1 //===--- SemaChecking.cpp - Extra Semantic Checking -----------------------===// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file implements extra semantic analysis beyond what is enforced 11 // by the C type system. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "clang/Sema/SemaInternal.h" 16 #include "clang/AST/ASTContext.h" 17 #include "clang/AST/CharUnits.h" 18 #include "clang/AST/DeclCXX.h" 19 #include "clang/AST/DeclObjC.h" 20 #include "clang/AST/EvaluatedExprVisitor.h" 21 #include "clang/AST/Expr.h" 22 #include "clang/AST/ExprCXX.h" 23 #include "clang/AST/ExprObjC.h" 24 #include "clang/AST/ExprOpenMP.h" 25 #include "clang/AST/StmtCXX.h" 26 #include "clang/AST/StmtObjC.h" 27 #include "clang/Analysis/Analyses/FormatString.h" 28 #include "clang/Basic/CharInfo.h" 29 #include "clang/Basic/TargetBuiltins.h" 30 #include "clang/Basic/TargetInfo.h" 31 #include "clang/Lex/Lexer.h" // TODO: Extract static functions to fix layering. 32 #include "clang/Sema/Initialization.h" 33 #include "clang/Sema/Lookup.h" 34 #include "clang/Sema/ScopeInfo.h" 35 #include "clang/Sema/Sema.h" 36 #include "llvm/ADT/STLExtras.h" 37 #include "llvm/ADT/SmallBitVector.h" 38 #include "llvm/ADT/SmallString.h" 39 #include "llvm/Support/ConvertUTF.h" 40 #include "llvm/Support/raw_ostream.h" 41 #include <limits> 42 using namespace clang; 43 using namespace sema; 44 45 SourceLocation Sema::getLocationOfStringLiteralByte(const StringLiteral *SL, 46 unsigned ByteNo) const { 47 return SL->getLocationOfByte(ByteNo, getSourceManager(), LangOpts, 48 Context.getTargetInfo()); 49 } 50 51 /// Checks that a call expression's argument count is the desired number. 52 /// This is useful when doing custom type-checking. Returns true on error. 53 static bool checkArgCount(Sema &S, CallExpr *call, unsigned desiredArgCount) { 54 unsigned argCount = call->getNumArgs(); 55 if (argCount == desiredArgCount) return false; 56 57 if (argCount < desiredArgCount) 58 return S.Diag(call->getLocEnd(), diag::err_typecheck_call_too_few_args) 59 << 0 /*function call*/ << desiredArgCount << argCount 60 << call->getSourceRange(); 61 62 // Highlight all the excess arguments. 63 SourceRange range(call->getArg(desiredArgCount)->getLocStart(), 64 call->getArg(argCount - 1)->getLocEnd()); 65 66 return S.Diag(range.getBegin(), diag::err_typecheck_call_too_many_args) 67 << 0 /*function call*/ << desiredArgCount << argCount 68 << call->getArg(1)->getSourceRange(); 69 } 70 71 /// Check that the first argument to __builtin_annotation is an integer 72 /// and the second argument is a non-wide string literal. 73 static bool SemaBuiltinAnnotation(Sema &S, CallExpr *TheCall) { 74 if (checkArgCount(S, TheCall, 2)) 75 return true; 76 77 // First argument should be an integer. 78 Expr *ValArg = TheCall->getArg(0); 79 QualType Ty = ValArg->getType(); 80 if (!Ty->isIntegerType()) { 81 S.Diag(ValArg->getLocStart(), diag::err_builtin_annotation_first_arg) 82 << ValArg->getSourceRange(); 83 return true; 84 } 85 86 // Second argument should be a constant string. 87 Expr *StrArg = TheCall->getArg(1)->IgnoreParenCasts(); 88 StringLiteral *Literal = dyn_cast<StringLiteral>(StrArg); 89 if (!Literal || !Literal->isAscii()) { 90 S.Diag(StrArg->getLocStart(), diag::err_builtin_annotation_second_arg) 91 << StrArg->getSourceRange(); 92 return true; 93 } 94 95 TheCall->setType(Ty); 96 return false; 97 } 98 99 /// Check that the argument to __builtin_addressof is a glvalue, and set the 100 /// result type to the corresponding pointer type. 101 static bool SemaBuiltinAddressof(Sema &S, CallExpr *TheCall) { 102 if (checkArgCount(S, TheCall, 1)) 103 return true; 104 105 ExprResult Arg(TheCall->getArg(0)); 106 QualType ResultType = S.CheckAddressOfOperand(Arg, TheCall->getLocStart()); 107 if (ResultType.isNull()) 108 return true; 109 110 TheCall->setArg(0, Arg.get()); 111 TheCall->setType(ResultType); 112 return false; 113 } 114 115 static bool SemaBuiltinOverflow(Sema &S, CallExpr *TheCall) { 116 if (checkArgCount(S, TheCall, 3)) 117 return true; 118 119 // First two arguments should be integers. 120 for (unsigned I = 0; I < 2; ++I) { 121 Expr *Arg = TheCall->getArg(I); 122 QualType Ty = Arg->getType(); 123 if (!Ty->isIntegerType()) { 124 S.Diag(Arg->getLocStart(), diag::err_overflow_builtin_must_be_int) 125 << Ty << Arg->getSourceRange(); 126 return true; 127 } 128 } 129 130 // Third argument should be a pointer to a non-const integer. 131 // IRGen correctly handles volatile, restrict, and address spaces, and 132 // the other qualifiers aren't possible. 133 { 134 Expr *Arg = TheCall->getArg(2); 135 QualType Ty = Arg->getType(); 136 const auto *PtrTy = Ty->getAs<PointerType>(); 137 if (!(PtrTy && PtrTy->getPointeeType()->isIntegerType() && 138 !PtrTy->getPointeeType().isConstQualified())) { 139 S.Diag(Arg->getLocStart(), diag::err_overflow_builtin_must_be_ptr_int) 140 << Ty << Arg->getSourceRange(); 141 return true; 142 } 143 } 144 145 return false; 146 } 147 148 static void SemaBuiltinMemChkCall(Sema &S, FunctionDecl *FDecl, 149 CallExpr *TheCall, unsigned SizeIdx, 150 unsigned DstSizeIdx) { 151 if (TheCall->getNumArgs() <= SizeIdx || 152 TheCall->getNumArgs() <= DstSizeIdx) 153 return; 154 155 const Expr *SizeArg = TheCall->getArg(SizeIdx); 156 const Expr *DstSizeArg = TheCall->getArg(DstSizeIdx); 157 158 llvm::APSInt Size, DstSize; 159 160 // find out if both sizes are known at compile time 161 if (!SizeArg->EvaluateAsInt(Size, S.Context) || 162 !DstSizeArg->EvaluateAsInt(DstSize, S.Context)) 163 return; 164 165 if (Size.ule(DstSize)) 166 return; 167 168 // confirmed overflow so generate the diagnostic. 169 IdentifierInfo *FnName = FDecl->getIdentifier(); 170 SourceLocation SL = TheCall->getLocStart(); 171 SourceRange SR = TheCall->getSourceRange(); 172 173 S.Diag(SL, diag::warn_memcpy_chk_overflow) << SR << FnName; 174 } 175 176 static bool SemaBuiltinCallWithStaticChain(Sema &S, CallExpr *BuiltinCall) { 177 if (checkArgCount(S, BuiltinCall, 2)) 178 return true; 179 180 SourceLocation BuiltinLoc = BuiltinCall->getLocStart(); 181 Expr *Builtin = BuiltinCall->getCallee()->IgnoreImpCasts(); 182 Expr *Call = BuiltinCall->getArg(0); 183 Expr *Chain = BuiltinCall->getArg(1); 184 185 if (Call->getStmtClass() != Stmt::CallExprClass) { 186 S.Diag(BuiltinLoc, diag::err_first_argument_to_cwsc_not_call) 187 << Call->getSourceRange(); 188 return true; 189 } 190 191 auto CE = cast<CallExpr>(Call); 192 if (CE->getCallee()->getType()->isBlockPointerType()) { 193 S.Diag(BuiltinLoc, diag::err_first_argument_to_cwsc_block_call) 194 << Call->getSourceRange(); 195 return true; 196 } 197 198 const Decl *TargetDecl = CE->getCalleeDecl(); 199 if (const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(TargetDecl)) 200 if (FD->getBuiltinID()) { 201 S.Diag(BuiltinLoc, diag::err_first_argument_to_cwsc_builtin_call) 202 << Call->getSourceRange(); 203 return true; 204 } 205 206 if (isa<CXXPseudoDestructorExpr>(CE->getCallee()->IgnoreParens())) { 207 S.Diag(BuiltinLoc, diag::err_first_argument_to_cwsc_pdtor_call) 208 << Call->getSourceRange(); 209 return true; 210 } 211 212 ExprResult ChainResult = S.UsualUnaryConversions(Chain); 213 if (ChainResult.isInvalid()) 214 return true; 215 if (!ChainResult.get()->getType()->isPointerType()) { 216 S.Diag(BuiltinLoc, diag::err_second_argument_to_cwsc_not_pointer) 217 << Chain->getSourceRange(); 218 return true; 219 } 220 221 QualType ReturnTy = CE->getCallReturnType(S.Context); 222 QualType ArgTys[2] = { ReturnTy, ChainResult.get()->getType() }; 223 QualType BuiltinTy = S.Context.getFunctionType( 224 ReturnTy, ArgTys, FunctionProtoType::ExtProtoInfo()); 225 QualType BuiltinPtrTy = S.Context.getPointerType(BuiltinTy); 226 227 Builtin = 228 S.ImpCastExprToType(Builtin, BuiltinPtrTy, CK_BuiltinFnToFnPtr).get(); 229 230 BuiltinCall->setType(CE->getType()); 231 BuiltinCall->setValueKind(CE->getValueKind()); 232 BuiltinCall->setObjectKind(CE->getObjectKind()); 233 BuiltinCall->setCallee(Builtin); 234 BuiltinCall->setArg(1, ChainResult.get()); 235 236 return false; 237 } 238 239 static bool SemaBuiltinSEHScopeCheck(Sema &SemaRef, CallExpr *TheCall, 240 Scope::ScopeFlags NeededScopeFlags, 241 unsigned DiagID) { 242 // Scopes aren't available during instantiation. Fortunately, builtin 243 // functions cannot be template args so they cannot be formed through template 244 // instantiation. Therefore checking once during the parse is sufficient. 245 if (!SemaRef.ActiveTemplateInstantiations.empty()) 246 return false; 247 248 Scope *S = SemaRef.getCurScope(); 249 while (S && !S->isSEHExceptScope()) 250 S = S->getParent(); 251 if (!S || !(S->getFlags() & NeededScopeFlags)) { 252 auto *DRE = cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 253 SemaRef.Diag(TheCall->getExprLoc(), DiagID) 254 << DRE->getDecl()->getIdentifier(); 255 return true; 256 } 257 258 return false; 259 } 260 261 ExprResult 262 Sema::CheckBuiltinFunctionCall(FunctionDecl *FDecl, unsigned BuiltinID, 263 CallExpr *TheCall) { 264 ExprResult TheCallResult(TheCall); 265 266 // Find out if any arguments are required to be integer constant expressions. 267 unsigned ICEArguments = 0; 268 ASTContext::GetBuiltinTypeError Error; 269 Context.GetBuiltinType(BuiltinID, Error, &ICEArguments); 270 if (Error != ASTContext::GE_None) 271 ICEArguments = 0; // Don't diagnose previously diagnosed errors. 272 273 // If any arguments are required to be ICE's, check and diagnose. 274 for (unsigned ArgNo = 0; ICEArguments != 0; ++ArgNo) { 275 // Skip arguments not required to be ICE's. 276 if ((ICEArguments & (1 << ArgNo)) == 0) continue; 277 278 llvm::APSInt Result; 279 if (SemaBuiltinConstantArg(TheCall, ArgNo, Result)) 280 return true; 281 ICEArguments &= ~(1 << ArgNo); 282 } 283 284 switch (BuiltinID) { 285 case Builtin::BI__builtin___CFStringMakeConstantString: 286 assert(TheCall->getNumArgs() == 1 && 287 "Wrong # arguments to builtin CFStringMakeConstantString"); 288 if (CheckObjCString(TheCall->getArg(0))) 289 return ExprError(); 290 break; 291 case Builtin::BI__builtin_stdarg_start: 292 case Builtin::BI__builtin_va_start: 293 if (SemaBuiltinVAStart(TheCall)) 294 return ExprError(); 295 break; 296 case Builtin::BI__va_start: { 297 switch (Context.getTargetInfo().getTriple().getArch()) { 298 case llvm::Triple::arm: 299 case llvm::Triple::thumb: 300 if (SemaBuiltinVAStartARM(TheCall)) 301 return ExprError(); 302 break; 303 default: 304 if (SemaBuiltinVAStart(TheCall)) 305 return ExprError(); 306 break; 307 } 308 break; 309 } 310 case Builtin::BI__builtin_isgreater: 311 case Builtin::BI__builtin_isgreaterequal: 312 case Builtin::BI__builtin_isless: 313 case Builtin::BI__builtin_islessequal: 314 case Builtin::BI__builtin_islessgreater: 315 case Builtin::BI__builtin_isunordered: 316 if (SemaBuiltinUnorderedCompare(TheCall)) 317 return ExprError(); 318 break; 319 case Builtin::BI__builtin_fpclassify: 320 if (SemaBuiltinFPClassification(TheCall, 6)) 321 return ExprError(); 322 break; 323 case Builtin::BI__builtin_isfinite: 324 case Builtin::BI__builtin_isinf: 325 case Builtin::BI__builtin_isinf_sign: 326 case Builtin::BI__builtin_isnan: 327 case Builtin::BI__builtin_isnormal: 328 if (SemaBuiltinFPClassification(TheCall, 1)) 329 return ExprError(); 330 break; 331 case Builtin::BI__builtin_shufflevector: 332 return SemaBuiltinShuffleVector(TheCall); 333 // TheCall will be freed by the smart pointer here, but that's fine, since 334 // SemaBuiltinShuffleVector guts it, but then doesn't release it. 335 case Builtin::BI__builtin_prefetch: 336 if (SemaBuiltinPrefetch(TheCall)) 337 return ExprError(); 338 break; 339 case Builtin::BI__assume: 340 case Builtin::BI__builtin_assume: 341 if (SemaBuiltinAssume(TheCall)) 342 return ExprError(); 343 break; 344 case Builtin::BI__builtin_assume_aligned: 345 if (SemaBuiltinAssumeAligned(TheCall)) 346 return ExprError(); 347 break; 348 case Builtin::BI__builtin_object_size: 349 if (SemaBuiltinConstantArgRange(TheCall, 1, 0, 3)) 350 return ExprError(); 351 break; 352 case Builtin::BI__builtin_longjmp: 353 if (SemaBuiltinLongjmp(TheCall)) 354 return ExprError(); 355 break; 356 case Builtin::BI__builtin_setjmp: 357 if (SemaBuiltinSetjmp(TheCall)) 358 return ExprError(); 359 break; 360 case Builtin::BI_setjmp: 361 case Builtin::BI_setjmpex: 362 if (checkArgCount(*this, TheCall, 1)) 363 return true; 364 break; 365 366 case Builtin::BI__builtin_classify_type: 367 if (checkArgCount(*this, TheCall, 1)) return true; 368 TheCall->setType(Context.IntTy); 369 break; 370 case Builtin::BI__builtin_constant_p: 371 if (checkArgCount(*this, TheCall, 1)) return true; 372 TheCall->setType(Context.IntTy); 373 break; 374 case Builtin::BI__sync_fetch_and_add: 375 case Builtin::BI__sync_fetch_and_add_1: 376 case Builtin::BI__sync_fetch_and_add_2: 377 case Builtin::BI__sync_fetch_and_add_4: 378 case Builtin::BI__sync_fetch_and_add_8: 379 case Builtin::BI__sync_fetch_and_add_16: 380 case Builtin::BI__sync_fetch_and_sub: 381 case Builtin::BI__sync_fetch_and_sub_1: 382 case Builtin::BI__sync_fetch_and_sub_2: 383 case Builtin::BI__sync_fetch_and_sub_4: 384 case Builtin::BI__sync_fetch_and_sub_8: 385 case Builtin::BI__sync_fetch_and_sub_16: 386 case Builtin::BI__sync_fetch_and_or: 387 case Builtin::BI__sync_fetch_and_or_1: 388 case Builtin::BI__sync_fetch_and_or_2: 389 case Builtin::BI__sync_fetch_and_or_4: 390 case Builtin::BI__sync_fetch_and_or_8: 391 case Builtin::BI__sync_fetch_and_or_16: 392 case Builtin::BI__sync_fetch_and_and: 393 case Builtin::BI__sync_fetch_and_and_1: 394 case Builtin::BI__sync_fetch_and_and_2: 395 case Builtin::BI__sync_fetch_and_and_4: 396 case Builtin::BI__sync_fetch_and_and_8: 397 case Builtin::BI__sync_fetch_and_and_16: 398 case Builtin::BI__sync_fetch_and_xor: 399 case Builtin::BI__sync_fetch_and_xor_1: 400 case Builtin::BI__sync_fetch_and_xor_2: 401 case Builtin::BI__sync_fetch_and_xor_4: 402 case Builtin::BI__sync_fetch_and_xor_8: 403 case Builtin::BI__sync_fetch_and_xor_16: 404 case Builtin::BI__sync_fetch_and_nand: 405 case Builtin::BI__sync_fetch_and_nand_1: 406 case Builtin::BI__sync_fetch_and_nand_2: 407 case Builtin::BI__sync_fetch_and_nand_4: 408 case Builtin::BI__sync_fetch_and_nand_8: 409 case Builtin::BI__sync_fetch_and_nand_16: 410 case Builtin::BI__sync_add_and_fetch: 411 case Builtin::BI__sync_add_and_fetch_1: 412 case Builtin::BI__sync_add_and_fetch_2: 413 case Builtin::BI__sync_add_and_fetch_4: 414 case Builtin::BI__sync_add_and_fetch_8: 415 case Builtin::BI__sync_add_and_fetch_16: 416 case Builtin::BI__sync_sub_and_fetch: 417 case Builtin::BI__sync_sub_and_fetch_1: 418 case Builtin::BI__sync_sub_and_fetch_2: 419 case Builtin::BI__sync_sub_and_fetch_4: 420 case Builtin::BI__sync_sub_and_fetch_8: 421 case Builtin::BI__sync_sub_and_fetch_16: 422 case Builtin::BI__sync_and_and_fetch: 423 case Builtin::BI__sync_and_and_fetch_1: 424 case Builtin::BI__sync_and_and_fetch_2: 425 case Builtin::BI__sync_and_and_fetch_4: 426 case Builtin::BI__sync_and_and_fetch_8: 427 case Builtin::BI__sync_and_and_fetch_16: 428 case Builtin::BI__sync_or_and_fetch: 429 case Builtin::BI__sync_or_and_fetch_1: 430 case Builtin::BI__sync_or_and_fetch_2: 431 case Builtin::BI__sync_or_and_fetch_4: 432 case Builtin::BI__sync_or_and_fetch_8: 433 case Builtin::BI__sync_or_and_fetch_16: 434 case Builtin::BI__sync_xor_and_fetch: 435 case Builtin::BI__sync_xor_and_fetch_1: 436 case Builtin::BI__sync_xor_and_fetch_2: 437 case Builtin::BI__sync_xor_and_fetch_4: 438 case Builtin::BI__sync_xor_and_fetch_8: 439 case Builtin::BI__sync_xor_and_fetch_16: 440 case Builtin::BI__sync_nand_and_fetch: 441 case Builtin::BI__sync_nand_and_fetch_1: 442 case Builtin::BI__sync_nand_and_fetch_2: 443 case Builtin::BI__sync_nand_and_fetch_4: 444 case Builtin::BI__sync_nand_and_fetch_8: 445 case Builtin::BI__sync_nand_and_fetch_16: 446 case Builtin::BI__sync_val_compare_and_swap: 447 case Builtin::BI__sync_val_compare_and_swap_1: 448 case Builtin::BI__sync_val_compare_and_swap_2: 449 case Builtin::BI__sync_val_compare_and_swap_4: 450 case Builtin::BI__sync_val_compare_and_swap_8: 451 case Builtin::BI__sync_val_compare_and_swap_16: 452 case Builtin::BI__sync_bool_compare_and_swap: 453 case Builtin::BI__sync_bool_compare_and_swap_1: 454 case Builtin::BI__sync_bool_compare_and_swap_2: 455 case Builtin::BI__sync_bool_compare_and_swap_4: 456 case Builtin::BI__sync_bool_compare_and_swap_8: 457 case Builtin::BI__sync_bool_compare_and_swap_16: 458 case Builtin::BI__sync_lock_test_and_set: 459 case Builtin::BI__sync_lock_test_and_set_1: 460 case Builtin::BI__sync_lock_test_and_set_2: 461 case Builtin::BI__sync_lock_test_and_set_4: 462 case Builtin::BI__sync_lock_test_and_set_8: 463 case Builtin::BI__sync_lock_test_and_set_16: 464 case Builtin::BI__sync_lock_release: 465 case Builtin::BI__sync_lock_release_1: 466 case Builtin::BI__sync_lock_release_2: 467 case Builtin::BI__sync_lock_release_4: 468 case Builtin::BI__sync_lock_release_8: 469 case Builtin::BI__sync_lock_release_16: 470 case Builtin::BI__sync_swap: 471 case Builtin::BI__sync_swap_1: 472 case Builtin::BI__sync_swap_2: 473 case Builtin::BI__sync_swap_4: 474 case Builtin::BI__sync_swap_8: 475 case Builtin::BI__sync_swap_16: 476 return SemaBuiltinAtomicOverloaded(TheCallResult); 477 case Builtin::BI__builtin_nontemporal_load: 478 case Builtin::BI__builtin_nontemporal_store: 479 return SemaBuiltinNontemporalOverloaded(TheCallResult); 480 #define BUILTIN(ID, TYPE, ATTRS) 481 #define ATOMIC_BUILTIN(ID, TYPE, ATTRS) \ 482 case Builtin::BI##ID: \ 483 return SemaAtomicOpsOverloaded(TheCallResult, AtomicExpr::AO##ID); 484 #include "clang/Basic/Builtins.def" 485 case Builtin::BI__builtin_annotation: 486 if (SemaBuiltinAnnotation(*this, TheCall)) 487 return ExprError(); 488 break; 489 case Builtin::BI__builtin_addressof: 490 if (SemaBuiltinAddressof(*this, TheCall)) 491 return ExprError(); 492 break; 493 case Builtin::BI__builtin_add_overflow: 494 case Builtin::BI__builtin_sub_overflow: 495 case Builtin::BI__builtin_mul_overflow: 496 if (SemaBuiltinOverflow(*this, TheCall)) 497 return ExprError(); 498 break; 499 case Builtin::BI__builtin_operator_new: 500 case Builtin::BI__builtin_operator_delete: 501 if (!getLangOpts().CPlusPlus) { 502 Diag(TheCall->getExprLoc(), diag::err_builtin_requires_language) 503 << (BuiltinID == Builtin::BI__builtin_operator_new 504 ? "__builtin_operator_new" 505 : "__builtin_operator_delete") 506 << "C++"; 507 return ExprError(); 508 } 509 // CodeGen assumes it can find the global new and delete to call, 510 // so ensure that they are declared. 511 DeclareGlobalNewDelete(); 512 break; 513 514 // check secure string manipulation functions where overflows 515 // are detectable at compile time 516 case Builtin::BI__builtin___memcpy_chk: 517 case Builtin::BI__builtin___memmove_chk: 518 case Builtin::BI__builtin___memset_chk: 519 case Builtin::BI__builtin___strlcat_chk: 520 case Builtin::BI__builtin___strlcpy_chk: 521 case Builtin::BI__builtin___strncat_chk: 522 case Builtin::BI__builtin___strncpy_chk: 523 case Builtin::BI__builtin___stpncpy_chk: 524 SemaBuiltinMemChkCall(*this, FDecl, TheCall, 2, 3); 525 break; 526 case Builtin::BI__builtin___memccpy_chk: 527 SemaBuiltinMemChkCall(*this, FDecl, TheCall, 3, 4); 528 break; 529 case Builtin::BI__builtin___snprintf_chk: 530 case Builtin::BI__builtin___vsnprintf_chk: 531 SemaBuiltinMemChkCall(*this, FDecl, TheCall, 1, 3); 532 break; 533 534 case Builtin::BI__builtin_call_with_static_chain: 535 if (SemaBuiltinCallWithStaticChain(*this, TheCall)) 536 return ExprError(); 537 break; 538 539 case Builtin::BI__exception_code: 540 case Builtin::BI_exception_code: { 541 if (SemaBuiltinSEHScopeCheck(*this, TheCall, Scope::SEHExceptScope, 542 diag::err_seh___except_block)) 543 return ExprError(); 544 break; 545 } 546 case Builtin::BI__exception_info: 547 case Builtin::BI_exception_info: { 548 if (SemaBuiltinSEHScopeCheck(*this, TheCall, Scope::SEHFilterScope, 549 diag::err_seh___except_filter)) 550 return ExprError(); 551 break; 552 } 553 554 case Builtin::BI__GetExceptionInfo: 555 if (checkArgCount(*this, TheCall, 1)) 556 return ExprError(); 557 558 if (CheckCXXThrowOperand( 559 TheCall->getLocStart(), 560 Context.getExceptionObjectType(FDecl->getParamDecl(0)->getType()), 561 TheCall)) 562 return ExprError(); 563 564 TheCall->setType(Context.VoidPtrTy); 565 break; 566 567 } 568 569 // Since the target specific builtins for each arch overlap, only check those 570 // of the arch we are compiling for. 571 if (Context.BuiltinInfo.isTSBuiltin(BuiltinID)) { 572 switch (Context.getTargetInfo().getTriple().getArch()) { 573 case llvm::Triple::arm: 574 case llvm::Triple::armeb: 575 case llvm::Triple::thumb: 576 case llvm::Triple::thumbeb: 577 if (CheckARMBuiltinFunctionCall(BuiltinID, TheCall)) 578 return ExprError(); 579 break; 580 case llvm::Triple::aarch64: 581 case llvm::Triple::aarch64_be: 582 if (CheckAArch64BuiltinFunctionCall(BuiltinID, TheCall)) 583 return ExprError(); 584 break; 585 case llvm::Triple::mips: 586 case llvm::Triple::mipsel: 587 case llvm::Triple::mips64: 588 case llvm::Triple::mips64el: 589 if (CheckMipsBuiltinFunctionCall(BuiltinID, TheCall)) 590 return ExprError(); 591 break; 592 case llvm::Triple::systemz: 593 if (CheckSystemZBuiltinFunctionCall(BuiltinID, TheCall)) 594 return ExprError(); 595 break; 596 case llvm::Triple::x86: 597 case llvm::Triple::x86_64: 598 if (CheckX86BuiltinFunctionCall(BuiltinID, TheCall)) 599 return ExprError(); 600 break; 601 case llvm::Triple::ppc: 602 case llvm::Triple::ppc64: 603 case llvm::Triple::ppc64le: 604 if (CheckPPCBuiltinFunctionCall(BuiltinID, TheCall)) 605 return ExprError(); 606 break; 607 default: 608 break; 609 } 610 } 611 612 return TheCallResult; 613 } 614 615 // Get the valid immediate range for the specified NEON type code. 616 static unsigned RFT(unsigned t, bool shift = false, bool ForceQuad = false) { 617 NeonTypeFlags Type(t); 618 int IsQuad = ForceQuad ? true : Type.isQuad(); 619 switch (Type.getEltType()) { 620 case NeonTypeFlags::Int8: 621 case NeonTypeFlags::Poly8: 622 return shift ? 7 : (8 << IsQuad) - 1; 623 case NeonTypeFlags::Int16: 624 case NeonTypeFlags::Poly16: 625 return shift ? 15 : (4 << IsQuad) - 1; 626 case NeonTypeFlags::Int32: 627 return shift ? 31 : (2 << IsQuad) - 1; 628 case NeonTypeFlags::Int64: 629 case NeonTypeFlags::Poly64: 630 return shift ? 63 : (1 << IsQuad) - 1; 631 case NeonTypeFlags::Poly128: 632 return shift ? 127 : (1 << IsQuad) - 1; 633 case NeonTypeFlags::Float16: 634 assert(!shift && "cannot shift float types!"); 635 return (4 << IsQuad) - 1; 636 case NeonTypeFlags::Float32: 637 assert(!shift && "cannot shift float types!"); 638 return (2 << IsQuad) - 1; 639 case NeonTypeFlags::Float64: 640 assert(!shift && "cannot shift float types!"); 641 return (1 << IsQuad) - 1; 642 } 643 llvm_unreachable("Invalid NeonTypeFlag!"); 644 } 645 646 /// getNeonEltType - Return the QualType corresponding to the elements of 647 /// the vector type specified by the NeonTypeFlags. This is used to check 648 /// the pointer arguments for Neon load/store intrinsics. 649 static QualType getNeonEltType(NeonTypeFlags Flags, ASTContext &Context, 650 bool IsPolyUnsigned, bool IsInt64Long) { 651 switch (Flags.getEltType()) { 652 case NeonTypeFlags::Int8: 653 return Flags.isUnsigned() ? Context.UnsignedCharTy : Context.SignedCharTy; 654 case NeonTypeFlags::Int16: 655 return Flags.isUnsigned() ? Context.UnsignedShortTy : Context.ShortTy; 656 case NeonTypeFlags::Int32: 657 return Flags.isUnsigned() ? Context.UnsignedIntTy : Context.IntTy; 658 case NeonTypeFlags::Int64: 659 if (IsInt64Long) 660 return Flags.isUnsigned() ? Context.UnsignedLongTy : Context.LongTy; 661 else 662 return Flags.isUnsigned() ? Context.UnsignedLongLongTy 663 : Context.LongLongTy; 664 case NeonTypeFlags::Poly8: 665 return IsPolyUnsigned ? Context.UnsignedCharTy : Context.SignedCharTy; 666 case NeonTypeFlags::Poly16: 667 return IsPolyUnsigned ? Context.UnsignedShortTy : Context.ShortTy; 668 case NeonTypeFlags::Poly64: 669 if (IsInt64Long) 670 return Context.UnsignedLongTy; 671 else 672 return Context.UnsignedLongLongTy; 673 case NeonTypeFlags::Poly128: 674 break; 675 case NeonTypeFlags::Float16: 676 return Context.HalfTy; 677 case NeonTypeFlags::Float32: 678 return Context.FloatTy; 679 case NeonTypeFlags::Float64: 680 return Context.DoubleTy; 681 } 682 llvm_unreachable("Invalid NeonTypeFlag!"); 683 } 684 685 bool Sema::CheckNeonBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 686 llvm::APSInt Result; 687 uint64_t mask = 0; 688 unsigned TV = 0; 689 int PtrArgNum = -1; 690 bool HasConstPtr = false; 691 switch (BuiltinID) { 692 #define GET_NEON_OVERLOAD_CHECK 693 #include "clang/Basic/arm_neon.inc" 694 #undef GET_NEON_OVERLOAD_CHECK 695 } 696 697 // For NEON intrinsics which are overloaded on vector element type, validate 698 // the immediate which specifies which variant to emit. 699 unsigned ImmArg = TheCall->getNumArgs()-1; 700 if (mask) { 701 if (SemaBuiltinConstantArg(TheCall, ImmArg, Result)) 702 return true; 703 704 TV = Result.getLimitedValue(64); 705 if ((TV > 63) || (mask & (1ULL << TV)) == 0) 706 return Diag(TheCall->getLocStart(), diag::err_invalid_neon_type_code) 707 << TheCall->getArg(ImmArg)->getSourceRange(); 708 } 709 710 if (PtrArgNum >= 0) { 711 // Check that pointer arguments have the specified type. 712 Expr *Arg = TheCall->getArg(PtrArgNum); 713 if (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Arg)) 714 Arg = ICE->getSubExpr(); 715 ExprResult RHS = DefaultFunctionArrayLvalueConversion(Arg); 716 QualType RHSTy = RHS.get()->getType(); 717 718 llvm::Triple::ArchType Arch = Context.getTargetInfo().getTriple().getArch(); 719 bool IsPolyUnsigned = Arch == llvm::Triple::aarch64; 720 bool IsInt64Long = 721 Context.getTargetInfo().getInt64Type() == TargetInfo::SignedLong; 722 QualType EltTy = 723 getNeonEltType(NeonTypeFlags(TV), Context, IsPolyUnsigned, IsInt64Long); 724 if (HasConstPtr) 725 EltTy = EltTy.withConst(); 726 QualType LHSTy = Context.getPointerType(EltTy); 727 AssignConvertType ConvTy; 728 ConvTy = CheckSingleAssignmentConstraints(LHSTy, RHS); 729 if (RHS.isInvalid()) 730 return true; 731 if (DiagnoseAssignmentResult(ConvTy, Arg->getLocStart(), LHSTy, RHSTy, 732 RHS.get(), AA_Assigning)) 733 return true; 734 } 735 736 // For NEON intrinsics which take an immediate value as part of the 737 // instruction, range check them here. 738 unsigned i = 0, l = 0, u = 0; 739 switch (BuiltinID) { 740 default: 741 return false; 742 #define GET_NEON_IMMEDIATE_CHECK 743 #include "clang/Basic/arm_neon.inc" 744 #undef GET_NEON_IMMEDIATE_CHECK 745 } 746 747 return SemaBuiltinConstantArgRange(TheCall, i, l, u + l); 748 } 749 750 bool Sema::CheckARMBuiltinExclusiveCall(unsigned BuiltinID, CallExpr *TheCall, 751 unsigned MaxWidth) { 752 assert((BuiltinID == ARM::BI__builtin_arm_ldrex || 753 BuiltinID == ARM::BI__builtin_arm_ldaex || 754 BuiltinID == ARM::BI__builtin_arm_strex || 755 BuiltinID == ARM::BI__builtin_arm_stlex || 756 BuiltinID == AArch64::BI__builtin_arm_ldrex || 757 BuiltinID == AArch64::BI__builtin_arm_ldaex || 758 BuiltinID == AArch64::BI__builtin_arm_strex || 759 BuiltinID == AArch64::BI__builtin_arm_stlex) && 760 "unexpected ARM builtin"); 761 bool IsLdrex = BuiltinID == ARM::BI__builtin_arm_ldrex || 762 BuiltinID == ARM::BI__builtin_arm_ldaex || 763 BuiltinID == AArch64::BI__builtin_arm_ldrex || 764 BuiltinID == AArch64::BI__builtin_arm_ldaex; 765 766 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 767 768 // Ensure that we have the proper number of arguments. 769 if (checkArgCount(*this, TheCall, IsLdrex ? 1 : 2)) 770 return true; 771 772 // Inspect the pointer argument of the atomic builtin. This should always be 773 // a pointer type, whose element is an integral scalar or pointer type. 774 // Because it is a pointer type, we don't have to worry about any implicit 775 // casts here. 776 Expr *PointerArg = TheCall->getArg(IsLdrex ? 0 : 1); 777 ExprResult PointerArgRes = DefaultFunctionArrayLvalueConversion(PointerArg); 778 if (PointerArgRes.isInvalid()) 779 return true; 780 PointerArg = PointerArgRes.get(); 781 782 const PointerType *pointerType = PointerArg->getType()->getAs<PointerType>(); 783 if (!pointerType) { 784 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 785 << PointerArg->getType() << PointerArg->getSourceRange(); 786 return true; 787 } 788 789 // ldrex takes a "const volatile T*" and strex takes a "volatile T*". Our next 790 // task is to insert the appropriate casts into the AST. First work out just 791 // what the appropriate type is. 792 QualType ValType = pointerType->getPointeeType(); 793 QualType AddrType = ValType.getUnqualifiedType().withVolatile(); 794 if (IsLdrex) 795 AddrType.addConst(); 796 797 // Issue a warning if the cast is dodgy. 798 CastKind CastNeeded = CK_NoOp; 799 if (!AddrType.isAtLeastAsQualifiedAs(ValType)) { 800 CastNeeded = CK_BitCast; 801 Diag(DRE->getLocStart(), diag::ext_typecheck_convert_discards_qualifiers) 802 << PointerArg->getType() 803 << Context.getPointerType(AddrType) 804 << AA_Passing << PointerArg->getSourceRange(); 805 } 806 807 // Finally, do the cast and replace the argument with the corrected version. 808 AddrType = Context.getPointerType(AddrType); 809 PointerArgRes = ImpCastExprToType(PointerArg, AddrType, CastNeeded); 810 if (PointerArgRes.isInvalid()) 811 return true; 812 PointerArg = PointerArgRes.get(); 813 814 TheCall->setArg(IsLdrex ? 0 : 1, PointerArg); 815 816 // In general, we allow ints, floats and pointers to be loaded and stored. 817 if (!ValType->isIntegerType() && !ValType->isAnyPointerType() && 818 !ValType->isBlockPointerType() && !ValType->isFloatingType()) { 819 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer_intfltptr) 820 << PointerArg->getType() << PointerArg->getSourceRange(); 821 return true; 822 } 823 824 // But ARM doesn't have instructions to deal with 128-bit versions. 825 if (Context.getTypeSize(ValType) > MaxWidth) { 826 assert(MaxWidth == 64 && "Diagnostic unexpectedly inaccurate"); 827 Diag(DRE->getLocStart(), diag::err_atomic_exclusive_builtin_pointer_size) 828 << PointerArg->getType() << PointerArg->getSourceRange(); 829 return true; 830 } 831 832 switch (ValType.getObjCLifetime()) { 833 case Qualifiers::OCL_None: 834 case Qualifiers::OCL_ExplicitNone: 835 // okay 836 break; 837 838 case Qualifiers::OCL_Weak: 839 case Qualifiers::OCL_Strong: 840 case Qualifiers::OCL_Autoreleasing: 841 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 842 << ValType << PointerArg->getSourceRange(); 843 return true; 844 } 845 846 847 if (IsLdrex) { 848 TheCall->setType(ValType); 849 return false; 850 } 851 852 // Initialize the argument to be stored. 853 ExprResult ValArg = TheCall->getArg(0); 854 InitializedEntity Entity = InitializedEntity::InitializeParameter( 855 Context, ValType, /*consume*/ false); 856 ValArg = PerformCopyInitialization(Entity, SourceLocation(), ValArg); 857 if (ValArg.isInvalid()) 858 return true; 859 TheCall->setArg(0, ValArg.get()); 860 861 // __builtin_arm_strex always returns an int. It's marked as such in the .def, 862 // but the custom checker bypasses all default analysis. 863 TheCall->setType(Context.IntTy); 864 return false; 865 } 866 867 bool Sema::CheckARMBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 868 llvm::APSInt Result; 869 870 if (BuiltinID == ARM::BI__builtin_arm_ldrex || 871 BuiltinID == ARM::BI__builtin_arm_ldaex || 872 BuiltinID == ARM::BI__builtin_arm_strex || 873 BuiltinID == ARM::BI__builtin_arm_stlex) { 874 return CheckARMBuiltinExclusiveCall(BuiltinID, TheCall, 64); 875 } 876 877 if (BuiltinID == ARM::BI__builtin_arm_prefetch) { 878 return SemaBuiltinConstantArgRange(TheCall, 1, 0, 1) || 879 SemaBuiltinConstantArgRange(TheCall, 2, 0, 1); 880 } 881 882 if (BuiltinID == ARM::BI__builtin_arm_rsr64 || 883 BuiltinID == ARM::BI__builtin_arm_wsr64) 884 return SemaBuiltinARMSpecialReg(BuiltinID, TheCall, 0, 3, false); 885 886 if (BuiltinID == ARM::BI__builtin_arm_rsr || 887 BuiltinID == ARM::BI__builtin_arm_rsrp || 888 BuiltinID == ARM::BI__builtin_arm_wsr || 889 BuiltinID == ARM::BI__builtin_arm_wsrp) 890 return SemaBuiltinARMSpecialReg(BuiltinID, TheCall, 0, 5, true); 891 892 if (CheckNeonBuiltinFunctionCall(BuiltinID, TheCall)) 893 return true; 894 895 // For intrinsics which take an immediate value as part of the instruction, 896 // range check them here. 897 unsigned i = 0, l = 0, u = 0; 898 switch (BuiltinID) { 899 default: return false; 900 case ARM::BI__builtin_arm_ssat: i = 1; l = 1; u = 31; break; 901 case ARM::BI__builtin_arm_usat: i = 1; u = 31; break; 902 case ARM::BI__builtin_arm_vcvtr_f: 903 case ARM::BI__builtin_arm_vcvtr_d: i = 1; u = 1; break; 904 case ARM::BI__builtin_arm_dmb: 905 case ARM::BI__builtin_arm_dsb: 906 case ARM::BI__builtin_arm_isb: 907 case ARM::BI__builtin_arm_dbg: l = 0; u = 15; break; 908 } 909 910 // FIXME: VFP Intrinsics should error if VFP not present. 911 return SemaBuiltinConstantArgRange(TheCall, i, l, u + l); 912 } 913 914 bool Sema::CheckAArch64BuiltinFunctionCall(unsigned BuiltinID, 915 CallExpr *TheCall) { 916 llvm::APSInt Result; 917 918 if (BuiltinID == AArch64::BI__builtin_arm_ldrex || 919 BuiltinID == AArch64::BI__builtin_arm_ldaex || 920 BuiltinID == AArch64::BI__builtin_arm_strex || 921 BuiltinID == AArch64::BI__builtin_arm_stlex) { 922 return CheckARMBuiltinExclusiveCall(BuiltinID, TheCall, 128); 923 } 924 925 if (BuiltinID == AArch64::BI__builtin_arm_prefetch) { 926 return SemaBuiltinConstantArgRange(TheCall, 1, 0, 1) || 927 SemaBuiltinConstantArgRange(TheCall, 2, 0, 2) || 928 SemaBuiltinConstantArgRange(TheCall, 3, 0, 1) || 929 SemaBuiltinConstantArgRange(TheCall, 4, 0, 1); 930 } 931 932 if (BuiltinID == AArch64::BI__builtin_arm_rsr64 || 933 BuiltinID == AArch64::BI__builtin_arm_wsr64) 934 return SemaBuiltinARMSpecialReg(BuiltinID, TheCall, 0, 5, false); 935 936 if (BuiltinID == AArch64::BI__builtin_arm_rsr || 937 BuiltinID == AArch64::BI__builtin_arm_rsrp || 938 BuiltinID == AArch64::BI__builtin_arm_wsr || 939 BuiltinID == AArch64::BI__builtin_arm_wsrp) 940 return SemaBuiltinARMSpecialReg(BuiltinID, TheCall, 0, 5, true); 941 942 if (CheckNeonBuiltinFunctionCall(BuiltinID, TheCall)) 943 return true; 944 945 // For intrinsics which take an immediate value as part of the instruction, 946 // range check them here. 947 unsigned i = 0, l = 0, u = 0; 948 switch (BuiltinID) { 949 default: return false; 950 case AArch64::BI__builtin_arm_dmb: 951 case AArch64::BI__builtin_arm_dsb: 952 case AArch64::BI__builtin_arm_isb: l = 0; u = 15; break; 953 } 954 955 return SemaBuiltinConstantArgRange(TheCall, i, l, u + l); 956 } 957 958 bool Sema::CheckMipsBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 959 unsigned i = 0, l = 0, u = 0; 960 switch (BuiltinID) { 961 default: return false; 962 case Mips::BI__builtin_mips_wrdsp: i = 1; l = 0; u = 63; break; 963 case Mips::BI__builtin_mips_rddsp: i = 0; l = 0; u = 63; break; 964 case Mips::BI__builtin_mips_append: i = 2; l = 0; u = 31; break; 965 case Mips::BI__builtin_mips_balign: i = 2; l = 0; u = 3; break; 966 case Mips::BI__builtin_mips_precr_sra_ph_w: i = 2; l = 0; u = 31; break; 967 case Mips::BI__builtin_mips_precr_sra_r_ph_w: i = 2; l = 0; u = 31; break; 968 case Mips::BI__builtin_mips_prepend: i = 2; l = 0; u = 31; break; 969 } 970 971 return SemaBuiltinConstantArgRange(TheCall, i, l, u); 972 } 973 974 bool Sema::CheckPPCBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 975 unsigned i = 0, l = 0, u = 0; 976 bool Is64BitBltin = BuiltinID == PPC::BI__builtin_divde || 977 BuiltinID == PPC::BI__builtin_divdeu || 978 BuiltinID == PPC::BI__builtin_bpermd; 979 bool IsTarget64Bit = Context.getTargetInfo() 980 .getTypeWidth(Context 981 .getTargetInfo() 982 .getIntPtrType()) == 64; 983 bool IsBltinExtDiv = BuiltinID == PPC::BI__builtin_divwe || 984 BuiltinID == PPC::BI__builtin_divweu || 985 BuiltinID == PPC::BI__builtin_divde || 986 BuiltinID == PPC::BI__builtin_divdeu; 987 988 if (Is64BitBltin && !IsTarget64Bit) 989 return Diag(TheCall->getLocStart(), diag::err_64_bit_builtin_32_bit_tgt) 990 << TheCall->getSourceRange(); 991 992 if ((IsBltinExtDiv && !Context.getTargetInfo().hasFeature("extdiv")) || 993 (BuiltinID == PPC::BI__builtin_bpermd && 994 !Context.getTargetInfo().hasFeature("bpermd"))) 995 return Diag(TheCall->getLocStart(), diag::err_ppc_builtin_only_on_pwr7) 996 << TheCall->getSourceRange(); 997 998 switch (BuiltinID) { 999 default: return false; 1000 case PPC::BI__builtin_altivec_crypto_vshasigmaw: 1001 case PPC::BI__builtin_altivec_crypto_vshasigmad: 1002 return SemaBuiltinConstantArgRange(TheCall, 1, 0, 1) || 1003 SemaBuiltinConstantArgRange(TheCall, 2, 0, 15); 1004 case PPC::BI__builtin_tbegin: 1005 case PPC::BI__builtin_tend: i = 0; l = 0; u = 1; break; 1006 case PPC::BI__builtin_tsr: i = 0; l = 0; u = 7; break; 1007 case PPC::BI__builtin_tabortwc: 1008 case PPC::BI__builtin_tabortdc: i = 0; l = 0; u = 31; break; 1009 case PPC::BI__builtin_tabortwci: 1010 case PPC::BI__builtin_tabortdci: 1011 return SemaBuiltinConstantArgRange(TheCall, 0, 0, 31) || 1012 SemaBuiltinConstantArgRange(TheCall, 2, 0, 31); 1013 } 1014 return SemaBuiltinConstantArgRange(TheCall, i, l, u); 1015 } 1016 1017 bool Sema::CheckSystemZBuiltinFunctionCall(unsigned BuiltinID, 1018 CallExpr *TheCall) { 1019 if (BuiltinID == SystemZ::BI__builtin_tabort) { 1020 Expr *Arg = TheCall->getArg(0); 1021 llvm::APSInt AbortCode(32); 1022 if (Arg->isIntegerConstantExpr(AbortCode, Context) && 1023 AbortCode.getSExtValue() >= 0 && AbortCode.getSExtValue() < 256) 1024 return Diag(Arg->getLocStart(), diag::err_systemz_invalid_tabort_code) 1025 << Arg->getSourceRange(); 1026 } 1027 1028 // For intrinsics which take an immediate value as part of the instruction, 1029 // range check them here. 1030 unsigned i = 0, l = 0, u = 0; 1031 switch (BuiltinID) { 1032 default: return false; 1033 case SystemZ::BI__builtin_s390_lcbb: i = 1; l = 0; u = 15; break; 1034 case SystemZ::BI__builtin_s390_verimb: 1035 case SystemZ::BI__builtin_s390_verimh: 1036 case SystemZ::BI__builtin_s390_verimf: 1037 case SystemZ::BI__builtin_s390_verimg: i = 3; l = 0; u = 255; break; 1038 case SystemZ::BI__builtin_s390_vfaeb: 1039 case SystemZ::BI__builtin_s390_vfaeh: 1040 case SystemZ::BI__builtin_s390_vfaef: 1041 case SystemZ::BI__builtin_s390_vfaebs: 1042 case SystemZ::BI__builtin_s390_vfaehs: 1043 case SystemZ::BI__builtin_s390_vfaefs: 1044 case SystemZ::BI__builtin_s390_vfaezb: 1045 case SystemZ::BI__builtin_s390_vfaezh: 1046 case SystemZ::BI__builtin_s390_vfaezf: 1047 case SystemZ::BI__builtin_s390_vfaezbs: 1048 case SystemZ::BI__builtin_s390_vfaezhs: 1049 case SystemZ::BI__builtin_s390_vfaezfs: i = 2; l = 0; u = 15; break; 1050 case SystemZ::BI__builtin_s390_vfidb: 1051 return SemaBuiltinConstantArgRange(TheCall, 1, 0, 15) || 1052 SemaBuiltinConstantArgRange(TheCall, 2, 0, 15); 1053 case SystemZ::BI__builtin_s390_vftcidb: i = 1; l = 0; u = 4095; break; 1054 case SystemZ::BI__builtin_s390_vlbb: i = 1; l = 0; u = 15; break; 1055 case SystemZ::BI__builtin_s390_vpdi: i = 2; l = 0; u = 15; break; 1056 case SystemZ::BI__builtin_s390_vsldb: i = 2; l = 0; u = 15; break; 1057 case SystemZ::BI__builtin_s390_vstrcb: 1058 case SystemZ::BI__builtin_s390_vstrch: 1059 case SystemZ::BI__builtin_s390_vstrcf: 1060 case SystemZ::BI__builtin_s390_vstrczb: 1061 case SystemZ::BI__builtin_s390_vstrczh: 1062 case SystemZ::BI__builtin_s390_vstrczf: 1063 case SystemZ::BI__builtin_s390_vstrcbs: 1064 case SystemZ::BI__builtin_s390_vstrchs: 1065 case SystemZ::BI__builtin_s390_vstrcfs: 1066 case SystemZ::BI__builtin_s390_vstrczbs: 1067 case SystemZ::BI__builtin_s390_vstrczhs: 1068 case SystemZ::BI__builtin_s390_vstrczfs: i = 3; l = 0; u = 15; break; 1069 } 1070 return SemaBuiltinConstantArgRange(TheCall, i, l, u); 1071 } 1072 1073 /// SemaBuiltinCpuSupports - Handle __builtin_cpu_supports(char *). 1074 /// This checks that the target supports __builtin_cpu_supports and 1075 /// that the string argument is constant and valid. 1076 static bool SemaBuiltinCpuSupports(Sema &S, CallExpr *TheCall) { 1077 Expr *Arg = TheCall->getArg(0); 1078 1079 // Check if the argument is a string literal. 1080 if (!isa<StringLiteral>(Arg->IgnoreParenImpCasts())) 1081 return S.Diag(TheCall->getLocStart(), diag::err_expr_not_string_literal) 1082 << Arg->getSourceRange(); 1083 1084 // Check the contents of the string. 1085 StringRef Feature = 1086 cast<StringLiteral>(Arg->IgnoreParenImpCasts())->getString(); 1087 if (!S.Context.getTargetInfo().validateCpuSupports(Feature)) 1088 return S.Diag(TheCall->getLocStart(), diag::err_invalid_cpu_supports) 1089 << Arg->getSourceRange(); 1090 return false; 1091 } 1092 1093 bool Sema::CheckX86BuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) { 1094 unsigned i = 0, l = 0, u = 0; 1095 switch (BuiltinID) { 1096 default: return false; 1097 case X86::BI__builtin_cpu_supports: 1098 return SemaBuiltinCpuSupports(*this, TheCall); 1099 case X86::BI__builtin_ms_va_start: 1100 return SemaBuiltinMSVAStart(TheCall); 1101 case X86::BI_mm_prefetch: i = 1; l = 0; u = 3; break; 1102 case X86::BI__builtin_ia32_sha1rnds4: i = 2, l = 0; u = 3; break; 1103 case X86::BI__builtin_ia32_vpermil2pd: 1104 case X86::BI__builtin_ia32_vpermil2pd256: 1105 case X86::BI__builtin_ia32_vpermil2ps: 1106 case X86::BI__builtin_ia32_vpermil2ps256: i = 3, l = 0; u = 3; break; 1107 case X86::BI__builtin_ia32_cmpb128_mask: 1108 case X86::BI__builtin_ia32_cmpw128_mask: 1109 case X86::BI__builtin_ia32_cmpd128_mask: 1110 case X86::BI__builtin_ia32_cmpq128_mask: 1111 case X86::BI__builtin_ia32_cmpb256_mask: 1112 case X86::BI__builtin_ia32_cmpw256_mask: 1113 case X86::BI__builtin_ia32_cmpd256_mask: 1114 case X86::BI__builtin_ia32_cmpq256_mask: 1115 case X86::BI__builtin_ia32_cmpb512_mask: 1116 case X86::BI__builtin_ia32_cmpw512_mask: 1117 case X86::BI__builtin_ia32_cmpd512_mask: 1118 case X86::BI__builtin_ia32_cmpq512_mask: 1119 case X86::BI__builtin_ia32_ucmpb128_mask: 1120 case X86::BI__builtin_ia32_ucmpw128_mask: 1121 case X86::BI__builtin_ia32_ucmpd128_mask: 1122 case X86::BI__builtin_ia32_ucmpq128_mask: 1123 case X86::BI__builtin_ia32_ucmpb256_mask: 1124 case X86::BI__builtin_ia32_ucmpw256_mask: 1125 case X86::BI__builtin_ia32_ucmpd256_mask: 1126 case X86::BI__builtin_ia32_ucmpq256_mask: 1127 case X86::BI__builtin_ia32_ucmpb512_mask: 1128 case X86::BI__builtin_ia32_ucmpw512_mask: 1129 case X86::BI__builtin_ia32_ucmpd512_mask: 1130 case X86::BI__builtin_ia32_ucmpq512_mask: i = 2; l = 0; u = 7; break; 1131 case X86::BI__builtin_ia32_roundps: 1132 case X86::BI__builtin_ia32_roundpd: 1133 case X86::BI__builtin_ia32_roundps256: 1134 case X86::BI__builtin_ia32_roundpd256: i = 1, l = 0; u = 15; break; 1135 case X86::BI__builtin_ia32_roundss: 1136 case X86::BI__builtin_ia32_roundsd: i = 2, l = 0; u = 15; break; 1137 case X86::BI__builtin_ia32_cmpps: 1138 case X86::BI__builtin_ia32_cmpss: 1139 case X86::BI__builtin_ia32_cmppd: 1140 case X86::BI__builtin_ia32_cmpsd: 1141 case X86::BI__builtin_ia32_cmpps256: 1142 case X86::BI__builtin_ia32_cmppd256: 1143 case X86::BI__builtin_ia32_cmpps512_mask: 1144 case X86::BI__builtin_ia32_cmppd512_mask: i = 2; l = 0; u = 31; break; 1145 case X86::BI__builtin_ia32_vpcomub: 1146 case X86::BI__builtin_ia32_vpcomuw: 1147 case X86::BI__builtin_ia32_vpcomud: 1148 case X86::BI__builtin_ia32_vpcomuq: 1149 case X86::BI__builtin_ia32_vpcomb: 1150 case X86::BI__builtin_ia32_vpcomw: 1151 case X86::BI__builtin_ia32_vpcomd: 1152 case X86::BI__builtin_ia32_vpcomq: i = 2; l = 0; u = 7; break; 1153 } 1154 return SemaBuiltinConstantArgRange(TheCall, i, l, u); 1155 } 1156 1157 /// Given a FunctionDecl's FormatAttr, attempts to populate the FomatStringInfo 1158 /// parameter with the FormatAttr's correct format_idx and firstDataArg. 