SemaChecking.cpp revision ef8225444452a1486bd721f3285301fe84643b00
1//===--- SemaChecking.cpp - Extra Semantic Checking -----------------------===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file implements extra semantic analysis beyond what is enforced 11// by the C type system. 12// 13//===----------------------------------------------------------------------===// 14 15#include "clang/Sema/SemaInternal.h" 16#include "clang/AST/ASTContext.h" 17#include "clang/AST/CharUnits.h" 18#include "clang/AST/DeclCXX.h" 19#include "clang/AST/DeclObjC.h" 20#include "clang/AST/EvaluatedExprVisitor.h" 21#include "clang/AST/Expr.h" 22#include "clang/AST/ExprCXX.h" 23#include "clang/AST/ExprObjC.h" 24#include "clang/AST/StmtCXX.h" 25#include "clang/AST/StmtObjC.h" 26#include "clang/Analysis/Analyses/FormatString.h" 27#include "clang/Basic/CharInfo.h" 28#include "clang/Basic/TargetBuiltins.h" 29#include "clang/Basic/TargetInfo.h" 30#include "clang/Lex/Lexer.h" // TODO: Extract static functions to fix layering. 31#include "clang/Sema/Initialization.h" 32#include "clang/Sema/Lookup.h" 33#include "clang/Sema/ScopeInfo.h" 34#include "clang/Sema/Sema.h" 35#include "llvm/ADT/STLExtras.h" 36#include "llvm/ADT/SmallBitVector.h" 37#include "llvm/ADT/SmallString.h" 38#include "llvm/Support/ConvertUTF.h" 39#include "llvm/Support/raw_ostream.h" 40#include <limits> 41using namespace clang; 42using namespace sema; 43 44SourceLocation Sema::getLocationOfStringLiteralByte(const StringLiteral *SL, 45 unsigned ByteNo) const { 46 return SL->getLocationOfByte(ByteNo, getSourceManager(), LangOpts, 47 Context.getTargetInfo()); 48} 49 50/// Checks that a call expression's argument count is the desired number. 51/// This is useful when doing custom type-checking. Returns true on error. 52static bool checkArgCount(Sema &S, CallExpr *call, unsigned desiredArgCount) { 53 unsigned argCount = call->getNumArgs(); 54 if (argCount == desiredArgCount) return false; 55 56 if (argCount < desiredArgCount) 57 return S.Diag(call->getLocEnd(), diag::err_typecheck_call_too_few_args) 58 << 0 /*function call*/ << desiredArgCount << argCount 59 << call->getSourceRange(); 60 61 // Highlight all the excess arguments. 62 SourceRange range(call->getArg(desiredArgCount)->getLocStart(), 63 call->getArg(argCount - 1)->getLocEnd()); 64 65 return S.Diag(range.getBegin(), diag::err_typecheck_call_too_many_args) 66 << 0 /*function call*/ << desiredArgCount << argCount 67 << call->getArg(1)->getSourceRange(); 68} 69 70/// Check that the first argument to __builtin_annotation is an integer 71/// and the second argument is a non-wide string literal. 72static bool SemaBuiltinAnnotation(Sema &S, CallExpr *TheCall) { 73 if (checkArgCount(S, TheCall, 2)) 74 return true; 75 76 // First argument should be an integer. 77 Expr *ValArg = TheCall->getArg(0); 78 QualType Ty = ValArg->getType(); 79 if (!Ty->isIntegerType()) { 80 S.Diag(ValArg->getLocStart(), diag::err_builtin_annotation_first_arg) 81 << ValArg->getSourceRange(); 82 return true; 83 } 84 85 // Second argument should be a constant string. 86 Expr *StrArg = TheCall->getArg(1)->IgnoreParenCasts(); 87 StringLiteral *Literal = dyn_cast<StringLiteral>(StrArg); 88 if (!Literal || !Literal->isAscii()) { 89 S.Diag(StrArg->getLocStart(), diag::err_builtin_annotation_second_arg) 90 << StrArg->getSourceRange(); 91 return true; 92 } 93 94 TheCall->setType(Ty); 95 return false; 96} 97 98/// Check that the argument to __builtin_addressof is a glvalue, and set the 99/// result type to the corresponding pointer type. 100static bool SemaBuiltinAddressof(Sema &S, CallExpr *TheCall) { 101 if (checkArgCount(S, TheCall, 1)) 102 return true; 103 104 ExprResult Arg(TheCall->getArg(0)); 105 QualType ResultType = S.CheckAddressOfOperand(Arg, TheCall->getLocStart()); 106 if (ResultType.isNull()) 107 return true; 108 109 TheCall->setArg(0, Arg.get()); 110 TheCall->setType(ResultType); 111 return false; 112} 113 114ExprResult 115Sema::CheckBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 116 ExprResult TheCallResult(TheCall); 117 118 // Find out if any arguments are required to be integer constant expressions. 119 unsigned ICEArguments = 0; 120 ASTContext::GetBuiltinTypeError Error; 121 Context.GetBuiltinType(BuiltinID, Error, &ICEArguments); 122 if (Error != ASTContext::GE_None) 123 ICEArguments = 0; // Don't diagnose previously diagnosed errors. 124 125 // If any arguments are required to be ICE's, check and diagnose. 126 for (unsigned ArgNo = 0; ICEArguments != 0; ++ArgNo) { 127 // Skip arguments not required to be ICE's. 128 if ((ICEArguments & (1 << ArgNo)) == 0) continue; 129 130 llvm::APSInt Result; 131 if (SemaBuiltinConstantArg(TheCall, ArgNo, Result)) 132 return true; 133 ICEArguments &= ~(1 << ArgNo); 134 } 135 136 switch (BuiltinID) { 137 case Builtin::BI__builtin___CFStringMakeConstantString: 138 assert(TheCall->getNumArgs() == 1 && 139 "Wrong # arguments to builtin CFStringMakeConstantString"); 140 if (CheckObjCString(TheCall->getArg(0))) 141 return ExprError(); 142 break; 143 case Builtin::BI__builtin_stdarg_start: 144 case Builtin::BI__builtin_va_start: 145 case Builtin::BI__va_start: 146 if (SemaBuiltinVAStart(TheCall)) 147 return ExprError(); 148 break; 149 case Builtin::BI__builtin_isgreater: 150 case Builtin::BI__builtin_isgreaterequal: 151 case Builtin::BI__builtin_isless: 152 case Builtin::BI__builtin_islessequal: 153 case Builtin::BI__builtin_islessgreater: 154 case Builtin::BI__builtin_isunordered: 155 if (SemaBuiltinUnorderedCompare(TheCall)) 156 return ExprError(); 157 break; 158 case Builtin::BI__builtin_fpclassify: 159 if (SemaBuiltinFPClassification(TheCall, 6)) 160 return ExprError(); 161 break; 162 case Builtin::BI__builtin_isfinite: 163 case Builtin::BI__builtin_isinf: 164 case Builtin::BI__builtin_isinf_sign: 165 case Builtin::BI__builtin_isnan: 166 case Builtin::BI__builtin_isnormal: 167 if (SemaBuiltinFPClassification(TheCall, 1)) 168 return ExprError(); 169 break; 170 case Builtin::BI__builtin_shufflevector: 171 return SemaBuiltinShuffleVector(TheCall); 172 // TheCall will be freed by the smart pointer here, but that's fine, since 173 // SemaBuiltinShuffleVector guts it, but then doesn't release it. 174 case Builtin::BI__builtin_prefetch: 175 if (SemaBuiltinPrefetch(TheCall)) 176 return ExprError(); 177 break; 178 case Builtin::BI__builtin_object_size: 179 if (SemaBuiltinConstantArgRange(TheCall, 1, 0, 3)) 180 return ExprError(); 181 break; 182 case Builtin::BI__builtin_longjmp: 183 if (SemaBuiltinLongjmp(TheCall)) 184 return ExprError(); 185 break; 186 187 case Builtin::BI__builtin_classify_type: 188 if (checkArgCount(*this, TheCall, 1)) return true; 189 TheCall->setType(Context.IntTy); 190 break; 191 case Builtin::BI__builtin_constant_p: 192 if (checkArgCount(*this, TheCall, 1)) return true; 193 TheCall->setType(Context.IntTy); 194 break; 195 case Builtin::BI__sync_fetch_and_add: 196 case Builtin::BI__sync_fetch_and_add_1: 197 case Builtin::BI__sync_fetch_and_add_2: 198 case Builtin::BI__sync_fetch_and_add_4: 199 case Builtin::BI__sync_fetch_and_add_8: 200 case Builtin::BI__sync_fetch_and_add_16: 201 case Builtin::BI__sync_fetch_and_sub: 202 case Builtin::BI__sync_fetch_and_sub_1: 203 case Builtin::BI__sync_fetch_and_sub_2: 204 case Builtin::BI__sync_fetch_and_sub_4: 205 case Builtin::BI__sync_fetch_and_sub_8: 206 case Builtin::BI__sync_fetch_and_sub_16: 207 case Builtin::BI__sync_fetch_and_or: 208 case Builtin::BI__sync_fetch_and_or_1: 209 case Builtin::BI__sync_fetch_and_or_2: 210 case Builtin::BI__sync_fetch_and_or_4: 211 case Builtin::BI__sync_fetch_and_or_8: 212 case Builtin::BI__sync_fetch_and_or_16: 213 case Builtin::BI__sync_fetch_and_and: 214 case Builtin::BI__sync_fetch_and_and_1: 215 case Builtin::BI__sync_fetch_and_and_2: 216 case Builtin::BI__sync_fetch_and_and_4: 217 case Builtin::BI__sync_fetch_and_and_8: 218 case Builtin::BI__sync_fetch_and_and_16: 219 case Builtin::BI__sync_fetch_and_xor: 220 case Builtin::BI__sync_fetch_and_xor_1: 221 case Builtin::BI__sync_fetch_and_xor_2: 222 case Builtin::BI__sync_fetch_and_xor_4: 223 case Builtin::BI__sync_fetch_and_xor_8: 224 case Builtin::BI__sync_fetch_and_xor_16: 225 case Builtin::BI__sync_add_and_fetch: 226 case Builtin::BI__sync_add_and_fetch_1: 227 case Builtin::BI__sync_add_and_fetch_2: 228 case Builtin::BI__sync_add_and_fetch_4: 229 case Builtin::BI__sync_add_and_fetch_8: 230 case Builtin::BI__sync_add_and_fetch_16: 231 case Builtin::BI__sync_sub_and_fetch: 232 case Builtin::BI__sync_sub_and_fetch_1: 233 case Builtin::BI__sync_sub_and_fetch_2: 234 case Builtin::BI__sync_sub_and_fetch_4: 235 case Builtin::BI__sync_sub_and_fetch_8: 236 case Builtin::BI__sync_sub_and_fetch_16: 237 case Builtin::BI__sync_and_and_fetch: 238 case Builtin::BI__sync_and_and_fetch_1: 239 case Builtin::BI__sync_and_and_fetch_2: 240 case Builtin::BI__sync_and_and_fetch_4: 241 case Builtin::BI__sync_and_and_fetch_8: 242 case Builtin::BI__sync_and_and_fetch_16: 243 case Builtin::BI__sync_or_and_fetch: 244 case Builtin::BI__sync_or_and_fetch_1: 245 case Builtin::BI__sync_or_and_fetch_2: 246 case Builtin::BI__sync_or_and_fetch_4: 247 case Builtin::BI__sync_or_and_fetch_8: 248 case Builtin::BI__sync_or_and_fetch_16: 249 case Builtin::BI__sync_xor_and_fetch: 250 case Builtin::BI__sync_xor_and_fetch_1: 251 case Builtin::BI__sync_xor_and_fetch_2: 252 case Builtin::BI__sync_xor_and_fetch_4: 253 case Builtin::BI__sync_xor_and_fetch_8: 254 case Builtin::BI__sync_xor_and_fetch_16: 255 case Builtin::BI__sync_val_compare_and_swap: 256 case Builtin::BI__sync_val_compare_and_swap_1: 257 case Builtin::BI__sync_val_compare_and_swap_2: 258 case Builtin::BI__sync_val_compare_and_swap_4: 259 case Builtin::BI__sync_val_compare_and_swap_8: 260 case Builtin::BI__sync_val_compare_and_swap_16: 261 case Builtin::BI__sync_bool_compare_and_swap: 262 case Builtin::BI__sync_bool_compare_and_swap_1: 263 case Builtin::BI__sync_bool_compare_and_swap_2: 264 case Builtin::BI__sync_bool_compare_and_swap_4: 265 case Builtin::BI__sync_bool_compare_and_swap_8: 266 case Builtin::BI__sync_bool_compare_and_swap_16: 267 case Builtin::BI__sync_lock_test_and_set: 268 case Builtin::BI__sync_lock_test_and_set_1: 269 case Builtin::BI__sync_lock_test_and_set_2: 270 case Builtin::BI__sync_lock_test_and_set_4: 271 case Builtin::BI__sync_lock_test_and_set_8: 272 case Builtin::BI__sync_lock_test_and_set_16: 273 case Builtin::BI__sync_lock_release: 274 case Builtin::BI__sync_lock_release_1: 275 case Builtin::BI__sync_lock_release_2: 276 case Builtin::BI__sync_lock_release_4: 277 case Builtin::BI__sync_lock_release_8: 278 case Builtin::BI__sync_lock_release_16: 279 case Builtin::BI__sync_swap: 280 case Builtin::BI__sync_swap_1: 281 case Builtin::BI__sync_swap_2: 282 case Builtin::BI__sync_swap_4: 283 case Builtin::BI__sync_swap_8: 284 case Builtin::BI__sync_swap_16: 285 return SemaBuiltinAtomicOverloaded(TheCallResult); 286#define BUILTIN(ID, TYPE, ATTRS) 287#define ATOMIC_BUILTIN(ID, TYPE, ATTRS) \ 288 case Builtin::BI##ID: \ 289 return SemaAtomicOpsOverloaded(TheCallResult, AtomicExpr::AO##ID); 290#include "clang/Basic/Builtins.def" 291 case Builtin::BI__builtin_annotation: 292 if (SemaBuiltinAnnotation(*this, TheCall)) 293 return ExprError(); 294 break; 295 case Builtin::BI__builtin_addressof: 296 if (SemaBuiltinAddressof(*this, TheCall)) 297 return ExprError(); 298 break; 299 case Builtin::BI__builtin_operator_new: 300 case Builtin::BI__builtin_operator_delete: 301 if (!getLangOpts().CPlusPlus) { 302 Diag(TheCall->getExprLoc(), diag::err_builtin_requires_language) 303 << (BuiltinID == Builtin::BI__builtin_operator_new 304 ? "__builtin_operator_new" 305 : "__builtin_operator_delete") 306 << "C++"; 307 return ExprError(); 308 } 309 // CodeGen assumes it can find the global new and delete to call, 310 // so ensure that they are declared. 311 DeclareGlobalNewDelete(); 312 break; 313 } 314 315 // Since the target specific builtins for each arch overlap, only check those 316 // of the arch we are compiling for. 317 if (BuiltinID >= Builtin::FirstTSBuiltin) { 318 switch (Context.getTargetInfo().getTriple().getArch()) { 319 case llvm::Triple::arm: 320 case llvm::Triple::armeb: 321 case llvm::Triple::thumb: 322 case llvm::Triple::thumbeb: 323 if (CheckARMBuiltinFunctionCall(BuiltinID, TheCall)) 324 return ExprError(); 325 break; 326 case llvm::Triple::aarch64: 327 case llvm::Triple::aarch64_be: 328 case llvm::Triple::arm64: 329 case llvm::Triple::arm64_be: 330 if (CheckAArch64BuiltinFunctionCall(BuiltinID, TheCall)) 331 return ExprError(); 332 break; 333 case llvm::Triple::mips: 334 case llvm::Triple::mipsel: 335 case llvm::Triple::mips64: 336 case llvm::Triple::mips64el: 337 if (CheckMipsBuiltinFunctionCall(BuiltinID, TheCall)) 338 return ExprError(); 339 break; 340 case llvm::Triple::x86: 341 case llvm::Triple::x86_64: 342 if (CheckX86BuiltinFunctionCall(BuiltinID, TheCall)) 343 return ExprError(); 344 break; 345 default: 346 break; 347 } 348 } 349 350 return TheCallResult; 351} 352 353// Get the valid immediate range for the specified NEON type code. 354static unsigned RFT(unsigned t, bool shift = false, bool ForceQuad = false) { 355 NeonTypeFlags Type(t); 356 int IsQuad = ForceQuad ? true : Type.isQuad(); 357 switch (Type.getEltType()) { 358 case NeonTypeFlags::Int8: 359 case NeonTypeFlags::Poly8: 360 return shift ? 7 : (8 << IsQuad) - 1; 361 case NeonTypeFlags::Int16: 362 case NeonTypeFlags::Poly16: 363 return shift ? 15 : (4 << IsQuad) - 1; 364 case NeonTypeFlags::Int32: 365 return shift ? 31 : (2 << IsQuad) - 1; 366 case NeonTypeFlags::Int64: 367 case NeonTypeFlags::Poly64: 368 return shift ? 63 : (1 << IsQuad) - 1; 369 case NeonTypeFlags::Poly128: 370 return shift ? 127 : (1 << IsQuad) - 1; 371 case NeonTypeFlags::Float16: 372 assert(!shift && "cannot shift float types!"); 373 return (4 << IsQuad) - 1; 374 case NeonTypeFlags::Float32: 375 assert(!shift && "cannot shift float types!"); 376 return (2 << IsQuad) - 1; 377 case NeonTypeFlags::Float64: 378 assert(!shift && "cannot shift float types!"); 379 return (1 << IsQuad) - 1; 380 } 381 llvm_unreachable("Invalid NeonTypeFlag!"); 382} 383 384/// getNeonEltType - Return the QualType corresponding to the elements of 385/// the vector type specified by the NeonTypeFlags. This is used to check 386/// the pointer arguments for Neon load/store intrinsics. 387static QualType getNeonEltType(NeonTypeFlags Flags, ASTContext &Context, 388 bool IsPolyUnsigned, bool IsInt64Long) { 389 switch (Flags.getEltType()) { 390 case NeonTypeFlags::Int8: 391 return Flags.isUnsigned() ? Context.UnsignedCharTy : Context.SignedCharTy; 392 case NeonTypeFlags::Int16: 393 return Flags.isUnsigned() ? Context.UnsignedShortTy : Context.ShortTy; 394 case NeonTypeFlags::Int32: 395 return Flags.isUnsigned() ? Context.UnsignedIntTy : Context.IntTy; 396 case NeonTypeFlags::Int64: 397 if (IsInt64Long) 398 return Flags.isUnsigned() ? Context.UnsignedLongTy : Context.LongTy; 399 else 400 return Flags.isUnsigned() ? Context.UnsignedLongLongTy 401 : Context.LongLongTy; 402 case NeonTypeFlags::Poly8: 403 return IsPolyUnsigned ? Context.UnsignedCharTy : Context.SignedCharTy; 404 case NeonTypeFlags::Poly16: 405 return IsPolyUnsigned ? Context.UnsignedShortTy : Context.ShortTy; 406 case NeonTypeFlags::Poly64: 407 return Context.UnsignedLongTy; 408 case NeonTypeFlags::Poly128: 409 break; 410 case NeonTypeFlags::Float16: 411 return Context.HalfTy; 412 case NeonTypeFlags::Float32: 413 return Context.FloatTy; 414 case NeonTypeFlags::Float64: 415 return Context.DoubleTy; 416 } 417 llvm_unreachable("Invalid NeonTypeFlag!"); 418} 419 420bool Sema::CheckNeonBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 421 llvm::APSInt Result; 422 uint64_t mask = 0; 423 unsigned TV = 0; 424 int PtrArgNum = -1; 425 bool HasConstPtr = false; 426 switch (BuiltinID) { 427#define GET_NEON_OVERLOAD_CHECK 428#include "clang/Basic/arm_neon.inc" 429#undef GET_NEON_OVERLOAD_CHECK 430 } 431 432 // For NEON intrinsics which are overloaded on vector element type, validate 433 // the immediate which specifies which variant to emit. 434 unsigned ImmArg = TheCall->getNumArgs()-1; 435 if (mask) { 436 if (SemaBuiltinConstantArg(TheCall, ImmArg, Result)) 437 return true; 438 439 TV = Result.getLimitedValue(64); 440 if ((TV > 63) || (mask & (1ULL << TV)) == 0) 441 return Diag(TheCall->getLocStart(), diag::err_invalid_neon_type_code) 442 << TheCall->getArg(ImmArg)->getSourceRange(); 443 } 444 445 if (PtrArgNum >= 0) { 446 // Check that pointer arguments have the specified type. 447 Expr *Arg = TheCall->getArg(PtrArgNum); 448 if (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Arg)) 449 Arg = ICE->getSubExpr(); 450 ExprResult RHS = DefaultFunctionArrayLvalueConversion(Arg); 451 QualType RHSTy = RHS.get()->getType(); 452 453 llvm::Triple::ArchType Arch = Context.getTargetInfo().getTriple().getArch(); 454 bool IsPolyUnsigned = 455 Arch == llvm::Triple::aarch64 || Arch == llvm::Triple::arm64; 456 bool IsInt64Long = 457 Context.getTargetInfo().getInt64Type() == TargetInfo::SignedLong; 458 QualType EltTy = 459 getNeonEltType(NeonTypeFlags(TV), Context, IsPolyUnsigned, IsInt64Long); 460 if (HasConstPtr) 461 EltTy = EltTy.withConst(); 462 QualType LHSTy = Context.getPointerType(EltTy); 463 AssignConvertType ConvTy; 464 ConvTy = CheckSingleAssignmentConstraints(LHSTy, RHS); 465 if (RHS.isInvalid()) 466 return true; 467 if (DiagnoseAssignmentResult(ConvTy, Arg->getLocStart(), LHSTy, RHSTy, 468 RHS.get(), AA_Assigning)) 469 return true; 470 } 471 472 // For NEON intrinsics which take an immediate value as part of the 473 // instruction, range check them here. 474 unsigned i = 0, l = 0, u = 0; 475 switch (BuiltinID) { 476 default: 477 return false; 478#define GET_NEON_IMMEDIATE_CHECK 479#include "clang/Basic/arm_neon.inc" 480#undef GET_NEON_IMMEDIATE_CHECK 481 } 482 483 return SemaBuiltinConstantArgRange(TheCall, i, l, u + l); 484} 485 486bool Sema::CheckARMBuiltinExclusiveCall(unsigned BuiltinID, CallExpr *TheCall, 487 unsigned MaxWidth) { 488 assert((BuiltinID == ARM::BI__builtin_arm_ldrex || 489 BuiltinID == ARM::BI__builtin_arm_ldaex || 490 BuiltinID == ARM::BI__builtin_arm_strex || 491 BuiltinID == ARM::BI__builtin_arm_stlex || 492 BuiltinID == AArch64::BI__builtin_arm_ldrex || 493 BuiltinID == AArch64::BI__builtin_arm_ldaex || 494 BuiltinID == AArch64::BI__builtin_arm_strex || 495 BuiltinID == AArch64::BI__builtin_arm_stlex) && 496 "unexpected ARM builtin"); 497 bool IsLdrex = BuiltinID == ARM::BI__builtin_arm_ldrex || 498 BuiltinID == ARM::BI__builtin_arm_ldaex || 499 BuiltinID == AArch64::BI__builtin_arm_ldrex || 500 BuiltinID == AArch64::BI__builtin_arm_ldaex; 501 502 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 503 504 // Ensure that we have the proper number of arguments. 505 if (checkArgCount(*this, TheCall, IsLdrex ? 1 : 2)) 506 return true; 507 508 // Inspect the pointer argument of the atomic builtin. This should always be 509 // a pointer type, whose element is an integral scalar or pointer type. 510 // Because it is a pointer type, we don't have to worry about any implicit 511 // casts here. 512 Expr *PointerArg = TheCall->getArg(IsLdrex ? 0 : 1); 513 ExprResult PointerArgRes = DefaultFunctionArrayLvalueConversion(PointerArg); 514 if (PointerArgRes.isInvalid()) 515 return true; 516 PointerArg = PointerArgRes.get(); 517 518 const PointerType *pointerType = PointerArg->getType()->getAs<PointerType>(); 519 if (!pointerType) { 520 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 521 << PointerArg->getType() << PointerArg->getSourceRange(); 522 return true; 523 } 524 525 // ldrex takes a "const volatile T*" and strex takes a "volatile T*". Our next 526 // task is to insert the appropriate casts into the AST. First work out just 527 // what the appropriate type is. 528 QualType ValType = pointerType->getPointeeType(); 529 QualType AddrType = ValType.getUnqualifiedType().withVolatile(); 530 if (IsLdrex) 531 AddrType.addConst(); 532 533 // Issue a warning if the cast is dodgy. 534 CastKind CastNeeded = CK_NoOp; 535 if (!AddrType.isAtLeastAsQualifiedAs(ValType)) { 536 CastNeeded = CK_BitCast; 537 Diag(DRE->getLocStart(), diag::ext_typecheck_convert_discards_qualifiers) 538 << PointerArg->getType() 539 << Context.getPointerType(AddrType) 540 << AA_Passing << PointerArg->getSourceRange(); 541 } 542 543 // Finally, do the cast and replace the argument with the corrected version. 544 AddrType = Context.getPointerType(AddrType); 545 PointerArgRes = ImpCastExprToType(PointerArg, AddrType, CastNeeded); 546 if (PointerArgRes.isInvalid()) 547 return true; 548 PointerArg = PointerArgRes.get(); 549 550 TheCall->setArg(IsLdrex ? 0 : 1, PointerArg); 551 552 // In general, we allow ints, floats and pointers to be loaded and stored. 553 if (!ValType->isIntegerType() && !ValType->isAnyPointerType() && 554 !ValType->isBlockPointerType() && !ValType->isFloatingType()) { 555 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer_intfltptr) 556 << PointerArg->getType() << PointerArg->getSourceRange(); 557 return true; 558 } 559 560 // But ARM doesn't have instructions to deal with 128-bit versions. 561 if (Context.getTypeSize(ValType) > MaxWidth) { 562 assert(MaxWidth == 64 && "Diagnostic unexpectedly inaccurate"); 563 Diag(DRE->getLocStart(), diag::err_atomic_exclusive_builtin_pointer_size) 564 << PointerArg->getType() << PointerArg->getSourceRange(); 565 return true; 566 } 567 568 switch (ValType.getObjCLifetime()) { 569 case Qualifiers::OCL_None: 570 case Qualifiers::OCL_ExplicitNone: 571 // okay 572 break; 573 574 case Qualifiers::OCL_Weak: 575 case Qualifiers::OCL_Strong: 576 case Qualifiers::OCL_Autoreleasing: 577 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 578 << ValType << PointerArg->getSourceRange(); 579 return true; 580 } 581 582 583 if (IsLdrex) { 584 TheCall->setType(ValType); 585 return false; 586 } 587 588 // Initialize the argument to be stored. 589 ExprResult ValArg = TheCall->getArg(0); 590 InitializedEntity Entity = InitializedEntity::InitializeParameter( 591 Context, ValType, /*consume*/ false); 592 ValArg = PerformCopyInitialization(Entity, SourceLocation(), ValArg); 593 if (ValArg.isInvalid()) 594 return true; 595 TheCall->setArg(0, ValArg.get()); 596 597 // __builtin_arm_strex always returns an int. It's marked as such in the .def, 598 // but the custom checker bypasses all default analysis. 599 TheCall->setType(Context.IntTy); 600 return false; 601} 602 603bool Sema::CheckARMBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 604 llvm::APSInt Result; 605 606 if (BuiltinID == ARM::BI__builtin_arm_ldrex || 607 BuiltinID == ARM::BI__builtin_arm_ldaex || 608 BuiltinID == ARM::BI__builtin_arm_strex || 609 BuiltinID == ARM::BI__builtin_arm_stlex) { 610 return CheckARMBuiltinExclusiveCall(BuiltinID, TheCall, 64); 611 } 612 613 if (CheckNeonBuiltinFunctionCall(BuiltinID, TheCall)) 614 return true; 615 616 // For intrinsics which take an immediate value as part of the instruction, 617 // range check them here. 618 unsigned i = 0, l = 0, u = 0; 619 switch (BuiltinID) { 620 default: return false; 621 case ARM::BI__builtin_arm_ssat: i = 1; l = 1; u = 31; break; 622 case ARM::BI__builtin_arm_usat: i = 1; u = 31; break; 623 case ARM::BI__builtin_arm_vcvtr_f: 624 case ARM::BI__builtin_arm_vcvtr_d: i = 1; u = 1; break; 625 case ARM::BI__builtin_arm_dmb: 626 case ARM::BI__builtin_arm_dsb: 627 case ARM::BI__builtin_arm_isb: l = 0; u = 15; break; 628 } 629 630 // FIXME: VFP Intrinsics should error if VFP not present. 631 return SemaBuiltinConstantArgRange(TheCall, i, l, u + l); 632} 633 634bool Sema::CheckAArch64BuiltinFunctionCall(unsigned BuiltinID, 635 CallExpr *TheCall) { 636 llvm::APSInt Result; 637 638 if (BuiltinID == AArch64::BI__builtin_arm_ldrex || 639 BuiltinID == AArch64::BI__builtin_arm_ldaex || 640 BuiltinID == AArch64::BI__builtin_arm_strex || 641 BuiltinID == AArch64::BI__builtin_arm_stlex) { 642 return CheckARMBuiltinExclusiveCall(BuiltinID, TheCall, 128); 643 } 644 645 if (CheckNeonBuiltinFunctionCall(BuiltinID, TheCall)) 646 return true; 647 648 return false; 649} 650 651bool Sema::CheckMipsBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 652 unsigned i = 0, l = 0, u = 0; 653 switch (BuiltinID) { 654 default: return false; 655 case Mips::BI__builtin_mips_wrdsp: i = 1; l = 0; u = 63; break; 656 case Mips::BI__builtin_mips_rddsp: i = 0; l = 0; u = 63; break; 657 case Mips::BI__builtin_mips_append: i = 2; l = 0; u = 31; break; 658 case Mips::BI__builtin_mips_balign: i = 2; l = 0; u = 3; break; 659 case Mips::BI__builtin_mips_precr_sra_ph_w: i = 2; l = 0; u = 31; break; 660 case Mips::BI__builtin_mips_precr_sra_r_ph_w: i = 2; l = 0; u = 31; break; 661 case Mips::BI__builtin_mips_prepend: i = 2; l = 0; u = 31; break; 662 } 663 664 return SemaBuiltinConstantArgRange(TheCall, i, l, u); 665} 666 667bool Sema::CheckX86BuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 668 switch (BuiltinID) { 669 case X86::BI_mm_prefetch: 670 // This is declared to take (const char*, int) 671 return SemaBuiltinConstantArgRange(TheCall, 1, 0, 3); 672 } 673 return false; 674} 675 676/// Given a FunctionDecl's FormatAttr, attempts to populate the FomatStringInfo 677/// parameter with the FormatAttr's correct format_idx and firstDataArg. 678/// Returns true when the format fits the function and the FormatStringInfo has 679/// been populated. 680bool Sema::getFormatStringInfo(const FormatAttr *Format, bool IsCXXMember, 681 FormatStringInfo *FSI) { 682 FSI->HasVAListArg = Format->getFirstArg() == 0; 683 FSI->FormatIdx = Format->getFormatIdx() - 1; 684 FSI->FirstDataArg = FSI->HasVAListArg ? 0 : Format->getFirstArg() - 1; 685 686 // The way the format attribute works in GCC, the implicit this argument 687 // of member functions is counted. However, it doesn't appear in our own 688 // lists, so decrement format_idx in that case. 689 if (IsCXXMember) { 690 if(FSI->FormatIdx == 0) 691 return false; 692 --FSI->FormatIdx; 693 if (FSI->FirstDataArg != 0) 694 --FSI->FirstDataArg; 695 } 696 return true; 697} 698 699/// Checks if a the given expression evaluates to null. 700/// 701/// \brief Returns true if the value evaluates to null. 702static bool CheckNonNullExpr(Sema &S, 703 const Expr *Expr) { 704 // As a special case, transparent unions initialized with zero are 705 // considered null for the purposes of the nonnull attribute. 706 if (const RecordType *UT = Expr->getType()->getAsUnionType()) { 707 if (UT->getDecl()->hasAttr<TransparentUnionAttr>()) 708 if (const CompoundLiteralExpr *CLE = 709 dyn_cast<CompoundLiteralExpr>(Expr)) 710 if (const InitListExpr *ILE = 711 dyn_cast<InitListExpr>(CLE->getInitializer())) 712 Expr = ILE->getInit(0); 713 } 714 715 bool Result; 716 return (!Expr->isValueDependent() && 717 Expr->EvaluateAsBooleanCondition(Result, S.Context) && 718 !Result); 719} 720 721static void CheckNonNullArgument(Sema &S, 722 const Expr *ArgExpr, 723 SourceLocation CallSiteLoc) { 724 if (CheckNonNullExpr(S, ArgExpr)) 725 S.Diag(CallSiteLoc, diag::warn_null_arg) << ArgExpr->getSourceRange(); 726} 727 728static void CheckNonNullArguments(Sema &S, 729 const NamedDecl *FDecl, 730 const Expr * const *ExprArgs, 731 SourceLocation CallSiteLoc) { 732 // Check the attributes attached to the method/function itself. 733 for (const auto *NonNull : FDecl->specific_attrs<NonNullAttr>()) { 734 for (const auto &Val : NonNull->args()) 735 CheckNonNullArgument(S, ExprArgs[Val], CallSiteLoc); 736 } 737 738 // Check the attributes on the parameters. 739 ArrayRef<ParmVarDecl*> parms; 740 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(FDecl)) 741 parms = FD->parameters(); 742 else if (const ObjCMethodDecl *MD = dyn_cast<ObjCMethodDecl>(FDecl)) 743 parms = MD->parameters(); 744 745 unsigned argIndex = 0; 746 for (ArrayRef<ParmVarDecl*>::iterator I = parms.begin(), E = parms.end(); 747 I != E; ++I, ++argIndex) { 748 const ParmVarDecl *PVD = *I; 749 if (PVD->hasAttr<NonNullAttr>()) 750 CheckNonNullArgument(S, ExprArgs[argIndex], CallSiteLoc); 751 } 752} 753 754/// Handles the checks for format strings, non-POD arguments to vararg 755/// functions, and NULL arguments passed to non-NULL parameters. 756void Sema::checkCall(NamedDecl *FDecl, ArrayRef<const Expr *> Args, 757 unsigned NumParams, bool IsMemberFunction, 758 SourceLocation Loc, SourceRange Range, 759 VariadicCallType CallType) { 760 // FIXME: We should check as much as we can in the template definition. 761 if (CurContext->isDependentContext()) 762 return; 763 764 // Printf and scanf checking. 765 llvm::SmallBitVector CheckedVarArgs; 766 if (FDecl) { 767 for (const auto *I : FDecl->specific_attrs<FormatAttr>()) { 768 // Only create vector if there are format attributes. 769 CheckedVarArgs.resize(Args.size()); 770 771 CheckFormatArguments(I, Args, IsMemberFunction, CallType, Loc, Range, 772 CheckedVarArgs); 773 } 774 } 775 776 // Refuse POD arguments that weren't caught by the format string 777 // checks above. 778 if (CallType != VariadicDoesNotApply) { 779 for (unsigned ArgIdx = NumParams; ArgIdx < Args.size(); ++ArgIdx) { 780 // Args[ArgIdx] can be null in malformed code. 781 if (const Expr *Arg = Args[ArgIdx]) { 782 if (CheckedVarArgs.empty() || !CheckedVarArgs[ArgIdx]) 783 checkVariadicArgument(Arg, CallType); 784 } 785 } 786 } 787 788 if (FDecl) { 789 CheckNonNullArguments(*this, FDecl, Args.data(), Loc); 790 791 // Type safety checking. 792 for (const auto *I : FDecl->specific_attrs<ArgumentWithTypeTagAttr>()) 793 CheckArgumentWithTypeTag(I, Args.data()); 794 } 795} 796 797/// CheckConstructorCall - Check a constructor call for correctness and safety 798/// properties not enforced by the C type system. 799void Sema::CheckConstructorCall(FunctionDecl *FDecl, 800 ArrayRef<const Expr *> Args, 801 const FunctionProtoType *Proto, 802 SourceLocation Loc) { 803 VariadicCallType CallType = 804 Proto->isVariadic() ? VariadicConstructor : VariadicDoesNotApply; 805 checkCall(FDecl, Args, Proto->getNumParams(), 806 /*IsMemberFunction=*/true, Loc, SourceRange(), CallType); 807} 808 809/// CheckFunctionCall - Check a direct function call for various correctness 810/// and safety properties not strictly enforced by the C type system. 811bool Sema::CheckFunctionCall(FunctionDecl *FDecl, CallExpr *TheCall, 812 const FunctionProtoType *Proto) { 813 bool IsMemberOperatorCall = isa<CXXOperatorCallExpr>(TheCall) && 814 isa<CXXMethodDecl>(FDecl); 815 bool IsMemberFunction = isa<CXXMemberCallExpr>(TheCall) || 816 IsMemberOperatorCall; 817 VariadicCallType CallType = getVariadicCallType(FDecl, Proto, 818 TheCall->getCallee()); 819 unsigned NumParams = Proto ? Proto->getNumParams() : 0; 820 Expr** Args = TheCall->getArgs(); 821 unsigned NumArgs = TheCall->getNumArgs(); 822 if (IsMemberOperatorCall) { 823 // If this is a call to a member operator, hide the first argument 824 // from checkCall. 825 // FIXME: Our choice of AST representation here is less than ideal. 826 ++Args; 827 --NumArgs; 828 } 829 checkCall(FDecl, llvm::makeArrayRef<const Expr *>(Args, NumArgs), NumParams, 830 IsMemberFunction, TheCall->getRParenLoc(), 831 TheCall->getCallee()->getSourceRange(), CallType); 832 833 IdentifierInfo *FnInfo = FDecl->getIdentifier(); 834 // None of the checks below are needed for functions that don't have 835 // simple names (e.g., C++ conversion functions). 836 if (!FnInfo) 837 return false; 838 839 CheckAbsoluteValueFunction(TheCall, FDecl, FnInfo); 840 841 unsigned CMId = FDecl->getMemoryFunctionKind(); 842 if (CMId == 0) 843 return false; 844 845 // Handle memory setting and copying functions. 846 if (CMId == Builtin::BIstrlcpy || CMId == Builtin::BIstrlcat) 847 CheckStrlcpycatArguments(TheCall, FnInfo); 848 else if (CMId == Builtin::BIstrncat) 849 CheckStrncatArguments(TheCall, FnInfo); 850 else 851 CheckMemaccessArguments(TheCall, CMId, FnInfo); 852 853 return false; 854} 855 856bool Sema::CheckObjCMethodCall(ObjCMethodDecl *Method, SourceLocation lbrac, 857 ArrayRef<const Expr *> Args) { 858 VariadicCallType CallType = 859 Method->isVariadic() ? VariadicMethod : VariadicDoesNotApply; 860 861 checkCall(Method, Args, Method->param_size(), 862 /*IsMemberFunction=*/false, 863 lbrac, Method->getSourceRange(), CallType); 864 865 return false; 866} 867 868bool Sema::CheckPointerCall(NamedDecl *NDecl, CallExpr *TheCall, 869 const FunctionProtoType *Proto) { 870 const VarDecl *V = dyn_cast<VarDecl>(NDecl); 871 if (!V) 872 return false; 873 874 QualType Ty = V->getType(); 875 if (!Ty->isBlockPointerType() && !Ty->isFunctionPointerType()) 876 return false; 877 878 VariadicCallType CallType; 879 if (!Proto || !Proto->isVariadic()) { 880 CallType = VariadicDoesNotApply; 881 } else if (Ty->isBlockPointerType()) { 882 CallType = VariadicBlock; 883 } else { // Ty->isFunctionPointerType() 884 CallType = VariadicFunction; 885 } 886 unsigned NumParams = Proto ? Proto->getNumParams() : 0; 887 888 checkCall(NDecl, llvm::makeArrayRef<const Expr *>(TheCall->getArgs(), 889 TheCall->getNumArgs()), 890 NumParams, /*IsMemberFunction=*/false, TheCall->getRParenLoc(), 891 TheCall->getCallee()->getSourceRange(), CallType); 892 893 return false; 894} 895 896/// Checks function calls when a FunctionDecl or a NamedDecl is not available, 897/// such as function pointers returned from functions. 898bool Sema::CheckOtherCall(CallExpr *TheCall, const FunctionProtoType *Proto) { 899 VariadicCallType CallType = getVariadicCallType(/*FDecl=*/nullptr, Proto, 900 TheCall->getCallee()); 901 unsigned NumParams = Proto ? Proto->getNumParams() : 0; 902 903 checkCall(/*FDecl=*/nullptr, 904 llvm::makeArrayRef<const Expr *>(TheCall->getArgs(), 905 TheCall->getNumArgs()), 906 NumParams, /*IsMemberFunction=*/false, TheCall->getRParenLoc(), 907 TheCall->getCallee()->getSourceRange(), CallType); 908 909 return false; 910} 911 912static bool isValidOrderingForOp(int64_t Ordering, AtomicExpr::AtomicOp Op) { 913 if (Ordering < AtomicExpr::AO_ABI_memory_order_relaxed || 914 Ordering > AtomicExpr::AO_ABI_memory_order_seq_cst) 915 return false; 916 917 switch (Op) { 918 case AtomicExpr::AO__c11_atomic_init: 919 llvm_unreachable("There is no ordering argument for an init"); 920 921 case AtomicExpr::AO__c11_atomic_load: 922 case AtomicExpr::AO__atomic_load_n: 923 case AtomicExpr::AO__atomic_load: 924 return Ordering != AtomicExpr::AO_ABI_memory_order_release && 925 Ordering != AtomicExpr::AO_ABI_memory_order_acq_rel; 926 927 case AtomicExpr::AO__c11_atomic_store: 928 case AtomicExpr::AO__atomic_store: 929 case AtomicExpr::AO__atomic_store_n: 930 return Ordering != AtomicExpr::AO_ABI_memory_order_consume && 931 Ordering != AtomicExpr::AO_ABI_memory_order_acquire && 932 Ordering != AtomicExpr::AO_ABI_memory_order_acq_rel; 933 934 default: 935 return true; 936 } 937} 938 939ExprResult Sema::SemaAtomicOpsOverloaded(ExprResult TheCallResult, 940 AtomicExpr::AtomicOp Op) { 941 CallExpr *TheCall = cast<CallExpr>(TheCallResult.get()); 942 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 943 944 // All these operations take one of the following forms: 945 enum { 946 // C __c11_atomic_init(A *, C) 947 Init, 948 // C __c11_atomic_load(A *, int) 949 Load, 950 // void __atomic_load(A *, CP, int) 951 Copy, 952 // C __c11_atomic_add(A *, M, int) 953 Arithmetic, 954 // C __atomic_exchange_n(A *, CP, int) 955 Xchg, 956 // void __atomic_exchange(A *, C *, CP, int) 957 GNUXchg, 958 // bool __c11_atomic_compare_exchange_strong(A *, C *, CP, int, int) 959 C11CmpXchg, 960 // bool __atomic_compare_exchange(A *, C *, CP, bool, int, int) 961 GNUCmpXchg 962 } Form = Init; 963 const unsigned NumArgs[] = { 2, 2, 3, 3, 3, 4, 5, 6 }; 964 const unsigned NumVals[] = { 1, 0, 1, 1, 1, 2, 2, 3 }; 965 // where: 966 // C is an appropriate type, 967 // A is volatile _Atomic(C) for __c11 builtins and is C for GNU builtins, 968 // CP is C for __c11 builtins and GNU _n builtins and is C * otherwise, 969 // M is C if C is an integer, and ptrdiff_t if C is a pointer, and 970 // the int parameters are for orderings. 971 972 assert(AtomicExpr::AO__c11_atomic_init == 0 && 973 AtomicExpr::AO__c11_atomic_fetch_xor + 1 == AtomicExpr::AO__atomic_load 974 && "need to update code for modified C11 atomics"); 975 bool IsC11 = Op >= AtomicExpr::AO__c11_atomic_init && 976 Op <= AtomicExpr::AO__c11_atomic_fetch_xor; 977 bool IsN = Op == AtomicExpr::AO__atomic_load_n || 978 Op == AtomicExpr::AO__atomic_store_n || 979 Op == AtomicExpr::AO__atomic_exchange_n || 980 Op == AtomicExpr::AO__atomic_compare_exchange_n; 981 bool IsAddSub = false; 982 983 switch (Op) { 984 case AtomicExpr::AO__c11_atomic_init: 985 Form = Init; 986 break; 987 988 case AtomicExpr::AO__c11_atomic_load: 989 case AtomicExpr::AO__atomic_load_n: 990 Form = Load; 991 break; 992 993 case AtomicExpr::AO__c11_atomic_store: 994 case AtomicExpr::AO__atomic_load: 995 case AtomicExpr::AO__atomic_store: 996 case AtomicExpr::AO__atomic_store_n: 997 Form = Copy; 998 break; 999 1000 case AtomicExpr::AO__c11_atomic_fetch_add: 1001 case AtomicExpr::AO__c11_atomic_fetch_sub: 1002 case AtomicExpr::AO__atomic_fetch_add: 1003 case AtomicExpr::AO__atomic_fetch_sub: 1004 case AtomicExpr::AO__atomic_add_fetch: 1005 case AtomicExpr::AO__atomic_sub_fetch: 1006 IsAddSub = true; 1007 // Fall through. 