1 //===--- SemaChecking.cpp - Extra Semantic Checking -----------------------===// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file implements extra semantic analysis beyond what is enforced 11 // by the C type system. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "clang/Sema/Initialization.h" 16 #include "clang/Sema/Sema.h" 17 #include "clang/Sema/SemaInternal.h" 18 #include "clang/Sema/Initialization.h" 19 #include "clang/Sema/ScopeInfo.h" 20 #include "clang/Analysis/Analyses/FormatString.h" 21 #include "clang/AST/ASTContext.h" 22 #include "clang/AST/CharUnits.h" 23 #include "clang/AST/DeclCXX.h" 24 #include "clang/AST/DeclObjC.h" 25 #include "clang/AST/ExprCXX.h" 26 #include "clang/AST/ExprObjC.h" 27 #include "clang/AST/EvaluatedExprVisitor.h" 28 #include "clang/AST/DeclObjC.h" 29 #include "clang/AST/StmtCXX.h" 30 #include "clang/AST/StmtObjC.h" 31 #include "clang/Lex/Preprocessor.h" 32 #include "llvm/ADT/BitVector.h" 33 #include "llvm/ADT/SmallString.h" 34 #include "llvm/ADT/STLExtras.h" 35 #include "llvm/Support/raw_ostream.h" 36 #include "clang/Basic/TargetBuiltins.h" 37 #include "clang/Basic/TargetInfo.h" 38 #include "clang/Basic/ConvertUTF.h" 39 #include <limits> 40 using namespace clang; 41 using namespace sema; 42 43 SourceLocation Sema::getLocationOfStringLiteralByte(const StringLiteral *SL, 44 unsigned ByteNo) const { 45 return SL->getLocationOfByte(ByteNo, PP.getSourceManager(), 46 PP.getLangOpts(), PP.getTargetInfo()); 47 } 48 49 /// Checks that a call expression's argument count is the desired number. 50 /// This is useful when doing custom type-checking. Returns true on error. 51 static bool checkArgCount(Sema &S, CallExpr *call, unsigned desiredArgCount) { 52 unsigned argCount = call->getNumArgs(); 53 if (argCount == desiredArgCount) return false; 54 55 if (argCount < desiredArgCount) 56 return S.Diag(call->getLocEnd(), diag::err_typecheck_call_too_few_args) 57 << 0 /*function call*/ << desiredArgCount << argCount 58 << call->getSourceRange(); 59 60 // Highlight all the excess arguments. 61 SourceRange range(call->getArg(desiredArgCount)->getLocStart(), 62 call->getArg(argCount - 1)->getLocEnd()); 63 64 return S.Diag(range.getBegin(), diag::err_typecheck_call_too_many_args) 65 << 0 /*function call*/ << desiredArgCount << argCount 66 << call->getArg(1)->getSourceRange(); 67 } 68 69 /// CheckBuiltinAnnotationString - Checks that string argument to the builtin 70 /// annotation is a non wide string literal. 71 static bool CheckBuiltinAnnotationString(Sema &S, Expr *Arg) { 72 Arg = Arg->IgnoreParenCasts(); 73 StringLiteral *Literal = dyn_cast<StringLiteral>(Arg); 74 if (!Literal || !Literal->isAscii()) { 75 S.Diag(Arg->getLocStart(), diag::err_builtin_annotation_not_string_constant) 76 << Arg->getSourceRange(); 77 return true; 78 } 79 return false; 80 } 81 82 ExprResult 83 Sema::CheckBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 84 ExprResult TheCallResult(Owned(TheCall)); 85 86 // Find out if any arguments are required to be integer constant expressions. 87 unsigned ICEArguments = 0; 88 ASTContext::GetBuiltinTypeError Error; 89 Context.GetBuiltinType(BuiltinID, Error, &ICEArguments); 90 if (Error != ASTContext::GE_None) 91 ICEArguments = 0; // Don't diagnose previously diagnosed errors. 92 93 // If any arguments are required to be ICE's, check and diagnose. 94 for (unsigned ArgNo = 0; ICEArguments != 0; ++ArgNo) { 95 // Skip arguments not required to be ICE's. 96 if ((ICEArguments & (1 << ArgNo)) == 0) continue; 97 98 llvm::APSInt Result; 99 if (SemaBuiltinConstantArg(TheCall, ArgNo, Result)) 100 return true; 101 ICEArguments &= ~(1 << ArgNo); 102 } 103 104 switch (BuiltinID) { 105 case Builtin::BI__builtin___CFStringMakeConstantString: 106 assert(TheCall->getNumArgs() == 1 && 107 "Wrong # arguments to builtin CFStringMakeConstantString"); 108 if (CheckObjCString(TheCall->getArg(0))) 109 return ExprError(); 110 break; 111 case Builtin::BI__builtin_stdarg_start: 112 case Builtin::BI__builtin_va_start: 113 if (SemaBuiltinVAStart(TheCall)) 114 return ExprError(); 115 break; 116 case Builtin::BI__builtin_isgreater: 117 case Builtin::BI__builtin_isgreaterequal: 118 case Builtin::BI__builtin_isless: 119 case Builtin::BI__builtin_islessequal: 120 case Builtin::BI__builtin_islessgreater: 121 case Builtin::BI__builtin_isunordered: 122 if (SemaBuiltinUnorderedCompare(TheCall)) 123 return ExprError(); 124 break; 125 case Builtin::BI__builtin_fpclassify: 126 if (SemaBuiltinFPClassification(TheCall, 6)) 127 return ExprError(); 128 break; 129 case Builtin::BI__builtin_isfinite: 130 case Builtin::BI__builtin_isinf: 131 case Builtin::BI__builtin_isinf_sign: 132 case Builtin::BI__builtin_isnan: 133 case Builtin::BI__builtin_isnormal: 134 if (SemaBuiltinFPClassification(TheCall, 1)) 135 return ExprError(); 136 break; 137 case Builtin::BI__builtin_shufflevector: 138 return SemaBuiltinShuffleVector(TheCall); 139 // TheCall will be freed by the smart pointer here, but that's fine, since 140 // SemaBuiltinShuffleVector guts it, but then doesn't release it. 141 case Builtin::BI__builtin_prefetch: 142 if (SemaBuiltinPrefetch(TheCall)) 143 return ExprError(); 144 break; 145 case Builtin::BI__builtin_object_size: 146 if (SemaBuiltinObjectSize(TheCall)) 147 return ExprError(); 148 break; 149 case Builtin::BI__builtin_longjmp: 150 if (SemaBuiltinLongjmp(TheCall)) 151 return ExprError(); 152 break; 153 154 case Builtin::BI__builtin_classify_type: 155 if (checkArgCount(*this, TheCall, 1)) return true; 156 TheCall->setType(Context.IntTy); 157 break; 158 case Builtin::BI__builtin_constant_p: 159 if (checkArgCount(*this, TheCall, 1)) return true; 160 TheCall->setType(Context.IntTy); 161 break; 162 case Builtin::BI__sync_fetch_and_add: 163 case Builtin::BI__sync_fetch_and_add_1: 164 case Builtin::BI__sync_fetch_and_add_2: 165 case Builtin::BI__sync_fetch_and_add_4: 166 case Builtin::BI__sync_fetch_and_add_8: 167 case Builtin::BI__sync_fetch_and_add_16: 168 case Builtin::BI__sync_fetch_and_sub: 169 case Builtin::BI__sync_fetch_and_sub_1: 170 case Builtin::BI__sync_fetch_and_sub_2: 171 case Builtin::BI__sync_fetch_and_sub_4: 172 case Builtin::BI__sync_fetch_and_sub_8: 173 case Builtin::BI__sync_fetch_and_sub_16: 174 case Builtin::BI__sync_fetch_and_or: 175 case Builtin::BI__sync_fetch_and_or_1: 176 case Builtin::BI__sync_fetch_and_or_2: 177 case Builtin::BI__sync_fetch_and_or_4: 178 case Builtin::BI__sync_fetch_and_or_8: 179 case Builtin::BI__sync_fetch_and_or_16: 180 case Builtin::BI__sync_fetch_and_and: 181 case Builtin::BI__sync_fetch_and_and_1: 182 case Builtin::BI__sync_fetch_and_and_2: 183 case Builtin::BI__sync_fetch_and_and_4: 184 case Builtin::BI__sync_fetch_and_and_8: 185 case Builtin::BI__sync_fetch_and_and_16: 186 case Builtin::BI__sync_fetch_and_xor: 187 case Builtin::BI__sync_fetch_and_xor_1: 188 case Builtin::BI__sync_fetch_and_xor_2: 189 case Builtin::BI__sync_fetch_and_xor_4: 190 case Builtin::BI__sync_fetch_and_xor_8: 191 case Builtin::BI__sync_fetch_and_xor_16: 192 case Builtin::BI__sync_add_and_fetch: 193 case Builtin::BI__sync_add_and_fetch_1: 194 case Builtin::BI__sync_add_and_fetch_2: 195 case Builtin::BI__sync_add_and_fetch_4: 196 case Builtin::BI__sync_add_and_fetch_8: 197 case Builtin::BI__sync_add_and_fetch_16: 198 case Builtin::BI__sync_sub_and_fetch: 199 case Builtin::BI__sync_sub_and_fetch_1: 200 case Builtin::BI__sync_sub_and_fetch_2: 201 case Builtin::BI__sync_sub_and_fetch_4: 202 case Builtin::BI__sync_sub_and_fetch_8: 203 case Builtin::BI__sync_sub_and_fetch_16: 204 case Builtin::BI__sync_and_and_fetch: 205 case Builtin::BI__sync_and_and_fetch_1: 206 case Builtin::BI__sync_and_and_fetch_2: 207 case Builtin::BI__sync_and_and_fetch_4: 208 case Builtin::BI__sync_and_and_fetch_8: 209 case Builtin::BI__sync_and_and_fetch_16: 210 case Builtin::BI__sync_or_and_fetch: 211 case Builtin::BI__sync_or_and_fetch_1: 212 case Builtin::BI__sync_or_and_fetch_2: 213 case Builtin::BI__sync_or_and_fetch_4: 214 case Builtin::BI__sync_or_and_fetch_8: 215 case Builtin::BI__sync_or_and_fetch_16: 216 case Builtin::BI__sync_xor_and_fetch: 217 case Builtin::BI__sync_xor_and_fetch_1: 218 case Builtin::BI__sync_xor_and_fetch_2: 219 case Builtin::BI__sync_xor_and_fetch_4: 220 case Builtin::BI__sync_xor_and_fetch_8: 221 case Builtin::BI__sync_xor_and_fetch_16: 222 case Builtin::BI__sync_val_compare_and_swap: 223 case Builtin::BI__sync_val_compare_and_swap_1: 224 case Builtin::BI__sync_val_compare_and_swap_2: 225 case Builtin::BI__sync_val_compare_and_swap_4: 226 case Builtin::BI__sync_val_compare_and_swap_8: 227 case Builtin::BI__sync_val_compare_and_swap_16: 228 case Builtin::BI__sync_bool_compare_and_swap: 229 case Builtin::BI__sync_bool_compare_and_swap_1: 230 case Builtin::BI__sync_bool_compare_and_swap_2: 231 case Builtin::BI__sync_bool_compare_and_swap_4: 232 case Builtin::BI__sync_bool_compare_and_swap_8: 233 case Builtin::BI__sync_bool_compare_and_swap_16: 234 case Builtin::BI__sync_lock_test_and_set: 235 case Builtin::BI__sync_lock_test_and_set_1: 236 case Builtin::BI__sync_lock_test_and_set_2: 237 case Builtin::BI__sync_lock_test_and_set_4: 238 case Builtin::BI__sync_lock_test_and_set_8: 239 case Builtin::BI__sync_lock_test_and_set_16: 240 case Builtin::BI__sync_lock_release: 241 case Builtin::BI__sync_lock_release_1: 242 case Builtin::BI__sync_lock_release_2: 243 case Builtin::BI__sync_lock_release_4: 244 case Builtin::BI__sync_lock_release_8: 245 case Builtin::BI__sync_lock_release_16: 246 case Builtin::BI__sync_swap: 247 case Builtin::BI__sync_swap_1: 248 case Builtin::BI__sync_swap_2: 249 case Builtin::BI__sync_swap_4: 250 case Builtin::BI__sync_swap_8: 251 case Builtin::BI__sync_swap_16: 252 return SemaBuiltinAtomicOverloaded(move(TheCallResult)); 253 #define BUILTIN(ID, TYPE, ATTRS) 254 #define ATOMIC_BUILTIN(ID, TYPE, ATTRS) \ 255 case Builtin::BI##ID: \ 256 return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::AO##ID); 257 #include "clang/Basic/Builtins.def" 258 case Builtin::BI__builtin_annotation: 259 if (CheckBuiltinAnnotationString(*this, TheCall->getArg(1))) 260 return ExprError(); 261 break; 262 } 263 264 // Since the target specific builtins for each arch overlap, only check those 265 // of the arch we are compiling for. 266 if (BuiltinID >= Builtin::FirstTSBuiltin) { 267 switch (Context.getTargetInfo().getTriple().getArch()) { 268 case llvm::Triple::arm: 269 case llvm::Triple::thumb: 270 if (CheckARMBuiltinFunctionCall(BuiltinID, TheCall)) 271 return ExprError(); 272 break; 273 default: 274 break; 275 } 276 } 277 278 return move(TheCallResult); 279 } 280 281 // Get the valid immediate range for the specified NEON type code. 282 static unsigned RFT(unsigned t, bool shift = false) { 283 NeonTypeFlags Type(t); 284 int IsQuad = Type.isQuad(); 285 switch (Type.getEltType()) { 286 case NeonTypeFlags::Int8: 287 case NeonTypeFlags::Poly8: 288 return shift ? 7 : (8 << IsQuad) - 1; 289 case NeonTypeFlags::Int16: 290 case NeonTypeFlags::Poly16: 291 return shift ? 15 : (4 << IsQuad) - 1; 292 case NeonTypeFlags::Int32: 293 return shift ? 31 : (2 << IsQuad) - 1; 294 case NeonTypeFlags::Int64: 295 return shift ? 63 : (1 << IsQuad) - 1; 296 case NeonTypeFlags::Float16: 297 assert(!shift && "cannot shift float types!"); 298 return (4 << IsQuad) - 1; 299 case NeonTypeFlags::Float32: 300 assert(!shift && "cannot shift float types!"); 301 return (2 << IsQuad) - 1; 302 } 303 llvm_unreachable("Invalid NeonTypeFlag!"); 304 } 305 306 /// getNeonEltType - Return the QualType corresponding to the elements of 307 /// the vector type specified by the NeonTypeFlags. This is used to check 308 /// the pointer arguments for Neon load/store intrinsics. 309 static QualType getNeonEltType(NeonTypeFlags Flags, ASTContext &Context) { 310 switch (Flags.getEltType()) { 311 case NeonTypeFlags::Int8: 312 return Flags.isUnsigned() ? Context.UnsignedCharTy : Context.SignedCharTy; 313 case NeonTypeFlags::Int16: 314 return Flags.isUnsigned() ? Context.UnsignedShortTy : Context.ShortTy; 315 case NeonTypeFlags::Int32: 316 return Flags.isUnsigned() ? Context.UnsignedIntTy : Context.IntTy; 317 case NeonTypeFlags::Int64: 318 return Flags.isUnsigned() ? Context.UnsignedLongLongTy : Context.LongLongTy; 319 case NeonTypeFlags::Poly8: 320 return Context.SignedCharTy; 321 case NeonTypeFlags::Poly16: 322 return Context.ShortTy; 323 case NeonTypeFlags::Float16: 324 return Context.UnsignedShortTy; 325 case NeonTypeFlags::Float32: 326 return Context.FloatTy; 327 } 328 llvm_unreachable("Invalid NeonTypeFlag!"); 329 } 330 331 bool Sema::CheckARMBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 332 llvm::APSInt Result; 333 334 unsigned mask = 0; 335 unsigned TV = 0; 336 int PtrArgNum = -1; 337 bool HasConstPtr = false; 338 switch (BuiltinID) { 339 #define GET_NEON_OVERLOAD_CHECK 340 #include "clang/Basic/arm_neon.inc" 341 #undef GET_NEON_OVERLOAD_CHECK 342 } 343 344 // For NEON intrinsics which are overloaded on vector element type, validate 345 // the immediate which specifies which variant to emit. 346 unsigned ImmArg = TheCall->getNumArgs()-1; 347 if (mask) { 348 if (SemaBuiltinConstantArg(TheCall, ImmArg, Result)) 349 return true; 350 351 TV = Result.getLimitedValue(64); 352 if ((TV > 63) || (mask & (1 << TV)) == 0) 353 return Diag(TheCall->getLocStart(), diag::err_invalid_neon_type_code) 354 << TheCall->getArg(ImmArg)->getSourceRange(); 355 } 356 357 if (PtrArgNum >= 0) { 358 // Check that pointer arguments have the specified type. 359 Expr *Arg = TheCall->getArg(PtrArgNum); 360 if (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Arg)) 361 Arg = ICE->getSubExpr(); 362 ExprResult RHS = DefaultFunctionArrayLvalueConversion(Arg); 363 QualType RHSTy = RHS.get()->getType(); 364 QualType EltTy = getNeonEltType(NeonTypeFlags(TV), Context); 365 if (HasConstPtr) 366 EltTy = EltTy.withConst(); 367 QualType LHSTy = Context.getPointerType(EltTy); 368 AssignConvertType ConvTy; 369 ConvTy = CheckSingleAssignmentConstraints(LHSTy, RHS); 370 if (RHS.isInvalid()) 371 return true; 372 if (DiagnoseAssignmentResult(ConvTy, Arg->getLocStart(), LHSTy, RHSTy, 373 RHS.get(), AA_Assigning)) 374 return true; 375 } 376 377 // For NEON intrinsics which take an immediate value as part of the 378 // instruction, range check them here. 379 unsigned i = 0, l = 0, u = 0; 380 switch (BuiltinID) { 381 default: return false; 382 case ARM::BI__builtin_arm_ssat: i = 1; l = 1; u = 31; break; 383 case ARM::BI__builtin_arm_usat: i = 1; u = 31; break; 384 case ARM::BI__builtin_arm_vcvtr_f: 385 case ARM::BI__builtin_arm_vcvtr_d: i = 1; u = 1; break; 386 #define GET_NEON_IMMEDIATE_CHECK 387 #include "clang/Basic/arm_neon.inc" 388 #undef GET_NEON_IMMEDIATE_CHECK 389 }; 390 391 // Check that the immediate argument is actually a constant. 392 if (SemaBuiltinConstantArg(TheCall, i, Result)) 393 return true; 394 395 // Range check against the upper/lower values for this isntruction. 396 unsigned Val = Result.getZExtValue(); 397 if (Val < l || Val > (u + l)) 398 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 399 << l << u+l << TheCall->getArg(i)->getSourceRange(); 400 401 // FIXME: VFP Intrinsics should error if VFP not present. 402 return false; 403 } 404 405 /// CheckFunctionCall - Check a direct function call for various correctness 406 /// and safety properties not strictly enforced by the C type system. 407 bool Sema::CheckFunctionCall(FunctionDecl *FDecl, CallExpr *TheCall) { 408 // Get the IdentifierInfo* for the called function. 409 IdentifierInfo *FnInfo = FDecl->getIdentifier(); 410 411 // None of the checks below are needed for functions that don't have 412 // simple names (e.g., C++ conversion functions). 413 if (!FnInfo) 414 return false; 415 416 // FIXME: This mechanism should be abstracted to be less fragile and 417 // more efficient. For example, just map function ids to custom 418 // handlers. 419 420 // Printf and scanf checking. 421 for (specific_attr_iterator<FormatAttr> 422 i = FDecl->specific_attr_begin<FormatAttr>(), 423 e = FDecl->specific_attr_end<FormatAttr>(); i != e ; ++i) { 424 CheckFormatArguments(*i, TheCall); 425 } 426 427 for (specific_attr_iterator<NonNullAttr> 428 i = FDecl->specific_attr_begin<NonNullAttr>(), 429 e = FDecl->specific_attr_end<NonNullAttr>(); i != e; ++i) { 430 CheckNonNullArguments(*i, TheCall->getArgs(), 431 TheCall->getCallee()->getLocStart()); 432 } 433 434 unsigned CMId = FDecl->getMemoryFunctionKind(); 435 if (CMId == 0) 436 return false; 437 438 // Handle memory setting and copying functions. 439 if (CMId == Builtin::BIstrlcpy || CMId == Builtin::BIstrlcat) 440 CheckStrlcpycatArguments(TheCall, FnInfo); 441 else if (CMId == Builtin::BIstrncat) 442 CheckStrncatArguments(TheCall, FnInfo); 443 else 444 CheckMemaccessArguments(TheCall, CMId, FnInfo); 445 446 return false; 447 } 448 449 bool Sema::CheckObjCMethodCall(ObjCMethodDecl *Method, SourceLocation lbrac, 450 Expr **Args, unsigned NumArgs) { 451 for (specific_attr_iterator<FormatAttr> 452 i = Method->specific_attr_begin<FormatAttr>(), 453 e = Method->specific_attr_end<FormatAttr>(); i != e ; ++i) { 454 455 CheckFormatArguments(*i, Args, NumArgs, false, lbrac, 456 Method->getSourceRange()); 457 } 458 459 // diagnose nonnull arguments. 460 for (specific_attr_iterator<NonNullAttr> 461 i = Method->specific_attr_begin<NonNullAttr>(), 462 e = Method->specific_attr_end<NonNullAttr>(); i != e; ++i) { 463 CheckNonNullArguments(*i, Args, lbrac); 464 } 465 466 return false; 467 } 468 469 bool Sema::CheckBlockCall(NamedDecl *NDecl, CallExpr *TheCall) { 470 const VarDecl *V = dyn_cast<VarDecl>(NDecl); 471 if (!V) 472 return false; 473 474 QualType Ty = V->getType(); 475 if (!Ty->isBlockPointerType()) 476 return false; 477 478 // format string checking. 479 for (specific_attr_iterator<FormatAttr> 480 i = NDecl->specific_attr_begin<FormatAttr>(), 481 e = NDecl->specific_attr_end<FormatAttr>(); i != e ; ++i) { 482 CheckFormatArguments(*i, TheCall); 483 } 484 485 return false; 486 } 487 488 ExprResult Sema::SemaAtomicOpsOverloaded(ExprResult TheCallResult, 489 AtomicExpr::AtomicOp Op) { 490 CallExpr *TheCall = cast<CallExpr>(TheCallResult.get()); 491 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 492 493 // All these operations take one of the following forms: 494 enum { 495 // C __c11_atomic_init(A *, C) 496 Init, 497 // C __c11_atomic_load(A *, int) 498 Load, 499 // void __atomic_load(A *, CP, int) 500 Copy, 501 // C __c11_atomic_add(A *, M, int) 502 Arithmetic, 503 // C __atomic_exchange_n(A *, CP, int) 504 Xchg, 505 // void __atomic_exchange(A *, C *, CP, int) 506 GNUXchg, 507 // bool __c11_atomic_compare_exchange_strong(A *, C *, CP, int, int) 508 C11CmpXchg, 509 // bool __atomic_compare_exchange(A *, C *, CP, bool, int, int) 510 GNUCmpXchg 511 } Form = Init; 512 const unsigned NumArgs[] = { 2, 2, 3, 3, 3, 4, 5, 6 }; 513 const unsigned NumVals[] = { 1, 0, 1, 1, 1, 2, 2, 3 }; 514 // where: 515 // C is an appropriate type, 516 // A is volatile _Atomic(C) for __c11 builtins and is C for GNU builtins, 517 // CP is C for __c11 builtins and GNU _n builtins and is C * otherwise, 518 // M is C if C is an integer, and ptrdiff_t if C is a pointer, and 519 // the int parameters are for orderings. 520 521 assert(AtomicExpr::AO__c11_atomic_init == 0 && 522 AtomicExpr::AO__c11_atomic_fetch_xor + 1 == AtomicExpr::AO__atomic_load 523 && "need to update code for modified C11 atomics"); 524 bool IsC11 = Op >= AtomicExpr::AO__c11_atomic_init && 525 Op <= AtomicExpr::AO__c11_atomic_fetch_xor; 526 bool IsN = Op == AtomicExpr::AO__atomic_load_n || 527 Op == AtomicExpr::AO__atomic_store_n || 528 Op == AtomicExpr::AO__atomic_exchange_n || 529 Op == AtomicExpr::AO__atomic_compare_exchange_n; 530 bool IsAddSub = false; 531 532 switch (Op) { 533 case AtomicExpr::AO__c11_atomic_init: 534 Form = Init; 535 break; 536 537 case AtomicExpr::AO__c11_atomic_load: 538 case AtomicExpr::AO__atomic_load_n: 539 Form = Load; 540 break; 541 542 case AtomicExpr::AO__c11_atomic_store: 543 case AtomicExpr::AO__atomic_load: 544 case AtomicExpr::AO__atomic_store: 545 case AtomicExpr::AO__atomic_store_n: 546 Form = Copy; 547 break; 548 549 case AtomicExpr::AO__c11_atomic_fetch_add: 550 case AtomicExpr::AO__c11_atomic_fetch_sub: 551 case AtomicExpr::AO__atomic_fetch_add: 552 case AtomicExpr::AO__atomic_fetch_sub: 553 case AtomicExpr::AO__atomic_add_fetch: 554 case AtomicExpr::AO__atomic_sub_fetch: 555 IsAddSub = true; 556 // Fall through. 557 case AtomicExpr::AO__c11_atomic_fetch_and: 558 case AtomicExpr::AO__c11_atomic_fetch_or: 559 case AtomicExpr::AO__c11_atomic_fetch_xor: 560 case AtomicExpr::AO__atomic_fetch_and: 561 case AtomicExpr::AO__atomic_fetch_or: 562 case AtomicExpr::AO__atomic_fetch_xor: 563 case AtomicExpr::AO__atomic_fetch_nand: 564 case AtomicExpr::AO__atomic_and_fetch: 565 case AtomicExpr::AO__atomic_or_fetch: 566 case AtomicExpr::AO__atomic_xor_fetch: 567 case AtomicExpr::AO__atomic_nand_fetch: 568 Form = Arithmetic; 569 break; 570 571 case AtomicExpr::AO__c11_atomic_exchange: 572 case AtomicExpr::AO__atomic_exchange_n: 573 Form = Xchg; 574 break; 575 576 case AtomicExpr::AO__atomic_exchange: 577 Form = GNUXchg; 578 break; 579 580 case AtomicExpr::AO__c11_atomic_compare_exchange_strong: 581 case AtomicExpr::AO__c11_atomic_compare_exchange_weak: 582 Form = C11CmpXchg; 583 break; 584 585 case AtomicExpr::AO__atomic_compare_exchange: 586 case AtomicExpr::AO__atomic_compare_exchange_n: 587 Form = GNUCmpXchg; 588 break; 589 } 590 591 // Check we have the right number of arguments. 592 if (TheCall->getNumArgs() < NumArgs[Form]) { 593 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 594 << 0 << NumArgs[Form] << TheCall->getNumArgs() 595 << TheCall->getCallee()->getSourceRange(); 596 return ExprError(); 597 } else if (TheCall->getNumArgs() > NumArgs[Form]) { 598 Diag(TheCall->getArg(NumArgs[Form])->getLocStart(), 599 diag::err_typecheck_call_too_many_args) 600 << 0 << NumArgs[Form] << TheCall->getNumArgs() 601 << TheCall->getCallee()->getSourceRange(); 602 return ExprError(); 603 } 604 605 // Inspect the first argument of the atomic operation. 606 Expr *Ptr = TheCall->getArg(0); 607 Ptr = DefaultFunctionArrayLvalueConversion(Ptr).get(); 608 const PointerType *pointerType = Ptr->getType()->getAs<PointerType>(); 609 if (!pointerType) { 610 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 611 << Ptr->getType() << Ptr->getSourceRange(); 612 return ExprError(); 613 } 614 615 // For a __c11 builtin, this should be a pointer to an _Atomic type. 616 QualType AtomTy = pointerType->getPointeeType(); // 'A' 617 QualType ValType = AtomTy; // 'C' 618 if (IsC11) { 619 if (!AtomTy->isAtomicType()) { 620 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic) 621 << Ptr->getType() << Ptr->getSourceRange(); 622 return ExprError(); 623 } 624 ValType = AtomTy->getAs<AtomicType>()->getValueType(); 625 } 626 627 // For an arithmetic operation, the implied arithmetic must be well-formed. 628 if (Form == Arithmetic) { 629 // gcc does not enforce these rules for GNU atomics, but we do so for sanity. 630 if (IsAddSub && !ValType->isIntegerType() && !ValType->isPointerType()) { 631 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic_int_or_ptr) 632 << IsC11 << Ptr->getType() << Ptr->getSourceRange(); 633 return ExprError(); 634 } 635 if (!IsAddSub && !ValType->isIntegerType()) { 636 Diag(DRE->getLocStart(), diag::err_atomic_op_bitwise_needs_atomic_int) 637 << IsC11 << Ptr->getType() << Ptr->getSourceRange(); 638 return ExprError(); 639 } 640 } else if (IsN && !ValType->isIntegerType() && !ValType->isPointerType()) { 641 // For __atomic_*_n operations, the value type must be a scalar integral or 642 // pointer type which is 1, 2, 4, 8 or 16 bytes in length. 643 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic_int_or_ptr) 644 << IsC11 << Ptr->getType() << Ptr->getSourceRange(); 645 return ExprError(); 646 } 647 648 if (!IsC11 && !AtomTy.isTriviallyCopyableType(Context)) { 649 // For GNU atomics, require a trivially-copyable type. This is not part of 650 // the GNU atomics specification, but we enforce it for sanity. 