args, NumArgs, 1731 HasVAListArg, format_idx, 1732 firstDataArg, Type, CallType, 1733 /*inFunctionCall*/false); 1734 } 1735 } 1736 1737 // For vprintf* functions (i.e., HasVAListArg==true), we add a 1738 // special check to see if the format string is a function parameter 1739 // of the function calling the printf function. If the function 1740 // has an attribute indicating it is a printf-like function, then we 1741 // should suppress warnings concerning non-literals being used in a call 1742 // to a vprintf function. For example: 1743 // 1744 // void 1745 // logmessage(char const *fmt __attribute__ (format (printf, 1, 2)), ...){ 1746 // va_list ap; 1747 // va_start(ap, fmt); 1748 // vprintf(fmt, ap); // Do NOT emit a warning about "fmt". 1749 // ... 1750 // 1751 if (HasVAListArg) { 1752 if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(VD)) { 1753 if (const NamedDecl *ND = dyn_cast<NamedDecl>(PV->getDeclContext())) { 1754 int PVIndex = PV->getFunctionScopeIndex() + 1; 1755 for (specific_attr_iterator<FormatAttr> 1756 i = ND->specific_attr_begin<FormatAttr>(), 1757 e = ND->specific_attr_end<FormatAttr>(); i != e ; ++i) { 1758 FormatAttr *PVFormat = *i; 1759 // adjust for implicit parameter 1760 if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(ND)) 1761 if (MD->isInstance()) 1762 ++PVIndex; 1763 // We also check if the formats are compatible. 1764 // We can't pass a 'scanf' string to a 'printf' function. 1765 if (PVIndex == PVFormat->getFormatIdx() && 1766 Type == GetFormatStringType(PVFormat)) 1767 return SLCT_UncheckedLiteral; 1768 } 1769 } 1770 } 1771 } 1772 } 1773 1774 return SLCT_NotALiteral; 1775 } 1776 1777 case Stmt::CallExprClass: 1778 case Stmt::CXXMemberCallExprClass: { 1779 const CallExpr *CE = cast<CallExpr>(E); 1780 if (const NamedDecl *ND = dyn_cast_or_null<NamedDecl>(CE->getCalleeDecl())) { 1781 if (const FormatArgAttr *FA = ND->getAttr<FormatArgAttr>()) { 1782 unsigned ArgIndex = FA->getFormatIdx(); 1783 if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(ND)) 1784 if (MD->isInstance()) 1785 --ArgIndex; 1786 const Expr *Arg = CE->getArg(ArgIndex - 1); 1787 1788 return checkFormatStringExpr(Arg, Args, NumArgs, 1789 HasVAListArg, format_idx, firstDataArg, 1790 Type, CallType, inFunctionCall); 1791 } else if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(ND)) { 1792 unsigned BuiltinID = FD->getBuiltinID(); 1793 if (BuiltinID == Builtin::BI__builtin___CFStringMakeConstantString || 1794 BuiltinID == Builtin::BI__builtin___NSStringMakeConstantString) { 1795 const Expr *Arg = CE->getArg(0); 1796 return checkFormatStringExpr(Arg, Args, NumArgs, 1797 HasVAListArg, format_idx, 1798 firstDataArg, Type, CallType, 1799 inFunctionCall); 1800 } 1801 } 1802 } 1803 1804 return SLCT_NotALiteral; 1805 } 1806 case Stmt::ObjCStringLiteralClass: 1807 case Stmt::StringLiteralClass: { 1808 const StringLiteral *StrE = NULL; 1809 1810 if (const ObjCStringLiteral *ObjCFExpr = dyn_cast<ObjCStringLiteral>(E)) 1811 StrE = ObjCFExpr->getString(); 1812 else 1813 StrE = cast<StringLiteral>(E); 1814 1815 if (StrE) { 1816 CheckFormatString(StrE, E, Args, NumArgs, HasVAListArg, format_idx, 1817 firstDataArg, Type, inFunctionCall, CallType); 1818 return SLCT_CheckedLiteral; 1819 } 1820 1821 return SLCT_NotALiteral; 1822 } 1823 1824 default: 1825 return SLCT_NotALiteral; 1826 } 1827} 1828 1829void 1830Sema::CheckNonNullArguments(const NonNullAttr *NonNull, 1831 const Expr * const *ExprArgs, 1832 SourceLocation CallSiteLoc) { 1833 for (NonNullAttr::args_iterator i = NonNull->args_begin(), 1834 e = NonNull->args_end(); 1835 i != e; ++i) { 1836 const Expr *ArgExpr = ExprArgs[*i]; 1837 if (ArgExpr->isNullPointerConstant(Context, 1838 Expr::NPC_ValueDependentIsNotNull)) 1839 Diag(CallSiteLoc, diag::warn_null_arg) << ArgExpr->getSourceRange(); 1840 } 1841} 1842 1843Sema::FormatStringType Sema::GetFormatStringType(const FormatAttr *Format) { 1844 return llvm::StringSwitch<FormatStringType>(Format->getType()) 1845 .Case("scanf", FST_Scanf) 1846 .Cases("printf", "printf0", FST_Printf) 1847 .Cases("NSString", "CFString", FST_NSString) 1848 .Case("strftime", FST_Strftime) 1849 .Case("strfmon", FST_Strfmon) 1850 .Cases("kprintf", "cmn_err", "vcmn_err", "zcmn_err", FST_Kprintf) 1851 .Default(FST_Unknown); 1852} 1853 1854/// CheckFormatArguments - Check calls to printf and scanf (and similar 1855/// functions) for correct use of format strings. 1856/// Returns true if a format string has been fully checked. 1857bool Sema::CheckFormatArguments(const FormatAttr *Format, Expr **Args, 1858 unsigned NumArgs, bool IsCXXMember, 1859 VariadicCallType CallType, 1860 SourceLocation Loc, SourceRange Range) { 1861 FormatStringInfo FSI; 1862 if (getFormatStringInfo(Format, IsCXXMember, &FSI)) 1863 return CheckFormatArguments(Args, NumArgs, FSI.HasVAListArg, FSI.FormatIdx, 1864 FSI.FirstDataArg, GetFormatStringType(Format), 1865 CallType, Loc, Range); 1866 return false; 1867} 1868 1869bool Sema::CheckFormatArguments(Expr **Args, unsigned NumArgs, 1870 bool HasVAListArg, unsigned format_idx, 1871 unsigned firstDataArg, FormatStringType Type, 1872 VariadicCallType CallType, 1873 SourceLocation Loc, SourceRange Range) { 1874 // CHECK: printf/scanf-like function is called with no format string. 1875 if (format_idx >= NumArgs) { 1876 Diag(Loc, diag::warn_missing_format_string) << Range; 1877 return false; 1878 } 1879 1880 const Expr *OrigFormatExpr = Args[format_idx]->IgnoreParenCasts(); 1881 1882 // CHECK: format string is not a string literal. 1883 // 1884 // Dynamically generated format strings are difficult to 1885 // automatically vet at compile time. Requiring that format strings 1886 // are string literals: (1) permits the checking of format strings by 1887 // the compiler and thereby (2) can practically remove the source of 1888 // many format string exploits. 1889 1890 // Format string can be either ObjC string (e.g. @"%d") or 1891 // C string (e.g. "%d") 1892 // ObjC string uses the same format specifiers as C string, so we can use 1893 // the same format string checking logic for both ObjC and C strings. 1894 StringLiteralCheckType CT = 1895 checkFormatStringExpr(OrigFormatExpr, Args, NumArgs, HasVAListArg, 1896 format_idx, firstDataArg, Type, CallType); 1897 if (CT != SLCT_NotALiteral) 1898 // Literal format string found, check done! 1899 return CT == SLCT_CheckedLiteral; 1900 1901 // Strftime is particular as it always uses a single 'time' argument, 1902 // so it is safe to pass a non-literal string. 1903 if (Type == FST_Strftime) 1904 return false; 1905 1906 // Do not emit diag when the string param is a macro expansion and the 1907 // format is either NSString or CFString. This is a hack to prevent 1908 // diag when using the NSLocalizedString and CFCopyLocalizedString macros 1909 // which are usually used in place of NS and CF string literals. 1910 if (Type == FST_NSString && 1911 SourceMgr.isInSystemMacro(Args[format_idx]->getLocStart())) 1912 return false; 1913 1914 // If there are no arguments specified, warn with -Wformat-security, otherwise 1915 // warn only with -Wformat-nonliteral. 1916 if (NumArgs == format_idx+1) 1917 Diag(Args[format_idx]->getLocStart(), 1918 diag::warn_format_nonliteral_noargs) 1919 << OrigFormatExpr->getSourceRange(); 1920 else 1921 Diag(Args[format_idx]->getLocStart(), 1922 diag::warn_format_nonliteral) 1923 << OrigFormatExpr->getSourceRange(); 1924 return false; 1925} 1926 1927namespace { 1928class CheckFormatHandler : public analyze_format_string::FormatStringHandler { 1929protected: 1930 Sema &S; 1931 const StringLiteral *FExpr; 1932 const Expr *OrigFormatExpr; 1933 const unsigned FirstDataArg; 1934 const unsigned NumDataArgs; 1935 const char *Beg; // Start of format string. 1936 const bool HasVAListArg; 1937 const Expr * const *Args; 1938 const unsigned NumArgs; 1939 unsigned FormatIdx; 1940 llvm::BitVector CoveredArgs; 1941 bool usesPositionalArgs; 1942 bool atFirstArg; 1943 bool inFunctionCall; 1944 Sema::VariadicCallType CallType; 1945public: 1946 CheckFormatHandler(Sema &s, const StringLiteral *fexpr, 1947 const Expr *origFormatExpr, unsigned firstDataArg, 1948 unsigned numDataArgs, const char *beg, bool hasVAListArg, 1949 Expr **args, unsigned numArgs, 1950 unsigned formatIdx, bool inFunctionCall, 1951 Sema::VariadicCallType callType) 1952 : S(s), FExpr(fexpr), OrigFormatExpr(origFormatExpr), 1953 FirstDataArg(firstDataArg), NumDataArgs(numDataArgs), 1954 Beg(beg), HasVAListArg(hasVAListArg), 1955 Args(args), NumArgs(numArgs), FormatIdx(formatIdx), 1956 usesPositionalArgs(false), atFirstArg(true), 1957 inFunctionCall(inFunctionCall), CallType(callType) { 1958 CoveredArgs.resize(numDataArgs); 1959 CoveredArgs.reset(); 1960 } 1961 1962 void DoneProcessing(); 1963 1964 void HandleIncompleteSpecifier(const char *startSpecifier, 1965 unsigned specifierLen); 1966 1967 void HandleInvalidLengthModifier( 1968 const analyze_format_string::FormatSpecifier &FS, 1969 const analyze_format_string::ConversionSpecifier &CS, 1970 const char *startSpecifier, unsigned specifierLen, unsigned DiagID); 1971 1972 void HandleNonStandardLengthModifier( 1973 const analyze_format_string::FormatSpecifier &FS, 1974 const char *startSpecifier, unsigned specifierLen); 1975 1976 void HandleNonStandardConversionSpecifier( 1977 const analyze_format_string::ConversionSpecifier &CS, 1978 const char *startSpecifier, unsigned specifierLen); 1979 1980 virtual void HandlePosition(const char *startPos, unsigned posLen); 1981 1982 virtual void HandleInvalidPosition(const char *startSpecifier, 1983 unsigned specifierLen, 1984 analyze_format_string::PositionContext p); 1985 1986 virtual void HandleZeroPosition(const char *startPos, unsigned posLen); 1987 1988 void HandleNullChar(const char *nullCharacter); 1989 1990 template <typename Range> 1991 static void EmitFormatDiagnostic(Sema &S, bool inFunctionCall, 1992 const Expr *ArgumentExpr, 1993 PartialDiagnostic PDiag, 1994 SourceLocation StringLoc, 1995 bool IsStringLocation, Range StringRange, 1996 ArrayRef<FixItHint> Fixit = ArrayRef<FixItHint>()); 1997 1998protected: 1999 bool HandleInvalidConversionSpecifier(unsigned argIndex, SourceLocation Loc, 2000 const char *startSpec, 2001 unsigned specifierLen, 2002 const char *csStart, unsigned csLen); 2003 2004 void HandlePositionalNonpositionalArgs(SourceLocation Loc, 2005 const char *startSpec, 2006 unsigned specifierLen); 2007 2008 SourceRange getFormatStringRange(); 2009 CharSourceRange getSpecifierRange(const char *startSpecifier, 2010 unsigned specifierLen); 2011 SourceLocation getLocationOfByte(const char *x); 2012 2013 const Expr *getDataArg(unsigned i) const; 2014 2015 bool CheckNumArgs(const analyze_format_string::FormatSpecifier &FS, 2016 const analyze_format_string::ConversionSpecifier &CS, 2017 const char *startSpecifier, unsigned specifierLen, 2018 unsigned argIndex); 2019 2020 template <typename Range> 2021 void EmitFormatDiagnostic(PartialDiagnostic PDiag, SourceLocation StringLoc, 2022 bool IsStringLocation, Range StringRange, 2023 ArrayRef<FixItHint> Fixit = ArrayRef<FixItHint>()); 2024 2025 void CheckPositionalAndNonpositionalArgs( 2026 const analyze_format_string::FormatSpecifier *FS); 2027}; 2028} 2029 2030SourceRange CheckFormatHandler::getFormatStringRange() { 2031 return OrigFormatExpr->getSourceRange(); 2032} 2033 2034CharSourceRange CheckFormatHandler:: 2035getSpecifierRange(const char *startSpecifier, unsigned specifierLen) { 2036 SourceLocation Start = getLocationOfByte(startSpecifier); 2037 SourceLocation End = getLocationOfByte(startSpecifier + specifierLen - 1); 2038 2039 // Advance the end SourceLocation by one due to half-open ranges. 2040 End = End.getLocWithOffset(1); 2041 2042 return CharSourceRange::getCharRange(Start, End); 2043} 2044 2045SourceLocation CheckFormatHandler::getLocationOfByte(const char *x) { 2046 return S.getLocationOfStringLiteralByte(FExpr, x - Beg); 2047} 2048 2049void CheckFormatHandler::HandleIncompleteSpecifier(const char *startSpecifier, 2050 unsigned specifierLen){ 2051 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_incomplete_specifier), 2052 getLocationOfByte(startSpecifier), 2053 /*IsStringLocation*/true, 2054 getSpecifierRange(startSpecifier, specifierLen)); 2055} 2056 2057void CheckFormatHandler::HandleInvalidLengthModifier( 2058 const analyze_format_string::FormatSpecifier &FS, 2059 const analyze_format_string::ConversionSpecifier &CS, 2060 const char *startSpecifier, unsigned specifierLen, unsigned DiagID) { 2061 using namespace analyze_format_string; 2062 2063 const LengthModifier &LM = FS.getLengthModifier(); 2064 CharSourceRange LMRange = getSpecifierRange(LM.getStart(), LM.getLength()); 2065 2066 // See if we know how to fix this length modifier. 2067 llvm::Optional<LengthModifier> FixedLM = FS.getCorrectedLengthModifier(); 2068 if (FixedLM) { 2069 EmitFormatDiagnostic(S.PDiag(DiagID) << LM.toString() << CS.toString(), 2070 getLocationOfByte(LM.getStart()), 2071 /*IsStringLocation*/true, 2072 getSpecifierRange(startSpecifier, specifierLen)); 2073 2074 S.Diag(getLocationOfByte(LM.getStart()), diag::note_format_fix_specifier) 2075 << FixedLM->toString() 2076 << FixItHint::CreateReplacement(LMRange, FixedLM->toString()); 2077 2078 } else { 2079 FixItHint Hint; 2080 if (DiagID == diag::warn_format_nonsensical_length) 2081 Hint = FixItHint::CreateRemoval(LMRange); 2082 2083 EmitFormatDiagnostic(S.PDiag(DiagID) << LM.toString() << CS.toString(), 2084 getLocationOfByte(LM.getStart()), 2085 /*IsStringLocation*/true, 2086 getSpecifierRange(startSpecifier, specifierLen), 2087 Hint); 2088 } 2089} 2090 2091void CheckFormatHandler::HandleNonStandardLengthModifier( 2092 const analyze_format_string::FormatSpecifier &FS, 2093 const char *startSpecifier, unsigned specifierLen) { 2094 using namespace analyze_format_string; 2095 2096 const LengthModifier &LM = FS.getLengthModifier(); 2097 CharSourceRange LMRange = getSpecifierRange(LM.getStart(), LM.getLength()); 2098 2099 // See if we know how to fix this length modifier. 2100 llvm::Optional<LengthModifier> FixedLM = FS.getCorrectedLengthModifier(); 2101 if (FixedLM) { 2102 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) 2103 << LM.toString() << 0, 2104 getLocationOfByte(LM.getStart()), 2105 /*IsStringLocation*/true, 2106 getSpecifierRange(startSpecifier, specifierLen)); 2107 2108 S.Diag(getLocationOfByte(LM.getStart()), diag::note_format_fix_specifier) 2109 << FixedLM->toString() 2110 << FixItHint::CreateReplacement(LMRange, FixedLM->toString()); 2111 2112 } else { 2113 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) 2114 << LM.toString() << 0, 2115 getLocationOfByte(LM.getStart()), 2116 /*IsStringLocation*/true, 2117 getSpecifierRange(startSpecifier, specifierLen)); 2118 } 2119} 2120 2121void CheckFormatHandler::HandleNonStandardConversionSpecifier( 2122 const analyze_format_string::ConversionSpecifier &CS, 2123 const char *startSpecifier, unsigned specifierLen) { 2124 using namespace analyze_format_string; 2125 2126 // See if we know how to fix this conversion specifier. 2127 llvm::Optional<ConversionSpecifier> FixedCS = CS.getStandardSpecifier(); 2128 if (FixedCS) { 2129 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) 2130 << CS.toString() << /*conversion specifier*/1, 2131 getLocationOfByte(CS.getStart()), 2132 /*IsStringLocation*/true, 2133 getSpecifierRange(startSpecifier, specifierLen)); 2134 2135 CharSourceRange CSRange = getSpecifierRange(CS.getStart(), CS.getLength()); 2136 S.Diag(getLocationOfByte(CS.getStart()), diag::note_format_fix_specifier) 2137 << FixedCS->toString() 2138 << FixItHint::CreateReplacement(CSRange, FixedCS->toString()); 2139 } else { 2140 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) 2141 << CS.toString() << /*conversion specifier*/1, 2142 getLocationOfByte(CS.getStart()), 2143 /*IsStringLocation*/true, 2144 getSpecifierRange(startSpecifier, specifierLen)); 2145 } 2146} 2147 2148void CheckFormatHandler::HandlePosition(const char *startPos, 2149 unsigned posLen) { 2150 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard_positional_arg), 2151 getLocationOfByte(startPos), 2152 /*IsStringLocation*/true, 2153 getSpecifierRange(startPos, posLen)); 2154} 2155 2156void 2157CheckFormatHandler::HandleInvalidPosition(const char *startPos, unsigned posLen, 2158 analyze_format_string::PositionContext p) { 2159 EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_positional_specifier) 2160 << (unsigned) p, 2161 getLocationOfByte(startPos), /*IsStringLocation*/true, 2162 getSpecifierRange(startPos, posLen)); 2163} 2164 2165void CheckFormatHandler::HandleZeroPosition(const char *startPos, 2166 unsigned posLen) { 2167 EmitFormatDiagnostic(S.PDiag(diag::warn_format_zero_positional_specifier), 2168 getLocationOfByte(startPos), 2169 /*IsStringLocation*/true, 2170 getSpecifierRange(startPos, posLen)); 2171} 2172 2173void CheckFormatHandler::HandleNullChar(const char *nullCharacter) { 2174 if (!isa<ObjCStringLiteral>(OrigFormatExpr)) { 2175 // The presence of a null character is likely an error. 2176 EmitFormatDiagnostic( 2177 S.PDiag(diag::warn_printf_format_string_contains_null_char), 2178 getLocationOfByte(nullCharacter), /*IsStringLocation*/true, 2179 getFormatStringRange()); 2180 } 2181} 2182 2183// Note that this may return NULL if there was an error parsing or building 2184// one of the argument expressions. 2185const Expr *CheckFormatHandler::getDataArg(unsigned i) const { 2186 return Args[FirstDataArg + i]; 2187} 2188 2189void CheckFormatHandler::DoneProcessing() { 2190 // Does the number of data arguments exceed the number of 2191 // format conversions in the format string? 2192 if (!HasVAListArg) { 2193 // Find any arguments that weren't covered. 2194 CoveredArgs.flip(); 2195 signed notCoveredArg = CoveredArgs.find_first(); 2196 if (notCoveredArg >= 0) { 2197 assert((unsigned)notCoveredArg < NumDataArgs); 2198 if (const Expr *E = getDataArg((unsigned) notCoveredArg)) { 2199 SourceLocation Loc = E->getLocStart(); 2200 if (!S.getSourceManager().isInSystemMacro(Loc)) { 2201 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_data_arg_not_used), 2202 Loc, /*IsStringLocation*/false, 2203 getFormatStringRange()); 2204 } 2205 } 2206 } 2207 } 2208} 2209 2210bool 2211CheckFormatHandler::HandleInvalidConversionSpecifier(unsigned argIndex, 2212 SourceLocation Loc, 2213 const char *startSpec, 2214 unsigned specifierLen, 2215 const char *csStart, 2216 unsigned csLen) { 2217 2218 bool keepGoing = true; 2219 if (argIndex < NumDataArgs) { 2220 // Consider the argument coverered, even though the specifier doesn't 2221 // make sense. 2222 CoveredArgs.set(argIndex); 2223 } 2224 else { 2225 // If argIndex exceeds the number of data arguments we 2226 // don't issue a warning because that is just a cascade of warnings (and 2227 // they may have intended '%%' anyway). We don't want to continue processing 2228 // the format string after this point, however, as we will like just get 2229 // gibberish when trying to match arguments. 2230 keepGoing = false; 2231 } 2232 2233 EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_conversion) 2234 << StringRef(csStart, csLen), 2235 Loc, /*IsStringLocation*/true, 2236 getSpecifierRange(startSpec, specifierLen)); 2237 2238 return keepGoing; 2239} 2240 2241void 2242CheckFormatHandler::HandlePositionalNonpositionalArgs(SourceLocation Loc, 2243 const char *startSpec, 2244 unsigned specifierLen) { 2245 EmitFormatDiagnostic( 2246 S.PDiag(diag::warn_format_mix_positional_nonpositional_args), 2247 Loc, /*isStringLoc*/true, getSpecifierRange(startSpec, specifierLen)); 2248} 2249 2250bool 2251CheckFormatHandler::CheckNumArgs( 2252 const analyze_format_string::FormatSpecifier &FS, 2253 const analyze_format_string::ConversionSpecifier &CS, 2254 const char *startSpecifier, unsigned specifierLen, unsigned argIndex) { 2255 2256 if (argIndex >= NumDataArgs) { 2257 PartialDiagnostic PDiag = FS.usesPositionalArg() 2258 ? (S.PDiag(diag::warn_printf_positional_arg_exceeds_data_args) 2259 << (argIndex+1) << NumDataArgs) 2260 : S.PDiag(diag::warn_printf_insufficient_data_args); 2261 EmitFormatDiagnostic( 2262 PDiag, getLocationOfByte(CS.getStart()), /*IsStringLocation*/true, 2263 getSpecifierRange(startSpecifier, specifierLen)); 2264 return false; 2265 } 2266 return true; 2267} 2268 2269template<typename Range> 2270void CheckFormatHandler::EmitFormatDiagnostic(PartialDiagnostic PDiag, 2271 SourceLocation Loc, 2272 bool IsStringLocation, 2273 Range StringRange, 2274 ArrayRef<FixItHint> FixIt) { 2275 EmitFormatDiagnostic(S, inFunctionCall, Args[FormatIdx], PDiag, 2276 Loc, IsStringLocation, StringRange, FixIt); 2277} 2278 2279/// \brief If the format string is not within the funcion call, emit a note 2280/// so that the function call and string are in diagnostic messages. 2281/// 2282/// \param InFunctionCall if true, the format string is within the function 2283/// call and only one diagnostic message will be produced. Otherwise, an 2284/// extra note will be emitted pointing to location of the format string. 2285/// 2286/// \param ArgumentExpr the expression that is passed as the format string 2287/// argument in the function call. Used for getting locations when two 2288/// diagnostics are emitted. 2289/// 2290/// \param PDiag the callee should already have provided any strings for the 2291/// diagnostic message. This function only adds locations and fixits 2292/// to diagnostics. 