1159 /// Returns true when the format fits the function and the FormatStringInfo has 1160 /// been populated. 1161 bool Sema::getFormatStringInfo(const FormatAttr *Format, bool IsCXXMember, 1162 FormatStringInfo *FSI) { 1163 FSI->HasVAListArg = Format->getFirstArg() == 0; 1164 FSI->FormatIdx = Format->getFormatIdx() - 1; 1165 FSI->FirstDataArg = FSI->HasVAListArg ? 0 : Format->getFirstArg() - 1; 1166 1167 // The way the format attribute works in GCC, the implicit this argument 1168 // of member functions is counted. However, it doesn't appear in our own 1169 // lists, so decrement format_idx in that case. 1170 if (IsCXXMember) { 1171 if(FSI->FormatIdx == 0) 1172 return false; 1173 --FSI->FormatIdx; 1174 if (FSI->FirstDataArg != 0) 1175 --FSI->FirstDataArg; 1176 } 1177 return true; 1178 } 1179 1180 /// Checks if a the given expression evaluates to null. 1181 /// 1182 /// \brief Returns true if the value evaluates to null. 1183 static bool CheckNonNullExpr(Sema &S, const Expr *Expr) { 1184 // If the expression has non-null type, it doesn't evaluate to null. 1185 if (auto nullability 1186 = Expr->IgnoreImplicit()->getType()->getNullability(S.Context)) { 1187 if (*nullability == NullabilityKind::NonNull) 1188 return false; 1189 } 1190 1191 // As a special case, transparent unions initialized with zero are 1192 // considered null for the purposes of the nonnull attribute. 1193 if (const RecordType *UT = Expr->getType()->getAsUnionType()) { 1194 if (UT->getDecl()->hasAttr<TransparentUnionAttr>()) 1195 if (const CompoundLiteralExpr *CLE = 1196 dyn_cast<CompoundLiteralExpr>(Expr)) 1197 if (const InitListExpr *ILE = 1198 dyn_cast<InitListExpr>(CLE->getInitializer())) 1199 Expr = ILE->getInit(0); 1200 } 1201 1202 bool Result; 1203 return (!Expr->isValueDependent() && 1204 Expr->EvaluateAsBooleanCondition(Result, S.Context) && 1205 !Result); 1206 } 1207 1208 static void CheckNonNullArgument(Sema &S, 1209 const Expr *ArgExpr, 1210 SourceLocation CallSiteLoc) { 1211 if (CheckNonNullExpr(S, ArgExpr)) 1212 S.DiagRuntimeBehavior(CallSiteLoc, ArgExpr, 1213 S.PDiag(diag::warn_null_arg) << ArgExpr->getSourceRange()); 1214 } 1215 1216 bool Sema::GetFormatNSStringIdx(const FormatAttr *Format, unsigned &Idx) { 1217 FormatStringInfo FSI; 1218 if ((GetFormatStringType(Format) == FST_NSString) && 1219 getFormatStringInfo(Format, false, &FSI)) { 1220 Idx = FSI.FormatIdx; 1221 return true; 1222 } 1223 return false; 1224 } 1225 /// \brief Diagnose use of %s directive in an NSString which is being passed 1226 /// as formatting string to formatting method. 1227 static void 1228 DiagnoseCStringFormatDirectiveInCFAPI(Sema &S, 1229 const NamedDecl *FDecl, 1230 Expr **Args, 1231 unsigned NumArgs) { 1232 unsigned Idx = 0; 1233 bool Format = false; 1234 ObjCStringFormatFamily SFFamily = FDecl->getObjCFStringFormattingFamily(); 1235 if (SFFamily == ObjCStringFormatFamily::SFF_CFString) { 1236 Idx = 2; 1237 Format = true; 1238 } 1239 else 1240 for (const auto *I : FDecl->specific_attrs<FormatAttr>()) { 1241 if (S.GetFormatNSStringIdx(I, Idx)) { 1242 Format = true; 1243 break; 1244 } 1245 } 1246 if (!Format || NumArgs <= Idx) 1247 return; 1248 const Expr *FormatExpr = Args[Idx]; 1249 if (const CStyleCastExpr *CSCE = dyn_cast<CStyleCastExpr>(FormatExpr)) 1250 FormatExpr = CSCE->getSubExpr(); 1251 const StringLiteral *FormatString; 1252 if (const ObjCStringLiteral *OSL = 1253 dyn_cast<ObjCStringLiteral>(FormatExpr->IgnoreParenImpCasts())) 1254 FormatString = OSL->getString(); 1255 else 1256 FormatString = dyn_cast<StringLiteral>(FormatExpr->IgnoreParenImpCasts()); 1257 if (!FormatString) 1258 return; 1259 if (S.FormatStringHasSArg(FormatString)) { 1260 S.Diag(FormatExpr->getExprLoc(), diag::warn_objc_cdirective_format_string) 1261 << "%s" << 1 << 1; 1262 S.Diag(FDecl->getLocation(), diag::note_entity_declared_at) 1263 << FDecl->getDeclName(); 1264 } 1265 } 1266 1267 /// Determine whether the given type has a non-null nullability annotation. 1268 static bool isNonNullType(ASTContext &ctx, QualType type) { 1269 if (auto nullability = type->getNullability(ctx)) 1270 return *nullability == NullabilityKind::NonNull; 1271 1272 return false; 1273 } 1274 1275 static void CheckNonNullArguments(Sema &S, 1276 const NamedDecl *FDecl, 1277 const FunctionProtoType *Proto, 1278 ArrayRef<const Expr *> Args, 1279 SourceLocation CallSiteLoc) { 1280 assert((FDecl || Proto) && "Need a function declaration or prototype"); 1281 1282 // Check the attributes attached to the method/function itself. 1283 llvm::SmallBitVector NonNullArgs; 1284 if (FDecl) { 1285 // Handle the nonnull attribute on the function/method declaration itself. 1286 for (const auto *NonNull : FDecl->specific_attrs<NonNullAttr>()) { 1287 if (!NonNull->args_size()) { 1288 // Easy case: all pointer arguments are nonnull. 1289 for (const auto *Arg : Args) 1290 if (S.isValidPointerAttrType(Arg->getType())) 1291 CheckNonNullArgument(S, Arg, CallSiteLoc); 1292 return; 1293 } 1294 1295 for (unsigned Val : NonNull->args()) { 1296 if (Val >= Args.size()) 1297 continue; 1298 if (NonNullArgs.empty()) 1299 NonNullArgs.resize(Args.size()); 1300 NonNullArgs.set(Val); 1301 } 1302 } 1303 } 1304 1305 if (FDecl && (isa<FunctionDecl>(FDecl) || isa<ObjCMethodDecl>(FDecl))) { 1306 // Handle the nonnull attribute on the parameters of the 1307 // function/method. 1308 ArrayRef<ParmVarDecl*> parms; 1309 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(FDecl)) 1310 parms = FD->parameters(); 1311 else 1312 parms = cast<ObjCMethodDecl>(FDecl)->parameters(); 1313 1314 unsigned ParamIndex = 0; 1315 for (ArrayRef<ParmVarDecl*>::iterator I = parms.begin(), E = parms.end(); 1316 I != E; ++I, ++ParamIndex) { 1317 const ParmVarDecl *PVD = *I; 1318 if (PVD->hasAttr<NonNullAttr>() || 1319 isNonNullType(S.Context, PVD->getType())) { 1320 if (NonNullArgs.empty()) 1321 NonNullArgs.resize(Args.size()); 1322 1323 NonNullArgs.set(ParamIndex); 1324 } 1325 } 1326 } else { 1327 // If we have a non-function, non-method declaration but no 1328 // function prototype, try to dig out the function prototype. 1329 if (!Proto) { 1330 if (const ValueDecl *VD = dyn_cast<ValueDecl>(FDecl)) { 1331 QualType type = VD->getType().getNonReferenceType(); 1332 if (auto pointerType = type->getAs<PointerType>()) 1333 type = pointerType->getPointeeType(); 1334 else if (auto blockType = type->getAs<BlockPointerType>()) 1335 type = blockType->getPointeeType(); 1336 // FIXME: data member pointers? 1337 1338 // Dig out the function prototype, if there is one. 1339 Proto = type->getAs<FunctionProtoType>(); 1340 } 1341 } 1342 1343 // Fill in non-null argument information from the nullability 1344 // information on the parameter types (if we have them). 1345 if (Proto) { 1346 unsigned Index = 0; 1347 for (auto paramType : Proto->getParamTypes()) { 1348 if (isNonNullType(S.Context, paramType)) { 1349 if (NonNullArgs.empty()) 1350 NonNullArgs.resize(Args.size()); 1351 1352 NonNullArgs.set(Index); 1353 } 1354 1355 ++Index; 1356 } 1357 } 1358 } 1359 1360 // Check for non-null arguments. 1361 for (unsigned ArgIndex = 0, ArgIndexEnd = NonNullArgs.size(); 1362 ArgIndex != ArgIndexEnd; ++ArgIndex) { 1363 if (NonNullArgs[ArgIndex]) 1364 CheckNonNullArgument(S, Args[ArgIndex], CallSiteLoc); 1365 } 1366 } 1367 1368 /// Handles the checks for format strings, non-POD arguments to vararg 1369 /// functions, and NULL arguments passed to non-NULL parameters. 1370 void Sema::checkCall(NamedDecl *FDecl, const FunctionProtoType *Proto, 1371 ArrayRef<const Expr *> Args, bool IsMemberFunction, 1372 SourceLocation Loc, SourceRange Range, 1373 VariadicCallType CallType) { 1374 // FIXME: We should check as much as we can in the template definition. 1375 if (CurContext->isDependentContext()) 1376 return; 1377 1378 // Printf and scanf checking. 1379 llvm::SmallBitVector CheckedVarArgs; 1380 if (FDecl) { 1381 for (const auto *I : FDecl->specific_attrs<FormatAttr>()) { 1382 // Only create vector if there are format attributes. 1383 CheckedVarArgs.resize(Args.size()); 1384 1385 CheckFormatArguments(I, Args, IsMemberFunction, CallType, Loc, Range, 1386 CheckedVarArgs); 1387 } 1388 } 1389 1390 // Refuse POD arguments that weren't caught by the format string 1391 // checks above. 1392 if (CallType != VariadicDoesNotApply) { 1393 unsigned NumParams = Proto ? Proto->getNumParams() 1394 : FDecl && isa<FunctionDecl>(FDecl) 1395 ? cast<FunctionDecl>(FDecl)->getNumParams() 1396 : FDecl && isa<ObjCMethodDecl>(FDecl) 1397 ? cast<ObjCMethodDecl>(FDecl)->param_size() 1398 : 0; 1399 1400 for (unsigned ArgIdx = NumParams; ArgIdx < Args.size(); ++ArgIdx) { 1401 // Args[ArgIdx] can be null in malformed code. 1402 if (const Expr *Arg = Args[ArgIdx]) { 1403 if (CheckedVarArgs.empty() || !CheckedVarArgs[ArgIdx]) 1404 checkVariadicArgument(Arg, CallType); 1405 } 1406 } 1407 } 1408 1409 if (FDecl || Proto) { 1410 CheckNonNullArguments(*this, FDecl, Proto, Args, Loc); 1411 1412 // Type safety checking. 1413 if (FDecl) { 1414 for (const auto *I : FDecl->specific_attrs<ArgumentWithTypeTagAttr>()) 1415 CheckArgumentWithTypeTag(I, Args.data()); 1416 } 1417 } 1418 } 1419 1420 /// CheckConstructorCall - Check a constructor call for correctness and safety 1421 /// properties not enforced by the C type system. 1422 void Sema::CheckConstructorCall(FunctionDecl *FDecl, 1423 ArrayRef<const Expr *> Args, 1424 const FunctionProtoType *Proto, 1425 SourceLocation Loc) { 1426 VariadicCallType CallType = 1427 Proto->isVariadic() ? VariadicConstructor : VariadicDoesNotApply; 1428 checkCall(FDecl, Proto, Args, /*IsMemberFunction=*/true, Loc, SourceRange(), 1429 CallType); 1430 } 1431 1432 /// CheckFunctionCall - Check a direct function call for various correctness 1433 /// and safety properties not strictly enforced by the C type system. 1434 bool Sema::CheckFunctionCall(FunctionDecl *FDecl, CallExpr *TheCall, 1435 const FunctionProtoType *Proto) { 1436 bool IsMemberOperatorCall = isa<CXXOperatorCallExpr>(TheCall) && 1437 isa<CXXMethodDecl>(FDecl); 1438 bool IsMemberFunction = isa<CXXMemberCallExpr>(TheCall) || 1439 IsMemberOperatorCall; 1440 VariadicCallType CallType = getVariadicCallType(FDecl, Proto, 1441 TheCall->getCallee()); 1442 Expr** Args = TheCall->getArgs(); 1443 unsigned NumArgs = TheCall->getNumArgs(); 1444 if (IsMemberOperatorCall) { 1445 // If this is a call to a member operator, hide the first argument 1446 // from checkCall. 1447 // FIXME: Our choice of AST representation here is less than ideal. 1448 ++Args; 1449 --NumArgs; 1450 } 1451 checkCall(FDecl, Proto, llvm::makeArrayRef(Args, NumArgs), 1452 IsMemberFunction, TheCall->getRParenLoc(), 1453 TheCall->getCallee()->getSourceRange(), CallType); 1454 1455 IdentifierInfo *FnInfo = FDecl->getIdentifier(); 1456 // None of the checks below are needed for functions that don't have 1457 // simple names (e.g., C++ conversion functions). 1458 if (!FnInfo) 1459 return false; 1460 1461 CheckAbsoluteValueFunction(TheCall, FDecl, FnInfo); 1462 if (getLangOpts().ObjC1) 1463 DiagnoseCStringFormatDirectiveInCFAPI(*this, FDecl, Args, NumArgs); 1464 1465 unsigned CMId = FDecl->getMemoryFunctionKind(); 1466 if (CMId == 0) 1467 return false; 1468 1469 // Handle memory setting and copying functions. 1470 if (CMId == Builtin::BIstrlcpy || CMId == Builtin::BIstrlcat) 1471 CheckStrlcpycatArguments(TheCall, FnInfo); 1472 else if (CMId == Builtin::BIstrncat) 1473 CheckStrncatArguments(TheCall, FnInfo); 1474 else 1475 CheckMemaccessArguments(TheCall, CMId, FnInfo); 1476 1477 return false; 1478 } 1479 1480 bool Sema::CheckObjCMethodCall(ObjCMethodDecl *Method, SourceLocation lbrac, 1481 ArrayRef<const Expr *> Args) { 1482 VariadicCallType CallType = 1483 Method->isVariadic() ? VariadicMethod : VariadicDoesNotApply; 1484 1485 checkCall(Method, nullptr, Args, 1486 /*IsMemberFunction=*/false, lbrac, Method->getSourceRange(), 1487 CallType); 1488 1489 return false; 1490 } 1491 1492 bool Sema::CheckPointerCall(NamedDecl *NDecl, CallExpr *TheCall, 1493 const FunctionProtoType *Proto) { 1494 QualType Ty; 1495 if (const auto *V = dyn_cast<VarDecl>(NDecl)) 1496 Ty = V->getType().getNonReferenceType(); 1497 else if (const auto *F = dyn_cast<FieldDecl>(NDecl)) 1498 Ty = F->getType().getNonReferenceType(); 1499 else 1500 return false; 1501 1502 if (!Ty->isBlockPointerType() && !Ty->isFunctionPointerType() && 1503 !Ty->isFunctionProtoType()) 1504 return false; 1505 1506 VariadicCallType CallType; 1507 if (!Proto || !Proto->isVariadic()) { 1508 CallType = VariadicDoesNotApply; 1509 } else if (Ty->isBlockPointerType()) { 1510 CallType = VariadicBlock; 1511 } else { // Ty->isFunctionPointerType() 1512 CallType = VariadicFunction; 1513 } 1514 1515 checkCall(NDecl, Proto, 1516 llvm::makeArrayRef(TheCall->getArgs(), TheCall->getNumArgs()), 1517 /*IsMemberFunction=*/false, TheCall->getRParenLoc(), 1518 TheCall->getCallee()->getSourceRange(), CallType); 1519 1520 return false; 1521 } 1522 1523 /// Checks function calls when a FunctionDecl or a NamedDecl is not available, 1524 /// such as function pointers returned from functions. 1525 bool Sema::CheckOtherCall(CallExpr *TheCall, const FunctionProtoType *Proto) { 1526 VariadicCallType CallType = getVariadicCallType(/*FDecl=*/nullptr, Proto, 1527 TheCall->getCallee()); 1528 checkCall(/*FDecl=*/nullptr, Proto, 1529 llvm::makeArrayRef(TheCall->getArgs(), TheCall->getNumArgs()), 1530 /*IsMemberFunction=*/false, TheCall->getRParenLoc(), 1531 TheCall->getCallee()->getSourceRange(), CallType); 1532 1533 return false; 1534 } 1535 1536 static bool isValidOrderingForOp(int64_t Ordering, AtomicExpr::AtomicOp Op) { 1537 if (Ordering < AtomicExpr::AO_ABI_memory_order_relaxed || 1538 Ordering > AtomicExpr::AO_ABI_memory_order_seq_cst) 1539 return false; 1540 1541 switch (Op) { 1542 case AtomicExpr::AO__c11_atomic_init: 1543 llvm_unreachable("There is no ordering argument for an init"); 1544 1545 case AtomicExpr::AO__c11_atomic_load: 1546 case AtomicExpr::AO__atomic_load_n: 1547 case AtomicExpr::AO__atomic_load: 1548 return Ordering != AtomicExpr::AO_ABI_memory_order_release && 1549 Ordering != AtomicExpr::AO_ABI_memory_order_acq_rel; 1550 1551 case AtomicExpr::AO__c11_atomic_store: 1552 case AtomicExpr::AO__atomic_store: 1553 case AtomicExpr::AO__atomic_store_n: 1554 return Ordering != AtomicExpr::AO_ABI_memory_order_consume && 1555 Ordering != AtomicExpr::AO_ABI_memory_order_acquire && 1556 Ordering != AtomicExpr::AO_ABI_memory_order_acq_rel; 1557 1558 default: 1559 return true; 1560 } 1561 } 1562 1563 ExprResult Sema::SemaAtomicOpsOverloaded(ExprResult TheCallResult, 1564 AtomicExpr::AtomicOp Op) { 1565 CallExpr *TheCall = cast<CallExpr>(TheCallResult.get()); 1566 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 1567 1568 // All these operations take one of the following forms: 1569 enum { 1570 // C __c11_atomic_init(A *, C) 1571 Init, 1572 // C __c11_atomic_load(A *, int) 1573 Load, 1574 // void __atomic_load(A *, CP, int) 1575 Copy, 1576 // C __c11_atomic_add(A *, M, int) 1577 Arithmetic, 1578 // C __atomic_exchange_n(A *, CP, int) 1579 Xchg, 1580 // void __atomic_exchange(A *, C *, CP, int) 1581 GNUXchg, 1582 // bool __c11_atomic_compare_exchange_strong(A *, C *, CP, int, int) 1583 C11CmpXchg, 1584 // bool __atomic_compare_exchange(A *, C *, CP, bool, int, int) 1585 GNUCmpXchg 1586 } Form = Init; 1587 const unsigned NumArgs[] = { 2, 2, 3, 3, 3, 4, 5, 6 }; 1588 const unsigned NumVals[] = { 1, 0, 1, 1, 1, 2, 2, 3 }; 1589 // where: 1590 // C is an appropriate type, 1591 // A is volatile _Atomic(C) for __c11 builtins and is C for GNU builtins, 1592 // CP is C for __c11 builtins and GNU _n builtins and is C * otherwise, 1593 // M is C if C is an integer, and ptrdiff_t if C is a pointer, and 1594 // the int parameters are for orderings. 1595 1596 static_assert(AtomicExpr::AO__c11_atomic_init == 0 && 1597 AtomicExpr::AO__c11_atomic_fetch_xor + 1 == 1598 AtomicExpr::AO__atomic_load, 1599 "need to update code for modified C11 atomics"); 1600 bool IsC11 = Op >= AtomicExpr::AO__c11_atomic_init && 1601 Op <= AtomicExpr::AO__c11_atomic_fetch_xor; 1602 bool IsN = Op == AtomicExpr::AO__atomic_load_n || 1603 Op == AtomicExpr::AO__atomic_store_n || 1604 Op == AtomicExpr::AO__atomic_exchange_n || 1605 Op == AtomicExpr::AO__atomic_compare_exchange_n; 1606 bool IsAddSub = false; 1607 1608 switch (Op) { 1609 case AtomicExpr::AO__c11_atomic_init: 1610 Form = Init; 1611 break; 1612 1613 case AtomicExpr::AO__c11_atomic_load: 1614 case AtomicExpr::AO__atomic_load_n: 1615 Form = Load; 1616 break; 1617 1618 case AtomicExpr::AO__c11_atomic_store: 1619 case AtomicExpr::AO__atomic_load: 1620 case AtomicExpr::AO__atomic_store: 1621 case AtomicExpr::AO__atomic_store_n: 1622 Form = Copy; 1623 break; 1624 1625 case AtomicExpr::AO__c11_atomic_fetch_add: 1626 case AtomicExpr::AO__c11_atomic_fetch_sub: 1627 case AtomicExpr::AO__atomic_fetch_add: 1628 case AtomicExpr::AO__atomic_fetch_sub: 1629 case AtomicExpr::AO__atomic_add_fetch: 1630 case AtomicExpr::AO__atomic_sub_fetch: 1631 IsAddSub = true; 1632 // Fall through. 1633 case AtomicExpr::AO__c11_atomic_fetch_and: 1634 case AtomicExpr::AO__c11_atomic_fetch_or: 1635 case AtomicExpr::AO__c11_atomic_fetch_xor: 1636 case AtomicExpr::AO__atomic_fetch_and: 1637 case AtomicExpr::AO__atomic_fetch_or: 1638 case AtomicExpr::AO__atomic_fetch_xor: 1639 case AtomicExpr::AO__atomic_fetch_nand: 1640 case AtomicExpr::AO__atomic_and_fetch: 1641 case AtomicExpr::AO__atomic_or_fetch: 1642 case AtomicExpr::AO__atomic_xor_fetch: 1643 case AtomicExpr::AO__atomic_nand_fetch: 1644 Form = Arithmetic; 1645 break; 1646 1647 case AtomicExpr::AO__c11_atomic_exchange: 1648 case AtomicExpr::AO__atomic_exchange_n: 1649 Form = Xchg; 1650 break; 1651 1652 case AtomicExpr::AO__atomic_exchange: 1653 Form = GNUXchg; 1654 break; 1655 1656 case AtomicExpr::AO__c11_atomic_compare_exchange_strong: 1657 case AtomicExpr::AO__c11_atomic_compare_exchange_weak: 1658 Form = C11CmpXchg; 1659 break; 1660 1661 case AtomicExpr::AO__atomic_compare_exchange: 1662 case AtomicExpr::AO__atomic_compare_exchange_n: 1663 Form = GNUCmpXchg; 1664 break; 1665 } 1666 1667 // Check we have the right number of arguments. 1668 if (TheCall->getNumArgs() < NumArgs[Form]) { 1669 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 1670 << 0 << NumArgs[Form] << TheCall->getNumArgs() 1671 << TheCall->getCallee()->getSourceRange(); 1672 return ExprError(); 1673 } else if (TheCall->getNumArgs() > NumArgs[Form]) { 1674 Diag(TheCall->getArg(NumArgs[Form])->getLocStart(), 1675 diag::err_typecheck_call_too_many_args) 1676 << 0 << NumArgs[Form] << TheCall->getNumArgs() 1677 << TheCall->getCallee()->getSourceRange(); 1678 return ExprError(); 1679 } 1680 1681 // Inspect the first argument of the atomic operation. 1682 Expr *Ptr = TheCall->getArg(0); 1683 Ptr = DefaultFunctionArrayLvalueConversion(Ptr).get(); 1684 const PointerType *pointerType = Ptr->getType()->getAs<PointerType>(); 1685 if (!pointerType) { 1686 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 1687 << Ptr->getType() << Ptr->getSourceRange(); 1688 return ExprError(); 1689 } 1690 1691 // For a __c11 builtin, this should be a pointer to an _Atomic type. 1692 QualType AtomTy = pointerType->getPointeeType(); // 'A' 1693 QualType ValType = AtomTy; // 'C' 1694 if (IsC11) { 1695 if (!AtomTy->isAtomicType()) { 1696 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic) 1697 << Ptr->getType() << Ptr->getSourceRange(); 1698 return ExprError(); 1699 } 1700 if (AtomTy.isConstQualified()) { 1701 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_non_const_atomic) 1702 << Ptr->getType() << Ptr->getSourceRange(); 1703 return ExprError(); 1704 } 1705 ValType = AtomTy->getAs<AtomicType>()->getValueType(); 1706 } else if (Form != Load && Op != AtomicExpr::AO__atomic_load) { 1707 if (ValType.isConstQualified()) { 1708 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_non_const_pointer) 1709 << Ptr->getType() << Ptr->getSourceRange(); 1710 return ExprError(); 1711 } 1712 } 1713 1714 // For an arithmetic operation, the implied arithmetic must be well-formed. 1715 if (Form == Arithmetic) { 1716 // gcc does not enforce these rules for GNU atomics, but we do so for sanity. 1717 if (IsAddSub && !ValType->isIntegerType() && !ValType->isPointerType()) { 1718 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic_int_or_ptr) 1719 << IsC11 << Ptr->getType() << Ptr->getSourceRange(); 1720 return ExprError(); 1721 } 1722 if (!IsAddSub && !ValType->isIntegerType()) { 1723 Diag(DRE->getLocStart(), diag::err_atomic_op_bitwise_needs_atomic_int) 1724 << IsC11 << Ptr->getType() << Ptr->getSourceRange(); 1725 return ExprError(); 1726 } 1727 if (IsC11 && ValType->isPointerType() && 1728 RequireCompleteType(Ptr->getLocStart(), ValType->getPointeeType(), 1729 diag::err_incomplete_type)) { 1730 return ExprError(); 1731 } 1732 } else if (IsN && !ValType->isIntegerType() && !ValType->isPointerType()) { 1733 // For __atomic_*_n operations, the value type must be a scalar integral or 1734 // pointer type which is 1, 2, 4, 8 or 16 bytes in length. 1735 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic_int_or_ptr) 1736 << IsC11 << Ptr->getType() << Ptr->getSourceRange(); 1737 return ExprError(); 1738 } 1739 1740 if (!IsC11 && !AtomTy.isTriviallyCopyableType(Context) && 1741 !AtomTy->isScalarType()) { 1742 // For GNU atomics, require a trivially-copyable type. This is not part of 1743 // the GNU atomics specification, but we enforce it for sanity. 1744 Diag(DRE->getLocStart(), diag::err_atomic_op_needs_trivial_copy) 1745 << Ptr->getType() << Ptr->getSourceRange(); 1746 return ExprError(); 1747 } 1748 1749 switch (ValType.getObjCLifetime()) { 1750 case Qualifiers::OCL_None: 1751 case Qualifiers::OCL_ExplicitNone: 1752 // okay 1753 break; 1754 1755 case Qualifiers::OCL_Weak: 1756 case Qualifiers::OCL_Strong: 1757 case Qualifiers::OCL_Autoreleasing: 1758 // FIXME: Can this happen? By this point, ValType should be known 1759 // to be trivially copyable. 1760 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 1761 << ValType << Ptr->getSourceRange(); 1762 return ExprError(); 1763 } 1764 1765 // atomic_fetch_or takes a pointer to a volatile 'A'. We shouldn't let the 1766 // volatile-ness of the pointee-type inject itself into the result or the 1767 // other operands. 1768 ValType.removeLocalVolatile(); 1769 QualType ResultType = ValType; 1770 if (Form == Copy || Form == GNUXchg || Form == Init) 1771 ResultType = Context.VoidTy; 1772 else if (Form == C11CmpXchg || Form == GNUCmpXchg) 1773 ResultType = Context.BoolTy; 1774 1775 // The type of a parameter passed 'by value'. In the GNU atomics, such 1776 // arguments are actually passed as pointers. 1777 QualType ByValType = ValType; // 'CP' 1778 if (!IsC11 && !IsN) 1779 ByValType = Ptr->getType(); 1780 1781 // FIXME: __atomic_load allows the first argument to be a a pointer to const 1782 // but not the second argument. We need to manually remove possible const 1783 // qualifiers. 1784 1785 // The first argument --- the pointer --- has a fixed type; we 1786 // deduce the types of the rest of the arguments accordingly. Walk 1787 // the remaining arguments, converting them to the deduced value type. 1788 for (unsigned i = 1; i != NumArgs[Form]; ++i) { 1789 QualType Ty; 1790 if (i < NumVals[Form] + 1) { 1791 switch (i) { 1792 case 1: 1793 // The second argument is the non-atomic operand. For arithmetic, this 1794 // is always passed by value, and for a compare_exchange it is always 1795 // passed by address. For the rest, GNU uses by-address and C11 uses 1796 // by-value. 1797 assert(Form != Load); 1798 if (Form == Init || (Form == Arithmetic && ValType->isIntegerType())) 1799 Ty = ValType; 1800 else if (Form == Copy || Form == Xchg) 1801 Ty = ByValType; 1802 else if (Form == Arithmetic) 1803 Ty = Context.getPointerDiffType(); 1804 else 1805 Ty = Context.getPointerType(ValType.getUnqualifiedType()); 1806 break; 1807 case 2: 1808 // The third argument to compare_exchange / GNU exchange is a 1809 // (pointer to a) desired value. 1810 Ty = ByValType; 1811 break; 1812 case 3: 1813 // The fourth argument to GNU compare_exchange is a 'weak' flag. 1814 Ty = Context.BoolTy; 1815 break; 1816 } 1817 } else { 1818 // The order(s) are always converted to int. 1819 Ty = Context.IntTy; 1820 } 1821 1822 InitializedEntity Entity = 1823 InitializedEntity::InitializeParameter(Context, Ty, false); 1824 ExprResult Arg = TheCall->getArg(i); 1825 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg); 1826 if (Arg.isInvalid()) 1827 return true; 1828 TheCall->setArg(i, Arg.get()); 1829 } 1830 1831 // Permute the arguments into a 'consistent' order. 1832 SmallVector<Expr*, 5> SubExprs; 1833 SubExprs.push_back(Ptr); 1834 switch (Form) { 1835 case Init: 1836 // Note, AtomicExpr::getVal1() has a special case for this atomic. 1837 SubExprs.push_back(TheCall->getArg(1)); // Val1 1838 break; 1839 case Load: 1840 SubExprs.push_back(TheCall->getArg(1)); // Order 1841 break; 1842 case Copy: 1843 case Arithmetic: 1844 case Xchg: 1845 SubExprs.push_back(TheCall->getArg(2)); // Order 1846 SubExprs.push_back(TheCall->getArg(1)); // Val1 1847 break; 1848 case GNUXchg: 1849 // Note, AtomicExpr::getVal2() has a special case for this atomic. 1850 SubExprs.push_back(TheCall->getArg(3)); // Order 1851 SubExprs.push_back(TheCall->getArg(1)); // Val1 1852 SubExprs.push_back(TheCall->getArg(2)); // Val2 1853 break; 1854 case C11CmpXchg: 1855 SubExprs.push_back(TheCall->getArg(3)); // Order 1856 SubExprs.push_back(TheCall->getArg(1)); // Val1 1857 SubExprs.push_back(TheCall->getArg(4)); // OrderFail 1858 SubExprs.push_back(TheCall->getArg(2)); // Val2 1859 break; 1860 case GNUCmpXchg: 1861 SubExprs.push_back(TheCall->getArg(4)); // Order 1862 SubExprs.push_back(TheCall->getArg(1)); // Val1 1863 SubExprs.push_back(TheCall->getArg(5)); // OrderFail 1864 SubExprs.push_back(TheCall->getArg(2)); // Val2 1865 SubExprs.push_back(TheCall->getArg(3)); // Weak 1866 break; 1867 } 1868 1869 if (SubExprs.size() >= 2 && Form != Init) { 1870 llvm::APSInt Result(32); 1871 if (SubExprs[1]->isIntegerConstantExpr(Result, Context) && 1872 !isValidOrderingForOp(Result.getSExtValue(), Op)) 1873 Diag(SubExprs[1]->getLocStart(), 1874 diag::warn_atomic_op_has_invalid_memory_order) 1875 << SubExprs[1]->getSourceRange(); 1876 } 1877 1878 AtomicExpr *AE = new (Context) AtomicExpr(TheCall->getCallee()->getLocStart(), 1879 SubExprs, ResultType, Op, 1880 TheCall->getRParenLoc()); 1881 1882 if ((Op == AtomicExpr::AO__c11_atomic_load || 1883 (Op == AtomicExpr::AO__c11_atomic_store)) && 1884 Context.AtomicUsesUnsupportedLibcall(AE)) 1885 Diag(AE->getLocStart(), diag::err_atomic_load_store_uses_lib) << 1886 ((Op == AtomicExpr::AO__c11_atomic_load) ? 0 : 1); 1887 1888 return AE; 1889 } 1890 1891 1892 /// checkBuiltinArgument - Given a call to a builtin function, perform 1893 /// normal type-checking on the given argument, updating the call in 1894 /// place. This is useful when a builtin function requires custom 1895 /// type-checking for some of its arguments but not necessarily all of 1896 /// them. 1897 /// 1898 /// Returns true on error. 1899 static bool checkBuiltinArgument(Sema &S, CallExpr *E, unsigned ArgIndex) { 1900 FunctionDecl *Fn = E->getDirectCallee(); 1901 assert(Fn && "builtin call without direct callee!"); 1902 1903 ParmVarDecl *Param = Fn->getParamDecl(ArgIndex); 1904 InitializedEntity Entity = 1905 InitializedEntity::InitializeParameter(S.Context, Param); 1906 1907 ExprResult Arg = E->getArg(0); 1908 Arg = S.PerformCopyInitialization(Entity, SourceLocation(), Arg); 1909 if (Arg.isInvalid()) 1910 return true; 1911 1912 E->setArg(ArgIndex, Arg.get()); 1913 return false; 1914 } 1915 1916 /// SemaBuiltinAtomicOverloaded - We have a call to a function like 1917 /// __sync_fetch_and_add, which is an overloaded function based on the pointer 1918 /// type of its first argument. The main ActOnCallExpr routines have already 1919 /// promoted the types of arguments because all of these calls are prototyped as 1920 /// void(...). 1921 /// 1922 /// This function goes through and does final semantic checking for these 1923 /// builtins, 1924 ExprResult 1925 Sema::SemaBuiltinAtomicOverloaded(ExprResult TheCallResult) { 1926 CallExpr *TheCall = (CallExpr *)TheCallResult.get(); 1927 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 1928 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 1929 1930 // Ensure that we have at least one argument to do type inference from. 1931 if (TheCall->getNumArgs() < 1) { 1932 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 1933 << 0 << 1 << TheCall->getNumArgs() 1934 << TheCall->getCallee()->getSourceRange(); 1935 return ExprError(); 1936 } 1937 1938 // Inspect the first argument of the atomic builtin. This should always be 1939 // a pointer type, whose element is an integral scalar or pointer type. 1940 // Because it is a pointer type, we don't have to worry about any implicit 1941 // casts here. 1942 // FIXME: We don't allow floating point scalars as input. 1943 Expr *FirstArg = TheCall->getArg(0); 1944 ExprResult FirstArgResult = DefaultFunctionArrayLvalueConversion(FirstArg); 1945 if (FirstArgResult.isInvalid()) 1946 return ExprError(); 1947 FirstArg = FirstArgResult.get(); 1948 TheCall->setArg(0, FirstArg); 1949 1950 const PointerType *pointerType = FirstArg->getType()->getAs<PointerType>(); 1951 if (!pointerType) { 1952 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer) 1953 << FirstArg->getType() << FirstArg->getSourceRange(); 1954 return ExprError(); 1955 } 1956 1957 QualType ValType = pointerType->getPointeeType(); 1958 if (!ValType->isIntegerType() && !ValType->isAnyPointerType() && 1959 !ValType->isBlockPointerType()) { 1960 Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer_intptr) 1961 << FirstArg->getType() << FirstArg->getSourceRange(); 1962 return ExprError(); 1963 } 1964 1965 switch (ValType.getObjCLifetime()) { 1966 case Qualifiers::OCL_None: 1967 case Qualifiers::OCL_ExplicitNone: 1968 // okay 1969 break; 1970 1971 case Qualifiers::OCL_Weak: 1972 case Qualifiers::OCL_Strong: 1973 case Qualifiers::OCL_Autoreleasing: 1974 Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership) 1975 << ValType << FirstArg->getSourceRange(); 1976 return ExprError(); 1977 } 1978 1979 // Strip any qualifiers off ValType. 1980 ValType = ValType.getUnqualifiedType(); 1981 1982 // The majority of builtins return a value, but a few have special return 1983 // types, so allow them to override appropriately below. 1984 QualType ResultType = ValType; 1985 1986 // We need to figure out which concrete builtin this maps onto. For example, 1987 // __sync_fetch_and_add with a 2 byte object turns into 1988 // __sync_fetch_and_add_2. 1989 #define BUILTIN_ROW(x) \ 1990 { Builtin::BI##x##_1, Builtin::BI##x##_2, Builtin::BI##x##_4, \ 1991 Builtin::BI##x##_8, Builtin::BI##x##_16 } 1992 1993 static const unsigned BuiltinIndices[][5] = { 1994 BUILTIN_ROW(__sync_fetch_and_add), 1995 BUILTIN_ROW(__sync_fetch_and_sub), 1996 BUILTIN_ROW(__sync_fetch_and_or), 1997 BUILTIN_ROW(__sync_fetch_and_and), 1998 BUILTIN_ROW(__sync_fetch_and_xor), 1999 BUILTIN_ROW(__sync_fetch_and_nand), 2000 2001 BUILTIN_ROW(__sync_add_and_fetch), 2002 BUILTIN_ROW(__sync_sub_and_fetch), 2003 BUILTIN_ROW(__sync_and_and_fetch), 2004 BUILTIN_ROW(__sync_or_and_fetch), 2005 BUILTIN_ROW(__sync_xor_and_fetch), 2006 BUILTIN_ROW(__sync_nand_and_fetch), 2007 2008 BUILTIN_ROW(__sync_val_compare_and_swap), 2009 BUILTIN_ROW(__sync_bool_compare_and_swap), 2010 BUILTIN_ROW(__sync_lock_test_and_set), 2011 BUILTIN_ROW(__sync_lock_release), 2012 BUILTIN_ROW(__sync_swap) 2013 }; 2014 #undef BUILTIN_ROW 2015 2016 // Determine the index of the size. 2017 unsigned SizeIndex; 2018 switch (Context.getTypeSizeInChars(ValType).getQuantity()) { 2019 case 1: SizeIndex = 0; break; 2020 case 2: SizeIndex = 1; break; 2021 case 4: SizeIndex = 2; break; 2022 case 8: SizeIndex = 3; break; 2023 case 16: SizeIndex = 4; break; 2024 default: 2025 Diag(DRE->getLocStart(), diag::err_atomic_builtin_pointer_size) 2026 << FirstArg->getType() << FirstArg->getSourceRange(); 2027 return ExprError(); 2028 } 2029 2030 // Each of these builtins has one pointer argument, followed by some number of 2031 // values (0, 1 or 2) followed by a potentially empty varags list of stuff 2032 // that we ignore. Find out which row of BuiltinIndices to read from as well 2033 // as the number of fixed args. 2034 unsigned BuiltinID = FDecl->getBuiltinID(); 2035 unsigned BuiltinIndex, NumFixed = 1; 2036 bool WarnAboutSemanticsChange = false; 2037 switch (BuiltinID) { 2038 default: llvm_unreachable("Unknown overloaded atomic builtin!"); 2039 case Builtin::BI__sync_fetch_and_add: 2040 case Builtin::BI__sync_fetch_and_add_1: 2041 case Builtin::BI__sync_fetch_and_add_2: 2042 case Builtin::BI__sync_fetch_and_add_4: 2043 case Builtin::BI__sync_fetch_and_add_8: 2044 case Builtin::BI__sync_fetch_and_add_16: 2045 BuiltinIndex = 0; 2046 break; 2047 2048 case Builtin::BI__sync_fetch_and_sub: 2049 case Builtin::BI__sync_fetch_and_sub_1: 2050 case Builtin::BI__sync_fetch_and_sub_2: 2051 case Builtin::BI__sync_fetch_and_sub_4: 2052 case Builtin::BI__sync_fetch_and_sub_8: 2053 case Builtin::BI__sync_fetch_and_sub_16: 2054 BuiltinIndex = 1; 2055 break; 2056 2057 case Builtin::BI__sync_fetch_and_or: 2058 case Builtin::BI__sync_fetch_and_or_1: 2059 case Builtin::BI__sync_fetch_and_or_2: 2060 case Builtin::BI__sync_fetch_and_or_4: 2061 case Builtin::BI__sync_fetch_and_or_8: 2062 case Builtin::BI__sync_fetch_and_or_16: 2063 BuiltinIndex = 2; 2064 break; 2065 2066 case Builtin::BI__sync_fetch_and_and: 2067 case Builtin::BI__sync_fetch_and_and_1: 2068 case Builtin::BI__sync_fetch_and_and_2: 2069 case Builtin::BI__sync_fetch_and_and_4: 2070 case Builtin::BI__sync_fetch_and_and_8: 2071 case Builtin::BI__sync_fetch_and_and_16: 2072 BuiltinIndex = 3; 2073 break; 2074 2075 case Builtin::BI__sync_fetch_and_xor: 2076 case Builtin::BI__sync_fetch_and_xor_1: 2077 case Builtin::BI__sync_fetch_and_xor_2: 2078 case Builtin::BI__sync_fetch_and_xor_4: 2079 case Builtin::BI__sync_fetch_and_xor_8: 2080 case Builtin::BI__sync_fetch_and_xor_16: 2081 BuiltinIndex = 4; 2082 break; 2083 2084 case Builtin::BI__sync_fetch_and_nand: 2085 case Builtin::BI__sync_fetch_and_nand_1: 2086 case Builtin::BI__sync_fetch_and_nand_2: 2087 case Builtin::BI__sync_fetch_and_nand_4: 2088 case Builtin::BI__sync_fetch_and_nand_8: 2089 case Builtin::BI__sync_fetch_and_nand_16: 2090 BuiltinIndex = 5; 2091 WarnAboutSemanticsChange = true; 2092 break; 2093 2094 case Builtin::BI__sync_add_and_fetch: 2095 case Builtin::BI__sync_add_and_fetch_1: 2096 case Builtin::BI__sync_add_and_fetch_2: 2097 case Builtin::BI__sync_add_and_fetch_4: 2098 case Builtin::BI__sync_add_and_fetch_8: 2099 case Builtin::BI__sync_add_and_fetch_16: 2100 BuiltinIndex = 6; 2101 break; 2102 2103 case Builtin::BI__sync_sub_and_fetch: 2104 case Builtin::BI__sync_sub_and_fetch_1: 2105 case Builtin::BI__sync_sub_and_fetch_2: 2106 case Builtin::BI__sync_sub_and_fetch_4: 2107 case Builtin::BI__sync_sub_and_fetch_8: 2108 case Builtin::BI__sync_sub_and_fetch_16: 2109 BuiltinIndex = 7; 2110 break; 2111 2112 case Builtin::BI__sync_and_and_fetch: 2113 case Builtin::BI__sync_and_and_fetch_1: 2114 case Builtin::BI__sync_and_and_fetch_2: 2115 case Builtin::BI__sync_and_and_fetch_4: 2116 case Builtin::BI__sync_and_and_fetch_8: 2117 case Builtin::BI__sync_and_and_fetch_16: 2118 BuiltinIndex = 8; 2119 break; 2120 2121 case Builtin::BI__sync_or_and_fetch: 2122 case Builtin::BI__sync_or_and_fetch_1: 2123 case Builtin::BI__sync_or_and_fetch_2: 2124 case Builtin::BI__sync_or_and_fetch_4: 2125 case Builtin::BI__sync_or_and_fetch_8: 2126 case Builtin::BI__sync_or_and_fetch_16: 2127 BuiltinIndex = 9; 2128 break; 2129 2130 case Builtin::BI__sync_xor_and_fetch: 2131 case Builtin::BI__sync_xor_and_fetch_1: 2132 case Builtin::BI__sync_xor_and_fetch_2: 2133 case Builtin::BI__sync_xor_and_fetch_4: 2134 case Builtin::BI__sync_xor_and_fetch_8: 2135 case Builtin::BI__sync_xor_and_fetch_16: 2136 BuiltinIndex = 10; 2137 break; 2138 2139 case Builtin::BI__sync_nand_and_fetch: 2140 case Builtin::BI__sync_nand_and_fetch_1: 2141 case Builtin::BI__sync_nand_and_fetch_2: 2142 case Builtin::BI__sync_nand_and_fetch_4: 2143 case Builtin::BI__sync_nand_and_fetch_8: 2144 case Builtin::BI__sync_nand_and_fetch_16: 2145 BuiltinIndex = 11; 2146 WarnAboutSemanticsChange = true; 2147 break; 2148 2149 case Builtin::BI__sync_val_compare_and_swap: 2150 case Builtin::BI__sync_val_compare_and_swap_1: 2151 case Builtin::BI__sync_val_compare_and_swap_2: 2152 case Builtin::BI__sync_val_compare_and_swap_4: 2153 case Builtin::BI__sync_val_compare_and_swap_8: 2154 case Builtin::BI__sync_val_compare_and_swap_16: 2155 BuiltinIndex = 12; 2156 NumFixed = 2; 2157 break; 2158 2159 case Builtin::BI__sync_bool_compare_and_swap: 2160 case Builtin::BI__sync_bool_compare_and_swap_1: 2161 case Builtin::BI__sync_bool_compare_and_swap_2: 2162 case Builtin::BI__sync_bool_compare_and_swap_4: 2163 case Builtin::BI__sync_bool_compare_and_swap_8: 2164 case Builtin::BI__sync_bool_compare_and_swap_16: 2165 BuiltinIndex = 13; 2166 NumFixed = 2; 2167 ResultType = Context.BoolTy; 2168 break; 2169 2170 case Builtin::BI__sync_lock_test_and_set: 2171 case Builtin::BI__sync_lock_test_and_set_1: 2172 case Builtin::BI__sync_lock_test_and_set_2: 2173 case Builtin::BI__sync_lock_test_and_set_4: 2174 case Builtin::BI__sync_lock_test_and_set_8: 2175 case Builtin::BI__sync_lock_test_and_set_16: 2176 BuiltinIndex = 14; 2177 break; 2178 2179 case Builtin::BI__sync_lock_release: 2180 case Builtin::BI__sync_lock_release_1: 2181 case Builtin::BI__sync_lock_release_2: 2182 case Builtin::BI__sync_lock_release_4: 2183 case Builtin::BI__sync_lock_release_8: 2184 case Builtin::BI__sync_lock_release_16: 2185 BuiltinIndex = 15; 2186 NumFixed = 0; 2187 ResultType = Context.VoidTy; 2188 break; 2189 2190 case Builtin::BI__sync_swap: 2191 case Builtin::BI__sync_swap_1: 2192 case Builtin::BI__sync_swap_2: 2193 case Builtin::BI__sync_swap_4: 2194 case Builtin::BI__sync_swap_8: 2195 case Builtin::BI__sync_swap_16: 2196 BuiltinIndex = 16; 2197 break; 2198 } 2199 2200 // Now that we know how many fixed arguments we expect, first check that we 2201 // have at least that many. 2202 if (TheCall->getNumArgs() < 1+NumFixed) { 2203 Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least) 2204 << 0 << 1+NumFixed << TheCall->getNumArgs() 2205 << TheCall->getCallee()->getSourceRange(); 2206 return ExprError(); 2207 } 2208 2209 if (WarnAboutSemanticsChange) { 2210 Diag(TheCall->getLocEnd(), diag::warn_sync_fetch_and_nand_semantics_change) 2211 << TheCall->getCallee()->getSourceRange(); 2212 } 2213 2214 // Get the decl for the concrete builtin from this, we can tell what the 2215 // concrete integer type we should convert to is. 2216 unsigned NewBuiltinID = BuiltinIndices[BuiltinIndex][SizeIndex]; 2217 const char *NewBuiltinName = Context.BuiltinInfo.getName(NewBuiltinID); 2218 FunctionDecl *NewBuiltinDecl; 2219 if (NewBuiltinID == BuiltinID) 2220 NewBuiltinDecl = FDecl; 2221 else { 2222 // Perform builtin lookup to avoid redeclaring it. 2223 DeclarationName DN(&Context.Idents.get(NewBuiltinName)); 2224 LookupResult Res(*this, DN, DRE->getLocStart(), LookupOrdinaryName); 2225 LookupName(Res, TUScope, /*AllowBuiltinCreation=*/true); 2226 assert(Res.getFoundDecl()); 2227 NewBuiltinDecl = dyn_cast<FunctionDecl>(Res.getFoundDecl()); 2228 if (!NewBuiltinDecl) 2229 return ExprError(); 2230 } 2231 2232 // The first argument --- the pointer --- has a fixed type; we 2233 // deduce the types of the rest of the arguments accordingly. Walk 2234 // the remaining arguments, converting them to the deduced value type. 2235 for (unsigned i = 0; i != NumFixed; ++i) { 2236 ExprResult Arg = TheCall->getArg(i+1); 2237 2238 // GCC does an implicit conversion to the pointer or integer ValType. This 2239 // can fail in some cases (1i -> int**), check for this error case now. 2240 // Initialize the argument. 2241 InitializedEntity Entity = InitializedEntity::InitializeParameter(Context, 2242 ValType, /*consume*/ false); 2243 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg); 2244 if (Arg.isInvalid()) 2245 return ExprError(); 2246 2247 // Okay, we have something that *can* be converted to the right type. Check 2248 // to see if there is a potentially weird extension going on here. This can 2249 // happen when you do an atomic operation on something like an char* and 2250 // pass in 42. The 42 gets converted to char. This is even more strange 2251 // for things like 45.123 -> char, etc. 2252 // FIXME: Do this check. 2253 TheCall->setArg(i+1, Arg.get()); 2254 } 2255 2256 ASTContext& Context = this->getASTContext(); 2257 2258 // Create a new DeclRefExpr to refer to the new decl. 2259 DeclRefExpr* NewDRE = DeclRefExpr::Create( 2260 Context, 2261 DRE->getQualifierLoc(), 2262 SourceLocation(), 2263 NewBuiltinDecl, 2264 /*enclosing*/ false, 2265 DRE->getLocation(), 2266 Context.BuiltinFnTy, 2267 DRE->getValueKind()); 2268 2269 // Set the callee in the CallExpr. 2270 // FIXME: This loses syntactic information. 