651 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_trivial_copy) 652 << Ptr->getType() << Ptr->getSourceRange(); 653 return ExprError(); 654 } 655 656 // FIXME: For any builtin other than a load, the ValType must not be 657 // const-qualified. 658 659 switch (ValType.getObjCLifetime()) { 660 case Qualifiers::OCL_None: 661 case Qualifiers::OCL_ExplicitNone: 662 // okay 663 break; 664 665 case Qualifiers::OCL_Weak: 666 case Qualifiers::OCL_Strong: 667 case Qualifiers::OCL_Autoreleasing: 668 // FIXME: Can this happen? By this point, ValType should be known 669 // to be trivially copyable. 670 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 671 << ValType << Ptr->getSourceRange(); 672 return ExprError(); 673 } 674 675 QualType ResultType = ValType; 676 if (Form == Copy || Form == GNUXchg || Form == Init) 677 ResultType = Context.VoidTy; 678 else if (Form == C11CmpXchg || Form == GNUCmpXchg) 679 ResultType = Context.BoolTy; 680 681 // The type of a parameter passed 'by value'. In the GNU atomics, such 682 // arguments are actually passed as pointers. 683 QualType ByValType = ValType; // 'CP' 684 if (!IsC11 && !IsN) 685 ByValType = Ptr->getType(); 686 687 // The first argument --- the pointer --- has a fixed type; we 688 // deduce the types of the rest of the arguments accordingly. Walk 689 // the remaining arguments, converting them to the deduced value type. 690 for (unsigned i = 1; i != NumArgs[Form]; ++i) { 691 QualType Ty; 692 if (i < NumVals[Form] + 1) { 693 switch (i) { 694 case 1: 695 // The second argument is the non-atomic operand. For arithmetic, this 696 // is always passed by value, and for a compare_exchange it is always 697 // passed by address. For the rest, GNU uses by-address and C11 uses 698 // by-value. 699 assert(Form != Load); 700 if (Form == Init || (Form == Arithmetic && ValType->isIntegerType())) 701 Ty = ValType; 702 else if (Form == Copy || Form == Xchg) 703 Ty = ByValType; 704 else if (Form == Arithmetic) 705 Ty = Context.getPointerDiffType(); 706 else 707 Ty = Context.getPointerType(ValType.getUnqualifiedType()); 708 break; 709 case 2: 710 // The third argument to compare_exchange / GNU exchange is a 711 // (pointer to a) desired value. 712 Ty = ByValType; 713 break; 714 case 3: 715 // The fourth argument to GNU compare_exchange is a 'weak' flag. 716 Ty = Context.BoolTy; 717 break; 718 } 719 } else { 720 // The order(s) are always converted to int. 721 Ty = Context.IntTy; 722 } 723 724 InitializedEntity Entity = 725 InitializedEntity::InitializeParameter(Context, Ty, false); 726 ExprResult Arg = TheCall->getArg(i); 727 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg); 728 if (Arg.isInvalid()) 729 return true; 730 TheCall->setArg(i, Arg.get()); 731 } 732 733 // Permute the arguments into a 'consistent' order. 734 SmallVector<Expr*, 5> SubExprs; 735 SubExprs.push_back(Ptr); 736 switch (Form) { 737 case Init: 738 // Note, AtomicExpr::getVal1() has a special case for this atomic. 739 SubExprs.push_back(TheCall->getArg(1)); // Val1 740 break; 741 case Load: 742 SubExprs.push_back(TheCall->getArg(1)); // Order 743 break; 744 case Copy: 745 case Arithmetic: 746 case Xchg: 747 SubExprs.push_back(TheCall->getArg(2)); // Order 748 SubExprs.push_back(TheCall->getArg(1)); // Val1 749 break; 750 case GNUXchg: 751 // Note, AtomicExpr::getVal2() has a special case for this atomic. 752 SubExprs.push_back(TheCall->getArg(3)); // Order 753 SubExprs.push_back(TheCall->getArg(1)); // Val1 754 SubExprs.push_back(TheCall->getArg(2)); // Val2 755 break; 756 case C11CmpXchg: 757 SubExprs.push_back(TheCall->getArg(3)); // Order 758 SubExprs.push_back(TheCall->getArg(1)); // Val1 759 SubExprs.push_back(TheCall->getArg(4)); // OrderFail 760 SubExprs.push_back(TheCall->getArg(2)); // Val2 761 break; 762 case GNUCmpXchg: 763 SubExprs.push_back(TheCall->getArg(4)); // Order 764 SubExprs.push_back(TheCall->getArg(1)); // Val1 765 SubExprs.push_back(TheCall->getArg(5)); // OrderFail 766 SubExprs.push_back(TheCall->getArg(2)); // Val2 767 SubExprs.push_back(TheCall->getArg(3)); // Weak 768 break; 769 } 770 771 return Owned(new (Context) AtomicExpr(TheCall->getCallee()->getLocStart(), 772 SubExprs.data(), SubExprs.size(), 773 ResultType, Op, 774 TheCall->getRParenLoc())); 775 } 776 777 778 /// checkBuiltinArgument - Given a call to a builtin function, perform 779 /// normal type-checking on the given argument, updating the call in 780 /// place. This is useful when a builtin function requires custom 781 /// type-checking for some of its arguments but not necessarily all of 782 /// them. 783 /// 784 /// Returns true on error. 785 static bool checkBuiltinArgument(Sema &S, CallExpr *E, unsigned ArgIndex) { 786 FunctionDecl *Fn = E->getDirectCallee(); 787 assert(Fn && "builtin call without direct callee!"); 788 789 ParmVarDecl *Param = Fn->getParamDecl(ArgIndex); 790 InitializedEntity Entity = 791 InitializedEntity::InitializeParameter(S.Context, Param); 792 793 ExprResult Arg = E->getArg(0); 794 Arg = S.PerformCopyInitialization(Entity, SourceLocation(), Arg); 795 if (Arg.isInvalid()) 796 return true; 797 798 E->setArg(ArgIndex, Arg.take()); 799 return false; 800 } 801 802 /// SemaBuiltinAtomicOverloaded - We have a call to a function like 803 /// __sync_fetch_and_add, which is an overloaded function based on the pointer 804 /// type of its first argument. The main ActOnCallExpr routines have already 805 /// promoted the types of arguments because all of these calls are prototyped as 806 /// void(...). 807 /// 808 /// This function goes through and does final semantic checking for these 809 /// builtins, 810 ExprResult 811 Sema::SemaBuiltinAtomicOverloaded(ExprResult TheCallResult) { 812 CallExpr *TheCall = (CallExpr *)TheCallResult.get(); 813 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 814 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 815 816 // Ensure that we have at least one argument to do type inference from. 817 if (TheCall->getNumArgs() < 1) { 818 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 819 << 0 << 1 << TheCall->getNumArgs() 820 << TheCall->getCallee()->getSourceRange(); 821 return ExprError(); 822 } 823 824 // Inspect the first argument of the atomic builtin. This should always be 825 // a pointer type, whose element is an integral scalar or pointer type. 826 // Because it is a pointer type, we don't have to worry about any implicit 827 // casts here. 828 // FIXME: We don't allow floating point scalars as input. 829 Expr *FirstArg = TheCall->getArg(0); 830 ExprResult FirstArgResult = DefaultFunctionArrayLvalueConversion(FirstArg); 831 if (FirstArgResult.isInvalid()) 832 return ExprError(); 833 FirstArg = FirstArgResult.take(); 834 TheCall->setArg(0, FirstArg); 835 836 const PointerType *pointerType = FirstArg->getType()->getAs<PointerType>(); 837 if (!pointerType) { 838 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 839 << FirstArg->getType() << FirstArg->getSourceRange(); 840 return ExprError(); 841 } 842 843 QualType ValType = pointerType->getPointeeType(); 844 if (!ValType->isIntegerType() && !ValType->isAnyPointerType() && 845 !ValType->isBlockPointerType()) { 846 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer_intptr) 847 << FirstArg->getType() << FirstArg->getSourceRange(); 848 return ExprError(); 849 } 850 851 switch (ValType.getObjCLifetime()) { 852 case Qualifiers::OCL_None: 853 case Qualifiers::OCL_ExplicitNone: 854 // okay 855 break; 856 857 case Qualifiers::OCL_Weak: 858 case Qualifiers::OCL_Strong: 859 case Qualifiers::OCL_Autoreleasing: 860 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 861 << ValType << FirstArg->getSourceRange(); 862 return ExprError(); 863 } 864 865 // Strip any qualifiers off ValType. 866 ValType = ValType.getUnqualifiedType(); 867 868 // The majority of builtins return a value, but a few have special return 869 // types, so allow them to override appropriately below. 870 QualType ResultType = ValType; 871 872 // We need to figure out which concrete builtin this maps onto. For example, 873 // __sync_fetch_and_add with a 2 byte object turns into 874 // __sync_fetch_and_add_2. 875 #define BUILTIN_ROW(x) \ 876 { Builtin::BI##x##_1, Builtin::BI##x##_2, Builtin::BI##x##_4, \ 877 Builtin::BI##x##_8, Builtin::BI##x##_16 } 878 879 static const unsigned BuiltinIndices[][5] = { 880 BUILTIN_ROW(__sync_fetch_and_add), 881 BUILTIN_ROW(__sync_fetch_and_sub), 882 BUILTIN_ROW(__sync_fetch_and_or), 883 BUILTIN_ROW(__sync_fetch_and_and), 884 BUILTIN_ROW(__sync_fetch_and_xor), 885 886 BUILTIN_ROW(__sync_add_and_fetch), 887 BUILTIN_ROW(__sync_sub_and_fetch), 888 BUILTIN_ROW(__sync_and_and_fetch), 889 BUILTIN_ROW(__sync_or_and_fetch), 890 BUILTIN_ROW(__sync_xor_and_fetch), 891 892 BUILTIN_ROW(__sync_val_compare_and_swap), 893 BUILTIN_ROW(__sync_bool_compare_and_swap), 894 BUILTIN_ROW(__sync_lock_test_and_set), 895 BUILTIN_ROW(__sync_lock_release), 896 BUILTIN_ROW(__sync_swap) 897 }; 898 #undef BUILTIN_ROW 899 900 // Determine the index of the size. 901 unsigned SizeIndex; 902 switch (Context.getTypeSizeInChars(ValType).getQuantity()) { 903 case 1: SizeIndex = 0; break; 904 case 2: SizeIndex = 1; break; 905 case 4: SizeIndex = 2; break; 906 case 8: SizeIndex = 3; break; 907 case 16: SizeIndex = 4; break; 908 default: 909 Diag(DRE->getLocStart(), diag::err_atomic_builtin_pointer_size) 910 << FirstArg->getType() << FirstArg->getSourceRange(); 911 return ExprError(); 912 } 913 914 // Each of these builtins has one pointer argument, followed by some number of 915 // values (0, 1 or 2) followed by a potentially empty varags list of stuff 916 // that we ignore. Find out which row of BuiltinIndices to read from as well 917 // as the number of fixed args. 918 unsigned BuiltinID = FDecl->getBuiltinID(); 919 unsigned BuiltinIndex, NumFixed = 1; 920 switch (BuiltinID) { 921 default: llvm_unreachable("Unknown overloaded atomic builtin!"); 922 case Builtin::BI__sync_fetch_and_add: 923 case Builtin::BI__sync_fetch_and_add_1: 924 case Builtin::BI__sync_fetch_and_add_2: 925 case Builtin::BI__sync_fetch_and_add_4: 926 case Builtin::BI__sync_fetch_and_add_8: 927 case Builtin::BI__sync_fetch_and_add_16: 928 BuiltinIndex = 0; 929 break; 930 931 case Builtin::BI__sync_fetch_and_sub: 932 case Builtin::BI__sync_fetch_and_sub_1: 933 case Builtin::BI__sync_fetch_and_sub_2: 934 case Builtin::BI__sync_fetch_and_sub_4: 935 case Builtin::BI__sync_fetch_and_sub_8: 936 case Builtin::BI__sync_fetch_and_sub_16: 937 BuiltinIndex = 1; 938 break; 939 940 case Builtin::BI__sync_fetch_and_or: 941 case Builtin::BI__sync_fetch_and_or_1: 942 case Builtin::BI__sync_fetch_and_or_2: 943 case Builtin::BI__sync_fetch_and_or_4: 944 case Builtin::BI__sync_fetch_and_or_8: 945 case Builtin::BI__sync_fetch_and_or_16: 946 BuiltinIndex = 2; 947 break; 948 949 case Builtin::BI__sync_fetch_and_and: 950 case Builtin::BI__sync_fetch_and_and_1: 951 case Builtin::BI__sync_fetch_and_and_2: 952 case Builtin::BI__sync_fetch_and_and_4: 953 case Builtin::BI__sync_fetch_and_and_8: 954 case Builtin::BI__sync_fetch_and_and_16: 955 BuiltinIndex = 3; 956 break; 957 958 case Builtin::BI__sync_fetch_and_xor: 959 case Builtin::BI__sync_fetch_and_xor_1: 960 case Builtin::BI__sync_fetch_and_xor_2: 961 case Builtin::BI__sync_fetch_and_xor_4: 962 case Builtin::BI__sync_fetch_and_xor_8: 963 case Builtin::BI__sync_fetch_and_xor_16: 964 BuiltinIndex = 4; 965 break; 966 967 case Builtin::BI__sync_add_and_fetch: 968 case Builtin::BI__sync_add_and_fetch_1: 969 case Builtin::BI__sync_add_and_fetch_2: 970 case Builtin::BI__sync_add_and_fetch_4: 971 case Builtin::BI__sync_add_and_fetch_8: 972 case Builtin::BI__sync_add_and_fetch_16: 973 BuiltinIndex = 5; 974 break; 975 976 case Builtin::BI__sync_sub_and_fetch: 977 case Builtin::BI__sync_sub_and_fetch_1: 978 case Builtin::BI__sync_sub_and_fetch_2: 979 case Builtin::BI__sync_sub_and_fetch_4: 980 case Builtin::BI__sync_sub_and_fetch_8: 981 case Builtin::BI__sync_sub_and_fetch_16: 982 BuiltinIndex = 6; 983 break; 984 985 case Builtin::BI__sync_and_and_fetch: 986 case Builtin::BI__sync_and_and_fetch_1: 987 case Builtin::BI__sync_and_and_fetch_2: 988 case Builtin::BI__sync_and_and_fetch_4: 989 case Builtin::BI__sync_and_and_fetch_8: 990 case Builtin::BI__sync_and_and_fetch_16: 991 BuiltinIndex = 7; 992 break; 993 994 case Builtin::BI__sync_or_and_fetch: 995 case Builtin::BI__sync_or_and_fetch_1: 996 case Builtin::BI__sync_or_and_fetch_2: 997 case Builtin::BI__sync_or_and_fetch_4: 998 case Builtin::BI__sync_or_and_fetch_8: 999 case Builtin::BI__sync_or_and_fetch_16: 1000 BuiltinIndex = 8; 1001 break; 1002 1003 case Builtin::BI__sync_xor_and_fetch: 1004 case Builtin::BI__sync_xor_and_fetch_1: 1005 case Builtin::BI__sync_xor_and_fetch_2: 1006 case Builtin::BI__sync_xor_and_fetch_4: 1007 case Builtin::BI__sync_xor_and_fetch_8: 1008 case Builtin::BI__sync_xor_and_fetch_16: 1009 BuiltinIndex = 9; 1010 break; 1011 1012 case Builtin::BI__sync_val_compare_and_swap: 1013 case Builtin::BI__sync_val_compare_and_swap_1: 1014 case Builtin::BI__sync_val_compare_and_swap_2: 1015 case Builtin::BI__sync_val_compare_and_swap_4: 1016 case Builtin::BI__sync_val_compare_and_swap_8: 1017 case Builtin::BI__sync_val_compare_and_swap_16: 1018 BuiltinIndex = 10; 1019 NumFixed = 2; 1020 break; 1021 1022 case Builtin::BI__sync_bool_compare_and_swap: 1023 case Builtin::BI__sync_bool_compare_and_swap_1: 1024 case Builtin::BI__sync_bool_compare_and_swap_2: 1025 case Builtin::BI__sync_bool_compare_and_swap_4: 1026 case Builtin::BI__sync_bool_compare_and_swap_8: 1027 case Builtin::BI__sync_bool_compare_and_swap_16: 1028 BuiltinIndex = 11; 1029 NumFixed = 2; 1030 ResultType = Context.BoolTy; 1031 break; 1032 1033 case Builtin::BI__sync_lock_test_and_set: 1034 case Builtin::BI__sync_lock_test_and_set_1: 1035 case Builtin::BI__sync_lock_test_and_set_2: 1036 case Builtin::BI__sync_lock_test_and_set_4: 1037 case Builtin::BI__sync_lock_test_and_set_8: 1038 case Builtin::BI__sync_lock_test_and_set_16: 1039 BuiltinIndex = 12; 1040 break; 1041 1042 case Builtin::BI__sync_lock_release: 1043 case Builtin::BI__sync_lock_release_1: 1044 case Builtin::BI__sync_lock_release_2: 1045 case Builtin::BI__sync_lock_release_4: 1046 case Builtin::BI__sync_lock_release_8: 1047 case Builtin::BI__sync_lock_release_16: 1048 BuiltinIndex = 13; 1049 NumFixed = 0; 1050 ResultType = Context.VoidTy; 1051 break; 1052 1053 case Builtin::BI__sync_swap: 1054 case Builtin::BI__sync_swap_1: 1055 case Builtin::BI__sync_swap_2: 1056 case Builtin::BI__sync_swap_4: 1057 case Builtin::BI__sync_swap_8: 1058 case Builtin::BI__sync_swap_16: 1059 BuiltinIndex = 14; 1060 break; 1061 } 1062 1063 // Now that we know how many fixed arguments we expect, first check that we 1064 // have at least that many. 1065 if (TheCall->getNumArgs() < 1+NumFixed) { 1066 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 1067 << 0 << 1+NumFixed << TheCall->getNumArgs() 1068 << TheCall->getCallee()->getSourceRange(); 1069 return ExprError(); 1070 } 1071 1072 // Get the decl for the concrete builtin from this, we can tell what the 1073 // concrete integer type we should convert to is. 1074 unsigned NewBuiltinID = BuiltinIndices[BuiltinIndex][SizeIndex]; 1075 const char *NewBuiltinName = Context.BuiltinInfo.GetName(NewBuiltinID); 1076 IdentifierInfo *NewBuiltinII = PP.getIdentifierInfo(NewBuiltinName); 1077 FunctionDecl *NewBuiltinDecl = 1078 cast<FunctionDecl>(LazilyCreateBuiltin(NewBuiltinII, NewBuiltinID, 1079 TUScope, false, DRE->getLocStart())); 1080 1081 // The first argument --- the pointer --- has a fixed type; we 1082 // deduce the types of the rest of the arguments accordingly. Walk 1083 // the remaining arguments, converting them to the deduced value type. 1084 for (unsigned i = 0; i != NumFixed; ++i) { 1085 ExprResult Arg = TheCall->getArg(i+1); 1086 1087 // GCC does an implicit conversion to the pointer or integer ValType. This 1088 // can fail in some cases (1i -> int**), check for this error case now. 1089 // Initialize the argument. 1090 InitializedEntity Entity = InitializedEntity::InitializeParameter(Context, 1091 ValType, /*consume*/ false); 1092 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg); 1093 if (Arg.isInvalid()) 1094 return ExprError(); 1095 1096 // Okay, we have something that *can* be converted to the right type. Check 1097 // to see if there is a potentially weird extension going on here. This can 1098 // happen when you do an atomic operation on something like an char* and 1099 // pass in 42. The 42 gets converted to char. This is even more strange 1100 // for things like 45.123 -> char, etc. 1101 // FIXME: Do this check. 1102 TheCall->setArg(i+1, Arg.take()); 1103 } 1104 1105 ASTContext& Context = this->getASTContext(); 1106 1107 // Create a new DeclRefExpr to refer to the new decl. 1108 DeclRefExpr* NewDRE = DeclRefExpr::Create( 1109 Context, 1110 DRE->getQualifierLoc(), 1111 SourceLocation(), 1112 NewBuiltinDecl, 1113 /*enclosing*/ false, 1114 DRE->getLocation(), 1115 NewBuiltinDecl->getType(), 1116 DRE->getValueKind()); 1117 1118 // Set the callee in the CallExpr. 1119 // FIXME: This leaks the original parens and implicit casts. 1120 ExprResult PromotedCall = UsualUnaryConversions(NewDRE); 1121 if (PromotedCall.isInvalid()) 1122 return ExprError(); 1123 TheCall->setCallee(PromotedCall.take()); 1124 1125 // Change the result type of the call to match the original value type. This 1126 // is arbitrary, but the codegen for these builtins ins design to handle it 1127 // gracefully. 1128 TheCall->setType(ResultType); 1129 1130 return move(TheCallResult); 1131 } 1132 1133 /// CheckObjCString - Checks that the argument to the builtin 1134 /// CFString constructor is correct 1135 /// Note: It might also make sense to do the UTF-16 conversion here (would 1136 /// simplify the backend). 1137 bool Sema::CheckObjCString(Expr *Arg) { 1138 Arg = Arg->IgnoreParenCasts(); 1139 StringLiteral *Literal = dyn_cast<StringLiteral>(Arg); 1140 1141 if (!Literal || !Literal->isAscii()) { 1142 Diag(Arg->getLocStart(), diag::err_cfstring_literal_not_string_constant) 1143 << Arg->getSourceRange(); 1144 return true; 1145 } 1146 1147 if (Literal->containsNonAsciiOrNull()) { 1148 StringRef String = Literal->getString(); 1149 unsigned NumBytes = String.size(); 1150 SmallVector<UTF16, 128> ToBuf(NumBytes); 1151 const UTF8 *FromPtr = (UTF8 *)String.data(); 1152 UTF16 *ToPtr = &ToBuf[0]; 1153 1154 ConversionResult Result = ConvertUTF8toUTF16(&FromPtr, FromPtr + NumBytes, 1155 &ToPtr, ToPtr + NumBytes, 1156 strictConversion); 1157 // Check for conversion failure. 1158 if (Result != conversionOK) 1159 Diag(Arg->getLocStart(), 1160 diag::warn_cfstring_truncated) << Arg->getSourceRange(); 1161 } 1162 return false; 1163 } 1164 1165 /// SemaBuiltinVAStart - Check the arguments to __builtin_va_start for validity. 1166 /// Emit an error and return true on failure, return false on success. 1167 bool Sema::SemaBuiltinVAStart(CallExpr *TheCall) { 1168 Expr *Fn = TheCall->getCallee(); 1169 if (TheCall->getNumArgs() > 2) { 1170 Diag(TheCall->getArg(2)->getLocStart(), 1171 diag::err_typecheck_call_too_many_args) 1172 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 1173 << Fn->getSourceRange() 1174 << SourceRange(TheCall->getArg(2)->getLocStart(), 1175 (*(TheCall->arg_end()-1))->getLocEnd()); 1176 return true; 1177 } 1178 1179 if (TheCall->getNumArgs() < 2) { 1180 return Diag(TheCall->getLocEnd(), 1181 diag::err_typecheck_call_too_few_args_at_least) 1182 << 0 /*function call*/ << 2 << TheCall->getNumArgs(); 1183 } 1184 1185 // Type-check the first argument normally. 1186 if (checkBuiltinArgument(*this, TheCall, 0)) 1187 return true; 1188 1189 // Determine whether the current function is variadic or not. 1190 BlockScopeInfo *CurBlock = getCurBlock(); 1191 bool isVariadic; 1192 if (CurBlock) 1193 isVariadic = CurBlock->TheDecl->isVariadic(); 1194 else if (FunctionDecl *FD = getCurFunctionDecl()) 1195 isVariadic = FD->isVariadic(); 1196 else 1197 isVariadic = getCurMethodDecl()->isVariadic(); 1198 1199 if (!isVariadic) { 1200 Diag(Fn->getLocStart(), diag::err_va_start_used_in_non_variadic_function); 1201 return true; 1202 } 1203 1204 // Verify that the second argument to the builtin is the last argument of the 1205 // current function or method. 1206 bool SecondArgIsLastNamedArgument = false; 1207 const Expr *Arg = TheCall->getArg(1)->IgnoreParenCasts(); 1208 1209 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Arg)) { 1210 if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(DR->getDecl())) { 1211 // FIXME: This isn't correct for methods (results in bogus warning). 1212 // Get the last formal in the current function. 1213 const ParmVarDecl *LastArg; 1214 if (CurBlock) 1215 LastArg = *(CurBlock->TheDecl->param_end()-1); 1216 else if (FunctionDecl *FD = getCurFunctionDecl()) 1217 LastArg = *(FD->param_end()-1); 1218 else 1219 LastArg = *(getCurMethodDecl()->param_end()-1); 1220 SecondArgIsLastNamedArgument = PV == LastArg; 1221 } 1222 } 1223 1224 if (!SecondArgIsLastNamedArgument) 1225 Diag(TheCall->getArg(1)->getLocStart(), 1226 diag::warn_second_parameter_of_va_start_not_last_named_argument); 1227 return false; 1228 } 1229 1230 /// SemaBuiltinUnorderedCompare - Handle functions like __builtin_isgreater and 1231 /// friends. This is declared to take (...), so we have to check everything. 1232 bool Sema::SemaBuiltinUnorderedCompare(CallExpr *TheCall) { 1233 if (TheCall->getNumArgs() < 2) 1234 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 1235 << 0 << 2 << TheCall->getNumArgs()/*function call*/; 1236 if (TheCall->getNumArgs() > 2) 1237 return Diag(TheCall->getArg(2)->getLocStart(), 1238 diag::err_typecheck_call_too_many_args) 1239 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 1240 << SourceRange(TheCall->getArg(2)->getLocStart(), 1241 (*(TheCall->arg_end()-1))->getLocEnd()); 1242 1243 ExprResult OrigArg0 = TheCall->getArg(0); 1244 ExprResult OrigArg1 = TheCall->getArg(1); 1245 1246 // Do standard promotions between the two arguments, returning their common 1247 // type. 1248 QualType Res = UsualArithmeticConversions(OrigArg0, OrigArg1, false); 1249 if (OrigArg0.isInvalid() || OrigArg1.isInvalid()) 1250 return true; 1251 1252 // Make sure any conversions are pushed back into the call; this is 1253 // type safe since unordered compare builtins are declared as "_Bool 1254 // foo(...)". 1255 TheCall->setArg(0, OrigArg0.get()); 1256 TheCall->setArg(1, OrigArg1.get()); 1257 1258 if (OrigArg0.get()->isTypeDependent() || OrigArg1.get()->isTypeDependent()) 1259 return false; 1260 1261 // If the common type isn't a real floating type, then the arguments were 1262 // invalid for this operation. 1263 if (!Res->isRealFloatingType()) 1264 return Diag(OrigArg0.get()->getLocStart(), 1265 diag::err_typecheck_call_invalid_ordered_compare) 1266 << OrigArg0.get()->getType() << OrigArg1.get()->getType() 1267 << SourceRange(OrigArg0.get()->getLocStart(), OrigArg1.get()->getLocEnd()); 1268 1269 return false; 1270 } 1271 1272 /// SemaBuiltinSemaBuiltinFPClassification - Handle functions like 1273 /// __builtin_isnan and friends. This is declared to take (...), so we have 1274 /// to check everything. We expect the last argument to be a floating point 1275 /// value. 1276 bool Sema::SemaBuiltinFPClassification(CallExpr *TheCall, unsigned NumArgs) { 1277 if (TheCall->getNumArgs() < NumArgs) 1278 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 1279 << 0 << NumArgs << TheCall->getNumArgs()/*function call*/; 1280 if (TheCall->getNumArgs() > NumArgs) 1281 return Diag(TheCall->getArg(NumArgs)->getLocStart(), 1282 diag::err_typecheck_call_too_many_args) 1283 << 0 /*function call*/ << NumArgs << TheCall->getNumArgs() 1284 << SourceRange(TheCall->getArg(NumArgs)->getLocStart(), 1285 (*(TheCall->arg_end()-1))->getLocEnd()); 1286 1287 Expr *OrigArg = TheCall->getArg(NumArgs-1); 1288 1289 if (OrigArg->isTypeDependent()) 1290 return false; 1291 1292 // This operation requires a non-_Complex floating-point number. 