2293/// 2294/// \param Loc primary location for diagnostic. If two diagnostics are 2295/// required, one will be at Loc and a new SourceLocation will be created for 2296/// the other one. 2297/// 2298/// \param IsStringLocation if true, Loc points to the format string should be 2299/// used for the note. Otherwise, Loc points to the argument list and will 2300/// be used with PDiag. 2301/// 2302/// \param StringRange some or all of the string to highlight. This is 2303/// templated so it can accept either a CharSourceRange or a SourceRange. 2304/// 2305/// \param FixIt optional fix it hint for the format string. 2306template<typename Range> 2307void CheckFormatHandler::EmitFormatDiagnostic(Sema &S, bool InFunctionCall, 2308 const Expr *ArgumentExpr, 2309 PartialDiagnostic PDiag, 2310 SourceLocation Loc, 2311 bool IsStringLocation, 2312 Range StringRange, 2313 ArrayRef<FixItHint> FixIt) { 2314 if (InFunctionCall) { 2315 const Sema::SemaDiagnosticBuilder &D = S.Diag(Loc, PDiag); 2316 D << StringRange; 2317 for (ArrayRef<FixItHint>::iterator I = FixIt.begin(), E = FixIt.end(); 2318 I != E; ++I) { 2319 D << *I; 2320 } 2321 } else { 2322 S.Diag(IsStringLocation ? ArgumentExpr->getExprLoc() : Loc, PDiag) 2323 << ArgumentExpr->getSourceRange(); 2324 2325 const Sema::SemaDiagnosticBuilder &Note = 2326 S.Diag(IsStringLocation ? Loc : StringRange.getBegin(), 2327 diag::note_format_string_defined); 2328 2329 Note << StringRange; 2330 for (ArrayRef<FixItHint>::iterator I = FixIt.begin(), E = FixIt.end(); 2331 I != E; ++I) { 2332 Note << *I; 2333 } 2334 } 2335} 2336 2337//===--- CHECK: Printf format string checking ------------------------------===// 2338 2339namespace { 2340class CheckPrintfHandler : public CheckFormatHandler { 2341 bool ObjCContext; 2342public: 2343 CheckPrintfHandler(Sema &s, const StringLiteral *fexpr, 2344 const Expr *origFormatExpr, unsigned firstDataArg, 2345 unsigned numDataArgs, bool isObjC, 2346 const char *beg, bool hasVAListArg, 2347 Expr **Args, unsigned NumArgs, 2348 unsigned formatIdx, bool inFunctionCall, 2349 Sema::VariadicCallType CallType) 2350 : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg, 2351 numDataArgs, beg, hasVAListArg, Args, NumArgs, 2352 formatIdx, inFunctionCall, CallType), ObjCContext(isObjC) 2353 {} 2354 2355 2356 bool HandleInvalidPrintfConversionSpecifier( 2357 const analyze_printf::PrintfSpecifier &FS, 2358 const char *startSpecifier, 2359 unsigned specifierLen); 2360 2361 bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS, 2362 const char *startSpecifier, 2363 unsigned specifierLen); 2364 bool checkFormatExpr(const analyze_printf::PrintfSpecifier &FS, 2365 const char *StartSpecifier, 2366 unsigned SpecifierLen, 2367 const Expr *E); 2368 2369 bool HandleAmount(const analyze_format_string::OptionalAmount &Amt, unsigned k, 2370 const char *startSpecifier, unsigned specifierLen); 2371 void HandleInvalidAmount(const analyze_printf::PrintfSpecifier &FS, 2372 const analyze_printf::OptionalAmount &Amt, 2373 unsigned type, 2374 const char *startSpecifier, unsigned specifierLen); 2375 void HandleFlag(const analyze_printf::PrintfSpecifier &FS, 2376 const analyze_printf::OptionalFlag &flag, 2377 const char *startSpecifier, unsigned specifierLen); 2378 void HandleIgnoredFlag(const analyze_printf::PrintfSpecifier &FS, 2379 const analyze_printf::OptionalFlag &ignoredFlag, 2380 const analyze_printf::OptionalFlag &flag, 2381 const char *startSpecifier, unsigned specifierLen); 2382 bool checkForCStrMembers(const analyze_printf::ArgType &AT, 2383 const Expr *E, const CharSourceRange &CSR); 2384 2385}; 2386} 2387 2388bool CheckPrintfHandler::HandleInvalidPrintfConversionSpecifier( 2389 const analyze_printf::PrintfSpecifier &FS, 2390 const char *startSpecifier, 2391 unsigned specifierLen) { 2392 const analyze_printf::PrintfConversionSpecifier &CS = 2393 FS.getConversionSpecifier(); 2394 2395 return HandleInvalidConversionSpecifier(FS.getArgIndex(), 2396 getLocationOfByte(CS.getStart()), 2397 startSpecifier, specifierLen, 2398 CS.getStart(), CS.getLength()); 2399} 2400 2401bool CheckPrintfHandler::HandleAmount( 2402 const analyze_format_string::OptionalAmount &Amt, 2403 unsigned k, const char *startSpecifier, 2404 unsigned specifierLen) { 2405 2406 if (Amt.hasDataArgument()) { 2407 if (!HasVAListArg) { 2408 unsigned argIndex = Amt.getArgIndex(); 2409 if (argIndex >= NumDataArgs) { 2410 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_missing_arg) 2411 << k, 2412 getLocationOfByte(Amt.getStart()), 2413 /*IsStringLocation*/true, 2414 getSpecifierRange(startSpecifier, specifierLen)); 2415 // Don't do any more checking. We will just emit 2416 // spurious errors. 2417 return false; 2418 } 2419 2420 // Type check the data argument. It should be an 'int'. 2421 // Although not in conformance with C99, we also allow the argument to be 2422 // an 'unsigned int' as that is a reasonably safe case. GCC also 2423 // doesn't emit a warning for that case. 2424 CoveredArgs.set(argIndex); 2425 const Expr *Arg = getDataArg(argIndex); 2426 if (!Arg) 2427 return false; 2428 2429 QualType T = Arg->getType(); 2430 2431 const analyze_printf::ArgType &AT = Amt.getArgType(S.Context); 2432 assert(AT.isValid()); 2433 2434 if (!AT.matchesType(S.Context, T)) { 2435 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_wrong_type) 2436 << k << AT.getRepresentativeTypeName(S.Context) 2437 << T << Arg->getSourceRange(), 2438 getLocationOfByte(Amt.getStart()), 2439 /*IsStringLocation*/true, 2440 getSpecifierRange(startSpecifier, specifierLen)); 2441 // Don't do any more checking. We will just emit 2442 // spurious errors. 2443 return false; 2444 } 2445 } 2446 } 2447 return true; 2448} 2449 2450void CheckPrintfHandler::HandleInvalidAmount( 2451 const analyze_printf::PrintfSpecifier &FS, 2452 const analyze_printf::OptionalAmount &Amt, 2453 unsigned type, 2454 const char *startSpecifier, 2455 unsigned specifierLen) { 2456 const analyze_printf::PrintfConversionSpecifier &CS = 2457 FS.getConversionSpecifier(); 2458 2459 FixItHint fixit = 2460 Amt.getHowSpecified() == analyze_printf::OptionalAmount::Constant 2461 ? FixItHint::CreateRemoval(getSpecifierRange(Amt.getStart(), 2462 Amt.getConstantLength())) 2463 : FixItHint(); 2464 2465 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_optional_amount) 2466 << type << CS.toString(), 2467 getLocationOfByte(Amt.getStart()), 2468 /*IsStringLocation*/true, 2469 getSpecifierRange(startSpecifier, specifierLen), 2470 fixit); 2471} 2472 2473void CheckPrintfHandler::HandleFlag(const analyze_printf::PrintfSpecifier &FS, 2474 const analyze_printf::OptionalFlag &flag, 2475 const char *startSpecifier, 2476 unsigned specifierLen) { 2477 // Warn about pointless flag with a fixit removal. 2478 const analyze_printf::PrintfConversionSpecifier &CS = 2479 FS.getConversionSpecifier(); 2480 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_flag) 2481 << flag.toString() << CS.toString(), 2482 getLocationOfByte(flag.getPosition()), 2483 /*IsStringLocation*/true, 2484 getSpecifierRange(startSpecifier, specifierLen), 2485 FixItHint::CreateRemoval( 2486 getSpecifierRange(flag.getPosition(), 1))); 2487} 2488 2489void CheckPrintfHandler::HandleIgnoredFlag( 2490 const analyze_printf::PrintfSpecifier &FS, 2491 const analyze_printf::OptionalFlag &ignoredFlag, 2492 const analyze_printf::OptionalFlag &flag, 2493 const char *startSpecifier, 2494 unsigned specifierLen) { 2495 // Warn about ignored flag with a fixit removal. 2496 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_ignored_flag) 2497 << ignoredFlag.toString() << flag.toString(), 2498 getLocationOfByte(ignoredFlag.getPosition()), 2499 /*IsStringLocation*/true, 2500 getSpecifierRange(startSpecifier, specifierLen), 2501 FixItHint::CreateRemoval( 2502 getSpecifierRange(ignoredFlag.getPosition(), 1))); 2503} 2504 2505// Determines if the specified is a C++ class or struct containing 2506// a member with the specified name and kind (e.g. a CXXMethodDecl named 2507// "c_str()"). 2508template<typename MemberKind> 2509static llvm::SmallPtrSet<MemberKind*, 1> 2510CXXRecordMembersNamed(StringRef Name, Sema &S, QualType Ty) { 2511 const RecordType *RT = Ty->getAs<RecordType>(); 2512 llvm::SmallPtrSet<MemberKind*, 1> Results; 2513 2514 if (!RT) 2515 return Results; 2516 const CXXRecordDecl *RD = dyn_cast<CXXRecordDecl>(RT->getDecl()); 2517 if (!RD) 2518 return Results; 2519 2520 LookupResult R(S, &S.PP.getIdentifierTable().get(Name), SourceLocation(), 2521 Sema::LookupMemberName); 2522 2523 // We just need to include all members of the right kind turned up by the 2524 // filter, at this point. 2525 if (S.LookupQualifiedName(R, RT->getDecl())) 2526 for (LookupResult::iterator I = R.begin(), E = R.end(); I != E; ++I) { 2527 NamedDecl *decl = (*I)->getUnderlyingDecl(); 2528 if (MemberKind *FK = dyn_cast<MemberKind>(decl)) 2529 Results.insert(FK); 2530 } 2531 return Results; 2532} 2533 2534// Check if a (w)string was passed when a (w)char* was needed, and offer a 2535// better diagnostic if so. AT is assumed to be valid. 2536// Returns true when a c_str() conversion method is found. 2537bool CheckPrintfHandler::checkForCStrMembers( 2538 const analyze_printf::ArgType &AT, const Expr *E, 2539 const CharSourceRange &CSR) { 2540 typedef llvm::SmallPtrSet<CXXMethodDecl*, 1> MethodSet; 2541 2542 MethodSet Results = 2543 CXXRecordMembersNamed<CXXMethodDecl>("c_str", S, E->getType()); 2544 2545 for (MethodSet::iterator MI = Results.begin(), ME = Results.end(); 2546 MI != ME; ++MI) { 2547 const CXXMethodDecl *Method = *MI; 2548 if (Method->getNumParams() == 0 && 2549 AT.matchesType(S.Context, Method->getResultType())) { 2550 // FIXME: Suggest parens if the expression needs them. 2551 SourceLocation EndLoc = 2552 S.getPreprocessor().getLocForEndOfToken(E->getLocEnd()); 2553 S.Diag(E->getLocStart(), diag::note_printf_c_str) 2554 << "c_str()" 2555 << FixItHint::CreateInsertion(EndLoc, ".c_str()"); 2556 return true; 2557 } 2558 } 2559 2560 return false; 2561} 2562 2563bool 2564CheckPrintfHandler::HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier 2565 &FS, 2566 const char *startSpecifier, 2567 unsigned specifierLen) { 2568 2569 using namespace analyze_format_string; 2570 using namespace analyze_printf; 2571 const PrintfConversionSpecifier &CS = FS.getConversionSpecifier(); 2572 2573 if (FS.consumesDataArgument()) { 2574 if (atFirstArg) { 2575 atFirstArg = false; 2576 usesPositionalArgs = FS.usesPositionalArg(); 2577 } 2578 else if (usesPositionalArgs != FS.usesPositionalArg()) { 2579 HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()), 2580 startSpecifier, specifierLen); 2581 return false; 2582 } 2583 } 2584 2585 // First check if the field width, precision, and conversion specifier 2586 // have matching data arguments. 2587 if (!HandleAmount(FS.getFieldWidth(), /* field width */ 0, 2588 startSpecifier, specifierLen)) { 2589 return false; 2590 } 2591 2592 if (!HandleAmount(FS.getPrecision(), /* precision */ 1, 2593 startSpecifier, specifierLen)) { 2594 return false; 2595 } 2596 2597 if (!CS.consumesDataArgument()) { 2598 // FIXME: Technically specifying a precision or field width here 2599 // makes no sense. Worth issuing a warning at some point. 2600 return true; 2601 } 2602 2603 // Consume the argument. 2604 unsigned argIndex = FS.getArgIndex(); 2605 if (argIndex < NumDataArgs) { 2606 // The check to see if the argIndex is valid will come later. 2607 // We set the bit here because we may exit early from this 2608 // function if we encounter some other error. 2609 CoveredArgs.set(argIndex); 2610 } 2611 2612 // Check for using an Objective-C specific conversion specifier 2613 // in a non-ObjC literal. 2614 if (!ObjCContext && CS.isObjCArg()) { 2615 return HandleInvalidPrintfConversionSpecifier(FS, startSpecifier, 2616 specifierLen); 2617 } 2618 2619 // Check for invalid use of field width 2620 if (!FS.hasValidFieldWidth()) { 2621 HandleInvalidAmount(FS, FS.getFieldWidth(), /* field width */ 0, 2622 startSpecifier, specifierLen); 2623 } 2624 2625 // Check for invalid use of precision 2626 if (!FS.hasValidPrecision()) { 2627 HandleInvalidAmount(FS, FS.getPrecision(), /* precision */ 1, 2628 startSpecifier, specifierLen); 2629 } 2630 2631 // Check each flag does not conflict with any other component. 2632 if (!FS.hasValidThousandsGroupingPrefix()) 2633 HandleFlag(FS, FS.hasThousandsGrouping(), startSpecifier, specifierLen); 2634 if (!FS.hasValidLeadingZeros()) 2635 HandleFlag(FS, FS.hasLeadingZeros(), startSpecifier, specifierLen); 2636 if (!FS.hasValidPlusPrefix()) 2637 HandleFlag(FS, FS.hasPlusPrefix(), startSpecifier, specifierLen); 2638 if (!FS.hasValidSpacePrefix()) 2639 HandleFlag(FS, FS.hasSpacePrefix(), startSpecifier, specifierLen); 2640 if (!FS.hasValidAlternativeForm()) 2641 HandleFlag(FS, FS.hasAlternativeForm(), startSpecifier, specifierLen); 2642 if (!FS.hasValidLeftJustified()) 2643 HandleFlag(FS, FS.isLeftJustified(), startSpecifier, specifierLen); 2644 2645 // Check that flags are not ignored by another flag 2646 if (FS.hasSpacePrefix() && FS.hasPlusPrefix()) // ' ' ignored by '+' 2647 HandleIgnoredFlag(FS, FS.hasSpacePrefix(), FS.hasPlusPrefix(), 2648 startSpecifier, specifierLen); 2649 if (FS.hasLeadingZeros() && FS.isLeftJustified()) // '0' ignored by '-' 2650 HandleIgnoredFlag(FS, FS.hasLeadingZeros(), FS.isLeftJustified(), 2651 startSpecifier, specifierLen); 2652 2653 // Check the length modifier is valid with the given conversion specifier. 2654 if (!FS.hasValidLengthModifier(S.getASTContext().getTargetInfo())) 2655 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, 2656 diag::warn_format_nonsensical_length); 2657 else if (!FS.hasStandardLengthModifier()) 2658 HandleNonStandardLengthModifier(FS, startSpecifier, specifierLen); 2659 else if (!FS.hasStandardLengthConversionCombination()) 2660 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, 2661 diag::warn_format_non_standard_conversion_spec); 2662 2663 if (!FS.hasStandardConversionSpecifier(S.getLangOpts())) 2664 HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen); 2665 2666 // The remaining checks depend on the data arguments. 2667 if (HasVAListArg) 2668 return true; 2669 2670 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex)) 2671 return false; 2672 2673 const Expr *Arg = getDataArg(argIndex); 2674 if (!Arg) 2675 return true; 2676 2677 return checkFormatExpr(FS, startSpecifier, specifierLen, Arg); 2678} 2679 2680static bool requiresParensToAddCast(const Expr *E) { 2681 // FIXME: We should have a general way to reason about operator 2682 // precedence and whether parens are actually needed here. 2683 // Take care of a few common cases where they aren't. 2684 const Expr *Inside = E->IgnoreImpCasts(); 2685 if (const PseudoObjectExpr *POE = dyn_cast<PseudoObjectExpr>(Inside)) 2686 Inside = POE->getSyntacticForm()->IgnoreImpCasts(); 2687 2688 switch (Inside->getStmtClass()) { 2689 case Stmt::ArraySubscriptExprClass: 2690 case Stmt::CallExprClass: 2691 case Stmt::CharacterLiteralClass: 2692 case Stmt::CXXBoolLiteralExprClass: 2693 case Stmt::DeclRefExprClass: 2694 case Stmt::FloatingLiteralClass: 2695 case Stmt::IntegerLiteralClass: 2696 case Stmt::MemberExprClass: 2697 case Stmt::ObjCArrayLiteralClass: 2698 case Stmt::ObjCBoolLiteralExprClass: 2699 case Stmt::ObjCBoxedExprClass: 2700 case Stmt::ObjCDictionaryLiteralClass: 2701 case Stmt::ObjCEncodeExprClass: 2702 case Stmt::ObjCIvarRefExprClass: 2703 case Stmt::ObjCMessageExprClass: 2704 case Stmt::ObjCPropertyRefExprClass: 2705 case Stmt::ObjCStringLiteralClass: 2706 case Stmt::ObjCSubscriptRefExprClass: 2707 case Stmt::ParenExprClass: 2708 case Stmt::StringLiteralClass: 2709 case Stmt::UnaryOperatorClass: 2710 return false; 2711 default: 2712 return true; 2713 } 2714} 2715 2716bool 2717CheckPrintfHandler::checkFormatExpr(const analyze_printf::PrintfSpecifier &FS, 2718 const char *StartSpecifier, 2719 unsigned SpecifierLen, 2720 const Expr *E) { 2721 using namespace analyze_format_string; 2722 using namespace analyze_printf; 2723 // Now type check the data expression that matches the 2724 // format specifier. 2725 const analyze_printf::ArgType &AT = FS.getArgType(S.Context, 2726 ObjCContext); 2727 if (!AT.isValid()) 2728 return true; 2729 2730 QualType ExprTy = E->getType(); 2731 if (AT.matchesType(S.Context, ExprTy)) 2732 return true; 2733 2734 // Look through argument promotions for our error message's reported type. 2735 // This includes the integral and floating promotions, but excludes array 2736 // and function pointer decay; seeing that an argument intended to be a 2737 // string has type 'char [6]' is probably more confusing than 'char *'. 2738 if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) { 2739 if (ICE->getCastKind() == CK_IntegralCast || 2740 ICE->getCastKind() == CK_FloatingCast) { 2741 E = ICE->getSubExpr(); 2742 ExprTy = E->getType(); 2743 2744 // Check if we didn't match because of an implicit cast from a 'char' 2745 // or 'short' to an 'int'. This is done because printf is a varargs 2746 // function. 2747 if (ICE->getType() == S.Context.IntTy || 2748 ICE->getType() == S.Context.UnsignedIntTy) { 2749 // All further checking is done on the subexpression. 2750 if (AT.matchesType(S.Context, ExprTy)) 2751 return true; 2752 } 2753 } 2754 } else if (const CharacterLiteral *CL = dyn_cast<CharacterLiteral>(E)) { 2755 // Special case for 'a', which has type 'int' in C. 2756 // Note, however, that we do /not/ want to treat multibyte constants like 2757 // 'MooV' as characters! This form is deprecated but still exists. 2758 if (ExprTy == S.Context.IntTy) 2759 if (llvm::isUIntN(S.Context.getCharWidth(), CL->getValue())) 2760 ExprTy = S.Context.CharTy; 2761 } 2762 2763 // %C in an Objective-C context prints a unichar, not a wchar_t. 2764 // If the argument is an integer of some kind, believe the %C and suggest 2765 // a cast instead of changing the conversion specifier. 2766 QualType IntendedTy = ExprTy; 2767 if (ObjCContext && 2768 FS.getConversionSpecifier().getKind() == ConversionSpecifier::CArg) { 2769 if (ExprTy->isIntegralOrUnscopedEnumerationType() && 2770 !ExprTy->isCharType()) { 2771 // 'unichar' is defined as a typedef of unsigned short, but we should 2772 // prefer using the typedef if it is visible. 2773 IntendedTy = S.Context.UnsignedShortTy; 2774 2775 LookupResult Result(S, &S.Context.Idents.get("unichar"), E->getLocStart(), 2776 Sema::LookupOrdinaryName); 2777 if (S.LookupName(Result, S.getCurScope())) { 2778 NamedDecl *ND = Result.getFoundDecl(); 2779 if (TypedefNameDecl *TD = dyn_cast<TypedefNameDecl>(ND)) 2780 if (TD->getUnderlyingType() == IntendedTy) 2781 IntendedTy = S.Context.getTypedefType(TD); 2782 } 2783 } 2784 } 2785 2786 // Special-case some of Darwin's platform-independence types by suggesting 2787 // casts to primitive types that are known to be large enough. 2788 bool ShouldNotPrintDirectly = false; 2789 if (S.Context.getTargetInfo().getTriple().isOSDarwin()) { 2790 if (const TypedefType *UserTy = IntendedTy->getAs<TypedefType>()) { 2791 StringRef Name = UserTy->getDecl()->getName(); 2792 QualType CastTy = llvm::StringSwitch<QualType>(Name) 2793 .Case("NSInteger", S.Context.LongTy) 2794 .Case("NSUInteger", S.Context.UnsignedLongTy) 2795 .Case("SInt32", S.Context.IntTy) 2796 .Case("UInt32", S.Context.UnsignedIntTy) 2797 .Default(QualType()); 2798 2799 if (!CastTy.isNull()) { 2800 ShouldNotPrintDirectly = true; 2801 IntendedTy = CastTy; 2802 } 2803 } 2804 } 2805 2806 // We may be able to offer a FixItHint if it is a supported type. 2807 PrintfSpecifier fixedFS = FS; 2808 bool success = fixedFS.fixType(IntendedTy, S.getLangOpts(), 2809 S.Context, ObjCContext); 2810 2811 if (success) { 2812 // Get the fix string from the fixed format specifier 2813 SmallString<16> buf; 2814 llvm::raw_svector_ostream os(buf); 2815 fixedFS.toString(os); 2816 2817 CharSourceRange SpecRange = getSpecifierRange(StartSpecifier, SpecifierLen); 2818 2819 if (IntendedTy == ExprTy) { 2820 // In this case, the specifier is wrong and should be changed to match 2821 // the argument. 2822 EmitFormatDiagnostic( 2823 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 2824 << AT.getRepresentativeTypeName(S.Context) << IntendedTy 2825 << E->getSourceRange(), 2826 E->getLocStart(), 2827 /*IsStringLocation*/false, 2828 SpecRange, 2829 FixItHint::CreateReplacement(SpecRange, os.str())); 2830 2831 } else { 2832 // The canonical type for formatting this value is different from the 2833 // actual type of the expression. (This occurs, for example, with Darwin's 2834 // NSInteger on 32-bit platforms, where it is typedef'd as 'int', but 2835 // should be printed as 'long' for 64-bit compatibility.) 2836 // Rather than emitting a normal format/argument mismatch, we want to 2837 // add a cast to the recommended type (and correct the format string 2838 // if necessary). 