1 //===--- SemaChecking.cpp - Extra Semantic Checking -----------------------===// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file implements extra semantic analysis beyond what is enforced 11 // by the C type system. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "clang/Sema/Initialization.h" 16 #include "clang/Sema/Sema.h" 17 #include "clang/Sema/SemaInternal.h" 18 #include "clang/Sema/Initialization.h" 19 #include "clang/Sema/Lookup.h" 20 #include "clang/Sema/ScopeInfo.h" 21 #include "clang/Analysis/Analyses/FormatString.h" 22 #include "clang/AST/ASTContext.h" 23 #include "clang/AST/CharUnits.h" 24 #include "clang/AST/DeclCXX.h" 25 #include "clang/AST/DeclObjC.h" 26 #include "clang/AST/Expr.h" 27 #include "clang/AST/ExprCXX.h" 28 #include "clang/AST/ExprObjC.h" 29 #include "clang/AST/EvaluatedExprVisitor.h" 30 #include "clang/AST/DeclObjC.h" 31 #include "clang/AST/StmtCXX.h" 32 #include "clang/AST/StmtObjC.h" 33 #include "clang/Lex/Preprocessor.h" 34 #include "llvm/ADT/BitVector.h" 35 #include "llvm/ADT/SmallString.h" 36 #include "llvm/ADT/STLExtras.h" 37 #include "llvm/Support/raw_ostream.h" 38 #include "clang/Basic/TargetBuiltins.h" 39 #include "clang/Basic/TargetInfo.h" 40 #include "clang/Basic/ConvertUTF.h" 41 #include <limits> 42 using namespace clang; 43 using namespace sema; 44 45 SourceLocation Sema::getLocationOfStringLiteralByte(const StringLiteral *SL, 46 unsigned ByteNo) const { 47 return SL->getLocationOfByte(ByteNo, PP.getSourceManager(), 48 PP.getLangOpts(), PP.getTargetInfo()); 49 } 50 51 /// Checks that a call expression's argument count is the desired number. 52 /// This is useful when doing custom type-checking. Returns true on error. 53 static bool checkArgCount(Sema &S, CallExpr *call, unsigned desiredArgCount) { 54 unsigned argCount = call->getNumArgs(); 55 if (argCount == desiredArgCount) return false; 56 57 if (argCount < desiredArgCount) 58 return S.Diag(call->getLocEnd(), diag::err_typecheck_call_too_few_args) 59 << 0 /*function call*/ << desiredArgCount << argCount 60 << call->getSourceRange(); 61 62 // Highlight all the excess arguments. 63 SourceRange range(call->getArg(desiredArgCount)->getLocStart(), 64 call->getArg(argCount - 1)->getLocEnd()); 65 66 return S.Diag(range.getBegin(), diag::err_typecheck_call_too_many_args) 67 << 0 /*function call*/ << desiredArgCount << argCount 68 << call->getArg(1)->getSourceRange(); 69 } 70 71 /// Check that the first argument to __builtin_annotation is an integer 72 /// and the second argument is a non-wide string literal. 73 static bool SemaBuiltinAnnotation(Sema &S, CallExpr *TheCall) { 74 if (checkArgCount(S, TheCall, 2)) 75 return true; 76 77 // First argument should be an integer. 78 Expr *ValArg = TheCall->getArg(0); 79 QualType Ty = ValArg->getType(); 80 if (!Ty->isIntegerType()) { 81 S.Diag(ValArg->getLocStart(), diag::err_builtin_annotation_first_arg) 82 << ValArg->getSourceRange(); 83 return true; 84 } 85 86 // Second argument should be a constant string. 87 Expr *StrArg = TheCall->getArg(1)->IgnoreParenCasts(); 88 StringLiteral *Literal = dyn_cast<StringLiteral>(StrArg); 89 if (!Literal || !Literal->isAscii()) { 90 S.Diag(StrArg->getLocStart(), diag::err_builtin_annotation_second_arg) 91 << StrArg->getSourceRange(); 92 return true; 93 } 94 95 TheCall->setType(Ty); 96 return false; 97 } 98 99 ExprResult 100 Sema::CheckBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 101 ExprResult TheCallResult(Owned(TheCall)); 102 103 // Find out if any arguments are required to be integer constant expressions. 104 unsigned ICEArguments = 0; 105 ASTContext::GetBuiltinTypeError Error; 106 Context.GetBuiltinType(BuiltinID, Error, &ICEArguments); 107 if (Error != ASTContext::GE_None) 108 ICEArguments = 0; // Don't diagnose previously diagnosed errors. 109 110 // If any arguments are required to be ICE's, check and diagnose. 111 for (unsigned ArgNo = 0; ICEArguments != 0; ++ArgNo) { 112 // Skip arguments not required to be ICE's. 113 if ((ICEArguments & (1 << ArgNo)) == 0) continue; 114 115 llvm::APSInt Result; 116 if (SemaBuiltinConstantArg(TheCall, ArgNo, Result)) 117 return true; 118 ICEArguments &= ~(1 << ArgNo); 119 } 120 121 switch (BuiltinID) { 122 case Builtin::BI__builtin___CFStringMakeConstantString: 123 assert(TheCall->getNumArgs() == 1 && 124 "Wrong # arguments to builtin CFStringMakeConstantString"); 125 if (CheckObjCString(TheCall->getArg(0))) 126 return ExprError(); 127 break; 128 case Builtin::BI__builtin_stdarg_start: 129 case Builtin::BI__builtin_va_start: 130 if (SemaBuiltinVAStart(TheCall)) 131 return ExprError(); 132 break; 133 case Builtin::BI__builtin_isgreater: 134 case Builtin::BI__builtin_isgreaterequal: 135 case Builtin::BI__builtin_isless: 136 case Builtin::BI__builtin_islessequal: 137 case Builtin::BI__builtin_islessgreater: 138 case Builtin::BI__builtin_isunordered: 139 if (SemaBuiltinUnorderedCompare(TheCall)) 140 return ExprError(); 141 break; 142 case Builtin::BI__builtin_fpclassify: 143 if (SemaBuiltinFPClassification(TheCall, 6)) 144 return ExprError(); 145 break; 146 case Builtin::BI__builtin_isfinite: 147 case Builtin::BI__builtin_isinf: 148 case Builtin::BI__builtin_isinf_sign: 149 case Builtin::BI__builtin_isnan: 150 case Builtin::BI__builtin_isnormal: 151 if (SemaBuiltinFPClassification(TheCall, 1)) 152 return ExprError(); 153 break; 154 case Builtin::BI__builtin_shufflevector: 155 return SemaBuiltinShuffleVector(TheCall); 156 // TheCall will be freed by the smart pointer here, but that's fine, since 157 // SemaBuiltinShuffleVector guts it, but then doesn't release it. 158 case Builtin::BI__builtin_prefetch: 159 if (SemaBuiltinPrefetch(TheCall)) 160 return ExprError(); 161 break; 162 case Builtin::BI__builtin_object_size: 163 if (SemaBuiltinObjectSize(TheCall)) 164 return ExprError(); 165 break; 166 case Builtin::BI__builtin_longjmp: 167 if (SemaBuiltinLongjmp(TheCall)) 168 return ExprError(); 169 break; 170 171 case Builtin::BI__builtin_classify_type: 172 if (checkArgCount(*this, TheCall, 1)) return true; 173 TheCall->setType(Context.IntTy); 174 break; 175 case Builtin::BI__builtin_constant_p: 176 if (checkArgCount(*this, TheCall, 1)) return true; 177 TheCall->setType(Context.IntTy); 178 break; 179 case Builtin::BI__sync_fetch_and_add: 180 case Builtin::BI__sync_fetch_and_add_1: 181 case Builtin::BI__sync_fetch_and_add_2: 182 case Builtin::BI__sync_fetch_and_add_4: 183 case Builtin::BI__sync_fetch_and_add_8: 184 case Builtin::BI__sync_fetch_and_add_16: 185 case Builtin::BI__sync_fetch_and_sub: 186 case Builtin::BI__sync_fetch_and_sub_1: 187 case Builtin::BI__sync_fetch_and_sub_2: 188 case Builtin::BI__sync_fetch_and_sub_4: 189 case Builtin::BI__sync_fetch_and_sub_8: 190 case Builtin::BI__sync_fetch_and_sub_16: 191 case Builtin::BI__sync_fetch_and_or: 192 case Builtin::BI__sync_fetch_and_or_1: 193 case Builtin::BI__sync_fetch_and_or_2: 194 case Builtin::BI__sync_fetch_and_or_4: 195 case Builtin::BI__sync_fetch_and_or_8: 196 case Builtin::BI__sync_fetch_and_or_16: 197 case Builtin::BI__sync_fetch_and_and: 198 case Builtin::BI__sync_fetch_and_and_1: 199 case Builtin::BI__sync_fetch_and_and_2: 200 case Builtin::BI__sync_fetch_and_and_4: 201 case Builtin::BI__sync_fetch_and_and_8: 202 case Builtin::BI__sync_fetch_and_and_16: 203 case Builtin::BI__sync_fetch_and_xor: 204 case Builtin::BI__sync_fetch_and_xor_1: 205 case Builtin::BI__sync_fetch_and_xor_2: 206 case Builtin::BI__sync_fetch_and_xor_4: 207 case Builtin::BI__sync_fetch_and_xor_8: 208 case Builtin::BI__sync_fetch_and_xor_16: 209 case Builtin::BI__sync_add_and_fetch: 210 case Builtin::BI__sync_add_and_fetch_1: 211 case Builtin::BI__sync_add_and_fetch_2: 212 case Builtin::BI__sync_add_and_fetch_4: 213 case Builtin::BI__sync_add_and_fetch_8: 214 case Builtin::BI__sync_add_and_fetch_16: 215 case Builtin::BI__sync_sub_and_fetch: 216 case Builtin::BI__sync_sub_and_fetch_1: 217 case Builtin::BI__sync_sub_and_fetch_2: 218 case Builtin::BI__sync_sub_and_fetch_4: 219 case Builtin::BI__sync_sub_and_fetch_8: 220 case Builtin::BI__sync_sub_and_fetch_16: 221 case Builtin::BI__sync_and_and_fetch: 222 case Builtin::BI__sync_and_and_fetch_1: 223 case Builtin::BI__sync_and_and_fetch_2: 224 case Builtin::BI__sync_and_and_fetch_4: 225 case Builtin::BI__sync_and_and_fetch_8: 226 case Builtin::BI__sync_and_and_fetch_16: 227 case Builtin::BI__sync_or_and_fetch: 228 case Builtin::BI__sync_or_and_fetch_1: 229 case Builtin::BI__sync_or_and_fetch_2: 230 case Builtin::BI__sync_or_and_fetch_4: 231 case Builtin::BI__sync_or_and_fetch_8: 232 case Builtin::BI__sync_or_and_fetch_16: 233 case Builtin::BI__sync_xor_and_fetch: 234 case Builtin::BI__sync_xor_and_fetch_1: 235 case Builtin::BI__sync_xor_and_fetch_2: 236 case Builtin::BI__sync_xor_and_fetch_4: 237 case Builtin::BI__sync_xor_and_fetch_8: 238 case Builtin::BI__sync_xor_and_fetch_16: 239 case Builtin::BI__sync_val_compare_and_swap: 240 case Builtin::BI__sync_val_compare_and_swap_1: 241 case Builtin::BI__sync_val_compare_and_swap_2: 242 case Builtin::BI__sync_val_compare_and_swap_4: 243 case Builtin::BI__sync_val_compare_and_swap_8: 244 case Builtin::BI__sync_val_compare_and_swap_16: 245 case Builtin::BI__sync_bool_compare_and_swap: 246 case Builtin::BI__sync_bool_compare_and_swap_1: 247 case Builtin::BI__sync_bool_compare_and_swap_2: 248 case Builtin::BI__sync_bool_compare_and_swap_4: 249 case Builtin::BI__sync_bool_compare_and_swap_8: 250 case Builtin::BI__sync_bool_compare_and_swap_16: 251 case Builtin::BI__sync_lock_test_and_set: 252 case Builtin::BI__sync_lock_test_and_set_1: 253 case Builtin::BI__sync_lock_test_and_set_2: 254 case Builtin::BI__sync_lock_test_and_set_4: 255 case Builtin::BI__sync_lock_test_and_set_8: 256 case Builtin::BI__sync_lock_test_and_set_16: 257 case Builtin::BI__sync_lock_release: 258 case Builtin::BI__sync_lock_release_1: 259 case Builtin::BI__sync_lock_release_2: 260 case Builtin::BI__sync_lock_release_4: 261 case Builtin::BI__sync_lock_release_8: 262 case Builtin::BI__sync_lock_release_16: 263 case Builtin::BI__sync_swap: 264 case Builtin::BI__sync_swap_1: 265 case Builtin::BI__sync_swap_2: 266 case Builtin::BI__sync_swap_4: 267 case Builtin::BI__sync_swap_8: 268 case Builtin::BI__sync_swap_16: 269 return SemaBuiltinAtomicOverloaded(TheCallResult); 270 #define BUILTIN(ID, TYPE, ATTRS) 271 #define ATOMIC_BUILTIN(ID, TYPE, ATTRS) \ 272 case Builtin::BI##ID: \ 273 return SemaAtomicOpsOverloaded(TheCallResult, AtomicExpr::AO##ID); 274 #include "clang/Basic/Builtins.def" 275 case Builtin::BI__builtin_annotation: 276 if (SemaBuiltinAnnotation(*this, TheCall)) 277 return ExprError(); 278 break; 279 } 280 281 // Since the target specific builtins for each arch overlap, only check those 282 // of the arch we are compiling for. 283 if (BuiltinID >= Builtin::FirstTSBuiltin) { 284 switch (Context.getTargetInfo().getTriple().getArch()) { 285 case llvm::Triple::arm: 286 case llvm::Triple::thumb: 287 if (CheckARMBuiltinFunctionCall(BuiltinID, TheCall)) 288 return ExprError(); 289 break; 290 case llvm::Triple::mips: 291 case llvm::Triple::mipsel: 292 case llvm::Triple::mips64: 293 case llvm::Triple::mips64el: 294 if (CheckMipsBuiltinFunctionCall(BuiltinID, TheCall)) 295 return ExprError(); 296 break; 297 default: 298 break; 299 } 300 } 301 302 return TheCallResult; 303 } 304 305 // Get the valid immediate range for the specified NEON type code. 306 static unsigned RFT(unsigned t, bool shift = false) { 307 NeonTypeFlags Type(t); 308 int IsQuad = Type.isQuad(); 309 switch (Type.getEltType()) { 310 case NeonTypeFlags::Int8: 311 case NeonTypeFlags::Poly8: 312 return shift ? 7 : (8 << IsQuad) - 1; 313 case NeonTypeFlags::Int16: 314 case NeonTypeFlags::Poly16: 315 return shift ? 15 : (4 << IsQuad) - 1; 316 case NeonTypeFlags::Int32: 317 return shift ? 31 : (2 << IsQuad) - 1; 318 case NeonTypeFlags::Int64: 319 return shift ? 63 : (1 << IsQuad) - 1; 320 case NeonTypeFlags::Float16: 321 assert(!shift && "cannot shift float types!"); 322 return (4 << IsQuad) - 1; 323 case NeonTypeFlags::Float32: 324 assert(!shift && "cannot shift float types!"); 325 return (2 << IsQuad) - 1; 326 } 327 llvm_unreachable("Invalid NeonTypeFlag!"); 328 } 329 330 /// getNeonEltType - Return the QualType corresponding to the elements of 331 /// the vector type specified by the NeonTypeFlags. This is used to check 332 /// the pointer arguments for Neon load/store intrinsics. 333 static QualType getNeonEltType(NeonTypeFlags Flags, ASTContext &Context) { 334 switch (Flags.getEltType()) { 335 case NeonTypeFlags::Int8: 336 return Flags.isUnsigned() ? Context.UnsignedCharTy : Context.SignedCharTy; 337 case NeonTypeFlags::Int16: 338 return Flags.isUnsigned() ? Context.UnsignedShortTy : Context.ShortTy; 339 case NeonTypeFlags::Int32: 340 return Flags.isUnsigned() ? Context.UnsignedIntTy : Context.IntTy; 341 case NeonTypeFlags::Int64: 342 return Flags.isUnsigned() ? Context.UnsignedLongLongTy : Context.LongLongTy; 343 case NeonTypeFlags::Poly8: 344 return Context.SignedCharTy; 345 case NeonTypeFlags::Poly16: 346 return Context.ShortTy; 347 case NeonTypeFlags::Float16: 348 return Context.UnsignedShortTy; 349 case NeonTypeFlags::Float32: 350 return Context.FloatTy; 351 } 352 llvm_unreachable("Invalid NeonTypeFlag!"); 353 } 354 355 bool Sema::CheckARMBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 356 llvm::APSInt Result; 357 358 uint64_t mask = 0; 359 unsigned TV = 0; 360 int PtrArgNum = -1; 361 bool HasConstPtr = false; 362 switch (BuiltinID) { 363 #define GET_NEON_OVERLOAD_CHECK 364 #include "clang/Basic/arm_neon.inc" 365 #undef GET_NEON_OVERLOAD_CHECK 366 } 367 368 // For NEON intrinsics which are overloaded on vector element type, validate 369 // the immediate which specifies which variant to emit. 370 unsigned ImmArg = TheCall->getNumArgs()-1; 371 if (mask) { 372 if (SemaBuiltinConstantArg(TheCall, ImmArg, Result)) 373 return true; 374 375 TV = Result.getLimitedValue(64); 376 if ((TV > 63) || (mask & (1ULL << TV)) == 0) 377 return Diag(TheCall->getLocStart(), diag::err_invalid_neon_type_code) 378 << TheCall->getArg(ImmArg)->getSourceRange(); 379 } 380 381 if (PtrArgNum >= 0) { 382 // Check that pointer arguments have the specified type. 383 Expr *Arg = TheCall->getArg(PtrArgNum); 384 if (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Arg)) 385 Arg = ICE->getSubExpr(); 386 ExprResult RHS = DefaultFunctionArrayLvalueConversion(Arg); 387 QualType RHSTy = RHS.get()->getType(); 388 QualType EltTy = getNeonEltType(NeonTypeFlags(TV), Context); 389 if (HasConstPtr) 390 EltTy = EltTy.withConst(); 391 QualType LHSTy = Context.getPointerType(EltTy); 392 AssignConvertType ConvTy; 393 ConvTy = CheckSingleAssignmentConstraints(LHSTy, RHS); 394 if (RHS.isInvalid()) 395 return true; 396 if (DiagnoseAssignmentResult(ConvTy, Arg->getLocStart(), LHSTy, RHSTy, 397 RHS.get(), AA_Assigning)) 398 return true; 399 } 400 401 // For NEON intrinsics which take an immediate value as part of the 402 // instruction, range check them here. 403 unsigned i = 0, l = 0, u = 0; 404 switch (BuiltinID) { 405 default: return false; 406 case ARM::BI__builtin_arm_ssat: i = 1; l = 1; u = 31; break; 407 case ARM::BI__builtin_arm_usat: i = 1; u = 31; break; 408 case ARM::BI__builtin_arm_vcvtr_f: 409 case ARM::BI__builtin_arm_vcvtr_d: i = 1; u = 1; break; 410 #define GET_NEON_IMMEDIATE_CHECK 411 #include "clang/Basic/arm_neon.inc" 412 #undef GET_NEON_IMMEDIATE_CHECK 413 }; 414 415 // We can't check the value of a dependent argument. 416 if (TheCall->getArg(i)->isTypeDependent() || 417 TheCall->getArg(i)->isValueDependent()) 418 return false; 419 420 // Check that the immediate argument is actually a constant. 421 if (SemaBuiltinConstantArg(TheCall, i, Result)) 422 return true; 423 424 // Range check against the upper/lower values for this isntruction. 425 unsigned Val = Result.getZExtValue(); 426 if (Val < l || Val > (u + l)) 427 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 428 << l << u+l << TheCall->getArg(i)->getSourceRange(); 429 430 // FIXME: VFP Intrinsics should error if VFP not present. 431 return false; 432 } 433 434 bool Sema::CheckMipsBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 435 unsigned i = 0, l = 0, u = 0; 436 switch (BuiltinID) { 437 default: return false; 438 case Mips::BI__builtin_mips_wrdsp: i = 1; l = 0; u = 63; break; 439 case Mips::BI__builtin_mips_rddsp: i = 0; l = 0; u = 63; break; 440 case Mips::BI__builtin_mips_append: i = 2; l = 0; u = 31; break; 441 case Mips::BI__builtin_mips_balign: i = 2; l = 0; u = 3; break; 442 case Mips::BI__builtin_mips_precr_sra_ph_w: i = 2; l = 0; u = 31; break; 443 case Mips::BI__builtin_mips_precr_sra_r_ph_w: i = 2; l = 0; u = 31; break; 444 case Mips::BI__builtin_mips_prepend: i = 2; l = 0; u = 31; break; 445 }; 446 447 // We can't check the value of a dependent argument. 448 if (TheCall->getArg(i)->isTypeDependent() || 449 TheCall->getArg(i)->isValueDependent()) 450 return false; 451 452 // Check that the immediate argument is actually a constant. 453 llvm::APSInt Result; 454 if (SemaBuiltinConstantArg(TheCall, i, Result)) 455 return true; 456 457 // Range check against the upper/lower values for this instruction. 458 unsigned Val = Result.getZExtValue(); 459 if (Val < l || Val > u) 460 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 461 << l << u << TheCall->getArg(i)->getSourceRange(); 462 463 return false; 464 } 465 466 /// Given a FunctionDecl's FormatAttr, attempts to populate the FomatStringInfo 467 /// parameter with the FormatAttr's correct format_idx and firstDataArg. 468 /// Returns true when the format fits the function and the FormatStringInfo has 469 /// been populated. 470 bool Sema::getFormatStringInfo(const FormatAttr *Format, bool IsCXXMember, 471 FormatStringInfo *FSI) { 472 FSI->HasVAListArg = Format->getFirstArg() == 0; 473 FSI->FormatIdx = Format->getFormatIdx() - 1; 474 FSI->FirstDataArg = FSI->HasVAListArg ? 0 : Format->getFirstArg() - 1; 475 476 // The way the format attribute works in GCC, the implicit this argument 477 // of member functions is counted. However, it doesn't appear in our own 478 // lists, so decrement format_idx in that case. 479 if (IsCXXMember) { 480 if(FSI->FormatIdx == 0) 481 return false; 482 --FSI->FormatIdx; 483 if (FSI->FirstDataArg != 0) 484 --FSI->FirstDataArg; 485 } 486 return true; 487 } 488 489 /// Handles the checks for format strings, non-POD arguments to vararg 490 /// functions, and NULL arguments passed to non-NULL parameters. 491 void Sema::checkCall(NamedDecl *FDecl, Expr **Args, 492 unsigned NumArgs, 493 unsigned NumProtoArgs, 494 bool IsMemberFunction, 495 SourceLocation Loc, 496 SourceRange Range, 497 VariadicCallType CallType) { 498 // FIXME: This mechanism should be abstracted to be less fragile and 499 // more efficient. For example, just map function ids to custom 500 // handlers. 501 502 // Printf and scanf checking. 503 bool HandledFormatString = false; 504 for (specific_attr_iterator<FormatAttr> 505 I = FDecl->specific_attr_begin<FormatAttr>(), 506 E = FDecl->specific_attr_end<FormatAttr>(); I != E ; ++I) 507 if (CheckFormatArguments(*I, Args, NumArgs, IsMemberFunction, CallType, 508 Loc, Range)) 509 HandledFormatString = true; 510 511 // Refuse POD arguments that weren't caught by the format string 512 // checks above. 513 if (!HandledFormatString && CallType != VariadicDoesNotApply) 514 for (unsigned ArgIdx = NumProtoArgs; ArgIdx < NumArgs; ++ArgIdx) 515 variadicArgumentPODCheck(Args[ArgIdx], CallType); 516 517 for (specific_attr_iterator<NonNullAttr> 518 I = FDecl->specific_attr_begin<NonNullAttr>(), 519 E = FDecl->specific_attr_end<NonNullAttr>(); I != E; ++I) 520 CheckNonNullArguments(*I, Args, Loc); 521 522 // Type safety checking. 523 for (specific_attr_iterator<ArgumentWithTypeTagAttr> 524 i = FDecl->specific_attr_begin<ArgumentWithTypeTagAttr>(), 525 e = FDecl->specific_attr_end<ArgumentWithTypeTagAttr>(); i != e; ++i) { 526 CheckArgumentWithTypeTag(*i, Args); 527 } 528 } 529 530 /// CheckConstructorCall - Check a constructor call for correctness and safety 531 /// properties not enforced by the C type system. 532 void Sema::CheckConstructorCall(FunctionDecl *FDecl, Expr **Args, 533 unsigned NumArgs, 534 const FunctionProtoType *Proto, 535 SourceLocation Loc) { 536 VariadicCallType CallType = 537 Proto->isVariadic() ? VariadicConstructor : VariadicDoesNotApply; 538 checkCall(FDecl, Args, NumArgs, Proto->getNumArgs(), 539 /*IsMemberFunction=*/true, Loc, SourceRange(), CallType); 540 } 541 542 /// CheckFunctionCall - Check a direct function call for various correctness 543 /// and safety properties not strictly enforced by the C type system. 544 bool Sema::CheckFunctionCall(FunctionDecl *FDecl, CallExpr *TheCall, 545 const FunctionProtoType *Proto) { 546 bool IsMemberFunction = isa<CXXMemberCallExpr>(TheCall); 547 VariadicCallType CallType = getVariadicCallType(FDecl, Proto, 548 TheCall->getCallee()); 549 unsigned NumProtoArgs = Proto ? Proto->getNumArgs() : 0; 550 checkCall(FDecl, TheCall->getArgs(), TheCall->getNumArgs(), NumProtoArgs, 551 IsMemberFunction, TheCall->getRParenLoc(), 552 TheCall->getCallee()->getSourceRange(), CallType); 553 554 IdentifierInfo *FnInfo = FDecl->getIdentifier(); 555 // None of the checks below are needed for functions that don't have 556 // simple names (e.g., C++ conversion functions). 557 if (!FnInfo) 558 return false; 559 560 unsigned CMId = FDecl->getMemoryFunctionKind(); 561 if (CMId == 0) 562 return false; 563 564 // Handle memory setting and copying functions. 565 if (CMId == Builtin::BIstrlcpy || CMId == Builtin::BIstrlcat) 566 CheckStrlcpycatArguments(TheCall, FnInfo); 567 else if (CMId == Builtin::BIstrncat) 568 CheckStrncatArguments(TheCall, FnInfo); 569 else 570 CheckMemaccessArguments(TheCall, CMId, FnInfo); 571 572 return false; 573 } 574 575 bool Sema::CheckObjCMethodCall(ObjCMethodDecl *Method, SourceLocation lbrac, 576 Expr **Args, unsigned NumArgs) { 577 VariadicCallType CallType = 578 Method->isVariadic() ? VariadicMethod : VariadicDoesNotApply; 579 580 checkCall(Method, Args, NumArgs, Method->param_size(), 581 /*IsMemberFunction=*/false, 582 lbrac, Method->getSourceRange(), CallType); 583 584 return false; 585 } 586 587 bool Sema::CheckBlockCall(NamedDecl *NDecl, CallExpr *TheCall, 588 const FunctionProtoType *Proto) { 589 const VarDecl *V = dyn_cast<VarDecl>(NDecl); 590 if (!V) 591 return false; 592 593 QualType Ty = V->getType(); 594 if (!Ty->isBlockPointerType()) 595 return false; 596 597 VariadicCallType CallType = 598 Proto && Proto->isVariadic() ? VariadicBlock : VariadicDoesNotApply ; 599 unsigned NumProtoArgs = Proto ? Proto->getNumArgs() : 0; 600 601 checkCall(NDecl, TheCall->getArgs(), TheCall->getNumArgs(), 602 NumProtoArgs, /*IsMemberFunction=*/false, 603 TheCall->getRParenLoc(), 604 TheCall->getCallee()->getSourceRange(), CallType); 605 606 return false; 607 } 608 609 ExprResult Sema::SemaAtomicOpsOverloaded(ExprResult TheCallResult, 610 AtomicExpr::AtomicOp Op) { 611 CallExpr *TheCall = cast<CallExpr>(TheCallResult.get()); 612 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 613 614 // All these operations take one of the following forms: 615 enum { 616 // C __c11_atomic_init(A *, C) 617 Init, 618 // C __c11_atomic_load(A *, int) 619 Load, 620 // void __atomic_load(A *, CP, int) 621 Copy, 622 // C __c11_atomic_add(A *, M, int) 623 Arithmetic, 624 // C __atomic_exchange_n(A *, CP, int) 625 Xchg, 626 // void __atomic_exchange(A *, C *, CP, int) 627 GNUXchg, 628 // bool __c11_atomic_compare_exchange_strong(A *, C *, CP, int, int) 629 C11CmpXchg, 630 // bool __atomic_compare_exchange(A *, C *, CP, bool, int, int) 631 GNUCmpXchg 632 } Form = Init; 633 const unsigned NumArgs[] = { 2, 2, 3, 3, 3, 4, 5, 6 }; 634 const unsigned NumVals[] = { 1, 0, 1, 1, 1, 2, 2, 3 }; 635 // where: 636 // C is an appropriate type, 637 // A is volatile _Atomic(C) for __c11 builtins and is C for GNU builtins, 638 // CP is C for __c11 builtins and GNU _n builtins and is C * otherwise, 639 // M is C if C is an integer, and ptrdiff_t if C is a pointer, and 640 // the int parameters are for orderings. 641 642 assert(AtomicExpr::AO__c11_atomic_init == 0 && 643 AtomicExpr::AO__c11_atomic_fetch_xor + 1 == AtomicExpr::AO__atomic_load 644 && "need to update code for modified C11 atomics"); 645 bool IsC11 = Op >= AtomicExpr::AO__c11_atomic_init && 646 Op <= AtomicExpr::AO__c11_atomic_fetch_xor; 647 bool IsN = Op == AtomicExpr::AO__atomic_load_n || 648 Op == AtomicExpr::AO__atomic_store_n || 649 Op == AtomicExpr::AO__atomic_exchange_n || 650 Op == AtomicExpr::AO__atomic_compare_exchange_n; 651 bool IsAddSub = false; 652 653 switch (Op) { 654 case AtomicExpr::AO__c11_atomic_init: 655 Form = Init; 656 break; 657 658 case AtomicExpr::AO__c11_atomic_load: 659 case AtomicExpr::AO__atomic_load_n: 660 Form = Load; 661 break; 662 663 case AtomicExpr::AO__c11_atomic_store: 664 case AtomicExpr::AO__atomic_load: 665 case AtomicExpr::AO__atomic_store: 666 case AtomicExpr::AO__atomic_store_n: 667 Form = Copy; 668 break; 669 670 case AtomicExpr::AO__c11_atomic_fetch_add: 671 case AtomicExpr::AO__c11_atomic_fetch_sub: 672 case AtomicExpr::AO__atomic_fetch_add: 673 case AtomicExpr::AO__atomic_fetch_sub: 674 case AtomicExpr::AO__atomic_add_fetch: 675 case AtomicExpr::AO__atomic_sub_fetch: 676 IsAddSub = true; 677 // Fall through. 678 case AtomicExpr::AO__c11_atomic_fetch_and: 679 case AtomicExpr::AO__c11_atomic_fetch_or: 680 case AtomicExpr::AO__c11_atomic_fetch_xor: 681 case AtomicExpr::AO__atomic_fetch_and: 682 case AtomicExpr::AO__atomic_fetch_or: 683 case AtomicExpr::AO__atomic_fetch_xor: 684 case AtomicExpr::AO__atomic_fetch_nand: 685 case AtomicExpr::AO__atomic_and_fetch: 686 case AtomicExpr::AO__atomic_or_fetch: 687 case AtomicExpr::AO__atomic_xor_fetch: 688 case AtomicExpr::AO__atomic_nand_fetch: 689 Form = Arithmetic; 690 break; 691 692 case AtomicExpr::AO__c11_atomic_exchange: 693 case AtomicExpr::AO__atomic_exchange_n: 694 Form = Xchg; 695 break; 696 697 case AtomicExpr::AO__atomic_exchange: 698 Form = GNUXchg; 699 break; 700 701 case AtomicExpr::AO__c11_atomic_compare_exchange_strong: 702 case AtomicExpr::AO__c11_atomic_compare_exchange_weak: 703 Form = C11CmpXchg; 704 break; 705 706 case AtomicExpr::AO__atomic_compare_exchange: 707 case AtomicExpr::AO__atomic_compare_exchange_n: 708 Form = GNUCmpXchg; 709 break; 710 } 711 712 // Check we have the right number of arguments. 713 if (TheCall->getNumArgs() < NumArgs[Form]) { 714 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 715 << 0 << NumArgs[Form] << TheCall->getNumArgs() 716 << TheCall->getCallee()->getSourceRange(); 717 return ExprError(); 718 } else if (TheCall->getNumArgs() > NumArgs[Form]) { 719 Diag(TheCall->getArg(NumArgs[Form])->getLocStart(), 720 diag::err_typecheck_call_too_many_args) 721 << 0 << NumArgs[Form] << TheCall->getNumArgs() 722 << TheCall->getCallee()->getSourceRange(); 723 return ExprError(); 724 } 725 726 // Inspect the first argument of the atomic operation. 727 Expr *Ptr = TheCall->getArg(0); 728 Ptr = DefaultFunctionArrayLvalueConversion(Ptr).get(); 729 const PointerType *pointerType = Ptr->getType()->getAs<PointerType>(); 730 if (!pointerType) { 731 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 732 << Ptr->getType() << Ptr->getSourceRange(); 733 return ExprError(); 734 } 735 736 // For a __c11 builtin, this should be a pointer to an _Atomic type. 737 QualType AtomTy = pointerType->getPointeeType(); // 'A' 738 QualType ValType = AtomTy; // 'C' 739 if (IsC11) { 740 if (!AtomTy->isAtomicType()) { 741 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic) 742 << Ptr->getType() << Ptr->getSourceRange(); 743 return ExprError(); 744 } 745 ValType = AtomTy->getAs<AtomicType>()->getValueType(); 746 } 747 748 // For an arithmetic operation, the implied arithmetic must be well-formed. 749 if (Form == Arithmetic) { 750 // gcc does not enforce these rules for GNU atomics, but we do so for sanity. 