2271 QualType CalleePtrTy = Context.getPointerType(NewBuiltinDecl->getType()); 2272 ExprResult PromotedCall = ImpCastExprToType(NewDRE, CalleePtrTy, 2273 CK_BuiltinFnToFnPtr); 2274 TheCall->setCallee(PromotedCall.get()); 2275 2276 // Change the result type of the call to match the original value type. This 2277 // is arbitrary, but the codegen for these builtins ins design to handle it 2278 // gracefully. 2279 TheCall->setType(ResultType); 2280 2281 return TheCallResult; 2282 } 2283 2284 /// SemaBuiltinNontemporalOverloaded - We have a call to 2285 /// __builtin_nontemporal_store or __builtin_nontemporal_load, which is an 2286 /// overloaded function based on the pointer type of its last argument. 2287 /// 2288 /// This function goes through and does final semantic checking for these 2289 /// builtins. 2290 ExprResult Sema::SemaBuiltinNontemporalOverloaded(ExprResult TheCallResult) { 2291 CallExpr *TheCall = (CallExpr *)TheCallResult.get(); 2292 DeclRefExpr *DRE = 2293 cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 2294 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 2295 unsigned BuiltinID = FDecl->getBuiltinID(); 2296 assert((BuiltinID == Builtin::BI__builtin_nontemporal_store || 2297 BuiltinID == Builtin::BI__builtin_nontemporal_load) && 2298 "Unexpected nontemporal load/store builtin!"); 2299 bool isStore = BuiltinID == Builtin::BI__builtin_nontemporal_store; 2300 unsigned numArgs = isStore ? 2 : 1; 2301 2302 // Ensure that we have the proper number of arguments. 2303 if (checkArgCount(*this, TheCall, numArgs)) 2304 return ExprError(); 2305 2306 // Inspect the last argument of the nontemporal builtin. This should always 2307 // be a pointer type, from which we imply the type of the memory access. 2308 // Because it is a pointer type, we don't have to worry about any implicit 2309 // casts here. 2310 Expr *PointerArg = TheCall->getArg(numArgs - 1); 2311 ExprResult PointerArgResult = 2312 DefaultFunctionArrayLvalueConversion(PointerArg); 2313 2314 if (PointerArgResult.isInvalid()) 2315 return ExprError(); 2316 PointerArg = PointerArgResult.get(); 2317 TheCall->setArg(numArgs - 1, PointerArg); 2318 2319 const PointerType *pointerType = PointerArg->getType()->getAs<PointerType>(); 2320 if (!pointerType) { 2321 Diag(DRE->getLocStart(), diag::err_nontemporal_builtin_must_be_pointer) 2322 << PointerArg->getType() << PointerArg->getSourceRange(); 2323 return ExprError(); 2324 } 2325 2326 QualType ValType = pointerType->getPointeeType(); 2327 2328 // Strip any qualifiers off ValType. 2329 ValType = ValType.getUnqualifiedType(); 2330 if (!ValType->isIntegerType() && !ValType->isAnyPointerType() && 2331 !ValType->isBlockPointerType() && !ValType->isFloatingType() && 2332 !ValType->isVectorType()) { 2333 Diag(DRE->getLocStart(), 2334 diag::err_nontemporal_builtin_must_be_pointer_intfltptr_or_vector) 2335 << PointerArg->getType() << PointerArg->getSourceRange(); 2336 return ExprError(); 2337 } 2338 2339 if (!isStore) { 2340 TheCall->setType(ValType); 2341 return TheCallResult; 2342 } 2343 2344 ExprResult ValArg = TheCall->getArg(0); 2345 InitializedEntity Entity = InitializedEntity::InitializeParameter( 2346 Context, ValType, /*consume*/ false); 2347 ValArg = PerformCopyInitialization(Entity, SourceLocation(), ValArg); 2348 if (ValArg.isInvalid()) 2349 return ExprError(); 2350 2351 TheCall->setArg(0, ValArg.get()); 2352 TheCall->setType(Context.VoidTy); 2353 return TheCallResult; 2354 } 2355 2356 /// CheckObjCString - Checks that the argument to the builtin 2357 /// CFString constructor is correct 2358 /// Note: It might also make sense to do the UTF-16 conversion here (would 2359 /// simplify the backend). 2360 bool Sema::CheckObjCString(Expr *Arg) { 2361 Arg = Arg->IgnoreParenCasts(); 2362 StringLiteral *Literal = dyn_cast<StringLiteral>(Arg); 2363 2364 if (!Literal || !Literal->isAscii()) { 2365 Diag(Arg->getLocStart(), diag::err_cfstring_literal_not_string_constant) 2366 << Arg->getSourceRange(); 2367 return true; 2368 } 2369 2370 if (Literal->containsNonAsciiOrNull()) { 2371 StringRef String = Literal->getString(); 2372 unsigned NumBytes = String.size(); 2373 SmallVector<UTF16, 128> ToBuf(NumBytes); 2374 const UTF8 *FromPtr = (const UTF8 *)String.data(); 2375 UTF16 *ToPtr = &ToBuf[0]; 2376 2377 ConversionResult Result = ConvertUTF8toUTF16(&FromPtr, FromPtr + NumBytes, 2378 &ToPtr, ToPtr + NumBytes, 2379 strictConversion); 2380 // Check for conversion failure. 2381 if (Result != conversionOK) 2382 Diag(Arg->getLocStart(), 2383 diag::warn_cfstring_truncated) << Arg->getSourceRange(); 2384 } 2385 return false; 2386 } 2387 2388 /// Check the arguments to '__builtin_va_start' or '__builtin_ms_va_start' 2389 /// for validity. Emit an error and return true on failure; return false 2390 /// on success. 2391 bool Sema::SemaBuiltinVAStartImpl(CallExpr *TheCall) { 2392 Expr *Fn = TheCall->getCallee(); 2393 if (TheCall->getNumArgs() > 2) { 2394 Diag(TheCall->getArg(2)->getLocStart(), 2395 diag::err_typecheck_call_too_many_args) 2396 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 2397 << Fn->getSourceRange() 2398 << SourceRange(TheCall->getArg(2)->getLocStart(), 2399 (*(TheCall->arg_end()-1))->getLocEnd()); 2400 return true; 2401 } 2402 2403 if (TheCall->getNumArgs() < 2) { 2404 return Diag(TheCall->getLocEnd(), 2405 diag::err_typecheck_call_too_few_args_at_least) 2406 << 0 /*function call*/ << 2 << TheCall->getNumArgs(); 2407 } 2408 2409 // Type-check the first argument normally. 2410 if (checkBuiltinArgument(*this, TheCall, 0)) 2411 return true; 2412 2413 // Determine whether the current function is variadic or not. 2414 BlockScopeInfo *CurBlock = getCurBlock(); 2415 bool isVariadic; 2416 if (CurBlock) 2417 isVariadic = CurBlock->TheDecl->isVariadic(); 2418 else if (FunctionDecl *FD = getCurFunctionDecl()) 2419 isVariadic = FD->isVariadic(); 2420 else 2421 isVariadic = getCurMethodDecl()->isVariadic(); 2422 2423 if (!isVariadic) { 2424 Diag(Fn->getLocStart(), diag::err_va_start_used_in_non_variadic_function); 2425 return true; 2426 } 2427 2428 // Verify that the second argument to the builtin is the last argument of the 2429 // current function or method. 2430 bool SecondArgIsLastNamedArgument = false; 2431 const Expr *Arg = TheCall->getArg(1)->IgnoreParenCasts(); 2432 2433 // These are valid if SecondArgIsLastNamedArgument is false after the next 2434 // block. 2435 QualType Type; 2436 SourceLocation ParamLoc; 2437 2438 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Arg)) { 2439 if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(DR->getDecl())) { 2440 // FIXME: This isn't correct for methods (results in bogus warning). 2441 // Get the last formal in the current function. 2442 const ParmVarDecl *LastArg; 2443 if (CurBlock) 2444 LastArg = *(CurBlock->TheDecl->param_end()-1); 2445 else if (FunctionDecl *FD = getCurFunctionDecl()) 2446 LastArg = *(FD->param_end()-1); 2447 else 2448 LastArg = *(getCurMethodDecl()->param_end()-1); 2449 SecondArgIsLastNamedArgument = PV == LastArg; 2450 2451 Type = PV->getType(); 2452 ParamLoc = PV->getLocation(); 2453 } 2454 } 2455 2456 if (!SecondArgIsLastNamedArgument) 2457 Diag(TheCall->getArg(1)->getLocStart(), 2458 diag::warn_second_parameter_of_va_start_not_last_named_argument); 2459 else if (Type->isReferenceType()) { 2460 Diag(Arg->getLocStart(), 2461 diag::warn_va_start_of_reference_type_is_undefined); 2462 Diag(ParamLoc, diag::note_parameter_type) << Type; 2463 } 2464 2465 TheCall->setType(Context.VoidTy); 2466 return false; 2467 } 2468 2469 /// Check the arguments to '__builtin_va_start' for validity, and that 2470 /// it was called from a function of the native ABI. 2471 /// Emit an error and return true on failure; return false on success. 2472 bool Sema::SemaBuiltinVAStart(CallExpr *TheCall) { 2473 // On x86-64 Unix, don't allow this in Win64 ABI functions. 2474 // On x64 Windows, don't allow this in System V ABI functions. 2475 // (Yes, that means there's no corresponding way to support variadic 2476 // System V ABI functions on Windows.) 2477 if (Context.getTargetInfo().getTriple().getArch() == llvm::Triple::x86_64) { 2478 unsigned OS = Context.getTargetInfo().getTriple().getOS(); 2479 clang::CallingConv CC = CC_C; 2480 if (const FunctionDecl *FD = getCurFunctionDecl()) 2481 CC = FD->getType()->getAs<FunctionType>()->getCallConv(); 2482 if ((OS == llvm::Triple::Win32 && CC == CC_X86_64SysV) || 2483 (OS != llvm::Triple::Win32 && CC == CC_X86_64Win64)) 2484 return Diag(TheCall->getCallee()->getLocStart(), 2485 diag::err_va_start_used_in_wrong_abi_function) 2486 << (OS != llvm::Triple::Win32); 2487 } 2488 return SemaBuiltinVAStartImpl(TheCall); 2489 } 2490 2491 /// Check the arguments to '__builtin_ms_va_start' for validity, and that 2492 /// it was called from a Win64 ABI function. 2493 /// Emit an error and return true on failure; return false on success. 2494 bool Sema::SemaBuiltinMSVAStart(CallExpr *TheCall) { 2495 // This only makes sense for x86-64. 2496 const llvm::Triple &TT = Context.getTargetInfo().getTriple(); 2497 Expr *Callee = TheCall->getCallee(); 2498 if (TT.getArch() != llvm::Triple::x86_64) 2499 return Diag(Callee->getLocStart(), diag::err_x86_builtin_32_bit_tgt); 2500 // Don't allow this in System V ABI functions. 2501 clang::CallingConv CC = CC_C; 2502 if (const FunctionDecl *FD = getCurFunctionDecl()) 2503 CC = FD->getType()->getAs<FunctionType>()->getCallConv(); 2504 if (CC == CC_X86_64SysV || 2505 (TT.getOS() != llvm::Triple::Win32 && CC != CC_X86_64Win64)) 2506 return Diag(Callee->getLocStart(), 2507 diag::err_ms_va_start_used_in_sysv_function); 2508 return SemaBuiltinVAStartImpl(TheCall); 2509 } 2510 2511 bool Sema::SemaBuiltinVAStartARM(CallExpr *Call) { 2512 // void __va_start(va_list *ap, const char *named_addr, size_t slot_size, 2513 // const char *named_addr); 2514 2515 Expr *Func = Call->getCallee(); 2516 2517 if (Call->getNumArgs() < 3) 2518 return Diag(Call->getLocEnd(), 2519 diag::err_typecheck_call_too_few_args_at_least) 2520 << 0 /*function call*/ << 3 << Call->getNumArgs(); 2521 2522 // Determine whether the current function is variadic or not. 2523 bool IsVariadic; 2524 if (BlockScopeInfo *CurBlock = getCurBlock()) 2525 IsVariadic = CurBlock->TheDecl->isVariadic(); 2526 else if (FunctionDecl *FD = getCurFunctionDecl()) 2527 IsVariadic = FD->isVariadic(); 2528 else if (ObjCMethodDecl *MD = getCurMethodDecl()) 2529 IsVariadic = MD->isVariadic(); 2530 else 2531 llvm_unreachable("unexpected statement type"); 2532 2533 if (!IsVariadic) { 2534 Diag(Func->getLocStart(), diag::err_va_start_used_in_non_variadic_function); 2535 return true; 2536 } 2537 2538 // Type-check the first argument normally. 2539 if (checkBuiltinArgument(*this, Call, 0)) 2540 return true; 2541 2542 const struct { 2543 unsigned ArgNo; 2544 QualType Type; 2545 } ArgumentTypes[] = { 2546 { 1, Context.getPointerType(Context.CharTy.withConst()) }, 2547 { 2, Context.getSizeType() }, 2548 }; 2549 2550 for (const auto &AT : ArgumentTypes) { 2551 const Expr *Arg = Call->getArg(AT.ArgNo)->IgnoreParens(); 2552 if (Arg->getType().getCanonicalType() == AT.Type.getCanonicalType()) 2553 continue; 2554 Diag(Arg->getLocStart(), diag::err_typecheck_convert_incompatible) 2555 << Arg->getType() << AT.Type << 1 /* different class */ 2556 << 0 /* qualifier difference */ << 3 /* parameter mismatch */ 2557 << AT.ArgNo + 1 << Arg->getType() << AT.Type; 2558 } 2559 2560 return false; 2561 } 2562 2563 /// SemaBuiltinUnorderedCompare - Handle functions like __builtin_isgreater and 2564 /// friends. This is declared to take (...), so we have to check everything. 2565 bool Sema::SemaBuiltinUnorderedCompare(CallExpr *TheCall) { 2566 if (TheCall->getNumArgs() < 2) 2567 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 2568 << 0 << 2 << TheCall->getNumArgs()/*function call*/; 2569 if (TheCall->getNumArgs() > 2) 2570 return Diag(TheCall->getArg(2)->getLocStart(), 2571 diag::err_typecheck_call_too_many_args) 2572 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 2573 << SourceRange(TheCall->getArg(2)->getLocStart(), 2574 (*(TheCall->arg_end()-1))->getLocEnd()); 2575 2576 ExprResult OrigArg0 = TheCall->getArg(0); 2577 ExprResult OrigArg1 = TheCall->getArg(1); 2578 2579 // Do standard promotions between the two arguments, returning their common 2580 // type. 2581 QualType Res = UsualArithmeticConversions(OrigArg0, OrigArg1, false); 2582 if (OrigArg0.isInvalid() || OrigArg1.isInvalid()) 2583 return true; 2584 2585 // Make sure any conversions are pushed back into the call; this is 2586 // type safe since unordered compare builtins are declared as "_Bool 2587 // foo(...)". 2588 TheCall->setArg(0, OrigArg0.get()); 2589 TheCall->setArg(1, OrigArg1.get()); 2590 2591 if (OrigArg0.get()->isTypeDependent() || OrigArg1.get()->isTypeDependent()) 2592 return false; 2593 2594 // If the common type isn't a real floating type, then the arguments were 2595 // invalid for this operation. 2596 if (Res.isNull() || !Res->isRealFloatingType()) 2597 return Diag(OrigArg0.get()->getLocStart(), 2598 diag::err_typecheck_call_invalid_ordered_compare) 2599 << OrigArg0.get()->getType() << OrigArg1.get()->getType() 2600 << SourceRange(OrigArg0.get()->getLocStart(), OrigArg1.get()->getLocEnd()); 2601 2602 return false; 2603 } 2604 2605 /// SemaBuiltinSemaBuiltinFPClassification - Handle functions like 2606 /// __builtin_isnan and friends. This is declared to take (...), so we have 2607 /// to check everything. We expect the last argument to be a floating point 2608 /// value. 2609 bool Sema::SemaBuiltinFPClassification(CallExpr *TheCall, unsigned NumArgs) { 2610 if (TheCall->getNumArgs() < NumArgs) 2611 return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args) 2612 << 0 << NumArgs << TheCall->getNumArgs()/*function call*/; 2613 if (TheCall->getNumArgs() > NumArgs) 2614 return Diag(TheCall->getArg(NumArgs)->getLocStart(), 2615 diag::err_typecheck_call_too_many_args) 2616 << 0 /*function call*/ << NumArgs << TheCall->getNumArgs() 2617 << SourceRange(TheCall->getArg(NumArgs)->getLocStart(), 2618 (*(TheCall->arg_end()-1))->getLocEnd()); 2619 2620 Expr *OrigArg = TheCall->getArg(NumArgs-1); 2621 2622 if (OrigArg->isTypeDependent()) 2623 return false; 2624 2625 // This operation requires a non-_Complex floating-point number. 2626 if (!OrigArg->getType()->isRealFloatingType()) 2627 return Diag(OrigArg->getLocStart(), 2628 diag::err_typecheck_call_invalid_unary_fp) 2629 << OrigArg->getType() << OrigArg->getSourceRange(); 2630 2631 // If this is an implicit conversion from float -> double, remove it. 2632 if (ImplicitCastExpr *Cast = dyn_cast<ImplicitCastExpr>(OrigArg)) { 2633 Expr *CastArg = Cast->getSubExpr(); 2634 if (CastArg->getType()->isSpecificBuiltinType(BuiltinType::Float)) { 2635 assert(Cast->getType()->isSpecificBuiltinType(BuiltinType::Double) && 2636 "promotion from float to double is the only expected cast here"); 2637 Cast->setSubExpr(nullptr); 2638 TheCall->setArg(NumArgs-1, CastArg); 2639 } 2640 } 2641 2642 return false; 2643 } 2644 2645 /// SemaBuiltinShuffleVector - Handle __builtin_shufflevector. 2646 // This is declared to take (...), so we have to check everything. 2647 ExprResult Sema::SemaBuiltinShuffleVector(CallExpr *TheCall) { 2648 if (TheCall->getNumArgs() < 2) 2649 return ExprError(Diag(TheCall->getLocEnd(), 2650 diag::err_typecheck_call_too_few_args_at_least) 2651 << 0 /*function call*/ << 2 << TheCall->getNumArgs() 2652 << TheCall->getSourceRange()); 2653 2654 // Determine which of the following types of shufflevector we're checking: 2655 // 1) unary, vector mask: (lhs, mask) 2656 // 2) binary, vector mask: (lhs, rhs, mask) 2657 // 3) binary, scalar mask: (lhs, rhs, index, ..., index) 2658 QualType resType = TheCall->getArg(0)->getType(); 2659 unsigned numElements = 0; 2660 2661 if (!TheCall->getArg(0)->isTypeDependent() && 2662 !TheCall->getArg(1)->isTypeDependent()) { 2663 QualType LHSType = TheCall->getArg(0)->getType(); 2664 QualType RHSType = TheCall->getArg(1)->getType(); 2665 2666 if (!LHSType->isVectorType() || !RHSType->isVectorType()) 2667 return ExprError(Diag(TheCall->getLocStart(), 2668 diag::err_shufflevector_non_vector) 2669 << SourceRange(TheCall->getArg(0)->getLocStart(), 2670 TheCall->getArg(1)->getLocEnd())); 2671 2672 numElements = LHSType->getAs<VectorType>()->getNumElements(); 2673 unsigned numResElements = TheCall->getNumArgs() - 2; 2674 2675 // Check to see if we have a call with 2 vector arguments, the unary shuffle 2676 // with mask. If so, verify that RHS is an integer vector type with the 2677 // same number of elts as lhs. 2678 if (TheCall->getNumArgs() == 2) { 2679 if (!RHSType->hasIntegerRepresentation() || 2680 RHSType->getAs<VectorType>()->getNumElements() != numElements) 2681 return ExprError(Diag(TheCall->getLocStart(), 2682 diag::err_shufflevector_incompatible_vector) 2683 << SourceRange(TheCall->getArg(1)->getLocStart(), 2684 TheCall->getArg(1)->getLocEnd())); 2685 } else if (!Context.hasSameUnqualifiedType(LHSType, RHSType)) { 2686 return ExprError(Diag(TheCall->getLocStart(), 2687 diag::err_shufflevector_incompatible_vector) 2688 << SourceRange(TheCall->getArg(0)->getLocStart(), 2689 TheCall->getArg(1)->getLocEnd())); 2690 } else if (numElements != numResElements) { 2691 QualType eltType = LHSType->getAs<VectorType>()->getElementType(); 2692 resType = Context.getVectorType(eltType, numResElements, 2693 VectorType::GenericVector); 2694 } 2695 } 2696 2697 for (unsigned i = 2; i < TheCall->getNumArgs(); i++) { 2698 if (TheCall->getArg(i)->isTypeDependent() || 2699 TheCall->getArg(i)->isValueDependent()) 2700 continue; 2701 2702 llvm::APSInt Result(32); 2703 if (!TheCall->getArg(i)->isIntegerConstantExpr(Result, Context)) 2704 return ExprError(Diag(TheCall->getLocStart(), 2705 diag::err_shufflevector_nonconstant_argument) 2706 << TheCall->getArg(i)->getSourceRange()); 2707 2708 // Allow -1 which will be translated to undef in the IR. 2709 if (Result.isSigned() && Result.isAllOnesValue()) 2710 continue; 2711 2712 if (Result.getActiveBits() > 64 || Result.getZExtValue() >= numElements*2) 2713 return ExprError(Diag(TheCall->getLocStart(), 2714 diag::err_shufflevector_argument_too_large) 2715 << TheCall->getArg(i)->getSourceRange()); 2716 } 2717 2718 SmallVector<Expr*, 32> exprs; 2719 2720 for (unsigned i = 0, e = TheCall->getNumArgs(); i != e; i++) { 2721 exprs.push_back(TheCall->getArg(i)); 2722 TheCall->setArg(i, nullptr); 2723 } 2724 2725 return new (Context) ShuffleVectorExpr(Context, exprs, resType, 2726 TheCall->getCallee()->getLocStart(), 2727 TheCall->getRParenLoc()); 2728 } 2729 2730 /// SemaConvertVectorExpr - Handle __builtin_convertvector 2731 ExprResult Sema::SemaConvertVectorExpr(Expr *E, TypeSourceInfo *TInfo, 2732 SourceLocation BuiltinLoc, 2733 SourceLocation RParenLoc) { 2734 ExprValueKind VK = VK_RValue; 2735 ExprObjectKind OK = OK_Ordinary; 2736 QualType DstTy = TInfo->getType(); 2737 QualType SrcTy = E->getType(); 2738 2739 if (!SrcTy->isVectorType() && !SrcTy->isDependentType()) 2740 return ExprError(Diag(BuiltinLoc, 2741 diag::err_convertvector_non_vector) 2742 << E->getSourceRange()); 2743 if (!DstTy->isVectorType() && !DstTy->isDependentType()) 2744 return ExprError(Diag(BuiltinLoc, 2745 diag::err_convertvector_non_vector_type)); 2746 2747 if (!SrcTy->isDependentType() && !DstTy->isDependentType()) { 2748 unsigned SrcElts = SrcTy->getAs<VectorType>()->getNumElements(); 2749 unsigned DstElts = DstTy->getAs<VectorType>()->getNumElements(); 2750 if (SrcElts != DstElts) 2751 return ExprError(Diag(BuiltinLoc, 2752 diag::err_convertvector_incompatible_vector) 2753 << E->getSourceRange()); 2754 } 2755 2756 return new (Context) 2757 ConvertVectorExpr(E, TInfo, DstTy, VK, OK, BuiltinLoc, RParenLoc); 2758 } 2759 2760 /// SemaBuiltinPrefetch - Handle __builtin_prefetch. 2761 // This is declared to take (const void*, ...) and can take two 2762 // optional constant int args. 2763 bool Sema::SemaBuiltinPrefetch(CallExpr *TheCall) { 2764 unsigned NumArgs = TheCall->getNumArgs(); 2765 2766 if (NumArgs > 3) 2767 return Diag(TheCall->getLocEnd(), 2768 diag::err_typecheck_call_too_many_args_at_most) 2769 << 0 /*function call*/ << 3 << NumArgs 2770 << TheCall->getSourceRange(); 2771 2772 // Argument 0 is checked for us and the remaining arguments must be 2773 // constant integers. 2774 for (unsigned i = 1; i != NumArgs; ++i) 2775 if (SemaBuiltinConstantArgRange(TheCall, i, 0, i == 1 ? 1 : 3)) 2776 return true; 2777 2778 return false; 2779 } 2780 2781 /// SemaBuiltinAssume - Handle __assume (MS Extension). 2782 // __assume does not evaluate its arguments, and should warn if its argument 2783 // has side effects. 2784 bool Sema::SemaBuiltinAssume(CallExpr *TheCall) { 2785 Expr *Arg = TheCall->getArg(0); 2786 if (Arg->isInstantiationDependent()) return false; 2787 2788 if (Arg->HasSideEffects(Context)) 2789 Diag(Arg->getLocStart(), diag::warn_assume_side_effects) 2790 << Arg->getSourceRange() 2791 << cast<FunctionDecl>(TheCall->getCalleeDecl())->getIdentifier(); 2792 2793 return false; 2794 } 2795 2796 /// Handle __builtin_assume_aligned. This is declared 2797 /// as (const void*, size_t, ...) and can take one optional constant int arg. 2798 bool Sema::SemaBuiltinAssumeAligned(CallExpr *TheCall) { 2799 unsigned NumArgs = TheCall->getNumArgs(); 2800 2801 if (NumArgs > 3) 2802 return Diag(TheCall->getLocEnd(), 2803 diag::err_typecheck_call_too_many_args_at_most) 2804 << 0 /*function call*/ << 3 << NumArgs 2805 << TheCall->getSourceRange(); 2806 2807 // The alignment must be a constant integer. 2808 Expr *Arg = TheCall->getArg(1); 2809 2810 // We can't check the value of a dependent argument. 2811 if (!Arg->isTypeDependent() && !Arg->isValueDependent()) { 2812 llvm::APSInt Result; 2813 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 2814 return true; 2815 2816 if (!Result.isPowerOf2()) 2817 return Diag(TheCall->getLocStart(), 2818 diag::err_alignment_not_power_of_two) 2819 << Arg->getSourceRange(); 2820 } 2821 2822 if (NumArgs > 2) { 2823 ExprResult Arg(TheCall->getArg(2)); 2824 InitializedEntity Entity = InitializedEntity::InitializeParameter(Context, 2825 Context.getSizeType(), false); 2826 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg); 2827 if (Arg.isInvalid()) return true; 2828 TheCall->setArg(2, Arg.get()); 2829 } 2830 2831 return false; 2832 } 2833 2834 /// SemaBuiltinConstantArg - Handle a check if argument ArgNum of CallExpr 2835 /// TheCall is a constant expression. 2836 bool Sema::SemaBuiltinConstantArg(CallExpr *TheCall, int ArgNum, 2837 llvm::APSInt &Result) { 2838 Expr *Arg = TheCall->getArg(ArgNum); 2839 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts()); 2840 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl()); 2841 2842 if (Arg->isTypeDependent() || Arg->isValueDependent()) return false; 2843 2844 if (!Arg->isIntegerConstantExpr(Result, Context)) 2845 return Diag(TheCall->getLocStart(), diag::err_constant_integer_arg_type) 2846 << FDecl->getDeclName() << Arg->getSourceRange(); 2847 2848 return false; 2849 } 2850 2851 /// SemaBuiltinConstantArgRange - Handle a check if argument ArgNum of CallExpr 2852 /// TheCall is a constant expression in the range [Low, High]. 2853 bool Sema::SemaBuiltinConstantArgRange(CallExpr *TheCall, int ArgNum, 2854 int Low, int High) { 2855 llvm::APSInt Result; 2856 2857 // We can't check the value of a dependent argument. 2858 Expr *Arg = TheCall->getArg(ArgNum); 2859 if (Arg->isTypeDependent() || Arg->isValueDependent()) 2860 return false; 2861 2862 // Check constant-ness first. 2863 if (SemaBuiltinConstantArg(TheCall, ArgNum, Result)) 2864 return true; 2865 2866 if (Result.getSExtValue() < Low || Result.getSExtValue() > High) 2867 return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range) 2868 << Low << High << Arg->getSourceRange(); 2869 2870 return false; 2871 } 2872 2873 /// SemaBuiltinARMSpecialReg - Handle a check if argument ArgNum of CallExpr 2874 /// TheCall is an ARM/AArch64 special register string literal. 2875 bool Sema::SemaBuiltinARMSpecialReg(unsigned BuiltinID, CallExpr *TheCall, 2876 int ArgNum, unsigned ExpectedFieldNum, 2877 bool AllowName) { 2878 bool IsARMBuiltin = BuiltinID == ARM::BI__builtin_arm_rsr64 || 2879 BuiltinID == ARM::BI__builtin_arm_wsr64 || 2880 BuiltinID == ARM::BI__builtin_arm_rsr || 2881 BuiltinID == ARM::BI__builtin_arm_rsrp || 2882 BuiltinID == ARM::BI__builtin_arm_wsr || 2883 BuiltinID == ARM::BI__builtin_arm_wsrp; 2884 bool IsAArch64Builtin = BuiltinID == AArch64::BI__builtin_arm_rsr64 || 2885 BuiltinID == AArch64::BI__builtin_arm_wsr64 || 2886 BuiltinID == AArch64::BI__builtin_arm_rsr || 2887 BuiltinID == AArch64::BI__builtin_arm_rsrp || 2888 BuiltinID == AArch64::BI__builtin_arm_wsr || 2889 BuiltinID == AArch64::BI__builtin_arm_wsrp; 2890 assert((IsARMBuiltin || IsAArch64Builtin) && "Unexpected ARM builtin."); 2891 2892 // We can't check the value of a dependent argument. 2893 Expr *Arg = TheCall->getArg(ArgNum); 2894 if (Arg->isTypeDependent() || Arg->isValueDependent()) 2895 return false; 2896 2897 // Check if the argument is a string literal. 2898 if (!isa<StringLiteral>(Arg->IgnoreParenImpCasts())) 2899 return Diag(TheCall->getLocStart(), diag::err_expr_not_string_literal) 2900 << Arg->getSourceRange(); 2901 2902 // Check the type of special register given. 2903 StringRef Reg = cast<StringLiteral>(Arg->IgnoreParenImpCasts())->getString(); 2904 SmallVector<StringRef, 6> Fields; 2905 Reg.split(Fields, ":"); 2906 2907 if (Fields.size() != ExpectedFieldNum && !(AllowName && Fields.size() == 1)) 2908 return Diag(TheCall->getLocStart(), diag::err_arm_invalid_specialreg) 2909 << Arg->getSourceRange(); 2910 2911 // If the string is the name of a register then we cannot check that it is 2912 // valid here but if the string is of one the forms described in ACLE then we 2913 // can check that the supplied fields are integers and within the valid 2914 // ranges. 2915 if (Fields.size() > 1) { 2916 bool FiveFields = Fields.size() == 5; 2917 2918 bool ValidString = true; 2919 if (IsARMBuiltin) { 2920 ValidString &= Fields[0].startswith_lower("cp") || 2921 Fields[0].startswith_lower("p"); 2922 if (ValidString) 2923 Fields[0] = 2924 Fields[0].drop_front(Fields[0].startswith_lower("cp") ? 2 : 1); 2925 2926 ValidString &= Fields[2].startswith_lower("c"); 2927 if (ValidString) 2928 Fields[2] = Fields[2].drop_front(1); 2929 2930 if (FiveFields) { 2931 ValidString &= Fields[3].startswith_lower("c"); 2932 if (ValidString) 2933 Fields[3] = Fields[3].drop_front(1); 2934 } 2935 } 2936 2937 SmallVector<int, 5> Ranges; 2938 if (FiveFields) 2939 Ranges.append({IsAArch64Builtin ? 1 : 15, 7, 7, 15, 15}); 2940 else 2941 Ranges.append({15, 7, 15}); 2942 2943 for (unsigned i=0; i<Fields.size(); ++i) { 2944 int IntField; 2945 ValidString &= !Fields[i].getAsInteger(10, IntField); 2946 ValidString &= (IntField >= 0 && IntField <= Ranges[i]); 2947 } 2948 2949 if (!ValidString) 2950 return Diag(TheCall->getLocStart(), diag::err_arm_invalid_specialreg) 2951 << Arg->getSourceRange(); 2952 2953 } else if (IsAArch64Builtin && Fields.size() == 1) { 2954 // If the register name is one of those that appear in the condition below 2955 // and the special register builtin being used is one of the write builtins, 2956 // then we require that the argument provided for writing to the register 2957 // is an integer constant expression. This is because it will be lowered to 2958 // an MSR (immediate) instruction, so we need to know the immediate at 2959 // compile time. 2960 if (TheCall->getNumArgs() != 2) 2961 return false; 2962 2963 std::string RegLower = Reg.lower(); 2964 if (RegLower != "spsel" && RegLower != "daifset" && RegLower != "daifclr" && 2965 RegLower != "pan" && RegLower != "uao") 2966 return false; 2967 2968 return SemaBuiltinConstantArgRange(TheCall, 1, 0, 15); 2969 } 2970 2971 return false; 2972 } 2973 2974 /// SemaBuiltinLongjmp - Handle __builtin_longjmp(void *env[5], int val). 2975 /// This checks that the target supports __builtin_longjmp and 2976 /// that val is a constant 1. 2977 bool Sema::SemaBuiltinLongjmp(CallExpr *TheCall) { 2978 if (!Context.getTargetInfo().hasSjLjLowering()) 2979 return Diag(TheCall->getLocStart(), diag::err_builtin_longjmp_unsupported) 2980 << SourceRange(TheCall->getLocStart(), TheCall->getLocEnd()); 2981 2982 Expr *Arg = TheCall->getArg(1); 2983 llvm::APSInt Result; 2984 2985 // TODO: This is less than ideal. Overload this to take a value. 2986 if (SemaBuiltinConstantArg(TheCall, 1, Result)) 2987 return true; 2988 2989 if (Result != 1) 2990 return Diag(TheCall->getLocStart(), diag::err_builtin_longjmp_invalid_val) 2991 << SourceRange(Arg->getLocStart(), Arg->getLocEnd()); 2992 2993 return false; 2994 } 2995 2996 2997 /// SemaBuiltinSetjmp - Handle __builtin_setjmp(void *env[5]). 2998 /// This checks that the target supports __builtin_setjmp. 2999 bool Sema::SemaBuiltinSetjmp(CallExpr *TheCall) { 3000 if (!Context.getTargetInfo().hasSjLjLowering()) 3001 return Diag(TheCall->getLocStart(), diag::err_builtin_setjmp_unsupported) 3002 << SourceRange(TheCall->getLocStart(), TheCall->getLocEnd()); 3003 return false; 3004 } 3005 3006 namespace { 3007 enum StringLiteralCheckType { 3008 SLCT_NotALiteral, 3009 SLCT_UncheckedLiteral, 3010 SLCT_CheckedLiteral 3011 }; 3012 } 3013 3014 // Determine if an expression is a string literal or constant string. 3015 // If this function returns false on the arguments to a function expecting a 3016 // format string, we will usually need to emit a warning. 3017 // True string literals are then checked by CheckFormatString. 3018 static StringLiteralCheckType 3019 checkFormatStringExpr(Sema &S, const Expr *E, ArrayRef<const Expr *> Args, 3020 bool HasVAListArg, unsigned format_idx, 3021 unsigned firstDataArg, Sema::FormatStringType Type, 3022 Sema::VariadicCallType CallType, bool InFunctionCall, 3023 llvm::SmallBitVector &CheckedVarArgs) { 3024 tryAgain: 3025 if (E->isTypeDependent() || E->isValueDependent()) 3026 return SLCT_NotALiteral; 3027 3028 E = E->IgnoreParenCasts(); 3029 3030 if (E->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNotNull)) 3031 // Technically -Wformat-nonliteral does not warn about this case. 3032 // The behavior of printf and friends in this case is implementation 3033 // dependent. Ideally if the format string cannot be null then 3034 // it should have a 'nonnull' attribute in the function prototype. 3035 return SLCT_UncheckedLiteral; 3036 3037 switch (E->getStmtClass()) { 3038 case Stmt::BinaryConditionalOperatorClass: 3039 case Stmt::ConditionalOperatorClass: { 3040 // The expression is a literal if both sub-expressions were, and it was 3041 // completely checked only if both sub-expressions were checked. 3042 const AbstractConditionalOperator *C = 3043 cast<AbstractConditionalOperator>(E); 3044 StringLiteralCheckType Left = 3045 checkFormatStringExpr(S, C->getTrueExpr(), Args, 3046 HasVAListArg, format_idx, firstDataArg, 3047 Type, CallType, InFunctionCall, CheckedVarArgs); 3048 if (Left == SLCT_NotALiteral) 3049 return SLCT_NotALiteral; 3050 StringLiteralCheckType Right = 3051 checkFormatStringExpr(S, C->getFalseExpr(), Args, 3052 HasVAListArg, format_idx, firstDataArg, 3053 Type, CallType, InFunctionCall, CheckedVarArgs); 3054 return Left < Right ? Left : Right; 3055 } 3056 3057 case Stmt::ImplicitCastExprClass: { 3058 E = cast<ImplicitCastExpr>(E)->getSubExpr(); 3059 goto tryAgain; 3060 } 3061 3062 case Stmt::OpaqueValueExprClass: 3063 if (const Expr *src = cast<OpaqueValueExpr>(E)->getSourceExpr()) { 3064 E = src; 3065 goto tryAgain; 3066 } 3067 return SLCT_NotALiteral; 3068 3069 case Stmt::PredefinedExprClass: 3070 // While __func__, etc., are technically not string literals, they 3071 // cannot contain format specifiers and thus are not a security 3072 // liability. 3073 return SLCT_UncheckedLiteral; 3074 3075 case Stmt::DeclRefExprClass: { 3076 const DeclRefExpr *DR = cast<DeclRefExpr>(E); 3077 3078 // As an exception, do not flag errors for variables binding to 3079 // const string literals. 3080 if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) { 3081 bool isConstant = false; 3082 QualType T = DR->getType(); 3083 3084 if (const ArrayType *AT = S.Context.getAsArrayType(T)) { 3085 isConstant = AT->getElementType().isConstant(S.Context); 3086 } else if (const PointerType *PT = T->getAs<PointerType>()) { 3087 isConstant = T.isConstant(S.Context) && 3088 PT->getPointeeType().isConstant(S.Context); 3089 } else if (T->isObjCObjectPointerType()) { 3090 // In ObjC, there is usually no "const ObjectPointer" type, 3091 // so don't check if the pointee type is constant. 3092 isConstant = T.isConstant(S.Context); 3093 } 3094 3095 if (isConstant) { 3096 if (const Expr *Init = VD->getAnyInitializer()) { 3097 // Look through initializers like const char c[] = { "foo" } 3098 if (const InitListExpr *InitList = dyn_cast<InitListExpr>(Init)) { 3099 if (InitList->isStringLiteralInit()) 3100 Init = InitList->getInit(0)->IgnoreParenImpCasts(); 3101 } 3102 return checkFormatStringExpr(S, Init, Args, 3103 HasVAListArg, format_idx, 3104 firstDataArg, Type, CallType, 3105 /*InFunctionCall*/false, CheckedVarArgs); 3106 } 3107 } 3108 3109 // For vprintf* functions (i.e., HasVAListArg==true), we add a 3110 // special check to see if the format string is a function parameter 3111 // of the function calling the printf function. If the function 3112 // has an attribute indicating it is a printf-like function, then we 3113 // should suppress warnings concerning non-literals being used in a call 3114 // to a vprintf function. For example: 3115 // 3116 // void 3117 // logmessage(char const *fmt __attribute__ (format (printf, 1, 2)), ...){ 3118 // va_list ap; 3119 // va_start(ap, fmt); 3120 // vprintf(fmt, ap); // Do NOT emit a warning about "fmt". 3121 // ... 3122 // } 3123 if (HasVAListArg) { 3124 if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(VD)) { 3125 if (const NamedDecl *ND = dyn_cast<NamedDecl>(PV->getDeclContext())) { 3126 int PVIndex = PV->getFunctionScopeIndex() + 1; 3127 for (const auto *PVFormat : ND->specific_attrs<FormatAttr>()) { 3128 // adjust for implicit parameter 3129 if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(ND)) 3130 if (MD->isInstance()) 3131 ++PVIndex; 3132 // We also check if the formats are compatible. 3133 // We can't pass a 'scanf' string to a 'printf' function. 3134 if (PVIndex == PVFormat->getFormatIdx() && 3135 Type == S.GetFormatStringType(PVFormat)) 3136 return SLCT_UncheckedLiteral; 3137 } 3138 } 3139 } 3140 } 3141 } 3142 3143 return SLCT_NotALiteral; 3144 } 3145 3146 case Stmt::CallExprClass: 3147 case Stmt::CXXMemberCallExprClass: { 3148 const CallExpr *CE = cast<CallExpr>(E); 3149 if (const NamedDecl *ND = dyn_cast_or_null<NamedDecl>(CE->getCalleeDecl())) { 3150 if (const FormatArgAttr *FA = ND->getAttr<FormatArgAttr>()) { 3151 unsigned ArgIndex = FA->getFormatIdx(); 3152 if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(ND)) 3153 if (MD->isInstance()) 3154 --ArgIndex; 3155 const Expr *Arg = CE->getArg(ArgIndex - 1); 3156 3157 return checkFormatStringExpr(S, Arg, Args, 3158 HasVAListArg, format_idx, firstDataArg, 3159 Type, CallType, InFunctionCall, 3160 CheckedVarArgs); 3161 } else if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(ND)) { 3162 unsigned BuiltinID = FD->getBuiltinID(); 3163 if (BuiltinID == Builtin::BI__builtin___CFStringMakeConstantString || 3164 BuiltinID == Builtin::BI__builtin___NSStringMakeConstantString) { 3165 const Expr *Arg = CE->getArg(0); 3166 return checkFormatStringExpr(S, Arg, Args, 3167 HasVAListArg, format_idx, 3168 firstDataArg, Type, CallType, 3169 InFunctionCall, CheckedVarArgs); 3170 } 3171 } 3172 } 3173 3174 return SLCT_NotALiteral; 3175 } 3176 case Stmt::ObjCStringLiteralClass: 3177 case Stmt::StringLiteralClass: { 3178 const StringLiteral *StrE = nullptr; 3179 3180 if (const ObjCStringLiteral *ObjCFExpr = dyn_cast<ObjCStringLiteral>(E)) 3181 StrE = ObjCFExpr->getString(); 3182 else 3183 StrE = cast<StringLiteral>(E); 3184 3185 if (StrE) { 3186 S.CheckFormatString(StrE, E, Args, HasVAListArg, format_idx, firstDataArg, 3187 Type, InFunctionCall, CallType, CheckedVarArgs); 3188 return SLCT_CheckedLiteral; 3189 } 3190 3191 return SLCT_NotALiteral; 3192 } 3193 3194 default: 3195 return SLCT_NotALiteral; 3196 } 3197 } 3198 3199 Sema::FormatStringType Sema::GetFormatStringType(const FormatAttr *Format) { 3200 return llvm::StringSwitch<FormatStringType>(Format->getType()->getName()) 3201 .Case("scanf", FST_Scanf) 3202 .Cases("printf", "printf0", FST_Printf) 3203 .Cases("NSString", "CFString", FST_NSString) 3204 .Case("strftime", FST_Strftime) 3205 .Case("strfmon", FST_Strfmon) 3206 .Cases("kprintf", "cmn_err", "vcmn_err", "zcmn_err", FST_Kprintf) 3207 .Case("freebsd_kprintf", FST_FreeBSDKPrintf) 3208 .Case("os_trace", FST_OSTrace) 3209 .Default(FST_Unknown); 3210 } 3211 3212 /// CheckFormatArguments - Check calls to printf and scanf (and similar 3213 /// functions) for correct use of format strings. 3214 /// Returns true if a format string has been fully checked. 3215 bool Sema::CheckFormatArguments(const FormatAttr *Format, 3216 ArrayRef<const Expr *> Args, 3217 bool IsCXXMember, 3218 VariadicCallType CallType, 3219 SourceLocation Loc, SourceRange Range, 3220 llvm::SmallBitVector &CheckedVarArgs) { 3221 FormatStringInfo FSI; 3222 if (getFormatStringInfo(Format, IsCXXMember, &FSI)) 3223 return CheckFormatArguments(Args, FSI.HasVAListArg, FSI.FormatIdx, 3224 FSI.FirstDataArg, GetFormatStringType(Format), 3225 CallType, Loc, Range, CheckedVarArgs); 3226 return false; 3227 } 3228 3229 bool Sema::CheckFormatArguments(ArrayRef<const Expr *> Args, 3230 bool HasVAListArg, unsigned format_idx, 3231 unsigned firstDataArg, FormatStringType Type, 3232 VariadicCallType CallType, 3233 SourceLocation Loc, SourceRange Range, 3234 llvm::SmallBitVector &CheckedVarArgs) { 3235 // CHECK: printf/scanf-like function is called with no format string. 3236 if (format_idx >= Args.size()) { 3237 Diag(Loc, diag::warn_missing_format_string) << Range; 3238 return false; 3239 } 3240 3241 const Expr *OrigFormatExpr = Args[format_idx]->IgnoreParenCasts(); 3242 3243 // CHECK: format string is not a string literal. 3244 // 3245 // Dynamically generated format strings are difficult to 3246 // automatically vet at compile time. Requiring that format strings 3247 // are string literals: (1) permits the checking of format strings by 3248 // the compiler and thereby (2) can practically remove the source of 3249 // many format string exploits. 3250 3251 // Format string can be either ObjC string (e.g. @"%d") or 3252 // C string (e.g. "%d") 3253 // ObjC string uses the same format specifiers as C string, so we can use 3254 // the same format string checking logic for both ObjC and C strings. 3255 StringLiteralCheckType CT = 3256 checkFormatStringExpr(*this, OrigFormatExpr, Args, HasVAListArg, 3257 format_idx, firstDataArg, Type, CallType, 3258 /*IsFunctionCall*/true, CheckedVarArgs); 3259 if (CT != SLCT_NotALiteral) 3260 // Literal format string found, check done! 3261 return CT == SLCT_CheckedLiteral; 3262 3263 // Strftime is particular as it always uses a single 'time' argument, 3264 // so it is safe to pass a non-literal string. 3265 if (Type == FST_Strftime) 3266 return false; 3267 3268 // Do not emit diag when the string param is a macro expansion and the 3269 // format is either NSString or CFString. This is a hack to prevent 3270 // diag when using the NSLocalizedString and CFCopyLocalizedString macros 3271 // which are usually used in place of NS and CF string literals. 3272 if (Type == FST_NSString && 3273 SourceMgr.isInSystemMacro(Args[format_idx]->getLocStart())) 3274 return false; 3275 3276 // If there are no arguments specified, warn with -Wformat-security, otherwise 3277 // warn only with -Wformat-nonliteral. 3278 if (Args.size() == firstDataArg) 3279 Diag(Args[format_idx]->getLocStart(), 3280 diag::warn_format_nonliteral_noargs) 3281 << OrigFormatExpr->getSourceRange(); 3282 else 3283 Diag(Args[format_idx]->getLocStart(), 3284 diag::warn_format_nonliteral) 3285 << OrigFormatExpr->getSourceRange(); 3286 return false; 3287 } 3288 3289 namespace { 3290 class CheckFormatHandler : public analyze_format_string::FormatStringHandler { 3291 protected: 3292 Sema &S; 3293 const StringLiteral *FExpr; 3294 const Expr *OrigFormatExpr; 3295 const unsigned FirstDataArg; 3296 const unsigned NumDataArgs; 3297 const char *Beg; // Start of format string. 3298 const bool HasVAListArg; 3299 ArrayRef<const Expr *> Args; 3300 unsigned FormatIdx; 3301 llvm::SmallBitVector CoveredArgs; 3302 bool usesPositionalArgs; 3303 bool atFirstArg; 3304 bool inFunctionCall; 3305 Sema::VariadicCallType CallType; 3306 llvm::SmallBitVector &CheckedVarArgs; 3307 public: 3308 CheckFormatHandler(Sema &s, const StringLiteral *fexpr, 3309 const Expr *origFormatExpr, unsigned firstDataArg, 3310 unsigned numDataArgs, const char *beg, bool hasVAListArg, 3311 ArrayRef<const Expr *> Args, 3312 unsigned formatIdx, bool inFunctionCall, 3313 Sema::VariadicCallType callType, 3314 llvm::SmallBitVector &CheckedVarArgs) 3315 : S(s), FExpr(fexpr), OrigFormatExpr(origFormatExpr), 3316 FirstDataArg(firstDataArg), NumDataArgs(numDataArgs), 3317 Beg(beg), HasVAListArg(hasVAListArg), 3318 Args(Args), FormatIdx(formatIdx), 3319 usesPositionalArgs(false), atFirstArg(true), 3320 inFunctionCall(inFunctionCall), CallType(callType), 3321 CheckedVarArgs(CheckedVarArgs) { 3322 CoveredArgs.resize(numDataArgs); 3323 CoveredArgs.reset(); 3324 } 3325 3326 void DoneProcessing(); 3327 3328 void HandleIncompleteSpecifier(const char *startSpecifier, 3329 unsigned specifierLen) override; 3330 3331 void HandleInvalidLengthModifier( 3332 const analyze_format_string::FormatSpecifier &FS, 3333 const analyze_format_string::ConversionSpecifier &CS, 3334 const char *startSpecifier, unsigned specifierLen, 3335 unsigned DiagID); 3336 3337 void HandleNonStandardLengthModifier( 3338 const analyze_format_string::FormatSpecifier &FS, 3339 const char *startSpecifier, unsigned specifierLen); 3340 3341 void HandleNonStandardConversionSpecifier( 3342 const analyze_format_string::ConversionSpecifier &CS, 3343 const char *startSpecifier, unsigned specifierLen); 3344 3345 void HandlePosition(const char *startPos, unsigned posLen) override; 3346 3347 void HandleInvalidPosition(const char *startSpecifier, 3348 unsigned specifierLen, 3349 analyze_format_string::PositionContext p) override; 3350 3351 void HandleZeroPosition(const char *startPos, unsigned posLen) override; 3352 3353 void HandleNullChar(const char *nullCharacter) override; 3354 3355 template <typename Range> 3356 static void EmitFormatDiagnostic(Sema &S, bool inFunctionCall, 3357 const Expr *ArgumentExpr, 3358 PartialDiagnostic PDiag, 3359 SourceLocation StringLoc, 3360 bool IsStringLocation, Range StringRange, 3361 ArrayRef<FixItHint> Fixit = None); 3362 3363 protected: 3364 bool HandleInvalidConversionSpecifier(unsigned argIndex, SourceLocation Loc, 3365 const char *startSpec, 3366 unsigned specifierLen, 3367 const char *csStart, unsigned csLen); 3368 3369 void HandlePositionalNonpositionalArgs(SourceLocation Loc, 3370 const char *startSpec, 3371 unsigned specifierLen); 3372 3373 SourceRange getFormatStringRange(); 3374 CharSourceRange getSpecifierRange(const char *startSpecifier, 3375 unsigned specifierLen); 3376 SourceLocation getLocationOfByte(const char *x); 3377 3378 const Expr *getDataArg(unsigned i) const; 3379 3380 bool CheckNumArgs(const analyze_format_string::FormatSpecifier &FS, 3381 const analyze_format_string::ConversionSpecifier &CS, 3382 const char *startSpecifier, unsigned specifierLen, 3383 unsigned argIndex); 3384 3385 template <typename Range> 3386 void EmitFormatDiagnostic(PartialDiagnostic PDiag, SourceLocation StringLoc, 3387 bool IsStringLocation, Range StringRange, 3388 ArrayRef<FixItHint> Fixit = None); 3389 }; 3390 } 3391 3392 SourceRange CheckFormatHandler::getFormatStringRange() { 3393 return OrigFormatExpr->getSourceRange(); 3394 } 3395 3396 CharSourceRange CheckFormatHandler:: 3397 getSpecifierRange(const char *startSpecifier, unsigned specifierLen) { 3398 SourceLocation Start = getLocationOfByte(startSpecifier); 3399 SourceLocation End = getLocationOfByte(startSpecifier + specifierLen - 1); 3400 3401 // Advance the end SourceLocation by one due to half-open ranges. 