2839 SmallString<16> CastBuf; 2840 llvm::raw_svector_ostream CastFix(CastBuf); 2841 CastFix << "("; 2842 IntendedTy.print(CastFix, S.Context.getPrintingPolicy()); 2843 CastFix << ")"; 2844 2845 SmallVector<FixItHint,4> Hints; 2846 if (!AT.matchesType(S.Context, IntendedTy)) 2847 Hints.push_back(FixItHint::CreateReplacement(SpecRange, os.str())); 2848 2849 if (const CStyleCastExpr *CCast = dyn_cast<CStyleCastExpr>(E)) { 2850 // If there's already a cast present, just replace it. 2851 SourceRange CastRange(CCast->getLParenLoc(), CCast->getRParenLoc()); 2852 Hints.push_back(FixItHint::CreateReplacement(CastRange, CastFix.str())); 2853 2854 } else if (!requiresParensToAddCast(E)) { 2855 // If the expression has high enough precedence, 2856 // just write the C-style cast. 2857 Hints.push_back(FixItHint::CreateInsertion(E->getLocStart(), 2858 CastFix.str())); 2859 } else { 2860 // Otherwise, add parens around the expression as well as the cast. 2861 CastFix << "("; 2862 Hints.push_back(FixItHint::CreateInsertion(E->getLocStart(), 2863 CastFix.str())); 2864 2865 SourceLocation After = S.PP.getLocForEndOfToken(E->getLocEnd()); 2866 Hints.push_back(FixItHint::CreateInsertion(After, ")")); 2867 } 2868 2869 if (ShouldNotPrintDirectly) { 2870 // The expression has a type that should not be printed directly. 2871 // We extract the name from the typedef because we don't want to show 2872 // the underlying type in the diagnostic. 2873 StringRef Name = cast<TypedefType>(ExprTy)->getDecl()->getName(); 2874 2875 EmitFormatDiagnostic(S.PDiag(diag::warn_format_argument_needs_cast) 2876 << Name << IntendedTy 2877 << E->getSourceRange(), 2878 E->getLocStart(), /*IsStringLocation=*/false, 2879 SpecRange, Hints); 2880 } else { 2881 // In this case, the expression could be printed using a different 2882 // specifier, but we've decided that the specifier is probably correct 2883 // and we should cast instead. Just use the normal warning message. 2884 EmitFormatDiagnostic( 2885 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 2886 << AT.getRepresentativeTypeName(S.Context) << ExprTy 2887 << E->getSourceRange(), 2888 E->getLocStart(), /*IsStringLocation*/false, 2889 SpecRange, Hints); 2890 } 2891 } 2892 } else { 2893 const CharSourceRange &CSR = getSpecifierRange(StartSpecifier, 2894 SpecifierLen); 2895 // Since the warning for passing non-POD types to variadic functions 2896 // was deferred until now, we emit a warning for non-POD 2897 // arguments here. 2898 if (S.isValidVarArgType(ExprTy) == Sema::VAK_Invalid) { 2899 unsigned DiagKind; 2900 if (ExprTy->isObjCObjectType()) 2901 DiagKind = diag::err_cannot_pass_objc_interface_to_vararg_format; 2902 else 2903 DiagKind = diag::warn_non_pod_vararg_with_format_string; 2904 2905 EmitFormatDiagnostic( 2906 S.PDiag(DiagKind) 2907 << S.getLangOpts().CPlusPlus0x 2908 << ExprTy 2909 << CallType 2910 << AT.getRepresentativeTypeName(S.Context) 2911 << CSR 2912 << E->getSourceRange(), 2913 E->getLocStart(), /*IsStringLocation*/false, CSR); 2914 2915 checkForCStrMembers(AT, E, CSR); 2916 } else 2917 EmitFormatDiagnostic( 2918 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 2919 << AT.getRepresentativeTypeName(S.Context) << ExprTy 2920 << CSR 2921 << E->getSourceRange(), 2922 E->getLocStart(), /*IsStringLocation*/false, CSR); 2923 } 2924 2925 return true; 2926} 2927 2928//===--- CHECK: Scanf format string checking ------------------------------===// 2929 2930namespace { 2931class CheckScanfHandler : public CheckFormatHandler { 2932public: 2933 CheckScanfHandler(Sema &s, const StringLiteral *fexpr, 2934 const Expr *origFormatExpr, unsigned firstDataArg, 2935 unsigned numDataArgs, const char *beg, bool hasVAListArg, 2936 Expr **Args, unsigned NumArgs, 2937 unsigned formatIdx, bool inFunctionCall, 2938 Sema::VariadicCallType CallType) 2939 : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg, 2940 numDataArgs, beg, hasVAListArg, 2941 Args, NumArgs, formatIdx, inFunctionCall, CallType) 2942 {} 2943 2944 bool HandleScanfSpecifier(const analyze_scanf::ScanfSpecifier &FS, 2945 const char *startSpecifier, 2946 unsigned specifierLen); 2947 2948 bool HandleInvalidScanfConversionSpecifier( 2949 const analyze_scanf::ScanfSpecifier &FS, 2950 const char *startSpecifier, 2951 unsigned specifierLen); 2952 2953 void HandleIncompleteScanList(const char *start, const char *end); 2954}; 2955} 2956 2957void CheckScanfHandler::HandleIncompleteScanList(const char *start, 2958 const char *end) { 2959 EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_scanlist_incomplete), 2960 getLocationOfByte(end), /*IsStringLocation*/true, 2961 getSpecifierRange(start, end - start)); 2962} 2963 2964bool CheckScanfHandler::HandleInvalidScanfConversionSpecifier( 2965 const analyze_scanf::ScanfSpecifier &FS, 2966 const char *startSpecifier, 2967 unsigned specifierLen) { 2968 2969 const analyze_scanf::ScanfConversionSpecifier &CS = 2970 FS.getConversionSpecifier(); 2971 2972 return HandleInvalidConversionSpecifier(FS.getArgIndex(), 2973 getLocationOfByte(CS.getStart()), 2974 startSpecifier, specifierLen, 2975 CS.getStart(), CS.getLength()); 2976} 2977 2978bool CheckScanfHandler::HandleScanfSpecifier( 2979 const analyze_scanf::ScanfSpecifier &FS, 2980 const char *startSpecifier, 2981 unsigned specifierLen) { 2982 2983 using namespace analyze_scanf; 2984 using namespace analyze_format_string; 2985 2986 const ScanfConversionSpecifier &CS = FS.getConversionSpecifier(); 2987 2988 // Handle case where '%' and '*' don't consume an argument. These shouldn't 2989 // be used to decide if we are using positional arguments consistently. 2990 if (FS.consumesDataArgument()) { 2991 if (atFirstArg) { 2992 atFirstArg = false; 2993 usesPositionalArgs = FS.usesPositionalArg(); 2994 } 2995 else if (usesPositionalArgs != FS.usesPositionalArg()) { 2996 HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()), 2997 startSpecifier, specifierLen); 2998 return false; 2999 } 3000 } 3001 3002 // Check if the field with is non-zero. 3003 const OptionalAmount &Amt = FS.getFieldWidth(); 3004 if (Amt.getHowSpecified() == OptionalAmount::Constant) { 3005 if (Amt.getConstantAmount() == 0) { 3006 const CharSourceRange &R = getSpecifierRange(Amt.getStart(), 3007 Amt.getConstantLength()); 3008 EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_nonzero_width), 3009 getLocationOfByte(Amt.getStart()), 3010 /*IsStringLocation*/true, R, 3011 FixItHint::CreateRemoval(R)); 3012 } 3013 } 3014 3015 if (!FS.consumesDataArgument()) { 3016 // FIXME: Technically specifying a precision or field width here 3017 // makes no sense. Worth issuing a warning at some point. 3018 return true; 3019 } 3020 3021 // Consume the argument. 3022 unsigned argIndex = FS.getArgIndex(); 3023 if (argIndex < NumDataArgs) { 3024 // The check to see if the argIndex is valid will come later. 3025 // We set the bit here because we may exit early from this 3026 // function if we encounter some other error. 3027 CoveredArgs.set(argIndex); 3028 } 3029 3030 // Check the length modifier is valid with the given conversion specifier. 3031 if (!FS.hasValidLengthModifier(S.getASTContext().getTargetInfo())) 3032 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, 3033 diag::warn_format_nonsensical_length); 3034 else if (!FS.hasStandardLengthModifier()) 3035 HandleNonStandardLengthModifier(FS, startSpecifier, specifierLen); 3036 else if (!FS.hasStandardLengthConversionCombination()) 3037 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, 3038 diag::warn_format_non_standard_conversion_spec); 3039 3040 if (!FS.hasStandardConversionSpecifier(S.getLangOpts())) 3041 HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen); 3042 3043 // The remaining checks depend on the data arguments. 3044 if (HasVAListArg) 3045 return true; 3046 3047 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex)) 3048 return false; 3049 3050 // Check that the argument type matches the format specifier. 3051 const Expr *Ex = getDataArg(argIndex); 3052 if (!Ex) 3053 return true; 3054 3055 const analyze_format_string::ArgType &AT = FS.getArgType(S.Context); 3056 if (AT.isValid() && !AT.matchesType(S.Context, Ex->getType())) { 3057 ScanfSpecifier fixedFS = FS; 3058 bool success = fixedFS.fixType(Ex->getType(), S.getLangOpts(), 3059 S.Context); 3060 3061 if (success) { 3062 // Get the fix string from the fixed format specifier. 3063 SmallString<128> buf; 3064 llvm::raw_svector_ostream os(buf); 3065 fixedFS.toString(os); 3066 3067 EmitFormatDiagnostic( 3068 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 3069 << AT.getRepresentativeTypeName(S.Context) << Ex->getType() 3070 << Ex->getSourceRange(), 3071 Ex->getLocStart(), 3072 /*IsStringLocation*/false, 3073 getSpecifierRange(startSpecifier, specifierLen), 3074 FixItHint::CreateReplacement( 3075 getSpecifierRange(startSpecifier, specifierLen), 3076 os.str())); 3077 } else { 3078 EmitFormatDiagnostic( 3079 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 3080 << AT.getRepresentativeTypeName(S.Context) << Ex->getType() 3081 << Ex->getSourceRange(), 3082 Ex->getLocStart(), 3083 /*IsStringLocation*/false, 3084 getSpecifierRange(startSpecifier, specifierLen)); 3085 } 3086 } 3087 3088 return true; 3089} 3090 3091void Sema::CheckFormatString(const StringLiteral *FExpr, 3092 const Expr *OrigFormatExpr, 3093 Expr **Args, unsigned NumArgs, 3094 bool HasVAListArg, unsigned format_idx, 3095 unsigned firstDataArg, FormatStringType Type, 3096 bool inFunctionCall, VariadicCallType CallType) { 3097 3098 // CHECK: is the format string a wide literal? 3099 if (!FExpr->isAscii() && !FExpr->isUTF8()) { 3100 CheckFormatHandler::EmitFormatDiagnostic( 3101 *this, inFunctionCall, Args[format_idx], 3102 PDiag(diag::warn_format_string_is_wide_literal), FExpr->getLocStart(), 3103 /*IsStringLocation*/true, OrigFormatExpr->getSourceRange()); 3104 return; 3105 } 3106 3107 // Str - The format string. NOTE: this is NOT null-terminated! 3108 StringRef StrRef = FExpr->getString(); 3109 const char *Str = StrRef.data(); 3110 unsigned StrLen = StrRef.size(); 3111 const unsigned numDataArgs = NumArgs - firstDataArg; 3112 3113 // CHECK: empty format string? 3114 if (StrLen == 0 && numDataArgs > 0) { 3115 CheckFormatHandler::EmitFormatDiagnostic( 3116 *this, inFunctionCall, Args[format_idx], 3117 PDiag(diag::warn_empty_format_string), FExpr->getLocStart(), 3118 /*IsStringLocation*/true, OrigFormatExpr->getSourceRange()); 3119 return; 3120 } 3121 3122 if (Type == FST_Printf || Type == FST_NSString) { 3123 CheckPrintfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, 3124 numDataArgs, (Type == FST_NSString), 3125 Str, HasVAListArg, Args, NumArgs, format_idx, 3126 inFunctionCall, CallType); 3127 3128 if (!analyze_format_string::ParsePrintfString(H, Str, Str + StrLen, 3129 getLangOpts(), 3130 Context.getTargetInfo())) 3131 H.DoneProcessing(); 3132 } else if (Type == FST_Scanf) { 3133 CheckScanfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, numDataArgs, 3134 Str, HasVAListArg, Args, NumArgs, format_idx, 3135 inFunctionCall, CallType); 3136 3137 if (!analyze_format_string::ParseScanfString(H, Str, Str + StrLen, 3138 getLangOpts(), 3139 Context.getTargetInfo())) 3140 H.DoneProcessing(); 3141 } // TODO: handle other formats 3142} 3143 3144//===--- CHECK: Standard memory functions ---------------------------------===// 3145 3146/// \brief Determine whether the given type is a dynamic class type (e.g., 3147/// whether it has a vtable). 3148static bool isDynamicClassType(QualType T) { 3149 if (CXXRecordDecl *Record = T->getAsCXXRecordDecl()) 3150 if (CXXRecordDecl *Definition = Record->getDefinition()) 3151 if (Definition->isDynamicClass()) 3152 return true; 3153 3154 return false; 3155} 3156 3157/// \brief If E is a sizeof expression, returns its argument expression, 3158/// otherwise returns NULL. 3159static const Expr *getSizeOfExprArg(const Expr* E) { 3160 if (const UnaryExprOrTypeTraitExpr *SizeOf = 3161 dyn_cast<UnaryExprOrTypeTraitExpr>(E)) 3162 if (SizeOf->getKind() == clang::UETT_SizeOf && !SizeOf->isArgumentType()) 3163 return SizeOf->getArgumentExpr()->IgnoreParenImpCasts(); 3164 3165 return 0; 3166} 3167 3168/// \brief If E is a sizeof expression, returns its argument type. 3169static QualType getSizeOfArgType(const Expr* E) { 3170 if (const UnaryExprOrTypeTraitExpr *SizeOf = 3171 dyn_cast<UnaryExprOrTypeTraitExpr>(E)) 3172 if (SizeOf->getKind() == clang::UETT_SizeOf) 3173 return SizeOf->getTypeOfArgument(); 3174 3175 return QualType(); 3176} 3177 3178/// \brief Check for dangerous or invalid arguments to memset(). 3179/// 3180/// This issues warnings on known problematic, dangerous or unspecified 3181/// arguments to the standard 'memset', 'memcpy', 'memmove', and 'memcmp' 3182/// function calls. 3183/// 3184/// \param Call The call expression to diagnose. 3185void Sema::CheckMemaccessArguments(const CallExpr *Call, 3186 unsigned BId, 3187 IdentifierInfo *FnName) { 3188 assert(BId != 0); 3189 3190 // It is possible to have a non-standard definition of memset. Validate 3191 // we have enough arguments, and if not, abort further checking. 3192 unsigned ExpectedNumArgs = (BId == Builtin::BIstrndup ? 2 : 3); 3193 if (Call->getNumArgs() < ExpectedNumArgs) 3194 return; 3195 3196 unsigned LastArg = (BId == Builtin::BImemset || 3197 BId == Builtin::BIstrndup ? 1 : 2); 3198 unsigned LenArg = (BId == Builtin::BIstrndup ? 1 : 2); 3199 const Expr *LenExpr = Call->getArg(LenArg)->IgnoreParenImpCasts(); 3200 3201 // We have special checking when the length is a sizeof expression. 3202 QualType SizeOfArgTy = getSizeOfArgType(LenExpr); 3203 const Expr *SizeOfArg = getSizeOfExprArg(LenExpr); 3204 llvm::FoldingSetNodeID SizeOfArgID; 3205 3206 for (unsigned ArgIdx = 0; ArgIdx != LastArg; ++ArgIdx) { 3207 const Expr *Dest = Call->getArg(ArgIdx)->IgnoreParenImpCasts(); 3208 SourceRange ArgRange = Call->getArg(ArgIdx)->getSourceRange(); 3209 3210 QualType DestTy = Dest->getType(); 3211 if (const PointerType *DestPtrTy = DestTy->getAs<PointerType>()) { 3212 QualType PointeeTy = DestPtrTy->getPointeeType(); 3213 3214 // Never warn about void type pointers. This can be used to suppress 3215 // false positives. 3216 if (PointeeTy->isVoidType()) 3217 continue; 3218 3219 // Catch "memset(p, 0, sizeof(p))" -- needs to be sizeof(*p). Do this by 3220 // actually comparing the expressions for equality. Because computing the 3221 // expression IDs can be expensive, we only do this if the diagnostic is 3222 // enabled. 3223 if (SizeOfArg && 3224 Diags.getDiagnosticLevel(diag::warn_sizeof_pointer_expr_memaccess, 3225 SizeOfArg->getExprLoc())) { 3226 // We only compute IDs for expressions if the warning is enabled, and 3227 // cache the sizeof arg's ID. 3228 if (SizeOfArgID == llvm::FoldingSetNodeID()) 3229 SizeOfArg->Profile(SizeOfArgID, Context, true); 3230 llvm::FoldingSetNodeID DestID; 3231 Dest->Profile(DestID, Context, true); 3232 if (DestID == SizeOfArgID) { 3233 // TODO: For strncpy() and friends, this could suggest sizeof(dst) 3234 // over sizeof(src) as well. 3235 unsigned ActionIdx = 0; // Default is to suggest dereferencing. 3236 StringRef ReadableName = FnName->getName(); 3237 3238 if (const UnaryOperator *UnaryOp = dyn_cast<UnaryOperator>(Dest)) 3239 if (UnaryOp->getOpcode() == UO_AddrOf) 3240 ActionIdx = 1; // If its an address-of operator, just remove it. 3241 if (Context.getTypeSize(PointeeTy) == Context.getCharWidth()) 3242 ActionIdx = 2; // If the pointee's size is sizeof(char), 3243 // suggest an explicit length. 3244 3245 // If the function is defined as a builtin macro, do not show macro 3246 // expansion. 3247 SourceLocation SL = SizeOfArg->getExprLoc(); 3248 SourceRange DSR = Dest->getSourceRange(); 3249 SourceRange SSR = SizeOfArg->getSourceRange(); 3250 SourceManager &SM = PP.getSourceManager(); 3251 3252 if (SM.isMacroArgExpansion(SL)) { 3253 ReadableName = Lexer::getImmediateMacroName(SL, SM, LangOpts); 3254 SL = SM.getSpellingLoc(SL); 3255 DSR = SourceRange(SM.getSpellingLoc(DSR.getBegin()), 3256 SM.getSpellingLoc(DSR.getEnd())); 3257 SSR = SourceRange(SM.getSpellingLoc(SSR.getBegin()), 3258 SM.getSpellingLoc(SSR.getEnd())); 3259 } 3260 3261 DiagRuntimeBehavior(SL, SizeOfArg, 3262 PDiag(diag::warn_sizeof_pointer_expr_memaccess) 3263 << ReadableName 3264 << PointeeTy 3265 << DestTy 3266 << DSR 3267 << SSR); 3268 DiagRuntimeBehavior(SL, SizeOfArg, 3269 PDiag(diag::warn_sizeof_pointer_expr_memaccess_note) 3270 << ActionIdx 3271 << SSR); 3272 3273 break; 3274 } 3275 } 3276 3277 // Also check for cases where the sizeof argument is the exact same 3278 // type as the memory argument, and where it points to a user-defined 3279 // record type. 3280 if (SizeOfArgTy != QualType()) { 3281 if (PointeeTy->isRecordType() && 3282 Context.typesAreCompatible(SizeOfArgTy, DestTy)) { 3283 DiagRuntimeBehavior(LenExpr->getExprLoc(), Dest, 3284 PDiag(diag::warn_sizeof_pointer_type_memaccess) 3285 << FnName << SizeOfArgTy << ArgIdx 3286 << PointeeTy << Dest->getSourceRange() 3287 << LenExpr->getSourceRange()); 3288 break; 3289 } 3290 } 3291 3292 // Always complain about dynamic classes. 3293 if (isDynamicClassType(PointeeTy)) { 3294 3295 unsigned OperationType = 0; 3296 // "overwritten" if we're warning about the destination for any call 3297 // but memcmp; otherwise a verb appropriate to the call. 3298 if (ArgIdx != 0 || BId == Builtin::BImemcmp) { 3299 if (BId == Builtin::BImemcpy) 3300 OperationType = 1; 3301 else if(BId == Builtin::BImemmove) 3302 OperationType = 2; 3303 else if (BId == Builtin::BImemcmp) 3304 OperationType = 3; 3305 } 3306 3307 DiagRuntimeBehavior( 3308 Dest->getExprLoc(), Dest, 3309 PDiag(diag::warn_dyn_class_memaccess) 3310 << (BId == Builtin::BImemcmp ? ArgIdx + 2 : ArgIdx) 3311 << FnName << PointeeTy 3312 << OperationType 3313 << Call->getCallee()->getSourceRange()); 3314 } else if (PointeeTy.hasNonTrivialObjCLifetime() && 3315 BId != Builtin::BImemset) 3316 DiagRuntimeBehavior( 3317 Dest->getExprLoc(), Dest, 3318 PDiag(diag::warn_arc_object_memaccess) 3319 << ArgIdx << FnName << PointeeTy 3320 << Call->getCallee()->getSourceRange()); 3321 else 3322 continue; 3323 3324 DiagRuntimeBehavior( 3325 Dest->getExprLoc(), Dest, 3326 PDiag(diag::note_bad_memaccess_silence) 3327 << FixItHint::CreateInsertion(ArgRange.getBegin(), "(void*)")); 3328 break; 3329 } 3330 } 3331} 3332 3333// A little helper routine: ignore addition and subtraction of integer literals. 3334// This intentionally does not ignore all integer constant expressions because 3335// we don't want to remove sizeof(). 3336static const Expr *ignoreLiteralAdditions(const Expr *Ex, ASTContext &Ctx) { 3337 Ex = Ex->IgnoreParenCasts(); 3338 3339 for (;;) { 3340 const BinaryOperator * BO = dyn_cast<BinaryOperator>(Ex); 3341 if (!BO || !BO->isAdditiveOp()) 3342 break; 3343 3344 const Expr *RHS = BO->getRHS()->IgnoreParenCasts(); 3345 const Expr *LHS = BO->getLHS()->IgnoreParenCasts(); 3346 3347 if (isa<IntegerLiteral>(RHS)) 3348 Ex = LHS; 3349 else if (isa<IntegerLiteral>(LHS)) 3350 Ex = RHS; 3351 else 3352 break; 3353 } 3354 3355 return Ex; 3356} 3357 3358static bool isConstantSizeArrayWithMoreThanOneElement(QualType Ty, 3359 ASTContext &Context) { 3360 // Only handle constant-sized or VLAs, but not flexible members. 3361 if (const ConstantArrayType *CAT = Context.getAsConstantArrayType(Ty)) { 3362 // Only issue the FIXIT for arrays of size > 1. 3363 if (CAT->getSize().getSExtValue() <= 1) 3364 return false; 3365 } else if (!Ty->isVariableArrayType()) { 3366 return false; 3367 } 3368 return true; 3369} 3370 3371// Warn if the user has made the 'size' argument to strlcpy or strlcat 3372// be the size of the source, instead of the destination. 3373void Sema::CheckStrlcpycatArguments(const CallExpr *Call, 3374 IdentifierInfo *FnName) { 3375 3376 // Don't crash if the user has the wrong number of arguments 3377 if (Call->getNumArgs() != 3) 3378 return; 3379 3380 const Expr *SrcArg = ignoreLiteralAdditions(Call->getArg(1), Context); 3381 const Expr *SizeArg = ignoreLiteralAdditions(Call->getArg(2), Context); 3382 const Expr *CompareWithSrc = NULL; 3383 3384 // Look for 'strlcpy(dst, x, sizeof(x))' 3385 if (const Expr *Ex = getSizeOfExprArg(SizeArg)) 3386 CompareWithSrc = Ex; 3387 else { 3388 // Look for 'strlcpy(dst, x, strlen(x))' 3389 if (const CallExpr *SizeCall = dyn_cast<CallExpr>(SizeArg)) { 3390 if (SizeCall->isBuiltinCall() == Builtin::BIstrlen 3391 && SizeCall->getNumArgs() == 1) 3392 CompareWithSrc = ignoreLiteralAdditions(SizeCall->getArg(0), Context); 3393 } 3394 } 3395 3396 if (!CompareWithSrc) 3397 return; 3398 3399 // Determine if the argument to sizeof/strlen is equal to the source 3400 // argument. In principle there's all kinds of things you could do 3401 // here, for instance creating an == expression and evaluating it with 3402 // EvaluateAsBooleanCondition, but this uses a more direct technique: 3403 const DeclRefExpr *SrcArgDRE = dyn_cast<DeclRefExpr>(SrcArg); 3404 if (!SrcArgDRE) 3405 return; 3406 3407 const DeclRefExpr *CompareWithSrcDRE = dyn_cast<DeclRefExpr>(CompareWithSrc); 3408 if (!CompareWithSrcDRE || 3409 SrcArgDRE->getDecl() != CompareWithSrcDRE->getDecl()) 3410 return; 3411 3412 const Expr *OriginalSizeArg = Call->getArg(2); 3413 Diag(CompareWithSrcDRE->getLocStart(), diag::warn_strlcpycat_wrong_size) 3414 << OriginalSizeArg->getSourceRange() << FnName; 3415 3416 // Output a FIXIT hint if the destination is an array (rather than a 3417 // pointer to an array). This could be enhanced to handle some 3418 // pointers if we know the actual size, like if DstArg is 'array+2' 3419 // we could say 'sizeof(array)-2'. 