1 //===--- SemaChecking.cpp - Extra Semantic Checking -----------------------===// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file implements extra semantic analysis beyond what is enforced 11 // by the C type system. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "clang/Sema/SemaInternal.h" 16 #include "clang/AST/ASTContext.h" 17 #include "clang/AST/CharUnits.h" 18 #include "clang/AST/DeclCXX.h" 19 #include "clang/AST/DeclObjC.h" 20 #include "clang/AST/EvaluatedExprVisitor.h" 21 #include "clang/AST/Expr.h" 22 #include "clang/AST/ExprCXX.h" 23 #include "clang/AST/ExprObjC.h" 24 #include "clang/AST/StmtCXX.h" 25 #include "clang/AST/StmtObjC.h" 26 #include "clang/Analysis/Analyses/FormatString.h" 27 #include "clang/Basic/CharInfo.h" 28 #include "clang/Basic/TargetBuiltins.h" 29 #include "clang/Basic/TargetInfo.h" 30 #include "clang/Lex/Preprocessor.h" 31 #include "clang/Sema/Initialization.h" 32 #include "clang/Sema/Lookup.h" 33 #include "clang/Sema/ScopeInfo.h" 34 #include "clang/Sema/Sema.h" 35 #include "llvm/ADT/SmallBitVector.h" 36 #include "llvm/ADT/SmallString.h" 37 #include "llvm/ADT/STLExtras.h" 38 #include "llvm/Support/ConvertUTF.h" 39 #include "llvm/Support/raw_ostream.h" 40 #include <limits> 41 using namespace clang; 42 using namespace sema; 43 44 SourceLocation Sema::getLocationOfStringLiteralByte(const StringLiteral *SL, 45 unsigned ByteNo) const { 46 return SL->getLocationOfByte(ByteNo, PP.getSourceManager(), 47 PP.getLangOpts(), PP.getTargetInfo()); 48 } 49 50 /// Checks that a call expression's argument count is the desired number. 51 /// This is useful when doing custom type-checking. Returns true on error. 52 static bool checkArgCount(Sema &S, CallExpr *call, unsigned desiredArgCount) { 53 unsigned argCount = call->getNumArgs(); 54 if (argCount == desiredArgCount) return false; 55 56 if (argCount < desiredArgCount) 57 return S.Diag(call->getLocEnd(), diag::err_typecheck_call_too_few_args) 58 << 0 /*function call*/ << desiredArgCount << argCount 59 << call->getSourceRange(); 60 61 // Highlight all the excess arguments. 62 SourceRange range(call->getArg(desiredArgCount)->getLocStart(), 63 call->getArg(argCount - 1)->getLocEnd()); 64 65 return S.Diag(range.getBegin(), diag::err_typecheck_call_too_many_args) 66 << 0 /*function call*/ << desiredArgCount << argCount 67 << call->getArg(1)->getSourceRange(); 68 } 69 70 /// Check that the first argument to __builtin_annotation is an integer 71 /// and the second argument is a non-wide string literal. 72 static bool SemaBuiltinAnnotation(Sema &S, CallExpr *TheCall) { 73 if (checkArgCount(S, TheCall, 2)) 74 return true; 75 76 // First argument should be an integer. 77 Expr *ValArg = TheCall->getArg(0); 78 QualType Ty = ValArg->getType(); 79 if (!Ty->isIntegerType()) { 80 S.Diag(ValArg->getLocStart(), diag::err_builtin_annotation_first_arg) 81 << ValArg->getSourceRange(); 82 return true; 83 } 84 85 // Second argument should be a constant string. 86 Expr *StrArg = TheCall->getArg(1)->IgnoreParenCasts(); 87 StringLiteral *Literal = dyn_cast<StringLiteral>(StrArg); 88 if (!Literal || !Literal->isAscii()) { 89 S.Diag(StrArg->getLocStart(), diag::err_builtin_annotation_second_arg) 90 << StrArg->getSourceRange(); 91 return true; 92 } 93 94 TheCall->setType(Ty); 95 return false; 96 } 97 98 /// Check that the argument to __builtin_addressof is a glvalue, and set the 99 /// result type to the corresponding pointer type. 100 static bool SemaBuiltinAddressof(Sema &S, CallExpr *TheCall) { 101 if (checkArgCount(S, TheCall, 1)) 102 return true; 103 104 ExprResult Arg(S.Owned(TheCall->getArg(0))); 105 QualType ResultType = S.CheckAddressOfOperand(Arg, TheCall->getLocStart()); 106 if (ResultType.isNull()) 107 return true; 108 109 TheCall->setArg(0, Arg.take()); 110 TheCall->setType(ResultType); 111 return false; 112 } 113 114 ExprResult 115 Sema::CheckBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 116 ExprResult TheCallResult(Owned(TheCall)); 117 118 // Find out if any arguments are required to be integer constant expressions. 119 unsigned ICEArguments = 0; 120 ASTContext::GetBuiltinTypeError Error; 121 Context.GetBuiltinType(BuiltinID, Error, &ICEArguments); 122 if (Error != ASTContext::GE_None) 123 ICEArguments = 0; // Don't diagnose previously diagnosed errors. 124 125 // If any arguments are required to be ICE's, check and diagnose. 126 for (unsigned ArgNo = 0; ICEArguments != 0; ++ArgNo) { 127 // Skip arguments not required to be ICE's. 128 if ((ICEArguments & (1 << ArgNo)) == 0) continue; 129 130 llvm::APSInt Result; 131 if (SemaBuiltinConstantArg(TheCall, ArgNo, Result)) 132 return true; 133 ICEArguments &= ~(1 << ArgNo); 134 } 135 136 switch (BuiltinID) { 137 case Builtin::BI__builtin___CFStringMakeConstantString: 138 assert(TheCall->getNumArgs() == 1 && 139 "Wrong # arguments to builtin CFStringMakeConstantString"); 140 if (CheckObjCString(TheCall->getArg(0))) 141 return ExprError(); 142 break; 143 case Builtin::BI__builtin_stdarg_start: 144 case Builtin::BI__builtin_va_start: 145 if (SemaBuiltinVAStart(TheCall)) 146 return ExprError(); 147 break; 148 case Builtin::BI__builtin_isgreater: 149 case Builtin::BI__builtin_isgreaterequal: 150 case Builtin::BI__builtin_isless: 151 case Builtin::BI__builtin_islessequal: 152 case Builtin::BI__builtin_islessgreater: 153 case Builtin::BI__builtin_isunordered: 154 if (SemaBuiltinUnorderedCompare(TheCall)) 155 return ExprError(); 156 break; 157 case Builtin::BI__builtin_fpclassify: 158 if (SemaBuiltinFPClassification(TheCall, 6)) 159 return ExprError(); 160 break; 161 case Builtin::BI__builtin_isfinite: 162 case Builtin::BI__builtin_isinf: 163 case Builtin::BI__builtin_isinf_sign: 164 case Builtin::BI__builtin_isnan: 165 case Builtin::BI__builtin_isnormal: 166 if (SemaBuiltinFPClassification(TheCall, 1)) 167 return ExprError(); 168 break; 169 case Builtin::BI__builtin_shufflevector: 170 return SemaBuiltinShuffleVector(TheCall); 171 // TheCall will be freed by the smart pointer here, but that's fine, since 172 // SemaBuiltinShuffleVector guts it, but then doesn't release it. 173 case Builtin::BI__builtin_prefetch: 174 if (SemaBuiltinPrefetch(TheCall)) 175 return ExprError(); 176 break; 177 case Builtin::BI__builtin_object_size: 178 if (SemaBuiltinObjectSize(TheCall)) 179 return ExprError(); 180 break; 181 case Builtin::BI__builtin_longjmp: 182 if (SemaBuiltinLongjmp(TheCall)) 183 return ExprError(); 184 break; 185 186 case Builtin::BI__builtin_classify_type: 187 if (checkArgCount(*this, TheCall, 1)) return true; 188 TheCall->setType(Context.IntTy); 189 break; 190 case Builtin::BI__builtin_constant_p: 191 if (checkArgCount(*this, TheCall, 1)) return true; 192 TheCall->setType(Context.IntTy); 193 break; 194 case Builtin::BI__sync_fetch_and_add: 195 case Builtin::BI__sync_fetch_and_add_1: 196 case Builtin::BI__sync_fetch_and_add_2: 197 case Builtin::BI__sync_fetch_and_add_4: 198 case Builtin::BI__sync_fetch_and_add_8: 199 case Builtin::BI__sync_fetch_and_add_16: 200 case Builtin::BI__sync_fetch_and_sub: 201 case Builtin::BI__sync_fetch_and_sub_1: 202 case Builtin::BI__sync_fetch_and_sub_2: 203 case Builtin::BI__sync_fetch_and_sub_4: 204 case Builtin::BI__sync_fetch_and_sub_8: 205 case Builtin::BI__sync_fetch_and_sub_16: 206 case Builtin::BI__sync_fetch_and_or: 207 case Builtin::BI__sync_fetch_and_or_1: 208 case Builtin::BI__sync_fetch_and_or_2: 209 case Builtin::BI__sync_fetch_and_or_4: 210 case Builtin::BI__sync_fetch_and_or_8: 211 case Builtin::BI__sync_fetch_and_or_16: 212 case Builtin::BI__sync_fetch_and_and: 213 case Builtin::BI__sync_fetch_and_and_1: 214 case Builtin::BI__sync_fetch_and_and_2: 215 case Builtin::BI__sync_fetch_and_and_4: 216 case Builtin::BI__sync_fetch_and_and_8: 217 case Builtin::BI__sync_fetch_and_and_16: 218 case Builtin::BI__sync_fetch_and_xor: 219 case Builtin::BI__sync_fetch_and_xor_1: 220 case Builtin::BI__sync_fetch_and_xor_2: 221 case Builtin::BI__sync_fetch_and_xor_4: 222 case Builtin::BI__sync_fetch_and_xor_8: 223 case Builtin::BI__sync_fetch_and_xor_16: 224 case Builtin::BI__sync_add_and_fetch: 225 case Builtin::BI__sync_add_and_fetch_1: 226 case Builtin::BI__sync_add_and_fetch_2: 227 case Builtin::BI__sync_add_and_fetch_4: 228 case Builtin::BI__sync_add_and_fetch_8: 229 case Builtin::BI__sync_add_and_fetch_16: 230 case Builtin::BI__sync_sub_and_fetch: 231 case Builtin::BI__sync_sub_and_fetch_1: 232 case Builtin::BI__sync_sub_and_fetch_2: 233 case Builtin::BI__sync_sub_and_fetch_4: 234 case Builtin::BI__sync_sub_and_fetch_8: 235 case Builtin::BI__sync_sub_and_fetch_16: 236 case Builtin::BI__sync_and_and_fetch: 237 case Builtin::BI__sync_and_and_fetch_1: 238 case Builtin::BI__sync_and_and_fetch_2: 239 case Builtin::BI__sync_and_and_fetch_4: 240 case Builtin::BI__sync_and_and_fetch_8: 241 case Builtin::BI__sync_and_and_fetch_16: 242 case Builtin::BI__sync_or_and_fetch: 243 case Builtin::BI__sync_or_and_fetch_1: 244 case Builtin::BI__sync_or_and_fetch_2: 245 case Builtin::BI__sync_or_and_fetch_4: 246 case Builtin::BI__sync_or_and_fetch_8: 247 case Builtin::BI__sync_or_and_fetch_16: 248 case Builtin::BI__sync_xor_and_fetch: 249 case Builtin::BI__sync_xor_and_fetch_1: 250 case Builtin::BI__sync_xor_and_fetch_2: 251 case Builtin::BI__sync_xor_and_fetch_4: 252 case Builtin::BI__sync_xor_and_fetch_8: 253 case Builtin::BI__sync_xor_and_fetch_16: 254 case Builtin::BI__sync_val_compare_and_swap: 255 case Builtin::BI__sync_val_compare_and_swap_1: 256 case Builtin::BI__sync_val_compare_and_swap_2: 257 case Builtin::BI__sync_val_compare_and_swap_4: 258 case Builtin::BI__sync_val_compare_and_swap_8: 259 case Builtin::BI__sync_val_compare_and_swap_16: 260 case Builtin::BI__sync_bool_compare_and_swap: 261 case Builtin::BI__sync_bool_compare_and_swap_1: 262 case Builtin::BI__sync_bool_compare_and_swap_2: 263 case Builtin::BI__sync_bool_compare_and_swap_4: 264 case Builtin::BI__sync_bool_compare_and_swap_8: 265 case Builtin::BI__sync_bool_compare_and_swap_16: 266 case Builtin::BI__sync_lock_test_and_set: 267 case Builtin::BI__sync_lock_test_and_set_1: 268 case Builtin::BI__sync_lock_test_and_set_2: 269 case Builtin::BI__sync_lock_test_and_set_4: 270 case Builtin::BI__sync_lock_test_and_set_8: 271 case Builtin::BI__sync_lock_test_and_set_16: 272 case Builtin::BI__sync_lock_release: 273 case Builtin::BI__sync_lock_release_1: 274 case Builtin::BI__sync_lock_release_2: 275 case Builtin::BI__sync_lock_release_4: 276 case Builtin::BI__sync_lock_release_8: 277 case Builtin::BI__sync_lock_release_16: 278 case Builtin::BI__sync_swap: 279 case Builtin::BI__sync_swap_1: 280 case Builtin::BI__sync_swap_2: 281 case Builtin::BI__sync_swap_4: 282 case Builtin::BI__sync_swap_8: 283 case Builtin::BI__sync_swap_16: 284 return SemaBuiltinAtomicOverloaded(TheCallResult); 285 #define BUILTIN(ID, TYPE, ATTRS) 286 #define ATOMIC_BUILTIN(ID, TYPE, ATTRS) \ 287 case Builtin::BI##ID: \ 288 return SemaAtomicOpsOverloaded(TheCallResult, AtomicExpr::AO##ID); 289 #include "clang/Basic/Builtins.def" 290 case Builtin::BI__builtin_annotation: 291 if (SemaBuiltinAnnotation(*this, TheCall)) 292 return ExprError(); 293 break; 294 case Builtin::BI__builtin_addressof: 295 if (SemaBuiltinAddressof(*this, TheCall)) 296 return ExprError(); 297 break; 298 } 299 300 // Since the target specific builtins for each arch overlap, only check those 301 // of the arch we are compiling for. 302 if (BuiltinID >= Builtin::FirstTSBuiltin) { 303 switch (Context.getTargetInfo().getTriple().getArch()) { 304 case llvm::Triple::arm: 305 case llvm::Triple::thumb: 306 if (CheckARMBuiltinFunctionCall(BuiltinID, TheCall)) 307 return ExprError(); 308 break; 309 case llvm::Triple::aarch64: 310 if (CheckAArch64BuiltinFunctionCall(BuiltinID, TheCall)) 311 return ExprError(); 312 break; 313 case llvm::Triple::mips: 314 case llvm::Triple::mipsel: 315 case llvm::Triple::mips64: 316 case llvm::Triple::mips64el: 317 if (CheckMipsBuiltinFunctionCall(BuiltinID, TheCall)) 318 return ExprError(); 319 break; 320 default: 321 break; 322 } 323 } 324 325 return TheCallResult; 326 } 327 328 // Get the valid immediate range for the specified NEON type code. 329 static unsigned RFT(unsigned t, bool shift = false) { 330 NeonTypeFlags Type(t); 331 int IsQuad = Type.isQuad(); 332 switch (Type.getEltType()) { 333 case NeonTypeFlags::Int8: 334 case NeonTypeFlags::Poly8: 335 return shift ? 7 : (8 << IsQuad) - 1; 336 case NeonTypeFlags::Int16: 337 case NeonTypeFlags::Poly16: 338 return shift ? 15 : (4 << IsQuad) - 1; 339 case NeonTypeFlags::Int32: 340 return shift ? 31 : (2 << IsQuad) - 1; 341 case NeonTypeFlags::Int64: 342 return shift ? 63 : (1 << IsQuad) - 1; 343 case NeonTypeFlags::Float16: 344 assert(!shift && "cannot shift float types!"); 345 return (4 << IsQuad) - 1; 346 case NeonTypeFlags::Float32: 347 assert(!shift && "cannot shift float types!"); 348 return (2 << IsQuad) - 1; 349 case NeonTypeFlags::Float64: 350 assert(!shift && "cannot shift float types!"); 351 return (1 << IsQuad) - 1; 352 } 353 llvm_unreachable("Invalid NeonTypeFlag!"); 354 } 355 356 /// getNeonEltType - Return the QualType corresponding to the elements of 357 /// the vector type specified by the NeonTypeFlags. This is used to check 358 /// the pointer arguments for Neon load/store intrinsics. 359 static QualType getNeonEltType(NeonTypeFlags Flags, ASTContext &Context) { 360 switch (Flags.getEltType()) { 361 case NeonTypeFlags::Int8: 362 return Flags.isUnsigned() ? Context.UnsignedCharTy : Context.SignedCharTy; 363 case NeonTypeFlags::Int16: 364 return Flags.isUnsigned() ? Context.UnsignedShortTy : Context.ShortTy; 365 case NeonTypeFlags::Int32: 366 return Flags.isUnsigned() ? Context.UnsignedIntTy : Context.IntTy; 367 case NeonTypeFlags::Int64: 368 return Flags.isUnsigned() ? Context.UnsignedLongLongTy : Context.LongLongTy; 369 case NeonTypeFlags::Poly8: 370 return Context.SignedCharTy; 371 case NeonTypeFlags::Poly16: 372 return Context.ShortTy; 373 case NeonTypeFlags::Float16: 374 return Context.UnsignedShortTy; 375 case NeonTypeFlags::Float32: 376 return Context.FloatTy; 377 case NeonTypeFlags::Float64: 378 return Context.DoubleTy; 379 } 380 llvm_unreachable("Invalid NeonTypeFlag!"); 381 } 382 383 bool Sema::CheckAArch64BuiltinFunctionCall(unsigned BuiltinID, 384 CallExpr *TheCall) { 385 386 llvm::APSInt Result; 387 388 uint64_t mask = 0; 389 unsigned TV = 0; 390 int PtrArgNum = -1; 391 bool HasConstPtr = false; 392 switch (BuiltinID) { 393 #define GET_NEON_AARCH64_OVERLOAD_CHECK 394 #include "clang/Basic/arm_neon.inc" 395 #undef GET_NEON_AARCH64_OVERLOAD_CHECK 396 } 397 398 // For NEON intrinsics which are overloaded on vector element type, validate 399 // the immediate which specifies which variant to emit. 400 unsigned ImmArg = TheCall->getNumArgs() - 1; 401 if (mask) { 402 if (SemaBuiltinConstantArg(TheCall, ImmArg, Result)) 403 return true; 404 405 TV = Result.getLimitedValue(64); 406 if ((TV > 63) || (mask & (1ULL << TV)) == 0) 407 return Diag(TheCall->getLocStart(), diag::err_invalid_neon_type_code) 408 << TheCall->getArg(ImmArg)->getSourceRange(); 409 } 410 411 if (PtrArgNum >= 0) { 412 // Check that pointer arguments have the specified type. 413 Expr *Arg = TheCall->getArg(PtrArgNum); 414 if (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Arg)) 415 Arg = ICE->getSubExpr(); 416 ExprResult RHS = DefaultFunctionArrayLvalueConversion(Arg); 417 QualType RHSTy = RHS.get()->getType(); 418 QualType EltTy = getNeonEltType(NeonTypeFlags(TV), Context); 419 if (HasConstPtr) 420 EltTy = EltTy.withConst(); 421 QualType LHSTy = Context.getPointerType(EltTy); 422 AssignConvertType ConvTy; 423 ConvTy = CheckSingleAssignmentConstraints(LHSTy, RHS); 424 if (RHS.isInvalid()) 425 return true; 426 if (DiagnoseAssignmentResult(ConvTy, Arg->getLocStart(), LHSTy, RHSTy, 427 RHS.get(), AA_Assigning)) 428 return true; 429 } 430 431 // For NEON intrinsics which take an immediate value as part of the 432 // instruction, range check them here. 433 unsigned i = 0, l = 0, u = 0; 434 switch (BuiltinID) { 435 default: 436 return false; 437 #define GET_NEON_AARCH64_IMMEDIATE_CHECK 438 #include "clang/Basic/arm_neon.inc" 439 #undef GET_NEON_AARCH64_IMMEDIATE_CHECK 440 } 441 ; 442 443 // We can't check the value of a dependent argument. 444 if (TheCall->getArg(i)->isTypeDependent() || 445 TheCall->getArg(i)->isValueDependent()) 446 return false; 447 448 // Check that the immediate argument is actually a constant. 449 if (SemaBuiltinConstantArg(TheCall, i, Result)) 450 return true; 451 452 // Range check against the upper/lower values for this isntruction. 453 unsigned Val = Result.getZExtValue(); 454 if (Val < l || Val > (u + l)) 455 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 456 << l << u + l << TheCall->getArg(i)->getSourceRange(); 457 458 return false; 459 } 460 461 bool Sema::CheckARMBuiltinExclusiveCall(unsigned BuiltinID, CallExpr *TheCall) { 462 assert((BuiltinID == ARM::BI__builtin_arm_ldrex || 463 BuiltinID == ARM::BI__builtin_arm_strex) && 464 "unexpected ARM builtin"); 465 bool IsLdrex = BuiltinID == ARM::BI__builtin_arm_ldrex; 466 467 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 468 469 // Ensure that we have the proper number of arguments. 470 if (checkArgCount(*this, TheCall, IsLdrex ? 1 : 2)) 471 return true; 472 473 // Inspect the pointer argument of the atomic builtin. This should always be 474 // a pointer type, whose element is an integral scalar or pointer type. 475 // Because it is a pointer type, we don't have to worry about any implicit 476 // casts here. 477 Expr *PointerArg = TheCall->getArg(IsLdrex ? 0 : 1); 478 ExprResult PointerArgRes = DefaultFunctionArrayLvalueConversion(PointerArg); 479 if (PointerArgRes.isInvalid()) 480 return true; 481 PointerArg = PointerArgRes.take(); 482 483 const PointerType *pointerType = PointerArg->getType()->getAs<PointerType>(); 484 if (!pointerType) { 485 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 486 << PointerArg->getType() << PointerArg->getSourceRange(); 487 return true; 488 } 489 490 // ldrex takes a "const volatile T*" and strex takes a "volatile T*". Our next 491 // task is to insert the appropriate casts into the AST. First work out just 492 // what the appropriate type is. 493 QualType ValType = pointerType->getPointeeType(); 494 QualType AddrType = ValType.getUnqualifiedType().withVolatile(); 495 if (IsLdrex) 496 AddrType.addConst(); 497 498 // Issue a warning if the cast is dodgy. 499 CastKind CastNeeded = CK_NoOp; 500 if (!AddrType.isAtLeastAsQualifiedAs(ValType)) { 501 CastNeeded = CK_BitCast; 502 Diag(DRE->getLocStart(), diag::ext_typecheck_convert_discards_qualifiers) 503 << PointerArg->getType() 504 << Context.getPointerType(AddrType) 505 << AA_Passing << PointerArg->getSourceRange(); 506 } 507 508 // Finally, do the cast and replace the argument with the corrected version. 509 AddrType = Context.getPointerType(AddrType); 510 PointerArgRes = ImpCastExprToType(PointerArg, AddrType, CastNeeded); 511 if (PointerArgRes.isInvalid()) 512 return true; 513 PointerArg = PointerArgRes.take(); 514 515 TheCall->setArg(IsLdrex ? 0 : 1, PointerArg); 516 517 // In general, we allow ints, floats and pointers to be loaded and stored. 518 if (!ValType->isIntegerType() && !ValType->isAnyPointerType() && 519 !ValType->isBlockPointerType() && !ValType->isFloatingType()) { 520 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer_intfltptr) 521 << PointerArg->getType() << PointerArg->getSourceRange(); 522 return true; 523 } 524 525 // But ARM doesn't have instructions to deal with 128-bit versions. 526 if (Context.getTypeSize(ValType) > 64) { 527 Diag(DRE->getLocStart(), diag::err_atomic_exclusive_builtin_pointer_size) 528 << PointerArg->getType() << PointerArg->getSourceRange(); 529 return true; 530 } 531 532 switch (ValType.getObjCLifetime()) { 533 case Qualifiers::OCL_None: 534 case Qualifiers::OCL_ExplicitNone: 535 // okay 536 break; 537 538 case Qualifiers::OCL_Weak: 539 case Qualifiers::OCL_Strong: 540 case Qualifiers::OCL_Autoreleasing: 541 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 542 << ValType << PointerArg->getSourceRange(); 543 return true; 544 } 545 546 547 if (IsLdrex) { 548 TheCall->setType(ValType); 549 return false; 550 } 551 552 // Initialize the argument to be stored. 553 ExprResult ValArg = TheCall->getArg(0); 554 InitializedEntity Entity = InitializedEntity::InitializeParameter( 555 Context, ValType, /*consume*/ false); 556 ValArg = PerformCopyInitialization(Entity, SourceLocation(), ValArg); 557 if (ValArg.isInvalid()) 558 return true; 559 560 TheCall->setArg(0, ValArg.get()); 561 return false; 562 } 563 564 bool Sema::CheckARMBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 565 llvm::APSInt Result; 566 567 if (BuiltinID == ARM::BI__builtin_arm_ldrex || 568 BuiltinID == ARM::BI__builtin_arm_strex) { 569 return CheckARMBuiltinExclusiveCall(BuiltinID, TheCall); 570 } 571 572 uint64_t mask = 0; 573 unsigned TV = 0; 574 int PtrArgNum = -1; 575 bool HasConstPtr = false; 576 switch (BuiltinID) { 577 #define GET_NEON_OVERLOAD_CHECK 578 #include "clang/Basic/arm_neon.inc" 579 #undef GET_NEON_OVERLOAD_CHECK 580 } 581 582 // For NEON intrinsics which are overloaded on vector element type, validate 583 // the immediate which specifies which variant to emit. 584 unsigned ImmArg = TheCall->getNumArgs()-1; 585 if (mask) { 586 if (SemaBuiltinConstantArg(TheCall, ImmArg, Result)) 587 return true; 588 589 TV = Result.getLimitedValue(64); 590 if ((TV > 63) || (mask & (1ULL << TV)) == 0) 591 return Diag(TheCall->getLocStart(), diag::err_invalid_neon_type_code) 592 << TheCall->getArg(ImmArg)->getSourceRange(); 593 } 594 595 if (PtrArgNum >= 0) { 596 // Check that pointer arguments have the specified type. 597 Expr *Arg = TheCall->getArg(PtrArgNum); 598 if (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Arg)) 599 Arg = ICE->getSubExpr(); 600 ExprResult RHS = DefaultFunctionArrayLvalueConversion(Arg); 601 QualType RHSTy = RHS.get()->getType(); 602 QualType EltTy = getNeonEltType(NeonTypeFlags(TV), Context); 603 if (HasConstPtr) 604 EltTy = EltTy.withConst(); 605 QualType LHSTy = Context.getPointerType(EltTy); 606 AssignConvertType ConvTy; 607 ConvTy = CheckSingleAssignmentConstraints(LHSTy, RHS); 608 if (RHS.isInvalid()) 609 return true; 610 if (DiagnoseAssignmentResult(ConvTy, Arg->getLocStart(), LHSTy, RHSTy, 611 RHS.get(), AA_Assigning)) 612 return true; 613 } 614 615 // For NEON intrinsics which take an immediate value as part of the 616 // instruction, range check them here. 617 unsigned i = 0, l = 0, u = 0; 618 switch (BuiltinID) { 619 default: return false; 620 case ARM::BI__builtin_arm_ssat: i = 1; l = 1; u = 31; break; 621 case ARM::BI__builtin_arm_usat: i = 1; u = 31; break; 622 case ARM::BI__builtin_arm_vcvtr_f: 623 case ARM::BI__builtin_arm_vcvtr_d: i = 1; u = 1; break; 624 #define GET_NEON_IMMEDIATE_CHECK 625 #include "clang/Basic/arm_neon.inc" 626 #undef GET_NEON_IMMEDIATE_CHECK 627 }; 628 629 // We can't check the value of a dependent argument. 630 if (TheCall->getArg(i)->isTypeDependent() || 631 TheCall->getArg(i)->isValueDependent()) 632 return false; 633 634 // Check that the immediate argument is actually a constant. 635 if (SemaBuiltinConstantArg(TheCall, i, Result)) 636 return true; 637 638 // Range check against the upper/lower values for this isntruction. 639 unsigned Val = Result.getZExtValue(); 640 if (Val < l || Val > (u + l)) 641 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 642 << l << u+l << TheCall->getArg(i)->getSourceRange(); 643 644 // FIXME: VFP Intrinsics should error if VFP not present. 645 return false; 646 } 647 648 bool Sema::CheckMipsBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 649 unsigned i = 0, l = 0, u = 0; 650 switch (BuiltinID) { 651 default: return false; 652 case Mips::BI__builtin_mips_wrdsp: i = 1; l = 0; u = 63; break; 653 case Mips::BI__builtin_mips_rddsp: i = 0; l = 0; u = 63; break; 654 case Mips::BI__builtin_mips_append: i = 2; l = 0; u = 31; break; 655 case Mips::BI__builtin_mips_balign: i = 2; l = 0; u = 3; break; 656 case Mips::BI__builtin_mips_precr_sra_ph_w: i = 2; l = 0; u = 31; break; 657 case Mips::BI__builtin_mips_precr_sra_r_ph_w: i = 2; l = 0; u = 31; break; 658 case Mips::BI__builtin_mips_prepend: i = 2; l = 0; u = 31; break; 659 }; 660 661 // We can't check the value of a dependent argument. 662 if (TheCall->getArg(i)->isTypeDependent() || 663 TheCall->getArg(i)->isValueDependent()) 664 return false; 665 666 // Check that the immediate argument is actually a constant. 667 llvm::APSInt Result; 668 if (SemaBuiltinConstantArg(TheCall, i, Result)) 669 return true; 670 671 // Range check against the upper/lower values for this instruction. 672 unsigned Val = Result.getZExtValue(); 673 if (Val < l || Val > u) 674 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 675 << l << u << TheCall->getArg(i)->getSourceRange(); 676 677 return false; 678 } 679 680 /// Given a FunctionDecl's FormatAttr, attempts to populate the FomatStringInfo 681 /// parameter with the FormatAttr's correct format_idx and firstDataArg. 682 /// Returns true when the format fits the function and the FormatStringInfo has 683 /// been populated. 684 bool Sema::getFormatStringInfo(const FormatAttr *Format, bool IsCXXMember, 685 FormatStringInfo *FSI) { 686 FSI->HasVAListArg = Format->getFirstArg() == 0; 687 FSI->FormatIdx = Format->getFormatIdx() - 1; 688 FSI->FirstDataArg = FSI->HasVAListArg ? 0 : Format->getFirstArg() - 1; 689 690 // The way the format attribute works in GCC, the implicit this argument 691 // of member functions is counted. However, it doesn't appear in our own 692 // lists, so decrement format_idx in that case. 693 if (IsCXXMember) { 694 if(FSI->FormatIdx == 0) 695 return false; 696 --FSI->FormatIdx; 697 if (FSI->FirstDataArg != 0) 698 --FSI->FirstDataArg; 699 } 700 return true; 701 } 702 703 /// Handles the checks for format strings, non-POD arguments to vararg 704 /// functions, and NULL arguments passed to non-NULL parameters. 705 void Sema::checkCall(NamedDecl *FDecl, 706 ArrayRef<const Expr *> Args, 707 unsigned NumProtoArgs, 708 bool IsMemberFunction, 709 SourceLocation Loc, 710 SourceRange Range, 711 VariadicCallType CallType) { 712 // FIXME: We should check as much as we can in the template definition. 713 if (CurContext->isDependentContext()) 714 return; 715 716 // Printf and scanf checking. 717 bool HandledFormatString = false; 718 llvm::SmallBitVector CheckedVarArgs; 719 if (FDecl) { 720 for (specific_attr_iterator<FormatAttr> 721 I = FDecl->specific_attr_begin<FormatAttr>(), 722 E = FDecl->specific_attr_end<FormatAttr>(); I != E ; ++I) { 723 CheckedVarArgs.resize(Args.size()); 724 if (CheckFormatArguments(*I, Args, IsMemberFunction, CallType, Loc, 725 Range, CheckedVarArgs)) 726 HandledFormatString = true; 727 } 728 } 729 730 // Refuse POD arguments that weren't caught by the format string 731 // checks above. 732 if (CallType != VariadicDoesNotApply) { 733 for (unsigned ArgIdx = NumProtoArgs; ArgIdx < Args.size(); ++ArgIdx) { 734 // Args[ArgIdx] can be null in malformed code. 735 if (const Expr *Arg = Args[ArgIdx]) { 736 if (CheckedVarArgs.empty() || !CheckedVarArgs[ArgIdx]) 737 checkVariadicArgument(Arg, CallType); 738 } 739 } 740 } 741 742 if (FDecl) { 743 for (specific_attr_iterator<NonNullAttr> 744 I = FDecl->specific_attr_begin<NonNullAttr>(), 745 E = FDecl->specific_attr_end<NonNullAttr>(); I != E; ++I) 746 CheckNonNullArguments(*I, Args.data(), Loc); 747 748 // Type safety checking. 749 for (specific_attr_iterator<ArgumentWithTypeTagAttr> 750 i = FDecl->specific_attr_begin<ArgumentWithTypeTagAttr>(), 751 e = FDecl->specific_attr_end<ArgumentWithTypeTagAttr>(); 752 i != e; ++i) { 753 CheckArgumentWithTypeTag(*i, Args.data()); 754 } 755 } 756 } 757 758 /// CheckConstructorCall - Check a constructor call for correctness and safety 759 /// properties not enforced by the C type system. 760 void Sema::CheckConstructorCall(FunctionDecl *FDecl, 761 ArrayRef<const Expr *> Args, 762 const FunctionProtoType *Proto, 763 SourceLocation Loc) { 764 VariadicCallType CallType = 765 Proto->isVariadic() ? VariadicConstructor : VariadicDoesNotApply; 766 checkCall(FDecl, Args, Proto->getNumArgs(), 767 /*IsMemberFunction=*/true, Loc, SourceRange(), CallType); 768 } 769 770 /// CheckFunctionCall - Check a direct function call for various correctness 771 /// and safety properties not strictly enforced by the C type system. 772 bool Sema::CheckFunctionCall(FunctionDecl *FDecl, CallExpr *TheCall, 773 const FunctionProtoType *Proto) { 774 bool IsMemberOperatorCall = isa<CXXOperatorCallExpr>(TheCall) && 775 isa<CXXMethodDecl>(FDecl); 776 bool IsMemberFunction = isa<CXXMemberCallExpr>(TheCall) || 777 IsMemberOperatorCall; 778 VariadicCallType CallType = getVariadicCallType(FDecl, Proto, 779 TheCall->getCallee()); 780 unsigned NumProtoArgs = Proto ? Proto->getNumArgs() : 0; 781 Expr** Args = TheCall->getArgs(); 782 unsigned NumArgs = TheCall->getNumArgs(); 783 if (IsMemberOperatorCall) { 784 // If this is a call to a member operator, hide the first argument 785 // from checkCall. 786 // FIXME: Our choice of AST representation here is less than ideal. 787 ++Args; 788 --NumArgs; 789 } 790 checkCall(FDecl, llvm::makeArrayRef<const Expr *>(Args, NumArgs), 791 NumProtoArgs, 792 IsMemberFunction, TheCall->getRParenLoc(), 793 TheCall->getCallee()->getSourceRange(), CallType); 794 795 IdentifierInfo *FnInfo = FDecl->getIdentifier(); 796 // None of the checks below are needed for functions that don't have 797 // simple names (e.g., C++ conversion functions). 798 if (!FnInfo) 799 return false; 800 801 unsigned CMId = FDecl->getMemoryFunctionKind(); 802 if (CMId == 0) 803 return false; 804 805 // Handle memory setting and copying functions. 806 if (CMId == Builtin::BIstrlcpy || CMId == Builtin::BIstrlcat) 807 CheckStrlcpycatArguments(TheCall, FnInfo); 808 else if (CMId == Builtin::BIstrncat) 809 CheckStrncatArguments(TheCall, FnInfo); 810 else 811 CheckMemaccessArguments(TheCall, CMId, FnInfo); 812 813 return false; 814 } 815 816 bool Sema::CheckObjCMethodCall(ObjCMethodDecl *Method, SourceLocation lbrac, 817 ArrayRef<const Expr *> Args) { 818 VariadicCallType CallType = 819 Method->isVariadic() ? VariadicMethod : VariadicDoesNotApply; 820 821 checkCall(Method, Args, Method->param_size(), 822 /*IsMemberFunction=*/false, 823 lbrac, Method->getSourceRange(), CallType); 824 825 return false; 826 } 827 828 bool Sema::CheckPointerCall(NamedDecl *NDecl, CallExpr *TheCall, 829 const FunctionProtoType *Proto) { 830 const VarDecl *V = dyn_cast<VarDecl>(NDecl); 831 if (!V) 832 return false; 833 834 QualType Ty = V->getType(); 835 if (!Ty->isBlockPointerType() && !Ty->isFunctionPointerType()) 836 return false; 837 838 VariadicCallType CallType; 839 if (!Proto || !Proto->isVariadic()) { 840 CallType = VariadicDoesNotApply; 841 } else if (Ty->isBlockPointerType()) { 842 CallType = VariadicBlock; 843 } else { // Ty->isFunctionPointerType() 844 CallType = VariadicFunction; 845 } 846 unsigned NumProtoArgs = Proto ? Proto->getNumArgs() : 0; 847 848 checkCall(NDecl, 849 llvm::makeArrayRef<const Expr *>(TheCall->getArgs(), 850 TheCall->getNumArgs()), 851 NumProtoArgs, /*IsMemberFunction=*/false, 852 TheCall->getRParenLoc(), 853 TheCall->getCallee()->getSourceRange(), CallType); 854 855 return false; 856 } 857 858 /// Checks function calls when a FunctionDecl or a NamedDecl is not available, 859 /// such as function pointers returned from functions. 860 bool Sema::CheckOtherCall(CallExpr *TheCall, const FunctionProtoType *Proto) { 861 VariadicCallType CallType = getVariadicCallType(/*FDecl=*/0, Proto, 862 TheCall->getCallee()); 863 unsigned NumProtoArgs = Proto ? Proto->getNumArgs() : 0; 864 865 checkCall(/*FDecl=*/0, 866 llvm::makeArrayRef<const Expr *>(TheCall->getArgs(), 867 TheCall->getNumArgs()), 868 NumProtoArgs, /*IsMemberFunction=*/false, 869 TheCall->getRParenLoc(), 870 TheCall->getCallee()->getSourceRange(), CallType); 871 872 return false; 873 } 874 875 ExprResult Sema::SemaAtomicOpsOverloaded(ExprResult TheCallResult, 876 AtomicExpr::AtomicOp Op) { 877 CallExpr *TheCall = cast<CallExpr>(TheCallResult.get()); 878 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 879 880 // All these operations take one of the following forms: 881 enum { 882 // C __c11_atomic_init(A *, C) 883 Init, 884 // C __c11_atomic_load(A *, int) 885 Load, 886 // void __atomic_load(A *, CP, int) 887 Copy, 888 // C __c11_atomic_add(A *, M, int) 889 Arithmetic, 890 // C __atomic_exchange_n(A *, CP, int) 891 Xchg, 892 // void __atomic_exchange(A *, C *, CP, int) 893 GNUXchg, 894 // bool __c11_atomic_compare_exchange_strong(A *, C *, CP, int, int) 895 C11CmpXchg, 896 // bool __atomic_compare_exchange(A *, C *, CP, bool, int, int) 897 GNUCmpXchg 898 } Form = Init; 899 const unsigned NumArgs[] = { 2, 2, 3, 3, 3, 4, 5, 6 }; 900 const unsigned NumVals[] = { 1, 0, 1, 1, 1, 2, 2, 3 }; 901 // where: 902 // C is an appropriate type, 903 // A is volatile _Atomic(C) for __c11 builtins and is C for GNU builtins, 904 // CP is C for __c11 builtins and GNU _n builtins and is C * otherwise, 905 // M is C if C is an integer, and ptrdiff_t if C is a pointer, and 906 // the int parameters are for orderings. 