1293 if (!OrigArg->getType()->isRealFloatingType()) 1294 return Diag(OrigArg->getLocStart(), 1295 diag::err_typecheck_call_invalid_unary_fp) 1296 << OrigArg->getType() << OrigArg->getSourceRange(); 1297 1298 // If this is an implicit conversion from float -> double, remove it. 1299 if (ImplicitCastExpr *Cast = dyn_cast<ImplicitCastExpr>(OrigArg)) { 1300 Expr *CastArg = Cast->getSubExpr(); 1301 if (CastArg->getType()->isSpecificBuiltinType(BuiltinType::Float)) { 1302 assert(Cast->getType()->isSpecificBuiltinType(BuiltinType::Double) && 1303 "promotion from float to double is the only expected cast here"); 1304 Cast->setSubExpr(0); 1305 TheCall->setArg(NumArgs-1, CastArg); 1306 } 1307 } 1308 1309 return false; 1310 } 1311 1312 /// SemaBuiltinShuffleVector - Handle __builtin_shufflevector. 1313 // This is declared to take (...), so we have to check everything. 1314 ExprResult Sema::SemaBuiltinShuffleVector(CallExpr *TheCall) { 1315 if (TheCall->getNumArgs() < 2) 1316 return ExprError(Diag(TheCall->getLocEnd(), 1317 diag::err_typecheck_call_too_few_args_at_least) 1318 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 1319 << TheCall->getSourceRange()); 1320 1321 // Determine which of the following types of shufflevector we're checking: 1322 // 1) unary, vector mask: (lhs, mask) 1323 // 2) binary, vector mask: (lhs, rhs, mask) 1324 // 3) binary, scalar mask: (lhs, rhs, index, ..., index) 1325 QualType resType = TheCall->getArg(0)->getType(); 1326 unsigned numElements = 0; 1327 1328 if (!TheCall->getArg(0)->isTypeDependent() && 1329 !TheCall->getArg(1)->isTypeDependent()) { 1330 QualType LHSType = TheCall->getArg(0)->getType(); 1331 QualType RHSType = TheCall->getArg(1)->getType(); 1332 1333 if (!LHSType->isVectorType() || !RHSType->isVectorType()) { 1334 Diag(TheCall->getLocStart(), diag::err_shufflevector_non_vector) 1335 << SourceRange(TheCall->getArg(0)->getLocStart(), 1336 TheCall->getArg(1)->getLocEnd()); 1337 return ExprError(); 1338 } 1339 1340 numElements = LHSType->getAs<VectorType>()->getNumElements(); 1341 unsigned numResElements = TheCall->getNumArgs() - 2; 1342 1343 // Check to see if we have a call with 2 vector arguments, the unary shuffle 1344 // with mask. If so, verify that RHS is an integer vector type with the 1345 // same number of elts as lhs. 1346 if (TheCall->getNumArgs() == 2) { 1347 if (!RHSType->hasIntegerRepresentation() || 1348 RHSType->getAs<VectorType>()->getNumElements() != numElements) 1349 Diag(TheCall->getLocStart(), diag::err_shufflevector_incompatible_vector) 1350 << SourceRange(TheCall->getArg(1)->getLocStart(), 1351 TheCall->getArg(1)->getLocEnd()); 1352 numResElements = numElements; 1353 } 1354 else if (!Context.hasSameUnqualifiedType(LHSType, RHSType)) { 1355 Diag(TheCall->getLocStart(), diag::err_shufflevector_incompatible_vector) 1356 << SourceRange(TheCall->getArg(0)->getLocStart(), 1357 TheCall->getArg(1)->getLocEnd()); 1358 return ExprError(); 1359 } else if (numElements != numResElements) { 1360 QualType eltType = LHSType->getAs<VectorType>()->getElementType(); 1361 resType = Context.getVectorType(eltType, numResElements, 1362 VectorType::GenericVector); 1363 } 1364 } 1365 1366 for (unsigned i = 2; i < TheCall->getNumArgs(); i++) { 1367 if (TheCall->getArg(i)->isTypeDependent() || 1368 TheCall->getArg(i)->isValueDependent()) 1369 continue; 1370 1371 llvm::APSInt Result(32); 1372 if (!TheCall->getArg(i)->isIntegerConstantExpr(Result, Context)) 1373 return ExprError(Diag(TheCall->getLocStart(), 1374 diag::err_shufflevector_nonconstant_argument) 1375 << TheCall->getArg(i)->getSourceRange()); 1376 1377 if (Result.getActiveBits() > 64 || Result.getZExtValue() >= numElements*2) 1378 return ExprError(Diag(TheCall->getLocStart(), 1379 diag::err_shufflevector_argument_too_large) 1380 << TheCall->getArg(i)->getSourceRange()); 1381 } 1382 1383 SmallVector<Expr*, 32> exprs; 1384 1385 for (unsigned i = 0, e = TheCall->getNumArgs(); i != e; i++) { 1386 exprs.push_back(TheCall->getArg(i)); 1387 TheCall->setArg(i, 0); 1388 } 1389 1390 return Owned(new (Context) ShuffleVectorExpr(Context, exprs.begin(), 1391 exprs.size(), resType, 1392 TheCall->getCallee()->getLocStart(), 1393 TheCall->getRParenLoc())); 1394 } 1395 1396 /// SemaBuiltinPrefetch - Handle __builtin_prefetch. 1397 // This is declared to take (const void*, ...) and can take two 1398 // optional constant int args. 1399 bool Sema::SemaBuiltinPrefetch(CallExpr *TheCall) { 1400 unsigned NumArgs = TheCall->getNumArgs(); 1401 1402 if (NumArgs > 3) 1403 return Diag(TheCall->getLocEnd(), 1404 diag::err_typecheck_call_too_many_args_at_most) 1405 << 0 /*function call*/ << 3 << NumArgs 1406 << TheCall->getSourceRange(); 1407 1408 // Argument 0 is checked for us and the remaining arguments must be 1409 // constant integers. 1410 for (unsigned i = 1; i != NumArgs; ++i) { 1411 Expr *Arg = TheCall->getArg(i); 1412 1413 llvm::APSInt Result; 1414 if (SemaBuiltinConstantArg(TheCall, i, Result)) 1415 return true; 1416 1417 // FIXME: gcc issues a warning and rewrites these to 0. These 1418 // seems especially odd for the third argument since the default 1419 // is 3. 1420 if (i == 1) { 1421 if (Result.getLimitedValue() > 1) 1422 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 1423 << "0" << "1" << Arg->getSourceRange(); 1424 } else { 1425 if (Result.getLimitedValue() > 3) 1426 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 1427 << "0" << "3" << Arg->getSourceRange(); 1428 } 1429 } 1430 1431 return false; 1432 } 1433 1434 /// SemaBuiltinConstantArg - Handle a check if argument ArgNum of CallExpr 1435 /// TheCall is a constant expression. 1436 bool Sema::SemaBuiltinConstantArg(CallExpr *TheCall, int ArgNum, 1437 llvm::APSInt &Result) { 1438 Expr *Arg = TheCall->getArg(ArgNum); 1439 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 1440 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 1441 1442 if (Arg->isTypeDependent() || Arg->isValueDependent()) return false; 1443 1444 if (!Arg->isIntegerConstantExpr(Result, Context)) 1445 return Diag(TheCall->getLocStart(), diag::err_constant_integer_arg_type) 1446 << FDecl->getDeclName() << Arg->getSourceRange(); 1447 1448 return false; 1449 } 1450 1451 /// SemaBuiltinObjectSize - Handle __builtin_object_size(void *ptr, 1452 /// int type). This simply type checks that type is one of the defined 1453 /// constants (0-3). 1454 // For compatibility check 0-3, llvm only handles 0 and 2. 1455 bool Sema::SemaBuiltinObjectSize(CallExpr *TheCall) { 1456 llvm::APSInt Result; 1457 1458 // Check constant-ness first. 1459 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 1460 return true; 1461 1462 Expr *Arg = TheCall->getArg(1); 1463 if (Result.getSExtValue() < 0 || Result.getSExtValue() > 3) { 1464 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 1465 << "0" << "3" << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 1466 } 1467 1468 return false; 1469 } 1470 1471 /// SemaBuiltinLongjmp - Handle __builtin_longjmp(void *env[5], int val). 1472 /// This checks that val is a constant 1. 1473 bool Sema::SemaBuiltinLongjmp(CallExpr *TheCall) { 1474 Expr *Arg = TheCall->getArg(1); 1475 llvm::APSInt Result; 1476 1477 // TODO: This is less than ideal. Overload this to take a value. 1478 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 1479 return true; 1480 1481 if (Result != 1) 1482 return Diag(TheCall->getLocStart(), diag::err_builtin_longjmp_invalid_val) 1483 << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 1484 1485 return false; 1486 } 1487 1488 // Handle i > 1 ? "x" : "y", recursively. 1489 bool Sema::SemaCheckStringLiteral(const Expr *E, Expr **Args, 1490 unsigned NumArgs, bool HasVAListArg, 1491 unsigned format_idx, unsigned firstDataArg, 1492 FormatStringType Type, bool inFunctionCall) { 1493 tryAgain: 1494 if (E->isTypeDependent() || E->isValueDependent()) 1495 return false; 1496 1497 E = E->IgnoreParenCasts(); 1498 1499 if (E->isNullPointerConstant(Context, Expr::NPC_ValueDependentIsNotNull)) 1500 // Technically -Wformat-nonliteral does not warn about this case. 1501 // The behavior of printf and friends in this case is implementation 1502 // dependent. Ideally if the format string cannot be null then 1503 // it should have a 'nonnull' attribute in the function prototype. 1504 return true; 1505 1506 switch (E->getStmtClass()) { 1507 case Stmt::BinaryConditionalOperatorClass: 1508 case Stmt::ConditionalOperatorClass: { 1509 const AbstractConditionalOperator *C = cast<AbstractConditionalOperator>(E); 1510 return SemaCheckStringLiteral(C->getTrueExpr(), Args, NumArgs, HasVAListArg, 1511 format_idx, firstDataArg, Type, 1512 inFunctionCall) 1513 && SemaCheckStringLiteral(C->getFalseExpr(), Args, NumArgs, HasVAListArg, 1514 format_idx, firstDataArg, Type, 1515 inFunctionCall); 1516 } 1517 1518 case Stmt::ImplicitCastExprClass: { 1519 E = cast<ImplicitCastExpr>(E)->getSubExpr(); 1520 goto tryAgain; 1521 } 1522 1523 case Stmt::OpaqueValueExprClass: 1524 if (const Expr *src = cast<OpaqueValueExpr>(E)->getSourceExpr()) { 1525 E = src; 1526 goto tryAgain; 1527 } 1528 return false; 1529 1530 case Stmt::PredefinedExprClass: 1531 // While __func__, etc., are technically not string literals, they 1532 // cannot contain format specifiers and thus are not a security 1533 // liability. 1534 return true; 1535 1536 case Stmt::DeclRefExprClass: { 1537 const DeclRefExpr *DR = cast<DeclRefExpr>(E); 1538 1539 // As an exception, do not flag errors for variables binding to 1540 // const string literals. 1541 if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) { 1542 bool isConstant = false; 1543 QualType T = DR->getType(); 1544 1545 if (const ArrayType *AT = Context.getAsArrayType(T)) { 1546 isConstant = AT->getElementType().isConstant(Context); 1547 } else if (const PointerType *PT = T->getAs<PointerType>()) { 1548 isConstant = T.isConstant(Context) && 1549 PT->getPointeeType().isConstant(Context); 1550 } else if (T->isObjCObjectPointerType()) { 1551 // In ObjC, there is usually no "const ObjectPointer" type, 1552 // so don't check if the pointee type is constant. 1553 isConstant = T.isConstant(Context); 1554 } 1555 1556 if (isConstant) { 1557 if (const Expr *Init = VD->getAnyInitializer()) 1558 return SemaCheckStringLiteral(Init, Args, NumArgs, 1559 HasVAListArg, format_idx, firstDataArg, 1560 Type, /*inFunctionCall*/false); 1561 } 1562 1563 // For vprintf* functions (i.e., HasVAListArg==true), we add a 1564 // special check to see if the format string is a function parameter 1565 // of the function calling the printf function. If the function 1566 // has an attribute indicating it is a printf-like function, then we 1567 // should suppress warnings concerning non-literals being used in a call 1568 // to a vprintf function. For example: 1569 // 1570 // void 1571 // logmessage(char const *fmt __attribute__ (format (printf, 1, 2)), ...){ 1572 // va_list ap; 1573 // va_start(ap, fmt); 1574 // vprintf(fmt, ap); // Do NOT emit a warning about "fmt". 1575 // ... 1576 // 1577 if (HasVAListArg) { 1578 if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(VD)) { 1579 if (const NamedDecl *ND = dyn_cast<NamedDecl>(PV->getDeclContext())) { 1580 int PVIndex = PV->getFunctionScopeIndex() + 1; 1581 for (specific_attr_iterator<FormatAttr> 1582 i = ND->specific_attr_begin<FormatAttr>(), 1583 e = ND->specific_attr_end<FormatAttr>(); i != e ; ++i) { 1584 FormatAttr *PVFormat = *i; 1585 // adjust for implicit parameter 1586 if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(ND)) 1587 if (MD->isInstance()) 1588 ++PVIndex; 1589 // We also check if the formats are compatible. 1590 // We can't pass a 'scanf' string to a 'printf' function. 1591 if (PVIndex == PVFormat->getFormatIdx() && 1592 Type == GetFormatStringType(PVFormat)) 1593 return true; 1594 } 1595 } 1596 } 1597 } 1598 } 1599 1600 return false; 1601 } 1602 1603 case Stmt::CallExprClass: 1604 case Stmt::CXXMemberCallExprClass: { 1605 const CallExpr *CE = cast<CallExpr>(E); 1606 if (const NamedDecl *ND = dyn_cast_or_null<NamedDecl>(CE->getCalleeDecl())) { 1607 if (const FormatArgAttr *FA = ND->getAttr<FormatArgAttr>()) { 1608 unsigned ArgIndex = FA->getFormatIdx(); 1609 if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(ND)) 1610 if (MD->isInstance()) 1611 --ArgIndex; 1612 const Expr *Arg = CE->getArg(ArgIndex - 1); 1613 1614 return SemaCheckStringLiteral(Arg, Args, NumArgs, HasVAListArg, 1615 format_idx, firstDataArg, Type, 1616 inFunctionCall); 1617 } 1618 } 1619 1620 return false; 1621 } 1622 case Stmt::ObjCStringLiteralClass: 1623 case Stmt::StringLiteralClass: { 1624 const StringLiteral *StrE = NULL; 1625 1626 if (const ObjCStringLiteral *ObjCFExpr = dyn_cast<ObjCStringLiteral>(E)) 1627 StrE = ObjCFExpr->getString(); 1628 else 1629 StrE = cast<StringLiteral>(E); 1630 1631 if (StrE) { 1632 CheckFormatString(StrE, E, Args, NumArgs, HasVAListArg, format_idx, 1633 firstDataArg, Type, inFunctionCall); 1634 return true; 1635 } 1636 1637 return false; 1638 } 1639 1640 default: 1641 return false; 1642 } 1643 } 1644 1645 void 1646 Sema::CheckNonNullArguments(const NonNullAttr *NonNull, 1647 const Expr * const *ExprArgs, 1648 SourceLocation CallSiteLoc) { 1649 for (NonNullAttr::args_iterator i = NonNull->args_begin(), 1650 e = NonNull->args_end(); 1651 i != e; ++i) { 1652 const Expr *ArgExpr = ExprArgs[*i]; 1653 if (ArgExpr->isNullPointerConstant(Context, 1654 Expr::NPC_ValueDependentIsNotNull)) 1655 Diag(CallSiteLoc, diag::warn_null_arg) << ArgExpr->getSourceRange(); 1656 } 1657 } 1658 1659 Sema::FormatStringType Sema::GetFormatStringType(const FormatAttr *Format) { 1660 return llvm::StringSwitch<FormatStringType>(Format->getType()) 1661 .Case("scanf", FST_Scanf) 1662 .Cases("printf", "printf0", FST_Printf) 1663 .Cases("NSString", "CFString", FST_NSString) 1664 .Case("strftime", FST_Strftime) 1665 .Case("strfmon", FST_Strfmon) 1666 .Cases("kprintf", "cmn_err", "vcmn_err", "zcmn_err", FST_Kprintf) 1667 .Default(FST_Unknown); 1668 } 1669 1670 /// CheckPrintfScanfArguments - Check calls to printf and scanf (and similar 1671 /// functions) for correct use of format strings. 1672 void Sema::CheckFormatArguments(const FormatAttr *Format, CallExpr *TheCall) { 1673 bool IsCXXMember = false; 1674 // The way the format attribute works in GCC, the implicit this argument 1675 // of member functions is counted. However, it doesn't appear in our own 1676 // lists, so decrement format_idx in that case. 1677 IsCXXMember = isa<CXXMemberCallExpr>(TheCall); 1678 CheckFormatArguments(Format, TheCall->getArgs(), TheCall->getNumArgs(), 1679 IsCXXMember, TheCall->getRParenLoc(), 1680 TheCall->getCallee()->getSourceRange()); 1681 } 1682 1683 void Sema::CheckFormatArguments(const FormatAttr *Format, Expr **Args, 1684 unsigned NumArgs, bool IsCXXMember, 1685 SourceLocation Loc, SourceRange Range) { 1686 bool HasVAListArg = Format->getFirstArg() == 0; 1687 unsigned format_idx = Format->getFormatIdx() - 1; 1688 unsigned firstDataArg = HasVAListArg ? 0 : Format->getFirstArg() - 1; 1689 if (IsCXXMember) { 1690 if (format_idx == 0) 1691 return; 1692 --format_idx; 1693 if(firstDataArg != 0) 1694 --firstDataArg; 1695 } 1696 CheckFormatArguments(Args, NumArgs, HasVAListArg, format_idx, 1697 firstDataArg, GetFormatStringType(Format), Loc, Range); 1698 } 1699 1700 void Sema::CheckFormatArguments(Expr **Args, unsigned NumArgs, 1701 bool HasVAListArg, unsigned format_idx, 1702 unsigned firstDataArg, FormatStringType Type, 1703 SourceLocation Loc, SourceRange Range) { 1704 // CHECK: printf/scanf-like function is called with no format string. 1705 if (format_idx >= NumArgs) { 1706 Diag(Loc, diag::warn_missing_format_string) << Range; 1707 return; 1708 } 1709 1710 const Expr *OrigFormatExpr = Args[format_idx]->IgnoreParenCasts(); 1711 1712 // CHECK: format string is not a string literal. 1713 // 1714 // Dynamically generated format strings are difficult to 1715 // automatically vet at compile time. Requiring that format strings 1716 // are string literals: (1) permits the checking of format strings by 1717 // the compiler and thereby (2) can practically remove the source of 1718 // many format string exploits. 1719 1720 // Format string can be either ObjC string (e.g. @"%d") or 1721 // C string (e.g. "%d") 1722 // ObjC string uses the same format specifiers as C string, so we can use 1723 // the same format string checking logic for both ObjC and C strings. 1724 if (SemaCheckStringLiteral(OrigFormatExpr, Args, NumArgs, HasVAListArg, 1725 format_idx, firstDataArg, Type)) 1726 return; // Literal format string found, check done! 1727 1728 // Strftime is particular as it always uses a single 'time' argument, 1729 // so it is safe to pass a non-literal string. 1730 if (Type == FST_Strftime) 1731 return; 1732 1733 // Do not emit diag when the string param is a macro expansion and the 1734 // format is either NSString or CFString. This is a hack to prevent 1735 // diag when using the NSLocalizedString and CFCopyLocalizedString macros 1736 // which are usually used in place of NS and CF string literals. 1737 if (Type == FST_NSString && Args[format_idx]->getLocStart().isMacroID()) 1738 return; 1739 1740 // If there are no arguments specified, warn with -Wformat-security, otherwise 1741 // warn only with -Wformat-nonliteral. 1742 if (NumArgs == format_idx+1) 1743 Diag(Args[format_idx]->getLocStart(), 1744 diag::warn_format_nonliteral_noargs) 1745 << OrigFormatExpr->getSourceRange(); 1746 else 1747 Diag(Args[format_idx]->getLocStart(), 1748 diag::warn_format_nonliteral) 1749 << OrigFormatExpr->getSourceRange(); 1750 } 1751 1752 namespace { 1753 class CheckFormatHandler : public analyze_format_string::FormatStringHandler { 1754 protected: 1755 Sema &S; 1756 const StringLiteral *FExpr; 1757 const Expr *OrigFormatExpr; 1758 const unsigned FirstDataArg; 1759 const unsigned NumDataArgs; 1760 const bool IsObjCLiteral; 1761 const char *Beg; // Start of format string. 1762 const bool HasVAListArg; 1763 const Expr * const *Args; 1764 const unsigned NumArgs; 1765 unsigned FormatIdx; 1766 llvm::BitVector CoveredArgs; 1767 bool usesPositionalArgs; 1768 bool atFirstArg; 1769 bool inFunctionCall; 1770 public: 1771 CheckFormatHandler(Sema &s, const StringLiteral *fexpr, 1772 const Expr *origFormatExpr, unsigned firstDataArg, 1773 unsigned numDataArgs, bool isObjCLiteral, 1774 const char *beg, bool hasVAListArg, 1775 Expr **args, unsigned numArgs, 1776 unsigned formatIdx, bool inFunctionCall) 1777 : S(s), FExpr(fexpr), OrigFormatExpr(origFormatExpr), 1778 FirstDataArg(firstDataArg), 1779 NumDataArgs(numDataArgs), 1780 IsObjCLiteral(isObjCLiteral), Beg(beg), 1781 HasVAListArg(hasVAListArg), 1782 Args(args), NumArgs(numArgs), FormatIdx(formatIdx), 1783 usesPositionalArgs(false), atFirstArg(true), 1784 inFunctionCall(inFunctionCall) { 1785 CoveredArgs.resize(numDataArgs); 1786 CoveredArgs.reset(); 1787 } 1788 1789 void DoneProcessing(); 1790 1791 void HandleIncompleteSpecifier(const char *startSpecifier, 1792 unsigned specifierLen); 1793 1794 void HandleNonStandardLengthModifier( 1795 const analyze_format_string::LengthModifier &LM, 1796 const char *startSpecifier, unsigned specifierLen); 1797 1798 void HandleNonStandardConversionSpecifier( 1799 const analyze_format_string::ConversionSpecifier &CS, 1800 const char *startSpecifier, unsigned specifierLen); 1801 1802 void HandleNonStandardConversionSpecification( 1803 const analyze_format_string::LengthModifier &LM, 1804 const analyze_format_string::ConversionSpecifier &CS, 1805 const char *startSpecifier, unsigned specifierLen); 1806 1807 virtual void HandlePosition(const char *startPos, unsigned posLen); 1808 1809 virtual void HandleInvalidPosition(const char *startSpecifier, 1810 unsigned specifierLen, 1811 analyze_format_string::PositionContext p); 1812 1813 virtual void HandleZeroPosition(const char *startPos, unsigned posLen); 1814 1815 void HandleNullChar(const char *nullCharacter); 1816 1817 template <typename Range> 1818 static void EmitFormatDiagnostic(Sema &S, bool inFunctionCall, 1819 const Expr *ArgumentExpr, 1820 PartialDiagnostic PDiag, 1821 SourceLocation StringLoc, 1822 bool IsStringLocation, Range StringRange, 1823 FixItHint Fixit = FixItHint()); 1824 1825 protected: 1826 bool HandleInvalidConversionSpecifier(unsigned argIndex, SourceLocation Loc, 1827 const char *startSpec, 1828 unsigned specifierLen, 1829 const char *csStart, unsigned csLen); 1830 1831 void HandlePositionalNonpositionalArgs(SourceLocation Loc, 1832 const char *startSpec, 1833 unsigned specifierLen); 1834 1835 SourceRange getFormatStringRange(); 1836 CharSourceRange getSpecifierRange(const char *startSpecifier, 1837 unsigned specifierLen); 1838 SourceLocation getLocationOfByte(const char *x); 1839 1840 const Expr *getDataArg(unsigned i) const; 1841 1842 bool CheckNumArgs(const analyze_format_string::FormatSpecifier &FS, 1843 const analyze_format_string::ConversionSpecifier &CS, 1844 const char *startSpecifier, unsigned specifierLen, 1845 unsigned argIndex); 1846 1847 template <typename Range> 1848 void EmitFormatDiagnostic(PartialDiagnostic PDiag, SourceLocation StringLoc, 1849 bool IsStringLocation, Range StringRange, 1850 FixItHint Fixit = FixItHint()); 1851 1852 void CheckPositionalAndNonpositionalArgs( 1853 const analyze_format_string::FormatSpecifier *FS); 1854 }; 1855 } 1856 1857 SourceRange CheckFormatHandler::getFormatStringRange() { 1858 return OrigFormatExpr->getSourceRange(); 1859 } 1860 1861 CharSourceRange CheckFormatHandler:: 1862 getSpecifierRange(const char *startSpecifier, unsigned specifierLen) { 1863 SourceLocation Start = getLocationOfByte(startSpecifier); 1864 SourceLocation End = getLocationOfByte(startSpecifier + specifierLen - 1); 1865 1866 // Advance the end SourceLocation by one due to half-open ranges. 1867 End = End.getLocWithOffset(1); 1868 1869 return CharSourceRange::getCharRange(Start, End); 1870 } 1871 1872 SourceLocation CheckFormatHandler::getLocationOfByte(const char *x) { 1873 return S.getLocationOfStringLiteralByte(FExpr, x - Beg); 1874 } 1875 1876 void CheckFormatHandler::HandleIncompleteSpecifier(const char *startSpecifier, 1877 unsigned specifierLen){ 1878 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_incomplete_specifier), 1879 getLocationOfByte(startSpecifier), 1880 /*IsStringLocation*/true, 1881 getSpecifierRange(startSpecifier, specifierLen)); 1882 } 1883 1884 void CheckFormatHandler::HandleNonStandardLengthModifier( 1885 const analyze_format_string::LengthModifier &LM, 1886 const char *startSpecifier, unsigned specifierLen) { 1887 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) << LM.toString() 1888 << 0, 1889 getLocationOfByte(LM.getStart()), 1890 /*IsStringLocation*/true, 1891 getSpecifierRange(startSpecifier, specifierLen)); 1892 } 1893 1894 void CheckFormatHandler::HandleNonStandardConversionSpecifier( 1895 const analyze_format_string::ConversionSpecifier &CS, 1896 const char *startSpecifier, unsigned specifierLen) { 1897 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) << CS.toString() 1898 << 1, 1899 getLocationOfByte(CS.getStart()), 1900 /*IsStringLocation*/true, 1901 getSpecifierRange(startSpecifier, specifierLen)); 1902 } 1903 1904 void CheckFormatHandler::HandleNonStandardConversionSpecification( 1905 const analyze_format_string::LengthModifier &LM, 1906 const analyze_format_string::ConversionSpecifier &CS, 1907 const char *startSpecifier, unsigned specifierLen) { 1908 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard_conversion_spec) 1909 << LM.toString() << CS.toString(), 1910 getLocationOfByte(LM.getStart()), 1911 /*IsStringLocation*/true, 1912 getSpecifierRange(startSpecifier, specifierLen)); 1913 } 1914 1915 void CheckFormatHandler::HandlePosition(const char *startPos, 1916 unsigned posLen) { 1917 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard_positional_arg), 1918 getLocationOfByte(startPos), 1919 /*IsStringLocation*/true, 1920 getSpecifierRange(startPos, posLen)); 1921 } 1922 1923 void 1924 CheckFormatHandler::HandleInvalidPosition(const char *startPos, unsigned posLen, 1925 analyze_format_string::PositionContext p) { 1926 EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_positional_specifier) 1927 << (unsigned) p, 1928 getLocationOfByte(startPos), /*IsStringLocation*/true, 1929 getSpecifierRange(startPos, posLen)); 1930 } 1931 1932 void CheckFormatHandler::HandleZeroPosition(const char *startPos, 1933 unsigned posLen) { 1934 EmitFormatDiagnostic(S.PDiag(diag::warn_format_zero_positional_specifier), 1935 getLocationOfByte(startPos), 1936 /*IsStringLocation*/true, 1937 getSpecifierRange(startPos, posLen)); 1938 } 1939 1940 void CheckFormatHandler::HandleNullChar(const char *nullCharacter) { 1941 if (!IsObjCLiteral) { 1942 // The presence of a null character is likely an error. 