3402 End = End.getLocWithOffset(1); 3403 3404 return CharSourceRange::getCharRange(Start, End); 3405 } 3406 3407 SourceLocation CheckFormatHandler::getLocationOfByte(const char *x) { 3408 return S.getLocationOfStringLiteralByte(FExpr, x - Beg); 3409 } 3410 3411 void CheckFormatHandler::HandleIncompleteSpecifier(const char *startSpecifier, 3412 unsigned specifierLen){ 3413 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_incomplete_specifier), 3414 getLocationOfByte(startSpecifier), 3415 /*IsStringLocation*/true, 3416 getSpecifierRange(startSpecifier, specifierLen)); 3417 } 3418 3419 void CheckFormatHandler::HandleInvalidLengthModifier( 3420 const analyze_format_string::FormatSpecifier &FS, 3421 const analyze_format_string::ConversionSpecifier &CS, 3422 const char *startSpecifier, unsigned specifierLen, unsigned DiagID) { 3423 using namespace analyze_format_string; 3424 3425 const LengthModifier &LM = FS.getLengthModifier(); 3426 CharSourceRange LMRange = getSpecifierRange(LM.getStart(), LM.getLength()); 3427 3428 // See if we know how to fix this length modifier. 3429 Optional<LengthModifier> FixedLM = FS.getCorrectedLengthModifier(); 3430 if (FixedLM) { 3431 EmitFormatDiagnostic(S.PDiag(DiagID) << LM.toString() << CS.toString(), 3432 getLocationOfByte(LM.getStart()), 3433 /*IsStringLocation*/true, 3434 getSpecifierRange(startSpecifier, specifierLen)); 3435 3436 S.Diag(getLocationOfByte(LM.getStart()), diag::note_format_fix_specifier) 3437 << FixedLM->toString() 3438 << FixItHint::CreateReplacement(LMRange, FixedLM->toString()); 3439 3440 } else { 3441 FixItHint Hint; 3442 if (DiagID == diag::warn_format_nonsensical_length) 3443 Hint = FixItHint::CreateRemoval(LMRange); 3444 3445 EmitFormatDiagnostic(S.PDiag(DiagID) << LM.toString() << CS.toString(), 3446 getLocationOfByte(LM.getStart()), 3447 /*IsStringLocation*/true, 3448 getSpecifierRange(startSpecifier, specifierLen), 3449 Hint); 3450 } 3451 } 3452 3453 void CheckFormatHandler::HandleNonStandardLengthModifier( 3454 const analyze_format_string::FormatSpecifier &FS, 3455 const char *startSpecifier, unsigned specifierLen) { 3456 using namespace analyze_format_string; 3457 3458 const LengthModifier &LM = FS.getLengthModifier(); 3459 CharSourceRange LMRange = getSpecifierRange(LM.getStart(), LM.getLength()); 3460 3461 // See if we know how to fix this length modifier. 3462 Optional<LengthModifier> FixedLM = FS.getCorrectedLengthModifier(); 3463 if (FixedLM) { 3464 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) 3465 << LM.toString() << 0, 3466 getLocationOfByte(LM.getStart()), 3467 /*IsStringLocation*/true, 3468 getSpecifierRange(startSpecifier, specifierLen)); 3469 3470 S.Diag(getLocationOfByte(LM.getStart()), diag::note_format_fix_specifier) 3471 << FixedLM->toString() 3472 << FixItHint::CreateReplacement(LMRange, FixedLM->toString()); 3473 3474 } else { 3475 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) 3476 << LM.toString() << 0, 3477 getLocationOfByte(LM.getStart()), 3478 /*IsStringLocation*/true, 3479 getSpecifierRange(startSpecifier, specifierLen)); 3480 } 3481 } 3482 3483 void CheckFormatHandler::HandleNonStandardConversionSpecifier( 3484 const analyze_format_string::ConversionSpecifier &CS, 3485 const char *startSpecifier, unsigned specifierLen) { 3486 using namespace analyze_format_string; 3487 3488 // See if we know how to fix this conversion specifier. 3489 Optional<ConversionSpecifier> FixedCS = CS.getStandardSpecifier(); 3490 if (FixedCS) { 3491 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) 3492 << CS.toString() << /*conversion specifier*/1, 3493 getLocationOfByte(CS.getStart()), 3494 /*IsStringLocation*/true, 3495 getSpecifierRange(startSpecifier, specifierLen)); 3496 3497 CharSourceRange CSRange = getSpecifierRange(CS.getStart(), CS.getLength()); 3498 S.Diag(getLocationOfByte(CS.getStart()), diag::note_format_fix_specifier) 3499 << FixedCS->toString() 3500 << FixItHint::CreateReplacement(CSRange, FixedCS->toString()); 3501 } else { 3502 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard) 3503 << CS.toString() << /*conversion specifier*/1, 3504 getLocationOfByte(CS.getStart()), 3505 /*IsStringLocation*/true, 3506 getSpecifierRange(startSpecifier, specifierLen)); 3507 } 3508 } 3509 3510 void CheckFormatHandler::HandlePosition(const char *startPos, 3511 unsigned posLen) { 3512 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard_positional_arg), 3513 getLocationOfByte(startPos), 3514 /*IsStringLocation*/true, 3515 getSpecifierRange(startPos, posLen)); 3516 } 3517 3518 void 3519 CheckFormatHandler::HandleInvalidPosition(const char *startPos, unsigned posLen, 3520 analyze_format_string::PositionContext p) { 3521 EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_positional_specifier) 3522 << (unsigned) p, 3523 getLocationOfByte(startPos), /*IsStringLocation*/true, 3524 getSpecifierRange(startPos, posLen)); 3525 } 3526 3527 void CheckFormatHandler::HandleZeroPosition(const char *startPos, 3528 unsigned posLen) { 3529 EmitFormatDiagnostic(S.PDiag(diag::warn_format_zero_positional_specifier), 3530 getLocationOfByte(startPos), 3531 /*IsStringLocation*/true, 3532 getSpecifierRange(startPos, posLen)); 3533 } 3534 3535 void CheckFormatHandler::HandleNullChar(const char *nullCharacter) { 3536 if (!isa<ObjCStringLiteral>(OrigFormatExpr)) { 3537 // The presence of a null character is likely an error. 3538 EmitFormatDiagnostic( 3539 S.PDiag(diag::warn_printf_format_string_contains_null_char), 3540 getLocationOfByte(nullCharacter), /*IsStringLocation*/true, 3541 getFormatStringRange()); 3542 } 3543 } 3544 3545 // Note that this may return NULL if there was an error parsing or building 3546 // one of the argument expressions. 3547 const Expr *CheckFormatHandler::getDataArg(unsigned i) const { 3548 return Args[FirstDataArg + i]; 3549 } 3550 3551 void CheckFormatHandler::DoneProcessing() { 3552 // Does the number of data arguments exceed the number of 3553 // format conversions in the format string? 3554 if (!HasVAListArg) { 3555 // Find any arguments that weren't covered. 3556 CoveredArgs.flip(); 3557 signed notCoveredArg = CoveredArgs.find_first(); 3558 if (notCoveredArg >= 0) { 3559 assert((unsigned)notCoveredArg < NumDataArgs); 3560 if (const Expr *E = getDataArg((unsigned) notCoveredArg)) { 3561 SourceLocation Loc = E->getLocStart(); 3562 if (!S.getSourceManager().isInSystemMacro(Loc)) { 3563 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_data_arg_not_used), 3564 Loc, /*IsStringLocation*/false, 3565 getFormatStringRange()); 3566 } 3567 } 3568 } 3569 } 3570 } 3571 3572 bool 3573 CheckFormatHandler::HandleInvalidConversionSpecifier(unsigned argIndex, 3574 SourceLocation Loc, 3575 const char *startSpec, 3576 unsigned specifierLen, 3577 const char *csStart, 3578 unsigned csLen) { 3579 3580 bool keepGoing = true; 3581 if (argIndex < NumDataArgs) { 3582 // Consider the argument coverered, even though the specifier doesn't 3583 // make sense. 3584 CoveredArgs.set(argIndex); 3585 } 3586 else { 3587 // If argIndex exceeds the number of data arguments we 3588 // don't issue a warning because that is just a cascade of warnings (and 3589 // they may have intended '%%' anyway). We don't want to continue processing 3590 // the format string after this point, however, as we will like just get 3591 // gibberish when trying to match arguments. 3592 keepGoing = false; 3593 } 3594 3595 EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_conversion) 3596 << StringRef(csStart, csLen), 3597 Loc, /*IsStringLocation*/true, 3598 getSpecifierRange(startSpec, specifierLen)); 3599 3600 return keepGoing; 3601 } 3602 3603 void 3604 CheckFormatHandler::HandlePositionalNonpositionalArgs(SourceLocation Loc, 3605 const char *startSpec, 3606 unsigned specifierLen) { 3607 EmitFormatDiagnostic( 3608 S.PDiag(diag::warn_format_mix_positional_nonpositional_args), 3609 Loc, /*isStringLoc*/true, getSpecifierRange(startSpec, specifierLen)); 3610 } 3611 3612 bool 3613 CheckFormatHandler::CheckNumArgs( 3614 const analyze_format_string::FormatSpecifier &FS, 3615 const analyze_format_string::ConversionSpecifier &CS, 3616 const char *startSpecifier, unsigned specifierLen, unsigned argIndex) { 3617 3618 if (argIndex >= NumDataArgs) { 3619 PartialDiagnostic PDiag = FS.usesPositionalArg() 3620 ? (S.PDiag(diag::warn_printf_positional_arg_exceeds_data_args) 3621 << (argIndex+1) << NumDataArgs) 3622 : S.PDiag(diag::warn_printf_insufficient_data_args); 3623 EmitFormatDiagnostic( 3624 PDiag, getLocationOfByte(CS.getStart()), /*IsStringLocation*/true, 3625 getSpecifierRange(startSpecifier, specifierLen)); 3626 return false; 3627 } 3628 return true; 3629 } 3630 3631 template<typename Range> 3632 void CheckFormatHandler::EmitFormatDiagnostic(PartialDiagnostic PDiag, 3633 SourceLocation Loc, 3634 bool IsStringLocation, 3635 Range StringRange, 3636 ArrayRef<FixItHint> FixIt) { 3637 EmitFormatDiagnostic(S, inFunctionCall, Args[FormatIdx], PDiag, 3638 Loc, IsStringLocation, StringRange, FixIt); 3639 } 3640 3641 /// \brief If the format string is not within the funcion call, emit a note 3642 /// so that the function call and string are in diagnostic messages. 3643 /// 3644 /// \param InFunctionCall if true, the format string is within the function 3645 /// call and only one diagnostic message will be produced. Otherwise, an 3646 /// extra note will be emitted pointing to location of the format string. 3647 /// 3648 /// \param ArgumentExpr the expression that is passed as the format string 3649 /// argument in the function call. Used for getting locations when two 3650 /// diagnostics are emitted. 3651 /// 3652 /// \param PDiag the callee should already have provided any strings for the 3653 /// diagnostic message. This function only adds locations and fixits 3654 /// to diagnostics. 3655 /// 3656 /// \param Loc primary location for diagnostic. If two diagnostics are 3657 /// required, one will be at Loc and a new SourceLocation will be created for 3658 /// the other one. 3659 /// 3660 /// \param IsStringLocation if true, Loc points to the format string should be 3661 /// used for the note. Otherwise, Loc points to the argument list and will 3662 /// be used with PDiag. 3663 /// 3664 /// \param StringRange some or all of the string to highlight. This is 3665 /// templated so it can accept either a CharSourceRange or a SourceRange. 3666 /// 3667 /// \param FixIt optional fix it hint for the format string. 3668 template<typename Range> 3669 void CheckFormatHandler::EmitFormatDiagnostic(Sema &S, bool InFunctionCall, 3670 const Expr *ArgumentExpr, 3671 PartialDiagnostic PDiag, 3672 SourceLocation Loc, 3673 bool IsStringLocation, 3674 Range StringRange, 3675 ArrayRef<FixItHint> FixIt) { 3676 if (InFunctionCall) { 3677 const Sema::SemaDiagnosticBuilder &D = S.Diag(Loc, PDiag); 3678 D << StringRange; 3679 D << FixIt; 3680 } else { 3681 S.Diag(IsStringLocation ? ArgumentExpr->getExprLoc() : Loc, PDiag) 3682 << ArgumentExpr->getSourceRange(); 3683 3684 const Sema::SemaDiagnosticBuilder &Note = 3685 S.Diag(IsStringLocation ? Loc : StringRange.getBegin(), 3686 diag::note_format_string_defined); 3687 3688 Note << StringRange; 3689 Note << FixIt; 3690 } 3691 } 3692 3693 //===--- CHECK: Printf format string checking ------------------------------===// 3694 3695 namespace { 3696 class CheckPrintfHandler : public CheckFormatHandler { 3697 bool ObjCContext; 3698 public: 3699 CheckPrintfHandler(Sema &s, const StringLiteral *fexpr, 3700 const Expr *origFormatExpr, unsigned firstDataArg, 3701 unsigned numDataArgs, bool isObjC, 3702 const char *beg, bool hasVAListArg, 3703 ArrayRef<const Expr *> Args, 3704 unsigned formatIdx, bool inFunctionCall, 3705 Sema::VariadicCallType CallType, 3706 llvm::SmallBitVector &CheckedVarArgs) 3707 : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg, 3708 numDataArgs, beg, hasVAListArg, Args, 3709 formatIdx, inFunctionCall, CallType, CheckedVarArgs), 3710 ObjCContext(isObjC) 3711 {} 3712 3713 3714 bool HandleInvalidPrintfConversionSpecifier( 3715 const analyze_printf::PrintfSpecifier &FS, 3716 const char *startSpecifier, 3717 unsigned specifierLen) override; 3718 3719 bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS, 3720 const char *startSpecifier, 3721 unsigned specifierLen) override; 3722 bool checkFormatExpr(const analyze_printf::PrintfSpecifier &FS, 3723 const char *StartSpecifier, 3724 unsigned SpecifierLen, 3725 const Expr *E); 3726 3727 bool HandleAmount(const analyze_format_string::OptionalAmount &Amt, unsigned k, 3728 const char *startSpecifier, unsigned specifierLen); 3729 void HandleInvalidAmount(const analyze_printf::PrintfSpecifier &FS, 3730 const analyze_printf::OptionalAmount &Amt, 3731 unsigned type, 3732 const char *startSpecifier, unsigned specifierLen); 3733 void HandleFlag(const analyze_printf::PrintfSpecifier &FS, 3734 const analyze_printf::OptionalFlag &flag, 3735 const char *startSpecifier, unsigned specifierLen); 3736 void HandleIgnoredFlag(const analyze_printf::PrintfSpecifier &FS, 3737 const analyze_printf::OptionalFlag &ignoredFlag, 3738 const analyze_printf::OptionalFlag &flag, 3739 const char *startSpecifier, unsigned specifierLen); 3740 bool checkForCStrMembers(const analyze_printf::ArgType &AT, 3741 const Expr *E); 3742 3743 void HandleEmptyObjCModifierFlag(const char *startFlag, 3744 unsigned flagLen) override; 3745 3746 void HandleInvalidObjCModifierFlag(const char *startFlag, 3747 unsigned flagLen) override; 3748 3749 void HandleObjCFlagsWithNonObjCConversion(const char *flagsStart, 3750 const char *flagsEnd, 3751 const char *conversionPosition) 3752 override; 3753 }; 3754 } 3755 3756 bool CheckPrintfHandler::HandleInvalidPrintfConversionSpecifier( 3757 const analyze_printf::PrintfSpecifier &FS, 3758 const char *startSpecifier, 3759 unsigned specifierLen) { 3760 const analyze_printf::PrintfConversionSpecifier &CS = 3761 FS.getConversionSpecifier(); 3762 3763 return HandleInvalidConversionSpecifier(FS.getArgIndex(), 3764 getLocationOfByte(CS.getStart()), 3765 startSpecifier, specifierLen, 3766 CS.getStart(), CS.getLength()); 3767 } 3768 3769 bool CheckPrintfHandler::HandleAmount( 3770 const analyze_format_string::OptionalAmount &Amt, 3771 unsigned k, const char *startSpecifier, 3772 unsigned specifierLen) { 3773 3774 if (Amt.hasDataArgument()) { 3775 if (!HasVAListArg) { 3776 unsigned argIndex = Amt.getArgIndex(); 3777 if (argIndex >= NumDataArgs) { 3778 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_missing_arg) 3779 << k, 3780 getLocationOfByte(Amt.getStart()), 3781 /*IsStringLocation*/true, 3782 getSpecifierRange(startSpecifier, specifierLen)); 3783 // Don't do any more checking. We will just emit 3784 // spurious errors. 3785 return false; 3786 } 3787 3788 // Type check the data argument. It should be an 'int'. 3789 // Although not in conformance with C99, we also allow the argument to be 3790 // an 'unsigned int' as that is a reasonably safe case. GCC also 3791 // doesn't emit a warning for that case. 3792 CoveredArgs.set(argIndex); 3793 const Expr *Arg = getDataArg(argIndex); 3794 if (!Arg) 3795 return false; 3796 3797 QualType T = Arg->getType(); 3798 3799 const analyze_printf::ArgType &AT = Amt.getArgType(S.Context); 3800 assert(AT.isValid()); 3801 3802 if (!AT.matchesType(S.Context, T)) { 3803 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_wrong_type) 3804 << k << AT.getRepresentativeTypeName(S.Context) 3805 << T << Arg->getSourceRange(), 3806 getLocationOfByte(Amt.getStart()), 3807 /*IsStringLocation*/true, 3808 getSpecifierRange(startSpecifier, specifierLen)); 3809 // Don't do any more checking. We will just emit 3810 // spurious errors. 3811 return false; 3812 } 3813 } 3814 } 3815 return true; 3816 } 3817 3818 void CheckPrintfHandler::HandleInvalidAmount( 3819 const analyze_printf::PrintfSpecifier &FS, 3820 const analyze_printf::OptionalAmount &Amt, 3821 unsigned type, 3822 const char *startSpecifier, 3823 unsigned specifierLen) { 3824 const analyze_printf::PrintfConversionSpecifier &CS = 3825 FS.getConversionSpecifier(); 3826 3827 FixItHint fixit = 3828 Amt.getHowSpecified() == analyze_printf::OptionalAmount::Constant 3829 ? FixItHint::CreateRemoval(getSpecifierRange(Amt.getStart(), 3830 Amt.getConstantLength())) 3831 : FixItHint(); 3832 3833 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_optional_amount) 3834 << type << CS.toString(), 3835 getLocationOfByte(Amt.getStart()), 3836 /*IsStringLocation*/true, 3837 getSpecifierRange(startSpecifier, specifierLen), 3838 fixit); 3839 } 3840 3841 void CheckPrintfHandler::HandleFlag(const analyze_printf::PrintfSpecifier &FS, 3842 const analyze_printf::OptionalFlag &flag, 3843 const char *startSpecifier, 3844 unsigned specifierLen) { 3845 // Warn about pointless flag with a fixit removal. 3846 const analyze_printf::PrintfConversionSpecifier &CS = 3847 FS.getConversionSpecifier(); 3848 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_flag) 3849 << flag.toString() << CS.toString(), 3850 getLocationOfByte(flag.getPosition()), 3851 /*IsStringLocation*/true, 3852 getSpecifierRange(startSpecifier, specifierLen), 3853 FixItHint::CreateRemoval( 3854 getSpecifierRange(flag.getPosition(), 1))); 3855 } 3856 3857 void CheckPrintfHandler::HandleIgnoredFlag( 3858 const analyze_printf::PrintfSpecifier &FS, 3859 const analyze_printf::OptionalFlag &ignoredFlag, 3860 const analyze_printf::OptionalFlag &flag, 3861 const char *startSpecifier, 3862 unsigned specifierLen) { 3863 // Warn about ignored flag with a fixit removal. 3864 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_ignored_flag) 3865 << ignoredFlag.toString() << flag.toString(), 3866 getLocationOfByte(ignoredFlag.getPosition()), 3867 /*IsStringLocation*/true, 3868 getSpecifierRange(startSpecifier, specifierLen), 3869 FixItHint::CreateRemoval( 3870 getSpecifierRange(ignoredFlag.getPosition(), 1))); 3871 } 3872 3873 // void EmitFormatDiagnostic(PartialDiagnostic PDiag, SourceLocation StringLoc, 3874 // bool IsStringLocation, Range StringRange, 3875 // ArrayRef<FixItHint> Fixit = None); 3876 3877 void CheckPrintfHandler::HandleEmptyObjCModifierFlag(const char *startFlag, 3878 unsigned flagLen) { 3879 // Warn about an empty flag. 3880 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_empty_objc_flag), 3881 getLocationOfByte(startFlag), 3882 /*IsStringLocation*/true, 3883 getSpecifierRange(startFlag, flagLen)); 3884 } 3885 3886 void CheckPrintfHandler::HandleInvalidObjCModifierFlag(const char *startFlag, 3887 unsigned flagLen) { 3888 // Warn about an invalid flag. 3889 auto Range = getSpecifierRange(startFlag, flagLen); 3890 StringRef flag(startFlag, flagLen); 3891 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_invalid_objc_flag) << flag, 3892 getLocationOfByte(startFlag), 3893 /*IsStringLocation*/true, 3894 Range, FixItHint::CreateRemoval(Range)); 3895 } 3896 3897 void CheckPrintfHandler::HandleObjCFlagsWithNonObjCConversion( 3898 const char *flagsStart, const char *flagsEnd, const char *conversionPosition) { 3899 // Warn about using '[...]' without a '@' conversion. 3900 auto Range = getSpecifierRange(flagsStart, flagsEnd - flagsStart + 1); 3901 auto diag = diag::warn_printf_ObjCflags_without_ObjCConversion; 3902 EmitFormatDiagnostic(S.PDiag(diag) << StringRef(conversionPosition, 1), 3903 getLocationOfByte(conversionPosition), 3904 /*IsStringLocation*/true, 3905 Range, FixItHint::CreateRemoval(Range)); 3906 } 3907 3908 // Determines if the specified is a C++ class or struct containing 3909 // a member with the specified name and kind (e.g. a CXXMethodDecl named 3910 // "c_str()"). 3911 template<typename MemberKind> 3912 static llvm::SmallPtrSet<MemberKind*, 1> 3913 CXXRecordMembersNamed(StringRef Name, Sema &S, QualType Ty) { 3914 const RecordType *RT = Ty->getAs<RecordType>(); 3915 llvm::SmallPtrSet<MemberKind*, 1> Results; 3916 3917 if (!RT) 3918 return Results; 3919 const CXXRecordDecl *RD = dyn_cast<CXXRecordDecl>(RT->getDecl()); 3920 if (!RD || !RD->getDefinition()) 3921 return Results; 3922 3923 LookupResult R(S, &S.Context.Idents.get(Name), SourceLocation(), 3924 Sema::LookupMemberName); 3925 R.suppressDiagnostics(); 3926 3927 // We just need to include all members of the right kind turned up by the 3928 // filter, at this point. 3929 if (S.LookupQualifiedName(R, RT->getDecl())) 3930 for (LookupResult::iterator I = R.begin(), E = R.end(); I != E; ++I) { 3931 NamedDecl *decl = (*I)->getUnderlyingDecl(); 3932 if (MemberKind *FK = dyn_cast<MemberKind>(decl)) 3933 Results.insert(FK); 3934 } 3935 return Results; 3936 } 3937 3938 /// Check if we could call '.c_str()' on an object. 3939 /// 3940 /// FIXME: This returns the wrong results in some cases (if cv-qualifiers don't 3941 /// allow the call, or if it would be ambiguous). 3942 bool Sema::hasCStrMethod(const Expr *E) { 3943 typedef llvm::SmallPtrSet<CXXMethodDecl*, 1> MethodSet; 3944 MethodSet Results = 3945 CXXRecordMembersNamed<CXXMethodDecl>("c_str", *this, E->getType()); 3946 for (MethodSet::iterator MI = Results.begin(), ME = Results.end(); 3947 MI != ME; ++MI) 3948 if ((*MI)->getMinRequiredArguments() == 0) 3949 return true; 3950 return false; 3951 } 3952 3953 // Check if a (w)string was passed when a (w)char* was needed, and offer a 3954 // better diagnostic if so. AT is assumed to be valid. 3955 // Returns true when a c_str() conversion method is found. 3956 bool CheckPrintfHandler::checkForCStrMembers( 3957 const analyze_printf::ArgType &AT, const Expr *E) { 3958 typedef llvm::SmallPtrSet<CXXMethodDecl*, 1> MethodSet; 3959 3960 MethodSet Results = 3961 CXXRecordMembersNamed<CXXMethodDecl>("c_str", S, E->getType()); 3962 3963 for (MethodSet::iterator MI = Results.begin(), ME = Results.end(); 3964 MI != ME; ++MI) { 3965 const CXXMethodDecl *Method = *MI; 3966 if (Method->getMinRequiredArguments() == 0 && 3967 AT.matchesType(S.Context, Method->getReturnType())) { 3968 // FIXME: Suggest parens if the expression needs them. 3969 SourceLocation EndLoc = S.getLocForEndOfToken(E->getLocEnd()); 3970 S.Diag(E->getLocStart(), diag::note_printf_c_str) 3971 << "c_str()" 3972 << FixItHint::CreateInsertion(EndLoc, ".c_str()"); 3973 return true; 3974 } 3975 } 3976 3977 return false; 3978 } 3979 3980 bool 3981 CheckPrintfHandler::HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier 3982 &FS, 3983 const char *startSpecifier, 3984 unsigned specifierLen) { 3985 3986 using namespace analyze_format_string; 3987 using namespace analyze_printf; 3988 const PrintfConversionSpecifier &CS = FS.getConversionSpecifier(); 3989 3990 if (FS.consumesDataArgument()) { 3991 if (atFirstArg) { 3992 atFirstArg = false; 3993 usesPositionalArgs = FS.usesPositionalArg(); 3994 } 3995 else if (usesPositionalArgs != FS.usesPositionalArg()) { 3996 HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()), 3997 startSpecifier, specifierLen); 3998 return false; 3999 } 4000 } 4001 4002 // First check if the field width, precision, and conversion specifier 4003 // have matching data arguments. 4004 if (!HandleAmount(FS.getFieldWidth(), /* field width */ 0, 4005 startSpecifier, specifierLen)) { 4006 return false; 4007 } 4008 4009 if (!HandleAmount(FS.getPrecision(), /* precision */ 1, 4010 startSpecifier, specifierLen)) { 4011 return false; 4012 } 4013 4014 if (!CS.consumesDataArgument()) { 4015 // FIXME: Technically specifying a precision or field width here 4016 // makes no sense. Worth issuing a warning at some point. 4017 return true; 4018 } 4019 4020 // Consume the argument. 4021 unsigned argIndex = FS.getArgIndex(); 4022 if (argIndex < NumDataArgs) { 4023 // The check to see if the argIndex is valid will come later. 4024 // We set the bit here because we may exit early from this 4025 // function if we encounter some other error. 4026 CoveredArgs.set(argIndex); 4027 } 4028 4029 // FreeBSD kernel extensions. 4030 if (CS.getKind() == ConversionSpecifier::FreeBSDbArg || 4031 CS.getKind() == ConversionSpecifier::FreeBSDDArg) { 4032 // We need at least two arguments. 4033 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex + 1)) 4034 return false; 4035 4036 // Claim the second argument. 4037 CoveredArgs.set(argIndex + 1); 4038 4039 // Type check the first argument (int for %b, pointer for %D) 4040 const Expr *Ex = getDataArg(argIndex); 4041 const analyze_printf::ArgType &AT = 4042 (CS.getKind() == ConversionSpecifier::FreeBSDbArg) ? 4043 ArgType(S.Context.IntTy) : ArgType::CPointerTy; 4044 if (AT.isValid() && !AT.matchesType(S.Context, Ex->getType())) 4045 EmitFormatDiagnostic( 4046 S.PDiag(diag::warn_format_conversion_argument_type_mismatch) 4047 << AT.getRepresentativeTypeName(S.Context) << Ex->getType() 4048 << false << Ex->getSourceRange(), 4049 Ex->getLocStart(), /*IsStringLocation*/false, 4050 getSpecifierRange(startSpecifier, specifierLen)); 4051 4052 // Type check the second argument (char * for both %b and %D) 4053 Ex = getDataArg(argIndex + 1); 4054 const analyze_printf::ArgType &AT2 = ArgType::CStrTy; 4055 if (AT2.isValid() && !AT2.matchesType(S.Context, Ex->getType())) 4056 EmitFormatDiagnostic( 4057 S.PDiag(diag::warn_format_conversion_argument_type_mismatch) 4058 << AT2.getRepresentativeTypeName(S.Context) << Ex->getType() 4059 << false << Ex->getSourceRange(), 4060 Ex->getLocStart(), /*IsStringLocation*/false, 4061 getSpecifierRange(startSpecifier, specifierLen)); 4062 4063 return true; 4064 } 4065 4066 // Check for using an Objective-C specific conversion specifier 4067 // in a non-ObjC literal. 4068 if (!ObjCContext && CS.isObjCArg()) { 4069 return HandleInvalidPrintfConversionSpecifier(FS, startSpecifier, 4070 specifierLen); 4071 } 4072 4073 // Check for invalid use of field width 4074 if (!FS.hasValidFieldWidth()) { 4075 HandleInvalidAmount(FS, FS.getFieldWidth(), /* field width */ 0, 4076 startSpecifier, specifierLen); 4077 } 4078 4079 // Check for invalid use of precision 4080 if (!FS.hasValidPrecision()) { 4081 HandleInvalidAmount(FS, FS.getPrecision(), /* precision */ 1, 4082 startSpecifier, specifierLen); 4083 } 4084 4085 // Check each flag does not conflict with any other component. 4086 if (!FS.hasValidThousandsGroupingPrefix()) 4087 HandleFlag(FS, FS.hasThousandsGrouping(), startSpecifier, specifierLen); 4088 if (!FS.hasValidLeadingZeros()) 4089 HandleFlag(FS, FS.hasLeadingZeros(), startSpecifier, specifierLen); 4090 if (!FS.hasValidPlusPrefix()) 4091 HandleFlag(FS, FS.hasPlusPrefix(), startSpecifier, specifierLen); 4092 if (!FS.hasValidSpacePrefix()) 4093 HandleFlag(FS, FS.hasSpacePrefix(), startSpecifier, specifierLen); 4094 if (!FS.hasValidAlternativeForm()) 4095 HandleFlag(FS, FS.hasAlternativeForm(), startSpecifier, specifierLen); 4096 if (!FS.hasValidLeftJustified()) 4097 HandleFlag(FS, FS.isLeftJustified(), startSpecifier, specifierLen); 4098 4099 // Check that flags are not ignored by another flag 4100 if (FS.hasSpacePrefix() && FS.hasPlusPrefix()) // ' ' ignored by '+' 4101 HandleIgnoredFlag(FS, FS.hasSpacePrefix(), FS.hasPlusPrefix(), 4102 startSpecifier, specifierLen); 4103 if (FS.hasLeadingZeros() && FS.isLeftJustified()) // '0' ignored by '-' 4104 HandleIgnoredFlag(FS, FS.hasLeadingZeros(), FS.isLeftJustified(), 4105 startSpecifier, specifierLen); 4106 4107 // Check the length modifier is valid with the given conversion specifier. 4108 if (!FS.hasValidLengthModifier(S.getASTContext().getTargetInfo())) 4109 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, 4110 diag::warn_format_nonsensical_length); 4111 else if (!FS.hasStandardLengthModifier()) 4112 HandleNonStandardLengthModifier(FS, startSpecifier, specifierLen); 4113 else if (!FS.hasStandardLengthConversionCombination()) 4114 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, 4115 diag::warn_format_non_standard_conversion_spec); 4116 4117 if (!FS.hasStandardConversionSpecifier(S.getLangOpts())) 4118 HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen); 4119 4120 // The remaining checks depend on the data arguments. 4121 if (HasVAListArg) 4122 return true; 4123 4124 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex)) 4125 return false; 4126 4127 const Expr *Arg = getDataArg(argIndex); 4128 if (!Arg) 4129 return true; 4130 4131 return checkFormatExpr(FS, startSpecifier, specifierLen, Arg); 4132 } 4133 4134 static bool requiresParensToAddCast(const Expr *E) { 4135 // FIXME: We should have a general way to reason about operator 4136 // precedence and whether parens are actually needed here. 4137 // Take care of a few common cases where they aren't. 4138 const Expr *Inside = E->IgnoreImpCasts(); 4139 if (const PseudoObjectExpr *POE = dyn_cast<PseudoObjectExpr>(Inside)) 4140 Inside = POE->getSyntacticForm()->IgnoreImpCasts(); 4141 4142 switch (Inside->getStmtClass()) { 4143 case Stmt::ArraySubscriptExprClass: 4144 case Stmt::CallExprClass: 4145 case Stmt::CharacterLiteralClass: 4146 case Stmt::CXXBoolLiteralExprClass: 4147 case Stmt::DeclRefExprClass: 4148 case Stmt::FloatingLiteralClass: 4149 case Stmt::IntegerLiteralClass: 4150 case Stmt::MemberExprClass: 4151 case Stmt::ObjCArrayLiteralClass: 4152 case Stmt::ObjCBoolLiteralExprClass: 4153 case Stmt::ObjCBoxedExprClass: 4154 case Stmt::ObjCDictionaryLiteralClass: 4155 case Stmt::ObjCEncodeExprClass: 4156 case Stmt::ObjCIvarRefExprClass: 4157 case Stmt::ObjCMessageExprClass: 4158 case Stmt::ObjCPropertyRefExprClass: 4159 case Stmt::ObjCStringLiteralClass: 4160 case Stmt::ObjCSubscriptRefExprClass: 4161 case Stmt::ParenExprClass: 4162 case Stmt::StringLiteralClass: 4163 case Stmt::UnaryOperatorClass: 4164 return false; 4165 default: 4166 return true; 4167 } 4168 } 4169 4170 static std::pair<QualType, StringRef> 4171 shouldNotPrintDirectly(const ASTContext &Context, 4172 QualType IntendedTy, 4173 const Expr *E) { 4174 // Use a 'while' to peel off layers of typedefs. 4175 QualType TyTy = IntendedTy; 4176 while (const TypedefType *UserTy = TyTy->getAs<TypedefType>()) { 4177 StringRef Name = UserTy->getDecl()->getName(); 4178 QualType CastTy = llvm::StringSwitch<QualType>(Name) 4179 .Case("NSInteger", Context.LongTy) 4180 .Case("NSUInteger", Context.UnsignedLongTy) 4181 .Case("SInt32", Context.IntTy) 4182 .Case("UInt32", Context.UnsignedIntTy) 4183 .Default(QualType()); 4184 4185 if (!CastTy.isNull()) 4186 return std::make_pair(CastTy, Name); 4187 4188 TyTy = UserTy->desugar(); 4189 } 4190 4191 // Strip parens if necessary. 4192 if (const ParenExpr *PE = dyn_cast<ParenExpr>(E)) 4193 return shouldNotPrintDirectly(Context, 4194 PE->getSubExpr()->getType(), 4195 PE->getSubExpr()); 4196 4197 // If this is a conditional expression, then its result type is constructed 4198 // via usual arithmetic conversions and thus there might be no necessary 4199 // typedef sugar there. Recurse to operands to check for NSInteger & 4200 // Co. usage condition. 4201 if (const ConditionalOperator *CO = dyn_cast<ConditionalOperator>(E)) { 4202 QualType TrueTy, FalseTy; 4203 StringRef TrueName, FalseName; 4204 4205 std::tie(TrueTy, TrueName) = 4206 shouldNotPrintDirectly(Context, 4207 CO->getTrueExpr()->getType(), 4208 CO->getTrueExpr()); 4209 std::tie(FalseTy, FalseName) = 4210 shouldNotPrintDirectly(Context, 4211 CO->getFalseExpr()->getType(), 4212 CO->getFalseExpr()); 4213 4214 if (TrueTy == FalseTy) 4215 return std::make_pair(TrueTy, TrueName); 4216 else if (TrueTy.isNull()) 4217 return std::make_pair(FalseTy, FalseName); 4218 else if (FalseTy.isNull()) 4219 return std::make_pair(TrueTy, TrueName); 4220 } 4221 4222 return std::make_pair(QualType(), StringRef()); 4223 } 4224 4225 bool 4226 CheckPrintfHandler::checkFormatExpr(const analyze_printf::PrintfSpecifier &FS, 4227 const char *StartSpecifier, 4228 unsigned SpecifierLen, 4229 const Expr *E) { 4230 using namespace analyze_format_string; 4231 using namespace analyze_printf; 4232 // Now type check the data expression that matches the 4233 // format specifier. 4234 const analyze_printf::ArgType &AT = FS.getArgType(S.Context, 4235 ObjCContext); 4236 if (!AT.isValid()) 4237 return true; 4238 4239 QualType ExprTy = E->getType(); 4240 while (const TypeOfExprType *TET = dyn_cast<TypeOfExprType>(ExprTy)) { 4241 ExprTy = TET->getUnderlyingExpr()->getType(); 4242 } 4243 4244 analyze_printf::ArgType::MatchKind match = AT.matchesType(S.Context, ExprTy); 4245 4246 if (match == analyze_printf::ArgType::Match) { 4247 return true; 4248 } 4249 4250 // Look through argument promotions for our error message's reported type. 4251 // This includes the integral and floating promotions, but excludes array 4252 // and function pointer decay; seeing that an argument intended to be a 4253 // string has type 'char [6]' is probably more confusing than 'char *'. 4254 if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) { 4255 if (ICE->getCastKind() == CK_IntegralCast || 4256 ICE->getCastKind() == CK_FloatingCast) { 4257 E = ICE->getSubExpr(); 4258 ExprTy = E->getType(); 4259 4260 // Check if we didn't match because of an implicit cast from a 'char' 4261 // or 'short' to an 'int'. This is done because printf is a varargs 4262 // function. 4263 if (ICE->getType() == S.Context.IntTy || 4264 ICE->getType() == S.Context.UnsignedIntTy) { 4265 // All further checking is done on the subexpression. 4266 if (AT.matchesType(S.Context, ExprTy)) 4267 return true; 4268 } 4269 } 4270 } else if (const CharacterLiteral *CL = dyn_cast<CharacterLiteral>(E)) { 4271 // Special case for 'a', which has type 'int' in C. 4272 // Note, however, that we do /not/ want to treat multibyte constants like 4273 // 'MooV' as characters! This form is deprecated but still exists. 4274 if (ExprTy == S.Context.IntTy) 4275 if (llvm::isUIntN(S.Context.getCharWidth(), CL->getValue())) 4276 ExprTy = S.Context.CharTy; 4277 } 4278 4279 // Look through enums to their underlying type. 4280 bool IsEnum = false; 4281 if (auto EnumTy = ExprTy->getAs<EnumType>()) { 4282 ExprTy = EnumTy->getDecl()->getIntegerType(); 4283 IsEnum = true; 4284 } 4285 4286 // %C in an Objective-C context prints a unichar, not a wchar_t. 4287 // If the argument is an integer of some kind, believe the %C and suggest 4288 // a cast instead of changing the conversion specifier. 4289 QualType IntendedTy = ExprTy; 4290 if (ObjCContext && 4291 FS.getConversionSpecifier().getKind() == ConversionSpecifier::CArg) { 4292 if (ExprTy->isIntegralOrUnscopedEnumerationType() && 4293 !ExprTy->isCharType()) { 4294 // 'unichar' is defined as a typedef of unsigned short, but we should 4295 // prefer using the typedef if it is visible. 4296 IntendedTy = S.Context.UnsignedShortTy; 4297 4298 // While we are here, check if the value is an IntegerLiteral that happens 4299 // to be within the valid range. 4300 if (const IntegerLiteral *IL = dyn_cast<IntegerLiteral>(E)) { 4301 const llvm::APInt &V = IL->getValue(); 4302 if (V.getActiveBits() <= S.Context.getTypeSize(IntendedTy)) 4303 return true; 4304 } 4305 4306 LookupResult Result(S, &S.Context.Idents.get("unichar"), E->getLocStart(), 4307 Sema::LookupOrdinaryName); 4308 if (S.LookupName(Result, S.getCurScope())) { 4309 NamedDecl *ND = Result.getFoundDecl(); 4310 if (TypedefNameDecl *TD = dyn_cast<TypedefNameDecl>(ND)) 4311 if (TD->getUnderlyingType() == IntendedTy) 4312 IntendedTy = S.Context.getTypedefType(TD); 4313 } 4314 } 4315 } 4316 4317 // Special-case some of Darwin's platform-independence types by suggesting 4318 // casts to primitive types that are known to be large enough. 4319 bool ShouldNotPrintDirectly = false; StringRef CastTyName; 4320 if (S.Context.getTargetInfo().getTriple().isOSDarwin()) { 4321 QualType CastTy; 4322 std::tie(CastTy, CastTyName) = shouldNotPrintDirectly(S.Context, IntendedTy, E); 4323 if (!CastTy.isNull()) { 4324 IntendedTy = CastTy; 4325 ShouldNotPrintDirectly = true; 4326 } 4327 } 4328 4329 // We may be able to offer a FixItHint if it is a supported type. 4330 PrintfSpecifier fixedFS = FS; 4331 bool success = fixedFS.fixType(IntendedTy, S.getLangOpts(), 4332 S.Context, ObjCContext); 4333 4334 if (success) { 4335 // Get the fix string from the fixed format specifier 4336 SmallString<16> buf; 4337 llvm::raw_svector_ostream os(buf); 4338 fixedFS.toString(os); 4339 4340 CharSourceRange SpecRange = getSpecifierRange(StartSpecifier, SpecifierLen); 4341 4342 if (IntendedTy == ExprTy && !ShouldNotPrintDirectly) { 4343 unsigned diag = diag::warn_format_conversion_argument_type_mismatch; 4344 if (match == analyze_format_string::ArgType::NoMatchPedantic) { 4345 diag = diag::warn_format_conversion_argument_type_mismatch_pedantic; 4346 } 4347 // In this case, the specifier is wrong and should be changed to match 4348 // the argument. 4349 EmitFormatDiagnostic(S.PDiag(diag) 4350 << AT.getRepresentativeTypeName(S.Context) 4351 << IntendedTy << IsEnum << E->getSourceRange(), 4352 E->getLocStart(), 4353 /*IsStringLocation*/ false, SpecRange, 4354 FixItHint::CreateReplacement(SpecRange, os.str())); 4355 4356 } else { 4357 // The canonical type for formatting this value is different from the 4358 // actual type of the expression. (This occurs, for example, with Darwin's 4359 // NSInteger on 32-bit platforms, where it is typedef'd as 'int', but 4360 // should be printed as 'long' for 64-bit compatibility.) 4361 // Rather than emitting a normal format/argument mismatch, we want to 4362 // add a cast to the recommended type (and correct the format string 4363 // if necessary). 4364 SmallString<16> CastBuf; 4365 llvm::raw_svector_ostream CastFix(CastBuf); 4366 CastFix << "("; 4367 IntendedTy.print(CastFix, S.Context.getPrintingPolicy()); 4368 CastFix << ")"; 4369 4370 SmallVector<FixItHint,4> Hints; 4371 if (!AT.matchesType(S.Context, IntendedTy)) 4372 Hints.push_back(FixItHint::CreateReplacement(SpecRange, os.str())); 4373 4374 if (const CStyleCastExpr *CCast = dyn_cast<CStyleCastExpr>(E)) { 4375 // If there's already a cast present, just replace it. 4376 SourceRange CastRange(CCast->getLParenLoc(), CCast->getRParenLoc()); 4377 Hints.push_back(FixItHint::CreateReplacement(CastRange, CastFix.str())); 4378 4379 } else if (!requiresParensToAddCast(E)) { 4380 // If the expression has high enough precedence, 4381 // just write the C-style cast. 4382 Hints.push_back(FixItHint::CreateInsertion(E->getLocStart(), 4383 CastFix.str())); 4384 } else { 4385 // Otherwise, add parens around the expression as well as the cast. 4386 CastFix << "("; 4387 Hints.push_back(FixItHint::CreateInsertion(E->getLocStart(), 4388 CastFix.str())); 4389 4390 SourceLocation After = S.getLocForEndOfToken(E->getLocEnd()); 4391 Hints.push_back(FixItHint::CreateInsertion(After, ")")); 4392 } 4393 4394 if (ShouldNotPrintDirectly) { 4395 // The expression has a type that should not be printed directly. 4396 // We extract the name from the typedef because we don't want to show 4397 // the underlying type in the diagnostic. 4398 StringRef Name; 4399 if (const TypedefType *TypedefTy = dyn_cast<TypedefType>(ExprTy)) 4400 Name = TypedefTy->getDecl()->getName(); 4401 else 4402 Name = CastTyName; 4403 EmitFormatDiagnostic(S.PDiag(diag::warn_format_argument_needs_cast) 4404 << Name << IntendedTy << IsEnum 4405 << E->getSourceRange(), 4406 E->getLocStart(), /*IsStringLocation=*/false, 4407 SpecRange, Hints); 4408 } else { 4409 // In this case, the expression could be printed using a different 4410 // specifier, but we've decided that the specifier is probably correct 4411 // and we should cast instead. Just use the normal warning message. 