907 908 assert(AtomicExpr::AO__c11_atomic_init == 0 && 909 AtomicExpr::AO__c11_atomic_fetch_xor + 1 == AtomicExpr::AO__atomic_load 910 && "need to update code for modified C11 atomics"); 911 bool IsC11 = Op >= AtomicExpr::AO__c11_atomic_init && 912 Op <= AtomicExpr::AO__c11_atomic_fetch_xor; 913 bool IsN = Op == AtomicExpr::AO__atomic_load_n || 914 Op == AtomicExpr::AO__atomic_store_n || 915 Op == AtomicExpr::AO__atomic_exchange_n || 916 Op == AtomicExpr::AO__atomic_compare_exchange_n; 917 bool IsAddSub = false; 918 919 switch (Op) { 920 case AtomicExpr::AO__c11_atomic_init: 921 Form = Init; 922 break; 923 924 case AtomicExpr::AO__c11_atomic_load: 925 case AtomicExpr::AO__atomic_load_n: 926 Form = Load; 927 break; 928 929 case AtomicExpr::AO__c11_atomic_store: 930 case AtomicExpr::AO__atomic_load: 931 case AtomicExpr::AO__atomic_store: 932 case AtomicExpr::AO__atomic_store_n: 933 Form = Copy; 934 break; 935 936 case AtomicExpr::AO__c11_atomic_fetch_add: 937 case AtomicExpr::AO__c11_atomic_fetch_sub: 938 case AtomicExpr::AO__atomic_fetch_add: 939 case AtomicExpr::AO__atomic_fetch_sub: 940 case AtomicExpr::AO__atomic_add_fetch: 941 case AtomicExpr::AO__atomic_sub_fetch: 942 IsAddSub = true; 943 // Fall through. 944 case AtomicExpr::AO__c11_atomic_fetch_and: 945 case AtomicExpr::AO__c11_atomic_fetch_or: 946 case AtomicExpr::AO__c11_atomic_fetch_xor: 947 case AtomicExpr::AO__atomic_fetch_and: 948 case AtomicExpr::AO__atomic_fetch_or: 949 case AtomicExpr::AO__atomic_fetch_xor: 950 case AtomicExpr::AO__atomic_fetch_nand: 951 case AtomicExpr::AO__atomic_and_fetch: 952 case AtomicExpr::AO__atomic_or_fetch: 953 case AtomicExpr::AO__atomic_xor_fetch: 954 case AtomicExpr::AO__atomic_nand_fetch: 955 Form = Arithmetic; 956 break; 957 958 case AtomicExpr::AO__c11_atomic_exchange: 959 case AtomicExpr::AO__atomic_exchange_n: 960 Form = Xchg; 961 break; 962 963 case AtomicExpr::AO__atomic_exchange: 964 Form = GNUXchg; 965 break; 966 967 case AtomicExpr::AO__c11_atomic_compare_exchange_strong: 968 case AtomicExpr::AO__c11_atomic_compare_exchange_weak: 969 Form = C11CmpXchg; 970 break; 971 972 case AtomicExpr::AO__atomic_compare_exchange: 973 case AtomicExpr::AO__atomic_compare_exchange_n: 974 Form = GNUCmpXchg; 975 break; 976 } 977 978 // Check we have the right number of arguments. 979 if (TheCall->getNumArgs() < NumArgs[Form]) { 980 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 981 << 0 << NumArgs[Form] << TheCall->getNumArgs() 982 << TheCall->getCallee()->getSourceRange(); 983 return ExprError(); 984 } else if (TheCall->getNumArgs() > NumArgs[Form]) { 985 Diag(TheCall->getArg(NumArgs[Form])->getLocStart(), 986 diag::err_typecheck_call_too_many_args) 987 << 0 << NumArgs[Form] << TheCall->getNumArgs() 988 << TheCall->getCallee()->getSourceRange(); 989 return ExprError(); 990 } 991 992 // Inspect the first argument of the atomic operation. 993 Expr *Ptr = TheCall->getArg(0); 994 Ptr = DefaultFunctionArrayLvalueConversion(Ptr).get(); 995 const PointerType *pointerType = Ptr->getType()->getAs<PointerType>(); 996 if (!pointerType) { 997 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 998 << Ptr->getType() << Ptr->getSourceRange(); 999 return ExprError(); 1000 } 1001 1002 // For a __c11 builtin, this should be a pointer to an _Atomic type. 1003 QualType AtomTy = pointerType->getPointeeType(); // 'A' 1004 QualType ValType = AtomTy; // 'C' 1005 if (IsC11) { 1006 if (!AtomTy->isAtomicType()) { 1007 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic) 1008 << Ptr->getType() << Ptr->getSourceRange(); 1009 return ExprError(); 1010 } 1011 if (AtomTy.isConstQualified()) { 1012 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_non_const_atomic) 1013 << Ptr->getType() << Ptr->getSourceRange(); 1014 return ExprError(); 1015 } 1016 ValType = AtomTy->getAs<AtomicType>()->getValueType(); 1017 } 1018 1019 // For an arithmetic operation, the implied arithmetic must be well-formed. 1020 if (Form == Arithmetic) { 1021 // gcc does not enforce these rules for GNU atomics, but we do so for sanity. 1022 if (IsAddSub && !ValType->isIntegerType() && !ValType->isPointerType()) { 1023 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic_int_or_ptr) 1024 << IsC11 << Ptr->getType() << Ptr->getSourceRange(); 1025 return ExprError(); 1026 } 1027 if (!IsAddSub && !ValType->isIntegerType()) { 1028 Diag(DRE->getLocStart(), diag::err_atomic_op_bitwise_needs_atomic_int) 1029 << IsC11 << Ptr->getType() << Ptr->getSourceRange(); 1030 return ExprError(); 1031 } 1032 } else if (IsN && !ValType->isIntegerType() && !ValType->isPointerType()) { 1033 // For __atomic_*_n operations, the value type must be a scalar integral or 1034 // pointer type which is 1, 2, 4, 8 or 16 bytes in length. 1035 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic_int_or_ptr) 1036 << IsC11 << Ptr->getType() << Ptr->getSourceRange(); 1037 return ExprError(); 1038 } 1039 1040 if (!IsC11 && !AtomTy.isTriviallyCopyableType(Context)) { 1041 // For GNU atomics, require a trivially-copyable type. This is not part of 1042 // the GNU atomics specification, but we enforce it for sanity. 1043 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_trivial_copy) 1044 << Ptr->getType() << Ptr->getSourceRange(); 1045 return ExprError(); 1046 } 1047 1048 // FIXME: For any builtin other than a load, the ValType must not be 1049 // const-qualified. 1050 1051 switch (ValType.getObjCLifetime()) { 1052 case Qualifiers::OCL_None: 1053 case Qualifiers::OCL_ExplicitNone: 1054 // okay 1055 break; 1056 1057 case Qualifiers::OCL_Weak: 1058 case Qualifiers::OCL_Strong: 1059 case Qualifiers::OCL_Autoreleasing: 1060 // FIXME: Can this happen? By this point, ValType should be known 1061 // to be trivially copyable. 1062 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 1063 << ValType << Ptr->getSourceRange(); 1064 return ExprError(); 1065 } 1066 1067 QualType ResultType = ValType; 1068 if (Form == Copy || Form == GNUXchg || Form == Init) 1069 ResultType = Context.VoidTy; 1070 else if (Form == C11CmpXchg || Form == GNUCmpXchg) 1071 ResultType = Context.BoolTy; 1072 1073 // The type of a parameter passed 'by value'. In the GNU atomics, such 1074 // arguments are actually passed as pointers. 1075 QualType ByValType = ValType; // 'CP' 1076 if (!IsC11 && !IsN) 1077 ByValType = Ptr->getType(); 1078 1079 // The first argument --- the pointer --- has a fixed type; we 1080 // deduce the types of the rest of the arguments accordingly. Walk 1081 // the remaining arguments, converting them to the deduced value type. 1082 for (unsigned i = 1; i != NumArgs[Form]; ++i) { 1083 QualType Ty; 1084 if (i < NumVals[Form] + 1) { 1085 switch (i) { 1086 case 1: 1087 // The second argument is the non-atomic operand. For arithmetic, this 1088 // is always passed by value, and for a compare_exchange it is always 1089 // passed by address. For the rest, GNU uses by-address and C11 uses 1090 // by-value. 1091 assert(Form != Load); 1092 if (Form == Init || (Form == Arithmetic && ValType->isIntegerType())) 1093 Ty = ValType; 1094 else if (Form == Copy || Form == Xchg) 1095 Ty = ByValType; 1096 else if (Form == Arithmetic) 1097 Ty = Context.getPointerDiffType(); 1098 else 1099 Ty = Context.getPointerType(ValType.getUnqualifiedType()); 1100 break; 1101 case 2: 1102 // The third argument to compare_exchange / GNU exchange is a 1103 // (pointer to a) desired value. 1104 Ty = ByValType; 1105 break; 1106 case 3: 1107 // The fourth argument to GNU compare_exchange is a 'weak' flag. 1108 Ty = Context.BoolTy; 1109 break; 1110 } 1111 } else { 1112 // The order(s) are always converted to int. 1113 Ty = Context.IntTy; 1114 } 1115 1116 InitializedEntity Entity = 1117 InitializedEntity::InitializeParameter(Context, Ty, false); 1118 ExprResult Arg = TheCall->getArg(i); 1119 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg); 1120 if (Arg.isInvalid()) 1121 return true; 1122 TheCall->setArg(i, Arg.get()); 1123 } 1124 1125 // Permute the arguments into a 'consistent' order. 1126 SmallVector<Expr*, 5> SubExprs; 1127 SubExprs.push_back(Ptr); 1128 switch (Form) { 1129 case Init: 1130 // Note, AtomicExpr::getVal1() has a special case for this atomic. 1131 SubExprs.push_back(TheCall->getArg(1)); // Val1 1132 break; 1133 case Load: 1134 SubExprs.push_back(TheCall->getArg(1)); // Order 1135 break; 1136 case Copy: 1137 case Arithmetic: 1138 case Xchg: 1139 SubExprs.push_back(TheCall->getArg(2)); // Order 1140 SubExprs.push_back(TheCall->getArg(1)); // Val1 1141 break; 1142 case GNUXchg: 1143 // Note, AtomicExpr::getVal2() has a special case for this atomic. 1144 SubExprs.push_back(TheCall->getArg(3)); // Order 1145 SubExprs.push_back(TheCall->getArg(1)); // Val1 1146 SubExprs.push_back(TheCall->getArg(2)); // Val2 1147 break; 1148 case C11CmpXchg: 1149 SubExprs.push_back(TheCall->getArg(3)); // Order 1150 SubExprs.push_back(TheCall->getArg(1)); // Val1 1151 SubExprs.push_back(TheCall->getArg(4)); // OrderFail 1152 SubExprs.push_back(TheCall->getArg(2)); // Val2 1153 break; 1154 case GNUCmpXchg: 1155 SubExprs.push_back(TheCall->getArg(4)); // Order 1156 SubExprs.push_back(TheCall->getArg(1)); // Val1 1157 SubExprs.push_back(TheCall->getArg(5)); // OrderFail 1158 SubExprs.push_back(TheCall->getArg(2)); // Val2 1159 SubExprs.push_back(TheCall->getArg(3)); // Weak 1160 break; 1161 } 1162 1163 AtomicExpr *AE = new (Context) AtomicExpr(TheCall->getCallee()->getLocStart(), 1164 SubExprs, ResultType, Op, 1165 TheCall->getRParenLoc()); 1166 1167 if ((Op == AtomicExpr::AO__c11_atomic_load || 1168 (Op == AtomicExpr::AO__c11_atomic_store)) && 1169 Context.AtomicUsesUnsupportedLibcall(AE)) 1170 Diag(AE->getLocStart(), diag::err_atomic_load_store_uses_lib) << 1171 ((Op == AtomicExpr::AO__c11_atomic_load) ? 0 : 1); 1172 1173 return Owned(AE); 1174 } 1175 1176 1177 /// checkBuiltinArgument - Given a call to a builtin function, perform 1178 /// normal type-checking on the given argument, updating the call in 1179 /// place. This is useful when a builtin function requires custom 1180 /// type-checking for some of its arguments but not necessarily all of 1181 /// them. 1182 /// 1183 /// Returns true on error. 1184 static bool checkBuiltinArgument(Sema &S, CallExpr *E, unsigned ArgIndex) { 1185 FunctionDecl *Fn = E->getDirectCallee(); 1186 assert(Fn && "builtin call without direct callee!"); 1187 1188 ParmVarDecl *Param = Fn->getParamDecl(ArgIndex); 1189 InitializedEntity Entity = 1190 InitializedEntity::InitializeParameter(S.Context, Param); 1191 1192 ExprResult Arg = E->getArg(0); 1193 Arg = S.PerformCopyInitialization(Entity, SourceLocation(), Arg); 1194 if (Arg.isInvalid()) 1195 return true; 1196 1197 E->setArg(ArgIndex, Arg.take()); 1198 return false; 1199 } 1200 1201 /// SemaBuiltinAtomicOverloaded - We have a call to a function like 1202 /// __sync_fetch_and_add, which is an overloaded function based on the pointer 1203 /// type of its first argument. The main ActOnCallExpr routines have already 1204 /// promoted the types of arguments because all of these calls are prototyped as 1205 /// void(...). 1206 /// 1207 /// This function goes through and does final semantic checking for these 1208 /// builtins, 1209 ExprResult 1210 Sema::SemaBuiltinAtomicOverloaded(ExprResult TheCallResult) { 1211 CallExpr *TheCall = (CallExpr *)TheCallResult.get(); 1212 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 1213 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 1214 1215 // Ensure that we have at least one argument to do type inference from. 1216 if (TheCall->getNumArgs() < 1) { 1217 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 1218 << 0 << 1 << TheCall->getNumArgs() 1219 << TheCall->getCallee()->getSourceRange(); 1220 return ExprError(); 1221 } 1222 1223 // Inspect the first argument of the atomic builtin. This should always be 1224 // a pointer type, whose element is an integral scalar or pointer type. 1225 // Because it is a pointer type, we don't have to worry about any implicit 1226 // casts here. 1227 // FIXME: We don't allow floating point scalars as input. 1228 Expr *FirstArg = TheCall->getArg(0); 1229 ExprResult FirstArgResult = DefaultFunctionArrayLvalueConversion(FirstArg); 1230 if (FirstArgResult.isInvalid()) 1231 return ExprError(); 1232 FirstArg = FirstArgResult.take(); 1233 TheCall->setArg(0, FirstArg); 1234 1235 const PointerType *pointerType = FirstArg->getType()->getAs<PointerType>(); 1236 if (!pointerType) { 1237 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 1238 << FirstArg->getType() << FirstArg->getSourceRange(); 1239 return ExprError(); 1240 } 1241 1242 QualType ValType = pointerType->getPointeeType(); 1243 if (!ValType->isIntegerType() && !ValType->isAnyPointerType() && 1244 !ValType->isBlockPointerType()) { 1245 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer_intptr) 1246 << FirstArg->getType() << FirstArg->getSourceRange(); 1247 return ExprError(); 1248 } 1249 1250 switch (ValType.getObjCLifetime()) { 1251 case Qualifiers::OCL_None: 1252 case Qualifiers::OCL_ExplicitNone: 1253 // okay 1254 break; 1255 1256 case Qualifiers::OCL_Weak: 1257 case Qualifiers::OCL_Strong: 1258 case Qualifiers::OCL_Autoreleasing: 1259 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 1260 << ValType << FirstArg->getSourceRange(); 1261 return ExprError(); 1262 } 1263 1264 // Strip any qualifiers off ValType. 1265 ValType = ValType.getUnqualifiedType(); 1266 1267 // The majority of builtins return a value, but a few have special return 1268 // types, so allow them to override appropriately below. 1269 QualType ResultType = ValType; 1270 1271 // We need to figure out which concrete builtin this maps onto. For example, 1272 // __sync_fetch_and_add with a 2 byte object turns into 1273 // __sync_fetch_and_add_2. 1274 #define BUILTIN_ROW(x) \ 1275 { Builtin::BI##x##_1, Builtin::BI##x##_2, Builtin::BI##x##_4, \ 1276 Builtin::BI##x##_8, Builtin::BI##x##_16 } 1277 1278 static const unsigned BuiltinIndices[][5] = { 1279 BUILTIN_ROW(__sync_fetch_and_add), 1280 BUILTIN_ROW(__sync_fetch_and_sub), 1281 BUILTIN_ROW(__sync_fetch_and_or), 1282 BUILTIN_ROW(__sync_fetch_and_and), 1283 BUILTIN_ROW(__sync_fetch_and_xor), 1284 1285 BUILTIN_ROW(__sync_add_and_fetch), 1286 BUILTIN_ROW(__sync_sub_and_fetch), 1287 BUILTIN_ROW(__sync_and_and_fetch), 1288 BUILTIN_ROW(__sync_or_and_fetch), 1289 BUILTIN_ROW(__sync_xor_and_fetch), 1290 1291 BUILTIN_ROW(__sync_val_compare_and_swap), 1292 BUILTIN_ROW(__sync_bool_compare_and_swap), 1293 BUILTIN_ROW(__sync_lock_test_and_set), 1294 BUILTIN_ROW(__sync_lock_release), 1295 BUILTIN_ROW(__sync_swap) 1296 }; 1297 #undef BUILTIN_ROW 1298 1299 // Determine the index of the size. 1300 unsigned SizeIndex; 1301 switch (Context.getTypeSizeInChars(ValType).getQuantity()) { 1302 case 1: SizeIndex = 0; break; 1303 case 2: SizeIndex = 1; break; 1304 case 4: SizeIndex = 2; break; 1305 case 8: SizeIndex = 3; break; 1306 case 16: SizeIndex = 4; break; 1307 default: 1308 Diag(DRE->getLocStart(), diag::err_atomic_builtin_pointer_size) 1309 << FirstArg->getType() << FirstArg->getSourceRange(); 1310 return ExprError(); 1311 } 1312 1313 // Each of these builtins has one pointer argument, followed by some number of 1314 // values (0, 1 or 2) followed by a potentially empty varags list of stuff 1315 // that we ignore. Find out which row of BuiltinIndices to read from as well 1316 // as the number of fixed args. 1317 unsigned BuiltinID = FDecl->getBuiltinID(); 1318 unsigned BuiltinIndex, NumFixed = 1; 1319 switch (BuiltinID) { 1320 default: llvm_unreachable("Unknown overloaded atomic builtin!"); 1321 case Builtin::BI__sync_fetch_and_add: 1322 case Builtin::BI__sync_fetch_and_add_1: 1323 case Builtin::BI__sync_fetch_and_add_2: 1324 case Builtin::BI__sync_fetch_and_add_4: 1325 case Builtin::BI__sync_fetch_and_add_8: 1326 case Builtin::BI__sync_fetch_and_add_16: 1327 BuiltinIndex = 0; 1328 break; 1329 1330 case Builtin::BI__sync_fetch_and_sub: 1331 case Builtin::BI__sync_fetch_and_sub_1: 1332 case Builtin::BI__sync_fetch_and_sub_2: 1333 case Builtin::BI__sync_fetch_and_sub_4: 1334 case Builtin::BI__sync_fetch_and_sub_8: 1335 case Builtin::BI__sync_fetch_and_sub_16: 1336 BuiltinIndex = 1; 1337 break; 1338 1339 case Builtin::BI__sync_fetch_and_or: 1340 case Builtin::BI__sync_fetch_and_or_1: 1341 case Builtin::BI__sync_fetch_and_or_2: 1342 case Builtin::BI__sync_fetch_and_or_4: 1343 case Builtin::BI__sync_fetch_and_or_8: 1344 case Builtin::BI__sync_fetch_and_or_16: 1345 BuiltinIndex = 2; 1346 break; 1347 1348 case Builtin::BI__sync_fetch_and_and: 1349 case Builtin::BI__sync_fetch_and_and_1: 1350 case Builtin::BI__sync_fetch_and_and_2: 1351 case Builtin::BI__sync_fetch_and_and_4: 1352 case Builtin::BI__sync_fetch_and_and_8: 1353 case Builtin::BI__sync_fetch_and_and_16: 1354 BuiltinIndex = 3; 1355 break; 1356 1357 case Builtin::BI__sync_fetch_and_xor: 1358 case Builtin::BI__sync_fetch_and_xor_1: 1359 case Builtin::BI__sync_fetch_and_xor_2: 1360 case Builtin::BI__sync_fetch_and_xor_4: 1361 case Builtin::BI__sync_fetch_and_xor_8: 1362 case Builtin::BI__sync_fetch_and_xor_16: 1363 BuiltinIndex = 4; 1364 break; 1365 1366 case Builtin::BI__sync_add_and_fetch: 1367 case Builtin::BI__sync_add_and_fetch_1: 1368 case Builtin::BI__sync_add_and_fetch_2: 1369 case Builtin::BI__sync_add_and_fetch_4: 1370 case Builtin::BI__sync_add_and_fetch_8: 1371 case Builtin::BI__sync_add_and_fetch_16: 1372 BuiltinIndex = 5; 1373 break; 1374 1375 case Builtin::BI__sync_sub_and_fetch: 1376 case Builtin::BI__sync_sub_and_fetch_1: 1377 case Builtin::BI__sync_sub_and_fetch_2: 1378 case Builtin::BI__sync_sub_and_fetch_4: 1379 case Builtin::BI__sync_sub_and_fetch_8: 1380 case Builtin::BI__sync_sub_and_fetch_16: 1381 BuiltinIndex = 6; 1382 break; 1383 1384 case Builtin::BI__sync_and_and_fetch: 1385 case Builtin::BI__sync_and_and_fetch_1: 1386 case Builtin::BI__sync_and_and_fetch_2: 1387 case Builtin::BI__sync_and_and_fetch_4: 1388 case Builtin::BI__sync_and_and_fetch_8: 1389 case Builtin::BI__sync_and_and_fetch_16: 1390 BuiltinIndex = 7; 1391 break; 1392 1393 case Builtin::BI__sync_or_and_fetch: 1394 case Builtin::BI__sync_or_and_fetch_1: 1395 case Builtin::BI__sync_or_and_fetch_2: 1396 case Builtin::BI__sync_or_and_fetch_4: 1397 case Builtin::BI__sync_or_and_fetch_8: 1398 case Builtin::BI__sync_or_and_fetch_16: 1399 BuiltinIndex = 8; 1400 break; 1401 1402 case Builtin::BI__sync_xor_and_fetch: 1403 case Builtin::BI__sync_xor_and_fetch_1: 1404 case Builtin::BI__sync_xor_and_fetch_2: 1405 case Builtin::BI__sync_xor_and_fetch_4: 1406 case Builtin::BI__sync_xor_and_fetch_8: 1407 case Builtin::BI__sync_xor_and_fetch_16: 1408 BuiltinIndex = 9; 1409 break; 1410 1411 case Builtin::BI__sync_val_compare_and_swap: 1412 case Builtin::BI__sync_val_compare_and_swap_1: 1413 case Builtin::BI__sync_val_compare_and_swap_2: 1414 case Builtin::BI__sync_val_compare_and_swap_4: 1415 case Builtin::BI__sync_val_compare_and_swap_8: 1416 case Builtin::BI__sync_val_compare_and_swap_16: 1417 BuiltinIndex = 10; 1418 NumFixed = 2; 1419 break; 1420 1421 case Builtin::BI__sync_bool_compare_and_swap: 1422 case Builtin::BI__sync_bool_compare_and_swap_1: 1423 case Builtin::BI__sync_bool_compare_and_swap_2: 1424 case Builtin::BI__sync_bool_compare_and_swap_4: 1425 case Builtin::BI__sync_bool_compare_and_swap_8: 1426 case Builtin::BI__sync_bool_compare_and_swap_16: 1427 BuiltinIndex = 11; 1428 NumFixed = 2; 1429 ResultType = Context.BoolTy; 1430 break; 1431 1432 case Builtin::BI__sync_lock_test_and_set: 1433 case Builtin::BI__sync_lock_test_and_set_1: 1434 case Builtin::BI__sync_lock_test_and_set_2: 1435 case Builtin::BI__sync_lock_test_and_set_4: 1436 case Builtin::BI__sync_lock_test_and_set_8: 1437 case Builtin::BI__sync_lock_test_and_set_16: 1438 BuiltinIndex = 12; 1439 break; 1440 1441 case Builtin::BI__sync_lock_release: 1442 case Builtin::BI__sync_lock_release_1: 1443 case Builtin::BI__sync_lock_release_2: 1444 case Builtin::BI__sync_lock_release_4: 1445 case Builtin::BI__sync_lock_release_8: 1446 case Builtin::BI__sync_lock_release_16: 1447 BuiltinIndex = 13; 1448 NumFixed = 0; 1449 ResultType = Context.VoidTy; 1450 break; 1451 1452 case Builtin::BI__sync_swap: 1453 case Builtin::BI__sync_swap_1: 1454 case Builtin::BI__sync_swap_2: 1455 case Builtin::BI__sync_swap_4: 1456 case Builtin::BI__sync_swap_8: 1457 case Builtin::BI__sync_swap_16: 1458 BuiltinIndex = 14; 1459 break; 1460 } 1461 1462 // Now that we know how many fixed arguments we expect, first check that we 1463 // have at least that many. 1464 if (TheCall->getNumArgs() < 1+NumFixed) { 1465 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 1466 << 0 << 1+NumFixed << TheCall->getNumArgs() 1467 << TheCall->getCallee()->getSourceRange(); 1468 return ExprError(); 1469 } 1470 1471 // Get the decl for the concrete builtin from this, we can tell what the 1472 // concrete integer type we should convert to is. 1473 unsigned NewBuiltinID = BuiltinIndices[BuiltinIndex][SizeIndex]; 1474 const char *NewBuiltinName = Context.BuiltinInfo.GetName(NewBuiltinID); 1475 FunctionDecl *NewBuiltinDecl; 1476 if (NewBuiltinID == BuiltinID) 1477 NewBuiltinDecl = FDecl; 1478 else { 1479 // Perform builtin lookup to avoid redeclaring it. 1480 DeclarationName DN(&Context.Idents.get(NewBuiltinName)); 1481 LookupResult Res(*this, DN, DRE->getLocStart(), LookupOrdinaryName); 1482 LookupName(Res, TUScope, /*AllowBuiltinCreation=*/true); 1483 assert(Res.getFoundDecl()); 1484 NewBuiltinDecl = dyn_cast<FunctionDecl>(Res.getFoundDecl()); 1485 if (NewBuiltinDecl == 0) 1486 return ExprError(); 1487 } 1488 1489 // The first argument --- the pointer --- has a fixed type; we 1490 // deduce the types of the rest of the arguments accordingly. Walk 1491 // the remaining arguments, converting them to the deduced value type. 1492 for (unsigned i = 0; i != NumFixed; ++i) { 1493 ExprResult Arg = TheCall->getArg(i+1); 1494 1495 // GCC does an implicit conversion to the pointer or integer ValType. This 1496 // can fail in some cases (1i -> int**), check for this error case now. 1497 // Initialize the argument. 1498 InitializedEntity Entity = InitializedEntity::InitializeParameter(Context, 1499 ValType, /*consume*/ false); 1500 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg); 1501 if (Arg.isInvalid()) 1502 return ExprError(); 1503 1504 // Okay, we have something that *can* be converted to the right type. Check 1505 // to see if there is a potentially weird extension going on here. This can 1506 // happen when you do an atomic operation on something like an char* and 1507 // pass in 42. The 42 gets converted to char. This is even more strange 1508 // for things like 45.123 -> char, etc. 1509 // FIXME: Do this check. 1510 TheCall->setArg(i+1, Arg.take()); 1511 } 1512 1513 ASTContext& Context = this->getASTContext(); 1514 1515 // Create a new DeclRefExpr to refer to the new decl. 1516 DeclRefExpr* NewDRE = DeclRefExpr::Create( 1517 Context, 1518 DRE->getQualifierLoc(), 1519 SourceLocation(), 1520 NewBuiltinDecl, 1521 /*enclosing*/ false, 1522 DRE->getLocation(), 1523 Context.BuiltinFnTy, 1524 DRE->getValueKind()); 1525 1526 // Set the callee in the CallExpr. 1527 // FIXME: This loses syntactic information. 1528 QualType CalleePtrTy = Context.getPointerType(NewBuiltinDecl->getType()); 1529 ExprResult PromotedCall = ImpCastExprToType(NewDRE, CalleePtrTy, 1530 CK_BuiltinFnToFnPtr); 1531 TheCall->setCallee(PromotedCall.take()); 1532 1533 // Change the result type of the call to match the original value type. This 1534 // is arbitrary, but the codegen for these builtins ins design to handle it 1535 // gracefully. 1536 TheCall->setType(ResultType); 1537 1538 return TheCallResult; 1539 } 1540 1541 /// CheckObjCString - Checks that the argument to the builtin 1542 /// CFString constructor is correct 1543 /// Note: It might also make sense to do the UTF-16 conversion here (would 1544 /// simplify the backend). 1545 bool Sema::CheckObjCString(Expr *Arg) { 1546 Arg = Arg->IgnoreParenCasts(); 1547 StringLiteral *Literal = dyn_cast<StringLiteral>(Arg); 1548 1549 if (!Literal || !Literal->isAscii()) { 1550 Diag(Arg->getLocStart(), diag::err_cfstring_literal_not_string_constant) 1551 << Arg->getSourceRange(); 1552 return true; 1553 } 1554 1555 if (Literal->containsNonAsciiOrNull()) { 1556 StringRef String = Literal->getString(); 1557 unsigned NumBytes = String.size(); 1558 SmallVector<UTF16, 128> ToBuf(NumBytes); 1559 const UTF8 *FromPtr = (const UTF8 *)String.data(); 1560 UTF16 *ToPtr = &ToBuf[0]; 1561 1562 ConversionResult Result = ConvertUTF8toUTF16(&FromPtr, FromPtr + NumBytes, 1563 &ToPtr, ToPtr + NumBytes, 1564 strictConversion); 1565 // Check for conversion failure. 1566 if (Result != conversionOK) 1567 Diag(Arg->getLocStart(), 1568 diag::warn_cfstring_truncated) << Arg->getSourceRange(); 1569 } 1570 return false; 1571 } 1572 1573 /// SemaBuiltinVAStart - Check the arguments to __builtin_va_start for validity. 1574 /// Emit an error and return true on failure, return false on success. 1575 bool Sema::SemaBuiltinVAStart(CallExpr *TheCall) { 1576 Expr *Fn = TheCall->getCallee(); 1577 if (TheCall->getNumArgs() > 2) { 1578 Diag(TheCall->getArg(2)->getLocStart(), 1579 diag::err_typecheck_call_too_many_args) 1580 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 1581 << Fn->getSourceRange() 1582 << SourceRange(TheCall->getArg(2)->getLocStart(), 1583 (*(TheCall->arg_end()-1))->getLocEnd()); 1584 return true; 1585 } 1586 1587 if (TheCall->getNumArgs() < 2) { 1588 return Diag(TheCall->getLocEnd(), 1589 diag::err_typecheck_call_too_few_args_at_least) 1590 << 0 /*function call*/ << 2 << TheCall->getNumArgs(); 1591 } 1592 1593 // Type-check the first argument normally. 1594 if (checkBuiltinArgument(*this, TheCall, 0)) 1595 return true; 1596 1597 // Determine whether the current function is variadic or not. 1598 BlockScopeInfo *CurBlock = getCurBlock(); 1599 bool isVariadic; 1600 if (CurBlock) 1601 isVariadic = CurBlock->TheDecl->isVariadic(); 1602 else if (FunctionDecl *FD = getCurFunctionDecl()) 1603 isVariadic = FD->isVariadic(); 1604 else 1605 isVariadic = getCurMethodDecl()->isVariadic(); 1606 1607 if (!isVariadic) { 1608 Diag(Fn->getLocStart(), diag::err_va_start_used_in_non_variadic_function); 1609 return true; 1610 } 1611 1612 // Verify that the second argument to the builtin is the last argument of the 1613 // current function or method. 1614 bool SecondArgIsLastNamedArgument = false; 1615 const Expr *Arg = TheCall->getArg(1)->IgnoreParenCasts(); 1616 1617 // These are valid if SecondArgIsLastNamedArgument is false after the next 1618 // block. 1619 QualType Type; 1620 SourceLocation ParamLoc; 1621 1622 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Arg)) { 1623 if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(DR->getDecl())) { 1624 // FIXME: This isn't correct for methods (results in bogus warning). 1625 // Get the last formal in the current function. 1626 const ParmVarDecl *LastArg; 1627 if (CurBlock) 1628 LastArg = *(CurBlock->TheDecl->param_end()-1); 1629 else if (FunctionDecl *FD = getCurFunctionDecl()) 1630 LastArg = *(FD->param_end()-1); 1631 else 1632 LastArg = *(getCurMethodDecl()->param_end()-1); 1633 SecondArgIsLastNamedArgument = PV == LastArg; 1634 1635 Type = PV->getType(); 1636 ParamLoc = PV->getLocation(); 1637 } 1638 } 1639 1640 if (!SecondArgIsLastNamedArgument) 1641 Diag(TheCall->getArg(1)->getLocStart(), 1642 diag::warn_second_parameter_of_va_start_not_last_named_argument); 1643 else if (Type->isReferenceType()) { 1644 Diag(Arg->getLocStart(), 1645 diag::warn_va_start_of_reference_type_is_undefined); 1646 Diag(ParamLoc, diag::note_parameter_type) << Type; 1647 } 1648 1649 return false; 1650 } 1651 1652 /// SemaBuiltinUnorderedCompare - Handle functions like __builtin_isgreater and 1653 /// friends. This is declared to take (...), so we have to check everything. 1654 bool Sema::SemaBuiltinUnorderedCompare(CallExpr *TheCall) { 1655 if (TheCall->getNumArgs() < 2) 1656 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 1657 << 0 << 2 << TheCall->getNumArgs()/*function call*/; 1658 if (TheCall->getNumArgs() > 2) 1659 return Diag(TheCall->getArg(2)->getLocStart(), 1660 diag::err_typecheck_call_too_many_args) 1661 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 1662 << SourceRange(TheCall->getArg(2)->getLocStart(), 1663 (*(TheCall->arg_end()-1))->getLocEnd()); 1664 1665 ExprResult OrigArg0 = TheCall->getArg(0); 1666 ExprResult OrigArg1 = TheCall->getArg(1); 1667 1668 // Do standard promotions between the two arguments, returning their common 1669 // type. 1670 QualType Res = UsualArithmeticConversions(OrigArg0, OrigArg1, false); 1671 if (OrigArg0.isInvalid() || OrigArg1.isInvalid()) 1672 return true; 1673 1674 // Make sure any conversions are pushed back into the call; this is 1675 // type safe since unordered compare builtins are declared as "_Bool 1676 // foo(...)". 1677 TheCall->setArg(0, OrigArg0.get()); 1678 TheCall->setArg(1, OrigArg1.get()); 1679 1680 if (OrigArg0.get()->isTypeDependent() || OrigArg1.get()->isTypeDependent()) 1681 return false; 1682 1683 // If the common type isn't a real floating type, then the arguments were 1684 // invalid for this operation. 1685 if (Res.isNull() || !Res->isRealFloatingType()) 1686 return Diag(OrigArg0.get()->getLocStart(), 1687 diag::err_typecheck_call_invalid_ordered_compare) 1688 << OrigArg0.get()->getType() << OrigArg1.get()->getType() 1689 << SourceRange(OrigArg0.get()->getLocStart(), OrigArg1.get()->getLocEnd()); 1690 1691 return false; 1692 } 1693 1694 /// SemaBuiltinSemaBuiltinFPClassification - Handle functions like 1695 /// __builtin_isnan and friends. This is declared to take (...), so we have 1696 /// to check everything. We expect the last argument to be a floating point 1697 /// value. 1698 bool Sema::SemaBuiltinFPClassification(CallExpr *TheCall, unsigned NumArgs) { 1699 if (TheCall->getNumArgs() < NumArgs) 1700 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 1701 << 0 << NumArgs << TheCall->getNumArgs()/*function call*/; 1702 if (TheCall->getNumArgs() > NumArgs) 1703 return Diag(TheCall->getArg(NumArgs)->getLocStart(), 1704 diag::err_typecheck_call_too_many_args) 1705 << 0 /*function call*/ << NumArgs << TheCall->getNumArgs() 1706 << SourceRange(TheCall->getArg(NumArgs)->getLocStart(), 1707 (*(TheCall->arg_end()-1))->getLocEnd()); 1708 1709 Expr *OrigArg = TheCall->getArg(NumArgs-1); 1710 1711 if (OrigArg->isTypeDependent()) 1712 return false; 1713 1714 // This operation requires a non-_Complex floating-point number. 1715 if (!OrigArg->getType()->isRealFloatingType()) 1716 return Diag(OrigArg->getLocStart(), 1717 diag::err_typecheck_call_invalid_unary_fp) 1718 << OrigArg->getType() << OrigArg->getSourceRange(); 1719 1720 // If this is an implicit conversion from float -> double, remove it. 1721 if (ImplicitCastExpr *Cast = dyn_cast<ImplicitCastExpr>(OrigArg)) { 1722 Expr *CastArg = Cast->getSubExpr(); 1723 if (CastArg->getType()->isSpecificBuiltinType(BuiltinType::Float)) { 1724 assert(Cast->getType()->isSpecificBuiltinType(BuiltinType::Double) && 1725 "promotion from float to double is the only expected cast here"); 1726 Cast->setSubExpr(0); 1727 TheCall->setArg(NumArgs-1, CastArg); 1728 } 1729 } 1730 1731 return false; 1732 } 1733 1734 /// SemaBuiltinShuffleVector - Handle __builtin_shufflevector. 1735 // This is declared to take (...), so we have to check everything. 1736 ExprResult Sema::SemaBuiltinShuffleVector(CallExpr *TheCall) { 1737 if (TheCall->getNumArgs() < 2) 1738 return ExprError(Diag(TheCall->getLocEnd(), 1739 diag::err_typecheck_call_too_few_args_at_least) 1740 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 1741 << TheCall->getSourceRange()); 1742 1743 // Determine which of the following types of shufflevector we're checking: 1744 // 1) unary, vector mask: (lhs, mask) 1745 // 2) binary, vector mask: (lhs, rhs, mask) 1746 // 3) binary, scalar mask: (lhs, rhs, index, ..., index) 1747 QualType resType = TheCall->getArg(0)->getType(); 1748 unsigned numElements = 0; 1749 1750 if (!TheCall->getArg(0)->isTypeDependent() && 1751 !TheCall->getArg(1)->isTypeDependent()) { 1752 QualType LHSType = TheCall->getArg(0)->getType(); 1753 QualType RHSType = TheCall->getArg(1)->getType(); 1754 1755 if (!LHSType->isVectorType() || !RHSType->isVectorType()) 1756 return ExprError(Diag(TheCall->getLocStart(), 1757 diag::err_shufflevector_non_vector) 1758 << SourceRange(TheCall->getArg(0)->getLocStart(), 1759 TheCall->getArg(1)->getLocEnd())); 1760 1761 numElements = LHSType->getAs<VectorType>()->getNumElements(); 1762 unsigned numResElements = TheCall->getNumArgs() - 2; 1763 1764 // Check to see if we have a call with 2 vector arguments, the unary shuffle 1765 // with mask. If so, verify that RHS is an integer vector type with the 1766 // same number of elts as lhs. 1767 if (TheCall->getNumArgs() == 2) { 1768 if (!RHSType->hasIntegerRepresentation() || 1769 RHSType->getAs<VectorType>()->getNumElements() != numElements) 1770 return ExprError(Diag(TheCall->getLocStart(), 1771 diag::err_shufflevector_incompatible_vector) 1772 << SourceRange(TheCall->getArg(1)->getLocStart(), 1773 TheCall->getArg(1)->getLocEnd())); 1774 } else if (!Context.hasSameUnqualifiedType(LHSType, RHSType)) { 1775 return ExprError(Diag(TheCall->getLocStart(), 1776 diag::err_shufflevector_incompatible_vector) 1777 << SourceRange(TheCall->getArg(0)->getLocStart(), 1778 TheCall->getArg(1)->getLocEnd())); 1779 } else if (numElements != numResElements) { 1780 QualType eltType = LHSType->getAs<VectorType>()->getElementType(); 1781 resType = Context.getVectorType(eltType, numResElements, 1782 VectorType::GenericVector); 1783 } 1784 } 1785 1786 for (unsigned i = 2; i < TheCall->getNumArgs(); i++) { 1787 if (TheCall->getArg(i)->isTypeDependent() || 1788 TheCall->getArg(i)->isValueDependent()) 1789 continue; 1790 1791 llvm::APSInt Result(32); 1792 if (!TheCall->getArg(i)->isIntegerConstantExpr(Result, Context)) 1793 return ExprError(Diag(TheCall->getLocStart(), 1794 diag::err_shufflevector_nonconstant_argument) 1795 << TheCall->getArg(i)->getSourceRange()); 1796 1797 // Allow -1 which will be translated to undef in the IR. 1798 if (Result.isSigned() && Result.isAllOnesValue()) 1799 continue; 1800 1801 if (Result.getActiveBits() > 64 || Result.getZExtValue() >= numElements*2) 1802 return ExprError(Diag(TheCall->getLocStart(), 1803 diag::err_shufflevector_argument_too_large) 1804 << TheCall->getArg(i)->getSourceRange()); 1805 } 1806 1807 SmallVector<Expr*, 32> exprs; 1808 1809 for (unsigned i = 0, e = TheCall->getNumArgs(); i != e; i++) { 1810 exprs.push_back(TheCall->getArg(i)); 1811 TheCall->setArg(i, 0); 1812 } 1813 1814 return Owned(new (Context) ShuffleVectorExpr(Context, exprs, resType, 1815 TheCall->getCallee()->getLocStart(), 1816 TheCall->getRParenLoc())); 1817 } 1818 1819 /// SemaBuiltinPrefetch - Handle __builtin_prefetch. 