1943 EmitFormatDiagnostic( 1944 S.PDiag(diag::warn_printf_format_string_contains_null_char), 1945 getLocationOfByte(nullCharacter), /*IsStringLocation*/true, 1946 getFormatStringRange()); 1947 } 1948 } 1949 1950 const Expr *CheckFormatHandler::getDataArg(unsigned i) const { 1951 return Args[FirstDataArg + i]; 1952 } 1953 1954 void CheckFormatHandler::DoneProcessing() { 1955 // Does the number of data arguments exceed the number of 1956 // format conversions in the format string? 1957 if (!HasVAListArg) { 1958 // Find any arguments that weren't covered. 1959 CoveredArgs.flip(); 1960 signed notCoveredArg = CoveredArgs.find_first(); 1961 if (notCoveredArg >= 0) { 1962 assert((unsigned)notCoveredArg < NumDataArgs); 1963 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_data_arg_not_used), 1964 getDataArg((unsigned) notCoveredArg)->getLocStart(), 1965 /*IsStringLocation*/false, getFormatStringRange()); 1966 } 1967 } 1968 } 1969 1970 bool 1971 CheckFormatHandler::HandleInvalidConversionSpecifier(unsigned argIndex, 1972 SourceLocation Loc, 1973 const char *startSpec, 1974 unsigned specifierLen, 1975 const char *csStart, 1976 unsigned csLen) { 1977 1978 bool keepGoing = true; 1979 if (argIndex < NumDataArgs) { 1980 // Consider the argument coverered, even though the specifier doesn't 1981 // make sense. 1982 CoveredArgs.set(argIndex); 1983 } 1984 else { 1985 // If argIndex exceeds the number of data arguments we 1986 // don't issue a warning because that is just a cascade of warnings (and 1987 // they may have intended '%%' anyway). We don't want to continue processing 1988 // the format string after this point, however, as we will like just get 1989 // gibberish when trying to match arguments. 1990 keepGoing = false; 1991 } 1992 1993 EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_conversion) 1994 << StringRef(csStart, csLen), 1995 Loc, /*IsStringLocation*/true, 1996 getSpecifierRange(startSpec, specifierLen)); 1997 1998 return keepGoing; 1999 } 2000 2001 void 2002 CheckFormatHandler::HandlePositionalNonpositionalArgs(SourceLocation Loc, 2003 const char *startSpec, 2004 unsigned specifierLen) { 2005 EmitFormatDiagnostic( 2006 S.PDiag(diag::warn_format_mix_positional_nonpositional_args), 2007 Loc, /*isStringLoc*/true, getSpecifierRange(startSpec, specifierLen)); 2008 } 2009 2010 bool 2011 CheckFormatHandler::CheckNumArgs( 2012 const analyze_format_string::FormatSpecifier &FS, 2013 const analyze_format_string::ConversionSpecifier &CS, 2014 const char *startSpecifier, unsigned specifierLen, unsigned argIndex) { 2015 2016 if (argIndex >= NumDataArgs) { 2017 PartialDiagnostic PDiag = FS.usesPositionalArg() 2018 ? (S.PDiag(diag::warn_printf_positional_arg_exceeds_data_args) 2019 << (argIndex+1) << NumDataArgs) 2020 : S.PDiag(diag::warn_printf_insufficient_data_args); 2021 EmitFormatDiagnostic( 2022 PDiag, getLocationOfByte(CS.getStart()), /*IsStringLocation*/true, 2023 getSpecifierRange(startSpecifier, specifierLen)); 2024 return false; 2025 } 2026 return true; 2027 } 2028 2029 template<typename Range> 2030 void CheckFormatHandler::EmitFormatDiagnostic(PartialDiagnostic PDiag, 2031 SourceLocation Loc, 2032 bool IsStringLocation, 2033 Range StringRange, 2034 FixItHint FixIt) { 2035 EmitFormatDiagnostic(S, inFunctionCall, Args[FormatIdx], PDiag, 2036 Loc, IsStringLocation, StringRange, FixIt); 2037 } 2038 2039 /// \brief If the format string is not within the funcion call, emit a note 2040 /// so that the function call and string are in diagnostic messages. 2041 /// 2042 /// \param inFunctionCall if true, the format string is within the function 2043 /// call and only one diagnostic message will be produced. Otherwise, an 2044 /// extra note will be emitted pointing to location of the format string. 2045 /// 2046 /// \param ArgumentExpr the expression that is passed as the format string 2047 /// argument in the function call. Used for getting locations when two 2048 /// diagnostics are emitted. 2049 /// 2050 /// \param PDiag the callee should already have provided any strings for the 2051 /// diagnostic message. This function only adds locations and fixits 2052 /// to diagnostics. 2053 /// 2054 /// \param Loc primary location for diagnostic. If two diagnostics are 2055 /// required, one will be at Loc and a new SourceLocation will be created for 2056 /// the other one. 2057 /// 2058 /// \param IsStringLocation if true, Loc points to the format string should be 2059 /// used for the note. Otherwise, Loc points to the argument list and will 2060 /// be used with PDiag. 2061 /// 2062 /// \param StringRange some or all of the string to highlight. This is 2063 /// templated so it can accept either a CharSourceRange or a SourceRange. 2064 /// 2065 /// \param Fixit optional fix it hint for the format string. 2066 template<typename Range> 2067 void CheckFormatHandler::EmitFormatDiagnostic(Sema &S, bool InFunctionCall, 2068 const Expr *ArgumentExpr, 2069 PartialDiagnostic PDiag, 2070 SourceLocation Loc, 2071 bool IsStringLocation, 2072 Range StringRange, 2073 FixItHint FixIt) { 2074 if (InFunctionCall) 2075 S.Diag(Loc, PDiag) << StringRange << FixIt; 2076 else { 2077 S.Diag(IsStringLocation ? ArgumentExpr->getExprLoc() : Loc, PDiag) 2078 << ArgumentExpr->getSourceRange(); 2079 S.Diag(IsStringLocation ? Loc : StringRange.getBegin(), 2080 diag::note_format_string_defined) 2081 << StringRange << FixIt; 2082 } 2083 } 2084 2085 //===--- CHECK: Printf format string checking ------------------------------===// 2086 2087 namespace { 2088 class CheckPrintfHandler : public CheckFormatHandler { 2089 public: 2090 CheckPrintfHandler(Sema &s, const StringLiteral *fexpr, 2091 const Expr *origFormatExpr, unsigned firstDataArg, 2092 unsigned numDataArgs, bool isObjCLiteral, 2093 const char *beg, bool hasVAListArg, 2094 Expr **Args, unsigned NumArgs, 2095 unsigned formatIdx, bool inFunctionCall) 2096 : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg, 2097 numDataArgs, isObjCLiteral, beg, hasVAListArg, 2098 Args, NumArgs, formatIdx, inFunctionCall) {} 2099 2100 2101 bool HandleInvalidPrintfConversionSpecifier( 2102 const analyze_printf::PrintfSpecifier &FS, 2103 const char *startSpecifier, 2104 unsigned specifierLen); 2105 2106 bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS, 2107 const char *startSpecifier, 2108 unsigned specifierLen); 2109 2110 bool HandleAmount(const analyze_format_string::OptionalAmount &Amt, unsigned k, 2111 const char *startSpecifier, unsigned specifierLen); 2112 void HandleInvalidAmount(const analyze_printf::PrintfSpecifier &FS, 2113 const analyze_printf::OptionalAmount &Amt, 2114 unsigned type, 2115 const char *startSpecifier, unsigned specifierLen); 2116 void HandleFlag(const analyze_printf::PrintfSpecifier &FS, 2117 const analyze_printf::OptionalFlag &flag, 2118 const char *startSpecifier, unsigned specifierLen); 2119 void HandleIgnoredFlag(const analyze_printf::PrintfSpecifier &FS, 2120 const analyze_printf::OptionalFlag &ignoredFlag, 2121 const analyze_printf::OptionalFlag &flag, 2122 const char *startSpecifier, unsigned specifierLen); 2123 }; 2124 } 2125 2126 bool CheckPrintfHandler::HandleInvalidPrintfConversionSpecifier( 2127 const analyze_printf::PrintfSpecifier &FS, 2128 const char *startSpecifier, 2129 unsigned specifierLen) { 2130 const analyze_printf::PrintfConversionSpecifier &CS = 2131 FS.getConversionSpecifier(); 2132 2133 return HandleInvalidConversionSpecifier(FS.getArgIndex(), 2134 getLocationOfByte(CS.getStart()), 2135 startSpecifier, specifierLen, 2136 CS.getStart(), CS.getLength()); 2137 } 2138 2139 bool CheckPrintfHandler::HandleAmount( 2140 const analyze_format_string::OptionalAmount &Amt, 2141 unsigned k, const char *startSpecifier, 2142 unsigned specifierLen) { 2143 2144 if (Amt.hasDataArgument()) { 2145 if (!HasVAListArg) { 2146 unsigned argIndex = Amt.getArgIndex(); 2147 if (argIndex >= NumDataArgs) { 2148 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_missing_arg) 2149 << k, 2150 getLocationOfByte(Amt.getStart()), 2151 /*IsStringLocation*/true, 2152 getSpecifierRange(startSpecifier, specifierLen)); 2153 // Don't do any more checking. We will just emit 2154 // spurious errors. 2155 return false; 2156 } 2157 2158 // Type check the data argument. It should be an 'int'. 2159 // Although not in conformance with C99, we also allow the argument to be 2160 // an 'unsigned int' as that is a reasonably safe case. GCC also 2161 // doesn't emit a warning for that case. 2162 CoveredArgs.set(argIndex); 2163 const Expr *Arg = getDataArg(argIndex); 2164 QualType T = Arg->getType(); 2165 2166 const analyze_printf::ArgTypeResult &ATR = Amt.getArgType(S.Context); 2167 assert(ATR.isValid()); 2168 2169 if (!ATR.matchesType(S.Context, T)) { 2170 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_wrong_type) 2171 << k << ATR.getRepresentativeTypeName(S.Context) 2172 << T << Arg->getSourceRange(), 2173 getLocationOfByte(Amt.getStart()), 2174 /*IsStringLocation*/true, 2175 getSpecifierRange(startSpecifier, specifierLen)); 2176 // Don't do any more checking. We will just emit 2177 // spurious errors. 2178 return false; 2179 } 2180 } 2181 } 2182 return true; 2183 } 2184 2185 void CheckPrintfHandler::HandleInvalidAmount( 2186 const analyze_printf::PrintfSpecifier &FS, 2187 const analyze_printf::OptionalAmount &Amt, 2188 unsigned type, 2189 const char *startSpecifier, 2190 unsigned specifierLen) { 2191 const analyze_printf::PrintfConversionSpecifier &CS = 2192 FS.getConversionSpecifier(); 2193 2194 FixItHint fixit = 2195 Amt.getHowSpecified() == analyze_printf::OptionalAmount::Constant 2196 ? FixItHint::CreateRemoval(getSpecifierRange(Amt.getStart(), 2197 Amt.getConstantLength())) 2198 : FixItHint(); 2199 2200 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_optional_amount) 2201 << type << CS.toString(), 2202 getLocationOfByte(Amt.getStart()), 2203 /*IsStringLocation*/true, 2204 getSpecifierRange(startSpecifier, specifierLen), 2205 fixit); 2206 } 2207 2208 void CheckPrintfHandler::HandleFlag(const analyze_printf::PrintfSpecifier &FS, 2209 const analyze_printf::OptionalFlag &flag, 2210 const char *startSpecifier, 2211 unsigned specifierLen) { 2212 // Warn about pointless flag with a fixit removal. 2213 const analyze_printf::PrintfConversionSpecifier &CS = 2214 FS.getConversionSpecifier(); 2215 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_flag) 2216 << flag.toString() << CS.toString(), 2217 getLocationOfByte(flag.getPosition()), 2218 /*IsStringLocation*/true, 2219 getSpecifierRange(startSpecifier, specifierLen), 2220 FixItHint::CreateRemoval( 2221 getSpecifierRange(flag.getPosition(), 1))); 2222 } 2223 2224 void CheckPrintfHandler::HandleIgnoredFlag( 2225 const analyze_printf::PrintfSpecifier &FS, 2226 const analyze_printf::OptionalFlag &ignoredFlag, 2227 const analyze_printf::OptionalFlag &flag, 2228 const char *startSpecifier, 2229 unsigned specifierLen) { 2230 // Warn about ignored flag with a fixit removal. 2231 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_ignored_flag) 2232 << ignoredFlag.toString() << flag.toString(), 2233 getLocationOfByte(ignoredFlag.getPosition()), 2234 /*IsStringLocation*/true, 2235 getSpecifierRange(startSpecifier, specifierLen), 2236 FixItHint::CreateRemoval( 2237 getSpecifierRange(ignoredFlag.getPosition(), 1))); 2238 } 2239 2240 bool 2241 CheckPrintfHandler::HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier 2242 &FS, 2243 const char *startSpecifier, 2244 unsigned specifierLen) { 2245 2246 using namespace analyze_format_string; 2247 using namespace analyze_printf; 2248 const PrintfConversionSpecifier &CS = FS.getConversionSpecifier(); 2249 2250 if (FS.consumesDataArgument()) { 2251 if (atFirstArg) { 2252 atFirstArg = false; 2253 usesPositionalArgs = FS.usesPositionalArg(); 2254 } 2255 else if (usesPositionalArgs != FS.usesPositionalArg()) { 2256 HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()), 2257 startSpecifier, specifierLen); 2258 return false; 2259 } 2260 } 2261 2262 // First check if the field width, precision, and conversion specifier 2263 // have matching data arguments. 2264 if (!HandleAmount(FS.getFieldWidth(), /* field width */ 0, 2265 startSpecifier, specifierLen)) { 2266 return false; 2267 } 2268 2269 if (!HandleAmount(FS.getPrecision(), /* precision */ 1, 2270 startSpecifier, specifierLen)) { 2271 return false; 2272 } 2273 2274 if (!CS.consumesDataArgument()) { 2275 // FIXME: Technically specifying a precision or field width here 2276 // makes no sense. Worth issuing a warning at some point. 2277 return true; 2278 } 2279 2280 // Consume the argument. 2281 unsigned argIndex = FS.getArgIndex(); 2282 if (argIndex < NumDataArgs) { 2283 // The check to see if the argIndex is valid will come later. 2284 // We set the bit here because we may exit early from this 2285 // function if we encounter some other error. 2286 CoveredArgs.set(argIndex); 2287 } 2288 2289 // Check for using an Objective-C specific conversion specifier 2290 // in a non-ObjC literal. 2291 if (!IsObjCLiteral && CS.isObjCArg()) { 2292 return HandleInvalidPrintfConversionSpecifier(FS, startSpecifier, 2293 specifierLen); 2294 } 2295 2296 // Check for invalid use of field width 2297 if (!FS.hasValidFieldWidth()) { 2298 HandleInvalidAmount(FS, FS.getFieldWidth(), /* field width */ 0, 2299 startSpecifier, specifierLen); 2300 } 2301 2302 // Check for invalid use of precision 2303 if (!FS.hasValidPrecision()) { 2304 HandleInvalidAmount(FS, FS.getPrecision(), /* precision */ 1, 2305 startSpecifier, specifierLen); 2306 } 2307 2308 // Check each flag does not conflict with any other component. 2309 if (!FS.hasValidThousandsGroupingPrefix()) 2310 HandleFlag(FS, FS.hasThousandsGrouping(), startSpecifier, specifierLen); 2311 if (!FS.hasValidLeadingZeros()) 2312 HandleFlag(FS, FS.hasLeadingZeros(), startSpecifier, specifierLen); 2313 if (!FS.hasValidPlusPrefix()) 2314 HandleFlag(FS, FS.hasPlusPrefix(), startSpecifier, specifierLen); 2315 if (!FS.hasValidSpacePrefix()) 2316 HandleFlag(FS, FS.hasSpacePrefix(), startSpecifier, specifierLen); 2317 if (!FS.hasValidAlternativeForm()) 2318 HandleFlag(FS, FS.hasAlternativeForm(), startSpecifier, specifierLen); 2319 if (!FS.hasValidLeftJustified()) 2320 HandleFlag(FS, FS.isLeftJustified(), startSpecifier, specifierLen); 2321 2322 // Check that flags are not ignored by another flag 2323 if (FS.hasSpacePrefix() && FS.hasPlusPrefix()) // ' ' ignored by '+' 2324 HandleIgnoredFlag(FS, FS.hasSpacePrefix(), FS.hasPlusPrefix(), 2325 startSpecifier, specifierLen); 2326 if (FS.hasLeadingZeros() && FS.isLeftJustified()) // '0' ignored by '-' 2327 HandleIgnoredFlag(FS, FS.hasLeadingZeros(), FS.isLeftJustified(), 2328 startSpecifier, specifierLen); 2329 2330 // Check the length modifier is valid with the given conversion specifier. 2331 const LengthModifier &LM = FS.getLengthModifier(); 2332 if (!FS.hasValidLengthModifier()) 2333 EmitFormatDiagnostic(S.PDiag(diag::warn_format_nonsensical_length) 2334 << LM.toString() << CS.toString(), 2335 getLocationOfByte(LM.getStart()), 2336 /*IsStringLocation*/true, 2337 getSpecifierRange(startSpecifier, specifierLen), 2338 FixItHint::CreateRemoval( 2339 getSpecifierRange(LM.getStart(), 2340 LM.getLength()))); 2341 if (!FS.hasStandardLengthModifier()) 2342 HandleNonStandardLengthModifier(LM, startSpecifier, specifierLen); 2343 if (!FS.hasStandardConversionSpecifier(S.getLangOpts())) 2344 HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen); 2345 if (!FS.hasStandardLengthConversionCombination()) 2346 HandleNonStandardConversionSpecification(LM, CS, startSpecifier, 2347 specifierLen); 2348 2349 // Are we using '%n'? 2350 if (CS.getKind() == ConversionSpecifier::nArg) { 2351 // Issue a warning about this being a possible security issue. 2352 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_write_back), 2353 getLocationOfByte(CS.getStart()), 2354 /*IsStringLocation*/true, 2355 getSpecifierRange(startSpecifier, specifierLen)); 2356 // Continue checking the other format specifiers. 2357 return true; 2358 } 2359 2360 // The remaining checks depend on the data arguments. 2361 if (HasVAListArg) 2362 return true; 2363 2364 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex)) 2365 return false; 2366 2367 // Now type check the data expression that matches the 2368 // format specifier. 2369 const Expr *Ex = getDataArg(argIndex); 2370 const analyze_printf::ArgTypeResult &ATR = FS.getArgType(S.Context, 2371 IsObjCLiteral); 2372 if (ATR.isValid() && !ATR.matchesType(S.Context, Ex->getType())) { 2373 // Check if we didn't match because of an implicit cast from a 'char' 2374 // or 'short' to an 'int'. This is done because printf is a varargs 2375 // function. 2376 if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Ex)) 2377 if (ICE->getType() == S.Context.IntTy) { 2378 // All further checking is done on the subexpression. 2379 Ex = ICE->getSubExpr(); 2380 if (ATR.matchesType(S.Context, Ex->getType())) 2381 return true; 2382 } 2383 2384 // We may be able to offer a FixItHint if it is a supported type. 2385 PrintfSpecifier fixedFS = FS; 2386 bool success = fixedFS.fixType(Ex->getType(), S.getLangOpts(), 2387 S.Context, IsObjCLiteral); 2388 2389 if (success) { 2390 // Get the fix string from the fixed format specifier 2391 SmallString<128> buf; 2392 llvm::raw_svector_ostream os(buf); 2393 fixedFS.toString(os); 2394 2395 EmitFormatDiagnostic( 2396 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 2397 << ATR.getRepresentativeTypeName(S.Context) << Ex->getType() 2398 << Ex->getSourceRange(), 2399 getLocationOfByte(CS.getStart()), 2400 /*IsStringLocation*/true, 2401 getSpecifierRange(startSpecifier, specifierLen), 2402 FixItHint::CreateReplacement( 2403 getSpecifierRange(startSpecifier, specifierLen), 2404 os.str())); 2405 } 2406 else { 2407 EmitFormatDiagnostic( 2408 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 2409 << ATR.getRepresentativeTypeName(S.Context) << Ex->getType() 2410 << getSpecifierRange(startSpecifier, specifierLen) 2411 << Ex->getSourceRange(), 2412 getLocationOfByte(CS.getStart()), 2413 true, 2414 getSpecifierRange(startSpecifier, specifierLen)); 2415 } 2416 } 2417 2418 return true; 2419 } 2420 2421 //===--- CHECK: Scanf format string checking ------------------------------===// 2422 2423 namespace { 2424 class CheckScanfHandler : public CheckFormatHandler { 2425 public: 2426 CheckScanfHandler(Sema &s, const StringLiteral *fexpr, 2427 const Expr *origFormatExpr, unsigned firstDataArg, 2428 unsigned numDataArgs, bool isObjCLiteral, 2429 const char *beg, bool hasVAListArg, 2430 Expr **Args, unsigned NumArgs, 2431 unsigned formatIdx, bool inFunctionCall) 2432 : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg, 2433 numDataArgs, isObjCLiteral, beg, hasVAListArg, 2434 Args, NumArgs, formatIdx, inFunctionCall) {} 2435 2436 bool HandleScanfSpecifier(const analyze_scanf::ScanfSpecifier &FS, 2437 const char *startSpecifier, 2438 unsigned specifierLen); 2439 2440 bool HandleInvalidScanfConversionSpecifier( 2441 const analyze_scanf::ScanfSpecifier &FS, 2442 const char *startSpecifier, 2443 unsigned specifierLen); 2444 2445 void HandleIncompleteScanList(const char *start, const char *end); 2446 }; 2447 } 2448 2449 void CheckScanfHandler::HandleIncompleteScanList(const char *start, 2450 const char *end) { 2451 EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_scanlist_incomplete), 2452 getLocationOfByte(end), /*IsStringLocation*/true, 2453 getSpecifierRange(start, end - start)); 2454 } 2455 2456 bool CheckScanfHandler::HandleInvalidScanfConversionSpecifier( 2457 const analyze_scanf::ScanfSpecifier &FS, 2458 const char *startSpecifier, 2459 unsigned specifierLen) { 2460 2461 const analyze_scanf::ScanfConversionSpecifier &CS = 2462 FS.getConversionSpecifier(); 2463 2464 return HandleInvalidConversionSpecifier(FS.getArgIndex(), 2465 getLocationOfByte(CS.getStart()), 2466 startSpecifier, specifierLen, 2467 CS.getStart(), CS.getLength()); 2468 } 2469 2470 bool CheckScanfHandler::HandleScanfSpecifier( 2471 const analyze_scanf::ScanfSpecifier &FS, 2472 const char *startSpecifier, 2473 unsigned specifierLen) { 2474 2475 using namespace analyze_scanf; 2476 using namespace analyze_format_string; 2477 2478 const ScanfConversionSpecifier &CS = FS.getConversionSpecifier(); 2479 2480 // Handle case where '%' and '*' don't consume an argument. These shouldn't 2481 // be used to decide if we are using positional arguments consistently. 2482 if (FS.consumesDataArgument()) { 2483 if (atFirstArg) { 2484 atFirstArg = false; 2485 usesPositionalArgs = FS.usesPositionalArg(); 2486 } 2487 else if (usesPositionalArgs != FS.usesPositionalArg()) { 2488 HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()), 2489 startSpecifier, specifierLen); 2490 return false; 2491 } 2492 } 2493 2494 // Check if the field with is non-zero. 2495 const OptionalAmount &Amt = FS.getFieldWidth(); 2496 if (Amt.getHowSpecified() == OptionalAmount::Constant) { 2497 if (Amt.getConstantAmount() == 0) { 2498 const CharSourceRange &R = getSpecifierRange(Amt.getStart(), 2499 Amt.getConstantLength()); 2500 EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_nonzero_width), 2501 getLocationOfByte(Amt.getStart()), 2502 /*IsStringLocation*/true, R, 2503 FixItHint::CreateRemoval(R)); 2504 } 2505 } 2506 2507 if (!FS.consumesDataArgument()) { 2508 // FIXME: Technically specifying a precision or field width here 2509 // makes no sense. Worth issuing a warning at some point. 2510 return true; 2511 } 2512 2513 // Consume the argument. 2514 unsigned argIndex = FS.getArgIndex(); 2515 if (argIndex < NumDataArgs) { 2516 // The check to see if the argIndex is valid will come later. 2517 // We set the bit here because we may exit early from this 2518 // function if we encounter some other error. 2519 CoveredArgs.set(argIndex); 2520 } 2521 2522 // Check the length modifier is valid with the given conversion specifier. 2523 const LengthModifier &LM = FS.getLengthModifier(); 2524 if (!FS.hasValidLengthModifier()) { 2525 const CharSourceRange &R = getSpecifierRange(LM.getStart(), LM.getLength()); 2526 EmitFormatDiagnostic(S.PDiag(diag::warn_format_nonsensical_length) 2527 << LM.toString() << CS.toString() 2528 << getSpecifierRange(startSpecifier, specifierLen), 2529 getLocationOfByte(LM.getStart()), 2530 /*IsStringLocation*/true, R, 2531 FixItHint::CreateRemoval(R)); 2532 } 2533 2534 if (!FS.hasStandardLengthModifier()) 2535 HandleNonStandardLengthModifier(LM, startSpecifier, specifierLen); 2536 if (!FS.hasStandardConversionSpecifier(S.getLangOpts())) 2537 HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen); 2538 if (!FS.hasStandardLengthConversionCombination()) 2539 HandleNonStandardConversionSpecification(LM, CS, startSpecifier, 2540 specifierLen); 2541 2542 // The remaining checks depend on the data arguments. 2543 if (HasVAListArg) 2544 return true; 2545 2546 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex)) 2547 return false; 2548 2549 // Check that the argument type matches the format specifier. 