4412 EmitFormatDiagnostic( 4413 S.PDiag(diag::warn_format_conversion_argument_type_mismatch) 4414 << AT.getRepresentativeTypeName(S.Context) << ExprTy << IsEnum 4415 << E->getSourceRange(), 4416 E->getLocStart(), /*IsStringLocation*/false, 4417 SpecRange, Hints); 4418 } 4419 } 4420 } else { 4421 const CharSourceRange &CSR = getSpecifierRange(StartSpecifier, 4422 SpecifierLen); 4423 // Since the warning for passing non-POD types to variadic functions 4424 // was deferred until now, we emit a warning for non-POD 4425 // arguments here. 4426 switch (S.isValidVarArgType(ExprTy)) { 4427 case Sema::VAK_Valid: 4428 case Sema::VAK_ValidInCXX11: { 4429 unsigned diag = diag::warn_format_conversion_argument_type_mismatch; 4430 if (match == analyze_printf::ArgType::NoMatchPedantic) { 4431 diag = diag::warn_format_conversion_argument_type_mismatch_pedantic; 4432 } 4433 4434 EmitFormatDiagnostic( 4435 S.PDiag(diag) << AT.getRepresentativeTypeName(S.Context) << ExprTy 4436 << IsEnum << CSR << E->getSourceRange(), 4437 E->getLocStart(), /*IsStringLocation*/ false, CSR); 4438 break; 4439 } 4440 case Sema::VAK_Undefined: 4441 case Sema::VAK_MSVCUndefined: 4442 EmitFormatDiagnostic( 4443 S.PDiag(diag::warn_non_pod_vararg_with_format_string) 4444 << S.getLangOpts().CPlusPlus11 4445 << ExprTy 4446 << CallType 4447 << AT.getRepresentativeTypeName(S.Context) 4448 << CSR 4449 << E->getSourceRange(), 4450 E->getLocStart(), /*IsStringLocation*/false, CSR); 4451 checkForCStrMembers(AT, E); 4452 break; 4453 4454 case Sema::VAK_Invalid: 4455 if (ExprTy->isObjCObjectType()) 4456 EmitFormatDiagnostic( 4457 S.PDiag(diag::err_cannot_pass_objc_interface_to_vararg_format) 4458 << S.getLangOpts().CPlusPlus11 4459 << ExprTy 4460 << CallType 4461 << AT.getRepresentativeTypeName(S.Context) 4462 << CSR 4463 << E->getSourceRange(), 4464 E->getLocStart(), /*IsStringLocation*/false, CSR); 4465 else 4466 // FIXME: If this is an initializer list, suggest removing the braces 4467 // or inserting a cast to the target type. 4468 S.Diag(E->getLocStart(), diag::err_cannot_pass_to_vararg_format) 4469 << isa<InitListExpr>(E) << ExprTy << CallType 4470 << AT.getRepresentativeTypeName(S.Context) 4471 << E->getSourceRange(); 4472 break; 4473 } 4474 4475 assert(FirstDataArg + FS.getArgIndex() < CheckedVarArgs.size() && 4476 "format string specifier index out of range"); 4477 CheckedVarArgs[FirstDataArg + FS.getArgIndex()] = true; 4478 } 4479 4480 return true; 4481 } 4482 4483 //===--- CHECK: Scanf format string checking ------------------------------===// 4484 4485 namespace { 4486 class CheckScanfHandler : public CheckFormatHandler { 4487 public: 4488 CheckScanfHandler(Sema &s, const StringLiteral *fexpr, 4489 const Expr *origFormatExpr, unsigned firstDataArg, 4490 unsigned numDataArgs, const char *beg, bool hasVAListArg, 4491 ArrayRef<const Expr *> Args, 4492 unsigned formatIdx, bool inFunctionCall, 4493 Sema::VariadicCallType CallType, 4494 llvm::SmallBitVector &CheckedVarArgs) 4495 : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg, 4496 numDataArgs, beg, hasVAListArg, 4497 Args, formatIdx, inFunctionCall, CallType, 4498 CheckedVarArgs) 4499 {} 4500 4501 bool HandleScanfSpecifier(const analyze_scanf::ScanfSpecifier &FS, 4502 const char *startSpecifier, 4503 unsigned specifierLen) override; 4504 4505 bool HandleInvalidScanfConversionSpecifier( 4506 const analyze_scanf::ScanfSpecifier &FS, 4507 const char *startSpecifier, 4508 unsigned specifierLen) override; 4509 4510 void HandleIncompleteScanList(const char *start, const char *end) override; 4511 }; 4512 } 4513 4514 void CheckScanfHandler::HandleIncompleteScanList(const char *start, 4515 const char *end) { 4516 EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_scanlist_incomplete), 4517 getLocationOfByte(end), /*IsStringLocation*/true, 4518 getSpecifierRange(start, end - start)); 4519 } 4520 4521 bool CheckScanfHandler::HandleInvalidScanfConversionSpecifier( 4522 const analyze_scanf::ScanfSpecifier &FS, 4523 const char *startSpecifier, 4524 unsigned specifierLen) { 4525 4526 const analyze_scanf::ScanfConversionSpecifier &CS = 4527 FS.getConversionSpecifier(); 4528 4529 return HandleInvalidConversionSpecifier(FS.getArgIndex(), 4530 getLocationOfByte(CS.getStart()), 4531 startSpecifier, specifierLen, 4532 CS.getStart(), CS.getLength()); 4533 } 4534 4535 bool CheckScanfHandler::HandleScanfSpecifier( 4536 const analyze_scanf::ScanfSpecifier &FS, 4537 const char *startSpecifier, 4538 unsigned specifierLen) { 4539 4540 using namespace analyze_scanf; 4541 using namespace analyze_format_string; 4542 4543 const ScanfConversionSpecifier &CS = FS.getConversionSpecifier(); 4544 4545 // Handle case where '%' and '*' don't consume an argument. These shouldn't 4546 // be used to decide if we are using positional arguments consistently. 4547 if (FS.consumesDataArgument()) { 4548 if (atFirstArg) { 4549 atFirstArg = false; 4550 usesPositionalArgs = FS.usesPositionalArg(); 4551 } 4552 else if (usesPositionalArgs != FS.usesPositionalArg()) { 4553 HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()), 4554 startSpecifier, specifierLen); 4555 return false; 4556 } 4557 } 4558 4559 // Check if the field with is non-zero. 4560 const OptionalAmount &Amt = FS.getFieldWidth(); 4561 if (Amt.getHowSpecified() == OptionalAmount::Constant) { 4562 if (Amt.getConstantAmount() == 0) { 4563 const CharSourceRange &R = getSpecifierRange(Amt.getStart(), 4564 Amt.getConstantLength()); 4565 EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_nonzero_width), 4566 getLocationOfByte(Amt.getStart()), 4567 /*IsStringLocation*/true, R, 4568 FixItHint::CreateRemoval(R)); 4569 } 4570 } 4571 4572 if (!FS.consumesDataArgument()) { 4573 // FIXME: Technically specifying a precision or field width here 4574 // makes no sense. Worth issuing a warning at some point. 4575 return true; 4576 } 4577 4578 // Consume the argument. 4579 unsigned argIndex = FS.getArgIndex(); 4580 if (argIndex < NumDataArgs) { 4581 // The check to see if the argIndex is valid will come later. 4582 // We set the bit here because we may exit early from this 4583 // function if we encounter some other error. 4584 CoveredArgs.set(argIndex); 4585 } 4586 4587 // Check the length modifier is valid with the given conversion specifier. 4588 if (!FS.hasValidLengthModifier(S.getASTContext().getTargetInfo())) 4589 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, 4590 diag::warn_format_nonsensical_length); 4591 else if (!FS.hasStandardLengthModifier()) 4592 HandleNonStandardLengthModifier(FS, startSpecifier, specifierLen); 4593 else if (!FS.hasStandardLengthConversionCombination()) 4594 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, 4595 diag::warn_format_non_standard_conversion_spec); 4596 4597 if (!FS.hasStandardConversionSpecifier(S.getLangOpts())) 4598 HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen); 4599 4600 // The remaining checks depend on the data arguments. 4601 if (HasVAListArg) 4602 return true; 4603 4604 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex)) 4605 return false; 4606 4607 // Check that the argument type matches the format specifier. 4608 const Expr *Ex = getDataArg(argIndex); 4609 if (!Ex) 4610 return true; 4611 4612 const analyze_format_string::ArgType &AT = FS.getArgType(S.Context); 4613 4614 if (!AT.isValid()) { 4615 return true; 4616 } 4617 4618 analyze_format_string::ArgType::MatchKind match = 4619 AT.matchesType(S.Context, Ex->getType()); 4620 if (match == analyze_format_string::ArgType::Match) { 4621 return true; 4622 } 4623 4624 ScanfSpecifier fixedFS = FS; 4625 bool success = fixedFS.fixType(Ex->getType(), Ex->IgnoreImpCasts()->getType(), 4626 S.getLangOpts(), S.Context); 4627 4628 unsigned diag = diag::warn_format_conversion_argument_type_mismatch; 4629 if (match == analyze_format_string::ArgType::NoMatchPedantic) { 4630 diag = diag::warn_format_conversion_argument_type_mismatch_pedantic; 4631 } 4632 4633 if (success) { 4634 // Get the fix string from the fixed format specifier. 4635 SmallString<128> buf; 4636 llvm::raw_svector_ostream os(buf); 4637 fixedFS.toString(os); 4638 4639 EmitFormatDiagnostic( 4640 S.PDiag(diag) << AT.getRepresentativeTypeName(S.Context) 4641 << Ex->getType() << false << Ex->getSourceRange(), 4642 Ex->getLocStart(), 4643 /*IsStringLocation*/ false, 4644 getSpecifierRange(startSpecifier, specifierLen), 4645 FixItHint::CreateReplacement( 4646 getSpecifierRange(startSpecifier, specifierLen), os.str())); 4647 } else { 4648 EmitFormatDiagnostic(S.PDiag(diag) 4649 << AT.getRepresentativeTypeName(S.Context) 4650 << Ex->getType() << false << Ex->getSourceRange(), 4651 Ex->getLocStart(), 4652 /*IsStringLocation*/ false, 4653 getSpecifierRange(startSpecifier, specifierLen)); 4654 } 4655 4656 return true; 4657 } 4658 4659 void Sema::CheckFormatString(const StringLiteral *FExpr, 4660 const Expr *OrigFormatExpr, 4661 ArrayRef<const Expr *> Args, 4662 bool HasVAListArg, unsigned format_idx, 4663 unsigned firstDataArg, FormatStringType Type, 4664 bool inFunctionCall, VariadicCallType CallType, 4665 llvm::SmallBitVector &CheckedVarArgs) { 4666 4667 // CHECK: is the format string a wide literal? 4668 if (!FExpr->isAscii() && !FExpr->isUTF8()) { 4669 CheckFormatHandler::EmitFormatDiagnostic( 4670 *this, inFunctionCall, Args[format_idx], 4671 PDiag(diag::warn_format_string_is_wide_literal), FExpr->getLocStart(), 4672 /*IsStringLocation*/true, OrigFormatExpr->getSourceRange()); 4673 return; 4674 } 4675 4676 // Str - The format string. NOTE: this is NOT null-terminated! 4677 StringRef StrRef = FExpr->getString(); 4678 const char *Str = StrRef.data(); 4679 // Account for cases where the string literal is truncated in a declaration. 4680 const ConstantArrayType *T = Context.getAsConstantArrayType(FExpr->getType()); 4681 assert(T && "String literal not of constant array type!"); 4682 size_t TypeSize = T->getSize().getZExtValue(); 4683 size_t StrLen = std::min(std::max(TypeSize, size_t(1)) - 1, StrRef.size()); 4684 const unsigned numDataArgs = Args.size() - firstDataArg; 4685 4686 // Emit a warning if the string literal is truncated and does not contain an 4687 // embedded null character. 4688 if (TypeSize <= StrRef.size() && 4689 StrRef.substr(0, TypeSize).find('\0') == StringRef::npos) { 4690 CheckFormatHandler::EmitFormatDiagnostic( 4691 *this, inFunctionCall, Args[format_idx], 4692 PDiag(diag::warn_printf_format_string_not_null_terminated), 4693 FExpr->getLocStart(), 4694 /*IsStringLocation=*/true, OrigFormatExpr->getSourceRange()); 4695 return; 4696 } 4697 4698 // CHECK: empty format string? 4699 if (StrLen == 0 && numDataArgs > 0) { 4700 CheckFormatHandler::EmitFormatDiagnostic( 4701 *this, inFunctionCall, Args[format_idx], 4702 PDiag(diag::warn_empty_format_string), FExpr->getLocStart(), 4703 /*IsStringLocation*/true, OrigFormatExpr->getSourceRange()); 4704 return; 4705 } 4706 4707 if (Type == FST_Printf || Type == FST_NSString || 4708 Type == FST_FreeBSDKPrintf || Type == FST_OSTrace) { 4709 CheckPrintfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, 4710 numDataArgs, (Type == FST_NSString || Type == FST_OSTrace), 4711 Str, HasVAListArg, Args, format_idx, 4712 inFunctionCall, CallType, CheckedVarArgs); 4713 4714 if (!analyze_format_string::ParsePrintfString(H, Str, Str + StrLen, 4715 getLangOpts(), 4716 Context.getTargetInfo(), 4717 Type == FST_FreeBSDKPrintf)) 4718 H.DoneProcessing(); 4719 } else if (Type == FST_Scanf) { 4720 CheckScanfHandler H(*this, FExpr, OrigFormatExpr, firstDataArg, numDataArgs, 4721 Str, HasVAListArg, Args, format_idx, 4722 inFunctionCall, CallType, CheckedVarArgs); 4723 4724 if (!analyze_format_string::ParseScanfString(H, Str, Str + StrLen, 4725 getLangOpts(), 4726 Context.getTargetInfo())) 4727 H.DoneProcessing(); 4728 } // TODO: handle other formats 4729 } 4730 4731 bool Sema::FormatStringHasSArg(const StringLiteral *FExpr) { 4732 // Str - The format string. NOTE: this is NOT null-terminated! 4733 StringRef StrRef = FExpr->getString(); 4734 const char *Str = StrRef.data(); 4735 // Account for cases where the string literal is truncated in a declaration. 4736 const ConstantArrayType *T = Context.getAsConstantArrayType(FExpr->getType()); 4737 assert(T && "String literal not of constant array type!"); 4738 size_t TypeSize = T->getSize().getZExtValue(); 4739 size_t StrLen = std::min(std::max(TypeSize, size_t(1)) - 1, StrRef.size()); 4740 return analyze_format_string::ParseFormatStringHasSArg(Str, Str + StrLen, 4741 getLangOpts(), 4742 Context.getTargetInfo()); 4743 } 4744 4745 //===--- CHECK: Warn on use of wrong absolute value function. -------------===// 4746 4747 // Returns the related absolute value function that is larger, of 0 if one 4748 // does not exist. 4749 static unsigned getLargerAbsoluteValueFunction(unsigned AbsFunction) { 4750 switch (AbsFunction) { 4751 default: 4752 return 0; 4753 4754 case Builtin::BI__builtin_abs: 4755 return Builtin::BI__builtin_labs; 4756 case Builtin::BI__builtin_labs: 4757 return Builtin::BI__builtin_llabs; 4758 case Builtin::BI__builtin_llabs: 4759 return 0; 4760 4761 case Builtin::BI__builtin_fabsf: 4762 return Builtin::BI__builtin_fabs; 4763 case Builtin::BI__builtin_fabs: 4764 return Builtin::BI__builtin_fabsl; 4765 case Builtin::BI__builtin_fabsl: 4766 return 0; 4767 4768 case Builtin::BI__builtin_cabsf: 4769 return Builtin::BI__builtin_cabs; 4770 case Builtin::BI__builtin_cabs: 4771 return Builtin::BI__builtin_cabsl; 4772 case Builtin::BI__builtin_cabsl: 4773 return 0; 4774 4775 case Builtin::BIabs: 4776 return Builtin::BIlabs; 4777 case Builtin::BIlabs: 4778 return Builtin::BIllabs; 4779 case Builtin::BIllabs: 4780 return 0; 4781 4782 case Builtin::BIfabsf: 4783 return Builtin::BIfabs; 4784 case Builtin::BIfabs: 4785 return Builtin::BIfabsl; 4786 case Builtin::BIfabsl: 4787 return 0; 4788 4789 case Builtin::BIcabsf: 4790 return Builtin::BIcabs; 4791 case Builtin::BIcabs: 4792 return Builtin::BIcabsl; 4793 case Builtin::BIcabsl: 4794 return 0; 4795 } 4796 } 4797 4798 // Returns the argument type of the absolute value function. 4799 static QualType getAbsoluteValueArgumentType(ASTContext &Context, 4800 unsigned AbsType) { 4801 if (AbsType == 0) 4802 return QualType(); 4803 4804 ASTContext::GetBuiltinTypeError Error = ASTContext::GE_None; 4805 QualType BuiltinType = Context.GetBuiltinType(AbsType, Error); 4806 if (Error != ASTContext::GE_None) 4807 return QualType(); 4808 4809 const FunctionProtoType *FT = BuiltinType->getAs<FunctionProtoType>(); 4810 if (!FT) 4811 return QualType(); 4812 4813 if (FT->getNumParams() != 1) 4814 return QualType(); 4815 4816 return FT->getParamType(0); 4817 } 4818 4819 // Returns the best absolute value function, or zero, based on type and 4820 // current absolute value function. 4821 static unsigned getBestAbsFunction(ASTContext &Context, QualType ArgType, 4822 unsigned AbsFunctionKind) { 4823 unsigned BestKind = 0; 4824 uint64_t ArgSize = Context.getTypeSize(ArgType); 4825 for (unsigned Kind = AbsFunctionKind; Kind != 0; 4826 Kind = getLargerAbsoluteValueFunction(Kind)) { 4827 QualType ParamType = getAbsoluteValueArgumentType(Context, Kind); 4828 if (Context.getTypeSize(ParamType) >= ArgSize) { 4829 if (BestKind == 0) 4830 BestKind = Kind; 4831 else if (Context.hasSameType(ParamType, ArgType)) { 4832 BestKind = Kind; 4833 break; 4834 } 4835 } 4836 } 4837 return BestKind; 4838 } 4839 4840 enum AbsoluteValueKind { 4841 AVK_Integer, 4842 AVK_Floating, 4843 AVK_Complex 4844 }; 4845 4846 static AbsoluteValueKind getAbsoluteValueKind(QualType T) { 4847 if (T->isIntegralOrEnumerationType()) 4848 return AVK_Integer; 4849 if (T->isRealFloatingType()) 4850 return AVK_Floating; 4851 if (T->isAnyComplexType()) 4852 return AVK_Complex; 4853 4854 llvm_unreachable("Type not integer, floating, or complex"); 4855 } 4856 4857 // Changes the absolute value function to a different type. Preserves whether 4858 // the function is a builtin. 4859 static unsigned changeAbsFunction(unsigned AbsKind, 4860 AbsoluteValueKind ValueKind) { 4861 switch (ValueKind) { 4862 case AVK_Integer: 4863 switch (AbsKind) { 4864 default: 4865 return 0; 4866 case Builtin::BI__builtin_fabsf: 4867 case Builtin::BI__builtin_fabs: 4868 case Builtin::BI__builtin_fabsl: 4869 case Builtin::BI__builtin_cabsf: 4870 case Builtin::BI__builtin_cabs: 4871 case Builtin::BI__builtin_cabsl: 4872 return Builtin::BI__builtin_abs; 4873 case Builtin::BIfabsf: 4874 case Builtin::BIfabs: 4875 case Builtin::BIfabsl: 4876 case Builtin::BIcabsf: 4877 case Builtin::BIcabs: 4878 case Builtin::BIcabsl: 4879 return Builtin::BIabs; 4880 } 4881 case AVK_Floating: 4882 switch (AbsKind) { 4883 default: 4884 return 0; 4885 case Builtin::BI__builtin_abs: 4886 case Builtin::BI__builtin_labs: 4887 case Builtin::BI__builtin_llabs: 4888 case Builtin::BI__builtin_cabsf: 4889 case Builtin::BI__builtin_cabs: 4890 case Builtin::BI__builtin_cabsl: 4891 return Builtin::BI__builtin_fabsf; 4892 case Builtin::BIabs: 4893 case Builtin::BIlabs: 4894 case Builtin::BIllabs: 4895 case Builtin::BIcabsf: 4896 case Builtin::BIcabs: 4897 case Builtin::BIcabsl: 4898 return Builtin::BIfabsf; 4899 } 4900 case AVK_Complex: 4901 switch (AbsKind) { 4902 default: 4903 return 0; 4904 case Builtin::BI__builtin_abs: 4905 case Builtin::BI__builtin_labs: 4906 case Builtin::BI__builtin_llabs: 4907 case Builtin::BI__builtin_fabsf: 4908 case Builtin::BI__builtin_fabs: 4909 case Builtin::BI__builtin_fabsl: 4910 return Builtin::BI__builtin_cabsf; 4911 case Builtin::BIabs: 4912 case Builtin::BIlabs: 4913 case Builtin::BIllabs: 4914 case Builtin::BIfabsf: 4915 case Builtin::BIfabs: 4916 case Builtin::BIfabsl: 4917 return Builtin::BIcabsf; 4918 } 4919 } 4920 llvm_unreachable("Unable to convert function"); 4921 } 4922 4923 static unsigned getAbsoluteValueFunctionKind(const FunctionDecl *FDecl) { 4924 const IdentifierInfo *FnInfo = FDecl->getIdentifier(); 4925 if (!FnInfo) 4926 return 0; 4927 4928 switch (FDecl->getBuiltinID()) { 4929 default: 4930 return 0; 4931 case Builtin::BI__builtin_abs: 4932 case Builtin::BI__builtin_fabs: 4933 case Builtin::BI__builtin_fabsf: 4934 case Builtin::BI__builtin_fabsl: 4935 case Builtin::BI__builtin_labs: 4936 case Builtin::BI__builtin_llabs: 4937 case Builtin::BI__builtin_cabs: 4938 case Builtin::BI__builtin_cabsf: 4939 case Builtin::BI__builtin_cabsl: 4940 case Builtin::BIabs: 4941 case Builtin::BIlabs: 4942 case Builtin::BIllabs: 4943 case Builtin::BIfabs: 4944 case Builtin::BIfabsf: 4945 case Builtin::BIfabsl: 4946 case Builtin::BIcabs: 4947 case Builtin::BIcabsf: 4948 case Builtin::BIcabsl: 4949 return FDecl->getBuiltinID(); 4950 } 4951 llvm_unreachable("Unknown Builtin type"); 4952 } 4953 4954 // If the replacement is valid, emit a note with replacement function. 4955 // Additionally, suggest including the proper header if not already included. 4956 static void emitReplacement(Sema &S, SourceLocation Loc, SourceRange Range, 4957 unsigned AbsKind, QualType ArgType) { 4958 bool EmitHeaderHint = true; 4959 const char *HeaderName = nullptr; 4960 const char *FunctionName = nullptr; 4961 if (S.getLangOpts().CPlusPlus && !ArgType->isAnyComplexType()) { 4962 FunctionName = "std::abs"; 4963 if (ArgType->isIntegralOrEnumerationType()) { 4964 HeaderName = "cstdlib"; 4965 } else if (ArgType->isRealFloatingType()) { 4966 HeaderName = "cmath"; 4967 } else { 4968 llvm_unreachable("Invalid Type"); 4969 } 4970 4971 // Lookup all std::abs 4972 if (NamespaceDecl *Std = S.getStdNamespace()) { 4973 LookupResult R(S, &S.Context.Idents.get("abs"), Loc, Sema::LookupAnyName); 4974 R.suppressDiagnostics(); 4975 S.LookupQualifiedName(R, Std); 4976 4977 for (const auto *I : R) { 4978 const FunctionDecl *FDecl = nullptr; 4979 if (const UsingShadowDecl *UsingD = dyn_cast<UsingShadowDecl>(I)) { 4980 FDecl = dyn_cast<FunctionDecl>(UsingD->getTargetDecl()); 4981 } else { 4982 FDecl = dyn_cast<FunctionDecl>(I); 4983 } 4984 if (!FDecl) 4985 continue; 4986 4987 // Found std::abs(), check that they are the right ones. 4988 if (FDecl->getNumParams() != 1) 4989 continue; 4990 4991 // Check that the parameter type can handle the argument. 4992 QualType ParamType = FDecl->getParamDecl(0)->getType(); 4993 if (getAbsoluteValueKind(ArgType) == getAbsoluteValueKind(ParamType) && 4994 S.Context.getTypeSize(ArgType) <= 4995 S.Context.getTypeSize(ParamType)) { 4996 // Found a function, don't need the header hint. 4997 EmitHeaderHint = false; 4998 break; 4999 } 5000 } 5001 } 5002 } else { 5003 FunctionName = S.Context.BuiltinInfo.getName(AbsKind); 5004 HeaderName = S.Context.BuiltinInfo.getHeaderName(AbsKind); 5005 5006 if (HeaderName) { 5007 DeclarationName DN(&S.Context.Idents.get(FunctionName)); 5008 LookupResult R(S, DN, Loc, Sema::LookupAnyName); 5009 R.suppressDiagnostics(); 5010 S.LookupName(R, S.getCurScope()); 5011 5012 if (R.isSingleResult()) { 5013 FunctionDecl *FD = dyn_cast<FunctionDecl>(R.getFoundDecl()); 5014 if (FD && FD->getBuiltinID() == AbsKind) { 5015 EmitHeaderHint = false; 5016 } else { 5017 return; 5018 } 5019 } else if (!R.empty()) { 5020 return; 5021 } 5022 } 5023 } 5024 5025 S.Diag(Loc, diag::note_replace_abs_function) 5026 << FunctionName << FixItHint::CreateReplacement(Range, FunctionName); 5027 5028 if (!HeaderName) 5029 return; 5030 5031 if (!EmitHeaderHint) 5032 return; 5033 5034 S.Diag(Loc, diag::note_include_header_or_declare) << HeaderName 5035 << FunctionName; 5036 } 5037 5038 static bool IsFunctionStdAbs(const FunctionDecl *FDecl) { 5039 if (!FDecl) 5040 return false; 5041 5042 if (!FDecl->getIdentifier() || !FDecl->getIdentifier()->isStr("abs")) 5043 return false; 5044 5045 const NamespaceDecl *ND = dyn_cast<NamespaceDecl>(FDecl->getDeclContext()); 5046 5047 while (ND && ND->isInlineNamespace()) { 5048 ND = dyn_cast<NamespaceDecl>(ND->getDeclContext()); 5049 } 5050 5051 if (!ND || !ND->getIdentifier() || !ND->getIdentifier()->isStr("std")) 5052 return false; 5053 5054 if (!isa<TranslationUnitDecl>(ND->getDeclContext())) 5055 return false; 5056 5057 return true; 5058 } 5059 5060 // Warn when using the wrong abs() function. 5061 void Sema::CheckAbsoluteValueFunction(const CallExpr *Call, 5062 const FunctionDecl *FDecl, 5063 IdentifierInfo *FnInfo) { 5064 if (Call->getNumArgs() != 1) 5065 return; 5066 5067 unsigned AbsKind = getAbsoluteValueFunctionKind(FDecl); 5068 bool IsStdAbs = IsFunctionStdAbs(FDecl); 5069 if (AbsKind == 0 && !IsStdAbs) 5070 return; 5071 5072 QualType ArgType = Call->getArg(0)->IgnoreParenImpCasts()->getType(); 5073 QualType ParamType = Call->getArg(0)->getType(); 5074 5075 // Unsigned types cannot be negative. Suggest removing the absolute value 5076 // function call. 5077 if (ArgType->isUnsignedIntegerType()) { 5078 const char *FunctionName = 5079 IsStdAbs ? "std::abs" : Context.BuiltinInfo.getName(AbsKind); 5080 Diag(Call->getExprLoc(), diag::warn_unsigned_abs) << ArgType << ParamType; 5081 Diag(Call->getExprLoc(), diag::note_remove_abs) 5082 << FunctionName 5083 << FixItHint::CreateRemoval(Call->getCallee()->getSourceRange()); 5084 return; 5085 } 5086 5087 // Taking the absolute value of a pointer is very suspicious, they probably 5088 // wanted to index into an array, dereference a pointer, call a function, etc. 5089 if (ArgType->isPointerType() || ArgType->canDecayToPointerType()) { 5090 unsigned DiagType = 0; 5091 if (ArgType->isFunctionType()) 5092 DiagType = 1; 5093 else if (ArgType->isArrayType()) 5094 DiagType = 2; 5095 5096 Diag(Call->getExprLoc(), diag::warn_pointer_abs) << DiagType << ArgType; 5097 return; 5098 } 5099 5100 // std::abs has overloads which prevent most of the absolute value problems 5101 // from occurring. 5102 if (IsStdAbs) 5103 return; 5104 5105 AbsoluteValueKind ArgValueKind = getAbsoluteValueKind(ArgType); 5106 AbsoluteValueKind ParamValueKind = getAbsoluteValueKind(ParamType); 5107 5108 // The argument and parameter are the same kind. Check if they are the right 5109 // size. 5110 if (ArgValueKind == ParamValueKind) { 5111 if (Context.getTypeSize(ArgType) <= Context.getTypeSize(ParamType)) 5112 return; 5113 5114 unsigned NewAbsKind = getBestAbsFunction(Context, ArgType, AbsKind); 5115 Diag(Call->getExprLoc(), diag::warn_abs_too_small) 5116 << FDecl << ArgType << ParamType; 5117 5118 if (NewAbsKind == 0) 5119 return; 5120 5121 emitReplacement(*this, Call->getExprLoc(), 5122 Call->getCallee()->getSourceRange(), NewAbsKind, ArgType); 5123 return; 5124 } 5125 5126 // ArgValueKind != ParamValueKind 5127 // The wrong type of absolute value function was used. Attempt to find the 5128 // proper one. 5129 unsigned NewAbsKind = changeAbsFunction(AbsKind, ArgValueKind); 5130 NewAbsKind = getBestAbsFunction(Context, ArgType, NewAbsKind); 5131 if (NewAbsKind == 0) 5132 return; 5133 5134 Diag(Call->getExprLoc(), diag::warn_wrong_absolute_value_type) 5135 << FDecl << ParamValueKind << ArgValueKind; 5136 5137 emitReplacement(*this, Call->getExprLoc(), 5138 Call->getCallee()->getSourceRange(), NewAbsKind, ArgType); 5139 return; 5140 } 5141 5142 //===--- CHECK: Standard memory functions ---------------------------------===// 5143 5144 /// \brief Takes the expression passed to the size_t parameter of functions 5145 /// such as memcmp, strncat, etc and warns if it's a comparison. 5146 /// 5147 /// This is to catch typos like `if (memcmp(&a, &b, sizeof(a) > 0))`. 5148 static bool CheckMemorySizeofForComparison(Sema &S, const Expr *E, 5149 IdentifierInfo *FnName, 5150 SourceLocation FnLoc, 5151 SourceLocation RParenLoc) { 5152 const BinaryOperator *Size = dyn_cast<BinaryOperator>(E); 5153 if (!Size) 5154 return false; 5155 5156 // if E is binop and op is >, <, >=, <=, ==, &&, ||: 5157 if (!Size->isComparisonOp() && !Size->isEqualityOp() && !Size->isLogicalOp()) 5158 return false; 5159 5160 SourceRange SizeRange = Size->getSourceRange(); 5161 S.Diag(Size->getOperatorLoc(), diag::warn_memsize_comparison) 5162 << SizeRange << FnName; 5163 S.Diag(FnLoc, diag::note_memsize_comparison_paren) 5164 << FnName << FixItHint::CreateInsertion( 5165 S.getLocForEndOfToken(Size->getLHS()->getLocEnd()), ")") 5166 << FixItHint::CreateRemoval(RParenLoc); 5167 S.Diag(SizeRange.getBegin(), diag::note_memsize_comparison_cast_silence) 5168 << FixItHint::CreateInsertion(SizeRange.getBegin(), "(size_t)(") 5169 << FixItHint::CreateInsertion(S.getLocForEndOfToken(SizeRange.getEnd()), 5170 ")"); 5171 5172 return true; 5173 } 5174 5175 /// \brief Determine whether the given type is or contains a dynamic class type 5176 /// (e.g., whether it has a vtable). 5177 static const CXXRecordDecl *getContainedDynamicClass(QualType T, 5178 bool &IsContained) { 5179 // Look through array types while ignoring qualifiers. 5180 const Type *Ty = T->getBaseElementTypeUnsafe(); 5181 IsContained = false; 5182 5183 const CXXRecordDecl *RD = Ty->getAsCXXRecordDecl(); 5184 RD = RD ? RD->getDefinition() : nullptr; 5185 if (!RD) 5186 return nullptr; 5187 5188 if (RD->isDynamicClass()) 5189 return RD; 5190 5191 // Check all the fields. If any bases were dynamic, the class is dynamic. 5192 // It's impossible for a class to transitively contain itself by value, so 5193 // infinite recursion is impossible. 5194 for (auto *FD : RD->fields()) { 5195 bool SubContained; 5196 if (const CXXRecordDecl *ContainedRD = 5197 getContainedDynamicClass(FD->getType(), SubContained)) { 5198 IsContained = true; 5199 return ContainedRD; 5200 } 5201 } 5202 5203 return nullptr; 5204 } 5205 5206 /// \brief If E is a sizeof expression, returns its argument expression, 5207 /// otherwise returns NULL. 5208 static const Expr *getSizeOfExprArg(const Expr *E) { 5209 if (const UnaryExprOrTypeTraitExpr *SizeOf = 5210 dyn_cast<UnaryExprOrTypeTraitExpr>(E)) 5211 if (SizeOf->getKind() == clang::UETT_SizeOf && !SizeOf->isArgumentType()) 5212 return SizeOf->getArgumentExpr()->IgnoreParenImpCasts(); 5213 5214 return nullptr; 5215 } 5216 5217 /// \brief If E is a sizeof expression, returns its argument type. 5218 static QualType getSizeOfArgType(const Expr *E) { 5219 if (const UnaryExprOrTypeTraitExpr *SizeOf = 5220 dyn_cast<UnaryExprOrTypeTraitExpr>(E)) 5221 if (SizeOf->getKind() == clang::UETT_SizeOf) 5222 return SizeOf->getTypeOfArgument(); 5223 5224 return QualType(); 5225 } 5226 5227 /// \brief Check for dangerous or invalid arguments to memset(). 5228 /// 5229 /// This issues warnings on known problematic, dangerous or unspecified 5230 /// arguments to the standard 'memset', 'memcpy', 'memmove', and 'memcmp' 5231 /// function calls. 5232 /// 5233 /// \param Call The call expression to diagnose. 5234 void Sema::CheckMemaccessArguments(const CallExpr *Call, 5235 unsigned BId, 5236 IdentifierInfo *FnName) { 5237 assert(BId != 0); 5238 5239 // It is possible to have a non-standard definition of memset. Validate 5240 // we have enough arguments, and if not, abort further checking. 5241 unsigned ExpectedNumArgs = (BId == Builtin::BIstrndup ? 2 : 3); 5242 if (Call->getNumArgs() < ExpectedNumArgs) 5243 return; 5244 5245 unsigned LastArg = (BId == Builtin::BImemset || 5246 BId == Builtin::BIstrndup ? 1 : 2); 5247 unsigned LenArg = (BId == Builtin::BIstrndup ? 1 : 2); 5248 const Expr *LenExpr = Call->getArg(LenArg)->IgnoreParenImpCasts(); 5249 5250 if (CheckMemorySizeofForComparison(*this, LenExpr, FnName, 5251 Call->getLocStart(), Call->getRParenLoc())) 5252 return; 5253 5254 // We have special checking when the length is a sizeof expression. 5255 QualType SizeOfArgTy = getSizeOfArgType(LenExpr); 5256 const Expr *SizeOfArg = getSizeOfExprArg(LenExpr); 5257 llvm::FoldingSetNodeID SizeOfArgID; 5258 5259 for (unsigned ArgIdx = 0; ArgIdx != LastArg; ++ArgIdx) { 5260 const Expr *Dest = Call->getArg(ArgIdx)->IgnoreParenImpCasts(); 5261 SourceRange ArgRange = Call->getArg(ArgIdx)->getSourceRange(); 5262 5263 QualType DestTy = Dest->getType(); 5264 QualType PointeeTy; 5265 if (const PointerType *DestPtrTy = DestTy->getAs<PointerType>()) { 5266 PointeeTy = DestPtrTy->getPointeeType(); 5267 5268 // Never warn about void type pointers. This can be used to suppress 5269 // false positives. 5270 if (PointeeTy->isVoidType()) 5271 continue; 5272 5273 // Catch "memset(p, 0, sizeof(p))" -- needs to be sizeof(*p). Do this by 5274 // actually comparing the expressions for equality. Because computing the 5275 // expression IDs can be expensive, we only do this if the diagnostic is 5276 // enabled. 5277 if (SizeOfArg && 5278 !Diags.isIgnored(diag::warn_sizeof_pointer_expr_memaccess, 5279 SizeOfArg->getExprLoc())) { 5280 // We only compute IDs for expressions if the warning is enabled, and 5281 // cache the sizeof arg's ID. 5282 if (SizeOfArgID == llvm::FoldingSetNodeID()) 5283 SizeOfArg->Profile(SizeOfArgID, Context, true); 5284 llvm::FoldingSetNodeID DestID; 5285 Dest->Profile(DestID, Context, true); 5286 if (DestID == SizeOfArgID) { 5287 // TODO: For strncpy() and friends, this could suggest sizeof(dst) 5288 // over sizeof(src) as well. 5289 unsigned ActionIdx = 0; // Default is to suggest dereferencing. 5290 StringRef ReadableName = FnName->getName(); 5291 5292 if (const UnaryOperator *UnaryOp = dyn_cast<UnaryOperator>(Dest)) 5293 if (UnaryOp->getOpcode() == UO_AddrOf) 5294 ActionIdx = 1; // If its an address-of operator, just remove it. 5295 if (!PointeeTy->isIncompleteType() && 5296 (Context.getTypeSize(PointeeTy) == Context.getCharWidth())) 5297 ActionIdx = 2; // If the pointee's size is sizeof(char), 5298 // suggest an explicit length. 5299 5300 // If the function is defined as a builtin macro, do not show macro 5301 // expansion. 5302 SourceLocation SL = SizeOfArg->getExprLoc(); 5303 SourceRange DSR = Dest->getSourceRange(); 5304 SourceRange SSR = SizeOfArg->getSourceRange(); 5305 SourceManager &SM = getSourceManager(); 5306 5307 if (SM.isMacroArgExpansion(SL)) { 5308 ReadableName = Lexer::getImmediateMacroName(SL, SM, LangOpts); 5309 SL = SM.getSpellingLoc(SL); 5310 DSR = SourceRange(SM.getSpellingLoc(DSR.getBegin()), 5311 SM.getSpellingLoc(DSR.getEnd())); 5312 SSR = SourceRange(SM.getSpellingLoc(SSR.getBegin()), 5313 SM.getSpellingLoc(SSR.getEnd())); 5314 } 5315 5316 DiagRuntimeBehavior(SL, SizeOfArg, 5317 PDiag(diag::warn_sizeof_pointer_expr_memaccess) 5318 << ReadableName 5319 << PointeeTy 5320 << DestTy 5321 << DSR 5322 << SSR); 5323 DiagRuntimeBehavior(SL, SizeOfArg, 5324 PDiag(diag::warn_sizeof_pointer_expr_memaccess_note) 5325 << ActionIdx 5326 << SSR); 5327 5328 break; 5329 } 5330 } 5331 5332 // Also check for cases where the sizeof argument is the exact same 5333 // type as the memory argument, and where it points to a user-defined 5334 // record type. 5335 if (SizeOfArgTy != QualType()) { 5336 if (PointeeTy->isRecordType() && 5337 Context.typesAreCompatible(SizeOfArgTy, DestTy)) { 5338 DiagRuntimeBehavior(LenExpr->getExprLoc(), Dest, 5339 PDiag(diag::warn_sizeof_pointer_type_memaccess) 5340 << FnName << SizeOfArgTy << ArgIdx 5341 << PointeeTy << Dest->getSourceRange() 5342 << LenExpr->getSourceRange()); 5343 break; 5344 } 5345 } 5346 } else if (DestTy->isArrayType()) { 5347 PointeeTy = DestTy; 5348 } 5349 5350 if (PointeeTy == QualType()) 5351 continue; 5352 5353 // Always complain about dynamic classes. 5354 bool IsContained; 5355 if (const CXXRecordDecl *ContainedRD = 5356 getContainedDynamicClass(PointeeTy, IsContained)) { 5357 5358 unsigned OperationType = 0; 5359 // "overwritten" if we're warning about the destination for any call 5360 // but memcmp; otherwise a verb appropriate to the call. 5361 if (ArgIdx != 0 || BId == Builtin::BImemcmp) { 5362 if (BId == Builtin::BImemcpy) 5363 OperationType = 1; 5364 else if(BId == Builtin::BImemmove) 5365 OperationType = 2; 5366 else if (BId == Builtin::BImemcmp) 5367 OperationType = 3; 5368 } 5369 5370 DiagRuntimeBehavior( 5371 Dest->getExprLoc(), Dest, 5372 PDiag(diag::warn_dyn_class_memaccess) 5373 << (BId == Builtin::BImemcmp ? ArgIdx + 2 : ArgIdx) 5374 << FnName << IsContained << ContainedRD << OperationType 5375 << Call->getCallee()->getSourceRange()); 5376 } else if (PointeeTy.hasNonTrivialObjCLifetime() && 5377 BId != Builtin::BImemset) 5378 DiagRuntimeBehavior( 5379 Dest->getExprLoc(), Dest, 5380 PDiag(diag::warn_arc_object_memaccess) 5381 << ArgIdx << FnName << PointeeTy 5382 << Call->getCallee()->getSourceRange()); 5383 else 5384 continue; 5385 5386 DiagRuntimeBehavior( 5387 Dest->getExprLoc(), Dest, 5388 PDiag(diag::note_bad_memaccess_silence) 5389 << FixItHint::CreateInsertion(ArgRange.getBegin(), "(void*)")); 5390 break; 5391 } 5392 5393 } 5394 5395 // A little helper routine: ignore addition and subtraction of integer literals. 5396 // This intentionally does not ignore all integer constant expressions because 5397 // we don't want to remove sizeof(). 5398 static const Expr *ignoreLiteralAdditions(const Expr *Ex, ASTContext &Ctx) { 5399 Ex = Ex->IgnoreParenCasts(); 5400 5401 for (;;) { 5402 const BinaryOperator * BO = dyn_cast<BinaryOperator>(Ex); 5403 if (!BO || !BO->isAdditiveOp()) 5404 break; 5405 5406 const Expr *RHS = BO->getRHS()->IgnoreParenCasts(); 5407 const Expr *LHS = BO->getLHS()->IgnoreParenCasts(); 5408 5409 if (isa<IntegerLiteral>(RHS)) 5410 Ex = LHS; 5411 else if (isa<IntegerLiteral>(LHS)) 5412 Ex = RHS; 5413 else 5414 break; 5415 } 5416 5417 return Ex; 5418 } 5419 5420 static bool isConstantSizeArrayWithMoreThanOneElement(QualType Ty, 5421 ASTContext &Context) { 5422 // Only handle constant-sized or VLAs, but not flexible members. 5423 if (const ConstantArrayType *CAT = Context.getAsConstantArrayType(Ty)) { 5424 // Only issue the FIXIT for arrays of size > 1. 5425 if (CAT->getSize().getSExtValue() <= 1) 5426 return false; 5427 } else if (!Ty->isVariableArrayType()) { 5428 return false; 5429 } 5430 return true; 5431 } 5432 5433 // Warn if the user has made the 'size' argument to strlcpy or strlcat 5434 // be the size of the source, instead of the destination. 5435 void Sema::CheckStrlcpycatArguments(const CallExpr *Call, 5436 IdentifierInfo *FnName) { 5437 5438 // Don't crash if the user has the wrong number of arguments 5439 unsigned NumArgs = Call->getNumArgs(); 5440 if ((NumArgs != 3) && (NumArgs != 4)) 5441 return; 5442 5443 const Expr *SrcArg = ignoreLiteralAdditions(Call->getArg(1), Context); 5444 const Expr *SizeArg = ignoreLiteralAdditions(Call->getArg(2), Context); 5445 const Expr *CompareWithSrc = nullptr; 5446 5447 if (CheckMemorySizeofForComparison(*this, SizeArg, FnName, 5448 Call->getLocStart(), Call->getRParenLoc())) 5449 return; 5450 5451 // Look for 'strlcpy(dst, x, sizeof(x))' 5452 if (const Expr *Ex = getSizeOfExprArg(SizeArg)) 5453 CompareWithSrc = Ex; 5454 else { 5455 // Look for 'strlcpy(dst, x, strlen(x))' 5456 if (const CallExpr *SizeCall = dyn_cast<CallExpr>(SizeArg)) { 5457 if (SizeCall->getBuiltinCallee() == Builtin::BIstrlen && 5458 SizeCall->getNumArgs() == 1) 5459 CompareWithSrc = ignoreLiteralAdditions(SizeCall->getArg(0), Context); 5460 } 5461 } 5462 5463 if (!CompareWithSrc) 5464 return; 5465 5466 // Determine if the argument to sizeof/strlen is equal to the source 5467 // argument. In principle there's all kinds of things you could do 5468 // here, for instance creating an == expression and evaluating it with 5469 // EvaluateAsBooleanCondition, but this uses a more direct technique: 5470 const DeclRefExpr *SrcArgDRE = dyn_cast<DeclRefExpr>(SrcArg); 5471 if (!SrcArgDRE) 5472 return; 5473 5474 const DeclRefExpr *CompareWithSrcDRE = dyn_cast<DeclRefExpr>(CompareWithSrc); 5475 if (!CompareWithSrcDRE || 5476 SrcArgDRE->getDecl() != CompareWithSrcDRE->getDecl()) 5477 return; 5478 5479 const Expr *OriginalSizeArg = Call->getArg(2); 5480 Diag(CompareWithSrcDRE->getLocStart(), diag::warn_strlcpycat_wrong_size) 5481 << OriginalSizeArg->getSourceRange() << FnName; 5482 5483 // Output a FIXIT hint if the destination is an array (rather than a 5484 // pointer to an array). This could be enhanced to handle some 5485 // pointers if we know the actual size, like if DstArg is 'array+2' 5486 // we could say 'sizeof(array)-2'. 5487 const Expr *DstArg = Call->getArg(0)->IgnoreParenImpCasts(); 5488 if (!isConstantSizeArrayWithMoreThanOneElement(DstArg->getType(), Context)) 5489 return; 5490 5491 SmallString<128> sizeString; 5492 llvm::raw_svector_ostream OS(sizeString); 5493 OS << "sizeof("; 5494 DstArg->printPretty(OS, nullptr, getPrintingPolicy()); 5495 OS << ")"; 5496 5497 Diag(OriginalSizeArg->getLocStart(), diag::note_strlcpycat_wrong_size) 5498 << FixItHint::CreateReplacement(OriginalSizeArg->getSourceRange(), 5499 OS.str()); 5500 } 5501 5502 /// Check if two expressions refer to the same declaration. 5503 static bool referToTheSameDecl(const Expr *E1, const Expr *E2) { 5504 if (const DeclRefExpr *D1 = dyn_cast_or_null<DeclRefExpr>(E1)) 5505 if (const DeclRefExpr *D2 = dyn_cast_or_null<DeclRefExpr>(E2)) 5506 return D1->getDecl() == D2->getDecl(); 5507 return false; 5508 } 5509 5510 static const Expr *getStrlenExprArg(const Expr *E) { 5511 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { 5512 const FunctionDecl *FD = CE->getDirectCallee(); 5513 if (!FD || FD->getMemoryFunctionKind() != Builtin::BIstrlen) 5514 return nullptr; 5515 return CE->getArg(0)->IgnoreParenCasts(); 5516 } 5517 return nullptr; 5518 } 5519 5520 // Warn on anti-patterns as the 'size' argument to strncat. 5521 // The correct size argument should look like following: 5522 // strncat(dst, src, sizeof(dst) - strlen(dest) - 1); 5523 void Sema::CheckStrncatArguments(const CallExpr *CE, 5524 IdentifierInfo *FnName) { 5525 // Don't crash if the user has the wrong number of arguments. 5526 if (CE->getNumArgs() < 3) 5527 return; 5528 const Expr *DstArg = CE->getArg(0)->IgnoreParenCasts(); 5529 const Expr *SrcArg = CE->getArg(1)->IgnoreParenCasts(); 5530 const Expr *LenArg = CE->getArg(2)->IgnoreParenCasts(); 5531 5532 if (CheckMemorySizeofForComparison(*this, LenArg, FnName, CE->getLocStart(), 5533 CE->getRParenLoc())) 5534 return; 5535 5536 // Identify common expressions, which are wrongly used as the size argument 5537 // to strncat and may lead to buffer overflows. 5538 unsigned PatternType = 0; 5539 if (const Expr *SizeOfArg = getSizeOfExprArg(LenArg)) { 5540 // - sizeof(dst) 5541 if (referToTheSameDecl(SizeOfArg, DstArg)) 5542 PatternType = 1; 5543 // - sizeof(src) 5544 else if (referToTheSameDecl(SizeOfArg, SrcArg)) 5545 PatternType = 2; 5546 } else if (const BinaryOperator *BE = dyn_cast<BinaryOperator>(LenArg)) { 5547 if (BE->getOpcode() == BO_Sub) { 5548 const Expr *L = BE->getLHS()->IgnoreParenCasts(); 5549 const Expr *R = BE->getRHS()->IgnoreParenCasts(); 5550 // - sizeof(dst) - strlen(dst) 5551 if (referToTheSameDecl(DstArg, getSizeOfExprArg(L)) && 5552 referToTheSameDecl(DstArg, getStrlenExprArg(R))) 5553 PatternType = 1; 5554 // - sizeof(src) - (anything) 5555 else if (referToTheSameDecl(SrcArg, getSizeOfExprArg(L))) 5556 PatternType = 2; 5557 } 5558 } 5559 5560 if (PatternType == 0) 5561 return; 5562 5563 // Generate the diagnostic. 5564 SourceLocation SL = LenArg->getLocStart(); 5565 SourceRange SR = LenArg->getSourceRange(); 5566 SourceManager &SM = getSourceManager(); 5567 5568 // If the function is defined as a builtin macro, do not show macro expansion. 5569 if (SM.isMacroArgExpansion(SL)) { 5570 SL = SM.getSpellingLoc(SL); 5571 SR = SourceRange(SM.getSpellingLoc(SR.getBegin()), 5572 SM.getSpellingLoc(SR.getEnd())); 5573 } 5574 5575 // Check if the destination is an array (rather than a pointer to an array). 5576 QualType DstTy = DstArg->getType(); 5577 bool isKnownSizeArray = isConstantSizeArrayWithMoreThanOneElement(DstTy, 5578 Context); 5579 if (!isKnownSizeArray) { 5580 if (PatternType == 1) 5581 Diag(SL, diag::warn_strncat_wrong_size) << SR; 5582 else 5583 Diag(SL, diag::warn_strncat_src_size) << SR; 5584 return; 5585 } 5586 5587 if (PatternType == 1) 5588 Diag(SL, diag::warn_strncat_large_size) << SR; 5589 else 5590 Diag(SL, diag::warn_strncat_src_size) << SR; 5591 5592 SmallString<128> sizeString; 5593 llvm::raw_svector_ostream OS(sizeString); 5594 OS << "sizeof("; 5595 DstArg->printPretty(OS, nullptr, getPrintingPolicy()); 5596 OS << ") - "; 5597 OS << "strlen("; 5598 DstArg->printPretty(OS, nullptr, getPrintingPolicy()); 5599 OS << ") - 1"; 5600 5601 Diag(SL, diag::note_strncat_wrong_size) 5602 << FixItHint::CreateReplacement(SR, OS.str()); 5603 } 5604 5605 //===--- CHECK: Return Address of Stack Variable --------------------------===// 5606 5607 static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars, 5608 Decl *ParentDecl); 5609 static Expr *EvalAddr(Expr* E, SmallVectorImpl<DeclRefExpr *> &refVars, 5610 Decl *ParentDecl); 5611 5612 /// CheckReturnStackAddr - Check if a return statement returns the address 5613 /// of a stack variable. 5614 static void 5615 CheckReturnStackAddr(Sema &S, Expr *RetValExp, QualType lhsType, 5616 SourceLocation ReturnLoc) { 5617 5618 Expr *stackE = nullptr; 5619 SmallVector<DeclRefExpr *, 8> refVars; 5620 5621 // Perform checking for returned stack addresses, local blocks, 5622 // label addresses or references to temporaries. 5623 if (lhsType->isPointerType() || 5624 (!S.getLangOpts().ObjCAutoRefCount && lhsType->isBlockPointerType())) { 5625 stackE = EvalAddr(RetValExp, refVars, /*ParentDecl=*/nullptr); 5626 } else if (lhsType->isReferenceType()) { 5627 stackE = EvalVal(RetValExp, refVars, /*ParentDecl=*/nullptr); 5628 } 5629 5630 if (!stackE) 5631 return; // Nothing suspicious was found. 5632 5633 SourceLocation diagLoc; 5634 SourceRange diagRange; 5635 if (refVars.empty()) { 5636 diagLoc = stackE->getLocStart(); 5637 diagRange = stackE->getSourceRange(); 5638 } else { 5639 // We followed through a reference variable. 'stackE' contains the 5640 // problematic expression but we will warn at the return statement pointing 5641 // at the reference variable. We will later display the "trail" of 5642 // reference variables using notes. 