751 if (IsAddSub && !ValType->isIntegerType() && !ValType->isPointerType()) { 752 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic_int_or_ptr) 753 << IsC11 << Ptr->getType() << Ptr->getSourceRange(); 754 return ExprError(); 755 } 756 if (!IsAddSub && !ValType->isIntegerType()) { 757 Diag(DRE->getLocStart(), diag::err_atomic_op_bitwise_needs_atomic_int) 758 << IsC11 << Ptr->getType() << Ptr->getSourceRange(); 759 return ExprError(); 760 } 761 } else if (IsN && !ValType->isIntegerType() && !ValType->isPointerType()) { 762 // For __atomic_*_n operations, the value type must be a scalar integral or 763 // pointer type which is 1, 2, 4, 8 or 16 bytes in length. 764 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic_int_or_ptr) 765 << IsC11 << Ptr->getType() << Ptr->getSourceRange(); 766 return ExprError(); 767 } 768 769 if (!IsC11 && !AtomTy.isTriviallyCopyableType(Context)) { 770 // For GNU atomics, require a trivially-copyable type. This is not part of 771 // the GNU atomics specification, but we enforce it for sanity. 772 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_trivial_copy) 773 << Ptr->getType() << Ptr->getSourceRange(); 774 return ExprError(); 775 } 776 777 // FIXME: For any builtin other than a load, the ValType must not be 778 // const-qualified. 779 780 switch (ValType.getObjCLifetime()) { 781 case Qualifiers::OCL_None: 782 case Qualifiers::OCL_ExplicitNone: 783 // okay 784 break; 785 786 case Qualifiers::OCL_Weak: 787 case Qualifiers::OCL_Strong: 788 case Qualifiers::OCL_Autoreleasing: 789 // FIXME: Can this happen? By this point, ValType should be known 790 // to be trivially copyable. 791 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 792 << ValType << Ptr->getSourceRange(); 793 return ExprError(); 794 } 795 796 QualType ResultType = ValType; 797 if (Form == Copy || Form == GNUXchg || Form == Init) 798 ResultType = Context.VoidTy; 799 else if (Form == C11CmpXchg || Form == GNUCmpXchg) 800 ResultType = Context.BoolTy; 801 802 // The type of a parameter passed 'by value'. In the GNU atomics, such 803 // arguments are actually passed as pointers. 804 QualType ByValType = ValType; // 'CP' 805 if (!IsC11 && !IsN) 806 ByValType = Ptr->getType(); 807 808 // The first argument --- the pointer --- has a fixed type; we 809 // deduce the types of the rest of the arguments accordingly. Walk 810 // the remaining arguments, converting them to the deduced value type. 811 for (unsigned i = 1; i != NumArgs[Form]; ++i) { 812 QualType Ty; 813 if (i < NumVals[Form] + 1) { 814 switch (i) { 815 case 1: 816 // The second argument is the non-atomic operand. For arithmetic, this 817 // is always passed by value, and for a compare_exchange it is always 818 // passed by address. For the rest, GNU uses by-address and C11 uses 819 // by-value. 820 assert(Form != Load); 821 if (Form == Init || (Form == Arithmetic && ValType->isIntegerType())) 822 Ty = ValType; 823 else if (Form == Copy || Form == Xchg) 824 Ty = ByValType; 825 else if (Form == Arithmetic) 826 Ty = Context.getPointerDiffType(); 827 else 828 Ty = Context.getPointerType(ValType.getUnqualifiedType()); 829 break; 830 case 2: 831 // The third argument to compare_exchange / GNU exchange is a 832 // (pointer to a) desired value. 833 Ty = ByValType; 834 break; 835 case 3: 836 // The fourth argument to GNU compare_exchange is a 'weak' flag. 837 Ty = Context.BoolTy; 838 break; 839 } 840 } else { 841 // The order(s) are always converted to int. 842 Ty = Context.IntTy; 843 } 844 845 InitializedEntity Entity = 846 InitializedEntity::InitializeParameter(Context, Ty, false); 847 ExprResult Arg = TheCall->getArg(i); 848 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg); 849 if (Arg.isInvalid()) 850 return true; 851 TheCall->setArg(i, Arg.get()); 852 } 853 854 // Permute the arguments into a 'consistent' order. 855 SmallVector<Expr*, 5> SubExprs; 856 SubExprs.push_back(Ptr); 857 switch (Form) { 858 case Init: 859 // Note, AtomicExpr::getVal1() has a special case for this atomic. 860 SubExprs.push_back(TheCall->getArg(1)); // Val1 861 break; 862 case Load: 863 SubExprs.push_back(TheCall->getArg(1)); // Order 864 break; 865 case Copy: 866 case Arithmetic: 867 case Xchg: 868 SubExprs.push_back(TheCall->getArg(2)); // Order 869 SubExprs.push_back(TheCall->getArg(1)); // Val1 870 break; 871 case GNUXchg: 872 // Note, AtomicExpr::getVal2() has a special case for this atomic. 873 SubExprs.push_back(TheCall->getArg(3)); // Order 874 SubExprs.push_back(TheCall->getArg(1)); // Val1 875 SubExprs.push_back(TheCall->getArg(2)); // Val2 876 break; 877 case C11CmpXchg: 878 SubExprs.push_back(TheCall->getArg(3)); // Order 879 SubExprs.push_back(TheCall->getArg(1)); // Val1 880 SubExprs.push_back(TheCall->getArg(4)); // OrderFail 881 SubExprs.push_back(TheCall->getArg(2)); // Val2 882 break; 883 case GNUCmpXchg: 884 SubExprs.push_back(TheCall->getArg(4)); // Order 885 SubExprs.push_back(TheCall->getArg(1)); // Val1 886 SubExprs.push_back(TheCall->getArg(5)); // OrderFail 887 SubExprs.push_back(TheCall->getArg(2)); // Val2 888 SubExprs.push_back(TheCall->getArg(3)); // Weak 889 break; 890 } 891 892 return Owned(new (Context) AtomicExpr(TheCall->getCallee()->getLocStart(), 893 SubExprs, ResultType, Op, 894 TheCall->getRParenLoc())); 895 } 896 897 898 /// checkBuiltinArgument - Given a call to a builtin function, perform 899 /// normal type-checking on the given argument, updating the call in 900 /// place. This is useful when a builtin function requires custom 901 /// type-checking for some of its arguments but not necessarily all of 902 /// them. 903 /// 904 /// Returns true on error. 905 static bool checkBuiltinArgument(Sema &S, CallExpr *E, unsigned ArgIndex) { 906 FunctionDecl *Fn = E->getDirectCallee(); 907 assert(Fn && "builtin call without direct callee!"); 908 909 ParmVarDecl *Param = Fn->getParamDecl(ArgIndex); 910 InitializedEntity Entity = 911 InitializedEntity::InitializeParameter(S.Context, Param); 912 913 ExprResult Arg = E->getArg(0); 914 Arg = S.PerformCopyInitialization(Entity, SourceLocation(), Arg); 915 if (Arg.isInvalid()) 916 return true; 917 918 E->setArg(ArgIndex, Arg.take()); 919 return false; 920 } 921 922 /// SemaBuiltinAtomicOverloaded - We have a call to a function like 923 /// __sync_fetch_and_add, which is an overloaded function based on the pointer 924 /// type of its first argument. The main ActOnCallExpr routines have already 925 /// promoted the types of arguments because all of these calls are prototyped as 926 /// void(...). 927 /// 928 /// This function goes through and does final semantic checking for these 929 /// builtins, 930 ExprResult 931 Sema::SemaBuiltinAtomicOverloaded(ExprResult TheCallResult) { 932 CallExpr *TheCall = (CallExpr *)TheCallResult.get(); 933 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 934 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 935 936 // Ensure that we have at least one argument to do type inference from. 937 if (TheCall->getNumArgs() < 1) { 938 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 939 << 0 << 1 << TheCall->getNumArgs() 940 << TheCall->getCallee()->getSourceRange(); 941 return ExprError(); 942 } 943 944 // Inspect the first argument of the atomic builtin. This should always be 945 // a pointer type, whose element is an integral scalar or pointer type. 946 // Because it is a pointer type, we don't have to worry about any implicit 947 // casts here. 948 // FIXME: We don't allow floating point scalars as input. 949 Expr *FirstArg = TheCall->getArg(0); 950 ExprResult FirstArgResult = DefaultFunctionArrayLvalueConversion(FirstArg); 951 if (FirstArgResult.isInvalid()) 952 return ExprError(); 953 FirstArg = FirstArgResult.take(); 954 TheCall->setArg(0, FirstArg); 955 956 const PointerType *pointerType = FirstArg->getType()->getAs<PointerType>(); 957 if (!pointerType) { 958 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 959 << FirstArg->getType() << FirstArg->getSourceRange(); 960 return ExprError(); 961 } 962 963 QualType ValType = pointerType->getPointeeType(); 964 if (!ValType->isIntegerType() && !ValType->isAnyPointerType() && 965 !ValType->isBlockPointerType()) { 966 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer_intptr) 967 << FirstArg->getType() << FirstArg->getSourceRange(); 968 return ExprError(); 969 } 970 971 switch (ValType.getObjCLifetime()) { 972 case Qualifiers::OCL_None: 973 case Qualifiers::OCL_ExplicitNone: 974 // okay 975 break; 976 977 case Qualifiers::OCL_Weak: 978 case Qualifiers::OCL_Strong: 979 case Qualifiers::OCL_Autoreleasing: 980 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 981 << ValType << FirstArg->getSourceRange(); 982 return ExprError(); 983 } 984 985 // Strip any qualifiers off ValType. 986 ValType = ValType.getUnqualifiedType(); 987 988 // The majority of builtins return a value, but a few have special return 989 // types, so allow them to override appropriately below. 990 QualType ResultType = ValType; 991 992 // We need to figure out which concrete builtin this maps onto. For example, 993 // __sync_fetch_and_add with a 2 byte object turns into 994 // __sync_fetch_and_add_2. 995 #define BUILTIN_ROW(x) \ 996 { Builtin::BI##x##_1, Builtin::BI##x##_2, Builtin::BI##x##_4, \ 997 Builtin::BI##x##_8, Builtin::BI##x##_16 } 998 999 static const unsigned BuiltinIndices[][5] = { 1000 BUILTIN_ROW(__sync_fetch_and_add), 1001 BUILTIN_ROW(__sync_fetch_and_sub), 1002 BUILTIN_ROW(__sync_fetch_and_or), 1003 BUILTIN_ROW(__sync_fetch_and_and), 1004 BUILTIN_ROW(__sync_fetch_and_xor), 1005 1006 BUILTIN_ROW(__sync_add_and_fetch), 1007 BUILTIN_ROW(__sync_sub_and_fetch), 1008 BUILTIN_ROW(__sync_and_and_fetch), 1009 BUILTIN_ROW(__sync_or_and_fetch), 1010 BUILTIN_ROW(__sync_xor_and_fetch), 1011 1012 BUILTIN_ROW(__sync_val_compare_and_swap), 1013 BUILTIN_ROW(__sync_bool_compare_and_swap), 1014 BUILTIN_ROW(__sync_lock_test_and_set), 1015 BUILTIN_ROW(__sync_lock_release), 1016 BUILTIN_ROW(__sync_swap) 1017 }; 1018 #undef BUILTIN_ROW 1019 1020 // Determine the index of the size. 1021 unsigned SizeIndex; 1022 switch (Context.getTypeSizeInChars(ValType).getQuantity()) { 1023 case 1: SizeIndex = 0; break; 1024 case 2: SizeIndex = 1; break; 1025 case 4: SizeIndex = 2; break; 1026 case 8: SizeIndex = 3; break; 1027 case 16: SizeIndex = 4; break; 1028 default: 1029 Diag(DRE->getLocStart(), diag::err_atomic_builtin_pointer_size) 1030 << FirstArg->getType() << FirstArg->getSourceRange(); 1031 return ExprError(); 1032 } 1033 1034 // Each of these builtins has one pointer argument, followed by some number of 1035 // values (0, 1 or 2) followed by a potentially empty varags list of stuff 1036 // that we ignore. Find out which row of BuiltinIndices to read from as well 1037 // as the number of fixed args. 1038 unsigned BuiltinID = FDecl->getBuiltinID(); 1039 unsigned BuiltinIndex, NumFixed = 1; 1040 switch (BuiltinID) { 1041 default: llvm_unreachable("Unknown overloaded atomic builtin!"); 1042 case Builtin::BI__sync_fetch_and_add: 1043 case Builtin::BI__sync_fetch_and_add_1: 1044 case Builtin::BI__sync_fetch_and_add_2: 1045 case Builtin::BI__sync_fetch_and_add_4: 1046 case Builtin::BI__sync_fetch_and_add_8: 1047 case Builtin::BI__sync_fetch_and_add_16: 1048 BuiltinIndex = 0; 1049 break; 1050 1051 case Builtin::BI__sync_fetch_and_sub: 1052 case Builtin::BI__sync_fetch_and_sub_1: 1053 case Builtin::BI__sync_fetch_and_sub_2: 1054 case Builtin::BI__sync_fetch_and_sub_4: 1055 case Builtin::BI__sync_fetch_and_sub_8: 1056 case Builtin::BI__sync_fetch_and_sub_16: 1057 BuiltinIndex = 1; 1058 break; 1059 1060 case Builtin::BI__sync_fetch_and_or: 1061 case Builtin::BI__sync_fetch_and_or_1: 1062 case Builtin::BI__sync_fetch_and_or_2: 1063 case Builtin::BI__sync_fetch_and_or_4: 1064 case Builtin::BI__sync_fetch_and_or_8: 1065 case Builtin::BI__sync_fetch_and_or_16: 1066 BuiltinIndex = 2; 1067 break; 1068 1069 case Builtin::BI__sync_fetch_and_and: 1070 case Builtin::BI__sync_fetch_and_and_1: 1071 case Builtin::BI__sync_fetch_and_and_2: 1072 case Builtin::BI__sync_fetch_and_and_4: 1073 case Builtin::BI__sync_fetch_and_and_8: 1074 case Builtin::BI__sync_fetch_and_and_16: 1075 BuiltinIndex = 3; 1076 break; 1077 1078 case Builtin::BI__sync_fetch_and_xor: 1079 case Builtin::BI__sync_fetch_and_xor_1: 1080 case Builtin::BI__sync_fetch_and_xor_2: 1081 case Builtin::BI__sync_fetch_and_xor_4: 1082 case Builtin::BI__sync_fetch_and_xor_8: 1083 case Builtin::BI__sync_fetch_and_xor_16: 1084 BuiltinIndex = 4; 1085 break; 1086 1087 case Builtin::BI__sync_add_and_fetch: 1088 case Builtin::BI__sync_add_and_fetch_1: 1089 case Builtin::BI__sync_add_and_fetch_2: 1090 case Builtin::BI__sync_add_and_fetch_4: 1091 case Builtin::BI__sync_add_and_fetch_8: 1092 case Builtin::BI__sync_add_and_fetch_16: 1093 BuiltinIndex = 5; 1094 break; 1095 1096 case Builtin::BI__sync_sub_and_fetch: 1097 case Builtin::BI__sync_sub_and_fetch_1: 1098 case Builtin::BI__sync_sub_and_fetch_2: 1099 case Builtin::BI__sync_sub_and_fetch_4: 1100 case Builtin::BI__sync_sub_and_fetch_8: 1101 case Builtin::BI__sync_sub_and_fetch_16: 1102 BuiltinIndex = 6; 1103 break; 1104 1105 case Builtin::BI__sync_and_and_fetch: 1106 case Builtin::BI__sync_and_and_fetch_1: 1107 case Builtin::BI__sync_and_and_fetch_2: 1108 case Builtin::BI__sync_and_and_fetch_4: 1109 case Builtin::BI__sync_and_and_fetch_8: 1110 case Builtin::BI__sync_and_and_fetch_16: 1111 BuiltinIndex = 7; 1112 break; 1113 1114 case Builtin::BI__sync_or_and_fetch: 1115 case Builtin::BI__sync_or_and_fetch_1: 1116 case Builtin::BI__sync_or_and_fetch_2: 1117 case Builtin::BI__sync_or_and_fetch_4: 1118 case Builtin::BI__sync_or_and_fetch_8: 1119 case Builtin::BI__sync_or_and_fetch_16: 1120 BuiltinIndex = 8; 1121 break; 1122 1123 case Builtin::BI__sync_xor_and_fetch: 1124 case Builtin::BI__sync_xor_and_fetch_1: 1125 case Builtin::BI__sync_xor_and_fetch_2: 1126 case Builtin::BI__sync_xor_and_fetch_4: 1127 case Builtin::BI__sync_xor_and_fetch_8: 1128 case Builtin::BI__sync_xor_and_fetch_16: 1129 BuiltinIndex = 9; 1130 break; 1131 1132 case Builtin::BI__sync_val_compare_and_swap: 1133 case Builtin::BI__sync_val_compare_and_swap_1: 1134 case Builtin::BI__sync_val_compare_and_swap_2: 1135 case Builtin::BI__sync_val_compare_and_swap_4: 1136 case Builtin::BI__sync_val_compare_and_swap_8: 1137 case Builtin::BI__sync_val_compare_and_swap_16: 1138 BuiltinIndex = 10; 1139 NumFixed = 2; 1140 break; 1141 1142 case Builtin::BI__sync_bool_compare_and_swap: 1143 case Builtin::BI__sync_bool_compare_and_swap_1: 1144 case Builtin::BI__sync_bool_compare_and_swap_2: 1145 case Builtin::BI__sync_bool_compare_and_swap_4: 1146 case Builtin::BI__sync_bool_compare_and_swap_8: 1147 case Builtin::BI__sync_bool_compare_and_swap_16: 1148 BuiltinIndex = 11; 1149 NumFixed = 2; 1150 ResultType = Context.BoolTy; 1151 break; 1152 1153 case Builtin::BI__sync_lock_test_and_set: 1154 case Builtin::BI__sync_lock_test_and_set_1: 1155 case Builtin::BI__sync_lock_test_and_set_2: 1156 case Builtin::BI__sync_lock_test_and_set_4: 1157 case Builtin::BI__sync_lock_test_and_set_8: 1158 case Builtin::BI__sync_lock_test_and_set_16: 1159 BuiltinIndex = 12; 1160 break; 1161 1162 case Builtin::BI__sync_lock_release: 1163 case Builtin::BI__sync_lock_release_1: 1164 case Builtin::BI__sync_lock_release_2: 1165 case Builtin::BI__sync_lock_release_4: 1166 case Builtin::BI__sync_lock_release_8: 1167 case Builtin::BI__sync_lock_release_16: 1168 BuiltinIndex = 13; 1169 NumFixed = 0; 1170 ResultType = Context.VoidTy; 1171 break; 1172 1173 case Builtin::BI__sync_swap: 1174 case Builtin::BI__sync_swap_1: 1175 case Builtin::BI__sync_swap_2: 1176 case Builtin::BI__sync_swap_4: 1177 case Builtin::BI__sync_swap_8: 1178 case Builtin::BI__sync_swap_16: 1179 BuiltinIndex = 14; 1180 break; 1181 } 1182 1183 // Now that we know how many fixed arguments we expect, first check that we 1184 // have at least that many. 1185 if (TheCall->getNumArgs() < 1+NumFixed) { 1186 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 1187 << 0 << 1+NumFixed << TheCall->getNumArgs() 1188 << TheCall->getCallee()->getSourceRange(); 1189 return ExprError(); 1190 } 1191 1192 // Get the decl for the concrete builtin from this, we can tell what the 1193 // concrete integer type we should convert to is. 1194 unsigned NewBuiltinID = BuiltinIndices[BuiltinIndex][SizeIndex]; 1195 const char *NewBuiltinName = Context.BuiltinInfo.GetName(NewBuiltinID); 1196 IdentifierInfo *NewBuiltinII = PP.getIdentifierInfo(NewBuiltinName); 1197 FunctionDecl *NewBuiltinDecl = 1198 cast<FunctionDecl>(LazilyCreateBuiltin(NewBuiltinII, NewBuiltinID, 1199 TUScope, false, DRE->getLocStart())); 1200 1201 // The first argument --- the pointer --- has a fixed type; we 1202 // deduce the types of the rest of the arguments accordingly. Walk 1203 // the remaining arguments, converting them to the deduced value type. 1204 for (unsigned i = 0; i != NumFixed; ++i) { 1205 ExprResult Arg = TheCall->getArg(i+1); 1206 1207 // GCC does an implicit conversion to the pointer or integer ValType. This 1208 // can fail in some cases (1i -> int**), check for this error case now. 1209 // Initialize the argument. 1210 InitializedEntity Entity = InitializedEntity::InitializeParameter(Context, 1211 ValType, /*consume*/ false); 1212 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg); 1213 if (Arg.isInvalid()) 1214 return ExprError(); 1215 1216 // Okay, we have something that *can* be converted to the right type. Check 1217 // to see if there is a potentially weird extension going on here. This can 1218 // happen when you do an atomic operation on something like an char* and 1219 // pass in 42. The 42 gets converted to char. This is even more strange 1220 // for things like 45.123 -> char, etc. 1221 // FIXME: Do this check. 1222 TheCall->setArg(i+1, Arg.take()); 1223 } 1224 1225 ASTContext& Context = this->getASTContext(); 1226 1227 // Create a new DeclRefExpr to refer to the new decl. 1228 DeclRefExpr* NewDRE = DeclRefExpr::Create( 1229 Context, 1230 DRE->getQualifierLoc(), 1231 SourceLocation(), 1232 NewBuiltinDecl, 1233 /*enclosing*/ false, 1234 DRE->getLocation(), 1235 Context.BuiltinFnTy, 1236 DRE->getValueKind()); 1237 1238 // Set the callee in the CallExpr. 1239 // FIXME: This loses syntactic information. 1240 QualType CalleePtrTy = Context.getPointerType(NewBuiltinDecl->getType()); 1241 ExprResult PromotedCall = ImpCastExprToType(NewDRE, CalleePtrTy, 1242 CK_BuiltinFnToFnPtr); 1243 TheCall->setCallee(PromotedCall.take()); 1244 1245 // Change the result type of the call to match the original value type. This 1246 // is arbitrary, but the codegen for these builtins ins design to handle it 1247 // gracefully. 1248 TheCall->setType(ResultType); 1249 1250 return TheCallResult; 1251 } 1252 1253 /// CheckObjCString - Checks that the argument to the builtin 1254 /// CFString constructor is correct 1255 /// Note: It might also make sense to do the UTF-16 conversion here (would 1256 /// simplify the backend). 1257 bool Sema::CheckObjCString(Expr *Arg) { 1258 Arg = Arg->IgnoreParenCasts(); 1259 StringLiteral *Literal = dyn_cast<StringLiteral>(Arg); 1260 1261 if (!Literal || !Literal->isAscii()) { 1262 Diag(Arg->getLocStart(), diag::err_cfstring_literal_not_string_constant) 1263 << Arg->getSourceRange(); 1264 return true; 1265 } 1266 1267 if (Literal->containsNonAsciiOrNull()) { 1268 StringRef String = Literal->getString(); 1269 unsigned NumBytes = String.size(); 1270 SmallVector<UTF16, 128> ToBuf(NumBytes); 1271 const UTF8 *FromPtr = (const UTF8 *)String.data(); 1272 UTF16 *ToPtr = &ToBuf[0]; 1273 1274 ConversionResult Result = ConvertUTF8toUTF16(&FromPtr, FromPtr + NumBytes, 1275 &ToPtr, ToPtr + NumBytes, 1276 strictConversion); 1277 // Check for conversion failure. 1278 if (Result != conversionOK) 1279 Diag(Arg->getLocStart(), 1280 diag::warn_cfstring_truncated) << Arg->getSourceRange(); 1281 } 1282 return false; 1283 } 1284 1285 /// SemaBuiltinVAStart - Check the arguments to __builtin_va_start for validity. 1286 /// Emit an error and return true on failure, return false on success. 1287 bool Sema::SemaBuiltinVAStart(CallExpr *TheCall) { 1288 Expr *Fn = TheCall->getCallee(); 1289 if (TheCall->getNumArgs() > 2) { 1290 Diag(TheCall->getArg(2)->getLocStart(), 1291 diag::err_typecheck_call_too_many_args) 1292 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 1293 << Fn->getSourceRange() 1294 << SourceRange(TheCall->getArg(2)->getLocStart(), 1295 (*(TheCall->arg_end()-1))->getLocEnd()); 1296 return true; 1297 } 1298 1299 if (TheCall->getNumArgs() < 2) { 1300 return Diag(TheCall->getLocEnd(), 1301 diag::err_typecheck_call_too_few_args_at_least) 1302 << 0 /*function call*/ << 2 << TheCall->getNumArgs(); 1303 } 1304 1305 // Type-check the first argument normally. 1306 if (checkBuiltinArgument(*this, TheCall, 0)) 1307 return true; 1308 1309 // Determine whether the current function is variadic or not. 1310 BlockScopeInfo *CurBlock = getCurBlock(); 1311 bool isVariadic; 1312 if (CurBlock) 1313 isVariadic = CurBlock->TheDecl->isVariadic(); 1314 else if (FunctionDecl *FD = getCurFunctionDecl()) 1315 isVariadic = FD->isVariadic(); 1316 else 1317 isVariadic = getCurMethodDecl()->isVariadic(); 1318 1319 if (!isVariadic) { 1320 Diag(Fn->getLocStart(), diag::err_va_start_used_in_non_variadic_function); 1321 return true; 1322 } 1323 1324 // Verify that the second argument to the builtin is the last argument of the 1325 // current function or method. 1326 bool SecondArgIsLastNamedArgument = false; 1327 const Expr *Arg = TheCall->getArg(1)->IgnoreParenCasts(); 1328 1329 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Arg)) { 1330 if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(DR->getDecl())) { 1331 // FIXME: This isn't correct for methods (results in bogus warning). 1332 // Get the last formal in the current function. 1333 const ParmVarDecl *LastArg; 1334 if (CurBlock) 1335 LastArg = *(CurBlock->TheDecl->param_end()-1); 1336 else if (FunctionDecl *FD = getCurFunctionDecl()) 1337 LastArg = *(FD->param_end()-1); 1338 else 1339 LastArg = *(getCurMethodDecl()->param_end()-1); 1340 SecondArgIsLastNamedArgument = PV == LastArg; 1341 } 1342 } 1343 1344 if (!SecondArgIsLastNamedArgument) 1345 Diag(TheCall->getArg(1)->getLocStart(), 1346 diag::warn_second_parameter_of_va_start_not_last_named_argument); 1347 return false; 1348 } 1349 1350 /// SemaBuiltinUnorderedCompare - Handle functions like __builtin_isgreater and 1351 /// friends. This is declared to take (...), so we have to check everything. 1352 bool Sema::SemaBuiltinUnorderedCompare(CallExpr *TheCall) { 1353 if (TheCall->getNumArgs() < 2) 1354 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 1355 << 0 << 2 << TheCall->getNumArgs()/*function call*/; 1356 if (TheCall->getNumArgs() > 2) 1357 return Diag(TheCall->getArg(2)->getLocStart(), 1358 diag::err_typecheck_call_too_many_args) 1359 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 1360 << SourceRange(TheCall->getArg(2)->getLocStart(), 1361 (*(TheCall->arg_end()-1))->getLocEnd()); 1362 1363 ExprResult OrigArg0 = TheCall->getArg(0); 1364 ExprResult OrigArg1 = TheCall->getArg(1); 1365 1366 // Do standard promotions between the two arguments, returning their common 1367 // type. 1368 QualType Res = UsualArithmeticConversions(OrigArg0, OrigArg1, false); 1369 if (OrigArg0.isInvalid() || OrigArg1.isInvalid()) 1370 return true; 1371 1372 // Make sure any conversions are pushed back into the call; this is 1373 // type safe since unordered compare builtins are declared as "_Bool 1374 // foo(...)". 1375 TheCall->setArg(0, OrigArg0.get()); 1376 TheCall->setArg(1, OrigArg1.get()); 1377 1378 if (OrigArg0.get()->isTypeDependent() || OrigArg1.get()->isTypeDependent()) 1379 return false; 1380 1381 // If the common type isn't a real floating type, then the arguments were 1382 // invalid for this operation. 1383 if (Res.isNull() || !Res->isRealFloatingType()) 1384 return Diag(OrigArg0.get()->getLocStart(), 1385 diag::err_typecheck_call_invalid_ordered_compare) 1386 << OrigArg0.get()->getType() << OrigArg1.get()->getType() 1387 << SourceRange(OrigArg0.get()->getLocStart(), OrigArg1.get()->getLocEnd()); 1388 1389 return false; 1390 } 1391 1392 /// SemaBuiltinSemaBuiltinFPClassification - Handle functions like 1393 /// __builtin_isnan and friends. This is declared to take (...), so we have 1394 /// to check everything. We expect the last argument to be a floating point 1395 /// value. 1396 bool Sema::SemaBuiltinFPClassification(CallExpr *TheCall, unsigned NumArgs) { 1397 if (TheCall->getNumArgs() < NumArgs) 1398 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 1399 << 0 << NumArgs << TheCall->getNumArgs()/*function call*/; 1400 if (TheCall->getNumArgs() > NumArgs) 1401 return Diag(TheCall->getArg(NumArgs)->getLocStart(), 1402 diag::err_typecheck_call_too_many_args) 1403 << 0 /*function call*/ << NumArgs << TheCall->getNumArgs() 1404 << SourceRange(TheCall->getArg(NumArgs)->getLocStart(), 1405 (*(TheCall->arg_end()-1))->getLocEnd()); 1406 1407 Expr *OrigArg = TheCall->getArg(NumArgs-1); 1408 1409 if (OrigArg->isTypeDependent()) 1410 return false; 1411 1412 // This operation requires a non-_Complex floating-point number. 1413 if (!OrigArg->getType()->isRealFloatingType()) 1414 return Diag(OrigArg->getLocStart(), 1415 diag::err_typecheck_call_invalid_unary_fp) 1416 << OrigArg->getType() << OrigArg->getSourceRange(); 1417 1418 // If this is an implicit conversion from float -> double, remove it. 1419 if (ImplicitCastExpr *Cast = dyn_cast<ImplicitCastExpr>(OrigArg)) { 1420 Expr *CastArg = Cast->getSubExpr(); 1421 if (CastArg->getType()->isSpecificBuiltinType(BuiltinType::Float)) { 1422 assert(Cast->getType()->isSpecificBuiltinType(BuiltinType::Double) && 1423 "promotion from float to double is the only expected cast here"); 1424 Cast->setSubExpr(0); 1425 TheCall->setArg(NumArgs-1, CastArg); 1426 } 1427 } 1428 1429 return false; 1430 } 1431 1432 /// SemaBuiltinShuffleVector - Handle __builtin_shufflevector. 1433 // This is declared to take (...), so we have to check everything. 1434 ExprResult Sema::SemaBuiltinShuffleVector(CallExpr *TheCall) { 1435 if (TheCall->getNumArgs() < 2) 1436 return ExprError(Diag(TheCall->getLocEnd(), 1437 diag::err_typecheck_call_too_few_args_at_least) 1438 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 1439 << TheCall->getSourceRange()); 1440 1441 // Determine which of the following types of shufflevector we're checking: 1442 // 1) unary, vector mask: (lhs, mask) 1443 // 2) binary, vector mask: (lhs, rhs, mask) 1444 // 3) binary, scalar mask: (lhs, rhs, index, ..., index) 1445 QualType resType = TheCall->getArg(0)->getType(); 1446 unsigned numElements = 0; 1447 1448 if (!TheCall->getArg(0)->isTypeDependent() && 1449 !TheCall->getArg(1)->isTypeDependent()) { 1450 QualType LHSType = TheCall->getArg(0)->getType(); 1451 QualType RHSType = TheCall->getArg(1)->getType(); 1452 1453 if (!LHSType->isVectorType() || !RHSType->isVectorType()) { 1454 Diag(TheCall->getLocStart(), diag::err_shufflevector_non_vector) 1455 << SourceRange(TheCall->getArg(0)->getLocStart(), 1456 TheCall->getArg(1)->getLocEnd()); 1457 return ExprError(); 1458 } 1459 1460 numElements = LHSType->getAs<VectorType>()->getNumElements(); 1461 unsigned numResElements = TheCall->getNumArgs() - 2; 1462 1463 // Check to see if we have a call with 2 vector arguments, the unary shuffle 1464 // with mask. If so, verify that RHS is an integer vector type with the 1465 // same number of elts as lhs. 1466 if (TheCall->getNumArgs() == 2) { 1467 if (!RHSType->hasIntegerRepresentation() || 1468 RHSType->getAs<VectorType>()->getNumElements() != numElements) 1469 Diag(TheCall->getLocStart(), diag::err_shufflevector_incompatible_vector) 1470 << SourceRange(TheCall->getArg(1)->getLocStart(), 1471 TheCall->getArg(1)->getLocEnd()); 1472 numResElements = numElements; 1473 } 1474 else if (!Context.hasSameUnqualifiedType(LHSType, RHSType)) { 1475 Diag(TheCall->getLocStart(), diag::err_shufflevector_incompatible_vector) 1476 << SourceRange(TheCall->getArg(0)->getLocStart(), 1477 TheCall->getArg(1)->getLocEnd()); 1478 return ExprError(); 1479 } else if (numElements != numResElements) { 1480 QualType eltType = LHSType->getAs<VectorType>()->getElementType(); 1481 resType = Context.getVectorType(eltType, numResElements, 1482 VectorType::GenericVector); 1483 } 1484 } 1485 1486 for (unsigned i = 2; i < TheCall->getNumArgs(); i++) { 1487 if (TheCall->getArg(i)->isTypeDependent() || 1488 TheCall->getArg(i)->isValueDependent()) 1489 continue; 1490 1491 llvm::APSInt Result(32); 1492 if (!TheCall->getArg(i)->isIntegerConstantExpr(Result, Context)) 1493 return ExprError(Diag(TheCall->getLocStart(), 1494 diag::err_shufflevector_nonconstant_argument) 1495 << TheCall->getArg(i)->getSourceRange()); 1496 1497 if (Result.getActiveBits() > 64 || Result.getZExtValue() >= numElements*2) 1498 return ExprError(Diag(TheCall->getLocStart(), 1499 diag::err_shufflevector_argument_too_large) 1500 << TheCall->getArg(i)->getSourceRange()); 1501 } 1502 1503 SmallVector<Expr*, 32> exprs; 1504 1505 for (unsigned i = 0, e = TheCall->getNumArgs(); i != e; i++) { 1506 exprs.push_back(TheCall->getArg(i)); 1507 TheCall->setArg(i, 0); 1508 } 1509 1510 return Owned(new (Context) ShuffleVectorExpr(Context, exprs, resType, 1511 TheCall->getCallee()->getLocStart(), 1512 TheCall->getRParenLoc())); 1513 } 1514 1515 /// SemaBuiltinPrefetch - Handle __builtin_prefetch. 