1820 // This is declared to take (const void*, ...) and can take two 1821 // optional constant int args. 1822 bool Sema::SemaBuiltinPrefetch(CallExpr *TheCall) { 1823 unsigned NumArgs = TheCall->getNumArgs(); 1824 1825 if (NumArgs > 3) 1826 return Diag(TheCall->getLocEnd(), 1827 diag::err_typecheck_call_too_many_args_at_most) 1828 << 0 /*function call*/ << 3 << NumArgs 1829 << TheCall->getSourceRange(); 1830 1831 // Argument 0 is checked for us and the remaining arguments must be 1832 // constant integers. 1833 for (unsigned i = 1; i != NumArgs; ++i) { 1834 Expr *Arg = TheCall->getArg(i); 1835 1836 // We can't check the value of a dependent argument. 1837 if (Arg->isTypeDependent() || Arg->isValueDependent()) 1838 continue; 1839 1840 llvm::APSInt Result; 1841 if (SemaBuiltinConstantArg(TheCall, i, Result)) 1842 return true; 1843 1844 // FIXME: gcc issues a warning and rewrites these to 0. These 1845 // seems especially odd for the third argument since the default 1846 // is 3. 1847 if (i == 1) { 1848 if (Result.getLimitedValue() > 1) 1849 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 1850 << "0" << "1" << Arg->getSourceRange(); 1851 } else { 1852 if (Result.getLimitedValue() > 3) 1853 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 1854 << "0" << "3" << Arg->getSourceRange(); 1855 } 1856 } 1857 1858 return false; 1859 } 1860 1861 /// SemaBuiltinConstantArg - Handle a check if argument ArgNum of CallExpr 1862 /// TheCall is a constant expression. 1863 bool Sema::SemaBuiltinConstantArg(CallExpr *TheCall, int ArgNum, 1864 llvm::APSInt &Result) { 1865 Expr *Arg = TheCall->getArg(ArgNum); 1866 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 1867 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 1868 1869 if (Arg->isTypeDependent() || Arg->isValueDependent()) return false; 1870 1871 if (!Arg->isIntegerConstantExpr(Result, Context)) 1872 return Diag(TheCall->getLocStart(), diag::err_constant_integer_arg_type) 1873 << FDecl->getDeclName() << Arg->getSourceRange(); 1874 1875 return false; 1876 } 1877 1878 /// SemaBuiltinObjectSize - Handle __builtin_object_size(void *ptr, 1879 /// int type). This simply type checks that type is one of the defined 1880 /// constants (0-3). 1881 // For compatibility check 0-3, llvm only handles 0 and 2. 1882 bool Sema::SemaBuiltinObjectSize(CallExpr *TheCall) { 1883 llvm::APSInt Result; 1884 1885 // We can't check the value of a dependent argument. 1886 if (TheCall->getArg(1)->isTypeDependent() || 1887 TheCall->getArg(1)->isValueDependent()) 1888 return false; 1889 1890 // Check constant-ness first. 1891 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 1892 return true; 1893 1894 Expr *Arg = TheCall->getArg(1); 1895 if (Result.getSExtValue() < 0 || Result.getSExtValue() > 3) { 1896 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 1897 << "0" << "3" << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 1898 } 1899 1900 return false; 1901 } 1902 1903 /// SemaBuiltinLongjmp - Handle __builtin_longjmp(void *env[5], int val). 1904 /// This checks that val is a constant 1. 1905 bool Sema::SemaBuiltinLongjmp(CallExpr *TheCall) { 1906 Expr *Arg = TheCall->getArg(1); 1907 llvm::APSInt Result; 1908 1909 // TODO: This is less than ideal. Overload this to take a value. 1910 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 1911 return true; 1912 1913 if (Result != 1) 1914 return Diag(TheCall->getLocStart(), diag::err_builtin_longjmp_invalid_val) 1915 << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 1916 1917 return false; 1918 } 1919 1920 namespace { 1921 enum StringLiteralCheckType { 1922 SLCT_NotALiteral, 1923 SLCT_UncheckedLiteral, 1924 SLCT_CheckedLiteral 1925 }; 1926 } 1927 1928 // Determine if an expression is a string literal or constant string. 1929 // If this function returns false on the arguments to a function expecting a 1930 // format string, we will usually need to emit a warning. 1931 // True string literals are then checked by CheckFormatString. 1932 static StringLiteralCheckType 1933 checkFormatStringExpr(Sema &S, const Expr *E, ArrayRef<const Expr *> Args, 1934 bool HasVAListArg, unsigned format_idx, 1935 unsigned firstDataArg, Sema::FormatStringType Type, 1936 Sema::VariadicCallType CallType, bool InFunctionCall, 1937 llvm::SmallBitVector &CheckedVarArgs) { 1938 tryAgain: 1939 if (E->isTypeDependent() || E->isValueDependent()) 1940 return SLCT_NotALiteral; 1941 1942 E = E->IgnoreParenCasts(); 1943 1944 if (E->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNotNull)) 1945 // Technically -Wformat-nonliteral does not warn about this case. 1946 // The behavior of printf and friends in this case is implementation 1947 // dependent. Ideally if the format string cannot be null then 1948 // it should have a 'nonnull' attribute in the function prototype. 1949 return SLCT_UncheckedLiteral; 1950 1951 switch (E->getStmtClass()) { 1952 case Stmt::BinaryConditionalOperatorClass: 1953 case Stmt::ConditionalOperatorClass: { 1954 // The expression is a literal if both sub-expressions were, and it was 1955 // completely checked only if both sub-expressions were checked. 1956 const AbstractConditionalOperator *C = 1957 cast<AbstractConditionalOperator>(E); 1958 StringLiteralCheckType Left = 1959 checkFormatStringExpr(S, C->getTrueExpr(), Args, 1960 HasVAListArg, format_idx, firstDataArg, 1961 Type, CallType, InFunctionCall, CheckedVarArgs); 1962 if (Left == SLCT_NotALiteral) 1963 return SLCT_NotALiteral; 1964 StringLiteralCheckType Right = 1965 checkFormatStringExpr(S, C->getFalseExpr(), Args, 1966 HasVAListArg, format_idx, firstDataArg, 1967 Type, CallType, InFunctionCall, CheckedVarArgs); 1968 return Left < Right ? Left : Right; 1969 } 1970 1971 case Stmt::ImplicitCastExprClass: { 1972 E = cast<ImplicitCastExpr>(E)->getSubExpr(); 1973 goto tryAgain; 1974 } 1975 1976 case Stmt::OpaqueValueExprClass: 1977 if (const Expr *src = cast<OpaqueValueExpr>(E)->getSourceExpr()) { 1978 E = src; 1979 goto tryAgain; 1980 } 1981 return SLCT_NotALiteral; 1982 1983 case Stmt::PredefinedExprClass: 1984 // While __func__, etc., are technically not string literals, they 1985 // cannot contain format specifiers and thus are not a security 1986 // liability. 1987 return SLCT_UncheckedLiteral; 1988 1989 case Stmt::DeclRefExprClass: { 1990 const DeclRefExpr *DR = cast<DeclRefExpr>(E); 1991 1992 // As an exception, do not flag errors for variables binding to 1993 // const string literals. 1994 if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) { 1995 bool isConstant = false; 1996 QualType T = DR->getType(); 1997 1998 if (const ArrayType *AT = S.Context.getAsArrayType(T)) { 1999 isConstant = AT->getElementType().isConstant(S.Context); 2000 } else if (const PointerType *PT = T->getAs<PointerType>()) { 2001 isConstant = T.isConstant(S.Context) && 2002 PT->getPointeeType().isConstant(S.Context); 2003 } else if (T->isObjCObjectPointerType()) { 2004 // In ObjC, there is usually no "const ObjectPointer" type, 2005 // so don't check if the pointee type is constant. 2006 isConstant = T.isConstant(S.Context); 2007 } 2008 2009 if (isConstant) { 2010 if (const Expr *Init = VD->getAnyInitializer()) { 2011 // Look through initializers like const char c[] = { "foo" } 2012 if (const InitListExpr *InitList = dyn_cast<InitListExpr>(Init)) { 2013 if (InitList->isStringLiteralInit()) 2014 Init = InitList->getInit(0)->IgnoreParenImpCasts(); 2015 } 2016 return checkFormatStringExpr(S, Init, Args, 2017 HasVAListArg, format_idx, 2018 firstDataArg, Type, CallType, 2019 /*InFunctionCall*/false, CheckedVarArgs); 2020 } 2021 } 2022 2023 // For vprintf* functions (i.e., HasVAListArg==true), we add a 2024 // special check to see if the format string is a function parameter 2025 // of the function calling the printf function. If the function 2026 // has an attribute indicating it is a printf-like function, then we 2027 // should suppress warnings concerning non-literals being used in a call 2028 // to a vprintf function. For example: 2029 // 2030 // void 2031 // logmessage(char const *fmt __attribute__ (format (printf, 1, 2)), ...){ 2032 // va_list ap; 2033 // va_start(ap, fmt); 2034 // vprintf(fmt, ap); // Do NOT emit a warning about "fmt". 2035 // ... 2036 // } 2037 if (HasVAListArg) { 2038 if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(VD)) { 2039 if (const NamedDecl *ND = dyn_cast<NamedDecl>(PV->getDeclContext())) { 2040 int PVIndex = PV->getFunctionScopeIndex() + 1; 2041 for (specific_attr_iterator<FormatAttr> 2042 i = ND->specific_attr_begin<FormatAttr>(), 2043 e = ND->specific_attr_end<FormatAttr>(); i != e ; ++i) { 2044 FormatAttr *PVFormat = *i; 2045 // adjust for implicit parameter 2046 if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(ND)) 2047 if (MD->isInstance()) 2048 ++PVIndex; 2049 // We also check if the formats are compatible. 2050 // We can't pass a 'scanf' string to a 'printf' function. 2051 if (PVIndex == PVFormat->getFormatIdx() && 2052 Type == S.GetFormatStringType(PVFormat)) 2053 return SLCT_UncheckedLiteral; 2054 } 2055 } 2056 } 2057 } 2058 } 2059 2060 return SLCT_NotALiteral; 2061 } 2062 2063 case Stmt::CallExprClass: 2064 case Stmt::CXXMemberCallExprClass: { 2065 const CallExpr *CE = cast<CallExpr>(E); 2066 if (const NamedDecl *ND = dyn_cast_or_null<NamedDecl>(CE->getCalleeDecl())) { 2067 if (const FormatArgAttr *FA = ND->getAttr<FormatArgAttr>()) { 2068 unsigned ArgIndex = FA->getFormatIdx(); 2069 if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(ND)) 2070 if (MD->isInstance()) 2071 --ArgIndex; 2072 const Expr *Arg = CE->getArg(ArgIndex - 1); 2073 2074 return checkFormatStringExpr(S, Arg, Args, 2075 HasVAListArg, format_idx, firstDataArg, 2076 Type, CallType, InFunctionCall, 2077 CheckedVarArgs); 2078 } else if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(ND)) { 2079 unsigned BuiltinID = FD->getBuiltinID(); 2080 if (BuiltinID == Builtin::BI__builtin___CFStringMakeConstantString || 2081 BuiltinID == Builtin::BI__builtin___NSStringMakeConstantString) { 2082 const Expr *Arg = CE->getArg(0); 2083 return checkFormatStringExpr(S, Arg, Args, 2084 HasVAListArg, format_idx, 2085 firstDataArg, Type, CallType, 2086 InFunctionCall, CheckedVarArgs); 2087 } 2088 } 2089 } 2090 2091 return SLCT_NotALiteral; 2092 } 2093 case Stmt::ObjCStringLiteralClass: 2094 case Stmt::StringLiteralClass: { 2095 const StringLiteral *StrE = NULL; 2096 2097 if (const ObjCStringLiteral *ObjCFExpr = dyn_cast<ObjCStringLiteral>(E)) 2098 StrE = ObjCFExpr->getString(); 2099 else 2100 StrE = cast<StringLiteral>(E); 2101 2102 if (StrE) { 2103 S.CheckFormatString(StrE, E, Args, HasVAListArg, format_idx, firstDataArg, 2104 Type, InFunctionCall, CallType, CheckedVarArgs); 2105 return SLCT_CheckedLiteral; 2106 } 2107 2108 return SLCT_NotALiteral; 2109 } 2110 2111 default: 2112 return SLCT_NotALiteral; 2113 } 2114 } 2115 2116 void 2117 Sema::CheckNonNullArguments(const NonNullAttr *NonNull, 2118 const Expr * const *ExprArgs, 2119 SourceLocation CallSiteLoc) { 2120 for (NonNullAttr::args_iterator i = NonNull->args_begin(), 2121 e = NonNull->args_end(); 2122 i != e; ++i) { 2123 const Expr *ArgExpr = ExprArgs[*i]; 2124 2125 // As a special case, transparent unions initialized with zero are 2126 // considered null for the purposes of the nonnull attribute. 2127 if (const RecordType *UT = ArgExpr->getType()->getAsUnionType()) { 2128 if (UT->getDecl()->hasAttr<TransparentUnionAttr>()) 2129 if (const CompoundLiteralExpr *CLE = 2130 dyn_cast<CompoundLiteralExpr>(ArgExpr)) 2131 if (const InitListExpr *ILE = 2132 dyn_cast<InitListExpr>(CLE->getInitializer())) 2133 ArgExpr = ILE->getInit(0); 2134 } 2135 2136 bool Result; 2137 if (ArgExpr->EvaluateAsBooleanCondition(Result, Context) && !Result) 2138 Diag(CallSiteLoc, diag::warn_null_arg) << ArgExpr->getSourceRange(); 2139 } 2140 } 2141 2142 Sema::FormatStringType Sema::GetFormatStringType(const FormatAttr *Format) { 2143 return llvm::StringSwitch<FormatStringType>(Format->getType()) 2144 .Case("scanf", FST_Scanf) 2145 .Cases("printf", "printf0", FST_Printf) 2146 .Cases("NSString", "CFString", FST_NSString) 2147 .Case("strftime", FST_Strftime) 2148 .Case("strfmon", FST_Strfmon) 2149 .Cases("kprintf", "cmn_err", "vcmn_err", "zcmn_err", FST_Kprintf) 2150 .Default(FST_Unknown); 2151 } 2152 2153 /// CheckFormatArguments - Check calls to printf and scanf (and similar 2154 /// functions) for correct use of format strings. 2155 /// Returns true if a format string has been fully checked. 2156 bool Sema::CheckFormatArguments(const FormatAttr *Format, 2157 ArrayRef<const Expr *> Args, 2158 bool IsCXXMember, 2159 VariadicCallType CallType, 2160 SourceLocation Loc, SourceRange Range, 2161 llvm::SmallBitVector &CheckedVarArgs) { 2162 FormatStringInfo FSI; 2163 if (getFormatStringInfo(Format, IsCXXMember, &FSI)) 2164 return CheckFormatArguments(Args, FSI.HasVAListArg, FSI.FormatIdx, 2165 FSI.FirstDataArg, GetFormatStringType(Format), 2166 CallType, Loc, Range, CheckedVarArgs); 2167 return false; 2168 } 2169 2170 bool Sema::CheckFormatArguments(ArrayRef<const Expr *> Args, 2171 bool HasVAListArg, unsigned format_idx, 2172 unsigned firstDataArg, FormatStringType Type, 2173 VariadicCallType CallType, 2174 SourceLocation Loc, SourceRange Range, 2175 llvm::SmallBitVector &CheckedVarArgs) { 2176 // CHECK: printf/scanf-like function is called with no format string. 2177 if (format_idx >= Args.size()) { 2178 Diag(Loc, diag::warn_missing_format_string) << Range; 2179 return false; 2180 } 2181 2182 const Expr *OrigFormatExpr = Args[format_idx]->IgnoreParenCasts(); 2183 2184 // CHECK: format string is not a string literal. 2185 // 2186 // Dynamically generated format strings are difficult to 2187 // automatically vet at compile time. Requiring that format strings 2188 // are string literals: (1) permits the checking of format strings by 2189 // the compiler and thereby (2) can practically remove the source of 2190 // many format string exploits. 2191 2192 // Format string can be either ObjC string (e.g. @"%d") or 2193 // C string (e.g. "%d") 2194 // ObjC string uses the same format specifiers as C string, so we can use 2195 // the same format string checking logic for both ObjC and C strings. 2196 StringLiteralCheckType CT = 2197 checkFormatStringExpr(*this, OrigFormatExpr, Args, HasVAListArg, 2198 format_idx, firstDataArg, Type, CallType, 2199 /*IsFunctionCall*/true, CheckedVarArgs); 2200 if (CT != SLCT_NotALiteral) 2201 // Literal format string found, check done! 2202 return CT == SLCT_CheckedLiteral; 2203 2204 // Strftime is particular as it always uses a single 'time' argument, 2205 // so it is safe to pass a non-literal string. 2206 if (Type == FST_Strftime) 2207 return false; 2208 2209 // Do not emit diag when the string param is a macro expansion and the 2210 // format is either NSString or CFString. This is a hack to prevent 2211 // diag when using the NSLocalizedString and CFCopyLocalizedString macros 2212 // which are usually used in place of NS and CF string literals. 2213 if (Type == FST_NSString && 2214 SourceMgr.isInSystemMacro(Args[format_idx]->getLocStart())) 2215 return false; 2216 2217 // If there are no arguments specified, warn with -Wformat-security, otherwise 2218 // warn only with -Wformat-nonliteral. 2219 if (Args.size() == firstDataArg) 2220 Diag(Args[format_idx]->getLocStart(), 2221 diag::warn_format_nonliteral_noargs) 2222 << OrigFormatExpr->getSourceRange(); 2223 else 2224 Diag(Args[format_idx]->getLocStart(), 2225 diag::warn_format_nonliteral) 2226 << OrigFormatExpr->getSourceRange(); 2227 return false; 2228 } 2229 2230 namespace { 2231 class CheckFormatHandler : public analyze_format_string::FormatStringHandler { 2232 protected: 2233 Sema &S; 2234 const StringLiteral *FExpr; 2235 const Expr *OrigFormatExpr; 2236 const unsigned FirstDataArg; 2237 const unsigned NumDataArgs; 2238 const char *Beg; // Start of format string. 2239 const bool HasVAListArg; 2240 ArrayRef<const Expr *> Args; 2241 unsigned FormatIdx; 2242 llvm::SmallBitVector CoveredArgs; 2243 bool usesPositionalArgs; 2244 bool atFirstArg; 2245 bool inFunctionCall; 2246 Sema::VariadicCallType CallType; 2247 llvm::SmallBitVector &CheckedVarArgs; 2248 public: 2249 CheckFormatHandler(Sema &s, const StringLiteral *fexpr, 2250 const Expr *origFormatExpr, unsigned firstDataArg, 2251 unsigned numDataArgs, const char *beg, bool hasVAListArg, 2252 ArrayRef<const Expr *> Args, 2253 unsigned formatIdx, bool inFunctionCall, 2254 Sema::VariadicCallType callType, 2255 llvm::SmallBitVector &CheckedVarArgs) 2256 : S(s), FExpr(fexpr), OrigFormatExpr(origFormatExpr), 2257 FirstDataArg(firstDataArg), NumDataArgs(numDataArgs), 2258 Beg(beg), HasVAListArg(hasVAListArg), 2259 Args(Args), FormatIdx(formatIdx), 2260 usesPositionalArgs(false), atFirstArg(true), 2261 inFunctionCall(inFunctionCall), CallType(callType), 2262 CheckedVarArgs(CheckedVarArgs) { 2263 CoveredArgs.resize(numDataArgs); 2264 CoveredArgs.reset(); 2265 } 2266 2267 void DoneProcessing(); 2268 2269 void HandleIncompleteSpecifier(const char *startSpecifier, 2270 unsigned specifierLen); 2271 2272 void HandleInvalidLengthModifier( 2273 const analyze_format_string::FormatSpecifier &FS, 2274 const analyze_format_string::ConversionSpecifier &CS, 2275 const char *startSpecifier, unsigned specifierLen, unsigned DiagID); 2276 2277 void HandleNonStandardLengthModifier( 2278 const analyze_format_string::FormatSpecifier &FS, 2279 const char *startSpecifier, unsigned specifierLen); 2280 2281 void HandleNonStandardConversionSpecifier( 2282 const analyze_format_string::ConversionSpecifier &CS, 2283 const char *startSpecifier, unsigned specifierLen); 2284 2285 virtual void HandlePosition(const char *startPos, unsigned posLen); 2286 2287 virtual void HandleInvalidPosition(const char *startSpecifier, 2288 unsigned specifierLen, 2289 analyze_format_string::PositionContext p); 2290 2291 virtual void HandleZeroPosition(const char *startPos, unsigned posLen); 2292 2293 void HandleNullChar(const char *nullCharacter); 2294 2295 template <typename Range> 2296 static void EmitFormatDiagnostic(Sema &S, bool inFunctionCall, 2297 const Expr *ArgumentExpr, 2298 PartialDiagnostic PDiag, 2299 SourceLocation StringLoc, 2300 bool IsStringLocation, Range StringRange, 2301 ArrayRef<FixItHint> Fixit = None); 2302 2303 protected: 2304 bool HandleInvalidConversionSpecifier(unsigned argIndex, SourceLocation Loc, 2305 const char *startSpec, 2306 unsigned specifierLen, 2307 const char *csStart, unsigned csLen); 2308 2309 void HandlePositionalNonpositionalArgs(SourceLocation Loc, 2310 const char *startSpec, 2311 unsigned specifierLen); 2312 2313 SourceRange getFormatStringRange(); 2314 CharSourceRange getSpecifierRange(const char *startSpecifier, 2315 unsigned specifierLen); 2316 SourceLocation getLocationOfByte(const char *x); 2317 2318 const Expr *getDataArg(unsigned i) const; 2319 2320 bool CheckNumArgs(const analyze_format_string::FormatSpecifier &FS, 2321 const analyze_format_string::ConversionSpecifier &CS, 2322 const char *startSpecifier, unsigned specifierLen, 2323 unsigned argIndex); 2324 2325 template <typename Range> 2326 void EmitFormatDiagnostic(PartialDiagnostic PDiag, SourceLocation StringLoc, 2327 bool IsStringLocation, Range StringRange, 2328 ArrayRef<FixItHint> Fixit = None); 2329 2330 void CheckPositionalAndNonpositionalArgs( 2331 const analyze_format_string::FormatSpecifier *FS); 2332 }; 2333 } 2334 2335 SourceRange CheckFormatHandler::getFormatStringRange() { 2336 return OrigFormatExpr->getSourceRange(); 2337 } 2338 2339 CharSourceRange CheckFormatHandler:: 2340 getSpecifierRange(const char *startSpecifier, unsigned specifierLen) { 2341 SourceLocation Start = getLocationOfByte(startSpecifier); 2342 SourceLocation End = getLocationOfByte(startSpecifier + specifierLen - 1); 2343 2344 // Advance the end SourceLocation by one due to half-open ranges. 2345 End = End.getLocWithOffset(1); 2346 2347 return CharSourceRange::getCharRange(Start, End); 2348 } 2349 2350 SourceLocation CheckFormatHandler::getLocationOfByte(const char *x) { 2351 return S.getLocationOfStringLiteralByte(FExpr, x - Beg); 2352 } 2353 2354 void CheckFormatHandler::HandleIncompleteSpecifier(const char *startSpecifier, 2355 unsigned specifierLen){ 2356 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_incomplete_specifier), 2357 getLocationOfByte(startSpecifier), 2358 /*IsStringLocation*/true, 2359 getSpecifierRange(startSpecifier, specifierLen)); 2360 } 2361 2362 void CheckFormatHandler::HandleInvalidLengthModifier( 2363 const analyze_format_string::FormatSpecifier &FS, 2364 const analyze_format_string::ConversionSpecifier &CS, 2365 const char *startSpecifier, unsigned specifierLen, unsigned DiagID) { 2366 using namespace analyze_format_string; 2367 2368 const LengthModifier &LM = FS.getLengthModifier(); 2369 CharSourceRange LMRange = getSpecifierRange(LM.getStart(), LM.getLength()); 2370 2371 // See if we know how to fix this length modifier. 2372 Optional<LengthModifier> FixedLM = FS.getCorrectedLengthModifier(); 2373 if (FixedLM) { 2374 EmitFormatDiagnostic(S.PDiag(DiagID) << LM.toString() << CS.toString(), 2375 getLocationOfByte(LM.getStart()), 2376 /*IsStringLocation*/true, 2377 getSpecifierRange(startSpecifier, specifierLen)); 2378 2379 S.Diag(getLocationOfByte(LM.getStart()), diag::note_format_fix_specifier) 2380 << FixedLM->toString() 2381 << FixItHint::CreateReplacement(LMRange, FixedLM->toString()); 2382 2383 } else { 2384 FixItHint Hint; 2385 if (DiagID == diag::warn_format_nonsensical_length) 2386 Hint = FixItHint::CreateRemoval(LMRange); 2387 2388 EmitFormatDiagnostic(S.PDiag(DiagID) << LM.toString() << CS.toString(), 2389 getLocationOfByte(LM.getStart()), 2390 /*IsStringLocation*/true, 2391 getSpecifierRange(startSpecifier, specifierLen), 2392 Hint); 2393 } 2394 } 2395 2396 void CheckFormatHandler::HandleNonStandardLengthModifier( 2397 const analyze_format_string::FormatSpecifier &FS, 2398 const char *startSpecifier, unsigned specifierLen) { 2399 using namespace analyze_format_string; 2400 2401 const LengthModifier &LM = FS.getLengthModifier(); 2402 CharSourceRange LMRange = getSpecifierRange(LM.getStart(), LM.getLength()); 2403 2404 // See if we know how to fix this length modifier. 2405 Optional<LengthModifier> FixedLM = FS.getCorrectedLengthModifier(); 2406 if (FixedLM) { 2407 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) 2408 << LM.toString() << 0, 2409 getLocationOfByte(LM.getStart()), 2410 /*IsStringLocation*/true, 2411 getSpecifierRange(startSpecifier, specifierLen)); 2412 2413 S.Diag(getLocationOfByte(LM.getStart()), diag::note_format_fix_specifier) 2414 << FixedLM->toString() 2415 << FixItHint::CreateReplacement(LMRange, FixedLM->toString()); 2416 2417 } else { 2418 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) 2419 << LM.toString() << 0, 2420 getLocationOfByte(LM.getStart()), 2421 /*IsStringLocation*/true, 2422 getSpecifierRange(startSpecifier, specifierLen)); 2423 } 2424 } 2425 2426 void CheckFormatHandler::HandleNonStandardConversionSpecifier( 2427 const analyze_format_string::ConversionSpecifier &CS, 2428 const char *startSpecifier, unsigned specifierLen) { 2429 using namespace analyze_format_string; 2430 2431 // See if we know how to fix this conversion specifier. 2432 Optional<ConversionSpecifier> FixedCS = CS.getStandardSpecifier(); 2433 if (FixedCS) { 2434 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) 2435 << CS.toString() << /*conversion specifier*/1, 2436 getLocationOfByte(CS.getStart()), 2437 /*IsStringLocation*/true, 2438 getSpecifierRange(startSpecifier, specifierLen)); 2439 2440 CharSourceRange CSRange = getSpecifierRange(CS.getStart(), CS.getLength()); 2441 S.Diag(getLocationOfByte(CS.getStart()), diag::note_format_fix_specifier) 2442 << FixedCS->toString() 2443 << FixItHint::CreateReplacement(CSRange, FixedCS->toString()); 2444 } else { 2445 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) 2446 << CS.toString() << /*conversion specifier*/1, 2447 getLocationOfByte(CS.getStart()), 2448 /*IsStringLocation*/true, 2449 getSpecifierRange(startSpecifier, specifierLen)); 2450 } 2451 } 2452 2453 void CheckFormatHandler::HandlePosition(const char *startPos, 2454 unsigned posLen) { 2455 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard_positional_arg), 2456 getLocationOfByte(startPos), 2457 /*IsStringLocation*/true, 2458 getSpecifierRange(startPos, posLen)); 2459 } 2460 2461 void 2462 CheckFormatHandler::HandleInvalidPosition(const char *startPos, unsigned posLen, 2463 analyze_format_string::PositionContext p) { 2464 EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_positional_specifier) 2465 << (unsigned) p, 2466 getLocationOfByte(startPos), /*IsStringLocation*/true, 2467 getSpecifierRange(startPos, posLen)); 2468 } 2469 2470 void CheckFormatHandler::HandleZeroPosition(const char *startPos, 2471 unsigned posLen) { 2472 EmitFormatDiagnostic(S.PDiag(diag::warn_format_zero_positional_specifier), 2473 getLocationOfByte(startPos), 2474 /*IsStringLocation*/true, 2475 getSpecifierRange(startPos, posLen)); 2476 } 2477 2478 void CheckFormatHandler::HandleNullChar(const char *nullCharacter) { 2479 if (!isa<ObjCStringLiteral>(OrigFormatExpr)) { 2480 // The presence of a null character is likely an error. 2481 EmitFormatDiagnostic( 2482 S.PDiag(diag::warn_printf_format_string_contains_null_char), 2483 getLocationOfByte(nullCharacter), /*IsStringLocation*/true, 2484 getFormatStringRange()); 2485 } 2486 } 2487 2488 // Note that this may return NULL if there was an error parsing or building 2489 // one of the argument expressions. 2490 const Expr *CheckFormatHandler::getDataArg(unsigned i) const { 2491 return Args[FirstDataArg + i]; 2492 } 2493 2494 void CheckFormatHandler::DoneProcessing() { 2495 // Does the number of data arguments exceed the number of 2496 // format conversions in the format string? 2497 if (!HasVAListArg) { 2498 // Find any arguments that weren't covered. 2499 CoveredArgs.flip(); 2500 signed notCoveredArg = CoveredArgs.find_first(); 2501 if (notCoveredArg >= 0) { 2502 assert((unsigned)notCoveredArg < NumDataArgs); 2503 if (const Expr *E = getDataArg((unsigned) notCoveredArg)) { 2504 SourceLocation Loc = E->getLocStart(); 2505 if (!S.getSourceManager().isInSystemMacro(Loc)) { 2506 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_data_arg_not_used), 2507 Loc, /*IsStringLocation*/false, 2508 getFormatStringRange()); 2509 } 2510 } 2511 } 2512 } 2513 } 2514 2515 bool 2516 CheckFormatHandler::HandleInvalidConversionSpecifier(unsigned argIndex, 2517 SourceLocation Loc, 2518 const char *startSpec, 2519 unsigned specifierLen, 2520 const char *csStart, 2521 unsigned csLen) { 2522 2523 bool keepGoing = true; 2524 if (argIndex < NumDataArgs) { 2525 // Consider the argument coverered, even though the specifier doesn't 2526 // make sense. 2527 CoveredArgs.set(argIndex); 2528 } 2529 else { 2530 // If argIndex exceeds the number of data arguments we 2531 // don't issue a warning because that is just a cascade of warnings (and 2532 // they may have intended '%%' anyway). We don't want to continue processing 2533 // the format string after this point, however, as we will like just get 2534 // gibberish when trying to match arguments. 2535 keepGoing = false; 2536 } 2537 2538 EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_conversion) 2539 << StringRef(csStart, csLen), 2540 Loc, /*IsStringLocation*/true, 2541 getSpecifierRange(startSpec, specifierLen)); 2542 2543 return keepGoing; 2544 } 2545 2546 void 2547 CheckFormatHandler::HandlePositionalNonpositionalArgs(SourceLocation Loc, 2548 const char *startSpec, 2549 unsigned specifierLen) { 2550 EmitFormatDiagnostic( 2551 S.PDiag(diag::warn_format_mix_positional_nonpositional_args), 2552 Loc, /*isStringLoc*/true, getSpecifierRange(startSpec, specifierLen)); 2553 } 2554 2555 bool 2556 CheckFormatHandler::CheckNumArgs( 2557 const analyze_format_string::FormatSpecifier &FS, 2558 const analyze_format_string::ConversionSpecifier &CS, 2559 const char *startSpecifier, unsigned specifierLen, unsigned argIndex) { 2560 2561 if (argIndex >= NumDataArgs) { 2562 PartialDiagnostic PDiag = FS.usesPositionalArg() 2563 ? (S.PDiag(diag::warn_printf_positional_arg_exceeds_data_args) 2564 << (argIndex+1) << NumDataArgs) 2565 : S.PDiag(diag::warn_printf_insufficient_data_args); 2566 EmitFormatDiagnostic( 2567 PDiag, getLocationOfByte(CS.getStart()), /*IsStringLocation*/true, 2568 getSpecifierRange(startSpecifier, specifierLen)); 2569 return false; 2570 } 2571 return true; 2572 } 2573 2574 template<typename Range> 2575 void CheckFormatHandler::EmitFormatDiagnostic(PartialDiagnostic PDiag, 2576 SourceLocation Loc, 2577 bool IsStringLocation, 2578 Range StringRange, 2579 ArrayRef<FixItHint> FixIt) { 2580 EmitFormatDiagnostic(S, inFunctionCall, Args[FormatIdx], PDiag, 2581 Loc, IsStringLocation, StringRange, FixIt); 2582 } 2583 2584 /// \brief If the format string is not within the funcion call, emit a note 2585 /// so that the function call and string are in diagnostic messages. 2586 /// 2587 /// \param InFunctionCall if true, the format string is within the function 2588 /// call and only one diagnostic message will be produced. Otherwise, an 2589 /// extra note will be emitted pointing to location of the format string. 2590 /// 2591 /// \param ArgumentExpr the expression that is passed as the format string 2592 /// argument in the function call. Used for getting locations when two 2593 /// diagnostics are emitted. 2594 /// 2595 /// \param PDiag the callee should already have provided any strings for the 2596 /// diagnostic message. This function only adds locations and fixits 2597 /// to diagnostics. 2598 /// 2599 /// \param Loc primary location for diagnostic. If two diagnostics are 2600 /// required, one will be at Loc and a new SourceLocation will be created for 2601 /// the other one. 2602 /// 2603 /// \param IsStringLocation if true, Loc points to the format string should be 2604 /// used for the note. Otherwise, Loc points to the argument list and will 2605 /// be used with PDiag. 2606 /// 2607 /// \param StringRange some or all of the string to highlight. This is 2608 /// templated so it can accept either a CharSourceRange or a SourceRange. 2609 /// 2610 /// \param FixIt optional fix it hint for the format string. 