1008 case AtomicExpr::AO__c11_atomic_fetch_and: 1009 case AtomicExpr::AO__c11_atomic_fetch_or: 1010 case AtomicExpr::AO__c11_atomic_fetch_xor: 1011 case AtomicExpr::AO__atomic_fetch_and: 1012 case AtomicExpr::AO__atomic_fetch_or: 1013 case AtomicExpr::AO__atomic_fetch_xor: 1014 case AtomicExpr::AO__atomic_fetch_nand: 1015 case AtomicExpr::AO__atomic_and_fetch: 1016 case AtomicExpr::AO__atomic_or_fetch: 1017 case AtomicExpr::AO__atomic_xor_fetch: 1018 case AtomicExpr::AO__atomic_nand_fetch: 1019 Form = Arithmetic; 1020 break; 1021 1022 case AtomicExpr::AO__c11_atomic_exchange: 1023 case AtomicExpr::AO__atomic_exchange_n: 1024 Form = Xchg; 1025 break; 1026 1027 case AtomicExpr::AO__atomic_exchange: 1028 Form = GNUXchg; 1029 break; 1030 1031 case AtomicExpr::AO__c11_atomic_compare_exchange_strong: 1032 case AtomicExpr::AO__c11_atomic_compare_exchange_weak: 1033 Form = C11CmpXchg; 1034 break; 1035 1036 case AtomicExpr::AO__atomic_compare_exchange: 1037 case AtomicExpr::AO__atomic_compare_exchange_n: 1038 Form = GNUCmpXchg; 1039 break; 1040 } 1041 1042 // Check we have the right number of arguments. 1043 if (TheCall->getNumArgs() < NumArgs[Form]) { 1044 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 1045 << 0 << NumArgs[Form] << TheCall->getNumArgs() 1046 << TheCall->getCallee()->getSourceRange(); 1047 return ExprError(); 1048 } else if (TheCall->getNumArgs() > NumArgs[Form]) { 1049 Diag(TheCall->getArg(NumArgs[Form])->getLocStart(), 1050 diag::err_typecheck_call_too_many_args) 1051 << 0 << NumArgs[Form] << TheCall->getNumArgs() 1052 << TheCall->getCallee()->getSourceRange(); 1053 return ExprError(); 1054 } 1055 1056 // Inspect the first argument of the atomic operation. 1057 Expr *Ptr = TheCall->getArg(0); 1058 Ptr = DefaultFunctionArrayLvalueConversion(Ptr).get(); 1059 const PointerType *pointerType = Ptr->getType()->getAs<PointerType>(); 1060 if (!pointerType) { 1061 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 1062 << Ptr->getType() << Ptr->getSourceRange(); 1063 return ExprError(); 1064 } 1065 1066 // For a __c11 builtin, this should be a pointer to an _Atomic type. 1067 QualType AtomTy = pointerType->getPointeeType(); // 'A' 1068 QualType ValType = AtomTy; // 'C' 1069 if (IsC11) { 1070 if (!AtomTy->isAtomicType()) { 1071 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic) 1072 << Ptr->getType() << Ptr->getSourceRange(); 1073 return ExprError(); 1074 } 1075 if (AtomTy.isConstQualified()) { 1076 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_non_const_atomic) 1077 << Ptr->getType() << Ptr->getSourceRange(); 1078 return ExprError(); 1079 } 1080 ValType = AtomTy->getAs<AtomicType>()->getValueType(); 1081 } 1082 1083 // For an arithmetic operation, the implied arithmetic must be well-formed. 1084 if (Form == Arithmetic) { 1085 // gcc does not enforce these rules for GNU atomics, but we do so for sanity. 1086 if (IsAddSub && !ValType->isIntegerType() && !ValType->isPointerType()) { 1087 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic_int_or_ptr) 1088 << IsC11 << Ptr->getType() << Ptr->getSourceRange(); 1089 return ExprError(); 1090 } 1091 if (!IsAddSub && !ValType->isIntegerType()) { 1092 Diag(DRE->getLocStart(), diag::err_atomic_op_bitwise_needs_atomic_int) 1093 << IsC11 << Ptr->getType() << Ptr->getSourceRange(); 1094 return ExprError(); 1095 } 1096 } else if (IsN && !ValType->isIntegerType() && !ValType->isPointerType()) { 1097 // For __atomic_*_n operations, the value type must be a scalar integral or 1098 // pointer type which is 1, 2, 4, 8 or 16 bytes in length. 1099 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic_int_or_ptr) 1100 << IsC11 << Ptr->getType() << Ptr->getSourceRange(); 1101 return ExprError(); 1102 } 1103 1104 if (!IsC11 && !AtomTy.isTriviallyCopyableType(Context) && 1105 !AtomTy->isScalarType()) { 1106 // For GNU atomics, require a trivially-copyable type. This is not part of 1107 // the GNU atomics specification, but we enforce it for sanity. 1108 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_trivial_copy) 1109 << Ptr->getType() << Ptr->getSourceRange(); 1110 return ExprError(); 1111 } 1112 1113 // FIXME: For any builtin other than a load, the ValType must not be 1114 // const-qualified. 1115 1116 switch (ValType.getObjCLifetime()) { 1117 case Qualifiers::OCL_None: 1118 case Qualifiers::OCL_ExplicitNone: 1119 // okay 1120 break; 1121 1122 case Qualifiers::OCL_Weak: 1123 case Qualifiers::OCL_Strong: 1124 case Qualifiers::OCL_Autoreleasing: 1125 // FIXME: Can this happen? By this point, ValType should be known 1126 // to be trivially copyable. 1127 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 1128 << ValType << Ptr->getSourceRange(); 1129 return ExprError(); 1130 } 1131 1132 QualType ResultType = ValType; 1133 if (Form == Copy || Form == GNUXchg || Form == Init) 1134 ResultType = Context.VoidTy; 1135 else if (Form == C11CmpXchg || Form == GNUCmpXchg) 1136 ResultType = Context.BoolTy; 1137 1138 // The type of a parameter passed 'by value'. In the GNU atomics, such 1139 // arguments are actually passed as pointers. 1140 QualType ByValType = ValType; // 'CP' 1141 if (!IsC11 && !IsN) 1142 ByValType = Ptr->getType(); 1143 1144 // The first argument --- the pointer --- has a fixed type; we 1145 // deduce the types of the rest of the arguments accordingly. Walk 1146 // the remaining arguments, converting them to the deduced value type. 1147 for (unsigned i = 1; i != NumArgs[Form]; ++i) { 1148 QualType Ty; 1149 if (i < NumVals[Form] + 1) { 1150 switch (i) { 1151 case 1: 1152 // The second argument is the non-atomic operand. For arithmetic, this 1153 // is always passed by value, and for a compare_exchange it is always 1154 // passed by address. For the rest, GNU uses by-address and C11 uses 1155 // by-value. 1156 assert(Form != Load); 1157 if (Form == Init || (Form == Arithmetic && ValType->isIntegerType())) 1158 Ty = ValType; 1159 else if (Form == Copy || Form == Xchg) 1160 Ty = ByValType; 1161 else if (Form == Arithmetic) 1162 Ty = Context.getPointerDiffType(); 1163 else 1164 Ty = Context.getPointerType(ValType.getUnqualifiedType()); 1165 break; 1166 case 2: 1167 // The third argument to compare_exchange / GNU exchange is a 1168 // (pointer to a) desired value. 1169 Ty = ByValType; 1170 break; 1171 case 3: 1172 // The fourth argument to GNU compare_exchange is a 'weak' flag. 1173 Ty = Context.BoolTy; 1174 break; 1175 } 1176 } else { 1177 // The order(s) are always converted to int. 1178 Ty = Context.IntTy; 1179 } 1180 1181 InitializedEntity Entity = 1182 InitializedEntity::InitializeParameter(Context, Ty, false); 1183 ExprResult Arg = TheCall->getArg(i); 1184 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg); 1185 if (Arg.isInvalid()) 1186 return true; 1187 TheCall->setArg(i, Arg.get()); 1188 } 1189 1190 // Permute the arguments into a 'consistent' order. 1191 SmallVector<Expr*, 5> SubExprs; 1192 SubExprs.push_back(Ptr); 1193 switch (Form) { 1194 case Init: 1195 // Note, AtomicExpr::getVal1() has a special case for this atomic. 1196 SubExprs.push_back(TheCall->getArg(1)); // Val1 1197 break; 1198 case Load: 1199 SubExprs.push_back(TheCall->getArg(1)); // Order 1200 break; 1201 case Copy: 1202 case Arithmetic: 1203 case Xchg: 1204 SubExprs.push_back(TheCall->getArg(2)); // Order 1205 SubExprs.push_back(TheCall->getArg(1)); // Val1 1206 break; 1207 case GNUXchg: 1208 // Note, AtomicExpr::getVal2() has a special case for this atomic. 1209 SubExprs.push_back(TheCall->getArg(3)); // Order 1210 SubExprs.push_back(TheCall->getArg(1)); // Val1 1211 SubExprs.push_back(TheCall->getArg(2)); // Val2 1212 break; 1213 case C11CmpXchg: 1214 SubExprs.push_back(TheCall->getArg(3)); // Order 1215 SubExprs.push_back(TheCall->getArg(1)); // Val1 1216 SubExprs.push_back(TheCall->getArg(4)); // OrderFail 1217 SubExprs.push_back(TheCall->getArg(2)); // Val2 1218 break; 1219 case GNUCmpXchg: 1220 SubExprs.push_back(TheCall->getArg(4)); // Order 1221 SubExprs.push_back(TheCall->getArg(1)); // Val1 1222 SubExprs.push_back(TheCall->getArg(5)); // OrderFail 1223 SubExprs.push_back(TheCall->getArg(2)); // Val2 1224 SubExprs.push_back(TheCall->getArg(3)); // Weak 1225 break; 1226 } 1227 1228 if (SubExprs.size() >= 2 && Form != Init) { 1229 llvm::APSInt Result(32); 1230 if (SubExprs[1]->isIntegerConstantExpr(Result, Context) && 1231 !isValidOrderingForOp(Result.getSExtValue(), Op)) 1232 Diag(SubExprs[1]->getLocStart(), 1233 diag::warn_atomic_op_has_invalid_memory_order) 1234 << SubExprs[1]->getSourceRange(); 1235 } 1236 1237 AtomicExpr *AE = new (Context) AtomicExpr(TheCall->getCallee()->getLocStart(), 1238 SubExprs, ResultType, Op, 1239 TheCall->getRParenLoc()); 1240 1241 if ((Op == AtomicExpr::AO__c11_atomic_load || 1242 (Op == AtomicExpr::AO__c11_atomic_store)) && 1243 Context.AtomicUsesUnsupportedLibcall(AE)) 1244 Diag(AE->getLocStart(), diag::err_atomic_load_store_uses_lib) << 1245 ((Op == AtomicExpr::AO__c11_atomic_load) ? 0 : 1); 1246 1247 return AE; 1248} 1249 1250 1251/// checkBuiltinArgument - Given a call to a builtin function, perform 1252/// normal type-checking on the given argument, updating the call in 1253/// place. This is useful when a builtin function requires custom 1254/// type-checking for some of its arguments but not necessarily all of 1255/// them. 1256/// 1257/// Returns true on error. 1258static bool checkBuiltinArgument(Sema &S, CallExpr *E, unsigned ArgIndex) { 1259 FunctionDecl *Fn = E->getDirectCallee(); 1260 assert(Fn && "builtin call without direct callee!"); 1261 1262 ParmVarDecl *Param = Fn->getParamDecl(ArgIndex); 1263 InitializedEntity Entity = 1264 InitializedEntity::InitializeParameter(S.Context, Param); 1265 1266 ExprResult Arg = E->getArg(0); 1267 Arg = S.PerformCopyInitialization(Entity, SourceLocation(), Arg); 1268 if (Arg.isInvalid()) 1269 return true; 1270 1271 E->setArg(ArgIndex, Arg.get()); 1272 return false; 1273} 1274 1275/// SemaBuiltinAtomicOverloaded - We have a call to a function like 1276/// __sync_fetch_and_add, which is an overloaded function based on the pointer 1277/// type of its first argument. The main ActOnCallExpr routines have already 1278/// promoted the types of arguments because all of these calls are prototyped as 1279/// void(...). 1280/// 1281/// This function goes through and does final semantic checking for these 1282/// builtins, 1283ExprResult 1284Sema::SemaBuiltinAtomicOverloaded(ExprResult TheCallResult) { 1285 CallExpr *TheCall = (CallExpr *)TheCallResult.get(); 1286 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 1287 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 1288 1289 // Ensure that we have at least one argument to do type inference from. 1290 if (TheCall->getNumArgs() < 1) { 1291 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 1292 << 0 << 1 << TheCall->getNumArgs() 1293 << TheCall->getCallee()->getSourceRange(); 1294 return ExprError(); 1295 } 1296 1297 // Inspect the first argument of the atomic builtin. This should always be 1298 // a pointer type, whose element is an integral scalar or pointer type. 1299 // Because it is a pointer type, we don't have to worry about any implicit 1300 // casts here. 1301 // FIXME: We don't allow floating point scalars as input. 1302 Expr *FirstArg = TheCall->getArg(0); 1303 ExprResult FirstArgResult = DefaultFunctionArrayLvalueConversion(FirstArg); 1304 if (FirstArgResult.isInvalid()) 1305 return ExprError(); 1306 FirstArg = FirstArgResult.get(); 1307 TheCall->setArg(0, FirstArg); 1308 1309 const PointerType *pointerType = FirstArg->getType()->getAs<PointerType>(); 1310 if (!pointerType) { 1311 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 1312 << FirstArg->getType() << FirstArg->getSourceRange(); 1313 return ExprError(); 1314 } 1315 1316 QualType ValType = pointerType->getPointeeType(); 1317 if (!ValType->isIntegerType() && !ValType->isAnyPointerType() && 1318 !ValType->isBlockPointerType()) { 1319 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer_intptr) 1320 << FirstArg->getType() << FirstArg->getSourceRange(); 1321 return ExprError(); 1322 } 1323 1324 switch (ValType.getObjCLifetime()) { 1325 case Qualifiers::OCL_None: 1326 case Qualifiers::OCL_ExplicitNone: 1327 // okay 1328 break; 1329 1330 case Qualifiers::OCL_Weak: 1331 case Qualifiers::OCL_Strong: 1332 case Qualifiers::OCL_Autoreleasing: 1333 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 1334 << ValType << FirstArg->getSourceRange(); 1335 return ExprError(); 1336 } 1337 1338 // Strip any qualifiers off ValType. 1339 ValType = ValType.getUnqualifiedType(); 1340 1341 // The majority of builtins return a value, but a few have special return 1342 // types, so allow them to override appropriately below. 1343 QualType ResultType = ValType; 1344 1345 // We need to figure out which concrete builtin this maps onto. For example, 1346 // __sync_fetch_and_add with a 2 byte object turns into 1347 // __sync_fetch_and_add_2. 1348#define BUILTIN_ROW(x) \ 1349 { Builtin::BI##x##_1, Builtin::BI##x##_2, Builtin::BI##x##_4, \ 1350 Builtin::BI##x##_8, Builtin::BI##x##_16 } 1351 1352 static const unsigned BuiltinIndices[][5] = { 1353 BUILTIN_ROW(__sync_fetch_and_add), 1354 BUILTIN_ROW(__sync_fetch_and_sub), 1355 BUILTIN_ROW(__sync_fetch_and_or), 1356 BUILTIN_ROW(__sync_fetch_and_and), 1357 BUILTIN_ROW(__sync_fetch_and_xor), 1358 1359 BUILTIN_ROW(__sync_add_and_fetch), 1360 BUILTIN_ROW(__sync_sub_and_fetch), 1361 BUILTIN_ROW(__sync_and_and_fetch), 1362 BUILTIN_ROW(__sync_or_and_fetch), 1363 BUILTIN_ROW(__sync_xor_and_fetch), 1364 1365 BUILTIN_ROW(__sync_val_compare_and_swap), 1366 BUILTIN_ROW(__sync_bool_compare_and_swap), 1367 BUILTIN_ROW(__sync_lock_test_and_set), 1368 BUILTIN_ROW(__sync_lock_release), 1369 BUILTIN_ROW(__sync_swap) 1370 }; 1371#undef BUILTIN_ROW 1372 1373 // Determine the index of the size. 1374 unsigned SizeIndex; 1375 switch (Context.getTypeSizeInChars(ValType).getQuantity()) { 1376 case 1: SizeIndex = 0; break; 1377 case 2: SizeIndex = 1; break; 1378 case 4: SizeIndex = 2; break; 1379 case 8: SizeIndex = 3; break; 1380 case 16: SizeIndex = 4; break; 1381 default: 1382 Diag(DRE->getLocStart(), diag::err_atomic_builtin_pointer_size) 1383 << FirstArg->getType() << FirstArg->getSourceRange(); 1384 return ExprError(); 1385 } 1386 1387 // Each of these builtins has one pointer argument, followed by some number of 1388 // values (0, 1 or 2) followed by a potentially empty varags list of stuff 1389 // that we ignore. Find out which row of BuiltinIndices to read from as well 1390 // as the number of fixed args. 1391 unsigned BuiltinID = FDecl->getBuiltinID(); 1392 unsigned BuiltinIndex, NumFixed = 1; 1393 switch (BuiltinID) { 1394 default: llvm_unreachable("Unknown overloaded atomic builtin!"); 1395 case Builtin::BI__sync_fetch_and_add: 1396 case Builtin::BI__sync_fetch_and_add_1: 1397 case Builtin::BI__sync_fetch_and_add_2: 1398 case Builtin::BI__sync_fetch_and_add_4: 1399 case Builtin::BI__sync_fetch_and_add_8: 1400 case Builtin::BI__sync_fetch_and_add_16: 1401 BuiltinIndex = 0; 1402 break; 1403 1404 case Builtin::BI__sync_fetch_and_sub: 1405 case Builtin::BI__sync_fetch_and_sub_1: 1406 case Builtin::BI__sync_fetch_and_sub_2: 1407 case Builtin::BI__sync_fetch_and_sub_4: 1408 case Builtin::BI__sync_fetch_and_sub_8: 1409 case Builtin::BI__sync_fetch_and_sub_16: 1410 BuiltinIndex = 1; 1411 break; 1412 1413 case Builtin::BI__sync_fetch_and_or: 1414 case Builtin::BI__sync_fetch_and_or_1: 1415 case Builtin::BI__sync_fetch_and_or_2: 1416 case Builtin::BI__sync_fetch_and_or_4: 1417 case Builtin::BI__sync_fetch_and_or_8: 1418 case Builtin::BI__sync_fetch_and_or_16: 1419 BuiltinIndex = 2; 1420 break; 1421 1422 case Builtin::BI__sync_fetch_and_and: 1423 case Builtin::BI__sync_fetch_and_and_1: 1424 case Builtin::BI__sync_fetch_and_and_2: 1425 case Builtin::BI__sync_fetch_and_and_4: 1426 case Builtin::BI__sync_fetch_and_and_8: 1427 case Builtin::BI__sync_fetch_and_and_16: 1428 BuiltinIndex = 3; 1429 break; 1430 1431 case Builtin::BI__sync_fetch_and_xor: 1432 case Builtin::BI__sync_fetch_and_xor_1: 1433 case Builtin::BI__sync_fetch_and_xor_2: 1434 case Builtin::BI__sync_fetch_and_xor_4: 1435 case Builtin::BI__sync_fetch_and_xor_8: 1436 case Builtin::BI__sync_fetch_and_xor_16: 1437 BuiltinIndex = 4; 1438 break; 1439 1440 case Builtin::BI__sync_add_and_fetch: 1441 case Builtin::BI__sync_add_and_fetch_1: 1442 case Builtin::BI__sync_add_and_fetch_2: 1443 case Builtin::BI__sync_add_and_fetch_4: 1444 case Builtin::BI__sync_add_and_fetch_8: 1445 case Builtin::BI__sync_add_and_fetch_16: 1446 BuiltinIndex = 5; 1447 break; 1448 1449 case Builtin::BI__sync_sub_and_fetch: 1450 case Builtin::BI__sync_sub_and_fetch_1: 1451 case Builtin::BI__sync_sub_and_fetch_2: 1452 case Builtin::BI__sync_sub_and_fetch_4: 1453 case Builtin::BI__sync_sub_and_fetch_8: 1454 case Builtin::BI__sync_sub_and_fetch_16: 1455 BuiltinIndex = 6; 1456 break; 1457 1458 case Builtin::BI__sync_and_and_fetch: 1459 case Builtin::BI__sync_and_and_fetch_1: 1460 case Builtin::BI__sync_and_and_fetch_2: 1461 case Builtin::BI__sync_and_and_fetch_4: 1462 case Builtin::BI__sync_and_and_fetch_8: 1463 case Builtin::BI__sync_and_and_fetch_16: 1464 BuiltinIndex = 7; 1465 break; 1466 1467 case Builtin::BI__sync_or_and_fetch: 1468 case Builtin::BI__sync_or_and_fetch_1: 1469 case Builtin::BI__sync_or_and_fetch_2: 1470 case Builtin::BI__sync_or_and_fetch_4: 1471 case Builtin::BI__sync_or_and_fetch_8: 1472 case Builtin::BI__sync_or_and_fetch_16: 1473 BuiltinIndex = 8; 1474 break; 1475 1476 case Builtin::BI__sync_xor_and_fetch: 1477 case Builtin::BI__sync_xor_and_fetch_1: 1478 case Builtin::BI__sync_xor_and_fetch_2: 1479 case Builtin::BI__sync_xor_and_fetch_4: 1480 case Builtin::BI__sync_xor_and_fetch_8: 1481 case Builtin::BI__sync_xor_and_fetch_16: 1482 BuiltinIndex = 9; 1483 break; 1484 1485 case Builtin::BI__sync_val_compare_and_swap: 1486 case Builtin::BI__sync_val_compare_and_swap_1: 1487 case Builtin::BI__sync_val_compare_and_swap_2: 1488 case Builtin::BI__sync_val_compare_and_swap_4: 1489 case Builtin::BI__sync_val_compare_and_swap_8: 1490 case Builtin::BI__sync_val_compare_and_swap_16: 1491 BuiltinIndex = 10; 1492 NumFixed = 2; 1493 break; 1494 1495 case Builtin::BI__sync_bool_compare_and_swap: 1496 case Builtin::BI__sync_bool_compare_and_swap_1: 1497 case Builtin::BI__sync_bool_compare_and_swap_2: 1498 case Builtin::BI__sync_bool_compare_and_swap_4: 1499 case Builtin::BI__sync_bool_compare_and_swap_8: 1500 case Builtin::BI__sync_bool_compare_and_swap_16: 1501 BuiltinIndex = 11; 1502 NumFixed = 2; 1503 ResultType = Context.BoolTy; 1504 break; 1505 1506 case Builtin::BI__sync_lock_test_and_set: 1507 case Builtin::BI__sync_lock_test_and_set_1: 1508 case Builtin::BI__sync_lock_test_and_set_2: 1509 case Builtin::BI__sync_lock_test_and_set_4: 1510 case Builtin::BI__sync_lock_test_and_set_8: 1511 case Builtin::BI__sync_lock_test_and_set_16: 1512 BuiltinIndex = 12; 1513 break; 1514 1515 case Builtin::BI__sync_lock_release: 1516 case Builtin::BI__sync_lock_release_1: 1517 case Builtin::BI__sync_lock_release_2: 1518 case Builtin::BI__sync_lock_release_4: 1519 case Builtin::BI__sync_lock_release_8: 1520 case Builtin::BI__sync_lock_release_16: 1521 BuiltinIndex = 13; 1522 NumFixed = 0; 1523 ResultType = Context.VoidTy; 1524 break; 1525 1526 case Builtin::BI__sync_swap: 1527 case Builtin::BI__sync_swap_1: 1528 case Builtin::BI__sync_swap_2: 1529 case Builtin::BI__sync_swap_4: 1530 case Builtin::BI__sync_swap_8: 1531 case Builtin::BI__sync_swap_16: 1532 BuiltinIndex = 14; 1533 break; 1534 } 1535 1536 // Now that we know how many fixed arguments we expect, first check that we 1537 // have at least that many. 1538 if (TheCall->getNumArgs() < 1+NumFixed) { 1539 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 1540 << 0 << 1+NumFixed << TheCall->getNumArgs() 1541 << TheCall->getCallee()->getSourceRange(); 1542 return ExprError(); 1543 } 1544 1545 // Get the decl for the concrete builtin from this, we can tell what the 1546 // concrete integer type we should convert to is. 1547 unsigned NewBuiltinID = BuiltinIndices[BuiltinIndex][SizeIndex]; 1548 const char *NewBuiltinName = Context.BuiltinInfo.GetName(NewBuiltinID); 1549 FunctionDecl *NewBuiltinDecl; 1550 if (NewBuiltinID == BuiltinID) 1551 NewBuiltinDecl = FDecl; 1552 else { 1553 // Perform builtin lookup to avoid redeclaring it. 1554 DeclarationName DN(&Context.Idents.get(NewBuiltinName)); 1555 LookupResult Res(*this, DN, DRE->getLocStart(), LookupOrdinaryName); 1556 LookupName(Res, TUScope, /*AllowBuiltinCreation=*/true); 1557 assert(Res.getFoundDecl()); 1558 NewBuiltinDecl = dyn_cast<FunctionDecl>(Res.getFoundDecl()); 1559 if (!NewBuiltinDecl) 1560 return ExprError(); 1561 } 1562 1563 // The first argument --- the pointer --- has a fixed type; we 1564 // deduce the types of the rest of the arguments accordingly. Walk 1565 // the remaining arguments, converting them to the deduced value type. 1566 for (unsigned i = 0; i != NumFixed; ++i) { 1567 ExprResult Arg = TheCall->getArg(i+1); 1568 1569 // GCC does an implicit conversion to the pointer or integer ValType. This 1570 // can fail in some cases (1i -> int**), check for this error case now. 1571 // Initialize the argument. 1572 InitializedEntity Entity = InitializedEntity::InitializeParameter(Context, 1573 ValType, /*consume*/ false); 1574 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg); 1575 if (Arg.isInvalid()) 1576 return ExprError(); 1577 1578 // Okay, we have something that *can* be converted to the right type. Check 1579 // to see if there is a potentially weird extension going on here. This can 1580 // happen when you do an atomic operation on something like an char* and 1581 // pass in 42. The 42 gets converted to char. This is even more strange 1582 // for things like 45.123 -> char, etc. 1583 // FIXME: Do this check. 1584 TheCall->setArg(i+1, Arg.get()); 1585 } 1586 1587 ASTContext& Context = this->getASTContext(); 1588 1589 // Create a new DeclRefExpr to refer to the new decl. 1590 DeclRefExpr* NewDRE = DeclRefExpr::Create( 1591 Context, 1592 DRE->getQualifierLoc(), 1593 SourceLocation(), 1594 NewBuiltinDecl, 1595 /*enclosing*/ false, 1596 DRE->getLocation(), 1597 Context.BuiltinFnTy, 1598 DRE->getValueKind()); 1599 1600 // Set the callee in the CallExpr. 1601 // FIXME: This loses syntactic information. 1602 QualType CalleePtrTy = Context.getPointerType(NewBuiltinDecl->getType()); 1603 ExprResult PromotedCall = ImpCastExprToType(NewDRE, CalleePtrTy, 1604 CK_BuiltinFnToFnPtr); 1605 TheCall->setCallee(PromotedCall.get()); 1606 1607 // Change the result type of the call to match the original value type. This 1608 // is arbitrary, but the codegen for these builtins ins design to handle it 1609 // gracefully. 1610 TheCall->setType(ResultType); 1611 1612 return TheCallResult; 1613} 1614 1615/// CheckObjCString - Checks that the argument to the builtin 1616/// CFString constructor is correct 1617/// Note: It might also make sense to do the UTF-16 conversion here (would 1618/// simplify the backend). 1619bool Sema::CheckObjCString(Expr *Arg) { 1620 Arg = Arg->IgnoreParenCasts(); 1621 StringLiteral *Literal = dyn_cast<StringLiteral>(Arg); 1622 1623 if (!Literal || !Literal->isAscii()) { 1624 Diag(Arg->getLocStart(), diag::err_cfstring_literal_not_string_constant) 1625 << Arg->getSourceRange(); 1626 return true; 1627 } 1628 1629 if (Literal->containsNonAsciiOrNull()) { 1630 StringRef String = Literal->getString(); 1631 unsigned NumBytes = String.size(); 1632 SmallVector<UTF16, 128> ToBuf(NumBytes); 1633 const UTF8 *FromPtr = (const UTF8 *)String.data(); 1634 UTF16 *ToPtr = &ToBuf[0]; 1635 1636 ConversionResult Result = ConvertUTF8toUTF16(&FromPtr, FromPtr + NumBytes, 1637 &ToPtr, ToPtr + NumBytes, 1638 strictConversion); 1639 // Check for conversion failure. 1640 if (Result != conversionOK) 1641 Diag(Arg->getLocStart(), 1642 diag::warn_cfstring_truncated) << Arg->getSourceRange(); 1643 } 1644 return false; 1645} 1646 1647/// SemaBuiltinVAStart - Check the arguments to __builtin_va_start for validity. 1648/// Emit an error and return true on failure, return false on success. 1649bool Sema::SemaBuiltinVAStart(CallExpr *TheCall) { 1650 Expr *Fn = TheCall->getCallee(); 1651 if (TheCall->getNumArgs() > 2) { 1652 Diag(TheCall->getArg(2)->getLocStart(), 1653 diag::err_typecheck_call_too_many_args) 1654 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 1655 << Fn->getSourceRange() 1656 << SourceRange(TheCall->getArg(2)->getLocStart(), 1657 (*(TheCall->arg_end()-1))->getLocEnd()); 1658 return true; 1659 } 1660 1661 if (TheCall->getNumArgs() < 2) { 1662 return Diag(TheCall->getLocEnd(), 1663 diag::err_typecheck_call_too_few_args_at_least) 1664 << 0 /*function call*/ << 2 << TheCall->getNumArgs(); 1665 } 1666 1667 // Type-check the first argument normally. 1668 if (checkBuiltinArgument(*this, TheCall, 0)) 1669 return true; 1670 1671 // Determine whether the current function is variadic or not. 1672 BlockScopeInfo *CurBlock = getCurBlock(); 1673 bool isVariadic; 1674 if (CurBlock) 1675 isVariadic = CurBlock->TheDecl->isVariadic(); 1676 else if (FunctionDecl *FD = getCurFunctionDecl()) 1677 isVariadic = FD->isVariadic(); 1678 else 1679 isVariadic = getCurMethodDecl()->isVariadic(); 1680 1681 if (!isVariadic) { 1682 Diag(Fn->getLocStart(), diag::err_va_start_used_in_non_variadic_function); 1683 return true; 1684 } 1685 1686 // Verify that the second argument to the builtin is the last argument of the 1687 // current function or method. 1688 bool SecondArgIsLastNamedArgument = false; 1689 const Expr *Arg = TheCall->getArg(1)->IgnoreParenCasts(); 1690 1691 // These are valid if SecondArgIsLastNamedArgument is false after the next 1692 // block. 1693 QualType Type; 1694 SourceLocation ParamLoc; 1695 1696 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Arg)) { 1697 if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(DR->getDecl())) { 1698 // FIXME: This isn't correct for methods (results in bogus warning). 1699 // Get the last formal in the current function. 1700 const ParmVarDecl *LastArg; 1701 if (CurBlock) 1702 LastArg = *(CurBlock->TheDecl->param_end()-1); 1703 else if (FunctionDecl *FD = getCurFunctionDecl()) 1704 LastArg = *(FD->param_end()-1); 1705 else 1706 LastArg = *(getCurMethodDecl()->param_end()-1); 1707 SecondArgIsLastNamedArgument = PV == LastArg; 1708 1709 Type = PV->getType(); 1710 ParamLoc = PV->getLocation(); 1711 } 1712 } 1713 1714 if (!SecondArgIsLastNamedArgument) 1715 Diag(TheCall->getArg(1)->getLocStart(), 1716 diag::warn_second_parameter_of_va_start_not_last_named_argument); 1717 else if (Type->isReferenceType()) { 1718 Diag(Arg->getLocStart(), 1719 diag::warn_va_start_of_reference_type_is_undefined); 1720 Diag(ParamLoc, diag::note_parameter_type) << Type; 1721 } 1722 1723 TheCall->setType(Context.VoidTy); 1724 return false; 1725} 1726 1727/// SemaBuiltinUnorderedCompare - Handle functions like __builtin_isgreater and 1728/// friends. This is declared to take (...), so we have to check everything. 1729bool Sema::SemaBuiltinUnorderedCompare(CallExpr *TheCall) { 1730 if (TheCall->getNumArgs() < 2) 1731 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 1732 << 0 << 2 << TheCall->getNumArgs()/*function call*/; 1733 if (TheCall->getNumArgs() > 2) 1734 return Diag(TheCall->getArg(2)->getLocStart(), 1735 diag::err_typecheck_call_too_many_args) 1736 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 1737 << SourceRange(TheCall->getArg(2)->getLocStart(), 1738 (*(TheCall->arg_end()-1))->getLocEnd()); 1739 1740 ExprResult OrigArg0 = TheCall->getArg(0); 1741 ExprResult OrigArg1 = TheCall->getArg(1); 1742 1743 // Do standard promotions between the two arguments, returning their common 1744 // type. 1745 QualType Res = UsualArithmeticConversions(OrigArg0, OrigArg1, false); 1746 if (OrigArg0.isInvalid() || OrigArg1.isInvalid()) 1747 return true; 1748 1749 // Make sure any conversions are pushed back into the call; this is 1750 // type safe since unordered compare builtins are declared as "_Bool 1751 // foo(...)". 1752 TheCall->setArg(0, OrigArg0.get()); 1753 TheCall->setArg(1, OrigArg1.get()); 1754 1755 if (OrigArg0.get()->isTypeDependent() || OrigArg1.get()->isTypeDependent()) 1756 return false; 1757 1758 // If the common type isn't a real floating type, then the arguments were 1759 // invalid for this operation. 1760 if (Res.isNull() || !Res->isRealFloatingType()) 1761 return Diag(OrigArg0.get()->getLocStart(), 1762 diag::err_typecheck_call_invalid_ordered_compare) 1763 << OrigArg0.get()->getType() << OrigArg1.get()->getType() 1764 << SourceRange(OrigArg0.get()->getLocStart(), OrigArg1.get()->getLocEnd()); 1765 1766 return false; 1767} 1768 1769/// SemaBuiltinSemaBuiltinFPClassification - Handle functions like 1770/// __builtin_isnan and friends. This is declared to take (...), so we have 1771/// to check everything. We expect the last argument to be a floating point 1772/// value. 1773bool Sema::SemaBuiltinFPClassification(CallExpr *TheCall, unsigned NumArgs) { 1774 if (TheCall->getNumArgs() < NumArgs) 1775 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 1776 << 0 << NumArgs << TheCall->getNumArgs()/*function call*/; 1777 if (TheCall->getNumArgs() > NumArgs) 1778 return Diag(TheCall->getArg(NumArgs)->getLocStart(), 1779 diag::err_typecheck_call_too_many_args) 1780 << 0 /*function call*/ << NumArgs << TheCall->getNumArgs() 1781 << SourceRange(TheCall->getArg(NumArgs)->getLocStart(), 1782 (*(TheCall->arg_end()-1))->getLocEnd()); 1783 1784 Expr *OrigArg = TheCall->getArg(NumArgs-1); 1785 1786 if (OrigArg->isTypeDependent()) 1787 return false; 1788 1789 // This operation requires a non-_Complex floating-point number. 1790 if (!OrigArg->getType()->isRealFloatingType()) 1791 return Diag(OrigArg->getLocStart(), 1792 diag::err_typecheck_call_invalid_unary_fp) 1793 << OrigArg->getType() << OrigArg->getSourceRange(); 1794 1795 // If this is an implicit conversion from float -> double, remove it. 1796 if (ImplicitCastExpr *Cast = dyn_cast<ImplicitCastExpr>(OrigArg)) { 1797 Expr *CastArg = Cast->getSubExpr(); 1798 if (CastArg->getType()->isSpecificBuiltinType(BuiltinType::Float)) { 1799 assert(Cast->getType()->isSpecificBuiltinType(BuiltinType::Double) && 1800 "promotion from float to double is the only expected cast here"); 1801 Cast->setSubExpr(nullptr); 1802 TheCall->setArg(NumArgs-1, CastArg); 1803 } 1804 } 1805 1806 return false; 1807} 1808 1809/// SemaBuiltinShuffleVector - Handle __builtin_shufflevector. 1810// This is declared to take (...), so we have to check everything. 1811ExprResult Sema::SemaBuiltinShuffleVector(CallExpr *TheCall) { 1812 if (TheCall->getNumArgs() < 2) 1813 return ExprError(Diag(TheCall->getLocEnd(), 1814 diag::err_typecheck_call_too_few_args_at_least) 1815 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 1816 << TheCall->getSourceRange()); 1817 1818 // Determine which of the following types of shufflevector we're checking: 1819 // 1) unary, vector mask: (lhs, mask) 1820 // 2) binary, vector mask: (lhs, rhs, mask) 1821 // 3) binary, scalar mask: (lhs, rhs, index, ..., index) 1822 QualType resType = TheCall->getArg(0)->getType(); 1823 unsigned numElements = 0; 1824 1825 if (!TheCall->getArg(0)->isTypeDependent() && 1826 !TheCall->getArg(1)->isTypeDependent()) { 1827 QualType LHSType = TheCall->getArg(0)->getType(); 1828 QualType RHSType = TheCall->getArg(1)->getType(); 1829 1830 if (!LHSType->isVectorType() || !RHSType->isVectorType()) 1831 return ExprError(Diag(TheCall->getLocStart(), 1832 diag::err_shufflevector_non_vector) 1833 << SourceRange(TheCall->getArg(0)->getLocStart(), 1834 TheCall->getArg(1)->getLocEnd())); 1835 1836 numElements = LHSType->getAs<VectorType>()->getNumElements(); 1837 unsigned numResElements = TheCall->getNumArgs() - 2; 1838 1839 // Check to see if we have a call with 2 vector arguments, the unary shuffle 1840 // with mask. If so, verify that RHS is an integer vector type with the 1841 // same number of elts as lhs. 1842 if (TheCall->getNumArgs() == 2) { 1843 if (!RHSType->hasIntegerRepresentation() || 1844 RHSType->getAs<VectorType>()->getNumElements() != numElements) 1845 return ExprError(Diag(TheCall->getLocStart(), 1846 diag::err_shufflevector_incompatible_vector) 1847 << SourceRange(TheCall->getArg(1)->getLocStart(), 1848 TheCall->getArg(1)->getLocEnd())); 1849 } else if (!Context.hasSameUnqualifiedType(LHSType, RHSType)) { 1850 return ExprError(Diag(TheCall->getLocStart(), 1851 diag::err_shufflevector_incompatible_vector) 1852 << SourceRange(TheCall->getArg(0)->getLocStart(), 1853 TheCall->getArg(1)->getLocEnd())); 1854 } else if (numElements != numResElements) { 1855 QualType eltType = LHSType->getAs<VectorType>()->getElementType(); 1856 resType = Context.getVectorType(eltType, numResElements, 1857 VectorType::GenericVector); 1858 } 1859 } 1860 1861 for (unsigned i = 2; i < TheCall->getNumArgs(); i++) { 1862 if (TheCall->getArg(i)->isTypeDependent() || 1863 TheCall->getArg(i)->isValueDependent()) 1864 continue; 1865 1866 llvm::APSInt Result(32); 1867 if (!TheCall->getArg(i)->isIntegerConstantExpr(Result, Context)) 1868 return ExprError(Diag(TheCall->getLocStart(), 1869 diag::err_shufflevector_nonconstant_argument) 1870 << TheCall->getArg(i)->getSourceRange()); 1871 1872 // Allow -1 which will be translated to undef in the IR. 1873 if (Result.isSigned() && Result.isAllOnesValue()) 1874 continue; 1875 1876 if (Result.getActiveBits() > 64 || Result.getZExtValue() >= numElements*2) 1877 return ExprError(Diag(TheCall->getLocStart(), 1878 diag::err_shufflevector_argument_too_large) 1879 << TheCall->getArg(i)->getSourceRange()); 1880 } 1881 1882 SmallVector<Expr*, 32> exprs; 1883 1884 for (unsigned i = 0, e = TheCall->getNumArgs(); i != e; i++) { 1885 exprs.push_back(TheCall->getArg(i)); 1886 TheCall->setArg(i, nullptr); 1887 } 1888 1889 return new (Context) ShuffleVectorExpr(Context, exprs, resType, 1890 TheCall->getCallee()->getLocStart(), 1891 TheCall->getRParenLoc()); 1892} 1893 1894/// SemaConvertVectorExpr - Handle __builtin_convertvector 1895ExprResult Sema::SemaConvertVectorExpr(Expr *E, TypeSourceInfo *TInfo, 1896 SourceLocation BuiltinLoc, 1897 SourceLocation RParenLoc) { 1898 ExprValueKind VK = VK_RValue; 1899 ExprObjectKind OK = OK_Ordinary; 1900 QualType DstTy = TInfo->getType(); 1901 QualType SrcTy = E->getType(); 1902 1903 if (!SrcTy->isVectorType() && !SrcTy->isDependentType()) 1904 return ExprError(Diag(BuiltinLoc, 1905 diag::err_convertvector_non_vector) 1906 << E->getSourceRange()); 1907 if (!DstTy->isVectorType() && !DstTy->isDependentType()) 1908 return ExprError(Diag(BuiltinLoc, 1909 diag::err_convertvector_non_vector_type)); 1910 1911 if (!SrcTy->isDependentType() && !DstTy->isDependentType()) { 1912 unsigned SrcElts = SrcTy->getAs<VectorType>()->getNumElements(); 1913 unsigned DstElts = DstTy->getAs<VectorType>()->getNumElements(); 1914 if (SrcElts != DstElts) 1915 return ExprError(Diag(BuiltinLoc, 1916 diag::err_convertvector_incompatible_vector) 1917 << E->getSourceRange()); 1918 } 1919 1920 return new (Context) 1921 ConvertVectorExpr(E, TInfo, DstTy, VK, OK, BuiltinLoc, RParenLoc); 1922} 1923 1924/// SemaBuiltinPrefetch - Handle __builtin_prefetch. 1925// This is declared to take (const void*, ...) and can take two 1926// optional constant int args. 1927bool Sema::SemaBuiltinPrefetch(CallExpr *TheCall) { 1928 unsigned NumArgs = TheCall->getNumArgs(); 1929 1930 if (NumArgs > 3) 1931 return Diag(TheCall->getLocEnd(), 1932 diag::err_typecheck_call_too_many_args_at_most) 1933 << 0 /*function call*/ << 3 << NumArgs 1934 << TheCall->getSourceRange(); 1935 1936 // Argument 0 is checked for us and the remaining arguments must be 1937 // constant integers. 1938 for (unsigned i = 1; i != NumArgs; ++i) 1939 if (SemaBuiltinConstantArgRange(TheCall, i, 0, i == 1 ? 1 : 3)) 1940 return true; 1941 1942 return false; 1943} 1944 1945/// SemaBuiltinConstantArg - Handle a check if argument ArgNum of CallExpr 1946/// TheCall is a constant expression. 1947bool Sema::SemaBuiltinConstantArg(CallExpr *TheCall, int ArgNum, 1948 llvm::APSInt &Result) { 1949 Expr *Arg = TheCall->getArg(ArgNum); 1950 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 1951 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 1952 1953 if (Arg->isTypeDependent() || Arg->isValueDependent()) return false; 1954 1955 if (!Arg->isIntegerConstantExpr(Result, Context)) 1956 return Diag(TheCall->getLocStart(), diag::err_constant_integer_arg_type) 1957 << FDecl->getDeclName() << Arg->getSourceRange(); 1958 1959 return false; 1960} 1961 1962/// SemaBuiltinConstantArgRange - Handle a check if argument ArgNum of CallExpr 1963/// TheCall is a constant expression in the range [Low, High]. 1964bool Sema::SemaBuiltinConstantArgRange(CallExpr *TheCall, int ArgNum, 1965 int Low, int High) { 1966 llvm::APSInt Result; 1967 1968 // We can't check the value of a dependent argument. 1969 Expr *Arg = TheCall->getArg(ArgNum); 1970 if (Arg->isTypeDependent() || Arg->isValueDependent()) 1971 return false; 1972 1973 // Check constant-ness first. 