3420 const Expr *DstArg = Call->getArg(0)->IgnoreParenImpCasts(); 3421 if (!isConstantSizeArrayWithMoreThanOneElement(DstArg->getType(), Context)) 3422 return; 3423 3424 SmallString<128> sizeString; 3425 llvm::raw_svector_ostream OS(sizeString); 3426 OS << "sizeof("; 3427 DstArg->printPretty(OS, 0, getPrintingPolicy()); 3428 OS << ")"; 3429 3430 Diag(OriginalSizeArg->getLocStart(), diag::note_strlcpycat_wrong_size) 3431 << FixItHint::CreateReplacement(OriginalSizeArg->getSourceRange(), 3432 OS.str()); 3433} 3434 3435/// Check if two expressions refer to the same declaration. 3436static bool referToTheSameDecl(const Expr *E1, const Expr *E2) { 3437 if (const DeclRefExpr *D1 = dyn_cast_or_null<DeclRefExpr>(E1)) 3438 if (const DeclRefExpr *D2 = dyn_cast_or_null<DeclRefExpr>(E2)) 3439 return D1->getDecl() == D2->getDecl(); 3440 return false; 3441} 3442 3443static const Expr *getStrlenExprArg(const Expr *E) { 3444 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { 3445 const FunctionDecl *FD = CE->getDirectCallee(); 3446 if (!FD || FD->getMemoryFunctionKind() != Builtin::BIstrlen) 3447 return 0; 3448 return CE->getArg(0)->IgnoreParenCasts(); 3449 } 3450 return 0; 3451} 3452 3453// Warn on anti-patterns as the 'size' argument to strncat. 3454// The correct size argument should look like following: 3455// strncat(dst, src, sizeof(dst) - strlen(dest) - 1); 3456void Sema::CheckStrncatArguments(const CallExpr *CE, 3457 IdentifierInfo *FnName) { 3458 // Don't crash if the user has the wrong number of arguments. 3459 if (CE->getNumArgs() < 3) 3460 return; 3461 const Expr *DstArg = CE->getArg(0)->IgnoreParenCasts(); 3462 const Expr *SrcArg = CE->getArg(1)->IgnoreParenCasts(); 3463 const Expr *LenArg = CE->getArg(2)->IgnoreParenCasts(); 3464 3465 // Identify common expressions, which are wrongly used as the size argument 3466 // to strncat and may lead to buffer overflows. 3467 unsigned PatternType = 0; 3468 if (const Expr *SizeOfArg = getSizeOfExprArg(LenArg)) { 3469 // - sizeof(dst) 3470 if (referToTheSameDecl(SizeOfArg, DstArg)) 3471 PatternType = 1; 3472 // - sizeof(src) 3473 else if (referToTheSameDecl(SizeOfArg, SrcArg)) 3474 PatternType = 2; 3475 } else if (const BinaryOperator *BE = dyn_cast<BinaryOperator>(LenArg)) { 3476 if (BE->getOpcode() == BO_Sub) { 3477 const Expr *L = BE->getLHS()->IgnoreParenCasts(); 3478 const Expr *R = BE->getRHS()->IgnoreParenCasts(); 3479 // - sizeof(dst) - strlen(dst) 3480 if (referToTheSameDecl(DstArg, getSizeOfExprArg(L)) && 3481 referToTheSameDecl(DstArg, getStrlenExprArg(R))) 3482 PatternType = 1; 3483 // - sizeof(src) - (anything) 3484 else if (referToTheSameDecl(SrcArg, getSizeOfExprArg(L))) 3485 PatternType = 2; 3486 } 3487 } 3488 3489 if (PatternType == 0) 3490 return; 3491 3492 // Generate the diagnostic. 3493 SourceLocation SL = LenArg->getLocStart(); 3494 SourceRange SR = LenArg->getSourceRange(); 3495 SourceManager &SM = PP.getSourceManager(); 3496 3497 // If the function is defined as a builtin macro, do not show macro expansion. 3498 if (SM.isMacroArgExpansion(SL)) { 3499 SL = SM.getSpellingLoc(SL); 3500 SR = SourceRange(SM.getSpellingLoc(SR.getBegin()), 3501 SM.getSpellingLoc(SR.getEnd())); 3502 } 3503 3504 // Check if the destination is an array (rather than a pointer to an array). 3505 QualType DstTy = DstArg->getType(); 3506 bool isKnownSizeArray = isConstantSizeArrayWithMoreThanOneElement(DstTy, 3507 Context); 3508 if (!isKnownSizeArray) { 3509 if (PatternType == 1) 3510 Diag(SL, diag::warn_strncat_wrong_size) << SR; 3511 else 3512 Diag(SL, diag::warn_strncat_src_size) << SR; 3513 return; 3514 } 3515 3516 if (PatternType == 1) 3517 Diag(SL, diag::warn_strncat_large_size) << SR; 3518 else 3519 Diag(SL, diag::warn_strncat_src_size) << SR; 3520 3521 SmallString<128> sizeString; 3522 llvm::raw_svector_ostream OS(sizeString); 3523 OS << "sizeof("; 3524 DstArg->printPretty(OS, 0, getPrintingPolicy()); 3525 OS << ") - "; 3526 OS << "strlen("; 3527 DstArg->printPretty(OS, 0, getPrintingPolicy()); 3528 OS << ") - 1"; 3529 3530 Diag(SL, diag::note_strncat_wrong_size) 3531 << FixItHint::CreateReplacement(SR, OS.str()); 3532} 3533 3534//===--- CHECK: Return Address of Stack Variable --------------------------===// 3535 3536static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars, 3537 Decl *ParentDecl); 3538static Expr *EvalAddr(Expr* E, SmallVectorImpl<DeclRefExpr *> &refVars, 3539 Decl *ParentDecl); 3540 3541/// CheckReturnStackAddr - Check if a return statement returns the address 3542/// of a stack variable. 3543void 3544Sema::CheckReturnStackAddr(Expr *RetValExp, QualType lhsType, 3545 SourceLocation ReturnLoc) { 3546 3547 Expr *stackE = 0; 3548 SmallVector<DeclRefExpr *, 8> refVars; 3549 3550 // Perform checking for returned stack addresses, local blocks, 3551 // label addresses or references to temporaries. 3552 if (lhsType->isPointerType() || 3553 (!getLangOpts().ObjCAutoRefCount && lhsType->isBlockPointerType())) { 3554 stackE = EvalAddr(RetValExp, refVars, /*ParentDecl=*/0); 3555 } else if (lhsType->isReferenceType()) { 3556 stackE = EvalVal(RetValExp, refVars, /*ParentDecl=*/0); 3557 } 3558 3559 if (stackE == 0) 3560 return; // Nothing suspicious was found. 3561 3562 SourceLocation diagLoc; 3563 SourceRange diagRange; 3564 if (refVars.empty()) { 3565 diagLoc = stackE->getLocStart(); 3566 diagRange = stackE->getSourceRange(); 3567 } else { 3568 // We followed through a reference variable. 'stackE' contains the 3569 // problematic expression but we will warn at the return statement pointing 3570 // at the reference variable. We will later display the "trail" of 3571 // reference variables using notes. 3572 diagLoc = refVars[0]->getLocStart(); 3573 diagRange = refVars[0]->getSourceRange(); 3574 } 3575 3576 if (DeclRefExpr *DR = dyn_cast<DeclRefExpr>(stackE)) { //address of local var. 3577 Diag(diagLoc, lhsType->isReferenceType() ? diag::warn_ret_stack_ref 3578 : diag::warn_ret_stack_addr) 3579 << DR->getDecl()->getDeclName() << diagRange; 3580 } else if (isa<BlockExpr>(stackE)) { // local block. 3581 Diag(diagLoc, diag::err_ret_local_block) << diagRange; 3582 } else if (isa<AddrLabelExpr>(stackE)) { // address of label. 3583 Diag(diagLoc, diag::warn_ret_addr_label) << diagRange; 3584 } else { // local temporary. 3585 Diag(diagLoc, lhsType->isReferenceType() ? diag::warn_ret_local_temp_ref 3586 : diag::warn_ret_local_temp_addr) 3587 << diagRange; 3588 } 3589 3590 // Display the "trail" of reference variables that we followed until we 3591 // found the problematic expression using notes. 3592 for (unsigned i = 0, e = refVars.size(); i != e; ++i) { 3593 VarDecl *VD = cast<VarDecl>(refVars[i]->getDecl()); 3594 // If this var binds to another reference var, show the range of the next 3595 // var, otherwise the var binds to the problematic expression, in which case 3596 // show the range of the expression. 3597 SourceRange range = (i < e-1) ? refVars[i+1]->getSourceRange() 3598 : stackE->getSourceRange(); 3599 Diag(VD->getLocation(), diag::note_ref_var_local_bind) 3600 << VD->getDeclName() << range; 3601 } 3602} 3603 3604/// EvalAddr - EvalAddr and EvalVal are mutually recursive functions that 3605/// check if the expression in a return statement evaluates to an address 3606/// to a location on the stack, a local block, an address of a label, or a 3607/// reference to local temporary. The recursion is used to traverse the 3608/// AST of the return expression, with recursion backtracking when we 3609/// encounter a subexpression that (1) clearly does not lead to one of the 3610/// above problematic expressions (2) is something we cannot determine leads to 3611/// a problematic expression based on such local checking. 3612/// 3613/// Both EvalAddr and EvalVal follow through reference variables to evaluate 3614/// the expression that they point to. Such variables are added to the 3615/// 'refVars' vector so that we know what the reference variable "trail" was. 3616/// 3617/// EvalAddr processes expressions that are pointers that are used as 3618/// references (and not L-values). EvalVal handles all other values. 3619/// At the base case of the recursion is a check for the above problematic 3620/// expressions. 3621/// 3622/// This implementation handles: 3623/// 3624/// * pointer-to-pointer casts 3625/// * implicit conversions from array references to pointers 3626/// * taking the address of fields 3627/// * arbitrary interplay between "&" and "*" operators 3628/// * pointer arithmetic from an address of a stack variable 3629/// * taking the address of an array element where the array is on the stack 3630static Expr *EvalAddr(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars, 3631 Decl *ParentDecl) { 3632 if (E->isTypeDependent()) 3633 return NULL; 3634 3635 // We should only be called for evaluating pointer expressions. 3636 assert((E->getType()->isAnyPointerType() || 3637 E->getType()->isBlockPointerType() || 3638 E->getType()->isObjCQualifiedIdType()) && 3639 "EvalAddr only works on pointers"); 3640 3641 E = E->IgnoreParens(); 3642 3643 // Our "symbolic interpreter" is just a dispatch off the currently 3644 // viewed AST node. We then recursively traverse the AST by calling 3645 // EvalAddr and EvalVal appropriately. 3646 switch (E->getStmtClass()) { 3647 case Stmt::DeclRefExprClass: { 3648 DeclRefExpr *DR = cast<DeclRefExpr>(E); 3649 3650 if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) 3651 // If this is a reference variable, follow through to the expression that 3652 // it points to. 3653 if (V->hasLocalStorage() && 3654 V->getType()->isReferenceType() && V->hasInit()) { 3655 // Add the reference variable to the "trail". 3656 refVars.push_back(DR); 3657 return EvalAddr(V->getInit(), refVars, ParentDecl); 3658 } 3659 3660 return NULL; 3661 } 3662 3663 case Stmt::UnaryOperatorClass: { 3664 // The only unary operator that make sense to handle here 3665 // is AddrOf. All others don't make sense as pointers. 3666 UnaryOperator *U = cast<UnaryOperator>(E); 3667 3668 if (U->getOpcode() == UO_AddrOf) 3669 return EvalVal(U->getSubExpr(), refVars, ParentDecl); 3670 else 3671 return NULL; 3672 } 3673 3674 case Stmt::BinaryOperatorClass: { 3675 // Handle pointer arithmetic. All other binary operators are not valid 3676 // in this context. 3677 BinaryOperator *B = cast<BinaryOperator>(E); 3678 BinaryOperatorKind op = B->getOpcode(); 3679 3680 if (op != BO_Add && op != BO_Sub) 3681 return NULL; 3682 3683 Expr *Base = B->getLHS(); 3684 3685 // Determine which argument is the real pointer base. It could be 3686 // the RHS argument instead of the LHS. 3687 if (!Base->getType()->isPointerType()) Base = B->getRHS(); 3688 3689 assert (Base->getType()->isPointerType()); 3690 return EvalAddr(Base, refVars, ParentDecl); 3691 } 3692 3693 // For conditional operators we need to see if either the LHS or RHS are 3694 // valid DeclRefExpr*s. If one of them is valid, we return it. 3695 case Stmt::ConditionalOperatorClass: { 3696 ConditionalOperator *C = cast<ConditionalOperator>(E); 3697 3698 // Handle the GNU extension for missing LHS. 3699 if (Expr *lhsExpr = C->getLHS()) { 3700 // In C++, we can have a throw-expression, which has 'void' type. 3701 if (!lhsExpr->getType()->isVoidType()) 3702 if (Expr* LHS = EvalAddr(lhsExpr, refVars, ParentDecl)) 3703 return LHS; 3704 } 3705 3706 // In C++, we can have a throw-expression, which has 'void' type. 3707 if (C->getRHS()->getType()->isVoidType()) 3708 return NULL; 3709 3710 return EvalAddr(C->getRHS(), refVars, ParentDecl); 3711 } 3712 3713 case Stmt::BlockExprClass: 3714 if (cast<BlockExpr>(E)->getBlockDecl()->hasCaptures()) 3715 return E; // local block. 3716 return NULL; 3717 3718 case Stmt::AddrLabelExprClass: 3719 return E; // address of label. 3720 3721 case Stmt::ExprWithCleanupsClass: 3722 return EvalAddr(cast<ExprWithCleanups>(E)->getSubExpr(), refVars, 3723 ParentDecl); 3724 3725 // For casts, we need to handle conversions from arrays to 3726 // pointer values, and pointer-to-pointer conversions. 3727 case Stmt::ImplicitCastExprClass: 3728 case Stmt::CStyleCastExprClass: 3729 case Stmt::CXXFunctionalCastExprClass: 3730 case Stmt::ObjCBridgedCastExprClass: 3731 case Stmt::CXXStaticCastExprClass: 3732 case Stmt::CXXDynamicCastExprClass: 3733 case Stmt::CXXConstCastExprClass: 3734 case Stmt::CXXReinterpretCastExprClass: { 3735 Expr* SubExpr = cast<CastExpr>(E)->getSubExpr(); 3736 switch (cast<CastExpr>(E)->getCastKind()) { 3737 case CK_BitCast: 3738 case CK_LValueToRValue: 3739 case CK_NoOp: 3740 case CK_BaseToDerived: 3741 case CK_DerivedToBase: 3742 case CK_UncheckedDerivedToBase: 3743 case CK_Dynamic: 3744 case CK_CPointerToObjCPointerCast: 3745 case CK_BlockPointerToObjCPointerCast: 3746 case CK_AnyPointerToBlockPointerCast: 3747 return EvalAddr(SubExpr, refVars, ParentDecl); 3748 3749 case CK_ArrayToPointerDecay: 3750 return EvalVal(SubExpr, refVars, ParentDecl); 3751 3752 default: 3753 return 0; 3754 } 3755 } 3756 3757 case Stmt::MaterializeTemporaryExprClass: 3758 if (Expr *Result = EvalAddr( 3759 cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(), 3760 refVars, ParentDecl)) 3761 return Result; 3762 3763 return E; 3764 3765 // Everything else: we simply don't reason about them. 3766 default: 3767 return NULL; 3768 } 3769} 3770 3771 3772/// EvalVal - This function is complements EvalAddr in the mutual recursion. 3773/// See the comments for EvalAddr for more details. 3774static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars, 3775 Decl *ParentDecl) { 3776do { 3777 // We should only be called for evaluating non-pointer expressions, or 3778 // expressions with a pointer type that are not used as references but instead 3779 // are l-values (e.g., DeclRefExpr with a pointer type). 3780 3781 // Our "symbolic interpreter" is just a dispatch off the currently 3782 // viewed AST node. We then recursively traverse the AST by calling 3783 // EvalAddr and EvalVal appropriately. 3784 3785 E = E->IgnoreParens(); 3786 switch (E->getStmtClass()) { 3787 case Stmt::ImplicitCastExprClass: { 3788 ImplicitCastExpr *IE = cast<ImplicitCastExpr>(E); 3789 if (IE->getValueKind() == VK_LValue) { 3790 E = IE->getSubExpr(); 3791 continue; 3792 } 3793 return NULL; 3794 } 3795 3796 case Stmt::ExprWithCleanupsClass: 3797 return EvalVal(cast<ExprWithCleanups>(E)->getSubExpr(), refVars,ParentDecl); 3798 3799 case Stmt::DeclRefExprClass: { 3800 // When we hit a DeclRefExpr we are looking at code that refers to a 3801 // variable's name. If it's not a reference variable we check if it has 3802 // local storage within the function, and if so, return the expression. 3803 DeclRefExpr *DR = cast<DeclRefExpr>(E); 3804 3805 if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) { 3806 // Check if it refers to itself, e.g. "int& i = i;". 3807 if (V == ParentDecl) 3808 return DR; 3809 3810 if (V->hasLocalStorage()) { 3811 if (!V->getType()->isReferenceType()) 3812 return DR; 3813 3814 // Reference variable, follow through to the expression that 3815 // it points to. 3816 if (V->hasInit()) { 3817 // Add the reference variable to the "trail". 3818 refVars.push_back(DR); 3819 return EvalVal(V->getInit(), refVars, V); 3820 } 3821 } 3822 } 3823 3824 return NULL; 3825 } 3826 3827 case Stmt::UnaryOperatorClass: { 3828 // The only unary operator that make sense to handle here 3829 // is Deref. All others don't resolve to a "name." This includes 3830 // handling all sorts of rvalues passed to a unary operator. 3831 UnaryOperator *U = cast<UnaryOperator>(E); 3832 3833 if (U->getOpcode() == UO_Deref) 3834 return EvalAddr(U->getSubExpr(), refVars, ParentDecl); 3835 3836 return NULL; 3837 } 3838 3839 case Stmt::ArraySubscriptExprClass: { 3840 // Array subscripts are potential references to data on the stack. We 3841 // retrieve the DeclRefExpr* for the array variable if it indeed 3842 // has local storage. 3843 return EvalAddr(cast<ArraySubscriptExpr>(E)->getBase(), refVars,ParentDecl); 3844 } 3845 3846 case Stmt::ConditionalOperatorClass: { 3847 // For conditional operators we need to see if either the LHS or RHS are 3848 // non-NULL Expr's. If one is non-NULL, we return it. 3849 ConditionalOperator *C = cast<ConditionalOperator>(E); 3850 3851 // Handle the GNU extension for missing LHS. 3852 if (Expr *lhsExpr = C->getLHS()) 3853 if (Expr *LHS = EvalVal(lhsExpr, refVars, ParentDecl)) 3854 return LHS; 3855 3856 return EvalVal(C->getRHS(), refVars, ParentDecl); 3857 } 3858 3859 // Accesses to members are potential references to data on the stack. 3860 case Stmt::MemberExprClass: { 3861 MemberExpr *M = cast<MemberExpr>(E); 3862 3863 // Check for indirect access. We only want direct field accesses. 3864 if (M->isArrow()) 3865 return NULL; 3866 3867 // Check whether the member type is itself a reference, in which case 3868 // we're not going to refer to the member, but to what the member refers to. 3869 if (M->getMemberDecl()->getType()->isReferenceType()) 3870 return NULL; 3871 3872 return EvalVal(M->getBase(), refVars, ParentDecl); 3873 } 3874 3875 case Stmt::MaterializeTemporaryExprClass: 3876 if (Expr *Result = EvalVal( 3877 cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(), 3878 refVars, ParentDecl)) 3879 return Result; 3880 3881 return E; 3882 3883 default: 3884 // Check that we don't return or take the address of a reference to a 3885 // temporary. This is only useful in C++. 3886 if (!E->isTypeDependent() && E->isRValue()) 3887 return E; 3888 3889 // Everything else: we simply don't reason about them. 3890 return NULL; 3891 } 3892} while (true); 3893} 3894 3895//===--- CHECK: Floating-Point comparisons (-Wfloat-equal) ---------------===// 3896 3897/// Check for comparisons of floating point operands using != and ==. 3898/// Issue a warning if these are no self-comparisons, as they are not likely 3899/// to do what the programmer intended. 3900void Sema::CheckFloatComparison(SourceLocation Loc, Expr* LHS, Expr *RHS) { 3901 Expr* LeftExprSansParen = LHS->IgnoreParenImpCasts(); 3902 Expr* RightExprSansParen = RHS->IgnoreParenImpCasts(); 3903 3904 // Special case: check for x == x (which is OK). 3905 // Do not emit warnings for such cases. 3906 if (DeclRefExpr* DRL = dyn_cast<DeclRefExpr>(LeftExprSansParen)) 3907 if (DeclRefExpr* DRR = dyn_cast<DeclRefExpr>(RightExprSansParen)) 3908 if (DRL->getDecl() == DRR->getDecl()) 3909 return; 3910 3911 3912 // Special case: check for comparisons against literals that can be exactly 3913 // represented by APFloat. In such cases, do not emit a warning. This 3914 // is a heuristic: often comparison against such literals are used to 3915 // detect if a value in a variable has not changed. This clearly can 3916 // lead to false negatives. 3917 if (FloatingLiteral* FLL = dyn_cast<FloatingLiteral>(LeftExprSansParen)) { 3918 if (FLL->isExact()) 3919 return; 3920 } else 3921 if (FloatingLiteral* FLR = dyn_cast<FloatingLiteral>(RightExprSansParen)) 3922 if (FLR->isExact()) 3923 return; 3924 3925 // Check for comparisons with builtin types. 3926 if (CallExpr* CL = dyn_cast<CallExpr>(LeftExprSansParen)) 3927 if (CL->isBuiltinCall()) 3928 return; 3929 3930 if (CallExpr* CR = dyn_cast<CallExpr>(RightExprSansParen)) 3931 if (CR->isBuiltinCall()) 3932 return; 3933 3934 // Emit the diagnostic. 3935 Diag(Loc, diag::warn_floatingpoint_eq) 3936 << LHS->getSourceRange() << RHS->getSourceRange(); 3937} 3938 3939//===--- CHECK: Integer mixed-sign comparisons (-Wsign-compare) --------===// 3940//===--- CHECK: Lossy implicit conversions (-Wconversion) --------------===// 3941 3942namespace { 3943 3944/// Structure recording the 'active' range of an integer-valued 3945/// expression. 3946struct IntRange { 3947 /// The number of bits active in the int. 3948 unsigned Width; 3949 3950 /// True if the int is known not to have negative values. 3951 bool NonNegative; 3952 3953 IntRange(unsigned Width, bool NonNegative) 3954 : Width(Width), NonNegative(NonNegative) 3955 {} 3956 3957 /// Returns the range of the bool type. 3958 static IntRange forBoolType() { 3959 return IntRange(1, true); 3960 } 3961 3962 /// Returns the range of an opaque value of the given integral type. 3963 static IntRange forValueOfType(ASTContext &C, QualType T) { 3964 return forValueOfCanonicalType(C, 3965 T->getCanonicalTypeInternal().getTypePtr()); 3966 } 3967 3968 /// Returns the range of an opaque value of a canonical integral type. 3969 static IntRange forValueOfCanonicalType(ASTContext &C, const Type *T) { 3970 assert(T->isCanonicalUnqualified()); 3971 3972 if (const VectorType *VT = dyn_cast<VectorType>(T)) 3973 T = VT->getElementType().getTypePtr(); 3974 if (const ComplexType *CT = dyn_cast<ComplexType>(T)) 3975 T = CT->getElementType().getTypePtr(); 3976 3977 // For enum types, use the known bit width of the enumerators. 3978 if (const EnumType *ET = dyn_cast<EnumType>(T)) { 3979 EnumDecl *Enum = ET->getDecl(); 3980 if (!Enum->isCompleteDefinition()) 3981 return IntRange(C.getIntWidth(QualType(T, 0)), false); 3982 3983 unsigned NumPositive = Enum->getNumPositiveBits(); 3984 unsigned NumNegative = Enum->getNumNegativeBits(); 3985 3986 if (NumNegative == 0) 3987 return IntRange(NumPositive, true/*NonNegative*/); 3988 else 3989 return IntRange(std::max(NumPositive + 1, NumNegative), 3990 false/*NonNegative*/); 3991 } 3992 3993 const BuiltinType *BT = cast<BuiltinType>(T); 3994 assert(BT->isInteger()); 3995 3996 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); 3997 } 3998 3999 /// Returns the "target" range of a canonical integral type, i.e. 4000 /// the range of values expressible in the type. 4001 /// 4002 /// This matches forValueOfCanonicalType except that enums have the 4003 /// full range of their type, not the range of their enumerators. 