2611 template<typename Range> 2612 void CheckFormatHandler::EmitFormatDiagnostic(Sema &S, bool InFunctionCall, 2613 const Expr *ArgumentExpr, 2614 PartialDiagnostic PDiag, 2615 SourceLocation Loc, 2616 bool IsStringLocation, 2617 Range StringRange, 2618 ArrayRef<FixItHint> FixIt) { 2619 if (InFunctionCall) { 2620 const Sema::SemaDiagnosticBuilder &D = S.Diag(Loc, PDiag); 2621 D << StringRange; 2622 for (ArrayRef<FixItHint>::iterator I = FixIt.begin(), E = FixIt.end(); 2623 I != E; ++I) { 2624 D << *I; 2625 } 2626 } else { 2627 S.Diag(IsStringLocation ? ArgumentExpr->getExprLoc() : Loc, PDiag) 2628 << ArgumentExpr->getSourceRange(); 2629 2630 const Sema::SemaDiagnosticBuilder &Note = 2631 S.Diag(IsStringLocation ? Loc : StringRange.getBegin(), 2632 diag::note_format_string_defined); 2633 2634 Note << StringRange; 2635 for (ArrayRef<FixItHint>::iterator I = FixIt.begin(), E = FixIt.end(); 2636 I != E; ++I) { 2637 Note << *I; 2638 } 2639 } 2640 } 2641 2642 //===--- CHECK: Printf format string checking ------------------------------===// 2643 2644 namespace { 2645 class CheckPrintfHandler : public CheckFormatHandler { 2646 bool ObjCContext; 2647 public: 2648 CheckPrintfHandler(Sema &s, const StringLiteral *fexpr, 2649 const Expr *origFormatExpr, unsigned firstDataArg, 2650 unsigned numDataArgs, bool isObjC, 2651 const char *beg, bool hasVAListArg, 2652 ArrayRef<const Expr *> Args, 2653 unsigned formatIdx, bool inFunctionCall, 2654 Sema::VariadicCallType CallType, 2655 llvm::SmallBitVector &CheckedVarArgs) 2656 : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg, 2657 numDataArgs, beg, hasVAListArg, Args, 2658 formatIdx, inFunctionCall, CallType, CheckedVarArgs), 2659 ObjCContext(isObjC) 2660 {} 2661 2662 2663 bool HandleInvalidPrintfConversionSpecifier( 2664 const analyze_printf::PrintfSpecifier &FS, 2665 const char *startSpecifier, 2666 unsigned specifierLen); 2667 2668 bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS, 2669 const char *startSpecifier, 2670 unsigned specifierLen); 2671 bool checkFormatExpr(const analyze_printf::PrintfSpecifier &FS, 2672 const char *StartSpecifier, 2673 unsigned SpecifierLen, 2674 const Expr *E); 2675 2676 bool HandleAmount(const analyze_format_string::OptionalAmount &Amt, unsigned k, 2677 const char *startSpecifier, unsigned specifierLen); 2678 void HandleInvalidAmount(const analyze_printf::PrintfSpecifier &FS, 2679 const analyze_printf::OptionalAmount &Amt, 2680 unsigned type, 2681 const char *startSpecifier, unsigned specifierLen); 2682 void HandleFlag(const analyze_printf::PrintfSpecifier &FS, 2683 const analyze_printf::OptionalFlag &flag, 2684 const char *startSpecifier, unsigned specifierLen); 2685 void HandleIgnoredFlag(const analyze_printf::PrintfSpecifier &FS, 2686 const analyze_printf::OptionalFlag &ignoredFlag, 2687 const analyze_printf::OptionalFlag &flag, 2688 const char *startSpecifier, unsigned specifierLen); 2689 bool checkForCStrMembers(const analyze_printf::ArgType &AT, 2690 const Expr *E, const CharSourceRange &CSR); 2691 2692 }; 2693 } 2694 2695 bool CheckPrintfHandler::HandleInvalidPrintfConversionSpecifier( 2696 const analyze_printf::PrintfSpecifier &FS, 2697 const char *startSpecifier, 2698 unsigned specifierLen) { 2699 const analyze_printf::PrintfConversionSpecifier &CS = 2700 FS.getConversionSpecifier(); 2701 2702 return HandleInvalidConversionSpecifier(FS.getArgIndex(), 2703 getLocationOfByte(CS.getStart()), 2704 startSpecifier, specifierLen, 2705 CS.getStart(), CS.getLength()); 2706 } 2707 2708 bool CheckPrintfHandler::HandleAmount( 2709 const analyze_format_string::OptionalAmount &Amt, 2710 unsigned k, const char *startSpecifier, 2711 unsigned specifierLen) { 2712 2713 if (Amt.hasDataArgument()) { 2714 if (!HasVAListArg) { 2715 unsigned argIndex = Amt.getArgIndex(); 2716 if (argIndex >= NumDataArgs) { 2717 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_missing_arg) 2718 << k, 2719 getLocationOfByte(Amt.getStart()), 2720 /*IsStringLocation*/true, 2721 getSpecifierRange(startSpecifier, specifierLen)); 2722 // Don't do any more checking. We will just emit 2723 // spurious errors. 2724 return false; 2725 } 2726 2727 // Type check the data argument. It should be an 'int'. 2728 // Although not in conformance with C99, we also allow the argument to be 2729 // an 'unsigned int' as that is a reasonably safe case. GCC also 2730 // doesn't emit a warning for that case. 2731 CoveredArgs.set(argIndex); 2732 const Expr *Arg = getDataArg(argIndex); 2733 if (!Arg) 2734 return false; 2735 2736 QualType T = Arg->getType(); 2737 2738 const analyze_printf::ArgType &AT = Amt.getArgType(S.Context); 2739 assert(AT.isValid()); 2740 2741 if (!AT.matchesType(S.Context, T)) { 2742 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_wrong_type) 2743 << k << AT.getRepresentativeTypeName(S.Context) 2744 << T << Arg->getSourceRange(), 2745 getLocationOfByte(Amt.getStart()), 2746 /*IsStringLocation*/true, 2747 getSpecifierRange(startSpecifier, specifierLen)); 2748 // Don't do any more checking. We will just emit 2749 // spurious errors. 2750 return false; 2751 } 2752 } 2753 } 2754 return true; 2755 } 2756 2757 void CheckPrintfHandler::HandleInvalidAmount( 2758 const analyze_printf::PrintfSpecifier &FS, 2759 const analyze_printf::OptionalAmount &Amt, 2760 unsigned type, 2761 const char *startSpecifier, 2762 unsigned specifierLen) { 2763 const analyze_printf::PrintfConversionSpecifier &CS = 2764 FS.getConversionSpecifier(); 2765 2766 FixItHint fixit = 2767 Amt.getHowSpecified() == analyze_printf::OptionalAmount::Constant 2768 ? FixItHint::CreateRemoval(getSpecifierRange(Amt.getStart(), 2769 Amt.getConstantLength())) 2770 : FixItHint(); 2771 2772 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_optional_amount) 2773 << type << CS.toString(), 2774 getLocationOfByte(Amt.getStart()), 2775 /*IsStringLocation*/true, 2776 getSpecifierRange(startSpecifier, specifierLen), 2777 fixit); 2778 } 2779 2780 void CheckPrintfHandler::HandleFlag(const analyze_printf::PrintfSpecifier &FS, 2781 const analyze_printf::OptionalFlag &flag, 2782 const char *startSpecifier, 2783 unsigned specifierLen) { 2784 // Warn about pointless flag with a fixit removal. 2785 const analyze_printf::PrintfConversionSpecifier &CS = 2786 FS.getConversionSpecifier(); 2787 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_flag) 2788 << flag.toString() << CS.toString(), 2789 getLocationOfByte(flag.getPosition()), 2790 /*IsStringLocation*/true, 2791 getSpecifierRange(startSpecifier, specifierLen), 2792 FixItHint::CreateRemoval( 2793 getSpecifierRange(flag.getPosition(), 1))); 2794 } 2795 2796 void CheckPrintfHandler::HandleIgnoredFlag( 2797 const analyze_printf::PrintfSpecifier &FS, 2798 const analyze_printf::OptionalFlag &ignoredFlag, 2799 const analyze_printf::OptionalFlag &flag, 2800 const char *startSpecifier, 2801 unsigned specifierLen) { 2802 // Warn about ignored flag with a fixit removal. 2803 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_ignored_flag) 2804 << ignoredFlag.toString() << flag.toString(), 2805 getLocationOfByte(ignoredFlag.getPosition()), 2806 /*IsStringLocation*/true, 2807 getSpecifierRange(startSpecifier, specifierLen), 2808 FixItHint::CreateRemoval( 2809 getSpecifierRange(ignoredFlag.getPosition(), 1))); 2810 } 2811 2812 // Determines if the specified is a C++ class or struct containing 2813 // a member with the specified name and kind (e.g. a CXXMethodDecl named 2814 // "c_str()"). 2815 template<typename MemberKind> 2816 static llvm::SmallPtrSet<MemberKind*, 1> 2817 CXXRecordMembersNamed(StringRef Name, Sema &S, QualType Ty) { 2818 const RecordType *RT = Ty->getAs<RecordType>(); 2819 llvm::SmallPtrSet<MemberKind*, 1> Results; 2820 2821 if (!RT) 2822 return Results; 2823 const CXXRecordDecl *RD = dyn_cast<CXXRecordDecl>(RT->getDecl()); 2824 if (!RD) 2825 return Results; 2826 2827 LookupResult R(S, &S.PP.getIdentifierTable().get(Name), SourceLocation(), 2828 Sema::LookupMemberName); 2829 2830 // We just need to include all members of the right kind turned up by the 2831 // filter, at this point. 2832 if (S.LookupQualifiedName(R, RT->getDecl())) 2833 for (LookupResult::iterator I = R.begin(), E = R.end(); I != E; ++I) { 2834 NamedDecl *decl = (*I)->getUnderlyingDecl(); 2835 if (MemberKind *FK = dyn_cast<MemberKind>(decl)) 2836 Results.insert(FK); 2837 } 2838 return Results; 2839 } 2840 2841 // Check if a (w)string was passed when a (w)char* was needed, and offer a 2842 // better diagnostic if so. AT is assumed to be valid. 2843 // Returns true when a c_str() conversion method is found. 2844 bool CheckPrintfHandler::checkForCStrMembers( 2845 const analyze_printf::ArgType &AT, const Expr *E, 2846 const CharSourceRange &CSR) { 2847 typedef llvm::SmallPtrSet<CXXMethodDecl*, 1> MethodSet; 2848 2849 MethodSet Results = 2850 CXXRecordMembersNamed<CXXMethodDecl>("c_str", S, E->getType()); 2851 2852 for (MethodSet::iterator MI = Results.begin(), ME = Results.end(); 2853 MI != ME; ++MI) { 2854 const CXXMethodDecl *Method = *MI; 2855 if (Method->getNumParams() == 0 && 2856 AT.matchesType(S.Context, Method->getResultType())) { 2857 // FIXME: Suggest parens if the expression needs them. 2858 SourceLocation EndLoc = 2859 S.getPreprocessor().getLocForEndOfToken(E->getLocEnd()); 2860 S.Diag(E->getLocStart(), diag::note_printf_c_str) 2861 << "c_str()" 2862 << FixItHint::CreateInsertion(EndLoc, ".c_str()"); 2863 return true; 2864 } 2865 } 2866 2867 return false; 2868 } 2869 2870 bool 2871 CheckPrintfHandler::HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier 2872 &FS, 2873 const char *startSpecifier, 2874 unsigned specifierLen) { 2875 2876 using namespace analyze_format_string; 2877 using namespace analyze_printf; 2878 const PrintfConversionSpecifier &CS = FS.getConversionSpecifier(); 2879 2880 if (FS.consumesDataArgument()) { 2881 if (atFirstArg) { 2882 atFirstArg = false; 2883 usesPositionalArgs = FS.usesPositionalArg(); 2884 } 2885 else if (usesPositionalArgs != FS.usesPositionalArg()) { 2886 HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()), 2887 startSpecifier, specifierLen); 2888 return false; 2889 } 2890 } 2891 2892 // First check if the field width, precision, and conversion specifier 2893 // have matching data arguments. 2894 if (!HandleAmount(FS.getFieldWidth(), /* field width */ 0, 2895 startSpecifier, specifierLen)) { 2896 return false; 2897 } 2898 2899 if (!HandleAmount(FS.getPrecision(), /* precision */ 1, 2900 startSpecifier, specifierLen)) { 2901 return false; 2902 } 2903 2904 if (!CS.consumesDataArgument()) { 2905 // FIXME: Technically specifying a precision or field width here 2906 // makes no sense. Worth issuing a warning at some point. 2907 return true; 2908 } 2909 2910 // Consume the argument. 2911 unsigned argIndex = FS.getArgIndex(); 2912 if (argIndex < NumDataArgs) { 2913 // The check to see if the argIndex is valid will come later. 2914 // We set the bit here because we may exit early from this 2915 // function if we encounter some other error. 2916 CoveredArgs.set(argIndex); 2917 } 2918 2919 // Check for using an Objective-C specific conversion specifier 2920 // in a non-ObjC literal. 2921 if (!ObjCContext && CS.isObjCArg()) { 2922 return HandleInvalidPrintfConversionSpecifier(FS, startSpecifier, 2923 specifierLen); 2924 } 2925 2926 // Check for invalid use of field width 2927 if (!FS.hasValidFieldWidth()) { 2928 HandleInvalidAmount(FS, FS.getFieldWidth(), /* field width */ 0, 2929 startSpecifier, specifierLen); 2930 } 2931 2932 // Check for invalid use of precision 2933 if (!FS.hasValidPrecision()) { 2934 HandleInvalidAmount(FS, FS.getPrecision(), /* precision */ 1, 2935 startSpecifier, specifierLen); 2936 } 2937 2938 // Check each flag does not conflict with any other component. 2939 if (!FS.hasValidThousandsGroupingPrefix()) 2940 HandleFlag(FS, FS.hasThousandsGrouping(), startSpecifier, specifierLen); 2941 if (!FS.hasValidLeadingZeros()) 2942 HandleFlag(FS, FS.hasLeadingZeros(), startSpecifier, specifierLen); 2943 if (!FS.hasValidPlusPrefix()) 2944 HandleFlag(FS, FS.hasPlusPrefix(), startSpecifier, specifierLen); 2945 if (!FS.hasValidSpacePrefix()) 2946 HandleFlag(FS, FS.hasSpacePrefix(), startSpecifier, specifierLen); 2947 if (!FS.hasValidAlternativeForm()) 2948 HandleFlag(FS, FS.hasAlternativeForm(), startSpecifier, specifierLen); 2949 if (!FS.hasValidLeftJustified()) 2950 HandleFlag(FS, FS.isLeftJustified(), startSpecifier, specifierLen); 2951 2952 // Check that flags are not ignored by another flag 2953 if (FS.hasSpacePrefix() && FS.hasPlusPrefix()) // ' ' ignored by '+' 2954 HandleIgnoredFlag(FS, FS.hasSpacePrefix(), FS.hasPlusPrefix(), 2955 startSpecifier, specifierLen); 2956 if (FS.hasLeadingZeros() && FS.isLeftJustified()) // '0' ignored by '-' 2957 HandleIgnoredFlag(FS, FS.hasLeadingZeros(), FS.isLeftJustified(), 2958 startSpecifier, specifierLen); 2959 2960 // Check the length modifier is valid with the given conversion specifier. 2961 if (!FS.hasValidLengthModifier(S.getASTContext().getTargetInfo())) 2962 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, 2963 diag::warn_format_nonsensical_length); 2964 else if (!FS.hasStandardLengthModifier()) 2965 HandleNonStandardLengthModifier(FS, startSpecifier, specifierLen); 2966 else if (!FS.hasStandardLengthConversionCombination()) 2967 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, 2968 diag::warn_format_non_standard_conversion_spec); 2969 2970 if (!FS.hasStandardConversionSpecifier(S.getLangOpts())) 2971 HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen); 2972 2973 // The remaining checks depend on the data arguments. 2974 if (HasVAListArg) 2975 return true; 2976 2977 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex)) 2978 return false; 2979 2980 const Expr *Arg = getDataArg(argIndex); 2981 if (!Arg) 2982 return true; 2983 2984 return checkFormatExpr(FS, startSpecifier, specifierLen, Arg); 2985 } 2986 2987 static bool requiresParensToAddCast(const Expr *E) { 2988 // FIXME: We should have a general way to reason about operator 2989 // precedence and whether parens are actually needed here. 2990 // Take care of a few common cases where they aren't. 2991 const Expr *Inside = E->IgnoreImpCasts(); 2992 if (const PseudoObjectExpr *POE = dyn_cast<PseudoObjectExpr>(Inside)) 2993 Inside = POE->getSyntacticForm()->IgnoreImpCasts(); 2994 2995 switch (Inside->getStmtClass()) { 2996 case Stmt::ArraySubscriptExprClass: 2997 case Stmt::CallExprClass: 2998 case Stmt::CharacterLiteralClass: 2999 case Stmt::CXXBoolLiteralExprClass: 3000 case Stmt::DeclRefExprClass: 3001 case Stmt::FloatingLiteralClass: 3002 case Stmt::IntegerLiteralClass: 3003 case Stmt::MemberExprClass: 3004 case Stmt::ObjCArrayLiteralClass: 3005 case Stmt::ObjCBoolLiteralExprClass: 3006 case Stmt::ObjCBoxedExprClass: 3007 case Stmt::ObjCDictionaryLiteralClass: 3008 case Stmt::ObjCEncodeExprClass: 3009 case Stmt::ObjCIvarRefExprClass: 3010 case Stmt::ObjCMessageExprClass: 3011 case Stmt::ObjCPropertyRefExprClass: 3012 case Stmt::ObjCStringLiteralClass: 3013 case Stmt::ObjCSubscriptRefExprClass: 3014 case Stmt::ParenExprClass: 3015 case Stmt::StringLiteralClass: 3016 case Stmt::UnaryOperatorClass: 3017 return false; 3018 default: 3019 return true; 3020 } 3021 } 3022 3023 bool 3024 CheckPrintfHandler::checkFormatExpr(const analyze_printf::PrintfSpecifier &FS, 3025 const char *StartSpecifier, 3026 unsigned SpecifierLen, 3027 const Expr *E) { 3028 using namespace analyze_format_string; 3029 using namespace analyze_printf; 3030 // Now type check the data expression that matches the 3031 // format specifier. 3032 const analyze_printf::ArgType &AT = FS.getArgType(S.Context, 3033 ObjCContext); 3034 if (!AT.isValid()) 3035 return true; 3036 3037 QualType ExprTy = E->getType(); 3038 while (const TypeOfExprType *TET = dyn_cast<TypeOfExprType>(ExprTy)) { 3039 ExprTy = TET->getUnderlyingExpr()->getType(); 3040 } 3041 3042 if (AT.matchesType(S.Context, ExprTy)) 3043 return true; 3044 3045 // Look through argument promotions for our error message's reported type. 3046 // This includes the integral and floating promotions, but excludes array 3047 // and function pointer decay; seeing that an argument intended to be a 3048 // string has type 'char [6]' is probably more confusing than 'char *'. 3049 if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) { 3050 if (ICE->getCastKind() == CK_IntegralCast || 3051 ICE->getCastKind() == CK_FloatingCast) { 3052 E = ICE->getSubExpr(); 3053 ExprTy = E->getType(); 3054 3055 // Check if we didn't match because of an implicit cast from a 'char' 3056 // or 'short' to an 'int'. This is done because printf is a varargs 3057 // function. 3058 if (ICE->getType() == S.Context.IntTy || 3059 ICE->getType() == S.Context.UnsignedIntTy) { 3060 // All further checking is done on the subexpression. 3061 if (AT.matchesType(S.Context, ExprTy)) 3062 return true; 3063 } 3064 } 3065 } else if (const CharacterLiteral *CL = dyn_cast<CharacterLiteral>(E)) { 3066 // Special case for 'a', which has type 'int' in C. 3067 // Note, however, that we do /not/ want to treat multibyte constants like 3068 // 'MooV' as characters! This form is deprecated but still exists. 3069 if (ExprTy == S.Context.IntTy) 3070 if (llvm::isUIntN(S.Context.getCharWidth(), CL->getValue())) 3071 ExprTy = S.Context.CharTy; 3072 } 3073 3074 // %C in an Objective-C context prints a unichar, not a wchar_t. 3075 // If the argument is an integer of some kind, believe the %C and suggest 3076 // a cast instead of changing the conversion specifier. 3077 QualType IntendedTy = ExprTy; 3078 if (ObjCContext && 3079 FS.getConversionSpecifier().getKind() == ConversionSpecifier::CArg) { 3080 if (ExprTy->isIntegralOrUnscopedEnumerationType() && 3081 !ExprTy->isCharType()) { 3082 // 'unichar' is defined as a typedef of unsigned short, but we should 3083 // prefer using the typedef if it is visible. 3084 IntendedTy = S.Context.UnsignedShortTy; 3085 3086 LookupResult Result(S, &S.Context.Idents.get("unichar"), E->getLocStart(), 3087 Sema::LookupOrdinaryName); 3088 if (S.LookupName(Result, S.getCurScope())) { 3089 NamedDecl *ND = Result.getFoundDecl(); 3090 if (TypedefNameDecl *TD = dyn_cast<TypedefNameDecl>(ND)) 3091 if (TD->getUnderlyingType() == IntendedTy) 3092 IntendedTy = S.Context.getTypedefType(TD); 3093 } 3094 } 3095 } 3096 3097 // Special-case some of Darwin's platform-independence types by suggesting 3098 // casts to primitive types that are known to be large enough. 3099 bool ShouldNotPrintDirectly = false; 3100 if (S.Context.getTargetInfo().getTriple().isOSDarwin()) { 3101 // Use a 'while' to peel off layers of typedefs. 3102 QualType TyTy = IntendedTy; 3103 while (const TypedefType *UserTy = TyTy->getAs<TypedefType>()) { 3104 StringRef Name = UserTy->getDecl()->getName(); 3105 QualType CastTy = llvm::StringSwitch<QualType>(Name) 3106 .Case("NSInteger", S.Context.LongTy) 3107 .Case("NSUInteger", S.Context.UnsignedLongTy) 3108 .Case("SInt32", S.Context.IntTy) 3109 .Case("UInt32", S.Context.UnsignedIntTy) 3110 .Default(QualType()); 3111 3112 if (!CastTy.isNull()) { 3113 ShouldNotPrintDirectly = true; 3114 IntendedTy = CastTy; 3115 break; 3116 } 3117 TyTy = UserTy->desugar(); 3118 } 3119 } 3120 3121 // We may be able to offer a FixItHint if it is a supported type. 3122 PrintfSpecifier fixedFS = FS; 3123 bool success = fixedFS.fixType(IntendedTy, S.getLangOpts(), 3124 S.Context, ObjCContext); 3125 3126 if (success) { 3127 // Get the fix string from the fixed format specifier 3128 SmallString<16> buf; 3129 llvm::raw_svector_ostream os(buf); 3130 fixedFS.toString(os); 3131 3132 CharSourceRange SpecRange = getSpecifierRange(StartSpecifier, SpecifierLen); 3133 3134 if (IntendedTy == ExprTy) { 3135 // In this case, the specifier is wrong and should be changed to match 3136 // the argument. 3137 EmitFormatDiagnostic( 3138 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 3139 << AT.getRepresentativeTypeName(S.Context) << IntendedTy 3140 << E->getSourceRange(), 3141 E->getLocStart(), 3142 /*IsStringLocation*/false, 3143 SpecRange, 3144 FixItHint::CreateReplacement(SpecRange, os.str())); 3145 3146 } else { 3147 // The canonical type for formatting this value is different from the 3148 // actual type of the expression. (This occurs, for example, with Darwin's 3149 // NSInteger on 32-bit platforms, where it is typedef'd as 'int', but 3150 // should be printed as 'long' for 64-bit compatibility.) 3151 // Rather than emitting a normal format/argument mismatch, we want to 3152 // add a cast to the recommended type (and correct the format string 3153 // if necessary). 3154 SmallString<16> CastBuf; 3155 llvm::raw_svector_ostream CastFix(CastBuf); 3156 CastFix << "("; 3157 IntendedTy.print(CastFix, S.Context.getPrintingPolicy()); 3158 CastFix << ")"; 3159 3160 SmallVector<FixItHint,4> Hints; 3161 if (!AT.matchesType(S.Context, IntendedTy)) 3162 Hints.push_back(FixItHint::CreateReplacement(SpecRange, os.str())); 3163 3164 if (const CStyleCastExpr *CCast = dyn_cast<CStyleCastExpr>(E)) { 3165 // If there's already a cast present, just replace it. 3166 SourceRange CastRange(CCast->getLParenLoc(), CCast->getRParenLoc()); 3167 Hints.push_back(FixItHint::CreateReplacement(CastRange, CastFix.str())); 3168 3169 } else if (!requiresParensToAddCast(E)) { 3170 // If the expression has high enough precedence, 3171 // just write the C-style cast. 3172 Hints.push_back(FixItHint::CreateInsertion(E->getLocStart(), 3173 CastFix.str())); 3174 } else { 3175 // Otherwise, add parens around the expression as well as the cast. 3176 CastFix << "("; 3177 Hints.push_back(FixItHint::CreateInsertion(E->getLocStart(), 3178 CastFix.str())); 3179 3180 SourceLocation After = S.PP.getLocForEndOfToken(E->getLocEnd()); 3181 Hints.push_back(FixItHint::CreateInsertion(After, ")")); 3182 } 3183 3184 if (ShouldNotPrintDirectly) { 3185 // The expression has a type that should not be printed directly. 3186 // We extract the name from the typedef because we don't want to show 3187 // the underlying type in the diagnostic. 3188 StringRef Name = cast<TypedefType>(ExprTy)->getDecl()->getName(); 3189 3190 EmitFormatDiagnostic(S.PDiag(diag::warn_format_argument_needs_cast) 3191 << Name << IntendedTy 3192 << E->getSourceRange(), 3193 E->getLocStart(), /*IsStringLocation=*/false, 3194 SpecRange, Hints); 3195 } else { 3196 // In this case, the expression could be printed using a different 3197 // specifier, but we've decided that the specifier is probably correct 3198 // and we should cast instead. Just use the normal warning message. 3199 EmitFormatDiagnostic( 3200 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 3201 << AT.getRepresentativeTypeName(S.Context) << ExprTy 3202 << E->getSourceRange(), 3203 E->getLocStart(), /*IsStringLocation*/false, 3204 SpecRange, Hints); 3205 } 3206 } 3207 } else { 3208 const CharSourceRange &CSR = getSpecifierRange(StartSpecifier, 3209 SpecifierLen); 3210 // Since the warning for passing non-POD types to variadic functions 3211 // was deferred until now, we emit a warning for non-POD 3212 // arguments here. 3213 switch (S.isValidVarArgType(ExprTy)) { 3214 case Sema::VAK_Valid: 3215 case Sema::VAK_ValidInCXX11: 3216 EmitFormatDiagnostic( 3217 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 3218 << AT.getRepresentativeTypeName(S.Context) << ExprTy 3219 << CSR 3220 << E->getSourceRange(), 3221 E->getLocStart(), /*IsStringLocation*/false, CSR); 3222 break; 3223 3224 case Sema::VAK_Undefined: 3225 EmitFormatDiagnostic( 3226 S.PDiag(diag::warn_non_pod_vararg_with_format_string) 3227 << S.getLangOpts().CPlusPlus11 3228 << ExprTy 3229 << CallType 3230 << AT.getRepresentativeTypeName(S.Context) 3231 << CSR 3232 << E->getSourceRange(), 3233 E->getLocStart(), /*IsStringLocation*/false, CSR); 3234 checkForCStrMembers(AT, E, CSR); 3235 break; 3236 3237 case Sema::VAK_Invalid: 3238 if (ExprTy->isObjCObjectType()) 3239 EmitFormatDiagnostic( 3240 S.PDiag(diag::err_cannot_pass_objc_interface_to_vararg_format) 3241 << S.getLangOpts().CPlusPlus11 3242 << ExprTy 3243 << CallType 3244 << AT.getRepresentativeTypeName(S.Context) 3245 << CSR 3246 << E->getSourceRange(), 3247 E->getLocStart(), /*IsStringLocation*/false, CSR); 3248 else 3249 // FIXME: If this is an initializer list, suggest removing the braces 3250 // or inserting a cast to the target type. 3251 S.Diag(E->getLocStart(), diag::err_cannot_pass_to_vararg_format) 3252 << isa<InitListExpr>(E) << ExprTy << CallType 3253 << AT.getRepresentativeTypeName(S.Context) 3254 << E->getSourceRange(); 3255 break; 3256 } 3257 3258 assert(FirstDataArg + FS.getArgIndex() < CheckedVarArgs.size() && 3259 "format string specifier index out of range"); 3260 CheckedVarArgs[FirstDataArg + FS.getArgIndex()] = true; 3261 } 3262 3263 return true; 3264 } 3265 3266 //===--- CHECK: Scanf format string checking ------------------------------===// 3267 3268 namespace { 3269 class CheckScanfHandler : public CheckFormatHandler { 3270 public: 3271 CheckScanfHandler(Sema &s, const StringLiteral *fexpr, 3272 const Expr *origFormatExpr, unsigned firstDataArg, 3273 unsigned numDataArgs, const char *beg, bool hasVAListArg, 3274 ArrayRef<const Expr *> Args, 3275 unsigned formatIdx, bool inFunctionCall, 3276 Sema::VariadicCallType CallType, 3277 llvm::SmallBitVector &CheckedVarArgs) 3278 : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg, 3279 numDataArgs, beg, hasVAListArg, 3280 Args, formatIdx, inFunctionCall, CallType, 3281 CheckedVarArgs) 3282 {} 3283 3284 bool HandleScanfSpecifier(const analyze_scanf::ScanfSpecifier &FS, 3285 const char *startSpecifier, 3286 unsigned specifierLen); 3287 3288 bool HandleInvalidScanfConversionSpecifier( 3289 const analyze_scanf::ScanfSpecifier &FS, 3290 const char *startSpecifier, 3291 unsigned specifierLen); 3292 3293 void HandleIncompleteScanList(const char *start, const char *end); 3294 }; 3295 } 3296 3297 void CheckScanfHandler::HandleIncompleteScanList(const char *start, 3298 const char *end) { 3299 EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_scanlist_incomplete), 3300 getLocationOfByte(end), /*IsStringLocation*/true, 3301 getSpecifierRange(start, end - start)); 3302 } 3303 3304 bool CheckScanfHandler::HandleInvalidScanfConversionSpecifier( 3305 const analyze_scanf::ScanfSpecifier &FS, 3306 const char *startSpecifier, 3307 unsigned specifierLen) { 3308 3309 const analyze_scanf::ScanfConversionSpecifier &CS = 3310 FS.getConversionSpecifier(); 3311 3312 return HandleInvalidConversionSpecifier(FS.getArgIndex(), 3313 getLocationOfByte(CS.getStart()), 3314 startSpecifier, specifierLen, 3315 CS.getStart(), CS.getLength()); 3316 } 3317 3318 bool CheckScanfHandler::HandleScanfSpecifier( 3319 const analyze_scanf::ScanfSpecifier &FS, 3320 const char *startSpecifier, 3321 unsigned specifierLen) { 3322 3323 using namespace analyze_scanf; 3324 using namespace analyze_format_string; 3325 3326 const ScanfConversionSpecifier &CS = FS.getConversionSpecifier(); 3327 3328 // Handle case where '%' and '*' don't consume an argument. These shouldn't 3329 // be used to decide if we are using positional arguments consistently. 3330 if (FS.consumesDataArgument()) { 3331 if (atFirstArg) { 3332 atFirstArg = false; 3333 usesPositionalArgs = FS.usesPositionalArg(); 3334 } 3335 else if (usesPositionalArgs != FS.usesPositionalArg()) { 3336 HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()), 3337 startSpecifier, specifierLen); 3338 return false; 3339 } 3340 } 3341 3342 // Check if the field with is non-zero. 3343 const OptionalAmount &Amt = FS.getFieldWidth(); 3344 if (Amt.getHowSpecified() == OptionalAmount::Constant) { 3345 if (Amt.getConstantAmount() == 0) { 3346 const CharSourceRange &R = getSpecifierRange(Amt.getStart(), 3347 Amt.getConstantLength()); 3348 EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_nonzero_width), 3349 getLocationOfByte(Amt.getStart()), 3350 /*IsStringLocation*/true, R, 3351 FixItHint::CreateRemoval(R)); 3352 } 3353 } 3354 3355 if (!FS.consumesDataArgument()) { 3356 // FIXME: Technically specifying a precision or field width here 3357 // makes no sense. Worth issuing a warning at some point. 3358 return true; 3359 } 3360 3361 // Consume the argument. 3362 unsigned argIndex = FS.getArgIndex(); 3363 if (argIndex < NumDataArgs) { 3364 // The check to see if the argIndex is valid will come later. 3365 // We set the bit here because we may exit early from this 3366 // function if we encounter some other error. 3367 CoveredArgs.set(argIndex); 3368 } 3369 3370 // Check the length modifier is valid with the given conversion specifier. 3371 if (!FS.hasValidLengthModifier(S.getASTContext().getTargetInfo())) 3372 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, 3373 diag::warn_format_nonsensical_length); 3374 else if (!FS.hasStandardLengthModifier()) 3375 HandleNonStandardLengthModifier(FS, startSpecifier, specifierLen); 3376 else if (!FS.hasStandardLengthConversionCombination()) 3377 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, 3378 diag::warn_format_non_standard_conversion_spec); 3379 3380 if (!FS.hasStandardConversionSpecifier(S.getLangOpts())) 3381 HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen); 3382 3383 // The remaining checks depend on the data arguments. 3384 if (HasVAListArg) 3385 return true; 3386 3387 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex)) 3388 return false; 3389 3390 // Check that the argument type matches the format specifier. 3391 const Expr *Ex = getDataArg(argIndex); 3392 if (!Ex) 3393 return true; 3394 3395 const analyze_format_string::ArgType &AT = FS.getArgType(S.Context); 3396 if (AT.isValid() && !AT.matchesType(S.Context, Ex->getType())) { 3397 ScanfSpecifier fixedFS = FS; 3398 bool success = fixedFS.fixType(Ex->getType(), S.getLangOpts(), 3399 S.Context); 3400 3401 if (success) { 3402 // Get the fix string from the fixed format specifier. 3403 SmallString<128> buf; 3404 llvm::raw_svector_ostream os(buf); 3405 fixedFS.toString(os); 3406 3407 EmitFormatDiagnostic( 3408 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 3409 << AT.getRepresentativeTypeName(S.Context) << Ex->getType() 3410 << Ex->getSourceRange(), 3411 Ex->getLocStart(), 3412 /*IsStringLocation*/false, 3413 getSpecifierRange(startSpecifier, specifierLen), 3414 FixItHint::CreateReplacement( 3415 getSpecifierRange(startSpecifier, specifierLen), 3416 os.str())); 3417 } else { 3418 EmitFormatDiagnostic( 3419 S.PDiag(diag::warn_printf_conversion_argument_type_mismatch) 3420 << AT.getRepresentativeTypeName(S.Context) << Ex->getType() 3421 << Ex->getSourceRange(), 3422 Ex->getLocStart(), 3423 /*IsStringLocation*/false, 3424 getSpecifierRange(startSpecifier, specifierLen)); 3425 } 3426 } 3427 3428 return true; 3429 } 3430 3431 void Sema::CheckFormatString(const StringLiteral *FExpr, 3432 const Expr *OrigFormatExpr, 3433 ArrayRef<const Expr *> Args, 3434 bool HasVAListArg, unsigned format_idx, 3435 unsigned firstDataArg, FormatStringType Type, 3436 bool inFunctionCall, VariadicCallType CallType, 3437 llvm::SmallBitVector &CheckedVarArgs) { 3438 3439 // CHECK: is the format string a wide literal? 3440 if (!FExpr->isAscii() && !FExpr->isUTF8()) { 3441 CheckFormatHandler::EmitFormatDiagnostic( 3442 *this, inFunctionCall, Args[format_idx], 3443 PDiag(diag::warn_format_string_is_wide_literal), FExpr->getLocStart(), 3444 /*IsStringLocation*/true, OrigFormatExpr->getSourceRange()); 3445 return; 3446 } 3447 3448 // Str - The format string. NOTE: this is NOT null-terminated! 3449 StringRef StrRef = FExpr->getString(); 3450 const char *Str = StrRef.data(); 3451 unsigned StrLen = StrRef.size(); 3452 const unsigned numDataArgs = Args.size() - firstDataArg; 3453 3454 // CHECK: empty format string? 3455 if (StrLen == 0 && numDataArgs > 0) { 3456 CheckFormatHandler::EmitFormatDiagnostic( 3457 *this, inFunctionCall, Args[format_idx], 3458 PDiag(diag::warn_empty_format_string), FExpr->getLocStart(), 3459 /*IsStringLocation*/true, OrigFormatExpr->getSourceRange()); 3460 return; 3461 } 3462 3463 if (Type == FST_Printf || Type == FST_NSString) { 3464 CheckPrintfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, 3465 numDataArgs, (Type == FST_NSString), 3466 Str, HasVAListArg, Args, format_idx, 3467 inFunctionCall, CallType, CheckedVarArgs); 3468 3469 if (!analyze_format_string::ParsePrintfString(H, Str, Str + StrLen, 3470 getLangOpts(), 3471 Context.getTargetInfo())) 3472 H.DoneProcessing(); 3473 } else if (Type == FST_Scanf) { 3474 CheckScanfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, numDataArgs, 3475 Str, HasVAListArg, Args, format_idx, 3476 inFunctionCall, CallType, CheckedVarArgs); 3477 3478 if (!analyze_format_string::ParseScanfString(H, Str, Str + StrLen, 3479 getLangOpts(), 3480 Context.getTargetInfo())) 3481 H.DoneProcessing(); 3482 } // TODO: handle other formats 3483 } 3484 3485 //===--- CHECK: Standard memory functions ---------------------------------===// 3486 3487 /// \brief Determine whether the given type is a dynamic class type (e.g., 3488 /// whether it has a vtable). 3489 static bool isDynamicClassType(QualType T) { 3490 if (CXXRecordDecl *Record = T->getAsCXXRecordDecl()) 3491 if (CXXRecordDecl *Definition = Record->getDefinition()) 3492 if (Definition->isDynamicClass()) 3493 return true; 3494 3495 return false; 3496 } 3497 3498 /// \brief If E is a sizeof expression, returns its argument expression, 3499 /// otherwise returns NULL. 3500 static const Expr *getSizeOfExprArg(const Expr* E) { 3501 if (const UnaryExprOrTypeTraitExpr *SizeOf = 3502 dyn_cast<UnaryExprOrTypeTraitExpr>(E)) 3503 if (SizeOf->getKind() == clang::UETT_SizeOf && !SizeOf->isArgumentType()) 3504 return SizeOf->getArgumentExpr()->IgnoreParenImpCasts(); 3505 3506 return 0; 3507 } 3508 3509 /// \brief If E is a sizeof expression, returns its argument type. 3510 static QualType getSizeOfArgType(const Expr* E) { 3511 if (const UnaryExprOrTypeTraitExpr *SizeOf = 3512 dyn_cast<UnaryExprOrTypeTraitExpr>(E)) 3513 if (SizeOf->getKind() == clang::UETT_SizeOf) 3514 return SizeOf->getTypeOfArgument(); 3515 3516 return QualType(); 3517 } 3518 3519 /// \brief Check for dangerous or invalid arguments to memset(). 3520 /// 3521 /// This issues warnings on known problematic, dangerous or unspecified 3522 /// arguments to the standard 'memset', 'memcpy', 'memmove', and 'memcmp' 3523 /// function calls. 3524 /// 3525 /// \param Call The call expression to diagnose. 3526 void Sema::CheckMemaccessArguments(const CallExpr *Call, 3527 unsigned BId, 3528 IdentifierInfo *FnName) { 3529 assert(BId != 0); 3530 3531 // It is possible to have a non-standard definition of memset. Validate 3532 // we have enough arguments, and if not, abort further checking. 3533 unsigned ExpectedNumArgs = (BId == Builtin::BIstrndup ? 2 : 3); 3534 if (Call->getNumArgs() < ExpectedNumArgs) 3535 return; 3536 3537 unsigned LastArg = (BId == Builtin::BImemset || 3538 BId == Builtin::BIstrndup ? 1 : 2); 3539 unsigned LenArg = (BId == Builtin::BIstrndup ? 1 : 2); 3540 const Expr *LenExpr = Call->getArg(LenArg)->IgnoreParenImpCasts(); 3541 3542 // We have special checking when the length is a sizeof expression. 3543 QualType SizeOfArgTy = getSizeOfArgType(LenExpr); 3544 const Expr *SizeOfArg = getSizeOfExprArg(LenExpr); 3545 llvm::FoldingSetNodeID SizeOfArgID; 3546 3547 for (unsigned ArgIdx = 0; ArgIdx != LastArg; ++ArgIdx) { 3548 const Expr *Dest = Call->getArg(ArgIdx)->IgnoreParenImpCasts(); 3549 SourceRange ArgRange = Call->getArg(ArgIdx)->getSourceRange(); 3550 3551 QualType DestTy = Dest->getType(); 3552 if (const PointerType *DestPtrTy = DestTy->getAs<PointerType>()) { 3553 QualType PointeeTy = DestPtrTy->getPointeeType(); 3554 3555 // Never warn about void type pointers. This can be used to suppress 3556 // false positives. 