1974 if (SemaBuiltinConstantArg(TheCall, ArgNum, Result)) 1975 return true; 1976 1977 if (Result.getSExtValue() < Low || Result.getSExtValue() > High) 1978 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 1979 << Low << High << Arg->getSourceRange(); 1980 1981 return false; 1982} 1983 1984/// SemaBuiltinLongjmp - Handle __builtin_longjmp(void *env[5], int val). 1985/// This checks that val is a constant 1. 1986bool Sema::SemaBuiltinLongjmp(CallExpr *TheCall) { 1987 Expr *Arg = TheCall->getArg(1); 1988 llvm::APSInt Result; 1989 1990 // TODO: This is less than ideal. Overload this to take a value. 1991 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 1992 return true; 1993 1994 if (Result != 1) 1995 return Diag(TheCall->getLocStart(), diag::err_builtin_longjmp_invalid_val) 1996 << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 1997 1998 return false; 1999} 2000 2001namespace { 2002enum StringLiteralCheckType { 2003 SLCT_NotALiteral, 2004 SLCT_UncheckedLiteral, 2005 SLCT_CheckedLiteral 2006}; 2007} 2008 2009// Determine if an expression is a string literal or constant string. 2010// If this function returns false on the arguments to a function expecting a 2011// format string, we will usually need to emit a warning. 2012// True string literals are then checked by CheckFormatString. 2013static StringLiteralCheckType 2014checkFormatStringExpr(Sema &S, const Expr *E, ArrayRef<const Expr *> Args, 2015 bool HasVAListArg, unsigned format_idx, 2016 unsigned firstDataArg, Sema::FormatStringType Type, 2017 Sema::VariadicCallType CallType, bool InFunctionCall, 2018 llvm::SmallBitVector &CheckedVarArgs) { 2019 tryAgain: 2020 if (E->isTypeDependent() || E->isValueDependent()) 2021 return SLCT_NotALiteral; 2022 2023 E = E->IgnoreParenCasts(); 2024 2025 if (E->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNotNull)) 2026 // Technically -Wformat-nonliteral does not warn about this case. 2027 // The behavior of printf and friends in this case is implementation 2028 // dependent. Ideally if the format string cannot be null then 2029 // it should have a 'nonnull' attribute in the function prototype. 2030 return SLCT_UncheckedLiteral; 2031 2032 switch (E->getStmtClass()) { 2033 case Stmt::BinaryConditionalOperatorClass: 2034 case Stmt::ConditionalOperatorClass: { 2035 // The expression is a literal if both sub-expressions were, and it was 2036 // completely checked only if both sub-expressions were checked. 2037 const AbstractConditionalOperator *C = 2038 cast<AbstractConditionalOperator>(E); 2039 StringLiteralCheckType Left = 2040 checkFormatStringExpr(S, C->getTrueExpr(), Args, 2041 HasVAListArg, format_idx, firstDataArg, 2042 Type, CallType, InFunctionCall, CheckedVarArgs); 2043 if (Left == SLCT_NotALiteral) 2044 return SLCT_NotALiteral; 2045 StringLiteralCheckType Right = 2046 checkFormatStringExpr(S, C->getFalseExpr(), Args, 2047 HasVAListArg, format_idx, firstDataArg, 2048 Type, CallType, InFunctionCall, CheckedVarArgs); 2049 return Left < Right ? Left : Right; 2050 } 2051 2052 case Stmt::ImplicitCastExprClass: { 2053 E = cast<ImplicitCastExpr>(E)->getSubExpr(); 2054 goto tryAgain; 2055 } 2056 2057 case Stmt::OpaqueValueExprClass: 2058 if (const Expr *src = cast<OpaqueValueExpr>(E)->getSourceExpr()) { 2059 E = src; 2060 goto tryAgain; 2061 } 2062 return SLCT_NotALiteral; 2063 2064 case Stmt::PredefinedExprClass: 2065 // While __func__, etc., are technically not string literals, they 2066 // cannot contain format specifiers and thus are not a security 2067 // liability. 2068 return SLCT_UncheckedLiteral; 2069 2070 case Stmt::DeclRefExprClass: { 2071 const DeclRefExpr *DR = cast<DeclRefExpr>(E); 2072 2073 // As an exception, do not flag errors for variables binding to 2074 // const string literals. 2075 if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) { 2076 bool isConstant = false; 2077 QualType T = DR->getType(); 2078 2079 if (const ArrayType *AT = S.Context.getAsArrayType(T)) { 2080 isConstant = AT->getElementType().isConstant(S.Context); 2081 } else if (const PointerType *PT = T->getAs<PointerType>()) { 2082 isConstant = T.isConstant(S.Context) && 2083 PT->getPointeeType().isConstant(S.Context); 2084 } else if (T->isObjCObjectPointerType()) { 2085 // In ObjC, there is usually no "const ObjectPointer" type, 2086 // so don't check if the pointee type is constant. 2087 isConstant = T.isConstant(S.Context); 2088 } 2089 2090 if (isConstant) { 2091 if (const Expr *Init = VD->getAnyInitializer()) { 2092 // Look through initializers like const char c[] = { "foo" } 2093 if (const InitListExpr *InitList = dyn_cast<InitListExpr>(Init)) { 2094 if (InitList->isStringLiteralInit()) 2095 Init = InitList->getInit(0)->IgnoreParenImpCasts(); 2096 } 2097 return checkFormatStringExpr(S, Init, Args, 2098 HasVAListArg, format_idx, 2099 firstDataArg, Type, CallType, 2100 /*InFunctionCall*/false, CheckedVarArgs); 2101 } 2102 } 2103 2104 // For vprintf* functions (i.e., HasVAListArg==true), we add a 2105 // special check to see if the format string is a function parameter 2106 // of the function calling the printf function. If the function 2107 // has an attribute indicating it is a printf-like function, then we 2108 // should suppress warnings concerning non-literals being used in a call 2109 // to a vprintf function. For example: 2110 // 2111 // void 2112 // logmessage(char const *fmt __attribute__ (format (printf, 1, 2)), ...){ 2113 // va_list ap; 2114 // va_start(ap, fmt); 2115 // vprintf(fmt, ap); // Do NOT emit a warning about "fmt". 2116 // ... 2117 // } 2118 if (HasVAListArg) { 2119 if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(VD)) { 2120 if (const NamedDecl *ND = dyn_cast<NamedDecl>(PV->getDeclContext())) { 2121 int PVIndex = PV->getFunctionScopeIndex() + 1; 2122 for (const auto *PVFormat : ND->specific_attrs<FormatAttr>()) { 2123 // adjust for implicit parameter 2124 if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(ND)) 2125 if (MD->isInstance()) 2126 ++PVIndex; 2127 // We also check if the formats are compatible. 2128 // We can't pass a 'scanf' string to a 'printf' function. 2129 if (PVIndex == PVFormat->getFormatIdx() && 2130 Type == S.GetFormatStringType(PVFormat)) 2131 return SLCT_UncheckedLiteral; 2132 } 2133 } 2134 } 2135 } 2136 } 2137 2138 return SLCT_NotALiteral; 2139 } 2140 2141 case Stmt::CallExprClass: 2142 case Stmt::CXXMemberCallExprClass: { 2143 const CallExpr *CE = cast<CallExpr>(E); 2144 if (const NamedDecl *ND = dyn_cast_or_null<NamedDecl>(CE->getCalleeDecl())) { 2145 if (const FormatArgAttr *FA = ND->getAttr<FormatArgAttr>()) { 2146 unsigned ArgIndex = FA->getFormatIdx(); 2147 if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(ND)) 2148 if (MD->isInstance()) 2149 --ArgIndex; 2150 const Expr *Arg = CE->getArg(ArgIndex - 1); 2151 2152 return checkFormatStringExpr(S, Arg, Args, 2153 HasVAListArg, format_idx, firstDataArg, 2154 Type, CallType, InFunctionCall, 2155 CheckedVarArgs); 2156 } else if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(ND)) { 2157 unsigned BuiltinID = FD->getBuiltinID(); 2158 if (BuiltinID == Builtin::BI__builtin___CFStringMakeConstantString || 2159 BuiltinID == Builtin::BI__builtin___NSStringMakeConstantString) { 2160 const Expr *Arg = CE->getArg(0); 2161 return checkFormatStringExpr(S, Arg, Args, 2162 HasVAListArg, format_idx, 2163 firstDataArg, Type, CallType, 2164 InFunctionCall, CheckedVarArgs); 2165 } 2166 } 2167 } 2168 2169 return SLCT_NotALiteral; 2170 } 2171 case Stmt::ObjCStringLiteralClass: 2172 case Stmt::StringLiteralClass: { 2173 const StringLiteral *StrE = nullptr; 2174 2175 if (const ObjCStringLiteral *ObjCFExpr = dyn_cast<ObjCStringLiteral>(E)) 2176 StrE = ObjCFExpr->getString(); 2177 else 2178 StrE = cast<StringLiteral>(E); 2179 2180 if (StrE) { 2181 S.CheckFormatString(StrE, E, Args, HasVAListArg, format_idx, firstDataArg, 2182 Type, InFunctionCall, CallType, CheckedVarArgs); 2183 return SLCT_CheckedLiteral; 2184 } 2185 2186 return SLCT_NotALiteral; 2187 } 2188 2189 default: 2190 return SLCT_NotALiteral; 2191 } 2192} 2193 2194Sema::FormatStringType Sema::GetFormatStringType(const FormatAttr *Format) { 2195 return llvm::StringSwitch<FormatStringType>(Format->getType()->getName()) 2196 .Case("scanf", FST_Scanf) 2197 .Cases("printf", "printf0", FST_Printf) 2198 .Cases("NSString", "CFString", FST_NSString) 2199 .Case("strftime", FST_Strftime) 2200 .Case("strfmon", FST_Strfmon) 2201 .Cases("kprintf", "cmn_err", "vcmn_err", "zcmn_err", FST_Kprintf) 2202 .Default(FST_Unknown); 2203} 2204 2205/// CheckFormatArguments - Check calls to printf and scanf (and similar 2206/// functions) for correct use of format strings. 2207/// Returns true if a format string has been fully checked. 2208bool Sema::CheckFormatArguments(const FormatAttr *Format, 2209 ArrayRef<const Expr *> Args, 2210 bool IsCXXMember, 2211 VariadicCallType CallType, 2212 SourceLocation Loc, SourceRange Range, 2213 llvm::SmallBitVector &CheckedVarArgs) { 2214 FormatStringInfo FSI; 2215 if (getFormatStringInfo(Format, IsCXXMember, &FSI)) 2216 return CheckFormatArguments(Args, FSI.HasVAListArg, FSI.FormatIdx, 2217 FSI.FirstDataArg, GetFormatStringType(Format), 2218 CallType, Loc, Range, CheckedVarArgs); 2219 return false; 2220} 2221 2222bool Sema::CheckFormatArguments(ArrayRef<const Expr *> Args, 2223 bool HasVAListArg, unsigned format_idx, 2224 unsigned firstDataArg, FormatStringType Type, 2225 VariadicCallType CallType, 2226 SourceLocation Loc, SourceRange Range, 2227 llvm::SmallBitVector &CheckedVarArgs) { 2228 // CHECK: printf/scanf-like function is called with no format string. 2229 if (format_idx >= Args.size()) { 2230 Diag(Loc, diag::warn_missing_format_string) << Range; 2231 return false; 2232 } 2233 2234 const Expr *OrigFormatExpr = Args[format_idx]->IgnoreParenCasts(); 2235 2236 // CHECK: format string is not a string literal. 2237 // 2238 // Dynamically generated format strings are difficult to 2239 // automatically vet at compile time. Requiring that format strings 2240 // are string literals: (1) permits the checking of format strings by 2241 // the compiler and thereby (2) can practically remove the source of 2242 // many format string exploits. 2243 2244 // Format string can be either ObjC string (e.g. @"%d") or 2245 // C string (e.g. "%d") 2246 // ObjC string uses the same format specifiers as C string, so we can use 2247 // the same format string checking logic for both ObjC and C strings. 2248 StringLiteralCheckType CT = 2249 checkFormatStringExpr(*this, OrigFormatExpr, Args, HasVAListArg, 2250 format_idx, firstDataArg, Type, CallType, 2251 /*IsFunctionCall*/true, CheckedVarArgs); 2252 if (CT != SLCT_NotALiteral) 2253 // Literal format string found, check done! 2254 return CT == SLCT_CheckedLiteral; 2255 2256 // Strftime is particular as it always uses a single 'time' argument, 2257 // so it is safe to pass a non-literal string. 2258 if (Type == FST_Strftime) 2259 return false; 2260 2261 // Do not emit diag when the string param is a macro expansion and the 2262 // format is either NSString or CFString. This is a hack to prevent 2263 // diag when using the NSLocalizedString and CFCopyLocalizedString macros 2264 // which are usually used in place of NS and CF string literals. 2265 if (Type == FST_NSString && 2266 SourceMgr.isInSystemMacro(Args[format_idx]->getLocStart())) 2267 return false; 2268 2269 // If there are no arguments specified, warn with -Wformat-security, otherwise 2270 // warn only with -Wformat-nonliteral. 2271 if (Args.size() == firstDataArg) 2272 Diag(Args[format_idx]->getLocStart(), 2273 diag::warn_format_nonliteral_noargs) 2274 << OrigFormatExpr->getSourceRange(); 2275 else 2276 Diag(Args[format_idx]->getLocStart(), 2277 diag::warn_format_nonliteral) 2278 << OrigFormatExpr->getSourceRange(); 2279 return false; 2280} 2281 2282namespace { 2283class CheckFormatHandler : public analyze_format_string::FormatStringHandler { 2284protected: 2285 Sema &S; 2286 const StringLiteral *FExpr; 2287 const Expr *OrigFormatExpr; 2288 const unsigned FirstDataArg; 2289 const unsigned NumDataArgs; 2290 const char *Beg; // Start of format string. 2291 const bool HasVAListArg; 2292 ArrayRef<const Expr *> Args; 2293 unsigned FormatIdx; 2294 llvm::SmallBitVector CoveredArgs; 2295 bool usesPositionalArgs; 2296 bool atFirstArg; 2297 bool inFunctionCall; 2298 Sema::VariadicCallType CallType; 2299 llvm::SmallBitVector &CheckedVarArgs; 2300public: 2301 CheckFormatHandler(Sema &s, const StringLiteral *fexpr, 2302 const Expr *origFormatExpr, unsigned firstDataArg, 2303 unsigned numDataArgs, const char *beg, bool hasVAListArg, 2304 ArrayRef<const Expr *> Args, 2305 unsigned formatIdx, bool inFunctionCall, 2306 Sema::VariadicCallType callType, 2307 llvm::SmallBitVector &CheckedVarArgs) 2308 : S(s), FExpr(fexpr), OrigFormatExpr(origFormatExpr), 2309 FirstDataArg(firstDataArg), NumDataArgs(numDataArgs), 2310 Beg(beg), HasVAListArg(hasVAListArg), 2311 Args(Args), FormatIdx(formatIdx), 2312 usesPositionalArgs(false), atFirstArg(true), 2313 inFunctionCall(inFunctionCall), CallType(callType), 2314 CheckedVarArgs(CheckedVarArgs) { 2315 CoveredArgs.resize(numDataArgs); 2316 CoveredArgs.reset(); 2317 } 2318 2319 void DoneProcessing(); 2320 2321 void HandleIncompleteSpecifier(const char *startSpecifier, 2322 unsigned specifierLen) override; 2323 2324 void HandleInvalidLengthModifier( 2325 const analyze_format_string::FormatSpecifier &FS, 2326 const analyze_format_string::ConversionSpecifier &CS, 2327 const char *startSpecifier, unsigned specifierLen, 2328 unsigned DiagID); 2329 2330 void HandleNonStandardLengthModifier( 2331 const analyze_format_string::FormatSpecifier &FS, 2332 const char *startSpecifier, unsigned specifierLen); 2333 2334 void HandleNonStandardConversionSpecifier( 2335 const analyze_format_string::ConversionSpecifier &CS, 2336 const char *startSpecifier, unsigned specifierLen); 2337 2338 void HandlePosition(const char *startPos, unsigned posLen) override; 2339 2340 void HandleInvalidPosition(const char *startSpecifier, 2341 unsigned specifierLen, 2342 analyze_format_string::PositionContext p) override; 2343 2344 void HandleZeroPosition(const char *startPos, unsigned posLen) override; 2345 2346 void HandleNullChar(const char *nullCharacter) override; 2347 2348 template <typename Range> 2349 static void EmitFormatDiagnostic(Sema &S, bool inFunctionCall, 2350 const Expr *ArgumentExpr, 2351 PartialDiagnostic PDiag, 2352 SourceLocation StringLoc, 2353 bool IsStringLocation, Range StringRange, 2354 ArrayRef<FixItHint> Fixit = None); 2355 2356protected: 2357 bool HandleInvalidConversionSpecifier(unsigned argIndex, SourceLocation Loc, 2358 const char *startSpec, 2359 unsigned specifierLen, 2360 const char *csStart, unsigned csLen); 2361 2362 void HandlePositionalNonpositionalArgs(SourceLocation Loc, 2363 const char *startSpec, 2364 unsigned specifierLen); 2365 2366 SourceRange getFormatStringRange(); 2367 CharSourceRange getSpecifierRange(const char *startSpecifier, 2368 unsigned specifierLen); 2369 SourceLocation getLocationOfByte(const char *x); 2370 2371 const Expr *getDataArg(unsigned i) const; 2372 2373 bool CheckNumArgs(const analyze_format_string::FormatSpecifier &FS, 2374 const analyze_format_string::ConversionSpecifier &CS, 2375 const char *startSpecifier, unsigned specifierLen, 2376 unsigned argIndex); 2377 2378 template <typename Range> 2379 void EmitFormatDiagnostic(PartialDiagnostic PDiag, SourceLocation StringLoc, 2380 bool IsStringLocation, Range StringRange, 2381 ArrayRef<FixItHint> Fixit = None); 2382}; 2383} 2384 2385SourceRange CheckFormatHandler::getFormatStringRange() { 2386 return OrigFormatExpr->getSourceRange(); 2387} 2388 2389CharSourceRange CheckFormatHandler:: 2390getSpecifierRange(const char *startSpecifier, unsigned specifierLen) { 2391 SourceLocation Start = getLocationOfByte(startSpecifier); 2392 SourceLocation End = getLocationOfByte(startSpecifier + specifierLen - 1); 2393 2394 // Advance the end SourceLocation by one due to half-open ranges. 2395 End = End.getLocWithOffset(1); 2396 2397 return CharSourceRange::getCharRange(Start, End); 2398} 2399 2400SourceLocation CheckFormatHandler::getLocationOfByte(const char *x) { 2401 return S.getLocationOfStringLiteralByte(FExpr, x - Beg); 2402} 2403 2404void CheckFormatHandler::HandleIncompleteSpecifier(const char *startSpecifier, 2405 unsigned specifierLen){ 2406 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_incomplete_specifier), 2407 getLocationOfByte(startSpecifier), 2408 /*IsStringLocation*/true, 2409 getSpecifierRange(startSpecifier, specifierLen)); 2410} 2411 2412void CheckFormatHandler::HandleInvalidLengthModifier( 2413 const analyze_format_string::FormatSpecifier &FS, 2414 const analyze_format_string::ConversionSpecifier &CS, 2415 const char *startSpecifier, unsigned specifierLen, unsigned DiagID) { 2416 using namespace analyze_format_string; 2417 2418 const LengthModifier &LM = FS.getLengthModifier(); 2419 CharSourceRange LMRange = getSpecifierRange(LM.getStart(), LM.getLength()); 2420 2421 // See if we know how to fix this length modifier. 2422 Optional<LengthModifier> FixedLM = FS.getCorrectedLengthModifier(); 2423 if (FixedLM) { 2424 EmitFormatDiagnostic(S.PDiag(DiagID) << LM.toString() << CS.toString(), 2425 getLocationOfByte(LM.getStart()), 2426 /*IsStringLocation*/true, 2427 getSpecifierRange(startSpecifier, specifierLen)); 2428 2429 S.Diag(getLocationOfByte(LM.getStart()), diag::note_format_fix_specifier) 2430 << FixedLM->toString() 2431 << FixItHint::CreateReplacement(LMRange, FixedLM->toString()); 2432 2433 } else { 2434 FixItHint Hint; 2435 if (DiagID == diag::warn_format_nonsensical_length) 2436 Hint = FixItHint::CreateRemoval(LMRange); 2437 2438 EmitFormatDiagnostic(S.PDiag(DiagID) << LM.toString() << CS.toString(), 2439 getLocationOfByte(LM.getStart()), 2440 /*IsStringLocation*/true, 2441 getSpecifierRange(startSpecifier, specifierLen), 2442 Hint); 2443 } 2444} 2445 2446void CheckFormatHandler::HandleNonStandardLengthModifier( 2447 const analyze_format_string::FormatSpecifier &FS, 2448 const char *startSpecifier, unsigned specifierLen) { 2449 using namespace analyze_format_string; 2450 2451 const LengthModifier &LM = FS.getLengthModifier(); 2452 CharSourceRange LMRange = getSpecifierRange(LM.getStart(), LM.getLength()); 2453 2454 // See if we know how to fix this length modifier. 2455 Optional<LengthModifier> FixedLM = FS.getCorrectedLengthModifier(); 2456 if (FixedLM) { 2457 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) 2458 << LM.toString() << 0, 2459 getLocationOfByte(LM.getStart()), 2460 /*IsStringLocation*/true, 2461 getSpecifierRange(startSpecifier, specifierLen)); 2462 2463 S.Diag(getLocationOfByte(LM.getStart()), diag::note_format_fix_specifier) 2464 << FixedLM->toString() 2465 << FixItHint::CreateReplacement(LMRange, FixedLM->toString()); 2466 2467 } else { 2468 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) 2469 << LM.toString() << 0, 2470 getLocationOfByte(LM.getStart()), 2471 /*IsStringLocation*/true, 2472 getSpecifierRange(startSpecifier, specifierLen)); 2473 } 2474} 2475 2476void CheckFormatHandler::HandleNonStandardConversionSpecifier( 2477 const analyze_format_string::ConversionSpecifier &CS, 2478 const char *startSpecifier, unsigned specifierLen) { 2479 using namespace analyze_format_string; 2480 2481 // See if we know how to fix this conversion specifier. 2482 Optional<ConversionSpecifier> FixedCS = CS.getStandardSpecifier(); 2483 if (FixedCS) { 2484 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) 2485 << CS.toString() << /*conversion specifier*/1, 2486 getLocationOfByte(CS.getStart()), 2487 /*IsStringLocation*/true, 2488 getSpecifierRange(startSpecifier, specifierLen)); 2489 2490 CharSourceRange CSRange = getSpecifierRange(CS.getStart(), CS.getLength()); 2491 S.Diag(getLocationOfByte(CS.getStart()), diag::note_format_fix_specifier) 2492 << FixedCS->toString() 2493 << FixItHint::CreateReplacement(CSRange, FixedCS->toString()); 2494 } else { 2495 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) 2496 << CS.toString() << /*conversion specifier*/1, 2497 getLocationOfByte(CS.getStart()), 2498 /*IsStringLocation*/true, 2499 getSpecifierRange(startSpecifier, specifierLen)); 2500 } 2501} 2502 2503void CheckFormatHandler::HandlePosition(const char *startPos, 2504 unsigned posLen) { 2505 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard_positional_arg), 2506 getLocationOfByte(startPos), 2507 /*IsStringLocation*/true, 2508 getSpecifierRange(startPos, posLen)); 2509} 2510 2511void 2512CheckFormatHandler::HandleInvalidPosition(const char *startPos, unsigned posLen, 2513 analyze_format_string::PositionContext p) { 2514 EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_positional_specifier) 2515 << (unsigned) p, 2516 getLocationOfByte(startPos), /*IsStringLocation*/true, 2517 getSpecifierRange(startPos, posLen)); 2518} 2519 2520void CheckFormatHandler::HandleZeroPosition(const char *startPos, 2521 unsigned posLen) { 2522 EmitFormatDiagnostic(S.PDiag(diag::warn_format_zero_positional_specifier), 2523 getLocationOfByte(startPos), 2524 /*IsStringLocation*/true, 2525 getSpecifierRange(startPos, posLen)); 2526} 2527 2528void CheckFormatHandler::HandleNullChar(const char *nullCharacter) { 2529 if (!isa<ObjCStringLiteral>(OrigFormatExpr)) { 2530 // The presence of a null character is likely an error. 2531 EmitFormatDiagnostic( 2532 S.PDiag(diag::warn_printf_format_string_contains_null_char), 2533 getLocationOfByte(nullCharacter), /*IsStringLocation*/true, 2534 getFormatStringRange()); 2535 } 2536} 2537 2538// Note that this may return NULL if there was an error parsing or building 2539// one of the argument expressions. 2540const Expr *CheckFormatHandler::getDataArg(unsigned i) const { 2541 return Args[FirstDataArg + i]; 2542} 2543 2544void CheckFormatHandler::DoneProcessing() { 2545 // Does the number of data arguments exceed the number of 2546 // format conversions in the format string? 2547 if (!HasVAListArg) { 2548 // Find any arguments that weren't covered. 2549 CoveredArgs.flip(); 2550 signed notCoveredArg = CoveredArgs.find_first(); 2551 if (notCoveredArg >= 0) { 2552 assert((unsigned)notCoveredArg < NumDataArgs); 2553 if (const Expr *E = getDataArg((unsigned) notCoveredArg)) { 2554 SourceLocation Loc = E->getLocStart(); 2555 if (!S.getSourceManager().isInSystemMacro(Loc)) { 2556 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_data_arg_not_used), 2557 Loc, /*IsStringLocation*/false, 2558 getFormatStringRange()); 2559 } 2560 } 2561 } 2562 } 2563} 2564 2565bool 2566CheckFormatHandler::HandleInvalidConversionSpecifier(unsigned argIndex, 2567 SourceLocation Loc, 2568 const char *startSpec, 2569 unsigned specifierLen, 2570 const char *csStart, 2571 unsigned csLen) { 2572 2573 bool keepGoing = true; 2574 if (argIndex < NumDataArgs) { 2575 // Consider the argument coverered, even though the specifier doesn't 2576 // make sense. 2577 CoveredArgs.set(argIndex); 2578 } 2579 else { 2580 // If argIndex exceeds the number of data arguments we 2581 // don't issue a warning because that is just a cascade of warnings (and 2582 // they may have intended '%%' anyway). We don't want to continue processing 2583 // the format string after this point, however, as we will like just get 2584 // gibberish when trying to match arguments. 2585 keepGoing = false; 2586 } 2587 2588 EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_conversion) 2589 << StringRef(csStart, csLen), 2590 Loc, /*IsStringLocation*/true, 2591 getSpecifierRange(startSpec, specifierLen)); 2592 2593 return keepGoing; 2594} 2595 2596void 2597CheckFormatHandler::HandlePositionalNonpositionalArgs(SourceLocation Loc, 2598 const char *startSpec, 2599 unsigned specifierLen) { 2600 EmitFormatDiagnostic( 2601 S.PDiag(diag::warn_format_mix_positional_nonpositional_args), 2602 Loc, /*isStringLoc*/true, getSpecifierRange(startSpec, specifierLen)); 2603} 2604 2605bool 2606CheckFormatHandler::CheckNumArgs( 2607 const analyze_format_string::FormatSpecifier &FS, 2608 const analyze_format_string::ConversionSpecifier &CS, 2609 const char *startSpecifier, unsigned specifierLen, unsigned argIndex) { 2610 2611 if (argIndex >= NumDataArgs) { 2612 PartialDiagnostic PDiag = FS.usesPositionalArg() 2613 ? (S.PDiag(diag::warn_printf_positional_arg_exceeds_data_args) 2614 << (argIndex+1) << NumDataArgs) 2615 : S.PDiag(diag::warn_printf_insufficient_data_args); 2616 EmitFormatDiagnostic( 2617 PDiag, getLocationOfByte(CS.getStart()), /*IsStringLocation*/true, 2618 getSpecifierRange(startSpecifier, specifierLen)); 2619 return false; 2620 } 2621 return true; 2622} 2623 2624template<typename Range> 2625void CheckFormatHandler::EmitFormatDiagnostic(PartialDiagnostic PDiag, 2626 SourceLocation Loc, 2627 bool IsStringLocation, 2628 Range StringRange, 2629 ArrayRef<FixItHint> FixIt) { 2630 EmitFormatDiagnostic(S, inFunctionCall, Args[FormatIdx], PDiag, 2631 Loc, IsStringLocation, StringRange, FixIt); 2632} 2633 2634/// \brief If the format string is not within the funcion call, emit a note 2635/// so that the function call and string are in diagnostic messages. 2636/// 2637/// \param InFunctionCall if true, the format string is within the function 2638/// call and only one diagnostic message will be produced. Otherwise, an 2639/// extra note will be emitted pointing to location of the format string. 2640/// 2641/// \param ArgumentExpr the expression that is passed as the format string 2642/// argument in the function call. Used for getting locations when two 2643/// diagnostics are emitted. 2644/// 2645/// \param PDiag the callee should already have provided any strings for the 2646/// diagnostic message. This function only adds locations and fixits 2647/// to diagnostics. 2648/// 2649/// \param Loc primary location for diagnostic. If two diagnostics are 2650/// required, one will be at Loc and a new SourceLocation will be created for 2651/// the other one. 2652/// 2653/// \param IsStringLocation if true, Loc points to the format string should be 2654/// used for the note. Otherwise, Loc points to the argument list and will 2655/// be used with PDiag. 2656/// 2657/// \param StringRange some or all of the string to highlight. This is 2658/// templated so it can accept either a CharSourceRange or a SourceRange. 2659/// 2660/// \param FixIt optional fix it hint for the format string. 2661template<typename Range> 2662void CheckFormatHandler::EmitFormatDiagnostic(Sema &S, bool InFunctionCall, 2663 const Expr *ArgumentExpr, 2664 PartialDiagnostic PDiag, 2665 SourceLocation Loc, 2666 bool IsStringLocation, 2667 Range StringRange, 2668 ArrayRef<FixItHint> FixIt) { 2669 if (InFunctionCall) { 2670 const Sema::SemaDiagnosticBuilder &D = S.Diag(Loc, PDiag); 2671 D << StringRange; 2672 for (ArrayRef<FixItHint>::iterator I = FixIt.begin(), E = FixIt.end(); 2673 I != E; ++I) { 2674 D << *I; 2675 } 2676 } else { 2677 S.Diag(IsStringLocation ? ArgumentExpr->getExprLoc() : Loc, PDiag) 2678 << ArgumentExpr->getSourceRange(); 2679 2680 const Sema::SemaDiagnosticBuilder &Note = 2681 S.Diag(IsStringLocation ? Loc : StringRange.getBegin(), 2682 diag::note_format_string_defined); 2683 2684 Note << StringRange; 2685 for (ArrayRef<FixItHint>::iterator I = FixIt.begin(), E = FixIt.end(); 2686 I != E; ++I) { 2687 Note << *I; 2688 } 2689 } 2690} 2691 2692//===--- CHECK: Printf format string checking ------------------------------===// 2693 2694namespace { 2695class CheckPrintfHandler : public CheckFormatHandler { 2696 bool ObjCContext; 2697public: 2698 CheckPrintfHandler(Sema &s, const StringLiteral *fexpr, 2699 const Expr *origFormatExpr, unsigned firstDataArg, 2700 unsigned numDataArgs, bool isObjC, 2701 const char *beg, bool hasVAListArg, 2702 ArrayRef<const Expr *> Args, 2703 unsigned formatIdx, bool inFunctionCall, 2704 Sema::VariadicCallType CallType, 2705 llvm::SmallBitVector &CheckedVarArgs) 2706 : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg, 2707 numDataArgs, beg, hasVAListArg, Args, 2708 formatIdx, inFunctionCall, CallType, CheckedVarArgs), 2709 ObjCContext(isObjC) 2710 {} 2711 2712 2713 bool HandleInvalidPrintfConversionSpecifier( 2714 const analyze_printf::PrintfSpecifier &FS, 2715 const char *startSpecifier, 2716 unsigned specifierLen) override; 2717 2718 bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS, 2719 const char *startSpecifier, 2720 unsigned specifierLen) override; 2721 bool checkFormatExpr(const analyze_printf::PrintfSpecifier &FS, 2722 const char *StartSpecifier, 2723 unsigned SpecifierLen, 2724 const Expr *E); 2725 2726 bool HandleAmount(const analyze_format_string::OptionalAmount &Amt, unsigned k, 2727 const char *startSpecifier, unsigned specifierLen); 2728 void HandleInvalidAmount(const analyze_printf::PrintfSpecifier &FS, 2729 const analyze_printf::OptionalAmount &Amt, 2730 unsigned type, 2731 const char *startSpecifier, unsigned specifierLen); 2732 void HandleFlag(const analyze_printf::PrintfSpecifier &FS, 2733 const analyze_printf::OptionalFlag &flag, 2734 const char *startSpecifier, unsigned specifierLen); 2735 void HandleIgnoredFlag(const analyze_printf::PrintfSpecifier &FS, 2736 const analyze_printf::OptionalFlag &ignoredFlag, 2737 const analyze_printf::OptionalFlag &flag, 2738 const char *startSpecifier, unsigned specifierLen); 2739 bool checkForCStrMembers(const analyze_printf::ArgType &AT, 2740 const Expr *E); 2741 2742}; 2743} 2744 2745bool CheckPrintfHandler::HandleInvalidPrintfConversionSpecifier( 2746 const analyze_printf::PrintfSpecifier &FS, 2747 const char *startSpecifier, 2748 unsigned specifierLen) { 2749 const analyze_printf::PrintfConversionSpecifier &CS = 2750 FS.getConversionSpecifier(); 2751 2752 return HandleInvalidConversionSpecifier(FS.getArgIndex(), 2753 getLocationOfByte(CS.getStart()), 2754 startSpecifier, specifierLen, 2755 CS.getStart(), CS.getLength()); 2756} 2757 2758bool CheckPrintfHandler::HandleAmount( 2759 const analyze_format_string::OptionalAmount &Amt, 2760 unsigned k, const char *startSpecifier, 2761 unsigned specifierLen) { 2762 2763 if (Amt.hasDataArgument()) { 2764 if (!HasVAListArg) { 2765 unsigned argIndex = Amt.getArgIndex(); 2766 if (argIndex >= NumDataArgs) { 2767 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_missing_arg) 2768 << k, 2769 getLocationOfByte(Amt.getStart()), 2770 /*IsStringLocation*/true, 2771 getSpecifierRange(startSpecifier, specifierLen)); 2772 // Don't do any more checking. We will just emit 2773 // spurious errors. 2774 return false; 2775 } 2776 2777 // Type check the data argument. It should be an 'int'. 2778 // Although not in conformance with C99, we also allow the argument to be 2779 // an 'unsigned int' as that is a reasonably safe case. GCC also 2780 // doesn't emit a warning for that case. 2781 CoveredArgs.set(argIndex); 2782 const Expr *Arg = getDataArg(argIndex); 2783 if (!Arg) 2784 return false; 2785 2786 QualType T = Arg->getType(); 2787 2788 const analyze_printf::ArgType &AT = Amt.getArgType(S.Context); 2789 assert(AT.isValid()); 2790 2791 if (!AT.matchesType(S.Context, T)) { 2792 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_wrong_type) 2793 << k << AT.getRepresentativeTypeName(S.Context) 2794 << T << Arg->getSourceRange(), 2795 getLocationOfByte(Amt.getStart()), 2796 /*IsStringLocation*/true, 2797 getSpecifierRange(startSpecifier, specifierLen)); 2798 // Don't do any more checking. We will just emit 2799 // spurious errors. 2800 return false; 2801 } 2802 } 2803 } 2804 return true; 2805} 2806 2807void CheckPrintfHandler::HandleInvalidAmount( 2808 const analyze_printf::PrintfSpecifier &FS, 2809 const analyze_printf::OptionalAmount &Amt, 2810 unsigned type, 2811 const char *startSpecifier, 2812 unsigned specifierLen) { 2813 const analyze_printf::PrintfConversionSpecifier &CS = 2814 FS.getConversionSpecifier(); 2815 2816 FixItHint fixit = 2817 Amt.getHowSpecified() == analyze_printf::OptionalAmount::Constant 2818 ? FixItHint::CreateRemoval(getSpecifierRange(Amt.getStart(), 2819 Amt.getConstantLength())) 2820 : FixItHint(); 2821 2822 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_optional_amount) 2823 << type << CS.toString(), 2824 getLocationOfByte(Amt.getStart()), 2825 /*IsStringLocation*/true, 2826 getSpecifierRange(startSpecifier, specifierLen), 2827 fixit); 2828} 2829 2830void CheckPrintfHandler::HandleFlag(const analyze_printf::PrintfSpecifier &FS, 2831 const analyze_printf::OptionalFlag &flag, 2832 const char *startSpecifier, 2833 unsigned specifierLen) { 2834 // Warn about pointless flag with a fixit removal. 2835 const analyze_printf::PrintfConversionSpecifier &CS = 2836 FS.getConversionSpecifier(); 2837 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_flag) 2838 << flag.toString() << CS.toString(), 2839 getLocationOfByte(flag.getPosition()), 2840 /*IsStringLocation*/true, 2841 getSpecifierRange(startSpecifier, specifierLen), 2842 FixItHint::CreateRemoval( 2843 getSpecifierRange(flag.getPosition(), 1))); 2844} 2845 2846void CheckPrintfHandler::HandleIgnoredFlag( 2847 const analyze_printf::PrintfSpecifier &FS, 2848 const analyze_printf::OptionalFlag &ignoredFlag, 2849 const analyze_printf::OptionalFlag &flag, 2850 const char *startSpecifier, 2851 unsigned specifierLen) { 2852 // Warn about ignored flag with a fixit removal. 2853 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_ignored_flag) 2854 << ignoredFlag.toString() << flag.toString(), 2855 getLocationOfByte(ignoredFlag.getPosition()), 2856 /*IsStringLocation*/true, 2857 getSpecifierRange(startSpecifier, specifierLen), 2858 FixItHint::CreateRemoval( 2859 getSpecifierRange(ignoredFlag.getPosition(), 1))); 2860} 2861 2862// Determines if the specified is a C++ class or struct containing 2863// a member with the specified name and kind (e.g. a CXXMethodDecl named 2864// "c_str()"). 2865template<typename MemberKind> 2866static llvm::SmallPtrSet<MemberKind*, 1> 2867CXXRecordMembersNamed(StringRef Name, Sema &S, QualType Ty) { 2868 const RecordType *RT = Ty->getAs<RecordType>(); 2869 llvm::SmallPtrSet<MemberKind*, 1> Results; 2870 2871 if (!RT) 2872 return Results; 2873 const CXXRecordDecl *RD = dyn_cast<CXXRecordDecl>(RT->getDecl()); 2874 if (!RD || !RD->getDefinition()) 2875 return Results; 2876 2877 LookupResult R(S, &S.Context.Idents.get(Name), SourceLocation(), 2878 Sema::LookupMemberName); 2879 R.suppressDiagnostics(); 2880 2881 // We just need to include all members of the right kind turned up by the 2882 // filter, at this point. 2883 if (S.LookupQualifiedName(R, RT->getDecl())) 2884 for (LookupResult::iterator I = R.begin(), E = R.end(); I != E; ++I) { 2885 NamedDecl *decl = (*I)->getUnderlyingDecl(); 2886 if (MemberKind *FK = dyn_cast<MemberKind>(decl)) 2887 Results.insert(FK); 2888 } 2889 return Results; 2890} 2891 2892/// Check if we could call '.c_str()' on an object. 2893/// 2894/// FIXME: This returns the wrong results in some cases (if cv-qualifiers don't 2895/// allow the call, or if it would be ambiguous). 2896bool Sema::hasCStrMethod(const Expr *E) { 2897 typedef llvm::SmallPtrSet<CXXMethodDecl*, 1> MethodSet; 2898 MethodSet Results = 2899 CXXRecordMembersNamed<CXXMethodDecl>("c_str", *this, E->getType()); 2900 for (MethodSet::iterator MI = Results.begin(), ME = Results.end(); 2901 MI != ME; ++MI) 2902 if ((*MI)->getMinRequiredArguments() == 0) 2903 return true; 2904 return false; 2905} 2906 2907// Check if a (w)string was passed when a (w)char* was needed, and offer a 2908// better diagnostic if so. AT is assumed to be valid. 2909// Returns true when a c_str() conversion method is found. 2910bool CheckPrintfHandler::checkForCStrMembers( 2911 const analyze_printf::ArgType &AT, const Expr *E) { 2912 typedef llvm::SmallPtrSet<CXXMethodDecl*, 1> MethodSet; 2913 2914 MethodSet Results = 2915 CXXRecordMembersNamed<CXXMethodDecl>("c_str", S, E->getType()); 2916 2917 for (MethodSet::iterator MI = Results.begin(), ME = Results.end(); 2918 MI != ME; ++MI) { 2919 const CXXMethodDecl *Method = *MI; 2920 if (Method->getMinRequiredArguments() == 0 && 2921 AT.matchesType(S.Context, Method->getReturnType())) { 2922 // FIXME: Suggest parens if the expression needs them. 2923 SourceLocation EndLoc = S.getLocForEndOfToken(E->getLocEnd()); 2924 S.Diag(E->getLocStart(), diag::note_printf_c_str) 2925 << "c_str()" 2926 << FixItHint::CreateInsertion(EndLoc, ".c_str()"); 2927 return true; 2928 } 2929 } 2930 2931 return false; 2932} 2933 2934bool 2935CheckPrintfHandler::HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier 2936 &FS, 2937 const char *startSpecifier, 2938 unsigned specifierLen) { 2939 2940 using namespace analyze_format_string; 2941 using namespace analyze_printf; 2942 const PrintfConversionSpecifier &CS = FS.getConversionSpecifier(); 2943 2944 if (FS.consumesDataArgument()) { 2945 if (atFirstArg) { 2946 atFirstArg = false; 2947 usesPositionalArgs = FS.usesPositionalArg(); 2948 } 2949 else if (usesPositionalArgs != FS.usesPositionalArg()) { 2950 HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()), 2951 startSpecifier, specifierLen); 2952 return false; 2953 } 2954 } 2955 2956 // First check if the field width, precision, and conversion specifier 2957 // have matching data arguments. 