4004 static IntRange forTargetOfCanonicalType(ASTContext &C, const Type *T) { 4005 assert(T->isCanonicalUnqualified()); 4006 4007 if (const VectorType *VT = dyn_cast<VectorType>(T)) 4008 T = VT->getElementType().getTypePtr(); 4009 if (const ComplexType *CT = dyn_cast<ComplexType>(T)) 4010 T = CT->getElementType().getTypePtr(); 4011 if (const EnumType *ET = dyn_cast<EnumType>(T)) 4012 T = C.getCanonicalType(ET->getDecl()->getIntegerType()).getTypePtr(); 4013 4014 const BuiltinType *BT = cast<BuiltinType>(T); 4015 assert(BT->isInteger()); 4016 4017 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); 4018 } 4019 4020 /// Returns the supremum of two ranges: i.e. their conservative merge. 4021 static IntRange join(IntRange L, IntRange R) { 4022 return IntRange(std::max(L.Width, R.Width), 4023 L.NonNegative && R.NonNegative); 4024 } 4025 4026 /// Returns the infinum of two ranges: i.e. their aggressive merge. 4027 static IntRange meet(IntRange L, IntRange R) { 4028 return IntRange(std::min(L.Width, R.Width), 4029 L.NonNegative || R.NonNegative); 4030 } 4031}; 4032 4033static IntRange GetValueRange(ASTContext &C, llvm::APSInt &value, 4034 unsigned MaxWidth) { 4035 if (value.isSigned() && value.isNegative()) 4036 return IntRange(value.getMinSignedBits(), false); 4037 4038 if (value.getBitWidth() > MaxWidth) 4039 value = value.trunc(MaxWidth); 4040 4041 // isNonNegative() just checks the sign bit without considering 4042 // signedness. 4043 return IntRange(value.getActiveBits(), true); 4044} 4045 4046static IntRange GetValueRange(ASTContext &C, APValue &result, QualType Ty, 4047 unsigned MaxWidth) { 4048 if (result.isInt()) 4049 return GetValueRange(C, result.getInt(), MaxWidth); 4050 4051 if (result.isVector()) { 4052 IntRange R = GetValueRange(C, result.getVectorElt(0), Ty, MaxWidth); 4053 for (unsigned i = 1, e = result.getVectorLength(); i != e; ++i) { 4054 IntRange El = GetValueRange(C, result.getVectorElt(i), Ty, MaxWidth); 4055 R = IntRange::join(R, El); 4056 } 4057 return R; 4058 } 4059 4060 if (result.isComplexInt()) { 4061 IntRange R = GetValueRange(C, result.getComplexIntReal(), MaxWidth); 4062 IntRange I = GetValueRange(C, result.getComplexIntImag(), MaxWidth); 4063 return IntRange::join(R, I); 4064 } 4065 4066 // This can happen with lossless casts to intptr_t of "based" lvalues. 4067 // Assume it might use arbitrary bits. 4068 // FIXME: The only reason we need to pass the type in here is to get 4069 // the sign right on this one case. It would be nice if APValue 4070 // preserved this. 4071 assert(result.isLValue() || result.isAddrLabelDiff()); 4072 return IntRange(MaxWidth, Ty->isUnsignedIntegerOrEnumerationType()); 4073} 4074 4075/// Pseudo-evaluate the given integer expression, estimating the 4076/// range of values it might take. 4077/// 4078/// \param MaxWidth - the width to which the value will be truncated 4079static IntRange GetExprRange(ASTContext &C, Expr *E, unsigned MaxWidth) { 4080 E = E->IgnoreParens(); 4081 4082 // Try a full evaluation first. 4083 Expr::EvalResult result; 4084 if (E->EvaluateAsRValue(result, C)) 4085 return GetValueRange(C, result.Val, E->getType(), MaxWidth); 4086 4087 // I think we only want to look through implicit casts here; if the 4088 // user has an explicit widening cast, we should treat the value as 4089 // being of the new, wider type. 4090 if (ImplicitCastExpr *CE = dyn_cast<ImplicitCastExpr>(E)) { 4091 if (CE->getCastKind() == CK_NoOp || CE->getCastKind() == CK_LValueToRValue) 4092 return GetExprRange(C, CE->getSubExpr(), MaxWidth); 4093 4094 IntRange OutputTypeRange = IntRange::forValueOfType(C, CE->getType()); 4095 4096 bool isIntegerCast = (CE->getCastKind() == CK_IntegralCast); 4097 4098 // Assume that non-integer casts can span the full range of the type. 4099 if (!isIntegerCast) 4100 return OutputTypeRange; 4101 4102 IntRange SubRange 4103 = GetExprRange(C, CE->getSubExpr(), 4104 std::min(MaxWidth, OutputTypeRange.Width)); 4105 4106 // Bail out if the subexpr's range is as wide as the cast type. 4107 if (SubRange.Width >= OutputTypeRange.Width) 4108 return OutputTypeRange; 4109 4110 // Otherwise, we take the smaller width, and we're non-negative if 4111 // either the output type or the subexpr is. 4112 return IntRange(SubRange.Width, 4113 SubRange.NonNegative || OutputTypeRange.NonNegative); 4114 } 4115 4116 if (ConditionalOperator *CO = dyn_cast<ConditionalOperator>(E)) { 4117 // If we can fold the condition, just take that operand. 4118 bool CondResult; 4119 if (CO->getCond()->EvaluateAsBooleanCondition(CondResult, C)) 4120 return GetExprRange(C, CondResult ? CO->getTrueExpr() 4121 : CO->getFalseExpr(), 4122 MaxWidth); 4123 4124 // Otherwise, conservatively merge. 4125 IntRange L = GetExprRange(C, CO->getTrueExpr(), MaxWidth); 4126 IntRange R = GetExprRange(C, CO->getFalseExpr(), MaxWidth); 4127 return IntRange::join(L, R); 4128 } 4129 4130 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 4131 switch (BO->getOpcode()) { 4132 4133 // Boolean-valued operations are single-bit and positive. 4134 case BO_LAnd: 4135 case BO_LOr: 4136 case BO_LT: 4137 case BO_GT: 4138 case BO_LE: 4139 case BO_GE: 4140 case BO_EQ: 4141 case BO_NE: 4142 return IntRange::forBoolType(); 4143 4144 // The type of the assignments is the type of the LHS, so the RHS 4145 // is not necessarily the same type. 4146 case BO_MulAssign: 4147 case BO_DivAssign: 4148 case BO_RemAssign: 4149 case BO_AddAssign: 4150 case BO_SubAssign: 4151 case BO_XorAssign: 4152 case BO_OrAssign: 4153 // TODO: bitfields? 4154 return IntRange::forValueOfType(C, E->getType()); 4155 4156 // Simple assignments just pass through the RHS, which will have 4157 // been coerced to the LHS type. 4158 case BO_Assign: 4159 // TODO: bitfields? 4160 return GetExprRange(C, BO->getRHS(), MaxWidth); 4161 4162 // Operations with opaque sources are black-listed. 4163 case BO_PtrMemD: 4164 case BO_PtrMemI: 4165 return IntRange::forValueOfType(C, E->getType()); 4166 4167 // Bitwise-and uses the *infinum* of the two source ranges. 4168 case BO_And: 4169 case BO_AndAssign: 4170 return IntRange::meet(GetExprRange(C, BO->getLHS(), MaxWidth), 4171 GetExprRange(C, BO->getRHS(), MaxWidth)); 4172 4173 // Left shift gets black-listed based on a judgement call. 4174 case BO_Shl: 4175 // ...except that we want to treat '1 << (blah)' as logically 4176 // positive. It's an important idiom. 4177 if (IntegerLiteral *I 4178 = dyn_cast<IntegerLiteral>(BO->getLHS()->IgnoreParenCasts())) { 4179 if (I->getValue() == 1) { 4180 IntRange R = IntRange::forValueOfType(C, E->getType()); 4181 return IntRange(R.Width, /*NonNegative*/ true); 4182 } 4183 } 4184 // fallthrough 4185 4186 case BO_ShlAssign: 4187 return IntRange::forValueOfType(C, E->getType()); 4188 4189 // Right shift by a constant can narrow its left argument. 4190 case BO_Shr: 4191 case BO_ShrAssign: { 4192 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 4193 4194 // If the shift amount is a positive constant, drop the width by 4195 // that much. 4196 llvm::APSInt shift; 4197 if (BO->getRHS()->isIntegerConstantExpr(shift, C) && 4198 shift.isNonNegative()) { 4199 unsigned zext = shift.getZExtValue(); 4200 if (zext >= L.Width) 4201 L.Width = (L.NonNegative ? 0 : 1); 4202 else 4203 L.Width -= zext; 4204 } 4205 4206 return L; 4207 } 4208 4209 // Comma acts as its right operand. 4210 case BO_Comma: 4211 return GetExprRange(C, BO->getRHS(), MaxWidth); 4212 4213 // Black-list pointer subtractions. 4214 case BO_Sub: 4215 if (BO->getLHS()->getType()->isPointerType()) 4216 return IntRange::forValueOfType(C, E->getType()); 4217 break; 4218 4219 // The width of a division result is mostly determined by the size 4220 // of the LHS. 4221 case BO_Div: { 4222 // Don't 'pre-truncate' the operands. 4223 unsigned opWidth = C.getIntWidth(E->getType()); 4224 IntRange L = GetExprRange(C, BO->getLHS(), opWidth); 4225 4226 // If the divisor is constant, use that. 4227 llvm::APSInt divisor; 4228 if (BO->getRHS()->isIntegerConstantExpr(divisor, C)) { 4229 unsigned log2 = divisor.logBase2(); // floor(log_2(divisor)) 4230 if (log2 >= L.Width) 4231 L.Width = (L.NonNegative ? 0 : 1); 4232 else 4233 L.Width = std::min(L.Width - log2, MaxWidth); 4234 return L; 4235 } 4236 4237 // Otherwise, just use the LHS's width. 4238 IntRange R = GetExprRange(C, BO->getRHS(), opWidth); 4239 return IntRange(L.Width, L.NonNegative && R.NonNegative); 4240 } 4241 4242 // The result of a remainder can't be larger than the result of 4243 // either side. 4244 case BO_Rem: { 4245 // Don't 'pre-truncate' the operands. 4246 unsigned opWidth = C.getIntWidth(E->getType()); 4247 IntRange L = GetExprRange(C, BO->getLHS(), opWidth); 4248 IntRange R = GetExprRange(C, BO->getRHS(), opWidth); 4249 4250 IntRange meet = IntRange::meet(L, R); 4251 meet.Width = std::min(meet.Width, MaxWidth); 4252 return meet; 4253 } 4254 4255 // The default behavior is okay for these. 4256 case BO_Mul: 4257 case BO_Add: 4258 case BO_Xor: 4259 case BO_Or: 4260 break; 4261 } 4262 4263 // The default case is to treat the operation as if it were closed 4264 // on the narrowest type that encompasses both operands. 4265 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 4266 IntRange R = GetExprRange(C, BO->getRHS(), MaxWidth); 4267 return IntRange::join(L, R); 4268 } 4269 4270 if (UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) { 4271 switch (UO->getOpcode()) { 4272 // Boolean-valued operations are white-listed. 4273 case UO_LNot: 4274 return IntRange::forBoolType(); 4275 4276 // Operations with opaque sources are black-listed. 4277 case UO_Deref: 4278 case UO_AddrOf: // should be impossible 4279 return IntRange::forValueOfType(C, E->getType()); 4280 4281 default: 4282 return GetExprRange(C, UO->getSubExpr(), MaxWidth); 4283 } 4284 } 4285 4286 if (dyn_cast<OffsetOfExpr>(E)) { 4287 IntRange::forValueOfType(C, E->getType()); 4288 } 4289 4290 if (FieldDecl *BitField = E->getBitField()) 4291 return IntRange(BitField->getBitWidthValue(C), 4292 BitField->getType()->isUnsignedIntegerOrEnumerationType()); 4293 4294 return IntRange::forValueOfType(C, E->getType()); 4295} 4296 4297static IntRange GetExprRange(ASTContext &C, Expr *E) { 4298 return GetExprRange(C, E, C.getIntWidth(E->getType())); 4299} 4300 4301/// Checks whether the given value, which currently has the given 4302/// source semantics, has the same value when coerced through the 4303/// target semantics. 4304static bool IsSameFloatAfterCast(const llvm::APFloat &value, 4305 const llvm::fltSemantics &Src, 4306 const llvm::fltSemantics &Tgt) { 4307 llvm::APFloat truncated = value; 4308 4309 bool ignored; 4310 truncated.convert(Src, llvm::APFloat::rmNearestTiesToEven, &ignored); 4311 truncated.convert(Tgt, llvm::APFloat::rmNearestTiesToEven, &ignored); 4312 4313 return truncated.bitwiseIsEqual(value); 4314} 4315 4316/// Checks whether the given value, which currently has the given 4317/// source semantics, has the same value when coerced through the 4318/// target semantics. 4319/// 4320/// The value might be a vector of floats (or a complex number). 4321static bool IsSameFloatAfterCast(const APValue &value, 4322 const llvm::fltSemantics &Src, 4323 const llvm::fltSemantics &Tgt) { 4324 if (value.isFloat()) 4325 return IsSameFloatAfterCast(value.getFloat(), Src, Tgt); 4326 4327 if (value.isVector()) { 4328 for (unsigned i = 0, e = value.getVectorLength(); i != e; ++i) 4329 if (!IsSameFloatAfterCast(value.getVectorElt(i), Src, Tgt)) 4330 return false; 4331 return true; 4332 } 4333 4334 assert(value.isComplexFloat()); 4335 return (IsSameFloatAfterCast(value.getComplexFloatReal(), Src, Tgt) && 4336 IsSameFloatAfterCast(value.getComplexFloatImag(), Src, Tgt)); 4337} 4338 4339static void AnalyzeImplicitConversions(Sema &S, Expr *E, SourceLocation CC); 4340 4341static bool IsZero(Sema &S, Expr *E) { 4342 // Suppress cases where we are comparing against an enum constant. 4343 if (const DeclRefExpr *DR = 4344 dyn_cast<DeclRefExpr>(E->IgnoreParenImpCasts())) 4345 if (isa<EnumConstantDecl>(DR->getDecl())) 4346 return false; 4347 4348 // Suppress cases where the '0' value is expanded from a macro. 4349 if (E->getLocStart().isMacroID()) 4350 return false; 4351 4352 llvm::APSInt Value; 4353 return E->isIntegerConstantExpr(Value, S.Context) && Value == 0; 4354} 4355 4356static bool HasEnumType(Expr *E) { 4357 // Strip off implicit integral promotions. 4358 while (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) { 4359 if (ICE->getCastKind() != CK_IntegralCast && 4360 ICE->getCastKind() != CK_NoOp) 4361 break; 4362 E = ICE->getSubExpr(); 4363 } 4364 4365 return E->getType()->isEnumeralType(); 4366} 4367 4368static void CheckTrivialUnsignedComparison(Sema &S, BinaryOperator *E) { 4369 BinaryOperatorKind op = E->getOpcode(); 4370 if (E->isValueDependent()) 4371 return; 4372 4373 if (op == BO_LT && IsZero(S, E->getRHS())) { 4374 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 4375 << "< 0" << "false" << HasEnumType(E->getLHS()) 4376 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 4377 } else if (op == BO_GE && IsZero(S, E->getRHS())) { 4378 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 4379 << ">= 0" << "true" << HasEnumType(E->getLHS()) 4380 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 4381 } else if (op == BO_GT && IsZero(S, E->getLHS())) { 4382 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 4383 << "0 >" << "false" << HasEnumType(E->getRHS()) 4384 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 4385 } else if (op == BO_LE && IsZero(S, E->getLHS())) { 4386 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 4387 << "0 <=" << "true" << HasEnumType(E->getRHS()) 4388 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 4389 } 4390} 4391 4392static void DiagnoseOutOfRangeComparison(Sema &S, BinaryOperator *E, 4393 Expr *Constant, Expr *Other, 4394 llvm::APSInt Value, 4395 bool RhsConstant) { 4396 // 0 values are handled later by CheckTrivialUnsignedComparison(). 4397 if (Value == 0) 4398 return; 4399 4400 BinaryOperatorKind op = E->getOpcode(); 4401 QualType OtherT = Other->getType(); 4402 QualType ConstantT = Constant->getType(); 4403 QualType CommonT = E->getLHS()->getType(); 4404 if (S.Context.hasSameUnqualifiedType(OtherT, ConstantT)) 4405 return; 4406 assert((OtherT->isIntegerType() && ConstantT->isIntegerType()) 4407 && "comparison with non-integer type"); 4408 4409 bool ConstantSigned = ConstantT->isSignedIntegerType(); 4410 bool CommonSigned = CommonT->isSignedIntegerType(); 4411 4412 bool EqualityOnly = false; 4413 4414 // TODO: Investigate using GetExprRange() to get tighter bounds on 4415 // on the bit ranges. 4416 IntRange OtherRange = IntRange::forValueOfType(S.Context, OtherT); 4417 unsigned OtherWidth = OtherRange.Width; 4418 4419 if (CommonSigned) { 4420 // The common type is signed, therefore no signed to unsigned conversion. 4421 if (!OtherRange.NonNegative) { 4422 // Check that the constant is representable in type OtherT. 4423 if (ConstantSigned) { 4424 if (OtherWidth >= Value.getMinSignedBits()) 4425 return; 4426 } else { // !ConstantSigned 4427 if (OtherWidth >= Value.getActiveBits() + 1) 4428 return; 4429 } 4430 } else { // !OtherSigned 4431 // Check that the constant is representable in type OtherT. 4432 // Negative values are out of range. 4433 if (ConstantSigned) { 4434 if (Value.isNonNegative() && OtherWidth >= Value.getActiveBits()) 4435 return; 4436 } else { // !ConstantSigned 4437 if (OtherWidth >= Value.getActiveBits()) 4438 return; 4439 } 4440 } 4441 } else { // !CommonSigned 4442 if (OtherRange.NonNegative) { 4443 if (OtherWidth >= Value.getActiveBits()) 4444 return; 4445 } else if (!OtherRange.NonNegative && !ConstantSigned) { 4446 // Check to see if the constant is representable in OtherT. 4447 if (OtherWidth > Value.getActiveBits()) 4448 return; 4449 // Check to see if the constant is equivalent to a negative value 4450 // cast to CommonT. 4451 if (S.Context.getIntWidth(ConstantT) == S.Context.getIntWidth(CommonT) && 4452 Value.isNegative() && Value.getMinSignedBits() <= OtherWidth) 4453 return; 4454 // The constant value rests between values that OtherT can represent after 4455 // conversion. Relational comparison still works, but equality 4456 // comparisons will be tautological. 4457 EqualityOnly = true; 4458 } else { // OtherSigned && ConstantSigned 4459 assert(0 && "Two signed types converted to unsigned types."); 4460 } 4461 } 4462 4463 bool PositiveConstant = !ConstantSigned || Value.isNonNegative(); 4464 4465 bool IsTrue = true; 4466 if (op == BO_EQ || op == BO_NE) { 4467 IsTrue = op == BO_NE; 4468 } else if (EqualityOnly) { 4469 return; 4470 } else if (RhsConstant) { 4471 if (op == BO_GT || op == BO_GE) 4472 IsTrue = !PositiveConstant; 4473 else // op == BO_LT || op == BO_LE 4474 IsTrue = PositiveConstant; 4475 } else { 4476 if (op == BO_LT || op == BO_LE) 4477 IsTrue = !PositiveConstant; 4478 else // op == BO_GT || op == BO_GE 4479 IsTrue = PositiveConstant; 4480 } 4481 SmallString<16> PrettySourceValue(Value.toString(10)); 4482 S.Diag(E->getOperatorLoc(), diag::warn_out_of_range_compare) 4483 << PrettySourceValue << OtherT << IsTrue 4484 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 4485} 4486 4487/// Analyze the operands of the given comparison. Implements the 4488/// fallback case from AnalyzeComparison. 4489static void AnalyzeImpConvsInComparison(Sema &S, BinaryOperator *E) { 4490 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc()); 4491 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc()); 4492} 4493 4494/// \brief Implements -Wsign-compare. 4495/// 4496/// \param E the binary operator to check for warnings 4497static void AnalyzeComparison(Sema &S, BinaryOperator *E) { 4498 // The type the comparison is being performed in. 4499 QualType T = E->getLHS()->getType(); 4500 assert(S.Context.hasSameUnqualifiedType(T, E->getRHS()->getType()) 4501 && "comparison with mismatched types"); 4502 if (E->isValueDependent()) 4503 return AnalyzeImpConvsInComparison(S, E); 4504 4505 Expr *LHS = E->getLHS()->IgnoreParenImpCasts(); 4506 Expr *RHS = E->getRHS()->IgnoreParenImpCasts(); 4507 4508 bool IsComparisonConstant = false; 4509 4510 // Check whether an integer constant comparison results in a value 4511 // of 'true' or 'false'. 4512 if (T->isIntegralType(S.Context)) { 4513 llvm::APSInt RHSValue; 4514 bool IsRHSIntegralLiteral = 4515 RHS->isIntegerConstantExpr(RHSValue, S.Context); 4516 llvm::APSInt LHSValue; 4517 bool IsLHSIntegralLiteral = 4518 LHS->isIntegerConstantExpr(LHSValue, S.Context); 4519 if (IsRHSIntegralLiteral && !IsLHSIntegralLiteral) 4520 DiagnoseOutOfRangeComparison(S, E, RHS, LHS, RHSValue, true); 4521 else if (!IsRHSIntegralLiteral && IsLHSIntegralLiteral) 4522 DiagnoseOutOfRangeComparison(S, E, LHS, RHS, LHSValue, false); 4523 else 4524 IsComparisonConstant = 4525 (IsRHSIntegralLiteral && IsLHSIntegralLiteral); 4526 } else if (!T->hasUnsignedIntegerRepresentation()) 4527 IsComparisonConstant = E->isIntegerConstantExpr(S.Context); 4528 4529 // We don't do anything special if this isn't an unsigned integral 4530 // comparison: we're only interested in integral comparisons, and 4531 // signed comparisons only happen in cases we don't care to warn about. 4532 // 4533 // We also don't care about value-dependent expressions or expressions 4534 // whose result is a constant. 4535 if (!T->hasUnsignedIntegerRepresentation() || IsComparisonConstant) 4536 return AnalyzeImpConvsInComparison(S, E); 4537 4538 // Check to see if one of the (unmodified) operands is of different 4539 // signedness. 4540 Expr *signedOperand, *unsignedOperand; 4541 if (LHS->getType()->hasSignedIntegerRepresentation()) { 4542 assert(!RHS->getType()->hasSignedIntegerRepresentation() && 4543 "unsigned comparison between two signed integer expressions?"); 4544 signedOperand = LHS; 4545 unsignedOperand = RHS; 4546 } else if (RHS->getType()->hasSignedIntegerRepresentation()) { 4547 signedOperand = RHS; 4548 unsignedOperand = LHS; 4549 } else { 4550 CheckTrivialUnsignedComparison(S, E); 4551 return AnalyzeImpConvsInComparison(S, E); 4552 } 4553 4554 // Otherwise, calculate the effective range of the signed operand. 4555 IntRange signedRange = GetExprRange(S.Context, signedOperand); 4556 4557 // Go ahead and analyze implicit conversions in the operands. Note 4558 // that we skip the implicit conversions on both sides. 4559 AnalyzeImplicitConversions(S, LHS, E->getOperatorLoc()); 4560 AnalyzeImplicitConversions(S, RHS, E->getOperatorLoc()); 4561 4562 // If the signed range is non-negative, -Wsign-compare won't fire, 4563 // but we should still check for comparisons which are always true 4564 // or false. 4565 if (signedRange.NonNegative) 4566 return CheckTrivialUnsignedComparison(S, E); 4567 4568 // For (in)equality comparisons, if the unsigned operand is a 4569 // constant which cannot collide with a overflowed signed operand, 4570 // then reinterpreting the signed operand as unsigned will not 4571 // change the result of the comparison. 4572 if (E->isEqualityOp()) { 4573 unsigned comparisonWidth = S.Context.getIntWidth(T); 4574 IntRange unsignedRange = GetExprRange(S.Context, unsignedOperand); 4575 4576 // We should never be unable to prove that the unsigned operand is 4577 // non-negative. 