3557 if (PointeeTy->isVoidType()) 3558 continue; 3559 3560 // Catch "memset(p, 0, sizeof(p))" -- needs to be sizeof(*p). Do this by 3561 // actually comparing the expressions for equality. Because computing the 3562 // expression IDs can be expensive, we only do this if the diagnostic is 3563 // enabled. 3564 if (SizeOfArg && 3565 Diags.getDiagnosticLevel(diag::warn_sizeof_pointer_expr_memaccess, 3566 SizeOfArg->getExprLoc())) { 3567 // We only compute IDs for expressions if the warning is enabled, and 3568 // cache the sizeof arg's ID. 3569 if (SizeOfArgID == llvm::FoldingSetNodeID()) 3570 SizeOfArg->Profile(SizeOfArgID, Context, true); 3571 llvm::FoldingSetNodeID DestID; 3572 Dest->Profile(DestID, Context, true); 3573 if (DestID == SizeOfArgID) { 3574 // TODO: For strncpy() and friends, this could suggest sizeof(dst) 3575 // over sizeof(src) as well. 3576 unsigned ActionIdx = 0; // Default is to suggest dereferencing. 3577 StringRef ReadableName = FnName->getName(); 3578 3579 if (const UnaryOperator *UnaryOp = dyn_cast<UnaryOperator>(Dest)) 3580 if (UnaryOp->getOpcode() == UO_AddrOf) 3581 ActionIdx = 1; // If its an address-of operator, just remove it. 3582 if (!PointeeTy->isIncompleteType() && 3583 (Context.getTypeSize(PointeeTy) == Context.getCharWidth())) 3584 ActionIdx = 2; // If the pointee's size is sizeof(char), 3585 // suggest an explicit length. 3586 3587 // If the function is defined as a builtin macro, do not show macro 3588 // expansion. 3589 SourceLocation SL = SizeOfArg->getExprLoc(); 3590 SourceRange DSR = Dest->getSourceRange(); 3591 SourceRange SSR = SizeOfArg->getSourceRange(); 3592 SourceManager &SM = PP.getSourceManager(); 3593 3594 if (SM.isMacroArgExpansion(SL)) { 3595 ReadableName = Lexer::getImmediateMacroName(SL, SM, LangOpts); 3596 SL = SM.getSpellingLoc(SL); 3597 DSR = SourceRange(SM.getSpellingLoc(DSR.getBegin()), 3598 SM.getSpellingLoc(DSR.getEnd())); 3599 SSR = SourceRange(SM.getSpellingLoc(SSR.getBegin()), 3600 SM.getSpellingLoc(SSR.getEnd())); 3601 } 3602 3603 DiagRuntimeBehavior(SL, SizeOfArg, 3604 PDiag(diag::warn_sizeof_pointer_expr_memaccess) 3605 << ReadableName 3606 << PointeeTy 3607 << DestTy 3608 << DSR 3609 << SSR); 3610 DiagRuntimeBehavior(SL, SizeOfArg, 3611 PDiag(diag::warn_sizeof_pointer_expr_memaccess_note) 3612 << ActionIdx 3613 << SSR); 3614 3615 break; 3616 } 3617 } 3618 3619 // Also check for cases where the sizeof argument is the exact same 3620 // type as the memory argument, and where it points to a user-defined 3621 // record type. 3622 if (SizeOfArgTy != QualType()) { 3623 if (PointeeTy->isRecordType() && 3624 Context.typesAreCompatible(SizeOfArgTy, DestTy)) { 3625 DiagRuntimeBehavior(LenExpr->getExprLoc(), Dest, 3626 PDiag(diag::warn_sizeof_pointer_type_memaccess) 3627 << FnName << SizeOfArgTy << ArgIdx 3628 << PointeeTy << Dest->getSourceRange() 3629 << LenExpr->getSourceRange()); 3630 break; 3631 } 3632 } 3633 3634 // Always complain about dynamic classes. 3635 if (isDynamicClassType(PointeeTy)) { 3636 3637 unsigned OperationType = 0; 3638 // "overwritten" if we're warning about the destination for any call 3639 // but memcmp; otherwise a verb appropriate to the call. 3640 if (ArgIdx != 0 || BId == Builtin::BImemcmp) { 3641 if (BId == Builtin::BImemcpy) 3642 OperationType = 1; 3643 else if(BId == Builtin::BImemmove) 3644 OperationType = 2; 3645 else if (BId == Builtin::BImemcmp) 3646 OperationType = 3; 3647 } 3648 3649 DiagRuntimeBehavior( 3650 Dest->getExprLoc(), Dest, 3651 PDiag(diag::warn_dyn_class_memaccess) 3652 << (BId == Builtin::BImemcmp ? ArgIdx + 2 : ArgIdx) 3653 << FnName << PointeeTy 3654 << OperationType 3655 << Call->getCallee()->getSourceRange()); 3656 } else if (PointeeTy.hasNonTrivialObjCLifetime() && 3657 BId != Builtin::BImemset) 3658 DiagRuntimeBehavior( 3659 Dest->getExprLoc(), Dest, 3660 PDiag(diag::warn_arc_object_memaccess) 3661 << ArgIdx << FnName << PointeeTy 3662 << Call->getCallee()->getSourceRange()); 3663 else 3664 continue; 3665 3666 DiagRuntimeBehavior( 3667 Dest->getExprLoc(), Dest, 3668 PDiag(diag::note_bad_memaccess_silence) 3669 << FixItHint::CreateInsertion(ArgRange.getBegin(), "(void*)")); 3670 break; 3671 } 3672 } 3673 } 3674 3675 // A little helper routine: ignore addition and subtraction of integer literals. 3676 // This intentionally does not ignore all integer constant expressions because 3677 // we don't want to remove sizeof(). 3678 static const Expr *ignoreLiteralAdditions(const Expr *Ex, ASTContext &Ctx) { 3679 Ex = Ex->IgnoreParenCasts(); 3680 3681 for (;;) { 3682 const BinaryOperator * BO = dyn_cast<BinaryOperator>(Ex); 3683 if (!BO || !BO->isAdditiveOp()) 3684 break; 3685 3686 const Expr *RHS = BO->getRHS()->IgnoreParenCasts(); 3687 const Expr *LHS = BO->getLHS()->IgnoreParenCasts(); 3688 3689 if (isa<IntegerLiteral>(RHS)) 3690 Ex = LHS; 3691 else if (isa<IntegerLiteral>(LHS)) 3692 Ex = RHS; 3693 else 3694 break; 3695 } 3696 3697 return Ex; 3698 } 3699 3700 static bool isConstantSizeArrayWithMoreThanOneElement(QualType Ty, 3701 ASTContext &Context) { 3702 // Only handle constant-sized or VLAs, but not flexible members. 3703 if (const ConstantArrayType *CAT = Context.getAsConstantArrayType(Ty)) { 3704 // Only issue the FIXIT for arrays of size > 1. 3705 if (CAT->getSize().getSExtValue() <= 1) 3706 return false; 3707 } else if (!Ty->isVariableArrayType()) { 3708 return false; 3709 } 3710 return true; 3711 } 3712 3713 // Warn if the user has made the 'size' argument to strlcpy or strlcat 3714 // be the size of the source, instead of the destination. 3715 void Sema::CheckStrlcpycatArguments(const CallExpr *Call, 3716 IdentifierInfo *FnName) { 3717 3718 // Don't crash if the user has the wrong number of arguments 3719 if (Call->getNumArgs() != 3) 3720 return; 3721 3722 const Expr *SrcArg = ignoreLiteralAdditions(Call->getArg(1), Context); 3723 const Expr *SizeArg = ignoreLiteralAdditions(Call->getArg(2), Context); 3724 const Expr *CompareWithSrc = NULL; 3725 3726 // Look for 'strlcpy(dst, x, sizeof(x))' 3727 if (const Expr *Ex = getSizeOfExprArg(SizeArg)) 3728 CompareWithSrc = Ex; 3729 else { 3730 // Look for 'strlcpy(dst, x, strlen(x))' 3731 if (const CallExpr *SizeCall = dyn_cast<CallExpr>(SizeArg)) { 3732 if (SizeCall->isBuiltinCall() == Builtin::BIstrlen 3733 && SizeCall->getNumArgs() == 1) 3734 CompareWithSrc = ignoreLiteralAdditions(SizeCall->getArg(0), Context); 3735 } 3736 } 3737 3738 if (!CompareWithSrc) 3739 return; 3740 3741 // Determine if the argument to sizeof/strlen is equal to the source 3742 // argument. In principle there's all kinds of things you could do 3743 // here, for instance creating an == expression and evaluating it with 3744 // EvaluateAsBooleanCondition, but this uses a more direct technique: 3745 const DeclRefExpr *SrcArgDRE = dyn_cast<DeclRefExpr>(SrcArg); 3746 if (!SrcArgDRE) 3747 return; 3748 3749 const DeclRefExpr *CompareWithSrcDRE = dyn_cast<DeclRefExpr>(CompareWithSrc); 3750 if (!CompareWithSrcDRE || 3751 SrcArgDRE->getDecl() != CompareWithSrcDRE->getDecl()) 3752 return; 3753 3754 const Expr *OriginalSizeArg = Call->getArg(2); 3755 Diag(CompareWithSrcDRE->getLocStart(), diag::warn_strlcpycat_wrong_size) 3756 << OriginalSizeArg->getSourceRange() << FnName; 3757 3758 // Output a FIXIT hint if the destination is an array (rather than a 3759 // pointer to an array). This could be enhanced to handle some 3760 // pointers if we know the actual size, like if DstArg is 'array+2' 3761 // we could say 'sizeof(array)-2'. 3762 const Expr *DstArg = Call->getArg(0)->IgnoreParenImpCasts(); 3763 if (!isConstantSizeArrayWithMoreThanOneElement(DstArg->getType(), Context)) 3764 return; 3765 3766 SmallString<128> sizeString; 3767 llvm::raw_svector_ostream OS(sizeString); 3768 OS << "sizeof("; 3769 DstArg->printPretty(OS, 0, getPrintingPolicy()); 3770 OS << ")"; 3771 3772 Diag(OriginalSizeArg->getLocStart(), diag::note_strlcpycat_wrong_size) 3773 << FixItHint::CreateReplacement(OriginalSizeArg->getSourceRange(), 3774 OS.str()); 3775 } 3776 3777 /// Check if two expressions refer to the same declaration. 3778 static bool referToTheSameDecl(const Expr *E1, const Expr *E2) { 3779 if (const DeclRefExpr *D1 = dyn_cast_or_null<DeclRefExpr>(E1)) 3780 if (const DeclRefExpr *D2 = dyn_cast_or_null<DeclRefExpr>(E2)) 3781 return D1->getDecl() == D2->getDecl(); 3782 return false; 3783 } 3784 3785 static const Expr *getStrlenExprArg(const Expr *E) { 3786 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { 3787 const FunctionDecl *FD = CE->getDirectCallee(); 3788 if (!FD || FD->getMemoryFunctionKind() != Builtin::BIstrlen) 3789 return 0; 3790 return CE->getArg(0)->IgnoreParenCasts(); 3791 } 3792 return 0; 3793 } 3794 3795 // Warn on anti-patterns as the 'size' argument to strncat. 3796 // The correct size argument should look like following: 3797 // strncat(dst, src, sizeof(dst) - strlen(dest) - 1); 3798 void Sema::CheckStrncatArguments(const CallExpr *CE, 3799 IdentifierInfo *FnName) { 3800 // Don't crash if the user has the wrong number of arguments. 3801 if (CE->getNumArgs() < 3) 3802 return; 3803 const Expr *DstArg = CE->getArg(0)->IgnoreParenCasts(); 3804 const Expr *SrcArg = CE->getArg(1)->IgnoreParenCasts(); 3805 const Expr *LenArg = CE->getArg(2)->IgnoreParenCasts(); 3806 3807 // Identify common expressions, which are wrongly used as the size argument 3808 // to strncat and may lead to buffer overflows. 3809 unsigned PatternType = 0; 3810 if (const Expr *SizeOfArg = getSizeOfExprArg(LenArg)) { 3811 // - sizeof(dst) 3812 if (referToTheSameDecl(SizeOfArg, DstArg)) 3813 PatternType = 1; 3814 // - sizeof(src) 3815 else if (referToTheSameDecl(SizeOfArg, SrcArg)) 3816 PatternType = 2; 3817 } else if (const BinaryOperator *BE = dyn_cast<BinaryOperator>(LenArg)) { 3818 if (BE->getOpcode() == BO_Sub) { 3819 const Expr *L = BE->getLHS()->IgnoreParenCasts(); 3820 const Expr *R = BE->getRHS()->IgnoreParenCasts(); 3821 // - sizeof(dst) - strlen(dst) 3822 if (referToTheSameDecl(DstArg, getSizeOfExprArg(L)) && 3823 referToTheSameDecl(DstArg, getStrlenExprArg(R))) 3824 PatternType = 1; 3825 // - sizeof(src) - (anything) 3826 else if (referToTheSameDecl(SrcArg, getSizeOfExprArg(L))) 3827 PatternType = 2; 3828 } 3829 } 3830 3831 if (PatternType == 0) 3832 return; 3833 3834 // Generate the diagnostic. 3835 SourceLocation SL = LenArg->getLocStart(); 3836 SourceRange SR = LenArg->getSourceRange(); 3837 SourceManager &SM = PP.getSourceManager(); 3838 3839 // If the function is defined as a builtin macro, do not show macro expansion. 3840 if (SM.isMacroArgExpansion(SL)) { 3841 SL = SM.getSpellingLoc(SL); 3842 SR = SourceRange(SM.getSpellingLoc(SR.getBegin()), 3843 SM.getSpellingLoc(SR.getEnd())); 3844 } 3845 3846 // Check if the destination is an array (rather than a pointer to an array). 3847 QualType DstTy = DstArg->getType(); 3848 bool isKnownSizeArray = isConstantSizeArrayWithMoreThanOneElement(DstTy, 3849 Context); 3850 if (!isKnownSizeArray) { 3851 if (PatternType == 1) 3852 Diag(SL, diag::warn_strncat_wrong_size) << SR; 3853 else 3854 Diag(SL, diag::warn_strncat_src_size) << SR; 3855 return; 3856 } 3857 3858 if (PatternType == 1) 3859 Diag(SL, diag::warn_strncat_large_size) << SR; 3860 else 3861 Diag(SL, diag::warn_strncat_src_size) << SR; 3862 3863 SmallString<128> sizeString; 3864 llvm::raw_svector_ostream OS(sizeString); 3865 OS << "sizeof("; 3866 DstArg->printPretty(OS, 0, getPrintingPolicy()); 3867 OS << ") - "; 3868 OS << "strlen("; 3869 DstArg->printPretty(OS, 0, getPrintingPolicy()); 3870 OS << ") - 1"; 3871 3872 Diag(SL, diag::note_strncat_wrong_size) 3873 << FixItHint::CreateReplacement(SR, OS.str()); 3874 } 3875 3876 //===--- CHECK: Return Address of Stack Variable --------------------------===// 3877 3878 static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars, 3879 Decl *ParentDecl); 3880 static Expr *EvalAddr(Expr* E, SmallVectorImpl<DeclRefExpr *> &refVars, 3881 Decl *ParentDecl); 3882 3883 /// CheckReturnStackAddr - Check if a return statement returns the address 3884 /// of a stack variable. 3885 void 3886 Sema::CheckReturnStackAddr(Expr *RetValExp, QualType lhsType, 3887 SourceLocation ReturnLoc) { 3888 3889 Expr *stackE = 0; 3890 SmallVector<DeclRefExpr *, 8> refVars; 3891 3892 // Perform checking for returned stack addresses, local blocks, 3893 // label addresses or references to temporaries. 3894 if (lhsType->isPointerType() || 3895 (!getLangOpts().ObjCAutoRefCount && lhsType->isBlockPointerType())) { 3896 stackE = EvalAddr(RetValExp, refVars, /*ParentDecl=*/0); 3897 } else if (lhsType->isReferenceType()) { 3898 stackE = EvalVal(RetValExp, refVars, /*ParentDecl=*/0); 3899 } 3900 3901 if (stackE == 0) 3902 return; // Nothing suspicious was found. 3903 3904 SourceLocation diagLoc; 3905 SourceRange diagRange; 3906 if (refVars.empty()) { 3907 diagLoc = stackE->getLocStart(); 3908 diagRange = stackE->getSourceRange(); 3909 } else { 3910 // We followed through a reference variable. 'stackE' contains the 3911 // problematic expression but we will warn at the return statement pointing 3912 // at the reference variable. We will later display the "trail" of 3913 // reference variables using notes. 3914 diagLoc = refVars[0]->getLocStart(); 3915 diagRange = refVars[0]->getSourceRange(); 3916 } 3917 3918 if (DeclRefExpr *DR = dyn_cast<DeclRefExpr>(stackE)) { //address of local var. 3919 Diag(diagLoc, lhsType->isReferenceType() ? diag::warn_ret_stack_ref 3920 : diag::warn_ret_stack_addr) 3921 << DR->getDecl()->getDeclName() << diagRange; 3922 } else if (isa<BlockExpr>(stackE)) { // local block. 3923 Diag(diagLoc, diag::err_ret_local_block) << diagRange; 3924 } else if (isa<AddrLabelExpr>(stackE)) { // address of label. 3925 Diag(diagLoc, diag::warn_ret_addr_label) << diagRange; 3926 } else { // local temporary. 3927 Diag(diagLoc, lhsType->isReferenceType() ? diag::warn_ret_local_temp_ref 3928 : diag::warn_ret_local_temp_addr) 3929 << diagRange; 3930 } 3931 3932 // Display the "trail" of reference variables that we followed until we 3933 // found the problematic expression using notes. 3934 for (unsigned i = 0, e = refVars.size(); i != e; ++i) { 3935 VarDecl *VD = cast<VarDecl>(refVars[i]->getDecl()); 3936 // If this var binds to another reference var, show the range of the next 3937 // var, otherwise the var binds to the problematic expression, in which case 3938 // show the range of the expression. 3939 SourceRange range = (i < e-1) ? refVars[i+1]->getSourceRange() 3940 : stackE->getSourceRange(); 3941 Diag(VD->getLocation(), diag::note_ref_var_local_bind) 3942 << VD->getDeclName() << range; 3943 } 3944 } 3945 3946 /// EvalAddr - EvalAddr and EvalVal are mutually recursive functions that 3947 /// check if the expression in a return statement evaluates to an address 3948 /// to a location on the stack, a local block, an address of a label, or a 3949 /// reference to local temporary. The recursion is used to traverse the 3950 /// AST of the return expression, with recursion backtracking when we 3951 /// encounter a subexpression that (1) clearly does not lead to one of the 3952 /// above problematic expressions (2) is something we cannot determine leads to 3953 /// a problematic expression based on such local checking. 3954 /// 3955 /// Both EvalAddr and EvalVal follow through reference variables to evaluate 3956 /// the expression that they point to. Such variables are added to the 3957 /// 'refVars' vector so that we know what the reference variable "trail" was. 3958 /// 3959 /// EvalAddr processes expressions that are pointers that are used as 3960 /// references (and not L-values). EvalVal handles all other values. 3961 /// At the base case of the recursion is a check for the above problematic 3962 /// expressions. 3963 /// 3964 /// This implementation handles: 3965 /// 3966 /// * pointer-to-pointer casts 3967 /// * implicit conversions from array references to pointers 3968 /// * taking the address of fields 3969 /// * arbitrary interplay between "&" and "*" operators 3970 /// * pointer arithmetic from an address of a stack variable 3971 /// * taking the address of an array element where the array is on the stack 3972 static Expr *EvalAddr(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars, 3973 Decl *ParentDecl) { 3974 if (E->isTypeDependent()) 3975 return NULL; 3976 3977 // We should only be called for evaluating pointer expressions. 3978 assert((E->getType()->isAnyPointerType() || 3979 E->getType()->isBlockPointerType() || 3980 E->getType()->isObjCQualifiedIdType()) && 3981 "EvalAddr only works on pointers"); 3982 3983 E = E->IgnoreParens(); 3984 3985 // Our "symbolic interpreter" is just a dispatch off the currently 3986 // viewed AST node. We then recursively traverse the AST by calling 3987 // EvalAddr and EvalVal appropriately. 3988 switch (E->getStmtClass()) { 3989 case Stmt::DeclRefExprClass: { 3990 DeclRefExpr *DR = cast<DeclRefExpr>(E); 3991 3992 if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) 3993 // If this is a reference variable, follow through to the expression that 3994 // it points to. 3995 if (V->hasLocalStorage() && 3996 V->getType()->isReferenceType() && V->hasInit()) { 3997 // Add the reference variable to the "trail". 3998 refVars.push_back(DR); 3999 return EvalAddr(V->getInit(), refVars, ParentDecl); 4000 } 4001 4002 return NULL; 4003 } 4004 4005 case Stmt::UnaryOperatorClass: { 4006 // The only unary operator that make sense to handle here 4007 // is AddrOf. All others don't make sense as pointers. 4008 UnaryOperator *U = cast<UnaryOperator>(E); 4009 4010 if (U->getOpcode() == UO_AddrOf) 4011 return EvalVal(U->getSubExpr(), refVars, ParentDecl); 4012 else 4013 return NULL; 4014 } 4015 4016 case Stmt::BinaryOperatorClass: { 4017 // Handle pointer arithmetic. All other binary operators are not valid 4018 // in this context. 4019 BinaryOperator *B = cast<BinaryOperator>(E); 4020 BinaryOperatorKind op = B->getOpcode(); 4021 4022 if (op != BO_Add && op != BO_Sub) 4023 return NULL; 4024 4025 Expr *Base = B->getLHS(); 4026 4027 // Determine which argument is the real pointer base. It could be 4028 // the RHS argument instead of the LHS. 4029 if (!Base->getType()->isPointerType()) Base = B->getRHS(); 4030 4031 assert (Base->getType()->isPointerType()); 4032 return EvalAddr(Base, refVars, ParentDecl); 4033 } 4034 4035 // For conditional operators we need to see if either the LHS or RHS are 4036 // valid DeclRefExpr*s. If one of them is valid, we return it. 4037 case Stmt::ConditionalOperatorClass: { 4038 ConditionalOperator *C = cast<ConditionalOperator>(E); 4039 4040 // Handle the GNU extension for missing LHS. 4041 if (Expr *lhsExpr = C->getLHS()) { 4042 // In C++, we can have a throw-expression, which has 'void' type. 4043 if (!lhsExpr->getType()->isVoidType()) 4044 if (Expr* LHS = EvalAddr(lhsExpr, refVars, ParentDecl)) 4045 return LHS; 4046 } 4047 4048 // In C++, we can have a throw-expression, which has 'void' type. 4049 if (C->getRHS()->getType()->isVoidType()) 4050 return NULL; 4051 4052 return EvalAddr(C->getRHS(), refVars, ParentDecl); 4053 } 4054 4055 case Stmt::BlockExprClass: 4056 if (cast<BlockExpr>(E)->getBlockDecl()->hasCaptures()) 4057 return E; // local block. 4058 return NULL; 4059 4060 case Stmt::AddrLabelExprClass: 4061 return E; // address of label. 4062 4063 case Stmt::ExprWithCleanupsClass: 4064 return EvalAddr(cast<ExprWithCleanups>(E)->getSubExpr(), refVars, 4065 ParentDecl); 4066 4067 // For casts, we need to handle conversions from arrays to 4068 // pointer values, and pointer-to-pointer conversions. 4069 case Stmt::ImplicitCastExprClass: 4070 case Stmt::CStyleCastExprClass: 4071 case Stmt::CXXFunctionalCastExprClass: 4072 case Stmt::ObjCBridgedCastExprClass: 4073 case Stmt::CXXStaticCastExprClass: 4074 case Stmt::CXXDynamicCastExprClass: 4075 case Stmt::CXXConstCastExprClass: 4076 case Stmt::CXXReinterpretCastExprClass: { 4077 Expr* SubExpr = cast<CastExpr>(E)->getSubExpr(); 4078 switch (cast<CastExpr>(E)->getCastKind()) { 4079 case CK_BitCast: 4080 case CK_LValueToRValue: 4081 case CK_NoOp: 4082 case CK_BaseToDerived: 4083 case CK_DerivedToBase: 4084 case CK_UncheckedDerivedToBase: 4085 case CK_Dynamic: 4086 case CK_CPointerToObjCPointerCast: 4087 case CK_BlockPointerToObjCPointerCast: 4088 case CK_AnyPointerToBlockPointerCast: 4089 return EvalAddr(SubExpr, refVars, ParentDecl); 4090 4091 case CK_ArrayToPointerDecay: 4092 return EvalVal(SubExpr, refVars, ParentDecl); 4093 4094 default: 4095 return 0; 4096 } 4097 } 4098 4099 case Stmt::MaterializeTemporaryExprClass: 4100 if (Expr *Result = EvalAddr( 4101 cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(), 4102 refVars, ParentDecl)) 4103 return Result; 4104 4105 return E; 4106 4107 // Everything else: we simply don't reason about them. 4108 default: 4109 return NULL; 4110 } 4111 } 4112 4113 4114 /// EvalVal - This function is complements EvalAddr in the mutual recursion. 4115 /// See the comments for EvalAddr for more details. 4116 static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars, 4117 Decl *ParentDecl) { 4118 do { 4119 // We should only be called for evaluating non-pointer expressions, or 4120 // expressions with a pointer type that are not used as references but instead 4121 // are l-values (e.g., DeclRefExpr with a pointer type). 4122 4123 // Our "symbolic interpreter" is just a dispatch off the currently 4124 // viewed AST node. We then recursively traverse the AST by calling 4125 // EvalAddr and EvalVal appropriately. 4126 4127 E = E->IgnoreParens(); 4128 switch (E->getStmtClass()) { 4129 case Stmt::ImplicitCastExprClass: { 4130 ImplicitCastExpr *IE = cast<ImplicitCastExpr>(E); 4131 if (IE->getValueKind() == VK_LValue) { 4132 E = IE->getSubExpr(); 4133 continue; 4134 } 4135 return NULL; 4136 } 4137 4138 case Stmt::ExprWithCleanupsClass: 4139 return EvalVal(cast<ExprWithCleanups>(E)->getSubExpr(), refVars,ParentDecl); 4140 4141 case Stmt::DeclRefExprClass: { 4142 // When we hit a DeclRefExpr we are looking at code that refers to a 4143 // variable's name. If it's not a reference variable we check if it has 4144 // local storage within the function, and if so, return the expression. 4145 DeclRefExpr *DR = cast<DeclRefExpr>(E); 4146 4147 if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) { 4148 // Check if it refers to itself, e.g. "int& i = i;". 4149 if (V == ParentDecl) 4150 return DR; 4151 4152 if (V->hasLocalStorage()) { 4153 if (!V->getType()->isReferenceType()) 4154 return DR; 4155 4156 // Reference variable, follow through to the expression that 4157 // it points to. 4158 if (V->hasInit()) { 4159 // Add the reference variable to the "trail". 4160 refVars.push_back(DR); 4161 return EvalVal(V->getInit(), refVars, V); 4162 } 4163 } 4164 } 4165 4166 return NULL; 4167 } 4168 4169 case Stmt::UnaryOperatorClass: { 4170 // The only unary operator that make sense to handle here 4171 // is Deref. All others don't resolve to a "name." This includes 4172 // handling all sorts of rvalues passed to a unary operator. 4173 UnaryOperator *U = cast<UnaryOperator>(E); 4174 4175 if (U->getOpcode() == UO_Deref) 4176 return EvalAddr(U->getSubExpr(), refVars, ParentDecl); 4177 4178 return NULL; 4179 } 4180 4181 case Stmt::ArraySubscriptExprClass: { 4182 // Array subscripts are potential references to data on the stack. We 4183 // retrieve the DeclRefExpr* for the array variable if it indeed 4184 // has local storage. 4185 return EvalAddr(cast<ArraySubscriptExpr>(E)->getBase(), refVars,ParentDecl); 4186 } 4187 4188 case Stmt::ConditionalOperatorClass: { 4189 // For conditional operators we need to see if either the LHS or RHS are 4190 // non-NULL Expr's. If one is non-NULL, we return it. 4191 ConditionalOperator *C = cast<ConditionalOperator>(E); 4192 4193 // Handle the GNU extension for missing LHS. 4194 if (Expr *lhsExpr = C->getLHS()) 4195 if (Expr *LHS = EvalVal(lhsExpr, refVars, ParentDecl)) 4196 return LHS; 4197 4198 return EvalVal(C->getRHS(), refVars, ParentDecl); 4199 } 4200 4201 // Accesses to members are potential references to data on the stack. 4202 case Stmt::MemberExprClass: { 4203 MemberExpr *M = cast<MemberExpr>(E); 4204 4205 // Check for indirect access. We only want direct field accesses. 4206 if (M->isArrow()) 4207 return NULL; 4208 4209 // Check whether the member type is itself a reference, in which case 4210 // we're not going to refer to the member, but to what the member refers to. 4211 if (M->getMemberDecl()->getType()->isReferenceType()) 4212 return NULL; 4213 4214 return EvalVal(M->getBase(), refVars, ParentDecl); 4215 } 4216 4217 case Stmt::MaterializeTemporaryExprClass: 4218 if (Expr *Result = EvalVal( 4219 cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(), 4220 refVars, ParentDecl)) 4221 return Result; 4222 4223 return E; 4224 4225 default: 4226 // Check that we don't return or take the address of a reference to a 4227 // temporary. This is only useful in C++. 4228 if (!E->isTypeDependent() && E->isRValue()) 4229 return E; 4230 4231 // Everything else: we simply don't reason about them. 4232 return NULL; 4233 } 4234 } while (true); 4235 } 4236 4237 //===--- CHECK: Floating-Point comparisons (-Wfloat-equal) ---------------===// 4238 4239 /// Check for comparisons of floating point operands using != and ==. 4240 /// Issue a warning if these are no self-comparisons, as they are not likely 4241 /// to do what the programmer intended. 4242 void Sema::CheckFloatComparison(SourceLocation Loc, Expr* LHS, Expr *RHS) { 4243 Expr* LeftExprSansParen = LHS->IgnoreParenImpCasts(); 4244 Expr* RightExprSansParen = RHS->IgnoreParenImpCasts(); 4245 4246 // Special case: check for x == x (which is OK). 4247 // Do not emit warnings for such cases. 4248 if (DeclRefExpr* DRL = dyn_cast<DeclRefExpr>(LeftExprSansParen)) 4249 if (DeclRefExpr* DRR = dyn_cast<DeclRefExpr>(RightExprSansParen)) 4250 if (DRL->getDecl() == DRR->getDecl()) 4251 return; 4252 4253 4254 // Special case: check for comparisons against literals that can be exactly 4255 // represented by APFloat. In such cases, do not emit a warning. This 4256 // is a heuristic: often comparison against such literals are used to 4257 // detect if a value in a variable has not changed. This clearly can 4258 // lead to false negatives. 4259 if (FloatingLiteral* FLL = dyn_cast<FloatingLiteral>(LeftExprSansParen)) { 4260 if (FLL->isExact()) 4261 return; 4262 } else 4263 if (FloatingLiteral* FLR = dyn_cast<FloatingLiteral>(RightExprSansParen)) 4264 if (FLR->isExact()) 4265 return; 4266 4267 // Check for comparisons with builtin types. 4268 if (CallExpr* CL = dyn_cast<CallExpr>(LeftExprSansParen)) 4269 if (CL->isBuiltinCall()) 4270 return; 4271 4272 if (CallExpr* CR = dyn_cast<CallExpr>(RightExprSansParen)) 4273 if (CR->isBuiltinCall()) 4274 return; 4275 4276 // Emit the diagnostic. 4277 Diag(Loc, diag::warn_floatingpoint_eq) 4278 << LHS->getSourceRange() << RHS->getSourceRange(); 4279 } 4280 4281 //===--- CHECK: Integer mixed-sign comparisons (-Wsign-compare) --------===// 4282 //===--- CHECK: Lossy implicit conversions (-Wconversion) --------------===// 4283 4284 namespace { 4285 4286 /// Structure recording the 'active' range of an integer-valued 4287 /// expression. 4288 struct IntRange { 4289 /// The number of bits active in the int. 4290 unsigned Width; 4291 4292 /// True if the int is known not to have negative values. 4293 bool NonNegative; 4294 4295 IntRange(unsigned Width, bool NonNegative) 4296 : Width(Width), NonNegative(NonNegative) 4297 {} 4298 4299 /// Returns the range of the bool type. 4300 static IntRange forBoolType() { 4301 return IntRange(1, true); 4302 } 4303 4304 /// Returns the range of an opaque value of the given integral type. 4305 static IntRange forValueOfType(ASTContext &C, QualType T) { 4306 return forValueOfCanonicalType(C, 4307 T->getCanonicalTypeInternal().getTypePtr()); 4308 } 4309 4310 /// Returns the range of an opaque value of a canonical integral type. 4311 static IntRange forValueOfCanonicalType(ASTContext &C, const Type *T) { 4312 assert(T->isCanonicalUnqualified()); 4313 4314 if (const VectorType *VT = dyn_cast<VectorType>(T)) 4315 T = VT->getElementType().getTypePtr(); 4316 if (const ComplexType *CT = dyn_cast<ComplexType>(T)) 4317 T = CT->getElementType().getTypePtr(); 4318 4319 // For enum types, use the known bit width of the enumerators. 4320 if (const EnumType *ET = dyn_cast<EnumType>(T)) { 4321 EnumDecl *Enum = ET->getDecl(); 4322 if (!Enum->isCompleteDefinition()) 4323 return IntRange(C.getIntWidth(QualType(T, 0)), false); 4324 4325 unsigned NumPositive = Enum->getNumPositiveBits(); 4326 unsigned NumNegative = Enum->getNumNegativeBits(); 4327 4328 if (NumNegative == 0) 4329 return IntRange(NumPositive, true/*NonNegative*/); 4330 else 4331 return IntRange(std::max(NumPositive + 1, NumNegative), 4332 false/*NonNegative*/); 4333 } 4334 4335 const BuiltinType *BT = cast<BuiltinType>(T); 4336 assert(BT->isInteger()); 4337 4338 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); 4339 } 4340 4341 /// Returns the "target" range of a canonical integral type, i.e. 4342 /// the range of values expressible in the type. 4343 /// 4344 /// This matches forValueOfCanonicalType except that enums have the 4345 /// full range of their type, not the range of their enumerators. 4346 static IntRange forTargetOfCanonicalType(ASTContext &C, const Type *T) { 4347 assert(T->isCanonicalUnqualified()); 4348 4349 if (const VectorType *VT = dyn_cast<VectorType>(T)) 4350 T = VT->getElementType().getTypePtr(); 4351 if (const ComplexType *CT = dyn_cast<ComplexType>(T)) 4352 T = CT->getElementType().getTypePtr(); 4353 if (const EnumType *ET = dyn_cast<EnumType>(T)) 4354 T = C.getCanonicalType(ET->getDecl()->getIntegerType()).getTypePtr(); 4355 4356 const BuiltinType *BT = cast<BuiltinType>(T); 4357 assert(BT->isInteger()); 4358 4359 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); 4360 } 4361 4362 /// Returns the supremum of two ranges: i.e. their conservative merge. 4363 static IntRange join(IntRange L, IntRange R) { 4364 return IntRange(std::max(L.Width, R.Width), 4365 L.NonNegative && R.NonNegative); 4366 } 4367 4368 /// Returns the infinum of two ranges: i.e. their aggressive merge. 4369 static IntRange meet(IntRange L, IntRange R) { 4370 return IntRange(std::min(L.Width, R.Width), 4371 L.NonNegative || R.NonNegative); 4372 } 4373 }; 4374 4375 static IntRange GetValueRange(ASTContext &C, llvm::APSInt &value, 4376 unsigned MaxWidth) { 4377 if (value.isSigned() && value.isNegative()) 4378 return IntRange(value.getMinSignedBits(), false); 4379 4380 if (value.getBitWidth() > MaxWidth) 4381 value = value.trunc(MaxWidth); 4382 4383 // isNonNegative() just checks the sign bit without considering 4384 // signedness. 4385 return IntRange(value.getActiveBits(), true); 4386 } 4387 4388 static IntRange GetValueRange(ASTContext &C, APValue &result, QualType Ty, 4389 unsigned MaxWidth) { 4390 if (result.isInt()) 4391 return GetValueRange(C, result.getInt(), MaxWidth); 4392 4393 if (result.isVector()) { 4394 IntRange R = GetValueRange(C, result.getVectorElt(0), Ty, MaxWidth); 4395 for (unsigned i = 1, e = result.getVectorLength(); i != e; ++i) { 4396 IntRange El = GetValueRange(C, result.getVectorElt(i), Ty, MaxWidth); 4397 R = IntRange::join(R, El); 4398 } 4399 return R; 4400 } 4401 4402 if (result.isComplexInt()) { 4403 IntRange R = GetValueRange(C, result.getComplexIntReal(), MaxWidth); 4404 IntRange I = GetValueRange(C, result.getComplexIntImag(), MaxWidth); 4405 return IntRange::join(R, I); 4406 } 4407 4408 // This can happen with lossless casts to intptr_t of "based" lvalues. 4409 // Assume it might use arbitrary bits. 4410 // FIXME: The only reason we need to pass the type in here is to get 4411 // the sign right on this one case. It would be nice if APValue 4412 // preserved this. 4413 assert(result.isLValue() || result.isAddrLabelDiff()); 4414 return IntRange(MaxWidth, Ty->isUnsignedIntegerOrEnumerationType()); 4415 } 4416 4417 static QualType GetExprType(Expr *E) { 4418 QualType Ty = E->getType(); 4419 if (const AtomicType *AtomicRHS = Ty->getAs<AtomicType>()) 4420 Ty = AtomicRHS->getValueType(); 4421 return Ty; 4422 } 4423 4424 /// Pseudo-evaluate the given integer expression, estimating the 4425 /// range of values it might take. 4426 /// 4427 /// \param MaxWidth - the width to which the value will be truncated 4428 static IntRange GetExprRange(ASTContext &C, Expr *E, unsigned MaxWidth) { 4429 E = E->IgnoreParens(); 4430 4431 // Try a full evaluation first. 