2550 const Expr *Ex = getDataArg(argIndex); 2551 const analyze_scanf::ScanfArgTypeResult &ATR = FS.getArgType(S.Context); 2552 if (ATR.isValid() && !ATR.matchesType(S.Context, Ex->getType())) { 2553 ScanfSpecifier fixedFS = FS; 2554 bool success = fixedFS.fixType(Ex->getType(), S.getLangOpts(), 2555 S.Context); 2556 2557 if (success) { 2558 // Get the fix string from the fixed format specifier. 2559 SmallString<128> buf; 2560 llvm::raw_svector_ostream os(buf); 2561 fixedFS.toString(os); 2562 2563 EmitFormatDiagnostic( 2564 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 2565 << ATR.getRepresentativeTypeName(S.Context) << Ex->getType() 2566 << Ex->getSourceRange(), 2567 getLocationOfByte(CS.getStart()), 2568 /*IsStringLocation*/true, 2569 getSpecifierRange(startSpecifier, specifierLen), 2570 FixItHint::CreateReplacement( 2571 getSpecifierRange(startSpecifier, specifierLen), 2572 os.str())); 2573 } else { 2574 EmitFormatDiagnostic( 2575 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 2576 << ATR.getRepresentativeTypeName(S.Context) << Ex->getType() 2577 << Ex->getSourceRange(), 2578 getLocationOfByte(CS.getStart()), 2579 /*IsStringLocation*/true, 2580 getSpecifierRange(startSpecifier, specifierLen)); 2581 } 2582 } 2583 2584 return true; 2585 } 2586 2587 void Sema::CheckFormatString(const StringLiteral *FExpr, 2588 const Expr *OrigFormatExpr, 2589 Expr **Args, unsigned NumArgs, 2590 bool HasVAListArg, unsigned format_idx, 2591 unsigned firstDataArg, FormatStringType Type, 2592 bool inFunctionCall) { 2593 2594 // CHECK: is the format string a wide literal? 2595 if (!FExpr->isAscii()) { 2596 CheckFormatHandler::EmitFormatDiagnostic( 2597 *this, inFunctionCall, Args[format_idx], 2598 PDiag(diag::warn_format_string_is_wide_literal), FExpr->getLocStart(), 2599 /*IsStringLocation*/true, OrigFormatExpr->getSourceRange()); 2600 return; 2601 } 2602 2603 // Str - The format string. NOTE: this is NOT null-terminated! 2604 StringRef StrRef = FExpr->getString(); 2605 const char *Str = StrRef.data(); 2606 unsigned StrLen = StrRef.size(); 2607 const unsigned numDataArgs = NumArgs - firstDataArg; 2608 2609 // CHECK: empty format string? 2610 if (StrLen == 0 && numDataArgs > 0) { 2611 CheckFormatHandler::EmitFormatDiagnostic( 2612 *this, inFunctionCall, Args[format_idx], 2613 PDiag(diag::warn_empty_format_string), FExpr->getLocStart(), 2614 /*IsStringLocation*/true, OrigFormatExpr->getSourceRange()); 2615 return; 2616 } 2617 2618 if (Type == FST_Printf || Type == FST_NSString) { 2619 CheckPrintfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, 2620 numDataArgs, isa<ObjCStringLiteral>(OrigFormatExpr), 2621 Str, HasVAListArg, Args, NumArgs, format_idx, 2622 inFunctionCall); 2623 2624 if (!analyze_format_string::ParsePrintfString(H, Str, Str + StrLen, 2625 getLangOpts())) 2626 H.DoneProcessing(); 2627 } else if (Type == FST_Scanf) { 2628 CheckScanfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, 2629 numDataArgs, isa<ObjCStringLiteral>(OrigFormatExpr), 2630 Str, HasVAListArg, Args, NumArgs, format_idx, 2631 inFunctionCall); 2632 2633 if (!analyze_format_string::ParseScanfString(H, Str, Str + StrLen, 2634 getLangOpts())) 2635 H.DoneProcessing(); 2636 } // TODO: handle other formats 2637 } 2638 2639 //===--- CHECK: Standard memory functions ---------------------------------===// 2640 2641 /// \brief Determine whether the given type is a dynamic class type (e.g., 2642 /// whether it has a vtable). 2643 static bool isDynamicClassType(QualType T) { 2644 if (CXXRecordDecl *Record = T->getAsCXXRecordDecl()) 2645 if (CXXRecordDecl *Definition = Record->getDefinition()) 2646 if (Definition->isDynamicClass()) 2647 return true; 2648 2649 return false; 2650 } 2651 2652 /// \brief If E is a sizeof expression, returns its argument expression, 2653 /// otherwise returns NULL. 2654 static const Expr *getSizeOfExprArg(const Expr* E) { 2655 if (const UnaryExprOrTypeTraitExpr *SizeOf = 2656 dyn_cast<UnaryExprOrTypeTraitExpr>(E)) 2657 if (SizeOf->getKind() == clang::UETT_SizeOf && !SizeOf->isArgumentType()) 2658 return SizeOf->getArgumentExpr()->IgnoreParenImpCasts(); 2659 2660 return 0; 2661 } 2662 2663 /// \brief If E is a sizeof expression, returns its argument type. 2664 static QualType getSizeOfArgType(const Expr* E) { 2665 if (const UnaryExprOrTypeTraitExpr *SizeOf = 2666 dyn_cast<UnaryExprOrTypeTraitExpr>(E)) 2667 if (SizeOf->getKind() == clang::UETT_SizeOf) 2668 return SizeOf->getTypeOfArgument(); 2669 2670 return QualType(); 2671 } 2672 2673 /// \brief Check for dangerous or invalid arguments to memset(). 2674 /// 2675 /// This issues warnings on known problematic, dangerous or unspecified 2676 /// arguments to the standard 'memset', 'memcpy', 'memmove', and 'memcmp' 2677 /// function calls. 2678 /// 2679 /// \param Call The call expression to diagnose. 2680 void Sema::CheckMemaccessArguments(const CallExpr *Call, 2681 unsigned BId, 2682 IdentifierInfo *FnName) { 2683 assert(BId != 0); 2684 2685 // It is possible to have a non-standard definition of memset. Validate 2686 // we have enough arguments, and if not, abort further checking. 2687 unsigned ExpectedNumArgs = (BId == Builtin::BIstrndup ? 2 : 3); 2688 if (Call->getNumArgs() < ExpectedNumArgs) 2689 return; 2690 2691 unsigned LastArg = (BId == Builtin::BImemset || 2692 BId == Builtin::BIstrndup ? 1 : 2); 2693 unsigned LenArg = (BId == Builtin::BIstrndup ? 1 : 2); 2694 const Expr *LenExpr = Call->getArg(LenArg)->IgnoreParenImpCasts(); 2695 2696 // We have special checking when the length is a sizeof expression. 2697 QualType SizeOfArgTy = getSizeOfArgType(LenExpr); 2698 const Expr *SizeOfArg = getSizeOfExprArg(LenExpr); 2699 llvm::FoldingSetNodeID SizeOfArgID; 2700 2701 for (unsigned ArgIdx = 0; ArgIdx != LastArg; ++ArgIdx) { 2702 const Expr *Dest = Call->getArg(ArgIdx)->IgnoreParenImpCasts(); 2703 SourceRange ArgRange = Call->getArg(ArgIdx)->getSourceRange(); 2704 2705 QualType DestTy = Dest->getType(); 2706 if (const PointerType *DestPtrTy = DestTy->getAs<PointerType>()) { 2707 QualType PointeeTy = DestPtrTy->getPointeeType(); 2708 2709 // Never warn about void type pointers. This can be used to suppress 2710 // false positives. 2711 if (PointeeTy->isVoidType()) 2712 continue; 2713 2714 // Catch "memset(p, 0, sizeof(p))" -- needs to be sizeof(*p). Do this by 2715 // actually comparing the expressions for equality. Because computing the 2716 // expression IDs can be expensive, we only do this if the diagnostic is 2717 // enabled. 2718 if (SizeOfArg && 2719 Diags.getDiagnosticLevel(diag::warn_sizeof_pointer_expr_memaccess, 2720 SizeOfArg->getExprLoc())) { 2721 // We only compute IDs for expressions if the warning is enabled, and 2722 // cache the sizeof arg's ID. 2723 if (SizeOfArgID == llvm::FoldingSetNodeID()) 2724 SizeOfArg->Profile(SizeOfArgID, Context, true); 2725 llvm::FoldingSetNodeID DestID; 2726 Dest->Profile(DestID, Context, true); 2727 if (DestID == SizeOfArgID) { 2728 // TODO: For strncpy() and friends, this could suggest sizeof(dst) 2729 // over sizeof(src) as well. 2730 unsigned ActionIdx = 0; // Default is to suggest dereferencing. 2731 if (const UnaryOperator *UnaryOp = dyn_cast<UnaryOperator>(Dest)) 2732 if (UnaryOp->getOpcode() == UO_AddrOf) 2733 ActionIdx = 1; // If its an address-of operator, just remove it. 2734 if (Context.getTypeSize(PointeeTy) == Context.getCharWidth()) 2735 ActionIdx = 2; // If the pointee's size is sizeof(char), 2736 // suggest an explicit length. 2737 unsigned DestSrcSelect = 2738 (BId == Builtin::BIstrndup ? 1 : ArgIdx); 2739 DiagRuntimeBehavior(SizeOfArg->getExprLoc(), Dest, 2740 PDiag(diag::warn_sizeof_pointer_expr_memaccess) 2741 << FnName << DestSrcSelect << ActionIdx 2742 << Dest->getSourceRange() 2743 << SizeOfArg->getSourceRange()); 2744 break; 2745 } 2746 } 2747 2748 // Also check for cases where the sizeof argument is the exact same 2749 // type as the memory argument, and where it points to a user-defined 2750 // record type. 2751 if (SizeOfArgTy != QualType()) { 2752 if (PointeeTy->isRecordType() && 2753 Context.typesAreCompatible(SizeOfArgTy, DestTy)) { 2754 DiagRuntimeBehavior(LenExpr->getExprLoc(), Dest, 2755 PDiag(diag::warn_sizeof_pointer_type_memaccess) 2756 << FnName << SizeOfArgTy << ArgIdx 2757 << PointeeTy << Dest->getSourceRange() 2758 << LenExpr->getSourceRange()); 2759 break; 2760 } 2761 } 2762 2763 // Always complain about dynamic classes. 2764 if (isDynamicClassType(PointeeTy)) { 2765 2766 unsigned OperationType = 0; 2767 // "overwritten" if we're warning about the destination for any call 2768 // but memcmp; otherwise a verb appropriate to the call. 2769 if (ArgIdx != 0 || BId == Builtin::BImemcmp) { 2770 if (BId == Builtin::BImemcpy) 2771 OperationType = 1; 2772 else if(BId == Builtin::BImemmove) 2773 OperationType = 2; 2774 else if (BId == Builtin::BImemcmp) 2775 OperationType = 3; 2776 } 2777 2778 DiagRuntimeBehavior( 2779 Dest->getExprLoc(), Dest, 2780 PDiag(diag::warn_dyn_class_memaccess) 2781 << (BId == Builtin::BImemcmp ? ArgIdx + 2 : ArgIdx) 2782 << FnName << PointeeTy 2783 << OperationType 2784 << Call->getCallee()->getSourceRange()); 2785 } else if (PointeeTy.hasNonTrivialObjCLifetime() && 2786 BId != Builtin::BImemset) 2787 DiagRuntimeBehavior( 2788 Dest->getExprLoc(), Dest, 2789 PDiag(diag::warn_arc_object_memaccess) 2790 << ArgIdx << FnName << PointeeTy 2791 << Call->getCallee()->getSourceRange()); 2792 else 2793 continue; 2794 2795 DiagRuntimeBehavior( 2796 Dest->getExprLoc(), Dest, 2797 PDiag(diag::note_bad_memaccess_silence) 2798 << FixItHint::CreateInsertion(ArgRange.getBegin(), "(void*)")); 2799 break; 2800 } 2801 } 2802 } 2803 2804 // A little helper routine: ignore addition and subtraction of integer literals. 2805 // This intentionally does not ignore all integer constant expressions because 2806 // we don't want to remove sizeof(). 2807 static const Expr *ignoreLiteralAdditions(const Expr *Ex, ASTContext &Ctx) { 2808 Ex = Ex->IgnoreParenCasts(); 2809 2810 for (;;) { 2811 const BinaryOperator * BO = dyn_cast<BinaryOperator>(Ex); 2812 if (!BO || !BO->isAdditiveOp()) 2813 break; 2814 2815 const Expr *RHS = BO->getRHS()->IgnoreParenCasts(); 2816 const Expr *LHS = BO->getLHS()->IgnoreParenCasts(); 2817 2818 if (isa<IntegerLiteral>(RHS)) 2819 Ex = LHS; 2820 else if (isa<IntegerLiteral>(LHS)) 2821 Ex = RHS; 2822 else 2823 break; 2824 } 2825 2826 return Ex; 2827 } 2828 2829 // Warn if the user has made the 'size' argument to strlcpy or strlcat 2830 // be the size of the source, instead of the destination. 2831 void Sema::CheckStrlcpycatArguments(const CallExpr *Call, 2832 IdentifierInfo *FnName) { 2833 2834 // Don't crash if the user has the wrong number of arguments 2835 if (Call->getNumArgs() != 3) 2836 return; 2837 2838 const Expr *SrcArg = ignoreLiteralAdditions(Call->getArg(1), Context); 2839 const Expr *SizeArg = ignoreLiteralAdditions(Call->getArg(2), Context); 2840 const Expr *CompareWithSrc = NULL; 2841 2842 // Look for 'strlcpy(dst, x, sizeof(x))' 2843 if (const Expr *Ex = getSizeOfExprArg(SizeArg)) 2844 CompareWithSrc = Ex; 2845 else { 2846 // Look for 'strlcpy(dst, x, strlen(x))' 2847 if (const CallExpr *SizeCall = dyn_cast<CallExpr>(SizeArg)) { 2848 if (SizeCall->isBuiltinCall() == Builtin::BIstrlen 2849 && SizeCall->getNumArgs() == 1) 2850 CompareWithSrc = ignoreLiteralAdditions(SizeCall->getArg(0), Context); 2851 } 2852 } 2853 2854 if (!CompareWithSrc) 2855 return; 2856 2857 // Determine if the argument to sizeof/strlen is equal to the source 2858 // argument. In principle there's all kinds of things you could do 2859 // here, for instance creating an == expression and evaluating it with 2860 // EvaluateAsBooleanCondition, but this uses a more direct technique: 2861 const DeclRefExpr *SrcArgDRE = dyn_cast<DeclRefExpr>(SrcArg); 2862 if (!SrcArgDRE) 2863 return; 2864 2865 const DeclRefExpr *CompareWithSrcDRE = dyn_cast<DeclRefExpr>(CompareWithSrc); 2866 if (!CompareWithSrcDRE || 2867 SrcArgDRE->getDecl() != CompareWithSrcDRE->getDecl()) 2868 return; 2869 2870 const Expr *OriginalSizeArg = Call->getArg(2); 2871 Diag(CompareWithSrcDRE->getLocStart(), diag::warn_strlcpycat_wrong_size) 2872 << OriginalSizeArg->getSourceRange() << FnName; 2873 2874 // Output a FIXIT hint if the destination is an array (rather than a 2875 // pointer to an array). This could be enhanced to handle some 2876 // pointers if we know the actual size, like if DstArg is 'array+2' 2877 // we could say 'sizeof(array)-2'. 2878 const Expr *DstArg = Call->getArg(0)->IgnoreParenImpCasts(); 2879 QualType DstArgTy = DstArg->getType(); 2880 2881 // Only handle constant-sized or VLAs, but not flexible members. 2882 if (const ConstantArrayType *CAT = Context.getAsConstantArrayType(DstArgTy)) { 2883 // Only issue the FIXIT for arrays of size > 1. 2884 if (CAT->getSize().getSExtValue() <= 1) 2885 return; 2886 } else if (!DstArgTy->isVariableArrayType()) { 2887 return; 2888 } 2889 2890 SmallString<128> sizeString; 2891 llvm::raw_svector_ostream OS(sizeString); 2892 OS << "sizeof("; 2893 DstArg->printPretty(OS, Context, 0, getPrintingPolicy()); 2894 OS << ")"; 2895 2896 Diag(OriginalSizeArg->getLocStart(), diag::note_strlcpycat_wrong_size) 2897 << FixItHint::CreateReplacement(OriginalSizeArg->getSourceRange(), 2898 OS.str()); 2899 } 2900 2901 /// Check if two expressions refer to the same declaration. 2902 static bool referToTheSameDecl(const Expr *E1, const Expr *E2) { 2903 if (const DeclRefExpr *D1 = dyn_cast_or_null<DeclRefExpr>(E1)) 2904 if (const DeclRefExpr *D2 = dyn_cast_or_null<DeclRefExpr>(E2)) 2905 return D1->getDecl() == D2->getDecl(); 2906 return false; 2907 } 2908 2909 static const Expr *getStrlenExprArg(const Expr *E) { 2910 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { 2911 const FunctionDecl *FD = CE->getDirectCallee(); 2912 if (!FD || FD->getMemoryFunctionKind() != Builtin::BIstrlen) 2913 return 0; 2914 return CE->getArg(0)->IgnoreParenCasts(); 2915 } 2916 return 0; 2917 } 2918 2919 // Warn on anti-patterns as the 'size' argument to strncat. 2920 // The correct size argument should look like following: 2921 // strncat(dst, src, sizeof(dst) - strlen(dest) - 1); 2922 void Sema::CheckStrncatArguments(const CallExpr *CE, 2923 IdentifierInfo *FnName) { 2924 // Don't crash if the user has the wrong number of arguments. 2925 if (CE->getNumArgs() < 3) 2926 return; 2927 const Expr *DstArg = CE->getArg(0)->IgnoreParenCasts(); 2928 const Expr *SrcArg = CE->getArg(1)->IgnoreParenCasts(); 2929 const Expr *LenArg = CE->getArg(2)->IgnoreParenCasts(); 2930 2931 // Identify common expressions, which are wrongly used as the size argument 2932 // to strncat and may lead to buffer overflows. 2933 unsigned PatternType = 0; 2934 if (const Expr *SizeOfArg = getSizeOfExprArg(LenArg)) { 2935 // - sizeof(dst) 2936 if (referToTheSameDecl(SizeOfArg, DstArg)) 2937 PatternType = 1; 2938 // - sizeof(src) 2939 else if (referToTheSameDecl(SizeOfArg, SrcArg)) 2940 PatternType = 2; 2941 } else if (const BinaryOperator *BE = dyn_cast<BinaryOperator>(LenArg)) { 2942 if (BE->getOpcode() == BO_Sub) { 2943 const Expr *L = BE->getLHS()->IgnoreParenCasts(); 2944 const Expr *R = BE->getRHS()->IgnoreParenCasts(); 2945 // - sizeof(dst) - strlen(dst) 2946 if (referToTheSameDecl(DstArg, getSizeOfExprArg(L)) && 2947 referToTheSameDecl(DstArg, getStrlenExprArg(R))) 2948 PatternType = 1; 2949 // - sizeof(src) - (anything) 2950 else if (referToTheSameDecl(SrcArg, getSizeOfExprArg(L))) 2951 PatternType = 2; 2952 } 2953 } 2954 2955 if (PatternType == 0) 2956 return; 2957 2958 // Generate the diagnostic. 2959 SourceLocation SL = LenArg->getLocStart(); 2960 SourceRange SR = LenArg->getSourceRange(); 2961 SourceManager &SM = PP.getSourceManager(); 2962 2963 // If the function is defined as a builtin macro, do not show macro expansion. 2964 if (SM.isMacroArgExpansion(SL)) { 2965 SL = SM.getSpellingLoc(SL); 2966 SR = SourceRange(SM.getSpellingLoc(SR.getBegin()), 2967 SM.getSpellingLoc(SR.getEnd())); 2968 } 2969 2970 if (PatternType == 1) 2971 Diag(SL, diag::warn_strncat_large_size) << SR; 2972 else 2973 Diag(SL, diag::warn_strncat_src_size) << SR; 2974 2975 // Output a FIXIT hint if the destination is an array (rather than a 2976 // pointer to an array). This could be enhanced to handle some 2977 // pointers if we know the actual size, like if DstArg is 'array+2' 2978 // we could say 'sizeof(array)-2'. 2979 QualType DstArgTy = DstArg->getType(); 2980 2981 // Only handle constant-sized or VLAs, but not flexible members. 2982 if (const ConstantArrayType *CAT = Context.getAsConstantArrayType(DstArgTy)) { 2983 // Only issue the FIXIT for arrays of size > 1. 2984 if (CAT->getSize().getSExtValue() <= 1) 2985 return; 2986 } else if (!DstArgTy->isVariableArrayType()) { 2987 return; 2988 } 2989 2990 SmallString<128> sizeString; 2991 llvm::raw_svector_ostream OS(sizeString); 2992 OS << "sizeof("; 2993 DstArg->printPretty(OS, Context, 0, getPrintingPolicy()); 2994 OS << ") - "; 2995 OS << "strlen("; 2996 DstArg->printPretty(OS, Context, 0, getPrintingPolicy()); 2997 OS << ") - 1"; 2998 2999 Diag(SL, diag::note_strncat_wrong_size) 3000 << FixItHint::CreateReplacement(SR, OS.str()); 3001 } 3002 3003 //===--- CHECK: Return Address of Stack Variable --------------------------===// 3004 3005 static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars); 3006 static Expr *EvalAddr(Expr* E, SmallVectorImpl<DeclRefExpr *> &refVars); 3007 3008 /// CheckReturnStackAddr - Check if a return statement returns the address 3009 /// of a stack variable. 3010 void 3011 Sema::CheckReturnStackAddr(Expr *RetValExp, QualType lhsType, 3012 SourceLocation ReturnLoc) { 3013 3014 Expr *stackE = 0; 3015 SmallVector<DeclRefExpr *, 8> refVars; 3016 3017 // Perform checking for returned stack addresses, local blocks, 3018 // label addresses or references to temporaries. 3019 if (lhsType->isPointerType() || 3020 (!getLangOpts().ObjCAutoRefCount && lhsType->isBlockPointerType())) { 3021 stackE = EvalAddr(RetValExp, refVars); 3022 } else if (lhsType->isReferenceType()) { 3023 stackE = EvalVal(RetValExp, refVars); 3024 } 3025 3026 if (stackE == 0) 3027 return; // Nothing suspicious was found. 3028 3029 SourceLocation diagLoc; 3030 SourceRange diagRange; 3031 if (refVars.empty()) { 3032 diagLoc = stackE->getLocStart(); 3033 diagRange = stackE->getSourceRange(); 3034 } else { 3035 // We followed through a reference variable. 'stackE' contains the 3036 // problematic expression but we will warn at the return statement pointing 3037 // at the reference variable. We will later display the "trail" of 3038 // reference variables using notes. 3039 diagLoc = refVars[0]->getLocStart(); 3040 diagRange = refVars[0]->getSourceRange(); 3041 } 3042 3043 if (DeclRefExpr *DR = dyn_cast<DeclRefExpr>(stackE)) { //address of local var. 3044 Diag(diagLoc, lhsType->isReferenceType() ? diag::warn_ret_stack_ref 3045 : diag::warn_ret_stack_addr) 3046 << DR->getDecl()->getDeclName() << diagRange; 3047 } else if (isa<BlockExpr>(stackE)) { // local block. 3048 Diag(diagLoc, diag::err_ret_local_block) << diagRange; 3049 } else if (isa<AddrLabelExpr>(stackE)) { // address of label. 3050 Diag(diagLoc, diag::warn_ret_addr_label) << diagRange; 3051 } else { // local temporary. 3052 Diag(diagLoc, lhsType->isReferenceType() ? diag::warn_ret_local_temp_ref 3053 : diag::warn_ret_local_temp_addr) 3054 << diagRange; 3055 } 3056 3057 // Display the "trail" of reference variables that we followed until we 3058 // found the problematic expression using notes. 3059 for (unsigned i = 0, e = refVars.size(); i != e; ++i) { 3060 VarDecl *VD = cast<VarDecl>(refVars[i]->getDecl()); 3061 // If this var binds to another reference var, show the range of the next 3062 // var, otherwise the var binds to the problematic expression, in which case 3063 // show the range of the expression. 3064 SourceRange range = (i < e-1) ? refVars[i+1]->getSourceRange() 3065 : stackE->getSourceRange(); 3066 Diag(VD->getLocation(), diag::note_ref_var_local_bind) 3067 << VD->getDeclName() << range; 3068 } 3069 } 3070 3071 /// EvalAddr - EvalAddr and EvalVal are mutually recursive functions that 3072 /// check if the expression in a return statement evaluates to an address 3073 /// to a location on the stack, a local block, an address of a label, or a 3074 /// reference to local temporary. The recursion is used to traverse the 3075 /// AST of the return expression, with recursion backtracking when we 3076 /// encounter a subexpression that (1) clearly does not lead to one of the 3077 /// above problematic expressions (2) is something we cannot determine leads to 3078 /// a problematic expression based on such local checking. 3079 /// 3080 /// Both EvalAddr and EvalVal follow through reference variables to evaluate 3081 /// the expression that they point to. Such variables are added to the 3082 /// 'refVars' vector so that we know what the reference variable "trail" was. 3083 /// 3084 /// EvalAddr processes expressions that are pointers that are used as 3085 /// references (and not L-values). EvalVal handles all other values. 3086 /// At the base case of the recursion is a check for the above problematic 3087 /// expressions. 3088 /// 3089 /// This implementation handles: 3090 /// 3091 /// * pointer-to-pointer casts 3092 /// * implicit conversions from array references to pointers 3093 /// * taking the address of fields 3094 /// * arbitrary interplay between "&" and "*" operators 3095 /// * pointer arithmetic from an address of a stack variable 3096 /// * taking the address of an array element where the array is on the stack 3097 static Expr *EvalAddr(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars) { 3098 if (E->isTypeDependent()) 3099 return NULL; 3100 3101 // We should only be called for evaluating pointer expressions. 3102 assert((E->getType()->isAnyPointerType() || 3103 E->getType()->isBlockPointerType() || 3104 E->getType()->isObjCQualifiedIdType()) && 3105 "EvalAddr only works on pointers"); 3106 3107 E = E->IgnoreParens(); 3108 3109 // Our "symbolic interpreter" is just a dispatch off the currently 3110 // viewed AST node. We then recursively traverse the AST by calling 3111 // EvalAddr and EvalVal appropriately. 3112 switch (E->getStmtClass()) { 3113 case Stmt::DeclRefExprClass: { 3114 DeclRefExpr *DR = cast<DeclRefExpr>(E); 3115 3116 if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) 3117 // If this is a reference variable, follow through to the expression that 3118 // it points to. 3119 if (V->hasLocalStorage() && 3120 V->getType()->isReferenceType() && V->hasInit()) { 3121 // Add the reference variable to the "trail". 3122 refVars.push_back(DR); 3123 return EvalAddr(V->getInit(), refVars); 3124 } 3125 3126 return NULL; 3127 } 3128 3129 case Stmt::UnaryOperatorClass: { 3130 // The only unary operator that make sense to handle here 3131 // is AddrOf. All others don't make sense as pointers. 3132 UnaryOperator *U = cast<UnaryOperator>(E); 3133 3134 if (U->getOpcode() == UO_AddrOf) 3135 return EvalVal(U->getSubExpr(), refVars); 3136 else 3137 return NULL; 3138 } 3139 3140 case Stmt::BinaryOperatorClass: { 3141 // Handle pointer arithmetic. All other binary operators are not valid 3142 // in this context. 