1516 // This is declared to take (const void*, ...) and can take two 1517 // optional constant int args. 1518 bool Sema::SemaBuiltinPrefetch(CallExpr *TheCall) { 1519 unsigned NumArgs = TheCall->getNumArgs(); 1520 1521 if (NumArgs > 3) 1522 return Diag(TheCall->getLocEnd(), 1523 diag::err_typecheck_call_too_many_args_at_most) 1524 << 0 /*function call*/ << 3 << NumArgs 1525 << TheCall->getSourceRange(); 1526 1527 // Argument 0 is checked for us and the remaining arguments must be 1528 // constant integers. 1529 for (unsigned i = 1; i != NumArgs; ++i) { 1530 Expr *Arg = TheCall->getArg(i); 1531 1532 // We can't check the value of a dependent argument. 1533 if (Arg->isTypeDependent() || Arg->isValueDependent()) 1534 continue; 1535 1536 llvm::APSInt Result; 1537 if (SemaBuiltinConstantArg(TheCall, i, Result)) 1538 return true; 1539 1540 // FIXME: gcc issues a warning and rewrites these to 0. These 1541 // seems especially odd for the third argument since the default 1542 // is 3. 1543 if (i == 1) { 1544 if (Result.getLimitedValue() > 1) 1545 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 1546 << "0" << "1" << Arg->getSourceRange(); 1547 } else { 1548 if (Result.getLimitedValue() > 3) 1549 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 1550 << "0" << "3" << Arg->getSourceRange(); 1551 } 1552 } 1553 1554 return false; 1555 } 1556 1557 /// SemaBuiltinConstantArg - Handle a check if argument ArgNum of CallExpr 1558 /// TheCall is a constant expression. 1559 bool Sema::SemaBuiltinConstantArg(CallExpr *TheCall, int ArgNum, 1560 llvm::APSInt &Result) { 1561 Expr *Arg = TheCall->getArg(ArgNum); 1562 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 1563 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 1564 1565 if (Arg->isTypeDependent() || Arg->isValueDependent()) return false; 1566 1567 if (!Arg->isIntegerConstantExpr(Result, Context)) 1568 return Diag(TheCall->getLocStart(), diag::err_constant_integer_arg_type) 1569 << FDecl->getDeclName() << Arg->getSourceRange(); 1570 1571 return false; 1572 } 1573 1574 /// SemaBuiltinObjectSize - Handle __builtin_object_size(void *ptr, 1575 /// int type). This simply type checks that type is one of the defined 1576 /// constants (0-3). 1577 // For compatibility check 0-3, llvm only handles 0 and 2. 1578 bool Sema::SemaBuiltinObjectSize(CallExpr *TheCall) { 1579 llvm::APSInt Result; 1580 1581 // We can't check the value of a dependent argument. 1582 if (TheCall->getArg(1)->isTypeDependent() || 1583 TheCall->getArg(1)->isValueDependent()) 1584 return false; 1585 1586 // Check constant-ness first. 1587 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 1588 return true; 1589 1590 Expr *Arg = TheCall->getArg(1); 1591 if (Result.getSExtValue() < 0 || Result.getSExtValue() > 3) { 1592 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 1593 << "0" << "3" << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 1594 } 1595 1596 return false; 1597 } 1598 1599 /// SemaBuiltinLongjmp - Handle __builtin_longjmp(void *env[5], int val). 1600 /// This checks that val is a constant 1. 1601 bool Sema::SemaBuiltinLongjmp(CallExpr *TheCall) { 1602 Expr *Arg = TheCall->getArg(1); 1603 llvm::APSInt Result; 1604 1605 // TODO: This is less than ideal. Overload this to take a value. 1606 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 1607 return true; 1608 1609 if (Result != 1) 1610 return Diag(TheCall->getLocStart(), diag::err_builtin_longjmp_invalid_val) 1611 << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 1612 1613 return false; 1614 } 1615 1616 // Determine if an expression is a string literal or constant string. 1617 // If this function returns false on the arguments to a function expecting a 1618 // format string, we will usually need to emit a warning. 1619 // True string literals are then checked by CheckFormatString. 1620 Sema::StringLiteralCheckType 1621 Sema::checkFormatStringExpr(const Expr *E, Expr **Args, 1622 unsigned NumArgs, bool HasVAListArg, 1623 unsigned format_idx, unsigned firstDataArg, 1624 FormatStringType Type, VariadicCallType CallType, 1625 bool inFunctionCall) { 1626 tryAgain: 1627 if (E->isTypeDependent() || E->isValueDependent()) 1628 return SLCT_NotALiteral; 1629 1630 E = E->IgnoreParenCasts(); 1631 1632 if (E->isNullPointerConstant(Context, Expr::NPC_ValueDependentIsNotNull)) 1633 // Technically -Wformat-nonliteral does not warn about this case. 1634 // The behavior of printf and friends in this case is implementation 1635 // dependent. Ideally if the format string cannot be null then 1636 // it should have a 'nonnull' attribute in the function prototype. 1637 return SLCT_CheckedLiteral; 1638 1639 switch (E->getStmtClass()) { 1640 case Stmt::BinaryConditionalOperatorClass: 1641 case Stmt::ConditionalOperatorClass: { 1642 // The expression is a literal if both sub-expressions were, and it was 1643 // completely checked only if both sub-expressions were checked. 1644 const AbstractConditionalOperator *C = 1645 cast<AbstractConditionalOperator>(E); 1646 StringLiteralCheckType Left = 1647 checkFormatStringExpr(C->getTrueExpr(), Args, NumArgs, 1648 HasVAListArg, format_idx, firstDataArg, 1649 Type, CallType, inFunctionCall); 1650 if (Left == SLCT_NotALiteral) 1651 return SLCT_NotALiteral; 1652 StringLiteralCheckType Right = 1653 checkFormatStringExpr(C->getFalseExpr(), Args, NumArgs, 1654 HasVAListArg, format_idx, firstDataArg, 1655 Type, CallType, inFunctionCall); 1656 return Left < Right ? Left : Right; 1657 } 1658 1659 case Stmt::ImplicitCastExprClass: { 1660 E = cast<ImplicitCastExpr>(E)->getSubExpr(); 1661 goto tryAgain; 1662 } 1663 1664 case Stmt::OpaqueValueExprClass: 1665 if (const Expr *src = cast<OpaqueValueExpr>(E)->getSourceExpr()) { 1666 E = src; 1667 goto tryAgain; 1668 } 1669 return SLCT_NotALiteral; 1670 1671 case Stmt::PredefinedExprClass: 1672 // While __func__, etc., are technically not string literals, they 1673 // cannot contain format specifiers and thus are not a security 1674 // liability. 1675 return SLCT_UncheckedLiteral; 1676 1677 case Stmt::DeclRefExprClass: { 1678 const DeclRefExpr *DR = cast<DeclRefExpr>(E); 1679 1680 // As an exception, do not flag errors for variables binding to 1681 // const string literals. 1682 if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) { 1683 bool isConstant = false; 1684 QualType T = DR->getType(); 1685 1686 if (const ArrayType *AT = Context.getAsArrayType(T)) { 1687 isConstant = AT->getElementType().isConstant(Context); 1688 } else if (const PointerType *PT = T->getAs<PointerType>()) { 1689 isConstant = T.isConstant(Context) && 1690 PT->getPointeeType().isConstant(Context); 1691 } else if (T->isObjCObjectPointerType()) { 1692 // In ObjC, there is usually no "const ObjectPointer" type, 1693 // so don't check if the pointee type is constant. 1694 isConstant = T.isConstant(Context); 1695 } 1696 1697 if (isConstant) { 1698 if (const Expr *Init = VD->getAnyInitializer()) { 1699 // Look through initializers like const char c[] = { "foo" } 1700 if (const InitListExpr *InitList = dyn_cast<InitListExpr>(Init)) { 1701 if (InitList->isStringLiteralInit()) 1702 Init = InitList->getInit(0)->IgnoreParenImpCasts(); 1703 } 1704 return checkFormatStringExpr(Init, Args, NumArgs, 1705 HasVAListArg, format_idx, 1706 firstDataArg, Type, CallType, 1707 /*inFunctionCall*/false); 1708 } 1709 } 1710 1711 // For vprintf* functions (i.e., HasVAListArg==true), we add a 1712 // special check to see if the format string is a function parameter 1713 // of the function calling the printf function. If the function 1714 // has an attribute indicating it is a printf-like function, then we 1715 // should suppress warnings concerning non-literals being used in a call 1716 // to a vprintf function. For example: 1717 // 1718 // void 1719 // logmessage(char const *fmt __attribute__ (format (printf, 1, 2)), ...){ 1720 // va_list ap; 1721 // va_start(ap, fmt); 1722 // vprintf(fmt, ap); // Do NOT emit a warning about "fmt". 1723 // ... 1724 // 1725 if (HasVAListArg) { 1726 if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(VD)) { 1727 if (const NamedDecl *ND = dyn_cast<NamedDecl>(PV->getDeclContext())) { 1728 int PVIndex = PV->getFunctionScopeIndex() + 1; 1729 for (specific_attr_iterator<FormatAttr> 1730 i = ND->specific_attr_begin<FormatAttr>(), 1731 e = ND->specific_attr_end<FormatAttr>(); i != e ; ++i) { 1732 FormatAttr *PVFormat = *i; 1733 // adjust for implicit parameter 1734 if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(ND)) 1735 if (MD->isInstance()) 1736 ++PVIndex; 1737 // We also check if the formats are compatible. 1738 // We can't pass a 'scanf' string to a 'printf' function. 1739 if (PVIndex == PVFormat->getFormatIdx() && 1740 Type == GetFormatStringType(PVFormat)) 1741 return SLCT_UncheckedLiteral; 1742 } 1743 } 1744 } 1745 } 1746 } 1747 1748 return SLCT_NotALiteral; 1749 } 1750 1751 case Stmt::CallExprClass: 1752 case Stmt::CXXMemberCallExprClass: { 1753 const CallExpr *CE = cast<CallExpr>(E); 1754 if (const NamedDecl *ND = dyn_cast_or_null<NamedDecl>(CE->getCalleeDecl())) { 1755 if (const FormatArgAttr *FA = ND->getAttr<FormatArgAttr>()) { 1756 unsigned ArgIndex = FA->getFormatIdx(); 1757 if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(ND)) 1758 if (MD->isInstance()) 1759 --ArgIndex; 1760 const Expr *Arg = CE->getArg(ArgIndex - 1); 1761 1762 return checkFormatStringExpr(Arg, Args, NumArgs, 1763 HasVAListArg, format_idx, firstDataArg, 1764 Type, CallType, inFunctionCall); 1765 } else if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(ND)) { 1766 unsigned BuiltinID = FD->getBuiltinID(); 1767 if (BuiltinID == Builtin::BI__builtin___CFStringMakeConstantString || 1768 BuiltinID == Builtin::BI__builtin___NSStringMakeConstantString) { 1769 const Expr *Arg = CE->getArg(0); 1770 return checkFormatStringExpr(Arg, Args, NumArgs, 1771 HasVAListArg, format_idx, 1772 firstDataArg, Type, CallType, 1773 inFunctionCall); 1774 } 1775 } 1776 } 1777 1778 return SLCT_NotALiteral; 1779 } 1780 case Stmt::ObjCStringLiteralClass: 1781 case Stmt::StringLiteralClass: { 1782 const StringLiteral *StrE = NULL; 1783 1784 if (const ObjCStringLiteral *ObjCFExpr = dyn_cast<ObjCStringLiteral>(E)) 1785 StrE = ObjCFExpr->getString(); 1786 else 1787 StrE = cast<StringLiteral>(E); 1788 1789 if (StrE) { 1790 CheckFormatString(StrE, E, Args, NumArgs, HasVAListArg, format_idx, 1791 firstDataArg, Type, inFunctionCall, CallType); 1792 return SLCT_CheckedLiteral; 1793 } 1794 1795 return SLCT_NotALiteral; 1796 } 1797 1798 default: 1799 return SLCT_NotALiteral; 1800 } 1801 } 1802 1803 void 1804 Sema::CheckNonNullArguments(const NonNullAttr *NonNull, 1805 const Expr * const *ExprArgs, 1806 SourceLocation CallSiteLoc) { 1807 for (NonNullAttr::args_iterator i = NonNull->args_begin(), 1808 e = NonNull->args_end(); 1809 i != e; ++i) { 1810 const Expr *ArgExpr = ExprArgs[*i]; 1811 if (ArgExpr->isNullPointerConstant(Context, 1812 Expr::NPC_ValueDependentIsNotNull)) 1813 Diag(CallSiteLoc, diag::warn_null_arg) << ArgExpr->getSourceRange(); 1814 } 1815 } 1816 1817 Sema::FormatStringType Sema::GetFormatStringType(const FormatAttr *Format) { 1818 return llvm::StringSwitch<FormatStringType>(Format->getType()) 1819 .Case("scanf", FST_Scanf) 1820 .Cases("printf", "printf0", FST_Printf) 1821 .Cases("NSString", "CFString", FST_NSString) 1822 .Case("strftime", FST_Strftime) 1823 .Case("strfmon", FST_Strfmon) 1824 .Cases("kprintf", "cmn_err", "vcmn_err", "zcmn_err", FST_Kprintf) 1825 .Default(FST_Unknown); 1826 } 1827 1828 /// CheckFormatArguments - Check calls to printf and scanf (and similar 1829 /// functions) for correct use of format strings. 1830 /// Returns true if a format string has been fully checked. 1831 bool Sema::CheckFormatArguments(const FormatAttr *Format, Expr **Args, 1832 unsigned NumArgs, bool IsCXXMember, 1833 VariadicCallType CallType, 1834 SourceLocation Loc, SourceRange Range) { 1835 FormatStringInfo FSI; 1836 if (getFormatStringInfo(Format, IsCXXMember, &FSI)) 1837 return CheckFormatArguments(Args, NumArgs, FSI.HasVAListArg, FSI.FormatIdx, 1838 FSI.FirstDataArg, GetFormatStringType(Format), 1839 CallType, Loc, Range); 1840 return false; 1841 } 1842 1843 bool Sema::CheckFormatArguments(Expr **Args, unsigned NumArgs, 1844 bool HasVAListArg, unsigned format_idx, 1845 unsigned firstDataArg, FormatStringType Type, 1846 VariadicCallType CallType, 1847 SourceLocation Loc, SourceRange Range) { 1848 // CHECK: printf/scanf-like function is called with no format string. 1849 if (format_idx >= NumArgs) { 1850 Diag(Loc, diag::warn_missing_format_string) << Range; 1851 return false; 1852 } 1853 1854 const Expr *OrigFormatExpr = Args[format_idx]->IgnoreParenCasts(); 1855 1856 // CHECK: format string is not a string literal. 1857 // 1858 // Dynamically generated format strings are difficult to 1859 // automatically vet at compile time. Requiring that format strings 1860 // are string literals: (1) permits the checking of format strings by 1861 // the compiler and thereby (2) can practically remove the source of 1862 // many format string exploits. 1863 1864 // Format string can be either ObjC string (e.g. @"%d") or 1865 // C string (e.g. "%d") 1866 // ObjC string uses the same format specifiers as C string, so we can use 1867 // the same format string checking logic for both ObjC and C strings. 1868 StringLiteralCheckType CT = 1869 checkFormatStringExpr(OrigFormatExpr, Args, NumArgs, HasVAListArg, 1870 format_idx, firstDataArg, Type, CallType); 1871 if (CT != SLCT_NotALiteral) 1872 // Literal format string found, check done! 1873 return CT == SLCT_CheckedLiteral; 1874 1875 // Strftime is particular as it always uses a single 'time' argument, 1876 // so it is safe to pass a non-literal string. 1877 if (Type == FST_Strftime) 1878 return false; 1879 1880 // Do not emit diag when the string param is a macro expansion and the 1881 // format is either NSString or CFString. This is a hack to prevent 1882 // diag when using the NSLocalizedString and CFCopyLocalizedString macros 1883 // which are usually used in place of NS and CF string literals. 1884 if (Type == FST_NSString && 1885 SourceMgr.isInSystemMacro(Args[format_idx]->getLocStart())) 1886 return false; 1887 1888 // If there are no arguments specified, warn with -Wformat-security, otherwise 1889 // warn only with -Wformat-nonliteral. 1890 if (NumArgs == format_idx+1) 1891 Diag(Args[format_idx]->getLocStart(), 1892 diag::warn_format_nonliteral_noargs) 1893 << OrigFormatExpr->getSourceRange(); 1894 else 1895 Diag(Args[format_idx]->getLocStart(), 1896 diag::warn_format_nonliteral) 1897 << OrigFormatExpr->getSourceRange(); 1898 return false; 1899 } 1900 1901 namespace { 1902 class CheckFormatHandler : public analyze_format_string::FormatStringHandler { 1903 protected: 1904 Sema &S; 1905 const StringLiteral *FExpr; 1906 const Expr *OrigFormatExpr; 1907 const unsigned FirstDataArg; 1908 const unsigned NumDataArgs; 1909 const char *Beg; // Start of format string. 1910 const bool HasVAListArg; 1911 const Expr * const *Args; 1912 const unsigned NumArgs; 1913 unsigned FormatIdx; 1914 llvm::BitVector CoveredArgs; 1915 bool usesPositionalArgs; 1916 bool atFirstArg; 1917 bool inFunctionCall; 1918 Sema::VariadicCallType CallType; 1919 public: 1920 CheckFormatHandler(Sema &s, const StringLiteral *fexpr, 1921 const Expr *origFormatExpr, unsigned firstDataArg, 1922 unsigned numDataArgs, const char *beg, bool hasVAListArg, 1923 Expr **args, unsigned numArgs, 1924 unsigned formatIdx, bool inFunctionCall, 1925 Sema::VariadicCallType callType) 1926 : S(s), FExpr(fexpr), OrigFormatExpr(origFormatExpr), 1927 FirstDataArg(firstDataArg), NumDataArgs(numDataArgs), 1928 Beg(beg), HasVAListArg(hasVAListArg), 1929 Args(args), NumArgs(numArgs), FormatIdx(formatIdx), 1930 usesPositionalArgs(false), atFirstArg(true), 1931 inFunctionCall(inFunctionCall), CallType(callType) { 1932 CoveredArgs.resize(numDataArgs); 1933 CoveredArgs.reset(); 1934 } 1935 1936 void DoneProcessing(); 1937 1938 void HandleIncompleteSpecifier(const char *startSpecifier, 1939 unsigned specifierLen); 1940 1941 void HandleInvalidLengthModifier( 1942 const analyze_format_string::FormatSpecifier &FS, 1943 const analyze_format_string::ConversionSpecifier &CS, 1944 const char *startSpecifier, unsigned specifierLen, unsigned DiagID); 1945 1946 void HandleNonStandardLengthModifier( 1947 const analyze_format_string::FormatSpecifier &FS, 1948 const char *startSpecifier, unsigned specifierLen); 1949 1950 void HandleNonStandardConversionSpecifier( 1951 const analyze_format_string::ConversionSpecifier &CS, 1952 const char *startSpecifier, unsigned specifierLen); 1953 1954 virtual void HandlePosition(const char *startPos, unsigned posLen); 1955 1956 virtual void HandleInvalidPosition(const char *startSpecifier, 1957 unsigned specifierLen, 1958 analyze_format_string::PositionContext p); 1959 1960 virtual void HandleZeroPosition(const char *startPos, unsigned posLen); 1961 1962 void HandleNullChar(const char *nullCharacter); 1963 1964 template <typename Range> 1965 static void EmitFormatDiagnostic(Sema &S, bool inFunctionCall, 1966 const Expr *ArgumentExpr, 1967 PartialDiagnostic PDiag, 1968 SourceLocation StringLoc, 1969 bool IsStringLocation, Range StringRange, 1970 ArrayRef<FixItHint> Fixit = ArrayRef<FixItHint>()); 1971 1972 protected: 1973 bool HandleInvalidConversionSpecifier(unsigned argIndex, SourceLocation Loc, 1974 const char *startSpec, 1975 unsigned specifierLen, 1976 const char *csStart, unsigned csLen); 1977 1978 void HandlePositionalNonpositionalArgs(SourceLocation Loc, 1979 const char *startSpec, 1980 unsigned specifierLen); 1981 1982 SourceRange getFormatStringRange(); 1983 CharSourceRange getSpecifierRange(const char *startSpecifier, 1984 unsigned specifierLen); 1985 SourceLocation getLocationOfByte(const char *x); 1986 1987 const Expr *getDataArg(unsigned i) const; 1988 1989 bool CheckNumArgs(const analyze_format_string::FormatSpecifier &FS, 1990 const analyze_format_string::ConversionSpecifier &CS, 1991 const char *startSpecifier, unsigned specifierLen, 1992 unsigned argIndex); 1993 1994 template <typename Range> 1995 void EmitFormatDiagnostic(PartialDiagnostic PDiag, SourceLocation StringLoc, 1996 bool IsStringLocation, Range StringRange, 1997 ArrayRef<FixItHint> Fixit = ArrayRef<FixItHint>()); 1998 1999 void CheckPositionalAndNonpositionalArgs( 2000 const analyze_format_string::FormatSpecifier *FS); 2001 }; 2002 } 2003 2004 SourceRange CheckFormatHandler::getFormatStringRange() { 2005 return OrigFormatExpr->getSourceRange(); 2006 } 2007 2008 CharSourceRange CheckFormatHandler:: 2009 getSpecifierRange(const char *startSpecifier, unsigned specifierLen) { 2010 SourceLocation Start = getLocationOfByte(startSpecifier); 2011 SourceLocation End = getLocationOfByte(startSpecifier + specifierLen - 1); 2012 2013 // Advance the end SourceLocation by one due to half-open ranges. 2014 End = End.getLocWithOffset(1); 2015 2016 return CharSourceRange::getCharRange(Start, End); 2017 } 2018 2019 SourceLocation CheckFormatHandler::getLocationOfByte(const char *x) { 2020 return S.getLocationOfStringLiteralByte(FExpr, x - Beg); 2021 } 2022 2023 void CheckFormatHandler::HandleIncompleteSpecifier(const char *startSpecifier, 2024 unsigned specifierLen){ 2025 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_incomplete_specifier), 2026 getLocationOfByte(startSpecifier), 2027 /*IsStringLocation*/true, 2028 getSpecifierRange(startSpecifier, specifierLen)); 2029 } 2030 2031 void CheckFormatHandler::HandleInvalidLengthModifier( 2032 const analyze_format_string::FormatSpecifier &FS, 2033 const analyze_format_string::ConversionSpecifier &CS, 2034 const char *startSpecifier, unsigned specifierLen, unsigned DiagID) { 2035 using namespace analyze_format_string; 2036 2037 const LengthModifier &LM = FS.getLengthModifier(); 2038 CharSourceRange LMRange = getSpecifierRange(LM.getStart(), LM.getLength()); 2039 2040 // See if we know how to fix this length modifier. 2041 llvm::Optional<LengthModifier> FixedLM = FS.getCorrectedLengthModifier(); 2042 if (FixedLM) { 2043 EmitFormatDiagnostic(S.PDiag(DiagID) << LM.toString() << CS.toString(), 2044 getLocationOfByte(LM.getStart()), 2045 /*IsStringLocation*/true, 2046 getSpecifierRange(startSpecifier, specifierLen)); 2047 2048 S.Diag(getLocationOfByte(LM.getStart()), diag::note_format_fix_specifier) 2049 << FixedLM->toString() 2050 << FixItHint::CreateReplacement(LMRange, FixedLM->toString()); 2051 2052 } else { 2053 FixItHint Hint; 2054 if (DiagID == diag::warn_format_nonsensical_length) 2055 Hint = FixItHint::CreateRemoval(LMRange); 2056 2057 EmitFormatDiagnostic(S.PDiag(DiagID) << LM.toString() << CS.toString(), 2058 getLocationOfByte(LM.getStart()), 2059 /*IsStringLocation*/true, 2060 getSpecifierRange(startSpecifier, specifierLen), 2061 Hint); 2062 } 2063 } 2064 2065 void CheckFormatHandler::HandleNonStandardLengthModifier( 2066 const analyze_format_string::FormatSpecifier &FS, 2067 const char *startSpecifier, unsigned specifierLen) { 2068 using namespace analyze_format_string; 2069 2070 const LengthModifier &LM = FS.getLengthModifier(); 2071 CharSourceRange LMRange = getSpecifierRange(LM.getStart(), LM.getLength()); 2072 2073 // See if we know how to fix this length modifier. 2074 llvm::Optional<LengthModifier> FixedLM = FS.getCorrectedLengthModifier(); 2075 if (FixedLM) { 2076 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) 2077 << LM.toString() << 0, 2078 getLocationOfByte(LM.getStart()), 2079 /*IsStringLocation*/true, 2080 getSpecifierRange(startSpecifier, specifierLen)); 2081 2082 S.Diag(getLocationOfByte(LM.getStart()), diag::note_format_fix_specifier) 2083 << FixedLM->toString() 2084 << FixItHint::CreateReplacement(LMRange, FixedLM->toString()); 2085 2086 } else { 2087 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) 2088 << LM.toString() << 0, 2089 getLocationOfByte(LM.getStart()), 2090 /*IsStringLocation*/true, 2091 getSpecifierRange(startSpecifier, specifierLen)); 2092 } 2093 } 2094 2095 void CheckFormatHandler::HandleNonStandardConversionSpecifier( 2096 const analyze_format_string::ConversionSpecifier &CS, 2097 const char *startSpecifier, unsigned specifierLen) { 2098 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) << CS.toString() 2099 << 1, 2100 getLocationOfByte(CS.getStart()), 2101 /*IsStringLocation*/true, 2102 getSpecifierRange(startSpecifier, specifierLen)); 2103 } 2104 2105 void CheckFormatHandler::HandlePosition(const char *startPos, 2106 unsigned posLen) { 2107 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard_positional_arg), 2108 getLocationOfByte(startPos), 2109 /*IsStringLocation*/true, 2110 getSpecifierRange(startPos, posLen)); 2111 } 2112 2113 void 2114 CheckFormatHandler::HandleInvalidPosition(const char *startPos, unsigned posLen, 2115 analyze_format_string::PositionContext p) { 2116 EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_positional_specifier) 2117 << (unsigned) p, 2118 getLocationOfByte(startPos), /*IsStringLocation*/true, 2119 getSpecifierRange(startPos, posLen)); 2120 } 2121 2122 void CheckFormatHandler::HandleZeroPosition(const char *startPos, 2123 unsigned posLen) { 2124 EmitFormatDiagnostic(S.PDiag(diag::warn_format_zero_positional_specifier), 2125 getLocationOfByte(startPos), 2126 /*IsStringLocation*/true, 2127 getSpecifierRange(startPos, posLen)); 2128 } 2129 2130 void CheckFormatHandler::HandleNullChar(const char *nullCharacter) { 2131 if (!isa<ObjCStringLiteral>(OrigFormatExpr)) { 2132 // The presence of a null character is likely an error. 2133 EmitFormatDiagnostic( 2134 S.PDiag(diag::warn_printf_format_string_contains_null_char), 2135 getLocationOfByte(nullCharacter), /*IsStringLocation*/true, 2136 getFormatStringRange()); 2137 } 2138 } 2139 2140 // Note that this may return NULL if there was an error parsing or building 2141 // one of the argument expressions. 2142 const Expr *CheckFormatHandler::getDataArg(unsigned i) const { 2143 return Args[FirstDataArg + i]; 2144 } 2145 2146 void CheckFormatHandler::DoneProcessing() { 2147 // Does the number of data arguments exceed the number of 2148 // format conversions in the format string? 2149 if (!HasVAListArg) { 2150 // Find any arguments that weren't covered. 2151 CoveredArgs.flip(); 2152 signed notCoveredArg = CoveredArgs.find_first(); 2153 if (notCoveredArg >= 0) { 2154 assert((unsigned)notCoveredArg < NumDataArgs); 2155 if (const Expr *E = getDataArg((unsigned) notCoveredArg)) { 2156 SourceLocation Loc = E->getLocStart(); 2157 if (!S.getSourceManager().isInSystemMacro(Loc)) { 2158 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_data_arg_not_used), 2159 Loc, /*IsStringLocation*/false, 2160 getFormatStringRange()); 2161 } 2162 } 2163 } 2164 } 2165 } 2166 2167 bool 2168 CheckFormatHandler::HandleInvalidConversionSpecifier(unsigned argIndex, 2169 SourceLocation Loc, 2170 const char *startSpec, 2171 unsigned specifierLen, 2172 const char *csStart, 2173 unsigned csLen) { 2174 2175 bool keepGoing = true; 2176 if (argIndex < NumDataArgs) { 2177 // Consider the argument coverered, even though the specifier doesn't 2178 // make sense. 2179 CoveredArgs.set(argIndex); 2180 } 2181 else { 2182 // If argIndex exceeds the number of data arguments we 2183 // don't issue a warning because that is just a cascade of warnings (and 2184 // they may have intended '%%' anyway). We don't want to continue processing 2185 // the format string after this point, however, as we will like just get 2186 // gibberish when trying to match arguments. 2187 keepGoing = false; 2188 } 2189 2190 EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_conversion) 2191 << StringRef(csStart, csLen), 2192 Loc, /*IsStringLocation*/true, 2193 getSpecifierRange(startSpec, specifierLen)); 2194 2195 return keepGoing; 2196 } 2197 2198 void 2199 CheckFormatHandler::HandlePositionalNonpositionalArgs(SourceLocation Loc, 2200 const char *startSpec, 2201 unsigned specifierLen) { 2202 EmitFormatDiagnostic( 2203 S.PDiag(diag::warn_format_mix_positional_nonpositional_args), 2204 Loc, /*isStringLoc*/true, getSpecifierRange(startSpec, specifierLen)); 2205 } 2206 2207 bool 2208 CheckFormatHandler::CheckNumArgs( 2209 const analyze_format_string::FormatSpecifier &FS, 2210 const analyze_format_string::ConversionSpecifier &CS, 2211 const char *startSpecifier, unsigned specifierLen, unsigned argIndex) { 2212 2213 if (argIndex >= NumDataArgs) { 2214 PartialDiagnostic PDiag = FS.usesPositionalArg() 2215 ? (S.PDiag(diag::warn_printf_positional_arg_exceeds_data_args) 2216 << (argIndex+1) << NumDataArgs) 2217 : S.PDiag(diag::warn_printf_insufficient_data_args); 2218 EmitFormatDiagnostic( 2219 PDiag, getLocationOfByte(CS.getStart()), /*IsStringLocation*/true, 2220 getSpecifierRange(startSpecifier, specifierLen)); 2221 return false; 2222 } 2223 return true; 2224 } 2225 2226 template<typename Range> 2227 void CheckFormatHandler::EmitFormatDiagnostic(PartialDiagnostic PDiag, 2228 SourceLocation Loc, 2229 bool IsStringLocation, 2230 Range StringRange, 2231 ArrayRef<FixItHint> FixIt) { 2232 EmitFormatDiagnostic(S, inFunctionCall, Args[FormatIdx], PDiag, 2233 Loc, IsStringLocation, StringRange, FixIt); 2234 } 2235 2236 /// \brief If the format string is not within the funcion call, emit a note 2237 /// so that the function call and string are in diagnostic messages. 