4432 Expr::EvalResult result; 4433 if (E->EvaluateAsRValue(result, C)) 4434 return GetValueRange(C, result.Val, GetExprType(E), MaxWidth); 4435 4436 // I think we only want to look through implicit casts here; if the 4437 // user has an explicit widening cast, we should treat the value as 4438 // being of the new, wider type. 4439 if (ImplicitCastExpr *CE = dyn_cast<ImplicitCastExpr>(E)) { 4440 if (CE->getCastKind() == CK_NoOp || CE->getCastKind() == CK_LValueToRValue) 4441 return GetExprRange(C, CE->getSubExpr(), MaxWidth); 4442 4443 IntRange OutputTypeRange = IntRange::forValueOfType(C, GetExprType(CE)); 4444 4445 bool isIntegerCast = (CE->getCastKind() == CK_IntegralCast); 4446 4447 // Assume that non-integer casts can span the full range of the type. 4448 if (!isIntegerCast) 4449 return OutputTypeRange; 4450 4451 IntRange SubRange 4452 = GetExprRange(C, CE->getSubExpr(), 4453 std::min(MaxWidth, OutputTypeRange.Width)); 4454 4455 // Bail out if the subexpr's range is as wide as the cast type. 4456 if (SubRange.Width >= OutputTypeRange.Width) 4457 return OutputTypeRange; 4458 4459 // Otherwise, we take the smaller width, and we're non-negative if 4460 // either the output type or the subexpr is. 4461 return IntRange(SubRange.Width, 4462 SubRange.NonNegative || OutputTypeRange.NonNegative); 4463 } 4464 4465 if (ConditionalOperator *CO = dyn_cast<ConditionalOperator>(E)) { 4466 // If we can fold the condition, just take that operand. 4467 bool CondResult; 4468 if (CO->getCond()->EvaluateAsBooleanCondition(CondResult, C)) 4469 return GetExprRange(C, CondResult ? CO->getTrueExpr() 4470 : CO->getFalseExpr(), 4471 MaxWidth); 4472 4473 // Otherwise, conservatively merge. 4474 IntRange L = GetExprRange(C, CO->getTrueExpr(), MaxWidth); 4475 IntRange R = GetExprRange(C, CO->getFalseExpr(), MaxWidth); 4476 return IntRange::join(L, R); 4477 } 4478 4479 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 4480 switch (BO->getOpcode()) { 4481 4482 // Boolean-valued operations are single-bit and positive. 4483 case BO_LAnd: 4484 case BO_LOr: 4485 case BO_LT: 4486 case BO_GT: 4487 case BO_LE: 4488 case BO_GE: 4489 case BO_EQ: 4490 case BO_NE: 4491 return IntRange::forBoolType(); 4492 4493 // The type of the assignments is the type of the LHS, so the RHS 4494 // is not necessarily the same type. 4495 case BO_MulAssign: 4496 case BO_DivAssign: 4497 case BO_RemAssign: 4498 case BO_AddAssign: 4499 case BO_SubAssign: 4500 case BO_XorAssign: 4501 case BO_OrAssign: 4502 // TODO: bitfields? 4503 return IntRange::forValueOfType(C, GetExprType(E)); 4504 4505 // Simple assignments just pass through the RHS, which will have 4506 // been coerced to the LHS type. 4507 case BO_Assign: 4508 // TODO: bitfields? 4509 return GetExprRange(C, BO->getRHS(), MaxWidth); 4510 4511 // Operations with opaque sources are black-listed. 4512 case BO_PtrMemD: 4513 case BO_PtrMemI: 4514 return IntRange::forValueOfType(C, GetExprType(E)); 4515 4516 // Bitwise-and uses the *infinum* of the two source ranges. 4517 case BO_And: 4518 case BO_AndAssign: 4519 return IntRange::meet(GetExprRange(C, BO->getLHS(), MaxWidth), 4520 GetExprRange(C, BO->getRHS(), MaxWidth)); 4521 4522 // Left shift gets black-listed based on a judgement call. 4523 case BO_Shl: 4524 // ...except that we want to treat '1 << (blah)' as logically 4525 // positive. It's an important idiom. 4526 if (IntegerLiteral *I 4527 = dyn_cast<IntegerLiteral>(BO->getLHS()->IgnoreParenCasts())) { 4528 if (I->getValue() == 1) { 4529 IntRange R = IntRange::forValueOfType(C, GetExprType(E)); 4530 return IntRange(R.Width, /*NonNegative*/ true); 4531 } 4532 } 4533 // fallthrough 4534 4535 case BO_ShlAssign: 4536 return IntRange::forValueOfType(C, GetExprType(E)); 4537 4538 // Right shift by a constant can narrow its left argument. 4539 case BO_Shr: 4540 case BO_ShrAssign: { 4541 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 4542 4543 // If the shift amount is a positive constant, drop the width by 4544 // that much. 4545 llvm::APSInt shift; 4546 if (BO->getRHS()->isIntegerConstantExpr(shift, C) && 4547 shift.isNonNegative()) { 4548 unsigned zext = shift.getZExtValue(); 4549 if (zext >= L.Width) 4550 L.Width = (L.NonNegative ? 0 : 1); 4551 else 4552 L.Width -= zext; 4553 } 4554 4555 return L; 4556 } 4557 4558 // Comma acts as its right operand. 4559 case BO_Comma: 4560 return GetExprRange(C, BO->getRHS(), MaxWidth); 4561 4562 // Black-list pointer subtractions. 4563 case BO_Sub: 4564 if (BO->getLHS()->getType()->isPointerType()) 4565 return IntRange::forValueOfType(C, GetExprType(E)); 4566 break; 4567 4568 // The width of a division result is mostly determined by the size 4569 // of the LHS. 4570 case BO_Div: { 4571 // Don't 'pre-truncate' the operands. 4572 unsigned opWidth = C.getIntWidth(GetExprType(E)); 4573 IntRange L = GetExprRange(C, BO->getLHS(), opWidth); 4574 4575 // If the divisor is constant, use that. 4576 llvm::APSInt divisor; 4577 if (BO->getRHS()->isIntegerConstantExpr(divisor, C)) { 4578 unsigned log2 = divisor.logBase2(); // floor(log_2(divisor)) 4579 if (log2 >= L.Width) 4580 L.Width = (L.NonNegative ? 0 : 1); 4581 else 4582 L.Width = std::min(L.Width - log2, MaxWidth); 4583 return L; 4584 } 4585 4586 // Otherwise, just use the LHS's width. 4587 IntRange R = GetExprRange(C, BO->getRHS(), opWidth); 4588 return IntRange(L.Width, L.NonNegative && R.NonNegative); 4589 } 4590 4591 // The result of a remainder can't be larger than the result of 4592 // either side. 4593 case BO_Rem: { 4594 // Don't 'pre-truncate' the operands. 4595 unsigned opWidth = C.getIntWidth(GetExprType(E)); 4596 IntRange L = GetExprRange(C, BO->getLHS(), opWidth); 4597 IntRange R = GetExprRange(C, BO->getRHS(), opWidth); 4598 4599 IntRange meet = IntRange::meet(L, R); 4600 meet.Width = std::min(meet.Width, MaxWidth); 4601 return meet; 4602 } 4603 4604 // The default behavior is okay for these. 4605 case BO_Mul: 4606 case BO_Add: 4607 case BO_Xor: 4608 case BO_Or: 4609 break; 4610 } 4611 4612 // The default case is to treat the operation as if it were closed 4613 // on the narrowest type that encompasses both operands. 4614 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 4615 IntRange R = GetExprRange(C, BO->getRHS(), MaxWidth); 4616 return IntRange::join(L, R); 4617 } 4618 4619 if (UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) { 4620 switch (UO->getOpcode()) { 4621 // Boolean-valued operations are white-listed. 4622 case UO_LNot: 4623 return IntRange::forBoolType(); 4624 4625 // Operations with opaque sources are black-listed. 4626 case UO_Deref: 4627 case UO_AddrOf: // should be impossible 4628 return IntRange::forValueOfType(C, GetExprType(E)); 4629 4630 default: 4631 return GetExprRange(C, UO->getSubExpr(), MaxWidth); 4632 } 4633 } 4634 4635 if (FieldDecl *BitField = E->getSourceBitField()) 4636 return IntRange(BitField->getBitWidthValue(C), 4637 BitField->getType()->isUnsignedIntegerOrEnumerationType()); 4638 4639 return IntRange::forValueOfType(C, GetExprType(E)); 4640 } 4641 4642 static IntRange GetExprRange(ASTContext &C, Expr *E) { 4643 return GetExprRange(C, E, C.getIntWidth(GetExprType(E))); 4644 } 4645 4646 /// Checks whether the given value, which currently has the given 4647 /// source semantics, has the same value when coerced through the 4648 /// target semantics. 4649 static bool IsSameFloatAfterCast(const llvm::APFloat &value, 4650 const llvm::fltSemantics &Src, 4651 const llvm::fltSemantics &Tgt) { 4652 llvm::APFloat truncated = value; 4653 4654 bool ignored; 4655 truncated.convert(Src, llvm::APFloat::rmNearestTiesToEven, &ignored); 4656 truncated.convert(Tgt, llvm::APFloat::rmNearestTiesToEven, &ignored); 4657 4658 return truncated.bitwiseIsEqual(value); 4659 } 4660 4661 /// Checks whether the given value, which currently has the given 4662 /// source semantics, has the same value when coerced through the 4663 /// target semantics. 4664 /// 4665 /// The value might be a vector of floats (or a complex number). 4666 static bool IsSameFloatAfterCast(const APValue &value, 4667 const llvm::fltSemantics &Src, 4668 const llvm::fltSemantics &Tgt) { 4669 if (value.isFloat()) 4670 return IsSameFloatAfterCast(value.getFloat(), Src, Tgt); 4671 4672 if (value.isVector()) { 4673 for (unsigned i = 0, e = value.getVectorLength(); i != e; ++i) 4674 if (!IsSameFloatAfterCast(value.getVectorElt(i), Src, Tgt)) 4675 return false; 4676 return true; 4677 } 4678 4679 assert(value.isComplexFloat()); 4680 return (IsSameFloatAfterCast(value.getComplexFloatReal(), Src, Tgt) && 4681 IsSameFloatAfterCast(value.getComplexFloatImag(), Src, Tgt)); 4682 } 4683 4684 static void AnalyzeImplicitConversions(Sema &S, Expr *E, SourceLocation CC); 4685 4686 static bool IsZero(Sema &S, Expr *E) { 4687 // Suppress cases where we are comparing against an enum constant. 4688 if (const DeclRefExpr *DR = 4689 dyn_cast<DeclRefExpr>(E->IgnoreParenImpCasts())) 4690 if (isa<EnumConstantDecl>(DR->getDecl())) 4691 return false; 4692 4693 // Suppress cases where the '0' value is expanded from a macro. 4694 if (E->getLocStart().isMacroID()) 4695 return false; 4696 4697 llvm::APSInt Value; 4698 return E->isIntegerConstantExpr(Value, S.Context) && Value == 0; 4699 } 4700 4701 static bool HasEnumType(Expr *E) { 4702 // Strip off implicit integral promotions. 4703 while (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) { 4704 if (ICE->getCastKind() != CK_IntegralCast && 4705 ICE->getCastKind() != CK_NoOp) 4706 break; 4707 E = ICE->getSubExpr(); 4708 } 4709 4710 return E->getType()->isEnumeralType(); 4711 } 4712 4713 static void CheckTrivialUnsignedComparison(Sema &S, BinaryOperator *E) { 4714 BinaryOperatorKind op = E->getOpcode(); 4715 if (E->isValueDependent()) 4716 return; 4717 4718 if (op == BO_LT && IsZero(S, E->getRHS())) { 4719 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 4720 << "< 0" << "false" << HasEnumType(E->getLHS()) 4721 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 4722 } else if (op == BO_GE && IsZero(S, E->getRHS())) { 4723 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 4724 << ">= 0" << "true" << HasEnumType(E->getLHS()) 4725 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 4726 } else if (op == BO_GT && IsZero(S, E->getLHS())) { 4727 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 4728 << "0 >" << "false" << HasEnumType(E->getRHS()) 4729 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 4730 } else if (op == BO_LE && IsZero(S, E->getLHS())) { 4731 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 4732 << "0 <=" << "true" << HasEnumType(E->getRHS()) 4733 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 4734 } 4735 } 4736 4737 static void DiagnoseOutOfRangeComparison(Sema &S, BinaryOperator *E, 4738 Expr *Constant, Expr *Other, 4739 llvm::APSInt Value, 4740 bool RhsConstant) { 4741 // 0 values are handled later by CheckTrivialUnsignedComparison(). 4742 if (Value == 0) 4743 return; 4744 4745 BinaryOperatorKind op = E->getOpcode(); 4746 QualType OtherT = Other->getType(); 4747 QualType ConstantT = Constant->getType(); 4748 QualType CommonT = E->getLHS()->getType(); 4749 if (S.Context.hasSameUnqualifiedType(OtherT, ConstantT)) 4750 return; 4751 assert((OtherT->isIntegerType() && ConstantT->isIntegerType()) 4752 && "comparison with non-integer type"); 4753 4754 bool ConstantSigned = ConstantT->isSignedIntegerType(); 4755 bool CommonSigned = CommonT->isSignedIntegerType(); 4756 4757 bool EqualityOnly = false; 4758 4759 // TODO: Investigate using GetExprRange() to get tighter bounds on 4760 // on the bit ranges. 4761 IntRange OtherRange = IntRange::forValueOfType(S.Context, OtherT); 4762 unsigned OtherWidth = OtherRange.Width; 4763 4764 if (CommonSigned) { 4765 // The common type is signed, therefore no signed to unsigned conversion. 4766 if (!OtherRange.NonNegative) { 4767 // Check that the constant is representable in type OtherT. 4768 if (ConstantSigned) { 4769 if (OtherWidth >= Value.getMinSignedBits()) 4770 return; 4771 } else { // !ConstantSigned 4772 if (OtherWidth >= Value.getActiveBits() + 1) 4773 return; 4774 } 4775 } else { // !OtherSigned 4776 // Check that the constant is representable in type OtherT. 4777 // Negative values are out of range. 4778 if (ConstantSigned) { 4779 if (Value.isNonNegative() && OtherWidth >= Value.getActiveBits()) 4780 return; 4781 } else { // !ConstantSigned 4782 if (OtherWidth >= Value.getActiveBits()) 4783 return; 4784 } 4785 } 4786 } else { // !CommonSigned 4787 if (OtherRange.NonNegative) { 4788 if (OtherWidth >= Value.getActiveBits()) 4789 return; 4790 } else if (!OtherRange.NonNegative && !ConstantSigned) { 4791 // Check to see if the constant is representable in OtherT. 4792 if (OtherWidth > Value.getActiveBits()) 4793 return; 4794 // Check to see if the constant is equivalent to a negative value 4795 // cast to CommonT. 4796 if (S.Context.getIntWidth(ConstantT) == S.Context.getIntWidth(CommonT) && 4797 Value.isNegative() && Value.getMinSignedBits() <= OtherWidth) 4798 return; 4799 // The constant value rests between values that OtherT can represent after 4800 // conversion. Relational comparison still works, but equality 4801 // comparisons will be tautological. 4802 EqualityOnly = true; 4803 } else { // OtherSigned && ConstantSigned 4804 assert(0 && "Two signed types converted to unsigned types."); 4805 } 4806 } 4807 4808 bool PositiveConstant = !ConstantSigned || Value.isNonNegative(); 4809 4810 bool IsTrue = true; 4811 if (op == BO_EQ || op == BO_NE) { 4812 IsTrue = op == BO_NE; 4813 } else if (EqualityOnly) { 4814 return; 4815 } else if (RhsConstant) { 4816 if (op == BO_GT || op == BO_GE) 4817 IsTrue = !PositiveConstant; 4818 else // op == BO_LT || op == BO_LE 4819 IsTrue = PositiveConstant; 4820 } else { 4821 if (op == BO_LT || op == BO_LE) 4822 IsTrue = !PositiveConstant; 4823 else // op == BO_GT || op == BO_GE 4824 IsTrue = PositiveConstant; 4825 } 4826 4827 // If this is a comparison to an enum constant, include that 4828 // constant in the diagnostic. 4829 const EnumConstantDecl *ED = 0; 4830 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Constant)) 4831 ED = dyn_cast<EnumConstantDecl>(DR->getDecl()); 4832 4833 SmallString<64> PrettySourceValue; 4834 llvm::raw_svector_ostream OS(PrettySourceValue); 4835 if (ED) 4836 OS << '\'' << *ED << "' (" << Value << ")"; 4837 else 4838 OS << Value; 4839 4840 S.Diag(E->getOperatorLoc(), diag::warn_out_of_range_compare) 4841 << OS.str() << OtherT << IsTrue 4842 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 4843 } 4844 4845 /// Analyze the operands of the given comparison. Implements the 4846 /// fallback case from AnalyzeComparison. 4847 static void AnalyzeImpConvsInComparison(Sema &S, BinaryOperator *E) { 4848 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc()); 4849 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc()); 4850 } 4851 4852 /// \brief Implements -Wsign-compare. 4853 /// 4854 /// \param E the binary operator to check for warnings 4855 static void AnalyzeComparison(Sema &S, BinaryOperator *E) { 4856 // The type the comparison is being performed in. 4857 QualType T = E->getLHS()->getType(); 4858 assert(S.Context.hasSameUnqualifiedType(T, E->getRHS()->getType()) 4859 && "comparison with mismatched types"); 4860 if (E->isValueDependent()) 4861 return AnalyzeImpConvsInComparison(S, E); 4862 4863 Expr *LHS = E->getLHS()->IgnoreParenImpCasts(); 4864 Expr *RHS = E->getRHS()->IgnoreParenImpCasts(); 4865 4866 bool IsComparisonConstant = false; 4867 4868 // Check whether an integer constant comparison results in a value 4869 // of 'true' or 'false'. 4870 if (T->isIntegralType(S.Context)) { 4871 llvm::APSInt RHSValue; 4872 bool IsRHSIntegralLiteral = 4873 RHS->isIntegerConstantExpr(RHSValue, S.Context); 4874 llvm::APSInt LHSValue; 4875 bool IsLHSIntegralLiteral = 4876 LHS->isIntegerConstantExpr(LHSValue, S.Context); 4877 if (IsRHSIntegralLiteral && !IsLHSIntegralLiteral) 4878 DiagnoseOutOfRangeComparison(S, E, RHS, LHS, RHSValue, true); 4879 else if (!IsRHSIntegralLiteral && IsLHSIntegralLiteral) 4880 DiagnoseOutOfRangeComparison(S, E, LHS, RHS, LHSValue, false); 4881 else 4882 IsComparisonConstant = 4883 (IsRHSIntegralLiteral && IsLHSIntegralLiteral); 4884 } else if (!T->hasUnsignedIntegerRepresentation()) 4885 IsComparisonConstant = E->isIntegerConstantExpr(S.Context); 4886 4887 // We don't do anything special if this isn't an unsigned integral 4888 // comparison: we're only interested in integral comparisons, and 4889 // signed comparisons only happen in cases we don't care to warn about. 4890 // 4891 // We also don't care about value-dependent expressions or expressions 4892 // whose result is a constant. 4893 if (!T->hasUnsignedIntegerRepresentation() || IsComparisonConstant) 4894 return AnalyzeImpConvsInComparison(S, E); 4895 4896 // Check to see if one of the (unmodified) operands is of different 4897 // signedness. 4898 Expr *signedOperand, *unsignedOperand; 4899 if (LHS->getType()->hasSignedIntegerRepresentation()) { 4900 assert(!RHS->getType()->hasSignedIntegerRepresentation() && 4901 "unsigned comparison between two signed integer expressions?"); 4902 signedOperand = LHS; 4903 unsignedOperand = RHS; 4904 } else if (RHS->getType()->hasSignedIntegerRepresentation()) { 4905 signedOperand = RHS; 4906 unsignedOperand = LHS; 4907 } else { 4908 CheckTrivialUnsignedComparison(S, E); 4909 return AnalyzeImpConvsInComparison(S, E); 4910 } 4911 4912 // Otherwise, calculate the effective range of the signed operand. 4913 IntRange signedRange = GetExprRange(S.Context, signedOperand); 4914 4915 // Go ahead and analyze implicit conversions in the operands. Note 4916 // that we skip the implicit conversions on both sides. 4917 AnalyzeImplicitConversions(S, LHS, E->getOperatorLoc()); 4918 AnalyzeImplicitConversions(S, RHS, E->getOperatorLoc()); 4919 4920 // If the signed range is non-negative, -Wsign-compare won't fire, 4921 // but we should still check for comparisons which are always true 4922 // or false. 4923 if (signedRange.NonNegative) 4924 return CheckTrivialUnsignedComparison(S, E); 4925 4926 // For (in)equality comparisons, if the unsigned operand is a 4927 // constant which cannot collide with a overflowed signed operand, 4928 // then reinterpreting the signed operand as unsigned will not 4929 // change the result of the comparison. 4930 if (E->isEqualityOp()) { 4931 unsigned comparisonWidth = S.Context.getIntWidth(T); 4932 IntRange unsignedRange = GetExprRange(S.Context, unsignedOperand); 4933 4934 // We should never be unable to prove that the unsigned operand is 4935 // non-negative. 4936 assert(unsignedRange.NonNegative && "unsigned range includes negative?"); 4937 4938 if (unsignedRange.Width < comparisonWidth) 4939 return; 4940 } 4941 4942 S.DiagRuntimeBehavior(E->getOperatorLoc(), E, 4943 S.PDiag(diag::warn_mixed_sign_comparison) 4944 << LHS->getType() << RHS->getType() 4945 << LHS->getSourceRange() << RHS->getSourceRange()); 4946 } 4947 4948 /// Analyzes an attempt to assign the given value to a bitfield. 4949 /// 4950 /// Returns true if there was something fishy about the attempt. 4951 static bool AnalyzeBitFieldAssignment(Sema &S, FieldDecl *Bitfield, Expr *Init, 4952 SourceLocation InitLoc) { 4953 assert(Bitfield->isBitField()); 4954 if (Bitfield->isInvalidDecl()) 4955 return false; 4956 4957 // White-list bool bitfields. 4958 if (Bitfield->getType()->isBooleanType()) 4959 return false; 4960 4961 // Ignore value- or type-dependent expressions. 4962 if (Bitfield->getBitWidth()->isValueDependent() || 4963 Bitfield->getBitWidth()->isTypeDependent() || 4964 Init->isValueDependent() || 4965 Init->isTypeDependent()) 4966 return false; 4967 4968 Expr *OriginalInit = Init->IgnoreParenImpCasts(); 4969 4970 llvm::APSInt Value; 4971 if (!OriginalInit->EvaluateAsInt(Value, S.Context, Expr::SE_AllowSideEffects)) 4972 return false; 4973 4974 unsigned OriginalWidth = Value.getBitWidth(); 4975 unsigned FieldWidth = Bitfield->getBitWidthValue(S.Context); 4976 4977 if (OriginalWidth <= FieldWidth) 4978 return false; 4979 4980 // Compute the value which the bitfield will contain. 4981 llvm::APSInt TruncatedValue = Value.trunc(FieldWidth); 4982 TruncatedValue.setIsSigned(Bitfield->getType()->isSignedIntegerType()); 4983 4984 // Check whether the stored value is equal to the original value. 4985 TruncatedValue = TruncatedValue.extend(OriginalWidth); 4986 if (llvm::APSInt::isSameValue(Value, TruncatedValue)) 4987 return false; 4988 4989 // Special-case bitfields of width 1: booleans are naturally 0/1, and 4990 // therefore don't strictly fit into a signed bitfield of width 1. 4991 if (FieldWidth == 1 && Value == 1) 4992 return false; 4993 4994 std::string PrettyValue = Value.toString(10); 4995 std::string PrettyTrunc = TruncatedValue.toString(10); 4996 4997 S.Diag(InitLoc, diag::warn_impcast_bitfield_precision_constant) 4998 << PrettyValue << PrettyTrunc << OriginalInit->getType() 4999 << Init->getSourceRange(); 5000 5001 return true; 5002 } 5003 5004 /// Analyze the given simple or compound assignment for warning-worthy 5005 /// operations. 5006 static void AnalyzeAssignment(Sema &S, BinaryOperator *E) { 5007 // Just recurse on the LHS. 5008 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc()); 5009 5010 // We want to recurse on the RHS as normal unless we're assigning to 5011 // a bitfield. 5012 if (FieldDecl *Bitfield = E->getLHS()->getSourceBitField()) { 5013 if (AnalyzeBitFieldAssignment(S, Bitfield, E->getRHS(), 5014 E->getOperatorLoc())) { 5015 // Recurse, ignoring any implicit conversions on the RHS. 5016 return AnalyzeImplicitConversions(S, E->getRHS()->IgnoreParenImpCasts(), 5017 E->getOperatorLoc()); 5018 } 5019 } 5020 5021 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc()); 5022 } 5023 5024 /// Diagnose an implicit cast; purely a helper for CheckImplicitConversion. 5025 static void DiagnoseImpCast(Sema &S, Expr *E, QualType SourceType, QualType T, 5026 SourceLocation CContext, unsigned diag, 5027 bool pruneControlFlow = false) { 5028 if (pruneControlFlow) { 5029 S.DiagRuntimeBehavior(E->getExprLoc(), E, 5030 S.PDiag(diag) 5031 << SourceType << T << E->getSourceRange() 5032 << SourceRange(CContext)); 5033 return; 5034 } 5035 S.Diag(E->getExprLoc(), diag) 5036 << SourceType << T << E->getSourceRange() << SourceRange(CContext); 5037 } 5038 5039 /// Diagnose an implicit cast; purely a helper for CheckImplicitConversion. 5040 static void DiagnoseImpCast(Sema &S, Expr *E, QualType T, 5041 SourceLocation CContext, unsigned diag, 5042 bool pruneControlFlow = false) { 5043 DiagnoseImpCast(S, E, E->getType(), T, CContext, diag, pruneControlFlow); 5044 } 5045 5046 /// Diagnose an implicit cast from a literal expression. Does not warn when the 5047 /// cast wouldn't lose information. 5048 void DiagnoseFloatingLiteralImpCast(Sema &S, FloatingLiteral *FL, QualType T, 5049 SourceLocation CContext) { 5050 // Try to convert the literal exactly to an integer. If we can, don't warn. 5051 bool isExact = false; 5052 const llvm::APFloat &Value = FL->getValue(); 5053 llvm::APSInt IntegerValue(S.Context.getIntWidth(T), 5054 T->hasUnsignedIntegerRepresentation()); 5055 if (Value.convertToInteger(IntegerValue, 5056 llvm::APFloat::rmTowardZero, &isExact) 5057 == llvm::APFloat::opOK && isExact) 5058 return; 5059 5060 SmallString<16> PrettySourceValue; 5061 Value.toString(PrettySourceValue); 5062 SmallString<16> PrettyTargetValue; 5063 if (T->isSpecificBuiltinType(BuiltinType::Bool)) 5064 PrettyTargetValue = IntegerValue == 0 ? "false" : "true"; 5065 else 5066 IntegerValue.toString(PrettyTargetValue); 5067 5068 S.Diag(FL->getExprLoc(), diag::warn_impcast_literal_float_to_integer) 5069 << FL->getType() << T.getUnqualifiedType() << PrettySourceValue 5070 << PrettyTargetValue << FL->getSourceRange() << SourceRange(CContext); 5071 } 5072 5073 std::string PrettyPrintInRange(const llvm::APSInt &Value, IntRange Range) { 5074 if (!Range.Width) return "0"; 5075 5076 llvm::APSInt ValueInRange = Value; 5077 ValueInRange.setIsSigned(!Range.NonNegative); 5078 ValueInRange = ValueInRange.trunc(Range.Width); 5079 return ValueInRange.toString(10); 5080 } 5081 5082 static bool IsImplicitBoolFloatConversion(Sema &S, Expr *Ex, bool ToBool) { 5083 if (!isa<ImplicitCastExpr>(Ex)) 5084 return false; 5085 5086 Expr *InnerE = Ex->IgnoreParenImpCasts(); 5087 const Type *Target = S.Context.getCanonicalType(Ex->getType()).getTypePtr(); 5088 const Type *Source = 5089 S.Context.getCanonicalType(InnerE->getType()).getTypePtr(); 5090 if (Target->isDependentType()) 5091 return false; 5092 5093 const BuiltinType *FloatCandidateBT = 5094 dyn_cast<BuiltinType>(ToBool ? Source : Target); 5095 const Type *BoolCandidateType = ToBool ? Target : Source; 5096 5097 return (BoolCandidateType->isSpecificBuiltinType(BuiltinType::Bool) && 5098 FloatCandidateBT && (FloatCandidateBT->isFloatingPoint())); 5099 } 5100 5101 void CheckImplicitArgumentConversions(Sema &S, CallExpr *TheCall, 5102 SourceLocation CC) { 5103 unsigned NumArgs = TheCall->getNumArgs(); 5104 for (unsigned i = 0; i < NumArgs; ++i) { 5105 Expr *CurrA = TheCall->getArg(i); 5106 if (!IsImplicitBoolFloatConversion(S, CurrA, true)) 5107 continue; 5108 5109 bool IsSwapped = ((i > 0) && 5110 IsImplicitBoolFloatConversion(S, TheCall->getArg(i - 1), false)); 5111 IsSwapped |= ((i < (NumArgs - 1)) && 5112 IsImplicitBoolFloatConversion(S, TheCall->getArg(i + 1), false)); 5113 if (IsSwapped) { 5114 // Warn on this floating-point to bool conversion. 5115 DiagnoseImpCast(S, CurrA->IgnoreParenImpCasts(), 5116 CurrA->getType(), CC, 5117 diag::warn_impcast_floating_point_to_bool); 5118 } 5119 } 5120 } 5121 5122 void CheckImplicitConversion(Sema &S, Expr *E, QualType T, 5123 SourceLocation CC, bool *ICContext = 0) { 5124 if (E->isTypeDependent() || E->isValueDependent()) return; 5125 5126 const Type *Source = S.Context.getCanonicalType(E->getType()).getTypePtr(); 5127 const Type *Target = S.Context.getCanonicalType(T).getTypePtr(); 5128 if (Source == Target) return; 5129 if (Target->isDependentType()) return; 5130 5131 // If the conversion context location is invalid don't complain. We also 5132 // don't want to emit a warning if the issue occurs from the expansion of 5133 // a system macro. The problem is that 'getSpellingLoc()' is slow, so we 5134 // delay this check as long as possible. Once we detect we are in that 5135 // scenario, we just return. 5136 if (CC.isInvalid()) 5137 return; 5138 5139 // Diagnose implicit casts to bool. 5140 if (Target->isSpecificBuiltinType(BuiltinType::Bool)) { 5141 if (isa<StringLiteral>(E)) 5142 // Warn on string literal to bool. Checks for string literals in logical 5143 // expressions, for instances, assert(0 && "error here"), is prevented 5144 // by a check in AnalyzeImplicitConversions(). 5145 return DiagnoseImpCast(S, E, T, CC, 5146 diag::warn_impcast_string_literal_to_bool); 5147 if (Source->isFunctionType()) { 5148 // Warn on function to bool. Checks free functions and static member 5149 // functions. Weakly imported functions are excluded from the check, 5150 // since it's common to test their value to check whether the linker 5151 // found a definition for them. 5152 ValueDecl *D = 0; 5153 if (DeclRefExpr* R = dyn_cast<DeclRefExpr>(E)) { 5154 D = R->getDecl(); 5155 } else if (MemberExpr *M = dyn_cast<MemberExpr>(E)) { 5156 D = M->getMemberDecl(); 5157 } 5158 5159 if (D && !D->isWeak()) { 5160 if (FunctionDecl* F = dyn_cast<FunctionDecl>(D)) { 5161 S.Diag(E->getExprLoc(), diag::warn_impcast_function_to_bool) 5162 << F << E->getSourceRange() << SourceRange(CC); 5163 S.Diag(E->getExprLoc(), diag::note_function_to_bool_silence) 5164 << FixItHint::CreateInsertion(E->getExprLoc(), "&"); 5165 QualType ReturnType; 5166 UnresolvedSet<4> NonTemplateOverloads; 5167 S.tryExprAsCall(*E, ReturnType, NonTemplateOverloads); 5168 if (!ReturnType.isNull() 5169 && ReturnType->isSpecificBuiltinType(BuiltinType::Bool)) 5170 S.Diag(E->getExprLoc(), diag::note_function_to_bool_call) 5171 << FixItHint::CreateInsertion( 5172 S.getPreprocessor().getLocForEndOfToken(E->getLocEnd()), "()"); 5173 return; 5174 } 5175 } 5176 } 5177 } 5178 5179 // Strip vector types. 5180 if (isa<VectorType>(Source)) { 5181 if (!isa<VectorType>(Target)) { 5182 if (S.SourceMgr.isInSystemMacro(CC)) 5183 return; 5184 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_vector_scalar); 5185 } 5186 5187 // If the vector cast is cast between two vectors of the same size, it is 5188 // a bitcast, not a conversion. 5189 if (S.Context.getTypeSize(Source) == S.Context.getTypeSize(Target)) 5190 return; 5191 5192 Source = cast<VectorType>(Source)->getElementType().getTypePtr(); 5193 Target = cast<VectorType>(Target)->getElementType().getTypePtr(); 5194 } 5195 5196 // Strip complex types. 5197 if (isa<ComplexType>(Source)) { 5198 if (!isa<ComplexType>(Target)) { 5199 if (S.SourceMgr.isInSystemMacro(CC)) 5200 return; 5201 5202 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_complex_scalar); 5203 } 5204 5205 Source = cast<ComplexType>(Source)->getElementType().getTypePtr(); 5206 Target = cast<ComplexType>(Target)->getElementType().getTypePtr(); 5207 } 5208 5209 const BuiltinType *SourceBT = dyn_cast<BuiltinType>(Source); 5210 const BuiltinType *TargetBT = dyn_cast<BuiltinType>(Target); 5211 5212 // If the source is floating point... 5213 if (SourceBT && SourceBT->isFloatingPoint()) { 5214 // ...and the target is floating point... 5215 if (TargetBT && TargetBT->isFloatingPoint()) { 5216 // ...then warn if we're dropping FP rank. 5217 5218 // Builtin FP kinds are ordered by increasing FP rank. 5219 if (SourceBT->getKind() > TargetBT->getKind()) { 5220 // Don't warn about float constants that are precisely 5221 // representable in the target type. 5222 Expr::EvalResult result; 5223 if (E->EvaluateAsRValue(result, S.Context)) { 5224 // Value might be a float, a float vector, or a float complex. 5225 if (IsSameFloatAfterCast(result.Val, 5226 S.Context.getFloatTypeSemantics(QualType(TargetBT, 0)), 5227 S.Context.getFloatTypeSemantics(QualType(SourceBT, 0)))) 5228 return; 5229 } 5230 5231 if (S.SourceMgr.isInSystemMacro(CC)) 5232 return; 5233 5234 DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_precision); 5235 } 5236 return; 5237 } 5238 5239 // If the target is integral, always warn. 5240 if (TargetBT && TargetBT->isInteger()) { 5241 if (S.SourceMgr.isInSystemMacro(CC)) 5242 return; 5243 5244 Expr *InnerE = E->IgnoreParenImpCasts(); 5245 // We also want to warn on, e.g., "int i = -1.234" 5246 if (UnaryOperator *UOp = dyn_cast<UnaryOperator>(InnerE)) 5247 if (UOp->getOpcode() == UO_Minus || UOp->getOpcode() == UO_Plus) 5248 InnerE = UOp->getSubExpr()->IgnoreParenImpCasts(); 5249 5250 if (FloatingLiteral *FL = dyn_cast<FloatingLiteral>(InnerE)) { 5251 DiagnoseFloatingLiteralImpCast(S, FL, T, CC); 5252 } else { 5253 DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_integer); 5254 } 5255 } 5256 5257 // If the target is bool, warn if expr is a function or method call. 5258 if (Target->isSpecificBuiltinType(BuiltinType::Bool) && 5259 isa<CallExpr>(E)) { 5260 // Check last argument of function call to see if it is an 5261 // implicit cast from a type matching the type the result 5262 // is being cast to. 5263 CallExpr *CEx = cast<CallExpr>(E); 5264 unsigned NumArgs = CEx->getNumArgs(); 5265 if (NumArgs > 0) { 5266 Expr *LastA = CEx->getArg(NumArgs - 1); 5267 Expr *InnerE = LastA->IgnoreParenImpCasts(); 5268 const Type *InnerType = 5269 S.Context.getCanonicalType(InnerE->getType()).getTypePtr(); 5270 if (isa<ImplicitCastExpr>(LastA) && (InnerType == Target)) { 5271 // Warn on this floating-point to bool conversion 5272 DiagnoseImpCast(S, E, T, CC, 5273 diag::warn_impcast_floating_point_to_bool); 5274 } 5275 } 5276 } 5277 return; 5278 } 5279 5280 if ((E->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNotNull) 5281 == Expr::NPCK_GNUNull) && !Target->isAnyPointerType() 5282 && !Target->isBlockPointerType() && !Target->isMemberPointerType() 5283 && Target->isScalarType() && !Target->isNullPtrType()) { 5284 SourceLocation Loc = E->getSourceRange().getBegin(); 5285 if (Loc.isMacroID()) 5286 Loc = S.SourceMgr.getImmediateExpansionRange(Loc).first; 5287 if (!Loc.isMacroID() || CC.isMacroID()) 5288 S.Diag(Loc, diag::warn_impcast_null_pointer_to_integer) 5289 << T << clang::SourceRange(CC) 5290 << FixItHint::CreateReplacement(Loc, S.getFixItZeroLiteralForType(T)); 5291 } 5292 5293 if (!Source->isIntegerType() || !Target->isIntegerType()) 5294 return; 5295 5296 // TODO: remove this early return once the false positives for constant->bool 5297 // in templates, macros, etc, are reduced or removed. 5298 if (Target->isSpecificBuiltinType(BuiltinType::Bool)) 5299 return; 5300 5301 IntRange SourceRange = GetExprRange(S.Context, E); 5302 IntRange TargetRange = IntRange::forTargetOfCanonicalType(S.Context, Target); 5303 5304 if (SourceRange.Width > TargetRange.Width) { 5305 // If the source is a constant, use a default-on diagnostic. 5306 // TODO: this should happen for bitfield stores, too. 5307 llvm::APSInt Value(32); 5308 if (E->isIntegerConstantExpr(Value, S.Context)) { 5309 if (S.SourceMgr.isInSystemMacro(CC)) 5310 return; 5311 5312 std::string PrettySourceValue = Value.toString(10); 5313 std::string PrettyTargetValue = PrettyPrintInRange(Value, TargetRange); 5314 5315 S.DiagRuntimeBehavior(E->getExprLoc(), E, 5316 S.PDiag(diag::warn_impcast_integer_precision_constant) 5317 << PrettySourceValue << PrettyTargetValue 5318 << E->getType() << T << E->getSourceRange() 5319 << clang::SourceRange(CC)); 5320 return; 5321 } 5322 5323 // People want to build with -Wshorten-64-to-32 and not -Wconversion. 5324 if (S.SourceMgr.isInSystemMacro(CC)) 5325 return; 5326 5327 if (TargetRange.Width == 32 && S.Context.getIntWidth(E->getType()) == 64) 5328 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_64_32, 5329 /* pruneControlFlow */ true); 5330 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_precision); 5331 } 5332 5333 if ((TargetRange.NonNegative && !SourceRange.NonNegative) || 5334 (!TargetRange.NonNegative && SourceRange.NonNegative && 5335 SourceRange.Width == TargetRange.Width)) { 5336 5337 if (S.SourceMgr.isInSystemMacro(CC)) 5338 return; 5339 5340 unsigned DiagID = diag::warn_impcast_integer_sign; 5341 5342 // Traditionally, gcc has warned about this under -Wsign-compare. 