3143 BinaryOperator *B = cast<BinaryOperator>(E); 3144 BinaryOperatorKind op = B->getOpcode(); 3145 3146 if (op != BO_Add && op != BO_Sub) 3147 return NULL; 3148 3149 Expr *Base = B->getLHS(); 3150 3151 // Determine which argument is the real pointer base. It could be 3152 // the RHS argument instead of the LHS. 3153 if (!Base->getType()->isPointerType()) Base = B->getRHS(); 3154 3155 assert (Base->getType()->isPointerType()); 3156 return EvalAddr(Base, refVars); 3157 } 3158 3159 // For conditional operators we need to see if either the LHS or RHS are 3160 // valid DeclRefExpr*s. If one of them is valid, we return it. 3161 case Stmt::ConditionalOperatorClass: { 3162 ConditionalOperator *C = cast<ConditionalOperator>(E); 3163 3164 // Handle the GNU extension for missing LHS. 3165 if (Expr *lhsExpr = C->getLHS()) { 3166 // In C++, we can have a throw-expression, which has 'void' type. 3167 if (!lhsExpr->getType()->isVoidType()) 3168 if (Expr* LHS = EvalAddr(lhsExpr, refVars)) 3169 return LHS; 3170 } 3171 3172 // In C++, we can have a throw-expression, which has 'void' type. 3173 if (C->getRHS()->getType()->isVoidType()) 3174 return NULL; 3175 3176 return EvalAddr(C->getRHS(), refVars); 3177 } 3178 3179 case Stmt::BlockExprClass: 3180 if (cast<BlockExpr>(E)->getBlockDecl()->hasCaptures()) 3181 return E; // local block. 3182 return NULL; 3183 3184 case Stmt::AddrLabelExprClass: 3185 return E; // address of label. 3186 3187 case Stmt::ExprWithCleanupsClass: 3188 return EvalAddr(cast<ExprWithCleanups>(E)->getSubExpr(), refVars); 3189 3190 // For casts, we need to handle conversions from arrays to 3191 // pointer values, and pointer-to-pointer conversions. 3192 case Stmt::ImplicitCastExprClass: 3193 case Stmt::CStyleCastExprClass: 3194 case Stmt::CXXFunctionalCastExprClass: 3195 case Stmt::ObjCBridgedCastExprClass: 3196 case Stmt::CXXStaticCastExprClass: 3197 case Stmt::CXXDynamicCastExprClass: 3198 case Stmt::CXXConstCastExprClass: 3199 case Stmt::CXXReinterpretCastExprClass: { 3200 Expr* SubExpr = cast<CastExpr>(E)->getSubExpr(); 3201 switch (cast<CastExpr>(E)->getCastKind()) { 3202 case CK_BitCast: 3203 case CK_LValueToRValue: 3204 case CK_NoOp: 3205 case CK_BaseToDerived: 3206 case CK_DerivedToBase: 3207 case CK_UncheckedDerivedToBase: 3208 case CK_Dynamic: 3209 case CK_CPointerToObjCPointerCast: 3210 case CK_BlockPointerToObjCPointerCast: 3211 case CK_AnyPointerToBlockPointerCast: 3212 return EvalAddr(SubExpr, refVars); 3213 3214 case CK_ArrayToPointerDecay: 3215 return EvalVal(SubExpr, refVars); 3216 3217 default: 3218 return 0; 3219 } 3220 } 3221 3222 case Stmt::MaterializeTemporaryExprClass: 3223 if (Expr *Result = EvalAddr( 3224 cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(), 3225 refVars)) 3226 return Result; 3227 3228 return E; 3229 3230 // Everything else: we simply don't reason about them. 3231 default: 3232 return NULL; 3233 } 3234 } 3235 3236 3237 /// EvalVal - This function is complements EvalAddr in the mutual recursion. 3238 /// See the comments for EvalAddr for more details. 3239 static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars) { 3240 do { 3241 // We should only be called for evaluating non-pointer expressions, or 3242 // expressions with a pointer type that are not used as references but instead 3243 // are l-values (e.g., DeclRefExpr with a pointer type). 3244 3245 // Our "symbolic interpreter" is just a dispatch off the currently 3246 // viewed AST node. We then recursively traverse the AST by calling 3247 // EvalAddr and EvalVal appropriately. 3248 3249 E = E->IgnoreParens(); 3250 switch (E->getStmtClass()) { 3251 case Stmt::ImplicitCastExprClass: { 3252 ImplicitCastExpr *IE = cast<ImplicitCastExpr>(E); 3253 if (IE->getValueKind() == VK_LValue) { 3254 E = IE->getSubExpr(); 3255 continue; 3256 } 3257 return NULL; 3258 } 3259 3260 case Stmt::ExprWithCleanupsClass: 3261 return EvalVal(cast<ExprWithCleanups>(E)->getSubExpr(), refVars); 3262 3263 case Stmt::DeclRefExprClass: { 3264 // When we hit a DeclRefExpr we are looking at code that refers to a 3265 // variable's name. If it's not a reference variable we check if it has 3266 // local storage within the function, and if so, return the expression. 3267 DeclRefExpr *DR = cast<DeclRefExpr>(E); 3268 3269 if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) 3270 if (V->hasLocalStorage()) { 3271 if (!V->getType()->isReferenceType()) 3272 return DR; 3273 3274 // Reference variable, follow through to the expression that 3275 // it points to. 3276 if (V->hasInit()) { 3277 // Add the reference variable to the "trail". 3278 refVars.push_back(DR); 3279 return EvalVal(V->getInit(), refVars); 3280 } 3281 } 3282 3283 return NULL; 3284 } 3285 3286 case Stmt::UnaryOperatorClass: { 3287 // The only unary operator that make sense to handle here 3288 // is Deref. All others don't resolve to a "name." This includes 3289 // handling all sorts of rvalues passed to a unary operator. 3290 UnaryOperator *U = cast<UnaryOperator>(E); 3291 3292 if (U->getOpcode() == UO_Deref) 3293 return EvalAddr(U->getSubExpr(), refVars); 3294 3295 return NULL; 3296 } 3297 3298 case Stmt::ArraySubscriptExprClass: { 3299 // Array subscripts are potential references to data on the stack. We 3300 // retrieve the DeclRefExpr* for the array variable if it indeed 3301 // has local storage. 3302 return EvalAddr(cast<ArraySubscriptExpr>(E)->getBase(), refVars); 3303 } 3304 3305 case Stmt::ConditionalOperatorClass: { 3306 // For conditional operators we need to see if either the LHS or RHS are 3307 // non-NULL Expr's. If one is non-NULL, we return it. 3308 ConditionalOperator *C = cast<ConditionalOperator>(E); 3309 3310 // Handle the GNU extension for missing LHS. 3311 if (Expr *lhsExpr = C->getLHS()) 3312 if (Expr *LHS = EvalVal(lhsExpr, refVars)) 3313 return LHS; 3314 3315 return EvalVal(C->getRHS(), refVars); 3316 } 3317 3318 // Accesses to members are potential references to data on the stack. 3319 case Stmt::MemberExprClass: { 3320 MemberExpr *M = cast<MemberExpr>(E); 3321 3322 // Check for indirect access. We only want direct field accesses. 3323 if (M->isArrow()) 3324 return NULL; 3325 3326 // Check whether the member type is itself a reference, in which case 3327 // we're not going to refer to the member, but to what the member refers to. 3328 if (M->getMemberDecl()->getType()->isReferenceType()) 3329 return NULL; 3330 3331 return EvalVal(M->getBase(), refVars); 3332 } 3333 3334 case Stmt::MaterializeTemporaryExprClass: 3335 if (Expr *Result = EvalVal( 3336 cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(), 3337 refVars)) 3338 return Result; 3339 3340 return E; 3341 3342 default: 3343 // Check that we don't return or take the address of a reference to a 3344 // temporary. This is only useful in C++. 3345 if (!E->isTypeDependent() && E->isRValue()) 3346 return E; 3347 3348 // Everything else: we simply don't reason about them. 3349 return NULL; 3350 } 3351 } while (true); 3352 } 3353 3354 //===--- CHECK: Floating-Point comparisons (-Wfloat-equal) ---------------===// 3355 3356 /// Check for comparisons of floating point operands using != and ==. 3357 /// Issue a warning if these are no self-comparisons, as they are not likely 3358 /// to do what the programmer intended. 3359 void Sema::CheckFloatComparison(SourceLocation Loc, Expr* LHS, Expr *RHS) { 3360 bool EmitWarning = true; 3361 3362 Expr* LeftExprSansParen = LHS->IgnoreParenImpCasts(); 3363 Expr* RightExprSansParen = RHS->IgnoreParenImpCasts(); 3364 3365 // Special case: check for x == x (which is OK). 3366 // Do not emit warnings for such cases. 3367 if (DeclRefExpr* DRL = dyn_cast<DeclRefExpr>(LeftExprSansParen)) 3368 if (DeclRefExpr* DRR = dyn_cast<DeclRefExpr>(RightExprSansParen)) 3369 if (DRL->getDecl() == DRR->getDecl()) 3370 EmitWarning = false; 3371 3372 3373 // Special case: check for comparisons against literals that can be exactly 3374 // represented by APFloat. In such cases, do not emit a warning. This 3375 // is a heuristic: often comparison against such literals are used to 3376 // detect if a value in a variable has not changed. This clearly can 3377 // lead to false negatives. 3378 if (EmitWarning) { 3379 if (FloatingLiteral* FLL = dyn_cast<FloatingLiteral>(LeftExprSansParen)) { 3380 if (FLL->isExact()) 3381 EmitWarning = false; 3382 } else 3383 if (FloatingLiteral* FLR = dyn_cast<FloatingLiteral>(RightExprSansParen)){ 3384 if (FLR->isExact()) 3385 EmitWarning = false; 3386 } 3387 } 3388 3389 // Check for comparisons with builtin types. 3390 if (EmitWarning) 3391 if (CallExpr* CL = dyn_cast<CallExpr>(LeftExprSansParen)) 3392 if (CL->isBuiltinCall()) 3393 EmitWarning = false; 3394 3395 if (EmitWarning) 3396 if (CallExpr* CR = dyn_cast<CallExpr>(RightExprSansParen)) 3397 if (CR->isBuiltinCall()) 3398 EmitWarning = false; 3399 3400 // Emit the diagnostic. 3401 if (EmitWarning) 3402 Diag(Loc, diag::warn_floatingpoint_eq) 3403 << LHS->getSourceRange() << RHS->getSourceRange(); 3404 } 3405 3406 //===--- CHECK: Integer mixed-sign comparisons (-Wsign-compare) --------===// 3407 //===--- CHECK: Lossy implicit conversions (-Wconversion) --------------===// 3408 3409 namespace { 3410 3411 /// Structure recording the 'active' range of an integer-valued 3412 /// expression. 3413 struct IntRange { 3414 /// The number of bits active in the int. 3415 unsigned Width; 3416 3417 /// True if the int is known not to have negative values. 3418 bool NonNegative; 3419 3420 IntRange(unsigned Width, bool NonNegative) 3421 : Width(Width), NonNegative(NonNegative) 3422 {} 3423 3424 /// Returns the range of the bool type. 3425 static IntRange forBoolType() { 3426 return IntRange(1, true); 3427 } 3428 3429 /// Returns the range of an opaque value of the given integral type. 3430 static IntRange forValueOfType(ASTContext &C, QualType T) { 3431 return forValueOfCanonicalType(C, 3432 T->getCanonicalTypeInternal().getTypePtr()); 3433 } 3434 3435 /// Returns the range of an opaque value of a canonical integral type. 3436 static IntRange forValueOfCanonicalType(ASTContext &C, const Type *T) { 3437 assert(T->isCanonicalUnqualified()); 3438 3439 if (const VectorType *VT = dyn_cast<VectorType>(T)) 3440 T = VT->getElementType().getTypePtr(); 3441 if (const ComplexType *CT = dyn_cast<ComplexType>(T)) 3442 T = CT->getElementType().getTypePtr(); 3443 3444 // For enum types, use the known bit width of the enumerators. 3445 if (const EnumType *ET = dyn_cast<EnumType>(T)) { 3446 EnumDecl *Enum = ET->getDecl(); 3447 if (!Enum->isCompleteDefinition()) 3448 return IntRange(C.getIntWidth(QualType(T, 0)), false); 3449 3450 unsigned NumPositive = Enum->getNumPositiveBits(); 3451 unsigned NumNegative = Enum->getNumNegativeBits(); 3452 3453 return IntRange(std::max(NumPositive, NumNegative), NumNegative == 0); 3454 } 3455 3456 const BuiltinType *BT = cast<BuiltinType>(T); 3457 assert(BT->isInteger()); 3458 3459 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); 3460 } 3461 3462 /// Returns the "target" range of a canonical integral type, i.e. 3463 /// the range of values expressible in the type. 3464 /// 3465 /// This matches forValueOfCanonicalType except that enums have the 3466 /// full range of their type, not the range of their enumerators. 3467 static IntRange forTargetOfCanonicalType(ASTContext &C, const Type *T) { 3468 assert(T->isCanonicalUnqualified()); 3469 3470 if (const VectorType *VT = dyn_cast<VectorType>(T)) 3471 T = VT->getElementType().getTypePtr(); 3472 if (const ComplexType *CT = dyn_cast<ComplexType>(T)) 3473 T = CT->getElementType().getTypePtr(); 3474 if (const EnumType *ET = dyn_cast<EnumType>(T)) 3475 T = C.getCanonicalType(ET->getDecl()->getIntegerType()).getTypePtr(); 3476 3477 const BuiltinType *BT = cast<BuiltinType>(T); 3478 assert(BT->isInteger()); 3479 3480 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); 3481 } 3482 3483 /// Returns the supremum of two ranges: i.e. their conservative merge. 3484 static IntRange join(IntRange L, IntRange R) { 3485 return IntRange(std::max(L.Width, R.Width), 3486 L.NonNegative && R.NonNegative); 3487 } 3488 3489 /// Returns the infinum of two ranges: i.e. their aggressive merge. 3490 static IntRange meet(IntRange L, IntRange R) { 3491 return IntRange(std::min(L.Width, R.Width), 3492 L.NonNegative || R.NonNegative); 3493 } 3494 }; 3495 3496 static IntRange GetValueRange(ASTContext &C, llvm::APSInt &value, 3497 unsigned MaxWidth) { 3498 if (value.isSigned() && value.isNegative()) 3499 return IntRange(value.getMinSignedBits(), false); 3500 3501 if (value.getBitWidth() > MaxWidth) 3502 value = value.trunc(MaxWidth); 3503 3504 // isNonNegative() just checks the sign bit without considering 3505 // signedness. 3506 return IntRange(value.getActiveBits(), true); 3507 } 3508 3509 static IntRange GetValueRange(ASTContext &C, APValue &result, QualType Ty, 3510 unsigned MaxWidth) { 3511 if (result.isInt()) 3512 return GetValueRange(C, result.getInt(), MaxWidth); 3513 3514 if (result.isVector()) { 3515 IntRange R = GetValueRange(C, result.getVectorElt(0), Ty, MaxWidth); 3516 for (unsigned i = 1, e = result.getVectorLength(); i != e; ++i) { 3517 IntRange El = GetValueRange(C, result.getVectorElt(i), Ty, MaxWidth); 3518 R = IntRange::join(R, El); 3519 } 3520 return R; 3521 } 3522 3523 if (result.isComplexInt()) { 3524 IntRange R = GetValueRange(C, result.getComplexIntReal(), MaxWidth); 3525 IntRange I = GetValueRange(C, result.getComplexIntImag(), MaxWidth); 3526 return IntRange::join(R, I); 3527 } 3528 3529 // This can happen with lossless casts to intptr_t of "based" lvalues. 3530 // Assume it might use arbitrary bits. 3531 // FIXME: The only reason we need to pass the type in here is to get 3532 // the sign right on this one case. It would be nice if APValue 3533 // preserved this. 3534 assert(result.isLValue() || result.isAddrLabelDiff()); 3535 return IntRange(MaxWidth, Ty->isUnsignedIntegerOrEnumerationType()); 3536 } 3537 3538 /// Pseudo-evaluate the given integer expression, estimating the 3539 /// range of values it might take. 3540 /// 3541 /// \param MaxWidth - the width to which the value will be truncated 3542 static IntRange GetExprRange(ASTContext &C, Expr *E, unsigned MaxWidth) { 3543 E = E->IgnoreParens(); 3544 3545 // Try a full evaluation first. 3546 Expr::EvalResult result; 3547 if (E->EvaluateAsRValue(result, C)) 3548 return GetValueRange(C, result.Val, E->getType(), MaxWidth); 3549 3550 // I think we only want to look through implicit casts here; if the 3551 // user has an explicit widening cast, we should treat the value as 3552 // being of the new, wider type. 3553 if (ImplicitCastExpr *CE = dyn_cast<ImplicitCastExpr>(E)) { 3554 if (CE->getCastKind() == CK_NoOp || CE->getCastKind() == CK_LValueToRValue) 3555 return GetExprRange(C, CE->getSubExpr(), MaxWidth); 3556 3557 IntRange OutputTypeRange = IntRange::forValueOfType(C, CE->getType()); 3558 3559 bool isIntegerCast = (CE->getCastKind() == CK_IntegralCast); 3560 3561 // Assume that non-integer casts can span the full range of the type. 3562 if (!isIntegerCast) 3563 return OutputTypeRange; 3564 3565 IntRange SubRange 3566 = GetExprRange(C, CE->getSubExpr(), 3567 std::min(MaxWidth, OutputTypeRange.Width)); 3568 3569 // Bail out if the subexpr's range is as wide as the cast type. 3570 if (SubRange.Width >= OutputTypeRange.Width) 3571 return OutputTypeRange; 3572 3573 // Otherwise, we take the smaller width, and we're non-negative if 3574 // either the output type or the subexpr is. 3575 return IntRange(SubRange.Width, 3576 SubRange.NonNegative || OutputTypeRange.NonNegative); 3577 } 3578 3579 if (ConditionalOperator *CO = dyn_cast<ConditionalOperator>(E)) { 3580 // If we can fold the condition, just take that operand. 3581 bool CondResult; 3582 if (CO->getCond()->EvaluateAsBooleanCondition(CondResult, C)) 3583 return GetExprRange(C, CondResult ? CO->getTrueExpr() 3584 : CO->getFalseExpr(), 3585 MaxWidth); 3586 3587 // Otherwise, conservatively merge. 3588 IntRange L = GetExprRange(C, CO->getTrueExpr(), MaxWidth); 3589 IntRange R = GetExprRange(C, CO->getFalseExpr(), MaxWidth); 3590 return IntRange::join(L, R); 3591 } 3592 3593 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 3594 switch (BO->getOpcode()) { 3595 3596 // Boolean-valued operations are single-bit and positive. 3597 case BO_LAnd: 3598 case BO_LOr: 3599 case BO_LT: 3600 case BO_GT: 3601 case BO_LE: 3602 case BO_GE: 3603 case BO_EQ: 3604 case BO_NE: 3605 return IntRange::forBoolType(); 3606 3607 // The type of the assignments is the type of the LHS, so the RHS 3608 // is not necessarily the same type. 3609 case BO_MulAssign: 3610 case BO_DivAssign: 3611 case BO_RemAssign: 3612 case BO_AddAssign: 3613 case BO_SubAssign: 3614 case BO_XorAssign: 3615 case BO_OrAssign: 3616 // TODO: bitfields? 3617 return IntRange::forValueOfType(C, E->getType()); 3618 3619 // Simple assignments just pass through the RHS, which will have 3620 // been coerced to the LHS type. 3621 case BO_Assign: 3622 // TODO: bitfields? 3623 return GetExprRange(C, BO->getRHS(), MaxWidth); 3624 3625 // Operations with opaque sources are black-listed. 3626 case BO_PtrMemD: 3627 case BO_PtrMemI: 3628 return IntRange::forValueOfType(C, E->getType()); 3629 3630 // Bitwise-and uses the *infinum* of the two source ranges. 3631 case BO_And: 3632 case BO_AndAssign: 3633 return IntRange::meet(GetExprRange(C, BO->getLHS(), MaxWidth), 3634 GetExprRange(C, BO->getRHS(), MaxWidth)); 3635 3636 // Left shift gets black-listed based on a judgement call. 3637 case BO_Shl: 3638 // ...except that we want to treat '1 << (blah)' as logically 3639 // positive. It's an important idiom. 3640 if (IntegerLiteral *I 3641 = dyn_cast<IntegerLiteral>(BO->getLHS()->IgnoreParenCasts())) { 3642 if (I->getValue() == 1) { 3643 IntRange R = IntRange::forValueOfType(C, E->getType()); 3644 return IntRange(R.Width, /*NonNegative*/ true); 3645 } 3646 } 3647 // fallthrough 3648 3649 case BO_ShlAssign: 3650 return IntRange::forValueOfType(C, E->getType()); 3651 3652 // Right shift by a constant can narrow its left argument. 3653 case BO_Shr: 3654 case BO_ShrAssign: { 3655 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 3656 3657 // If the shift amount is a positive constant, drop the width by 3658 // that much. 3659 llvm::APSInt shift; 3660 if (BO->getRHS()->isIntegerConstantExpr(shift, C) && 3661 shift.isNonNegative()) { 3662 unsigned zext = shift.getZExtValue(); 3663 if (zext >= L.Width) 3664 L.Width = (L.NonNegative ? 0 : 1); 3665 else 3666 L.Width -= zext; 3667 } 3668 3669 return L; 3670 } 3671 3672 // Comma acts as its right operand. 3673 case BO_Comma: 3674 return GetExprRange(C, BO->getRHS(), MaxWidth); 3675 3676 // Black-list pointer subtractions. 3677 case BO_Sub: 3678 if (BO->getLHS()->getType()->isPointerType()) 3679 return IntRange::forValueOfType(C, E->getType()); 3680 break; 3681 3682 // The width of a division result is mostly determined by the size 3683 // of the LHS. 3684 case BO_Div: { 3685 // Don't 'pre-truncate' the operands. 3686 unsigned opWidth = C.getIntWidth(E->getType()); 3687 IntRange L = GetExprRange(C, BO->getLHS(), opWidth); 3688 3689 // If the divisor is constant, use that. 3690 llvm::APSInt divisor; 3691 if (BO->getRHS()->isIntegerConstantExpr(divisor, C)) { 3692 unsigned log2 = divisor.logBase2(); // floor(log_2(divisor)) 3693 if (log2 >= L.Width) 3694 L.Width = (L.NonNegative ? 0 : 1); 3695 else 3696 L.Width = std::min(L.Width - log2, MaxWidth); 3697 return L; 3698 } 3699 3700 // Otherwise, just use the LHS's width. 3701 IntRange R = GetExprRange(C, BO->getRHS(), opWidth); 3702 return IntRange(L.Width, L.NonNegative && R.NonNegative); 3703 } 3704 3705 // The result of a remainder can't be larger than the result of 3706 // either side. 3707 case BO_Rem: { 3708 // Don't 'pre-truncate' the operands. 3709 unsigned opWidth = C.getIntWidth(E->getType()); 3710 IntRange L = GetExprRange(C, BO->getLHS(), opWidth); 3711 IntRange R = GetExprRange(C, BO->getRHS(), opWidth); 3712 3713 IntRange meet = IntRange::meet(L, R); 3714 meet.Width = std::min(meet.Width, MaxWidth); 3715 return meet; 3716 } 3717 3718 // The default behavior is okay for these. 3719 case BO_Mul: 3720 case BO_Add: 3721 case BO_Xor: 3722 case BO_Or: 3723 break; 3724 } 3725 3726 // The default case is to treat the operation as if it were closed 3727 // on the narrowest type that encompasses both operands. 3728 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 3729 IntRange R = GetExprRange(C, BO->getRHS(), MaxWidth); 3730 return IntRange::join(L, R); 3731 } 3732 3733 if (UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) { 3734 switch (UO->getOpcode()) { 3735 // Boolean-valued operations are white-listed. 3736 case UO_LNot: 3737 return IntRange::forBoolType(); 3738 3739 // Operations with opaque sources are black-listed. 3740 case UO_Deref: 3741 case UO_AddrOf: // should be impossible 3742 return IntRange::forValueOfType(C, E->getType()); 3743 3744 default: 3745 return GetExprRange(C, UO->getSubExpr(), MaxWidth); 3746 } 3747 } 3748 3749 if (dyn_cast<OffsetOfExpr>(E)) { 3750 IntRange::forValueOfType(C, E->getType()); 3751 } 3752 3753 if (FieldDecl *BitField = E->getBitField()) 3754 return IntRange(BitField->getBitWidthValue(C), 3755 BitField->getType()->isUnsignedIntegerOrEnumerationType()); 3756 3757 return IntRange::forValueOfType(C, E->getType()); 3758 } 3759 3760 static IntRange GetExprRange(ASTContext &C, Expr *E) { 3761 return GetExprRange(C, E, C.getIntWidth(E->getType())); 3762 } 3763 3764 /// Checks whether the given value, which currently has the given 3765 /// source semantics, has the same value when coerced through the 3766 /// target semantics. 3767 static bool IsSameFloatAfterCast(const llvm::APFloat &value, 3768 const llvm::fltSemantics &Src, 3769 const llvm::fltSemantics &Tgt) { 3770 llvm::APFloat truncated = value; 3771 3772 bool ignored; 3773 truncated.convert(Src, llvm::APFloat::rmNearestTiesToEven, &ignored); 3774 truncated.convert(Tgt, llvm::APFloat::rmNearestTiesToEven, &ignored); 3775 3776 return truncated.bitwiseIsEqual(value); 3777 } 3778 3779 /// Checks whether the given value, which currently has the given 3780 /// source semantics, has the same value when coerced through the 3781 /// target semantics. 3782 /// 3783 /// The value might be a vector of floats (or a complex number). 3784 static bool IsSameFloatAfterCast(const APValue &value, 3785 const llvm::fltSemantics &Src, 3786 const llvm::fltSemantics &Tgt) { 3787 if (value.isFloat()) 3788 return IsSameFloatAfterCast(value.getFloat(), Src, Tgt); 3789 3790 if (value.isVector()) { 3791 for (unsigned i = 0, e = value.getVectorLength(); i != e; ++i) 3792 if (!IsSameFloatAfterCast(value.getVectorElt(i), Src, Tgt)) 3793 return false; 3794 return true; 3795 } 3796 3797 assert(value.isComplexFloat()); 3798 return (IsSameFloatAfterCast(value.getComplexFloatReal(), Src, Tgt) && 3799 IsSameFloatAfterCast(value.getComplexFloatImag(), Src, Tgt)); 3800 } 3801 3802 static void AnalyzeImplicitConversions(Sema &S, Expr *E, SourceLocation CC); 3803 3804 static bool IsZero(Sema &S, Expr *E) { 3805 // Suppress cases where we are comparing against an enum constant. 3806 if (const DeclRefExpr *DR = 3807 dyn_cast<DeclRefExpr>(E->IgnoreParenImpCasts())) 3808 if (isa<EnumConstantDecl>(DR->getDecl())) 3809 return false; 3810 3811 // Suppress cases where the '0' value is expanded from a macro. 3812 if (E->getLocStart().isMacroID()) 3813 return false; 3814 3815 llvm::APSInt Value; 3816 return E->isIntegerConstantExpr(Value, S.Context) && Value == 0; 3817 } 3818 3819 static bool HasEnumType(Expr *E) { 3820 // Strip off implicit integral promotions. 3821 while (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) { 3822 if (ICE->getCastKind() != CK_IntegralCast && 3823 ICE->getCastKind() != CK_NoOp) 3824 break; 3825 E = ICE->getSubExpr(); 3826 } 3827 3828 return E->getType()->isEnumeralType(); 3829 } 3830 3831 static void CheckTrivialUnsignedComparison(Sema &S, BinaryOperator *E) { 3832 BinaryOperatorKind op = E->getOpcode(); 3833 if (E->isValueDependent()) 3834 return; 3835 3836 if (op == BO_LT && IsZero(S, E->getRHS())) { 3837 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 3838 << "< 0" << "false" << HasEnumType(E->getLHS()) 3839 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 3840 } else if (op == BO_GE && IsZero(S, E->getRHS())) { 3841 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 3842 << ">= 0" << "true" << HasEnumType(E->getLHS()) 3843 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 3844 } else if (op == BO_GT && IsZero(S, E->getLHS())) { 3845 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 3846 << "0 >" << "false" << HasEnumType(E->getRHS()) 3847 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 3848 } else if (op == BO_LE && IsZero(S, E->getLHS())) { 3849 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 3850 << "0 <=" << "true" << HasEnumType(E->getRHS()) 3851 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 3852 } 3853 } 3854 3855 /// Analyze the operands of the given comparison. Implements the 3856 /// fallback case from AnalyzeComparison. 