2958 if (!HandleAmount(FS.getFieldWidth(), /* field width */ 0, 2959 startSpecifier, specifierLen)) { 2960 return false; 2961 } 2962 2963 if (!HandleAmount(FS.getPrecision(), /* precision */ 1, 2964 startSpecifier, specifierLen)) { 2965 return false; 2966 } 2967 2968 if (!CS.consumesDataArgument()) { 2969 // FIXME: Technically specifying a precision or field width here 2970 // makes no sense. Worth issuing a warning at some point. 2971 return true; 2972 } 2973 2974 // Consume the argument. 2975 unsigned argIndex = FS.getArgIndex(); 2976 if (argIndex < NumDataArgs) { 2977 // The check to see if the argIndex is valid will come later. 2978 // We set the bit here because we may exit early from this 2979 // function if we encounter some other error. 2980 CoveredArgs.set(argIndex); 2981 } 2982 2983 // Check for using an Objective-C specific conversion specifier 2984 // in a non-ObjC literal. 2985 if (!ObjCContext && CS.isObjCArg()) { 2986 return HandleInvalidPrintfConversionSpecifier(FS, startSpecifier, 2987 specifierLen); 2988 } 2989 2990 // Check for invalid use of field width 2991 if (!FS.hasValidFieldWidth()) { 2992 HandleInvalidAmount(FS, FS.getFieldWidth(), /* field width */ 0, 2993 startSpecifier, specifierLen); 2994 } 2995 2996 // Check for invalid use of precision 2997 if (!FS.hasValidPrecision()) { 2998 HandleInvalidAmount(FS, FS.getPrecision(), /* precision */ 1, 2999 startSpecifier, specifierLen); 3000 } 3001 3002 // Check each flag does not conflict with any other component. 3003 if (!FS.hasValidThousandsGroupingPrefix()) 3004 HandleFlag(FS, FS.hasThousandsGrouping(), startSpecifier, specifierLen); 3005 if (!FS.hasValidLeadingZeros()) 3006 HandleFlag(FS, FS.hasLeadingZeros(), startSpecifier, specifierLen); 3007 if (!FS.hasValidPlusPrefix()) 3008 HandleFlag(FS, FS.hasPlusPrefix(), startSpecifier, specifierLen); 3009 if (!FS.hasValidSpacePrefix()) 3010 HandleFlag(FS, FS.hasSpacePrefix(), startSpecifier, specifierLen); 3011 if (!FS.hasValidAlternativeForm()) 3012 HandleFlag(FS, FS.hasAlternativeForm(), startSpecifier, specifierLen); 3013 if (!FS.hasValidLeftJustified()) 3014 HandleFlag(FS, FS.isLeftJustified(), startSpecifier, specifierLen); 3015 3016 // Check that flags are not ignored by another flag 3017 if (FS.hasSpacePrefix() && FS.hasPlusPrefix()) // ' ' ignored by '+' 3018 HandleIgnoredFlag(FS, FS.hasSpacePrefix(), FS.hasPlusPrefix(), 3019 startSpecifier, specifierLen); 3020 if (FS.hasLeadingZeros() && FS.isLeftJustified()) // '0' ignored by '-' 3021 HandleIgnoredFlag(FS, FS.hasLeadingZeros(), FS.isLeftJustified(), 3022 startSpecifier, specifierLen); 3023 3024 // Check the length modifier is valid with the given conversion specifier. 3025 if (!FS.hasValidLengthModifier(S.getASTContext().getTargetInfo())) 3026 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, 3027 diag::warn_format_nonsensical_length); 3028 else if (!FS.hasStandardLengthModifier()) 3029 HandleNonStandardLengthModifier(FS, startSpecifier, specifierLen); 3030 else if (!FS.hasStandardLengthConversionCombination()) 3031 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, 3032 diag::warn_format_non_standard_conversion_spec); 3033 3034 if (!FS.hasStandardConversionSpecifier(S.getLangOpts())) 3035 HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen); 3036 3037 // The remaining checks depend on the data arguments. 3038 if (HasVAListArg) 3039 return true; 3040 3041 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex)) 3042 return false; 3043 3044 const Expr *Arg = getDataArg(argIndex); 3045 if (!Arg) 3046 return true; 3047 3048 return checkFormatExpr(FS, startSpecifier, specifierLen, Arg); 3049} 3050 3051static bool requiresParensToAddCast(const Expr *E) { 3052 // FIXME: We should have a general way to reason about operator 3053 // precedence and whether parens are actually needed here. 3054 // Take care of a few common cases where they aren't. 3055 const Expr *Inside = E->IgnoreImpCasts(); 3056 if (const PseudoObjectExpr *POE = dyn_cast<PseudoObjectExpr>(Inside)) 3057 Inside = POE->getSyntacticForm()->IgnoreImpCasts(); 3058 3059 switch (Inside->getStmtClass()) { 3060 case Stmt::ArraySubscriptExprClass: 3061 case Stmt::CallExprClass: 3062 case Stmt::CharacterLiteralClass: 3063 case Stmt::CXXBoolLiteralExprClass: 3064 case Stmt::DeclRefExprClass: 3065 case Stmt::FloatingLiteralClass: 3066 case Stmt::IntegerLiteralClass: 3067 case Stmt::MemberExprClass: 3068 case Stmt::ObjCArrayLiteralClass: 3069 case Stmt::ObjCBoolLiteralExprClass: 3070 case Stmt::ObjCBoxedExprClass: 3071 case Stmt::ObjCDictionaryLiteralClass: 3072 case Stmt::ObjCEncodeExprClass: 3073 case Stmt::ObjCIvarRefExprClass: 3074 case Stmt::ObjCMessageExprClass: 3075 case Stmt::ObjCPropertyRefExprClass: 3076 case Stmt::ObjCStringLiteralClass: 3077 case Stmt::ObjCSubscriptRefExprClass: 3078 case Stmt::ParenExprClass: 3079 case Stmt::StringLiteralClass: 3080 case Stmt::UnaryOperatorClass: 3081 return false; 3082 default: 3083 return true; 3084 } 3085} 3086 3087bool 3088CheckPrintfHandler::checkFormatExpr(const analyze_printf::PrintfSpecifier &FS, 3089 const char *StartSpecifier, 3090 unsigned SpecifierLen, 3091 const Expr *E) { 3092 using namespace analyze_format_string; 3093 using namespace analyze_printf; 3094 // Now type check the data expression that matches the 3095 // format specifier. 3096 const analyze_printf::ArgType &AT = FS.getArgType(S.Context, 3097 ObjCContext); 3098 if (!AT.isValid()) 3099 return true; 3100 3101 QualType ExprTy = E->getType(); 3102 while (const TypeOfExprType *TET = dyn_cast<TypeOfExprType>(ExprTy)) { 3103 ExprTy = TET->getUnderlyingExpr()->getType(); 3104 } 3105 3106 if (AT.matchesType(S.Context, ExprTy)) 3107 return true; 3108 3109 // Look through argument promotions for our error message's reported type. 3110 // This includes the integral and floating promotions, but excludes array 3111 // and function pointer decay; seeing that an argument intended to be a 3112 // string has type 'char [6]' is probably more confusing than 'char *'. 3113 if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) { 3114 if (ICE->getCastKind() == CK_IntegralCast || 3115 ICE->getCastKind() == CK_FloatingCast) { 3116 E = ICE->getSubExpr(); 3117 ExprTy = E->getType(); 3118 3119 // Check if we didn't match because of an implicit cast from a 'char' 3120 // or 'short' to an 'int'. This is done because printf is a varargs 3121 // function. 3122 if (ICE->getType() == S.Context.IntTy || 3123 ICE->getType() == S.Context.UnsignedIntTy) { 3124 // All further checking is done on the subexpression. 3125 if (AT.matchesType(S.Context, ExprTy)) 3126 return true; 3127 } 3128 } 3129 } else if (const CharacterLiteral *CL = dyn_cast<CharacterLiteral>(E)) { 3130 // Special case for 'a', which has type 'int' in C. 3131 // Note, however, that we do /not/ want to treat multibyte constants like 3132 // 'MooV' as characters! This form is deprecated but still exists. 3133 if (ExprTy == S.Context.IntTy) 3134 if (llvm::isUIntN(S.Context.getCharWidth(), CL->getValue())) 3135 ExprTy = S.Context.CharTy; 3136 } 3137 3138 // Look through enums to their underlying type. 3139 bool IsEnum = false; 3140 if (auto EnumTy = ExprTy->getAs<EnumType>()) { 3141 ExprTy = EnumTy->getDecl()->getIntegerType(); 3142 IsEnum = true; 3143 } 3144 3145 // %C in an Objective-C context prints a unichar, not a wchar_t. 3146 // If the argument is an integer of some kind, believe the %C and suggest 3147 // a cast instead of changing the conversion specifier. 3148 QualType IntendedTy = ExprTy; 3149 if (ObjCContext && 3150 FS.getConversionSpecifier().getKind() == ConversionSpecifier::CArg) { 3151 if (ExprTy->isIntegralOrUnscopedEnumerationType() && 3152 !ExprTy->isCharType()) { 3153 // 'unichar' is defined as a typedef of unsigned short, but we should 3154 // prefer using the typedef if it is visible. 3155 IntendedTy = S.Context.UnsignedShortTy; 3156 3157 // While we are here, check if the value is an IntegerLiteral that happens 3158 // to be within the valid range. 3159 if (const IntegerLiteral *IL = dyn_cast<IntegerLiteral>(E)) { 3160 const llvm::APInt &V = IL->getValue(); 3161 if (V.getActiveBits() <= S.Context.getTypeSize(IntendedTy)) 3162 return true; 3163 } 3164 3165 LookupResult Result(S, &S.Context.Idents.get("unichar"), E->getLocStart(), 3166 Sema::LookupOrdinaryName); 3167 if (S.LookupName(Result, S.getCurScope())) { 3168 NamedDecl *ND = Result.getFoundDecl(); 3169 if (TypedefNameDecl *TD = dyn_cast<TypedefNameDecl>(ND)) 3170 if (TD->getUnderlyingType() == IntendedTy) 3171 IntendedTy = S.Context.getTypedefType(TD); 3172 } 3173 } 3174 } 3175 3176 // Special-case some of Darwin's platform-independence types by suggesting 3177 // casts to primitive types that are known to be large enough. 3178 bool ShouldNotPrintDirectly = false; 3179 if (S.Context.getTargetInfo().getTriple().isOSDarwin()) { 3180 // Use a 'while' to peel off layers of typedefs. 3181 QualType TyTy = IntendedTy; 3182 while (const TypedefType *UserTy = TyTy->getAs<TypedefType>()) { 3183 StringRef Name = UserTy->getDecl()->getName(); 3184 QualType CastTy = llvm::StringSwitch<QualType>(Name) 3185 .Case("NSInteger", S.Context.LongTy) 3186 .Case("NSUInteger", S.Context.UnsignedLongTy) 3187 .Case("SInt32", S.Context.IntTy) 3188 .Case("UInt32", S.Context.UnsignedIntTy) 3189 .Default(QualType()); 3190 3191 if (!CastTy.isNull()) { 3192 ShouldNotPrintDirectly = true; 3193 IntendedTy = CastTy; 3194 break; 3195 } 3196 TyTy = UserTy->desugar(); 3197 } 3198 } 3199 3200 // We may be able to offer a FixItHint if it is a supported type. 3201 PrintfSpecifier fixedFS = FS; 3202 bool success = fixedFS.fixType(IntendedTy, S.getLangOpts(), 3203 S.Context, ObjCContext); 3204 3205 if (success) { 3206 // Get the fix string from the fixed format specifier 3207 SmallString<16> buf; 3208 llvm::raw_svector_ostream os(buf); 3209 fixedFS.toString(os); 3210 3211 CharSourceRange SpecRange = getSpecifierRange(StartSpecifier, SpecifierLen); 3212 3213 if (IntendedTy == ExprTy) { 3214 // In this case, the specifier is wrong and should be changed to match 3215 // the argument. 3216 EmitFormatDiagnostic( 3217 S.PDiag(diag::warn_format_conversion_argument_type_mismatch) 3218 << AT.getRepresentativeTypeName(S.Context) << IntendedTy << IsEnum 3219 << E->getSourceRange(), 3220 E->getLocStart(), 3221 /*IsStringLocation*/false, 3222 SpecRange, 3223 FixItHint::CreateReplacement(SpecRange, os.str())); 3224 3225 } else { 3226 // The canonical type for formatting this value is different from the 3227 // actual type of the expression. (This occurs, for example, with Darwin's 3228 // NSInteger on 32-bit platforms, where it is typedef'd as 'int', but 3229 // should be printed as 'long' for 64-bit compatibility.) 3230 // Rather than emitting a normal format/argument mismatch, we want to 3231 // add a cast to the recommended type (and correct the format string 3232 // if necessary). 3233 SmallString<16> CastBuf; 3234 llvm::raw_svector_ostream CastFix(CastBuf); 3235 CastFix << "("; 3236 IntendedTy.print(CastFix, S.Context.getPrintingPolicy()); 3237 CastFix << ")"; 3238 3239 SmallVector<FixItHint,4> Hints; 3240 if (!AT.matchesType(S.Context, IntendedTy)) 3241 Hints.push_back(FixItHint::CreateReplacement(SpecRange, os.str())); 3242 3243 if (const CStyleCastExpr *CCast = dyn_cast<CStyleCastExpr>(E)) { 3244 // If there's already a cast present, just replace it. 3245 SourceRange CastRange(CCast->getLParenLoc(), CCast->getRParenLoc()); 3246 Hints.push_back(FixItHint::CreateReplacement(CastRange, CastFix.str())); 3247 3248 } else if (!requiresParensToAddCast(E)) { 3249 // If the expression has high enough precedence, 3250 // just write the C-style cast. 3251 Hints.push_back(FixItHint::CreateInsertion(E->getLocStart(), 3252 CastFix.str())); 3253 } else { 3254 // Otherwise, add parens around the expression as well as the cast. 3255 CastFix << "("; 3256 Hints.push_back(FixItHint::CreateInsertion(E->getLocStart(), 3257 CastFix.str())); 3258 3259 SourceLocation After = S.getLocForEndOfToken(E->getLocEnd()); 3260 Hints.push_back(FixItHint::CreateInsertion(After, ")")); 3261 } 3262 3263 if (ShouldNotPrintDirectly) { 3264 // The expression has a type that should not be printed directly. 3265 // We extract the name from the typedef because we don't want to show 3266 // the underlying type in the diagnostic. 3267 StringRef Name = cast<TypedefType>(ExprTy)->getDecl()->getName(); 3268 3269 EmitFormatDiagnostic(S.PDiag(diag::warn_format_argument_needs_cast) 3270 << Name << IntendedTy << IsEnum 3271 << E->getSourceRange(), 3272 E->getLocStart(), /*IsStringLocation=*/false, 3273 SpecRange, Hints); 3274 } else { 3275 // In this case, the expression could be printed using a different 3276 // specifier, but we've decided that the specifier is probably correct 3277 // and we should cast instead. Just use the normal warning message. 3278 EmitFormatDiagnostic( 3279 S.PDiag(diag::warn_format_conversion_argument_type_mismatch) 3280 << AT.getRepresentativeTypeName(S.Context) << ExprTy << IsEnum 3281 << E->getSourceRange(), 3282 E->getLocStart(), /*IsStringLocation*/false, 3283 SpecRange, Hints); 3284 } 3285 } 3286 } else { 3287 const CharSourceRange &CSR = getSpecifierRange(StartSpecifier, 3288 SpecifierLen); 3289 // Since the warning for passing non-POD types to variadic functions 3290 // was deferred until now, we emit a warning for non-POD 3291 // arguments here. 3292 switch (S.isValidVarArgType(ExprTy)) { 3293 case Sema::VAK_Valid: 3294 case Sema::VAK_ValidInCXX11: 3295 EmitFormatDiagnostic( 3296 S.PDiag(diag::warn_format_conversion_argument_type_mismatch) 3297 << AT.getRepresentativeTypeName(S.Context) << ExprTy << IsEnum 3298 << CSR 3299 << E->getSourceRange(), 3300 E->getLocStart(), /*IsStringLocation*/false, CSR); 3301 break; 3302 3303 case Sema::VAK_Undefined: 3304 EmitFormatDiagnostic( 3305 S.PDiag(diag::warn_non_pod_vararg_with_format_string) 3306 << S.getLangOpts().CPlusPlus11 3307 << ExprTy 3308 << CallType 3309 << AT.getRepresentativeTypeName(S.Context) 3310 << CSR 3311 << E->getSourceRange(), 3312 E->getLocStart(), /*IsStringLocation*/false, CSR); 3313 checkForCStrMembers(AT, E); 3314 break; 3315 3316 case Sema::VAK_Invalid: 3317 if (ExprTy->isObjCObjectType()) 3318 EmitFormatDiagnostic( 3319 S.PDiag(diag::err_cannot_pass_objc_interface_to_vararg_format) 3320 << S.getLangOpts().CPlusPlus11 3321 << ExprTy 3322 << CallType 3323 << AT.getRepresentativeTypeName(S.Context) 3324 << CSR 3325 << E->getSourceRange(), 3326 E->getLocStart(), /*IsStringLocation*/false, CSR); 3327 else 3328 // FIXME: If this is an initializer list, suggest removing the braces 3329 // or inserting a cast to the target type. 3330 S.Diag(E->getLocStart(), diag::err_cannot_pass_to_vararg_format) 3331 << isa<InitListExpr>(E) << ExprTy << CallType 3332 << AT.getRepresentativeTypeName(S.Context) 3333 << E->getSourceRange(); 3334 break; 3335 } 3336 3337 assert(FirstDataArg + FS.getArgIndex() < CheckedVarArgs.size() && 3338 "format string specifier index out of range"); 3339 CheckedVarArgs[FirstDataArg + FS.getArgIndex()] = true; 3340 } 3341 3342 return true; 3343} 3344 3345//===--- CHECK: Scanf format string checking ------------------------------===// 3346 3347namespace { 3348class CheckScanfHandler : public CheckFormatHandler { 3349public: 3350 CheckScanfHandler(Sema &s, const StringLiteral *fexpr, 3351 const Expr *origFormatExpr, unsigned firstDataArg, 3352 unsigned numDataArgs, const char *beg, bool hasVAListArg, 3353 ArrayRef<const Expr *> Args, 3354 unsigned formatIdx, bool inFunctionCall, 3355 Sema::VariadicCallType CallType, 3356 llvm::SmallBitVector &CheckedVarArgs) 3357 : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg, 3358 numDataArgs, beg, hasVAListArg, 3359 Args, formatIdx, inFunctionCall, CallType, 3360 CheckedVarArgs) 3361 {} 3362 3363 bool HandleScanfSpecifier(const analyze_scanf::ScanfSpecifier &FS, 3364 const char *startSpecifier, 3365 unsigned specifierLen) override; 3366 3367 bool HandleInvalidScanfConversionSpecifier( 3368 const analyze_scanf::ScanfSpecifier &FS, 3369 const char *startSpecifier, 3370 unsigned specifierLen) override; 3371 3372 void HandleIncompleteScanList(const char *start, const char *end) override; 3373}; 3374} 3375 3376void CheckScanfHandler::HandleIncompleteScanList(const char *start, 3377 const char *end) { 3378 EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_scanlist_incomplete), 3379 getLocationOfByte(end), /*IsStringLocation*/true, 3380 getSpecifierRange(start, end - start)); 3381} 3382 3383bool CheckScanfHandler::HandleInvalidScanfConversionSpecifier( 3384 const analyze_scanf::ScanfSpecifier &FS, 3385 const char *startSpecifier, 3386 unsigned specifierLen) { 3387 3388 const analyze_scanf::ScanfConversionSpecifier &CS = 3389 FS.getConversionSpecifier(); 3390 3391 return HandleInvalidConversionSpecifier(FS.getArgIndex(), 3392 getLocationOfByte(CS.getStart()), 3393 startSpecifier, specifierLen, 3394 CS.getStart(), CS.getLength()); 3395} 3396 3397bool CheckScanfHandler::HandleScanfSpecifier( 3398 const analyze_scanf::ScanfSpecifier &FS, 3399 const char *startSpecifier, 3400 unsigned specifierLen) { 3401 3402 using namespace analyze_scanf; 3403 using namespace analyze_format_string; 3404 3405 const ScanfConversionSpecifier &CS = FS.getConversionSpecifier(); 3406 3407 // Handle case where '%' and '*' don't consume an argument. These shouldn't 3408 // be used to decide if we are using positional arguments consistently. 3409 if (FS.consumesDataArgument()) { 3410 if (atFirstArg) { 3411 atFirstArg = false; 3412 usesPositionalArgs = FS.usesPositionalArg(); 3413 } 3414 else if (usesPositionalArgs != FS.usesPositionalArg()) { 3415 HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()), 3416 startSpecifier, specifierLen); 3417 return false; 3418 } 3419 } 3420 3421 // Check if the field with is non-zero. 3422 const OptionalAmount &Amt = FS.getFieldWidth(); 3423 if (Amt.getHowSpecified() == OptionalAmount::Constant) { 3424 if (Amt.getConstantAmount() == 0) { 3425 const CharSourceRange &R = getSpecifierRange(Amt.getStart(), 3426 Amt.getConstantLength()); 3427 EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_nonzero_width), 3428 getLocationOfByte(Amt.getStart()), 3429 /*IsStringLocation*/true, R, 3430 FixItHint::CreateRemoval(R)); 3431 } 3432 } 3433 3434 if (!FS.consumesDataArgument()) { 3435 // FIXME: Technically specifying a precision or field width here 3436 // makes no sense. Worth issuing a warning at some point. 3437 return true; 3438 } 3439 3440 // Consume the argument. 3441 unsigned argIndex = FS.getArgIndex(); 3442 if (argIndex < NumDataArgs) { 3443 // The check to see if the argIndex is valid will come later. 3444 // We set the bit here because we may exit early from this 3445 // function if we encounter some other error. 3446 CoveredArgs.set(argIndex); 3447 } 3448 3449 // Check the length modifier is valid with the given conversion specifier. 3450 if (!FS.hasValidLengthModifier(S.getASTContext().getTargetInfo())) 3451 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, 3452 diag::warn_format_nonsensical_length); 3453 else if (!FS.hasStandardLengthModifier()) 3454 HandleNonStandardLengthModifier(FS, startSpecifier, specifierLen); 3455 else if (!FS.hasStandardLengthConversionCombination()) 3456 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, 3457 diag::warn_format_non_standard_conversion_spec); 3458 3459 if (!FS.hasStandardConversionSpecifier(S.getLangOpts())) 3460 HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen); 3461 3462 // The remaining checks depend on the data arguments. 3463 if (HasVAListArg) 3464 return true; 3465 3466 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex)) 3467 return false; 3468 3469 // Check that the argument type matches the format specifier. 3470 const Expr *Ex = getDataArg(argIndex); 3471 if (!Ex) 3472 return true; 3473 3474 const analyze_format_string::ArgType &AT = FS.getArgType(S.Context); 3475 if (AT.isValid() && !AT.matchesType(S.Context, Ex->getType())) { 3476 ScanfSpecifier fixedFS = FS; 3477 bool success = fixedFS.fixType(Ex->getType(), 3478 Ex->IgnoreImpCasts()->getType(), 3479 S.getLangOpts(), S.Context); 3480 3481 if (success) { 3482 // Get the fix string from the fixed format specifier. 3483 SmallString<128> buf; 3484 llvm::raw_svector_ostream os(buf); 3485 fixedFS.toString(os); 3486 3487 EmitFormatDiagnostic( 3488 S.PDiag(diag::warn_format_conversion_argument_type_mismatch) 3489 << AT.getRepresentativeTypeName(S.Context) << Ex->getType() << false 3490 << Ex->getSourceRange(), 3491 Ex->getLocStart(), 3492 /*IsStringLocation*/false, 3493 getSpecifierRange(startSpecifier, specifierLen), 3494 FixItHint::CreateReplacement( 3495 getSpecifierRange(startSpecifier, specifierLen), 3496 os.str())); 3497 } else { 3498 EmitFormatDiagnostic( 3499 S.PDiag(diag::warn_format_conversion_argument_type_mismatch) 3500 << AT.getRepresentativeTypeName(S.Context) << Ex->getType() << false 3501 << Ex->getSourceRange(), 3502 Ex->getLocStart(), 3503 /*IsStringLocation*/false, 3504 getSpecifierRange(startSpecifier, specifierLen)); 3505 } 3506 } 3507 3508 return true; 3509} 3510 3511void Sema::CheckFormatString(const StringLiteral *FExpr, 3512 const Expr *OrigFormatExpr, 3513 ArrayRef<const Expr *> Args, 3514 bool HasVAListArg, unsigned format_idx, 3515 unsigned firstDataArg, FormatStringType Type, 3516 bool inFunctionCall, VariadicCallType CallType, 3517 llvm::SmallBitVector &CheckedVarArgs) { 3518 3519 // CHECK: is the format string a wide literal? 3520 if (!FExpr->isAscii() && !FExpr->isUTF8()) { 3521 CheckFormatHandler::EmitFormatDiagnostic( 3522 *this, inFunctionCall, Args[format_idx], 3523 PDiag(diag::warn_format_string_is_wide_literal), FExpr->getLocStart(), 3524 /*IsStringLocation*/true, OrigFormatExpr->getSourceRange()); 3525 return; 3526 } 3527 3528 // Str - The format string. NOTE: this is NOT null-terminated! 3529 StringRef StrRef = FExpr->getString(); 3530 const char *Str = StrRef.data(); 3531 // Account for cases where the string literal is truncated in a declaration. 3532 const ConstantArrayType *T = Context.getAsConstantArrayType(FExpr->getType()); 3533 assert(T && "String literal not of constant array type!"); 3534 size_t TypeSize = T->getSize().getZExtValue(); 3535 size_t StrLen = std::min(std::max(TypeSize, size_t(1)) - 1, StrRef.size()); 3536 const unsigned numDataArgs = Args.size() - firstDataArg; 3537 3538 // Emit a warning if the string literal is truncated and does not contain an 3539 // embedded null character. 3540 if (TypeSize <= StrRef.size() && 3541 StrRef.substr(0, TypeSize).find('\0') == StringRef::npos) { 3542 CheckFormatHandler::EmitFormatDiagnostic( 3543 *this, inFunctionCall, Args[format_idx], 3544 PDiag(diag::warn_printf_format_string_not_null_terminated), 3545 FExpr->getLocStart(), 3546 /*IsStringLocation=*/true, OrigFormatExpr->getSourceRange()); 3547 return; 3548 } 3549 3550 // CHECK: empty format string? 3551 if (StrLen == 0 && numDataArgs > 0) { 3552 CheckFormatHandler::EmitFormatDiagnostic( 3553 *this, inFunctionCall, Args[format_idx], 3554 PDiag(diag::warn_empty_format_string), FExpr->getLocStart(), 3555 /*IsStringLocation*/true, OrigFormatExpr->getSourceRange()); 3556 return; 3557 } 3558 3559 if (Type == FST_Printf || Type == FST_NSString) { 3560 CheckPrintfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, 3561 numDataArgs, (Type == FST_NSString), 3562 Str, HasVAListArg, Args, format_idx, 3563 inFunctionCall, CallType, CheckedVarArgs); 3564 3565 if (!analyze_format_string::ParsePrintfString(H, Str, Str + StrLen, 3566 getLangOpts(), 3567 Context.getTargetInfo())) 3568 H.DoneProcessing(); 3569 } else if (Type == FST_Scanf) { 3570 CheckScanfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, numDataArgs, 3571 Str, HasVAListArg, Args, format_idx, 3572 inFunctionCall, CallType, CheckedVarArgs); 3573 3574 if (!analyze_format_string::ParseScanfString(H, Str, Str + StrLen, 3575 getLangOpts(), 3576 Context.getTargetInfo())) 3577 H.DoneProcessing(); 3578 } // TODO: handle other formats 3579} 3580 3581//===--- CHECK: Warn on use of wrong absolute value function. -------------===// 3582 3583// Returns the related absolute value function that is larger, of 0 if one 3584// does not exist. 3585static unsigned getLargerAbsoluteValueFunction(unsigned AbsFunction) { 3586 switch (AbsFunction) { 3587 default: 3588 return 0; 3589 3590 case Builtin::BI__builtin_abs: 3591 return Builtin::BI__builtin_labs; 3592 case Builtin::BI__builtin_labs: 3593 return Builtin::BI__builtin_llabs; 3594 case Builtin::BI__builtin_llabs: 3595 return 0; 3596 3597 case Builtin::BI__builtin_fabsf: 3598 return Builtin::BI__builtin_fabs; 3599 case Builtin::BI__builtin_fabs: 3600 return Builtin::BI__builtin_fabsl; 3601 case Builtin::BI__builtin_fabsl: 3602 return 0; 3603 3604 case Builtin::BI__builtin_cabsf: 3605 return Builtin::BI__builtin_cabs; 3606 case Builtin::BI__builtin_cabs: 3607 return Builtin::BI__builtin_cabsl; 3608 case Builtin::BI__builtin_cabsl: 3609 return 0; 3610 3611 case Builtin::BIabs: 3612 return Builtin::BIlabs; 3613 case Builtin::BIlabs: 3614 return Builtin::BIllabs; 3615 case Builtin::BIllabs: 3616 return 0; 3617 3618 case Builtin::BIfabsf: 3619 return Builtin::BIfabs; 3620 case Builtin::BIfabs: 3621 return Builtin::BIfabsl; 3622 case Builtin::BIfabsl: 3623 return 0; 3624 3625 case Builtin::BIcabsf: 3626 return Builtin::BIcabs; 3627 case Builtin::BIcabs: 3628 return Builtin::BIcabsl; 3629 case Builtin::BIcabsl: 3630 return 0; 3631 } 3632} 3633 3634// Returns the argument type of the absolute value function. 3635static QualType getAbsoluteValueArgumentType(ASTContext &Context, 3636 unsigned AbsType) { 3637 if (AbsType == 0) 3638 return QualType(); 3639 3640 ASTContext::GetBuiltinTypeError Error = ASTContext::GE_None; 3641 QualType BuiltinType = Context.GetBuiltinType(AbsType, Error); 3642 if (Error != ASTContext::GE_None) 3643 return QualType(); 3644 3645 const FunctionProtoType *FT = BuiltinType->getAs<FunctionProtoType>(); 3646 if (!FT) 3647 return QualType(); 3648 3649 if (FT->getNumParams() != 1) 3650 return QualType(); 3651 3652 return FT->getParamType(0); 3653} 3654 3655// Returns the best absolute value function, or zero, based on type and 3656// current absolute value function. 3657static unsigned getBestAbsFunction(ASTContext &Context, QualType ArgType, 3658 unsigned AbsFunctionKind) { 3659 unsigned BestKind = 0; 3660 uint64_t ArgSize = Context.getTypeSize(ArgType); 3661 for (unsigned Kind = AbsFunctionKind; Kind != 0; 3662 Kind = getLargerAbsoluteValueFunction(Kind)) { 3663 QualType ParamType = getAbsoluteValueArgumentType(Context, Kind); 3664 if (Context.getTypeSize(ParamType) >= ArgSize) { 3665 if (BestKind == 0) 3666 BestKind = Kind; 3667 else if (Context.hasSameType(ParamType, ArgType)) { 3668 BestKind = Kind; 3669 break; 3670 } 3671 } 3672 } 3673 return BestKind; 3674} 3675 3676enum AbsoluteValueKind { 3677 AVK_Integer, 3678 AVK_Floating, 3679 AVK_Complex 3680}; 3681 3682static AbsoluteValueKind getAbsoluteValueKind(QualType T) { 3683 if (T->isIntegralOrEnumerationType()) 3684 return AVK_Integer; 3685 if (T->isRealFloatingType()) 3686 return AVK_Floating; 3687 if (T->isAnyComplexType()) 3688 return AVK_Complex; 3689 3690 llvm_unreachable("Type not integer, floating, or complex"); 3691} 3692 3693// Changes the absolute value function to a different type. Preserves whether 3694// the function is a builtin. 3695static unsigned changeAbsFunction(unsigned AbsKind, 3696 AbsoluteValueKind ValueKind) { 3697 switch (ValueKind) { 3698 case AVK_Integer: 3699 switch (AbsKind) { 3700 default: 3701 return 0; 3702 case Builtin::BI__builtin_fabsf: 3703 case Builtin::BI__builtin_fabs: 3704 case Builtin::BI__builtin_fabsl: 3705 case Builtin::BI__builtin_cabsf: 3706 case Builtin::BI__builtin_cabs: 3707 case Builtin::BI__builtin_cabsl: 3708 return Builtin::BI__builtin_abs; 3709 case Builtin::BIfabsf: 3710 case Builtin::BIfabs: 3711 case Builtin::BIfabsl: 3712 case Builtin::BIcabsf: 3713 case Builtin::BIcabs: 3714 case Builtin::BIcabsl: 3715 return Builtin::BIabs; 3716 } 3717 case AVK_Floating: 3718 switch (AbsKind) { 3719 default: 3720 return 0; 3721 case Builtin::BI__builtin_abs: 3722 case Builtin::BI__builtin_labs: 3723 case Builtin::BI__builtin_llabs: 3724 case Builtin::BI__builtin_cabsf: 3725 case Builtin::BI__builtin_cabs: 3726 case Builtin::BI__builtin_cabsl: 3727 return Builtin::BI__builtin_fabsf; 3728 case Builtin::BIabs: 3729 case Builtin::BIlabs: 3730 case Builtin::BIllabs: 3731 case Builtin::BIcabsf: 3732 case Builtin::BIcabs: 3733 case Builtin::BIcabsl: 3734 return Builtin::BIfabsf; 3735 } 3736 case AVK_Complex: 3737 switch (AbsKind) { 3738 default: 3739 return 0; 3740 case Builtin::BI__builtin_abs: 3741 case Builtin::BI__builtin_labs: 3742 case Builtin::BI__builtin_llabs: 3743 case Builtin::BI__builtin_fabsf: 3744 case Builtin::BI__builtin_fabs: 3745 case Builtin::BI__builtin_fabsl: 3746 return Builtin::BI__builtin_cabsf; 3747 case Builtin::BIabs: 3748 case Builtin::BIlabs: 3749 case Builtin::BIllabs: 3750 case Builtin::BIfabsf: 3751 case Builtin::BIfabs: 3752 case Builtin::BIfabsl: 3753 return Builtin::BIcabsf; 3754 } 3755 } 3756 llvm_unreachable("Unable to convert function"); 3757} 3758 3759static unsigned getAbsoluteValueFunctionKind(const FunctionDecl *FDecl) { 3760 const IdentifierInfo *FnInfo = FDecl->getIdentifier(); 3761 if (!FnInfo) 3762 return 0; 3763 3764 switch (FDecl->getBuiltinID()) { 3765 default: 3766 return 0; 3767 case Builtin::BI__builtin_abs: 3768 case Builtin::BI__builtin_fabs: 3769 case Builtin::BI__builtin_fabsf: 3770 case Builtin::BI__builtin_fabsl: 3771 case Builtin::BI__builtin_labs: 3772 case Builtin::BI__builtin_llabs: 3773 case Builtin::BI__builtin_cabs: 3774 case Builtin::BI__builtin_cabsf: 3775 case Builtin::BI__builtin_cabsl: 3776 case Builtin::BIabs: 3777 case Builtin::BIlabs: 3778 case Builtin::BIllabs: 3779 case Builtin::BIfabs: 3780 case Builtin::BIfabsf: 3781 case Builtin::BIfabsl: 3782 case Builtin::BIcabs: 3783 case Builtin::BIcabsf: 3784 case Builtin::BIcabsl: 3785 return FDecl->getBuiltinID(); 3786 } 3787 llvm_unreachable("Unknown Builtin type"); 3788} 3789 3790// If the replacement is valid, emit a note with replacement function. 3791// Additionally, suggest including the proper header if not already included. 3792static void emitReplacement(Sema &S, SourceLocation Loc, SourceRange Range, 3793 unsigned AbsKind, QualType ArgType) { 3794 bool EmitHeaderHint = true; 3795 const char *HeaderName = nullptr; 3796 const char *FunctionName = nullptr; 3797 if (S.getLangOpts().CPlusPlus && !ArgType->isAnyComplexType()) { 3798 FunctionName = "std::abs"; 3799 if (ArgType->isIntegralOrEnumerationType()) { 3800 HeaderName = "cstdlib"; 3801 } else if (ArgType->isRealFloatingType()) { 3802 HeaderName = "cmath"; 3803 } else { 3804 llvm_unreachable("Invalid Type"); 3805 } 3806 3807 // Lookup all std::abs 3808 if (NamespaceDecl *Std = S.getStdNamespace()) { 3809 LookupResult R(S, &S.Context.Idents.get("abs"), Loc, Sema::LookupAnyName); 3810 R.suppressDiagnostics(); 3811 S.LookupQualifiedName(R, Std); 3812 3813 for (const auto *I : R) { 3814 const FunctionDecl *FDecl = nullptr; 3815 if (const UsingShadowDecl *UsingD = dyn_cast<UsingShadowDecl>(I)) { 3816 FDecl = dyn_cast<FunctionDecl>(UsingD->getTargetDecl()); 3817 } else { 3818 FDecl = dyn_cast<FunctionDecl>(I); 3819 } 3820 if (!FDecl) 3821 continue; 3822 3823 // Found std::abs(), check that they are the right ones. 3824 if (FDecl->getNumParams() != 1) 3825 continue; 3826 3827 // Check that the parameter type can handle the argument. 3828 QualType ParamType = FDecl->getParamDecl(0)->getType(); 3829 if (getAbsoluteValueKind(ArgType) == getAbsoluteValueKind(ParamType) && 3830 S.Context.getTypeSize(ArgType) <= 3831 S.Context.getTypeSize(ParamType)) { 3832 // Found a function, don't need the header hint. 3833 EmitHeaderHint = false; 3834 break; 3835 } 3836 } 3837 } 3838 } else { 3839 FunctionName = S.Context.BuiltinInfo.GetName(AbsKind); 3840 HeaderName = S.Context.BuiltinInfo.getHeaderName(AbsKind); 3841 3842 if (HeaderName) { 3843 DeclarationName DN(&S.Context.Idents.get(FunctionName)); 3844 LookupResult R(S, DN, Loc, Sema::LookupAnyName); 3845 R.suppressDiagnostics(); 3846 S.LookupName(R, S.getCurScope()); 3847 3848 if (R.isSingleResult()) { 3849 FunctionDecl *FD = dyn_cast<FunctionDecl>(R.getFoundDecl()); 3850 if (FD && FD->getBuiltinID() == AbsKind) { 3851 EmitHeaderHint = false; 3852 } else { 3853 return; 3854 } 3855 } else if (!R.empty()) { 3856 return; 3857 } 3858 } 3859 } 3860 3861 S.Diag(Loc, diag::note_replace_abs_function) 3862 << FunctionName << FixItHint::CreateReplacement(Range, FunctionName); 3863 3864 if (!HeaderName) 3865 return; 3866 3867 if (!EmitHeaderHint) 3868 return; 3869 3870 S.Diag(Loc, diag::note_please_include_header) << HeaderName << FunctionName; 3871} 3872 3873static bool IsFunctionStdAbs(const FunctionDecl *FDecl) { 3874 if (!FDecl) 3875 return false; 3876 3877 if (!FDecl->getIdentifier() || !FDecl->getIdentifier()->isStr("abs")) 3878 return false; 3879 3880 const NamespaceDecl *ND = dyn_cast<NamespaceDecl>(FDecl->getDeclContext()); 3881 3882 while (ND && ND->isInlineNamespace()) { 3883 ND = dyn_cast<NamespaceDecl>(ND->getDeclContext()); 3884 } 3885 3886 if (!ND || !ND->getIdentifier() || !ND->getIdentifier()->isStr("std")) 3887 return false; 3888 3889 if (!isa<TranslationUnitDecl>(ND->getDeclContext())) 3890 return false; 3891 3892 return true; 3893} 3894 3895// Warn when using the wrong abs() function. 3896void Sema::CheckAbsoluteValueFunction(const CallExpr *Call, 3897 const FunctionDecl *FDecl, 3898 IdentifierInfo *FnInfo) { 3899 if (Call->getNumArgs() != 1) 3900 return; 3901 3902 unsigned AbsKind = getAbsoluteValueFunctionKind(FDecl); 3903 bool IsStdAbs = IsFunctionStdAbs(FDecl); 3904 if (AbsKind == 0 && !IsStdAbs) 3905 return; 3906 3907 QualType ArgType = Call->getArg(0)->IgnoreParenImpCasts()->getType(); 3908 QualType ParamType = Call->getArg(0)->getType(); 3909 3910 // Unsigned types can not be negative. Suggest to drop the absolute value 3911 // function. 3912 if (ArgType->isUnsignedIntegerType()) { 3913 const char *FunctionName = 3914 IsStdAbs ? "std::abs" : Context.BuiltinInfo.GetName(AbsKind); 3915 Diag(Call->getExprLoc(), diag::warn_unsigned_abs) << ArgType << ParamType; 3916 Diag(Call->getExprLoc(), diag::note_remove_abs) 3917 << FunctionName 3918 << FixItHint::CreateRemoval(Call->getCallee()->getSourceRange()); 3919 return; 3920 } 3921 3922 // std::abs has overloads which prevent most of the absolute value problems 3923 // from occurring. 3924 if (IsStdAbs) 3925 return; 3926 3927 AbsoluteValueKind ArgValueKind = getAbsoluteValueKind(ArgType); 3928 AbsoluteValueKind ParamValueKind = getAbsoluteValueKind(ParamType); 3929 3930 // The argument and parameter are the same kind. Check if they are the right 3931 // size. 3932 if (ArgValueKind == ParamValueKind) { 3933 if (Context.getTypeSize(ArgType) <= Context.getTypeSize(ParamType)) 3934 return; 3935 3936 unsigned NewAbsKind = getBestAbsFunction(Context, ArgType, AbsKind); 3937 Diag(Call->getExprLoc(), diag::warn_abs_too_small) 3938 << FDecl << ArgType << ParamType; 3939 3940 if (NewAbsKind == 0) 3941 return; 3942 3943 emitReplacement(*this, Call->getExprLoc(), 3944 Call->getCallee()->getSourceRange(), NewAbsKind, ArgType); 3945 return; 3946 } 3947 3948 // ArgValueKind != ParamValueKind 3949 // The wrong type of absolute value function was used. Attempt to find the 3950 // proper one. 3951 unsigned NewAbsKind = changeAbsFunction(AbsKind, ArgValueKind); 3952 NewAbsKind = getBestAbsFunction(Context, ArgType, NewAbsKind); 3953 if (NewAbsKind == 0) 3954 return; 3955 3956 Diag(Call->getExprLoc(), diag::warn_wrong_absolute_value_type) 3957 << FDecl << ParamValueKind << ArgValueKind; 3958 3959 emitReplacement(*this, Call->getExprLoc(), 3960 Call->getCallee()->getSourceRange(), NewAbsKind, ArgType); 3961 return; 3962} 3963 3964//===--- CHECK: Standard memory functions ---------------------------------===// 3965 3966/// \brief Takes the expression passed to the size_t parameter of functions 3967/// such as memcmp, strncat, etc and warns if it's a comparison. 3968/// 3969/// This is to catch typos like `if (memcmp(&a, &b, sizeof(a) > 0))`. 3970static bool CheckMemorySizeofForComparison(Sema &S, const Expr *E, 3971 IdentifierInfo *FnName, 3972 SourceLocation FnLoc, 3973 SourceLocation RParenLoc) { 3974 const BinaryOperator *Size = dyn_cast<BinaryOperator>(E); 3975 if (!Size) 3976 return false; 3977 3978 // if E is binop and op is >, <, >=, <=, ==, &&, ||: 3979 if (!Size->isComparisonOp() && !Size->isEqualityOp() && !Size->isLogicalOp()) 3980 return false; 3981 3982 SourceRange SizeRange = Size->getSourceRange(); 3983 S.Diag(Size->getOperatorLoc(), diag::warn_memsize_comparison) 3984 << SizeRange << FnName; 3985 S.Diag(FnLoc, diag::note_memsize_comparison_paren) 3986 << FnName << FixItHint::CreateInsertion( 3987 S.getLocForEndOfToken(Size->getLHS()->getLocEnd()), ")") 3988 << FixItHint::CreateRemoval(RParenLoc); 3989 S.Diag(SizeRange.getBegin(), diag::note_memsize_comparison_cast_silence) 3990 << FixItHint::CreateInsertion(SizeRange.getBegin(), "(size_t)(") 3991 << FixItHint::CreateInsertion(S.getLocForEndOfToken(SizeRange.getEnd()), 3992 ")"); 3993 3994 return true; 3995} 3996 3997/// \brief Determine whether the given type is or contains a dynamic class type 3998/// (e.g., whether it has a vtable). 