4578 assert(unsignedRange.NonNegative && "unsigned range includes negative?"); 4579 4580 if (unsignedRange.Width < comparisonWidth) 4581 return; 4582 } 4583 4584 S.DiagRuntimeBehavior(E->getOperatorLoc(), E, 4585 S.PDiag(diag::warn_mixed_sign_comparison) 4586 << LHS->getType() << RHS->getType() 4587 << LHS->getSourceRange() << RHS->getSourceRange()); 4588} 4589 4590/// Analyzes an attempt to assign the given value to a bitfield. 4591/// 4592/// Returns true if there was something fishy about the attempt. 4593static bool AnalyzeBitFieldAssignment(Sema &S, FieldDecl *Bitfield, Expr *Init, 4594 SourceLocation InitLoc) { 4595 assert(Bitfield->isBitField()); 4596 if (Bitfield->isInvalidDecl()) 4597 return false; 4598 4599 // White-list bool bitfields. 4600 if (Bitfield->getType()->isBooleanType()) 4601 return false; 4602 4603 // Ignore value- or type-dependent expressions. 4604 if (Bitfield->getBitWidth()->isValueDependent() || 4605 Bitfield->getBitWidth()->isTypeDependent() || 4606 Init->isValueDependent() || 4607 Init->isTypeDependent()) 4608 return false; 4609 4610 Expr *OriginalInit = Init->IgnoreParenImpCasts(); 4611 4612 llvm::APSInt Value; 4613 if (!OriginalInit->EvaluateAsInt(Value, S.Context, Expr::SE_AllowSideEffects)) 4614 return false; 4615 4616 unsigned OriginalWidth = Value.getBitWidth(); 4617 unsigned FieldWidth = Bitfield->getBitWidthValue(S.Context); 4618 4619 if (OriginalWidth <= FieldWidth) 4620 return false; 4621 4622 // Compute the value which the bitfield will contain. 4623 llvm::APSInt TruncatedValue = Value.trunc(FieldWidth); 4624 TruncatedValue.setIsSigned(Bitfield->getType()->isSignedIntegerType()); 4625 4626 // Check whether the stored value is equal to the original value. 4627 TruncatedValue = TruncatedValue.extend(OriginalWidth); 4628 if (llvm::APSInt::isSameValue(Value, TruncatedValue)) 4629 return false; 4630 4631 // Special-case bitfields of width 1: booleans are naturally 0/1, and 4632 // therefore don't strictly fit into a signed bitfield of width 1. 4633 if (FieldWidth == 1 && Value == 1) 4634 return false; 4635 4636 std::string PrettyValue = Value.toString(10); 4637 std::string PrettyTrunc = TruncatedValue.toString(10); 4638 4639 S.Diag(InitLoc, diag::warn_impcast_bitfield_precision_constant) 4640 << PrettyValue << PrettyTrunc << OriginalInit->getType() 4641 << Init->getSourceRange(); 4642 4643 return true; 4644} 4645 4646/// Analyze the given simple or compound assignment for warning-worthy 4647/// operations. 4648static void AnalyzeAssignment(Sema &S, BinaryOperator *E) { 4649 // Just recurse on the LHS. 4650 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc()); 4651 4652 // We want to recurse on the RHS as normal unless we're assigning to 4653 // a bitfield. 4654 if (FieldDecl *Bitfield = E->getLHS()->getBitField()) { 4655 if (AnalyzeBitFieldAssignment(S, Bitfield, E->getRHS(), 4656 E->getOperatorLoc())) { 4657 // Recurse, ignoring any implicit conversions on the RHS. 4658 return AnalyzeImplicitConversions(S, E->getRHS()->IgnoreParenImpCasts(), 4659 E->getOperatorLoc()); 4660 } 4661 } 4662 4663 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc()); 4664} 4665 4666/// Diagnose an implicit cast; purely a helper for CheckImplicitConversion. 4667static void DiagnoseImpCast(Sema &S, Expr *E, QualType SourceType, QualType T, 4668 SourceLocation CContext, unsigned diag, 4669 bool pruneControlFlow = false) { 4670 if (pruneControlFlow) { 4671 S.DiagRuntimeBehavior(E->getExprLoc(), E, 4672 S.PDiag(diag) 4673 << SourceType << T << E->getSourceRange() 4674 << SourceRange(CContext)); 4675 return; 4676 } 4677 S.Diag(E->getExprLoc(), diag) 4678 << SourceType << T << E->getSourceRange() << SourceRange(CContext); 4679} 4680 4681/// Diagnose an implicit cast; purely a helper for CheckImplicitConversion. 4682static void DiagnoseImpCast(Sema &S, Expr *E, QualType T, 4683 SourceLocation CContext, unsigned diag, 4684 bool pruneControlFlow = false) { 4685 DiagnoseImpCast(S, E, E->getType(), T, CContext, diag, pruneControlFlow); 4686} 4687 4688/// Diagnose an implicit cast from a literal expression. Does not warn when the 4689/// cast wouldn't lose information. 4690void DiagnoseFloatingLiteralImpCast(Sema &S, FloatingLiteral *FL, QualType T, 4691 SourceLocation CContext) { 4692 // Try to convert the literal exactly to an integer. If we can, don't warn. 4693 bool isExact = false; 4694 const llvm::APFloat &Value = FL->getValue(); 4695 llvm::APSInt IntegerValue(S.Context.getIntWidth(T), 4696 T->hasUnsignedIntegerRepresentation()); 4697 if (Value.convertToInteger(IntegerValue, 4698 llvm::APFloat::rmTowardZero, &isExact) 4699 == llvm::APFloat::opOK && isExact) 4700 return; 4701 4702 SmallString<16> PrettySourceValue; 4703 Value.toString(PrettySourceValue); 4704 SmallString<16> PrettyTargetValue; 4705 if (T->isSpecificBuiltinType(BuiltinType::Bool)) 4706 PrettyTargetValue = IntegerValue == 0 ? "false" : "true"; 4707 else 4708 IntegerValue.toString(PrettyTargetValue); 4709 4710 S.Diag(FL->getExprLoc(), diag::warn_impcast_literal_float_to_integer) 4711 << FL->getType() << T.getUnqualifiedType() << PrettySourceValue 4712 << PrettyTargetValue << FL->getSourceRange() << SourceRange(CContext); 4713} 4714 4715std::string PrettyPrintInRange(const llvm::APSInt &Value, IntRange Range) { 4716 if (!Range.Width) return "0"; 4717 4718 llvm::APSInt ValueInRange = Value; 4719 ValueInRange.setIsSigned(!Range.NonNegative); 4720 ValueInRange = ValueInRange.trunc(Range.Width); 4721 return ValueInRange.toString(10); 4722} 4723 4724static bool IsImplicitBoolFloatConversion(Sema &S, Expr *Ex, bool ToBool) { 4725 if (!isa<ImplicitCastExpr>(Ex)) 4726 return false; 4727 4728 Expr *InnerE = Ex->IgnoreParenImpCasts(); 4729 const Type *Target = S.Context.getCanonicalType(Ex->getType()).getTypePtr(); 4730 const Type *Source = 4731 S.Context.getCanonicalType(InnerE->getType()).getTypePtr(); 4732 if (Target->isDependentType()) 4733 return false; 4734 4735 const BuiltinType *FloatCandidateBT = 4736 dyn_cast<BuiltinType>(ToBool ? Source : Target); 4737 const Type *BoolCandidateType = ToBool ? Target : Source; 4738 4739 return (BoolCandidateType->isSpecificBuiltinType(BuiltinType::Bool) && 4740 FloatCandidateBT && (FloatCandidateBT->isFloatingPoint())); 4741} 4742 4743void CheckImplicitArgumentConversions(Sema &S, CallExpr *TheCall, 4744 SourceLocation CC) { 4745 unsigned NumArgs = TheCall->getNumArgs(); 4746 for (unsigned i = 0; i < NumArgs; ++i) { 4747 Expr *CurrA = TheCall->getArg(i); 4748 if (!IsImplicitBoolFloatConversion(S, CurrA, true)) 4749 continue; 4750 4751 bool IsSwapped = ((i > 0) && 4752 IsImplicitBoolFloatConversion(S, TheCall->getArg(i - 1), false)); 4753 IsSwapped |= ((i < (NumArgs - 1)) && 4754 IsImplicitBoolFloatConversion(S, TheCall->getArg(i + 1), false)); 4755 if (IsSwapped) { 4756 // Warn on this floating-point to bool conversion. 4757 DiagnoseImpCast(S, CurrA->IgnoreParenImpCasts(), 4758 CurrA->getType(), CC, 4759 diag::warn_impcast_floating_point_to_bool); 4760 } 4761 } 4762} 4763 4764void CheckImplicitConversion(Sema &S, Expr *E, QualType T, 4765 SourceLocation CC, bool *ICContext = 0) { 4766 if (E->isTypeDependent() || E->isValueDependent()) return; 4767 4768 const Type *Source = S.Context.getCanonicalType(E->getType()).getTypePtr(); 4769 const Type *Target = S.Context.getCanonicalType(T).getTypePtr(); 4770 if (Source == Target) return; 4771 if (Target->isDependentType()) return; 4772 4773 // If the conversion context location is invalid don't complain. We also 4774 // don't want to emit a warning if the issue occurs from the expansion of 4775 // a system macro. The problem is that 'getSpellingLoc()' is slow, so we 4776 // delay this check as long as possible. Once we detect we are in that 4777 // scenario, we just return. 4778 if (CC.isInvalid()) 4779 return; 4780 4781 // Diagnose implicit casts to bool. 4782 if (Target->isSpecificBuiltinType(BuiltinType::Bool)) { 4783 if (isa<StringLiteral>(E)) 4784 // Warn on string literal to bool. Checks for string literals in logical 4785 // expressions, for instances, assert(0 && "error here"), is prevented 4786 // by a check in AnalyzeImplicitConversions(). 4787 return DiagnoseImpCast(S, E, T, CC, 4788 diag::warn_impcast_string_literal_to_bool); 4789 if (Source->isFunctionType()) { 4790 // Warn on function to bool. Checks free functions and static member 4791 // functions. Weakly imported functions are excluded from the check, 4792 // since it's common to test their value to check whether the linker 4793 // found a definition for them. 4794 ValueDecl *D = 0; 4795 if (DeclRefExpr* R = dyn_cast<DeclRefExpr>(E)) { 4796 D = R->getDecl(); 4797 } else if (MemberExpr *M = dyn_cast<MemberExpr>(E)) { 4798 D = M->getMemberDecl(); 4799 } 4800 4801 if (D && !D->isWeak()) { 4802 if (FunctionDecl* F = dyn_cast<FunctionDecl>(D)) { 4803 S.Diag(E->getExprLoc(), diag::warn_impcast_function_to_bool) 4804 << F << E->getSourceRange() << SourceRange(CC); 4805 S.Diag(E->getExprLoc(), diag::note_function_to_bool_silence) 4806 << FixItHint::CreateInsertion(E->getExprLoc(), "&"); 4807 QualType ReturnType; 4808 UnresolvedSet<4> NonTemplateOverloads; 4809 S.isExprCallable(*E, ReturnType, NonTemplateOverloads); 4810 if (!ReturnType.isNull() 4811 && ReturnType->isSpecificBuiltinType(BuiltinType::Bool)) 4812 S.Diag(E->getExprLoc(), diag::note_function_to_bool_call) 4813 << FixItHint::CreateInsertion( 4814 S.getPreprocessor().getLocForEndOfToken(E->getLocEnd()), "()"); 4815 return; 4816 } 4817 } 4818 } 4819 } 4820 4821 // Strip vector types. 4822 if (isa<VectorType>(Source)) { 4823 if (!isa<VectorType>(Target)) { 4824 if (S.SourceMgr.isInSystemMacro(CC)) 4825 return; 4826 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_vector_scalar); 4827 } 4828 4829 // If the vector cast is cast between two vectors of the same size, it is 4830 // a bitcast, not a conversion. 4831 if (S.Context.getTypeSize(Source) == S.Context.getTypeSize(Target)) 4832 return; 4833 4834 Source = cast<VectorType>(Source)->getElementType().getTypePtr(); 4835 Target = cast<VectorType>(Target)->getElementType().getTypePtr(); 4836 } 4837 4838 // Strip complex types. 4839 if (isa<ComplexType>(Source)) { 4840 if (!isa<ComplexType>(Target)) { 4841 if (S.SourceMgr.isInSystemMacro(CC)) 4842 return; 4843 4844 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_complex_scalar); 4845 } 4846 4847 Source = cast<ComplexType>(Source)->getElementType().getTypePtr(); 4848 Target = cast<ComplexType>(Target)->getElementType().getTypePtr(); 4849 } 4850 4851 const BuiltinType *SourceBT = dyn_cast<BuiltinType>(Source); 4852 const BuiltinType *TargetBT = dyn_cast<BuiltinType>(Target); 4853 4854 // If the source is floating point... 4855 if (SourceBT && SourceBT->isFloatingPoint()) { 4856 // ...and the target is floating point... 4857 if (TargetBT && TargetBT->isFloatingPoint()) { 4858 // ...then warn if we're dropping FP rank. 4859 4860 // Builtin FP kinds are ordered by increasing FP rank. 4861 if (SourceBT->getKind() > TargetBT->getKind()) { 4862 // Don't warn about float constants that are precisely 4863 // representable in the target type. 4864 Expr::EvalResult result; 4865 if (E->EvaluateAsRValue(result, S.Context)) { 4866 // Value might be a float, a float vector, or a float complex. 4867 if (IsSameFloatAfterCast(result.Val, 4868 S.Context.getFloatTypeSemantics(QualType(TargetBT, 0)), 4869 S.Context.getFloatTypeSemantics(QualType(SourceBT, 0)))) 4870 return; 4871 } 4872 4873 if (S.SourceMgr.isInSystemMacro(CC)) 4874 return; 4875 4876 DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_precision); 4877 } 4878 return; 4879 } 4880 4881 // If the target is integral, always warn. 4882 if (TargetBT && TargetBT->isInteger()) { 4883 if (S.SourceMgr.isInSystemMacro(CC)) 4884 return; 4885 4886 Expr *InnerE = E->IgnoreParenImpCasts(); 4887 // We also want to warn on, e.g., "int i = -1.234" 4888 if (UnaryOperator *UOp = dyn_cast<UnaryOperator>(InnerE)) 4889 if (UOp->getOpcode() == UO_Minus || UOp->getOpcode() == UO_Plus) 4890 InnerE = UOp->getSubExpr()->IgnoreParenImpCasts(); 4891 4892 if (FloatingLiteral *FL = dyn_cast<FloatingLiteral>(InnerE)) { 4893 DiagnoseFloatingLiteralImpCast(S, FL, T, CC); 4894 } else { 4895 DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_integer); 4896 } 4897 } 4898 4899 // If the target is bool, warn if expr is a function or method call. 4900 if (Target->isSpecificBuiltinType(BuiltinType::Bool) && 4901 isa<CallExpr>(E)) { 4902 // Check last argument of function call to see if it is an 4903 // implicit cast from a type matching the type the result 4904 // is being cast to. 4905 CallExpr *CEx = cast<CallExpr>(E); 4906 unsigned NumArgs = CEx->getNumArgs(); 4907 if (NumArgs > 0) { 4908 Expr *LastA = CEx->getArg(NumArgs - 1); 4909 Expr *InnerE = LastA->IgnoreParenImpCasts(); 4910 const Type *InnerType = 4911 S.Context.getCanonicalType(InnerE->getType()).getTypePtr(); 4912 if (isa<ImplicitCastExpr>(LastA) && (InnerType == Target)) { 4913 // Warn on this floating-point to bool conversion 4914 DiagnoseImpCast(S, E, T, CC, 4915 diag::warn_impcast_floating_point_to_bool); 4916 } 4917 } 4918 } 4919 return; 4920 } 4921 4922 if ((E->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNotNull) 4923 == Expr::NPCK_GNUNull) && !Target->isAnyPointerType() 4924 && !Target->isBlockPointerType() && !Target->isMemberPointerType() 4925 && Target->isScalarType()) { 4926 SourceLocation Loc = E->getSourceRange().getBegin(); 4927 if (Loc.isMacroID()) 4928 Loc = S.SourceMgr.getImmediateExpansionRange(Loc).first; 4929 if (!Loc.isMacroID() || CC.isMacroID()) 4930 S.Diag(Loc, diag::warn_impcast_null_pointer_to_integer) 4931 << T << clang::SourceRange(CC) 4932 << FixItHint::CreateReplacement(Loc, S.getFixItZeroLiteralForType(T)); 4933 } 4934 4935 if (!Source->isIntegerType() || !Target->isIntegerType()) 4936 return; 4937 4938 // TODO: remove this early return once the false positives for constant->bool 4939 // in templates, macros, etc, are reduced or removed. 4940 if (Target->isSpecificBuiltinType(BuiltinType::Bool)) 4941 return; 4942 4943 IntRange SourceRange = GetExprRange(S.Context, E); 4944 IntRange TargetRange = IntRange::forTargetOfCanonicalType(S.Context, Target); 4945 4946 if (SourceRange.Width > TargetRange.Width) { 4947 // If the source is a constant, use a default-on diagnostic. 4948 // TODO: this should happen for bitfield stores, too. 4949 llvm::APSInt Value(32); 4950 if (E->isIntegerConstantExpr(Value, S.Context)) { 4951 if (S.SourceMgr.isInSystemMacro(CC)) 4952 return; 4953 4954 std::string PrettySourceValue = Value.toString(10); 4955 std::string PrettyTargetValue = PrettyPrintInRange(Value, TargetRange); 4956 4957 S.DiagRuntimeBehavior(E->getExprLoc(), E, 4958 S.PDiag(diag::warn_impcast_integer_precision_constant) 4959 << PrettySourceValue << PrettyTargetValue 4960 << E->getType() << T << E->getSourceRange() 4961 << clang::SourceRange(CC)); 4962 return; 4963 } 4964 4965 // People want to build with -Wshorten-64-to-32 and not -Wconversion. 4966 if (S.SourceMgr.isInSystemMacro(CC)) 4967 return; 4968 4969 if (TargetRange.Width == 32 && S.Context.getIntWidth(E->getType()) == 64) 4970 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_64_32, 4971 /* pruneControlFlow */ true); 4972 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_precision); 4973 } 4974 4975 if ((TargetRange.NonNegative && !SourceRange.NonNegative) || 4976 (!TargetRange.NonNegative && SourceRange.NonNegative && 4977 SourceRange.Width == TargetRange.Width)) { 4978 4979 if (S.SourceMgr.isInSystemMacro(CC)) 4980 return; 4981 4982 unsigned DiagID = diag::warn_impcast_integer_sign; 4983 4984 // Traditionally, gcc has warned about this under -Wsign-compare. 4985 // We also want to warn about it in -Wconversion. 4986 // So if -Wconversion is off, use a completely identical diagnostic 4987 // in the sign-compare group. 4988 // The conditional-checking code will 4989 if (ICContext) { 4990 DiagID = diag::warn_impcast_integer_sign_conditional; 4991 *ICContext = true; 4992 } 4993 4994 return DiagnoseImpCast(S, E, T, CC, DiagID); 4995 } 4996 4997 // Diagnose conversions between different enumeration types. 4998 // In C, we pretend that the type of an EnumConstantDecl is its enumeration 4999 // type, to give us better diagnostics. 5000 QualType SourceType = E->getType(); 5001 if (!S.getLangOpts().CPlusPlus) { 5002 if (DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) 5003 if (EnumConstantDecl *ECD = dyn_cast<EnumConstantDecl>(DRE->getDecl())) { 5004 EnumDecl *Enum = cast<EnumDecl>(ECD->getDeclContext()); 5005 SourceType = S.Context.getTypeDeclType(Enum); 5006 Source = S.Context.getCanonicalType(SourceType).getTypePtr(); 5007 } 5008 } 5009 5010 if (const EnumType *SourceEnum = Source->getAs<EnumType>()) 5011 if (const EnumType *TargetEnum = Target->getAs<EnumType>()) 5012 if ((SourceEnum->getDecl()->getIdentifier() || 5013 SourceEnum->getDecl()->getTypedefNameForAnonDecl()) && 5014 (TargetEnum->getDecl()->getIdentifier() || 5015 TargetEnum->getDecl()->getTypedefNameForAnonDecl()) && 5016 SourceEnum != TargetEnum) { 5017 if (S.SourceMgr.isInSystemMacro(CC)) 5018 return; 5019 5020 return DiagnoseImpCast(S, E, SourceType, T, CC, 5021 diag::warn_impcast_different_enum_types); 5022 } 5023 5024 return; 5025} 5026 5027void CheckConditionalOperator(Sema &S, ConditionalOperator *E, 5028 SourceLocation CC, QualType T); 5029 5030void CheckConditionalOperand(Sema &S, Expr *E, QualType T, 5031 SourceLocation CC, bool &ICContext) { 5032 E = E->IgnoreParenImpCasts(); 5033 5034 if (isa<ConditionalOperator>(E)) 5035 return CheckConditionalOperator(S, cast<ConditionalOperator>(E), CC, T); 5036 5037 AnalyzeImplicitConversions(S, E, CC); 5038 if (E->getType() != T) 5039 return CheckImplicitConversion(S, E, T, CC, &ICContext); 5040 return; 5041} 5042 5043void CheckConditionalOperator(Sema &S, ConditionalOperator *E, 5044 SourceLocation CC, QualType T) { 5045 AnalyzeImplicitConversions(S, E->getCond(), CC); 5046 5047 bool Suspicious = false; 5048 CheckConditionalOperand(S, E->getTrueExpr(), T, CC, Suspicious); 5049 CheckConditionalOperand(S, E->getFalseExpr(), T, CC, Suspicious); 5050 5051 // If -Wconversion would have warned about either of the candidates 5052 // for a signedness conversion to the context type... 5053 if (!Suspicious) return; 5054 5055 // ...but it's currently ignored... 5056 if (S.Diags.getDiagnosticLevel(diag::warn_impcast_integer_sign_conditional, 5057 CC)) 5058 return; 5059 5060 // ...then check whether it would have warned about either of the 5061 // candidates for a signedness conversion to the condition type. 5062 if (E->getType() == T) return; 5063 5064 Suspicious = false; 5065 CheckImplicitConversion(S, E->getTrueExpr()->IgnoreParenImpCasts(), 5066 E->getType(), CC, &Suspicious); 5067 if (!Suspicious) 5068 CheckImplicitConversion(S, E->getFalseExpr()->IgnoreParenImpCasts(), 5069 E->getType(), CC, &Suspicious); 5070} 5071 5072/// AnalyzeImplicitConversions - Find and report any interesting 5073/// implicit conversions in the given expression. There are a couple 5074/// of competing diagnostics here, -Wconversion and -Wsign-compare. 5075void AnalyzeImplicitConversions(Sema &S, Expr *OrigE, SourceLocation CC) { 5076 QualType T = OrigE->getType(); 5077 Expr *E = OrigE->IgnoreParenImpCasts(); 5078 5079 if (E->isTypeDependent() || E->isValueDependent()) 5080 return; 5081 5082 // For conditional operators, we analyze the arguments as if they 5083 // were being fed directly into the output. 5084 if (isa<ConditionalOperator>(E)) { 5085 ConditionalOperator *CO = cast<ConditionalOperator>(E); 5086 CheckConditionalOperator(S, CO, CC, T); 5087 return; 5088 } 5089 5090 // Check implicit argument conversions for function calls. 5091 if (CallExpr *Call = dyn_cast<CallExpr>(E)) 5092 CheckImplicitArgumentConversions(S, Call, CC); 5093 5094 // Go ahead and check any implicit conversions we might have skipped. 5095 // The non-canonical typecheck is just an optimization; 5096 // CheckImplicitConversion will filter out dead implicit conversions. 5097 if (E->getType() != T) 5098 CheckImplicitConversion(S, E, T, CC); 5099 5100 // Now continue drilling into this expression. 5101 5102 // Skip past explicit casts. 5103 if (isa<ExplicitCastExpr>(E)) { 5104 E = cast<ExplicitCastExpr>(E)->getSubExpr()->IgnoreParenImpCasts(); 5105 return AnalyzeImplicitConversions(S, E, CC); 5106 } 5107 5108 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 5109 // Do a somewhat different check with comparison operators. 5110 if (BO->isComparisonOp()) 5111 return AnalyzeComparison(S, BO); 5112 5113 // And with simple assignments. 5114 if (BO->getOpcode() == BO_Assign) 5115 return AnalyzeAssignment(S, BO); 5116 } 5117 5118 // These break the otherwise-useful invariant below. Fortunately, 5119 // we don't really need to recurse into them, because any internal 5120 // expressions should have been analyzed already when they were 5121 // built into statements. 5122 if (isa<StmtExpr>(E)) return; 5123 5124 // Don't descend into unevaluated contexts. 5125 if (isa<UnaryExprOrTypeTraitExpr>(E)) return; 5126 5127 // Now just recurse over the expression's children. 