2238 /// 2239 /// \param InFunctionCall if true, the format string is within the function 2240 /// call and only one diagnostic message will be produced. Otherwise, an 2241 /// extra note will be emitted pointing to location of the format string. 2242 /// 2243 /// \param ArgumentExpr the expression that is passed as the format string 2244 /// argument in the function call. Used for getting locations when two 2245 /// diagnostics are emitted. 2246 /// 2247 /// \param PDiag the callee should already have provided any strings for the 2248 /// diagnostic message. This function only adds locations and fixits 2249 /// to diagnostics. 2250 /// 2251 /// \param Loc primary location for diagnostic. If two diagnostics are 2252 /// required, one will be at Loc and a new SourceLocation will be created for 2253 /// the other one. 2254 /// 2255 /// \param IsStringLocation if true, Loc points to the format string should be 2256 /// used for the note. Otherwise, Loc points to the argument list and will 2257 /// be used with PDiag. 2258 /// 2259 /// \param StringRange some or all of the string to highlight. This is 2260 /// templated so it can accept either a CharSourceRange or a SourceRange. 2261 /// 2262 /// \param FixIt optional fix it hint for the format string. 2263 template<typename Range> 2264 void CheckFormatHandler::EmitFormatDiagnostic(Sema &S, bool InFunctionCall, 2265 const Expr *ArgumentExpr, 2266 PartialDiagnostic PDiag, 2267 SourceLocation Loc, 2268 bool IsStringLocation, 2269 Range StringRange, 2270 ArrayRef<FixItHint> FixIt) { 2271 if (InFunctionCall) { 2272 const Sema::SemaDiagnosticBuilder &D = S.Diag(Loc, PDiag); 2273 D << StringRange; 2274 for (ArrayRef<FixItHint>::iterator I = FixIt.begin(), E = FixIt.end(); 2275 I != E; ++I) { 2276 D << *I; 2277 } 2278 } else { 2279 S.Diag(IsStringLocation ? ArgumentExpr->getExprLoc() : Loc, PDiag) 2280 << ArgumentExpr->getSourceRange(); 2281 2282 const Sema::SemaDiagnosticBuilder &Note = 2283 S.Diag(IsStringLocation ? Loc : StringRange.getBegin(), 2284 diag::note_format_string_defined); 2285 2286 Note << StringRange; 2287 for (ArrayRef<FixItHint>::iterator I = FixIt.begin(), E = FixIt.end(); 2288 I != E; ++I) { 2289 Note << *I; 2290 } 2291 } 2292 } 2293 2294 //===--- CHECK: Printf format string checking ------------------------------===// 2295 2296 namespace { 2297 class CheckPrintfHandler : public CheckFormatHandler { 2298 bool ObjCContext; 2299 public: 2300 CheckPrintfHandler(Sema &s, const StringLiteral *fexpr, 2301 const Expr *origFormatExpr, unsigned firstDataArg, 2302 unsigned numDataArgs, bool isObjC, 2303 const char *beg, bool hasVAListArg, 2304 Expr **Args, unsigned NumArgs, 2305 unsigned formatIdx, bool inFunctionCall, 2306 Sema::VariadicCallType CallType) 2307 : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg, 2308 numDataArgs, beg, hasVAListArg, Args, NumArgs, 2309 formatIdx, inFunctionCall, CallType), ObjCContext(isObjC) 2310 {} 2311 2312 2313 bool HandleInvalidPrintfConversionSpecifier( 2314 const analyze_printf::PrintfSpecifier &FS, 2315 const char *startSpecifier, 2316 unsigned specifierLen); 2317 2318 bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS, 2319 const char *startSpecifier, 2320 unsigned specifierLen); 2321 bool checkFormatExpr(const analyze_printf::PrintfSpecifier &FS, 2322 const char *StartSpecifier, 2323 unsigned SpecifierLen, 2324 const Expr *E); 2325 2326 bool HandleAmount(const analyze_format_string::OptionalAmount &Amt, unsigned k, 2327 const char *startSpecifier, unsigned specifierLen); 2328 void HandleInvalidAmount(const analyze_printf::PrintfSpecifier &FS, 2329 const analyze_printf::OptionalAmount &Amt, 2330 unsigned type, 2331 const char *startSpecifier, unsigned specifierLen); 2332 void HandleFlag(const analyze_printf::PrintfSpecifier &FS, 2333 const analyze_printf::OptionalFlag &flag, 2334 const char *startSpecifier, unsigned specifierLen); 2335 void HandleIgnoredFlag(const analyze_printf::PrintfSpecifier &FS, 2336 const analyze_printf::OptionalFlag &ignoredFlag, 2337 const analyze_printf::OptionalFlag &flag, 2338 const char *startSpecifier, unsigned specifierLen); 2339 bool checkForCStrMembers(const analyze_printf::ArgType &AT, 2340 const Expr *E, const CharSourceRange &CSR); 2341 2342 }; 2343 } 2344 2345 bool CheckPrintfHandler::HandleInvalidPrintfConversionSpecifier( 2346 const analyze_printf::PrintfSpecifier &FS, 2347 const char *startSpecifier, 2348 unsigned specifierLen) { 2349 const analyze_printf::PrintfConversionSpecifier &CS = 2350 FS.getConversionSpecifier(); 2351 2352 return HandleInvalidConversionSpecifier(FS.getArgIndex(), 2353 getLocationOfByte(CS.getStart()), 2354 startSpecifier, specifierLen, 2355 CS.getStart(), CS.getLength()); 2356 } 2357 2358 bool CheckPrintfHandler::HandleAmount( 2359 const analyze_format_string::OptionalAmount &Amt, 2360 unsigned k, const char *startSpecifier, 2361 unsigned specifierLen) { 2362 2363 if (Amt.hasDataArgument()) { 2364 if (!HasVAListArg) { 2365 unsigned argIndex = Amt.getArgIndex(); 2366 if (argIndex >= NumDataArgs) { 2367 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_missing_arg) 2368 << k, 2369 getLocationOfByte(Amt.getStart()), 2370 /*IsStringLocation*/true, 2371 getSpecifierRange(startSpecifier, specifierLen)); 2372 // Don't do any more checking. We will just emit 2373 // spurious errors. 2374 return false; 2375 } 2376 2377 // Type check the data argument. It should be an 'int'. 2378 // Although not in conformance with C99, we also allow the argument to be 2379 // an 'unsigned int' as that is a reasonably safe case. GCC also 2380 // doesn't emit a warning for that case. 2381 CoveredArgs.set(argIndex); 2382 const Expr *Arg = getDataArg(argIndex); 2383 if (!Arg) 2384 return false; 2385 2386 QualType T = Arg->getType(); 2387 2388 const analyze_printf::ArgType &AT = Amt.getArgType(S.Context); 2389 assert(AT.isValid()); 2390 2391 if (!AT.matchesType(S.Context, T)) { 2392 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_wrong_type) 2393 << k << AT.getRepresentativeTypeName(S.Context) 2394 << T << Arg->getSourceRange(), 2395 getLocationOfByte(Amt.getStart()), 2396 /*IsStringLocation*/true, 2397 getSpecifierRange(startSpecifier, specifierLen)); 2398 // Don't do any more checking. We will just emit 2399 // spurious errors. 2400 return false; 2401 } 2402 } 2403 } 2404 return true; 2405 } 2406 2407 void CheckPrintfHandler::HandleInvalidAmount( 2408 const analyze_printf::PrintfSpecifier &FS, 2409 const analyze_printf::OptionalAmount &Amt, 2410 unsigned type, 2411 const char *startSpecifier, 2412 unsigned specifierLen) { 2413 const analyze_printf::PrintfConversionSpecifier &CS = 2414 FS.getConversionSpecifier(); 2415 2416 FixItHint fixit = 2417 Amt.getHowSpecified() == analyze_printf::OptionalAmount::Constant 2418 ? FixItHint::CreateRemoval(getSpecifierRange(Amt.getStart(), 2419 Amt.getConstantLength())) 2420 : FixItHint(); 2421 2422 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_optional_amount) 2423 << type << CS.toString(), 2424 getLocationOfByte(Amt.getStart()), 2425 /*IsStringLocation*/true, 2426 getSpecifierRange(startSpecifier, specifierLen), 2427 fixit); 2428 } 2429 2430 void CheckPrintfHandler::HandleFlag(const analyze_printf::PrintfSpecifier &FS, 2431 const analyze_printf::OptionalFlag &flag, 2432 const char *startSpecifier, 2433 unsigned specifierLen) { 2434 // Warn about pointless flag with a fixit removal. 2435 const analyze_printf::PrintfConversionSpecifier &CS = 2436 FS.getConversionSpecifier(); 2437 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_flag) 2438 << flag.toString() << CS.toString(), 2439 getLocationOfByte(flag.getPosition()), 2440 /*IsStringLocation*/true, 2441 getSpecifierRange(startSpecifier, specifierLen), 2442 FixItHint::CreateRemoval( 2443 getSpecifierRange(flag.getPosition(), 1))); 2444 } 2445 2446 void CheckPrintfHandler::HandleIgnoredFlag( 2447 const analyze_printf::PrintfSpecifier &FS, 2448 const analyze_printf::OptionalFlag &ignoredFlag, 2449 const analyze_printf::OptionalFlag &flag, 2450 const char *startSpecifier, 2451 unsigned specifierLen) { 2452 // Warn about ignored flag with a fixit removal. 2453 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_ignored_flag) 2454 << ignoredFlag.toString() << flag.toString(), 2455 getLocationOfByte(ignoredFlag.getPosition()), 2456 /*IsStringLocation*/true, 2457 getSpecifierRange(startSpecifier, specifierLen), 2458 FixItHint::CreateRemoval( 2459 getSpecifierRange(ignoredFlag.getPosition(), 1))); 2460 } 2461 2462 // Determines if the specified is a C++ class or struct containing 2463 // a member with the specified name and kind (e.g. a CXXMethodDecl named 2464 // "c_str()"). 2465 template<typename MemberKind> 2466 static llvm::SmallPtrSet<MemberKind*, 1> 2467 CXXRecordMembersNamed(StringRef Name, Sema &S, QualType Ty) { 2468 const RecordType *RT = Ty->getAs<RecordType>(); 2469 llvm::SmallPtrSet<MemberKind*, 1> Results; 2470 2471 if (!RT) 2472 return Results; 2473 const CXXRecordDecl *RD = dyn_cast<CXXRecordDecl>(RT->getDecl()); 2474 if (!RD) 2475 return Results; 2476 2477 LookupResult R(S, &S.PP.getIdentifierTable().get(Name), SourceLocation(), 2478 Sema::LookupMemberName); 2479 2480 // We just need to include all members of the right kind turned up by the 2481 // filter, at this point. 2482 if (S.LookupQualifiedName(R, RT->getDecl())) 2483 for (LookupResult::iterator I = R.begin(), E = R.end(); I != E; ++I) { 2484 NamedDecl *decl = (*I)->getUnderlyingDecl(); 2485 if (MemberKind *FK = dyn_cast<MemberKind>(decl)) 2486 Results.insert(FK); 2487 } 2488 return Results; 2489 } 2490 2491 // Check if a (w)string was passed when a (w)char* was needed, and offer a 2492 // better diagnostic if so. AT is assumed to be valid. 2493 // Returns true when a c_str() conversion method is found. 2494 bool CheckPrintfHandler::checkForCStrMembers( 2495 const analyze_printf::ArgType &AT, const Expr *E, 2496 const CharSourceRange &CSR) { 2497 typedef llvm::SmallPtrSet<CXXMethodDecl*, 1> MethodSet; 2498 2499 MethodSet Results = 2500 CXXRecordMembersNamed<CXXMethodDecl>("c_str", S, E->getType()); 2501 2502 for (MethodSet::iterator MI = Results.begin(), ME = Results.end(); 2503 MI != ME; ++MI) { 2504 const CXXMethodDecl *Method = *MI; 2505 if (Method->getNumParams() == 0 && 2506 AT.matchesType(S.Context, Method->getResultType())) { 2507 // FIXME: Suggest parens if the expression needs them. 2508 SourceLocation EndLoc = 2509 S.getPreprocessor().getLocForEndOfToken(E->getLocEnd()); 2510 S.Diag(E->getLocStart(), diag::note_printf_c_str) 2511 << "c_str()" 2512 << FixItHint::CreateInsertion(EndLoc, ".c_str()"); 2513 return true; 2514 } 2515 } 2516 2517 return false; 2518 } 2519 2520 bool 2521 CheckPrintfHandler::HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier 2522 &FS, 2523 const char *startSpecifier, 2524 unsigned specifierLen) { 2525 2526 using namespace analyze_format_string; 2527 using namespace analyze_printf; 2528 const PrintfConversionSpecifier &CS = FS.getConversionSpecifier(); 2529 2530 if (FS.consumesDataArgument()) { 2531 if (atFirstArg) { 2532 atFirstArg = false; 2533 usesPositionalArgs = FS.usesPositionalArg(); 2534 } 2535 else if (usesPositionalArgs != FS.usesPositionalArg()) { 2536 HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()), 2537 startSpecifier, specifierLen); 2538 return false; 2539 } 2540 } 2541 2542 // First check if the field width, precision, and conversion specifier 2543 // have matching data arguments. 2544 if (!HandleAmount(FS.getFieldWidth(), /* field width */ 0, 2545 startSpecifier, specifierLen)) { 2546 return false; 2547 } 2548 2549 if (!HandleAmount(FS.getPrecision(), /* precision */ 1, 2550 startSpecifier, specifierLen)) { 2551 return false; 2552 } 2553 2554 if (!CS.consumesDataArgument()) { 2555 // FIXME: Technically specifying a precision or field width here 2556 // makes no sense. Worth issuing a warning at some point. 2557 return true; 2558 } 2559 2560 // Consume the argument. 2561 unsigned argIndex = FS.getArgIndex(); 2562 if (argIndex < NumDataArgs) { 2563 // The check to see if the argIndex is valid will come later. 2564 // We set the bit here because we may exit early from this 2565 // function if we encounter some other error. 2566 CoveredArgs.set(argIndex); 2567 } 2568 2569 // Check for using an Objective-C specific conversion specifier 2570 // in a non-ObjC literal. 2571 if (!ObjCContext && CS.isObjCArg()) { 2572 return HandleInvalidPrintfConversionSpecifier(FS, startSpecifier, 2573 specifierLen); 2574 } 2575 2576 // Check for invalid use of field width 2577 if (!FS.hasValidFieldWidth()) { 2578 HandleInvalidAmount(FS, FS.getFieldWidth(), /* field width */ 0, 2579 startSpecifier, specifierLen); 2580 } 2581 2582 // Check for invalid use of precision 2583 if (!FS.hasValidPrecision()) { 2584 HandleInvalidAmount(FS, FS.getPrecision(), /* precision */ 1, 2585 startSpecifier, specifierLen); 2586 } 2587 2588 // Check each flag does not conflict with any other component. 2589 if (!FS.hasValidThousandsGroupingPrefix()) 2590 HandleFlag(FS, FS.hasThousandsGrouping(), startSpecifier, specifierLen); 2591 if (!FS.hasValidLeadingZeros()) 2592 HandleFlag(FS, FS.hasLeadingZeros(), startSpecifier, specifierLen); 2593 if (!FS.hasValidPlusPrefix()) 2594 HandleFlag(FS, FS.hasPlusPrefix(), startSpecifier, specifierLen); 2595 if (!FS.hasValidSpacePrefix()) 2596 HandleFlag(FS, FS.hasSpacePrefix(), startSpecifier, specifierLen); 2597 if (!FS.hasValidAlternativeForm()) 2598 HandleFlag(FS, FS.hasAlternativeForm(), startSpecifier, specifierLen); 2599 if (!FS.hasValidLeftJustified()) 2600 HandleFlag(FS, FS.isLeftJustified(), startSpecifier, specifierLen); 2601 2602 // Check that flags are not ignored by another flag 2603 if (FS.hasSpacePrefix() && FS.hasPlusPrefix()) // ' ' ignored by '+' 2604 HandleIgnoredFlag(FS, FS.hasSpacePrefix(), FS.hasPlusPrefix(), 2605 startSpecifier, specifierLen); 2606 if (FS.hasLeadingZeros() && FS.isLeftJustified()) // '0' ignored by '-' 2607 HandleIgnoredFlag(FS, FS.hasLeadingZeros(), FS.isLeftJustified(), 2608 startSpecifier, specifierLen); 2609 2610 // Check the length modifier is valid with the given conversion specifier. 2611 if (!FS.hasValidLengthModifier(S.getASTContext().getTargetInfo())) 2612 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, 2613 diag::warn_format_nonsensical_length); 2614 else if (!FS.hasStandardLengthModifier()) 2615 HandleNonStandardLengthModifier(FS, startSpecifier, specifierLen); 2616 else if (!FS.hasStandardLengthConversionCombination()) 2617 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, 2618 diag::warn_format_non_standard_conversion_spec); 2619 2620 if (!FS.hasStandardConversionSpecifier(S.getLangOpts())) 2621 HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen); 2622 2623 // The remaining checks depend on the data arguments. 2624 if (HasVAListArg) 2625 return true; 2626 2627 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex)) 2628 return false; 2629 2630 const Expr *Arg = getDataArg(argIndex); 2631 if (!Arg) 2632 return true; 2633 2634 return checkFormatExpr(FS, startSpecifier, specifierLen, Arg); 2635 } 2636 2637 static bool requiresParensToAddCast(const Expr *E) { 2638 // FIXME: We should have a general way to reason about operator 2639 // precedence and whether parens are actually needed here. 2640 // Take care of a few common cases where they aren't. 2641 const Expr *Inside = E->IgnoreImpCasts(); 2642 if (const PseudoObjectExpr *POE = dyn_cast<PseudoObjectExpr>(Inside)) 2643 Inside = POE->getSyntacticForm()->IgnoreImpCasts(); 2644 2645 switch (Inside->getStmtClass()) { 2646 case Stmt::ArraySubscriptExprClass: 2647 case Stmt::CallExprClass: 2648 case Stmt::DeclRefExprClass: 2649 case Stmt::MemberExprClass: 2650 case Stmt::ObjCIvarRefExprClass: 2651 case Stmt::ObjCMessageExprClass: 2652 case Stmt::ObjCPropertyRefExprClass: 2653 case Stmt::ParenExprClass: 2654 case Stmt::UnaryOperatorClass: 2655 return false; 2656 default: 2657 return true; 2658 } 2659 } 2660 2661 bool 2662 CheckPrintfHandler::checkFormatExpr(const analyze_printf::PrintfSpecifier &FS, 2663 const char *StartSpecifier, 2664 unsigned SpecifierLen, 2665 const Expr *E) { 2666 using namespace analyze_format_string; 2667 using namespace analyze_printf; 2668 // Now type check the data expression that matches the 2669 // format specifier. 2670 const analyze_printf::ArgType &AT = FS.getArgType(S.Context, 2671 ObjCContext); 2672 if (!AT.isValid()) 2673 return true; 2674 2675 QualType IntendedTy = E->getType(); 2676 if (AT.matchesType(S.Context, IntendedTy)) 2677 return true; 2678 2679 // Look through argument promotions for our error message's reported type. 2680 // This includes the integral and floating promotions, but excludes array 2681 // and function pointer decay; seeing that an argument intended to be a 2682 // string has type 'char [6]' is probably more confusing than 'char *'. 2683 if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) { 2684 if (ICE->getCastKind() == CK_IntegralCast || 2685 ICE->getCastKind() == CK_FloatingCast) { 2686 E = ICE->getSubExpr(); 2687 IntendedTy = E->getType(); 2688 2689 // Check if we didn't match because of an implicit cast from a 'char' 2690 // or 'short' to an 'int'. This is done because printf is a varargs 2691 // function. 2692 if (ICE->getType() == S.Context.IntTy || 2693 ICE->getType() == S.Context.UnsignedIntTy) { 2694 // All further checking is done on the subexpression. 2695 if (AT.matchesType(S.Context, IntendedTy)) 2696 return true; 2697 } 2698 } 2699 } 2700 2701 if (S.Context.getTargetInfo().getTriple().isOSDarwin()) { 2702 // Special-case some of Darwin's platform-independence types. 2703 if (const TypedefType *UserTy = IntendedTy->getAs<TypedefType>()) { 2704 StringRef Name = UserTy->getDecl()->getName(); 2705 IntendedTy = llvm::StringSwitch<QualType>(Name) 2706 .Case("NSInteger", S.Context.LongTy) 2707 .Case("NSUInteger", S.Context.UnsignedLongTy) 2708 .Case("SInt32", S.Context.IntTy) 2709 .Case("UInt32", S.Context.UnsignedIntTy) 2710 .Default(IntendedTy); 2711 } 2712 } 2713 2714 // We may be able to offer a FixItHint if it is a supported type. 2715 PrintfSpecifier fixedFS = FS; 2716 bool success = fixedFS.fixType(IntendedTy, S.getLangOpts(), 2717 S.Context, ObjCContext); 2718 2719 if (success) { 2720 // Get the fix string from the fixed format specifier 2721 SmallString<16> buf; 2722 llvm::raw_svector_ostream os(buf); 2723 fixedFS.toString(os); 2724 2725 CharSourceRange SpecRange = getSpecifierRange(StartSpecifier, SpecifierLen); 2726 2727 if (IntendedTy != E->getType()) { 2728 // The canonical type for formatting this value is different from the 2729 // actual type of the expression. (This occurs, for example, with Darwin's 2730 // NSInteger on 32-bit platforms, where it is typedef'd as 'int', but 2731 // should be printed as 'long' for 64-bit compatibility.) 2732 // Rather than emitting a normal format/argument mismatch, we want to 2733 // add a cast to the recommended type (and correct the format string 2734 // if necessary). 2735 SmallString<16> CastBuf; 2736 llvm::raw_svector_ostream CastFix(CastBuf); 2737 CastFix << "("; 2738 IntendedTy.print(CastFix, S.Context.getPrintingPolicy()); 2739 CastFix << ")"; 2740 2741 SmallVector<FixItHint,4> Hints; 2742 if (!AT.matchesType(S.Context, IntendedTy)) 2743 Hints.push_back(FixItHint::CreateReplacement(SpecRange, os.str())); 2744 2745 if (const CStyleCastExpr *CCast = dyn_cast<CStyleCastExpr>(E)) { 2746 // If there's already a cast present, just replace it. 2747 SourceRange CastRange(CCast->getLParenLoc(), CCast->getRParenLoc()); 2748 Hints.push_back(FixItHint::CreateReplacement(CastRange, CastFix.str())); 2749 2750 } else if (!requiresParensToAddCast(E)) { 2751 // If the expression has high enough precedence, 2752 // just write the C-style cast. 2753 Hints.push_back(FixItHint::CreateInsertion(E->getLocStart(), 2754 CastFix.str())); 2755 } else { 2756 // Otherwise, add parens around the expression as well as the cast. 2757 CastFix << "("; 2758 Hints.push_back(FixItHint::CreateInsertion(E->getLocStart(), 2759 CastFix.str())); 2760 2761 SourceLocation After = S.PP.getLocForEndOfToken(E->getLocEnd()); 2762 Hints.push_back(FixItHint::CreateInsertion(After, ")")); 2763 } 2764 2765 // We extract the name from the typedef because we don't want to show 2766 // the underlying type in the diagnostic. 2767 const TypedefType *UserTy = cast<TypedefType>(E->getType()); 2768 StringRef Name = UserTy->getDecl()->getName(); 2769 2770 // Finally, emit the diagnostic. 2771 EmitFormatDiagnostic(S.PDiag(diag::warn_format_argument_needs_cast) 2772 << Name << IntendedTy 2773 << E->getSourceRange(), 2774 E->getLocStart(), /*IsStringLocation=*/false, 2775 SpecRange, Hints); 2776 } else { 2777 EmitFormatDiagnostic( 2778 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 2779 << AT.getRepresentativeTypeName(S.Context) << IntendedTy 2780 << E->getSourceRange(), 2781 E->getLocStart(), 2782 /*IsStringLocation*/false, 2783 SpecRange, 2784 FixItHint::CreateReplacement(SpecRange, os.str())); 2785 } 2786 } else { 2787 const CharSourceRange &CSR = getSpecifierRange(StartSpecifier, 2788 SpecifierLen); 2789 // Since the warning for passing non-POD types to variadic functions 2790 // was deferred until now, we emit a warning for non-POD 2791 // arguments here. 2792 if (S.isValidVarArgType(E->getType()) == Sema::VAK_Invalid) { 2793 unsigned DiagKind; 2794 if (E->getType()->isObjCObjectType()) 2795 DiagKind = diag::err_cannot_pass_objc_interface_to_vararg_format; 2796 else 2797 DiagKind = diag::warn_non_pod_vararg_with_format_string; 2798 2799 EmitFormatDiagnostic( 2800 S.PDiag(DiagKind) 2801 << S.getLangOpts().CPlusPlus0x 2802 << E->getType() 2803 << CallType 2804 << AT.getRepresentativeTypeName(S.Context) 2805 << CSR 2806 << E->getSourceRange(), 2807 E->getLocStart(), /*IsStringLocation*/false, CSR); 2808 2809 checkForCStrMembers(AT, E, CSR); 2810 } else 2811 EmitFormatDiagnostic( 2812 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 2813 << AT.getRepresentativeTypeName(S.Context) << E->getType() 2814 << CSR 2815 << E->getSourceRange(), 2816 E->getLocStart(), /*IsStringLocation*/false, CSR); 2817 } 2818 2819 return true; 2820 } 2821 2822 //===--- CHECK: Scanf format string checking ------------------------------===// 2823 2824 namespace { 2825 class CheckScanfHandler : public CheckFormatHandler { 2826 public: 2827 CheckScanfHandler(Sema &s, const StringLiteral *fexpr, 2828 const Expr *origFormatExpr, unsigned firstDataArg, 2829 unsigned numDataArgs, const char *beg, bool hasVAListArg, 2830 Expr **Args, unsigned NumArgs, 2831 unsigned formatIdx, bool inFunctionCall, 2832 Sema::VariadicCallType CallType) 2833 : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg, 2834 numDataArgs, beg, hasVAListArg, 2835 Args, NumArgs, formatIdx, inFunctionCall, CallType) 2836 {} 2837 2838 bool HandleScanfSpecifier(const analyze_scanf::ScanfSpecifier &FS, 2839 const char *startSpecifier, 2840 unsigned specifierLen); 2841 2842 bool HandleInvalidScanfConversionSpecifier( 2843 const analyze_scanf::ScanfSpecifier &FS, 2844 const char *startSpecifier, 2845 unsigned specifierLen); 2846 2847 void HandleIncompleteScanList(const char *start, const char *end); 2848 }; 2849 } 2850 2851 void CheckScanfHandler::HandleIncompleteScanList(const char *start, 2852 const char *end) { 2853 EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_scanlist_incomplete), 2854 getLocationOfByte(end), /*IsStringLocation*/true, 2855 getSpecifierRange(start, end - start)); 2856 } 2857 2858 bool CheckScanfHandler::HandleInvalidScanfConversionSpecifier( 2859 const analyze_scanf::ScanfSpecifier &FS, 2860 const char *startSpecifier, 2861 unsigned specifierLen) { 2862 2863 const analyze_scanf::ScanfConversionSpecifier &CS = 2864 FS.getConversionSpecifier(); 2865 2866 return HandleInvalidConversionSpecifier(FS.getArgIndex(), 2867 getLocationOfByte(CS.getStart()), 2868 startSpecifier, specifierLen, 2869 CS.getStart(), CS.getLength()); 2870 } 2871 2872 bool CheckScanfHandler::HandleScanfSpecifier( 2873 const analyze_scanf::ScanfSpecifier &FS, 2874 const char *startSpecifier, 2875 unsigned specifierLen) { 2876 2877 using namespace analyze_scanf; 2878 using namespace analyze_format_string; 2879 2880 const ScanfConversionSpecifier &CS = FS.getConversionSpecifier(); 2881 2882 // Handle case where '%' and '*' don't consume an argument. These shouldn't 2883 // be used to decide if we are using positional arguments consistently. 2884 if (FS.consumesDataArgument()) { 2885 if (atFirstArg) { 2886 atFirstArg = false; 2887 usesPositionalArgs = FS.usesPositionalArg(); 2888 } 2889 else if (usesPositionalArgs != FS.usesPositionalArg()) { 2890 HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()), 2891 startSpecifier, specifierLen); 2892 return false; 2893 } 2894 } 2895 2896 // Check if the field with is non-zero. 2897 const OptionalAmount &Amt = FS.getFieldWidth(); 2898 if (Amt.getHowSpecified() == OptionalAmount::Constant) { 2899 if (Amt.getConstantAmount() == 0) { 2900 const CharSourceRange &R = getSpecifierRange(Amt.getStart(), 2901 Amt.getConstantLength()); 2902 EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_nonzero_width), 2903 getLocationOfByte(Amt.getStart()), 2904 /*IsStringLocation*/true, R, 2905 FixItHint::CreateRemoval(R)); 2906 } 2907 } 2908 2909 if (!FS.consumesDataArgument()) { 2910 // FIXME: Technically specifying a precision or field width here 2911 // makes no sense. Worth issuing a warning at some point. 2912 return true; 2913 } 2914 2915 // Consume the argument. 2916 unsigned argIndex = FS.getArgIndex(); 2917 if (argIndex < NumDataArgs) { 2918 // The check to see if the argIndex is valid will come later. 2919 // We set the bit here because we may exit early from this 2920 // function if we encounter some other error. 2921 CoveredArgs.set(argIndex); 2922 } 2923 2924 // Check the length modifier is valid with the given conversion specifier. 2925 if (!FS.hasValidLengthModifier(S.getASTContext().getTargetInfo())) 2926 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, 2927 diag::warn_format_nonsensical_length); 2928 else if (!FS.hasStandardLengthModifier()) 2929 HandleNonStandardLengthModifier(FS, startSpecifier, specifierLen); 2930 else if (!FS.hasStandardLengthConversionCombination()) 2931 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, 2932 diag::warn_format_non_standard_conversion_spec); 2933 2934 if (!FS.hasStandardConversionSpecifier(S.getLangOpts())) 2935 HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen); 2936 2937 // The remaining checks depend on the data arguments. 2938 if (HasVAListArg) 2939 return true; 2940 2941 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex)) 2942 return false; 2943 2944 // Check that the argument type matches the format specifier. 2945 const Expr *Ex = getDataArg(argIndex); 2946 if (!Ex) 2947 return true; 2948 2949 const analyze_format_string::ArgType &AT = FS.getArgType(S.Context); 2950 if (AT.isValid() && !AT.matchesType(S.Context, Ex->getType())) { 2951 ScanfSpecifier fixedFS = FS; 2952 bool success = fixedFS.fixType(Ex->getType(), S.getLangOpts(), 2953 S.Context); 2954 2955 if (success) { 2956 // Get the fix string from the fixed format specifier. 2957 SmallString<128> buf; 2958 llvm::raw_svector_ostream os(buf); 2959 fixedFS.toString(os); 2960 2961 EmitFormatDiagnostic( 2962 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 2963 << AT.getRepresentativeTypeName(S.Context) << Ex->getType() 2964 << Ex->getSourceRange(), 2965 Ex->getLocStart(), 2966 /*IsStringLocation*/false, 2967 getSpecifierRange(startSpecifier, specifierLen), 2968 FixItHint::CreateReplacement( 2969 getSpecifierRange(startSpecifier, specifierLen), 2970 os.str())); 2971 } else { 2972 EmitFormatDiagnostic( 2973 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 2974 << AT.getRepresentativeTypeName(S.Context) << Ex->getType() 2975 << Ex->getSourceRange(), 2976 Ex->getLocStart(), 2977 /*IsStringLocation*/false, 2978 getSpecifierRange(startSpecifier, specifierLen)); 2979 } 2980 } 2981 2982 return true; 2983 } 2984 2985 void Sema::CheckFormatString(const StringLiteral *FExpr, 2986 const Expr *OrigFormatExpr, 2987 Expr **Args, unsigned NumArgs, 2988 bool HasVAListArg, unsigned format_idx, 2989 unsigned firstDataArg, FormatStringType Type, 2990 bool inFunctionCall, VariadicCallType CallType) { 2991 2992 // CHECK: is the format string a wide literal? 