3999static const CXXRecordDecl *getContainedDynamicClass(QualType T, 4000 bool &IsContained) { 4001 // Look through array types while ignoring qualifiers. 4002 const Type *Ty = T->getBaseElementTypeUnsafe(); 4003 IsContained = false; 4004 4005 const CXXRecordDecl *RD = Ty->getAsCXXRecordDecl(); 4006 RD = RD ? RD->getDefinition() : nullptr; 4007 if (!RD) 4008 return nullptr; 4009 4010 if (RD->isDynamicClass()) 4011 return RD; 4012 4013 // Check all the fields. If any bases were dynamic, the class is dynamic. 4014 // It's impossible for a class to transitively contain itself by value, so 4015 // infinite recursion is impossible. 4016 for (auto *FD : RD->fields()) { 4017 bool SubContained; 4018 if (const CXXRecordDecl *ContainedRD = 4019 getContainedDynamicClass(FD->getType(), SubContained)) { 4020 IsContained = true; 4021 return ContainedRD; 4022 } 4023 } 4024 4025 return nullptr; 4026} 4027 4028/// \brief If E is a sizeof expression, returns its argument expression, 4029/// otherwise returns NULL. 4030static const Expr *getSizeOfExprArg(const Expr* E) { 4031 if (const UnaryExprOrTypeTraitExpr *SizeOf = 4032 dyn_cast<UnaryExprOrTypeTraitExpr>(E)) 4033 if (SizeOf->getKind() == clang::UETT_SizeOf && !SizeOf->isArgumentType()) 4034 return SizeOf->getArgumentExpr()->IgnoreParenImpCasts(); 4035 4036 return nullptr; 4037} 4038 4039/// \brief If E is a sizeof expression, returns its argument type. 4040static QualType getSizeOfArgType(const Expr* E) { 4041 if (const UnaryExprOrTypeTraitExpr *SizeOf = 4042 dyn_cast<UnaryExprOrTypeTraitExpr>(E)) 4043 if (SizeOf->getKind() == clang::UETT_SizeOf) 4044 return SizeOf->getTypeOfArgument(); 4045 4046 return QualType(); 4047} 4048 4049/// \brief Check for dangerous or invalid arguments to memset(). 4050/// 4051/// This issues warnings on known problematic, dangerous or unspecified 4052/// arguments to the standard 'memset', 'memcpy', 'memmove', and 'memcmp' 4053/// function calls. 4054/// 4055/// \param Call The call expression to diagnose. 4056void Sema::CheckMemaccessArguments(const CallExpr *Call, 4057 unsigned BId, 4058 IdentifierInfo *FnName) { 4059 assert(BId != 0); 4060 4061 // It is possible to have a non-standard definition of memset. Validate 4062 // we have enough arguments, and if not, abort further checking. 4063 unsigned ExpectedNumArgs = (BId == Builtin::BIstrndup ? 2 : 3); 4064 if (Call->getNumArgs() < ExpectedNumArgs) 4065 return; 4066 4067 unsigned LastArg = (BId == Builtin::BImemset || 4068 BId == Builtin::BIstrndup ? 1 : 2); 4069 unsigned LenArg = (BId == Builtin::BIstrndup ? 1 : 2); 4070 const Expr *LenExpr = Call->getArg(LenArg)->IgnoreParenImpCasts(); 4071 4072 if (CheckMemorySizeofForComparison(*this, LenExpr, FnName, 4073 Call->getLocStart(), Call->getRParenLoc())) 4074 return; 4075 4076 // We have special checking when the length is a sizeof expression. 4077 QualType SizeOfArgTy = getSizeOfArgType(LenExpr); 4078 const Expr *SizeOfArg = getSizeOfExprArg(LenExpr); 4079 llvm::FoldingSetNodeID SizeOfArgID; 4080 4081 for (unsigned ArgIdx = 0; ArgIdx != LastArg; ++ArgIdx) { 4082 const Expr *Dest = Call->getArg(ArgIdx)->IgnoreParenImpCasts(); 4083 SourceRange ArgRange = Call->getArg(ArgIdx)->getSourceRange(); 4084 4085 QualType DestTy = Dest->getType(); 4086 if (const PointerType *DestPtrTy = DestTy->getAs<PointerType>()) { 4087 QualType PointeeTy = DestPtrTy->getPointeeType(); 4088 4089 // Never warn about void type pointers. This can be used to suppress 4090 // false positives. 4091 if (PointeeTy->isVoidType()) 4092 continue; 4093 4094 // Catch "memset(p, 0, sizeof(p))" -- needs to be sizeof(*p). Do this by 4095 // actually comparing the expressions for equality. Because computing the 4096 // expression IDs can be expensive, we only do this if the diagnostic is 4097 // enabled. 4098 if (SizeOfArg && 4099 !Diags.isIgnored(diag::warn_sizeof_pointer_expr_memaccess, 4100 SizeOfArg->getExprLoc())) { 4101 // We only compute IDs for expressions if the warning is enabled, and 4102 // cache the sizeof arg's ID. 4103 if (SizeOfArgID == llvm::FoldingSetNodeID()) 4104 SizeOfArg->Profile(SizeOfArgID, Context, true); 4105 llvm::FoldingSetNodeID DestID; 4106 Dest->Profile(DestID, Context, true); 4107 if (DestID == SizeOfArgID) { 4108 // TODO: For strncpy() and friends, this could suggest sizeof(dst) 4109 // over sizeof(src) as well. 4110 unsigned ActionIdx = 0; // Default is to suggest dereferencing. 4111 StringRef ReadableName = FnName->getName(); 4112 4113 if (const UnaryOperator *UnaryOp = dyn_cast<UnaryOperator>(Dest)) 4114 if (UnaryOp->getOpcode() == UO_AddrOf) 4115 ActionIdx = 1; // If its an address-of operator, just remove it. 4116 if (!PointeeTy->isIncompleteType() && 4117 (Context.getTypeSize(PointeeTy) == Context.getCharWidth())) 4118 ActionIdx = 2; // If the pointee's size is sizeof(char), 4119 // suggest an explicit length. 4120 4121 // If the function is defined as a builtin macro, do not show macro 4122 // expansion. 4123 SourceLocation SL = SizeOfArg->getExprLoc(); 4124 SourceRange DSR = Dest->getSourceRange(); 4125 SourceRange SSR = SizeOfArg->getSourceRange(); 4126 SourceManager &SM = getSourceManager(); 4127 4128 if (SM.isMacroArgExpansion(SL)) { 4129 ReadableName = Lexer::getImmediateMacroName(SL, SM, LangOpts); 4130 SL = SM.getSpellingLoc(SL); 4131 DSR = SourceRange(SM.getSpellingLoc(DSR.getBegin()), 4132 SM.getSpellingLoc(DSR.getEnd())); 4133 SSR = SourceRange(SM.getSpellingLoc(SSR.getBegin()), 4134 SM.getSpellingLoc(SSR.getEnd())); 4135 } 4136 4137 DiagRuntimeBehavior(SL, SizeOfArg, 4138 PDiag(diag::warn_sizeof_pointer_expr_memaccess) 4139 << ReadableName 4140 << PointeeTy 4141 << DestTy 4142 << DSR 4143 << SSR); 4144 DiagRuntimeBehavior(SL, SizeOfArg, 4145 PDiag(diag::warn_sizeof_pointer_expr_memaccess_note) 4146 << ActionIdx 4147 << SSR); 4148 4149 break; 4150 } 4151 } 4152 4153 // Also check for cases where the sizeof argument is the exact same 4154 // type as the memory argument, and where it points to a user-defined 4155 // record type. 4156 if (SizeOfArgTy != QualType()) { 4157 if (PointeeTy->isRecordType() && 4158 Context.typesAreCompatible(SizeOfArgTy, DestTy)) { 4159 DiagRuntimeBehavior(LenExpr->getExprLoc(), Dest, 4160 PDiag(diag::warn_sizeof_pointer_type_memaccess) 4161 << FnName << SizeOfArgTy << ArgIdx 4162 << PointeeTy << Dest->getSourceRange() 4163 << LenExpr->getSourceRange()); 4164 break; 4165 } 4166 } 4167 4168 // Always complain about dynamic classes. 4169 bool IsContained; 4170 if (const CXXRecordDecl *ContainedRD = 4171 getContainedDynamicClass(PointeeTy, IsContained)) { 4172 4173 unsigned OperationType = 0; 4174 // "overwritten" if we're warning about the destination for any call 4175 // but memcmp; otherwise a verb appropriate to the call. 4176 if (ArgIdx != 0 || BId == Builtin::BImemcmp) { 4177 if (BId == Builtin::BImemcpy) 4178 OperationType = 1; 4179 else if(BId == Builtin::BImemmove) 4180 OperationType = 2; 4181 else if (BId == Builtin::BImemcmp) 4182 OperationType = 3; 4183 } 4184 4185 DiagRuntimeBehavior( 4186 Dest->getExprLoc(), Dest, 4187 PDiag(diag::warn_dyn_class_memaccess) 4188 << (BId == Builtin::BImemcmp ? ArgIdx + 2 : ArgIdx) 4189 << FnName << IsContained << ContainedRD << OperationType 4190 << Call->getCallee()->getSourceRange()); 4191 } else if (PointeeTy.hasNonTrivialObjCLifetime() && 4192 BId != Builtin::BImemset) 4193 DiagRuntimeBehavior( 4194 Dest->getExprLoc(), Dest, 4195 PDiag(diag::warn_arc_object_memaccess) 4196 << ArgIdx << FnName << PointeeTy 4197 << Call->getCallee()->getSourceRange()); 4198 else 4199 continue; 4200 4201 DiagRuntimeBehavior( 4202 Dest->getExprLoc(), Dest, 4203 PDiag(diag::note_bad_memaccess_silence) 4204 << FixItHint::CreateInsertion(ArgRange.getBegin(), "(void*)")); 4205 break; 4206 } 4207 } 4208} 4209 4210// A little helper routine: ignore addition and subtraction of integer literals. 4211// This intentionally does not ignore all integer constant expressions because 4212// we don't want to remove sizeof(). 4213static const Expr *ignoreLiteralAdditions(const Expr *Ex, ASTContext &Ctx) { 4214 Ex = Ex->IgnoreParenCasts(); 4215 4216 for (;;) { 4217 const BinaryOperator * BO = dyn_cast<BinaryOperator>(Ex); 4218 if (!BO || !BO->isAdditiveOp()) 4219 break; 4220 4221 const Expr *RHS = BO->getRHS()->IgnoreParenCasts(); 4222 const Expr *LHS = BO->getLHS()->IgnoreParenCasts(); 4223 4224 if (isa<IntegerLiteral>(RHS)) 4225 Ex = LHS; 4226 else if (isa<IntegerLiteral>(LHS)) 4227 Ex = RHS; 4228 else 4229 break; 4230 } 4231 4232 return Ex; 4233} 4234 4235static bool isConstantSizeArrayWithMoreThanOneElement(QualType Ty, 4236 ASTContext &Context) { 4237 // Only handle constant-sized or VLAs, but not flexible members. 4238 if (const ConstantArrayType *CAT = Context.getAsConstantArrayType(Ty)) { 4239 // Only issue the FIXIT for arrays of size > 1. 4240 if (CAT->getSize().getSExtValue() <= 1) 4241 return false; 4242 } else if (!Ty->isVariableArrayType()) { 4243 return false; 4244 } 4245 return true; 4246} 4247 4248// Warn if the user has made the 'size' argument to strlcpy or strlcat 4249// be the size of the source, instead of the destination. 4250void Sema::CheckStrlcpycatArguments(const CallExpr *Call, 4251 IdentifierInfo *FnName) { 4252 4253 // Don't crash if the user has the wrong number of arguments 4254 if (Call->getNumArgs() != 3) 4255 return; 4256 4257 const Expr *SrcArg = ignoreLiteralAdditions(Call->getArg(1), Context); 4258 const Expr *SizeArg = ignoreLiteralAdditions(Call->getArg(2), Context); 4259 const Expr *CompareWithSrc = nullptr; 4260 4261 if (CheckMemorySizeofForComparison(*this, SizeArg, FnName, 4262 Call->getLocStart(), Call->getRParenLoc())) 4263 return; 4264 4265 // Look for 'strlcpy(dst, x, sizeof(x))' 4266 if (const Expr *Ex = getSizeOfExprArg(SizeArg)) 4267 CompareWithSrc = Ex; 4268 else { 4269 // Look for 'strlcpy(dst, x, strlen(x))' 4270 if (const CallExpr *SizeCall = dyn_cast<CallExpr>(SizeArg)) { 4271 if (SizeCall->getBuiltinCallee() == Builtin::BIstrlen && 4272 SizeCall->getNumArgs() == 1) 4273 CompareWithSrc = ignoreLiteralAdditions(SizeCall->getArg(0), Context); 4274 } 4275 } 4276 4277 if (!CompareWithSrc) 4278 return; 4279 4280 // Determine if the argument to sizeof/strlen is equal to the source 4281 // argument. In principle there's all kinds of things you could do 4282 // here, for instance creating an == expression and evaluating it with 4283 // EvaluateAsBooleanCondition, but this uses a more direct technique: 4284 const DeclRefExpr *SrcArgDRE = dyn_cast<DeclRefExpr>(SrcArg); 4285 if (!SrcArgDRE) 4286 return; 4287 4288 const DeclRefExpr *CompareWithSrcDRE = dyn_cast<DeclRefExpr>(CompareWithSrc); 4289 if (!CompareWithSrcDRE || 4290 SrcArgDRE->getDecl() != CompareWithSrcDRE->getDecl()) 4291 return; 4292 4293 const Expr *OriginalSizeArg = Call->getArg(2); 4294 Diag(CompareWithSrcDRE->getLocStart(), diag::warn_strlcpycat_wrong_size) 4295 << OriginalSizeArg->getSourceRange() << FnName; 4296 4297 // Output a FIXIT hint if the destination is an array (rather than a 4298 // pointer to an array). This could be enhanced to handle some 4299 // pointers if we know the actual size, like if DstArg is 'array+2' 4300 // we could say 'sizeof(array)-2'. 4301 const Expr *DstArg = Call->getArg(0)->IgnoreParenImpCasts(); 4302 if (!isConstantSizeArrayWithMoreThanOneElement(DstArg->getType(), Context)) 4303 return; 4304 4305 SmallString<128> sizeString; 4306 llvm::raw_svector_ostream OS(sizeString); 4307 OS << "sizeof("; 4308 DstArg->printPretty(OS, nullptr, getPrintingPolicy()); 4309 OS << ")"; 4310 4311 Diag(OriginalSizeArg->getLocStart(), diag::note_strlcpycat_wrong_size) 4312 << FixItHint::CreateReplacement(OriginalSizeArg->getSourceRange(), 4313 OS.str()); 4314} 4315 4316/// Check if two expressions refer to the same declaration. 4317static bool referToTheSameDecl(const Expr *E1, const Expr *E2) { 4318 if (const DeclRefExpr *D1 = dyn_cast_or_null<DeclRefExpr>(E1)) 4319 if (const DeclRefExpr *D2 = dyn_cast_or_null<DeclRefExpr>(E2)) 4320 return D1->getDecl() == D2->getDecl(); 4321 return false; 4322} 4323 4324static const Expr *getStrlenExprArg(const Expr *E) { 4325 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { 4326 const FunctionDecl *FD = CE->getDirectCallee(); 4327 if (!FD || FD->getMemoryFunctionKind() != Builtin::BIstrlen) 4328 return nullptr; 4329 return CE->getArg(0)->IgnoreParenCasts(); 4330 } 4331 return nullptr; 4332} 4333 4334// Warn on anti-patterns as the 'size' argument to strncat. 4335// The correct size argument should look like following: 4336// strncat(dst, src, sizeof(dst) - strlen(dest) - 1); 4337void Sema::CheckStrncatArguments(const CallExpr *CE, 4338 IdentifierInfo *FnName) { 4339 // Don't crash if the user has the wrong number of arguments. 4340 if (CE->getNumArgs() < 3) 4341 return; 4342 const Expr *DstArg = CE->getArg(0)->IgnoreParenCasts(); 4343 const Expr *SrcArg = CE->getArg(1)->IgnoreParenCasts(); 4344 const Expr *LenArg = CE->getArg(2)->IgnoreParenCasts(); 4345 4346 if (CheckMemorySizeofForComparison(*this, LenArg, FnName, CE->getLocStart(), 4347 CE->getRParenLoc())) 4348 return; 4349 4350 // Identify common expressions, which are wrongly used as the size argument 4351 // to strncat and may lead to buffer overflows. 4352 unsigned PatternType = 0; 4353 if (const Expr *SizeOfArg = getSizeOfExprArg(LenArg)) { 4354 // - sizeof(dst) 4355 if (referToTheSameDecl(SizeOfArg, DstArg)) 4356 PatternType = 1; 4357 // - sizeof(src) 4358 else if (referToTheSameDecl(SizeOfArg, SrcArg)) 4359 PatternType = 2; 4360 } else if (const BinaryOperator *BE = dyn_cast<BinaryOperator>(LenArg)) { 4361 if (BE->getOpcode() == BO_Sub) { 4362 const Expr *L = BE->getLHS()->IgnoreParenCasts(); 4363 const Expr *R = BE->getRHS()->IgnoreParenCasts(); 4364 // - sizeof(dst) - strlen(dst) 4365 if (referToTheSameDecl(DstArg, getSizeOfExprArg(L)) && 4366 referToTheSameDecl(DstArg, getStrlenExprArg(R))) 4367 PatternType = 1; 4368 // - sizeof(src) - (anything) 4369 else if (referToTheSameDecl(SrcArg, getSizeOfExprArg(L))) 4370 PatternType = 2; 4371 } 4372 } 4373 4374 if (PatternType == 0) 4375 return; 4376 4377 // Generate the diagnostic. 4378 SourceLocation SL = LenArg->getLocStart(); 4379 SourceRange SR = LenArg->getSourceRange(); 4380 SourceManager &SM = getSourceManager(); 4381 4382 // If the function is defined as a builtin macro, do not show macro expansion. 4383 if (SM.isMacroArgExpansion(SL)) { 4384 SL = SM.getSpellingLoc(SL); 4385 SR = SourceRange(SM.getSpellingLoc(SR.getBegin()), 4386 SM.getSpellingLoc(SR.getEnd())); 4387 } 4388 4389 // Check if the destination is an array (rather than a pointer to an array). 4390 QualType DstTy = DstArg->getType(); 4391 bool isKnownSizeArray = isConstantSizeArrayWithMoreThanOneElement(DstTy, 4392 Context); 4393 if (!isKnownSizeArray) { 4394 if (PatternType == 1) 4395 Diag(SL, diag::warn_strncat_wrong_size) << SR; 4396 else 4397 Diag(SL, diag::warn_strncat_src_size) << SR; 4398 return; 4399 } 4400 4401 if (PatternType == 1) 4402 Diag(SL, diag::warn_strncat_large_size) << SR; 4403 else 4404 Diag(SL, diag::warn_strncat_src_size) << SR; 4405 4406 SmallString<128> sizeString; 4407 llvm::raw_svector_ostream OS(sizeString); 4408 OS << "sizeof("; 4409 DstArg->printPretty(OS, nullptr, getPrintingPolicy()); 4410 OS << ") - "; 4411 OS << "strlen("; 4412 DstArg->printPretty(OS, nullptr, getPrintingPolicy()); 4413 OS << ") - 1"; 4414 4415 Diag(SL, diag::note_strncat_wrong_size) 4416 << FixItHint::CreateReplacement(SR, OS.str()); 4417} 4418 4419//===--- CHECK: Return Address of Stack Variable --------------------------===// 4420 4421static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars, 4422 Decl *ParentDecl); 4423static Expr *EvalAddr(Expr* E, SmallVectorImpl<DeclRefExpr *> &refVars, 4424 Decl *ParentDecl); 4425 4426/// CheckReturnStackAddr - Check if a return statement returns the address 4427/// of a stack variable. 4428static void 4429CheckReturnStackAddr(Sema &S, Expr *RetValExp, QualType lhsType, 4430 SourceLocation ReturnLoc) { 4431 4432 Expr *stackE = nullptr; 4433 SmallVector<DeclRefExpr *, 8> refVars; 4434 4435 // Perform checking for returned stack addresses, local blocks, 4436 // label addresses or references to temporaries. 4437 if (lhsType->isPointerType() || 4438 (!S.getLangOpts().ObjCAutoRefCount && lhsType->isBlockPointerType())) { 4439 stackE = EvalAddr(RetValExp, refVars, /*ParentDecl=*/nullptr); 4440 } else if (lhsType->isReferenceType()) { 4441 stackE = EvalVal(RetValExp, refVars, /*ParentDecl=*/nullptr); 4442 } 4443 4444 if (!stackE) 4445 return; // Nothing suspicious was found. 4446 4447 SourceLocation diagLoc; 4448 SourceRange diagRange; 4449 if (refVars.empty()) { 4450 diagLoc = stackE->getLocStart(); 4451 diagRange = stackE->getSourceRange(); 4452 } else { 4453 // We followed through a reference variable. 'stackE' contains the 4454 // problematic expression but we will warn at the return statement pointing 4455 // at the reference variable. We will later display the "trail" of 4456 // reference variables using notes. 4457 diagLoc = refVars[0]->getLocStart(); 4458 diagRange = refVars[0]->getSourceRange(); 4459 } 4460 4461 if (DeclRefExpr *DR = dyn_cast<DeclRefExpr>(stackE)) { //address of local var. 4462 S.Diag(diagLoc, lhsType->isReferenceType() ? diag::warn_ret_stack_ref 4463 : diag::warn_ret_stack_addr) 4464 << DR->getDecl()->getDeclName() << diagRange; 4465 } else if (isa<BlockExpr>(stackE)) { // local block. 4466 S.Diag(diagLoc, diag::err_ret_local_block) << diagRange; 4467 } else if (isa<AddrLabelExpr>(stackE)) { // address of label. 4468 S.Diag(diagLoc, diag::warn_ret_addr_label) << diagRange; 4469 } else { // local temporary. 4470 S.Diag(diagLoc, lhsType->isReferenceType() ? diag::warn_ret_local_temp_ref 4471 : diag::warn_ret_local_temp_addr) 4472 << diagRange; 4473 } 4474 4475 // Display the "trail" of reference variables that we followed until we 4476 // found the problematic expression using notes. 4477 for (unsigned i = 0, e = refVars.size(); i != e; ++i) { 4478 VarDecl *VD = cast<VarDecl>(refVars[i]->getDecl()); 4479 // If this var binds to another reference var, show the range of the next 4480 // var, otherwise the var binds to the problematic expression, in which case 4481 // show the range of the expression. 4482 SourceRange range = (i < e-1) ? refVars[i+1]->getSourceRange() 4483 : stackE->getSourceRange(); 4484 S.Diag(VD->getLocation(), diag::note_ref_var_local_bind) 4485 << VD->getDeclName() << range; 4486 } 4487} 4488 4489/// EvalAddr - EvalAddr and EvalVal are mutually recursive functions that 4490/// check if the expression in a return statement evaluates to an address 4491/// to a location on the stack, a local block, an address of a label, or a 4492/// reference to local temporary. The recursion is used to traverse the 4493/// AST of the return expression, with recursion backtracking when we 4494/// encounter a subexpression that (1) clearly does not lead to one of the 4495/// above problematic expressions (2) is something we cannot determine leads to 4496/// a problematic expression based on such local checking. 4497/// 4498/// Both EvalAddr and EvalVal follow through reference variables to evaluate 4499/// the expression that they point to. Such variables are added to the 4500/// 'refVars' vector so that we know what the reference variable "trail" was. 4501/// 4502/// EvalAddr processes expressions that are pointers that are used as 4503/// references (and not L-values). EvalVal handles all other values. 4504/// At the base case of the recursion is a check for the above problematic 4505/// expressions. 4506/// 4507/// This implementation handles: 4508/// 4509/// * pointer-to-pointer casts 4510/// * implicit conversions from array references to pointers 4511/// * taking the address of fields 4512/// * arbitrary interplay between "&" and "*" operators 4513/// * pointer arithmetic from an address of a stack variable 4514/// * taking the address of an array element where the array is on the stack 4515static Expr *EvalAddr(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars, 4516 Decl *ParentDecl) { 4517 if (E->isTypeDependent()) 4518 return nullptr; 4519 4520 // We should only be called for evaluating pointer expressions. 4521 assert((E->getType()->isAnyPointerType() || 4522 E->getType()->isBlockPointerType() || 4523 E->getType()->isObjCQualifiedIdType()) && 4524 "EvalAddr only works on pointers"); 4525 4526 E = E->IgnoreParens(); 4527 4528 // Our "symbolic interpreter" is just a dispatch off the currently 4529 // viewed AST node. We then recursively traverse the AST by calling 4530 // EvalAddr and EvalVal appropriately. 4531 switch (E->getStmtClass()) { 4532 case Stmt::DeclRefExprClass: { 4533 DeclRefExpr *DR = cast<DeclRefExpr>(E); 4534 4535 // If we leave the immediate function, the lifetime isn't about to end. 4536 if (DR->refersToEnclosingLocal()) 4537 return nullptr; 4538 4539 if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) 4540 // If this is a reference variable, follow through to the expression that 4541 // it points to. 4542 if (V->hasLocalStorage() && 4543 V->getType()->isReferenceType() && V->hasInit()) { 4544 // Add the reference variable to the "trail". 4545 refVars.push_back(DR); 4546 return EvalAddr(V->getInit(), refVars, ParentDecl); 4547 } 4548 4549 return nullptr; 4550 } 4551 4552 case Stmt::UnaryOperatorClass: { 4553 // The only unary operator that make sense to handle here 4554 // is AddrOf. All others don't make sense as pointers. 4555 UnaryOperator *U = cast<UnaryOperator>(E); 4556 4557 if (U->getOpcode() == UO_AddrOf) 4558 return EvalVal(U->getSubExpr(), refVars, ParentDecl); 4559 else 4560 return nullptr; 4561 } 4562 4563 case Stmt::BinaryOperatorClass: { 4564 // Handle pointer arithmetic. All other binary operators are not valid 4565 // in this context. 4566 BinaryOperator *B = cast<BinaryOperator>(E); 4567 BinaryOperatorKind op = B->getOpcode(); 4568 4569 if (op != BO_Add && op != BO_Sub) 4570 return nullptr; 4571 4572 Expr *Base = B->getLHS(); 4573 4574 // Determine which argument is the real pointer base. It could be 4575 // the RHS argument instead of the LHS. 4576 if (!Base->getType()->isPointerType()) Base = B->getRHS(); 4577 4578 assert (Base->getType()->isPointerType()); 4579 return EvalAddr(Base, refVars, ParentDecl); 4580 } 4581 4582 // For conditional operators we need to see if either the LHS or RHS are 4583 // valid DeclRefExpr*s. If one of them is valid, we return it. 4584 case Stmt::ConditionalOperatorClass: { 4585 ConditionalOperator *C = cast<ConditionalOperator>(E); 4586 4587 // Handle the GNU extension for missing LHS. 4588 // FIXME: That isn't a ConditionalOperator, so doesn't get here. 4589 if (Expr *LHSExpr = C->getLHS()) { 4590 // In C++, we can have a throw-expression, which has 'void' type. 4591 if (!LHSExpr->getType()->isVoidType()) 4592 if (Expr *LHS = EvalAddr(LHSExpr, refVars, ParentDecl)) 4593 return LHS; 4594 } 4595 4596 // In C++, we can have a throw-expression, which has 'void' type. 4597 if (C->getRHS()->getType()->isVoidType()) 4598 return nullptr; 4599 4600 return EvalAddr(C->getRHS(), refVars, ParentDecl); 4601 } 4602 4603 case Stmt::BlockExprClass: 4604 if (cast<BlockExpr>(E)->getBlockDecl()->hasCaptures()) 4605 return E; // local block. 4606 return nullptr; 4607 4608 case Stmt::AddrLabelExprClass: 4609 return E; // address of label. 4610 4611 case Stmt::ExprWithCleanupsClass: 4612 return EvalAddr(cast<ExprWithCleanups>(E)->getSubExpr(), refVars, 4613 ParentDecl); 4614 4615 // For casts, we need to handle conversions from arrays to 4616 // pointer values, and pointer-to-pointer conversions. 4617 case Stmt::ImplicitCastExprClass: 4618 case Stmt::CStyleCastExprClass: 4619 case Stmt::CXXFunctionalCastExprClass: 4620 case Stmt::ObjCBridgedCastExprClass: 4621 case Stmt::CXXStaticCastExprClass: 4622 case Stmt::CXXDynamicCastExprClass: 4623 case Stmt::CXXConstCastExprClass: 4624 case Stmt::CXXReinterpretCastExprClass: { 4625 Expr* SubExpr = cast<CastExpr>(E)->getSubExpr(); 4626 switch (cast<CastExpr>(E)->getCastKind()) { 4627 case CK_LValueToRValue: 4628 case CK_NoOp: 4629 case CK_BaseToDerived: 4630 case CK_DerivedToBase: 4631 case CK_UncheckedDerivedToBase: 4632 case CK_Dynamic: 4633 case CK_CPointerToObjCPointerCast: 4634 case CK_BlockPointerToObjCPointerCast: 4635 case CK_AnyPointerToBlockPointerCast: 4636 return EvalAddr(SubExpr, refVars, ParentDecl); 4637 4638 case CK_ArrayToPointerDecay: 4639 return EvalVal(SubExpr, refVars, ParentDecl); 4640 4641 case CK_BitCast: 4642 if (SubExpr->getType()->isAnyPointerType() || 4643 SubExpr->getType()->isBlockPointerType() || 4644 SubExpr->getType()->isObjCQualifiedIdType()) 4645 return EvalAddr(SubExpr, refVars, ParentDecl); 4646 else 4647 return nullptr; 4648 4649 default: 4650 return nullptr; 4651 } 4652 } 4653 4654 case Stmt::MaterializeTemporaryExprClass: 4655 if (Expr *Result = EvalAddr( 4656 cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(), 4657 refVars, ParentDecl)) 4658 return Result; 4659 4660 return E; 4661 4662 // Everything else: we simply don't reason about them. 4663 default: 4664 return nullptr; 4665 } 4666} 4667 4668 4669/// EvalVal - This function is complements EvalAddr in the mutual recursion. 4670/// See the comments for EvalAddr for more details. 4671static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars, 4672 Decl *ParentDecl) { 4673do { 4674 // We should only be called for evaluating non-pointer expressions, or 4675 // expressions with a pointer type that are not used as references but instead 4676 // are l-values (e.g., DeclRefExpr with a pointer type). 4677 4678 // Our "symbolic interpreter" is just a dispatch off the currently 4679 // viewed AST node. We then recursively traverse the AST by calling 4680 // EvalAddr and EvalVal appropriately. 4681 4682 E = E->IgnoreParens(); 4683 switch (E->getStmtClass()) { 4684 case Stmt::ImplicitCastExprClass: { 4685 ImplicitCastExpr *IE = cast<ImplicitCastExpr>(E); 4686 if (IE->getValueKind() == VK_LValue) { 4687 E = IE->getSubExpr(); 4688 continue; 4689 } 4690 return nullptr; 4691 } 4692 4693 case Stmt::ExprWithCleanupsClass: 4694 return EvalVal(cast<ExprWithCleanups>(E)->getSubExpr(), refVars,ParentDecl); 4695 4696 case Stmt::DeclRefExprClass: { 4697 // When we hit a DeclRefExpr we are looking at code that refers to a 4698 // variable's name. If it's not a reference variable we check if it has 4699 // local storage within the function, and if so, return the expression. 4700 DeclRefExpr *DR = cast<DeclRefExpr>(E); 4701 4702 // If we leave the immediate function, the lifetime isn't about to end. 4703 if (DR->refersToEnclosingLocal()) 4704 return nullptr; 4705 4706 if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) { 4707 // Check if it refers to itself, e.g. "int& i = i;". 4708 if (V == ParentDecl) 4709 return DR; 4710 4711 if (V->hasLocalStorage()) { 4712 if (!V->getType()->isReferenceType()) 4713 return DR; 4714 4715 // Reference variable, follow through to the expression that 4716 // it points to. 4717 if (V->hasInit()) { 4718 // Add the reference variable to the "trail". 4719 refVars.push_back(DR); 4720 return EvalVal(V->getInit(), refVars, V); 4721 } 4722 } 4723 } 4724 4725 return nullptr; 4726 } 4727 4728 case Stmt::UnaryOperatorClass: { 4729 // The only unary operator that make sense to handle here 4730 // is Deref. All others don't resolve to a "name." This includes 4731 // handling all sorts of rvalues passed to a unary operator. 4732 UnaryOperator *U = cast<UnaryOperator>(E); 4733 4734 if (U->getOpcode() == UO_Deref) 4735 return EvalAddr(U->getSubExpr(), refVars, ParentDecl); 4736 4737 return nullptr; 4738 } 4739 4740 case Stmt::ArraySubscriptExprClass: { 4741 // Array subscripts are potential references to data on the stack. We 4742 // retrieve the DeclRefExpr* for the array variable if it indeed 4743 // has local storage. 4744 return EvalAddr(cast<ArraySubscriptExpr>(E)->getBase(), refVars,ParentDecl); 4745 } 4746 4747 case Stmt::ConditionalOperatorClass: { 4748 // For conditional operators we need to see if either the LHS or RHS are 4749 // non-NULL Expr's. If one is non-NULL, we return it. 4750 ConditionalOperator *C = cast<ConditionalOperator>(E); 4751 4752 // Handle the GNU extension for missing LHS. 4753 if (Expr *LHSExpr = C->getLHS()) { 4754 // In C++, we can have a throw-expression, which has 'void' type. 4755 if (!LHSExpr->getType()->isVoidType()) 4756 if (Expr *LHS = EvalVal(LHSExpr, refVars, ParentDecl)) 4757 return LHS; 4758 } 4759 4760 // In C++, we can have a throw-expression, which has 'void' type. 4761 if (C->getRHS()->getType()->isVoidType()) 4762 return nullptr; 4763 4764 return EvalVal(C->getRHS(), refVars, ParentDecl); 4765 } 4766 4767 // Accesses to members are potential references to data on the stack. 4768 case Stmt::MemberExprClass: { 4769 MemberExpr *M = cast<MemberExpr>(E); 4770 4771 // Check for indirect access. We only want direct field accesses. 4772 if (M->isArrow()) 4773 return nullptr; 4774 4775 // Check whether the member type is itself a reference, in which case 4776 // we're not going to refer to the member, but to what the member refers to. 4777 if (M->getMemberDecl()->getType()->isReferenceType()) 4778 return nullptr; 4779 4780 return EvalVal(M->getBase(), refVars, ParentDecl); 4781 } 4782 4783 case Stmt::MaterializeTemporaryExprClass: 4784 if (Expr *Result = EvalVal( 4785 cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(), 4786 refVars, ParentDecl)) 4787 return Result; 4788 4789 return E; 4790 4791 default: 4792 // Check that we don't return or take the address of a reference to a 4793 // temporary. This is only useful in C++. 4794 if (!E->isTypeDependent() && E->isRValue()) 4795 return E; 4796 4797 // Everything else: we simply don't reason about them. 4798 return nullptr; 4799 } 4800} while (true); 4801} 4802 4803void 4804Sema::CheckReturnValExpr(Expr *RetValExp, QualType lhsType, 4805 SourceLocation ReturnLoc, 4806 bool isObjCMethod, 4807 const AttrVec *Attrs, 4808 const FunctionDecl *FD) { 4809 CheckReturnStackAddr(*this, RetValExp, lhsType, ReturnLoc); 4810 4811 // Check if the return value is null but should not be. 4812 if (Attrs && hasSpecificAttr<ReturnsNonNullAttr>(*Attrs) && 4813 CheckNonNullExpr(*this, RetValExp)) 4814 Diag(ReturnLoc, diag::warn_null_ret) 4815 << (isObjCMethod ? 1 : 0) << RetValExp->getSourceRange(); 4816 4817 // C++11 [basic.stc.dynamic.allocation]p4: 4818 // If an allocation function declared with a non-throwing 4819 // exception-specification fails to allocate storage, it shall return 4820 // a null pointer. Any other allocation function that fails to allocate 4821 // storage shall indicate failure only by throwing an exception [...] 4822 if (FD) { 4823 OverloadedOperatorKind Op = FD->getOverloadedOperator(); 4824 if (Op == OO_New || Op == OO_Array_New) { 4825 const FunctionProtoType *Proto 4826 = FD->getType()->castAs<FunctionProtoType>(); 4827 if (!Proto->isNothrow(Context, /*ResultIfDependent*/true) && 4828 CheckNonNullExpr(*this, RetValExp)) 4829 Diag(ReturnLoc, diag::warn_operator_new_returns_null) 4830 << FD << getLangOpts().CPlusPlus11; 4831 } 4832 } 4833} 4834 4835//===--- CHECK: Floating-Point comparisons (-Wfloat-equal) ---------------===// 4836 4837/// Check for comparisons of floating point operands using != and ==. 4838/// Issue a warning if these are no self-comparisons, as they are not likely 4839/// to do what the programmer intended. 4840void Sema::CheckFloatComparison(SourceLocation Loc, Expr* LHS, Expr *RHS) { 4841 Expr* LeftExprSansParen = LHS->IgnoreParenImpCasts(); 4842 Expr* RightExprSansParen = RHS->IgnoreParenImpCasts(); 4843 4844 // Special case: check for x == x (which is OK). 4845 // Do not emit warnings for such cases. 4846 if (DeclRefExpr* DRL = dyn_cast<DeclRefExpr>(LeftExprSansParen)) 4847 if (DeclRefExpr* DRR = dyn_cast<DeclRefExpr>(RightExprSansParen)) 4848 if (DRL->getDecl() == DRR->getDecl()) 4849 return; 4850 4851 4852 // Special case: check for comparisons against literals that can be exactly 4853 // represented by APFloat. In such cases, do not emit a warning. This 4854 // is a heuristic: often comparison against such literals are used to 4855 // detect if a value in a variable has not changed. This clearly can 4856 // lead to false negatives. 4857 if (FloatingLiteral* FLL = dyn_cast<FloatingLiteral>(LeftExprSansParen)) { 4858 if (FLL->isExact()) 4859 return; 4860 } else 4861 if (FloatingLiteral* FLR = dyn_cast<FloatingLiteral>(RightExprSansParen)) 4862 if (FLR->isExact()) 4863 return; 4864 4865 // Check for comparisons with builtin types. 4866 if (CallExpr* CL = dyn_cast<CallExpr>(LeftExprSansParen)) 4867 if (CL->getBuiltinCallee()) 4868 return; 4869 4870 if (CallExpr* CR = dyn_cast<CallExpr>(RightExprSansParen)) 4871 if (CR->getBuiltinCallee()) 4872 return; 4873 4874 // Emit the diagnostic. 4875 Diag(Loc, diag::warn_floatingpoint_eq) 4876 << LHS->getSourceRange() << RHS->getSourceRange(); 4877} 4878 4879//===--- CHECK: Integer mixed-sign comparisons (-Wsign-compare) --------===// 4880//===--- CHECK: Lossy implicit conversions (-Wconversion) --------------===// 4881 4882namespace { 4883 4884/// Structure recording the 'active' range of an integer-valued 4885/// expression. 4886struct IntRange { 4887 /// The number of bits active in the int. 4888 unsigned Width; 4889 4890 /// True if the int is known not to have negative values. 4891 bool NonNegative; 4892 4893 IntRange(unsigned Width, bool NonNegative) 4894 : Width(Width), NonNegative(NonNegative) 4895 {} 4896 4897 /// Returns the range of the bool type. 4898 static IntRange forBoolType() { 4899 return IntRange(1, true); 4900 } 4901 4902 /// Returns the range of an opaque value of the given integral type. 4903 static IntRange forValueOfType(ASTContext &C, QualType T) { 4904 return forValueOfCanonicalType(C, 4905 T->getCanonicalTypeInternal().getTypePtr()); 4906 } 4907 4908 /// Returns the range of an opaque value of a canonical integral type. 4909 static IntRange forValueOfCanonicalType(ASTContext &C, const Type *T) { 4910 assert(T->isCanonicalUnqualified()); 4911 4912 if (const VectorType *VT = dyn_cast<VectorType>(T)) 4913 T = VT->getElementType().getTypePtr(); 4914 if (const ComplexType *CT = dyn_cast<ComplexType>(T)) 4915 T = CT->getElementType().getTypePtr(); 4916 4917 // For enum types, use the known bit width of the enumerators. 4918 if (const EnumType *ET = dyn_cast<EnumType>(T)) { 4919 EnumDecl *Enum = ET->getDecl(); 4920 if (!Enum->isCompleteDefinition()) 4921 return IntRange(C.getIntWidth(QualType(T, 0)), false); 4922 4923 unsigned NumPositive = Enum->getNumPositiveBits(); 4924 unsigned NumNegative = Enum->getNumNegativeBits(); 4925 4926 if (NumNegative == 0) 4927 return IntRange(NumPositive, true/*NonNegative*/); 4928 else 4929 return IntRange(std::max(NumPositive + 1, NumNegative), 4930 false/*NonNegative*/); 4931 } 4932 4933 const BuiltinType *BT = cast<BuiltinType>(T); 4934 assert(BT->isInteger()); 4935 4936 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); 4937 } 4938 4939 /// Returns the "target" range of a canonical integral type, i.e. 4940 /// the range of values expressible in the type. 4941 /// 4942 /// This matches forValueOfCanonicalType except that enums have the 4943 /// full range of their type, not the range of their enumerators. 4944 static IntRange forTargetOfCanonicalType(ASTContext &C, const Type *T) { 4945 assert(T->isCanonicalUnqualified()); 4946 4947 if (const VectorType *VT = dyn_cast<VectorType>(T)) 4948 T = VT->getElementType().getTypePtr(); 4949 if (const ComplexType *CT = dyn_cast<ComplexType>(T)) 4950 T = CT->getElementType().getTypePtr(); 4951 if (const EnumType *ET = dyn_cast<EnumType>(T)) 4952 T = C.getCanonicalType(ET->getDecl()->getIntegerType()).getTypePtr(); 4953 4954 const BuiltinType *BT = cast<BuiltinType>(T); 4955 assert(BT->isInteger()); 4956 4957 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); 4958 } 4959 4960 /// Returns the supremum of two ranges: i.e. their conservative merge. 4961 static IntRange join(IntRange L, IntRange R) { 4962 return IntRange(std::max(L.Width, R.Width), 4963 L.NonNegative && R.NonNegative); 4964 } 4965 4966 /// Returns the infinum of two ranges: i.e. their aggressive merge. 4967 static IntRange meet(IntRange L, IntRange R) { 4968 return IntRange(std::min(L.Width, R.Width), 4969 L.NonNegative || R.NonNegative); 4970 } 4971}; 4972 4973static IntRange GetValueRange(ASTContext &C, llvm::APSInt &value, 4974 unsigned MaxWidth) { 4975 if (value.isSigned() && value.isNegative()) 4976 return IntRange(value.getMinSignedBits(), false); 4977 4978 if (value.getBitWidth() > MaxWidth) 4979 value = value.trunc(MaxWidth); 4980 4981 // isNonNegative() just checks the sign bit without considering 4982 // signedness. 