3857 static void AnalyzeImpConvsInComparison(Sema &S, BinaryOperator *E) { 3858 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc()); 3859 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc()); 3860 } 3861 3862 /// \brief Implements -Wsign-compare. 3863 /// 3864 /// \param E the binary operator to check for warnings 3865 static void AnalyzeComparison(Sema &S, BinaryOperator *E) { 3866 // The type the comparison is being performed in. 3867 QualType T = E->getLHS()->getType(); 3868 assert(S.Context.hasSameUnqualifiedType(T, E->getRHS()->getType()) 3869 && "comparison with mismatched types"); 3870 3871 // We don't do anything special if this isn't an unsigned integral 3872 // comparison: we're only interested in integral comparisons, and 3873 // signed comparisons only happen in cases we don't care to warn about. 3874 // 3875 // We also don't care about value-dependent expressions or expressions 3876 // whose result is a constant. 3877 if (!T->hasUnsignedIntegerRepresentation() 3878 || E->isValueDependent() || E->isIntegerConstantExpr(S.Context)) 3879 return AnalyzeImpConvsInComparison(S, E); 3880 3881 Expr *LHS = E->getLHS()->IgnoreParenImpCasts(); 3882 Expr *RHS = E->getRHS()->IgnoreParenImpCasts(); 3883 3884 // Check to see if one of the (unmodified) operands is of different 3885 // signedness. 3886 Expr *signedOperand, *unsignedOperand; 3887 if (LHS->getType()->hasSignedIntegerRepresentation()) { 3888 assert(!RHS->getType()->hasSignedIntegerRepresentation() && 3889 "unsigned comparison between two signed integer expressions?"); 3890 signedOperand = LHS; 3891 unsignedOperand = RHS; 3892 } else if (RHS->getType()->hasSignedIntegerRepresentation()) { 3893 signedOperand = RHS; 3894 unsignedOperand = LHS; 3895 } else { 3896 CheckTrivialUnsignedComparison(S, E); 3897 return AnalyzeImpConvsInComparison(S, E); 3898 } 3899 3900 // Otherwise, calculate the effective range of the signed operand. 3901 IntRange signedRange = GetExprRange(S.Context, signedOperand); 3902 3903 // Go ahead and analyze implicit conversions in the operands. Note 3904 // that we skip the implicit conversions on both sides. 3905 AnalyzeImplicitConversions(S, LHS, E->getOperatorLoc()); 3906 AnalyzeImplicitConversions(S, RHS, E->getOperatorLoc()); 3907 3908 // If the signed range is non-negative, -Wsign-compare won't fire, 3909 // but we should still check for comparisons which are always true 3910 // or false. 3911 if (signedRange.NonNegative) 3912 return CheckTrivialUnsignedComparison(S, E); 3913 3914 // For (in)equality comparisons, if the unsigned operand is a 3915 // constant which cannot collide with a overflowed signed operand, 3916 // then reinterpreting the signed operand as unsigned will not 3917 // change the result of the comparison. 3918 if (E->isEqualityOp()) { 3919 unsigned comparisonWidth = S.Context.getIntWidth(T); 3920 IntRange unsignedRange = GetExprRange(S.Context, unsignedOperand); 3921 3922 // We should never be unable to prove that the unsigned operand is 3923 // non-negative. 3924 assert(unsignedRange.NonNegative && "unsigned range includes negative?"); 3925 3926 if (unsignedRange.Width < comparisonWidth) 3927 return; 3928 } 3929 3930 S.Diag(E->getOperatorLoc(), diag::warn_mixed_sign_comparison) 3931 << LHS->getType() << RHS->getType() 3932 << LHS->getSourceRange() << RHS->getSourceRange(); 3933 } 3934 3935 /// Analyzes an attempt to assign the given value to a bitfield. 3936 /// 3937 /// Returns true if there was something fishy about the attempt. 3938 static bool AnalyzeBitFieldAssignment(Sema &S, FieldDecl *Bitfield, Expr *Init, 3939 SourceLocation InitLoc) { 3940 assert(Bitfield->isBitField()); 3941 if (Bitfield->isInvalidDecl()) 3942 return false; 3943 3944 // White-list bool bitfields. 3945 if (Bitfield->getType()->isBooleanType()) 3946 return false; 3947 3948 // Ignore value- or type-dependent expressions. 3949 if (Bitfield->getBitWidth()->isValueDependent() || 3950 Bitfield->getBitWidth()->isTypeDependent() || 3951 Init->isValueDependent() || 3952 Init->isTypeDependent()) 3953 return false; 3954 3955 Expr *OriginalInit = Init->IgnoreParenImpCasts(); 3956 3957 llvm::APSInt Value; 3958 if (!OriginalInit->EvaluateAsInt(Value, S.Context, Expr::SE_AllowSideEffects)) 3959 return false; 3960 3961 unsigned OriginalWidth = Value.getBitWidth(); 3962 unsigned FieldWidth = Bitfield->getBitWidthValue(S.Context); 3963 3964 if (OriginalWidth <= FieldWidth) 3965 return false; 3966 3967 // Compute the value which the bitfield will contain. 3968 llvm::APSInt TruncatedValue = Value.trunc(FieldWidth); 3969 TruncatedValue.setIsSigned(Bitfield->getType()->isSignedIntegerType()); 3970 3971 // Check whether the stored value is equal to the original value. 3972 TruncatedValue = TruncatedValue.extend(OriginalWidth); 3973 if (Value == TruncatedValue) 3974 return false; 3975 3976 // Special-case bitfields of width 1: booleans are naturally 0/1, and 3977 // therefore don't strictly fit into a signed bitfield of width 1. 3978 if (FieldWidth == 1 && Value == 1) 3979 return false; 3980 3981 std::string PrettyValue = Value.toString(10); 3982 std::string PrettyTrunc = TruncatedValue.toString(10); 3983 3984 S.Diag(InitLoc, diag::warn_impcast_bitfield_precision_constant) 3985 << PrettyValue << PrettyTrunc << OriginalInit->getType() 3986 << Init->getSourceRange(); 3987 3988 return true; 3989 } 3990 3991 /// Analyze the given simple or compound assignment for warning-worthy 3992 /// operations. 3993 static void AnalyzeAssignment(Sema &S, BinaryOperator *E) { 3994 // Just recurse on the LHS. 3995 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc()); 3996 3997 // We want to recurse on the RHS as normal unless we're assigning to 3998 // a bitfield. 3999 if (FieldDecl *Bitfield = E->getLHS()->getBitField()) { 4000 if (AnalyzeBitFieldAssignment(S, Bitfield, E->getRHS(), 4001 E->getOperatorLoc())) { 4002 // Recurse, ignoring any implicit conversions on the RHS. 4003 return AnalyzeImplicitConversions(S, E->getRHS()->IgnoreParenImpCasts(), 4004 E->getOperatorLoc()); 4005 } 4006 } 4007 4008 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc()); 4009 } 4010 4011 /// Diagnose an implicit cast; purely a helper for CheckImplicitConversion. 4012 static void DiagnoseImpCast(Sema &S, Expr *E, QualType SourceType, QualType T, 4013 SourceLocation CContext, unsigned diag, 4014 bool pruneControlFlow = false) { 4015 if (pruneControlFlow) { 4016 S.DiagRuntimeBehavior(E->getExprLoc(), E, 4017 S.PDiag(diag) 4018 << SourceType << T << E->getSourceRange() 4019 << SourceRange(CContext)); 4020 return; 4021 } 4022 S.Diag(E->getExprLoc(), diag) 4023 << SourceType << T << E->getSourceRange() << SourceRange(CContext); 4024 } 4025 4026 /// Diagnose an implicit cast; purely a helper for CheckImplicitConversion. 4027 static void DiagnoseImpCast(Sema &S, Expr *E, QualType T, 4028 SourceLocation CContext, unsigned diag, 4029 bool pruneControlFlow = false) { 4030 DiagnoseImpCast(S, E, E->getType(), T, CContext, diag, pruneControlFlow); 4031 } 4032 4033 /// Diagnose an implicit cast from a literal expression. Does not warn when the 4034 /// cast wouldn't lose information. 4035 void DiagnoseFloatingLiteralImpCast(Sema &S, FloatingLiteral *FL, QualType T, 4036 SourceLocation CContext) { 4037 // Try to convert the literal exactly to an integer. If we can, don't warn. 4038 bool isExact = false; 4039 const llvm::APFloat &Value = FL->getValue(); 4040 llvm::APSInt IntegerValue(S.Context.getIntWidth(T), 4041 T->hasUnsignedIntegerRepresentation()); 4042 if (Value.convertToInteger(IntegerValue, 4043 llvm::APFloat::rmTowardZero, &isExact) 4044 == llvm::APFloat::opOK && isExact) 4045 return; 4046 4047 S.Diag(FL->getExprLoc(), diag::warn_impcast_literal_float_to_integer) 4048 << FL->getType() << T << FL->getSourceRange() << SourceRange(CContext); 4049 } 4050 4051 std::string PrettyPrintInRange(const llvm::APSInt &Value, IntRange Range) { 4052 if (!Range.Width) return "0"; 4053 4054 llvm::APSInt ValueInRange = Value; 4055 ValueInRange.setIsSigned(!Range.NonNegative); 4056 ValueInRange = ValueInRange.trunc(Range.Width); 4057 return ValueInRange.toString(10); 4058 } 4059 4060 void CheckImplicitConversion(Sema &S, Expr *E, QualType T, 4061 SourceLocation CC, bool *ICContext = 0) { 4062 if (E->isTypeDependent() || E->isValueDependent()) return; 4063 4064 const Type *Source = S.Context.getCanonicalType(E->getType()).getTypePtr(); 4065 const Type *Target = S.Context.getCanonicalType(T).getTypePtr(); 4066 if (Source == Target) return; 4067 if (Target->isDependentType()) return; 4068 4069 // If the conversion context location is invalid don't complain. We also 4070 // don't want to emit a warning if the issue occurs from the expansion of 4071 // a system macro. The problem is that 'getSpellingLoc()' is slow, so we 4072 // delay this check as long as possible. Once we detect we are in that 4073 // scenario, we just return. 4074 if (CC.isInvalid()) 4075 return; 4076 4077 // Diagnose implicit casts to bool. 4078 if (Target->isSpecificBuiltinType(BuiltinType::Bool)) { 4079 if (isa<StringLiteral>(E)) 4080 // Warn on string literal to bool. Checks for string literals in logical 4081 // expressions, for instances, assert(0 && "error here"), is prevented 4082 // by a check in AnalyzeImplicitConversions(). 4083 return DiagnoseImpCast(S, E, T, CC, 4084 diag::warn_impcast_string_literal_to_bool); 4085 if (Source->isFunctionType()) { 4086 // Warn on function to bool. Checks free functions and static member 4087 // functions. Weakly imported functions are excluded from the check, 4088 // since it's common to test their value to check whether the linker 4089 // found a definition for them. 4090 ValueDecl *D = 0; 4091 if (DeclRefExpr* R = dyn_cast<DeclRefExpr>(E)) { 4092 D = R->getDecl(); 4093 } else if (MemberExpr *M = dyn_cast<MemberExpr>(E)) { 4094 D = M->getMemberDecl(); 4095 } 4096 4097 if (D && !D->isWeak()) { 4098 if (FunctionDecl* F = dyn_cast<FunctionDecl>(D)) { 4099 S.Diag(E->getExprLoc(), diag::warn_impcast_function_to_bool) 4100 << F << E->getSourceRange() << SourceRange(CC); 4101 S.Diag(E->getExprLoc(), diag::note_function_to_bool_silence) 4102 << FixItHint::CreateInsertion(E->getExprLoc(), "&"); 4103 QualType ReturnType; 4104 UnresolvedSet<4> NonTemplateOverloads; 4105 S.isExprCallable(*E, ReturnType, NonTemplateOverloads); 4106 if (!ReturnType.isNull() 4107 && ReturnType->isSpecificBuiltinType(BuiltinType::Bool)) 4108 S.Diag(E->getExprLoc(), diag::note_function_to_bool_call) 4109 << FixItHint::CreateInsertion( 4110 S.getPreprocessor().getLocForEndOfToken(E->getLocEnd()), "()"); 4111 return; 4112 } 4113 } 4114 } 4115 return; // Other casts to bool are not checked. 4116 } 4117 4118 // Strip vector types. 4119 if (isa<VectorType>(Source)) { 4120 if (!isa<VectorType>(Target)) { 4121 if (S.SourceMgr.isInSystemMacro(CC)) 4122 return; 4123 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_vector_scalar); 4124 } 4125 4126 // If the vector cast is cast between two vectors of the same size, it is 4127 // a bitcast, not a conversion. 4128 if (S.Context.getTypeSize(Source) == S.Context.getTypeSize(Target)) 4129 return; 4130 4131 Source = cast<VectorType>(Source)->getElementType().getTypePtr(); 4132 Target = cast<VectorType>(Target)->getElementType().getTypePtr(); 4133 } 4134 4135 // Strip complex types. 4136 if (isa<ComplexType>(Source)) { 4137 if (!isa<ComplexType>(Target)) { 4138 if (S.SourceMgr.isInSystemMacro(CC)) 4139 return; 4140 4141 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_complex_scalar); 4142 } 4143 4144 Source = cast<ComplexType>(Source)->getElementType().getTypePtr(); 4145 Target = cast<ComplexType>(Target)->getElementType().getTypePtr(); 4146 } 4147 4148 const BuiltinType *SourceBT = dyn_cast<BuiltinType>(Source); 4149 const BuiltinType *TargetBT = dyn_cast<BuiltinType>(Target); 4150 4151 // If the source is floating point... 4152 if (SourceBT && SourceBT->isFloatingPoint()) { 4153 // ...and the target is floating point... 4154 if (TargetBT && TargetBT->isFloatingPoint()) { 4155 // ...then warn if we're dropping FP rank. 4156 4157 // Builtin FP kinds are ordered by increasing FP rank. 4158 if (SourceBT->getKind() > TargetBT->getKind()) { 4159 // Don't warn about float constants that are precisely 4160 // representable in the target type. 4161 Expr::EvalResult result; 4162 if (E->EvaluateAsRValue(result, S.Context)) { 4163 // Value might be a float, a float vector, or a float complex. 4164 if (IsSameFloatAfterCast(result.Val, 4165 S.Context.getFloatTypeSemantics(QualType(TargetBT, 0)), 4166 S.Context.getFloatTypeSemantics(QualType(SourceBT, 0)))) 4167 return; 4168 } 4169 4170 if (S.SourceMgr.isInSystemMacro(CC)) 4171 return; 4172 4173 DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_precision); 4174 } 4175 return; 4176 } 4177 4178 // If the target is integral, always warn. 4179 if ((TargetBT && TargetBT->isInteger())) { 4180 if (S.SourceMgr.isInSystemMacro(CC)) 4181 return; 4182 4183 Expr *InnerE = E->IgnoreParenImpCasts(); 4184 // We also want to warn on, e.g., "int i = -1.234" 4185 if (UnaryOperator *UOp = dyn_cast<UnaryOperator>(InnerE)) 4186 if (UOp->getOpcode() == UO_Minus || UOp->getOpcode() == UO_Plus) 4187 InnerE = UOp->getSubExpr()->IgnoreParenImpCasts(); 4188 4189 if (FloatingLiteral *FL = dyn_cast<FloatingLiteral>(InnerE)) { 4190 DiagnoseFloatingLiteralImpCast(S, FL, T, CC); 4191 } else { 4192 DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_integer); 4193 } 4194 } 4195 4196 return; 4197 } 4198 4199 if (!Source->isIntegerType() || !Target->isIntegerType()) 4200 return; 4201 4202 if ((E->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNotNull) 4203 == Expr::NPCK_GNUNull) && Target->isIntegerType()) { 4204 SourceLocation Loc = E->getSourceRange().getBegin(); 4205 if (Loc.isMacroID()) 4206 Loc = S.SourceMgr.getImmediateExpansionRange(Loc).first; 4207 S.Diag(Loc, diag::warn_impcast_null_pointer_to_integer) 4208 << T << Loc << clang::SourceRange(CC); 4209 return; 4210 } 4211 4212 IntRange SourceRange = GetExprRange(S.Context, E); 4213 IntRange TargetRange = IntRange::forTargetOfCanonicalType(S.Context, Target); 4214 4215 if (SourceRange.Width > TargetRange.Width) { 4216 // If the source is a constant, use a default-on diagnostic. 4217 // TODO: this should happen for bitfield stores, too. 4218 llvm::APSInt Value(32); 4219 if (E->isIntegerConstantExpr(Value, S.Context)) { 4220 if (S.SourceMgr.isInSystemMacro(CC)) 4221 return; 4222 4223 std::string PrettySourceValue = Value.toString(10); 4224 std::string PrettyTargetValue = PrettyPrintInRange(Value, TargetRange); 4225 4226 S.DiagRuntimeBehavior(E->getExprLoc(), E, 4227 S.PDiag(diag::warn_impcast_integer_precision_constant) 4228 << PrettySourceValue << PrettyTargetValue 4229 << E->getType() << T << E->getSourceRange() 4230 << clang::SourceRange(CC)); 4231 return; 4232 } 4233 4234 // People want to build with -Wshorten-64-to-32 and not -Wconversion. 4235 if (S.SourceMgr.isInSystemMacro(CC)) 4236 return; 4237 4238 if (TargetRange.Width == 32 && S.Context.getIntWidth(E->getType()) == 64) 4239 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_64_32, 4240 /* pruneControlFlow */ true); 4241 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_precision); 4242 } 4243 4244 if ((TargetRange.NonNegative && !SourceRange.NonNegative) || 4245 (!TargetRange.NonNegative && SourceRange.NonNegative && 4246 SourceRange.Width == TargetRange.Width)) { 4247 4248 if (S.SourceMgr.isInSystemMacro(CC)) 4249 return; 4250 4251 unsigned DiagID = diag::warn_impcast_integer_sign; 4252 4253 // Traditionally, gcc has warned about this under -Wsign-compare. 4254 // We also want to warn about it in -Wconversion. 4255 // So if -Wconversion is off, use a completely identical diagnostic 4256 // in the sign-compare group. 4257 // The conditional-checking code will 4258 if (ICContext) { 4259 DiagID = diag::warn_impcast_integer_sign_conditional; 4260 *ICContext = true; 4261 } 4262 4263 return DiagnoseImpCast(S, E, T, CC, DiagID); 4264 } 4265 4266 // Diagnose conversions between different enumeration types. 4267 // In C, we pretend that the type of an EnumConstantDecl is its enumeration 4268 // type, to give us better diagnostics. 4269 QualType SourceType = E->getType(); 4270 if (!S.getLangOpts().CPlusPlus) { 4271 if (DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) 4272 if (EnumConstantDecl *ECD = dyn_cast<EnumConstantDecl>(DRE->getDecl())) { 4273 EnumDecl *Enum = cast<EnumDecl>(ECD->getDeclContext()); 4274 SourceType = S.Context.getTypeDeclType(Enum); 4275 Source = S.Context.getCanonicalType(SourceType).getTypePtr(); 4276 } 4277 } 4278 4279 if (const EnumType *SourceEnum = Source->getAs<EnumType>()) 4280 if (const EnumType *TargetEnum = Target->getAs<EnumType>()) 4281 if ((SourceEnum->getDecl()->getIdentifier() || 4282 SourceEnum->getDecl()->getTypedefNameForAnonDecl()) && 4283 (TargetEnum->getDecl()->getIdentifier() || 4284 TargetEnum->getDecl()->getTypedefNameForAnonDecl()) && 4285 SourceEnum != TargetEnum) { 4286 if (S.SourceMgr.isInSystemMacro(CC)) 4287 return; 4288 4289 return DiagnoseImpCast(S, E, SourceType, T, CC, 4290 diag::warn_impcast_different_enum_types); 4291 } 4292 4293 return; 4294 } 4295 4296 void CheckConditionalOperator(Sema &S, ConditionalOperator *E, QualType T); 4297 4298 void CheckConditionalOperand(Sema &S, Expr *E, QualType T, 4299 SourceLocation CC, bool &ICContext) { 4300 E = E->IgnoreParenImpCasts(); 4301 4302 if (isa<ConditionalOperator>(E)) 4303 return CheckConditionalOperator(S, cast<ConditionalOperator>(E), T); 4304 4305 AnalyzeImplicitConversions(S, E, CC); 4306 if (E->getType() != T) 4307 return CheckImplicitConversion(S, E, T, CC, &ICContext); 4308 return; 4309 } 4310 4311 void CheckConditionalOperator(Sema &S, ConditionalOperator *E, QualType T) { 4312 SourceLocation CC = E->getQuestionLoc(); 4313 4314 AnalyzeImplicitConversions(S, E->getCond(), CC); 4315 4316 bool Suspicious = false; 4317 CheckConditionalOperand(S, E->getTrueExpr(), T, CC, Suspicious); 4318 CheckConditionalOperand(S, E->getFalseExpr(), T, CC, Suspicious); 4319 4320 // If -Wconversion would have warned about either of the candidates 4321 // for a signedness conversion to the context type... 4322 if (!Suspicious) return; 4323 4324 // ...but it's currently ignored... 4325 if (S.Diags.getDiagnosticLevel(diag::warn_impcast_integer_sign_conditional, 4326 CC)) 4327 return; 4328 4329 // ...then check whether it would have warned about either of the 4330 // candidates for a signedness conversion to the condition type. 4331 if (E->getType() == T) return; 4332 4333 Suspicious = false; 4334 CheckImplicitConversion(S, E->getTrueExpr()->IgnoreParenImpCasts(), 4335 E->getType(), CC, &Suspicious); 4336 if (!Suspicious) 4337 CheckImplicitConversion(S, E->getFalseExpr()->IgnoreParenImpCasts(), 4338 E->getType(), CC, &Suspicious); 4339 } 4340 4341 /// AnalyzeImplicitConversions - Find and report any interesting 4342 /// implicit conversions in the given expression. There are a couple 4343 /// of competing diagnostics here, -Wconversion and -Wsign-compare. 4344 void AnalyzeImplicitConversions(Sema &S, Expr *OrigE, SourceLocation CC) { 4345 QualType T = OrigE->getType(); 4346 Expr *E = OrigE->IgnoreParenImpCasts(); 4347 4348 if (E->isTypeDependent() || E->isValueDependent()) 4349 return; 4350 4351 // For conditional operators, we analyze the arguments as if they 4352 // were being fed directly into the output. 4353 if (isa<ConditionalOperator>(E)) { 4354 ConditionalOperator *CO = cast<ConditionalOperator>(E); 4355 CheckConditionalOperator(S, CO, T); 4356 return; 4357 } 4358 4359 // Go ahead and check any implicit conversions we might have skipped. 4360 // The non-canonical typecheck is just an optimization; 4361 // CheckImplicitConversion will filter out dead implicit conversions. 4362 if (E->getType() != T) 4363 CheckImplicitConversion(S, E, T, CC); 4364 4365 // Now continue drilling into this expression. 4366 4367 // Skip past explicit casts. 4368 if (isa<ExplicitCastExpr>(E)) { 4369 E = cast<ExplicitCastExpr>(E)->getSubExpr()->IgnoreParenImpCasts(); 4370 return AnalyzeImplicitConversions(S, E, CC); 4371 } 4372 4373 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 4374 // Do a somewhat different check with comparison operators. 4375 if (BO->isComparisonOp()) 4376 return AnalyzeComparison(S, BO); 4377 4378 // And with simple assignments. 4379 if (BO->getOpcode() == BO_Assign) 4380 return AnalyzeAssignment(S, BO); 4381 } 4382 4383 // These break the otherwise-useful invariant below. Fortunately, 4384 // we don't really need to recurse into them, because any internal 4385 // expressions should have been analyzed already when they were 4386 // built into statements. 4387 if (isa<StmtExpr>(E)) return; 4388 4389 // Don't descend into unevaluated contexts. 4390 if (isa<UnaryExprOrTypeTraitExpr>(E)) return; 4391 4392 // Now just recurse over the expression's children. 4393 CC = E->getExprLoc(); 4394 BinaryOperator *BO = dyn_cast<BinaryOperator>(E); 4395 bool IsLogicalOperator = BO && BO->isLogicalOp(); 4396 for (Stmt::child_range I = E->children(); I; ++I) { 4397 Expr *ChildExpr = dyn_cast_or_null<Expr>(*I); 4398 if (!ChildExpr) 4399 continue; 4400 4401 if (IsLogicalOperator && 4402 isa<StringLiteral>(ChildExpr->IgnoreParenImpCasts())) 4403 // Ignore checking string literals that are in logical operators. 4404 continue; 4405 AnalyzeImplicitConversions(S, ChildExpr, CC); 4406 } 4407 } 4408 4409 } // end anonymous namespace 4410 4411 /// Diagnoses "dangerous" implicit conversions within the given 4412 /// expression (which is a full expression). Implements -Wconversion 4413 /// and -Wsign-compare. 4414 /// 4415 /// \param CC the "context" location of the implicit conversion, i.e. 4416 /// the most location of the syntactic entity requiring the implicit 4417 /// conversion 4418 void Sema::CheckImplicitConversions(Expr *E, SourceLocation CC) { 4419 // Don't diagnose in unevaluated contexts. 4420 if (ExprEvalContexts.back().Context == Sema::Unevaluated) 4421 return; 4422 4423 // Don't diagnose for value- or type-dependent expressions. 4424 if (E->isTypeDependent() || E->isValueDependent()) 4425 return; 4426 4427 // Check for array bounds violations in cases where the check isn't triggered 4428 // elsewhere for other Expr types (like BinaryOperators), e.g. when an 4429 // ArraySubscriptExpr is on the RHS of a variable initialization. 4430 CheckArrayAccess(E); 4431 4432 // This is not the right CC for (e.g.) a variable initialization. 4433 AnalyzeImplicitConversions(*this, E, CC); 4434 } 4435 4436 void Sema::CheckBitFieldInitialization(SourceLocation InitLoc, 4437 FieldDecl *BitField, 4438 Expr *Init) { 4439 (void) AnalyzeBitFieldAssignment(*this, BitField, Init, InitLoc); 4440 } 4441 4442 /// CheckParmsForFunctionDef - Check that the parameters of the given 4443 /// function are appropriate for the definition of a function. This 4444 /// takes care of any checks that cannot be performed on the 4445 /// declaration itself, e.g., that the types of each of the function 4446 /// parameters are complete. 4447 bool Sema::CheckParmsForFunctionDef(ParmVarDecl **P, ParmVarDecl **PEnd, 4448 bool CheckParameterNames) { 4449 bool HasInvalidParm = false; 4450 for (; P != PEnd; ++P) { 4451 ParmVarDecl *Param = *P; 4452 4453 // C99 6.7.5.3p4: the parameters in a parameter type list in a 4454 // function declarator that is part of a function definition of 4455 // that function shall not have incomplete type. 4456 // 4457 // This is also C++ [dcl.fct]p6. 