2993 if (!FExpr->isAscii() && !FExpr->isUTF8()) { 2994 CheckFormatHandler::EmitFormatDiagnostic( 2995 *this, inFunctionCall, Args[format_idx], 2996 PDiag(diag::warn_format_string_is_wide_literal), FExpr->getLocStart(), 2997 /*IsStringLocation*/true, OrigFormatExpr->getSourceRange()); 2998 return; 2999 } 3000 3001 // Str - The format string. NOTE: this is NOT null-terminated! 3002 StringRef StrRef = FExpr->getString(); 3003 const char *Str = StrRef.data(); 3004 unsigned StrLen = StrRef.size(); 3005 const unsigned numDataArgs = NumArgs - firstDataArg; 3006 3007 // CHECK: empty format string? 3008 if (StrLen == 0 && numDataArgs > 0) { 3009 CheckFormatHandler::EmitFormatDiagnostic( 3010 *this, inFunctionCall, Args[format_idx], 3011 PDiag(diag::warn_empty_format_string), FExpr->getLocStart(), 3012 /*IsStringLocation*/true, OrigFormatExpr->getSourceRange()); 3013 return; 3014 } 3015 3016 if (Type == FST_Printf || Type == FST_NSString) { 3017 CheckPrintfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, 3018 numDataArgs, (Type == FST_NSString), 3019 Str, HasVAListArg, Args, NumArgs, format_idx, 3020 inFunctionCall, CallType); 3021 3022 if (!analyze_format_string::ParsePrintfString(H, Str, Str + StrLen, 3023 getLangOpts())) 3024 H.DoneProcessing(); 3025 } else if (Type == FST_Scanf) { 3026 CheckScanfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, numDataArgs, 3027 Str, HasVAListArg, Args, NumArgs, format_idx, 3028 inFunctionCall, CallType); 3029 3030 if (!analyze_format_string::ParseScanfString(H, Str, Str + StrLen, 3031 getLangOpts())) 3032 H.DoneProcessing(); 3033 } // TODO: handle other formats 3034 } 3035 3036 //===--- CHECK: Standard memory functions ---------------------------------===// 3037 3038 /// \brief Determine whether the given type is a dynamic class type (e.g., 3039 /// whether it has a vtable). 3040 static bool isDynamicClassType(QualType T) { 3041 if (CXXRecordDecl *Record = T->getAsCXXRecordDecl()) 3042 if (CXXRecordDecl *Definition = Record->getDefinition()) 3043 if (Definition->isDynamicClass()) 3044 return true; 3045 3046 return false; 3047 } 3048 3049 /// \brief If E is a sizeof expression, returns its argument expression, 3050 /// otherwise returns NULL. 3051 static const Expr *getSizeOfExprArg(const Expr* E) { 3052 if (const UnaryExprOrTypeTraitExpr *SizeOf = 3053 dyn_cast<UnaryExprOrTypeTraitExpr>(E)) 3054 if (SizeOf->getKind() == clang::UETT_SizeOf && !SizeOf->isArgumentType()) 3055 return SizeOf->getArgumentExpr()->IgnoreParenImpCasts(); 3056 3057 return 0; 3058 } 3059 3060 /// \brief If E is a sizeof expression, returns its argument type. 3061 static QualType getSizeOfArgType(const Expr* E) { 3062 if (const UnaryExprOrTypeTraitExpr *SizeOf = 3063 dyn_cast<UnaryExprOrTypeTraitExpr>(E)) 3064 if (SizeOf->getKind() == clang::UETT_SizeOf) 3065 return SizeOf->getTypeOfArgument(); 3066 3067 return QualType(); 3068 } 3069 3070 /// \brief Check for dangerous or invalid arguments to memset(). 3071 /// 3072 /// This issues warnings on known problematic, dangerous or unspecified 3073 /// arguments to the standard 'memset', 'memcpy', 'memmove', and 'memcmp' 3074 /// function calls. 3075 /// 3076 /// \param Call The call expression to diagnose. 3077 void Sema::CheckMemaccessArguments(const CallExpr *Call, 3078 unsigned BId, 3079 IdentifierInfo *FnName) { 3080 assert(BId != 0); 3081 3082 // It is possible to have a non-standard definition of memset. Validate 3083 // we have enough arguments, and if not, abort further checking. 3084 unsigned ExpectedNumArgs = (BId == Builtin::BIstrndup ? 2 : 3); 3085 if (Call->getNumArgs() < ExpectedNumArgs) 3086 return; 3087 3088 unsigned LastArg = (BId == Builtin::BImemset || 3089 BId == Builtin::BIstrndup ? 1 : 2); 3090 unsigned LenArg = (BId == Builtin::BIstrndup ? 1 : 2); 3091 const Expr *LenExpr = Call->getArg(LenArg)->IgnoreParenImpCasts(); 3092 3093 // We have special checking when the length is a sizeof expression. 3094 QualType SizeOfArgTy = getSizeOfArgType(LenExpr); 3095 const Expr *SizeOfArg = getSizeOfExprArg(LenExpr); 3096 llvm::FoldingSetNodeID SizeOfArgID; 3097 3098 for (unsigned ArgIdx = 0; ArgIdx != LastArg; ++ArgIdx) { 3099 const Expr *Dest = Call->getArg(ArgIdx)->IgnoreParenImpCasts(); 3100 SourceRange ArgRange = Call->getArg(ArgIdx)->getSourceRange(); 3101 3102 QualType DestTy = Dest->getType(); 3103 if (const PointerType *DestPtrTy = DestTy->getAs<PointerType>()) { 3104 QualType PointeeTy = DestPtrTy->getPointeeType(); 3105 3106 // Never warn about void type pointers. This can be used to suppress 3107 // false positives. 3108 if (PointeeTy->isVoidType()) 3109 continue; 3110 3111 // Catch "memset(p, 0, sizeof(p))" -- needs to be sizeof(*p). Do this by 3112 // actually comparing the expressions for equality. Because computing the 3113 // expression IDs can be expensive, we only do this if the diagnostic is 3114 // enabled. 3115 if (SizeOfArg && 3116 Diags.getDiagnosticLevel(diag::warn_sizeof_pointer_expr_memaccess, 3117 SizeOfArg->getExprLoc())) { 3118 // We only compute IDs for expressions if the warning is enabled, and 3119 // cache the sizeof arg's ID. 3120 if (SizeOfArgID == llvm::FoldingSetNodeID()) 3121 SizeOfArg->Profile(SizeOfArgID, Context, true); 3122 llvm::FoldingSetNodeID DestID; 3123 Dest->Profile(DestID, Context, true); 3124 if (DestID == SizeOfArgID) { 3125 // TODO: For strncpy() and friends, this could suggest sizeof(dst) 3126 // over sizeof(src) as well. 3127 unsigned ActionIdx = 0; // Default is to suggest dereferencing. 3128 StringRef ReadableName = FnName->getName(); 3129 3130 if (const UnaryOperator *UnaryOp = dyn_cast<UnaryOperator>(Dest)) 3131 if (UnaryOp->getOpcode() == UO_AddrOf) 3132 ActionIdx = 1; // If its an address-of operator, just remove it. 3133 if (Context.getTypeSize(PointeeTy) == Context.getCharWidth()) 3134 ActionIdx = 2; // If the pointee's size is sizeof(char), 3135 // suggest an explicit length. 3136 3137 // If the function is defined as a builtin macro, do not show macro 3138 // expansion. 3139 SourceLocation SL = SizeOfArg->getExprLoc(); 3140 SourceRange DSR = Dest->getSourceRange(); 3141 SourceRange SSR = SizeOfArg->getSourceRange(); 3142 SourceManager &SM = PP.getSourceManager(); 3143 3144 if (SM.isMacroArgExpansion(SL)) { 3145 ReadableName = Lexer::getImmediateMacroName(SL, SM, LangOpts); 3146 SL = SM.getSpellingLoc(SL); 3147 DSR = SourceRange(SM.getSpellingLoc(DSR.getBegin()), 3148 SM.getSpellingLoc(DSR.getEnd())); 3149 SSR = SourceRange(SM.getSpellingLoc(SSR.getBegin()), 3150 SM.getSpellingLoc(SSR.getEnd())); 3151 } 3152 3153 DiagRuntimeBehavior(SL, SizeOfArg, 3154 PDiag(diag::warn_sizeof_pointer_expr_memaccess) 3155 << ReadableName 3156 << PointeeTy 3157 << DestTy 3158 << DSR 3159 << SSR); 3160 DiagRuntimeBehavior(SL, SizeOfArg, 3161 PDiag(diag::warn_sizeof_pointer_expr_memaccess_note) 3162 << ActionIdx 3163 << SSR); 3164 3165 break; 3166 } 3167 } 3168 3169 // Also check for cases where the sizeof argument is the exact same 3170 // type as the memory argument, and where it points to a user-defined 3171 // record type. 3172 if (SizeOfArgTy != QualType()) { 3173 if (PointeeTy->isRecordType() && 3174 Context.typesAreCompatible(SizeOfArgTy, DestTy)) { 3175 DiagRuntimeBehavior(LenExpr->getExprLoc(), Dest, 3176 PDiag(diag::warn_sizeof_pointer_type_memaccess) 3177 << FnName << SizeOfArgTy << ArgIdx 3178 << PointeeTy << Dest->getSourceRange() 3179 << LenExpr->getSourceRange()); 3180 break; 3181 } 3182 } 3183 3184 // Always complain about dynamic classes. 3185 if (isDynamicClassType(PointeeTy)) { 3186 3187 unsigned OperationType = 0; 3188 // "overwritten" if we're warning about the destination for any call 3189 // but memcmp; otherwise a verb appropriate to the call. 3190 if (ArgIdx != 0 || BId == Builtin::BImemcmp) { 3191 if (BId == Builtin::BImemcpy) 3192 OperationType = 1; 3193 else if(BId == Builtin::BImemmove) 3194 OperationType = 2; 3195 else if (BId == Builtin::BImemcmp) 3196 OperationType = 3; 3197 } 3198 3199 DiagRuntimeBehavior( 3200 Dest->getExprLoc(), Dest, 3201 PDiag(diag::warn_dyn_class_memaccess) 3202 << (BId == Builtin::BImemcmp ? ArgIdx + 2 : ArgIdx) 3203 << FnName << PointeeTy 3204 << OperationType 3205 << Call->getCallee()->getSourceRange()); 3206 } else if (PointeeTy.hasNonTrivialObjCLifetime() && 3207 BId != Builtin::BImemset) 3208 DiagRuntimeBehavior( 3209 Dest->getExprLoc(), Dest, 3210 PDiag(diag::warn_arc_object_memaccess) 3211 << ArgIdx << FnName << PointeeTy 3212 << Call->getCallee()->getSourceRange()); 3213 else 3214 continue; 3215 3216 DiagRuntimeBehavior( 3217 Dest->getExprLoc(), Dest, 3218 PDiag(diag::note_bad_memaccess_silence) 3219 << FixItHint::CreateInsertion(ArgRange.getBegin(), "(void*)")); 3220 break; 3221 } 3222 } 3223 } 3224 3225 // A little helper routine: ignore addition and subtraction of integer literals. 3226 // This intentionally does not ignore all integer constant expressions because 3227 // we don't want to remove sizeof(). 3228 static const Expr *ignoreLiteralAdditions(const Expr *Ex, ASTContext &Ctx) { 3229 Ex = Ex->IgnoreParenCasts(); 3230 3231 for (;;) { 3232 const BinaryOperator * BO = dyn_cast<BinaryOperator>(Ex); 3233 if (!BO || !BO->isAdditiveOp()) 3234 break; 3235 3236 const Expr *RHS = BO->getRHS()->IgnoreParenCasts(); 3237 const Expr *LHS = BO->getLHS()->IgnoreParenCasts(); 3238 3239 if (isa<IntegerLiteral>(RHS)) 3240 Ex = LHS; 3241 else if (isa<IntegerLiteral>(LHS)) 3242 Ex = RHS; 3243 else 3244 break; 3245 } 3246 3247 return Ex; 3248 } 3249 3250 static bool isConstantSizeArrayWithMoreThanOneElement(QualType Ty, 3251 ASTContext &Context) { 3252 // Only handle constant-sized or VLAs, but not flexible members. 3253 if (const ConstantArrayType *CAT = Context.getAsConstantArrayType(Ty)) { 3254 // Only issue the FIXIT for arrays of size > 1. 3255 if (CAT->getSize().getSExtValue() <= 1) 3256 return false; 3257 } else if (!Ty->isVariableArrayType()) { 3258 return false; 3259 } 3260 return true; 3261 } 3262 3263 // Warn if the user has made the 'size' argument to strlcpy or strlcat 3264 // be the size of the source, instead of the destination. 3265 void Sema::CheckStrlcpycatArguments(const CallExpr *Call, 3266 IdentifierInfo *FnName) { 3267 3268 // Don't crash if the user has the wrong number of arguments 3269 if (Call->getNumArgs() != 3) 3270 return; 3271 3272 const Expr *SrcArg = ignoreLiteralAdditions(Call->getArg(1), Context); 3273 const Expr *SizeArg = ignoreLiteralAdditions(Call->getArg(2), Context); 3274 const Expr *CompareWithSrc = NULL; 3275 3276 // Look for 'strlcpy(dst, x, sizeof(x))' 3277 if (const Expr *Ex = getSizeOfExprArg(SizeArg)) 3278 CompareWithSrc = Ex; 3279 else { 3280 // Look for 'strlcpy(dst, x, strlen(x))' 3281 if (const CallExpr *SizeCall = dyn_cast<CallExpr>(SizeArg)) { 3282 if (SizeCall->isBuiltinCall() == Builtin::BIstrlen 3283 && SizeCall->getNumArgs() == 1) 3284 CompareWithSrc = ignoreLiteralAdditions(SizeCall->getArg(0), Context); 3285 } 3286 } 3287 3288 if (!CompareWithSrc) 3289 return; 3290 3291 // Determine if the argument to sizeof/strlen is equal to the source 3292 // argument. In principle there's all kinds of things you could do 3293 // here, for instance creating an == expression and evaluating it with 3294 // EvaluateAsBooleanCondition, but this uses a more direct technique: 3295 const DeclRefExpr *SrcArgDRE = dyn_cast<DeclRefExpr>(SrcArg); 3296 if (!SrcArgDRE) 3297 return; 3298 3299 const DeclRefExpr *CompareWithSrcDRE = dyn_cast<DeclRefExpr>(CompareWithSrc); 3300 if (!CompareWithSrcDRE || 3301 SrcArgDRE->getDecl() != CompareWithSrcDRE->getDecl()) 3302 return; 3303 3304 const Expr *OriginalSizeArg = Call->getArg(2); 3305 Diag(CompareWithSrcDRE->getLocStart(), diag::warn_strlcpycat_wrong_size) 3306 << OriginalSizeArg->getSourceRange() << FnName; 3307 3308 // Output a FIXIT hint if the destination is an array (rather than a 3309 // pointer to an array). This could be enhanced to handle some 3310 // pointers if we know the actual size, like if DstArg is 'array+2' 3311 // we could say 'sizeof(array)-2'. 3312 const Expr *DstArg = Call->getArg(0)->IgnoreParenImpCasts(); 3313 if (!isConstantSizeArrayWithMoreThanOneElement(DstArg->getType(), Context)) 3314 return; 3315 3316 SmallString<128> sizeString; 3317 llvm::raw_svector_ostream OS(sizeString); 3318 OS << "sizeof("; 3319 DstArg->printPretty(OS, 0, getPrintingPolicy()); 3320 OS << ")"; 3321 3322 Diag(OriginalSizeArg->getLocStart(), diag::note_strlcpycat_wrong_size) 3323 << FixItHint::CreateReplacement(OriginalSizeArg->getSourceRange(), 3324 OS.str()); 3325 } 3326 3327 /// Check if two expressions refer to the same declaration. 3328 static bool referToTheSameDecl(const Expr *E1, const Expr *E2) { 3329 if (const DeclRefExpr *D1 = dyn_cast_or_null<DeclRefExpr>(E1)) 3330 if (const DeclRefExpr *D2 = dyn_cast_or_null<DeclRefExpr>(E2)) 3331 return D1->getDecl() == D2->getDecl(); 3332 return false; 3333 } 3334 3335 static const Expr *getStrlenExprArg(const Expr *E) { 3336 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { 3337 const FunctionDecl *FD = CE->getDirectCallee(); 3338 if (!FD || FD->getMemoryFunctionKind() != Builtin::BIstrlen) 3339 return 0; 3340 return CE->getArg(0)->IgnoreParenCasts(); 3341 } 3342 return 0; 3343 } 3344 3345 // Warn on anti-patterns as the 'size' argument to strncat. 3346 // The correct size argument should look like following: 3347 // strncat(dst, src, sizeof(dst) - strlen(dest) - 1); 3348 void Sema::CheckStrncatArguments(const CallExpr *CE, 3349 IdentifierInfo *FnName) { 3350 // Don't crash if the user has the wrong number of arguments. 3351 if (CE->getNumArgs() < 3) 3352 return; 3353 const Expr *DstArg = CE->getArg(0)->IgnoreParenCasts(); 3354 const Expr *SrcArg = CE->getArg(1)->IgnoreParenCasts(); 3355 const Expr *LenArg = CE->getArg(2)->IgnoreParenCasts(); 3356 3357 // Identify common expressions, which are wrongly used as the size argument 3358 // to strncat and may lead to buffer overflows. 3359 unsigned PatternType = 0; 3360 if (const Expr *SizeOfArg = getSizeOfExprArg(LenArg)) { 3361 // - sizeof(dst) 3362 if (referToTheSameDecl(SizeOfArg, DstArg)) 3363 PatternType = 1; 3364 // - sizeof(src) 3365 else if (referToTheSameDecl(SizeOfArg, SrcArg)) 3366 PatternType = 2; 3367 } else if (const BinaryOperator *BE = dyn_cast<BinaryOperator>(LenArg)) { 3368 if (BE->getOpcode() == BO_Sub) { 3369 const Expr *L = BE->getLHS()->IgnoreParenCasts(); 3370 const Expr *R = BE->getRHS()->IgnoreParenCasts(); 3371 // - sizeof(dst) - strlen(dst) 3372 if (referToTheSameDecl(DstArg, getSizeOfExprArg(L)) && 3373 referToTheSameDecl(DstArg, getStrlenExprArg(R))) 3374 PatternType = 1; 3375 // - sizeof(src) - (anything) 3376 else if (referToTheSameDecl(SrcArg, getSizeOfExprArg(L))) 3377 PatternType = 2; 3378 } 3379 } 3380 3381 if (PatternType == 0) 3382 return; 3383 3384 // Generate the diagnostic. 3385 SourceLocation SL = LenArg->getLocStart(); 3386 SourceRange SR = LenArg->getSourceRange(); 3387 SourceManager &SM = PP.getSourceManager(); 3388 3389 // If the function is defined as a builtin macro, do not show macro expansion. 3390 if (SM.isMacroArgExpansion(SL)) { 3391 SL = SM.getSpellingLoc(SL); 3392 SR = SourceRange(SM.getSpellingLoc(SR.getBegin()), 3393 SM.getSpellingLoc(SR.getEnd())); 3394 } 3395 3396 // Check if the destination is an array (rather than a pointer to an array). 3397 QualType DstTy = DstArg->getType(); 3398 bool isKnownSizeArray = isConstantSizeArrayWithMoreThanOneElement(DstTy, 3399 Context); 3400 if (!isKnownSizeArray) { 3401 if (PatternType == 1) 3402 Diag(SL, diag::warn_strncat_wrong_size) << SR; 3403 else 3404 Diag(SL, diag::warn_strncat_src_size) << SR; 3405 return; 3406 } 3407 3408 if (PatternType == 1) 3409 Diag(SL, diag::warn_strncat_large_size) << SR; 3410 else 3411 Diag(SL, diag::warn_strncat_src_size) << SR; 3412 3413 SmallString<128> sizeString; 3414 llvm::raw_svector_ostream OS(sizeString); 3415 OS << "sizeof("; 3416 DstArg->printPretty(OS, 0, getPrintingPolicy()); 3417 OS << ") - "; 3418 OS << "strlen("; 3419 DstArg->printPretty(OS, 0, getPrintingPolicy()); 3420 OS << ") - 1"; 3421 3422 Diag(SL, diag::note_strncat_wrong_size) 3423 << FixItHint::CreateReplacement(SR, OS.str()); 3424 } 3425 3426 //===--- CHECK: Return Address of Stack Variable --------------------------===// 3427 3428 static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars, 3429 Decl *ParentDecl); 3430 static Expr *EvalAddr(Expr* E, SmallVectorImpl<DeclRefExpr *> &refVars, 3431 Decl *ParentDecl); 3432 3433 /// CheckReturnStackAddr - Check if a return statement returns the address 3434 /// of a stack variable. 3435 void 3436 Sema::CheckReturnStackAddr(Expr *RetValExp, QualType lhsType, 3437 SourceLocation ReturnLoc) { 3438 3439 Expr *stackE = 0; 3440 SmallVector<DeclRefExpr *, 8> refVars; 3441 3442 // Perform checking for returned stack addresses, local blocks, 3443 // label addresses or references to temporaries. 3444 if (lhsType->isPointerType() || 3445 (!getLangOpts().ObjCAutoRefCount && lhsType->isBlockPointerType())) { 3446 stackE = EvalAddr(RetValExp, refVars, /*ParentDecl=*/0); 3447 } else if (lhsType->isReferenceType()) { 3448 stackE = EvalVal(RetValExp, refVars, /*ParentDecl=*/0); 3449 } 3450 3451 if (stackE == 0) 3452 return; // Nothing suspicious was found. 3453 3454 SourceLocation diagLoc; 3455 SourceRange diagRange; 3456 if (refVars.empty()) { 3457 diagLoc = stackE->getLocStart(); 3458 diagRange = stackE->getSourceRange(); 3459 } else { 3460 // We followed through a reference variable. 'stackE' contains the 3461 // problematic expression but we will warn at the return statement pointing 3462 // at the reference variable. We will later display the "trail" of 3463 // reference variables using notes. 3464 diagLoc = refVars[0]->getLocStart(); 3465 diagRange = refVars[0]->getSourceRange(); 3466 } 3467 3468 if (DeclRefExpr *DR = dyn_cast<DeclRefExpr>(stackE)) { //address of local var. 3469 Diag(diagLoc, lhsType->isReferenceType() ? diag::warn_ret_stack_ref 3470 : diag::warn_ret_stack_addr) 3471 << DR->getDecl()->getDeclName() << diagRange; 3472 } else if (isa<BlockExpr>(stackE)) { // local block. 3473 Diag(diagLoc, diag::err_ret_local_block) << diagRange; 3474 } else if (isa<AddrLabelExpr>(stackE)) { // address of label. 3475 Diag(diagLoc, diag::warn_ret_addr_label) << diagRange; 3476 } else { // local temporary. 3477 Diag(diagLoc, lhsType->isReferenceType() ? diag::warn_ret_local_temp_ref 3478 : diag::warn_ret_local_temp_addr) 3479 << diagRange; 3480 } 3481 3482 // Display the "trail" of reference variables that we followed until we 3483 // found the problematic expression using notes. 3484 for (unsigned i = 0, e = refVars.size(); i != e; ++i) { 3485 VarDecl *VD = cast<VarDecl>(refVars[i]->getDecl()); 3486 // If this var binds to another reference var, show the range of the next 3487 // var, otherwise the var binds to the problematic expression, in which case 3488 // show the range of the expression. 3489 SourceRange range = (i < e-1) ? refVars[i+1]->getSourceRange() 3490 : stackE->getSourceRange(); 3491 Diag(VD->getLocation(), diag::note_ref_var_local_bind) 3492 << VD->getDeclName() << range; 3493 } 3494 } 3495 3496 /// EvalAddr - EvalAddr and EvalVal are mutually recursive functions that 3497 /// check if the expression in a return statement evaluates to an address 3498 /// to a location on the stack, a local block, an address of a label, or a 3499 /// reference to local temporary. The recursion is used to traverse the 3500 /// AST of the return expression, with recursion backtracking when we 3501 /// encounter a subexpression that (1) clearly does not lead to one of the 3502 /// above problematic expressions (2) is something we cannot determine leads to 3503 /// a problematic expression based on such local checking. 3504 /// 3505 /// Both EvalAddr and EvalVal follow through reference variables to evaluate 3506 /// the expression that they point to. Such variables are added to the 3507 /// 'refVars' vector so that we know what the reference variable "trail" was. 3508 /// 3509 /// EvalAddr processes expressions that are pointers that are used as 3510 /// references (and not L-values). EvalVal handles all other values. 3511 /// At the base case of the recursion is a check for the above problematic 3512 /// expressions. 3513 /// 3514 /// This implementation handles: 3515 /// 3516 /// * pointer-to-pointer casts 3517 /// * implicit conversions from array references to pointers 3518 /// * taking the address of fields 3519 /// * arbitrary interplay between "&" and "*" operators 3520 /// * pointer arithmetic from an address of a stack variable 3521 /// * taking the address of an array element where the array is on the stack 3522 static Expr *EvalAddr(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars, 3523 Decl *ParentDecl) { 3524 if (E->isTypeDependent()) 3525 return NULL; 3526 3527 // We should only be called for evaluating pointer expressions. 3528 assert((E->getType()->isAnyPointerType() || 3529 E->getType()->isBlockPointerType() || 3530 E->getType()->isObjCQualifiedIdType()) && 3531 "EvalAddr only works on pointers"); 3532 3533 E = E->IgnoreParens(); 3534 3535 // Our "symbolic interpreter" is just a dispatch off the currently 3536 // viewed AST node. We then recursively traverse the AST by calling 3537 // EvalAddr and EvalVal appropriately. 3538 switch (E->getStmtClass()) { 3539 case Stmt::DeclRefExprClass: { 3540 DeclRefExpr *DR = cast<DeclRefExpr>(E); 3541 3542 if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) 3543 // If this is a reference variable, follow through to the expression that 3544 // it points to. 3545 if (V->hasLocalStorage() && 3546 V->getType()->isReferenceType() && V->hasInit()) { 3547 // Add the reference variable to the "trail". 3548 refVars.push_back(DR); 3549 return EvalAddr(V->getInit(), refVars, ParentDecl); 3550 } 3551 3552 return NULL; 3553 } 3554 3555 case Stmt::UnaryOperatorClass: { 3556 // The only unary operator that make sense to handle here 3557 // is AddrOf. All others don't make sense as pointers. 3558 UnaryOperator *U = cast<UnaryOperator>(E); 3559 3560 if (U->getOpcode() == UO_AddrOf) 3561 return EvalVal(U->getSubExpr(), refVars, ParentDecl); 3562 else 3563 return NULL; 3564 } 3565 3566 case Stmt::BinaryOperatorClass: { 3567 // Handle pointer arithmetic. All other binary operators are not valid 3568 // in this context. 3569 BinaryOperator *B = cast<BinaryOperator>(E); 3570 BinaryOperatorKind op = B->getOpcode(); 3571 3572 if (op != BO_Add && op != BO_Sub) 3573 return NULL; 3574 3575 Expr *Base = B->getLHS(); 3576 3577 // Determine which argument is the real pointer base. It could be 3578 // the RHS argument instead of the LHS. 3579 if (!Base->getType()->isPointerType()) Base = B->getRHS(); 3580 3581 assert (Base->getType()->isPointerType()); 3582 return EvalAddr(Base, refVars, ParentDecl); 3583 } 3584 3585 // For conditional operators we need to see if either the LHS or RHS are 3586 // valid DeclRefExpr*s. If one of them is valid, we return it. 3587 case Stmt::ConditionalOperatorClass: { 3588 ConditionalOperator *C = cast<ConditionalOperator>(E); 3589 3590 // Handle the GNU extension for missing LHS. 3591 if (Expr *lhsExpr = C->getLHS()) { 3592 // In C++, we can have a throw-expression, which has 'void' type. 3593 if (!lhsExpr->getType()->isVoidType()) 3594 if (Expr* LHS = EvalAddr(lhsExpr, refVars, ParentDecl)) 3595 return LHS; 3596 } 3597 3598 // In C++, we can have a throw-expression, which has 'void' type. 3599 if (C->getRHS()->getType()->isVoidType()) 3600 return NULL; 3601 3602 return EvalAddr(C->getRHS(), refVars, ParentDecl); 3603 } 3604 3605 case Stmt::BlockExprClass: 3606 if (cast<BlockExpr>(E)->getBlockDecl()->hasCaptures()) 3607 return E; // local block. 3608 return NULL; 3609 3610 case Stmt::AddrLabelExprClass: 3611 return E; // address of label. 3612 3613 case Stmt::ExprWithCleanupsClass: 3614 return EvalAddr(cast<ExprWithCleanups>(E)->getSubExpr(), refVars, 3615 ParentDecl); 3616 3617 // For casts, we need to handle conversions from arrays to 3618 // pointer values, and pointer-to-pointer conversions. 3619 case Stmt::ImplicitCastExprClass: 3620 case Stmt::CStyleCastExprClass: 3621 case Stmt::CXXFunctionalCastExprClass: 3622 case Stmt::ObjCBridgedCastExprClass: 3623 case Stmt::CXXStaticCastExprClass: 3624 case Stmt::CXXDynamicCastExprClass: 3625 case Stmt::CXXConstCastExprClass: 3626 case Stmt::CXXReinterpretCastExprClass: { 3627 Expr* SubExpr = cast<CastExpr>(E)->getSubExpr(); 3628 switch (cast<CastExpr>(E)->getCastKind()) { 3629 case CK_BitCast: 3630 case CK_LValueToRValue: 3631 case CK_NoOp: 3632 case CK_BaseToDerived: 3633 case CK_DerivedToBase: 3634 case CK_UncheckedDerivedToBase: 3635 case CK_Dynamic: 3636 case CK_CPointerToObjCPointerCast: 3637 case CK_BlockPointerToObjCPointerCast: 3638 case CK_AnyPointerToBlockPointerCast: 3639 return EvalAddr(SubExpr, refVars, ParentDecl); 3640 3641 case CK_ArrayToPointerDecay: 3642 return EvalVal(SubExpr, refVars, ParentDecl); 3643 3644 default: 3645 return 0; 3646 } 3647 } 3648 3649 case Stmt::MaterializeTemporaryExprClass: 3650 if (Expr *Result = EvalAddr( 3651 cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(), 3652 refVars, ParentDecl)) 3653 return Result; 3654 3655 return E; 3656 3657 // Everything else: we simply don't reason about them. 3658 default: 3659 return NULL; 3660 } 3661 } 3662 3663 3664 /// EvalVal - This function is complements EvalAddr in the mutual recursion. 3665 /// See the comments for EvalAddr for more details. 3666 static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars, 3667 Decl *ParentDecl) { 3668 do { 3669 // We should only be called for evaluating non-pointer expressions, or 3670 // expressions with a pointer type that are not used as references but instead 3671 // are l-values (e.g., DeclRefExpr with a pointer type). 3672 3673 // Our "symbolic interpreter" is just a dispatch off the currently 3674 // viewed AST node. We then recursively traverse the AST by calling 3675 // EvalAddr and EvalVal appropriately. 3676 3677 E = E->IgnoreParens(); 3678 switch (E->getStmtClass()) { 3679 case Stmt::ImplicitCastExprClass: { 3680 ImplicitCastExpr *IE = cast<ImplicitCastExpr>(E); 3681 if (IE->getValueKind() == VK_LValue) { 3682 E = IE->getSubExpr(); 3683 continue; 3684 } 3685 return NULL; 3686 } 3687 3688 case Stmt::ExprWithCleanupsClass: 3689 return EvalVal(cast<ExprWithCleanups>(E)->getSubExpr(), refVars,ParentDecl); 3690 3691 case Stmt::DeclRefExprClass: { 3692 // When we hit a DeclRefExpr we are looking at code that refers to a 3693 // variable's name. If it's not a reference variable we check if it has 3694 // local storage within the function, and if so, return the expression. 3695 DeclRefExpr *DR = cast<DeclRefExpr>(E); 3696 3697 if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) { 3698 // Check if it refers to itself, e.g. "int& i = i;". 3699 if (V == ParentDecl) 3700 return DR; 3701 3702 if (V->hasLocalStorage()) { 3703 if (!V->getType()->isReferenceType()) 3704 return DR; 3705 3706 // Reference variable, follow through to the expression that 3707 // it points to. 3708 if (V->hasInit()) { 3709 // Add the reference variable to the "trail". 3710 refVars.push_back(DR); 3711 return EvalVal(V->getInit(), refVars, V); 3712 } 3713 } 3714 } 3715 3716 return NULL; 3717 } 3718 3719 case Stmt::UnaryOperatorClass: { 3720 // The only unary operator that make sense to handle here 3721 // is Deref. All others don't resolve to a "name." This includes 3722 // handling all sorts of rvalues passed to a unary operator. 3723 UnaryOperator *U = cast<UnaryOperator>(E); 3724 3725 if (U->getOpcode() == UO_Deref) 3726 return EvalAddr(U->getSubExpr(), refVars, ParentDecl); 3727 3728 return NULL; 3729 } 3730 3731 case Stmt::ArraySubscriptExprClass: { 3732 // Array subscripts are potential references to data on the stack. We 3733 // retrieve the DeclRefExpr* for the array variable if it indeed 3734 // has local storage. 