4983 return IntRange(value.getActiveBits(), true); 4984} 4985 4986static IntRange GetValueRange(ASTContext &C, APValue &result, QualType Ty, 4987 unsigned MaxWidth) { 4988 if (result.isInt()) 4989 return GetValueRange(C, result.getInt(), MaxWidth); 4990 4991 if (result.isVector()) { 4992 IntRange R = GetValueRange(C, result.getVectorElt(0), Ty, MaxWidth); 4993 for (unsigned i = 1, e = result.getVectorLength(); i != e; ++i) { 4994 IntRange El = GetValueRange(C, result.getVectorElt(i), Ty, MaxWidth); 4995 R = IntRange::join(R, El); 4996 } 4997 return R; 4998 } 4999 5000 if (result.isComplexInt()) { 5001 IntRange R = GetValueRange(C, result.getComplexIntReal(), MaxWidth); 5002 IntRange I = GetValueRange(C, result.getComplexIntImag(), MaxWidth); 5003 return IntRange::join(R, I); 5004 } 5005 5006 // This can happen with lossless casts to intptr_t of "based" lvalues. 5007 // Assume it might use arbitrary bits. 5008 // FIXME: The only reason we need to pass the type in here is to get 5009 // the sign right on this one case. It would be nice if APValue 5010 // preserved this. 5011 assert(result.isLValue() || result.isAddrLabelDiff()); 5012 return IntRange(MaxWidth, Ty->isUnsignedIntegerOrEnumerationType()); 5013} 5014 5015static QualType GetExprType(Expr *E) { 5016 QualType Ty = E->getType(); 5017 if (const AtomicType *AtomicRHS = Ty->getAs<AtomicType>()) 5018 Ty = AtomicRHS->getValueType(); 5019 return Ty; 5020} 5021 5022/// Pseudo-evaluate the given integer expression, estimating the 5023/// range of values it might take. 5024/// 5025/// \param MaxWidth - the width to which the value will be truncated 5026static IntRange GetExprRange(ASTContext &C, Expr *E, unsigned MaxWidth) { 5027 E = E->IgnoreParens(); 5028 5029 // Try a full evaluation first. 5030 Expr::EvalResult result; 5031 if (E->EvaluateAsRValue(result, C)) 5032 return GetValueRange(C, result.Val, GetExprType(E), MaxWidth); 5033 5034 // I think we only want to look through implicit casts here; if the 5035 // user has an explicit widening cast, we should treat the value as 5036 // being of the new, wider type. 5037 if (ImplicitCastExpr *CE = dyn_cast<ImplicitCastExpr>(E)) { 5038 if (CE->getCastKind() == CK_NoOp || CE->getCastKind() == CK_LValueToRValue) 5039 return GetExprRange(C, CE->getSubExpr(), MaxWidth); 5040 5041 IntRange OutputTypeRange = IntRange::forValueOfType(C, GetExprType(CE)); 5042 5043 bool isIntegerCast = (CE->getCastKind() == CK_IntegralCast); 5044 5045 // Assume that non-integer casts can span the full range of the type. 5046 if (!isIntegerCast) 5047 return OutputTypeRange; 5048 5049 IntRange SubRange 5050 = GetExprRange(C, CE->getSubExpr(), 5051 std::min(MaxWidth, OutputTypeRange.Width)); 5052 5053 // Bail out if the subexpr's range is as wide as the cast type. 5054 if (SubRange.Width >= OutputTypeRange.Width) 5055 return OutputTypeRange; 5056 5057 // Otherwise, we take the smaller width, and we're non-negative if 5058 // either the output type or the subexpr is. 5059 return IntRange(SubRange.Width, 5060 SubRange.NonNegative || OutputTypeRange.NonNegative); 5061 } 5062 5063 if (ConditionalOperator *CO = dyn_cast<ConditionalOperator>(E)) { 5064 // If we can fold the condition, just take that operand. 5065 bool CondResult; 5066 if (CO->getCond()->EvaluateAsBooleanCondition(CondResult, C)) 5067 return GetExprRange(C, CondResult ? CO->getTrueExpr() 5068 : CO->getFalseExpr(), 5069 MaxWidth); 5070 5071 // Otherwise, conservatively merge. 5072 IntRange L = GetExprRange(C, CO->getTrueExpr(), MaxWidth); 5073 IntRange R = GetExprRange(C, CO->getFalseExpr(), MaxWidth); 5074 return IntRange::join(L, R); 5075 } 5076 5077 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 5078 switch (BO->getOpcode()) { 5079 5080 // Boolean-valued operations are single-bit and positive. 5081 case BO_LAnd: 5082 case BO_LOr: 5083 case BO_LT: 5084 case BO_GT: 5085 case BO_LE: 5086 case BO_GE: 5087 case BO_EQ: 5088 case BO_NE: 5089 return IntRange::forBoolType(); 5090 5091 // The type of the assignments is the type of the LHS, so the RHS 5092 // is not necessarily the same type. 5093 case BO_MulAssign: 5094 case BO_DivAssign: 5095 case BO_RemAssign: 5096 case BO_AddAssign: 5097 case BO_SubAssign: 5098 case BO_XorAssign: 5099 case BO_OrAssign: 5100 // TODO: bitfields? 5101 return IntRange::forValueOfType(C, GetExprType(E)); 5102 5103 // Simple assignments just pass through the RHS, which will have 5104 // been coerced to the LHS type. 5105 case BO_Assign: 5106 // TODO: bitfields? 5107 return GetExprRange(C, BO->getRHS(), MaxWidth); 5108 5109 // Operations with opaque sources are black-listed. 5110 case BO_PtrMemD: 5111 case BO_PtrMemI: 5112 return IntRange::forValueOfType(C, GetExprType(E)); 5113 5114 // Bitwise-and uses the *infinum* of the two source ranges. 5115 case BO_And: 5116 case BO_AndAssign: 5117 return IntRange::meet(GetExprRange(C, BO->getLHS(), MaxWidth), 5118 GetExprRange(C, BO->getRHS(), MaxWidth)); 5119 5120 // Left shift gets black-listed based on a judgement call. 5121 case BO_Shl: 5122 // ...except that we want to treat '1 << (blah)' as logically 5123 // positive. It's an important idiom. 5124 if (IntegerLiteral *I 5125 = dyn_cast<IntegerLiteral>(BO->getLHS()->IgnoreParenCasts())) { 5126 if (I->getValue() == 1) { 5127 IntRange R = IntRange::forValueOfType(C, GetExprType(E)); 5128 return IntRange(R.Width, /*NonNegative*/ true); 5129 } 5130 } 5131 // fallthrough 5132 5133 case BO_ShlAssign: 5134 return IntRange::forValueOfType(C, GetExprType(E)); 5135 5136 // Right shift by a constant can narrow its left argument. 5137 case BO_Shr: 5138 case BO_ShrAssign: { 5139 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 5140 5141 // If the shift amount is a positive constant, drop the width by 5142 // that much. 5143 llvm::APSInt shift; 5144 if (BO->getRHS()->isIntegerConstantExpr(shift, C) && 5145 shift.isNonNegative()) { 5146 unsigned zext = shift.getZExtValue(); 5147 if (zext >= L.Width) 5148 L.Width = (L.NonNegative ? 0 : 1); 5149 else 5150 L.Width -= zext; 5151 } 5152 5153 return L; 5154 } 5155 5156 // Comma acts as its right operand. 5157 case BO_Comma: 5158 return GetExprRange(C, BO->getRHS(), MaxWidth); 5159 5160 // Black-list pointer subtractions. 5161 case BO_Sub: 5162 if (BO->getLHS()->getType()->isPointerType()) 5163 return IntRange::forValueOfType(C, GetExprType(E)); 5164 break; 5165 5166 // The width of a division result is mostly determined by the size 5167 // of the LHS. 5168 case BO_Div: { 5169 // Don't 'pre-truncate' the operands. 5170 unsigned opWidth = C.getIntWidth(GetExprType(E)); 5171 IntRange L = GetExprRange(C, BO->getLHS(), opWidth); 5172 5173 // If the divisor is constant, use that. 5174 llvm::APSInt divisor; 5175 if (BO->getRHS()->isIntegerConstantExpr(divisor, C)) { 5176 unsigned log2 = divisor.logBase2(); // floor(log_2(divisor)) 5177 if (log2 >= L.Width) 5178 L.Width = (L.NonNegative ? 0 : 1); 5179 else 5180 L.Width = std::min(L.Width - log2, MaxWidth); 5181 return L; 5182 } 5183 5184 // Otherwise, just use the LHS's width. 5185 IntRange R = GetExprRange(C, BO->getRHS(), opWidth); 5186 return IntRange(L.Width, L.NonNegative && R.NonNegative); 5187 } 5188 5189 // The result of a remainder can't be larger than the result of 5190 // either side. 5191 case BO_Rem: { 5192 // Don't 'pre-truncate' the operands. 5193 unsigned opWidth = C.getIntWidth(GetExprType(E)); 5194 IntRange L = GetExprRange(C, BO->getLHS(), opWidth); 5195 IntRange R = GetExprRange(C, BO->getRHS(), opWidth); 5196 5197 IntRange meet = IntRange::meet(L, R); 5198 meet.Width = std::min(meet.Width, MaxWidth); 5199 return meet; 5200 } 5201 5202 // The default behavior is okay for these. 5203 case BO_Mul: 5204 case BO_Add: 5205 case BO_Xor: 5206 case BO_Or: 5207 break; 5208 } 5209 5210 // The default case is to treat the operation as if it were closed 5211 // on the narrowest type that encompasses both operands. 5212 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 5213 IntRange R = GetExprRange(C, BO->getRHS(), MaxWidth); 5214 return IntRange::join(L, R); 5215 } 5216 5217 if (UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) { 5218 switch (UO->getOpcode()) { 5219 // Boolean-valued operations are white-listed. 5220 case UO_LNot: 5221 return IntRange::forBoolType(); 5222 5223 // Operations with opaque sources are black-listed. 5224 case UO_Deref: 5225 case UO_AddrOf: // should be impossible 5226 return IntRange::forValueOfType(C, GetExprType(E)); 5227 5228 default: 5229 return GetExprRange(C, UO->getSubExpr(), MaxWidth); 5230 } 5231 } 5232 5233 if (OpaqueValueExpr *OVE = dyn_cast<OpaqueValueExpr>(E)) 5234 return GetExprRange(C, OVE->getSourceExpr(), MaxWidth); 5235 5236 if (FieldDecl *BitField = E->getSourceBitField()) 5237 return IntRange(BitField->getBitWidthValue(C), 5238 BitField->getType()->isUnsignedIntegerOrEnumerationType()); 5239 5240 return IntRange::forValueOfType(C, GetExprType(E)); 5241} 5242 5243static IntRange GetExprRange(ASTContext &C, Expr *E) { 5244 return GetExprRange(C, E, C.getIntWidth(GetExprType(E))); 5245} 5246 5247/// Checks whether the given value, which currently has the given 5248/// source semantics, has the same value when coerced through the 5249/// target semantics. 5250static bool IsSameFloatAfterCast(const llvm::APFloat &value, 5251 const llvm::fltSemantics &Src, 5252 const llvm::fltSemantics &Tgt) { 5253 llvm::APFloat truncated = value; 5254 5255 bool ignored; 5256 truncated.convert(Src, llvm::APFloat::rmNearestTiesToEven, &ignored); 5257 truncated.convert(Tgt, llvm::APFloat::rmNearestTiesToEven, &ignored); 5258 5259 return truncated.bitwiseIsEqual(value); 5260} 5261 5262/// Checks whether the given value, which currently has the given 5263/// source semantics, has the same value when coerced through the 5264/// target semantics. 5265/// 5266/// The value might be a vector of floats (or a complex number). 5267static bool IsSameFloatAfterCast(const APValue &value, 5268 const llvm::fltSemantics &Src, 5269 const llvm::fltSemantics &Tgt) { 5270 if (value.isFloat()) 5271 return IsSameFloatAfterCast(value.getFloat(), Src, Tgt); 5272 5273 if (value.isVector()) { 5274 for (unsigned i = 0, e = value.getVectorLength(); i != e; ++i) 5275 if (!IsSameFloatAfterCast(value.getVectorElt(i), Src, Tgt)) 5276 return false; 5277 return true; 5278 } 5279 5280 assert(value.isComplexFloat()); 5281 return (IsSameFloatAfterCast(value.getComplexFloatReal(), Src, Tgt) && 5282 IsSameFloatAfterCast(value.getComplexFloatImag(), Src, Tgt)); 5283} 5284 5285static void AnalyzeImplicitConversions(Sema &S, Expr *E, SourceLocation CC); 5286 5287static bool IsZero(Sema &S, Expr *E) { 5288 // Suppress cases where we are comparing against an enum constant. 5289 if (const DeclRefExpr *DR = 5290 dyn_cast<DeclRefExpr>(E->IgnoreParenImpCasts())) 5291 if (isa<EnumConstantDecl>(DR->getDecl())) 5292 return false; 5293 5294 // Suppress cases where the '0' value is expanded from a macro. 5295 if (E->getLocStart().isMacroID()) 5296 return false; 5297 5298 llvm::APSInt Value; 5299 return E->isIntegerConstantExpr(Value, S.Context) && Value == 0; 5300} 5301 5302static bool HasEnumType(Expr *E) { 5303 // Strip off implicit integral promotions. 5304 while (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) { 5305 if (ICE->getCastKind() != CK_IntegralCast && 5306 ICE->getCastKind() != CK_NoOp) 5307 break; 5308 E = ICE->getSubExpr(); 5309 } 5310 5311 return E->getType()->isEnumeralType(); 5312} 5313 5314static void CheckTrivialUnsignedComparison(Sema &S, BinaryOperator *E) { 5315 // Disable warning in template instantiations. 5316 if (!S.ActiveTemplateInstantiations.empty()) 5317 return; 5318 5319 BinaryOperatorKind op = E->getOpcode(); 5320 if (E->isValueDependent()) 5321 return; 5322 5323 if (op == BO_LT && IsZero(S, E->getRHS())) { 5324 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 5325 << "< 0" << "false" << HasEnumType(E->getLHS()) 5326 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 5327 } else if (op == BO_GE && IsZero(S, E->getRHS())) { 5328 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 5329 << ">= 0" << "true" << HasEnumType(E->getLHS()) 5330 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 5331 } else if (op == BO_GT && IsZero(S, E->getLHS())) { 5332 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 5333 << "0 >" << "false" << HasEnumType(E->getRHS()) 5334 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 5335 } else if (op == BO_LE && IsZero(S, E->getLHS())) { 5336 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 5337 << "0 <=" << "true" << HasEnumType(E->getRHS()) 5338 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 5339 } 5340} 5341 5342static void DiagnoseOutOfRangeComparison(Sema &S, BinaryOperator *E, 5343 Expr *Constant, Expr *Other, 5344 llvm::APSInt Value, 5345 bool RhsConstant) { 5346 // Disable warning in template instantiations. 5347 if (!S.ActiveTemplateInstantiations.empty()) 5348 return; 5349 5350 // TODO: Investigate using GetExprRange() to get tighter bounds 5351 // on the bit ranges. 5352 QualType OtherT = Other->getType(); 5353 IntRange OtherRange = IntRange::forValueOfType(S.Context, OtherT); 5354 unsigned OtherWidth = OtherRange.Width; 5355 5356 bool OtherIsBooleanType = Other->isKnownToHaveBooleanValue(); 5357 5358 // 0 values are handled later by CheckTrivialUnsignedComparison(). 5359 if ((Value == 0) && (!OtherIsBooleanType)) 5360 return; 5361 5362 BinaryOperatorKind op = E->getOpcode(); 5363 bool IsTrue = true; 5364 5365 // Used for diagnostic printout. 5366 enum { 5367 LiteralConstant = 0, 5368 CXXBoolLiteralTrue, 5369 CXXBoolLiteralFalse 5370 } LiteralOrBoolConstant = LiteralConstant; 5371 5372 if (!OtherIsBooleanType) { 5373 QualType ConstantT = Constant->getType(); 5374 QualType CommonT = E->getLHS()->getType(); 5375 5376 if (S.Context.hasSameUnqualifiedType(OtherT, ConstantT)) 5377 return; 5378 assert((OtherT->isIntegerType() && ConstantT->isIntegerType()) && 5379 "comparison with non-integer type"); 5380 5381 bool ConstantSigned = ConstantT->isSignedIntegerType(); 5382 bool CommonSigned = CommonT->isSignedIntegerType(); 5383 5384 bool EqualityOnly = false; 5385 5386 if (CommonSigned) { 5387 // The common type is signed, therefore no signed to unsigned conversion. 5388 if (!OtherRange.NonNegative) { 5389 // Check that the constant is representable in type OtherT. 5390 if (ConstantSigned) { 5391 if (OtherWidth >= Value.getMinSignedBits()) 5392 return; 5393 } else { // !ConstantSigned 5394 if (OtherWidth >= Value.getActiveBits() + 1) 5395 return; 5396 } 5397 } else { // !OtherSigned 5398 // Check that the constant is representable in type OtherT. 5399 // Negative values are out of range. 5400 if (ConstantSigned) { 5401 if (Value.isNonNegative() && OtherWidth >= Value.getActiveBits()) 5402 return; 5403 } else { // !ConstantSigned 5404 if (OtherWidth >= Value.getActiveBits()) 5405 return; 5406 } 5407 } 5408 } else { // !CommonSigned 5409 if (OtherRange.NonNegative) { 5410 if (OtherWidth >= Value.getActiveBits()) 5411 return; 5412 } else { // OtherSigned 5413 assert(!ConstantSigned && 5414 "Two signed types converted to unsigned types."); 5415 // Check to see if the constant is representable in OtherT. 5416 if (OtherWidth > Value.getActiveBits()) 5417 return; 5418 // Check to see if the constant is equivalent to a negative value 5419 // cast to CommonT. 5420 if (S.Context.getIntWidth(ConstantT) == 5421 S.Context.getIntWidth(CommonT) && 5422 Value.isNegative() && Value.getMinSignedBits() <= OtherWidth) 5423 return; 5424 // The constant value rests between values that OtherT can represent 5425 // after conversion. Relational comparison still works, but equality 5426 // comparisons will be tautological. 5427 EqualityOnly = true; 5428 } 5429 } 5430 5431 bool PositiveConstant = !ConstantSigned || Value.isNonNegative(); 5432 5433 if (op == BO_EQ || op == BO_NE) { 5434 IsTrue = op == BO_NE; 5435 } else if (EqualityOnly) { 5436 return; 5437 } else if (RhsConstant) { 5438 if (op == BO_GT || op == BO_GE) 5439 IsTrue = !PositiveConstant; 5440 else // op == BO_LT || op == BO_LE 5441 IsTrue = PositiveConstant; 5442 } else { 5443 if (op == BO_LT || op == BO_LE) 5444 IsTrue = !PositiveConstant; 5445 else // op == BO_GT || op == BO_GE 5446 IsTrue = PositiveConstant; 5447 } 5448 } else { 5449 // Other isKnownToHaveBooleanValue 5450 enum CompareBoolWithConstantResult { AFals, ATrue, Unkwn }; 5451 enum ConstantValue { LT_Zero, Zero, One, GT_One, SizeOfConstVal }; 5452 enum ConstantSide { Lhs, Rhs, SizeOfConstSides }; 5453 5454 static const struct LinkedConditions { 5455 CompareBoolWithConstantResult BO_LT_OP[SizeOfConstSides][SizeOfConstVal]; 5456 CompareBoolWithConstantResult BO_GT_OP[SizeOfConstSides][SizeOfConstVal]; 5457 CompareBoolWithConstantResult BO_LE_OP[SizeOfConstSides][SizeOfConstVal]; 5458 CompareBoolWithConstantResult BO_GE_OP[SizeOfConstSides][SizeOfConstVal]; 5459 CompareBoolWithConstantResult BO_EQ_OP[SizeOfConstSides][SizeOfConstVal]; 5460 CompareBoolWithConstantResult BO_NE_OP[SizeOfConstSides][SizeOfConstVal]; 5461 5462 } TruthTable = { 5463 // Constant on LHS. | Constant on RHS. | 5464 // LT_Zero| Zero | One |GT_One| LT_Zero| Zero | One |GT_One| 5465 { { ATrue, Unkwn, AFals, AFals }, { AFals, AFals, Unkwn, ATrue } }, 5466 { { AFals, AFals, Unkwn, ATrue }, { ATrue, Unkwn, AFals, AFals } }, 5467 { { ATrue, ATrue, Unkwn, AFals }, { AFals, Unkwn, ATrue, ATrue } }, 5468 { { AFals, Unkwn, ATrue, ATrue }, { ATrue, ATrue, Unkwn, AFals } }, 5469 { { AFals, Unkwn, Unkwn, AFals }, { AFals, Unkwn, Unkwn, AFals } }, 5470 { { ATrue, Unkwn, Unkwn, ATrue }, { ATrue, Unkwn, Unkwn, ATrue } } 5471 }; 5472 5473 bool ConstantIsBoolLiteral = isa<CXXBoolLiteralExpr>(Constant); 5474 5475 enum ConstantValue ConstVal = Zero; 5476 if (Value.isUnsigned() || Value.isNonNegative()) { 5477 if (Value == 0) { 5478 LiteralOrBoolConstant = 5479 ConstantIsBoolLiteral ? CXXBoolLiteralFalse : LiteralConstant; 5480 ConstVal = Zero; 5481 } else if (Value == 1) { 5482 LiteralOrBoolConstant = 5483 ConstantIsBoolLiteral ? CXXBoolLiteralTrue : LiteralConstant; 5484 ConstVal = One; 5485 } else { 5486 LiteralOrBoolConstant = LiteralConstant; 5487 ConstVal = GT_One; 5488 } 5489 } else { 5490 ConstVal = LT_Zero; 5491 } 5492 5493 CompareBoolWithConstantResult CmpRes; 5494 5495 switch (op) { 5496 case BO_LT: 5497 CmpRes = TruthTable.BO_LT_OP[RhsConstant][ConstVal]; 5498 break; 5499 case BO_GT: 5500 CmpRes = TruthTable.BO_GT_OP[RhsConstant][ConstVal]; 5501 break; 5502 case BO_LE: 5503 CmpRes = TruthTable.BO_LE_OP[RhsConstant][ConstVal]; 5504 break; 5505 case BO_GE: 5506 CmpRes = TruthTable.BO_GE_OP[RhsConstant][ConstVal]; 5507 break; 5508 case BO_EQ: 5509 CmpRes = TruthTable.BO_EQ_OP[RhsConstant][ConstVal]; 5510 break; 5511 case BO_NE: 5512 CmpRes = TruthTable.BO_NE_OP[RhsConstant][ConstVal]; 5513 break; 5514 default: 5515 CmpRes = Unkwn; 5516 break; 5517 } 5518 5519 if (CmpRes == AFals) { 5520 IsTrue = false; 5521 } else if (CmpRes == ATrue) { 5522 IsTrue = true; 5523 } else { 5524 return; 5525 } 5526 } 5527 5528 // If this is a comparison to an enum constant, include that 5529 // constant in the diagnostic. 5530 const EnumConstantDecl *ED = nullptr; 5531 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Constant)) 5532 ED = dyn_cast<EnumConstantDecl>(DR->getDecl()); 5533 5534 SmallString<64> PrettySourceValue; 5535 llvm::raw_svector_ostream OS(PrettySourceValue); 5536 if (ED) 5537 OS << '\'' << *ED << "' (" << Value << ")"; 5538 else 5539 OS << Value; 5540 5541 S.DiagRuntimeBehavior( 5542 E->getOperatorLoc(), E, 5543 S.PDiag(diag::warn_out_of_range_compare) 5544 << OS.str() << LiteralOrBoolConstant 5545 << OtherT << (OtherIsBooleanType && !OtherT->isBooleanType()) << IsTrue 5546 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange()); 5547} 5548 5549/// Analyze the operands of the given comparison. Implements the 5550/// fallback case from AnalyzeComparison. 5551static void AnalyzeImpConvsInComparison(Sema &S, BinaryOperator *E) { 5552 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc()); 5553 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc()); 5554} 5555 5556/// \brief Implements -Wsign-compare. 5557/// 5558/// \param E the binary operator to check for warnings 5559static void AnalyzeComparison(Sema &S, BinaryOperator *E) { 5560 // The type the comparison is being performed in. 5561 QualType T = E->getLHS()->getType(); 5562 assert(S.Context.hasSameUnqualifiedType(T, E->getRHS()->getType()) 5563 && "comparison with mismatched types"); 5564 if (E->isValueDependent()) 5565 return AnalyzeImpConvsInComparison(S, E); 5566 5567 Expr *LHS = E->getLHS()->IgnoreParenImpCasts(); 5568 Expr *RHS = E->getRHS()->IgnoreParenImpCasts(); 5569 5570 bool IsComparisonConstant = false; 5571 5572 // Check whether an integer constant comparison results in a value 5573 // of 'true' or 'false'. 5574 if (T->isIntegralType(S.Context)) { 5575 llvm::APSInt RHSValue; 5576 bool IsRHSIntegralLiteral = 5577 RHS->isIntegerConstantExpr(RHSValue, S.Context); 5578 llvm::APSInt LHSValue; 5579 bool IsLHSIntegralLiteral = 5580 LHS->isIntegerConstantExpr(LHSValue, S.Context); 5581 if (IsRHSIntegralLiteral && !IsLHSIntegralLiteral) 5582 DiagnoseOutOfRangeComparison(S, E, RHS, LHS, RHSValue, true); 5583 else if (!IsRHSIntegralLiteral && IsLHSIntegralLiteral) 5584 DiagnoseOutOfRangeComparison(S, E, LHS, RHS, LHSValue, false); 5585 else 5586 IsComparisonConstant = 5587 (IsRHSIntegralLiteral && IsLHSIntegralLiteral); 5588 } else if (!T->hasUnsignedIntegerRepresentation()) 5589 IsComparisonConstant = E->isIntegerConstantExpr(S.Context); 5590 5591 // We don't do anything special if this isn't an unsigned integral 5592 // comparison: we're only interested in integral comparisons, and 5593 // signed comparisons only happen in cases we don't care to warn about. 5594 // 5595 // We also don't care about value-dependent expressions or expressions 5596 // whose result is a constant. 5597 if (!T->hasUnsignedIntegerRepresentation() || IsComparisonConstant) 5598 return AnalyzeImpConvsInComparison(S, E); 5599 5600 // Check to see if one of the (unmodified) operands is of different 5601 // signedness. 5602 Expr *signedOperand, *unsignedOperand; 5603 if (LHS->getType()->hasSignedIntegerRepresentation()) { 5604 assert(!RHS->getType()->hasSignedIntegerRepresentation() && 5605 "unsigned comparison between two signed integer expressions?"); 5606 signedOperand = LHS; 5607 unsignedOperand = RHS; 5608 } else if (RHS->getType()->hasSignedIntegerRepresentation()) { 5609 signedOperand = RHS; 5610 unsignedOperand = LHS; 5611 } else { 5612 CheckTrivialUnsignedComparison(S, E); 5613 return AnalyzeImpConvsInComparison(S, E); 5614 } 5615 5616 // Otherwise, calculate the effective range of the signed operand. 5617 IntRange signedRange = GetExprRange(S.Context, signedOperand); 5618 5619 // Go ahead and analyze implicit conversions in the operands. Note 5620 // that we skip the implicit conversions on both sides. 5621 AnalyzeImplicitConversions(S, LHS, E->getOperatorLoc()); 5622 AnalyzeImplicitConversions(S, RHS, E->getOperatorLoc()); 5623 5624 // If the signed range is non-negative, -Wsign-compare won't fire, 5625 // but we should still check for comparisons which are always true 5626 // or false. 5627 if (signedRange.NonNegative) 5628 return CheckTrivialUnsignedComparison(S, E); 5629 5630 // For (in)equality comparisons, if the unsigned operand is a 5631 // constant which cannot collide with a overflowed signed operand, 5632 // then reinterpreting the signed operand as unsigned will not 5633 // change the result of the comparison. 5634 if (E->isEqualityOp()) { 5635 unsigned comparisonWidth = S.Context.getIntWidth(T); 5636 IntRange unsignedRange = GetExprRange(S.Context, unsignedOperand); 5637 5638 // We should never be unable to prove that the unsigned operand is 5639 // non-negative. 5640 assert(unsignedRange.NonNegative && "unsigned range includes negative?"); 5641 5642 if (unsignedRange.Width < comparisonWidth) 5643 return; 5644 } 5645 5646 S.DiagRuntimeBehavior(E->getOperatorLoc(), E, 5647 S.PDiag(diag::warn_mixed_sign_comparison) 5648 << LHS->getType() << RHS->getType() 5649 << LHS->getSourceRange() << RHS->getSourceRange()); 5650} 5651 5652/// Analyzes an attempt to assign the given value to a bitfield. 5653/// 5654/// Returns true if there was something fishy about the attempt. 5655static bool AnalyzeBitFieldAssignment(Sema &S, FieldDecl *Bitfield, Expr *Init, 5656 SourceLocation InitLoc) { 5657 assert(Bitfield->isBitField()); 5658 if (Bitfield->isInvalidDecl()) 5659 return false; 5660 5661 // White-list bool bitfields. 5662 if (Bitfield->getType()->isBooleanType()) 5663 return false; 5664 5665 // Ignore value- or type-dependent expressions. 5666 if (Bitfield->getBitWidth()->isValueDependent() || 5667 Bitfield->getBitWidth()->isTypeDependent() || 5668 Init->isValueDependent() || 5669 Init->isTypeDependent()) 5670 return false; 5671 5672 Expr *OriginalInit = Init->IgnoreParenImpCasts(); 5673 5674 llvm::APSInt Value; 5675 if (!OriginalInit->EvaluateAsInt(Value, S.Context, Expr::SE_AllowSideEffects)) 5676 return false; 5677 5678 unsigned OriginalWidth = Value.getBitWidth(); 5679 unsigned FieldWidth = Bitfield->getBitWidthValue(S.Context); 5680 5681 if (OriginalWidth <= FieldWidth) 5682 return false; 5683 5684 // Compute the value which the bitfield will contain. 5685 llvm::APSInt TruncatedValue = Value.trunc(FieldWidth); 5686 TruncatedValue.setIsSigned(Bitfield->getType()->isSignedIntegerType()); 5687 5688 // Check whether the stored value is equal to the original value. 5689 TruncatedValue = TruncatedValue.extend(OriginalWidth); 5690 if (llvm::APSInt::isSameValue(Value, TruncatedValue)) 5691 return false; 5692 5693 // Special-case bitfields of width 1: booleans are naturally 0/1, and 5694 // therefore don't strictly fit into a signed bitfield of width 1. 5695 if (FieldWidth == 1 && Value == 1) 5696 return false; 5697 5698 std::string PrettyValue = Value.toString(10); 5699 std::string PrettyTrunc = TruncatedValue.toString(10); 5700 5701 S.Diag(InitLoc, diag::warn_impcast_bitfield_precision_constant) 5702 << PrettyValue << PrettyTrunc << OriginalInit->getType() 5703 << Init->getSourceRange(); 5704 5705 return true; 5706} 5707 5708/// Analyze the given simple or compound assignment for warning-worthy 5709/// operations. 5710static void AnalyzeAssignment(Sema &S, BinaryOperator *E) { 5711 // Just recurse on the LHS. 5712 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc()); 5713 5714 // We want to recurse on the RHS as normal unless we're assigning to 5715 // a bitfield. 5716 if (FieldDecl *Bitfield = E->getLHS()->getSourceBitField()) { 5717 if (AnalyzeBitFieldAssignment(S, Bitfield, E->getRHS(), 5718 E->getOperatorLoc())) { 5719 // Recurse, ignoring any implicit conversions on the RHS. 5720 return AnalyzeImplicitConversions(S, E->getRHS()->IgnoreParenImpCasts(), 5721 E->getOperatorLoc()); 5722 } 5723 } 5724 5725 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc()); 5726} 5727 5728/// Diagnose an implicit cast; purely a helper for CheckImplicitConversion. 5729static void DiagnoseImpCast(Sema &S, Expr *E, QualType SourceType, QualType T, 5730 SourceLocation CContext, unsigned diag, 5731 bool pruneControlFlow = false) { 5732 if (pruneControlFlow) { 5733 S.DiagRuntimeBehavior(E->getExprLoc(), E, 5734 S.PDiag(diag) 5735 << SourceType << T << E->getSourceRange() 5736 << SourceRange(CContext)); 5737 return; 5738 } 5739 S.Diag(E->getExprLoc(), diag) 5740 << SourceType << T << E->getSourceRange() << SourceRange(CContext); 5741} 5742 5743/// Diagnose an implicit cast; purely a helper for CheckImplicitConversion. 5744static void DiagnoseImpCast(Sema &S, Expr *E, QualType T, 5745 SourceLocation CContext, unsigned diag, 5746 bool pruneControlFlow = false) { 5747 DiagnoseImpCast(S, E, E->getType(), T, CContext, diag, pruneControlFlow); 5748} 5749 5750/// Diagnose an implicit cast from a literal expression. Does not warn when the 5751/// cast wouldn't lose information. 5752void DiagnoseFloatingLiteralImpCast(Sema &S, FloatingLiteral *FL, QualType T, 5753 SourceLocation CContext) { 5754 // Try to convert the literal exactly to an integer. If we can, don't warn. 5755 bool isExact = false; 5756 const llvm::APFloat &Value = FL->getValue(); 5757 llvm::APSInt IntegerValue(S.Context.getIntWidth(T), 5758 T->hasUnsignedIntegerRepresentation()); 5759 if (Value.convertToInteger(IntegerValue, 5760 llvm::APFloat::rmTowardZero, &isExact) 5761 == llvm::APFloat::opOK && isExact) 5762 return; 5763 5764 // FIXME: Force the precision of the source value down so we don't print 5765 // digits which are usually useless (we don't really care here if we 5766 // truncate a digit by accident in edge cases). Ideally, APFloat::toString 5767 // would automatically print the shortest representation, but it's a bit 5768 // tricky to implement. 5769 SmallString<16> PrettySourceValue; 5770 unsigned precision = llvm::APFloat::semanticsPrecision(Value.getSemantics()); 5771 precision = (precision * 59 + 195) / 196; 5772 Value.toString(PrettySourceValue, precision); 5773 5774 SmallString<16> PrettyTargetValue; 5775 if (T->isSpecificBuiltinType(BuiltinType::Bool)) 5776 PrettyTargetValue = IntegerValue == 0 ? "false" : "true"; 5777 else 5778 IntegerValue.toString(PrettyTargetValue); 5779 5780 S.Diag(FL->getExprLoc(), diag::warn_impcast_literal_float_to_integer) 5781 << FL->getType() << T.getUnqualifiedType() << PrettySourceValue 5782 << PrettyTargetValue << FL->getSourceRange() << SourceRange(CContext); 5783} 5784 5785std::string PrettyPrintInRange(const llvm::APSInt &Value, IntRange Range) { 5786 if (!Range.Width) return "0"; 5787 5788 llvm::APSInt ValueInRange = Value; 5789 ValueInRange.setIsSigned(!Range.NonNegative); 5790 ValueInRange = ValueInRange.trunc(Range.Width); 5791 return ValueInRange.toString(10); 5792} 5793 5794static bool IsImplicitBoolFloatConversion(Sema &S, Expr *Ex, bool ToBool) { 5795 if (!isa<ImplicitCastExpr>(Ex)) 5796 return false; 5797 5798 Expr *InnerE = Ex->IgnoreParenImpCasts(); 5799 const Type *Target = S.Context.getCanonicalType(Ex->getType()).getTypePtr(); 5800 const Type *Source = 5801 S.Context.getCanonicalType(InnerE->getType()).getTypePtr(); 5802 if (Target->isDependentType()) 5803 return false; 5804 5805 const BuiltinType *FloatCandidateBT = 5806 dyn_cast<BuiltinType>(ToBool ? Source : Target); 5807 const Type *BoolCandidateType = ToBool ? Target : Source; 5808 5809 return (BoolCandidateType->isSpecificBuiltinType(BuiltinType::Bool) && 5810 FloatCandidateBT && (FloatCandidateBT->isFloatingPoint())); 5811} 5812 5813void CheckImplicitArgumentConversions(Sema &S, CallExpr *TheCall, 5814 SourceLocation CC) { 5815 unsigned NumArgs = TheCall->getNumArgs(); 5816 for (unsigned i = 0; i < NumArgs; ++i) { 5817 Expr *CurrA = TheCall->getArg(i); 5818 if (!IsImplicitBoolFloatConversion(S, CurrA, true)) 5819 continue; 5820 5821 bool IsSwapped = ((i > 0) && 5822 IsImplicitBoolFloatConversion(S, TheCall->getArg(i - 1), false)); 5823 IsSwapped |= ((i < (NumArgs - 1)) && 5824 IsImplicitBoolFloatConversion(S, TheCall->getArg(i + 1), false)); 5825 if (IsSwapped) { 5826 // Warn on this floating-point to bool conversion. 5827 DiagnoseImpCast(S, CurrA->IgnoreParenImpCasts(), 5828 CurrA->getType(), CC, 5829 diag::warn_impcast_floating_point_to_bool); 5830 } 5831 } 5832} 5833 5834void CheckImplicitConversion(Sema &S, Expr *E, QualType T, 5835 SourceLocation CC, bool *ICContext = nullptr) { 5836 if (E->isTypeDependent() || E->isValueDependent()) return; 5837 5838 const Type *Source = S.Context.getCanonicalType(E->getType()).getTypePtr(); 5839 const Type *Target = S.Context.getCanonicalType(T).getTypePtr(); 5840 if (Source == Target) return; 5841 if (Target->isDependentType()) return; 5842 5843 // If the conversion context location is invalid don't complain. We also 5844 // don't want to emit a warning if the issue occurs from the expansion of 5845 // a system macro. The problem is that 'getSpellingLoc()' is slow, so we 5846 // delay this check as long as possible. Once we detect we are in that 5847 // scenario, we just return. 5848 if (CC.isInvalid()) 5849 return; 5850 5851 // Diagnose implicit casts to bool. 5852 if (Target->isSpecificBuiltinType(BuiltinType::Bool)) { 5853 if (isa<StringLiteral>(E)) 5854 // Warn on string literal to bool. Checks for string literals in logical 5855 // and expressions, for instance, assert(0 && "error here"), are 5856 // prevented by a check in AnalyzeImplicitConversions(). 5857 return DiagnoseImpCast(S, E, T, CC, 5858 diag::warn_impcast_string_literal_to_bool); 5859 if (isa<ObjCStringLiteral>(E) || isa<ObjCArrayLiteral>(E) || 5860 isa<ObjCDictionaryLiteral>(E) || isa<ObjCBoxedExpr>(E)) { 5861 // This covers the literal expressions that evaluate to Objective-C 5862 // objects. 5863 return DiagnoseImpCast(S, E, T, CC, 5864 diag::warn_impcast_objective_c_literal_to_bool); 5865 } 5866 if (Source->isPointerType() || Source->canDecayToPointerType()) { 5867 // Warn on pointer to bool conversion that is always true. 5868 S.DiagnoseAlwaysNonNullPointer(E, Expr::NPCK_NotNull, /*IsEqual*/ false, 5869 SourceRange(CC)); 5870 } 5871 } 5872 5873 // Strip vector types. 5874 if (isa<VectorType>(Source)) { 5875 if (!isa<VectorType>(Target)) { 5876 if (S.SourceMgr.isInSystemMacro(CC)) 5877 return; 5878 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_vector_scalar); 5879 } 5880 5881 // If the vector cast is cast between two vectors of the same size, it is 5882 // a bitcast, not a conversion. 5883 if (S.Context.getTypeSize(Source) == S.Context.getTypeSize(Target)) 5884 return; 5885 5886 Source = cast<VectorType>(Source)->getElementType().getTypePtr(); 5887 Target = cast<VectorType>(Target)->getElementType().getTypePtr(); 5888 } 5889 if (auto VecTy = dyn_cast<VectorType>(Target)) 5890 Target = VecTy->getElementType().getTypePtr(); 5891 5892 // Strip complex types. 5893 if (isa<ComplexType>(Source)) { 5894 if (!isa<ComplexType>(Target)) { 5895 if (S.SourceMgr.isInSystemMacro(CC)) 5896 return; 5897 5898 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_complex_scalar); 5899 } 5900 5901 Source = cast<ComplexType>(Source)->getElementType().getTypePtr(); 5902 Target = cast<ComplexType>(Target)->getElementType().getTypePtr(); 5903 } 5904 5905 const BuiltinType *SourceBT = dyn_cast<BuiltinType>(Source); 5906 const BuiltinType *TargetBT = dyn_cast<BuiltinType>(Target); 5907 5908 // If the source is floating point... 5909 if (SourceBT && SourceBT->isFloatingPoint()) { 5910 // ...and the target is floating point... 5911 if (TargetBT && TargetBT->isFloatingPoint()) { 5912 // ...then warn if we're dropping FP rank. 5913 5914 // Builtin FP kinds are ordered by increasing FP rank. 5915 if (SourceBT->getKind() > TargetBT->getKind()) { 5916 // Don't warn about float constants that are precisely 5917 // representable in the target type. 5918 Expr::EvalResult result; 5919 if (E->EvaluateAsRValue(result, S.Context)) { 5920 // Value might be a float, a float vector, or a float complex. 5921 if (IsSameFloatAfterCast(result.Val, 5922 S.Context.getFloatTypeSemantics(QualType(TargetBT, 0)), 5923 S.Context.getFloatTypeSemantics(QualType(SourceBT, 0)))) 5924 return; 5925 } 5926 5927 if (S.SourceMgr.isInSystemMacro(CC)) 5928 return; 5929 5930 DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_precision); 5931 } 5932 return; 5933 } 5934 5935 // If the target is integral, always warn. 5936 if (TargetBT && TargetBT->isInteger()) { 5937 if (S.SourceMgr.isInSystemMacro(CC)) 5938 return; 5939 5940 Expr *InnerE = E->IgnoreParenImpCasts(); 5941 // We also want to warn on, e.g., "int i = -1.234" 5942 if (UnaryOperator *UOp = dyn_cast<UnaryOperator>(InnerE)) 5943 if (UOp->getOpcode() == UO_Minus || UOp->getOpcode() == UO_Plus) 5944 InnerE = UOp->getSubExpr()->IgnoreParenImpCasts(); 5945 5946 if (FloatingLiteral *FL = dyn_cast<FloatingLiteral>(InnerE)) { 5947 DiagnoseFloatingLiteralImpCast(S, FL, T, CC); 5948 } else { 5949 DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_integer); 5950 } 5951 } 5952 5953 // If the target is bool, warn if expr is a function or method call. 5954 if (Target->isSpecificBuiltinType(BuiltinType::Bool) && 5955 isa<CallExpr>(E)) { 5956 // Check last argument of function call to see if it is an 5957 // implicit cast from a type matching the type the result 5958 // is being cast to. 5959 CallExpr *CEx = cast<CallExpr>(E); 5960 unsigned NumArgs = CEx->getNumArgs(); 5961 if (NumArgs > 0) { 5962 Expr *LastA = CEx->getArg(NumArgs - 1); 5963 Expr *InnerE = LastA->IgnoreParenImpCasts(); 5964 const Type *InnerType = 5965 S.Context.getCanonicalType(InnerE->getType()).getTypePtr(); 5966 if (isa<ImplicitCastExpr>(LastA) && (InnerType == Target)) { 5967 // Warn on this floating-point to bool conversion 5968 DiagnoseImpCast(S, E, T, CC, 5969 diag::warn_impcast_floating_point_to_bool); 5970 } 5971 } 5972 } 5973 return; 5974 } 5975 5976 if ((E->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNotNull) 5977 == Expr::NPCK_GNUNull) && !Target->isAnyPointerType() 5978 && !Target->isBlockPointerType() && !Target->isMemberPointerType() 5979 && Target->isScalarType() && !Target->isNullPtrType()) { 5980 SourceLocation Loc = E->getSourceRange().getBegin(); 5981 if (Loc.isMacroID()) 5982 Loc = S.SourceMgr.getImmediateExpansionRange(Loc).first; 5983 if (!Loc.isMacroID() || CC.isMacroID()) 5984 S.Diag(Loc, diag::warn_impcast_null_pointer_to_integer) 5985 << T << clang::SourceRange(CC) 5986 << FixItHint::CreateReplacement(Loc, 5987 S.getFixItZeroLiteralForType(T, Loc)); 5988 } 5989 5990 if (!Source->isIntegerType() || !Target->isIntegerType()) 5991 return; 5992 5993 // TODO: remove this early return once the false positives for constant->bool 5994 // in templates, macros, etc, are reduced or removed. 