5643 diagLoc = refVars[0]->getLocStart(); 5644 diagRange = refVars[0]->getSourceRange(); 5645 } 5646 5647 if (DeclRefExpr *DR = dyn_cast<DeclRefExpr>(stackE)) { //address of local var. 5648 S.Diag(diagLoc, diag::warn_ret_stack_addr_ref) << lhsType->isReferenceType() 5649 << DR->getDecl()->getDeclName() << diagRange; 5650 } else if (isa<BlockExpr>(stackE)) { // local block. 5651 S.Diag(diagLoc, diag::err_ret_local_block) << diagRange; 5652 } else if (isa<AddrLabelExpr>(stackE)) { // address of label. 5653 S.Diag(diagLoc, diag::warn_ret_addr_label) << diagRange; 5654 } else { // local temporary. 5655 S.Diag(diagLoc, diag::warn_ret_local_temp_addr_ref) 5656 << lhsType->isReferenceType() << diagRange; 5657 } 5658 5659 // Display the "trail" of reference variables that we followed until we 5660 // found the problematic expression using notes. 5661 for (unsigned i = 0, e = refVars.size(); i != e; ++i) { 5662 VarDecl *VD = cast<VarDecl>(refVars[i]->getDecl()); 5663 // If this var binds to another reference var, show the range of the next 5664 // var, otherwise the var binds to the problematic expression, in which case 5665 // show the range of the expression. 5666 SourceRange range = (i < e-1) ? refVars[i+1]->getSourceRange() 5667 : stackE->getSourceRange(); 5668 S.Diag(VD->getLocation(), diag::note_ref_var_local_bind) 5669 << VD->getDeclName() << range; 5670 } 5671 } 5672 5673 /// EvalAddr - EvalAddr and EvalVal are mutually recursive functions that 5674 /// check if the expression in a return statement evaluates to an address 5675 /// to a location on the stack, a local block, an address of a label, or a 5676 /// reference to local temporary. The recursion is used to traverse the 5677 /// AST of the return expression, with recursion backtracking when we 5678 /// encounter a subexpression that (1) clearly does not lead to one of the 5679 /// above problematic expressions (2) is something we cannot determine leads to 5680 /// a problematic expression based on such local checking. 5681 /// 5682 /// Both EvalAddr and EvalVal follow through reference variables to evaluate 5683 /// the expression that they point to. Such variables are added to the 5684 /// 'refVars' vector so that we know what the reference variable "trail" was. 5685 /// 5686 /// EvalAddr processes expressions that are pointers that are used as 5687 /// references (and not L-values). EvalVal handles all other values. 5688 /// At the base case of the recursion is a check for the above problematic 5689 /// expressions. 5690 /// 5691 /// This implementation handles: 5692 /// 5693 /// * pointer-to-pointer casts 5694 /// * implicit conversions from array references to pointers 5695 /// * taking the address of fields 5696 /// * arbitrary interplay between "&" and "*" operators 5697 /// * pointer arithmetic from an address of a stack variable 5698 /// * taking the address of an array element where the array is on the stack 5699 static Expr *EvalAddr(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars, 5700 Decl *ParentDecl) { 5701 if (E->isTypeDependent()) 5702 return nullptr; 5703 5704 // We should only be called for evaluating pointer expressions. 5705 assert((E->getType()->isAnyPointerType() || 5706 E->getType()->isBlockPointerType() || 5707 E->getType()->isObjCQualifiedIdType()) && 5708 "EvalAddr only works on pointers"); 5709 5710 E = E->IgnoreParens(); 5711 5712 // Our "symbolic interpreter" is just a dispatch off the currently 5713 // viewed AST node. We then recursively traverse the AST by calling 5714 // EvalAddr and EvalVal appropriately. 5715 switch (E->getStmtClass()) { 5716 case Stmt::DeclRefExprClass: { 5717 DeclRefExpr *DR = cast<DeclRefExpr>(E); 5718 5719 // If we leave the immediate function, the lifetime isn't about to end. 5720 if (DR->refersToEnclosingVariableOrCapture()) 5721 return nullptr; 5722 5723 if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) 5724 // If this is a reference variable, follow through to the expression that 5725 // it points to. 5726 if (V->hasLocalStorage() && 5727 V->getType()->isReferenceType() && V->hasInit()) { 5728 // Add the reference variable to the "trail". 5729 refVars.push_back(DR); 5730 return EvalAddr(V->getInit(), refVars, ParentDecl); 5731 } 5732 5733 return nullptr; 5734 } 5735 5736 case Stmt::UnaryOperatorClass: { 5737 // The only unary operator that make sense to handle here 5738 // is AddrOf. All others don't make sense as pointers. 5739 UnaryOperator *U = cast<UnaryOperator>(E); 5740 5741 if (U->getOpcode() == UO_AddrOf) 5742 return EvalVal(U->getSubExpr(), refVars, ParentDecl); 5743 else 5744 return nullptr; 5745 } 5746 5747 case Stmt::BinaryOperatorClass: { 5748 // Handle pointer arithmetic. All other binary operators are not valid 5749 // in this context. 5750 BinaryOperator *B = cast<BinaryOperator>(E); 5751 BinaryOperatorKind op = B->getOpcode(); 5752 5753 if (op != BO_Add && op != BO_Sub) 5754 return nullptr; 5755 5756 Expr *Base = B->getLHS(); 5757 5758 // Determine which argument is the real pointer base. It could be 5759 // the RHS argument instead of the LHS. 5760 if (!Base->getType()->isPointerType()) Base = B->getRHS(); 5761 5762 assert (Base->getType()->isPointerType()); 5763 return EvalAddr(Base, refVars, ParentDecl); 5764 } 5765 5766 // For conditional operators we need to see if either the LHS or RHS are 5767 // valid DeclRefExpr*s. If one of them is valid, we return it. 5768 case Stmt::ConditionalOperatorClass: { 5769 ConditionalOperator *C = cast<ConditionalOperator>(E); 5770 5771 // Handle the GNU extension for missing LHS. 5772 // FIXME: That isn't a ConditionalOperator, so doesn't get here. 5773 if (Expr *LHSExpr = C->getLHS()) { 5774 // In C++, we can have a throw-expression, which has 'void' type. 5775 if (!LHSExpr->getType()->isVoidType()) 5776 if (Expr *LHS = EvalAddr(LHSExpr, refVars, ParentDecl)) 5777 return LHS; 5778 } 5779 5780 // In C++, we can have a throw-expression, which has 'void' type. 5781 if (C->getRHS()->getType()->isVoidType()) 5782 return nullptr; 5783 5784 return EvalAddr(C->getRHS(), refVars, ParentDecl); 5785 } 5786 5787 case Stmt::BlockExprClass: 5788 if (cast<BlockExpr>(E)->getBlockDecl()->hasCaptures()) 5789 return E; // local block. 5790 return nullptr; 5791 5792 case Stmt::AddrLabelExprClass: 5793 return E; // address of label. 5794 5795 case Stmt::ExprWithCleanupsClass: 5796 return EvalAddr(cast<ExprWithCleanups>(E)->getSubExpr(), refVars, 5797 ParentDecl); 5798 5799 // For casts, we need to handle conversions from arrays to 5800 // pointer values, and pointer-to-pointer conversions. 5801 case Stmt::ImplicitCastExprClass: 5802 case Stmt::CStyleCastExprClass: 5803 case Stmt::CXXFunctionalCastExprClass: 5804 case Stmt::ObjCBridgedCastExprClass: 5805 case Stmt::CXXStaticCastExprClass: 5806 case Stmt::CXXDynamicCastExprClass: 5807 case Stmt::CXXConstCastExprClass: 5808 case Stmt::CXXReinterpretCastExprClass: { 5809 Expr* SubExpr = cast<CastExpr>(E)->getSubExpr(); 5810 switch (cast<CastExpr>(E)->getCastKind()) { 5811 case CK_LValueToRValue: 5812 case CK_NoOp: 5813 case CK_BaseToDerived: 5814 case CK_DerivedToBase: 5815 case CK_UncheckedDerivedToBase: 5816 case CK_Dynamic: 5817 case CK_CPointerToObjCPointerCast: 5818 case CK_BlockPointerToObjCPointerCast: 5819 case CK_AnyPointerToBlockPointerCast: 5820 return EvalAddr(SubExpr, refVars, ParentDecl); 5821 5822 case CK_ArrayToPointerDecay: 5823 return EvalVal(SubExpr, refVars, ParentDecl); 5824 5825 case CK_BitCast: 5826 if (SubExpr->getType()->isAnyPointerType() || 5827 SubExpr->getType()->isBlockPointerType() || 5828 SubExpr->getType()->isObjCQualifiedIdType()) 5829 return EvalAddr(SubExpr, refVars, ParentDecl); 5830 else 5831 return nullptr; 5832 5833 default: 5834 return nullptr; 5835 } 5836 } 5837 5838 case Stmt::MaterializeTemporaryExprClass: 5839 if (Expr *Result = EvalAddr( 5840 cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(), 5841 refVars, ParentDecl)) 5842 return Result; 5843 5844 return E; 5845 5846 // Everything else: we simply don't reason about them. 5847 default: 5848 return nullptr; 5849 } 5850 } 5851 5852 5853 /// EvalVal - This function is complements EvalAddr in the mutual recursion. 5854 /// See the comments for EvalAddr for more details. 5855 static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars, 5856 Decl *ParentDecl) { 5857 do { 5858 // We should only be called for evaluating non-pointer expressions, or 5859 // expressions with a pointer type that are not used as references but instead 5860 // are l-values (e.g., DeclRefExpr with a pointer type). 5861 5862 // Our "symbolic interpreter" is just a dispatch off the currently 5863 // viewed AST node. We then recursively traverse the AST by calling 5864 // EvalAddr and EvalVal appropriately. 5865 5866 E = E->IgnoreParens(); 5867 switch (E->getStmtClass()) { 5868 case Stmt::ImplicitCastExprClass: { 5869 ImplicitCastExpr *IE = cast<ImplicitCastExpr>(E); 5870 if (IE->getValueKind() == VK_LValue) { 5871 E = IE->getSubExpr(); 5872 continue; 5873 } 5874 return nullptr; 5875 } 5876 5877 case Stmt::ExprWithCleanupsClass: 5878 return EvalVal(cast<ExprWithCleanups>(E)->getSubExpr(), refVars,ParentDecl); 5879 5880 case Stmt::DeclRefExprClass: { 5881 // When we hit a DeclRefExpr we are looking at code that refers to a 5882 // variable's name. If it's not a reference variable we check if it has 5883 // local storage within the function, and if so, return the expression. 5884 DeclRefExpr *DR = cast<DeclRefExpr>(E); 5885 5886 // If we leave the immediate function, the lifetime isn't about to end. 5887 if (DR->refersToEnclosingVariableOrCapture()) 5888 return nullptr; 5889 5890 if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) { 5891 // Check if it refers to itself, e.g. "int& i = i;". 5892 if (V == ParentDecl) 5893 return DR; 5894 5895 if (V->hasLocalStorage()) { 5896 if (!V->getType()->isReferenceType()) 5897 return DR; 5898 5899 // Reference variable, follow through to the expression that 5900 // it points to. 5901 if (V->hasInit()) { 5902 // Add the reference variable to the "trail". 5903 refVars.push_back(DR); 5904 return EvalVal(V->getInit(), refVars, V); 5905 } 5906 } 5907 } 5908 5909 return nullptr; 5910 } 5911 5912 case Stmt::UnaryOperatorClass: { 5913 // The only unary operator that make sense to handle here 5914 // is Deref. All others don't resolve to a "name." This includes 5915 // handling all sorts of rvalues passed to a unary operator. 5916 UnaryOperator *U = cast<UnaryOperator>(E); 5917 5918 if (U->getOpcode() == UO_Deref) 5919 return EvalAddr(U->getSubExpr(), refVars, ParentDecl); 5920 5921 return nullptr; 5922 } 5923 5924 case Stmt::ArraySubscriptExprClass: { 5925 // Array subscripts are potential references to data on the stack. We 5926 // retrieve the DeclRefExpr* for the array variable if it indeed 5927 // has local storage. 5928 return EvalAddr(cast<ArraySubscriptExpr>(E)->getBase(), refVars,ParentDecl); 5929 } 5930 5931 case Stmt::OMPArraySectionExprClass: { 5932 return EvalAddr(cast<OMPArraySectionExpr>(E)->getBase(), refVars, 5933 ParentDecl); 5934 } 5935 5936 case Stmt::ConditionalOperatorClass: { 5937 // For conditional operators we need to see if either the LHS or RHS are 5938 // non-NULL Expr's. If one is non-NULL, we return it. 5939 ConditionalOperator *C = cast<ConditionalOperator>(E); 5940 5941 // Handle the GNU extension for missing LHS. 5942 if (Expr *LHSExpr = C->getLHS()) { 5943 // In C++, we can have a throw-expression, which has 'void' type. 5944 if (!LHSExpr->getType()->isVoidType()) 5945 if (Expr *LHS = EvalVal(LHSExpr, refVars, ParentDecl)) 5946 return LHS; 5947 } 5948 5949 // In C++, we can have a throw-expression, which has 'void' type. 5950 if (C->getRHS()->getType()->isVoidType()) 5951 return nullptr; 5952 5953 return EvalVal(C->getRHS(), refVars, ParentDecl); 5954 } 5955 5956 // Accesses to members are potential references to data on the stack. 5957 case Stmt::MemberExprClass: { 5958 MemberExpr *M = cast<MemberExpr>(E); 5959 5960 // Check for indirect access. We only want direct field accesses. 5961 if (M->isArrow()) 5962 return nullptr; 5963 5964 // Check whether the member type is itself a reference, in which case 5965 // we're not going to refer to the member, but to what the member refers to. 5966 if (M->getMemberDecl()->getType()->isReferenceType()) 5967 return nullptr; 5968 5969 return EvalVal(M->getBase(), refVars, ParentDecl); 5970 } 5971 5972 case Stmt::MaterializeTemporaryExprClass: 5973 if (Expr *Result = EvalVal( 5974 cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(), 5975 refVars, ParentDecl)) 5976 return Result; 5977 5978 return E; 5979 5980 default: 5981 // Check that we don't return or take the address of a reference to a 5982 // temporary. This is only useful in C++. 5983 if (!E->isTypeDependent() && E->isRValue()) 5984 return E; 5985 5986 // Everything else: we simply don't reason about them. 5987 return nullptr; 5988 } 5989 } while (true); 5990 } 5991 5992 void 5993 Sema::CheckReturnValExpr(Expr *RetValExp, QualType lhsType, 5994 SourceLocation ReturnLoc, 5995 bool isObjCMethod, 5996 const AttrVec *Attrs, 5997 const FunctionDecl *FD) { 5998 CheckReturnStackAddr(*this, RetValExp, lhsType, ReturnLoc); 5999 6000 // Check if the return value is null but should not be. 6001 if (((Attrs && hasSpecificAttr<ReturnsNonNullAttr>(*Attrs)) || 6002 (!isObjCMethod && isNonNullType(Context, lhsType))) && 6003 CheckNonNullExpr(*this, RetValExp)) 6004 Diag(ReturnLoc, diag::warn_null_ret) 6005 << (isObjCMethod ? 1 : 0) << RetValExp->getSourceRange(); 6006 6007 // C++11 [basic.stc.dynamic.allocation]p4: 6008 // If an allocation function declared with a non-throwing 6009 // exception-specification fails to allocate storage, it shall return 6010 // a null pointer. Any other allocation function that fails to allocate 6011 // storage shall indicate failure only by throwing an exception [...] 6012 if (FD) { 6013 OverloadedOperatorKind Op = FD->getOverloadedOperator(); 6014 if (Op == OO_New || Op == OO_Array_New) { 6015 const FunctionProtoType *Proto 6016 = FD->getType()->castAs<FunctionProtoType>(); 6017 if (!Proto->isNothrow(Context, /*ResultIfDependent*/true) && 6018 CheckNonNullExpr(*this, RetValExp)) 6019 Diag(ReturnLoc, diag::warn_operator_new_returns_null) 6020 << FD << getLangOpts().CPlusPlus11; 6021 } 6022 } 6023 } 6024 6025 //===--- CHECK: Floating-Point comparisons (-Wfloat-equal) ---------------===// 6026 6027 /// Check for comparisons of floating point operands using != and ==. 6028 /// Issue a warning if these are no self-comparisons, as they are not likely 6029 /// to do what the programmer intended. 6030 void Sema::CheckFloatComparison(SourceLocation Loc, Expr* LHS, Expr *RHS) { 6031 Expr* LeftExprSansParen = LHS->IgnoreParenImpCasts(); 6032 Expr* RightExprSansParen = RHS->IgnoreParenImpCasts(); 6033 6034 // Special case: check for x == x (which is OK). 6035 // Do not emit warnings for such cases. 6036 if (DeclRefExpr* DRL = dyn_cast<DeclRefExpr>(LeftExprSansParen)) 6037 if (DeclRefExpr* DRR = dyn_cast<DeclRefExpr>(RightExprSansParen)) 6038 if (DRL->getDecl() == DRR->getDecl()) 6039 return; 6040 6041 6042 // Special case: check for comparisons against literals that can be exactly 6043 // represented by APFloat. In such cases, do not emit a warning. This 6044 // is a heuristic: often comparison against such literals are used to 6045 // detect if a value in a variable has not changed. This clearly can 6046 // lead to false negatives. 6047 if (FloatingLiteral* FLL = dyn_cast<FloatingLiteral>(LeftExprSansParen)) { 6048 if (FLL->isExact()) 6049 return; 6050 } else 6051 if (FloatingLiteral* FLR = dyn_cast<FloatingLiteral>(RightExprSansParen)) 6052 if (FLR->isExact()) 6053 return; 6054 6055 // Check for comparisons with builtin types. 6056 if (CallExpr* CL = dyn_cast<CallExpr>(LeftExprSansParen)) 6057 if (CL->getBuiltinCallee()) 6058 return; 6059 6060 if (CallExpr* CR = dyn_cast<CallExpr>(RightExprSansParen)) 6061 if (CR->getBuiltinCallee()) 6062 return; 6063 6064 // Emit the diagnostic. 6065 Diag(Loc, diag::warn_floatingpoint_eq) 6066 << LHS->getSourceRange() << RHS->getSourceRange(); 6067 } 6068 6069 //===--- CHECK: Integer mixed-sign comparisons (-Wsign-compare) --------===// 6070 //===--- CHECK: Lossy implicit conversions (-Wconversion) --------------===// 6071 6072 namespace { 6073 6074 /// Structure recording the 'active' range of an integer-valued 6075 /// expression. 6076 struct IntRange { 6077 /// The number of bits active in the int. 6078 unsigned Width; 6079 6080 /// True if the int is known not to have negative values. 6081 bool NonNegative; 6082 6083 IntRange(unsigned Width, bool NonNegative) 6084 : Width(Width), NonNegative(NonNegative) 6085 {} 6086 6087 /// Returns the range of the bool type. 6088 static IntRange forBoolType() { 6089 return IntRange(1, true); 6090 } 6091 6092 /// Returns the range of an opaque value of the given integral type. 6093 static IntRange forValueOfType(ASTContext &C, QualType T) { 6094 return forValueOfCanonicalType(C, 6095 T->getCanonicalTypeInternal().getTypePtr()); 6096 } 6097 6098 /// Returns the range of an opaque value of a canonical integral type. 6099 static IntRange forValueOfCanonicalType(ASTContext &C, const Type *T) { 6100 assert(T->isCanonicalUnqualified()); 6101 6102 if (const VectorType *VT = dyn_cast<VectorType>(T)) 6103 T = VT->getElementType().getTypePtr(); 6104 if (const ComplexType *CT = dyn_cast<ComplexType>(T)) 6105 T = CT->getElementType().getTypePtr(); 6106 if (const AtomicType *AT = dyn_cast<AtomicType>(T)) 6107 T = AT->getValueType().getTypePtr(); 6108 6109 // For enum types, use the known bit width of the enumerators. 6110 if (const EnumType *ET = dyn_cast<EnumType>(T)) { 6111 EnumDecl *Enum = ET->getDecl(); 6112 if (!Enum->isCompleteDefinition()) 6113 return IntRange(C.getIntWidth(QualType(T, 0)), false); 6114 6115 unsigned NumPositive = Enum->getNumPositiveBits(); 6116 unsigned NumNegative = Enum->getNumNegativeBits(); 6117 6118 if (NumNegative == 0) 6119 return IntRange(NumPositive, true/*NonNegative*/); 6120 else 6121 return IntRange(std::max(NumPositive + 1, NumNegative), 6122 false/*NonNegative*/); 6123 } 6124 6125 const BuiltinType *BT = cast<BuiltinType>(T); 6126 assert(BT->isInteger()); 6127 6128 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); 6129 } 6130 6131 /// Returns the "target" range of a canonical integral type, i.e. 6132 /// the range of values expressible in the type. 6133 /// 6134 /// This matches forValueOfCanonicalType except that enums have the 6135 /// full range of their type, not the range of their enumerators. 6136 static IntRange forTargetOfCanonicalType(ASTContext &C, const Type *T) { 6137 assert(T->isCanonicalUnqualified()); 6138 6139 if (const VectorType *VT = dyn_cast<VectorType>(T)) 6140 T = VT->getElementType().getTypePtr(); 6141 if (const ComplexType *CT = dyn_cast<ComplexType>(T)) 6142 T = CT->getElementType().getTypePtr(); 6143 if (const AtomicType *AT = dyn_cast<AtomicType>(T)) 6144 T = AT->getValueType().getTypePtr(); 6145 if (const EnumType *ET = dyn_cast<EnumType>(T)) 6146 T = C.getCanonicalType(ET->getDecl()->getIntegerType()).getTypePtr(); 6147 6148 const BuiltinType *BT = cast<BuiltinType>(T); 6149 assert(BT->isInteger()); 6150 6151 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); 6152 } 6153 6154 /// Returns the supremum of two ranges: i.e. their conservative merge. 6155 static IntRange join(IntRange L, IntRange R) { 6156 return IntRange(std::max(L.Width, R.Width), 6157 L.NonNegative && R.NonNegative); 6158 } 6159 6160 /// Returns the infinum of two ranges: i.e. their aggressive merge. 6161 static IntRange meet(IntRange L, IntRange R) { 6162 return IntRange(std::min(L.Width, R.Width), 6163 L.NonNegative || R.NonNegative); 6164 } 6165 }; 6166 6167 static IntRange GetValueRange(ASTContext &C, llvm::APSInt &value, 6168 unsigned MaxWidth) { 6169 if (value.isSigned() && value.isNegative()) 6170 return IntRange(value.getMinSignedBits(), false); 6171 6172 if (value.getBitWidth() > MaxWidth) 6173 value = value.trunc(MaxWidth); 6174 6175 // isNonNegative() just checks the sign bit without considering 6176 // signedness. 6177 return IntRange(value.getActiveBits(), true); 6178 } 6179 6180 static IntRange GetValueRange(ASTContext &C, APValue &result, QualType Ty, 6181 unsigned MaxWidth) { 6182 if (result.isInt()) 6183 return GetValueRange(C, result.getInt(), MaxWidth); 6184 6185 if (result.isVector()) { 6186 IntRange R = GetValueRange(C, result.getVectorElt(0), Ty, MaxWidth); 6187 for (unsigned i = 1, e = result.getVectorLength(); i != e; ++i) { 6188 IntRange El = GetValueRange(C, result.getVectorElt(i), Ty, MaxWidth); 6189 R = IntRange::join(R, El); 6190 } 6191 return R; 6192 } 6193 6194 if (result.isComplexInt()) { 6195 IntRange R = GetValueRange(C, result.getComplexIntReal(), MaxWidth); 6196 IntRange I = GetValueRange(C, result.getComplexIntImag(), MaxWidth); 6197 return IntRange::join(R, I); 6198 } 6199 6200 // This can happen with lossless casts to intptr_t of "based" lvalues. 6201 // Assume it might use arbitrary bits. 6202 // FIXME: The only reason we need to pass the type in here is to get 6203 // the sign right on this one case. It would be nice if APValue 6204 // preserved this. 6205 assert(result.isLValue() || result.isAddrLabelDiff()); 6206 return IntRange(MaxWidth, Ty->isUnsignedIntegerOrEnumerationType()); 6207 } 6208 6209 static QualType GetExprType(Expr *E) { 6210 QualType Ty = E->getType(); 6211 if (const AtomicType *AtomicRHS = Ty->getAs<AtomicType>()) 6212 Ty = AtomicRHS->getValueType(); 6213 return Ty; 6214 } 6215 6216 /// Pseudo-evaluate the given integer expression, estimating the 6217 /// range of values it might take. 6218 /// 6219 /// \param MaxWidth - the width to which the value will be truncated 6220 static IntRange GetExprRange(ASTContext &C, Expr *E, unsigned MaxWidth) { 6221 E = E->IgnoreParens(); 6222 6223 // Try a full evaluation first. 6224 Expr::EvalResult result; 6225 if (E->EvaluateAsRValue(result, C)) 6226 return GetValueRange(C, result.Val, GetExprType(E), MaxWidth); 6227 6228 // I think we only want to look through implicit casts here; if the 6229 // user has an explicit widening cast, we should treat the value as 6230 // being of the new, wider type. 6231 if (ImplicitCastExpr *CE = dyn_cast<ImplicitCastExpr>(E)) { 6232 if (CE->getCastKind() == CK_NoOp || CE->getCastKind() == CK_LValueToRValue) 6233 return GetExprRange(C, CE->getSubExpr(), MaxWidth); 6234 6235 IntRange OutputTypeRange = IntRange::forValueOfType(C, GetExprType(CE)); 6236 6237 bool isIntegerCast = (CE->getCastKind() == CK_IntegralCast); 6238 6239 // Assume that non-integer casts can span the full range of the type. 6240 if (!isIntegerCast) 6241 return OutputTypeRange; 6242 6243 IntRange SubRange 6244 = GetExprRange(C, CE->getSubExpr(), 6245 std::min(MaxWidth, OutputTypeRange.Width)); 6246 6247 // Bail out if the subexpr's range is as wide as the cast type. 6248 if (SubRange.Width >= OutputTypeRange.Width) 6249 return OutputTypeRange; 6250 6251 // Otherwise, we take the smaller width, and we're non-negative if 6252 // either the output type or the subexpr is. 6253 return IntRange(SubRange.Width, 6254 SubRange.NonNegative || OutputTypeRange.NonNegative); 6255 } 6256 6257 if (ConditionalOperator *CO = dyn_cast<ConditionalOperator>(E)) { 6258 // If we can fold the condition, just take that operand. 6259 bool CondResult; 6260 if (CO->getCond()->EvaluateAsBooleanCondition(CondResult, C)) 6261 return GetExprRange(C, CondResult ? CO->getTrueExpr() 6262 : CO->getFalseExpr(), 6263 MaxWidth); 6264 6265 // Otherwise, conservatively merge. 6266 IntRange L = GetExprRange(C, CO->getTrueExpr(), MaxWidth); 6267 IntRange R = GetExprRange(C, CO->getFalseExpr(), MaxWidth); 6268 return IntRange::join(L, R); 6269 } 6270 6271 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 6272 switch (BO->getOpcode()) { 6273 6274 // Boolean-valued operations are single-bit and positive. 6275 case BO_LAnd: 6276 case BO_LOr: 6277 case BO_LT: 6278 case BO_GT: 6279 case BO_LE: 6280 case BO_GE: 6281 case BO_EQ: 6282 case BO_NE: 6283 return IntRange::forBoolType(); 6284 6285 // The type of the assignments is the type of the LHS, so the RHS 6286 // is not necessarily the same type. 6287 case BO_MulAssign: 6288 case BO_DivAssign: 6289 case BO_RemAssign: 6290 case BO_AddAssign: 6291 case BO_SubAssign: 6292 case BO_XorAssign: 6293 case BO_OrAssign: 6294 // TODO: bitfields? 6295 return IntRange::forValueOfType(C, GetExprType(E)); 6296 6297 // Simple assignments just pass through the RHS, which will have 6298 // been coerced to the LHS type. 6299 case BO_Assign: 6300 // TODO: bitfields? 6301 return GetExprRange(C, BO->getRHS(), MaxWidth); 6302 6303 // Operations with opaque sources are black-listed. 6304 case BO_PtrMemD: 6305 case BO_PtrMemI: 6306 return IntRange::forValueOfType(C, GetExprType(E)); 6307 6308 // Bitwise-and uses the *infinum* of the two source ranges. 6309 case BO_And: 6310 case BO_AndAssign: 6311 return IntRange::meet(GetExprRange(C, BO->getLHS(), MaxWidth), 6312 GetExprRange(C, BO->getRHS(), MaxWidth)); 6313 6314 // Left shift gets black-listed based on a judgement call. 6315 case BO_Shl: 6316 // ...except that we want to treat '1 << (blah)' as logically 6317 // positive. It's an important idiom. 6318 if (IntegerLiteral *I 6319 = dyn_cast<IntegerLiteral>(BO->getLHS()->IgnoreParenCasts())) { 6320 if (I->getValue() == 1) { 6321 IntRange R = IntRange::forValueOfType(C, GetExprType(E)); 6322 return IntRange(R.Width, /*NonNegative*/ true); 6323 } 6324 } 6325 // fallthrough 6326 6327 case BO_ShlAssign: 6328 return IntRange::forValueOfType(C, GetExprType(E)); 6329 6330 // Right shift by a constant can narrow its left argument. 6331 case BO_Shr: 6332 case BO_ShrAssign: { 6333 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 6334 6335 // If the shift amount is a positive constant, drop the width by 6336 // that much. 6337 llvm::APSInt shift; 6338 if (BO->getRHS()->isIntegerConstantExpr(shift, C) && 6339 shift.isNonNegative()) { 6340 unsigned zext = shift.getZExtValue(); 6341 if (zext >= L.Width) 6342 L.Width = (L.NonNegative ? 0 : 1); 6343 else 6344 L.Width -= zext; 6345 } 6346 6347 return L; 6348 } 6349 6350 // Comma acts as its right operand. 6351 case BO_Comma: 6352 return GetExprRange(C, BO->getRHS(), MaxWidth); 6353 6354 // Black-list pointer subtractions. 6355 case BO_Sub: 6356 if (BO->getLHS()->getType()->isPointerType()) 6357 return IntRange::forValueOfType(C, GetExprType(E)); 6358 break; 6359 6360 // The width of a division result is mostly determined by the size 6361 // of the LHS. 6362 case BO_Div: { 6363 // Don't 'pre-truncate' the operands. 6364 unsigned opWidth = C.getIntWidth(GetExprType(E)); 6365 IntRange L = GetExprRange(C, BO->getLHS(), opWidth); 6366 6367 // If the divisor is constant, use that. 6368 llvm::APSInt divisor; 6369 if (BO->getRHS()->isIntegerConstantExpr(divisor, C)) { 6370 unsigned log2 = divisor.logBase2(); // floor(log_2(divisor)) 6371 if (log2 >= L.Width) 6372 L.Width = (L.NonNegative ? 0 : 1); 6373 else 6374 L.Width = std::min(L.Width - log2, MaxWidth); 6375 return L; 6376 } 6377 6378 // Otherwise, just use the LHS's width. 6379 IntRange R = GetExprRange(C, BO->getRHS(), opWidth); 6380 return IntRange(L.Width, L.NonNegative && R.NonNegative); 6381 } 6382 6383 // The result of a remainder can't be larger than the result of 6384 // either side. 6385 case BO_Rem: { 6386 // Don't 'pre-truncate' the operands. 6387 unsigned opWidth = C.getIntWidth(GetExprType(E)); 6388 IntRange L = GetExprRange(C, BO->getLHS(), opWidth); 6389 IntRange R = GetExprRange(C, BO->getRHS(), opWidth); 6390 6391 IntRange meet = IntRange::meet(L, R); 6392 meet.Width = std::min(meet.Width, MaxWidth); 6393 return meet; 6394 } 6395 6396 // The default behavior is okay for these. 6397 case BO_Mul: 6398 case BO_Add: 6399 case BO_Xor: 6400 case BO_Or: 6401 break; 6402 } 6403 6404 // The default case is to treat the operation as if it were closed 6405 // on the narrowest type that encompasses both operands. 6406 IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth); 6407 IntRange R = GetExprRange(C, BO->getRHS(), MaxWidth); 6408 return IntRange::join(L, R); 6409 } 6410 6411 if (UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) { 6412 switch (UO->getOpcode()) { 6413 // Boolean-valued operations are white-listed. 6414 case UO_LNot: 6415 return IntRange::forBoolType(); 6416 6417 // Operations with opaque sources are black-listed. 6418 case UO_Deref: 6419 case UO_AddrOf: // should be impossible 6420 return IntRange::forValueOfType(C, GetExprType(E)); 6421 6422 default: 6423 return GetExprRange(C, UO->getSubExpr(), MaxWidth); 6424 } 6425 } 6426 6427 if (OpaqueValueExpr *OVE = dyn_cast<OpaqueValueExpr>(E)) 6428 return GetExprRange(C, OVE->getSourceExpr(), MaxWidth); 6429 6430 if (FieldDecl *BitField = E->getSourceBitField()) 6431 return IntRange(BitField->getBitWidthValue(C), 6432 BitField->getType()->isUnsignedIntegerOrEnumerationType()); 6433 6434 return IntRange::forValueOfType(C, GetExprType(E)); 6435 } 6436 6437 static IntRange GetExprRange(ASTContext &C, Expr *E) { 6438 return GetExprRange(C, E, C.getIntWidth(GetExprType(E))); 6439 } 6440 6441 /// Checks whether the given value, which currently has the given 6442 /// source semantics, has the same value when coerced through the 6443 /// target semantics. 6444 static bool IsSameFloatAfterCast(const llvm::APFloat &value, 6445 const llvm::fltSemantics &Src, 6446 const llvm::fltSemantics &Tgt) { 6447 llvm::APFloat truncated = value; 6448 6449 bool ignored; 6450 truncated.convert(Src, llvm::APFloat::rmNearestTiesToEven, &ignored); 6451 truncated.convert(Tgt, llvm::APFloat::rmNearestTiesToEven, &ignored); 6452 6453 return truncated.bitwiseIsEqual(value); 6454 } 6455 6456 /// Checks whether the given value, which currently has the given 6457 /// source semantics, has the same value when coerced through the 6458 /// target semantics. 6459 /// 6460 /// The value might be a vector of floats (or a complex number). 6461 static bool IsSameFloatAfterCast(const APValue &value, 6462 const llvm::fltSemantics &Src, 6463 const llvm::fltSemantics &Tgt) { 6464 if (value.isFloat()) 6465 return IsSameFloatAfterCast(value.getFloat(), Src, Tgt); 6466 6467 if (value.isVector()) { 6468 for (unsigned i = 0, e = value.getVectorLength(); i != e; ++i) 6469 if (!IsSameFloatAfterCast(value.getVectorElt(i), Src, Tgt)) 6470 return false; 6471 return true; 6472 } 6473 6474 assert(value.isComplexFloat()); 6475 return (IsSameFloatAfterCast(value.getComplexFloatReal(), Src, Tgt) && 6476 IsSameFloatAfterCast(value.getComplexFloatImag(), Src, Tgt)); 6477 } 6478 6479 static void AnalyzeImplicitConversions(Sema &S, Expr *E, SourceLocation CC); 6480 6481 static bool IsZero(Sema &S, Expr *E) { 6482 // Suppress cases where we are comparing against an enum constant. 6483 if (const DeclRefExpr *DR = 6484 dyn_cast<DeclRefExpr>(E->IgnoreParenImpCasts())) 6485 if (isa<EnumConstantDecl>(DR->getDecl())) 6486 return false; 6487 6488 // Suppress cases where the '0' value is expanded from a macro. 6489 if (E->getLocStart().isMacroID()) 6490 return false; 6491 6492 llvm::APSInt Value; 6493 return E->isIntegerConstantExpr(Value, S.Context) && Value == 0; 6494 } 6495 6496 static bool HasEnumType(Expr *E) { 6497 // Strip off implicit integral promotions. 6498 while (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) { 6499 if (ICE->getCastKind() != CK_IntegralCast && 6500 ICE->getCastKind() != CK_NoOp) 6501 break; 6502 E = ICE->getSubExpr(); 6503 } 6504 6505 return E->getType()->isEnumeralType(); 6506 } 6507 6508 static void CheckTrivialUnsignedComparison(Sema &S, BinaryOperator *E) { 6509 // Disable warning in template instantiations. 6510 if (!S.ActiveTemplateInstantiations.empty()) 6511 return; 6512 6513 BinaryOperatorKind op = E->getOpcode(); 6514 if (E->isValueDependent()) 6515 return; 6516 6517 if (op == BO_LT && IsZero(S, E->getRHS())) { 6518 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 6519 << "< 0" << "false" << HasEnumType(E->getLHS()) 6520 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 6521 } else if (op == BO_GE && IsZero(S, E->getRHS())) { 6522 S.Diag(E->getOperatorLoc(), diag::warn_lunsigned_always_true_comparison) 6523 << ">= 0" << "true" << HasEnumType(E->getLHS()) 6524 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 6525 } else if (op == BO_GT && IsZero(S, E->getLHS())) { 6526 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 6527 << "0 >" << "false" << HasEnumType(E->getRHS()) 6528 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 6529 } else if (op == BO_LE && IsZero(S, E->getLHS())) { 6530 S.Diag(E->getOperatorLoc(), diag::warn_runsigned_always_true_comparison) 6531 << "0 <=" << "true" << HasEnumType(E->getRHS()) 6532 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange(); 6533 } 6534 } 6535 6536 static void DiagnoseOutOfRangeComparison(Sema &S, BinaryOperator *E, 6537 Expr *Constant, Expr *Other, 6538 llvm::APSInt Value, 6539 bool RhsConstant) { 6540 // Disable warning in template instantiations. 6541 if (!S.ActiveTemplateInstantiations.empty()) 6542 return; 6543 6544 // TODO: Investigate using GetExprRange() to get tighter bounds 6545 // on the bit ranges. 6546 QualType OtherT = Other->getType(); 6547 if (const auto *AT = OtherT->getAs<AtomicType>()) 6548 OtherT = AT->getValueType(); 6549 IntRange OtherRange = IntRange::forValueOfType(S.Context, OtherT); 6550 unsigned OtherWidth = OtherRange.Width; 6551 6552 bool OtherIsBooleanType = Other->isKnownToHaveBooleanValue(); 6553 6554 // 0 values are handled later by CheckTrivialUnsignedComparison(). 6555 if ((Value == 0) && (!OtherIsBooleanType)) 6556 return; 6557 6558 BinaryOperatorKind op = E->getOpcode(); 6559 bool IsTrue = true; 6560 6561 // Used for diagnostic printout. 6562 enum { 6563 LiteralConstant = 0, 6564 CXXBoolLiteralTrue, 6565 CXXBoolLiteralFalse 6566 } LiteralOrBoolConstant = LiteralConstant; 6567 6568 if (!OtherIsBooleanType) { 6569 QualType ConstantT = Constant->getType(); 6570 QualType CommonT = E->getLHS()->getType(); 6571 6572 if (S.Context.hasSameUnqualifiedType(OtherT, ConstantT)) 6573 return; 6574 assert((OtherT->isIntegerType() && ConstantT->isIntegerType()) && 6575 "comparison with non-integer type"); 6576 6577 bool ConstantSigned = ConstantT->isSignedIntegerType(); 6578 bool CommonSigned = CommonT->isSignedIntegerType(); 6579 6580 bool EqualityOnly = false; 6581 6582 if (CommonSigned) { 6583 // The common type is signed, therefore no signed to unsigned conversion. 6584 if (!OtherRange.NonNegative) { 6585 // Check that the constant is representable in type OtherT. 6586 if (ConstantSigned) { 6587 if (OtherWidth >= Value.getMinSignedBits()) 6588 return; 6589 } else { // !ConstantSigned 6590 if (OtherWidth >= Value.getActiveBits() + 1) 6591 return; 6592 } 6593 } else { // !OtherSigned 6594 // Check that the constant is representable in type OtherT. 6595 // Negative values are out of range. 6596 if (ConstantSigned) { 6597 if (Value.isNonNegative() && OtherWidth >= Value.getActiveBits()) 6598 return; 6599 } else { // !ConstantSigned 6600 if (OtherWidth >= Value.getActiveBits()) 6601 return; 6602 } 6603 } 6604 } else { // !CommonSigned 6605 if (OtherRange.NonNegative) { 6606 if (OtherWidth >= Value.getActiveBits()) 6607 return; 6608 } else { // OtherSigned 6609 assert(!ConstantSigned && 6610 "Two signed types converted to unsigned types."); 6611 // Check to see if the constant is representable in OtherT. 6612 if (OtherWidth > Value.getActiveBits()) 6613 return; 6614 // Check to see if the constant is equivalent to a negative value 6615 // cast to CommonT. 6616 if (S.Context.getIntWidth(ConstantT) == 6617 S.Context.getIntWidth(CommonT) && 6618 Value.isNegative() && Value.getMinSignedBits() <= OtherWidth) 6619 return; 6620 // The constant value rests between values that OtherT can represent 6621 // after conversion. Relational comparison still works, but equality 6622 // comparisons will be tautological. 6623 EqualityOnly = true; 6624 } 6625 } 6626 6627 bool PositiveConstant = !ConstantSigned || Value.isNonNegative(); 6628 6629 if (op == BO_EQ || op == BO_NE) { 6630 IsTrue = op == BO_NE; 6631 } else if (EqualityOnly) { 6632 return; 6633 } else if (RhsConstant) { 6634 if (op == BO_GT || op == BO_GE) 6635 IsTrue = !PositiveConstant; 6636 else // op == BO_LT || op == BO_LE 6637 IsTrue = PositiveConstant; 6638 } else { 6639 if (op == BO_LT || op == BO_LE) 6640 IsTrue = !PositiveConstant; 6641 else // op == BO_GT || op == BO_GE 6642 IsTrue = PositiveConstant; 6643 } 6644 } else { 6645 // Other isKnownToHaveBooleanValue 6646 enum CompareBoolWithConstantResult { AFals, ATrue, Unkwn }; 6647 enum ConstantValue { LT_Zero, Zero, One, GT_One, SizeOfConstVal }; 6648 enum ConstantSide { Lhs, Rhs, SizeOfConstSides }; 6649 6650 static const struct LinkedConditions { 6651 CompareBoolWithConstantResult BO_LT_OP[SizeOfConstSides][SizeOfConstVal]; 6652 CompareBoolWithConstantResult BO_GT_OP[SizeOfConstSides][SizeOfConstVal]; 6653 CompareBoolWithConstantResult BO_LE_OP[SizeOfConstSides][SizeOfConstVal]; 6654 CompareBoolWithConstantResult BO_GE_OP[SizeOfConstSides][SizeOfConstVal]; 6655 CompareBoolWithConstantResult BO_EQ_OP[SizeOfConstSides][SizeOfConstVal]; 6656 CompareBoolWithConstantResult BO_NE_OP[SizeOfConstSides][SizeOfConstVal]; 6657 6658 } TruthTable = { 6659 // Constant on LHS. | Constant on RHS. | 6660 // LT_Zero| Zero | One |GT_One| LT_Zero| Zero | One |GT_One| 6661 { { ATrue, Unkwn, AFals, AFals }, { AFals, AFals, Unkwn, ATrue } }, 6662 { { AFals, AFals, Unkwn, ATrue }, { ATrue, Unkwn, AFals, AFals } }, 6663 { { ATrue, ATrue, Unkwn, AFals }, { AFals, Unkwn, ATrue, ATrue } }, 6664 { { AFals, Unkwn, ATrue, ATrue }, { ATrue, ATrue, Unkwn, AFals } }, 6665 { { AFals, Unkwn, Unkwn, AFals }, { AFals, Unkwn, Unkwn, AFals } }, 6666 { { ATrue, Unkwn, Unkwn, ATrue }, { ATrue, Unkwn, Unkwn, ATrue } } 6667 }; 6668 6669 bool ConstantIsBoolLiteral = isa<CXXBoolLiteralExpr>(Constant); 6670 6671 enum ConstantValue ConstVal = Zero; 6672 if (Value.isUnsigned() || Value.isNonNegative()) { 6673 if (Value == 0) { 6674 LiteralOrBoolConstant = 6675 ConstantIsBoolLiteral ? CXXBoolLiteralFalse : LiteralConstant; 6676 ConstVal = Zero; 6677 } else if (Value == 1) { 6678 LiteralOrBoolConstant = 6679 ConstantIsBoolLiteral ? CXXBoolLiteralTrue : LiteralConstant; 6680 ConstVal = One; 6681 } else { 6682 LiteralOrBoolConstant = LiteralConstant; 6683 ConstVal = GT_One; 6684 } 6685 } else { 6686 ConstVal = LT_Zero; 6687 } 6688 6689 CompareBoolWithConstantResult CmpRes; 6690 6691 switch (op) { 6692 case BO_LT: 6693 CmpRes = TruthTable.BO_LT_OP[RhsConstant][ConstVal]; 6694 break; 6695 case BO_GT: 6696 CmpRes = TruthTable.BO_GT_OP[RhsConstant][ConstVal]; 6697 break; 6698 case BO_LE: 6699 CmpRes = TruthTable.BO_LE_OP[RhsConstant][ConstVal]; 6700 break; 6701 case BO_GE: 6702 CmpRes = TruthTable.BO_GE_OP[RhsConstant][ConstVal]; 6703 break; 6704 case BO_EQ: 6705 CmpRes = TruthTable.BO_EQ_OP[RhsConstant][ConstVal]; 6706 break; 6707 case BO_NE: 6708 CmpRes = TruthTable.BO_NE_OP[RhsConstant][ConstVal]; 6709 break; 6710 default: 6711 CmpRes = Unkwn; 6712 break; 6713 } 6714 6715 if (CmpRes == AFals) { 6716 IsTrue = false; 6717 } else if (CmpRes == ATrue) { 6718 IsTrue = true; 6719 } else { 6720 return; 6721 } 6722 } 6723 6724 // If this is a comparison to an enum constant, include that 6725 // constant in the diagnostic. 6726 const EnumConstantDecl *ED = nullptr; 6727 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Constant)) 6728 ED = dyn_cast<EnumConstantDecl>(DR->getDecl()); 6729 6730 SmallString<64> PrettySourceValue; 6731 llvm::raw_svector_ostream OS(PrettySourceValue); 6732 if (ED) 6733 OS << '\'' << *ED << "' (" << Value << ")"; 6734 else 6735 OS << Value; 6736 6737 S.DiagRuntimeBehavior( 6738 E->getOperatorLoc(), E, 6739 S.PDiag(diag::warn_out_of_range_compare) 6740 << OS.str() << LiteralOrBoolConstant 6741 << OtherT << (OtherIsBooleanType && !OtherT->isBooleanType()) << IsTrue 6742 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange()); 6743 } 6744 6745 /// Analyze the operands of the given comparison. Implements the 6746 /// fallback case from AnalyzeComparison. 6747 static void AnalyzeImpConvsInComparison(Sema &S, BinaryOperator *E) { 6748 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc()); 6749 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc()); 6750 } 6751 6752 /// \brief Implements -Wsign-compare. 6753 /// 6754 /// \param E the binary operator to check for warnings 6755 static void AnalyzeComparison(Sema &S, BinaryOperator *E) { 6756 // The type the comparison is being performed in. 6757 QualType T = E->getLHS()->getType(); 6758 6759 // Only analyze comparison operators where both sides have been converted to 6760 // the same type. 6761 if (!S.Context.hasSameUnqualifiedType(T, E->getRHS()->getType())) 6762 return AnalyzeImpConvsInComparison(S, E); 6763 6764 // Don't analyze value-dependent comparisons directly. 6765 if (E->isValueDependent()) 6766 return AnalyzeImpConvsInComparison(S, E); 6767 6768 Expr *LHS = E->getLHS()->IgnoreParenImpCasts(); 6769 Expr *RHS = E->getRHS()->IgnoreParenImpCasts(); 6770 6771 bool IsComparisonConstant = false; 6772 6773 // Check whether an integer constant comparison results in a value 6774 // of 'true' or 'false'. 6775 if (T->isIntegralType(S.Context)) { 6776 llvm::APSInt RHSValue; 6777 bool IsRHSIntegralLiteral = 6778 RHS->isIntegerConstantExpr(RHSValue, S.Context); 6779 llvm::APSInt LHSValue; 6780 bool IsLHSIntegralLiteral = 6781 LHS->isIntegerConstantExpr(LHSValue, S.Context); 6782 if (IsRHSIntegralLiteral && !IsLHSIntegralLiteral) 6783 DiagnoseOutOfRangeComparison(S, E, RHS, LHS, RHSValue, true); 6784 else if (!IsRHSIntegralLiteral && IsLHSIntegralLiteral) 6785 DiagnoseOutOfRangeComparison(S, E, LHS, RHS, LHSValue, false); 6786 else 6787 IsComparisonConstant = 6788 (IsRHSIntegralLiteral && IsLHSIntegralLiteral); 6789 } else if (!T->hasUnsignedIntegerRepresentation()) 6790 IsComparisonConstant = E->isIntegerConstantExpr(S.Context); 6791 6792 // We don't do anything special if this isn't an unsigned integral 6793 // comparison: we're only interested in integral comparisons, and 6794 // signed comparisons only happen in cases we don't care to warn about. 6795 // 6796 // We also don't care about value-dependent expressions or expressions 6797 // whose result is a constant. 