4458 if (!Param->isInvalidDecl() && 4459 RequireCompleteType(Param->getLocation(), Param->getType(), 4460 diag::err_typecheck_decl_incomplete_type)) { 4461 Param->setInvalidDecl(); 4462 HasInvalidParm = true; 4463 } 4464 4465 // C99 6.9.1p5: If the declarator includes a parameter type list, the 4466 // declaration of each parameter shall include an identifier. 4467 if (CheckParameterNames && 4468 Param->getIdentifier() == 0 && 4469 !Param->isImplicit() && 4470 !getLangOpts().CPlusPlus) 4471 Diag(Param->getLocation(), diag::err_parameter_name_omitted); 4472 4473 // C99 6.7.5.3p12: 4474 // If the function declarator is not part of a definition of that 4475 // function, parameters may have incomplete type and may use the [*] 4476 // notation in their sequences of declarator specifiers to specify 4477 // variable length array types. 4478 QualType PType = Param->getOriginalType(); 4479 if (const ArrayType *AT = Context.getAsArrayType(PType)) { 4480 if (AT->getSizeModifier() == ArrayType::Star) { 4481 // FIXME: This diagnosic should point the the '[*]' if source-location 4482 // information is added for it. 4483 Diag(Param->getLocation(), diag::err_array_star_in_function_definition); 4484 } 4485 } 4486 } 4487 4488 return HasInvalidParm; 4489 } 4490 4491 /// CheckCastAlign - Implements -Wcast-align, which warns when a 4492 /// pointer cast increases the alignment requirements. 4493 void Sema::CheckCastAlign(Expr *Op, QualType T, SourceRange TRange) { 4494 // This is actually a lot of work to potentially be doing on every 4495 // cast; don't do it if we're ignoring -Wcast_align (as is the default). 4496 if (getDiagnostics().getDiagnosticLevel(diag::warn_cast_align, 4497 TRange.getBegin()) 4498 == DiagnosticsEngine::Ignored) 4499 return; 4500 4501 // Ignore dependent types. 4502 if (T->isDependentType() || Op->getType()->isDependentType()) 4503 return; 4504 4505 // Require that the destination be a pointer type. 4506 const PointerType *DestPtr = T->getAs<PointerType>(); 4507 if (!DestPtr) return; 4508 4509 // If the destination has alignment 1, we're done. 4510 QualType DestPointee = DestPtr->getPointeeType(); 4511 if (DestPointee->isIncompleteType()) return; 4512 CharUnits DestAlign = Context.getTypeAlignInChars(DestPointee); 4513 if (DestAlign.isOne()) return; 4514 4515 // Require that the source be a pointer type. 4516 const PointerType *SrcPtr = Op->getType()->getAs<PointerType>(); 4517 if (!SrcPtr) return; 4518 QualType SrcPointee = SrcPtr->getPointeeType(); 4519 4520 // Whitelist casts from cv void*. We already implicitly 4521 // whitelisted casts to cv void*, since they have alignment 1. 4522 // Also whitelist casts involving incomplete types, which implicitly 4523 // includes 'void'. 4524 if (SrcPointee->isIncompleteType()) return; 4525 4526 CharUnits SrcAlign = Context.getTypeAlignInChars(SrcPointee); 4527 if (SrcAlign >= DestAlign) return; 4528 4529 Diag(TRange.getBegin(), diag::warn_cast_align) 4530 << Op->getType() << T 4531 << static_cast<unsigned>(SrcAlign.getQuantity()) 4532 << static_cast<unsigned>(DestAlign.getQuantity()) 4533 << TRange << Op->getSourceRange(); 4534 } 4535 4536 static const Type* getElementType(const Expr *BaseExpr) { 4537 const Type* EltType = BaseExpr->getType().getTypePtr(); 4538 if (EltType->isAnyPointerType()) 4539 return EltType->getPointeeType().getTypePtr(); 4540 else if (EltType->isArrayType()) 4541 return EltType->getBaseElementTypeUnsafe(); 4542 return EltType; 4543 } 4544 4545 /// \brief Check whether this array fits the idiom of a size-one tail padded 4546 /// array member of a struct. 4547 /// 4548 /// We avoid emitting out-of-bounds access warnings for such arrays as they are 4549 /// commonly used to emulate flexible arrays in C89 code. 4550 static bool IsTailPaddedMemberArray(Sema &S, llvm::APInt Size, 4551 const NamedDecl *ND) { 4552 if (Size != 1 || !ND) return false; 4553 4554 const FieldDecl *FD = dyn_cast<FieldDecl>(ND); 4555 if (!FD) return false; 4556 4557 // Don't consider sizes resulting from macro expansions or template argument 4558 // substitution to form C89 tail-padded arrays. 4559 ConstantArrayTypeLoc TL = 4560 cast<ConstantArrayTypeLoc>(FD->getTypeSourceInfo()->getTypeLoc()); 4561 const Expr *SizeExpr = dyn_cast<IntegerLiteral>(TL.getSizeExpr()); 4562 if (!SizeExpr || SizeExpr->getExprLoc().isMacroID()) 4563 return false; 4564 4565 const RecordDecl *RD = dyn_cast<RecordDecl>(FD->getDeclContext()); 4566 if (!RD) return false; 4567 if (RD->isUnion()) return false; 4568 if (const CXXRecordDecl *CRD = dyn_cast<CXXRecordDecl>(RD)) { 4569 if (!CRD->isStandardLayout()) return false; 4570 } 4571 4572 // See if this is the last field decl in the record. 4573 const Decl *D = FD; 4574 while ((D = D->getNextDeclInContext())) 4575 if (isa<FieldDecl>(D)) 4576 return false; 4577 return true; 4578 } 4579 4580 void Sema::CheckArrayAccess(const Expr *BaseExpr, const Expr *IndexExpr, 4581 const ArraySubscriptExpr *ASE, 4582 bool AllowOnePastEnd, bool IndexNegated) { 4583 IndexExpr = IndexExpr->IgnoreParenImpCasts(); 4584 if (IndexExpr->isValueDependent()) 4585 return; 4586 4587 const Type *EffectiveType = getElementType(BaseExpr); 4588 BaseExpr = BaseExpr->IgnoreParenCasts(); 4589 const ConstantArrayType *ArrayTy = 4590 Context.getAsConstantArrayType(BaseExpr->getType()); 4591 if (!ArrayTy) 4592 return; 4593 4594 llvm::APSInt index; 4595 if (!IndexExpr->EvaluateAsInt(index, Context)) 4596 return; 4597 if (IndexNegated) 4598 index = -index; 4599 4600 const NamedDecl *ND = NULL; 4601 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr)) 4602 ND = dyn_cast<NamedDecl>(DRE->getDecl()); 4603 if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr)) 4604 ND = dyn_cast<NamedDecl>(ME->getMemberDecl()); 4605 4606 if (index.isUnsigned() || !index.isNegative()) { 4607 llvm::APInt size = ArrayTy->getSize(); 4608 if (!size.isStrictlyPositive()) 4609 return; 4610 4611 const Type* BaseType = getElementType(BaseExpr); 4612 if (BaseType != EffectiveType) { 4613 // Make sure we're comparing apples to apples when comparing index to size 4614 uint64_t ptrarith_typesize = Context.getTypeSize(EffectiveType); 4615 uint64_t array_typesize = Context.getTypeSize(BaseType); 4616 // Handle ptrarith_typesize being zero, such as when casting to void* 4617 if (!ptrarith_typesize) ptrarith_typesize = 1; 4618 if (ptrarith_typesize != array_typesize) { 4619 // There's a cast to a different size type involved 4620 uint64_t ratio = array_typesize / ptrarith_typesize; 4621 // TODO: Be smarter about handling cases where array_typesize is not a 4622 // multiple of ptrarith_typesize 4623 if (ptrarith_typesize * ratio == array_typesize) 4624 size *= llvm::APInt(size.getBitWidth(), ratio); 4625 } 4626 } 4627 4628 if (size.getBitWidth() > index.getBitWidth()) 4629 index = index.zext(size.getBitWidth()); 4630 else if (size.getBitWidth() < index.getBitWidth()) 4631 size = size.zext(index.getBitWidth()); 4632 4633 // For array subscripting the index must be less than size, but for pointer 4634 // arithmetic also allow the index (offset) to be equal to size since 4635 // computing the next address after the end of the array is legal and 4636 // commonly done e.g. in C++ iterators and range-based for loops. 4637 if (AllowOnePastEnd ? index.ule(size) : index.ult(size)) 4638 return; 4639 4640 // Also don't warn for arrays of size 1 which are members of some 4641 // structure. These are often used to approximate flexible arrays in C89 4642 // code. 4643 if (IsTailPaddedMemberArray(*this, size, ND)) 4644 return; 4645 4646 // Suppress the warning if the subscript expression (as identified by the 4647 // ']' location) and the index expression are both from macro expansions 4648 // within a system header. 4649 if (ASE) { 4650 SourceLocation RBracketLoc = SourceMgr.getSpellingLoc( 4651 ASE->getRBracketLoc()); 4652 if (SourceMgr.isInSystemHeader(RBracketLoc)) { 4653 SourceLocation IndexLoc = SourceMgr.getSpellingLoc( 4654 IndexExpr->getLocStart()); 4655 if (SourceMgr.isFromSameFile(RBracketLoc, IndexLoc)) 4656 return; 4657 } 4658 } 4659 4660 unsigned DiagID = diag::warn_ptr_arith_exceeds_bounds; 4661 if (ASE) 4662 DiagID = diag::warn_array_index_exceeds_bounds; 4663 4664 DiagRuntimeBehavior(BaseExpr->getLocStart(), BaseExpr, 4665 PDiag(DiagID) << index.toString(10, true) 4666 << size.toString(10, true) 4667 << (unsigned)size.getLimitedValue(~0U) 4668 << IndexExpr->getSourceRange()); 4669 } else { 4670 unsigned DiagID = diag::warn_array_index_precedes_bounds; 4671 if (!ASE) { 4672 DiagID = diag::warn_ptr_arith_precedes_bounds; 4673 if (index.isNegative()) index = -index; 4674 } 4675 4676 DiagRuntimeBehavior(BaseExpr->getLocStart(), BaseExpr, 4677 PDiag(DiagID) << index.toString(10, true) 4678 << IndexExpr->getSourceRange()); 4679 } 4680 4681 if (!ND) { 4682 // Try harder to find a NamedDecl to point at in the note. 4683 while (const ArraySubscriptExpr *ASE = 4684 dyn_cast<ArraySubscriptExpr>(BaseExpr)) 4685 BaseExpr = ASE->getBase()->IgnoreParenCasts(); 4686 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr)) 4687 ND = dyn_cast<NamedDecl>(DRE->getDecl()); 4688 if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr)) 4689 ND = dyn_cast<NamedDecl>(ME->getMemberDecl()); 4690 } 4691 4692 if (ND) 4693 DiagRuntimeBehavior(ND->getLocStart(), BaseExpr, 4694 PDiag(diag::note_array_index_out_of_bounds) 4695 << ND->getDeclName()); 4696 } 4697 4698 void Sema::CheckArrayAccess(const Expr *expr) { 4699 int AllowOnePastEnd = 0; 4700 while (expr) { 4701 expr = expr->IgnoreParenImpCasts(); 4702 switch (expr->getStmtClass()) { 4703 case Stmt::ArraySubscriptExprClass: { 4704 const ArraySubscriptExpr *ASE = cast<ArraySubscriptExpr>(expr); 4705 CheckArrayAccess(ASE->getBase(), ASE->getIdx(), ASE, 4706 AllowOnePastEnd > 0); 4707 return; 4708 } 4709 case Stmt::UnaryOperatorClass: { 4710 // Only unwrap the * and & unary operators 4711 const UnaryOperator *UO = cast<UnaryOperator>(expr); 4712 expr = UO->getSubExpr(); 4713 switch (UO->getOpcode()) { 4714 case UO_AddrOf: 4715 AllowOnePastEnd++; 4716 break; 4717 case UO_Deref: 4718 AllowOnePastEnd--; 4719 break; 4720 default: 4721 return; 4722 } 4723 break; 4724 } 4725 case Stmt::ConditionalOperatorClass: { 4726 const ConditionalOperator *cond = cast<ConditionalOperator>(expr); 4727 if (const Expr *lhs = cond->getLHS()) 4728 CheckArrayAccess(lhs); 4729 if (const Expr *rhs = cond->getRHS()) 4730 CheckArrayAccess(rhs); 4731 return; 4732 } 4733 default: 4734 return; 4735 } 4736 } 4737 } 4738 4739 //===--- CHECK: Objective-C retain cycles ----------------------------------// 4740 4741 namespace { 4742 struct RetainCycleOwner { 4743 RetainCycleOwner() : Variable(0), Indirect(false) {} 4744 VarDecl *Variable; 4745 SourceRange Range; 4746 SourceLocation Loc; 4747 bool Indirect; 4748 4749 void setLocsFrom(Expr *e) { 4750 Loc = e->getExprLoc(); 4751 Range = e->getSourceRange(); 4752 } 4753 }; 4754 } 4755 4756 /// Consider whether capturing the given variable can possibly lead to 4757 /// a retain cycle. 4758 static bool considerVariable(VarDecl *var, Expr *ref, RetainCycleOwner &owner) { 4759 // In ARC, it's captured strongly iff the variable has __strong 4760 // lifetime. In MRR, it's captured strongly if the variable is 4761 // __block and has an appropriate type. 4762 if (var->getType().getObjCLifetime() != Qualifiers::OCL_Strong) 4763 return false; 4764 4765 owner.Variable = var; 4766 owner.setLocsFrom(ref); 4767 return true; 4768 } 4769 4770 static bool findRetainCycleOwner(Sema &S, Expr *e, RetainCycleOwner &owner) { 4771 while (true) { 4772 e = e->IgnoreParens(); 4773 if (CastExpr *cast = dyn_cast<CastExpr>(e)) { 4774 switch (cast->getCastKind()) { 4775 case CK_BitCast: 4776 case CK_LValueBitCast: 4777 case CK_LValueToRValue: 4778 case CK_ARCReclaimReturnedObject: 4779 e = cast->getSubExpr(); 4780 continue; 4781 4782 default: 4783 return false; 4784 } 4785 } 4786 4787 if (ObjCIvarRefExpr *ref = dyn_cast<ObjCIvarRefExpr>(e)) { 4788 ObjCIvarDecl *ivar = ref->getDecl(); 4789 if (ivar->getType().getObjCLifetime() != Qualifiers::OCL_Strong) 4790 return false; 4791 4792 // Try to find a retain cycle in the base. 4793 if (!findRetainCycleOwner(S, ref->getBase(), owner)) 4794 return false; 4795 4796 if (ref->isFreeIvar()) owner.setLocsFrom(ref); 4797 owner.Indirect = true; 4798 return true; 4799 } 4800 4801 if (DeclRefExpr *ref = dyn_cast<DeclRefExpr>(e)) { 4802 VarDecl *var = dyn_cast<VarDecl>(ref->getDecl()); 4803 if (!var) return false; 4804 return considerVariable(var, ref, owner); 4805 } 4806 4807 if (MemberExpr *member = dyn_cast<MemberExpr>(e)) { 4808 if (member->isArrow()) return false; 4809 4810 // Don't count this as an indirect ownership. 4811 e = member->getBase(); 4812 continue; 4813 } 4814 4815 if (PseudoObjectExpr *pseudo = dyn_cast<PseudoObjectExpr>(e)) { 4816 // Only pay attention to pseudo-objects on property references. 4817 ObjCPropertyRefExpr *pre 4818 = dyn_cast<ObjCPropertyRefExpr>(pseudo->getSyntacticForm() 4819 ->IgnoreParens()); 4820 if (!pre) return false; 4821 if (pre->isImplicitProperty()) return false; 4822 ObjCPropertyDecl *property = pre->getExplicitProperty(); 4823 if (!property->isRetaining() && 4824 !(property->getPropertyIvarDecl() && 4825 property->getPropertyIvarDecl()->getType() 4826 .getObjCLifetime() == Qualifiers::OCL_Strong)) 4827 return false; 4828 4829 owner.Indirect = true; 4830 if (pre->isSuperReceiver()) { 4831 owner.Variable = S.getCurMethodDecl()->getSelfDecl(); 4832 if (!owner.Variable) 4833 return false; 4834 owner.Loc = pre->getLocation(); 4835 owner.Range = pre->getSourceRange(); 4836 return true; 4837 } 4838 e = const_cast<Expr*>(cast<OpaqueValueExpr>(pre->getBase()) 4839 ->getSourceExpr()); 4840 continue; 4841 } 4842 4843 // Array ivars? 4844 4845 return false; 4846 } 4847 } 4848 4849 namespace { 4850 struct FindCaptureVisitor : EvaluatedExprVisitor<FindCaptureVisitor> { 4851 FindCaptureVisitor(ASTContext &Context, VarDecl *variable) 4852 : EvaluatedExprVisitor<FindCaptureVisitor>(Context), 4853 Variable(variable), Capturer(0) {} 4854 4855 VarDecl *Variable; 4856 Expr *Capturer; 4857 4858 void VisitDeclRefExpr(DeclRefExpr *ref) { 4859 if (ref->getDecl() == Variable && !Capturer) 4860 Capturer = ref; 4861 } 4862 4863 void VisitObjCIvarRefExpr(ObjCIvarRefExpr *ref) { 4864 if (Capturer) return; 4865 Visit(ref->getBase()); 4866 if (Capturer && ref->isFreeIvar()) 4867 Capturer = ref; 4868 } 4869 4870 void VisitBlockExpr(BlockExpr *block) { 4871 // Look inside nested blocks 4872 if (block->getBlockDecl()->capturesVariable(Variable)) 4873 Visit(block->getBlockDecl()->getBody()); 4874 } 4875 }; 4876 } 4877 4878 /// Check whether the given argument is a block which captures a 4879 /// variable. 4880 static Expr *findCapturingExpr(Sema &S, Expr *e, RetainCycleOwner &owner) { 4881 assert(owner.Variable && owner.Loc.isValid()); 4882 4883 e = e->IgnoreParenCasts(); 4884 BlockExpr *block = dyn_cast<BlockExpr>(e); 4885 if (!block || !block->getBlockDecl()->capturesVariable(owner.Variable)) 4886 return 0; 4887 4888 FindCaptureVisitor visitor(S.Context, owner.Variable); 4889 visitor.Visit(block->getBlockDecl()->getBody()); 4890 return visitor.Capturer; 4891 } 4892 4893 static void diagnoseRetainCycle(Sema &S, Expr *capturer, 4894 RetainCycleOwner &owner) { 4895 assert(capturer); 4896 assert(owner.Variable && owner.Loc.isValid()); 4897 4898 S.Diag(capturer->getExprLoc(), diag::warn_arc_retain_cycle) 4899 << owner.Variable << capturer->getSourceRange(); 4900 S.Diag(owner.Loc, diag::note_arc_retain_cycle_owner) 4901 << owner.Indirect << owner.Range; 4902 } 4903 4904 /// Check for a keyword selector that starts with the word 'add' or 4905 /// 'set'. 4906 static bool isSetterLikeSelector(Selector sel) { 4907 if (sel.isUnarySelector()) return false; 4908 4909 StringRef str = sel.getNameForSlot(0); 4910 while (!str.empty() && str.front() == '_') str = str.substr(1); 4911 if (str.startswith("set")) 4912 str = str.substr(3); 4913 else if (str.startswith("add")) { 4914 // Specially whitelist 'addOperationWithBlock:'. 4915 if (sel.getNumArgs() == 1 && str.startswith("addOperationWithBlock")) 4916 return false; 4917 str = str.substr(3); 4918 } 4919 else 4920 return false; 4921 4922 if (str.empty()) return true; 4923 return !islower(str.front()); 4924 } 4925 4926 /// Check a message send to see if it's likely to cause a retain cycle. 4927 void Sema::checkRetainCycles(ObjCMessageExpr *msg) { 4928 // Only check instance methods whose selector looks like a setter. 4929 if (!msg->isInstanceMessage() || !isSetterLikeSelector(msg->getSelector())) 4930 return; 4931 4932 // Try to find a variable that the receiver is strongly owned by. 4933 RetainCycleOwner owner; 4934 if (msg->getReceiverKind() == ObjCMessageExpr::Instance) { 4935 if (!findRetainCycleOwner(*this, msg->getInstanceReceiver(), owner)) 4936 return; 4937 } else { 4938 assert(msg->getReceiverKind() == ObjCMessageExpr::SuperInstance); 4939 owner.Variable = getCurMethodDecl()->getSelfDecl(); 4940 owner.Loc = msg->getSuperLoc(); 4941 owner.Range = msg->getSuperLoc(); 4942 } 4943 4944 // Check whether the receiver is captured by any of the arguments. 4945 for (unsigned i = 0, e = msg->getNumArgs(); i != e; ++i) 4946 if (Expr *capturer = findCapturingExpr(*this, msg->getArg(i), owner)) 4947 return diagnoseRetainCycle(*this, capturer, owner); 4948 } 4949 4950 /// Check a property assign to see if it's likely to cause a retain cycle. 4951 void Sema::checkRetainCycles(Expr *receiver, Expr *argument) { 4952 RetainCycleOwner owner; 4953 if (!findRetainCycleOwner(*this, receiver, owner)) 4954 return; 4955 4956 if (Expr *capturer = findCapturingExpr(*this, argument, owner)) 4957 diagnoseRetainCycle(*this, capturer, owner); 4958 } 4959 4960 bool Sema::checkUnsafeAssigns(SourceLocation Loc, 4961 QualType LHS, Expr *RHS) { 4962 Qualifiers::ObjCLifetime LT = LHS.getObjCLifetime(); 4963 if (LT != Qualifiers::OCL_Weak && LT != Qualifiers::OCL_ExplicitNone) 4964 return false; 4965 // strip off any implicit cast added to get to the one arc-specific 4966 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) { 4967 if (cast->getCastKind() == CK_ARCConsumeObject) { 4968 Diag(Loc, diag::warn_arc_retained_assign) 4969 << (LT == Qualifiers::OCL_ExplicitNone) 4970 << RHS->getSourceRange(); 4971 return true; 4972 } 4973 RHS = cast->getSubExpr(); 4974 } 4975 return false; 4976 } 4977 4978 void Sema::checkUnsafeExprAssigns(SourceLocation Loc, 4979 Expr *LHS, Expr *RHS) { 4980 QualType LHSType; 4981 // PropertyRef on LHS type need be directly obtained from 4982 // its declaration as it has a PsuedoType. 4983 ObjCPropertyRefExpr *PRE 4984 = dyn_cast<ObjCPropertyRefExpr>(LHS->IgnoreParens()); 4985 if (PRE && !PRE->isImplicitProperty()) { 4986 const ObjCPropertyDecl *PD = PRE->getExplicitProperty(); 4987 if (PD) 4988 LHSType = PD->getType(); 4989 } 4990 4991 if (LHSType.isNull()) 4992 LHSType = LHS->getType(); 4993 if (checkUnsafeAssigns(Loc, LHSType, RHS)) 4994 return; 4995 Qualifiers::ObjCLifetime LT = LHSType.getObjCLifetime(); 4996 // FIXME. Check for other life times. 4997 if (LT != Qualifiers::OCL_None) 4998 return; 4999 5000 if (PRE) { 5001 if (PRE->isImplicitProperty()) 5002 return; 5003 const ObjCPropertyDecl *PD = PRE->getExplicitProperty(); 5004 if (!PD) 5005 return; 5006 5007 unsigned Attributes = PD->getPropertyAttributes(); 5008 if (Attributes & ObjCPropertyDecl::OBJC_PR_assign) { 5009 // when 'assign' attribute was not explicitly specified 5010 // by user, ignore it and rely on property type itself 5011 // for lifetime info. 5012 unsigned AsWrittenAttr = PD->getPropertyAttributesAsWritten(); 5013 if (!(AsWrittenAttr & ObjCPropertyDecl::OBJC_PR_assign) && 5014 LHSType->isObjCRetainableType()) 5015 return; 5016 5017 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) { 5018 if (cast->getCastKind() == CK_ARCConsumeObject) { 5019 Diag(Loc, diag::warn_arc_retained_property_assign) 5020 << RHS->getSourceRange(); 5021 return; 5022 } 5023 RHS = cast->getSubExpr(); 5024 } 5025 } 5026 } 5027 } 5028 5029 //===--- CHECK: Empty statement body (-Wempty-body) ---------------------===// 5030 5031 namespace { 5032 bool ShouldDiagnoseEmptyStmtBody(const SourceManager &SourceMgr, 5033 SourceLocation StmtLoc, 5034 const NullStmt *Body) { 5035 // Do not warn if the body is a macro that expands to nothing, e.g: 5036 // 5037 // #define CALL(x) 5038 // if (condition) 5039 // CALL(0); 5040 // 5041 if (Body->hasLeadingEmptyMacro()) 5042 return false; 5043 5044 // Get line numbers of statement and body. 5045 bool StmtLineInvalid; 5046 unsigned StmtLine = SourceMgr.getSpellingLineNumber(StmtLoc, 5047 &StmtLineInvalid); 5048 if (StmtLineInvalid) 5049 return false; 5050 5051 bool BodyLineInvalid; 5052 unsigned BodyLine = SourceMgr.getSpellingLineNumber(Body->getSemiLoc(), 5053 &BodyLineInvalid); 5054 if (BodyLineInvalid) 5055 return false; 5056 5057 // Warn if null statement and body are on the same line. 5058 if (StmtLine != BodyLine) 5059 return false; 5060 5061 return true; 5062 } 5063 } // Unnamed namespace 5064 5065 void Sema::DiagnoseEmptyStmtBody(SourceLocation StmtLoc, 5066 const Stmt *Body, 5067 unsigned DiagID) { 5068 // Since this is a syntactic check, don't emit diagnostic for template 5069 // instantiations, this just adds noise. 5070 if (CurrentInstantiationScope) 5071 return; 5072 5073 // The body should be a null statement. 5074 const NullStmt *NBody = dyn_cast<NullStmt>(Body); 5075 if (!NBody) 5076 return; 5077 5078 // Do the usual checks. 5079 if (!ShouldDiagnoseEmptyStmtBody(SourceMgr, StmtLoc, NBody)) 5080 return; 5081 5082 Diag(NBody->getSemiLoc(), DiagID); 5083 Diag(NBody->getSemiLoc(), diag::note_empty_body_on_separate_line); 5084 } 5085 5086 void Sema::DiagnoseEmptyLoopBody(const Stmt *S, 5087 const Stmt *PossibleBody) { 5088 assert(!CurrentInstantiationScope); // Ensured by caller 5089 5090 SourceLocation StmtLoc; 5091 const Stmt *Body; 5092 unsigned DiagID; 5093 if (const ForStmt *FS = dyn_cast<ForStmt>(S)) { 5094 StmtLoc = FS->getRParenLoc(); 5095 Body = FS->getBody(); 5096 DiagID = diag::warn_empty_for_body; 5097 } else if (const WhileStmt *WS = dyn_cast<WhileStmt>(S)) { 5098 StmtLoc = WS->getCond()->getSourceRange().getEnd(); 5099 Body = WS->getBody(); 5100 DiagID = diag::warn_empty_while_body; 5101 } else 5102 return; // Neither `for' nor `while'. 5103 5104 // The body should be a null statement. 5105 const NullStmt *NBody = dyn_cast<NullStmt>(Body); 5106 if (!NBody) 5107 return; 5108 5109 // Skip expensive checks if diagnostic is disabled. 5110 if (Diags.getDiagnosticLevel(DiagID, NBody->getSemiLoc()) == 5111 DiagnosticsEngine::Ignored) 5112 return; 5113 5114 // Do the usual checks. 5115 if (!ShouldDiagnoseEmptyStmtBody(SourceMgr, StmtLoc, NBody)) 5116 return; 5117 5118 // `for(...);' and `while(...);' are popular idioms, so in order to keep 5119 // noise level low, emit diagnostics only if for/while is followed by a 5120 // CompoundStmt, e.g.: 5121 // for (int i = 0; i < n; i++); 5122 // { 5123 // a(i); 5124 // } 5125 // or if for/while is followed by a statement with more indentation 5126 // than for/while itself: 5127 // for (int i = 0; i < n; i++); 5128 // a(i); 5129 bool ProbableTypo = isa<CompoundStmt>(PossibleBody); 5130 if (!ProbableTypo) { 5131 bool BodyColInvalid; 5132 unsigned BodyCol = SourceMgr.getPresumedColumnNumber( 5133 PossibleBody->getLocStart(), 5134 &BodyColInvalid); 5135 if (BodyColInvalid) 5136 return; 5137 5138 bool StmtColInvalid; 5139 unsigned StmtCol = SourceMgr.getPresumedColumnNumber( 5140 S->getLocStart(), 5141 &StmtColInvalid); 5142 if (StmtColInvalid) 5143 return; 5144 5145 if (BodyCol > StmtCol) 5146 ProbableTypo = true; 5147 } 5148 5149 if (ProbableTypo) { 5150 Diag(NBody->getSemiLoc(), DiagID); 5151 Diag(NBody->getSemiLoc(), diag::note_empty_body_on_separate_line); 5152 } 5153 } 5154