5995 if (Target->isSpecificBuiltinType(BuiltinType::Bool)) 5996 return; 5997 5998 IntRange SourceRange = GetExprRange(S.Context, E); 5999 IntRange TargetRange = IntRange::forTargetOfCanonicalType(S.Context, Target); 6000 6001 if (SourceRange.Width > TargetRange.Width) { 6002 // If the source is a constant, use a default-on diagnostic. 6003 // TODO: this should happen for bitfield stores, too. 6004 llvm::APSInt Value(32); 6005 if (E->isIntegerConstantExpr(Value, S.Context)) { 6006 if (S.SourceMgr.isInSystemMacro(CC)) 6007 return; 6008 6009 std::string PrettySourceValue = Value.toString(10); 6010 std::string PrettyTargetValue = PrettyPrintInRange(Value, TargetRange); 6011 6012 S.DiagRuntimeBehavior(E->getExprLoc(), E, 6013 S.PDiag(diag::warn_impcast_integer_precision_constant) 6014 << PrettySourceValue << PrettyTargetValue 6015 << E->getType() << T << E->getSourceRange() 6016 << clang::SourceRange(CC)); 6017 return; 6018 } 6019 6020 // People want to build with -Wshorten-64-to-32 and not -Wconversion. 6021 if (S.SourceMgr.isInSystemMacro(CC)) 6022 return; 6023 6024 if (TargetRange.Width == 32 && S.Context.getIntWidth(E->getType()) == 64) 6025 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_64_32, 6026 /* pruneControlFlow */ true); 6027 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_precision); 6028 } 6029 6030 if ((TargetRange.NonNegative && !SourceRange.NonNegative) || 6031 (!TargetRange.NonNegative && SourceRange.NonNegative && 6032 SourceRange.Width == TargetRange.Width)) { 6033 6034 if (S.SourceMgr.isInSystemMacro(CC)) 6035 return; 6036 6037 unsigned DiagID = diag::warn_impcast_integer_sign; 6038 6039 // Traditionally, gcc has warned about this under -Wsign-compare. 6040 // We also want to warn about it in -Wconversion. 6041 // So if -Wconversion is off, use a completely identical diagnostic 6042 // in the sign-compare group. 6043 // The conditional-checking code will 6044 if (ICContext) { 6045 DiagID = diag::warn_impcast_integer_sign_conditional; 6046 *ICContext = true; 6047 } 6048 6049 return DiagnoseImpCast(S, E, T, CC, DiagID); 6050 } 6051 6052 // Diagnose conversions between different enumeration types. 6053 // In C, we pretend that the type of an EnumConstantDecl is its enumeration 6054 // type, to give us better diagnostics. 6055 QualType SourceType = E->getType(); 6056 if (!S.getLangOpts().CPlusPlus) { 6057 if (DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) 6058 if (EnumConstantDecl *ECD = dyn_cast<EnumConstantDecl>(DRE->getDecl())) { 6059 EnumDecl *Enum = cast<EnumDecl>(ECD->getDeclContext()); 6060 SourceType = S.Context.getTypeDeclType(Enum); 6061 Source = S.Context.getCanonicalType(SourceType).getTypePtr(); 6062 } 6063 } 6064 6065 if (const EnumType *SourceEnum = Source->getAs<EnumType>()) 6066 if (const EnumType *TargetEnum = Target->getAs<EnumType>()) 6067 if (SourceEnum->getDecl()->hasNameForLinkage() && 6068 TargetEnum->getDecl()->hasNameForLinkage() && 6069 SourceEnum != TargetEnum) { 6070 if (S.SourceMgr.isInSystemMacro(CC)) 6071 return; 6072 6073 return DiagnoseImpCast(S, E, SourceType, T, CC, 6074 diag::warn_impcast_different_enum_types); 6075 } 6076 6077 return; 6078} 6079 6080void CheckConditionalOperator(Sema &S, ConditionalOperator *E, 6081 SourceLocation CC, QualType T); 6082 6083void CheckConditionalOperand(Sema &S, Expr *E, QualType T, 6084 SourceLocation CC, bool &ICContext) { 6085 E = E->IgnoreParenImpCasts(); 6086 6087 if (isa<ConditionalOperator>(E)) 6088 return CheckConditionalOperator(S, cast<ConditionalOperator>(E), CC, T); 6089 6090 AnalyzeImplicitConversions(S, E, CC); 6091 if (E->getType() != T) 6092 return CheckImplicitConversion(S, E, T, CC, &ICContext); 6093 return; 6094} 6095 6096void CheckConditionalOperator(Sema &S, ConditionalOperator *E, 6097 SourceLocation CC, QualType T) { 6098 AnalyzeImplicitConversions(S, E->getCond(), CC); 6099 6100 bool Suspicious = false; 6101 CheckConditionalOperand(S, E->getTrueExpr(), T, CC, Suspicious); 6102 CheckConditionalOperand(S, E->getFalseExpr(), T, CC, Suspicious); 6103 6104 // If -Wconversion would have warned about either of the candidates 6105 // for a signedness conversion to the context type... 6106 if (!Suspicious) return; 6107 6108 // ...but it's currently ignored... 6109 if (!S.Diags.isIgnored(diag::warn_impcast_integer_sign_conditional, CC)) 6110 return; 6111 6112 // ...then check whether it would have warned about either of the 6113 // candidates for a signedness conversion to the condition type. 6114 if (E->getType() == T) return; 6115 6116 Suspicious = false; 6117 CheckImplicitConversion(S, E->getTrueExpr()->IgnoreParenImpCasts(), 6118 E->getType(), CC, &Suspicious); 6119 if (!Suspicious) 6120 CheckImplicitConversion(S, E->getFalseExpr()->IgnoreParenImpCasts(), 6121 E->getType(), CC, &Suspicious); 6122} 6123 6124/// AnalyzeImplicitConversions - Find and report any interesting 6125/// implicit conversions in the given expression. There are a couple 6126/// of competing diagnostics here, -Wconversion and -Wsign-compare. 6127void AnalyzeImplicitConversions(Sema &S, Expr *OrigE, SourceLocation CC) { 6128 QualType T = OrigE->getType(); 6129 Expr *E = OrigE->IgnoreParenImpCasts(); 6130 6131 if (E->isTypeDependent() || E->isValueDependent()) 6132 return; 6133 6134 // For conditional operators, we analyze the arguments as if they 6135 // were being fed directly into the output. 6136 if (isa<ConditionalOperator>(E)) { 6137 ConditionalOperator *CO = cast<ConditionalOperator>(E); 6138 CheckConditionalOperator(S, CO, CC, T); 6139 return; 6140 } 6141 6142 // Check implicit argument conversions for function calls. 6143 if (CallExpr *Call = dyn_cast<CallExpr>(E)) 6144 CheckImplicitArgumentConversions(S, Call, CC); 6145 6146 // Go ahead and check any implicit conversions we might have skipped. 6147 // The non-canonical typecheck is just an optimization; 6148 // CheckImplicitConversion will filter out dead implicit conversions. 6149 if (E->getType() != T) 6150 CheckImplicitConversion(S, E, T, CC); 6151 6152 // Now continue drilling into this expression. 6153 6154 if (PseudoObjectExpr * POE = dyn_cast<PseudoObjectExpr>(E)) { 6155 if (POE->getResultExpr()) 6156 E = POE->getResultExpr(); 6157 } 6158 6159 if (const OpaqueValueExpr *OVE = dyn_cast<OpaqueValueExpr>(E)) 6160 return AnalyzeImplicitConversions(S, OVE->getSourceExpr(), CC); 6161 6162 // Skip past explicit casts. 6163 if (isa<ExplicitCastExpr>(E)) { 6164 E = cast<ExplicitCastExpr>(E)->getSubExpr()->IgnoreParenImpCasts(); 6165 return AnalyzeImplicitConversions(S, E, CC); 6166 } 6167 6168 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 6169 // Do a somewhat different check with comparison operators. 6170 if (BO->isComparisonOp()) 6171 return AnalyzeComparison(S, BO); 6172 6173 // And with simple assignments. 6174 if (BO->getOpcode() == BO_Assign) 6175 return AnalyzeAssignment(S, BO); 6176 } 6177 6178 // These break the otherwise-useful invariant below. Fortunately, 6179 // we don't really need to recurse into them, because any internal 6180 // expressions should have been analyzed already when they were 6181 // built into statements. 6182 if (isa<StmtExpr>(E)) return; 6183 6184 // Don't descend into unevaluated contexts. 6185 if (isa<UnaryExprOrTypeTraitExpr>(E)) return; 6186 6187 // Now just recurse over the expression's children. 6188 CC = E->getExprLoc(); 6189 BinaryOperator *BO = dyn_cast<BinaryOperator>(E); 6190 bool IsLogicalAndOperator = BO && BO->getOpcode() == BO_LAnd; 6191 for (Stmt::child_range I = E->children(); I; ++I) { 6192 Expr *ChildExpr = dyn_cast_or_null<Expr>(*I); 6193 if (!ChildExpr) 6194 continue; 6195 6196 if (IsLogicalAndOperator && 6197 isa<StringLiteral>(ChildExpr->IgnoreParenImpCasts())) 6198 // Ignore checking string literals that are in logical and operators. 6199 // This is a common pattern for asserts. 6200 continue; 6201 AnalyzeImplicitConversions(S, ChildExpr, CC); 6202 } 6203} 6204 6205} // end anonymous namespace 6206 6207enum { 6208 AddressOf, 6209 FunctionPointer, 6210 ArrayPointer 6211}; 6212 6213// Helper function for Sema::DiagnoseAlwaysNonNullPointer. 6214// Returns true when emitting a warning about taking the address of a reference. 6215static bool CheckForReference(Sema &SemaRef, const Expr *E, 6216 PartialDiagnostic PD) { 6217 E = E->IgnoreParenImpCasts(); 6218 6219 const FunctionDecl *FD = nullptr; 6220 6221 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) { 6222 if (!DRE->getDecl()->getType()->isReferenceType()) 6223 return false; 6224 } else if (const MemberExpr *M = dyn_cast<MemberExpr>(E)) { 6225 if (!M->getMemberDecl()->getType()->isReferenceType()) 6226 return false; 6227 } else if (const CallExpr *Call = dyn_cast<CallExpr>(E)) { 6228 if (!Call->getCallReturnType()->isReferenceType()) 6229 return false; 6230 FD = Call->getDirectCallee(); 6231 } else { 6232 return false; 6233 } 6234 6235 SemaRef.Diag(E->getExprLoc(), PD); 6236 6237 // If possible, point to location of function. 6238 if (FD) { 6239 SemaRef.Diag(FD->getLocation(), diag::note_reference_is_return_value) << FD; 6240 } 6241 6242 return true; 6243} 6244 6245/// \brief Diagnose pointers that are always non-null. 6246/// \param E the expression containing the pointer 6247/// \param NullKind NPCK_NotNull if E is a cast to bool, otherwise, E is 6248/// compared to a null pointer 6249/// \param IsEqual True when the comparison is equal to a null pointer 6250/// \param Range Extra SourceRange to highlight in the diagnostic 6251void Sema::DiagnoseAlwaysNonNullPointer(Expr *E, 6252 Expr::NullPointerConstantKind NullKind, 6253 bool IsEqual, SourceRange Range) { 6254 if (!E) 6255 return; 6256 6257 // Don't warn inside macros. 6258 if (E->getExprLoc().isMacroID()) 6259 return; 6260 E = E->IgnoreImpCasts(); 6261 6262 const bool IsCompare = NullKind != Expr::NPCK_NotNull; 6263 6264 if (isa<CXXThisExpr>(E)) { 6265 unsigned DiagID = IsCompare ? diag::warn_this_null_compare 6266 : diag::warn_this_bool_conversion; 6267 Diag(E->getExprLoc(), DiagID) << E->getSourceRange() << Range << IsEqual; 6268 return; 6269 } 6270 6271 bool IsAddressOf = false; 6272 6273 if (UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) { 6274 if (UO->getOpcode() != UO_AddrOf) 6275 return; 6276 IsAddressOf = true; 6277 E = UO->getSubExpr(); 6278 } 6279 6280 if (IsAddressOf) { 6281 unsigned DiagID = IsCompare 6282 ? diag::warn_address_of_reference_null_compare 6283 : diag::warn_address_of_reference_bool_conversion; 6284 PartialDiagnostic PD = PDiag(DiagID) << E->getSourceRange() << Range 6285 << IsEqual; 6286 if (CheckForReference(*this, E, PD)) { 6287 return; 6288 } 6289 } 6290 6291 // Expect to find a single Decl. Skip anything more complicated. 6292 ValueDecl *D = nullptr; 6293 if (DeclRefExpr *R = dyn_cast<DeclRefExpr>(E)) { 6294 D = R->getDecl(); 6295 } else if (MemberExpr *M = dyn_cast<MemberExpr>(E)) { 6296 D = M->getMemberDecl(); 6297 } 6298 6299 // Weak Decls can be null. 6300 if (!D || D->isWeak()) 6301 return; 6302 6303 QualType T = D->getType(); 6304 const bool IsArray = T->isArrayType(); 6305 const bool IsFunction = T->isFunctionType(); 6306 6307 // Address of function is used to silence the function warning. 6308 if (IsAddressOf && IsFunction) { 6309 return; 6310 } 6311 6312 // Found nothing. 6313 if (!IsAddressOf && !IsFunction && !IsArray) 6314 return; 6315 6316 // Pretty print the expression for the diagnostic. 6317 std::string Str; 6318 llvm::raw_string_ostream S(Str); 6319 E->printPretty(S, nullptr, getPrintingPolicy()); 6320 6321 unsigned DiagID = IsCompare ? diag::warn_null_pointer_compare 6322 : diag::warn_impcast_pointer_to_bool; 6323 unsigned DiagType; 6324 if (IsAddressOf) 6325 DiagType = AddressOf; 6326 else if (IsFunction) 6327 DiagType = FunctionPointer; 6328 else if (IsArray) 6329 DiagType = ArrayPointer; 6330 else 6331 llvm_unreachable("Could not determine diagnostic."); 6332 Diag(E->getExprLoc(), DiagID) << DiagType << S.str() << E->getSourceRange() 6333 << Range << IsEqual; 6334 6335 if (!IsFunction) 6336 return; 6337 6338 // Suggest '&' to silence the function warning. 6339 Diag(E->getExprLoc(), diag::note_function_warning_silence) 6340 << FixItHint::CreateInsertion(E->getLocStart(), "&"); 6341 6342 // Check to see if '()' fixit should be emitted. 6343 QualType ReturnType; 6344 UnresolvedSet<4> NonTemplateOverloads; 6345 tryExprAsCall(*E, ReturnType, NonTemplateOverloads); 6346 if (ReturnType.isNull()) 6347 return; 6348 6349 if (IsCompare) { 6350 // There are two cases here. If there is null constant, the only suggest 6351 // for a pointer return type. If the null is 0, then suggest if the return 6352 // type is a pointer or an integer type. 6353 if (!ReturnType->isPointerType()) { 6354 if (NullKind == Expr::NPCK_ZeroExpression || 6355 NullKind == Expr::NPCK_ZeroLiteral) { 6356 if (!ReturnType->isIntegerType()) 6357 return; 6358 } else { 6359 return; 6360 } 6361 } 6362 } else { // !IsCompare 6363 // For function to bool, only suggest if the function pointer has bool 6364 // return type. 6365 if (!ReturnType->isSpecificBuiltinType(BuiltinType::Bool)) 6366 return; 6367 } 6368 Diag(E->getExprLoc(), diag::note_function_to_function_call) 6369 << FixItHint::CreateInsertion(getLocForEndOfToken(E->getLocEnd()), "()"); 6370} 6371 6372 6373/// Diagnoses "dangerous" implicit conversions within the given 6374/// expression (which is a full expression). Implements -Wconversion 6375/// and -Wsign-compare. 6376/// 6377/// \param CC the "context" location of the implicit conversion, i.e. 6378/// the most location of the syntactic entity requiring the implicit 6379/// conversion 6380void Sema::CheckImplicitConversions(Expr *E, SourceLocation CC) { 6381 // Don't diagnose in unevaluated contexts. 6382 if (isUnevaluatedContext()) 6383 return; 6384 6385 // Don't diagnose for value- or type-dependent expressions. 6386 if (E->isTypeDependent() || E->isValueDependent()) 6387 return; 6388 6389 // Check for array bounds violations in cases where the check isn't triggered 6390 // elsewhere for other Expr types (like BinaryOperators), e.g. when an 6391 // ArraySubscriptExpr is on the RHS of a variable initialization. 6392 CheckArrayAccess(E); 6393 6394 // This is not the right CC for (e.g.) a variable initialization. 6395 AnalyzeImplicitConversions(*this, E, CC); 6396} 6397 6398/// Diagnose when expression is an integer constant expression and its evaluation 6399/// results in integer overflow 6400void Sema::CheckForIntOverflow (Expr *E) { 6401 if (isa<BinaryOperator>(E->IgnoreParens())) 6402 E->EvaluateForOverflow(Context); 6403} 6404 6405namespace { 6406/// \brief Visitor for expressions which looks for unsequenced operations on the 6407/// same object. 6408class SequenceChecker : public EvaluatedExprVisitor<SequenceChecker> { 6409 typedef EvaluatedExprVisitor<SequenceChecker> Base; 6410 6411 /// \brief A tree of sequenced regions within an expression. Two regions are 6412 /// unsequenced if one is an ancestor or a descendent of the other. When we 6413 /// finish processing an expression with sequencing, such as a comma 6414 /// expression, we fold its tree nodes into its parent, since they are 6415 /// unsequenced with respect to nodes we will visit later. 6416 class SequenceTree { 6417 struct Value { 6418 explicit Value(unsigned Parent) : Parent(Parent), Merged(false) {} 6419 unsigned Parent : 31; 6420 bool Merged : 1; 6421 }; 6422 SmallVector<Value, 8> Values; 6423 6424 public: 6425 /// \brief A region within an expression which may be sequenced with respect 6426 /// to some other region. 6427 class Seq { 6428 explicit Seq(unsigned N) : Index(N) {} 6429 unsigned Index; 6430 friend class SequenceTree; 6431 public: 6432 Seq() : Index(0) {} 6433 }; 6434 6435 SequenceTree() { Values.push_back(Value(0)); } 6436 Seq root() const { return Seq(0); } 6437 6438 /// \brief Create a new sequence of operations, which is an unsequenced 6439 /// subset of \p Parent. This sequence of operations is sequenced with 6440 /// respect to other children of \p Parent. 6441 Seq allocate(Seq Parent) { 6442 Values.push_back(Value(Parent.Index)); 6443 return Seq(Values.size() - 1); 6444 } 6445 6446 /// \brief Merge a sequence of operations into its parent. 6447 void merge(Seq S) { 6448 Values[S.Index].Merged = true; 6449 } 6450 6451 /// \brief Determine whether two operations are unsequenced. This operation 6452 /// is asymmetric: \p Cur should be the more recent sequence, and \p Old 6453 /// should have been merged into its parent as appropriate. 6454 bool isUnsequenced(Seq Cur, Seq Old) { 6455 unsigned C = representative(Cur.Index); 6456 unsigned Target = representative(Old.Index); 6457 while (C >= Target) { 6458 if (C == Target) 6459 return true; 6460 C = Values[C].Parent; 6461 } 6462 return false; 6463 } 6464 6465 private: 6466 /// \brief Pick a representative for a sequence. 6467 unsigned representative(unsigned K) { 6468 if (Values[K].Merged) 6469 // Perform path compression as we go. 6470 return Values[K].Parent = representative(Values[K].Parent); 6471 return K; 6472 } 6473 }; 6474 6475 /// An object for which we can track unsequenced uses. 6476 typedef NamedDecl *Object; 6477 6478 /// Different flavors of object usage which we track. We only track the 6479 /// least-sequenced usage of each kind. 6480 enum UsageKind { 6481 /// A read of an object. Multiple unsequenced reads are OK. 6482 UK_Use, 6483 /// A modification of an object which is sequenced before the value 6484 /// computation of the expression, such as ++n in C++. 6485 UK_ModAsValue, 6486 /// A modification of an object which is not sequenced before the value 6487 /// computation of the expression, such as n++. 6488 UK_ModAsSideEffect, 6489 6490 UK_Count = UK_ModAsSideEffect + 1 6491 }; 6492 6493 struct Usage { 6494 Usage() : Use(nullptr), Seq() {} 6495 Expr *Use; 6496 SequenceTree::Seq Seq; 6497 }; 6498 6499 struct UsageInfo { 6500 UsageInfo() : Diagnosed(false) {} 6501 Usage Uses[UK_Count]; 6502 /// Have we issued a diagnostic for this variable already? 6503 bool Diagnosed; 6504 }; 6505 typedef llvm::SmallDenseMap<Object, UsageInfo, 16> UsageInfoMap; 6506 6507 Sema &SemaRef; 6508 /// Sequenced regions within the expression. 6509 SequenceTree Tree; 6510 /// Declaration modifications and references which we have seen. 6511 UsageInfoMap UsageMap; 6512 /// The region we are currently within. 6513 SequenceTree::Seq Region; 6514 /// Filled in with declarations which were modified as a side-effect 6515 /// (that is, post-increment operations). 6516 SmallVectorImpl<std::pair<Object, Usage> > *ModAsSideEffect; 6517 /// Expressions to check later. We defer checking these to reduce 6518 /// stack usage. 6519 SmallVectorImpl<Expr *> &WorkList; 6520 6521 /// RAII object wrapping the visitation of a sequenced subexpression of an 6522 /// expression. At the end of this process, the side-effects of the evaluation 6523 /// become sequenced with respect to the value computation of the result, so 6524 /// we downgrade any UK_ModAsSideEffect within the evaluation to 6525 /// UK_ModAsValue. 6526 struct SequencedSubexpression { 6527 SequencedSubexpression(SequenceChecker &Self) 6528 : Self(Self), OldModAsSideEffect(Self.ModAsSideEffect) { 6529 Self.ModAsSideEffect = &ModAsSideEffect; 6530 } 6531 ~SequencedSubexpression() { 6532 for (unsigned I = 0, E = ModAsSideEffect.size(); I != E; ++I) { 6533 UsageInfo &U = Self.UsageMap[ModAsSideEffect[I].first]; 6534 U.Uses[UK_ModAsSideEffect] = ModAsSideEffect[I].second; 6535 Self.addUsage(U, ModAsSideEffect[I].first, 6536 ModAsSideEffect[I].second.Use, UK_ModAsValue); 6537 } 6538 Self.ModAsSideEffect = OldModAsSideEffect; 6539 } 6540 6541 SequenceChecker &Self; 6542 SmallVector<std::pair<Object, Usage>, 4> ModAsSideEffect; 6543 SmallVectorImpl<std::pair<Object, Usage> > *OldModAsSideEffect; 6544 }; 6545 6546 /// RAII object wrapping the visitation of a subexpression which we might 6547 /// choose to evaluate as a constant. If any subexpression is evaluated and 6548 /// found to be non-constant, this allows us to suppress the evaluation of 6549 /// the outer expression. 6550 class EvaluationTracker { 6551 public: 6552 EvaluationTracker(SequenceChecker &Self) 6553 : Self(Self), Prev(Self.EvalTracker), EvalOK(true) { 6554 Self.EvalTracker = this; 6555 } 6556 ~EvaluationTracker() { 6557 Self.EvalTracker = Prev; 6558 if (Prev) 6559 Prev->EvalOK &= EvalOK; 6560 } 6561 6562 bool evaluate(const Expr *E, bool &Result) { 6563 if (!EvalOK || E->isValueDependent()) 6564 return false; 6565 EvalOK = E->EvaluateAsBooleanCondition(Result, Self.SemaRef.Context); 6566 return EvalOK; 6567 } 6568 6569 private: 6570 SequenceChecker &Self; 6571 EvaluationTracker *Prev; 6572 bool EvalOK; 6573 } *EvalTracker; 6574 6575 /// \brief Find the object which is produced by the specified expression, 6576 /// if any. 6577 Object getObject(Expr *E, bool Mod) const { 6578 E = E->IgnoreParenCasts(); 6579 if (UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) { 6580 if (Mod && (UO->getOpcode() == UO_PreInc || UO->getOpcode() == UO_PreDec)) 6581 return getObject(UO->getSubExpr(), Mod); 6582 } else if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 6583 if (BO->getOpcode() == BO_Comma) 6584 return getObject(BO->getRHS(), Mod); 6585 if (Mod && BO->isAssignmentOp()) 6586 return getObject(BO->getLHS(), Mod); 6587 } else if (MemberExpr *ME = dyn_cast<MemberExpr>(E)) { 6588 // FIXME: Check for more interesting cases, like "x.n = ++x.n". 6589 if (isa<CXXThisExpr>(ME->getBase()->IgnoreParenCasts())) 6590 return ME->getMemberDecl(); 6591 } else if (DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) 6592 // FIXME: If this is a reference, map through to its value. 6593 return DRE->getDecl(); 6594 return nullptr; 6595 } 6596 6597 /// \brief Note that an object was modified or used by an expression. 6598 void addUsage(UsageInfo &UI, Object O, Expr *Ref, UsageKind UK) { 6599 Usage &U = UI.Uses[UK]; 6600 if (!U.Use || !Tree.isUnsequenced(Region, U.Seq)) { 6601 if (UK == UK_ModAsSideEffect && ModAsSideEffect) 6602 ModAsSideEffect->push_back(std::make_pair(O, U)); 6603 U.Use = Ref; 6604 U.Seq = Region; 6605 } 6606 } 6607 /// \brief Check whether a modification or use conflicts with a prior usage. 6608 void checkUsage(Object O, UsageInfo &UI, Expr *Ref, UsageKind OtherKind, 6609 bool IsModMod) { 6610 if (UI.Diagnosed) 6611 return; 6612 6613 const Usage &U = UI.Uses[OtherKind]; 6614 if (!U.Use || !Tree.isUnsequenced(Region, U.Seq)) 6615 return; 6616 6617 Expr *Mod = U.Use; 6618 Expr *ModOrUse = Ref; 6619 if (OtherKind == UK_Use) 6620 std::swap(Mod, ModOrUse); 6621 6622 SemaRef.Diag(Mod->getExprLoc(), 6623 IsModMod ? diag::warn_unsequenced_mod_mod 6624 : diag::warn_unsequenced_mod_use) 6625 << O << SourceRange(ModOrUse->getExprLoc()); 6626 UI.Diagnosed = true; 6627 } 6628 6629 void notePreUse(Object O, Expr *Use) { 6630 UsageInfo &U = UsageMap[O]; 6631 // Uses conflict with other modifications. 6632 checkUsage(O, U, Use, UK_ModAsValue, false); 6633 } 6634 void notePostUse(Object O, Expr *Use) { 6635 UsageInfo &U = UsageMap[O]; 6636 checkUsage(O, U, Use, UK_ModAsSideEffect, false); 6637 addUsage(U, O, Use, UK_Use); 6638 } 6639 6640 void notePreMod(Object O, Expr *Mod) { 6641 UsageInfo &U = UsageMap[O]; 6642 // Modifications conflict with other modifications and with uses. 6643 checkUsage(O, U, Mod, UK_ModAsValue, true); 6644 checkUsage(O, U, Mod, UK_Use, false); 6645 } 6646 void notePostMod(Object O, Expr *Use, UsageKind UK) { 6647 UsageInfo &U = UsageMap[O]; 6648 checkUsage(O, U, Use, UK_ModAsSideEffect, true); 6649 addUsage(U, O, Use, UK); 6650 } 6651 6652public: 6653 SequenceChecker(Sema &S, Expr *E, SmallVectorImpl<Expr *> &WorkList) 6654 : Base(S.Context), SemaRef(S), Region(Tree.root()), 6655 ModAsSideEffect(nullptr), WorkList(WorkList), EvalTracker(nullptr) { 6656 Visit(E); 6657 } 6658 6659 void VisitStmt(Stmt *S) { 6660 // Skip all statements which aren't expressions for now. 6661 } 6662 6663 void VisitExpr(Expr *E) { 6664 // By default, just recurse to evaluated subexpressions. 6665 Base::VisitStmt(E); 6666 } 6667 6668 void VisitCastExpr(CastExpr *E) { 6669 Object O = Object(); 6670 if (E->getCastKind() == CK_LValueToRValue) 6671 O = getObject(E->getSubExpr(), false); 6672 6673 if (O) 6674 notePreUse(O, E); 6675 VisitExpr(E); 6676 if (O) 6677 notePostUse(O, E); 6678 } 6679 6680 void VisitBinComma(BinaryOperator *BO) { 6681 // C++11 [expr.comma]p1: 6682 // Every value computation and side effect associated with the left 6683 // expression is sequenced before every value computation and side 6684 // effect associated with the right expression. 6685 SequenceTree::Seq LHS = Tree.allocate(Region); 6686 SequenceTree::Seq RHS = Tree.allocate(Region); 6687 SequenceTree::Seq OldRegion = Region; 6688 6689 { 6690 SequencedSubexpression SeqLHS(*this); 6691 Region = LHS; 6692 Visit(BO->getLHS()); 6693 } 6694 6695 Region = RHS; 6696 Visit(BO->getRHS()); 6697 6698 Region = OldRegion; 6699 6700 // Forget that LHS and RHS are sequenced. They are both unsequenced 6701 // with respect to other stuff. 6702 Tree.merge(LHS); 6703 Tree.merge(RHS); 6704 } 6705 6706 void VisitBinAssign(BinaryOperator *BO) { 6707 // The modification is sequenced after the value computation of the LHS 6708 // and RHS, so check it before inspecting the operands and update the 6709 // map afterwards. 6710 Object O = getObject(BO->getLHS(), true); 6711 if (!O) 6712 return VisitExpr(BO); 6713 6714 notePreMod(O, BO); 6715 6716 // C++11 [expr.ass]p7: 6717 // E1 op= E2 is equivalent to E1 = E1 op E2, except that E1 is evaluated 6718 // only once. 6719 // 6720 // Therefore, for a compound assignment operator, O is considered used 6721 // everywhere except within the evaluation of E1 itself. 6722 if (isa<CompoundAssignOperator>(BO)) 6723 notePreUse(O, BO); 6724 6725 Visit(BO->getLHS()); 6726 6727 if (isa<CompoundAssignOperator>(BO)) 6728 notePostUse(O, BO); 6729 6730 Visit(BO->getRHS()); 6731 6732 // C++11 [expr.ass]p1: 6733 // the assignment is sequenced [...] before the value computation of the 6734 // assignment expression. 6735 // C11 6.5.16/3 has no such rule. 6736 notePostMod(O, BO, SemaRef.getLangOpts().CPlusPlus ? UK_ModAsValue 6737 : UK_ModAsSideEffect); 6738 } 6739 void VisitCompoundAssignOperator(CompoundAssignOperator *CAO) { 6740 VisitBinAssign(CAO); 6741 } 6742 6743 void VisitUnaryPreInc(UnaryOperator *UO) { VisitUnaryPreIncDec(UO); } 6744 void VisitUnaryPreDec(UnaryOperator *UO) { VisitUnaryPreIncDec(UO); } 6745 void VisitUnaryPreIncDec(UnaryOperator *UO) { 6746 Object O = getObject(UO->getSubExpr(), true); 6747 if (!O) 6748 return VisitExpr(UO); 6749 6750 notePreMod(O, UO); 6751 Visit(UO->getSubExpr()); 6752 // C++11 [expr.pre.incr]p1: 6753 // the expression ++x is equivalent to x+=1 6754 notePostMod(O, UO, SemaRef.getLangOpts().CPlusPlus ? UK_ModAsValue 6755 : UK_ModAsSideEffect); 6756 } 6757 6758 void VisitUnaryPostInc(UnaryOperator *UO) { VisitUnaryPostIncDec(UO); } 6759 void VisitUnaryPostDec(UnaryOperator *UO) { VisitUnaryPostIncDec(UO); } 6760 void VisitUnaryPostIncDec(UnaryOperator *UO) { 6761 Object O = getObject(UO->getSubExpr(), true); 6762 if (!O) 6763 return VisitExpr(UO); 6764 6765 notePreMod(O, UO); 6766 Visit(UO->getSubExpr()); 6767 notePostMod(O, UO, UK_ModAsSideEffect); 6768 } 6769 6770 /// Don't visit the RHS of '&&' or '||' if it might not be evaluated. 6771 void VisitBinLOr(BinaryOperator *BO) { 6772 // The side-effects of the LHS of an '&&' are sequenced before the 6773 // value computation of the RHS, and hence before the value computation 6774 // of the '&&' itself, unless the LHS evaluates to zero. We treat them 6775 // as if they were unconditionally sequenced. 6776 EvaluationTracker Eval(*this); 6777 { 6778 SequencedSubexpression Sequenced(*this); 6779 Visit(BO->getLHS()); 6780 } 6781 6782 bool Result; 6783 if (Eval.evaluate(BO->getLHS(), Result)) { 6784 if (!Result) 6785 Visit(BO->getRHS()); 6786 } else { 6787 // Check for unsequenced operations in the RHS, treating it as an 6788 // entirely separate evaluation. 6789 // 6790 // FIXME: If there are operations in the RHS which are unsequenced 6791 // with respect to operations outside the RHS, and those operations 6792 // are unconditionally evaluated, diagnose them. 6793 WorkList.push_back(BO->getRHS()); 6794 } 6795 } 6796 void VisitBinLAnd(BinaryOperator *BO) { 6797 EvaluationTracker Eval(*this); 6798 { 6799 SequencedSubexpression Sequenced(*this); 6800 Visit(BO->getLHS()); 6801 } 6802 6803 bool Result; 6804 if (Eval.evaluate(BO->getLHS(), Result)) { 6805 if (Result) 6806 Visit(BO->getRHS()); 6807 } else { 6808 WorkList.push_back(BO->getRHS()); 6809 } 6810 } 6811 6812 // Only visit the condition, unless we can be sure which subexpression will 6813 // be chosen. 6814 void VisitAbstractConditionalOperator(AbstractConditionalOperator *CO) { 6815 EvaluationTracker Eval(*this); 6816 { 6817 SequencedSubexpression Sequenced(*this); 6818 Visit(CO->getCond()); 6819 } 6820 6821 bool Result; 6822 if (Eval.evaluate(CO->getCond(), Result)) 6823 Visit(Result ? CO->getTrueExpr() : CO->getFalseExpr()); 6824 else { 6825 WorkList.push_back(CO->getTrueExpr()); 6826 WorkList.push_back(CO->getFalseExpr()); 6827 } 6828 } 6829 6830 void VisitCallExpr(CallExpr *CE) { 6831 // C++11 [intro.execution]p15: 6832 // When calling a function [...], every value computation and side effect 6833 // associated with any argument expression, or with the postfix expression 6834 // designating the called function, is sequenced before execution of every 6835 // expression or statement in the body of the function [and thus before 6836 // the value computation of its result]. 6837 SequencedSubexpression Sequenced(*this); 6838 Base::VisitCallExpr(CE); 6839 6840 // FIXME: CXXNewExpr and CXXDeleteExpr implicitly call functions. 6841 } 6842 6843 void VisitCXXConstructExpr(CXXConstructExpr *CCE) { 6844 // This is a call, so all subexpressions are sequenced before the result. 6845 SequencedSubexpression Sequenced(*this); 6846 6847 if (!CCE->isListInitialization()) 6848 return VisitExpr(CCE); 6849 6850 // In C++11, list initializations are sequenced. 6851 SmallVector<SequenceTree::Seq, 32> Elts; 6852 SequenceTree::Seq Parent = Region; 6853 for (CXXConstructExpr::arg_iterator I = CCE->arg_begin(), 6854 E = CCE->arg_end(); 6855 I != E; ++I) { 6856 Region = Tree.allocate(Parent); 6857 Elts.push_back(Region); 6858 Visit(*I); 6859 } 6860 6861 // Forget that the initializers are sequenced. 6862 Region = Parent; 6863 for (unsigned I = 0; I < Elts.size(); ++I) 6864 Tree.merge(Elts[I]); 6865 } 6866 6867 void VisitInitListExpr(InitListExpr *ILE) { 6868 if (!SemaRef.getLangOpts().CPlusPlus11) 6869 return VisitExpr(ILE); 6870 6871 // In C++11, list initializations are sequenced. 6872 SmallVector<SequenceTree::Seq, 32> Elts; 6873 SequenceTree::Seq Parent = Region; 6874 for (unsigned I = 0; I < ILE->getNumInits(); ++I) { 6875 Expr *E = ILE->getInit(I); 6876 if (!E) continue; 6877 Region = Tree.allocate(Parent); 6878 Elts.push_back(Region); 6879 Visit(E); 6880 } 6881 6882 // Forget that the initializers are sequenced. 6883 Region = Parent; 6884 for (unsigned I = 0; I < Elts.size(); ++I) 6885 Tree.merge(Elts[I]); 6886 } 6887}; 6888} 6889 6890void Sema::CheckUnsequencedOperations(Expr *E) { 6891 SmallVector<Expr *, 8> WorkList; 6892 WorkList.push_back(E); 6893 while (!WorkList.empty()) { 6894 Expr *Item = WorkList.pop_back_val(); 6895 SequenceChecker(*this, Item, WorkList); 6896 } 6897} 6898 6899void Sema::CheckCompletedExpr(Expr *E, SourceLocation CheckLoc, 6900 bool IsConstexpr) { 6901 CheckImplicitConversions(E, CheckLoc); 6902 CheckUnsequencedOperations(E); 6903 if (!IsConstexpr && !E->isValueDependent()) 6904 CheckForIntOverflow(E); 6905} 6906 6907void Sema::CheckBitFieldInitialization(SourceLocation InitLoc, 6908 FieldDecl *BitField, 6909 Expr *Init) { 6910 (void) AnalyzeBitFieldAssignment(*this, BitField, Init, InitLoc); 6911} 6912 6913/// CheckParmsForFunctionDef - Check that the parameters of the given 6914/// function are appropriate for the definition of a function. This 6915/// takes care of any checks that cannot be performed on the 6916/// declaration itself, e.g., that the types of each of the function 6917/// parameters are complete. 6918bool Sema::CheckParmsForFunctionDef(ParmVarDecl *const *P, 6919 ParmVarDecl *const *PEnd, 6920 bool CheckParameterNames) { 6921 bool HasInvalidParm = false; 6922 for (; P != PEnd; ++P) { 6923 ParmVarDecl *Param = *P; 6924 6925 // C99 6.7.5.3p4: the parameters in a parameter type list in a 6926 // function declarator that is part of a function definition of 6927 // that function shall not have incomplete type. 6928 // 6929 // This is also C++ [dcl.fct]p6. 6930 if (!Param->isInvalidDecl() && 6931 RequireCompleteType(Param->getLocation(), Param->getType(), 6932 diag::err_typecheck_decl_incomplete_type)) { 6933 Param->setInvalidDecl(); 6934 HasInvalidParm = true; 6935 } 6936 6937 // C99 6.9.1p5: If the declarator includes a parameter type list, the 6938 // declaration of each parameter shall include an identifier. 6939 if (CheckParameterNames && 6940 Param->getIdentifier() == nullptr && 6941 !Param->isImplicit() && 6942 !getLangOpts().CPlusPlus) 6943 Diag(Param->getLocation(), diag::err_parameter_name_omitted); 6944 6945 // C99 6.7.5.3p12: 6946 // If the function declarator is not part of a definition of that 6947 // function, parameters may have incomplete type and may use the [*] 6948 // notation in their sequences of declarator specifiers to specify 6949 // variable length array types. 6950 QualType PType = Param->getOriginalType(); 6951 while (const ArrayType *AT = Context.getAsArrayType(PType)) { 6952 if (AT->getSizeModifier() == ArrayType::Star) { 6953 // FIXME: This diagnostic should point the '[*]' if source-location 6954 // information is added for it. 6955 Diag(Param->getLocation(), diag::err_array_star_in_function_definition); 6956 break; 6957 } 6958 PType= AT->getElementType(); 6959 } 6960 6961 // MSVC destroys objects passed by value in the callee. Therefore a 6962 // function definition which takes such a parameter must be able to call the 6963 // object's destructor. However, we don't perform any direct access check 6964 // on the dtor. 6965 if (getLangOpts().CPlusPlus && Context.getTargetInfo() 6966 .getCXXABI() 6967 .areArgsDestroyedLeftToRightInCallee()) { 6968 if (!Param->isInvalidDecl()) { 6969 if (const RecordType *RT = Param->getType()->getAs<RecordType>()) { 6970 CXXRecordDecl *ClassDecl = cast<CXXRecordDecl>(RT->getDecl()); 6971 if (!ClassDecl->isInvalidDecl() && 6972 !ClassDecl->hasIrrelevantDestructor() && 6973 !ClassDecl->isDependentContext()) { 6974 CXXDestructorDecl *Destructor = LookupDestructor(ClassDecl); 6975 MarkFunctionReferenced(Param->getLocation(), Destructor); 6976 DiagnoseUseOfDecl(Destructor, Param->getLocation()); 6977 } 6978 } 6979 } 6980 } 6981 } 6982 6983 return HasInvalidParm; 6984} 6985 6986/// CheckCastAlign - Implements -Wcast-align, which warns when a 6987/// pointer cast increases the alignment requirements. 6988void Sema::CheckCastAlign(Expr *Op, QualType T, SourceRange TRange) { 6989 // This is actually a lot of work to potentially be doing on every 6990 // cast; don't do it if we're ignoring -Wcast_align (as is the default). 6991 if (getDiagnostics().isIgnored(diag::warn_cast_align, TRange.getBegin())) 6992 return; 6993 6994 // Ignore dependent types. 6995 if (T->isDependentType() || Op->getType()->isDependentType()) 6996 return; 6997 6998 // Require that the destination be a pointer type. 6999 const PointerType *DestPtr = T->getAs<PointerType>(); 7000 if (!DestPtr) return; 7001 7002 // If the destination has alignment 1, we're done. 7003 QualType DestPointee = DestPtr->getPointeeType(); 7004 if (DestPointee->isIncompleteType()) return; 7005 CharUnits DestAlign = Context.getTypeAlignInChars(DestPointee); 7006 if (DestAlign.isOne()) return; 7007 7008 // Require that the source be a pointer type. 7009 const PointerType *SrcPtr = Op->getType()->getAs<PointerType>(); 7010 if (!SrcPtr) return; 7011 QualType SrcPointee = SrcPtr->getPointeeType(); 7012 7013 // Whitelist casts from cv void*. We already implicitly 7014 // whitelisted casts to cv void*, since they have alignment 1. 7015 // Also whitelist casts involving incomplete types, which implicitly 7016 // includes 'void'. 7017 if (SrcPointee->isIncompleteType()) return; 7018 7019 CharUnits SrcAlign = Context.getTypeAlignInChars(SrcPointee); 7020 if (SrcAlign >= DestAlign) return; 7021 7022 Diag(TRange.getBegin(), diag::warn_cast_align) 7023 << Op->getType() << T 7024 << static_cast<unsigned>(SrcAlign.getQuantity()) 7025 << static_cast<unsigned>(DestAlign.getQuantity()) 7026 << TRange << Op->getSourceRange(); 7027} 7028 7029static const Type* getElementType(const Expr *BaseExpr) { 7030 const Type* EltType = BaseExpr->getType().getTypePtr(); 7031 if (EltType->isAnyPointerType()) 7032 return EltType->getPointeeType().getTypePtr(); 7033 else if (EltType->isArrayType()) 7034 return EltType->getBaseElementTypeUnsafe(); 7035 return EltType; 7036} 7037 7038/// \brief Check whether this array fits the idiom of a size-one tail padded 7039/// array member of a struct. 