3735 return EvalAddr(cast<ArraySubscriptExpr>(E)->getBase(), refVars,ParentDecl); 3736 } 3737 3738 case Stmt::ConditionalOperatorClass: { 3739 // For conditional operators we need to see if either the LHS or RHS are 3740 // non-NULL Expr's. If one is non-NULL, we return it. 3741 ConditionalOperator *C = cast<ConditionalOperator>(E); 3742 3743 // Handle the GNU extension for missing LHS. 3744 if (Expr *lhsExpr = C->getLHS()) 3745 if (Expr *LHS = EvalVal(lhsExpr, refVars, ParentDecl)) 3746 return LHS; 3747 3748 return EvalVal(C->getRHS(), refVars, ParentDecl); 3749 } 3750 3751 // Accesses to members are potential references to data on the stack. 3752 case Stmt::MemberExprClass: { 3753 MemberExpr *M = cast<MemberExpr>(E); 3754 3755 // Check for indirect access. We only want direct field accesses. 3756 if (M->isArrow()) 3757 return NULL; 3758 3759 // Check whether the member type is itself a reference, in which case 3760 // we're not going to refer to the member, but to what the member refers to. 3761 if (M->getMemberDecl()->getType()->isReferenceType()) 3762 return NULL; 3763 3764 return EvalVal(M->getBase(), refVars, ParentDecl); 3765 } 3766 3767 case Stmt::MaterializeTemporaryExprClass: 3768 if (Expr *Result = EvalVal( 3769 cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(), 3770 refVars, ParentDecl)) 3771 return Result; 3772 3773 return E; 3774 3775 default: 3776 // Check that we don't return or take the address of a reference to a 3777 // temporary. This is only useful in C++. 3778 if (!E->isTypeDependent() && E->isRValue()) 3779 return E; 3780 3781 // Everything else: we simply don't reason about them. 3782 return NULL; 3783 } 3784 } while (true); 3785 } 3786 3787 //===--- CHECK: Floating-Point comparisons (-Wfloat-equal) ---------------===// 3788 3789 /// Check for comparisons of floating point operands using != and ==. 3790 /// Issue a warning if these are no self-comparisons, as they are not likely 3791 /// to do what the programmer intended. 3792 void Sema::CheckFloatComparison(SourceLocation Loc, Expr* LHS, Expr *RHS) { 3793 Expr* LeftExprSansParen = LHS->IgnoreParenImpCasts(); 3794 Expr* RightExprSansParen = RHS->IgnoreParenImpCasts(); 3795 3796 // Special case: check for x == x (which is OK). 3797 // Do not emit warnings for such cases. 3798 if (DeclRefExpr* DRL = dyn_cast<DeclRefExpr>(LeftExprSansParen)) 3799 if (DeclRefExpr* DRR = dyn_cast<DeclRefExpr>(RightExprSansParen)) 3800 if (DRL->getDecl() == DRR->getDecl()) 3801 return; 3802 3803 3804 // Special case: check for comparisons against literals that can be exactly 3805 // represented by APFloat. In such cases, do not emit a warning. This 3806 // is a heuristic: often comparison against such literals are used to 3807 // detect if a value in a variable has not changed. This clearly can 3808 // lead to false negatives. 3809 if (FloatingLiteral* FLL = dyn_cast<FloatingLiteral>(LeftExprSansParen)) { 3810 if (FLL->isExact()) 3811 return; 3812 } else 3813 if (FloatingLiteral* FLR = dyn_cast<FloatingLiteral>(RightExprSansParen)) 3814 if (FLR->isExact()) 3815 return; 3816 3817 // Check for comparisons with builtin types. 3818 if (CallExpr* CL = dyn_cast<CallExpr>(LeftExprSansParen)) 3819 if (CL->isBuiltinCall()) 3820 return; 3821 3822 if (CallExpr* CR = dyn_cast<CallExpr>(RightExprSansParen)) 3823 if (CR->isBuiltinCall()) 3824 return; 3825 3826 // Emit the diagnostic. 3827 Diag(Loc, diag::warn_floatingpoint_eq) 3828 << LHS->getSourceRange() << RHS->getSourceRange(); 3829 } 3830 3831 //===--- CHECK: Integer mixed-sign comparisons (-Wsign-compare) --------===// 3832 //===--- CHECK: Lossy implicit conversions (-Wconversion) --------------===// 3833 3834 namespace { 3835 3836 /// Structure recording the 'active' range of an integer-valued 3837 /// expression. 3838 struct IntRange { 3839 /// The number of bits active in the int. 3840 unsigned Width; 3841 3842 /// True if the int is known not to have negative values. 3843 bool NonNegative; 3844 3845 IntRange(unsigned Width, bool NonNegative) 3846 : Width(Width), NonNegative(NonNegative) 3847 {} 3848 3849 /// Returns the range of the bool type. 3850 static IntRange forBoolType() { 3851 return IntRange(1, true); 3852 } 3853 3854 /// Returns the range of an opaque value of the given integral type. 3855 static IntRange forValueOfType(ASTContext &C, QualType T) { 3856 return forValueOfCanonicalType(C, 3857 T->getCanonicalTypeInternal().getTypePtr()); 3858 } 3859 3860 /// Returns the range of an opaque value of a canonical integral type. 3861 static IntRange forValueOfCanonicalType(ASTContext &C, const Type *T) { 3862 assert(T->isCanonicalUnqualified()); 3863 3864 if (const VectorType *VT = dyn_cast<VectorType>(T)) 3865 T = VT->getElementType().getTypePtr(); 3866 if (const ComplexType *CT = dyn_cast<ComplexType>(T)) 3867 T = CT->getElementType().getTypePtr(); 3868 3869 // For enum types, use the known bit width of the enumerators. 3870 if (const EnumType *ET = dyn_cast<EnumType>(T)) { 3871 EnumDecl *Enum = ET->getDecl(); 3872 if (!Enum->isCompleteDefinition()) 3873 return IntRange(C.getIntWidth(QualType(T, 0)), false); 3874 3875 unsigned NumPositive = Enum->getNumPositiveBits(); 3876 unsigned NumNegative = Enum->getNumNegativeBits(); 3877 3878 return IntRange(std::max(NumPositive, NumNegative), NumNegative == 0); 3879 } 3880 3881 const BuiltinType *BT = cast<BuiltinType>(T); 3882 assert(BT->isInteger()); 3883 3884 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); 3885 } 3886 3887 /// Returns the "target" range of a canonical integral type, i.e. 3888 /// the range of values expressible in the type. 3889 /// 3890 /// This matches forValueOfCanonicalType except that enums have the 3891 /// full range of their type, not the range of their enumerators. 3892 static IntRange forTargetOfCanonicalType(ASTContext &C, const Type *T) { 3893 assert(T->isCanonicalUnqualified()); 3894 3895 if (const VectorType *VT = dyn_cast<VectorType>(T)) 3896 T = VT->getElementType().getTypePtr(); 3897 if (const ComplexType *CT = dyn_cast<ComplexType>(T)) 3898 T = CT->getElementType().getTypePtr(); 3899 if (const EnumType *ET = dyn_cast<EnumType>(T)) 3900 T = C.getCanonicalType(ET->getDecl()->getIntegerType()).getTypePtr(); 3901 3902 const BuiltinType *BT = cast<BuiltinType>(T); 3903 assert(BT->isInteger()); 3904 3905 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); 3906 } 3907 3908 /// Returns the supremum of two ranges: i.e. their conservative merge. 3909 static IntRange join(IntRange L, IntRange R) { 3910 return IntRange(std::max(L.Width, R.Width), 3911 L.NonNegative && R.NonNegative); 3912 } 3913 3914 /// Returns the infinum of two ranges: i.e. their aggressive merge. 3915 static IntRange meet(IntRange L, IntRange R) { 3916 return IntRange(std::min(L.Width, R.Width), 3917 L.NonNegative || R.NonNegative); 3918 } 3919 }; 3920 3921 static IntRange GetValueRange(ASTContext &C, llvm::APSInt &value, 3922 unsigned MaxWidth) { 3923 if (value.isSigned() && value.isNegative()) 3924 return IntRange(value.getMinSignedBits(), false); 3925 3926 if (value.getBitWidth() > MaxWidth) 3927 value = value.trunc(MaxWidth); 3928 3929 // isNonNegative() just checks the sign bit without considering 3930 // signedness. 3931 return IntRange(value.getActiveBits(), true); 3932 } 3933 3934 static IntRange GetValueRange(ASTContext &C, APValue &result, QualType Ty, 3935 unsigned MaxWidth) { 3936 if (result.isInt()) 3937 return GetValueRange(C, result.getInt(), MaxWidth); 3938 3939 if (result.isVector()) { 3940 IntRange R = GetValueRange(C, result.getVectorElt(0), Ty, MaxWidth); 3941 for (unsigned i = 1, e = result.getVectorLength(); i != e; ++i) { 3942 IntRange El = GetValueRange(C, result.getVectorElt(i), Ty, MaxWidth); 3943 R = IntRange::join(R, El); 3944 } 3945 return R; 3946 } 3947 3948 if (result.isComplexInt()) { 3949 IntRange R = GetValueRange(C, result.getComplexIntReal(), MaxWidth); 3950 IntRange I = GetValueRange(C, result.getComplexIntImag(), MaxWidth); 3951 return IntRange::join(R, I); 3952 } 3953 3954 // This can happen with lossless casts to intptr_t of "based" lvalues. 3955 // Assume it might use arbitrary bits. 3956 // FIXME: The only reason we need to pass the type in here is to get 3957 // the sign right on this one case. It would be nice if APValue 3958 // preserved this. 3959 assert(result.isLValue() || result.isAddrLabelDiff()); 3960 return IntRange(MaxWidth, Ty->isUnsignedIntegerOrEnumerationType()); 3961 } 3962 3963 /// Pseudo-evaluate the given integer expression, estimating the 3964 /// range of values it might take. 3965 /// 3966 /// \param MaxWidth - the width to which the value will be truncated 3967 static IntRange GetExprRange(ASTContext &C, Expr *E, unsigned MaxWidth) { 3968 E = E->IgnoreParens(); 3969 3970 // Try a full evaluation first. 3971 Expr::EvalResult result; 3972 if (E->EvaluateAsRValue(result, C)) 3973 return GetValueRange(C, result.Val, E->getType(), MaxWidth); 3974 3975 // I think we only want to look through implicit casts here; if the 3976 // user has an explicit widening cast, we should treat the value as 3977 // being of the new, wider type. 3978 if (ImplicitCastExpr *CE = dyn_cast<ImplicitCastExpr>(E)) { 3979 if (CE->getCastKind() == CK_NoOp || CE->getCastKind() == CK_LValueToRValue) 3980 return GetExprRange(C, CE->getSubExpr(), MaxWidth); 3981 3982 IntRange OutputTypeRange = IntRange::forValueOfType(C, CE->getType()); 3983 3984 bool isIntegerCast = (CE->getCastKind() == CK_IntegralCast); 3985 3986 // Assume that non-integer casts can span the full range of the type. 3987 if (!isIntegerCast) 3988 return OutputTypeRange; 3989 3990 IntRange SubRange 3991 = GetExprRange(C, CE->getSubExpr(), 3992 std::min(MaxWidth, OutputTypeRange.Width)); 3993 3994 // Bail out if the subexpr's range is as wide as the cast type. 3995 if (SubRange.Width >= OutputTypeRange.Width) 3996 return OutputTypeRange; 3997 3998 // Otherwise, we take the smaller width, and we're non-negative if 3999 // either the output type or the subexpr is. 4000 return IntRange(SubRange.Width, 4001 SubRange.NonNegative || OutputTypeRange.NonNegative); 4002 } 4003 4004 if (ConditionalOperator *CO = dyn_cast<ConditionalOperator>(E)) { 4005 // If we can fold the condition, just take that operand. 4006 bool CondResult; 4007 if (CO->getCond()->EvaluateAsBooleanCondition(CondResult, C)) 4008 return GetExprRange(C, CondResult ? CO->getTrueExpr() 4009 : CO->getFalseExpr(), 4010 MaxWidth); 4011 4012 // Otherwise, conservatively merge. 4013 IntRange L = GetExprRange(C, CO->getTrueExpr(), MaxWidth); 4014 IntRange R = GetExprRange(C, CO->getFalseExpr(), MaxWidth); 4015 return IntRange::join(L, R); 4016 } 4017 4018 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 4019 switch (BO->getOpcode()) { 4020 4021 // Boolean-valued operations are single-bit and positive. 4022 case BO_LAnd: 4023 case BO_LOr: 4024 case BO_LT: 4025 case BO_GT: 4026 case BO_LE: 4027 case BO_GE: 4028 case BO_EQ: 4029 case BO_NE: 4030 return IntRange::forBoolType(); 4031 4032 // The type of the assignments is the type of the LHS, so the RHS 4033 // is not necessarily the same type. 4034 case BO_MulAssign: 4035 case BO_DivAssign: 4036 case BO_RemAssign: 4037 case BO_AddAssign: 4038 case BO_SubAssign: 4039 case BO_XorAssign: 4040 case BO_OrAssign: 4041 // TODO: bitfields? 4042 return IntRange::forValueOfType(C, E->getType()); 4043 4044 // Simple assignments just pass through the RHS, which will have 4045 // been coerced to the LHS type. 4046 case BO_Assign: 4047 // TODO: bitfields? 4048 return GetExprRange(C, BO->getRHS(), MaxWidth); 4049 4050 // Operations with opaque sources are black-listed. 4051 case BO_PtrMemD: 4052 case BO_PtrMemI: 4053 return IntRange::forValueOfType(C, E->getType()); 4054 4055 // Bitwise-and uses the *infinum* of the two source ranges. 4056 case BO_And: 4057 case BO_AndAssign: 4058 return IntRange::meet(GetExprRange(C, BO->getLHS(), MaxWidth), 4059 GetExprRange(C, BO->getRHS(), MaxWidth)); 4060 4061 // Left shift gets black-listed based on a judgement call. 4062 case BO_Shl: 4063 // ...except that we want to treat '1 << (blah)' as logically 4064 // positive. It's an important idiom. 4065 if (IntegerLiteral *I 4066 = dyn_cast<IntegerLiteral>(BO->getLHS()->IgnoreParenCasts())) { 4067 if (I->getValue() == 1) { 4068 IntRange R = IntRange::forValueOfType(C, E->getType()); 4069 return IntRange(R.Width, /*NonNegative*/ true); 4070 } 4071 } 4072 // fallthrough 4073 4074 case BO_ShlAssign: 4075 return IntRange::forValueOfType(C, E->getType()); 4076 4077 // Right shift by a constant can narrow its left argument. 4078 case BO_Shr: 4079 case BO_ShrAssign: { 4080 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 4081 4082 // If the shift amount is a positive constant, drop the width by 4083 // that much. 4084 llvm::APSInt shift; 4085 if (BO->getRHS()->isIntegerConstantExpr(shift, C) && 4086 shift.isNonNegative()) { 4087 unsigned zext = shift.getZExtValue(); 4088 if (zext >= L.Width) 4089 L.Width = (L.NonNegative ? 0 : 1); 4090 else 4091 L.Width -= zext; 4092 } 4093 4094 return L; 4095 } 4096 4097 // Comma acts as its right operand. 4098 case BO_Comma: 4099 return GetExprRange(C, BO->getRHS(), MaxWidth); 4100 4101 // Black-list pointer subtractions. 4102 case BO_Sub: 4103 if (BO->getLHS()->getType()->isPointerType()) 4104 return IntRange::forValueOfType(C, E->getType()); 4105 break; 4106 4107 // The width of a division result is mostly determined by the size 4108 // of the LHS. 4109 case BO_Div: { 4110 // Don't 'pre-truncate' the operands. 4111 unsigned opWidth = C.getIntWidth(E->getType()); 4112 IntRange L = GetExprRange(C, BO->getLHS(), opWidth); 4113 4114 // If the divisor is constant, use that. 4115 llvm::APSInt divisor; 4116 if (BO->getRHS()->isIntegerConstantExpr(divisor, C)) { 4117 unsigned log2 = divisor.logBase2(); // floor(log_2(divisor)) 4118 if (log2 >= L.Width) 4119 L.Width = (L.NonNegative ? 0 : 1); 4120 else 4121 L.Width = std::min(L.Width - log2, MaxWidth); 4122 return L; 4123 } 4124 4125 // Otherwise, just use the LHS's width. 4126 IntRange R = GetExprRange(C, BO->getRHS(), opWidth); 4127 return IntRange(L.Width, L.NonNegative && R.NonNegative); 4128 } 4129 4130 // The result of a remainder can't be larger than the result of 4131 // either side. 4132 case BO_Rem: { 4133 // Don't 'pre-truncate' the operands. 4134 unsigned opWidth = C.getIntWidth(E->getType()); 4135 IntRange L = GetExprRange(C, BO->getLHS(), opWidth); 4136 IntRange R = GetExprRange(C, BO->getRHS(), opWidth); 4137 4138 IntRange meet = IntRange::meet(L, R); 4139 meet.Width = std::min(meet.Width, MaxWidth); 4140 return meet; 4141 } 4142 4143 // The default behavior is okay for these. 4144 case BO_Mul: 4145 case BO_Add: 4146 case BO_Xor: 4147 case BO_Or: 4148 break; 4149 } 4150 4151 // The default case is to treat the operation as if it were closed 4152 // on the narrowest type that encompasses both operands. 4153 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 4154 IntRange R = GetExprRange(C, BO->getRHS(), MaxWidth); 4155 return IntRange::join(L, R); 4156 } 4157 4158 if (UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) { 4159 switch (UO->getOpcode()) { 4160 // Boolean-valued operations are white-listed. 4161 case UO_LNot: 4162 return IntRange::forBoolType(); 4163 4164 // Operations with opaque sources are black-listed. 4165 case UO_Deref: 4166 case UO_AddrOf: // should be impossible 4167 return IntRange::forValueOfType(C, E->getType()); 4168 4169 default: 4170 return GetExprRange(C, UO->getSubExpr(), MaxWidth); 4171 } 4172 } 4173 4174 if (dyn_cast<OffsetOfExpr>(E)) { 4175 IntRange::forValueOfType(C, E->getType()); 4176 } 4177 4178 if (FieldDecl *BitField = E->getBitField()) 4179 return IntRange(BitField->getBitWidthValue(C), 4180 BitField->getType()->isUnsignedIntegerOrEnumerationType()); 4181 4182 return IntRange::forValueOfType(C, E->getType()); 4183 } 4184 4185 static IntRange GetExprRange(ASTContext &C, Expr *E) { 4186 return GetExprRange(C, E, C.getIntWidth(E->getType())); 4187 } 4188 4189 /// Checks whether the given value, which currently has the given 4190 /// source semantics, has the same value when coerced through the 4191 /// target semantics. 4192 static bool IsSameFloatAfterCast(const llvm::APFloat &value, 4193 const llvm::fltSemantics &Src, 4194 const llvm::fltSemantics &Tgt) { 4195 llvm::APFloat truncated = value; 4196 4197 bool ignored; 4198 truncated.convert(Src, llvm::APFloat::rmNearestTiesToEven, &ignored); 4199 truncated.convert(Tgt, llvm::APFloat::rmNearestTiesToEven, &ignored); 4200 4201 return truncated.bitwiseIsEqual(value); 4202 } 4203 4204 /// Checks whether the given value, which currently has the given 4205 /// source semantics, has the same value when coerced through the 4206 /// target semantics. 4207 /// 4208 /// The value might be a vector of floats (or a complex number). 4209 static bool IsSameFloatAfterCast(const APValue &value, 4210 const llvm::fltSemantics &Src, 4211 const llvm::fltSemantics &Tgt) { 4212 if (value.isFloat()) 4213 return IsSameFloatAfterCast(value.getFloat(), Src, Tgt); 4214 4215 if (value.isVector()) { 4216 for (unsigned i = 0, e = value.getVectorLength(); i != e; ++i) 4217 if (!IsSameFloatAfterCast(value.getVectorElt(i), Src, Tgt)) 4218 return false; 4219 return true; 4220 } 4221 4222 assert(value.isComplexFloat()); 4223 return (IsSameFloatAfterCast(value.getComplexFloatReal(), Src, Tgt) && 4224 IsSameFloatAfterCast(value.getComplexFloatImag(), Src, Tgt)); 4225 } 4226 4227 static void AnalyzeImplicitConversions(Sema &S, Expr *E, SourceLocation CC); 4228 4229 static bool IsZero(Sema &S, Expr *E) { 4230 // Suppress cases where we are comparing against an enum constant. 4231 if (const DeclRefExpr *DR = 4232 dyn_cast<DeclRefExpr>(E->IgnoreParenImpCasts())) 4233 if (isa<EnumConstantDecl>(DR->getDecl())) 4234 return false; 4235 4236 // Suppress cases where the '0' value is expanded from a macro. 4237 if (E->getLocStart().isMacroID()) 4238 return false; 4239 4240 llvm::APSInt Value; 4241 return E->isIntegerConstantExpr(Value, S.Context) && Value == 0; 4242 } 4243 4244 static bool HasEnumType(Expr *E) { 4245 // Strip off implicit integral promotions. 4246 while (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) { 4247 if (ICE->getCastKind() != CK_IntegralCast && 4248 ICE->getCastKind() != CK_NoOp) 4249 break; 4250 E = ICE->getSubExpr(); 4251 } 4252 4253 return E->getType()->isEnumeralType(); 4254 } 4255 4256 static void CheckTrivialUnsignedComparison(Sema &S, BinaryOperator *E) { 4257 BinaryOperatorKind op = E->getOpcode(); 4258 if (E->isValueDependent()) 4259 return; 4260 4261 if (op == BO_LT && IsZero(S, E->getRHS())) { 4262 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 4263 << "< 0" << "false" << HasEnumType(E->getLHS()) 4264 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 4265 } else if (op == BO_GE && IsZero(S, E->getRHS())) { 4266 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 4267 << ">= 0" << "true" << HasEnumType(E->getLHS()) 4268 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 4269 } else if (op == BO_GT && IsZero(S, E->getLHS())) { 4270 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 4271 << "0 >" << "false" << HasEnumType(E->getRHS()) 4272 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 4273 } else if (op == BO_LE && IsZero(S, E->getLHS())) { 4274 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 4275 << "0 <=" << "true" << HasEnumType(E->getRHS()) 4276 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 4277 } 4278 } 4279 4280 /// Analyze the operands of the given comparison. Implements the 4281 /// fallback case from AnalyzeComparison. 4282 static void AnalyzeImpConvsInComparison(Sema &S, BinaryOperator *E) { 4283 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc()); 4284 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc()); 4285 } 4286 4287 /// \brief Implements -Wsign-compare. 4288 /// 4289 /// \param E the binary operator to check for warnings 4290 static void AnalyzeComparison(Sema &S, BinaryOperator *E) { 4291 // The type the comparison is being performed in. 4292 QualType T = E->getLHS()->getType(); 4293 assert(S.Context.hasSameUnqualifiedType(T, E->getRHS()->getType()) 4294 && "comparison with mismatched types"); 4295 4296 // We don't do anything special if this isn't an unsigned integral 4297 // comparison: we're only interested in integral comparisons, and 4298 // signed comparisons only happen in cases we don't care to warn about. 4299 // 4300 // We also don't care about value-dependent expressions or expressions 4301 // whose result is a constant. 4302 if (!T->hasUnsignedIntegerRepresentation() 4303 || E->isValueDependent() || E->isIntegerConstantExpr(S.Context)) 4304 return AnalyzeImpConvsInComparison(S, E); 4305 4306 Expr *LHS = E->getLHS()->IgnoreParenImpCasts(); 4307 Expr *RHS = E->getRHS()->IgnoreParenImpCasts(); 4308 4309 // Check to see if one of the (unmodified) operands is of different 4310 // signedness. 4311 Expr *signedOperand, *unsignedOperand; 4312 if (LHS->getType()->hasSignedIntegerRepresentation()) { 4313 assert(!RHS->getType()->hasSignedIntegerRepresentation() && 4314 "unsigned comparison between two signed integer expressions?"); 4315 signedOperand = LHS; 4316 unsignedOperand = RHS; 4317 } else if (RHS->getType()->hasSignedIntegerRepresentation()) { 4318 signedOperand = RHS; 4319 unsignedOperand = LHS; 4320 } else { 4321 CheckTrivialUnsignedComparison(S, E); 4322 return AnalyzeImpConvsInComparison(S, E); 4323 } 4324 4325 // Otherwise, calculate the effective range of the signed operand. 4326 IntRange signedRange = GetExprRange(S.Context, signedOperand); 4327 4328 // Go ahead and analyze implicit conversions in the operands. Note 4329 // that we skip the implicit conversions on both sides. 4330 AnalyzeImplicitConversions(S, LHS, E->getOperatorLoc()); 4331 AnalyzeImplicitConversions(S, RHS, E->getOperatorLoc()); 4332 4333 // If the signed range is non-negative, -Wsign-compare won't fire, 4334 // but we should still check for comparisons which are always true 4335 // or false. 4336 if (signedRange.NonNegative) 4337 return CheckTrivialUnsignedComparison(S, E); 4338 4339 // For (in)equality comparisons, if the unsigned operand is a 4340 // constant which cannot collide with a overflowed signed operand, 4341 // then reinterpreting the signed operand as unsigned will not 4342 // change the result of the comparison. 4343 if (E->isEqualityOp()) { 4344 unsigned comparisonWidth = S.Context.getIntWidth(T); 4345 IntRange unsignedRange = GetExprRange(S.Context, unsignedOperand); 4346 4347 // We should never be unable to prove that the unsigned operand is 4348 // non-negative. 4349 assert(unsignedRange.NonNegative && "unsigned range includes negative?"); 4350 4351 if (unsignedRange.Width < comparisonWidth) 4352 return; 4353 } 4354 4355 S.DiagRuntimeBehavior(E->getOperatorLoc(), E, 4356 S.PDiag(diag::warn_mixed_sign_comparison) 4357 << LHS->getType() << RHS->getType() 4358 << LHS->getSourceRange() << RHS->getSourceRange()); 4359 } 4360 4361 /// Analyzes an attempt to assign the given value to a bitfield. 4362 /// 4363 /// Returns true if there was something fishy about the attempt. 4364 static bool AnalyzeBitFieldAssignment(Sema &S, FieldDecl *Bitfield, Expr *Init, 4365 SourceLocation InitLoc) { 4366 assert(Bitfield->isBitField()); 4367 if (Bitfield->isInvalidDecl()) 4368 return false; 4369 4370 // White-list bool bitfields. 4371 if (Bitfield->getType()->isBooleanType()) 4372 return false; 4373 4374 // Ignore value- or type-dependent expressions. 4375 if (Bitfield->getBitWidth()->isValueDependent() || 4376 Bitfield->getBitWidth()->isTypeDependent() || 4377 Init->isValueDependent() || 4378 Init->isTypeDependent()) 4379 return false; 4380 4381 Expr *OriginalInit = Init->IgnoreParenImpCasts(); 4382 4383 llvm::APSInt Value; 4384 if (!OriginalInit->EvaluateAsInt(Value, S.Context, Expr::SE_AllowSideEffects)) 4385 return false; 4386 4387 unsigned OriginalWidth = Value.getBitWidth(); 4388 unsigned FieldWidth = Bitfield->getBitWidthValue(S.Context); 4389 4390 if (OriginalWidth <= FieldWidth) 4391 return false; 4392 4393 // Compute the value which the bitfield will contain. 4394 llvm::APSInt TruncatedValue = Value.trunc(FieldWidth); 4395 TruncatedValue.setIsSigned(Bitfield->getType()->isSignedIntegerType()); 4396 4397 // Check whether the stored value is equal to the original value. 4398 TruncatedValue = TruncatedValue.extend(OriginalWidth); 4399 if (llvm::APSInt::isSameValue(Value, TruncatedValue)) 4400 return false; 4401 4402 // Special-case bitfields of width 1: booleans are naturally 0/1, and 4403 // therefore don't strictly fit into a signed bitfield of width 1. 4404 if (FieldWidth == 1 && Value == 1) 4405 return false; 4406 4407 std::string PrettyValue = Value.toString(10); 4408 std::string PrettyTrunc = TruncatedValue.toString(10); 4409 4410 S.Diag(InitLoc, diag::warn_impcast_bitfield_precision_constant) 4411 << PrettyValue << PrettyTrunc << OriginalInit->getType() 4412 << Init->getSourceRange(); 4413 4414 return true; 4415 } 4416 4417 /// Analyze the given simple or compound assignment for warning-worthy 4418 /// operations. 4419 static void AnalyzeAssignment(Sema &S, BinaryOperator *E) { 4420 // Just recurse on the LHS. 4421 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc()); 4422 4423 // We want to recurse on the RHS as normal unless we're assigning to 4424 // a bitfield. 4425 if (FieldDecl *Bitfield = E->getLHS()->getBitField()) { 4426 if (AnalyzeBitFieldAssignment(S, Bitfield, E->getRHS(), 4427 E->getOperatorLoc())) { 4428 // Recurse, ignoring any implicit conversions on the RHS. 4429 return AnalyzeImplicitConversions(S, E->getRHS()->IgnoreParenImpCasts(), 4430 E->getOperatorLoc()); 4431 } 4432 } 4433 4434 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc()); 4435 } 4436 4437 /// Diagnose an implicit cast; purely a helper for CheckImplicitConversion. 4438 static void DiagnoseImpCast(Sema &S, Expr *E, QualType SourceType, QualType T, 4439 SourceLocation CContext, unsigned diag, 4440 bool pruneControlFlow = false) { 4441 if (pruneControlFlow) { 4442 S.DiagRuntimeBehavior(E->getExprLoc(), E, 4443 S.PDiag(diag) 4444 << SourceType << T << E->getSourceRange() 4445 << SourceRange(CContext)); 4446 return; 4447 } 4448 S.Diag(E->getExprLoc(), diag) 4449 << SourceType << T << E->getSourceRange() << SourceRange(CContext); 4450 } 4451 4452 /// Diagnose an implicit cast; purely a helper for CheckImplicitConversion. 4453 static void DiagnoseImpCast(Sema &S, Expr *E, QualType T, 4454 SourceLocation CContext, unsigned diag, 4455 bool pruneControlFlow = false) { 4456 DiagnoseImpCast(S, E, E->getType(), T, CContext, diag, pruneControlFlow); 4457 } 4458 4459 /// Diagnose an implicit cast from a literal expression. Does not warn when the 4460 /// cast wouldn't lose information. 