5128 CC = E->getExprLoc(); 5129 BinaryOperator *BO = dyn_cast<BinaryOperator>(E); 5130 bool IsLogicalOperator = BO && BO->isLogicalOp(); 5131 for (Stmt::child_range I = E->children(); I; ++I) { 5132 Expr *ChildExpr = dyn_cast_or_null<Expr>(*I); 5133 if (!ChildExpr) 5134 continue; 5135 5136 if (IsLogicalOperator && 5137 isa<StringLiteral>(ChildExpr->IgnoreParenImpCasts())) 5138 // Ignore checking string literals that are in logical operators. 5139 continue; 5140 AnalyzeImplicitConversions(S, ChildExpr, CC); 5141 } 5142} 5143 5144} // end anonymous namespace 5145 5146/// Diagnoses "dangerous" implicit conversions within the given 5147/// expression (which is a full expression). Implements -Wconversion 5148/// and -Wsign-compare. 5149/// 5150/// \param CC the "context" location of the implicit conversion, i.e. 5151/// the most location of the syntactic entity requiring the implicit 5152/// conversion 5153void Sema::CheckImplicitConversions(Expr *E, SourceLocation CC) { 5154 // Don't diagnose in unevaluated contexts. 5155 if (isUnevaluatedContext()) 5156 return; 5157 5158 // Don't diagnose for value- or type-dependent expressions. 5159 if (E->isTypeDependent() || E->isValueDependent()) 5160 return; 5161 5162 // Check for array bounds violations in cases where the check isn't triggered 5163 // elsewhere for other Expr types (like BinaryOperators), e.g. when an 5164 // ArraySubscriptExpr is on the RHS of a variable initialization. 5165 CheckArrayAccess(E); 5166 5167 // This is not the right CC for (e.g.) a variable initialization. 5168 AnalyzeImplicitConversions(*this, E, CC); 5169} 5170 5171void Sema::CheckBitFieldInitialization(SourceLocation InitLoc, 5172 FieldDecl *BitField, 5173 Expr *Init) { 5174 (void) AnalyzeBitFieldAssignment(*this, BitField, Init, InitLoc); 5175} 5176 5177/// CheckParmsForFunctionDef - Check that the parameters of the given 5178/// function are appropriate for the definition of a function. This 5179/// takes care of any checks that cannot be performed on the 5180/// declaration itself, e.g., that the types of each of the function 5181/// parameters are complete. 5182bool Sema::CheckParmsForFunctionDef(ParmVarDecl **P, ParmVarDecl **PEnd, 5183 bool CheckParameterNames) { 5184 bool HasInvalidParm = false; 5185 for (; P != PEnd; ++P) { 5186 ParmVarDecl *Param = *P; 5187 5188 // C99 6.7.5.3p4: the parameters in a parameter type list in a 5189 // function declarator that is part of a function definition of 5190 // that function shall not have incomplete type. 5191 // 5192 // This is also C++ [dcl.fct]p6. 5193 if (!Param->isInvalidDecl() && 5194 RequireCompleteType(Param->getLocation(), Param->getType(), 5195 diag::err_typecheck_decl_incomplete_type)) { 5196 Param->setInvalidDecl(); 5197 HasInvalidParm = true; 5198 } 5199 5200 // C99 6.9.1p5: If the declarator includes a parameter type list, the 5201 // declaration of each parameter shall include an identifier. 5202 if (CheckParameterNames && 5203 Param->getIdentifier() == 0 && 5204 !Param->isImplicit() && 5205 !getLangOpts().CPlusPlus) 5206 Diag(Param->getLocation(), diag::err_parameter_name_omitted); 5207 5208 // C99 6.7.5.3p12: 5209 // If the function declarator is not part of a definition of that 5210 // function, parameters may have incomplete type and may use the [*] 5211 // notation in their sequences of declarator specifiers to specify 5212 // variable length array types. 5213 QualType PType = Param->getOriginalType(); 5214 if (const ArrayType *AT = Context.getAsArrayType(PType)) { 5215 if (AT->getSizeModifier() == ArrayType::Star) { 5216 // FIXME: This diagnosic should point the '[*]' if source-location 5217 // information is added for it. 5218 Diag(Param->getLocation(), diag::err_array_star_in_function_definition); 5219 } 5220 } 5221 } 5222 5223 return HasInvalidParm; 5224} 5225 5226/// CheckCastAlign - Implements -Wcast-align, which warns when a 5227/// pointer cast increases the alignment requirements. 5228void Sema::CheckCastAlign(Expr *Op, QualType T, SourceRange TRange) { 5229 // This is actually a lot of work to potentially be doing on every 5230 // cast; don't do it if we're ignoring -Wcast_align (as is the default). 5231 if (getDiagnostics().getDiagnosticLevel(diag::warn_cast_align, 5232 TRange.getBegin()) 5233 == DiagnosticsEngine::Ignored) 5234 return; 5235 5236 // Ignore dependent types. 5237 if (T->isDependentType() || Op->getType()->isDependentType()) 5238 return; 5239 5240 // Require that the destination be a pointer type. 5241 const PointerType *DestPtr = T->getAs<PointerType>(); 5242 if (!DestPtr) return; 5243 5244 // If the destination has alignment 1, we're done. 5245 QualType DestPointee = DestPtr->getPointeeType(); 5246 if (DestPointee->isIncompleteType()) return; 5247 CharUnits DestAlign = Context.getTypeAlignInChars(DestPointee); 5248 if (DestAlign.isOne()) return; 5249 5250 // Require that the source be a pointer type. 5251 const PointerType *SrcPtr = Op->getType()->getAs<PointerType>(); 5252 if (!SrcPtr) return; 5253 QualType SrcPointee = SrcPtr->getPointeeType(); 5254 5255 // Whitelist casts from cv void*. We already implicitly 5256 // whitelisted casts to cv void*, since they have alignment 1. 5257 // Also whitelist casts involving incomplete types, which implicitly 5258 // includes 'void'. 5259 if (SrcPointee->isIncompleteType()) return; 5260 5261 CharUnits SrcAlign = Context.getTypeAlignInChars(SrcPointee); 5262 if (SrcAlign >= DestAlign) return; 5263 5264 Diag(TRange.getBegin(), diag::warn_cast_align) 5265 << Op->getType() << T 5266 << static_cast<unsigned>(SrcAlign.getQuantity()) 5267 << static_cast<unsigned>(DestAlign.getQuantity()) 5268 << TRange << Op->getSourceRange(); 5269} 5270 5271static const Type* getElementType(const Expr *BaseExpr) { 5272 const Type* EltType = BaseExpr->getType().getTypePtr(); 5273 if (EltType->isAnyPointerType()) 5274 return EltType->getPointeeType().getTypePtr(); 5275 else if (EltType->isArrayType()) 5276 return EltType->getBaseElementTypeUnsafe(); 5277 return EltType; 5278} 5279 5280/// \brief Check whether this array fits the idiom of a size-one tail padded 5281/// array member of a struct. 5282/// 5283/// We avoid emitting out-of-bounds access warnings for such arrays as they are 5284/// commonly used to emulate flexible arrays in C89 code. 5285static bool IsTailPaddedMemberArray(Sema &S, llvm::APInt Size, 5286 const NamedDecl *ND) { 5287 if (Size != 1 || !ND) return false; 5288 5289 const FieldDecl *FD = dyn_cast<FieldDecl>(ND); 5290 if (!FD) return false; 5291 5292 // Don't consider sizes resulting from macro expansions or template argument 5293 // substitution to form C89 tail-padded arrays. 5294 5295 TypeSourceInfo *TInfo = FD->getTypeSourceInfo(); 5296 while (TInfo) { 5297 TypeLoc TL = TInfo->getTypeLoc(); 5298 // Look through typedefs. 5299 const TypedefTypeLoc *TTL = dyn_cast<TypedefTypeLoc>(&TL); 5300 if (TTL) { 5301 const TypedefNameDecl *TDL = TTL->getTypedefNameDecl(); 5302 TInfo = TDL->getTypeSourceInfo(); 5303 continue; 5304 } 5305 ConstantArrayTypeLoc CTL = cast<ConstantArrayTypeLoc>(TL); 5306 const Expr *SizeExpr = dyn_cast<IntegerLiteral>(CTL.getSizeExpr()); 5307 if (!SizeExpr || SizeExpr->getExprLoc().isMacroID()) 5308 return false; 5309 break; 5310 } 5311 5312 const RecordDecl *RD = dyn_cast<RecordDecl>(FD->getDeclContext()); 5313 if (!RD) return false; 5314 if (RD->isUnion()) return false; 5315 if (const CXXRecordDecl *CRD = dyn_cast<CXXRecordDecl>(RD)) { 5316 if (!CRD->isStandardLayout()) return false; 5317 } 5318 5319 // See if this is the last field decl in the record. 5320 const Decl *D = FD; 5321 while ((D = D->getNextDeclInContext())) 5322 if (isa<FieldDecl>(D)) 5323 return false; 5324 return true; 5325} 5326 5327void Sema::CheckArrayAccess(const Expr *BaseExpr, const Expr *IndexExpr, 5328 const ArraySubscriptExpr *ASE, 5329 bool AllowOnePastEnd, bool IndexNegated) { 5330 IndexExpr = IndexExpr->IgnoreParenImpCasts(); 5331 if (IndexExpr->isValueDependent()) 5332 return; 5333 5334 const Type *EffectiveType = getElementType(BaseExpr); 5335 BaseExpr = BaseExpr->IgnoreParenCasts(); 5336 const ConstantArrayType *ArrayTy = 5337 Context.getAsConstantArrayType(BaseExpr->getType()); 5338 if (!ArrayTy) 5339 return; 5340 5341 llvm::APSInt index; 5342 if (!IndexExpr->EvaluateAsInt(index, Context)) 5343 return; 5344 if (IndexNegated) 5345 index = -index; 5346 5347 const NamedDecl *ND = NULL; 5348 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr)) 5349 ND = dyn_cast<NamedDecl>(DRE->getDecl()); 5350 if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr)) 5351 ND = dyn_cast<NamedDecl>(ME->getMemberDecl()); 5352 5353 if (index.isUnsigned() || !index.isNegative()) { 5354 llvm::APInt size = ArrayTy->getSize(); 5355 if (!size.isStrictlyPositive()) 5356 return; 5357 5358 const Type* BaseType = getElementType(BaseExpr); 5359 if (BaseType != EffectiveType) { 5360 // Make sure we're comparing apples to apples when comparing index to size 5361 uint64_t ptrarith_typesize = Context.getTypeSize(EffectiveType); 5362 uint64_t array_typesize = Context.getTypeSize(BaseType); 5363 // Handle ptrarith_typesize being zero, such as when casting to void* 5364 if (!ptrarith_typesize) ptrarith_typesize = 1; 5365 if (ptrarith_typesize != array_typesize) { 5366 // There's a cast to a different size type involved 5367 uint64_t ratio = array_typesize / ptrarith_typesize; 5368 // TODO: Be smarter about handling cases where array_typesize is not a 5369 // multiple of ptrarith_typesize 5370 if (ptrarith_typesize * ratio == array_typesize) 5371 size *= llvm::APInt(size.getBitWidth(), ratio); 5372 } 5373 } 5374 5375 if (size.getBitWidth() > index.getBitWidth()) 5376 index = index.zext(size.getBitWidth()); 5377 else if (size.getBitWidth() < index.getBitWidth()) 5378 size = size.zext(index.getBitWidth()); 5379 5380 // For array subscripting the index must be less than size, but for pointer 5381 // arithmetic also allow the index (offset) to be equal to size since 5382 // computing the next address after the end of the array is legal and 5383 // commonly done e.g. in C++ iterators and range-based for loops. 5384 if (AllowOnePastEnd ? index.ule(size) : index.ult(size)) 5385 return; 5386 5387 // Also don't warn for arrays of size 1 which are members of some 5388 // structure. These are often used to approximate flexible arrays in C89 5389 // code. 5390 if (IsTailPaddedMemberArray(*this, size, ND)) 5391 return; 5392 5393 // Suppress the warning if the subscript expression (as identified by the 5394 // ']' location) and the index expression are both from macro expansions 5395 // within a system header. 5396 if (ASE) { 5397 SourceLocation RBracketLoc = SourceMgr.getSpellingLoc( 5398 ASE->getRBracketLoc()); 5399 if (SourceMgr.isInSystemHeader(RBracketLoc)) { 5400 SourceLocation IndexLoc = SourceMgr.getSpellingLoc( 5401 IndexExpr->getLocStart()); 5402 if (SourceMgr.isFromSameFile(RBracketLoc, IndexLoc)) 5403 return; 5404 } 5405 } 5406 5407 unsigned DiagID = diag::warn_ptr_arith_exceeds_bounds; 5408 if (ASE) 5409 DiagID = diag::warn_array_index_exceeds_bounds; 5410 5411 DiagRuntimeBehavior(BaseExpr->getLocStart(), BaseExpr, 5412 PDiag(DiagID) << index.toString(10, true) 5413 << size.toString(10, true) 5414 << (unsigned)size.getLimitedValue(~0U) 5415 << IndexExpr->getSourceRange()); 5416 } else { 5417 unsigned DiagID = diag::warn_array_index_precedes_bounds; 5418 if (!ASE) { 5419 DiagID = diag::warn_ptr_arith_precedes_bounds; 5420 if (index.isNegative()) index = -index; 5421 } 5422 5423 DiagRuntimeBehavior(BaseExpr->getLocStart(), BaseExpr, 5424 PDiag(DiagID) << index.toString(10, true) 5425 << IndexExpr->getSourceRange()); 5426 } 5427 5428 if (!ND) { 5429 // Try harder to find a NamedDecl to point at in the note. 5430 while (const ArraySubscriptExpr *ASE = 5431 dyn_cast<ArraySubscriptExpr>(BaseExpr)) 5432 BaseExpr = ASE->getBase()->IgnoreParenCasts(); 5433 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr)) 5434 ND = dyn_cast<NamedDecl>(DRE->getDecl()); 5435 if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr)) 5436 ND = dyn_cast<NamedDecl>(ME->getMemberDecl()); 5437 } 5438 5439 if (ND) 5440 DiagRuntimeBehavior(ND->getLocStart(), BaseExpr, 5441 PDiag(diag::note_array_index_out_of_bounds) 5442 << ND->getDeclName()); 5443} 5444 5445void Sema::CheckArrayAccess(const Expr *expr) { 5446 int AllowOnePastEnd = 0; 5447 while (expr) { 5448 expr = expr->IgnoreParenImpCasts(); 5449 switch (expr->getStmtClass()) { 5450 case Stmt::ArraySubscriptExprClass: { 5451 const ArraySubscriptExpr *ASE = cast<ArraySubscriptExpr>(expr); 5452 CheckArrayAccess(ASE->getBase(), ASE->getIdx(), ASE, 5453 AllowOnePastEnd > 0); 5454 return; 5455 } 5456 case Stmt::UnaryOperatorClass: { 5457 // Only unwrap the * and & unary operators 5458 const UnaryOperator *UO = cast<UnaryOperator>(expr); 5459 expr = UO->getSubExpr(); 5460 switch (UO->getOpcode()) { 5461 case UO_AddrOf: 5462 AllowOnePastEnd++; 5463 break; 5464 case UO_Deref: 5465 AllowOnePastEnd--; 5466 break; 5467 default: 5468 return; 5469 } 5470 break; 5471 } 5472 case Stmt::ConditionalOperatorClass: { 5473 const ConditionalOperator *cond = cast<ConditionalOperator>(expr); 5474 if (const Expr *lhs = cond->getLHS()) 5475 CheckArrayAccess(lhs); 5476 if (const Expr *rhs = cond->getRHS()) 5477 CheckArrayAccess(rhs); 5478 return; 5479 } 5480 default: 5481 return; 5482 } 5483 } 5484} 5485 5486//===--- CHECK: Objective-C retain cycles ----------------------------------// 5487 5488namespace { 5489 struct RetainCycleOwner { 5490 RetainCycleOwner() : Variable(0), Indirect(false) {} 5491 VarDecl *Variable; 5492 SourceRange Range; 5493 SourceLocation Loc; 5494 bool Indirect; 5495 5496 void setLocsFrom(Expr *e) { 5497 Loc = e->getExprLoc(); 5498 Range = e->getSourceRange(); 5499 } 5500 }; 5501} 5502 5503/// Consider whether capturing the given variable can possibly lead to 5504/// a retain cycle. 5505static bool considerVariable(VarDecl *var, Expr *ref, RetainCycleOwner &owner) { 5506 // In ARC, it's captured strongly iff the variable has __strong 5507 // lifetime. In MRR, it's captured strongly if the variable is 5508 // __block and has an appropriate type. 5509 if (var->getType().getObjCLifetime() != Qualifiers::OCL_Strong) 5510 return false; 5511 5512 owner.Variable = var; 5513 if (ref) 5514 owner.setLocsFrom(ref); 5515 return true; 5516} 5517 5518static bool findRetainCycleOwner(Sema &S, Expr *e, RetainCycleOwner &owner) { 5519 while (true) { 5520 e = e->IgnoreParens(); 5521 if (CastExpr *cast = dyn_cast<CastExpr>(e)) { 5522 switch (cast->getCastKind()) { 5523 case CK_BitCast: 5524 case CK_LValueBitCast: 5525 case CK_LValueToRValue: 5526 case CK_ARCReclaimReturnedObject: 5527 e = cast->getSubExpr(); 5528 continue; 5529 5530 default: 5531 return false; 5532 } 5533 } 5534 5535 if (ObjCIvarRefExpr *ref = dyn_cast<ObjCIvarRefExpr>(e)) { 5536 ObjCIvarDecl *ivar = ref->getDecl(); 5537 if (ivar->getType().getObjCLifetime() != Qualifiers::OCL_Strong) 5538 return false; 5539 5540 // Try to find a retain cycle in the base. 5541 if (!findRetainCycleOwner(S, ref->getBase(), owner)) 5542 return false; 5543 5544 if (ref->isFreeIvar()) owner.setLocsFrom(ref); 5545 owner.Indirect = true; 5546 return true; 5547 } 5548 5549 if (DeclRefExpr *ref = dyn_cast<DeclRefExpr>(e)) { 5550 VarDecl *var = dyn_cast<VarDecl>(ref->getDecl()); 5551 if (!var) return false; 5552 return considerVariable(var, ref, owner); 5553 } 5554 5555 if (MemberExpr *member = dyn_cast<MemberExpr>(e)) { 5556 if (member->isArrow()) return false; 5557 5558 // Don't count this as an indirect ownership. 5559 e = member->getBase(); 5560 continue; 5561 } 5562 5563 if (PseudoObjectExpr *pseudo = dyn_cast<PseudoObjectExpr>(e)) { 5564 // Only pay attention to pseudo-objects on property references. 5565 ObjCPropertyRefExpr *pre 5566 = dyn_cast<ObjCPropertyRefExpr>(pseudo->getSyntacticForm() 5567 ->IgnoreParens()); 5568 if (!pre) return false; 5569 if (pre->isImplicitProperty()) return false; 5570 ObjCPropertyDecl *property = pre->getExplicitProperty(); 5571 if (!property->isRetaining() && 5572 !(property->getPropertyIvarDecl() && 5573 property->getPropertyIvarDecl()->getType() 5574 .getObjCLifetime() == Qualifiers::OCL_Strong)) 5575 return false; 5576 5577 owner.Indirect = true; 5578 if (pre->isSuperReceiver()) { 5579 owner.Variable = S.getCurMethodDecl()->getSelfDecl(); 5580 if (!owner.Variable) 5581 return false; 5582 owner.Loc = pre->getLocation(); 5583 owner.Range = pre->getSourceRange(); 5584 return true; 5585 } 5586 e = const_cast<Expr*>(cast<OpaqueValueExpr>(pre->getBase()) 5587 ->getSourceExpr()); 5588 continue; 5589 } 5590 5591 // Array ivars? 5592 5593 return false; 5594 } 5595} 5596 5597namespace { 5598 struct FindCaptureVisitor : EvaluatedExprVisitor<FindCaptureVisitor> { 5599 FindCaptureVisitor(ASTContext &Context, VarDecl *variable) 5600 : EvaluatedExprVisitor<FindCaptureVisitor>(Context), 5601 Variable(variable), Capturer(0) {} 5602 5603 VarDecl *Variable; 5604 Expr *Capturer; 5605 5606 void VisitDeclRefExpr(DeclRefExpr *ref) { 5607 if (ref->getDecl() == Variable && !Capturer) 5608 Capturer = ref; 5609 } 5610 5611 void VisitObjCIvarRefExpr(ObjCIvarRefExpr *ref) { 5612 if (Capturer) return; 5613 Visit(ref->getBase()); 5614 if (Capturer && ref->isFreeIvar()) 5615 Capturer = ref; 5616 } 5617 5618 void VisitBlockExpr(BlockExpr *block) { 5619 // Look inside nested blocks 5620 if (block->getBlockDecl()->capturesVariable(Variable)) 5621 Visit(block->getBlockDecl()->getBody()); 5622 } 5623 5624 void VisitOpaqueValueExpr(OpaqueValueExpr *OVE) { 5625 if (Capturer) return; 5626 if (OVE->getSourceExpr()) 5627 Visit(OVE->getSourceExpr()); 5628 } 5629 }; 5630} 5631 5632/// Check whether the given argument is a block which captures a 5633/// variable. 5634static Expr *findCapturingExpr(Sema &S, Expr *e, RetainCycleOwner &owner) { 5635 assert(owner.Variable && owner.Loc.isValid()); 5636 5637 e = e->IgnoreParenCasts(); 5638 5639 // Look through [^{...} copy] and Block_copy(^{...}). 5640 if (ObjCMessageExpr *ME = dyn_cast<ObjCMessageExpr>(e)) { 5641 Selector Cmd = ME->getSelector(); 5642 if (Cmd.isUnarySelector() && Cmd.getNameForSlot(0) == "copy") { 5643 e = ME->getInstanceReceiver(); 5644 if (!e) 5645 return 0; 5646 e = e->IgnoreParenCasts(); 5647 } 5648 } else if (CallExpr *CE = dyn_cast<CallExpr>(e)) { 5649 if (CE->getNumArgs() == 1) { 5650 FunctionDecl *Fn = dyn_cast_or_null<FunctionDecl>(CE->getCalleeDecl()); 5651 if (Fn) { 5652 const IdentifierInfo *FnI = Fn->getIdentifier(); 5653 if (FnI && FnI->isStr("_Block_copy")) { 5654 e = CE->getArg(0)->IgnoreParenCasts(); 5655 } 5656 } 5657 } 5658 } 5659 5660 BlockExpr *block = dyn_cast<BlockExpr>(e); 5661 if (!block || !block->getBlockDecl()->capturesVariable(owner.Variable)) 5662 return 0; 5663 5664 FindCaptureVisitor visitor(S.Context, owner.Variable); 5665 visitor.Visit(block->getBlockDecl()->getBody()); 5666 return visitor.Capturer; 5667} 5668 5669static void diagnoseRetainCycle(Sema &S, Expr *capturer, 5670 RetainCycleOwner &owner) { 5671 assert(capturer); 5672 assert(owner.Variable && owner.Loc.isValid()); 5673 5674 S.Diag(capturer->getExprLoc(), diag::warn_arc_retain_cycle) 5675 << owner.Variable << capturer->getSourceRange(); 5676 S.Diag(owner.Loc, diag::note_arc_retain_cycle_owner) 5677 << owner.Indirect << owner.Range; 5678} 5679 5680/// Check for a keyword selector that starts with the word 'add' or 5681/// 'set'. 5682static bool isSetterLikeSelector(Selector sel) { 5683 if (sel.isUnarySelector()) return false; 5684 5685 StringRef str = sel.getNameForSlot(0); 5686 while (!str.empty() && str.front() == '_') str = str.substr(1); 5687 if (str.startswith("set")) 5688 str = str.substr(3); 5689 else if (str.startswith("add")) { 5690 // Specially whitelist 'addOperationWithBlock:'. 5691 if (sel.getNumArgs() == 1 && str.startswith("addOperationWithBlock")) 5692 return false; 5693 str = str.substr(3); 5694 } 5695 else 5696 return false; 5697 5698 if (str.empty()) return true; 5699 return !islower(str.front()); 5700} 5701 5702/// Check a message send to see if it's likely to cause a retain cycle. 5703void Sema::checkRetainCycles(ObjCMessageExpr *msg) { 5704 // Only check instance methods whose selector looks like a setter. 5705 if (!msg->isInstanceMessage() || !isSetterLikeSelector(msg->getSelector())) 5706 return; 5707 5708 // Try to find a variable that the receiver is strongly owned by. 5709 RetainCycleOwner owner; 5710 if (msg->getReceiverKind() == ObjCMessageExpr::Instance) { 5711 if (!findRetainCycleOwner(*this, msg->getInstanceReceiver(), owner)) 5712 return; 5713 } else { 5714 assert(msg->getReceiverKind() == ObjCMessageExpr::SuperInstance); 5715 owner.Variable = getCurMethodDecl()->getSelfDecl(); 5716 owner.Loc = msg->getSuperLoc(); 5717 owner.Range = msg->getSuperLoc(); 5718 } 5719 5720 // Check whether the receiver is captured by any of the arguments. 5721 for (unsigned i = 0, e = msg->getNumArgs(); i != e; ++i) 5722 if (Expr *capturer = findCapturingExpr(*this, msg->getArg(i), owner)) 5723 return diagnoseRetainCycle(*this, capturer, owner); 5724} 5725 5726/// Check a property assign to see if it's likely to cause a retain cycle. 