7040/// 7041/// We avoid emitting out-of-bounds access warnings for such arrays as they are 7042/// commonly used to emulate flexible arrays in C89 code. 7043static bool IsTailPaddedMemberArray(Sema &S, llvm::APInt Size, 7044 const NamedDecl *ND) { 7045 if (Size != 1 || !ND) return false; 7046 7047 const FieldDecl *FD = dyn_cast<FieldDecl>(ND); 7048 if (!FD) return false; 7049 7050 // Don't consider sizes resulting from macro expansions or template argument 7051 // substitution to form C89 tail-padded arrays. 7052 7053 TypeSourceInfo *TInfo = FD->getTypeSourceInfo(); 7054 while (TInfo) { 7055 TypeLoc TL = TInfo->getTypeLoc(); 7056 // Look through typedefs. 7057 if (TypedefTypeLoc TTL = TL.getAs<TypedefTypeLoc>()) { 7058 const TypedefNameDecl *TDL = TTL.getTypedefNameDecl(); 7059 TInfo = TDL->getTypeSourceInfo(); 7060 continue; 7061 } 7062 if (ConstantArrayTypeLoc CTL = TL.getAs<ConstantArrayTypeLoc>()) { 7063 const Expr *SizeExpr = dyn_cast<IntegerLiteral>(CTL.getSizeExpr()); 7064 if (!SizeExpr || SizeExpr->getExprLoc().isMacroID()) 7065 return false; 7066 } 7067 break; 7068 } 7069 7070 const RecordDecl *RD = dyn_cast<RecordDecl>(FD->getDeclContext()); 7071 if (!RD) return false; 7072 if (RD->isUnion()) return false; 7073 if (const CXXRecordDecl *CRD = dyn_cast<CXXRecordDecl>(RD)) { 7074 if (!CRD->isStandardLayout()) return false; 7075 } 7076 7077 // See if this is the last field decl in the record. 7078 const Decl *D = FD; 7079 while ((D = D->getNextDeclInContext())) 7080 if (isa<FieldDecl>(D)) 7081 return false; 7082 return true; 7083} 7084 7085void Sema::CheckArrayAccess(const Expr *BaseExpr, const Expr *IndexExpr, 7086 const ArraySubscriptExpr *ASE, 7087 bool AllowOnePastEnd, bool IndexNegated) { 7088 IndexExpr = IndexExpr->IgnoreParenImpCasts(); 7089 if (IndexExpr->isValueDependent()) 7090 return; 7091 7092 const Type *EffectiveType = getElementType(BaseExpr); 7093 BaseExpr = BaseExpr->IgnoreParenCasts(); 7094 const ConstantArrayType *ArrayTy = 7095 Context.getAsConstantArrayType(BaseExpr->getType()); 7096 if (!ArrayTy) 7097 return; 7098 7099 llvm::APSInt index; 7100 if (!IndexExpr->EvaluateAsInt(index, Context)) 7101 return; 7102 if (IndexNegated) 7103 index = -index; 7104 7105 const NamedDecl *ND = nullptr; 7106 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr)) 7107 ND = dyn_cast<NamedDecl>(DRE->getDecl()); 7108 if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr)) 7109 ND = dyn_cast<NamedDecl>(ME->getMemberDecl()); 7110 7111 if (index.isUnsigned() || !index.isNegative()) { 7112 llvm::APInt size = ArrayTy->getSize(); 7113 if (!size.isStrictlyPositive()) 7114 return; 7115 7116 const Type* BaseType = getElementType(BaseExpr); 7117 if (BaseType != EffectiveType) { 7118 // Make sure we're comparing apples to apples when comparing index to size 7119 uint64_t ptrarith_typesize = Context.getTypeSize(EffectiveType); 7120 uint64_t array_typesize = Context.getTypeSize(BaseType); 7121 // Handle ptrarith_typesize being zero, such as when casting to void* 7122 if (!ptrarith_typesize) ptrarith_typesize = 1; 7123 if (ptrarith_typesize != array_typesize) { 7124 // There's a cast to a different size type involved 7125 uint64_t ratio = array_typesize / ptrarith_typesize; 7126 // TODO: Be smarter about handling cases where array_typesize is not a 7127 // multiple of ptrarith_typesize 7128 if (ptrarith_typesize * ratio == array_typesize) 7129 size *= llvm::APInt(size.getBitWidth(), ratio); 7130 } 7131 } 7132 7133 if (size.getBitWidth() > index.getBitWidth()) 7134 index = index.zext(size.getBitWidth()); 7135 else if (size.getBitWidth() < index.getBitWidth()) 7136 size = size.zext(index.getBitWidth()); 7137 7138 // For array subscripting the index must be less than size, but for pointer 7139 // arithmetic also allow the index (offset) to be equal to size since 7140 // computing the next address after the end of the array is legal and 7141 // commonly done e.g. in C++ iterators and range-based for loops. 7142 if (AllowOnePastEnd ? index.ule(size) : index.ult(size)) 7143 return; 7144 7145 // Also don't warn for arrays of size 1 which are members of some 7146 // structure. These are often used to approximate flexible arrays in C89 7147 // code. 7148 if (IsTailPaddedMemberArray(*this, size, ND)) 7149 return; 7150 7151 // Suppress the warning if the subscript expression (as identified by the 7152 // ']' location) and the index expression are both from macro expansions 7153 // within a system header. 7154 if (ASE) { 7155 SourceLocation RBracketLoc = SourceMgr.getSpellingLoc( 7156 ASE->getRBracketLoc()); 7157 if (SourceMgr.isInSystemHeader(RBracketLoc)) { 7158 SourceLocation IndexLoc = SourceMgr.getSpellingLoc( 7159 IndexExpr->getLocStart()); 7160 if (SourceMgr.isWrittenInSameFile(RBracketLoc, IndexLoc)) 7161 return; 7162 } 7163 } 7164 7165 unsigned DiagID = diag::warn_ptr_arith_exceeds_bounds; 7166 if (ASE) 7167 DiagID = diag::warn_array_index_exceeds_bounds; 7168 7169 DiagRuntimeBehavior(BaseExpr->getLocStart(), BaseExpr, 7170 PDiag(DiagID) << index.toString(10, true) 7171 << size.toString(10, true) 7172 << (unsigned)size.getLimitedValue(~0U) 7173 << IndexExpr->getSourceRange()); 7174 } else { 7175 unsigned DiagID = diag::warn_array_index_precedes_bounds; 7176 if (!ASE) { 7177 DiagID = diag::warn_ptr_arith_precedes_bounds; 7178 if (index.isNegative()) index = -index; 7179 } 7180 7181 DiagRuntimeBehavior(BaseExpr->getLocStart(), BaseExpr, 7182 PDiag(DiagID) << index.toString(10, true) 7183 << IndexExpr->getSourceRange()); 7184 } 7185 7186 if (!ND) { 7187 // Try harder to find a NamedDecl to point at in the note. 7188 while (const ArraySubscriptExpr *ASE = 7189 dyn_cast<ArraySubscriptExpr>(BaseExpr)) 7190 BaseExpr = ASE->getBase()->IgnoreParenCasts(); 7191 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr)) 7192 ND = dyn_cast<NamedDecl>(DRE->getDecl()); 7193 if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr)) 7194 ND = dyn_cast<NamedDecl>(ME->getMemberDecl()); 7195 } 7196 7197 if (ND) 7198 DiagRuntimeBehavior(ND->getLocStart(), BaseExpr, 7199 PDiag(diag::note_array_index_out_of_bounds) 7200 << ND->getDeclName()); 7201} 7202 7203void Sema::CheckArrayAccess(const Expr *expr) { 7204 int AllowOnePastEnd = 0; 7205 while (expr) { 7206 expr = expr->IgnoreParenImpCasts(); 7207 switch (expr->getStmtClass()) { 7208 case Stmt::ArraySubscriptExprClass: { 7209 const ArraySubscriptExpr *ASE = cast<ArraySubscriptExpr>(expr); 7210 CheckArrayAccess(ASE->getBase(), ASE->getIdx(), ASE, 7211 AllowOnePastEnd > 0); 7212 return; 7213 } 7214 case Stmt::UnaryOperatorClass: { 7215 // Only unwrap the * and & unary operators 7216 const UnaryOperator *UO = cast<UnaryOperator>(expr); 7217 expr = UO->getSubExpr(); 7218 switch (UO->getOpcode()) { 7219 case UO_AddrOf: 7220 AllowOnePastEnd++; 7221 break; 7222 case UO_Deref: 7223 AllowOnePastEnd--; 7224 break; 7225 default: 7226 return; 7227 } 7228 break; 7229 } 7230 case Stmt::ConditionalOperatorClass: { 7231 const ConditionalOperator *cond = cast<ConditionalOperator>(expr); 7232 if (const Expr *lhs = cond->getLHS()) 7233 CheckArrayAccess(lhs); 7234 if (const Expr *rhs = cond->getRHS()) 7235 CheckArrayAccess(rhs); 7236 return; 7237 } 7238 default: 7239 return; 7240 } 7241 } 7242} 7243 7244//===--- CHECK: Objective-C retain cycles ----------------------------------// 7245 7246namespace { 7247 struct RetainCycleOwner { 7248 RetainCycleOwner() : Variable(nullptr), Indirect(false) {} 7249 VarDecl *Variable; 7250 SourceRange Range; 7251 SourceLocation Loc; 7252 bool Indirect; 7253 7254 void setLocsFrom(Expr *e) { 7255 Loc = e->getExprLoc(); 7256 Range = e->getSourceRange(); 7257 } 7258 }; 7259} 7260 7261/// Consider whether capturing the given variable can possibly lead to 7262/// a retain cycle. 7263static bool considerVariable(VarDecl *var, Expr *ref, RetainCycleOwner &owner) { 7264 // In ARC, it's captured strongly iff the variable has __strong 7265 // lifetime. In MRR, it's captured strongly if the variable is 7266 // __block and has an appropriate type. 7267 if (var->getType().getObjCLifetime() != Qualifiers::OCL_Strong) 7268 return false; 7269 7270 owner.Variable = var; 7271 if (ref) 7272 owner.setLocsFrom(ref); 7273 return true; 7274} 7275 7276static bool findRetainCycleOwner(Sema &S, Expr *e, RetainCycleOwner &owner) { 7277 while (true) { 7278 e = e->IgnoreParens(); 7279 if (CastExpr *cast = dyn_cast<CastExpr>(e)) { 7280 switch (cast->getCastKind()) { 7281 case CK_BitCast: 7282 case CK_LValueBitCast: 7283 case CK_LValueToRValue: 7284 case CK_ARCReclaimReturnedObject: 7285 e = cast->getSubExpr(); 7286 continue; 7287 7288 default: 7289 return false; 7290 } 7291 } 7292 7293 if (ObjCIvarRefExpr *ref = dyn_cast<ObjCIvarRefExpr>(e)) { 7294 ObjCIvarDecl *ivar = ref->getDecl(); 7295 if (ivar->getType().getObjCLifetime() != Qualifiers::OCL_Strong) 7296 return false; 7297 7298 // Try to find a retain cycle in the base. 7299 if (!findRetainCycleOwner(S, ref->getBase(), owner)) 7300 return false; 7301 7302 if (ref->isFreeIvar()) owner.setLocsFrom(ref); 7303 owner.Indirect = true; 7304 return true; 7305 } 7306 7307 if (DeclRefExpr *ref = dyn_cast<DeclRefExpr>(e)) { 7308 VarDecl *var = dyn_cast<VarDecl>(ref->getDecl()); 7309 if (!var) return false; 7310 return considerVariable(var, ref, owner); 7311 } 7312 7313 if (MemberExpr *member = dyn_cast<MemberExpr>(e)) { 7314 if (member->isArrow()) return false; 7315 7316 // Don't count this as an indirect ownership. 7317 e = member->getBase(); 7318 continue; 7319 } 7320 7321 if (PseudoObjectExpr *pseudo = dyn_cast<PseudoObjectExpr>(e)) { 7322 // Only pay attention to pseudo-objects on property references. 7323 ObjCPropertyRefExpr *pre 7324 = dyn_cast<ObjCPropertyRefExpr>(pseudo->getSyntacticForm() 7325 ->IgnoreParens()); 7326 if (!pre) return false; 7327 if (pre->isImplicitProperty()) return false; 7328 ObjCPropertyDecl *property = pre->getExplicitProperty(); 7329 if (!property->isRetaining() && 7330 !(property->getPropertyIvarDecl() && 7331 property->getPropertyIvarDecl()->getType() 7332 .getObjCLifetime() == Qualifiers::OCL_Strong)) 7333 return false; 7334 7335 owner.Indirect = true; 7336 if (pre->isSuperReceiver()) { 7337 owner.Variable = S.getCurMethodDecl()->getSelfDecl(); 7338 if (!owner.Variable) 7339 return false; 7340 owner.Loc = pre->getLocation(); 7341 owner.Range = pre->getSourceRange(); 7342 return true; 7343 } 7344 e = const_cast<Expr*>(cast<OpaqueValueExpr>(pre->getBase()) 7345 ->getSourceExpr()); 7346 continue; 7347 } 7348 7349 // Array ivars? 7350 7351 return false; 7352 } 7353} 7354 7355namespace { 7356 struct FindCaptureVisitor : EvaluatedExprVisitor<FindCaptureVisitor> { 7357 FindCaptureVisitor(ASTContext &Context, VarDecl *variable) 7358 : EvaluatedExprVisitor<FindCaptureVisitor>(Context), 7359 Context(Context), Variable(variable), Capturer(nullptr), 7360 VarWillBeReased(false) {} 7361 ASTContext &Context; 7362 VarDecl *Variable; 7363 Expr *Capturer; 7364 bool VarWillBeReased; 7365 7366 void VisitDeclRefExpr(DeclRefExpr *ref) { 7367 if (ref->getDecl() == Variable && !Capturer) 7368 Capturer = ref; 7369 } 7370 7371 void VisitObjCIvarRefExpr(ObjCIvarRefExpr *ref) { 7372 if (Capturer) return; 7373 Visit(ref->getBase()); 7374 if (Capturer && ref->isFreeIvar()) 7375 Capturer = ref; 7376 } 7377 7378 void VisitBlockExpr(BlockExpr *block) { 7379 // Look inside nested blocks 7380 if (block->getBlockDecl()->capturesVariable(Variable)) 7381 Visit(block->getBlockDecl()->getBody()); 7382 } 7383 7384 void VisitOpaqueValueExpr(OpaqueValueExpr *OVE) { 7385 if (Capturer) return; 7386 if (OVE->getSourceExpr()) 7387 Visit(OVE->getSourceExpr()); 7388 } 7389 void VisitBinaryOperator(BinaryOperator *BinOp) { 7390 if (!Variable || VarWillBeReased || BinOp->getOpcode() != BO_Assign) 7391 return; 7392 Expr *LHS = BinOp->getLHS(); 7393 if (const DeclRefExpr *DRE = dyn_cast_or_null<DeclRefExpr>(LHS)) { 7394 if (DRE->getDecl() != Variable) 7395 return; 7396 if (Expr *RHS = BinOp->getRHS()) { 7397 RHS = RHS->IgnoreParenCasts(); 7398 llvm::APSInt Value; 7399 VarWillBeReased = 7400 (RHS && RHS->isIntegerConstantExpr(Value, Context) && Value == 0); 7401 } 7402 } 7403 } 7404 }; 7405} 7406 7407/// Check whether the given argument is a block which captures a 7408/// variable. 7409static Expr *findCapturingExpr(Sema &S, Expr *e, RetainCycleOwner &owner) { 7410 assert(owner.Variable && owner.Loc.isValid()); 7411 7412 e = e->IgnoreParenCasts(); 7413 7414 // Look through [^{...} copy] and Block_copy(^{...}). 7415 if (ObjCMessageExpr *ME = dyn_cast<ObjCMessageExpr>(e)) { 7416 Selector Cmd = ME->getSelector(); 7417 if (Cmd.isUnarySelector() && Cmd.getNameForSlot(0) == "copy") { 7418 e = ME->getInstanceReceiver(); 7419 if (!e) 7420 return nullptr; 7421 e = e->IgnoreParenCasts(); 7422 } 7423 } else if (CallExpr *CE = dyn_cast<CallExpr>(e)) { 7424 if (CE->getNumArgs() == 1) { 7425 FunctionDecl *Fn = dyn_cast_or_null<FunctionDecl>(CE->getCalleeDecl()); 7426 if (Fn) { 7427 const IdentifierInfo *FnI = Fn->getIdentifier(); 7428 if (FnI && FnI->isStr("_Block_copy")) { 7429 e = CE->getArg(0)->IgnoreParenCasts(); 7430 } 7431 } 7432 } 7433 } 7434 7435 BlockExpr *block = dyn_cast<BlockExpr>(e); 7436 if (!block || !block->getBlockDecl()->capturesVariable(owner.Variable)) 7437 return nullptr; 7438 7439 FindCaptureVisitor visitor(S.Context, owner.Variable); 7440 visitor.Visit(block->getBlockDecl()->getBody()); 7441 return visitor.VarWillBeReased ? nullptr : visitor.Capturer; 7442} 7443 7444static void diagnoseRetainCycle(Sema &S, Expr *capturer, 7445 RetainCycleOwner &owner) { 7446 assert(capturer); 7447 assert(owner.Variable && owner.Loc.isValid()); 7448 7449 S.Diag(capturer->getExprLoc(), diag::warn_arc_retain_cycle) 7450 << owner.Variable << capturer->getSourceRange(); 7451 S.Diag(owner.Loc, diag::note_arc_retain_cycle_owner) 7452 << owner.Indirect << owner.Range; 7453} 7454 7455/// Check for a keyword selector that starts with the word 'add' or 7456/// 'set'. 7457static bool isSetterLikeSelector(Selector sel) { 7458 if (sel.isUnarySelector()) return false; 7459 7460 StringRef str = sel.getNameForSlot(0); 7461 while (!str.empty() && str.front() == '_') str = str.substr(1); 7462 if (str.startswith("set")) 7463 str = str.substr(3); 7464 else if (str.startswith("add")) { 7465 // Specially whitelist 'addOperationWithBlock:'. 7466 if (sel.getNumArgs() == 1 && str.startswith("addOperationWithBlock")) 7467 return false; 7468 str = str.substr(3); 7469 } 7470 else 7471 return false; 7472 7473 if (str.empty()) return true; 7474 return !isLowercase(str.front()); 7475} 7476 7477/// Check a message send to see if it's likely to cause a retain cycle. 7478void Sema::checkRetainCycles(ObjCMessageExpr *msg) { 7479 // Only check instance methods whose selector looks like a setter. 7480 if (!msg->isInstanceMessage() || !isSetterLikeSelector(msg->getSelector())) 7481 return; 7482 7483 // Try to find a variable that the receiver is strongly owned by. 7484 RetainCycleOwner owner; 7485 if (msg->getReceiverKind() == ObjCMessageExpr::Instance) { 7486 if (!findRetainCycleOwner(*this, msg->getInstanceReceiver(), owner)) 7487 return; 7488 } else { 7489 assert(msg->getReceiverKind() == ObjCMessageExpr::SuperInstance); 7490 owner.Variable = getCurMethodDecl()->getSelfDecl(); 7491 owner.Loc = msg->getSuperLoc(); 7492 owner.Range = msg->getSuperLoc(); 7493 } 7494 7495 // Check whether the receiver is captured by any of the arguments. 7496 for (unsigned i = 0, e = msg->getNumArgs(); i != e; ++i) 7497 if (Expr *capturer = findCapturingExpr(*this, msg->getArg(i), owner)) 7498 return diagnoseRetainCycle(*this, capturer, owner); 7499} 7500 7501/// Check a property assign to see if it's likely to cause a retain cycle. 7502void Sema::checkRetainCycles(Expr *receiver, Expr *argument) { 7503 RetainCycleOwner owner; 7504 if (!findRetainCycleOwner(*this, receiver, owner)) 7505 return; 7506 7507 if (Expr *capturer = findCapturingExpr(*this, argument, owner)) 7508 diagnoseRetainCycle(*this, capturer, owner); 7509} 7510 7511void Sema::checkRetainCycles(VarDecl *Var, Expr *Init) { 7512 RetainCycleOwner Owner; 7513 if (!considerVariable(Var, /*DeclRefExpr=*/nullptr, Owner)) 7514 return; 7515 7516 // Because we don't have an expression for the variable, we have to set the 7517 // location explicitly here. 7518 Owner.Loc = Var->getLocation(); 7519 Owner.Range = Var->getSourceRange(); 7520 7521 if (Expr *Capturer = findCapturingExpr(*this, Init, Owner)) 7522 diagnoseRetainCycle(*this, Capturer, Owner); 7523} 7524 7525static bool checkUnsafeAssignLiteral(Sema &S, SourceLocation Loc, 7526 Expr *RHS, bool isProperty) { 7527 // Check if RHS is an Objective-C object literal, which also can get 7528 // immediately zapped in a weak reference. Note that we explicitly 7529 // allow ObjCStringLiterals, since those are designed to never really die. 7530 RHS = RHS->IgnoreParenImpCasts(); 7531 7532 // This enum needs to match with the 'select' in 7533 // warn_objc_arc_literal_assign (off-by-1). 7534 Sema::ObjCLiteralKind Kind = S.CheckLiteralKind(RHS); 7535 if (Kind == Sema::LK_String || Kind == Sema::LK_None) 7536 return false; 7537 7538 S.Diag(Loc, diag::warn_arc_literal_assign) 7539 << (unsigned) Kind 7540 << (isProperty ? 0 : 1) 7541 << RHS->getSourceRange(); 7542 7543 return true; 7544} 7545 7546static bool checkUnsafeAssignObject(Sema &S, SourceLocation Loc, 7547 Qualifiers::ObjCLifetime LT, 7548 Expr *RHS, bool isProperty) { 7549 // Strip off any implicit cast added to get to the one ARC-specific. 7550 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) { 7551 if (cast->getCastKind() == CK_ARCConsumeObject) { 7552 S.Diag(Loc, diag::warn_arc_retained_assign) 7553 << (LT == Qualifiers::OCL_ExplicitNone) 7554 << (isProperty ? 0 : 1) 7555 << RHS->getSourceRange(); 7556 return true; 7557 } 7558 RHS = cast->getSubExpr(); 7559 } 7560 7561 if (LT == Qualifiers::OCL_Weak && 7562 checkUnsafeAssignLiteral(S, Loc, RHS, isProperty)) 7563 return true; 7564 7565 return false; 7566} 7567 7568bool Sema::checkUnsafeAssigns(SourceLocation Loc, 7569 QualType LHS, Expr *RHS) { 7570 Qualifiers::ObjCLifetime LT = LHS.getObjCLifetime(); 7571 7572 if (LT != Qualifiers::OCL_Weak && LT != Qualifiers::OCL_ExplicitNone) 7573 return false; 7574 7575 if (checkUnsafeAssignObject(*this, Loc, LT, RHS, false)) 7576 return true; 7577 7578 return false; 7579} 7580 7581void Sema::checkUnsafeExprAssigns(SourceLocation Loc, 7582 Expr *LHS, Expr *RHS) { 7583 QualType LHSType; 7584 // PropertyRef on LHS type need be directly obtained from 7585 // its declaration as it has a PseudoType. 7586 ObjCPropertyRefExpr *PRE 7587 = dyn_cast<ObjCPropertyRefExpr>(LHS->IgnoreParens()); 7588 if (PRE && !PRE->isImplicitProperty()) { 7589 const ObjCPropertyDecl *PD = PRE->getExplicitProperty(); 7590 if (PD) 7591 LHSType = PD->getType(); 7592 } 7593 7594 if (LHSType.isNull()) 7595 LHSType = LHS->getType(); 7596 7597 Qualifiers::ObjCLifetime LT = LHSType.getObjCLifetime(); 7598 7599 if (LT == Qualifiers::OCL_Weak) { 7600 if (!Diags.isIgnored(diag::warn_arc_repeated_use_of_weak, Loc)) 7601 getCurFunction()->markSafeWeakUse(LHS); 7602 } 7603 7604 if (checkUnsafeAssigns(Loc, LHSType, RHS)) 7605 return; 7606 7607 // FIXME. Check for other life times. 7608 if (LT != Qualifiers::OCL_None) 7609 return; 7610 7611 if (PRE) { 7612 if (PRE->isImplicitProperty()) 7613 return; 7614 const ObjCPropertyDecl *PD = PRE->getExplicitProperty(); 7615 if (!PD) 7616 return; 7617 7618 unsigned Attributes = PD->getPropertyAttributes(); 7619 if (Attributes & ObjCPropertyDecl::OBJC_PR_assign) { 7620 // when 'assign' attribute was not explicitly specified 7621 // by user, ignore it and rely on property type itself 7622 // for lifetime info. 7623 unsigned AsWrittenAttr = PD->getPropertyAttributesAsWritten(); 7624 if (!(AsWrittenAttr & ObjCPropertyDecl::OBJC_PR_assign) && 7625 LHSType->isObjCRetainableType()) 7626 return; 7627 7628 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) { 7629 if (cast->getCastKind() == CK_ARCConsumeObject) { 7630 Diag(Loc, diag::warn_arc_retained_property_assign) 7631 << RHS->getSourceRange(); 7632 return; 7633 } 7634 RHS = cast->getSubExpr(); 7635 } 7636 } 7637 else if (Attributes & ObjCPropertyDecl::OBJC_PR_weak) { 7638 if (checkUnsafeAssignObject(*this, Loc, Qualifiers::OCL_Weak, RHS, true)) 7639 return; 7640 } 7641 } 7642} 7643 7644//===--- CHECK: Empty statement body (-Wempty-body) ---------------------===// 7645 7646namespace { 7647bool ShouldDiagnoseEmptyStmtBody(const SourceManager &SourceMgr, 7648 SourceLocation StmtLoc, 7649 const NullStmt *Body) { 7650 // Do not warn if the body is a macro that expands to nothing, e.g: 7651 // 7652 // #define CALL(x) 7653 // if (condition) 7654 // CALL(0); 7655 // 7656 if (Body->hasLeadingEmptyMacro()) 7657 return false; 7658 7659 // Get line numbers of statement and body. 7660 bool StmtLineInvalid; 7661 unsigned StmtLine = SourceMgr.getSpellingLineNumber(StmtLoc, 7662 &StmtLineInvalid); 7663 if (StmtLineInvalid) 7664 return false; 7665 7666 bool BodyLineInvalid; 7667 unsigned BodyLine = SourceMgr.getSpellingLineNumber(Body->getSemiLoc(), 7668 &BodyLineInvalid); 7669 if (BodyLineInvalid) 7670 return false; 7671 7672 // Warn if null statement and body are on the same line. 7673 if (StmtLine != BodyLine) 7674 return false; 7675 7676 return true; 7677} 7678} // Unnamed namespace 7679 7680void Sema::DiagnoseEmptyStmtBody(SourceLocation StmtLoc, 7681 const Stmt *Body, 7682 unsigned DiagID) { 7683 // Since this is a syntactic check, don't emit diagnostic for template 7684 // instantiations, this just adds noise. 7685 if (CurrentInstantiationScope) 7686 return; 7687 7688 // The body should be a null statement. 7689 const NullStmt *NBody = dyn_cast<NullStmt>(Body); 7690 if (!NBody) 7691 return; 7692 7693 // Do the usual checks. 7694 if (!ShouldDiagnoseEmptyStmtBody(SourceMgr, StmtLoc, NBody)) 7695 return; 7696 7697 Diag(NBody->getSemiLoc(), DiagID); 7698 Diag(NBody->getSemiLoc(), diag::note_empty_body_on_separate_line); 7699} 7700 7701void Sema::DiagnoseEmptyLoopBody(const Stmt *S, 7702 const Stmt *PossibleBody) { 7703 assert(!CurrentInstantiationScope); // Ensured by caller 7704 7705 SourceLocation StmtLoc; 7706 const Stmt *Body; 7707 unsigned DiagID; 7708 if (const ForStmt *FS = dyn_cast<ForStmt>(S)) { 7709 StmtLoc = FS->getRParenLoc(); 7710 Body = FS->getBody(); 7711 DiagID = diag::warn_empty_for_body; 7712 } else if (const WhileStmt *WS = dyn_cast<WhileStmt>(S)) { 7713 StmtLoc = WS->getCond()->getSourceRange().getEnd(); 7714 Body = WS->getBody(); 7715 DiagID = diag::warn_empty_while_body; 7716 } else 7717 return; // Neither `for' nor `while'. 7718 7719 // The body should be a null statement. 7720 const NullStmt *NBody = dyn_cast<NullStmt>(Body); 7721 if (!NBody) 7722 return; 7723 7724 // Skip expensive checks if diagnostic is disabled. 7725 if (Diags.isIgnored(DiagID, NBody->getSemiLoc())) 7726 return; 7727 7728 // Do the usual checks. 7729 if (!ShouldDiagnoseEmptyStmtBody(SourceMgr, StmtLoc, NBody)) 7730 return; 7731 7732 // `for(...);' and `while(...);' are popular idioms, so in order to keep 7733 // noise level low, emit diagnostics only if for/while is followed by a 7734 // CompoundStmt, e.g.: 7735 // for (int i = 0; i < n; i++); 7736 // { 7737 // a(i); 7738 // } 7739 // or if for/while is followed by a statement with more indentation 7740 // than for/while itself: 7741 // for (int i = 0; i < n; i++); 7742 // a(i); 7743 bool ProbableTypo = isa<CompoundStmt>(PossibleBody); 7744 if (!ProbableTypo) { 7745 bool BodyColInvalid; 7746 unsigned BodyCol = SourceMgr.getPresumedColumnNumber( 7747 PossibleBody->getLocStart(), 7748 &BodyColInvalid); 7749 if (BodyColInvalid) 7750 return; 7751 7752 bool StmtColInvalid; 7753 unsigned StmtCol = SourceMgr.getPresumedColumnNumber( 7754 S->getLocStart(), 7755 &StmtColInvalid); 7756 if (StmtColInvalid) 7757 return; 7758 7759 if (BodyCol > StmtCol) 7760 ProbableTypo = true; 7761 } 7762 7763 if (ProbableTypo) { 7764 Diag(NBody->getSemiLoc(), DiagID); 7765 Diag(NBody->getSemiLoc(), diag::note_empty_body_on_separate_line); 7766 } 7767} 7768 7769//===--- Layout compatibility ----------------------------------------------// 7770 7771namespace { 7772 7773bool isLayoutCompatible(ASTContext &C, QualType T1, QualType T2); 7774 7775/// \brief Check if two enumeration types are layout-compatible. 7776bool isLayoutCompatible(ASTContext &C, EnumDecl *ED1, EnumDecl *ED2) { 7777 // C++11 [dcl.enum] p8: 7778 // Two enumeration types are layout-compatible if they have the same 7779 // underlying type. 7780 return ED1->isComplete() && ED2->isComplete() && 7781 C.hasSameType(ED1->getIntegerType(), ED2->getIntegerType()); 7782} 7783 7784/// \brief Check if two fields are layout-compatible. 7785bool isLayoutCompatible(ASTContext &C, FieldDecl *Field1, FieldDecl *Field2) { 7786 if (!isLayoutCompatible(C, Field1->getType(), Field2->getType())) 7787 return false; 7788 7789 if (Field1->isBitField() != Field2->isBitField()) 7790 return false; 7791 7792 if (Field1->isBitField()) { 7793 // Make sure that the bit-fields are the same length. 7794 unsigned Bits1 = Field1->getBitWidthValue(C); 7795 unsigned Bits2 = Field2->getBitWidthValue(C); 7796 7797 if (Bits1 != Bits2) 7798 return false; 7799 } 7800 7801 return true; 7802} 7803 7804/// \brief Check if two standard-layout structs are layout-compatible. 7805/// (C++11 [class.mem] p17) 7806bool isLayoutCompatibleStruct(ASTContext &C, 7807 RecordDecl *RD1, 7808 RecordDecl *RD2) { 7809 // If both records are C++ classes, check that base classes match. 7810 if (const CXXRecordDecl *D1CXX = dyn_cast<CXXRecordDecl>(RD1)) { 7811 // If one of records is a CXXRecordDecl we are in C++ mode, 7812 // thus the other one is a CXXRecordDecl, too. 7813 const CXXRecordDecl *D2CXX = cast<CXXRecordDecl>(RD2); 7814 // Check number of base classes. 7815 if (D1CXX->getNumBases() != D2CXX->getNumBases()) 7816 return false; 7817 7818 // Check the base classes. 7819 for (CXXRecordDecl::base_class_const_iterator 7820 Base1 = D1CXX->bases_begin(), 7821 BaseEnd1 = D1CXX->bases_end(), 7822 Base2 = D2CXX->bases_begin(); 7823 Base1 != BaseEnd1; 7824 ++Base1, ++Base2) { 7825 if (!isLayoutCompatible(C, Base1->getType(), Base2->getType())) 7826 return false; 7827 } 7828 } else if (const CXXRecordDecl *D2CXX = dyn_cast<CXXRecordDecl>(RD2)) { 7829 // If only RD2 is a C++ class, it should have zero base classes. 7830 if (D2CXX->getNumBases() > 0) 7831 return false; 7832 } 7833 7834 // Check the fields. 7835 RecordDecl::field_iterator Field2 = RD2->field_begin(), 7836 Field2End = RD2->field_end(), 7837 Field1 = RD1->field_begin(), 7838 Field1End = RD1->field_end(); 7839 for ( ; Field1 != Field1End && Field2 != Field2End; ++Field1, ++Field2) { 7840 if (!isLayoutCompatible(C, *Field1, *Field2)) 7841 return false; 7842 } 7843 if (Field1 != Field1End || Field2 != Field2End) 7844 return false; 7845 7846 return true; 7847} 7848 7849/// \brief Check if two standard-layout unions are layout-compatible. 7850/// (C++11 [class.mem] p18) 7851bool isLayoutCompatibleUnion(ASTContext &C, 7852 RecordDecl *RD1, 7853 RecordDecl *RD2) { 7854 llvm::SmallPtrSet<FieldDecl *, 8> UnmatchedFields; 7855 for (auto *Field2 : RD2->fields()) 7856 UnmatchedFields.insert(Field2); 7857 7858 for (auto *Field1 : RD1->fields()) { 7859 llvm::SmallPtrSet<FieldDecl *, 8>::iterator 7860 I = UnmatchedFields.begin(), 7861 E = UnmatchedFields.end(); 7862 7863 for ( ; I != E; ++I) { 7864 if (isLayoutCompatible(C, Field1, *I)) { 7865 bool Result = UnmatchedFields.erase(*I); 7866 (void) Result; 7867 assert(Result); 7868 break; 7869 } 7870 } 7871 if (I == E) 7872 return false; 7873 } 7874 7875 return UnmatchedFields.empty(); 7876} 7877 7878bool isLayoutCompatible(ASTContext &C, RecordDecl *RD1, RecordDecl *RD2) { 7879 if (RD1->isUnion() != RD2->isUnion()) 7880 return false; 7881 7882 if (RD1->isUnion()) 7883 return isLayoutCompatibleUnion(C, RD1, RD2); 7884 else 7885 return isLayoutCompatibleStruct(C, RD1, RD2); 7886} 7887 7888/// \brief Check if two types are layout-compatible in C++11 sense. 7889bool isLayoutCompatible(ASTContext &C, QualType T1, QualType T2) { 7890 if (T1.isNull() || T2.isNull()) 7891 return false; 7892 7893 // C++11 [basic.types] p11: 7894 // If two types T1 and T2 are the same type, then T1 and T2 are 7895 // layout-compatible types. 7896 if (C.hasSameType(T1, T2)) 7897 return true; 7898 7899 T1 = T1.getCanonicalType().getUnqualifiedType(); 7900 T2 = T2.getCanonicalType().getUnqualifiedType(); 7901 7902 const Type::TypeClass TC1 = T1->getTypeClass(); 7903 const Type::TypeClass TC2 = T2->getTypeClass(); 7904 7905 if (TC1 != TC2) 7906 return false; 7907 7908 if (TC1 == Type::Enum) { 7909 return isLayoutCompatible(C, 7910 cast<EnumType>(T1)->getDecl(), 7911 cast<EnumType>(T2)->getDecl()); 7912 } else if (TC1 == Type::Record) { 7913 if (!T1->isStandardLayoutType() || !T2->isStandardLayoutType()) 7914 return false; 7915 7916 return isLayoutCompatible(C, 7917 cast<RecordType>(T1)->getDecl(), 7918 cast<RecordType>(T2)->getDecl()); 7919 } 7920 7921 return false; 7922} 7923} 7924 7925//===--- CHECK: pointer_with_type_tag attribute: datatypes should match ----// 7926 7927namespace { 7928/// \brief Given a type tag expression find the type tag itself. 7929/// 7930/// \param TypeExpr Type tag expression, as it appears in user's code. 7931/// 7932/// \param VD Declaration of an identifier that appears in a type tag. 7933/// 7934/// \param MagicValue Type tag magic value. 7935bool FindTypeTagExpr(const Expr *TypeExpr, const ASTContext &Ctx, 7936 const ValueDecl **VD, uint64_t *MagicValue) { 7937 while(true) { 7938 if (!TypeExpr) 7939 return false; 7940 7941 TypeExpr = TypeExpr->IgnoreParenImpCasts()->IgnoreParenCasts(); 7942 7943 switch (TypeExpr->getStmtClass()) { 7944 case Stmt::UnaryOperatorClass: { 7945 const UnaryOperator *UO = cast<UnaryOperator>(TypeExpr); 7946 if (UO->getOpcode() == UO_AddrOf || UO->getOpcode() == UO_Deref) { 7947 TypeExpr = UO->getSubExpr(); 7948 continue; 7949 } 7950 return false; 7951 } 7952 7953 case Stmt::DeclRefExprClass: { 7954 const DeclRefExpr *DRE = cast<DeclRefExpr>(TypeExpr); 7955 *VD = DRE->getDecl(); 7956 return true; 7957 } 7958 7959 case Stmt::IntegerLiteralClass: { 7960 const IntegerLiteral *IL = cast<IntegerLiteral>(TypeExpr); 7961 llvm::APInt MagicValueAPInt = IL->getValue(); 7962 if (MagicValueAPInt.getActiveBits() <= 64) { 7963 *MagicValue = MagicValueAPInt.getZExtValue(); 7964 return true; 7965 } else 7966 return false; 7967 } 7968 7969 case Stmt::BinaryConditionalOperatorClass: 7970 case Stmt::ConditionalOperatorClass: { 7971 const AbstractConditionalOperator *ACO = 7972 cast<AbstractConditionalOperator>(TypeExpr); 7973 bool Result; 7974 if (ACO->getCond()->EvaluateAsBooleanCondition(Result, Ctx)) { 7975 if (Result) 7976 TypeExpr = ACO->getTrueExpr(); 7977 else 7978 TypeExpr = ACO->getFalseExpr(); 7979 continue; 7980 } 7981 return false; 7982 } 7983 7984 case Stmt::BinaryOperatorClass: { 7985 const BinaryOperator *BO = cast<BinaryOperator>(TypeExpr); 7986 if (BO->getOpcode() == BO_Comma) { 7987 TypeExpr = BO->getRHS(); 7988 continue; 7989 } 7990 return false; 7991 } 7992 7993 default: 7994 return false; 7995 } 7996 } 7997} 7998 7999/// \brief Retrieve the C type corresponding to type tag TypeExpr. 8000/// 8001/// \param TypeExpr Expression that specifies a type tag. 8002/// 8003/// \param MagicValues Registered magic values. 8004/// 8005/// \param FoundWrongKind Set to true if a type tag was found, but of a wrong 8006/// kind. 8007/// 8008/// \param TypeInfo Information about the corresponding C type. 8009/// 8010/// \returns true if the corresponding C type was found. 8011bool GetMatchingCType( 8012 const IdentifierInfo *ArgumentKind, 8013 const Expr *TypeExpr, const ASTContext &Ctx, 8014 const llvm::DenseMap<Sema::TypeTagMagicValue, 8015 Sema::TypeTagData> *MagicValues, 8016 bool &FoundWrongKind, 8017 Sema::TypeTagData &TypeInfo) { 8018 FoundWrongKind = false; 8019 8020 // Variable declaration that has type_tag_for_datatype attribute. 8021 const ValueDecl *VD = nullptr; 8022 8023 uint64_t MagicValue; 8024 8025 if (!FindTypeTagExpr(TypeExpr, Ctx, &VD, &MagicValue)) 8026 return false; 8027 8028 if (VD) { 8029 if (TypeTagForDatatypeAttr *I = VD->getAttr<TypeTagForDatatypeAttr>()) { 8030 if (I->getArgumentKind() != ArgumentKind) { 8031 FoundWrongKind = true; 8032 return false; 8033 } 8034 TypeInfo.Type = I->getMatchingCType(); 8035 TypeInfo.LayoutCompatible = I->getLayoutCompatible(); 8036 TypeInfo.MustBeNull = I->getMustBeNull(); 8037 return true; 8038 } 8039 return false; 8040 } 8041 8042 if (!MagicValues) 8043 return false; 8044 8045 llvm::DenseMap<Sema::TypeTagMagicValue, 8046 Sema::TypeTagData>::const_iterator I = 8047 MagicValues->find(std::make_pair(ArgumentKind, MagicValue)); 8048 if (I == MagicValues->end()) 8049 return false; 8050 8051 TypeInfo = I->second; 8052 return true; 8053} 8054} // unnamed namespace 8055 8056void Sema::RegisterTypeTagForDatatype(const IdentifierInfo *ArgumentKind, 8057 uint64_t MagicValue, QualType Type, 8058 bool LayoutCompatible, 8059 bool MustBeNull) { 8060 if (!TypeTagForDatatypeMagicValues) 8061 TypeTagForDatatypeMagicValues.reset( 8062 new llvm::DenseMap<TypeTagMagicValue, TypeTagData>); 8063 8064 TypeTagMagicValue Magic(ArgumentKind, MagicValue); 8065 (*TypeTagForDatatypeMagicValues)[Magic] = 8066 TypeTagData(Type, LayoutCompatible, MustBeNull); 8067} 8068 8069namespace { 8070bool IsSameCharType(QualType T1, QualType T2) { 8071 const BuiltinType *BT1 = T1->getAs<BuiltinType>(); 8072 if (!BT1) 8073 return false; 8074 8075 const BuiltinType *BT2 = T2->getAs<BuiltinType>(); 8076 if (!BT2) 8077 return false; 8078 8079 BuiltinType::Kind T1Kind = BT1->getKind(); 8080 BuiltinType::Kind T2Kind = BT2->getKind(); 8081 8082 return (T1Kind == BuiltinType::SChar && T2Kind == BuiltinType::Char_S) || 8083 (T1Kind == BuiltinType::UChar && T2Kind == BuiltinType::Char_U) || 8084 (T1Kind == BuiltinType::Char_U && T2Kind == BuiltinType::UChar) || 8085 (T1Kind == BuiltinType::Char_S && T2Kind == BuiltinType::SChar); 8086} 8087} // unnamed namespace 8088 8089void Sema::CheckArgumentWithTypeTag(const ArgumentWithTypeTagAttr *Attr, 8090 const Expr * const *ExprArgs) { 8091 const IdentifierInfo *ArgumentKind = Attr->getArgumentKind(); 8092 bool IsPointerAttr = Attr->getIsPointer(); 8093 8094 const Expr *TypeTagExpr = ExprArgs[Attr->getTypeTagIdx()]; 8095 bool FoundWrongKind; 8096 TypeTagData TypeInfo; 8097 if (!GetMatchingCType(ArgumentKind, TypeTagExpr, Context, 8098 TypeTagForDatatypeMagicValues.get(), 8099 FoundWrongKind, TypeInfo)) { 8100 if (FoundWrongKind) 8101 Diag(TypeTagExpr->getExprLoc(), 8102 diag::warn_type_tag_for_datatype_wrong_kind) 8103 << TypeTagExpr->getSourceRange(); 8104 return; 8105 } 8106 8107 const Expr *ArgumentExpr = ExprArgs[Attr->getArgumentIdx()]; 8108 if (IsPointerAttr) { 8109 // Skip implicit cast of pointer to `void *' (as a function argument). 8110 if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(ArgumentExpr)) 8111 if (ICE->getType()->isVoidPointerType() && 8112 ICE->getCastKind() == CK_BitCast) 8113 ArgumentExpr = ICE->getSubExpr(); 8114 } 8115 QualType ArgumentType = ArgumentExpr->getType(); 8116 8117 // Passing a `void*' pointer shouldn't trigger a warning. 8118 if (IsPointerAttr && ArgumentType->isVoidPointerType()) 8119 return; 8120 8121 if (TypeInfo.MustBeNull) { 8122 // Type tag with matching void type requires a null pointer. 8123 if (!ArgumentExpr->isNullPointerConstant(Context, 8124 Expr::NPC_ValueDependentIsNotNull)) { 8125 Diag(ArgumentExpr->getExprLoc(), 8126 diag::warn_type_safety_null_pointer_required) 8127 << ArgumentKind->getName() 8128 << ArgumentExpr->getSourceRange() 8129 << TypeTagExpr->getSourceRange(); 8130 } 8131 return; 8132 } 8133 8134 QualType RequiredType = TypeInfo.Type; 8135 if (IsPointerAttr) 8136 RequiredType = Context.getPointerType(RequiredType); 8137 8138 bool mismatch = false; 8139 if (!TypeInfo.LayoutCompatible) { 8140 mismatch = !Context.hasSameType(ArgumentType, RequiredType); 8141 8142 // C++11 [basic.fundamental] p1: 8143 // Plain char, signed char, and unsigned char are three distinct types. 8144 // 8145 // But we treat plain `char' as equivalent to `signed char' or `unsigned 8146 // char' depending on the current char signedness mode. 8147 if (mismatch) 8148 if ((IsPointerAttr && IsSameCharType(ArgumentType->getPointeeType(), 8149 RequiredType->getPointeeType())) || 8150 (!IsPointerAttr && IsSameCharType(ArgumentType, RequiredType))) 8151 mismatch = false; 8152 } else 8153 if (IsPointerAttr) 8154 mismatch = !isLayoutCompatible(Context, 8155 ArgumentType->getPointeeType(), 8156 RequiredType->getPointeeType()); 8157 else 8158 mismatch = !isLayoutCompatible(Context, ArgumentType, RequiredType); 8159 8160 if (mismatch) 8161 Diag(ArgumentExpr->getExprLoc(), diag::warn_type_safety_type_mismatch) 8162 << ArgumentType << ArgumentKind 8163 << TypeInfo.LayoutCompatible << RequiredType 8164 << ArgumentExpr->getSourceRange() 8165 << TypeTagExpr->getSourceRange(); 8166} 8167 8168