4461 void DiagnoseFloatingLiteralImpCast(Sema &S, FloatingLiteral *FL, QualType T, 4462 SourceLocation CContext) { 4463 // Try to convert the literal exactly to an integer. If we can, don't warn. 4464 bool isExact = false; 4465 const llvm::APFloat &Value = FL->getValue(); 4466 llvm::APSInt IntegerValue(S.Context.getIntWidth(T), 4467 T->hasUnsignedIntegerRepresentation()); 4468 if (Value.convertToInteger(IntegerValue, 4469 llvm::APFloat::rmTowardZero, &isExact) 4470 == llvm::APFloat::opOK && isExact) 4471 return; 4472 4473 SmallString<16> PrettySourceValue; 4474 Value.toString(PrettySourceValue); 4475 SmallString<16> PrettyTargetValue; 4476 if (T->isSpecificBuiltinType(BuiltinType::Bool)) 4477 PrettyTargetValue = IntegerValue == 0 ? "false" : "true"; 4478 else 4479 IntegerValue.toString(PrettyTargetValue); 4480 4481 S.Diag(FL->getExprLoc(), diag::warn_impcast_literal_float_to_integer) 4482 << FL->getType() << T.getUnqualifiedType() << PrettySourceValue 4483 << PrettyTargetValue << FL->getSourceRange() << SourceRange(CContext); 4484 } 4485 4486 std::string PrettyPrintInRange(const llvm::APSInt &Value, IntRange Range) { 4487 if (!Range.Width) return "0"; 4488 4489 llvm::APSInt ValueInRange = Value; 4490 ValueInRange.setIsSigned(!Range.NonNegative); 4491 ValueInRange = ValueInRange.trunc(Range.Width); 4492 return ValueInRange.toString(10); 4493 } 4494 4495 static bool IsImplicitBoolFloatConversion(Sema &S, Expr *Ex, bool ToBool) { 4496 if (!isa<ImplicitCastExpr>(Ex)) 4497 return false; 4498 4499 Expr *InnerE = Ex->IgnoreParenImpCasts(); 4500 const Type *Target = S.Context.getCanonicalType(Ex->getType()).getTypePtr(); 4501 const Type *Source = 4502 S.Context.getCanonicalType(InnerE->getType()).getTypePtr(); 4503 if (Target->isDependentType()) 4504 return false; 4505 4506 const BuiltinType *FloatCandidateBT = 4507 dyn_cast<BuiltinType>(ToBool ? Source : Target); 4508 const Type *BoolCandidateType = ToBool ? Target : Source; 4509 4510 return (BoolCandidateType->isSpecificBuiltinType(BuiltinType::Bool) && 4511 FloatCandidateBT && (FloatCandidateBT->isFloatingPoint())); 4512 } 4513 4514 void CheckImplicitArgumentConversions(Sema &S, CallExpr *TheCall, 4515 SourceLocation CC) { 4516 unsigned NumArgs = TheCall->getNumArgs(); 4517 for (unsigned i = 0; i < NumArgs; ++i) { 4518 Expr *CurrA = TheCall->getArg(i); 4519 if (!IsImplicitBoolFloatConversion(S, CurrA, true)) 4520 continue; 4521 4522 bool IsSwapped = ((i > 0) && 4523 IsImplicitBoolFloatConversion(S, TheCall->getArg(i - 1), false)); 4524 IsSwapped |= ((i < (NumArgs - 1)) && 4525 IsImplicitBoolFloatConversion(S, TheCall->getArg(i + 1), false)); 4526 if (IsSwapped) { 4527 // Warn on this floating-point to bool conversion. 4528 DiagnoseImpCast(S, CurrA->IgnoreParenImpCasts(), 4529 CurrA->getType(), CC, 4530 diag::warn_impcast_floating_point_to_bool); 4531 } 4532 } 4533 } 4534 4535 void CheckImplicitConversion(Sema &S, Expr *E, QualType T, 4536 SourceLocation CC, bool *ICContext = 0) { 4537 if (E->isTypeDependent() || E->isValueDependent()) return; 4538 4539 const Type *Source = S.Context.getCanonicalType(E->getType()).getTypePtr(); 4540 const Type *Target = S.Context.getCanonicalType(T).getTypePtr(); 4541 if (Source == Target) return; 4542 if (Target->isDependentType()) return; 4543 4544 // If the conversion context location is invalid don't complain. We also 4545 // don't want to emit a warning if the issue occurs from the expansion of 4546 // a system macro. The problem is that 'getSpellingLoc()' is slow, so we 4547 // delay this check as long as possible. Once we detect we are in that 4548 // scenario, we just return. 4549 if (CC.isInvalid()) 4550 return; 4551 4552 // Diagnose implicit casts to bool. 4553 if (Target->isSpecificBuiltinType(BuiltinType::Bool)) { 4554 if (isa<StringLiteral>(E)) 4555 // Warn on string literal to bool. Checks for string literals in logical 4556 // expressions, for instances, assert(0 && "error here"), is prevented 4557 // by a check in AnalyzeImplicitConversions(). 4558 return DiagnoseImpCast(S, E, T, CC, 4559 diag::warn_impcast_string_literal_to_bool); 4560 if (Source->isFunctionType()) { 4561 // Warn on function to bool. Checks free functions and static member 4562 // functions. Weakly imported functions are excluded from the check, 4563 // since it's common to test their value to check whether the linker 4564 // found a definition for them. 4565 ValueDecl *D = 0; 4566 if (DeclRefExpr* R = dyn_cast<DeclRefExpr>(E)) { 4567 D = R->getDecl(); 4568 } else if (MemberExpr *M = dyn_cast<MemberExpr>(E)) { 4569 D = M->getMemberDecl(); 4570 } 4571 4572 if (D && !D->isWeak()) { 4573 if (FunctionDecl* F = dyn_cast<FunctionDecl>(D)) { 4574 S.Diag(E->getExprLoc(), diag::warn_impcast_function_to_bool) 4575 << F << E->getSourceRange() << SourceRange(CC); 4576 S.Diag(E->getExprLoc(), diag::note_function_to_bool_silence) 4577 << FixItHint::CreateInsertion(E->getExprLoc(), "&"); 4578 QualType ReturnType; 4579 UnresolvedSet<4> NonTemplateOverloads; 4580 S.isExprCallable(*E, ReturnType, NonTemplateOverloads); 4581 if (!ReturnType.isNull() 4582 && ReturnType->isSpecificBuiltinType(BuiltinType::Bool)) 4583 S.Diag(E->getExprLoc(), diag::note_function_to_bool_call) 4584 << FixItHint::CreateInsertion( 4585 S.getPreprocessor().getLocForEndOfToken(E->getLocEnd()), "()"); 4586 return; 4587 } 4588 } 4589 } 4590 } 4591 4592 // Strip vector types. 4593 if (isa<VectorType>(Source)) { 4594 if (!isa<VectorType>(Target)) { 4595 if (S.SourceMgr.isInSystemMacro(CC)) 4596 return; 4597 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_vector_scalar); 4598 } 4599 4600 // If the vector cast is cast between two vectors of the same size, it is 4601 // a bitcast, not a conversion. 4602 if (S.Context.getTypeSize(Source) == S.Context.getTypeSize(Target)) 4603 return; 4604 4605 Source = cast<VectorType>(Source)->getElementType().getTypePtr(); 4606 Target = cast<VectorType>(Target)->getElementType().getTypePtr(); 4607 } 4608 4609 // Strip complex types. 4610 if (isa<ComplexType>(Source)) { 4611 if (!isa<ComplexType>(Target)) { 4612 if (S.SourceMgr.isInSystemMacro(CC)) 4613 return; 4614 4615 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_complex_scalar); 4616 } 4617 4618 Source = cast<ComplexType>(Source)->getElementType().getTypePtr(); 4619 Target = cast<ComplexType>(Target)->getElementType().getTypePtr(); 4620 } 4621 4622 const BuiltinType *SourceBT = dyn_cast<BuiltinType>(Source); 4623 const BuiltinType *TargetBT = dyn_cast<BuiltinType>(Target); 4624 4625 // If the source is floating point... 4626 if (SourceBT && SourceBT->isFloatingPoint()) { 4627 // ...and the target is floating point... 4628 if (TargetBT && TargetBT->isFloatingPoint()) { 4629 // ...then warn if we're dropping FP rank. 4630 4631 // Builtin FP kinds are ordered by increasing FP rank. 4632 if (SourceBT->getKind() > TargetBT->getKind()) { 4633 // Don't warn about float constants that are precisely 4634 // representable in the target type. 4635 Expr::EvalResult result; 4636 if (E->EvaluateAsRValue(result, S.Context)) { 4637 // Value might be a float, a float vector, or a float complex. 4638 if (IsSameFloatAfterCast(result.Val, 4639 S.Context.getFloatTypeSemantics(QualType(TargetBT, 0)), 4640 S.Context.getFloatTypeSemantics(QualType(SourceBT, 0)))) 4641 return; 4642 } 4643 4644 if (S.SourceMgr.isInSystemMacro(CC)) 4645 return; 4646 4647 DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_precision); 4648 } 4649 return; 4650 } 4651 4652 // If the target is integral, always warn. 4653 if (TargetBT && TargetBT->isInteger()) { 4654 if (S.SourceMgr.isInSystemMacro(CC)) 4655 return; 4656 4657 Expr *InnerE = E->IgnoreParenImpCasts(); 4658 // We also want to warn on, e.g., "int i = -1.234" 4659 if (UnaryOperator *UOp = dyn_cast<UnaryOperator>(InnerE)) 4660 if (UOp->getOpcode() == UO_Minus || UOp->getOpcode() == UO_Plus) 4661 InnerE = UOp->getSubExpr()->IgnoreParenImpCasts(); 4662 4663 if (FloatingLiteral *FL = dyn_cast<FloatingLiteral>(InnerE)) { 4664 DiagnoseFloatingLiteralImpCast(S, FL, T, CC); 4665 } else { 4666 DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_integer); 4667 } 4668 } 4669 4670 // If the target is bool, warn if expr is a function or method call. 4671 if (Target->isSpecificBuiltinType(BuiltinType::Bool) && 4672 isa<CallExpr>(E)) { 4673 // Check last argument of function call to see if it is an 4674 // implicit cast from a type matching the type the result 4675 // is being cast to. 4676 CallExpr *CEx = cast<CallExpr>(E); 4677 unsigned NumArgs = CEx->getNumArgs(); 4678 if (NumArgs > 0) { 4679 Expr *LastA = CEx->getArg(NumArgs - 1); 4680 Expr *InnerE = LastA->IgnoreParenImpCasts(); 4681 const Type *InnerType = 4682 S.Context.getCanonicalType(InnerE->getType()).getTypePtr(); 4683 if (isa<ImplicitCastExpr>(LastA) && (InnerType == Target)) { 4684 // Warn on this floating-point to bool conversion 4685 DiagnoseImpCast(S, E, T, CC, 4686 diag::warn_impcast_floating_point_to_bool); 4687 } 4688 } 4689 } 4690 return; 4691 } 4692 4693 if ((E->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNotNull) 4694 == Expr::NPCK_GNUNull) && !Target->isAnyPointerType() 4695 && !Target->isBlockPointerType() && !Target->isMemberPointerType()) { 4696 SourceLocation Loc = E->getSourceRange().getBegin(); 4697 if (Loc.isMacroID()) 4698 Loc = S.SourceMgr.getImmediateExpansionRange(Loc).first; 4699 if (!Loc.isMacroID() || CC.isMacroID()) 4700 S.Diag(Loc, diag::warn_impcast_null_pointer_to_integer) 4701 << T << clang::SourceRange(CC) 4702 << FixItHint::CreateReplacement(Loc, S.getFixItZeroLiteralForType(T)); 4703 } 4704 4705 if (!Source->isIntegerType() || !Target->isIntegerType()) 4706 return; 4707 4708 // TODO: remove this early return once the false positives for constant->bool 4709 // in templates, macros, etc, are reduced or removed. 4710 if (Target->isSpecificBuiltinType(BuiltinType::Bool)) 4711 return; 4712 4713 IntRange SourceRange = GetExprRange(S.Context, E); 4714 IntRange TargetRange = IntRange::forTargetOfCanonicalType(S.Context, Target); 4715 4716 if (SourceRange.Width > TargetRange.Width) { 4717 // If the source is a constant, use a default-on diagnostic. 4718 // TODO: this should happen for bitfield stores, too. 4719 llvm::APSInt Value(32); 4720 if (E->isIntegerConstantExpr(Value, S.Context)) { 4721 if (S.SourceMgr.isInSystemMacro(CC)) 4722 return; 4723 4724 std::string PrettySourceValue = Value.toString(10); 4725 std::string PrettyTargetValue = PrettyPrintInRange(Value, TargetRange); 4726 4727 S.DiagRuntimeBehavior(E->getExprLoc(), E, 4728 S.PDiag(diag::warn_impcast_integer_precision_constant) 4729 << PrettySourceValue << PrettyTargetValue 4730 << E->getType() << T << E->getSourceRange() 4731 << clang::SourceRange(CC)); 4732 return; 4733 } 4734 4735 // People want to build with -Wshorten-64-to-32 and not -Wconversion. 4736 if (S.SourceMgr.isInSystemMacro(CC)) 4737 return; 4738 4739 if (TargetRange.Width == 32 && S.Context.getIntWidth(E->getType()) == 64) 4740 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_64_32, 4741 /* pruneControlFlow */ true); 4742 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_precision); 4743 } 4744 4745 if ((TargetRange.NonNegative && !SourceRange.NonNegative) || 4746 (!TargetRange.NonNegative && SourceRange.NonNegative && 4747 SourceRange.Width == TargetRange.Width)) { 4748 4749 if (S.SourceMgr.isInSystemMacro(CC)) 4750 return; 4751 4752 unsigned DiagID = diag::warn_impcast_integer_sign; 4753 4754 // Traditionally, gcc has warned about this under -Wsign-compare. 4755 // We also want to warn about it in -Wconversion. 4756 // So if -Wconversion is off, use a completely identical diagnostic 4757 // in the sign-compare group. 4758 // The conditional-checking code will 4759 if (ICContext) { 4760 DiagID = diag::warn_impcast_integer_sign_conditional; 4761 *ICContext = true; 4762 } 4763 4764 return DiagnoseImpCast(S, E, T, CC, DiagID); 4765 } 4766 4767 // Diagnose conversions between different enumeration types. 4768 // In C, we pretend that the type of an EnumConstantDecl is its enumeration 4769 // type, to give us better diagnostics. 4770 QualType SourceType = E->getType(); 4771 if (!S.getLangOpts().CPlusPlus) { 4772 if (DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) 4773 if (EnumConstantDecl *ECD = dyn_cast<EnumConstantDecl>(DRE->getDecl())) { 4774 EnumDecl *Enum = cast<EnumDecl>(ECD->getDeclContext()); 4775 SourceType = S.Context.getTypeDeclType(Enum); 4776 Source = S.Context.getCanonicalType(SourceType).getTypePtr(); 4777 } 4778 } 4779 4780 if (const EnumType *SourceEnum = Source->getAs<EnumType>()) 4781 if (const EnumType *TargetEnum = Target->getAs<EnumType>()) 4782 if ((SourceEnum->getDecl()->getIdentifier() || 4783 SourceEnum->getDecl()->getTypedefNameForAnonDecl()) && 4784 (TargetEnum->getDecl()->getIdentifier() || 4785 TargetEnum->getDecl()->getTypedefNameForAnonDecl()) && 4786 SourceEnum != TargetEnum) { 4787 if (S.SourceMgr.isInSystemMacro(CC)) 4788 return; 4789 4790 return DiagnoseImpCast(S, E, SourceType, T, CC, 4791 diag::warn_impcast_different_enum_types); 4792 } 4793 4794 return; 4795 } 4796 4797 void CheckConditionalOperator(Sema &S, ConditionalOperator *E, 4798 SourceLocation CC, QualType T); 4799 4800 void CheckConditionalOperand(Sema &S, Expr *E, QualType T, 4801 SourceLocation CC, bool &ICContext) { 4802 E = E->IgnoreParenImpCasts(); 4803 4804 if (isa<ConditionalOperator>(E)) 4805 return CheckConditionalOperator(S, cast<ConditionalOperator>(E), CC, T); 4806 4807 AnalyzeImplicitConversions(S, E, CC); 4808 if (E->getType() != T) 4809 return CheckImplicitConversion(S, E, T, CC, &ICContext); 4810 return; 4811 } 4812 4813 void CheckConditionalOperator(Sema &S, ConditionalOperator *E, 4814 SourceLocation CC, QualType T) { 4815 AnalyzeImplicitConversions(S, E->getCond(), CC); 4816 4817 bool Suspicious = false; 4818 CheckConditionalOperand(S, E->getTrueExpr(), T, CC, Suspicious); 4819 CheckConditionalOperand(S, E->getFalseExpr(), T, CC, Suspicious); 4820 4821 // If -Wconversion would have warned about either of the candidates 4822 // for a signedness conversion to the context type... 4823 if (!Suspicious) return; 4824 4825 // ...but it's currently ignored... 4826 if (S.Diags.getDiagnosticLevel(diag::warn_impcast_integer_sign_conditional, 4827 CC)) 4828 return; 4829 4830 // ...then check whether it would have warned about either of the 4831 // candidates for a signedness conversion to the condition type. 4832 if (E->getType() == T) return; 4833 4834 Suspicious = false; 4835 CheckImplicitConversion(S, E->getTrueExpr()->IgnoreParenImpCasts(), 4836 E->getType(), CC, &Suspicious); 4837 if (!Suspicious) 4838 CheckImplicitConversion(S, E->getFalseExpr()->IgnoreParenImpCasts(), 4839 E->getType(), CC, &Suspicious); 4840 } 4841 4842 /// AnalyzeImplicitConversions - Find and report any interesting 4843 /// implicit conversions in the given expression. There are a couple 4844 /// of competing diagnostics here, -Wconversion and -Wsign-compare. 4845 void AnalyzeImplicitConversions(Sema &S, Expr *OrigE, SourceLocation CC) { 4846 QualType T = OrigE->getType(); 4847 Expr *E = OrigE->IgnoreParenImpCasts(); 4848 4849 if (E->isTypeDependent() || E->isValueDependent()) 4850 return; 4851 4852 // For conditional operators, we analyze the arguments as if they 4853 // were being fed directly into the output. 4854 if (isa<ConditionalOperator>(E)) { 4855 ConditionalOperator *CO = cast<ConditionalOperator>(E); 4856 CheckConditionalOperator(S, CO, CC, T); 4857 return; 4858 } 4859 4860 // Check implicit argument conversions for function calls. 4861 if (CallExpr *Call = dyn_cast<CallExpr>(E)) 4862 CheckImplicitArgumentConversions(S, Call, CC); 4863 4864 // Go ahead and check any implicit conversions we might have skipped. 4865 // The non-canonical typecheck is just an optimization; 4866 // CheckImplicitConversion will filter out dead implicit conversions. 4867 if (E->getType() != T) 4868 CheckImplicitConversion(S, E, T, CC); 4869 4870 // Now continue drilling into this expression. 4871 4872 // Skip past explicit casts. 4873 if (isa<ExplicitCastExpr>(E)) { 4874 E = cast<ExplicitCastExpr>(E)->getSubExpr()->IgnoreParenImpCasts(); 4875 return AnalyzeImplicitConversions(S, E, CC); 4876 } 4877 4878 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 4879 // Do a somewhat different check with comparison operators. 4880 if (BO->isComparisonOp()) 4881 return AnalyzeComparison(S, BO); 4882 4883 // And with simple assignments. 4884 if (BO->getOpcode() == BO_Assign) 4885 return AnalyzeAssignment(S, BO); 4886 } 4887 4888 // These break the otherwise-useful invariant below. Fortunately, 4889 // we don't really need to recurse into them, because any internal 4890 // expressions should have been analyzed already when they were 4891 // built into statements. 4892 if (isa<StmtExpr>(E)) return; 4893 4894 // Don't descend into unevaluated contexts. 4895 if (isa<UnaryExprOrTypeTraitExpr>(E)) return; 4896 4897 // Now just recurse over the expression's children. 4898 CC = E->getExprLoc(); 4899 BinaryOperator *BO = dyn_cast<BinaryOperator>(E); 4900 bool IsLogicalOperator = BO && BO->isLogicalOp(); 4901 for (Stmt::child_range I = E->children(); I; ++I) { 4902 Expr *ChildExpr = dyn_cast_or_null<Expr>(*I); 4903 if (!ChildExpr) 4904 continue; 4905 4906 if (IsLogicalOperator && 4907 isa<StringLiteral>(ChildExpr->IgnoreParenImpCasts())) 4908 // Ignore checking string literals that are in logical operators. 4909 continue; 4910 AnalyzeImplicitConversions(S, ChildExpr, CC); 4911 } 4912 } 4913 4914 } // end anonymous namespace 4915 4916 /// Diagnoses "dangerous" implicit conversions within the given 4917 /// expression (which is a full expression). Implements -Wconversion 4918 /// and -Wsign-compare. 4919 /// 4920 /// \param CC the "context" location of the implicit conversion, i.e. 4921 /// the most location of the syntactic entity requiring the implicit 4922 /// conversion 4923 void Sema::CheckImplicitConversions(Expr *E, SourceLocation CC) { 4924 // Don't diagnose in unevaluated contexts. 4925 if (isUnevaluatedContext()) 4926 return; 4927 4928 // Don't diagnose for value- or type-dependent expressions. 4929 if (E->isTypeDependent() || E->isValueDependent()) 4930 return; 4931 4932 // Check for array bounds violations in cases where the check isn't triggered 4933 // elsewhere for other Expr types (like BinaryOperators), e.g. when an 4934 // ArraySubscriptExpr is on the RHS of a variable initialization. 4935 CheckArrayAccess(E); 4936 4937 // This is not the right CC for (e.g.) a variable initialization. 4938 AnalyzeImplicitConversions(*this, E, CC); 4939 } 4940 4941 void Sema::CheckBitFieldInitialization(SourceLocation InitLoc, 4942 FieldDecl *BitField, 4943 Expr *Init) { 4944 (void) AnalyzeBitFieldAssignment(*this, BitField, Init, InitLoc); 4945 } 4946 4947 /// CheckParmsForFunctionDef - Check that the parameters of the given 4948 /// function are appropriate for the definition of a function. This 4949 /// takes care of any checks that cannot be performed on the 4950 /// declaration itself, e.g., that the types of each of the function 4951 /// parameters are complete. 4952 bool Sema::CheckParmsForFunctionDef(ParmVarDecl **P, ParmVarDecl **PEnd, 4953 bool CheckParameterNames) { 4954 bool HasInvalidParm = false; 4955 for (; P != PEnd; ++P) { 4956 ParmVarDecl *Param = *P; 4957 4958 // C99 6.7.5.3p4: the parameters in a parameter type list in a 4959 // function declarator that is part of a function definition of 4960 // that function shall not have incomplete type. 4961 // 4962 // This is also C++ [dcl.fct]p6. 4963 if (!Param->isInvalidDecl() && 4964 RequireCompleteType(Param->getLocation(), Param->getType(), 4965 diag::err_typecheck_decl_incomplete_type)) { 4966 Param->setInvalidDecl(); 4967 HasInvalidParm = true; 4968 } 4969 4970 // C99 6.9.1p5: If the declarator includes a parameter type list, the 4971 // declaration of each parameter shall include an identifier. 4972 if (CheckParameterNames && 4973 Param->getIdentifier() == 0 && 4974 !Param->isImplicit() && 4975 !getLangOpts().CPlusPlus) 4976 Diag(Param->getLocation(), diag::err_parameter_name_omitted); 4977 4978 // C99 6.7.5.3p12: 4979 // If the function declarator is not part of a definition of that 4980 // function, parameters may have incomplete type and may use the [*] 4981 // notation in their sequences of declarator specifiers to specify 4982 // variable length array types. 4983 QualType PType = Param->getOriginalType(); 4984 if (const ArrayType *AT = Context.getAsArrayType(PType)) { 4985 if (AT->getSizeModifier() == ArrayType::Star) { 4986 // FIXME: This diagnosic should point the '[*]' if source-location 4987 // information is added for it. 4988 Diag(Param->getLocation(), diag::err_array_star_in_function_definition); 4989 } 4990 } 4991 } 4992 4993 return HasInvalidParm; 4994 } 4995 4996 /// CheckCastAlign - Implements -Wcast-align, which warns when a 4997 /// pointer cast increases the alignment requirements. 4998 void Sema::CheckCastAlign(Expr *Op, QualType T, SourceRange TRange) { 4999 // This is actually a lot of work to potentially be doing on every 5000 // cast; don't do it if we're ignoring -Wcast_align (as is the default). 5001 if (getDiagnostics().getDiagnosticLevel(diag::warn_cast_align, 5002 TRange.getBegin()) 5003 == DiagnosticsEngine::Ignored) 5004 return; 5005 5006 // Ignore dependent types. 5007 if (T->isDependentType() || Op->getType()->isDependentType()) 5008 return; 5009 5010 // Require that the destination be a pointer type. 5011 const PointerType *DestPtr = T->getAs<PointerType>(); 5012 if (!DestPtr) return; 5013 5014 // If the destination has alignment 1, we're done. 5015 QualType DestPointee = DestPtr->getPointeeType(); 5016 if (DestPointee->isIncompleteType()) return; 5017 CharUnits DestAlign = Context.getTypeAlignInChars(DestPointee); 5018 if (DestAlign.isOne()) return; 5019 5020 // Require that the source be a pointer type. 5021 const PointerType *SrcPtr = Op->getType()->getAs<PointerType>(); 5022 if (!SrcPtr) return; 5023 QualType SrcPointee = SrcPtr->getPointeeType(); 5024 5025 // Whitelist casts from cv void*. We already implicitly 5026 // whitelisted casts to cv void*, since they have alignment 1. 5027 // Also whitelist casts involving incomplete types, which implicitly 5028 // includes 'void'. 5029 if (SrcPointee->isIncompleteType()) return; 5030 5031 CharUnits SrcAlign = Context.getTypeAlignInChars(SrcPointee); 5032 if (SrcAlign >= DestAlign) return; 5033 5034 Diag(TRange.getBegin(), diag::warn_cast_align) 5035 << Op->getType() << T 5036 << static_cast<unsigned>(SrcAlign.getQuantity()) 5037 << static_cast<unsigned>(DestAlign.getQuantity()) 5038 << TRange << Op->getSourceRange(); 5039 } 5040 5041 static const Type* getElementType(const Expr *BaseExpr) { 5042 const Type* EltType = BaseExpr->getType().getTypePtr(); 5043 if (EltType->isAnyPointerType()) 5044 return EltType->getPointeeType().getTypePtr(); 5045 else if (EltType->isArrayType()) 5046 return EltType->getBaseElementTypeUnsafe(); 5047 return EltType; 5048 } 5049 5050 /// \brief Check whether this array fits the idiom of a size-one tail padded 5051 /// array member of a struct. 5052 /// 5053 /// We avoid emitting out-of-bounds access warnings for such arrays as they are 5054 /// commonly used to emulate flexible arrays in C89 code. 5055 static bool IsTailPaddedMemberArray(Sema &S, llvm::APInt Size, 5056 const NamedDecl *ND) { 5057 if (Size != 1 || !ND) return false; 5058 5059 const FieldDecl *FD = dyn_cast<FieldDecl>(ND); 5060 if (!FD) return false; 5061 5062 // Don't consider sizes resulting from macro expansions or template argument 5063 // substitution to form C89 tail-padded arrays. 5064 5065 TypeSourceInfo *TInfo = FD->getTypeSourceInfo(); 5066 while (TInfo) { 5067 TypeLoc TL = TInfo->getTypeLoc(); 5068 // Look through typedefs. 5069 const TypedefTypeLoc *TTL = dyn_cast<TypedefTypeLoc>(&TL); 5070 if (TTL) { 5071 const TypedefNameDecl *TDL = TTL->getTypedefNameDecl(); 5072 TInfo = TDL->getTypeSourceInfo(); 5073 continue; 5074 } 5075 ConstantArrayTypeLoc CTL = cast<ConstantArrayTypeLoc>(TL); 5076 const Expr *SizeExpr = dyn_cast<IntegerLiteral>(CTL.getSizeExpr()); 5077 if (!SizeExpr || SizeExpr->getExprLoc().isMacroID()) 5078 return false; 5079 break; 5080 } 5081 5082 const RecordDecl *RD = dyn_cast<RecordDecl>(FD->getDeclContext()); 5083 if (!RD) return false; 5084 if (RD->isUnion()) return false; 5085 if (const CXXRecordDecl *CRD = dyn_cast<CXXRecordDecl>(RD)) { 5086 if (!CRD->isStandardLayout()) return false; 5087 } 5088 5089 // See if this is the last field decl in the record. 5090 const Decl *D = FD; 5091 while ((D = D->getNextDeclInContext())) 5092 if (isa<FieldDecl>(D)) 5093 return false; 5094 return true; 5095 } 5096 5097 void Sema::CheckArrayAccess(const Expr *BaseExpr, const Expr *IndexExpr, 5098 const ArraySubscriptExpr *ASE, 5099 bool AllowOnePastEnd, bool IndexNegated) { 5100 IndexExpr = IndexExpr->IgnoreParenImpCasts(); 5101 if (IndexExpr->isValueDependent()) 5102 return; 5103 5104 const Type *EffectiveType = getElementType(BaseExpr); 5105 BaseExpr = BaseExpr->IgnoreParenCasts(); 5106 const ConstantArrayType *ArrayTy = 5107 Context.getAsConstantArrayType(BaseExpr->getType()); 5108 if (!ArrayTy) 5109 return; 5110 5111 llvm::APSInt index; 5112 if (!IndexExpr->EvaluateAsInt(index, Context)) 5113 return; 5114 if (IndexNegated) 5115 index = -index; 5116 5117 const NamedDecl *ND = NULL; 5118 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr)) 5119 ND = dyn_cast<NamedDecl>(DRE->getDecl()); 5120 if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr)) 5121 ND = dyn_cast<NamedDecl>(ME->getMemberDecl()); 5122 5123 if (index.isUnsigned() || !index.isNegative()) { 5124 llvm::APInt size = ArrayTy->getSize(); 5125 if (!size.isStrictlyPositive()) 5126 return; 5127 5128 const Type* BaseType = getElementType(BaseExpr); 5129 if (BaseType != EffectiveType) { 5130 // Make sure we're comparing apples to apples when comparing index to size 5131 uint64_t ptrarith_typesize = Context.getTypeSize(EffectiveType); 5132 uint64_t array_typesize = Context.getTypeSize(BaseType); 5133 // Handle ptrarith_typesize being zero, such as when casting to void* 5134 if (!ptrarith_typesize) ptrarith_typesize = 1; 5135 if (ptrarith_typesize != array_typesize) { 5136 // There's a cast to a different size type involved 5137 uint64_t ratio = array_typesize / ptrarith_typesize; 5138 // TODO: Be smarter about handling cases where array_typesize is not a 5139 // multiple of ptrarith_typesize 5140 if (ptrarith_typesize * ratio == array_typesize) 5141 size *= llvm::APInt(size.getBitWidth(), ratio); 5142 } 5143 } 5144 5145 if (size.getBitWidth() > index.getBitWidth()) 5146 index = index.zext(size.getBitWidth()); 5147 else if (size.getBitWidth() < index.getBitWidth()) 5148 size = size.zext(index.getBitWidth()); 5149 5150 // For array subscripting the index must be less than size, but for pointer 5151 // arithmetic also allow the index (offset) to be equal to size since 5152 // computing the next address after the end of the array is legal and 5153 // commonly done e.g. in C++ iterators and range-based for loops. 5154 if (AllowOnePastEnd ? index.ule(size) : index.ult(size)) 5155 return; 5156 5157 // Also don't warn for arrays of size 1 which are members of some 5158 // structure. These are often used to approximate flexible arrays in C89 5159 // code. 5160 if (IsTailPaddedMemberArray(*this, size, ND)) 5161 return; 5162 5163 // Suppress the warning if the subscript expression (as identified by the 5164 // ']' location) and the index expression are both from macro expansions 5165 // within a system header. 5166 if (ASE) { 5167 SourceLocation RBracketLoc = SourceMgr.getSpellingLoc( 5168 ASE->getRBracketLoc()); 5169 if (SourceMgr.isInSystemHeader(RBracketLoc)) { 5170 SourceLocation IndexLoc = SourceMgr.getSpellingLoc( 5171 IndexExpr->getLocStart()); 5172 if (SourceMgr.isFromSameFile(RBracketLoc, IndexLoc)) 5173 return; 5174 } 5175 } 5176 5177 unsigned DiagID = diag::warn_ptr_arith_exceeds_bounds; 5178 if (ASE) 5179 DiagID = diag::warn_array_index_exceeds_bounds; 5180 5181 DiagRuntimeBehavior(BaseExpr->getLocStart(), BaseExpr, 5182 PDiag(DiagID) << index.toString(10, true) 5183 << size.toString(10, true) 5184 << (unsigned)size.getLimitedValue(~0U) 5185 << IndexExpr->getSourceRange()); 5186 } else { 5187 unsigned DiagID = diag::warn_array_index_precedes_bounds; 5188 if (!ASE) { 5189 DiagID = diag::warn_ptr_arith_precedes_bounds; 5190 if (index.isNegative()) index = -index; 5191 } 5192 5193 DiagRuntimeBehavior(BaseExpr->getLocStart(), BaseExpr, 5194 PDiag(DiagID) << index.toString(10, true) 5195 << IndexExpr->getSourceRange()); 5196 } 5197 5198 if (!ND) { 5199 // Try harder to find a NamedDecl to point at in the note. 5200 while (const ArraySubscriptExpr *ASE = 5201 dyn_cast<ArraySubscriptExpr>(BaseExpr)) 5202 BaseExpr = ASE->getBase()->IgnoreParenCasts(); 5203 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr)) 5204 ND = dyn_cast<NamedDecl>(DRE->getDecl()); 5205 if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr)) 5206 ND = dyn_cast<NamedDecl>(ME->getMemberDecl()); 5207 } 5208 5209 if (ND) 5210 DiagRuntimeBehavior(ND->getLocStart(), BaseExpr, 5211 PDiag(diag::note_array_index_out_of_bounds) 5212 << ND->getDeclName()); 5213 } 5214 5215 void Sema::CheckArrayAccess(const Expr *expr) { 5216 int AllowOnePastEnd = 0; 5217 while (expr) { 5218 expr = expr->IgnoreParenImpCasts(); 5219 switch (expr->getStmtClass()) { 5220 case Stmt::ArraySubscriptExprClass: { 5221 const ArraySubscriptExpr *ASE = cast<ArraySubscriptExpr>(expr); 5222 CheckArrayAccess(ASE->getBase(), ASE->getIdx(), ASE, 5223 AllowOnePastEnd > 0); 5224 return; 5225 } 5226 case Stmt::UnaryOperatorClass: { 5227 // Only unwrap the * and & unary operators 5228 const UnaryOperator *UO = cast<UnaryOperator>(expr); 5229 expr = UO->getSubExpr(); 5230 switch (UO->getOpcode()) { 5231 case UO_AddrOf: 5232 AllowOnePastEnd++; 5233 break; 5234 case UO_Deref: 5235 AllowOnePastEnd--; 5236 break; 5237 default: 5238 return; 5239 } 5240 break; 5241 } 5242 case Stmt::ConditionalOperatorClass: { 5243 const ConditionalOperator *cond = cast<ConditionalOperator>(expr); 5244 if (const Expr *lhs = cond->getLHS()) 5245 CheckArrayAccess(lhs); 5246 if (const Expr *rhs = cond->getRHS()) 5247 CheckArrayAccess(rhs); 5248 return; 5249 } 5250 default: 5251 return; 5252 } 5253 } 5254 } 5255 5256 //===--- CHECK: Objective-C retain cycles ----------------------------------// 5257 5258 namespace { 5259 struct RetainCycleOwner { 5260 RetainCycleOwner() : Variable(0), Indirect(false) {} 5261 VarDecl *Variable; 5262 SourceRange Range; 5263 SourceLocation Loc; 5264 bool Indirect; 5265 5266 void setLocsFrom(Expr *e) { 5267 Loc = e->getExprLoc(); 5268 Range = e->getSourceRange(); 5269 } 5270 }; 5271 } 5272 5273 /// Consider whether capturing the given variable can possibly lead to 5274 /// a retain cycle. 