5343 // We also want to warn about it in -Wconversion. 5344 // So if -Wconversion is off, use a completely identical diagnostic 5345 // in the sign-compare group. 5346 // The conditional-checking code will 5347 if (ICContext) { 5348 DiagID = diag::warn_impcast_integer_sign_conditional; 5349 *ICContext = true; 5350 } 5351 5352 return DiagnoseImpCast(S, E, T, CC, DiagID); 5353 } 5354 5355 // Diagnose conversions between different enumeration types. 5356 // In C, we pretend that the type of an EnumConstantDecl is its enumeration 5357 // type, to give us better diagnostics. 5358 QualType SourceType = E->getType(); 5359 if (!S.getLangOpts().CPlusPlus) { 5360 if (DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) 5361 if (EnumConstantDecl *ECD = dyn_cast<EnumConstantDecl>(DRE->getDecl())) { 5362 EnumDecl *Enum = cast<EnumDecl>(ECD->getDeclContext()); 5363 SourceType = S.Context.getTypeDeclType(Enum); 5364 Source = S.Context.getCanonicalType(SourceType).getTypePtr(); 5365 } 5366 } 5367 5368 if (const EnumType *SourceEnum = Source->getAs<EnumType>()) 5369 if (const EnumType *TargetEnum = Target->getAs<EnumType>()) 5370 if (SourceEnum->getDecl()->hasNameForLinkage() && 5371 TargetEnum->getDecl()->hasNameForLinkage() && 5372 SourceEnum != TargetEnum) { 5373 if (S.SourceMgr.isInSystemMacro(CC)) 5374 return; 5375 5376 return DiagnoseImpCast(S, E, SourceType, T, CC, 5377 diag::warn_impcast_different_enum_types); 5378 } 5379 5380 return; 5381 } 5382 5383 void CheckConditionalOperator(Sema &S, ConditionalOperator *E, 5384 SourceLocation CC, QualType T); 5385 5386 void CheckConditionalOperand(Sema &S, Expr *E, QualType T, 5387 SourceLocation CC, bool &ICContext) { 5388 E = E->IgnoreParenImpCasts(); 5389 5390 if (isa<ConditionalOperator>(E)) 5391 return CheckConditionalOperator(S, cast<ConditionalOperator>(E), CC, T); 5392 5393 AnalyzeImplicitConversions(S, E, CC); 5394 if (E->getType() != T) 5395 return CheckImplicitConversion(S, E, T, CC, &ICContext); 5396 return; 5397 } 5398 5399 void CheckConditionalOperator(Sema &S, ConditionalOperator *E, 5400 SourceLocation CC, QualType T) { 5401 AnalyzeImplicitConversions(S, E->getCond(), CC); 5402 5403 bool Suspicious = false; 5404 CheckConditionalOperand(S, E->getTrueExpr(), T, CC, Suspicious); 5405 CheckConditionalOperand(S, E->getFalseExpr(), T, CC, Suspicious); 5406 5407 // If -Wconversion would have warned about either of the candidates 5408 // for a signedness conversion to the context type... 5409 if (!Suspicious) return; 5410 5411 // ...but it's currently ignored... 5412 if (S.Diags.getDiagnosticLevel(diag::warn_impcast_integer_sign_conditional, 5413 CC)) 5414 return; 5415 5416 // ...then check whether it would have warned about either of the 5417 // candidates for a signedness conversion to the condition type. 5418 if (E->getType() == T) return; 5419 5420 Suspicious = false; 5421 CheckImplicitConversion(S, E->getTrueExpr()->IgnoreParenImpCasts(), 5422 E->getType(), CC, &Suspicious); 5423 if (!Suspicious) 5424 CheckImplicitConversion(S, E->getFalseExpr()->IgnoreParenImpCasts(), 5425 E->getType(), CC, &Suspicious); 5426 } 5427 5428 /// AnalyzeImplicitConversions - Find and report any interesting 5429 /// implicit conversions in the given expression. There are a couple 5430 /// of competing diagnostics here, -Wconversion and -Wsign-compare. 5431 void AnalyzeImplicitConversions(Sema &S, Expr *OrigE, SourceLocation CC) { 5432 QualType T = OrigE->getType(); 5433 Expr *E = OrigE->IgnoreParenImpCasts(); 5434 5435 if (E->isTypeDependent() || E->isValueDependent()) 5436 return; 5437 5438 // For conditional operators, we analyze the arguments as if they 5439 // were being fed directly into the output. 5440 if (isa<ConditionalOperator>(E)) { 5441 ConditionalOperator *CO = cast<ConditionalOperator>(E); 5442 CheckConditionalOperator(S, CO, CC, T); 5443 return; 5444 } 5445 5446 // Check implicit argument conversions for function calls. 5447 if (CallExpr *Call = dyn_cast<CallExpr>(E)) 5448 CheckImplicitArgumentConversions(S, Call, CC); 5449 5450 // Go ahead and check any implicit conversions we might have skipped. 5451 // The non-canonical typecheck is just an optimization; 5452 // CheckImplicitConversion will filter out dead implicit conversions. 5453 if (E->getType() != T) 5454 CheckImplicitConversion(S, E, T, CC); 5455 5456 // Now continue drilling into this expression. 5457 5458 if (PseudoObjectExpr * POE = dyn_cast<PseudoObjectExpr>(E)) { 5459 if (POE->getResultExpr()) 5460 E = POE->getResultExpr(); 5461 } 5462 5463 if (const OpaqueValueExpr *OVE = dyn_cast<OpaqueValueExpr>(E)) 5464 return AnalyzeImplicitConversions(S, OVE->getSourceExpr(), CC); 5465 5466 // Skip past explicit casts. 5467 if (isa<ExplicitCastExpr>(E)) { 5468 E = cast<ExplicitCastExpr>(E)->getSubExpr()->IgnoreParenImpCasts(); 5469 return AnalyzeImplicitConversions(S, E, CC); 5470 } 5471 5472 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 5473 // Do a somewhat different check with comparison operators. 5474 if (BO->isComparisonOp()) 5475 return AnalyzeComparison(S, BO); 5476 5477 // And with simple assignments. 5478 if (BO->getOpcode() == BO_Assign) 5479 return AnalyzeAssignment(S, BO); 5480 } 5481 5482 // These break the otherwise-useful invariant below. Fortunately, 5483 // we don't really need to recurse into them, because any internal 5484 // expressions should have been analyzed already when they were 5485 // built into statements. 5486 if (isa<StmtExpr>(E)) return; 5487 5488 // Don't descend into unevaluated contexts. 5489 if (isa<UnaryExprOrTypeTraitExpr>(E)) return; 5490 5491 // Now just recurse over the expression's children. 5492 CC = E->getExprLoc(); 5493 BinaryOperator *BO = dyn_cast<BinaryOperator>(E); 5494 bool IsLogicalOperator = BO && BO->isLogicalOp(); 5495 for (Stmt::child_range I = E->children(); I; ++I) { 5496 Expr *ChildExpr = dyn_cast_or_null<Expr>(*I); 5497 if (!ChildExpr) 5498 continue; 5499 5500 if (IsLogicalOperator && 5501 isa<StringLiteral>(ChildExpr->IgnoreParenImpCasts())) 5502 // Ignore checking string literals that are in logical operators. 5503 continue; 5504 AnalyzeImplicitConversions(S, ChildExpr, CC); 5505 } 5506 } 5507 5508 } // end anonymous namespace 5509 5510 /// Diagnoses "dangerous" implicit conversions within the given 5511 /// expression (which is a full expression). Implements -Wconversion 5512 /// and -Wsign-compare. 5513 /// 5514 /// \param CC the "context" location of the implicit conversion, i.e. 5515 /// the most location of the syntactic entity requiring the implicit 5516 /// conversion 5517 void Sema::CheckImplicitConversions(Expr *E, SourceLocation CC) { 5518 // Don't diagnose in unevaluated contexts. 5519 if (isUnevaluatedContext()) 5520 return; 5521 5522 // Don't diagnose for value- or type-dependent expressions. 5523 if (E->isTypeDependent() || E->isValueDependent()) 5524 return; 5525 5526 // Check for array bounds violations in cases where the check isn't triggered 5527 // elsewhere for other Expr types (like BinaryOperators), e.g. when an 5528 // ArraySubscriptExpr is on the RHS of a variable initialization. 5529 CheckArrayAccess(E); 5530 5531 // This is not the right CC for (e.g.) a variable initialization. 5532 AnalyzeImplicitConversions(*this, E, CC); 5533 } 5534 5535 /// Diagnose when expression is an integer constant expression and its evaluation 5536 /// results in integer overflow 5537 void Sema::CheckForIntOverflow (Expr *E) { 5538 if (isa<BinaryOperator>(E->IgnoreParens())) { 5539 llvm::SmallVector<PartialDiagnosticAt, 4> Diags; 5540 E->EvaluateForOverflow(Context, &Diags); 5541 } 5542 } 5543 5544 namespace { 5545 /// \brief Visitor for expressions which looks for unsequenced operations on the 5546 /// same object. 5547 class SequenceChecker : public EvaluatedExprVisitor<SequenceChecker> { 5548 typedef EvaluatedExprVisitor<SequenceChecker> Base; 5549 5550 /// \brief A tree of sequenced regions within an expression. Two regions are 5551 /// unsequenced if one is an ancestor or a descendent of the other. When we 5552 /// finish processing an expression with sequencing, such as a comma 5553 /// expression, we fold its tree nodes into its parent, since they are 5554 /// unsequenced with respect to nodes we will visit later. 5555 class SequenceTree { 5556 struct Value { 5557 explicit Value(unsigned Parent) : Parent(Parent), Merged(false) {} 5558 unsigned Parent : 31; 5559 bool Merged : 1; 5560 }; 5561 llvm::SmallVector<Value, 8> Values; 5562 5563 public: 5564 /// \brief A region within an expression which may be sequenced with respect 5565 /// to some other region. 5566 class Seq { 5567 explicit Seq(unsigned N) : Index(N) {} 5568 unsigned Index; 5569 friend class SequenceTree; 5570 public: 5571 Seq() : Index(0) {} 5572 }; 5573 5574 SequenceTree() { Values.push_back(Value(0)); } 5575 Seq root() const { return Seq(0); } 5576 5577 /// \brief Create a new sequence of operations, which is an unsequenced 5578 /// subset of \p Parent. This sequence of operations is sequenced with 5579 /// respect to other children of \p Parent. 5580 Seq allocate(Seq Parent) { 5581 Values.push_back(Value(Parent.Index)); 5582 return Seq(Values.size() - 1); 5583 } 5584 5585 /// \brief Merge a sequence of operations into its parent. 5586 void merge(Seq S) { 5587 Values[S.Index].Merged = true; 5588 } 5589 5590 /// \brief Determine whether two operations are unsequenced. This operation 5591 /// is asymmetric: \p Cur should be the more recent sequence, and \p Old 5592 /// should have been merged into its parent as appropriate. 5593 bool isUnsequenced(Seq Cur, Seq Old) { 5594 unsigned C = representative(Cur.Index); 5595 unsigned Target = representative(Old.Index); 5596 while (C >= Target) { 5597 if (C == Target) 5598 return true; 5599 C = Values[C].Parent; 5600 } 5601 return false; 5602 } 5603 5604 private: 5605 /// \brief Pick a representative for a sequence. 5606 unsigned representative(unsigned K) { 5607 if (Values[K].Merged) 5608 // Perform path compression as we go. 5609 return Values[K].Parent = representative(Values[K].Parent); 5610 return K; 5611 } 5612 }; 5613 5614 /// An object for which we can track unsequenced uses. 5615 typedef NamedDecl *Object; 5616 5617 /// Different flavors of object usage which we track. We only track the 5618 /// least-sequenced usage of each kind. 5619 enum UsageKind { 5620 /// A read of an object. Multiple unsequenced reads are OK. 5621 UK_Use, 5622 /// A modification of an object which is sequenced before the value 5623 /// computation of the expression, such as ++n in C++. 5624 UK_ModAsValue, 5625 /// A modification of an object which is not sequenced before the value 5626 /// computation of the expression, such as n++. 5627 UK_ModAsSideEffect, 5628 5629 UK_Count = UK_ModAsSideEffect + 1 5630 }; 5631 5632 struct Usage { 5633 Usage() : Use(0), Seq() {} 5634 Expr *Use; 5635 SequenceTree::Seq Seq; 5636 }; 5637 5638 struct UsageInfo { 5639 UsageInfo() : Diagnosed(false) {} 5640 Usage Uses[UK_Count]; 5641 /// Have we issued a diagnostic for this variable already? 5642 bool Diagnosed; 5643 }; 5644 typedef llvm::SmallDenseMap<Object, UsageInfo, 16> UsageInfoMap; 5645 5646 Sema &SemaRef; 5647 /// Sequenced regions within the expression. 5648 SequenceTree Tree; 5649 /// Declaration modifications and references which we have seen. 5650 UsageInfoMap UsageMap; 5651 /// The region we are currently within. 5652 SequenceTree::Seq Region; 5653 /// Filled in with declarations which were modified as a side-effect 5654 /// (that is, post-increment operations). 5655 llvm::SmallVectorImpl<std::pair<Object, Usage> > *ModAsSideEffect; 5656 /// Expressions to check later. We defer checking these to reduce 5657 /// stack usage. 5658 llvm::SmallVectorImpl<Expr*> &WorkList; 5659 5660 /// RAII object wrapping the visitation of a sequenced subexpression of an 5661 /// expression. At the end of this process, the side-effects of the evaluation 5662 /// become sequenced with respect to the value computation of the result, so 5663 /// we downgrade any UK_ModAsSideEffect within the evaluation to 5664 /// UK_ModAsValue. 5665 struct SequencedSubexpression { 5666 SequencedSubexpression(SequenceChecker &Self) 5667 : Self(Self), OldModAsSideEffect(Self.ModAsSideEffect) { 5668 Self.ModAsSideEffect = &ModAsSideEffect; 5669 } 5670 ~SequencedSubexpression() { 5671 for (unsigned I = 0, E = ModAsSideEffect.size(); I != E; ++I) { 5672 UsageInfo &U = Self.UsageMap[ModAsSideEffect[I].first]; 5673 U.Uses[UK_ModAsSideEffect] = ModAsSideEffect[I].second; 5674 Self.addUsage(U, ModAsSideEffect[I].first, 5675 ModAsSideEffect[I].second.Use, UK_ModAsValue); 5676 } 5677 Self.ModAsSideEffect = OldModAsSideEffect; 5678 } 5679 5680 SequenceChecker &Self; 5681 llvm::SmallVector<std::pair<Object, Usage>, 4> ModAsSideEffect; 5682 llvm::SmallVectorImpl<std::pair<Object, Usage> > *OldModAsSideEffect; 5683 }; 5684 5685 /// RAII object wrapping the visitation of a subexpression which we might 5686 /// choose to evaluate as a constant. If any subexpression is evaluated and 5687 /// found to be non-constant, this allows us to suppress the evaluation of 5688 /// the outer expression. 5689 class EvaluationTracker { 5690 public: 5691 EvaluationTracker(SequenceChecker &Self) 5692 : Self(Self), Prev(Self.EvalTracker), EvalOK(true) { 5693 Self.EvalTracker = this; 5694 } 5695 ~EvaluationTracker() { 5696 Self.EvalTracker = Prev; 5697 if (Prev) 5698 Prev->EvalOK &= EvalOK; 5699 } 5700 5701 bool evaluate(const Expr *E, bool &Result) { 5702 if (!EvalOK || E->isValueDependent()) 5703 return false; 5704 EvalOK = E->EvaluateAsBooleanCondition(Result, Self.SemaRef.Context); 5705 return EvalOK; 5706 } 5707 5708 private: 5709 SequenceChecker &Self; 5710 EvaluationTracker *Prev; 5711 bool EvalOK; 5712 } *EvalTracker; 5713 5714 /// \brief Find the object which is produced by the specified expression, 5715 /// if any. 5716 Object getObject(Expr *E, bool Mod) const { 5717 E = E->IgnoreParenCasts(); 5718 if (UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) { 5719 if (Mod && (UO->getOpcode() == UO_PreInc || UO->getOpcode() == UO_PreDec)) 5720 return getObject(UO->getSubExpr(), Mod); 5721 } else if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 5722 if (BO->getOpcode() == BO_Comma) 5723 return getObject(BO->getRHS(), Mod); 5724 if (Mod && BO->isAssignmentOp()) 5725 return getObject(BO->getLHS(), Mod); 5726 } else if (MemberExpr *ME = dyn_cast<MemberExpr>(E)) { 5727 // FIXME: Check for more interesting cases, like "x.n = ++x.n". 5728 if (isa<CXXThisExpr>(ME->getBase()->IgnoreParenCasts())) 5729 return ME->getMemberDecl(); 5730 } else if (DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) 5731 // FIXME: If this is a reference, map through to its value. 5732 return DRE->getDecl(); 5733 return 0; 5734 } 5735 5736 /// \brief Note that an object was modified or used by an expression. 5737 void addUsage(UsageInfo &UI, Object O, Expr *Ref, UsageKind UK) { 5738 Usage &U = UI.Uses[UK]; 5739 if (!U.Use || !Tree.isUnsequenced(Region, U.Seq)) { 5740 if (UK == UK_ModAsSideEffect && ModAsSideEffect) 5741 ModAsSideEffect->push_back(std::make_pair(O, U)); 5742 U.Use = Ref; 5743 U.Seq = Region; 5744 } 5745 } 5746 /// \brief Check whether a modification or use conflicts with a prior usage. 5747 void checkUsage(Object O, UsageInfo &UI, Expr *Ref, UsageKind OtherKind, 5748 bool IsModMod) { 5749 if (UI.Diagnosed) 5750 return; 5751 5752 const Usage &U = UI.Uses[OtherKind]; 5753 if (!U.Use || !Tree.isUnsequenced(Region, U.Seq)) 5754 return; 5755 5756 Expr *Mod = U.Use; 5757 Expr *ModOrUse = Ref; 5758 if (OtherKind == UK_Use) 5759 std::swap(Mod, ModOrUse); 5760 5761 SemaRef.Diag(Mod->getExprLoc(), 5762 IsModMod ? diag::warn_unsequenced_mod_mod 5763 : diag::warn_unsequenced_mod_use) 5764 << O << SourceRange(ModOrUse->getExprLoc()); 5765 UI.Diagnosed = true; 5766 } 5767 5768 void notePreUse(Object O, Expr *Use) { 5769 UsageInfo &U = UsageMap[O]; 5770 // Uses conflict with other modifications. 5771 checkUsage(O, U, Use, UK_ModAsValue, false); 5772 } 5773 void notePostUse(Object O, Expr *Use) { 5774 UsageInfo &U = UsageMap[O]; 5775 checkUsage(O, U, Use, UK_ModAsSideEffect, false); 5776 addUsage(U, O, Use, UK_Use); 5777 } 5778 5779 void notePreMod(Object O, Expr *Mod) { 5780 UsageInfo &U = UsageMap[O]; 5781 // Modifications conflict with other modifications and with uses. 5782 checkUsage(O, U, Mod, UK_ModAsValue, true); 5783 checkUsage(O, U, Mod, UK_Use, false); 5784 } 5785 void notePostMod(Object O, Expr *Use, UsageKind UK) { 5786 UsageInfo &U = UsageMap[O]; 5787 checkUsage(O, U, Use, UK_ModAsSideEffect, true); 5788 addUsage(U, O, Use, UK); 5789 } 5790 5791 public: 5792 SequenceChecker(Sema &S, Expr *E, 5793 llvm::SmallVectorImpl<Expr*> &WorkList) 5794 : Base(S.Context), SemaRef(S), Region(Tree.root()), 5795 ModAsSideEffect(0), WorkList(WorkList), EvalTracker(0) { 5796 Visit(E); 5797 } 5798 5799 void VisitStmt(Stmt *S) { 5800 // Skip all statements which aren't expressions for now. 5801 } 5802 5803 void VisitExpr(Expr *E) { 5804 // By default, just recurse to evaluated subexpressions. 5805 Base::VisitStmt(E); 5806 } 5807 5808 void VisitCastExpr(CastExpr *E) { 5809 Object O = Object(); 5810 if (E->getCastKind() == CK_LValueToRValue) 5811 O = getObject(E->getSubExpr(), false); 5812 5813 if (O) 5814 notePreUse(O, E); 5815 VisitExpr(E); 5816 if (O) 5817 notePostUse(O, E); 5818 } 5819 5820 void VisitBinComma(BinaryOperator *BO) { 5821 // C++11 [expr.comma]p1: 5822 // Every value computation and side effect associated with the left 5823 // expression is sequenced before every value computation and side 5824 // effect associated with the right expression. 5825 SequenceTree::Seq LHS = Tree.allocate(Region); 5826 SequenceTree::Seq RHS = Tree.allocate(Region); 5827 SequenceTree::Seq OldRegion = Region; 5828 5829 { 5830 SequencedSubexpression SeqLHS(*this); 5831 Region = LHS; 5832 Visit(BO->getLHS()); 5833 } 5834 5835 Region = RHS; 5836 Visit(BO->getRHS()); 5837 5838 Region = OldRegion; 5839 5840 // Forget that LHS and RHS are sequenced. They are both unsequenced 5841 // with respect to other stuff. 5842 Tree.merge(LHS); 5843 Tree.merge(RHS); 5844 } 5845 5846 void VisitBinAssign(BinaryOperator *BO) { 5847 // The modification is sequenced after the value computation of the LHS 5848 // and RHS, so check it before inspecting the operands and update the 5849 // map afterwards. 5850 Object O = getObject(BO->getLHS(), true); 5851 if (!O) 5852 return VisitExpr(BO); 5853 5854 notePreMod(O, BO); 5855 5856 // C++11 [expr.ass]p7: 5857 // E1 op= E2 is equivalent to E1 = E1 op E2, except that E1 is evaluated 5858 // only once. 5859 // 5860 // Therefore, for a compound assignment operator, O is considered used 5861 // everywhere except within the evaluation of E1 itself. 5862 if (isa<CompoundAssignOperator>(BO)) 5863 notePreUse(O, BO); 5864 5865 Visit(BO->getLHS()); 5866 5867 if (isa<CompoundAssignOperator>(BO)) 5868 notePostUse(O, BO); 5869 5870 Visit(BO->getRHS()); 5871 5872 // C++11 [expr.ass]p1: 5873 // the assignment is sequenced [...] before the value computation of the 5874 // assignment expression. 5875 // C11 6.5.16/3 has no such rule. 5876 notePostMod(O, BO, SemaRef.getLangOpts().CPlusPlus ? UK_ModAsValue 5877 : UK_ModAsSideEffect); 5878 } 5879 void VisitCompoundAssignOperator(CompoundAssignOperator *CAO) { 5880 VisitBinAssign(CAO); 5881 } 5882 5883 void VisitUnaryPreInc(UnaryOperator *UO) { VisitUnaryPreIncDec(UO); } 5884 void VisitUnaryPreDec(UnaryOperator *UO) { VisitUnaryPreIncDec(UO); } 5885 void VisitUnaryPreIncDec(UnaryOperator *UO) { 5886 Object O = getObject(UO->getSubExpr(), true); 5887 if (!O) 5888 return VisitExpr(UO); 5889 5890 notePreMod(O, UO); 5891 Visit(UO->getSubExpr()); 5892 // C++11 [expr.pre.incr]p1: 5893 // the expression ++x is equivalent to x+=1 5894 notePostMod(O, UO, SemaRef.getLangOpts().CPlusPlus ? UK_ModAsValue 5895 : UK_ModAsSideEffect); 5896 } 5897 5898 void VisitUnaryPostInc(UnaryOperator *UO) { VisitUnaryPostIncDec(UO); } 5899 void VisitUnaryPostDec(UnaryOperator *UO) { VisitUnaryPostIncDec(UO); } 5900 void VisitUnaryPostIncDec(UnaryOperator *UO) { 5901 Object O = getObject(UO->getSubExpr(), true); 5902 if (!O) 5903 return VisitExpr(UO); 5904 5905 notePreMod(O, UO); 5906 Visit(UO->getSubExpr()); 5907 notePostMod(O, UO, UK_ModAsSideEffect); 5908 } 5909 5910 /// Don't visit the RHS of '&&' or '||' if it might not be evaluated. 5911 void VisitBinLOr(BinaryOperator *BO) { 5912 // The side-effects of the LHS of an '&&' are sequenced before the 5913 // value computation of the RHS, and hence before the value computation 5914 // of the '&&' itself, unless the LHS evaluates to zero. We treat them 5915 // as if they were unconditionally sequenced. 5916 EvaluationTracker Eval(*this); 5917 { 5918 SequencedSubexpression Sequenced(*this); 5919 Visit(BO->getLHS()); 5920 } 5921 5922 bool Result; 5923 if (Eval.evaluate(BO->getLHS(), Result)) { 5924 if (!Result) 5925 Visit(BO->getRHS()); 5926 } else { 5927 // Check for unsequenced operations in the RHS, treating it as an 5928 // entirely separate evaluation. 5929 // 5930 // FIXME: If there are operations in the RHS which are unsequenced 5931 // with respect to operations outside the RHS, and those operations 5932 // are unconditionally evaluated, diagnose them. 5933 WorkList.push_back(BO->getRHS()); 5934 } 5935 } 5936 void VisitBinLAnd(BinaryOperator *BO) { 5937 EvaluationTracker Eval(*this); 5938 { 5939 SequencedSubexpression Sequenced(*this); 5940 Visit(BO->getLHS()); 5941 } 5942 5943 bool Result; 5944 if (Eval.evaluate(BO->getLHS(), Result)) { 5945 if (Result) 5946 Visit(BO->getRHS()); 5947 } else { 5948 WorkList.push_back(BO->getRHS()); 5949 } 5950 } 5951 5952 // Only visit the condition, unless we can be sure which subexpression will 5953 // be chosen. 5954 void VisitAbstractConditionalOperator(AbstractConditionalOperator *CO) { 5955 EvaluationTracker Eval(*this); 5956 { 5957 SequencedSubexpression Sequenced(*this); 5958 Visit(CO->getCond()); 5959 } 5960 5961 bool Result; 5962 if (Eval.evaluate(CO->getCond(), Result)) 5963 Visit(Result ? CO->getTrueExpr() : CO->getFalseExpr()); 5964 else { 5965 WorkList.push_back(CO->getTrueExpr()); 5966 WorkList.push_back(CO->getFalseExpr()); 5967 } 5968 } 5969 5970 void VisitCallExpr(CallExpr *CE) { 5971 // C++11 [intro.execution]p15: 5972 // When calling a function [...], every value computation and side effect 5973 // associated with any argument expression, or with the postfix expression 5974 // designating the called function, is sequenced before execution of every 5975 // expression or statement in the body of the function [and thus before 5976 // the value computation of its result]. 5977 SequencedSubexpression Sequenced(*this); 5978 Base::VisitCallExpr(CE); 5979 5980 // FIXME: CXXNewExpr and CXXDeleteExpr implicitly call functions. 5981 } 5982 5983 void VisitCXXConstructExpr(CXXConstructExpr *CCE) { 5984 // This is a call, so all subexpressions are sequenced before the result. 5985 SequencedSubexpression Sequenced(*this); 5986 5987 if (!CCE->isListInitialization()) 5988 return VisitExpr(CCE); 5989 5990 // In C++11, list initializations are sequenced. 5991 llvm::SmallVector<SequenceTree::Seq, 32> Elts; 5992 SequenceTree::Seq Parent = Region; 5993 for (CXXConstructExpr::arg_iterator I = CCE->arg_begin(), 5994 E = CCE->arg_end(); 5995 I != E; ++I) { 5996 Region = Tree.allocate(Parent); 5997 Elts.push_back(Region); 5998 Visit(*I); 5999 } 6000 6001 // Forget that the initializers are sequenced. 6002 Region = Parent; 6003 for (unsigned I = 0; I < Elts.size(); ++I) 6004 Tree.merge(Elts[I]); 6005 } 6006 6007 void VisitInitListExpr(InitListExpr *ILE) { 6008 if (!SemaRef.getLangOpts().CPlusPlus11) 6009 return VisitExpr(ILE); 6010 6011 // In C++11, list initializations are sequenced. 6012 llvm::SmallVector<SequenceTree::Seq, 32> Elts; 6013 SequenceTree::Seq Parent = Region; 6014 for (unsigned I = 0; I < ILE->getNumInits(); ++I) { 6015 Expr *E = ILE->getInit(I); 6016 if (!E) continue; 6017 Region = Tree.allocate(Parent); 6018 Elts.push_back(Region); 6019 Visit(E); 6020 } 6021 6022 // Forget that the initializers are sequenced. 6023 Region = Parent; 6024 for (unsigned I = 0; I < Elts.size(); ++I) 6025 Tree.merge(Elts[I]); 6026 } 6027 }; 6028 } 6029 6030 void Sema::CheckUnsequencedOperations(Expr *E) { 6031 llvm::SmallVector<Expr*, 8> WorkList; 6032 WorkList.push_back(E); 6033 while (!WorkList.empty()) { 6034 Expr *Item = WorkList.back(); 6035 WorkList.pop_back(); 6036 SequenceChecker(*this, Item, WorkList); 6037 } 6038 } 6039 6040 void Sema::CheckCompletedExpr(Expr *E, SourceLocation CheckLoc, 6041 bool IsConstexpr) { 6042 CheckImplicitConversions(E, CheckLoc); 6043 CheckUnsequencedOperations(E); 6044 if (!IsConstexpr && !E->isValueDependent()) 6045 CheckForIntOverflow(E); 6046 } 6047 6048 void Sema::CheckBitFieldInitialization(SourceLocation InitLoc, 6049 FieldDecl *BitField, 6050 Expr *Init) { 6051 (void) AnalyzeBitFieldAssignment(*this, BitField, Init, InitLoc); 6052 } 6053 6054 /// CheckParmsForFunctionDef - Check that the parameters of the given 6055 /// function are appropriate for the definition of a function. This 6056 /// takes care of any checks that cannot be performed on the 6057 /// declaration itself, e.g., that the types of each of the function 6058 /// parameters are complete. 6059 bool Sema::CheckParmsForFunctionDef(ParmVarDecl *const *P, 6060 ParmVarDecl *const *PEnd, 6061 bool CheckParameterNames) { 6062 bool HasInvalidParm = false; 6063 for (; P != PEnd; ++P) { 6064 ParmVarDecl *Param = *P; 6065 6066 // C99 6.7.5.3p4: the parameters in a parameter type list in a 6067 // function declarator that is part of a function definition of 6068 // that function shall not have incomplete type. 6069 // 6070 // This is also C++ [dcl.fct]p6. 6071 if (!Param->isInvalidDecl() && 6072 RequireCompleteType(Param->getLocation(), Param->getType(), 6073 diag::err_typecheck_decl_incomplete_type)) { 6074 Param->setInvalidDecl(); 6075 HasInvalidParm = true; 6076 } 6077 6078 // C99 6.9.1p5: If the declarator includes a parameter type list, the 6079 // declaration of each parameter shall include an identifier. 6080 if (CheckParameterNames && 6081 Param->getIdentifier() == 0 && 6082 !Param->isImplicit() && 6083 !getLangOpts().CPlusPlus) 6084 Diag(Param->getLocation(), diag::err_parameter_name_omitted); 6085 6086 // C99 6.7.5.3p12: 6087 // If the function declarator is not part of a definition of that 6088 // function, parameters may have incomplete type and may use the [*] 6089 // notation in their sequences of declarator specifiers to specify 6090 // variable length array types. 6091 QualType PType = Param->getOriginalType(); 6092 while (const ArrayType *AT = Context.getAsArrayType(PType)) { 6093 if (AT->getSizeModifier() == ArrayType::Star) { 6094 // FIXME: This diagnostic should point the '[*]' if source-location 6095 // information is added for it. 6096 Diag(Param->getLocation(), diag::err_array_star_in_function_definition); 6097 break; 6098 } 6099 PType= AT->getElementType(); 6100 } 6101 6102 // MSVC destroys objects passed by value in the callee. Therefore a 6103 // function definition which takes such a parameter must be able to call the 6104 // object's destructor. 6105 if (getLangOpts().CPlusPlus && 6106 Context.getTargetInfo().getCXXABI().isArgumentDestroyedByCallee()) { 6107 if (const RecordType *RT = Param->getType()->getAs<RecordType>()) 6108 FinalizeVarWithDestructor(Param, RT); 6109 } 6110 } 6111 6112 return HasInvalidParm; 6113 } 6114 6115 /// CheckCastAlign - Implements -Wcast-align, which warns when a 6116 /// pointer cast increases the alignment requirements. 6117 void Sema::CheckCastAlign(Expr *Op, QualType T, SourceRange TRange) { 6118 // This is actually a lot of work to potentially be doing on every 6119 // cast; don't do it if we're ignoring -Wcast_align (as is the default). 6120 if (getDiagnostics().getDiagnosticLevel(diag::warn_cast_align, 6121 TRange.getBegin()) 6122 == DiagnosticsEngine::Ignored) 6123 return; 6124 6125 // Ignore dependent types. 6126 if (T->isDependentType() || Op->getType()->isDependentType()) 6127 return; 6128 6129 // Require that the destination be a pointer type. 6130 const PointerType *DestPtr = T->getAs<PointerType>(); 6131 if (!DestPtr) return; 6132 6133 // If the destination has alignment 1, we're done. 6134 QualType DestPointee = DestPtr->getPointeeType(); 6135 if (DestPointee->isIncompleteType()) return; 6136 CharUnits DestAlign = Context.getTypeAlignInChars(DestPointee); 6137 if (DestAlign.isOne()) return; 6138 6139 // Require that the source be a pointer type. 6140 const PointerType *SrcPtr = Op->getType()->getAs<PointerType>(); 6141 if (!SrcPtr) return; 6142 QualType SrcPointee = SrcPtr->getPointeeType(); 6143 6144 // Whitelist casts from cv void*. We already implicitly 6145 // whitelisted casts to cv void*, since they have alignment 1. 6146 // Also whitelist casts involving incomplete types, which implicitly 6147 // includes 'void'. 6148 if (SrcPointee->isIncompleteType()) return; 6149 6150 CharUnits SrcAlign = Context.getTypeAlignInChars(SrcPointee); 6151 if (SrcAlign >= DestAlign) return; 6152 6153 Diag(TRange.getBegin(), diag::warn_cast_align) 6154 << Op->getType() << T 6155 << static_cast<unsigned>(SrcAlign.getQuantity()) 6156 << static_cast<unsigned>(DestAlign.getQuantity()) 6157 << TRange << Op->getSourceRange(); 6158 } 6159 6160 static const Type* getElementType(const Expr *BaseExpr) { 6161 const Type* EltType = BaseExpr->getType().getTypePtr(); 6162 if (EltType->isAnyPointerType()) 6163 return EltType->getPointeeType().getTypePtr(); 6164 else if (EltType->isArrayType()) 6165 return EltType->getBaseElementTypeUnsafe(); 6166 return EltType; 6167 } 6168 6169 /// \brief Check whether this array fits the idiom of a size-one tail padded 6170 /// array member of a struct. 6171 /// 6172 /// We avoid emitting out-of-bounds access warnings for such arrays as they are 6173 /// commonly used to emulate flexible arrays in C89 code. 6174 static bool IsTailPaddedMemberArray(Sema &S, llvm::APInt Size, 6175 const NamedDecl *ND) { 6176 if (Size != 1 || !ND) return false; 6177 6178 const FieldDecl *FD = dyn_cast<FieldDecl>(ND); 6179 if (!FD) return false; 6180 6181 // Don't consider sizes resulting from macro expansions or template argument 6182 // substitution to form C89 tail-padded arrays. 6183 6184 TypeSourceInfo *TInfo = FD->getTypeSourceInfo(); 6185 while (TInfo) { 6186 TypeLoc TL = TInfo->getTypeLoc(); 6187 // Look through typedefs. 6188 if (TypedefTypeLoc TTL = TL.getAs<TypedefTypeLoc>()) { 6189 const TypedefNameDecl *TDL = TTL.getTypedefNameDecl(); 6190 TInfo = TDL->getTypeSourceInfo(); 6191 continue; 6192 } 6193 if (ConstantArrayTypeLoc CTL = TL.getAs<ConstantArrayTypeLoc>()) { 6194 const Expr *SizeExpr = dyn_cast<IntegerLiteral>(CTL.getSizeExpr()); 6195 if (!SizeExpr || SizeExpr->getExprLoc().isMacroID()) 6196 return false; 6197 } 6198 break; 6199 } 6200 6201 const RecordDecl *RD = dyn_cast<RecordDecl>(FD->getDeclContext()); 6202 if (!RD) return false; 6203 if (RD->isUnion()) return false; 6204 if (const CXXRecordDecl *CRD = dyn_cast<CXXRecordDecl>(RD)) { 6205 if (!CRD->isStandardLayout()) return false; 6206 } 6207 6208 // See if this is the last field decl in the record. 6209 const Decl *D = FD; 6210 while ((D = D->getNextDeclInContext())) 6211 if (isa<FieldDecl>(D)) 6212 return false; 6213 return true; 6214 } 6215 6216 void Sema::CheckArrayAccess(const Expr *BaseExpr, const Expr *IndexExpr, 6217 const ArraySubscriptExpr *ASE, 6218 bool AllowOnePastEnd, bool IndexNegated) { 6219 IndexExpr = IndexExpr->IgnoreParenImpCasts(); 6220 if (IndexExpr->isValueDependent()) 6221 return; 6222 6223 const Type *EffectiveType = getElementType(BaseExpr); 6224 BaseExpr = BaseExpr->IgnoreParenCasts(); 6225 const ConstantArrayType *ArrayTy = 6226 Context.getAsConstantArrayType(BaseExpr->getType()); 6227 if (!ArrayTy) 6228 return; 6229 6230 llvm::APSInt index; 6231 if (!IndexExpr->EvaluateAsInt(index, Context)) 6232 return; 6233 if (IndexNegated) 6234 index = -index; 6235 6236 const NamedDecl *ND = NULL; 6237 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr)) 6238 ND = dyn_cast<NamedDecl>(DRE->getDecl()); 6239 if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr)) 6240 ND = dyn_cast<NamedDecl>(ME->getMemberDecl()); 6241 6242 if (index.isUnsigned() || !index.isNegative()) { 6243 llvm::APInt size = ArrayTy->getSize(); 6244 if (!size.isStrictlyPositive()) 6245 return; 6246 6247 const Type* BaseType = getElementType(BaseExpr); 6248 if (BaseType != EffectiveType) { 6249 // Make sure we're comparing apples to apples when comparing index to size 6250 uint64_t ptrarith_typesize = Context.getTypeSize(EffectiveType); 6251 uint64_t array_typesize = Context.getTypeSize(BaseType); 6252 // Handle ptrarith_typesize being zero, such as when casting to void* 6253 if (!ptrarith_typesize) ptrarith_typesize = 1; 6254 if (ptrarith_typesize != array_typesize) { 6255 // There's a cast to a different size type involved 6256 uint64_t ratio = array_typesize / ptrarith_typesize; 6257 // TODO: Be smarter about handling cases where array_typesize is not a 6258 // multiple of ptrarith_typesize 6259 if (ptrarith_typesize * ratio == array_typesize) 6260 size *= llvm::APInt(size.getBitWidth(), ratio); 6261 } 6262 } 6263 6264 if (size.getBitWidth() > index.getBitWidth()) 6265 index = index.zext(size.getBitWidth()); 6266 else if (size.getBitWidth() < index.getBitWidth()) 6267 size = size.zext(index.getBitWidth()); 6268 6269 // For array subscripting the index must be less than size, but for pointer 6270 // arithmetic also allow the index (offset) to be equal to size since 6271 // computing the next address after the end of the array is legal and 6272 // commonly done e.g. in C++ iterators and range-based for loops. 