6798 if (!T->hasUnsignedIntegerRepresentation() || IsComparisonConstant) 6799 return AnalyzeImpConvsInComparison(S, E); 6800 6801 // Check to see if one of the (unmodified) operands is of different 6802 // signedness. 6803 Expr *signedOperand, *unsignedOperand; 6804 if (LHS->getType()->hasSignedIntegerRepresentation()) { 6805 assert(!RHS->getType()->hasSignedIntegerRepresentation() && 6806 "unsigned comparison between two signed integer expressions?"); 6807 signedOperand = LHS; 6808 unsignedOperand = RHS; 6809 } else if (RHS->getType()->hasSignedIntegerRepresentation()) { 6810 signedOperand = RHS; 6811 unsignedOperand = LHS; 6812 } else { 6813 CheckTrivialUnsignedComparison(S, E); 6814 return AnalyzeImpConvsInComparison(S, E); 6815 } 6816 6817 // Otherwise, calculate the effective range of the signed operand. 6818 IntRange signedRange = GetExprRange(S.Context, signedOperand); 6819 6820 // Go ahead and analyze implicit conversions in the operands. Note 6821 // that we skip the implicit conversions on both sides. 6822 AnalyzeImplicitConversions(S, LHS, E->getOperatorLoc()); 6823 AnalyzeImplicitConversions(S, RHS, E->getOperatorLoc()); 6824 6825 // If the signed range is non-negative, -Wsign-compare won't fire, 6826 // but we should still check for comparisons which are always true 6827 // or false. 6828 if (signedRange.NonNegative) 6829 return CheckTrivialUnsignedComparison(S, E); 6830 6831 // For (in)equality comparisons, if the unsigned operand is a 6832 // constant which cannot collide with a overflowed signed operand, 6833 // then reinterpreting the signed operand as unsigned will not 6834 // change the result of the comparison. 6835 if (E->isEqualityOp()) { 6836 unsigned comparisonWidth = S.Context.getIntWidth(T); 6837 IntRange unsignedRange = GetExprRange(S.Context, unsignedOperand); 6838 6839 // We should never be unable to prove that the unsigned operand is 6840 // non-negative. 6841 assert(unsignedRange.NonNegative && "unsigned range includes negative?"); 6842 6843 if (unsignedRange.Width < comparisonWidth) 6844 return; 6845 } 6846 6847 S.DiagRuntimeBehavior(E->getOperatorLoc(), E, 6848 S.PDiag(diag::warn_mixed_sign_comparison) 6849 << LHS->getType() << RHS->getType() 6850 << LHS->getSourceRange() << RHS->getSourceRange()); 6851 } 6852 6853 /// Analyzes an attempt to assign the given value to a bitfield. 6854 /// 6855 /// Returns true if there was something fishy about the attempt. 6856 static bool AnalyzeBitFieldAssignment(Sema &S, FieldDecl *Bitfield, Expr *Init, 6857 SourceLocation InitLoc) { 6858 assert(Bitfield->isBitField()); 6859 if (Bitfield->isInvalidDecl()) 6860 return false; 6861 6862 // White-list bool bitfields. 6863 if (Bitfield->getType()->isBooleanType()) 6864 return false; 6865 6866 // Ignore value- or type-dependent expressions. 6867 if (Bitfield->getBitWidth()->isValueDependent() || 6868 Bitfield->getBitWidth()->isTypeDependent() || 6869 Init->isValueDependent() || 6870 Init->isTypeDependent()) 6871 return false; 6872 6873 Expr *OriginalInit = Init->IgnoreParenImpCasts(); 6874 6875 llvm::APSInt Value; 6876 if (!OriginalInit->EvaluateAsInt(Value, S.Context, Expr::SE_AllowSideEffects)) 6877 return false; 6878 6879 unsigned OriginalWidth = Value.getBitWidth(); 6880 unsigned FieldWidth = Bitfield->getBitWidthValue(S.Context); 6881 6882 if (OriginalWidth <= FieldWidth) 6883 return false; 6884 6885 // Compute the value which the bitfield will contain. 6886 llvm::APSInt TruncatedValue = Value.trunc(FieldWidth); 6887 TruncatedValue.setIsSigned(Bitfield->getType()->isSignedIntegerType()); 6888 6889 // Check whether the stored value is equal to the original value. 6890 TruncatedValue = TruncatedValue.extend(OriginalWidth); 6891 if (llvm::APSInt::isSameValue(Value, TruncatedValue)) 6892 return false; 6893 6894 // Special-case bitfields of width 1: booleans are naturally 0/1, and 6895 // therefore don't strictly fit into a signed bitfield of width 1. 6896 if (FieldWidth == 1 && Value == 1) 6897 return false; 6898 6899 std::string PrettyValue = Value.toString(10); 6900 std::string PrettyTrunc = TruncatedValue.toString(10); 6901 6902 S.Diag(InitLoc, diag::warn_impcast_bitfield_precision_constant) 6903 << PrettyValue << PrettyTrunc << OriginalInit->getType() 6904 << Init->getSourceRange(); 6905 6906 return true; 6907 } 6908 6909 /// Analyze the given simple or compound assignment for warning-worthy 6910 /// operations. 6911 static void AnalyzeAssignment(Sema &S, BinaryOperator *E) { 6912 // Just recurse on the LHS. 6913 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc()); 6914 6915 // We want to recurse on the RHS as normal unless we're assigning to 6916 // a bitfield. 6917 if (FieldDecl *Bitfield = E->getLHS()->getSourceBitField()) { 6918 if (AnalyzeBitFieldAssignment(S, Bitfield, E->getRHS(), 6919 E->getOperatorLoc())) { 6920 // Recurse, ignoring any implicit conversions on the RHS. 6921 return AnalyzeImplicitConversions(S, E->getRHS()->IgnoreParenImpCasts(), 6922 E->getOperatorLoc()); 6923 } 6924 } 6925 6926 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc()); 6927 } 6928 6929 /// Diagnose an implicit cast; purely a helper for CheckImplicitConversion. 6930 static void DiagnoseImpCast(Sema &S, Expr *E, QualType SourceType, QualType T, 6931 SourceLocation CContext, unsigned diag, 6932 bool pruneControlFlow = false) { 6933 if (pruneControlFlow) { 6934 S.DiagRuntimeBehavior(E->getExprLoc(), E, 6935 S.PDiag(diag) 6936 << SourceType << T << E->getSourceRange() 6937 << SourceRange(CContext)); 6938 return; 6939 } 6940 S.Diag(E->getExprLoc(), diag) 6941 << SourceType << T << E->getSourceRange() << SourceRange(CContext); 6942 } 6943 6944 /// Diagnose an implicit cast; purely a helper for CheckImplicitConversion. 6945 static void DiagnoseImpCast(Sema &S, Expr *E, QualType T, 6946 SourceLocation CContext, unsigned diag, 6947 bool pruneControlFlow = false) { 6948 DiagnoseImpCast(S, E, E->getType(), T, CContext, diag, pruneControlFlow); 6949 } 6950 6951 /// Diagnose an implicit cast from a literal expression. Does not warn when the 6952 /// cast wouldn't lose information. 6953 void DiagnoseFloatingLiteralImpCast(Sema &S, FloatingLiteral *FL, QualType T, 6954 SourceLocation CContext) { 6955 // Try to convert the literal exactly to an integer. If we can, don't warn. 6956 bool isExact = false; 6957 const llvm::APFloat &Value = FL->getValue(); 6958 llvm::APSInt IntegerValue(S.Context.getIntWidth(T), 6959 T->hasUnsignedIntegerRepresentation()); 6960 if (Value.convertToInteger(IntegerValue, 6961 llvm::APFloat::rmTowardZero, &isExact) 6962 == llvm::APFloat::opOK && isExact) 6963 return; 6964 6965 // FIXME: Force the precision of the source value down so we don't print 6966 // digits which are usually useless (we don't really care here if we 6967 // truncate a digit by accident in edge cases). Ideally, APFloat::toString 6968 // would automatically print the shortest representation, but it's a bit 6969 // tricky to implement. 6970 SmallString<16> PrettySourceValue; 6971 unsigned precision = llvm::APFloat::semanticsPrecision(Value.getSemantics()); 6972 precision = (precision * 59 + 195) / 196; 6973 Value.toString(PrettySourceValue, precision); 6974 6975 SmallString<16> PrettyTargetValue; 6976 if (T->isSpecificBuiltinType(BuiltinType::Bool)) 6977 PrettyTargetValue = IntegerValue == 0 ? "false" : "true"; 6978 else 6979 IntegerValue.toString(PrettyTargetValue); 6980 6981 S.Diag(FL->getExprLoc(), diag::warn_impcast_literal_float_to_integer) 6982 << FL->getType() << T.getUnqualifiedType() << PrettySourceValue 6983 << PrettyTargetValue << FL->getSourceRange() << SourceRange(CContext); 6984 } 6985 6986 std::string PrettyPrintInRange(const llvm::APSInt &Value, IntRange Range) { 6987 if (!Range.Width) return "0"; 6988 6989 llvm::APSInt ValueInRange = Value; 6990 ValueInRange.setIsSigned(!Range.NonNegative); 6991 ValueInRange = ValueInRange.trunc(Range.Width); 6992 return ValueInRange.toString(10); 6993 } 6994 6995 static bool IsImplicitBoolFloatConversion(Sema &S, Expr *Ex, bool ToBool) { 6996 if (!isa<ImplicitCastExpr>(Ex)) 6997 return false; 6998 6999 Expr *InnerE = Ex->IgnoreParenImpCasts(); 7000 const Type *Target = S.Context.getCanonicalType(Ex->getType()).getTypePtr(); 7001 const Type *Source = 7002 S.Context.getCanonicalType(InnerE->getType()).getTypePtr(); 7003 if (Target->isDependentType()) 7004 return false; 7005 7006 const BuiltinType *FloatCandidateBT = 7007 dyn_cast<BuiltinType>(ToBool ? Source : Target); 7008 const Type *BoolCandidateType = ToBool ? Target : Source; 7009 7010 return (BoolCandidateType->isSpecificBuiltinType(BuiltinType::Bool) && 7011 FloatCandidateBT && (FloatCandidateBT->isFloatingPoint())); 7012 } 7013 7014 void CheckImplicitArgumentConversions(Sema &S, CallExpr *TheCall, 7015 SourceLocation CC) { 7016 unsigned NumArgs = TheCall->getNumArgs(); 7017 for (unsigned i = 0; i < NumArgs; ++i) { 7018 Expr *CurrA = TheCall->getArg(i); 7019 if (!IsImplicitBoolFloatConversion(S, CurrA, true)) 7020 continue; 7021 7022 bool IsSwapped = ((i > 0) && 7023 IsImplicitBoolFloatConversion(S, TheCall->getArg(i - 1), false)); 7024 IsSwapped |= ((i < (NumArgs - 1)) && 7025 IsImplicitBoolFloatConversion(S, TheCall->getArg(i + 1), false)); 7026 if (IsSwapped) { 7027 // Warn on this floating-point to bool conversion. 7028 DiagnoseImpCast(S, CurrA->IgnoreParenImpCasts(), 7029 CurrA->getType(), CC, 7030 diag::warn_impcast_floating_point_to_bool); 7031 } 7032 } 7033 } 7034 7035 static void DiagnoseNullConversion(Sema &S, Expr *E, QualType T, 7036 SourceLocation CC) { 7037 if (S.Diags.isIgnored(diag::warn_impcast_null_pointer_to_integer, 7038 E->getExprLoc())) 7039 return; 7040 7041 // Check for NULL (GNUNull) or nullptr (CXX11_nullptr). 7042 const Expr::NullPointerConstantKind NullKind = 7043 E->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNotNull); 7044 if (NullKind != Expr::NPCK_GNUNull && NullKind != Expr::NPCK_CXX11_nullptr) 7045 return; 7046 7047 // Return if target type is a safe conversion. 7048 if (T->isAnyPointerType() || T->isBlockPointerType() || 7049 T->isMemberPointerType() || !T->isScalarType() || T->isNullPtrType()) 7050 return; 7051 7052 SourceLocation Loc = E->getSourceRange().getBegin(); 7053 7054 // __null is usually wrapped in a macro. Go up a macro if that is the case. 7055 if (NullKind == Expr::NPCK_GNUNull) { 7056 if (Loc.isMacroID()) 7057 Loc = S.SourceMgr.getImmediateExpansionRange(Loc).first; 7058 } 7059 7060 // Only warn if the null and context location are in the same macro expansion. 7061 if (S.SourceMgr.getFileID(Loc) != S.SourceMgr.getFileID(CC)) 7062 return; 7063 7064 S.Diag(Loc, diag::warn_impcast_null_pointer_to_integer) 7065 << (NullKind == Expr::NPCK_CXX11_nullptr) << T << clang::SourceRange(CC) 7066 << FixItHint::CreateReplacement(Loc, 7067 S.getFixItZeroLiteralForType(T, Loc)); 7068 } 7069 7070 static void checkObjCArrayLiteral(Sema &S, QualType TargetType, 7071 ObjCArrayLiteral *ArrayLiteral); 7072 static void checkObjCDictionaryLiteral(Sema &S, QualType TargetType, 7073 ObjCDictionaryLiteral *DictionaryLiteral); 7074 7075 /// Check a single element within a collection literal against the 7076 /// target element type. 7077 static void checkObjCCollectionLiteralElement(Sema &S, 7078 QualType TargetElementType, 7079 Expr *Element, 7080 unsigned ElementKind) { 7081 // Skip a bitcast to 'id' or qualified 'id'. 7082 if (auto ICE = dyn_cast<ImplicitCastExpr>(Element)) { 7083 if (ICE->getCastKind() == CK_BitCast && 7084 ICE->getSubExpr()->getType()->getAs<ObjCObjectPointerType>()) 7085 Element = ICE->getSubExpr(); 7086 } 7087 7088 QualType ElementType = Element->getType(); 7089 ExprResult ElementResult(Element); 7090 if (ElementType->getAs<ObjCObjectPointerType>() && 7091 S.CheckSingleAssignmentConstraints(TargetElementType, 7092 ElementResult, 7093 false, false) 7094 != Sema::Compatible) { 7095 S.Diag(Element->getLocStart(), 7096 diag::warn_objc_collection_literal_element) 7097 << ElementType << ElementKind << TargetElementType 7098 << Element->getSourceRange(); 7099 } 7100 7101 if (auto ArrayLiteral = dyn_cast<ObjCArrayLiteral>(Element)) 7102 checkObjCArrayLiteral(S, TargetElementType, ArrayLiteral); 7103 else if (auto DictionaryLiteral = dyn_cast<ObjCDictionaryLiteral>(Element)) 7104 checkObjCDictionaryLiteral(S, TargetElementType, DictionaryLiteral); 7105 } 7106 7107 /// Check an Objective-C array literal being converted to the given 7108 /// target type. 7109 static void checkObjCArrayLiteral(Sema &S, QualType TargetType, 7110 ObjCArrayLiteral *ArrayLiteral) { 7111 if (!S.NSArrayDecl) 7112 return; 7113 7114 const auto *TargetObjCPtr = TargetType->getAs<ObjCObjectPointerType>(); 7115 if (!TargetObjCPtr) 7116 return; 7117 7118 if (TargetObjCPtr->isUnspecialized() || 7119 TargetObjCPtr->getInterfaceDecl()->getCanonicalDecl() 7120 != S.NSArrayDecl->getCanonicalDecl()) 7121 return; 7122 7123 auto TypeArgs = TargetObjCPtr->getTypeArgs(); 7124 if (TypeArgs.size() != 1) 7125 return; 7126 7127 QualType TargetElementType = TypeArgs[0]; 7128 for (unsigned I = 0, N = ArrayLiteral->getNumElements(); I != N; ++I) { 7129 checkObjCCollectionLiteralElement(S, TargetElementType, 7130 ArrayLiteral->getElement(I), 7131 0); 7132 } 7133 } 7134 7135 /// Check an Objective-C dictionary literal being converted to the given 7136 /// target type. 7137 static void checkObjCDictionaryLiteral( 7138 Sema &S, QualType TargetType, 7139 ObjCDictionaryLiteral *DictionaryLiteral) { 7140 if (!S.NSDictionaryDecl) 7141 return; 7142 7143 const auto *TargetObjCPtr = TargetType->getAs<ObjCObjectPointerType>(); 7144 if (!TargetObjCPtr) 7145 return; 7146 7147 if (TargetObjCPtr->isUnspecialized() || 7148 TargetObjCPtr->getInterfaceDecl()->getCanonicalDecl() 7149 != S.NSDictionaryDecl->getCanonicalDecl()) 7150 return; 7151 7152 auto TypeArgs = TargetObjCPtr->getTypeArgs(); 7153 if (TypeArgs.size() != 2) 7154 return; 7155 7156 QualType TargetKeyType = TypeArgs[0]; 7157 QualType TargetObjectType = TypeArgs[1]; 7158 for (unsigned I = 0, N = DictionaryLiteral->getNumElements(); I != N; ++I) { 7159 auto Element = DictionaryLiteral->getKeyValueElement(I); 7160 checkObjCCollectionLiteralElement(S, TargetKeyType, Element.Key, 1); 7161 checkObjCCollectionLiteralElement(S, TargetObjectType, Element.Value, 2); 7162 } 7163 } 7164 7165 void CheckImplicitConversion(Sema &S, Expr *E, QualType T, 7166 SourceLocation CC, bool *ICContext = nullptr) { 7167 if (E->isTypeDependent() || E->isValueDependent()) return; 7168 7169 const Type *Source = S.Context.getCanonicalType(E->getType()).getTypePtr(); 7170 const Type *Target = S.Context.getCanonicalType(T).getTypePtr(); 7171 if (Source == Target) return; 7172 if (Target->isDependentType()) return; 7173 7174 // If the conversion context location is invalid don't complain. We also 7175 // don't want to emit a warning if the issue occurs from the expansion of 7176 // a system macro. The problem is that 'getSpellingLoc()' is slow, so we 7177 // delay this check as long as possible. Once we detect we are in that 7178 // scenario, we just return. 7179 if (CC.isInvalid()) 7180 return; 7181 7182 // Diagnose implicit casts to bool. 7183 if (Target->isSpecificBuiltinType(BuiltinType::Bool)) { 7184 if (isa<StringLiteral>(E)) 7185 // Warn on string literal to bool. Checks for string literals in logical 7186 // and expressions, for instance, assert(0 && "error here"), are 7187 // prevented by a check in AnalyzeImplicitConversions(). 7188 return DiagnoseImpCast(S, E, T, CC, 7189 diag::warn_impcast_string_literal_to_bool); 7190 if (isa<ObjCStringLiteral>(E) || isa<ObjCArrayLiteral>(E) || 7191 isa<ObjCDictionaryLiteral>(E) || isa<ObjCBoxedExpr>(E)) { 7192 // This covers the literal expressions that evaluate to Objective-C 7193 // objects. 7194 return DiagnoseImpCast(S, E, T, CC, 7195 diag::warn_impcast_objective_c_literal_to_bool); 7196 } 7197 if (Source->isPointerType() || Source->canDecayToPointerType()) { 7198 // Warn on pointer to bool conversion that is always true. 7199 S.DiagnoseAlwaysNonNullPointer(E, Expr::NPCK_NotNull, /*IsEqual*/ false, 7200 SourceRange(CC)); 7201 } 7202 } 7203 7204 // Check implicit casts from Objective-C collection literals to specialized 7205 // collection types, e.g., NSArray<NSString *> *. 7206 if (auto *ArrayLiteral = dyn_cast<ObjCArrayLiteral>(E)) 7207 checkObjCArrayLiteral(S, QualType(Target, 0), ArrayLiteral); 7208 else if (auto *DictionaryLiteral = dyn_cast<ObjCDictionaryLiteral>(E)) 7209 checkObjCDictionaryLiteral(S, QualType(Target, 0), DictionaryLiteral); 7210 7211 // Strip vector types. 7212 if (isa<VectorType>(Source)) { 7213 if (!isa<VectorType>(Target)) { 7214 if (S.SourceMgr.isInSystemMacro(CC)) 7215 return; 7216 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_vector_scalar); 7217 } 7218 7219 // If the vector cast is cast between two vectors of the same size, it is 7220 // a bitcast, not a conversion. 7221 if (S.Context.getTypeSize(Source) == S.Context.getTypeSize(Target)) 7222 return; 7223 7224 Source = cast<VectorType>(Source)->getElementType().getTypePtr(); 7225 Target = cast<VectorType>(Target)->getElementType().getTypePtr(); 7226 } 7227 if (auto VecTy = dyn_cast<VectorType>(Target)) 7228 Target = VecTy->getElementType().getTypePtr(); 7229 7230 // Strip complex types. 7231 if (isa<ComplexType>(Source)) { 7232 if (!isa<ComplexType>(Target)) { 7233 if (S.SourceMgr.isInSystemMacro(CC)) 7234 return; 7235 7236 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_complex_scalar); 7237 } 7238 7239 Source = cast<ComplexType>(Source)->getElementType().getTypePtr(); 7240 Target = cast<ComplexType>(Target)->getElementType().getTypePtr(); 7241 } 7242 7243 const BuiltinType *SourceBT = dyn_cast<BuiltinType>(Source); 7244 const BuiltinType *TargetBT = dyn_cast<BuiltinType>(Target); 7245 7246 // If the source is floating point... 7247 if (SourceBT && SourceBT->isFloatingPoint()) { 7248 // ...and the target is floating point... 7249 if (TargetBT && TargetBT->isFloatingPoint()) { 7250 // ...then warn if we're dropping FP rank. 7251 7252 // Builtin FP kinds are ordered by increasing FP rank. 7253 if (SourceBT->getKind() > TargetBT->getKind()) { 7254 // Don't warn about float constants that are precisely 7255 // representable in the target type. 7256 Expr::EvalResult result; 7257 if (E->EvaluateAsRValue(result, S.Context)) { 7258 // Value might be a float, a float vector, or a float complex. 7259 if (IsSameFloatAfterCast(result.Val, 7260 S.Context.getFloatTypeSemantics(QualType(TargetBT, 0)), 7261 S.Context.getFloatTypeSemantics(QualType(SourceBT, 0)))) 7262 return; 7263 } 7264 7265 if (S.SourceMgr.isInSystemMacro(CC)) 7266 return; 7267 7268 DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_precision); 7269 7270 } 7271 // ... or possibly if we're increasing rank, too 7272 else if (TargetBT->getKind() > SourceBT->getKind()) { 7273 if (S.SourceMgr.isInSystemMacro(CC)) 7274 return; 7275 7276 DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_double_promotion); 7277 } 7278 return; 7279 } 7280 7281 // If the target is integral, always warn. 7282 if (TargetBT && TargetBT->isInteger()) { 7283 if (S.SourceMgr.isInSystemMacro(CC)) 7284 return; 7285 7286 Expr *InnerE = E->IgnoreParenImpCasts(); 7287 // We also want to warn on, e.g., "int i = -1.234" 7288 if (UnaryOperator *UOp = dyn_cast<UnaryOperator>(InnerE)) 7289 if (UOp->getOpcode() == UO_Minus || UOp->getOpcode() == UO_Plus) 7290 InnerE = UOp->getSubExpr()->IgnoreParenImpCasts(); 7291 7292 if (FloatingLiteral *FL = dyn_cast<FloatingLiteral>(InnerE)) { 7293 DiagnoseFloatingLiteralImpCast(S, FL, T, CC); 7294 } else { 7295 DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_integer); 7296 } 7297 } 7298 7299 // If the target is bool, warn if expr is a function or method call. 7300 if (Target->isSpecificBuiltinType(BuiltinType::Bool) && 7301 isa<CallExpr>(E)) { 7302 // Check last argument of function call to see if it is an 7303 // implicit cast from a type matching the type the result 7304 // is being cast to. 7305 CallExpr *CEx = cast<CallExpr>(E); 7306 unsigned NumArgs = CEx->getNumArgs(); 7307 if (NumArgs > 0) { 7308 Expr *LastA = CEx->getArg(NumArgs - 1); 7309 Expr *InnerE = LastA->IgnoreParenImpCasts(); 7310 const Type *InnerType = 7311 S.Context.getCanonicalType(InnerE->getType()).getTypePtr(); 7312 if (isa<ImplicitCastExpr>(LastA) && (InnerType == Target)) { 7313 // Warn on this floating-point to bool conversion 7314 DiagnoseImpCast(S, E, T, CC, 7315 diag::warn_impcast_floating_point_to_bool); 7316 } 7317 } 7318 } 7319 return; 7320 } 7321 7322 DiagnoseNullConversion(S, E, T, CC); 7323 7324 if (!Source->isIntegerType() || !Target->isIntegerType()) 7325 return; 7326 7327 // TODO: remove this early return once the false positives for constant->bool 7328 // in templates, macros, etc, are reduced or removed. 7329 if (Target->isSpecificBuiltinType(BuiltinType::Bool)) 7330 return; 7331 7332 IntRange SourceRange = GetExprRange(S.Context, E); 7333 IntRange TargetRange = IntRange::forTargetOfCanonicalType(S.Context, Target); 7334 7335 if (SourceRange.Width > TargetRange.Width) { 7336 // If the source is a constant, use a default-on diagnostic. 7337 // TODO: this should happen for bitfield stores, too. 7338 llvm::APSInt Value(32); 7339 if (E->isIntegerConstantExpr(Value, S.Context)) { 7340 if (S.SourceMgr.isInSystemMacro(CC)) 7341 return; 7342 7343 std::string PrettySourceValue = Value.toString(10); 7344 std::string PrettyTargetValue = PrettyPrintInRange(Value, TargetRange); 7345 7346 S.DiagRuntimeBehavior(E->getExprLoc(), E, 7347 S.PDiag(diag::warn_impcast_integer_precision_constant) 7348 << PrettySourceValue << PrettyTargetValue 7349 << E->getType() << T << E->getSourceRange() 7350 << clang::SourceRange(CC)); 7351 return; 7352 } 7353 7354 // People want to build with -Wshorten-64-to-32 and not -Wconversion. 7355 if (S.SourceMgr.isInSystemMacro(CC)) 7356 return; 7357 7358 if (TargetRange.Width == 32 && S.Context.getIntWidth(E->getType()) == 64) 7359 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_64_32, 7360 /* pruneControlFlow */ true); 7361 return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_precision); 7362 } 7363 7364 if ((TargetRange.NonNegative && !SourceRange.NonNegative) || 7365 (!TargetRange.NonNegative && SourceRange.NonNegative && 7366 SourceRange.Width == TargetRange.Width)) { 7367 7368 if (S.SourceMgr.isInSystemMacro(CC)) 7369 return; 7370 7371 unsigned DiagID = diag::warn_impcast_integer_sign; 7372 7373 // Traditionally, gcc has warned about this under -Wsign-compare. 7374 // We also want to warn about it in -Wconversion. 7375 // So if -Wconversion is off, use a completely identical diagnostic 7376 // in the sign-compare group. 7377 // The conditional-checking code will 7378 if (ICContext) { 7379 DiagID = diag::warn_impcast_integer_sign_conditional; 7380 *ICContext = true; 7381 } 7382 7383 return DiagnoseImpCast(S, E, T, CC, DiagID); 7384 } 7385 7386 // Diagnose conversions between different enumeration types. 7387 // In C, we pretend that the type of an EnumConstantDecl is its enumeration 7388 // type, to give us better diagnostics. 7389 QualType SourceType = E->getType(); 7390 if (!S.getLangOpts().CPlusPlus) { 7391 if (DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) 7392 if (EnumConstantDecl *ECD = dyn_cast<EnumConstantDecl>(DRE->getDecl())) { 7393 EnumDecl *Enum = cast<EnumDecl>(ECD->getDeclContext()); 7394 SourceType = S.Context.getTypeDeclType(Enum); 7395 Source = S.Context.getCanonicalType(SourceType).getTypePtr(); 7396 } 7397 } 7398 7399 if (const EnumType *SourceEnum = Source->getAs<EnumType>()) 7400 if (const EnumType *TargetEnum = Target->getAs<EnumType>()) 7401 if (SourceEnum->getDecl()->hasNameForLinkage() && 7402 TargetEnum->getDecl()->hasNameForLinkage() && 7403 SourceEnum != TargetEnum) { 7404 if (S.SourceMgr.isInSystemMacro(CC)) 7405 return; 7406 7407 return DiagnoseImpCast(S, E, SourceType, T, CC, 7408 diag::warn_impcast_different_enum_types); 7409 } 7410 7411 return; 7412 } 7413 7414 void CheckConditionalOperator(Sema &S, ConditionalOperator *E, 7415 SourceLocation CC, QualType T); 7416 7417 void CheckConditionalOperand(Sema &S, Expr *E, QualType T, 7418 SourceLocation CC, bool &ICContext) { 7419 E = E->IgnoreParenImpCasts(); 7420 7421 if (isa<ConditionalOperator>(E)) 7422 return CheckConditionalOperator(S, cast<ConditionalOperator>(E), CC, T); 7423 7424 AnalyzeImplicitConversions(S, E, CC); 7425 if (E->getType() != T) 7426 return CheckImplicitConversion(S, E, T, CC, &ICContext); 7427 return; 7428 } 7429 7430 void CheckConditionalOperator(Sema &S, ConditionalOperator *E, 7431 SourceLocation CC, QualType T) { 7432 AnalyzeImplicitConversions(S, E->getCond(), E->getQuestionLoc()); 7433 7434 bool Suspicious = false; 7435 CheckConditionalOperand(S, E->getTrueExpr(), T, CC, Suspicious); 7436 CheckConditionalOperand(S, E->getFalseExpr(), T, CC, Suspicious); 7437 7438 // If -Wconversion would have warned about either of the candidates 7439 // for a signedness conversion to the context type... 7440 if (!Suspicious) return; 7441 7442 // ...but it's currently ignored... 7443 if (!S.Diags.isIgnored(diag::warn_impcast_integer_sign_conditional, CC)) 7444 return; 7445 7446 // ...then check whether it would have warned about either of the 7447 // candidates for a signedness conversion to the condition type. 7448 if (E->getType() == T) return; 7449 7450 Suspicious = false; 7451 CheckImplicitConversion(S, E->getTrueExpr()->IgnoreParenImpCasts(), 7452 E->getType(), CC, &Suspicious); 7453 if (!Suspicious) 7454 CheckImplicitConversion(S, E->getFalseExpr()->IgnoreParenImpCasts(), 7455 E->getType(), CC, &Suspicious); 7456 } 7457 7458 /// CheckBoolLikeConversion - Check conversion of given expression to boolean. 7459 /// Input argument E is a logical expression. 7460 static void CheckBoolLikeConversion(Sema &S, Expr *E, SourceLocation CC) { 7461 if (S.getLangOpts().Bool) 7462 return; 7463 CheckImplicitConversion(S, E->IgnoreParenImpCasts(), S.Context.BoolTy, CC); 7464 } 7465 7466 /// AnalyzeImplicitConversions - Find and report any interesting 7467 /// implicit conversions in the given expression. There are a couple 7468 /// of competing diagnostics here, -Wconversion and -Wsign-compare. 7469 void AnalyzeImplicitConversions(Sema &S, Expr *OrigE, SourceLocation CC) { 7470 QualType T = OrigE->getType(); 7471 Expr *E = OrigE->IgnoreParenImpCasts(); 7472 7473 if (E->isTypeDependent() || E->isValueDependent()) 7474 return; 7475 7476 // For conditional operators, we analyze the arguments as if they 7477 // were being fed directly into the output. 7478 if (isa<ConditionalOperator>(E)) { 7479 ConditionalOperator *CO = cast<ConditionalOperator>(E); 7480 CheckConditionalOperator(S, CO, CC, T); 7481 return; 7482 } 7483 7484 // Check implicit argument conversions for function calls. 7485 if (CallExpr *Call = dyn_cast<CallExpr>(E)) 7486 CheckImplicitArgumentConversions(S, Call, CC); 7487 7488 // Go ahead and check any implicit conversions we might have skipped. 7489 // The non-canonical typecheck is just an optimization; 7490 // CheckImplicitConversion will filter out dead implicit conversions. 7491 if (E->getType() != T) 7492 CheckImplicitConversion(S, E, T, CC); 7493 7494 // Now continue drilling into this expression. 7495 7496 if (PseudoObjectExpr *POE = dyn_cast<PseudoObjectExpr>(E)) { 7497 // The bound subexpressions in a PseudoObjectExpr are not reachable 7498 // as transitive children. 7499 // FIXME: Use a more uniform representation for this. 7500 for (auto *SE : POE->semantics()) 7501 if (auto *OVE = dyn_cast<OpaqueValueExpr>(SE)) 7502 AnalyzeImplicitConversions(S, OVE->getSourceExpr(), CC); 7503 } 7504 7505 // Skip past explicit casts. 7506 if (isa<ExplicitCastExpr>(E)) { 7507 E = cast<ExplicitCastExpr>(E)->getSubExpr()->IgnoreParenImpCasts(); 7508 return AnalyzeImplicitConversions(S, E, CC); 7509 } 7510 7511 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 7512 // Do a somewhat different check with comparison operators. 7513 if (BO->isComparisonOp()) 7514 return AnalyzeComparison(S, BO); 7515 7516 // And with simple assignments. 7517 if (BO->getOpcode() == BO_Assign) 7518 return AnalyzeAssignment(S, BO); 7519 } 7520 7521 // These break the otherwise-useful invariant below. Fortunately, 7522 // we don't really need to recurse into them, because any internal 7523 // expressions should have been analyzed already when they were 7524 // built into statements. 7525 if (isa<StmtExpr>(E)) return; 7526 7527 // Don't descend into unevaluated contexts. 7528 if (isa<UnaryExprOrTypeTraitExpr>(E)) return; 7529 7530 // Now just recurse over the expression's children. 7531 CC = E->getExprLoc(); 7532 BinaryOperator *BO = dyn_cast<BinaryOperator>(E); 7533 bool IsLogicalAndOperator = BO && BO->getOpcode() == BO_LAnd; 7534 for (Stmt *SubStmt : E->children()) { 7535 Expr *ChildExpr = dyn_cast_or_null<Expr>(SubStmt); 7536 if (!ChildExpr) 7537 continue; 7538 7539 if (IsLogicalAndOperator && 7540 isa<StringLiteral>(ChildExpr->IgnoreParenImpCasts())) 7541 // Ignore checking string literals that are in logical and operators. 7542 // This is a common pattern for asserts. 7543 continue; 7544 AnalyzeImplicitConversions(S, ChildExpr, CC); 7545 } 7546 7547 if (BO && BO->isLogicalOp()) { 7548 Expr *SubExpr = BO->getLHS()->IgnoreParenImpCasts(); 7549 if (!IsLogicalAndOperator || !isa<StringLiteral>(SubExpr)) 7550 ::CheckBoolLikeConversion(S, SubExpr, BO->getExprLoc()); 7551 7552 SubExpr = BO->getRHS()->IgnoreParenImpCasts(); 7553 if (!IsLogicalAndOperator || !isa<StringLiteral>(SubExpr)) 7554 ::CheckBoolLikeConversion(S, SubExpr, BO->getExprLoc()); 7555 } 7556 7557 if (const UnaryOperator *U = dyn_cast<UnaryOperator>(E)) 7558 if (U->getOpcode() == UO_LNot) 7559 ::CheckBoolLikeConversion(S, U->getSubExpr(), CC); 7560 } 7561 7562 } // end anonymous namespace 7563 7564 enum { 7565 AddressOf, 7566 FunctionPointer, 7567 ArrayPointer 7568 }; 7569 7570 // Helper function for Sema::DiagnoseAlwaysNonNullPointer. 7571 // Returns true when emitting a warning about taking the address of a reference. 7572 static bool CheckForReference(Sema &SemaRef, const Expr *E, 7573 PartialDiagnostic PD) { 7574 E = E->IgnoreParenImpCasts(); 7575 7576 const FunctionDecl *FD = nullptr; 7577 7578 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) { 7579 if (!DRE->getDecl()->getType()->isReferenceType()) 7580 return false; 7581 } else if (const MemberExpr *M = dyn_cast<MemberExpr>(E)) { 7582 if (!M->getMemberDecl()->getType()->isReferenceType()) 7583 return false; 7584 } else if (const CallExpr *Call = dyn_cast<CallExpr>(E)) { 7585 if (!Call->getCallReturnType(SemaRef.Context)->isReferenceType()) 7586 return false; 7587 FD = Call->getDirectCallee(); 7588 } else { 7589 return false; 7590 } 7591 7592 SemaRef.Diag(E->getExprLoc(), PD); 7593 7594 // If possible, point to location of function. 7595 if (FD) { 7596 SemaRef.Diag(FD->getLocation(), diag::note_reference_is_return_value) << FD; 7597 } 7598 7599 return true; 7600 } 7601 7602 // Returns true if the SourceLocation is expanded from any macro body. 7603 // Returns false if the SourceLocation is invalid, is from not in a macro 7604 // expansion, or is from expanded from a top-level macro argument. 7605 static bool IsInAnyMacroBody(const SourceManager &SM, SourceLocation Loc) { 7606 if (Loc.isInvalid()) 7607 return false; 7608 7609 while (Loc.isMacroID()) { 7610 if (SM.isMacroBodyExpansion(Loc)) 7611 return true; 7612 Loc = SM.getImmediateMacroCallerLoc(Loc); 7613 } 7614 7615 return false; 7616 } 7617 7618 /// \brief Diagnose pointers that are always non-null. 7619 /// \param E the expression containing the pointer 7620 /// \param NullKind NPCK_NotNull if E is a cast to bool, otherwise, E is 7621 /// compared to a null pointer 7622 /// \param IsEqual True when the comparison is equal to a null pointer 7623 /// \param Range Extra SourceRange to highlight in the diagnostic 7624 void Sema::DiagnoseAlwaysNonNullPointer(Expr *E, 7625 Expr::NullPointerConstantKind NullKind, 7626 bool IsEqual, SourceRange Range) { 7627 if (!E) 7628 return; 7629 7630 // Don't warn inside macros. 7631 if (E->getExprLoc().isMacroID()) { 7632 const SourceManager &SM = getSourceManager(); 7633 if (IsInAnyMacroBody(SM, E->getExprLoc()) || 7634 IsInAnyMacroBody(SM, Range.getBegin())) 7635 return; 7636 } 7637 E = E->IgnoreImpCasts(); 7638 7639 const bool IsCompare = NullKind != Expr::NPCK_NotNull; 7640 7641 if (isa<CXXThisExpr>(E)) { 7642 unsigned DiagID = IsCompare ? diag::warn_this_null_compare 7643 : diag::warn_this_bool_conversion; 7644 Diag(E->getExprLoc(), DiagID) << E->getSourceRange() << Range << IsEqual; 7645 return; 7646 } 7647 7648 bool IsAddressOf = false; 7649 7650 if (UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) { 7651 if (UO->getOpcode() != UO_AddrOf) 7652 return; 7653 IsAddressOf = true; 7654 E = UO->getSubExpr(); 7655 } 7656 7657 if (IsAddressOf) { 7658 unsigned DiagID = IsCompare 7659 ? diag::warn_address_of_reference_null_compare 7660 : diag::warn_address_of_reference_bool_conversion; 7661 PartialDiagnostic PD = PDiag(DiagID) << E->getSourceRange() << Range 7662 << IsEqual; 7663 if (CheckForReference(*this, E, PD)) { 7664 return; 7665 } 7666 } 7667 7668 auto ComplainAboutNonnullParamOrCall = [&](bool IsParam) { 7669 std::string Str; 7670 llvm::raw_string_ostream S(Str); 7671 E->printPretty(S, nullptr, getPrintingPolicy()); 7672 unsigned DiagID = IsCompare ? diag::warn_nonnull_expr_compare 7673 : diag::warn_cast_nonnull_to_bool; 7674 Diag(E->getExprLoc(), DiagID) << IsParam << S.str() 7675 << E->getSourceRange() << Range << IsEqual; 7676 }; 7677 7678 // If we have a CallExpr that is tagged with returns_nonnull, we can complain. 7679 if (auto *Call = dyn_cast<CallExpr>(E->IgnoreParenImpCasts())) { 7680 if (auto *Callee = Call->getDirectCallee()) { 7681 if (Callee->hasAttr<ReturnsNonNullAttr>()) { 7682 ComplainAboutNonnullParamOrCall(false); 7683 return; 7684 } 7685 } 7686 } 7687 7688 // Expect to find a single Decl. Skip anything more complicated. 7689 ValueDecl *D = nullptr; 7690 if (DeclRefExpr *R = dyn_cast<DeclRefExpr>(E)) { 7691 D = R->getDecl(); 7692 } else if (MemberExpr *M = dyn_cast<MemberExpr>(E)) { 7693 D = M->getMemberDecl(); 7694 } 7695 7696 // Weak Decls can be null. 7697 if (!D || D->isWeak()) 7698 return; 7699 7700 // Check for parameter decl with nonnull attribute 7701 if (const auto* PV = dyn_cast<ParmVarDecl>(D)) { 7702 if (getCurFunction() && 7703 !getCurFunction()->ModifiedNonNullParams.count(PV)) { 7704 if (PV->hasAttr<NonNullAttr>()) { 7705 ComplainAboutNonnullParamOrCall(true); 7706 return; 7707 } 7708 7709 if (const auto *FD = dyn_cast<FunctionDecl>(PV->getDeclContext())) { 7710 auto ParamIter = std::find(FD->param_begin(), FD->param_end(), PV); 7711 assert(ParamIter != FD->param_end()); 7712 unsigned ParamNo = std::distance(FD->param_begin(), ParamIter); 7713 7714 for (const auto *NonNull : FD->specific_attrs<NonNullAttr>()) { 7715 if (!NonNull->args_size()) { 7716 ComplainAboutNonnullParamOrCall(true); 7717 return; 7718 } 7719 7720 for (unsigned ArgNo : NonNull->args()) { 7721 if (ArgNo == ParamNo) { 7722 ComplainAboutNonnullParamOrCall(true); 7723 return; 7724 } 7725 } 7726 } 7727 } 7728 } 7729 } 7730 7731 QualType T = D->getType(); 7732 const bool IsArray = T->isArrayType(); 7733 const bool IsFunction = T->isFunctionType(); 7734 7735 // Address of function is used to silence the function warning. 7736 if (IsAddressOf && IsFunction) { 7737 return; 7738 } 7739 7740 // Found nothing. 7741 if (!IsAddressOf && !IsFunction && !IsArray) 7742 return; 7743 7744 // Pretty print the expression for the diagnostic. 7745 std::string Str; 7746 llvm::raw_string_ostream S(Str); 7747 E->printPretty(S, nullptr, getPrintingPolicy()); 7748 7749 unsigned DiagID = IsCompare ? diag::warn_null_pointer_compare 7750 : diag::warn_impcast_pointer_to_bool; 7751 unsigned DiagType; 7752 if (IsAddressOf) 7753 DiagType = AddressOf; 7754 else if (IsFunction) 7755 DiagType = FunctionPointer; 7756 else if (IsArray) 7757 DiagType = ArrayPointer; 7758 else 7759 llvm_unreachable("Could not determine diagnostic."); 7760 Diag(E->getExprLoc(), DiagID) << DiagType << S.str() << E->getSourceRange() 7761 << Range << IsEqual; 7762 7763 if (!IsFunction) 7764 return; 7765 7766 // Suggest '&' to silence the function warning. 7767 Diag(E->getExprLoc(), diag::note_function_warning_silence) 7768 << FixItHint::CreateInsertion(E->getLocStart(), "&"); 7769 7770 // Check to see if '()' fixit should be emitted. 7771 QualType ReturnType; 7772 UnresolvedSet<4> NonTemplateOverloads; 7773 tryExprAsCall(*E, ReturnType, NonTemplateOverloads); 7774 if (ReturnType.isNull()) 7775 return; 7776 7777 if (IsCompare) { 7778 // There are two cases here. If there is null constant, the only suggest 7779 // for a pointer return type. If the null is 0, then suggest if the return 7780 // type is a pointer or an integer type. 7781 if (!ReturnType->isPointerType()) { 7782 if (NullKind == Expr::NPCK_ZeroExpression || 7783 NullKind == Expr::NPCK_ZeroLiteral) { 7784 if (!ReturnType->isIntegerType()) 7785 return; 7786 } else { 7787 return; 7788 } 7789 } 7790 } else { // !IsCompare 7791 // For function to bool, only suggest if the function pointer has bool 7792 // return type. 7793 if (!ReturnType->isSpecificBuiltinType(BuiltinType::Bool)) 7794 return; 7795 } 7796 Diag(E->getExprLoc(), diag::note_function_to_function_call) 7797 << FixItHint::CreateInsertion(getLocForEndOfToken(E->getLocEnd()), "()"); 7798 } 7799 7800 7801 /// Diagnoses "dangerous" implicit conversions within the given 7802 /// expression (which is a full expression). Implements -Wconversion 7803 /// and -Wsign-compare. 7804 /// 7805 /// \param CC the "context" location of the implicit conversion, i.e. 7806 /// the most location of the syntactic entity requiring the implicit 7807 /// conversion 7808 void Sema::CheckImplicitConversions(Expr *E, SourceLocation CC) { 7809 // Don't diagnose in unevaluated contexts. 7810 if (isUnevaluatedContext()) 7811 return; 7812 7813 // Don't diagnose for value- or type-dependent expressions. 7814 if (E->isTypeDependent() || E->isValueDependent()) 7815 return; 7816 7817 // Check for array bounds violations in cases where the check isn't triggered 7818 // elsewhere for other Expr types (like BinaryOperators), e.g. when an 7819 // ArraySubscriptExpr is on the RHS of a variable initialization. 7820 CheckArrayAccess(E); 7821 7822 // This is not the right CC for (e.g.) a variable initialization. 7823 AnalyzeImplicitConversions(*this, E, CC); 7824 } 7825 7826 /// CheckBoolLikeConversion - Check conversion of given expression to boolean. 7827 /// Input argument E is a logical expression. 7828 void Sema::CheckBoolLikeConversion(Expr *E, SourceLocation CC) { 7829 ::CheckBoolLikeConversion(*this, E, CC); 7830 } 7831 7832 /// Diagnose when expression is an integer constant expression and its evaluation 7833 /// results in integer overflow 7834 void Sema::CheckForIntOverflow (Expr *E) { 7835 if (isa<BinaryOperator>(E->IgnoreParenCasts())) 7836 E->IgnoreParenCasts()->EvaluateForOverflow(Context); 7837 } 7838 7839 namespace { 7840 /// \brief Visitor for expressions which looks for unsequenced operations on the 7841 /// same object. 7842 class SequenceChecker : public EvaluatedExprVisitor<SequenceChecker> { 7843 typedef EvaluatedExprVisitor<SequenceChecker> Base; 7844 7845 /// \brief A tree of sequenced regions within an expression. Two regions are 7846 /// unsequenced if one is an ancestor or a descendent of the other. When we 7847 /// finish processing an expression with sequencing, such as a comma 7848 /// expression, we fold its tree nodes into its parent, since they are 7849 /// unsequenced with respect to nodes we will visit later. 7850 class SequenceTree { 7851 struct Value { 7852 explicit Value(unsigned Parent) : Parent(Parent), Merged(false) {} 7853 unsigned Parent : 31; 7854 bool Merged : 1; 7855 }; 7856 SmallVector<Value, 8> Values; 7857 7858 public: 7859 /// \brief A region within an expression which may be sequenced with respect 7860 /// to some other region. 7861 class Seq { 7862 explicit Seq(unsigned N) : Index(N) {} 7863 unsigned Index; 7864 friend class SequenceTree; 7865 public: 7866 Seq() : Index(0) {} 7867 }; 7868 7869 SequenceTree() { Values.push_back(Value(0)); } 7870 Seq root() const { return Seq(0); } 7871 7872 /// \brief Create a new sequence of operations, which is an unsequenced 7873 /// subset of \p Parent. This sequence of operations is sequenced with 7874 /// respect to other children of \p Parent. 7875 Seq allocate(Seq Parent) { 7876 Values.push_back(Value(Parent.Index)); 7877 return Seq(Values.size() - 1); 7878 } 7879 7880 /// \brief Merge a sequence of operations into its parent. 7881 void merge(Seq S) { 7882 Values[S.Index].Merged = true; 7883 } 7884 7885 /// \brief Determine whether two operations are unsequenced. This operation 7886 /// is asymmetric: \p Cur should be the more recent sequence, and \p Old 7887 /// should have been merged into its parent as appropriate. 7888 bool isUnsequenced(Seq Cur, Seq Old) { 7889 unsigned C = representative(Cur.Index); 7890 unsigned Target = representative(Old.Index); 7891 while (C >= Target) { 7892 if (C == Target) 7893 return true; 7894 C = Values[C].Parent; 7895 } 7896 return false; 7897 } 7898 7899 private: 7900 /// \brief Pick a representative for a sequence. 7901 unsigned representative(unsigned K) { 7902 if (Values[K].Merged) 7903 // Perform path compression as we go. 7904 return Values[K].Parent = representative(Values[K].Parent); 7905 return K; 7906 } 7907 }; 7908 7909 /// An object for which we can track unsequenced uses. 7910 typedef NamedDecl *Object; 7911 7912 /// Different flavors of object usage which we track. We only track the 7913 /// least-sequenced usage of each kind. 7914 enum UsageKind { 7915 /// A read of an object. Multiple unsequenced reads are OK. 7916 UK_Use, 7917 /// A modification of an object which is sequenced before the value 7918 /// computation of the expression, such as ++n in C++. 7919 UK_ModAsValue, 7920 /// A modification of an object which is not sequenced before the value 7921 /// computation of the expression, such as n++. 7922 UK_ModAsSideEffect, 7923 7924 UK_Count = UK_ModAsSideEffect + 1 7925 }; 7926 7927 struct Usage { 7928 Usage() : Use(nullptr), Seq() {} 7929 Expr *Use; 7930 SequenceTree::Seq Seq; 7931 }; 7932 7933 struct UsageInfo { 7934 UsageInfo() : Diagnosed(false) {} 7935 Usage Uses[UK_Count]; 7936 /// Have we issued a diagnostic for this variable already? 