5275 static bool considerVariable(VarDecl *var, Expr *ref, RetainCycleOwner &owner) { 5276 // In ARC, it's captured strongly iff the variable has __strong 5277 // lifetime. In MRR, it's captured strongly if the variable is 5278 // __block and has an appropriate type. 5279 if (var->getType().getObjCLifetime() != Qualifiers::OCL_Strong) 5280 return false; 5281 5282 owner.Variable = var; 5283 owner.setLocsFrom(ref); 5284 return true; 5285 } 5286 5287 static bool findRetainCycleOwner(Sema &S, Expr *e, RetainCycleOwner &owner) { 5288 while (true) { 5289 e = e->IgnoreParens(); 5290 if (CastExpr *cast = dyn_cast<CastExpr>(e)) { 5291 switch (cast->getCastKind()) { 5292 case CK_BitCast: 5293 case CK_LValueBitCast: 5294 case CK_LValueToRValue: 5295 case CK_ARCReclaimReturnedObject: 5296 e = cast->getSubExpr(); 5297 continue; 5298 5299 default: 5300 return false; 5301 } 5302 } 5303 5304 if (ObjCIvarRefExpr *ref = dyn_cast<ObjCIvarRefExpr>(e)) { 5305 ObjCIvarDecl *ivar = ref->getDecl(); 5306 if (ivar->getType().getObjCLifetime() != Qualifiers::OCL_Strong) 5307 return false; 5308 5309 // Try to find a retain cycle in the base. 5310 if (!findRetainCycleOwner(S, ref->getBase(), owner)) 5311 return false; 5312 5313 if (ref->isFreeIvar()) owner.setLocsFrom(ref); 5314 owner.Indirect = true; 5315 return true; 5316 } 5317 5318 if (DeclRefExpr *ref = dyn_cast<DeclRefExpr>(e)) { 5319 VarDecl *var = dyn_cast<VarDecl>(ref->getDecl()); 5320 if (!var) return false; 5321 return considerVariable(var, ref, owner); 5322 } 5323 5324 if (MemberExpr *member = dyn_cast<MemberExpr>(e)) { 5325 if (member->isArrow()) return false; 5326 5327 // Don't count this as an indirect ownership. 5328 e = member->getBase(); 5329 continue; 5330 } 5331 5332 if (PseudoObjectExpr *pseudo = dyn_cast<PseudoObjectExpr>(e)) { 5333 // Only pay attention to pseudo-objects on property references. 5334 ObjCPropertyRefExpr *pre 5335 = dyn_cast<ObjCPropertyRefExpr>(pseudo->getSyntacticForm() 5336 ->IgnoreParens()); 5337 if (!pre) return false; 5338 if (pre->isImplicitProperty()) return false; 5339 ObjCPropertyDecl *property = pre->getExplicitProperty(); 5340 if (!property->isRetaining() && 5341 !(property->getPropertyIvarDecl() && 5342 property->getPropertyIvarDecl()->getType() 5343 .getObjCLifetime() == Qualifiers::OCL_Strong)) 5344 return false; 5345 5346 owner.Indirect = true; 5347 if (pre->isSuperReceiver()) { 5348 owner.Variable = S.getCurMethodDecl()->getSelfDecl(); 5349 if (!owner.Variable) 5350 return false; 5351 owner.Loc = pre->getLocation(); 5352 owner.Range = pre->getSourceRange(); 5353 return true; 5354 } 5355 e = const_cast<Expr*>(cast<OpaqueValueExpr>(pre->getBase()) 5356 ->getSourceExpr()); 5357 continue; 5358 } 5359 5360 // Array ivars? 5361 5362 return false; 5363 } 5364 } 5365 5366 namespace { 5367 struct FindCaptureVisitor : EvaluatedExprVisitor<FindCaptureVisitor> { 5368 FindCaptureVisitor(ASTContext &Context, VarDecl *variable) 5369 : EvaluatedExprVisitor<FindCaptureVisitor>(Context), 5370 Variable(variable), Capturer(0) {} 5371 5372 VarDecl *Variable; 5373 Expr *Capturer; 5374 5375 void VisitDeclRefExpr(DeclRefExpr *ref) { 5376 if (ref->getDecl() == Variable && !Capturer) 5377 Capturer = ref; 5378 } 5379 5380 void VisitObjCIvarRefExpr(ObjCIvarRefExpr *ref) { 5381 if (Capturer) return; 5382 Visit(ref->getBase()); 5383 if (Capturer && ref->isFreeIvar()) 5384 Capturer = ref; 5385 } 5386 5387 void VisitBlockExpr(BlockExpr *block) { 5388 // Look inside nested blocks 5389 if (block->getBlockDecl()->capturesVariable(Variable)) 5390 Visit(block->getBlockDecl()->getBody()); 5391 } 5392 5393 void VisitOpaqueValueExpr(OpaqueValueExpr *OVE) { 5394 if (Capturer) return; 5395 if (OVE->getSourceExpr()) 5396 Visit(OVE->getSourceExpr()); 5397 } 5398 }; 5399 } 5400 5401 /// Check whether the given argument is a block which captures a 5402 /// variable. 5403 static Expr *findCapturingExpr(Sema &S, Expr *e, RetainCycleOwner &owner) { 5404 assert(owner.Variable && owner.Loc.isValid()); 5405 5406 e = e->IgnoreParenCasts(); 5407 BlockExpr *block = dyn_cast<BlockExpr>(e); 5408 if (!block || !block->getBlockDecl()->capturesVariable(owner.Variable)) 5409 return 0; 5410 5411 FindCaptureVisitor visitor(S.Context, owner.Variable); 5412 visitor.Visit(block->getBlockDecl()->getBody()); 5413 return visitor.Capturer; 5414 } 5415 5416 static void diagnoseRetainCycle(Sema &S, Expr *capturer, 5417 RetainCycleOwner &owner) { 5418 assert(capturer); 5419 assert(owner.Variable && owner.Loc.isValid()); 5420 5421 S.Diag(capturer->getExprLoc(), diag::warn_arc_retain_cycle) 5422 << owner.Variable << capturer->getSourceRange(); 5423 S.Diag(owner.Loc, diag::note_arc_retain_cycle_owner) 5424 << owner.Indirect << owner.Range; 5425 } 5426 5427 /// Check for a keyword selector that starts with the word 'add' or 5428 /// 'set'. 5429 static bool isSetterLikeSelector(Selector sel) { 5430 if (sel.isUnarySelector()) return false; 5431 5432 StringRef str = sel.getNameForSlot(0); 5433 while (!str.empty() && str.front() == '_') str = str.substr(1); 5434 if (str.startswith("set")) 5435 str = str.substr(3); 5436 else if (str.startswith("add")) { 5437 // Specially whitelist 'addOperationWithBlock:'. 5438 if (sel.getNumArgs() == 1 && str.startswith("addOperationWithBlock")) 5439 return false; 5440 str = str.substr(3); 5441 } 5442 else 5443 return false; 5444 5445 if (str.empty()) return true; 5446 return !islower(str.front()); 5447 } 5448 5449 /// Check a message send to see if it's likely to cause a retain cycle. 5450 void Sema::checkRetainCycles(ObjCMessageExpr *msg) { 5451 // Only check instance methods whose selector looks like a setter. 5452 if (!msg->isInstanceMessage() || !isSetterLikeSelector(msg->getSelector())) 5453 return; 5454 5455 // Try to find a variable that the receiver is strongly owned by. 5456 RetainCycleOwner owner; 5457 if (msg->getReceiverKind() == ObjCMessageExpr::Instance) { 5458 if (!findRetainCycleOwner(*this, msg->getInstanceReceiver(), owner)) 5459 return; 5460 } else { 5461 assert(msg->getReceiverKind() == ObjCMessageExpr::SuperInstance); 5462 owner.Variable = getCurMethodDecl()->getSelfDecl(); 5463 owner.Loc = msg->getSuperLoc(); 5464 owner.Range = msg->getSuperLoc(); 5465 } 5466 5467 // Check whether the receiver is captured by any of the arguments. 5468 for (unsigned i = 0, e = msg->getNumArgs(); i != e; ++i) 5469 if (Expr *capturer = findCapturingExpr(*this, msg->getArg(i), owner)) 5470 return diagnoseRetainCycle(*this, capturer, owner); 5471 } 5472 5473 /// Check a property assign to see if it's likely to cause a retain cycle. 5474 void Sema::checkRetainCycles(Expr *receiver, Expr *argument) { 5475 RetainCycleOwner owner; 5476 if (!findRetainCycleOwner(*this, receiver, owner)) 5477 return; 5478 5479 if (Expr *capturer = findCapturingExpr(*this, argument, owner)) 5480 diagnoseRetainCycle(*this, capturer, owner); 5481 } 5482 5483 bool Sema::checkUnsafeAssigns(SourceLocation Loc, 5484 QualType LHS, Expr *RHS) { 5485 Qualifiers::ObjCLifetime LT = LHS.getObjCLifetime(); 5486 if (LT != Qualifiers::OCL_Weak && LT != Qualifiers::OCL_ExplicitNone) 5487 return false; 5488 // strip off any implicit cast added to get to the one arc-specific 5489 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) { 5490 if (cast->getCastKind() == CK_ARCConsumeObject) { 5491 Diag(Loc, diag::warn_arc_retained_assign) 5492 << (LT == Qualifiers::OCL_ExplicitNone) << 1 5493 << RHS->getSourceRange(); 5494 return true; 5495 } 5496 RHS = cast->getSubExpr(); 5497 } 5498 return false; 5499 } 5500 5501 void Sema::checkUnsafeExprAssigns(SourceLocation Loc, 5502 Expr *LHS, Expr *RHS) { 5503 QualType LHSType; 5504 // PropertyRef on LHS type need be directly obtained from 5505 // its declaration as it has a PsuedoType. 5506 ObjCPropertyRefExpr *PRE 5507 = dyn_cast<ObjCPropertyRefExpr>(LHS->IgnoreParens()); 5508 if (PRE && !PRE->isImplicitProperty()) { 5509 const ObjCPropertyDecl *PD = PRE->getExplicitProperty(); 5510 if (PD) 5511 LHSType = PD->getType(); 5512 } 5513 5514 if (LHSType.isNull()) 5515 LHSType = LHS->getType(); 5516 if (checkUnsafeAssigns(Loc, LHSType, RHS)) 5517 return; 5518 Qualifiers::ObjCLifetime LT = LHSType.getObjCLifetime(); 5519 // FIXME. Check for other life times. 5520 if (LT != Qualifiers::OCL_None) 5521 return; 5522 5523 if (PRE) { 5524 if (PRE->isImplicitProperty()) 5525 return; 5526 const ObjCPropertyDecl *PD = PRE->getExplicitProperty(); 5527 if (!PD) 5528 return; 5529 5530 unsigned Attributes = PD->getPropertyAttributes(); 5531 if (Attributes & ObjCPropertyDecl::OBJC_PR_assign) { 5532 // when 'assign' attribute was not explicitly specified 5533 // by user, ignore it and rely on property type itself 5534 // for lifetime info. 5535 unsigned AsWrittenAttr = PD->getPropertyAttributesAsWritten(); 5536 if (!(AsWrittenAttr & ObjCPropertyDecl::OBJC_PR_assign) && 5537 LHSType->isObjCRetainableType()) 5538 return; 5539 5540 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) { 5541 if (cast->getCastKind() == CK_ARCConsumeObject) { 5542 Diag(Loc, diag::warn_arc_retained_property_assign) 5543 << RHS->getSourceRange(); 5544 return; 5545 } 5546 RHS = cast->getSubExpr(); 5547 } 5548 } 5549 else if (Attributes & ObjCPropertyDecl::OBJC_PR_weak) { 5550 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) { 5551 if (cast->getCastKind() == CK_ARCConsumeObject) { 5552 Diag(Loc, diag::warn_arc_retained_assign) 5553 << 0 << 0<< RHS->getSourceRange(); 5554 return; 5555 } 5556 RHS = cast->getSubExpr(); 5557 } 5558 } 5559 } 5560 } 5561 5562 //===--- CHECK: Empty statement body (-Wempty-body) ---------------------===// 5563 5564 namespace { 5565 bool ShouldDiagnoseEmptyStmtBody(const SourceManager &SourceMgr, 5566 SourceLocation StmtLoc, 5567 const NullStmt *Body) { 5568 // Do not warn if the body is a macro that expands to nothing, e.g: 5569 // 5570 // #define CALL(x) 5571 // if (condition) 5572 // CALL(0); 5573 // 5574 if (Body->hasLeadingEmptyMacro()) 5575 return false; 5576 5577 // Get line numbers of statement and body. 5578 bool StmtLineInvalid; 5579 unsigned StmtLine = SourceMgr.getSpellingLineNumber(StmtLoc, 5580 &StmtLineInvalid); 5581 if (StmtLineInvalid) 5582 return false; 5583 5584 bool BodyLineInvalid; 5585 unsigned BodyLine = SourceMgr.getSpellingLineNumber(Body->getSemiLoc(), 5586 &BodyLineInvalid); 5587 if (BodyLineInvalid) 5588 return false; 5589 5590 // Warn if null statement and body are on the same line. 5591 if (StmtLine != BodyLine) 5592 return false; 5593 5594 return true; 5595 } 5596 } // Unnamed namespace 5597 5598 void Sema::DiagnoseEmptyStmtBody(SourceLocation StmtLoc, 5599 const Stmt *Body, 5600 unsigned DiagID) { 5601 // Since this is a syntactic check, don't emit diagnostic for template 5602 // instantiations, this just adds noise. 5603 if (CurrentInstantiationScope) 5604 return; 5605 5606 // The body should be a null statement. 5607 const NullStmt *NBody = dyn_cast<NullStmt>(Body); 5608 if (!NBody) 5609 return; 5610 5611 // Do the usual checks. 5612 if (!ShouldDiagnoseEmptyStmtBody(SourceMgr, StmtLoc, NBody)) 5613 return; 5614 5615 Diag(NBody->getSemiLoc(), DiagID); 5616 Diag(NBody->getSemiLoc(), diag::note_empty_body_on_separate_line); 5617 } 5618 5619 void Sema::DiagnoseEmptyLoopBody(const Stmt *S, 5620 const Stmt *PossibleBody) { 5621 assert(!CurrentInstantiationScope); // Ensured by caller 5622 5623 SourceLocation StmtLoc; 5624 const Stmt *Body; 5625 unsigned DiagID; 5626 if (const ForStmt *FS = dyn_cast<ForStmt>(S)) { 5627 StmtLoc = FS->getRParenLoc(); 5628 Body = FS->getBody(); 5629 DiagID = diag::warn_empty_for_body; 5630 } else if (const WhileStmt *WS = dyn_cast<WhileStmt>(S)) { 5631 StmtLoc = WS->getCond()->getSourceRange().getEnd(); 5632 Body = WS->getBody(); 5633 DiagID = diag::warn_empty_while_body; 5634 } else 5635 return; // Neither `for' nor `while'. 5636 5637 // The body should be a null statement. 5638 const NullStmt *NBody = dyn_cast<NullStmt>(Body); 5639 if (!NBody) 5640 return; 5641 5642 // Skip expensive checks if diagnostic is disabled. 5643 if (Diags.getDiagnosticLevel(DiagID, NBody->getSemiLoc()) == 5644 DiagnosticsEngine::Ignored) 5645 return; 5646 5647 // Do the usual checks. 5648 if (!ShouldDiagnoseEmptyStmtBody(SourceMgr, StmtLoc, NBody)) 5649 return; 5650 5651 // `for(...);' and `while(...);' are popular idioms, so in order to keep 5652 // noise level low, emit diagnostics only if for/while is followed by a 5653 // CompoundStmt, e.g.: 5654 // for (int i = 0; i < n; i++); 5655 // { 5656 // a(i); 5657 // } 5658 // or if for/while is followed by a statement with more indentation 5659 // than for/while itself: 5660 // for (int i = 0; i < n; i++); 5661 // a(i); 5662 bool ProbableTypo = isa<CompoundStmt>(PossibleBody); 5663 if (!ProbableTypo) { 5664 bool BodyColInvalid; 5665 unsigned BodyCol = SourceMgr.getPresumedColumnNumber( 5666 PossibleBody->getLocStart(), 5667 &BodyColInvalid); 5668 if (BodyColInvalid) 5669 return; 5670 5671 bool StmtColInvalid; 5672 unsigned StmtCol = SourceMgr.getPresumedColumnNumber( 5673 S->getLocStart(), 5674 &StmtColInvalid); 5675 if (StmtColInvalid) 5676 return; 5677 5678 if (BodyCol > StmtCol) 5679 ProbableTypo = true; 5680 } 5681 5682 if (ProbableTypo) { 5683 Diag(NBody->getSemiLoc(), DiagID); 5684 Diag(NBody->getSemiLoc(), diag::note_empty_body_on_separate_line); 5685 } 5686 } 5687 5688 //===--- Layout compatibility ----------------------------------------------// 5689 5690 namespace { 5691 5692 bool isLayoutCompatible(ASTContext &C, QualType T1, QualType T2); 5693 5694 /// \brief Check if two enumeration types are layout-compatible. 5695 bool isLayoutCompatible(ASTContext &C, EnumDecl *ED1, EnumDecl *ED2) { 5696 // C++11 [dcl.enum] p8: 5697 // Two enumeration types are layout-compatible if they have the same 5698 // underlying type. 5699 return ED1->isComplete() && ED2->isComplete() && 5700 C.hasSameType(ED1->getIntegerType(), ED2->getIntegerType()); 5701 } 5702 5703 /// \brief Check if two fields are layout-compatible. 5704 bool isLayoutCompatible(ASTContext &C, FieldDecl *Field1, FieldDecl *Field2) { 5705 if (!isLayoutCompatible(C, Field1->getType(), Field2->getType())) 5706 return false; 5707 5708 if (Field1->isBitField() != Field2->isBitField()) 5709 return false; 5710 5711 if (Field1->isBitField()) { 5712 // Make sure that the bit-fields are the same length. 5713 unsigned Bits1 = Field1->getBitWidthValue(C); 5714 unsigned Bits2 = Field2->getBitWidthValue(C); 5715 5716 if (Bits1 != Bits2) 5717 return false; 5718 } 5719 5720 return true; 5721 } 5722 5723 /// \brief Check if two standard-layout structs are layout-compatible. 5724 /// (C++11 [class.mem] p17) 5725 bool isLayoutCompatibleStruct(ASTContext &C, 5726 RecordDecl *RD1, 5727 RecordDecl *RD2) { 5728 // If both records are C++ classes, check that base classes match. 5729 if (const CXXRecordDecl *D1CXX = dyn_cast<CXXRecordDecl>(RD1)) { 5730 // If one of records is a CXXRecordDecl we are in C++ mode, 5731 // thus the other one is a CXXRecordDecl, too. 5732 const CXXRecordDecl *D2CXX = cast<CXXRecordDecl>(RD2); 5733 // Check number of base classes. 5734 if (D1CXX->getNumBases() != D2CXX->getNumBases()) 5735 return false; 5736 5737 // Check the base classes. 5738 for (CXXRecordDecl::base_class_const_iterator 5739 Base1 = D1CXX->bases_begin(), 5740 BaseEnd1 = D1CXX->bases_end(), 5741 Base2 = D2CXX->bases_begin(); 5742 Base1 != BaseEnd1; 5743 ++Base1, ++Base2) { 5744 if (!isLayoutCompatible(C, Base1->getType(), Base2->getType())) 5745 return false; 5746 } 5747 } else if (const CXXRecordDecl *D2CXX = dyn_cast<CXXRecordDecl>(RD2)) { 5748 // If only RD2 is a C++ class, it should have zero base classes. 5749 if (D2CXX->getNumBases() > 0) 5750 return false; 5751 } 5752 5753 // Check the fields. 5754 RecordDecl::field_iterator Field2 = RD2->field_begin(), 5755 Field2End = RD2->field_end(), 5756 Field1 = RD1->field_begin(), 5757 Field1End = RD1->field_end(); 5758 for ( ; Field1 != Field1End && Field2 != Field2End; ++Field1, ++Field2) { 5759 if (!isLayoutCompatible(C, *Field1, *Field2)) 5760 return false; 5761 } 5762 if (Field1 != Field1End || Field2 != Field2End) 5763 return false; 5764 5765 return true; 5766 } 5767 5768 /// \brief Check if two standard-layout unions are layout-compatible. 5769 /// (C++11 [class.mem] p18) 5770 bool isLayoutCompatibleUnion(ASTContext &C, 5771 RecordDecl *RD1, 5772 RecordDecl *RD2) { 5773 llvm::SmallPtrSet<FieldDecl *, 8> UnmatchedFields; 5774 for (RecordDecl::field_iterator Field2 = RD2->field_begin(), 5775 Field2End = RD2->field_end(); 5776 Field2 != Field2End; ++Field2) { 5777 UnmatchedFields.insert(*Field2); 5778 } 5779 5780 for (RecordDecl::field_iterator Field1 = RD1->field_begin(), 5781 Field1End = RD1->field_end(); 5782 Field1 != Field1End; ++Field1) { 5783 llvm::SmallPtrSet<FieldDecl *, 8>::iterator 5784 I = UnmatchedFields.begin(), 5785 E = UnmatchedFields.end(); 5786 5787 for ( ; I != E; ++I) { 5788 if (isLayoutCompatible(C, *Field1, *I)) { 5789 bool Result = UnmatchedFields.erase(*I); 5790 (void) Result; 5791 assert(Result); 5792 break; 5793 } 5794 } 5795 if (I == E) 5796 return false; 5797 } 5798 5799 return UnmatchedFields.empty(); 5800 } 5801 5802 bool isLayoutCompatible(ASTContext &C, RecordDecl *RD1, RecordDecl *RD2) { 5803 if (RD1->isUnion() != RD2->isUnion()) 5804 return false; 5805 5806 if (RD1->isUnion()) 5807 return isLayoutCompatibleUnion(C, RD1, RD2); 5808 else 5809 return isLayoutCompatibleStruct(C, RD1, RD2); 5810 } 5811 5812 /// \brief Check if two types are layout-compatible in C++11 sense. 5813 bool isLayoutCompatible(ASTContext &C, QualType T1, QualType T2) { 5814 if (T1.isNull() || T2.isNull()) 5815 return false; 5816 5817 // C++11 [basic.types] p11: 5818 // If two types T1 and T2 are the same type, then T1 and T2 are 5819 // layout-compatible types. 5820 if (C.hasSameType(T1, T2)) 5821 return true; 5822 5823 T1 = T1.getCanonicalType().getUnqualifiedType(); 5824 T2 = T2.getCanonicalType().getUnqualifiedType(); 5825 5826 const Type::TypeClass TC1 = T1->getTypeClass(); 5827 const Type::TypeClass TC2 = T2->getTypeClass(); 5828 5829 if (TC1 != TC2) 5830 return false; 5831 5832 if (TC1 == Type::Enum) { 5833 return isLayoutCompatible(C, 5834 cast<EnumType>(T1)->getDecl(), 5835 cast<EnumType>(T2)->getDecl()); 5836 } else if (TC1 == Type::Record) { 5837 if (!T1->isStandardLayoutType() || !T2->isStandardLayoutType()) 5838 return false; 5839 5840 return isLayoutCompatible(C, 5841 cast<RecordType>(T1)->getDecl(), 5842 cast<RecordType>(T2)->getDecl()); 5843 } 5844 5845 return false; 5846 } 5847 } 5848 5849 //===--- CHECK: pointer_with_type_tag attribute: datatypes should match ----// 5850 5851 namespace { 5852 /// \brief Given a type tag expression find the type tag itself. 5853 /// 5854 /// \param TypeExpr Type tag expression, as it appears in user's code. 5855 /// 5856 /// \param VD Declaration of an identifier that appears in a type tag. 5857 /// 5858 /// \param MagicValue Type tag magic value. 5859 bool FindTypeTagExpr(const Expr *TypeExpr, const ASTContext &Ctx, 5860 const ValueDecl **VD, uint64_t *MagicValue) { 5861 while(true) { 5862 if (!TypeExpr) 5863 return false; 5864 5865 TypeExpr = TypeExpr->IgnoreParenImpCasts()->IgnoreParenCasts(); 5866 5867 switch (TypeExpr->getStmtClass()) { 5868 case Stmt::UnaryOperatorClass: { 5869 const UnaryOperator *UO = cast<UnaryOperator>(TypeExpr); 5870 if (UO->getOpcode() == UO_AddrOf || UO->getOpcode() == UO_Deref) { 5871 TypeExpr = UO->getSubExpr(); 5872 continue; 5873 } 5874 return false; 5875 } 5876 5877 case Stmt::DeclRefExprClass: { 5878 const DeclRefExpr *DRE = cast<DeclRefExpr>(TypeExpr); 5879 *VD = DRE->getDecl(); 5880 return true; 5881 } 5882 5883 case Stmt::IntegerLiteralClass: { 5884 const IntegerLiteral *IL = cast<IntegerLiteral>(TypeExpr); 5885 llvm::APInt MagicValueAPInt = IL->getValue(); 5886 if (MagicValueAPInt.getActiveBits() <= 64) { 5887 *MagicValue = MagicValueAPInt.getZExtValue(); 5888 return true; 5889 } else 5890 return false; 5891 } 5892 5893 case Stmt::BinaryConditionalOperatorClass: 5894 case Stmt::ConditionalOperatorClass: { 5895 const AbstractConditionalOperator *ACO = 5896 cast<AbstractConditionalOperator>(TypeExpr); 5897 bool Result; 5898 if (ACO->getCond()->EvaluateAsBooleanCondition(Result, Ctx)) { 5899 if (Result) 5900 TypeExpr = ACO->getTrueExpr(); 5901 else 5902 TypeExpr = ACO->getFalseExpr(); 5903 continue; 5904 } 5905 return false; 5906 } 5907 5908 case Stmt::BinaryOperatorClass: { 5909 const BinaryOperator *BO = cast<BinaryOperator>(TypeExpr); 5910 if (BO->getOpcode() == BO_Comma) { 5911 TypeExpr = BO->getRHS(); 5912 continue; 5913 } 5914 return false; 5915 } 5916 5917 default: 5918 return false; 5919 } 5920 } 5921 } 5922 5923 /// \brief Retrieve the C type corresponding to type tag TypeExpr. 5924 /// 5925 /// \param TypeExpr Expression that specifies a type tag. 5926 /// 5927 /// \param MagicValues Registered magic values. 5928 /// 5929 /// \param FoundWrongKind Set to true if a type tag was found, but of a wrong 5930 /// kind. 5931 /// 5932 /// \param TypeInfo Information about the corresponding C type. 5933 /// 5934 /// \returns true if the corresponding C type was found. 5935 bool GetMatchingCType( 5936 const IdentifierInfo *ArgumentKind, 5937 const Expr *TypeExpr, const ASTContext &Ctx, 5938 const llvm::DenseMap<Sema::TypeTagMagicValue, 5939 Sema::TypeTagData> *MagicValues, 5940 bool &FoundWrongKind, 5941 Sema::TypeTagData &TypeInfo) { 5942 FoundWrongKind = false; 5943 5944 // Variable declaration that has type_tag_for_datatype attribute. 5945 const ValueDecl *VD = NULL; 5946 5947 uint64_t MagicValue; 5948 5949 if (!FindTypeTagExpr(TypeExpr, Ctx, &VD, &MagicValue)) 5950 return false; 5951 5952 if (VD) { 5953 for (specific_attr_iterator<TypeTagForDatatypeAttr> 5954 I = VD->specific_attr_begin<TypeTagForDatatypeAttr>(), 5955 E = VD->specific_attr_end<TypeTagForDatatypeAttr>(); 5956 I != E; ++I) { 5957 if (I->getArgumentKind() != ArgumentKind) { 5958 FoundWrongKind = true; 5959 return false; 5960 } 5961 TypeInfo.Type = I->getMatchingCType(); 5962 TypeInfo.LayoutCompatible = I->getLayoutCompatible(); 5963 TypeInfo.MustBeNull = I->getMustBeNull(); 5964 return true; 5965 } 5966 return false; 5967 } 5968 5969 if (!MagicValues) 5970 return false; 5971 5972 llvm::DenseMap<Sema::TypeTagMagicValue, 5973 Sema::TypeTagData>::const_iterator I = 5974 MagicValues->find(std::make_pair(ArgumentKind, MagicValue)); 5975 if (I == MagicValues->end()) 5976 return false; 5977 5978 TypeInfo = I->second; 5979 return true; 5980 } 5981 } // unnamed namespace 5982 5983 void Sema::RegisterTypeTagForDatatype(const IdentifierInfo *ArgumentKind, 5984 uint64_t MagicValue, QualType Type, 5985 bool LayoutCompatible, 5986 bool MustBeNull) { 5987 if (!TypeTagForDatatypeMagicValues) 5988 TypeTagForDatatypeMagicValues.reset( 5989 new llvm::DenseMap<TypeTagMagicValue, TypeTagData>); 5990 5991 TypeTagMagicValue Magic(ArgumentKind, MagicValue); 5992 (*TypeTagForDatatypeMagicValues)[Magic] = 5993 TypeTagData(Type, LayoutCompatible, MustBeNull); 5994 } 5995 5996 namespace { 5997 bool IsSameCharType(QualType T1, QualType T2) { 5998 const BuiltinType *BT1 = T1->getAs<BuiltinType>(); 5999 if (!BT1) 6000 return false; 6001 6002 const BuiltinType *BT2 = T2->getAs<BuiltinType>(); 6003 if (!BT2) 6004 return false; 6005 6006 BuiltinType::Kind T1Kind = BT1->getKind(); 6007 BuiltinType::Kind T2Kind = BT2->getKind(); 6008 6009 return (T1Kind == BuiltinType::SChar && T2Kind == BuiltinType::Char_S) || 6010 (T1Kind == BuiltinType::UChar && T2Kind == BuiltinType::Char_U) || 6011 (T1Kind == BuiltinType::Char_U && T2Kind == BuiltinType::UChar) || 6012 (T1Kind == BuiltinType::Char_S && T2Kind == BuiltinType::SChar); 6013 } 6014 } // unnamed namespace 6015 6016 void Sema::CheckArgumentWithTypeTag(const ArgumentWithTypeTagAttr *Attr, 6017 const Expr * const *ExprArgs) { 6018 const IdentifierInfo *ArgumentKind = Attr->getArgumentKind(); 6019 bool IsPointerAttr = Attr->getIsPointer(); 6020 6021 const Expr *TypeTagExpr = ExprArgs[Attr->getTypeTagIdx()]; 6022 bool FoundWrongKind; 6023 TypeTagData TypeInfo; 6024 if (!GetMatchingCType(ArgumentKind, TypeTagExpr, Context, 6025 TypeTagForDatatypeMagicValues.get(), 6026 FoundWrongKind, TypeInfo)) { 6027 if (FoundWrongKind) 6028 Diag(TypeTagExpr->getExprLoc(), 6029 diag::warn_type_tag_for_datatype_wrong_kind) 6030 << TypeTagExpr->getSourceRange(); 6031 return; 6032 } 6033 6034 const Expr *ArgumentExpr = ExprArgs[Attr->getArgumentIdx()]; 6035 if (IsPointerAttr) { 6036 // Skip implicit cast of pointer to `void *' (as a function argument). 6037 if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(ArgumentExpr)) 6038 if (ICE->getType()->isVoidPointerType()) 6039 ArgumentExpr = ICE->getSubExpr(); 6040 } 6041 QualType ArgumentType = ArgumentExpr->getType(); 6042 6043 // Passing a `void*' pointer shouldn't trigger a warning. 6044 if (IsPointerAttr && ArgumentType->isVoidPointerType()) 6045 return; 6046 6047 if (TypeInfo.MustBeNull) { 6048 // Type tag with matching void type requires a null pointer. 6049 if (!ArgumentExpr->isNullPointerConstant(Context, 6050 Expr::NPC_ValueDependentIsNotNull)) { 6051 Diag(ArgumentExpr->getExprLoc(), 6052 diag::warn_type_safety_null_pointer_required) 6053 << ArgumentKind->getName() 6054 << ArgumentExpr->getSourceRange() 6055 << TypeTagExpr->getSourceRange(); 6056 } 6057 return; 6058 } 6059 6060 QualType RequiredType = TypeInfo.Type; 6061 if (IsPointerAttr) 6062 RequiredType = Context.getPointerType(RequiredType); 6063 6064 bool mismatch = false; 6065 if (!TypeInfo.LayoutCompatible) { 6066 mismatch = !Context.hasSameType(ArgumentType, RequiredType); 6067 6068 // C++11 [basic.fundamental] p1: 6069 // Plain char, signed char, and unsigned char are three distinct types. 6070 // 6071 // But we treat plain `char' as equivalent to `signed char' or `unsigned 6072 // char' depending on the current char signedness mode. 6073 if (mismatch) 6074 if ((IsPointerAttr && IsSameCharType(ArgumentType->getPointeeType(), 6075 RequiredType->getPointeeType())) || 6076 (!IsPointerAttr && IsSameCharType(ArgumentType, RequiredType))) 6077 mismatch = false; 6078 } else 6079 if (IsPointerAttr) 6080 mismatch = !isLayoutCompatible(Context, 6081 ArgumentType->getPointeeType(), 6082 RequiredType->getPointeeType()); 6083 else 6084 mismatch = !isLayoutCompatible(Context, ArgumentType, RequiredType); 6085 6086 if (mismatch) 6087 Diag(ArgumentExpr->getExprLoc(), diag::warn_type_safety_type_mismatch) 6088 << ArgumentType << ArgumentKind->getName() 6089 << TypeInfo.LayoutCompatible << RequiredType 6090 << ArgumentExpr->getSourceRange() 6091 << TypeTagExpr->getSourceRange(); 6092 } 6093 6094