6273 if (AllowOnePastEnd ? index.ule(size) : index.ult(size)) 6274 return; 6275 6276 // Also don't warn for arrays of size 1 which are members of some 6277 // structure. These are often used to approximate flexible arrays in C89 6278 // code. 6279 if (IsTailPaddedMemberArray(*this, size, ND)) 6280 return; 6281 6282 // Suppress the warning if the subscript expression (as identified by the 6283 // ']' location) and the index expression are both from macro expansions 6284 // within a system header. 6285 if (ASE) { 6286 SourceLocation RBracketLoc = SourceMgr.getSpellingLoc( 6287 ASE->getRBracketLoc()); 6288 if (SourceMgr.isInSystemHeader(RBracketLoc)) { 6289 SourceLocation IndexLoc = SourceMgr.getSpellingLoc( 6290 IndexExpr->getLocStart()); 6291 if (SourceMgr.isFromSameFile(RBracketLoc, IndexLoc)) 6292 return; 6293 } 6294 } 6295 6296 unsigned DiagID = diag::warn_ptr_arith_exceeds_bounds; 6297 if (ASE) 6298 DiagID = diag::warn_array_index_exceeds_bounds; 6299 6300 DiagRuntimeBehavior(BaseExpr->getLocStart(), BaseExpr, 6301 PDiag(DiagID) << index.toString(10, true) 6302 << size.toString(10, true) 6303 << (unsigned)size.getLimitedValue(~0U) 6304 << IndexExpr->getSourceRange()); 6305 } else { 6306 unsigned DiagID = diag::warn_array_index_precedes_bounds; 6307 if (!ASE) { 6308 DiagID = diag::warn_ptr_arith_precedes_bounds; 6309 if (index.isNegative()) index = -index; 6310 } 6311 6312 DiagRuntimeBehavior(BaseExpr->getLocStart(), BaseExpr, 6313 PDiag(DiagID) << index.toString(10, true) 6314 << IndexExpr->getSourceRange()); 6315 } 6316 6317 if (!ND) { 6318 // Try harder to find a NamedDecl to point at in the note. 6319 while (const ArraySubscriptExpr *ASE = 6320 dyn_cast<ArraySubscriptExpr>(BaseExpr)) 6321 BaseExpr = ASE->getBase()->IgnoreParenCasts(); 6322 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr)) 6323 ND = dyn_cast<NamedDecl>(DRE->getDecl()); 6324 if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr)) 6325 ND = dyn_cast<NamedDecl>(ME->getMemberDecl()); 6326 } 6327 6328 if (ND) 6329 DiagRuntimeBehavior(ND->getLocStart(), BaseExpr, 6330 PDiag(diag::note_array_index_out_of_bounds) 6331 << ND->getDeclName()); 6332 } 6333 6334 void Sema::CheckArrayAccess(const Expr *expr) { 6335 int AllowOnePastEnd = 0; 6336 while (expr) { 6337 expr = expr->IgnoreParenImpCasts(); 6338 switch (expr->getStmtClass()) { 6339 case Stmt::ArraySubscriptExprClass: { 6340 const ArraySubscriptExpr *ASE = cast<ArraySubscriptExpr>(expr); 6341 CheckArrayAccess(ASE->getBase(), ASE->getIdx(), ASE, 6342 AllowOnePastEnd > 0); 6343 return; 6344 } 6345 case Stmt::UnaryOperatorClass: { 6346 // Only unwrap the * and & unary operators 6347 const UnaryOperator *UO = cast<UnaryOperator>(expr); 6348 expr = UO->getSubExpr(); 6349 switch (UO->getOpcode()) { 6350 case UO_AddrOf: 6351 AllowOnePastEnd++; 6352 break; 6353 case UO_Deref: 6354 AllowOnePastEnd--; 6355 break; 6356 default: 6357 return; 6358 } 6359 break; 6360 } 6361 case Stmt::ConditionalOperatorClass: { 6362 const ConditionalOperator *cond = cast<ConditionalOperator>(expr); 6363 if (const Expr *lhs = cond->getLHS()) 6364 CheckArrayAccess(lhs); 6365 if (const Expr *rhs = cond->getRHS()) 6366 CheckArrayAccess(rhs); 6367 return; 6368 } 6369 default: 6370 return; 6371 } 6372 } 6373 } 6374 6375 //===--- CHECK: Objective-C retain cycles ----------------------------------// 6376 6377 namespace { 6378 struct RetainCycleOwner { 6379 RetainCycleOwner() : Variable(0), Indirect(false) {} 6380 VarDecl *Variable; 6381 SourceRange Range; 6382 SourceLocation Loc; 6383 bool Indirect; 6384 6385 void setLocsFrom(Expr *e) { 6386 Loc = e->getExprLoc(); 6387 Range = e->getSourceRange(); 6388 } 6389 }; 6390 } 6391 6392 /// Consider whether capturing the given variable can possibly lead to 6393 /// a retain cycle. 6394 static bool considerVariable(VarDecl *var, Expr *ref, RetainCycleOwner &owner) { 6395 // In ARC, it's captured strongly iff the variable has __strong 6396 // lifetime. In MRR, it's captured strongly if the variable is 6397 // __block and has an appropriate type. 6398 if (var->getType().getObjCLifetime() != Qualifiers::OCL_Strong) 6399 return false; 6400 6401 owner.Variable = var; 6402 if (ref) 6403 owner.setLocsFrom(ref); 6404 return true; 6405 } 6406 6407 static bool findRetainCycleOwner(Sema &S, Expr *e, RetainCycleOwner &owner) { 6408 while (true) { 6409 e = e->IgnoreParens(); 6410 if (CastExpr *cast = dyn_cast<CastExpr>(e)) { 6411 switch (cast->getCastKind()) { 6412 case CK_BitCast: 6413 case CK_LValueBitCast: 6414 case CK_LValueToRValue: 6415 case CK_ARCReclaimReturnedObject: 6416 e = cast->getSubExpr(); 6417 continue; 6418 6419 default: 6420 return false; 6421 } 6422 } 6423 6424 if (ObjCIvarRefExpr *ref = dyn_cast<ObjCIvarRefExpr>(e)) { 6425 ObjCIvarDecl *ivar = ref->getDecl(); 6426 if (ivar->getType().getObjCLifetime() != Qualifiers::OCL_Strong) 6427 return false; 6428 6429 // Try to find a retain cycle in the base. 6430 if (!findRetainCycleOwner(S, ref->getBase(), owner)) 6431 return false; 6432 6433 if (ref->isFreeIvar()) owner.setLocsFrom(ref); 6434 owner.Indirect = true; 6435 return true; 6436 } 6437 6438 if (DeclRefExpr *ref = dyn_cast<DeclRefExpr>(e)) { 6439 VarDecl *var = dyn_cast<VarDecl>(ref->getDecl()); 6440 if (!var) return false; 6441 return considerVariable(var, ref, owner); 6442 } 6443 6444 if (MemberExpr *member = dyn_cast<MemberExpr>(e)) { 6445 if (member->isArrow()) return false; 6446 6447 // Don't count this as an indirect ownership. 6448 e = member->getBase(); 6449 continue; 6450 } 6451 6452 if (PseudoObjectExpr *pseudo = dyn_cast<PseudoObjectExpr>(e)) { 6453 // Only pay attention to pseudo-objects on property references. 6454 ObjCPropertyRefExpr *pre 6455 = dyn_cast<ObjCPropertyRefExpr>(pseudo->getSyntacticForm() 6456 ->IgnoreParens()); 6457 if (!pre) return false; 6458 if (pre->isImplicitProperty()) return false; 6459 ObjCPropertyDecl *property = pre->getExplicitProperty(); 6460 if (!property->isRetaining() && 6461 !(property->getPropertyIvarDecl() && 6462 property->getPropertyIvarDecl()->getType() 6463 .getObjCLifetime() == Qualifiers::OCL_Strong)) 6464 return false; 6465 6466 owner.Indirect = true; 6467 if (pre->isSuperReceiver()) { 6468 owner.Variable = S.getCurMethodDecl()->getSelfDecl(); 6469 if (!owner.Variable) 6470 return false; 6471 owner.Loc = pre->getLocation(); 6472 owner.Range = pre->getSourceRange(); 6473 return true; 6474 } 6475 e = const_cast<Expr*>(cast<OpaqueValueExpr>(pre->getBase()) 6476 ->getSourceExpr()); 6477 continue; 6478 } 6479 6480 // Array ivars? 6481 6482 return false; 6483 } 6484 } 6485 6486 namespace { 6487 struct FindCaptureVisitor : EvaluatedExprVisitor<FindCaptureVisitor> { 6488 FindCaptureVisitor(ASTContext &Context, VarDecl *variable) 6489 : EvaluatedExprVisitor<FindCaptureVisitor>(Context), 6490 Variable(variable), Capturer(0) {} 6491 6492 VarDecl *Variable; 6493 Expr *Capturer; 6494 6495 void VisitDeclRefExpr(DeclRefExpr *ref) { 6496 if (ref->getDecl() == Variable && !Capturer) 6497 Capturer = ref; 6498 } 6499 6500 void VisitObjCIvarRefExpr(ObjCIvarRefExpr *ref) { 6501 if (Capturer) return; 6502 Visit(ref->getBase()); 6503 if (Capturer && ref->isFreeIvar()) 6504 Capturer = ref; 6505 } 6506 6507 void VisitBlockExpr(BlockExpr *block) { 6508 // Look inside nested blocks 6509 if (block->getBlockDecl()->capturesVariable(Variable)) 6510 Visit(block->getBlockDecl()->getBody()); 6511 } 6512 6513 void VisitOpaqueValueExpr(OpaqueValueExpr *OVE) { 6514 if (Capturer) return; 6515 if (OVE->getSourceExpr()) 6516 Visit(OVE->getSourceExpr()); 6517 } 6518 }; 6519 } 6520 6521 /// Check whether the given argument is a block which captures a 6522 /// variable. 6523 static Expr *findCapturingExpr(Sema &S, Expr *e, RetainCycleOwner &owner) { 6524 assert(owner.Variable && owner.Loc.isValid()); 6525 6526 e = e->IgnoreParenCasts(); 6527 6528 // Look through [^{...} copy] and Block_copy(^{...}). 6529 if (ObjCMessageExpr *ME = dyn_cast<ObjCMessageExpr>(e)) { 6530 Selector Cmd = ME->getSelector(); 6531 if (Cmd.isUnarySelector() && Cmd.getNameForSlot(0) == "copy") { 6532 e = ME->getInstanceReceiver(); 6533 if (!e) 6534 return 0; 6535 e = e->IgnoreParenCasts(); 6536 } 6537 } else if (CallExpr *CE = dyn_cast<CallExpr>(e)) { 6538 if (CE->getNumArgs() == 1) { 6539 FunctionDecl *Fn = dyn_cast_or_null<FunctionDecl>(CE->getCalleeDecl()); 6540 if (Fn) { 6541 const IdentifierInfo *FnI = Fn->getIdentifier(); 6542 if (FnI && FnI->isStr("_Block_copy")) { 6543 e = CE->getArg(0)->IgnoreParenCasts(); 6544 } 6545 } 6546 } 6547 } 6548 6549 BlockExpr *block = dyn_cast<BlockExpr>(e); 6550 if (!block || !block->getBlockDecl()->capturesVariable(owner.Variable)) 6551 return 0; 6552 6553 FindCaptureVisitor visitor(S.Context, owner.Variable); 6554 visitor.Visit(block->getBlockDecl()->getBody()); 6555 return visitor.Capturer; 6556 } 6557 6558 static void diagnoseRetainCycle(Sema &S, Expr *capturer, 6559 RetainCycleOwner &owner) { 6560 assert(capturer); 6561 assert(owner.Variable && owner.Loc.isValid()); 6562 6563 S.Diag(capturer->getExprLoc(), diag::warn_arc_retain_cycle) 6564 << owner.Variable << capturer->getSourceRange(); 6565 S.Diag(owner.Loc, diag::note_arc_retain_cycle_owner) 6566 << owner.Indirect << owner.Range; 6567 } 6568 6569 /// Check for a keyword selector that starts with the word 'add' or 6570 /// 'set'. 6571 static bool isSetterLikeSelector(Selector sel) { 6572 if (sel.isUnarySelector()) return false; 6573 6574 StringRef str = sel.getNameForSlot(0); 6575 while (!str.empty() && str.front() == '_') str = str.substr(1); 6576 if (str.startswith("set")) 6577 str = str.substr(3); 6578 else if (str.startswith("add")) { 6579 // Specially whitelist 'addOperationWithBlock:'. 6580 if (sel.getNumArgs() == 1 && str.startswith("addOperationWithBlock")) 6581 return false; 6582 str = str.substr(3); 6583 } 6584 else 6585 return false; 6586 6587 if (str.empty()) return true; 6588 return !isLowercase(str.front()); 6589 } 6590 6591 /// Check a message send to see if it's likely to cause a retain cycle. 6592 void Sema::checkRetainCycles(ObjCMessageExpr *msg) { 6593 // Only check instance methods whose selector looks like a setter. 6594 if (!msg->isInstanceMessage() || !isSetterLikeSelector(msg->getSelector())) 6595 return; 6596 6597 // Try to find a variable that the receiver is strongly owned by. 6598 RetainCycleOwner owner; 6599 if (msg->getReceiverKind() == ObjCMessageExpr::Instance) { 6600 if (!findRetainCycleOwner(*this, msg->getInstanceReceiver(), owner)) 6601 return; 6602 } else { 6603 assert(msg->getReceiverKind() == ObjCMessageExpr::SuperInstance); 6604 owner.Variable = getCurMethodDecl()->getSelfDecl(); 6605 owner.Loc = msg->getSuperLoc(); 6606 owner.Range = msg->getSuperLoc(); 6607 } 6608 6609 // Check whether the receiver is captured by any of the arguments. 6610 for (unsigned i = 0, e = msg->getNumArgs(); i != e; ++i) 6611 if (Expr *capturer = findCapturingExpr(*this, msg->getArg(i), owner)) 6612 return diagnoseRetainCycle(*this, capturer, owner); 6613 } 6614 6615 /// Check a property assign to see if it's likely to cause a retain cycle. 6616 void Sema::checkRetainCycles(Expr *receiver, Expr *argument) { 6617 RetainCycleOwner owner; 6618 if (!findRetainCycleOwner(*this, receiver, owner)) 6619 return; 6620 6621 if (Expr *capturer = findCapturingExpr(*this, argument, owner)) 6622 diagnoseRetainCycle(*this, capturer, owner); 6623 } 6624 6625 void Sema::checkRetainCycles(VarDecl *Var, Expr *Init) { 6626 RetainCycleOwner Owner; 6627 if (!considerVariable(Var, /*DeclRefExpr=*/0, Owner)) 6628 return; 6629 6630 // Because we don't have an expression for the variable, we have to set the 6631 // location explicitly here. 6632 Owner.Loc = Var->getLocation(); 6633 Owner.Range = Var->getSourceRange(); 6634 6635 if (Expr *Capturer = findCapturingExpr(*this, Init, Owner)) 6636 diagnoseRetainCycle(*this, Capturer, Owner); 6637 } 6638 6639 static bool checkUnsafeAssignLiteral(Sema &S, SourceLocation Loc, 6640 Expr *RHS, bool isProperty) { 6641 // Check if RHS is an Objective-C object literal, which also can get 6642 // immediately zapped in a weak reference. Note that we explicitly 6643 // allow ObjCStringLiterals, since those are designed to never really die. 6644 RHS = RHS->IgnoreParenImpCasts(); 6645 6646 // This enum needs to match with the 'select' in 6647 // warn_objc_arc_literal_assign (off-by-1). 6648 Sema::ObjCLiteralKind Kind = S.CheckLiteralKind(RHS); 6649 if (Kind == Sema::LK_String || Kind == Sema::LK_None) 6650 return false; 6651 6652 S.Diag(Loc, diag::warn_arc_literal_assign) 6653 << (unsigned) Kind 6654 << (isProperty ? 0 : 1) 6655 << RHS->getSourceRange(); 6656 6657 return true; 6658 } 6659 6660 static bool checkUnsafeAssignObject(Sema &S, SourceLocation Loc, 6661 Qualifiers::ObjCLifetime LT, 6662 Expr *RHS, bool isProperty) { 6663 // Strip off any implicit cast added to get to the one ARC-specific. 6664 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) { 6665 if (cast->getCastKind() == CK_ARCConsumeObject) { 6666 S.Diag(Loc, diag::warn_arc_retained_assign) 6667 << (LT == Qualifiers::OCL_ExplicitNone) 6668 << (isProperty ? 0 : 1) 6669 << RHS->getSourceRange(); 6670 return true; 6671 } 6672 RHS = cast->getSubExpr(); 6673 } 6674 6675 if (LT == Qualifiers::OCL_Weak && 6676 checkUnsafeAssignLiteral(S, Loc, RHS, isProperty)) 6677 return true; 6678 6679 return false; 6680 } 6681 6682 bool Sema::checkUnsafeAssigns(SourceLocation Loc, 6683 QualType LHS, Expr *RHS) { 6684 Qualifiers::ObjCLifetime LT = LHS.getObjCLifetime(); 6685 6686 if (LT != Qualifiers::OCL_Weak && LT != Qualifiers::OCL_ExplicitNone) 6687 return false; 6688 6689 if (checkUnsafeAssignObject(*this, Loc, LT, RHS, false)) 6690 return true; 6691 6692 return false; 6693 } 6694 6695 void Sema::checkUnsafeExprAssigns(SourceLocation Loc, 6696 Expr *LHS, Expr *RHS) { 6697 QualType LHSType; 6698 // PropertyRef on LHS type need be directly obtained from 6699 // its declaration as it has a PsuedoType. 6700 ObjCPropertyRefExpr *PRE 6701 = dyn_cast<ObjCPropertyRefExpr>(LHS->IgnoreParens()); 6702 if (PRE && !PRE->isImplicitProperty()) { 6703 const ObjCPropertyDecl *PD = PRE->getExplicitProperty(); 6704 if (PD) 6705 LHSType = PD->getType(); 6706 } 6707 6708 if (LHSType.isNull()) 6709 LHSType = LHS->getType(); 6710 6711 Qualifiers::ObjCLifetime LT = LHSType.getObjCLifetime(); 6712 6713 if (LT == Qualifiers::OCL_Weak) { 6714 DiagnosticsEngine::Level Level = 6715 Diags.getDiagnosticLevel(diag::warn_arc_repeated_use_of_weak, Loc); 6716 if (Level != DiagnosticsEngine::Ignored) 6717 getCurFunction()->markSafeWeakUse(LHS); 6718 } 6719 6720 if (checkUnsafeAssigns(Loc, LHSType, RHS)) 6721 return; 6722 6723 // FIXME. Check for other life times. 6724 if (LT != Qualifiers::OCL_None) 6725 return; 6726 6727 if (PRE) { 6728 if (PRE->isImplicitProperty()) 6729 return; 6730 const ObjCPropertyDecl *PD = PRE->getExplicitProperty(); 6731 if (!PD) 6732 return; 6733 6734 unsigned Attributes = PD->getPropertyAttributes(); 6735 if (Attributes & ObjCPropertyDecl::OBJC_PR_assign) { 6736 // when 'assign' attribute was not explicitly specified 6737 // by user, ignore it and rely on property type itself 6738 // for lifetime info. 6739 unsigned AsWrittenAttr = PD->getPropertyAttributesAsWritten(); 6740 if (!(AsWrittenAttr & ObjCPropertyDecl::OBJC_PR_assign) && 6741 LHSType->isObjCRetainableType()) 6742 return; 6743 6744 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) { 6745 if (cast->getCastKind() == CK_ARCConsumeObject) { 6746 Diag(Loc, diag::warn_arc_retained_property_assign) 6747 << RHS->getSourceRange(); 6748 return; 6749 } 6750 RHS = cast->getSubExpr(); 6751 } 6752 } 6753 else if (Attributes & ObjCPropertyDecl::OBJC_PR_weak) { 6754 if (checkUnsafeAssignObject(*this, Loc, Qualifiers::OCL_Weak, RHS, true)) 6755 return; 6756 } 6757 } 6758 } 6759 6760 //===--- CHECK: Empty statement body (-Wempty-body) ---------------------===// 6761 6762 namespace { 6763 bool ShouldDiagnoseEmptyStmtBody(const SourceManager &SourceMgr, 6764 SourceLocation StmtLoc, 6765 const NullStmt *Body) { 6766 // Do not warn if the body is a macro that expands to nothing, e.g: 6767 // 6768 // #define CALL(x) 6769 // if (condition) 6770 // CALL(0); 6771 // 6772 if (Body->hasLeadingEmptyMacro()) 6773 return false; 6774 6775 // Get line numbers of statement and body. 6776 bool StmtLineInvalid; 6777 unsigned StmtLine = SourceMgr.getSpellingLineNumber(StmtLoc, 6778 &StmtLineInvalid); 6779 if (StmtLineInvalid) 6780 return false; 6781 6782 bool BodyLineInvalid; 6783 unsigned BodyLine = SourceMgr.getSpellingLineNumber(Body->getSemiLoc(), 6784 &BodyLineInvalid); 6785 if (BodyLineInvalid) 6786 return false; 6787 6788 // Warn if null statement and body are on the same line. 6789 if (StmtLine != BodyLine) 6790 return false; 6791 6792 return true; 6793 } 6794 } // Unnamed namespace 6795 6796 void Sema::DiagnoseEmptyStmtBody(SourceLocation StmtLoc, 6797 const Stmt *Body, 6798 unsigned DiagID) { 6799 // Since this is a syntactic check, don't emit diagnostic for template 6800 // instantiations, this just adds noise. 6801 if (CurrentInstantiationScope) 6802 return; 6803 6804 // The body should be a null statement. 6805 const NullStmt *NBody = dyn_cast<NullStmt>(Body); 6806 if (!NBody) 6807 return; 6808 6809 // Do the usual checks. 6810 if (!ShouldDiagnoseEmptyStmtBody(SourceMgr, StmtLoc, NBody)) 6811 return; 6812 6813 Diag(NBody->getSemiLoc(), DiagID); 6814 Diag(NBody->getSemiLoc(), diag::note_empty_body_on_separate_line); 6815 } 6816 6817 void Sema::DiagnoseEmptyLoopBody(const Stmt *S, 6818 const Stmt *PossibleBody) { 6819 assert(!CurrentInstantiationScope); // Ensured by caller 6820 6821 SourceLocation StmtLoc; 6822 const Stmt *Body; 6823 unsigned DiagID; 6824 if (const ForStmt *FS = dyn_cast<ForStmt>(S)) { 6825 StmtLoc = FS->getRParenLoc(); 6826 Body = FS->getBody(); 6827 DiagID = diag::warn_empty_for_body; 6828 } else if (const WhileStmt *WS = dyn_cast<WhileStmt>(S)) { 6829 StmtLoc = WS->getCond()->getSourceRange().getEnd(); 6830 Body = WS->getBody(); 6831 DiagID = diag::warn_empty_while_body; 6832 } else 6833 return; // Neither `for' nor `while'. 6834 6835 // The body should be a null statement. 6836 const NullStmt *NBody = dyn_cast<NullStmt>(Body); 6837 if (!NBody) 6838 return; 6839 6840 // Skip expensive checks if diagnostic is disabled. 6841 if (Diags.getDiagnosticLevel(DiagID, NBody->getSemiLoc()) == 6842 DiagnosticsEngine::Ignored) 6843 return; 6844 6845 // Do the usual checks. 6846 if (!ShouldDiagnoseEmptyStmtBody(SourceMgr, StmtLoc, NBody)) 6847 return; 6848 6849 // `for(...);' and `while(...);' are popular idioms, so in order to keep 6850 // noise level low, emit diagnostics only if for/while is followed by a 6851 // CompoundStmt, e.g.: 6852 // for (int i = 0; i < n; i++); 6853 // { 6854 // a(i); 6855 // } 6856 // or if for/while is followed by a statement with more indentation 6857 // than for/while itself: 6858 // for (int i = 0; i < n; i++); 6859 // a(i); 6860 bool ProbableTypo = isa<CompoundStmt>(PossibleBody); 6861 if (!ProbableTypo) { 6862 bool BodyColInvalid; 6863 unsigned BodyCol = SourceMgr.getPresumedColumnNumber( 6864 PossibleBody->getLocStart(), 6865 &BodyColInvalid); 6866 if (BodyColInvalid) 6867 return; 6868 6869 bool StmtColInvalid; 6870 unsigned StmtCol = SourceMgr.getPresumedColumnNumber( 6871 S->getLocStart(), 6872 &StmtColInvalid); 6873 if (StmtColInvalid) 6874 return; 6875 6876 if (BodyCol > StmtCol) 6877 ProbableTypo = true; 6878 } 6879 6880 if (ProbableTypo) { 6881 Diag(NBody->getSemiLoc(), DiagID); 6882 Diag(NBody->getSemiLoc(), diag::note_empty_body_on_separate_line); 6883 } 6884 } 6885 6886 //===--- Layout compatibility ----------------------------------------------// 6887 6888 namespace { 6889 6890 bool isLayoutCompatible(ASTContext &C, QualType T1, QualType T2); 6891 6892 /// \brief Check if two enumeration types are layout-compatible. 6893 bool isLayoutCompatible(ASTContext &C, EnumDecl *ED1, EnumDecl *ED2) { 6894 // C++11 [dcl.enum] p8: 6895 // Two enumeration types are layout-compatible if they have the same 6896 // underlying type. 6897 return ED1->isComplete() && ED2->isComplete() && 6898 C.hasSameType(ED1->getIntegerType(), ED2->getIntegerType()); 6899 } 6900 6901 /// \brief Check if two fields are layout-compatible. 6902 bool isLayoutCompatible(ASTContext &C, FieldDecl *Field1, FieldDecl *Field2) { 6903 if (!isLayoutCompatible(C, Field1->getType(), Field2->getType())) 6904 return false; 6905 6906 if (Field1->isBitField() != Field2->isBitField()) 6907 return false; 6908 6909 if (Field1->isBitField()) { 6910 // Make sure that the bit-fields are the same length. 6911 unsigned Bits1 = Field1->getBitWidthValue(C); 6912 unsigned Bits2 = Field2->getBitWidthValue(C); 6913 6914 if (Bits1 != Bits2) 6915 return false; 6916 } 6917 6918 return true; 6919 } 6920 6921 /// \brief Check if two standard-layout structs are layout-compatible. 6922 /// (C++11 [class.mem] p17) 6923 bool isLayoutCompatibleStruct(ASTContext &C, 6924 RecordDecl *RD1, 6925 RecordDecl *RD2) { 6926 // If both records are C++ classes, check that base classes match. 6927 if (const CXXRecordDecl *D1CXX = dyn_cast<CXXRecordDecl>(RD1)) { 6928 // If one of records is a CXXRecordDecl we are in C++ mode, 6929 // thus the other one is a CXXRecordDecl, too. 6930 const CXXRecordDecl *D2CXX = cast<CXXRecordDecl>(RD2); 6931 // Check number of base classes. 6932 if (D1CXX->getNumBases() != D2CXX->getNumBases()) 6933 return false; 6934 6935 // Check the base classes. 6936 for (CXXRecordDecl::base_class_const_iterator 6937 Base1 = D1CXX->bases_begin(), 6938 BaseEnd1 = D1CXX->bases_end(), 6939 Base2 = D2CXX->bases_begin(); 6940 Base1 != BaseEnd1; 6941 ++Base1, ++Base2) { 6942 if (!isLayoutCompatible(C, Base1->getType(), Base2->getType())) 6943 return false; 6944 } 6945 } else if (const CXXRecordDecl *D2CXX = dyn_cast<CXXRecordDecl>(RD2)) { 6946 // If only RD2 is a C++ class, it should have zero base classes. 6947 if (D2CXX->getNumBases() > 0) 6948 return false; 6949 } 6950 6951 // Check the fields. 6952 RecordDecl::field_iterator Field2 = RD2->field_begin(), 6953 Field2End = RD2->field_end(), 6954 Field1 = RD1->field_begin(), 6955 Field1End = RD1->field_end(); 6956 for ( ; Field1 != Field1End && Field2 != Field2End; ++Field1, ++Field2) { 6957 if (!isLayoutCompatible(C, *Field1, *Field2)) 6958 return false; 6959 } 6960 if (Field1 != Field1End || Field2 != Field2End) 6961 return false; 6962 6963 return true; 6964 } 6965 6966 /// \brief Check if two standard-layout unions are layout-compatible. 6967 /// (C++11 [class.mem] p18) 6968 bool isLayoutCompatibleUnion(ASTContext &C, 6969 RecordDecl *RD1, 6970 RecordDecl *RD2) { 6971 llvm::SmallPtrSet<FieldDecl *, 8> UnmatchedFields; 6972 for (RecordDecl::field_iterator Field2 = RD2->field_begin(), 6973 Field2End = RD2->field_end(); 6974 Field2 != Field2End; ++Field2) { 6975 UnmatchedFields.insert(*Field2); 6976 } 6977 6978 for (RecordDecl::field_iterator Field1 = RD1->field_begin(), 6979 Field1End = RD1->field_end(); 6980 Field1 != Field1End; ++Field1) { 6981 llvm::SmallPtrSet<FieldDecl *, 8>::iterator 6982 I = UnmatchedFields.begin(), 6983 E = UnmatchedFields.end(); 6984 6985 for ( ; I != E; ++I) { 6986 if (isLayoutCompatible(C, *Field1, *I)) { 6987 bool Result = UnmatchedFields.erase(*I); 6988 (void) Result; 6989 assert(Result); 6990 break; 6991 } 6992 } 6993 if (I == E) 6994 return false; 6995 } 6996 6997 return UnmatchedFields.empty(); 6998 } 6999 7000 bool isLayoutCompatible(ASTContext &C, RecordDecl *RD1, RecordDecl *RD2) { 7001 if (RD1->isUnion() != RD2->isUnion()) 7002 return false; 7003 7004 if (RD1->isUnion()) 7005 return isLayoutCompatibleUnion(C, RD1, RD2); 7006 else 7007 return isLayoutCompatibleStruct(C, RD1, RD2); 7008 } 7009 7010 /// \brief Check if two types are layout-compatible in C++11 sense. 7011 bool isLayoutCompatible(ASTContext &C, QualType T1, QualType T2) { 7012 if (T1.isNull() || T2.isNull()) 7013 return false; 7014 7015 // C++11 [basic.types] p11: 7016 // If two types T1 and T2 are the same type, then T1 and T2 are 7017 // layout-compatible types. 7018 if (C.hasSameType(T1, T2)) 7019 return true; 7020 7021 T1 = T1.getCanonicalType().getUnqualifiedType(); 7022 T2 = T2.getCanonicalType().getUnqualifiedType(); 7023 7024 const Type::TypeClass TC1 = T1->getTypeClass(); 7025 const Type::TypeClass TC2 = T2->getTypeClass(); 7026 7027 if (TC1 != TC2) 7028 return false; 7029 7030 if (TC1 == Type::Enum) { 7031 return isLayoutCompatible(C, 7032 cast<EnumType>(T1)->getDecl(), 7033 cast<EnumType>(T2)->getDecl()); 7034 } else if (TC1 == Type::Record) { 7035 if (!T1->isStandardLayoutType() || !T2->isStandardLayoutType()) 7036 return false; 7037 7038 return isLayoutCompatible(C, 7039 cast<RecordType>(T1)->getDecl(), 7040 cast<RecordType>(T2)->getDecl()); 7041 } 7042 7043 return false; 7044 } 7045 } 7046 7047 //===--- CHECK: pointer_with_type_tag attribute: datatypes should match ----// 7048 7049 namespace { 7050 /// \brief Given a type tag expression find the type tag itself. 7051 /// 7052 /// \param TypeExpr Type tag expression, as it appears in user's code. 7053 /// 7054 /// \param VD Declaration of an identifier that appears in a type tag. 7055 /// 7056 /// \param MagicValue Type tag magic value. 7057 bool FindTypeTagExpr(const Expr *TypeExpr, const ASTContext &Ctx, 7058 const ValueDecl **VD, uint64_t *MagicValue) { 7059 while(true) { 7060 if (!TypeExpr) 7061 return false; 7062 7063 TypeExpr = TypeExpr->IgnoreParenImpCasts()->IgnoreParenCasts(); 7064 7065 switch (TypeExpr->getStmtClass()) { 7066 case Stmt::UnaryOperatorClass: { 7067 const UnaryOperator *UO = cast<UnaryOperator>(TypeExpr); 7068 if (UO->getOpcode() == UO_AddrOf || UO->getOpcode() == UO_Deref) { 7069 TypeExpr = UO->getSubExpr(); 7070 continue; 7071 } 7072 return false; 7073 } 7074 7075 case Stmt::DeclRefExprClass: { 7076 const DeclRefExpr *DRE = cast<DeclRefExpr>(TypeExpr); 7077 *VD = DRE->getDecl(); 7078 return true; 7079 } 7080 7081 case Stmt::IntegerLiteralClass: { 7082 const IntegerLiteral *IL = cast<IntegerLiteral>(TypeExpr); 7083 llvm::APInt MagicValueAPInt = IL->getValue(); 7084 if (MagicValueAPInt.getActiveBits() <= 64) { 7085 *MagicValue = MagicValueAPInt.getZExtValue(); 7086 return true; 7087 } else 7088 return false; 7089 } 7090 7091 case Stmt::BinaryConditionalOperatorClass: 7092 case Stmt::ConditionalOperatorClass: { 7093 const AbstractConditionalOperator *ACO = 7094 cast<AbstractConditionalOperator>(TypeExpr); 7095 bool Result; 7096 if (ACO->getCond()->EvaluateAsBooleanCondition(Result, Ctx)) { 7097 if (Result) 7098 TypeExpr = ACO->getTrueExpr(); 7099 else 7100 TypeExpr = ACO->getFalseExpr(); 7101 continue; 7102 } 7103 return false; 7104 } 7105 7106 case Stmt::BinaryOperatorClass: { 7107 const BinaryOperator *BO = cast<BinaryOperator>(TypeExpr); 7108 if (BO->getOpcode() == BO_Comma) { 7109 TypeExpr = BO->getRHS(); 7110 continue; 7111 } 7112 return false; 7113 } 7114 7115 default: 7116 return false; 7117 } 7118 } 7119 } 7120 7121 /// \brief Retrieve the C type corresponding to type tag TypeExpr. 7122 /// 7123 /// \param TypeExpr Expression that specifies a type tag. 7124 /// 7125 /// \param MagicValues Registered magic values. 7126 /// 7127 /// \param FoundWrongKind Set to true if a type tag was found, but of a wrong 7128 /// kind. 7129 /// 7130 /// \param TypeInfo Information about the corresponding C type. 7131 /// 7132 /// \returns true if the corresponding C type was found. 7133 bool GetMatchingCType( 7134 const IdentifierInfo *ArgumentKind, 7135 const Expr *TypeExpr, const ASTContext &Ctx, 7136 const llvm::DenseMap<Sema::TypeTagMagicValue, 7137 Sema::TypeTagData> *MagicValues, 7138 bool &FoundWrongKind, 7139 Sema::TypeTagData &TypeInfo) { 7140 FoundWrongKind = false; 7141 7142 // Variable declaration that has type_tag_for_datatype attribute. 7143 const ValueDecl *VD = NULL; 7144 7145 uint64_t MagicValue; 7146 7147 if (!FindTypeTagExpr(TypeExpr, Ctx, &VD, &MagicValue)) 7148 return false; 7149 7150 if (VD) { 7151 for (specific_attr_iterator<TypeTagForDatatypeAttr> 7152 I = VD->specific_attr_begin<TypeTagForDatatypeAttr>(), 7153 E = VD->specific_attr_end<TypeTagForDatatypeAttr>(); 7154 I != E; ++I) { 7155 if (I->getArgumentKind() != ArgumentKind) { 7156 FoundWrongKind = true; 7157 return false; 7158 } 7159 TypeInfo.Type = I->getMatchingCType(); 7160 TypeInfo.LayoutCompatible = I->getLayoutCompatible(); 7161 TypeInfo.MustBeNull = I->getMustBeNull(); 7162 return true; 7163 } 7164 return false; 7165 } 7166 7167 if (!MagicValues) 7168 return false; 7169 7170 llvm::DenseMap<Sema::TypeTagMagicValue, 7171 Sema::TypeTagData>::const_iterator I = 7172 MagicValues->find(std::make_pair(ArgumentKind, MagicValue)); 7173 if (I == MagicValues->end()) 7174 return false; 7175 7176 TypeInfo = I->second; 7177 return true; 7178 } 7179 } // unnamed namespace 7180 7181 void Sema::RegisterTypeTagForDatatype(const IdentifierInfo *ArgumentKind, 7182 uint64_t MagicValue, QualType Type, 7183 bool LayoutCompatible, 7184 bool MustBeNull) { 7185 if (!TypeTagForDatatypeMagicValues) 7186 TypeTagForDatatypeMagicValues.reset( 7187 new llvm::DenseMap<TypeTagMagicValue, TypeTagData>); 7188 7189 TypeTagMagicValue Magic(ArgumentKind, MagicValue); 7190 (*TypeTagForDatatypeMagicValues)[Magic] = 7191 TypeTagData(Type, LayoutCompatible, MustBeNull); 7192 } 7193 7194 namespace { 7195 bool IsSameCharType(QualType T1, QualType T2) { 7196 const BuiltinType *BT1 = T1->getAs<BuiltinType>(); 7197 if (!BT1) 7198 return false; 7199 7200 const BuiltinType *BT2 = T2->getAs<BuiltinType>(); 7201 if (!BT2) 7202 return false; 7203 7204 BuiltinType::Kind T1Kind = BT1->getKind(); 7205 BuiltinType::Kind T2Kind = BT2->getKind(); 7206 7207 return (T1Kind == BuiltinType::SChar && T2Kind == BuiltinType::Char_S) || 7208 (T1Kind == BuiltinType::UChar && T2Kind == BuiltinType::Char_U) || 7209 (T1Kind == BuiltinType::Char_U && T2Kind == BuiltinType::UChar) || 7210 (T1Kind == BuiltinType::Char_S && T2Kind == BuiltinType::SChar); 7211 } 7212 } // unnamed namespace 7213 7214 void Sema::CheckArgumentWithTypeTag(const ArgumentWithTypeTagAttr *Attr, 7215 const Expr * const *ExprArgs) { 7216 const IdentifierInfo *ArgumentKind = Attr->getArgumentKind(); 7217 bool IsPointerAttr = Attr->getIsPointer(); 7218 7219 const Expr *TypeTagExpr = ExprArgs[Attr->getTypeTagIdx()]; 7220 bool FoundWrongKind; 7221 TypeTagData TypeInfo; 7222 if (!GetMatchingCType(ArgumentKind, TypeTagExpr, Context, 7223 TypeTagForDatatypeMagicValues.get(), 7224 FoundWrongKind, TypeInfo)) { 7225 if (FoundWrongKind) 7226 Diag(TypeTagExpr->getExprLoc(), 7227 diag::warn_type_tag_for_datatype_wrong_kind) 7228 << TypeTagExpr->getSourceRange(); 7229 return; 7230 } 7231 7232 const Expr *ArgumentExpr = ExprArgs[Attr->getArgumentIdx()]; 7233 if (IsPointerAttr) { 7234 // Skip implicit cast of pointer to `void *' (as a function argument). 7235 if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(ArgumentExpr)) 7236 if (ICE->getType()->isVoidPointerType() && 7237 ICE->getCastKind() == CK_BitCast) 7238 ArgumentExpr = ICE->getSubExpr(); 7239 } 7240 QualType ArgumentType = ArgumentExpr->getType(); 7241 7242 // Passing a `void*' pointer shouldn't trigger a warning. 7243 if (IsPointerAttr && ArgumentType->isVoidPointerType()) 7244 return; 7245 7246 if (TypeInfo.MustBeNull) { 7247 // Type tag with matching void type requires a null pointer. 7248 if (!ArgumentExpr->isNullPointerConstant(Context, 7249 Expr::NPC_ValueDependentIsNotNull)) { 7250 Diag(ArgumentExpr->getExprLoc(), 7251 diag::warn_type_safety_null_pointer_required) 7252 << ArgumentKind->getName() 7253 << ArgumentExpr->getSourceRange() 7254 << TypeTagExpr->getSourceRange(); 7255 } 7256 return; 7257 } 7258 7259 QualType RequiredType = TypeInfo.Type; 7260 if (IsPointerAttr) 7261 RequiredType = Context.getPointerType(RequiredType); 7262 7263 bool mismatch = false; 7264 if (!TypeInfo.LayoutCompatible) { 7265 mismatch = !Context.hasSameType(ArgumentType, RequiredType); 7266 7267 // C++11 [basic.fundamental] p1: 7268 // Plain char, signed char, and unsigned char are three distinct types. 7269 // 7270 // But we treat plain `char' as equivalent to `signed char' or `unsigned 7271 // char' depending on the current char signedness mode. 7272 if (mismatch) 7273 if ((IsPointerAttr && IsSameCharType(ArgumentType->getPointeeType(), 7274 RequiredType->getPointeeType())) || 7275 (!IsPointerAttr && IsSameCharType(ArgumentType, RequiredType))) 7276 mismatch = false; 7277 } else 7278 if (IsPointerAttr) 7279 mismatch = !isLayoutCompatible(Context, 7280 ArgumentType->getPointeeType(), 7281 RequiredType->getPointeeType()); 7282 else 7283 mismatch = !isLayoutCompatible(Context, ArgumentType, RequiredType); 7284 7285 if (mismatch) 7286 Diag(ArgumentExpr->getExprLoc(), diag::warn_type_safety_type_mismatch) 7287 << ArgumentType << ArgumentKind->getName() 7288 << TypeInfo.LayoutCompatible << RequiredType 7289 << ArgumentExpr->getSourceRange() 7290 << TypeTagExpr->getSourceRange(); 7291 } 7292