5727void Sema::checkRetainCycles(Expr *receiver, Expr *argument) { 5728 RetainCycleOwner owner; 5729 if (!findRetainCycleOwner(*this, receiver, owner)) 5730 return; 5731 5732 if (Expr *capturer = findCapturingExpr(*this, argument, owner)) 5733 diagnoseRetainCycle(*this, capturer, owner); 5734} 5735 5736void Sema::checkRetainCycles(VarDecl *Var, Expr *Init) { 5737 RetainCycleOwner Owner; 5738 if (!considerVariable(Var, /*DeclRefExpr=*/0, Owner)) 5739 return; 5740 5741 // Because we don't have an expression for the variable, we have to set the 5742 // location explicitly here. 5743 Owner.Loc = Var->getLocation(); 5744 Owner.Range = Var->getSourceRange(); 5745 5746 if (Expr *Capturer = findCapturingExpr(*this, Init, Owner)) 5747 diagnoseRetainCycle(*this, Capturer, Owner); 5748} 5749 5750static bool checkUnsafeAssignLiteral(Sema &S, SourceLocation Loc, 5751 Expr *RHS, bool isProperty) { 5752 // Check if RHS is an Objective-C object literal, which also can get 5753 // immediately zapped in a weak reference. Note that we explicitly 5754 // allow ObjCStringLiterals, since those are designed to never really die. 5755 RHS = RHS->IgnoreParenImpCasts(); 5756 5757 // This enum needs to match with the 'select' in 5758 // warn_objc_arc_literal_assign (off-by-1). 5759 Sema::ObjCLiteralKind Kind = S.CheckLiteralKind(RHS); 5760 if (Kind == Sema::LK_String || Kind == Sema::LK_None) 5761 return false; 5762 5763 S.Diag(Loc, diag::warn_arc_literal_assign) 5764 << (unsigned) Kind 5765 << (isProperty ? 0 : 1) 5766 << RHS->getSourceRange(); 5767 5768 return true; 5769} 5770 5771static bool checkUnsafeAssignObject(Sema &S, SourceLocation Loc, 5772 Qualifiers::ObjCLifetime LT, 5773 Expr *RHS, bool isProperty) { 5774 // Strip off any implicit cast added to get to the one ARC-specific. 5775 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) { 5776 if (cast->getCastKind() == CK_ARCConsumeObject) { 5777 S.Diag(Loc, diag::warn_arc_retained_assign) 5778 << (LT == Qualifiers::OCL_ExplicitNone) 5779 << (isProperty ? 0 : 1) 5780 << RHS->getSourceRange(); 5781 return true; 5782 } 5783 RHS = cast->getSubExpr(); 5784 } 5785 5786 if (LT == Qualifiers::OCL_Weak && 5787 checkUnsafeAssignLiteral(S, Loc, RHS, isProperty)) 5788 return true; 5789 5790 return false; 5791} 5792 5793bool Sema::checkUnsafeAssigns(SourceLocation Loc, 5794 QualType LHS, Expr *RHS) { 5795 Qualifiers::ObjCLifetime LT = LHS.getObjCLifetime(); 5796 5797 if (LT != Qualifiers::OCL_Weak && LT != Qualifiers::OCL_ExplicitNone) 5798 return false; 5799 5800 if (checkUnsafeAssignObject(*this, Loc, LT, RHS, false)) 5801 return true; 5802 5803 return false; 5804} 5805 5806void Sema::checkUnsafeExprAssigns(SourceLocation Loc, 5807 Expr *LHS, Expr *RHS) { 5808 QualType LHSType; 5809 // PropertyRef on LHS type need be directly obtained from 5810 // its declaration as it has a PsuedoType. 5811 ObjCPropertyRefExpr *PRE 5812 = dyn_cast<ObjCPropertyRefExpr>(LHS->IgnoreParens()); 5813 if (PRE && !PRE->isImplicitProperty()) { 5814 const ObjCPropertyDecl *PD = PRE->getExplicitProperty(); 5815 if (PD) 5816 LHSType = PD->getType(); 5817 } 5818 5819 if (LHSType.isNull()) 5820 LHSType = LHS->getType(); 5821 5822 Qualifiers::ObjCLifetime LT = LHSType.getObjCLifetime(); 5823 5824 if (LT == Qualifiers::OCL_Weak) { 5825 DiagnosticsEngine::Level Level = 5826 Diags.getDiagnosticLevel(diag::warn_arc_repeated_use_of_weak, Loc); 5827 if (Level != DiagnosticsEngine::Ignored) 5828 getCurFunction()->markSafeWeakUse(LHS); 5829 } 5830 5831 if (checkUnsafeAssigns(Loc, LHSType, RHS)) 5832 return; 5833 5834 // FIXME. Check for other life times. 5835 if (LT != Qualifiers::OCL_None) 5836 return; 5837 5838 if (PRE) { 5839 if (PRE->isImplicitProperty()) 5840 return; 5841 const ObjCPropertyDecl *PD = PRE->getExplicitProperty(); 5842 if (!PD) 5843 return; 5844 5845 unsigned Attributes = PD->getPropertyAttributes(); 5846 if (Attributes & ObjCPropertyDecl::OBJC_PR_assign) { 5847 // when 'assign' attribute was not explicitly specified 5848 // by user, ignore it and rely on property type itself 5849 // for lifetime info. 5850 unsigned AsWrittenAttr = PD->getPropertyAttributesAsWritten(); 5851 if (!(AsWrittenAttr & ObjCPropertyDecl::OBJC_PR_assign) && 5852 LHSType->isObjCRetainableType()) 5853 return; 5854 5855 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) { 5856 if (cast->getCastKind() == CK_ARCConsumeObject) { 5857 Diag(Loc, diag::warn_arc_retained_property_assign) 5858 << RHS->getSourceRange(); 5859 return; 5860 } 5861 RHS = cast->getSubExpr(); 5862 } 5863 } 5864 else if (Attributes & ObjCPropertyDecl::OBJC_PR_weak) { 5865 if (checkUnsafeAssignObject(*this, Loc, Qualifiers::OCL_Weak, RHS, true)) 5866 return; 5867 } 5868 } 5869} 5870 5871//===--- CHECK: Empty statement body (-Wempty-body) ---------------------===// 5872 5873namespace { 5874bool ShouldDiagnoseEmptyStmtBody(const SourceManager &SourceMgr, 5875 SourceLocation StmtLoc, 5876 const NullStmt *Body) { 5877 // Do not warn if the body is a macro that expands to nothing, e.g: 5878 // 5879 // #define CALL(x) 5880 // if (condition) 5881 // CALL(0); 5882 // 5883 if (Body->hasLeadingEmptyMacro()) 5884 return false; 5885 5886 // Get line numbers of statement and body. 5887 bool StmtLineInvalid; 5888 unsigned StmtLine = SourceMgr.getSpellingLineNumber(StmtLoc, 5889 &StmtLineInvalid); 5890 if (StmtLineInvalid) 5891 return false; 5892 5893 bool BodyLineInvalid; 5894 unsigned BodyLine = SourceMgr.getSpellingLineNumber(Body->getSemiLoc(), 5895 &BodyLineInvalid); 5896 if (BodyLineInvalid) 5897 return false; 5898 5899 // Warn if null statement and body are on the same line. 5900 if (StmtLine != BodyLine) 5901 return false; 5902 5903 return true; 5904} 5905} // Unnamed namespace 5906 5907void Sema::DiagnoseEmptyStmtBody(SourceLocation StmtLoc, 5908 const Stmt *Body, 5909 unsigned DiagID) { 5910 // Since this is a syntactic check, don't emit diagnostic for template 5911 // instantiations, this just adds noise. 5912 if (CurrentInstantiationScope) 5913 return; 5914 5915 // The body should be a null statement. 5916 const NullStmt *NBody = dyn_cast<NullStmt>(Body); 5917 if (!NBody) 5918 return; 5919 5920 // Do the usual checks. 5921 if (!ShouldDiagnoseEmptyStmtBody(SourceMgr, StmtLoc, NBody)) 5922 return; 5923 5924 Diag(NBody->getSemiLoc(), DiagID); 5925 Diag(NBody->getSemiLoc(), diag::note_empty_body_on_separate_line); 5926} 5927 5928void Sema::DiagnoseEmptyLoopBody(const Stmt *S, 5929 const Stmt *PossibleBody) { 5930 assert(!CurrentInstantiationScope); // Ensured by caller 5931 5932 SourceLocation StmtLoc; 5933 const Stmt *Body; 5934 unsigned DiagID; 5935 if (const ForStmt *FS = dyn_cast<ForStmt>(S)) { 5936 StmtLoc = FS->getRParenLoc(); 5937 Body = FS->getBody(); 5938 DiagID = diag::warn_empty_for_body; 5939 } else if (const WhileStmt *WS = dyn_cast<WhileStmt>(S)) { 5940 StmtLoc = WS->getCond()->getSourceRange().getEnd(); 5941 Body = WS->getBody(); 5942 DiagID = diag::warn_empty_while_body; 5943 } else 5944 return; // Neither `for' nor `while'. 5945 5946 // The body should be a null statement. 5947 const NullStmt *NBody = dyn_cast<NullStmt>(Body); 5948 if (!NBody) 5949 return; 5950 5951 // Skip expensive checks if diagnostic is disabled. 5952 if (Diags.getDiagnosticLevel(DiagID, NBody->getSemiLoc()) == 5953 DiagnosticsEngine::Ignored) 5954 return; 5955 5956 // Do the usual checks. 5957 if (!ShouldDiagnoseEmptyStmtBody(SourceMgr, StmtLoc, NBody)) 5958 return; 5959 5960 // `for(...);' and `while(...);' are popular idioms, so in order to keep 5961 // noise level low, emit diagnostics only if for/while is followed by a 5962 // CompoundStmt, e.g.: 5963 // for (int i = 0; i < n; i++); 5964 // { 5965 // a(i); 5966 // } 5967 // or if for/while is followed by a statement with more indentation 5968 // than for/while itself: 5969 // for (int i = 0; i < n; i++); 5970 // a(i); 5971 bool ProbableTypo = isa<CompoundStmt>(PossibleBody); 5972 if (!ProbableTypo) { 5973 bool BodyColInvalid; 5974 unsigned BodyCol = SourceMgr.getPresumedColumnNumber( 5975 PossibleBody->getLocStart(), 5976 &BodyColInvalid); 5977 if (BodyColInvalid) 5978 return; 5979 5980 bool StmtColInvalid; 5981 unsigned StmtCol = SourceMgr.getPresumedColumnNumber( 5982 S->getLocStart(), 5983 &StmtColInvalid); 5984 if (StmtColInvalid) 5985 return; 5986 5987 if (BodyCol > StmtCol) 5988 ProbableTypo = true; 5989 } 5990 5991 if (ProbableTypo) { 5992 Diag(NBody->getSemiLoc(), DiagID); 5993 Diag(NBody->getSemiLoc(), diag::note_empty_body_on_separate_line); 5994 } 5995} 5996 5997//===--- Layout compatibility ----------------------------------------------// 5998 5999namespace { 6000 6001bool isLayoutCompatible(ASTContext &C, QualType T1, QualType T2); 6002 6003/// \brief Check if two enumeration types are layout-compatible. 6004bool isLayoutCompatible(ASTContext &C, EnumDecl *ED1, EnumDecl *ED2) { 6005 // C++11 [dcl.enum] p8: 6006 // Two enumeration types are layout-compatible if they have the same 6007 // underlying type. 6008 return ED1->isComplete() && ED2->isComplete() && 6009 C.hasSameType(ED1->getIntegerType(), ED2->getIntegerType()); 6010} 6011 6012/// \brief Check if two fields are layout-compatible. 6013bool isLayoutCompatible(ASTContext &C, FieldDecl *Field1, FieldDecl *Field2) { 6014 if (!isLayoutCompatible(C, Field1->getType(), Field2->getType())) 6015 return false; 6016 6017 if (Field1->isBitField() != Field2->isBitField()) 6018 return false; 6019 6020 if (Field1->isBitField()) { 6021 // Make sure that the bit-fields are the same length. 6022 unsigned Bits1 = Field1->getBitWidthValue(C); 6023 unsigned Bits2 = Field2->getBitWidthValue(C); 6024 6025 if (Bits1 != Bits2) 6026 return false; 6027 } 6028 6029 return true; 6030} 6031 6032/// \brief Check if two standard-layout structs are layout-compatible. 6033/// (C++11 [class.mem] p17) 6034bool isLayoutCompatibleStruct(ASTContext &C, 6035 RecordDecl *RD1, 6036 RecordDecl *RD2) { 6037 // If both records are C++ classes, check that base classes match. 6038 if (const CXXRecordDecl *D1CXX = dyn_cast<CXXRecordDecl>(RD1)) { 6039 // If one of records is a CXXRecordDecl we are in C++ mode, 6040 // thus the other one is a CXXRecordDecl, too. 6041 const CXXRecordDecl *D2CXX = cast<CXXRecordDecl>(RD2); 6042 // Check number of base classes. 6043 if (D1CXX->getNumBases() != D2CXX->getNumBases()) 6044 return false; 6045 6046 // Check the base classes. 6047 for (CXXRecordDecl::base_class_const_iterator 6048 Base1 = D1CXX->bases_begin(), 6049 BaseEnd1 = D1CXX->bases_end(), 6050 Base2 = D2CXX->bases_begin(); 6051 Base1 != BaseEnd1; 6052 ++Base1, ++Base2) { 6053 if (!isLayoutCompatible(C, Base1->getType(), Base2->getType())) 6054 return false; 6055 } 6056 } else if (const CXXRecordDecl *D2CXX = dyn_cast<CXXRecordDecl>(RD2)) { 6057 // If only RD2 is a C++ class, it should have zero base classes. 6058 if (D2CXX->getNumBases() > 0) 6059 return false; 6060 } 6061 6062 // Check the fields. 6063 RecordDecl::field_iterator Field2 = RD2->field_begin(), 6064 Field2End = RD2->field_end(), 6065 Field1 = RD1->field_begin(), 6066 Field1End = RD1->field_end(); 6067 for ( ; Field1 != Field1End && Field2 != Field2End; ++Field1, ++Field2) { 6068 if (!isLayoutCompatible(C, *Field1, *Field2)) 6069 return false; 6070 } 6071 if (Field1 != Field1End || Field2 != Field2End) 6072 return false; 6073 6074 return true; 6075} 6076 6077/// \brief Check if two standard-layout unions are layout-compatible. 6078/// (C++11 [class.mem] p18) 6079bool isLayoutCompatibleUnion(ASTContext &C, 6080 RecordDecl *RD1, 6081 RecordDecl *RD2) { 6082 llvm::SmallPtrSet<FieldDecl *, 8> UnmatchedFields; 6083 for (RecordDecl::field_iterator Field2 = RD2->field_begin(), 6084 Field2End = RD2->field_end(); 6085 Field2 != Field2End; ++Field2) { 6086 UnmatchedFields.insert(*Field2); 6087 } 6088 6089 for (RecordDecl::field_iterator Field1 = RD1->field_begin(), 6090 Field1End = RD1->field_end(); 6091 Field1 != Field1End; ++Field1) { 6092 llvm::SmallPtrSet<FieldDecl *, 8>::iterator 6093 I = UnmatchedFields.begin(), 6094 E = UnmatchedFields.end(); 6095 6096 for ( ; I != E; ++I) { 6097 if (isLayoutCompatible(C, *Field1, *I)) { 6098 bool Result = UnmatchedFields.erase(*I); 6099 (void) Result; 6100 assert(Result); 6101 break; 6102 } 6103 } 6104 if (I == E) 6105 return false; 6106 } 6107 6108 return UnmatchedFields.empty(); 6109} 6110 6111bool isLayoutCompatible(ASTContext &C, RecordDecl *RD1, RecordDecl *RD2) { 6112 if (RD1->isUnion() != RD2->isUnion()) 6113 return false; 6114 6115 if (RD1->isUnion()) 6116 return isLayoutCompatibleUnion(C, RD1, RD2); 6117 else 6118 return isLayoutCompatibleStruct(C, RD1, RD2); 6119} 6120 6121/// \brief Check if two types are layout-compatible in C++11 sense. 6122bool isLayoutCompatible(ASTContext &C, QualType T1, QualType T2) { 6123 if (T1.isNull() || T2.isNull()) 6124 return false; 6125 6126 // C++11 [basic.types] p11: 6127 // If two types T1 and T2 are the same type, then T1 and T2 are 6128 // layout-compatible types. 6129 if (C.hasSameType(T1, T2)) 6130 return true; 6131 6132 T1 = T1.getCanonicalType().getUnqualifiedType(); 6133 T2 = T2.getCanonicalType().getUnqualifiedType(); 6134 6135 const Type::TypeClass TC1 = T1->getTypeClass(); 6136 const Type::TypeClass TC2 = T2->getTypeClass(); 6137 6138 if (TC1 != TC2) 6139 return false; 6140 6141 if (TC1 == Type::Enum) { 6142 return isLayoutCompatible(C, 6143 cast<EnumType>(T1)->getDecl(), 6144 cast<EnumType>(T2)->getDecl()); 6145 } else if (TC1 == Type::Record) { 6146 if (!T1->isStandardLayoutType() || !T2->isStandardLayoutType()) 6147 return false; 6148 6149 return isLayoutCompatible(C, 6150 cast<RecordType>(T1)->getDecl(), 6151 cast<RecordType>(T2)->getDecl()); 6152 } 6153 6154 return false; 6155} 6156} 6157 6158//===--- CHECK: pointer_with_type_tag attribute: datatypes should match ----// 6159 6160namespace { 6161/// \brief Given a type tag expression find the type tag itself. 6162/// 6163/// \param TypeExpr Type tag expression, as it appears in user's code. 6164/// 6165/// \param VD Declaration of an identifier that appears in a type tag. 6166/// 6167/// \param MagicValue Type tag magic value. 6168bool FindTypeTagExpr(const Expr *TypeExpr, const ASTContext &Ctx, 6169 const ValueDecl **VD, uint64_t *MagicValue) { 6170 while(true) { 6171 if (!TypeExpr) 6172 return false; 6173 6174 TypeExpr = TypeExpr->IgnoreParenImpCasts()->IgnoreParenCasts(); 6175 6176 switch (TypeExpr->getStmtClass()) { 6177 case Stmt::UnaryOperatorClass: { 6178 const UnaryOperator *UO = cast<UnaryOperator>(TypeExpr); 6179 if (UO->getOpcode() == UO_AddrOf || UO->getOpcode() == UO_Deref) { 6180 TypeExpr = UO->getSubExpr(); 6181 continue; 6182 } 6183 return false; 6184 } 6185 6186 case Stmt::DeclRefExprClass: { 6187 const DeclRefExpr *DRE = cast<DeclRefExpr>(TypeExpr); 6188 *VD = DRE->getDecl(); 6189 return true; 6190 } 6191 6192 case Stmt::IntegerLiteralClass: { 6193 const IntegerLiteral *IL = cast<IntegerLiteral>(TypeExpr); 6194 llvm::APInt MagicValueAPInt = IL->getValue(); 6195 if (MagicValueAPInt.getActiveBits() <= 64) { 6196 *MagicValue = MagicValueAPInt.getZExtValue(); 6197 return true; 6198 } else 6199 return false; 6200 } 6201 6202 case Stmt::BinaryConditionalOperatorClass: 6203 case Stmt::ConditionalOperatorClass: { 6204 const AbstractConditionalOperator *ACO = 6205 cast<AbstractConditionalOperator>(TypeExpr); 6206 bool Result; 6207 if (ACO->getCond()->EvaluateAsBooleanCondition(Result, Ctx)) { 6208 if (Result) 6209 TypeExpr = ACO->getTrueExpr(); 6210 else 6211 TypeExpr = ACO->getFalseExpr(); 6212 continue; 6213 } 6214 return false; 6215 } 6216 6217 case Stmt::BinaryOperatorClass: { 6218 const BinaryOperator *BO = cast<BinaryOperator>(TypeExpr); 6219 if (BO->getOpcode() == BO_Comma) { 6220 TypeExpr = BO->getRHS(); 6221 continue; 6222 } 6223 return false; 6224 } 6225 6226 default: 6227 return false; 6228 } 6229 } 6230} 6231 6232/// \brief Retrieve the C type corresponding to type tag TypeExpr. 6233/// 6234/// \param TypeExpr Expression that specifies a type tag. 6235/// 6236/// \param MagicValues Registered magic values. 6237/// 6238/// \param FoundWrongKind Set to true if a type tag was found, but of a wrong 6239/// kind. 6240/// 6241/// \param TypeInfo Information about the corresponding C type. 6242/// 6243/// \returns true if the corresponding C type was found. 6244bool GetMatchingCType( 6245 const IdentifierInfo *ArgumentKind, 6246 const Expr *TypeExpr, const ASTContext &Ctx, 6247 const llvm::DenseMap<Sema::TypeTagMagicValue, 6248 Sema::TypeTagData> *MagicValues, 6249 bool &FoundWrongKind, 6250 Sema::TypeTagData &TypeInfo) { 6251 FoundWrongKind = false; 6252 6253 // Variable declaration that has type_tag_for_datatype attribute. 6254 const ValueDecl *VD = NULL; 6255 6256 uint64_t MagicValue; 6257 6258 if (!FindTypeTagExpr(TypeExpr, Ctx, &VD, &MagicValue)) 6259 return false; 6260 6261 if (VD) { 6262 for (specific_attr_iterator<TypeTagForDatatypeAttr> 6263 I = VD->specific_attr_begin<TypeTagForDatatypeAttr>(), 6264 E = VD->specific_attr_end<TypeTagForDatatypeAttr>(); 6265 I != E; ++I) { 6266 if (I->getArgumentKind() != ArgumentKind) { 6267 FoundWrongKind = true; 6268 return false; 6269 } 6270 TypeInfo.Type = I->getMatchingCType(); 6271 TypeInfo.LayoutCompatible = I->getLayoutCompatible(); 6272 TypeInfo.MustBeNull = I->getMustBeNull(); 6273 return true; 6274 } 6275 return false; 6276 } 6277 6278 if (!MagicValues) 6279 return false; 6280 6281 llvm::DenseMap<Sema::TypeTagMagicValue, 6282 Sema::TypeTagData>::const_iterator I = 6283 MagicValues->find(std::make_pair(ArgumentKind, MagicValue)); 6284 if (I == MagicValues->end()) 6285 return false; 6286 6287 TypeInfo = I->second; 6288 return true; 6289} 6290} // unnamed namespace 6291 6292void Sema::RegisterTypeTagForDatatype(const IdentifierInfo *ArgumentKind, 6293 uint64_t MagicValue, QualType Type, 6294 bool LayoutCompatible, 6295 bool MustBeNull) { 6296 if (!TypeTagForDatatypeMagicValues) 6297 TypeTagForDatatypeMagicValues.reset( 6298 new llvm::DenseMap<TypeTagMagicValue, TypeTagData>); 6299 6300 TypeTagMagicValue Magic(ArgumentKind, MagicValue); 6301 (*TypeTagForDatatypeMagicValues)[Magic] = 6302 TypeTagData(Type, LayoutCompatible, MustBeNull); 6303} 6304 6305namespace { 6306bool IsSameCharType(QualType T1, QualType T2) { 6307 const BuiltinType *BT1 = T1->getAs<BuiltinType>(); 6308 if (!BT1) 6309 return false; 6310 6311 const BuiltinType *BT2 = T2->getAs<BuiltinType>(); 6312 if (!BT2) 6313 return false; 6314 6315 BuiltinType::Kind T1Kind = BT1->getKind(); 6316 BuiltinType::Kind T2Kind = BT2->getKind(); 6317 6318 return (T1Kind == BuiltinType::SChar && T2Kind == BuiltinType::Char_S) || 6319 (T1Kind == BuiltinType::UChar && T2Kind == BuiltinType::Char_U) || 6320 (T1Kind == BuiltinType::Char_U && T2Kind == BuiltinType::UChar) || 6321 (T1Kind == BuiltinType::Char_S && T2Kind == BuiltinType::SChar); 6322} 6323} // unnamed namespace 6324 6325void Sema::CheckArgumentWithTypeTag(const ArgumentWithTypeTagAttr *Attr, 6326 const Expr * const *ExprArgs) { 6327 const IdentifierInfo *ArgumentKind = Attr->getArgumentKind(); 6328 bool IsPointerAttr = Attr->getIsPointer(); 6329 6330 const Expr *TypeTagExpr = ExprArgs[Attr->getTypeTagIdx()]; 6331 bool FoundWrongKind; 6332 TypeTagData TypeInfo; 6333 if (!GetMatchingCType(ArgumentKind, TypeTagExpr, Context, 6334 TypeTagForDatatypeMagicValues.get(), 6335 FoundWrongKind, TypeInfo)) { 6336 if (FoundWrongKind) 6337 Diag(TypeTagExpr->getExprLoc(), 6338 diag::warn_type_tag_for_datatype_wrong_kind) 6339 << TypeTagExpr->getSourceRange(); 6340 return; 6341 } 6342 6343 const Expr *ArgumentExpr = ExprArgs[Attr->getArgumentIdx()]; 6344 if (IsPointerAttr) { 6345 // Skip implicit cast of pointer to `void *' (as a function argument). 6346 if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(ArgumentExpr)) 6347 if (ICE->getType()->isVoidPointerType() && 6348 ICE->getCastKind() == CK_BitCast) 6349 ArgumentExpr = ICE->getSubExpr(); 6350 } 6351 QualType ArgumentType = ArgumentExpr->getType(); 6352 6353 // Passing a `void*' pointer shouldn't trigger a warning. 6354 if (IsPointerAttr && ArgumentType->isVoidPointerType()) 6355 return; 6356 6357 if (TypeInfo.MustBeNull) { 6358 // Type tag with matching void type requires a null pointer. 6359 if (!ArgumentExpr->isNullPointerConstant(Context, 6360 Expr::NPC_ValueDependentIsNotNull)) { 6361 Diag(ArgumentExpr->getExprLoc(), 6362 diag::warn_type_safety_null_pointer_required) 6363 << ArgumentKind->getName() 6364 << ArgumentExpr->getSourceRange() 6365 << TypeTagExpr->getSourceRange(); 6366 } 6367 return; 6368 } 6369 6370 QualType RequiredType = TypeInfo.Type; 6371 if (IsPointerAttr) 6372 RequiredType = Context.getPointerType(RequiredType); 6373 6374 bool mismatch = false; 6375 if (!TypeInfo.LayoutCompatible) { 6376 mismatch = !Context.hasSameType(ArgumentType, RequiredType); 6377 6378 // C++11 [basic.fundamental] p1: 6379 // Plain char, signed char, and unsigned char are three distinct types. 6380 // 6381 // But we treat plain `char' as equivalent to `signed char' or `unsigned 6382 // char' depending on the current char signedness mode. 6383 if (mismatch) 6384 if ((IsPointerAttr && IsSameCharType(ArgumentType->getPointeeType(), 6385 RequiredType->getPointeeType())) || 6386 (!IsPointerAttr && IsSameCharType(ArgumentType, RequiredType))) 6387 mismatch = false; 6388 } else 6389 if (IsPointerAttr) 6390 mismatch = !isLayoutCompatible(Context, 6391 ArgumentType->getPointeeType(), 6392 RequiredType->getPointeeType()); 6393 else 6394 mismatch = !isLayoutCompatible(Context, ArgumentType, RequiredType); 6395 6396 if (mismatch) 6397 Diag(ArgumentExpr->getExprLoc(), diag::warn_type_safety_type_mismatch) 6398 << ArgumentType << ArgumentKind->getName() 6399 << TypeInfo.LayoutCompatible << RequiredType 6400 << ArgumentExpr->getSourceRange() 6401 << TypeTagExpr->getSourceRange(); 6402} 6403