7937 bool Diagnosed; 7938 }; 7939 typedef llvm::SmallDenseMap<Object, UsageInfo, 16> UsageInfoMap; 7940 7941 Sema &SemaRef; 7942 /// Sequenced regions within the expression. 7943 SequenceTree Tree; 7944 /// Declaration modifications and references which we have seen. 7945 UsageInfoMap UsageMap; 7946 /// The region we are currently within. 7947 SequenceTree::Seq Region; 7948 /// Filled in with declarations which were modified as a side-effect 7949 /// (that is, post-increment operations). 7950 SmallVectorImpl<std::pair<Object, Usage> > *ModAsSideEffect; 7951 /// Expressions to check later. We defer checking these to reduce 7952 /// stack usage. 7953 SmallVectorImpl<Expr *> &WorkList; 7954 7955 /// RAII object wrapping the visitation of a sequenced subexpression of an 7956 /// expression. At the end of this process, the side-effects of the evaluation 7957 /// become sequenced with respect to the value computation of the result, so 7958 /// we downgrade any UK_ModAsSideEffect within the evaluation to 7959 /// UK_ModAsValue. 7960 struct SequencedSubexpression { 7961 SequencedSubexpression(SequenceChecker &Self) 7962 : Self(Self), OldModAsSideEffect(Self.ModAsSideEffect) { 7963 Self.ModAsSideEffect = &ModAsSideEffect; 7964 } 7965 ~SequencedSubexpression() { 7966 for (auto MI = ModAsSideEffect.rbegin(), ME = ModAsSideEffect.rend(); 7967 MI != ME; ++MI) { 7968 UsageInfo &U = Self.UsageMap[MI->first]; 7969 auto &SideEffectUsage = U.Uses[UK_ModAsSideEffect]; 7970 Self.addUsage(U, MI->first, SideEffectUsage.Use, UK_ModAsValue); 7971 SideEffectUsage = MI->second; 7972 } 7973 Self.ModAsSideEffect = OldModAsSideEffect; 7974 } 7975 7976 SequenceChecker &Self; 7977 SmallVector<std::pair<Object, Usage>, 4> ModAsSideEffect; 7978 SmallVectorImpl<std::pair<Object, Usage> > *OldModAsSideEffect; 7979 }; 7980 7981 /// RAII object wrapping the visitation of a subexpression which we might 7982 /// choose to evaluate as a constant. If any subexpression is evaluated and 7983 /// found to be non-constant, this allows us to suppress the evaluation of 7984 /// the outer expression. 7985 class EvaluationTracker { 7986 public: 7987 EvaluationTracker(SequenceChecker &Self) 7988 : Self(Self), Prev(Self.EvalTracker), EvalOK(true) { 7989 Self.EvalTracker = this; 7990 } 7991 ~EvaluationTracker() { 7992 Self.EvalTracker = Prev; 7993 if (Prev) 7994 Prev->EvalOK &= EvalOK; 7995 } 7996 7997 bool evaluate(const Expr *E, bool &Result) { 7998 if (!EvalOK || E->isValueDependent()) 7999 return false; 8000 EvalOK = E->EvaluateAsBooleanCondition(Result, Self.SemaRef.Context); 8001 return EvalOK; 8002 } 8003 8004 private: 8005 SequenceChecker &Self; 8006 EvaluationTracker *Prev; 8007 bool EvalOK; 8008 } *EvalTracker; 8009 8010 /// \brief Find the object which is produced by the specified expression, 8011 /// if any. 8012 Object getObject(Expr *E, bool Mod) const { 8013 E = E->IgnoreParenCasts(); 8014 if (UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) { 8015 if (Mod && (UO->getOpcode() == UO_PreInc || UO->getOpcode() == UO_PreDec)) 8016 return getObject(UO->getSubExpr(), Mod); 8017 } else if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) { 8018 if (BO->getOpcode() == BO_Comma) 8019 return getObject(BO->getRHS(), Mod); 8020 if (Mod && BO->isAssignmentOp()) 8021 return getObject(BO->getLHS(), Mod); 8022 } else if (MemberExpr *ME = dyn_cast<MemberExpr>(E)) { 8023 // FIXME: Check for more interesting cases, like "x.n = ++x.n". 8024 if (isa<CXXThisExpr>(ME->getBase()->IgnoreParenCasts())) 8025 return ME->getMemberDecl(); 8026 } else if (DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) 8027 // FIXME: If this is a reference, map through to its value. 8028 return DRE->getDecl(); 8029 return nullptr; 8030 } 8031 8032 /// \brief Note that an object was modified or used by an expression. 8033 void addUsage(UsageInfo &UI, Object O, Expr *Ref, UsageKind UK) { 8034 Usage &U = UI.Uses[UK]; 8035 if (!U.Use || !Tree.isUnsequenced(Region, U.Seq)) { 8036 if (UK == UK_ModAsSideEffect && ModAsSideEffect) 8037 ModAsSideEffect->push_back(std::make_pair(O, U)); 8038 U.Use = Ref; 8039 U.Seq = Region; 8040 } 8041 } 8042 /// \brief Check whether a modification or use conflicts with a prior usage. 8043 void checkUsage(Object O, UsageInfo &UI, Expr *Ref, UsageKind OtherKind, 8044 bool IsModMod) { 8045 if (UI.Diagnosed) 8046 return; 8047 8048 const Usage &U = UI.Uses[OtherKind]; 8049 if (!U.Use || !Tree.isUnsequenced(Region, U.Seq)) 8050 return; 8051 8052 Expr *Mod = U.Use; 8053 Expr *ModOrUse = Ref; 8054 if (OtherKind == UK_Use) 8055 std::swap(Mod, ModOrUse); 8056 8057 SemaRef.Diag(Mod->getExprLoc(), 8058 IsModMod ? diag::warn_unsequenced_mod_mod 8059 : diag::warn_unsequenced_mod_use) 8060 << O << SourceRange(ModOrUse->getExprLoc()); 8061 UI.Diagnosed = true; 8062 } 8063 8064 void notePreUse(Object O, Expr *Use) { 8065 UsageInfo &U = UsageMap[O]; 8066 // Uses conflict with other modifications. 8067 checkUsage(O, U, Use, UK_ModAsValue, false); 8068 } 8069 void notePostUse(Object O, Expr *Use) { 8070 UsageInfo &U = UsageMap[O]; 8071 checkUsage(O, U, Use, UK_ModAsSideEffect, false); 8072 addUsage(U, O, Use, UK_Use); 8073 } 8074 8075 void notePreMod(Object O, Expr *Mod) { 8076 UsageInfo &U = UsageMap[O]; 8077 // Modifications conflict with other modifications and with uses. 8078 checkUsage(O, U, Mod, UK_ModAsValue, true); 8079 checkUsage(O, U, Mod, UK_Use, false); 8080 } 8081 void notePostMod(Object O, Expr *Use, UsageKind UK) { 8082 UsageInfo &U = UsageMap[O]; 8083 checkUsage(O, U, Use, UK_ModAsSideEffect, true); 8084 addUsage(U, O, Use, UK); 8085 } 8086 8087 public: 8088 SequenceChecker(Sema &S, Expr *E, SmallVectorImpl<Expr *> &WorkList) 8089 : Base(S.Context), SemaRef(S), Region(Tree.root()), 8090 ModAsSideEffect(nullptr), WorkList(WorkList), EvalTracker(nullptr) { 8091 Visit(E); 8092 } 8093 8094 void VisitStmt(Stmt *S) { 8095 // Skip all statements which aren't expressions for now. 8096 } 8097 8098 void VisitExpr(Expr *E) { 8099 // By default, just recurse to evaluated subexpressions. 8100 Base::VisitStmt(E); 8101 } 8102 8103 void VisitCastExpr(CastExpr *E) { 8104 Object O = Object(); 8105 if (E->getCastKind() == CK_LValueToRValue) 8106 O = getObject(E->getSubExpr(), false); 8107 8108 if (O) 8109 notePreUse(O, E); 8110 VisitExpr(E); 8111 if (O) 8112 notePostUse(O, E); 8113 } 8114 8115 void VisitBinComma(BinaryOperator *BO) { 8116 // C++11 [expr.comma]p1: 8117 // Every value computation and side effect associated with the left 8118 // expression is sequenced before every value computation and side 8119 // effect associated with the right expression. 8120 SequenceTree::Seq LHS = Tree.allocate(Region); 8121 SequenceTree::Seq RHS = Tree.allocate(Region); 8122 SequenceTree::Seq OldRegion = Region; 8123 8124 { 8125 SequencedSubexpression SeqLHS(*this); 8126 Region = LHS; 8127 Visit(BO->getLHS()); 8128 } 8129 8130 Region = RHS; 8131 Visit(BO->getRHS()); 8132 8133 Region = OldRegion; 8134 8135 // Forget that LHS and RHS are sequenced. They are both unsequenced 8136 // with respect to other stuff. 8137 Tree.merge(LHS); 8138 Tree.merge(RHS); 8139 } 8140 8141 void VisitBinAssign(BinaryOperator *BO) { 8142 // The modification is sequenced after the value computation of the LHS 8143 // and RHS, so check it before inspecting the operands and update the 8144 // map afterwards. 8145 Object O = getObject(BO->getLHS(), true); 8146 if (!O) 8147 return VisitExpr(BO); 8148 8149 notePreMod(O, BO); 8150 8151 // C++11 [expr.ass]p7: 8152 // E1 op= E2 is equivalent to E1 = E1 op E2, except that E1 is evaluated 8153 // only once. 8154 // 8155 // Therefore, for a compound assignment operator, O is considered used 8156 // everywhere except within the evaluation of E1 itself. 8157 if (isa<CompoundAssignOperator>(BO)) 8158 notePreUse(O, BO); 8159 8160 Visit(BO->getLHS()); 8161 8162 if (isa<CompoundAssignOperator>(BO)) 8163 notePostUse(O, BO); 8164 8165 Visit(BO->getRHS()); 8166 8167 // C++11 [expr.ass]p1: 8168 // the assignment is sequenced [...] before the value computation of the 8169 // assignment expression. 8170 // C11 6.5.16/3 has no such rule. 8171 notePostMod(O, BO, SemaRef.getLangOpts().CPlusPlus ? UK_ModAsValue 8172 : UK_ModAsSideEffect); 8173 } 8174 void VisitCompoundAssignOperator(CompoundAssignOperator *CAO) { 8175 VisitBinAssign(CAO); 8176 } 8177 8178 void VisitUnaryPreInc(UnaryOperator *UO) { VisitUnaryPreIncDec(UO); } 8179 void VisitUnaryPreDec(UnaryOperator *UO) { VisitUnaryPreIncDec(UO); } 8180 void VisitUnaryPreIncDec(UnaryOperator *UO) { 8181 Object O = getObject(UO->getSubExpr(), true); 8182 if (!O) 8183 return VisitExpr(UO); 8184 8185 notePreMod(O, UO); 8186 Visit(UO->getSubExpr()); 8187 // C++11 [expr.pre.incr]p1: 8188 // the expression ++x is equivalent to x+=1 8189 notePostMod(O, UO, SemaRef.getLangOpts().CPlusPlus ? UK_ModAsValue 8190 : UK_ModAsSideEffect); 8191 } 8192 8193 void VisitUnaryPostInc(UnaryOperator *UO) { VisitUnaryPostIncDec(UO); } 8194 void VisitUnaryPostDec(UnaryOperator *UO) { VisitUnaryPostIncDec(UO); } 8195 void VisitUnaryPostIncDec(UnaryOperator *UO) { 8196 Object O = getObject(UO->getSubExpr(), true); 8197 if (!O) 8198 return VisitExpr(UO); 8199 8200 notePreMod(O, UO); 8201 Visit(UO->getSubExpr()); 8202 notePostMod(O, UO, UK_ModAsSideEffect); 8203 } 8204 8205 /// Don't visit the RHS of '&&' or '||' if it might not be evaluated. 8206 void VisitBinLOr(BinaryOperator *BO) { 8207 // The side-effects of the LHS of an '&&' are sequenced before the 8208 // value computation of the RHS, and hence before the value computation 8209 // of the '&&' itself, unless the LHS evaluates to zero. We treat them 8210 // as if they were unconditionally sequenced. 8211 EvaluationTracker Eval(*this); 8212 { 8213 SequencedSubexpression Sequenced(*this); 8214 Visit(BO->getLHS()); 8215 } 8216 8217 bool Result; 8218 if (Eval.evaluate(BO->getLHS(), Result)) { 8219 if (!Result) 8220 Visit(BO->getRHS()); 8221 } else { 8222 // Check for unsequenced operations in the RHS, treating it as an 8223 // entirely separate evaluation. 8224 // 8225 // FIXME: If there are operations in the RHS which are unsequenced 8226 // with respect to operations outside the RHS, and those operations 8227 // are unconditionally evaluated, diagnose them. 8228 WorkList.push_back(BO->getRHS()); 8229 } 8230 } 8231 void VisitBinLAnd(BinaryOperator *BO) { 8232 EvaluationTracker Eval(*this); 8233 { 8234 SequencedSubexpression Sequenced(*this); 8235 Visit(BO->getLHS()); 8236 } 8237 8238 bool Result; 8239 if (Eval.evaluate(BO->getLHS(), Result)) { 8240 if (Result) 8241 Visit(BO->getRHS()); 8242 } else { 8243 WorkList.push_back(BO->getRHS()); 8244 } 8245 } 8246 8247 // Only visit the condition, unless we can be sure which subexpression will 8248 // be chosen. 8249 void VisitAbstractConditionalOperator(AbstractConditionalOperator *CO) { 8250 EvaluationTracker Eval(*this); 8251 { 8252 SequencedSubexpression Sequenced(*this); 8253 Visit(CO->getCond()); 8254 } 8255 8256 bool Result; 8257 if (Eval.evaluate(CO->getCond(), Result)) 8258 Visit(Result ? CO->getTrueExpr() : CO->getFalseExpr()); 8259 else { 8260 WorkList.push_back(CO->getTrueExpr()); 8261 WorkList.push_back(CO->getFalseExpr()); 8262 } 8263 } 8264 8265 void VisitCallExpr(CallExpr *CE) { 8266 // C++11 [intro.execution]p15: 8267 // When calling a function [...], every value computation and side effect 8268 // associated with any argument expression, or with the postfix expression 8269 // designating the called function, is sequenced before execution of every 8270 // expression or statement in the body of the function [and thus before 8271 // the value computation of its result]. 8272 SequencedSubexpression Sequenced(*this); 8273 Base::VisitCallExpr(CE); 8274 8275 // FIXME: CXXNewExpr and CXXDeleteExpr implicitly call functions. 8276 } 8277 8278 void VisitCXXConstructExpr(CXXConstructExpr *CCE) { 8279 // This is a call, so all subexpressions are sequenced before the result. 8280 SequencedSubexpression Sequenced(*this); 8281 8282 if (!CCE->isListInitialization()) 8283 return VisitExpr(CCE); 8284 8285 // In C++11, list initializations are sequenced. 8286 SmallVector<SequenceTree::Seq, 32> Elts; 8287 SequenceTree::Seq Parent = Region; 8288 for (CXXConstructExpr::arg_iterator I = CCE->arg_begin(), 8289 E = CCE->arg_end(); 8290 I != E; ++I) { 8291 Region = Tree.allocate(Parent); 8292 Elts.push_back(Region); 8293 Visit(*I); 8294 } 8295 8296 // Forget that the initializers are sequenced. 8297 Region = Parent; 8298 for (unsigned I = 0; I < Elts.size(); ++I) 8299 Tree.merge(Elts[I]); 8300 } 8301 8302 void VisitInitListExpr(InitListExpr *ILE) { 8303 if (!SemaRef.getLangOpts().CPlusPlus11) 8304 return VisitExpr(ILE); 8305 8306 // In C++11, list initializations are sequenced. 8307 SmallVector<SequenceTree::Seq, 32> Elts; 8308 SequenceTree::Seq Parent = Region; 8309 for (unsigned I = 0; I < ILE->getNumInits(); ++I) { 8310 Expr *E = ILE->getInit(I); 8311 if (!E) continue; 8312 Region = Tree.allocate(Parent); 8313 Elts.push_back(Region); 8314 Visit(E); 8315 } 8316 8317 // Forget that the initializers are sequenced. 8318 Region = Parent; 8319 for (unsigned I = 0; I < Elts.size(); ++I) 8320 Tree.merge(Elts[I]); 8321 } 8322 }; 8323 } 8324 8325 void Sema::CheckUnsequencedOperations(Expr *E) { 8326 SmallVector<Expr *, 8> WorkList; 8327 WorkList.push_back(E); 8328 while (!WorkList.empty()) { 8329 Expr *Item = WorkList.pop_back_val(); 8330 SequenceChecker(*this, Item, WorkList); 8331 } 8332 } 8333 8334 void Sema::CheckCompletedExpr(Expr *E, SourceLocation CheckLoc, 8335 bool IsConstexpr) { 8336 CheckImplicitConversions(E, CheckLoc); 8337 CheckUnsequencedOperations(E); 8338 if (!IsConstexpr && !E->isValueDependent()) 8339 CheckForIntOverflow(E); 8340 } 8341 8342 void Sema::CheckBitFieldInitialization(SourceLocation InitLoc, 8343 FieldDecl *BitField, 8344 Expr *Init) { 8345 (void) AnalyzeBitFieldAssignment(*this, BitField, Init, InitLoc); 8346 } 8347 8348 static void diagnoseArrayStarInParamType(Sema &S, QualType PType, 8349 SourceLocation Loc) { 8350 if (!PType->isVariablyModifiedType()) 8351 return; 8352 if (const auto *PointerTy = dyn_cast<PointerType>(PType)) { 8353 diagnoseArrayStarInParamType(S, PointerTy->getPointeeType(), Loc); 8354 return; 8355 } 8356 if (const auto *ReferenceTy = dyn_cast<ReferenceType>(PType)) { 8357 diagnoseArrayStarInParamType(S, ReferenceTy->getPointeeType(), Loc); 8358 return; 8359 } 8360 if (const auto *ParenTy = dyn_cast<ParenType>(PType)) { 8361 diagnoseArrayStarInParamType(S, ParenTy->getInnerType(), Loc); 8362 return; 8363 } 8364 8365 const ArrayType *AT = S.Context.getAsArrayType(PType); 8366 if (!AT) 8367 return; 8368 8369 if (AT->getSizeModifier() != ArrayType::Star) { 8370 diagnoseArrayStarInParamType(S, AT->getElementType(), Loc); 8371 return; 8372 } 8373 8374 S.Diag(Loc, diag::err_array_star_in_function_definition); 8375 } 8376 8377 /// CheckParmsForFunctionDef - Check that the parameters of the given 8378 /// function are appropriate for the definition of a function. This 8379 /// takes care of any checks that cannot be performed on the 8380 /// declaration itself, e.g., that the types of each of the function 8381 /// parameters are complete. 8382 bool Sema::CheckParmsForFunctionDef(ParmVarDecl *const *P, 8383 ParmVarDecl *const *PEnd, 8384 bool CheckParameterNames) { 8385 bool HasInvalidParm = false; 8386 for (; P != PEnd; ++P) { 8387 ParmVarDecl *Param = *P; 8388 8389 // C99 6.7.5.3p4: the parameters in a parameter type list in a 8390 // function declarator that is part of a function definition of 8391 // that function shall not have incomplete type. 8392 // 8393 // This is also C++ [dcl.fct]p6. 8394 if (!Param->isInvalidDecl() && 8395 RequireCompleteType(Param->getLocation(), Param->getType(), 8396 diag::err_typecheck_decl_incomplete_type)) { 8397 Param->setInvalidDecl(); 8398 HasInvalidParm = true; 8399 } 8400 8401 // C99 6.9.1p5: If the declarator includes a parameter type list, the 8402 // declaration of each parameter shall include an identifier. 8403 if (CheckParameterNames && 8404 Param->getIdentifier() == nullptr && 8405 !Param->isImplicit() && 8406 !getLangOpts().CPlusPlus) 8407 Diag(Param->getLocation(), diag::err_parameter_name_omitted); 8408 8409 // C99 6.7.5.3p12: 8410 // If the function declarator is not part of a definition of that 8411 // function, parameters may have incomplete type and may use the [*] 8412 // notation in their sequences of declarator specifiers to specify 8413 // variable length array types. 8414 QualType PType = Param->getOriginalType(); 8415 // FIXME: This diagnostic should point the '[*]' if source-location 8416 // information is added for it. 8417 diagnoseArrayStarInParamType(*this, PType, Param->getLocation()); 8418 8419 // MSVC destroys objects passed by value in the callee. Therefore a 8420 // function definition which takes such a parameter must be able to call the 8421 // object's destructor. However, we don't perform any direct access check 8422 // on the dtor. 8423 if (getLangOpts().CPlusPlus && Context.getTargetInfo() 8424 .getCXXABI() 8425 .areArgsDestroyedLeftToRightInCallee()) { 8426 if (!Param->isInvalidDecl()) { 8427 if (const RecordType *RT = Param->getType()->getAs<RecordType>()) { 8428 CXXRecordDecl *ClassDecl = cast<CXXRecordDecl>(RT->getDecl()); 8429 if (!ClassDecl->isInvalidDecl() && 8430 !ClassDecl->hasIrrelevantDestructor() && 8431 !ClassDecl->isDependentContext()) { 8432 CXXDestructorDecl *Destructor = LookupDestructor(ClassDecl); 8433 MarkFunctionReferenced(Param->getLocation(), Destructor); 8434 DiagnoseUseOfDecl(Destructor, Param->getLocation()); 8435 } 8436 } 8437 } 8438 } 8439 8440 // Parameters with the pass_object_size attribute only need to be marked 8441 // constant at function definitions. Because we lack information about 8442 // whether we're on a declaration or definition when we're instantiating the 8443 // attribute, we need to check for constness here. 8444 if (const auto *Attr = Param->getAttr<PassObjectSizeAttr>()) 8445 if (!Param->getType().isConstQualified()) 8446 Diag(Param->getLocation(), diag::err_attribute_pointers_only) 8447 << Attr->getSpelling() << 1; 8448 } 8449 8450 return HasInvalidParm; 8451 } 8452 8453 /// CheckCastAlign - Implements -Wcast-align, which warns when a 8454 /// pointer cast increases the alignment requirements. 8455 void Sema::CheckCastAlign(Expr *Op, QualType T, SourceRange TRange) { 8456 // This is actually a lot of work to potentially be doing on every 8457 // cast; don't do it if we're ignoring -Wcast_align (as is the default). 8458 if (getDiagnostics().isIgnored(diag::warn_cast_align, TRange.getBegin())) 8459 return; 8460 8461 // Ignore dependent types. 8462 if (T->isDependentType() || Op->getType()->isDependentType()) 8463 return; 8464 8465 // Require that the destination be a pointer type. 8466 const PointerType *DestPtr = T->getAs<PointerType>(); 8467 if (!DestPtr) return; 8468 8469 // If the destination has alignment 1, we're done. 8470 QualType DestPointee = DestPtr->getPointeeType(); 8471 if (DestPointee->isIncompleteType()) return; 8472 CharUnits DestAlign = Context.getTypeAlignInChars(DestPointee); 8473 if (DestAlign.isOne()) return; 8474 8475 // Require that the source be a pointer type. 8476 const PointerType *SrcPtr = Op->getType()->getAs<PointerType>(); 8477 if (!SrcPtr) return; 8478 QualType SrcPointee = SrcPtr->getPointeeType(); 8479 8480 // Whitelist casts from cv void*. We already implicitly 8481 // whitelisted casts to cv void*, since they have alignment 1. 8482 // Also whitelist casts involving incomplete types, which implicitly 8483 // includes 'void'. 8484 if (SrcPointee->isIncompleteType()) return; 8485 8486 CharUnits SrcAlign = Context.getTypeAlignInChars(SrcPointee); 8487 if (SrcAlign >= DestAlign) return; 8488 8489 Diag(TRange.getBegin(), diag::warn_cast_align) 8490 << Op->getType() << T 8491 << static_cast<unsigned>(SrcAlign.getQuantity()) 8492 << static_cast<unsigned>(DestAlign.getQuantity()) 8493 << TRange << Op->getSourceRange(); 8494 } 8495 8496 static const Type* getElementType(const Expr *BaseExpr) { 8497 const Type* EltType = BaseExpr->getType().getTypePtr(); 8498 if (EltType->isAnyPointerType()) 8499 return EltType->getPointeeType().getTypePtr(); 8500 else if (EltType->isArrayType()) 8501 return EltType->getBaseElementTypeUnsafe(); 8502 return EltType; 8503 } 8504 8505 /// \brief Check whether this array fits the idiom of a size-one tail padded 8506 /// array member of a struct. 8507 /// 8508 /// We avoid emitting out-of-bounds access warnings for such arrays as they are 8509 /// commonly used to emulate flexible arrays in C89 code. 8510 static bool IsTailPaddedMemberArray(Sema &S, llvm::APInt Size, 8511 const NamedDecl *ND) { 8512 if (Size != 1 || !ND) return false; 8513 8514 const FieldDecl *FD = dyn_cast<FieldDecl>(ND); 8515 if (!FD) return false; 8516 8517 // Don't consider sizes resulting from macro expansions or template argument 8518 // substitution to form C89 tail-padded arrays. 8519 8520 TypeSourceInfo *TInfo = FD->getTypeSourceInfo(); 8521 while (TInfo) { 8522 TypeLoc TL = TInfo->getTypeLoc(); 8523 // Look through typedefs. 8524 if (TypedefTypeLoc TTL = TL.getAs<TypedefTypeLoc>()) { 8525 const TypedefNameDecl *TDL = TTL.getTypedefNameDecl(); 8526 TInfo = TDL->getTypeSourceInfo(); 8527 continue; 8528 } 8529 if (ConstantArrayTypeLoc CTL = TL.getAs<ConstantArrayTypeLoc>()) { 8530 const Expr *SizeExpr = dyn_cast<IntegerLiteral>(CTL.getSizeExpr()); 8531 if (!SizeExpr || SizeExpr->getExprLoc().isMacroID()) 8532 return false; 8533 } 8534 break; 8535 } 8536 8537 const RecordDecl *RD = dyn_cast<RecordDecl>(FD->getDeclContext()); 8538 if (!RD) return false; 8539 if (RD->isUnion()) return false; 8540 if (const CXXRecordDecl *CRD = dyn_cast<CXXRecordDecl>(RD)) { 8541 if (!CRD->isStandardLayout()) return false; 8542 } 8543 8544 // See if this is the last field decl in the record. 8545 const Decl *D = FD; 8546 while ((D = D->getNextDeclInContext())) 8547 if (isa<FieldDecl>(D)) 8548 return false; 8549 return true; 8550 } 8551 8552 void Sema::CheckArrayAccess(const Expr *BaseExpr, const Expr *IndexExpr, 8553 const ArraySubscriptExpr *ASE, 8554 bool AllowOnePastEnd, bool IndexNegated) { 8555 IndexExpr = IndexExpr->IgnoreParenImpCasts(); 8556 if (IndexExpr->isValueDependent()) 8557 return; 8558 8559 const Type *EffectiveType = getElementType(BaseExpr); 8560 BaseExpr = BaseExpr->IgnoreParenCasts(); 8561 const ConstantArrayType *ArrayTy = 8562 Context.getAsConstantArrayType(BaseExpr->getType()); 8563 if (!ArrayTy) 8564 return; 8565 8566 llvm::APSInt index; 8567 if (!IndexExpr->EvaluateAsInt(index, Context, Expr::SE_AllowSideEffects)) 8568 return; 8569 if (IndexNegated) 8570 index = -index; 8571 8572 const NamedDecl *ND = nullptr; 8573 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr)) 8574 ND = dyn_cast<NamedDecl>(DRE->getDecl()); 8575 if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr)) 8576 ND = dyn_cast<NamedDecl>(ME->getMemberDecl()); 8577 8578 if (index.isUnsigned() || !index.isNegative()) { 8579 llvm::APInt size = ArrayTy->getSize(); 8580 if (!size.isStrictlyPositive()) 8581 return; 8582 8583 const Type* BaseType = getElementType(BaseExpr); 8584 if (BaseType != EffectiveType) { 8585 // Make sure we're comparing apples to apples when comparing index to size 8586 uint64_t ptrarith_typesize = Context.getTypeSize(EffectiveType); 8587 uint64_t array_typesize = Context.getTypeSize(BaseType); 8588 // Handle ptrarith_typesize being zero, such as when casting to void* 8589 if (!ptrarith_typesize) ptrarith_typesize = 1; 8590 if (ptrarith_typesize != array_typesize) { 8591 // There's a cast to a different size type involved 8592 uint64_t ratio = array_typesize / ptrarith_typesize; 8593 // TODO: Be smarter about handling cases where array_typesize is not a 8594 // multiple of ptrarith_typesize 8595 if (ptrarith_typesize * ratio == array_typesize) 8596 size *= llvm::APInt(size.getBitWidth(), ratio); 8597 } 8598 } 8599 8600 if (size.getBitWidth() > index.getBitWidth()) 8601 index = index.zext(size.getBitWidth()); 8602 else if (size.getBitWidth() < index.getBitWidth()) 8603 size = size.zext(index.getBitWidth()); 8604 8605 // For array subscripting the index must be less than size, but for pointer 8606 // arithmetic also allow the index (offset) to be equal to size since 8607 // computing the next address after the end of the array is legal and 8608 // commonly done e.g. in C++ iterators and range-based for loops. 8609 if (AllowOnePastEnd ? index.ule(size) : index.ult(size)) 8610 return; 8611 8612 // Also don't warn for arrays of size 1 which are members of some 8613 // structure. These are often used to approximate flexible arrays in C89 8614 // code. 8615 if (IsTailPaddedMemberArray(*this, size, ND)) 8616 return; 8617 8618 // Suppress the warning if the subscript expression (as identified by the 8619 // ']' location) and the index expression are both from macro expansions 8620 // within a system header. 8621 if (ASE) { 8622 SourceLocation RBracketLoc = SourceMgr.getSpellingLoc( 8623 ASE->getRBracketLoc()); 8624 if (SourceMgr.isInSystemHeader(RBracketLoc)) { 8625 SourceLocation IndexLoc = SourceMgr.getSpellingLoc( 8626 IndexExpr->getLocStart()); 8627 if (SourceMgr.isWrittenInSameFile(RBracketLoc, IndexLoc)) 8628 return; 8629 } 8630 } 8631 8632 unsigned DiagID = diag::warn_ptr_arith_exceeds_bounds; 8633 if (ASE) 8634 DiagID = diag::warn_array_index_exceeds_bounds; 8635 8636 DiagRuntimeBehavior(BaseExpr->getLocStart(), BaseExpr, 8637 PDiag(DiagID) << index.toString(10, true) 8638 << size.toString(10, true) 8639 << (unsigned)size.getLimitedValue(~0U) 8640 << IndexExpr->getSourceRange()); 8641 } else { 8642 unsigned DiagID = diag::warn_array_index_precedes_bounds; 8643 if (!ASE) { 8644 DiagID = diag::warn_ptr_arith_precedes_bounds; 8645 if (index.isNegative()) index = -index; 8646 } 8647 8648 DiagRuntimeBehavior(BaseExpr->getLocStart(), BaseExpr, 8649 PDiag(DiagID) << index.toString(10, true) 8650 << IndexExpr->getSourceRange()); 8651 } 8652 8653 if (!ND) { 8654 // Try harder to find a NamedDecl to point at in the note. 8655 while (const ArraySubscriptExpr *ASE = 8656 dyn_cast<ArraySubscriptExpr>(BaseExpr)) 8657 BaseExpr = ASE->getBase()->IgnoreParenCasts(); 8658 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr)) 8659 ND = dyn_cast<NamedDecl>(DRE->getDecl()); 8660 if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr)) 8661 ND = dyn_cast<NamedDecl>(ME->getMemberDecl()); 8662 } 8663 8664 if (ND) 8665 DiagRuntimeBehavior(ND->getLocStart(), BaseExpr, 8666 PDiag(diag::note_array_index_out_of_bounds) 8667 << ND->getDeclName()); 8668 } 8669 8670 void Sema::CheckArrayAccess(const Expr *expr) { 8671 int AllowOnePastEnd = 0; 8672 while (expr) { 8673 expr = expr->IgnoreParenImpCasts(); 8674 switch (expr->getStmtClass()) { 8675 case Stmt::ArraySubscriptExprClass: { 8676 const ArraySubscriptExpr *ASE = cast<ArraySubscriptExpr>(expr); 8677 CheckArrayAccess(ASE->getBase(), ASE->getIdx(), ASE, 8678 AllowOnePastEnd > 0); 8679 return; 8680 } 8681 case Stmt::OMPArraySectionExprClass: { 8682 const OMPArraySectionExpr *ASE = cast<OMPArraySectionExpr>(expr); 8683 if (ASE->getLowerBound()) 8684 CheckArrayAccess(ASE->getBase(), ASE->getLowerBound(), 8685 /*ASE=*/nullptr, AllowOnePastEnd > 0); 8686 return; 8687 } 8688 case Stmt::UnaryOperatorClass: { 8689 // Only unwrap the * and & unary operators 8690 const UnaryOperator *UO = cast<UnaryOperator>(expr); 8691 expr = UO->getSubExpr(); 8692 switch (UO->getOpcode()) { 8693 case UO_AddrOf: 8694 AllowOnePastEnd++; 8695 break; 8696 case UO_Deref: 8697 AllowOnePastEnd--; 8698 break; 8699 default: 8700 return; 8701 } 8702 break; 8703 } 8704 case Stmt::ConditionalOperatorClass: { 8705 const ConditionalOperator *cond = cast<ConditionalOperator>(expr); 8706 if (const Expr *lhs = cond->getLHS()) 8707 CheckArrayAccess(lhs); 8708 if (const Expr *rhs = cond->getRHS()) 8709 CheckArrayAccess(rhs); 8710 return; 8711 } 8712 default: 8713 return; 8714 } 8715 } 8716 } 8717 8718 //===--- CHECK: Objective-C retain cycles ----------------------------------// 8719 8720 namespace { 8721 struct RetainCycleOwner { 8722 RetainCycleOwner() : Variable(nullptr), Indirect(false) {} 8723 VarDecl *Variable; 8724 SourceRange Range; 8725 SourceLocation Loc; 8726 bool Indirect; 8727 8728 void setLocsFrom(Expr *e) { 8729 Loc = e->getExprLoc(); 8730 Range = e->getSourceRange(); 8731 } 8732 }; 8733 } 8734 8735 /// Consider whether capturing the given variable can possibly lead to 8736 /// a retain cycle. 8737 static bool considerVariable(VarDecl *var, Expr *ref, RetainCycleOwner &owner) { 8738 // In ARC, it's captured strongly iff the variable has __strong 8739 // lifetime. In MRR, it's captured strongly if the variable is 8740 // __block and has an appropriate type. 8741 if (var->getType().getObjCLifetime() != Qualifiers::OCL_Strong) 8742 return false; 8743 8744 owner.Variable = var; 8745 if (ref) 8746 owner.setLocsFrom(ref); 8747 return true; 8748 } 8749 8750 static bool findRetainCycleOwner(Sema &S, Expr *e, RetainCycleOwner &owner) { 8751 while (true) { 8752 e = e->IgnoreParens(); 8753 if (CastExpr *cast = dyn_cast<CastExpr>(e)) { 8754 switch (cast->getCastKind()) { 8755 case CK_BitCast: 8756 case CK_LValueBitCast: 8757 case CK_LValueToRValue: 8758 case CK_ARCReclaimReturnedObject: 8759 e = cast->getSubExpr(); 8760 continue; 8761 8762 default: 8763 return false; 8764 } 8765 } 8766 8767 if (ObjCIvarRefExpr *ref = dyn_cast<ObjCIvarRefExpr>(e)) { 8768 ObjCIvarDecl *ivar = ref->getDecl(); 8769 if (ivar->getType().getObjCLifetime() != Qualifiers::OCL_Strong) 8770 return false; 8771 8772 // Try to find a retain cycle in the base. 8773 if (!findRetainCycleOwner(S, ref->getBase(), owner)) 8774 return false; 8775 8776 if (ref->isFreeIvar()) owner.setLocsFrom(ref); 8777 owner.Indirect = true; 8778 return true; 8779 } 8780 8781 if (DeclRefExpr *ref = dyn_cast<DeclRefExpr>(e)) { 8782 VarDecl *var = dyn_cast<VarDecl>(ref->getDecl()); 8783 if (!var) return false; 8784 return considerVariable(var, ref, owner); 8785 } 8786 8787 if (MemberExpr *member = dyn_cast<MemberExpr>(e)) { 8788 if (member->isArrow()) return false; 8789 8790 // Don't count this as an indirect ownership. 8791 e = member->getBase(); 8792 continue; 8793 } 8794 8795 if (PseudoObjectExpr *pseudo = dyn_cast<PseudoObjectExpr>(e)) { 8796 // Only pay attention to pseudo-objects on property references. 8797 ObjCPropertyRefExpr *pre 8798 = dyn_cast<ObjCPropertyRefExpr>(pseudo->getSyntacticForm() 8799 ->IgnoreParens()); 8800 if (!pre) return false; 8801 if (pre->isImplicitProperty()) return false; 8802 ObjCPropertyDecl *property = pre->getExplicitProperty(); 8803 if (!property->isRetaining() && 8804 !(property->getPropertyIvarDecl() && 8805 property->getPropertyIvarDecl()->getType() 8806 .getObjCLifetime() == Qualifiers::OCL_Strong)) 8807 return false; 8808 8809 owner.Indirect = true; 8810 if (pre->isSuperReceiver()) { 8811 owner.Variable = S.getCurMethodDecl()->getSelfDecl(); 8812 if (!owner.Variable) 8813 return false; 8814 owner.Loc = pre->getLocation(); 8815 owner.Range = pre->getSourceRange(); 8816 return true; 8817 } 8818 e = const_cast<Expr*>(cast<OpaqueValueExpr>(pre->getBase()) 8819 ->getSourceExpr()); 8820 continue; 8821 } 8822 8823 // Array ivars? 8824 8825 return false; 8826 } 8827 } 8828 8829 namespace { 8830 struct FindCaptureVisitor : EvaluatedExprVisitor<FindCaptureVisitor> { 8831 FindCaptureVisitor(ASTContext &Context, VarDecl *variable) 8832 : EvaluatedExprVisitor<FindCaptureVisitor>(Context), 8833 Context(Context), Variable(variable), Capturer(nullptr), 8834 VarWillBeReased(false) {} 8835 ASTContext &Context; 8836 VarDecl *Variable; 8837 Expr *Capturer; 8838 bool VarWillBeReased; 8839 8840 void VisitDeclRefExpr(DeclRefExpr *ref) { 8841 if (ref->getDecl() == Variable && !Capturer) 8842 Capturer = ref; 8843 } 8844 8845 void VisitObjCIvarRefExpr(ObjCIvarRefExpr *ref) { 8846 if (Capturer) return; 8847 Visit(ref->getBase()); 8848 if (Capturer && ref->isFreeIvar()) 8849 Capturer = ref; 8850 } 8851 8852 void VisitBlockExpr(BlockExpr *block) { 8853 // Look inside nested blocks 8854 if (block->getBlockDecl()->capturesVariable(Variable)) 8855 Visit(block->getBlockDecl()->getBody()); 8856 } 8857 8858 void VisitOpaqueValueExpr(OpaqueValueExpr *OVE) { 8859 if (Capturer) return; 8860 if (OVE->getSourceExpr()) 8861 Visit(OVE->getSourceExpr()); 8862 } 8863 void VisitBinaryOperator(BinaryOperator *BinOp) { 8864 if (!Variable || VarWillBeReased || BinOp->getOpcode() != BO_Assign) 8865 return; 8866 Expr *LHS = BinOp->getLHS(); 8867 if (const DeclRefExpr *DRE = dyn_cast_or_null<DeclRefExpr>(LHS)) { 8868 if (DRE->getDecl() != Variable) 8869 return; 8870 if (Expr *RHS = BinOp->getRHS()) { 8871 RHS = RHS->IgnoreParenCasts(); 8872 llvm::APSInt Value; 8873 VarWillBeReased = 8874 (RHS && RHS->isIntegerConstantExpr(Value, Context) && Value == 0); 8875 } 8876 } 8877 } 8878 }; 8879 } 8880 8881 /// Check whether the given argument is a block which captures a 8882 /// variable. 8883 static Expr *findCapturingExpr(Sema &S, Expr *e, RetainCycleOwner &owner) { 8884 assert(owner.Variable && owner.Loc.isValid()); 8885 8886 e = e->IgnoreParenCasts(); 8887 8888 // Look through [^{...} copy] and Block_copy(^{...}). 8889 if (ObjCMessageExpr *ME = dyn_cast<ObjCMessageExpr>(e)) { 8890 Selector Cmd = ME->getSelector(); 8891 if (Cmd.isUnarySelector() && Cmd.getNameForSlot(0) == "copy") { 8892 e = ME->getInstanceReceiver(); 8893 if (!e) 8894 return nullptr; 8895 e = e->IgnoreParenCasts(); 8896 } 8897 } else if (CallExpr *CE = dyn_cast<CallExpr>(e)) { 8898 if (CE->getNumArgs() == 1) { 8899 FunctionDecl *Fn = dyn_cast_or_null<FunctionDecl>(CE->getCalleeDecl()); 8900 if (Fn) { 8901 const IdentifierInfo *FnI = Fn->getIdentifier(); 8902 if (FnI && FnI->isStr("_Block_copy")) { 8903 e = CE->getArg(0)->IgnoreParenCasts(); 8904 } 8905 } 8906 } 8907 } 8908 8909 BlockExpr *block = dyn_cast<BlockExpr>(e); 8910 if (!block || !block->getBlockDecl()->capturesVariable(owner.Variable)) 8911 return nullptr; 8912 8913 FindCaptureVisitor visitor(S.Context, owner.Variable); 8914 visitor.Visit(block->getBlockDecl()->getBody()); 8915 return visitor.VarWillBeReased ? nullptr : visitor.Capturer; 8916 } 8917 8918 static void diagnoseRetainCycle(Sema &S, Expr *capturer, 8919 RetainCycleOwner &owner) { 8920 assert(capturer); 8921 assert(owner.Variable && owner.Loc.isValid()); 8922 8923 S.Diag(capturer->getExprLoc(), diag::warn_arc_retain_cycle) 8924 << owner.Variable << capturer->getSourceRange(); 8925 S.Diag(owner.Loc, diag::note_arc_retain_cycle_owner) 8926 << owner.Indirect << owner.Range; 8927 } 8928 8929 /// Check for a keyword selector that starts with the word 'add' or 8930 /// 'set'. 8931 static bool isSetterLikeSelector(Selector sel) { 8932 if (sel.isUnarySelector()) return false; 8933 8934 StringRef str = sel.getNameForSlot(0); 8935 while (!str.empty() && str.front() == '_') str = str.substr(1); 8936 if (str.startswith("set")) 8937 str = str.substr(3); 8938 else if (str.startswith("add")) { 8939 // Specially whitelist 'addOperationWithBlock:'. 8940 if (sel.getNumArgs() == 1 && str.startswith("addOperationWithBlock")) 8941 return false; 8942 str = str.substr(3); 8943 } 8944 else 8945 return false; 8946 8947 if (str.empty()) return true; 8948 return !isLowercase(str.front()); 8949 } 8950 8951 static Optional<int> GetNSMutableArrayArgumentIndex(Sema &S, 8952 ObjCMessageExpr *Message) { 8953 bool IsMutableArray = S.NSAPIObj->isSubclassOfNSClass( 8954 Message->getReceiverInterface(), 8955 NSAPI::ClassId_NSMutableArray); 8956 if (!IsMutableArray) { 8957 return None; 8958 } 8959 8960 Selector Sel = Message->getSelector(); 8961 8962 Optional<NSAPI::NSArrayMethodKind> MKOpt = 8963 S.NSAPIObj->getNSArrayMethodKind(Sel); 8964 if (!MKOpt) { 8965 return None; 8966 } 8967 8968 NSAPI::NSArrayMethodKind MK = *MKOpt; 8969 8970 switch (MK) { 8971 case NSAPI::NSMutableArr_addObject: 8972 case NSAPI::NSMutableArr_insertObjectAtIndex: 8973 case NSAPI::NSMutableArr_setObjectAtIndexedSubscript: 8974 return 0; 8975 case NSAPI::NSMutableArr_replaceObjectAtIndex: 8976 return 1; 8977 8978 default: 8979 return None; 8980 } 8981 8982 return None; 8983 } 8984 8985 static 8986 Optional<int> GetNSMutableDictionaryArgumentIndex(Sema &S, 8987 ObjCMessageExpr *Message) { 8988 bool IsMutableDictionary = S.NSAPIObj->isSubclassOfNSClass( 8989 Message->getReceiverInterface(), 8990 NSAPI::ClassId_NSMutableDictionary); 8991 if (!IsMutableDictionary) { 8992 return None; 8993 } 8994 8995 Selector Sel = Message->getSelector(); 8996 8997 Optional<NSAPI::NSDictionaryMethodKind> MKOpt = 8998 S.NSAPIObj->getNSDictionaryMethodKind(Sel); 8999 if (!MKOpt) { 9000 return None; 9001 } 9002 9003 NSAPI::NSDictionaryMethodKind MK = *MKOpt; 9004 9005 switch (MK) { 9006 case NSAPI::NSMutableDict_setObjectForKey: 9007 case NSAPI::NSMutableDict_setValueForKey: 9008 case NSAPI::NSMutableDict_setObjectForKeyedSubscript: 9009 return 0; 9010 9011 default: 9012 return None; 9013 } 9014 9015 return None; 9016 } 9017 9018 static Optional<int> GetNSSetArgumentIndex(Sema &S, ObjCMessageExpr *Message) { 9019 bool IsMutableSet = S.NSAPIObj->isSubclassOfNSClass( 9020 Message->getReceiverInterface(), 9021 NSAPI::ClassId_NSMutableSet); 9022 9023 bool IsMutableOrderedSet = S.NSAPIObj->isSubclassOfNSClass( 9024 Message->getReceiverInterface(), 9025 NSAPI::ClassId_NSMutableOrderedSet); 9026 if (!IsMutableSet && !IsMutableOrderedSet) { 9027 return None; 9028 } 9029 9030 Selector Sel = Message->getSelector(); 9031 9032 Optional<NSAPI::NSSetMethodKind> MKOpt = S.NSAPIObj->getNSSetMethodKind(Sel); 9033 if (!MKOpt) { 9034 return None; 9035 } 9036 9037 NSAPI::NSSetMethodKind MK = *MKOpt; 9038 9039 switch (MK) { 9040 case NSAPI::NSMutableSet_addObject: 9041 case NSAPI::NSOrderedSet_setObjectAtIndex: 9042 case NSAPI::NSOrderedSet_setObjectAtIndexedSubscript: 9043 case NSAPI::NSOrderedSet_insertObjectAtIndex: 9044 return 0; 9045 case NSAPI::NSOrderedSet_replaceObjectAtIndexWithObject: 9046 return 1; 9047 } 9048 9049 return None; 9050 } 9051 9052 void Sema::CheckObjCCircularContainer(ObjCMessageExpr *Message) { 9053 if (!Message->isInstanceMessage()) { 9054 return; 9055 } 9056 9057 Optional<int> ArgOpt; 9058 9059 if (!(ArgOpt = GetNSMutableArrayArgumentIndex(*this, Message)) && 9060 !(ArgOpt = GetNSMutableDictionaryArgumentIndex(*this, Message)) && 9061 !(ArgOpt = GetNSSetArgumentIndex(*this, Message))) { 9062 return; 9063 } 9064 9065 int ArgIndex = *ArgOpt; 9066 9067 Expr *Arg = Message->getArg(ArgIndex)->IgnoreImpCasts(); 9068 if (OpaqueValueExpr *OE = dyn_cast<OpaqueValueExpr>(Arg)) { 9069 Arg = OE->getSourceExpr()->IgnoreImpCasts(); 9070 } 9071 9072 if (Message->getReceiverKind() == ObjCMessageExpr::SuperInstance) { 9073 if (DeclRefExpr *ArgRE = dyn_cast<DeclRefExpr>(Arg)) { 9074 if (ArgRE->isObjCSelfExpr()) { 9075 Diag(Message->getSourceRange().getBegin(), 9076 diag::warn_objc_circular_container) 9077 << ArgRE->getDecl()->getName() << StringRef("super"); 9078 } 9079 } 9080 } else { 9081 Expr *Receiver = Message->getInstanceReceiver()->IgnoreImpCasts(); 9082 9083 if (OpaqueValueExpr *OE = dyn_cast<OpaqueValueExpr>(Receiver)) { 9084 Receiver = OE->getSourceExpr()->IgnoreImpCasts(); 9085 } 9086 9087 if (DeclRefExpr *ReceiverRE = dyn_cast<DeclRefExpr>(Receiver)) { 9088 if (DeclRefExpr *ArgRE = dyn_cast<DeclRefExpr>(Arg)) { 9089 if (ReceiverRE->getDecl() == ArgRE->getDecl()) { 9090 ValueDecl *Decl = ReceiverRE->getDecl(); 9091 Diag(Message->getSourceRange().getBegin(), 9092 diag::warn_objc_circular_container) 9093 << Decl->getName() << Decl->getName(); 9094 if (!ArgRE->isObjCSelfExpr()) { 9095 Diag(Decl->getLocation(), 9096 diag::note_objc_circular_container_declared_here) 9097 << Decl->getName(); 9098 } 9099 } 9100 } 9101 } else if (ObjCIvarRefExpr *IvarRE = dyn_cast<ObjCIvarRefExpr>(Receiver)) { 9102 if (ObjCIvarRefExpr *IvarArgRE = dyn_cast<ObjCIvarRefExpr>(Arg)) { 9103 if (IvarRE->getDecl() == IvarArgRE->getDecl()) { 9104 ObjCIvarDecl *Decl = IvarRE->getDecl(); 9105 Diag(Message->getSourceRange().getBegin(), 9106 diag::warn_objc_circular_container) 9107 << Decl->getName() << Decl->getName(); 9108 Diag(Decl->getLocation(), 9109 diag::note_objc_circular_container_declared_here) 9110 << Decl->getName(); 9111 } 9112 } 9113 } 9114 } 9115 9116 } 9117 9118 /// Check a message send to see if it's likely to cause a retain cycle. 9119 void Sema::checkRetainCycles(ObjCMessageExpr *msg) { 9120 // Only check instance methods whose selector looks like a setter. 9121 if (!msg->isInstanceMessage() || !isSetterLikeSelector(msg->getSelector())) 9122 return; 9123 9124 // Try to find a variable that the receiver is strongly owned by. 9125 RetainCycleOwner owner; 9126 if (msg->getReceiverKind() == ObjCMessageExpr::Instance) { 9127 if (!findRetainCycleOwner(*this, msg->getInstanceReceiver(), owner)) 9128 return; 9129 } else { 9130 assert(msg->getReceiverKind() == ObjCMessageExpr::SuperInstance); 9131 owner.Variable = getCurMethodDecl()->getSelfDecl(); 9132 owner.Loc = msg->getSuperLoc(); 9133 owner.Range = msg->getSuperLoc(); 9134 } 9135 9136 // Check whether the receiver is captured by any of the arguments. 9137 for (unsigned i = 0, e = msg->getNumArgs(); i != e; ++i) 9138 if (Expr *capturer = findCapturingExpr(*this, msg->getArg(i), owner)) 9139 return diagnoseRetainCycle(*this, capturer, owner); 9140 } 9141 9142 /// Check a property assign to see if it's likely to cause a retain cycle. 9143 void Sema::checkRetainCycles(Expr *receiver, Expr *argument) { 9144 RetainCycleOwner owner; 9145 if (!findRetainCycleOwner(*this, receiver, owner)) 9146 return; 9147 9148 if (Expr *capturer = findCapturingExpr(*this, argument, owner)) 9149 diagnoseRetainCycle(*this, capturer, owner); 9150 } 9151 9152 void Sema::checkRetainCycles(VarDecl *Var, Expr *Init) { 9153 RetainCycleOwner Owner; 9154 if (!considerVariable(Var, /*DeclRefExpr=*/nullptr, Owner)) 9155 return; 9156 9157 // Because we don't have an expression for the variable, we have to set the 9158 // location explicitly here. 9159 Owner.Loc = Var->getLocation(); 9160 Owner.Range = Var->getSourceRange(); 9161 9162 if (Expr *Capturer = findCapturingExpr(*this, Init, Owner)) 9163 diagnoseRetainCycle(*this, Capturer, Owner); 9164 } 9165 9166 static bool checkUnsafeAssignLiteral(Sema &S, SourceLocation Loc, 9167 Expr *RHS, bool isProperty) { 9168 // Check if RHS is an Objective-C object literal, which also can get 9169 // immediately zapped in a weak reference. Note that we explicitly 9170 // allow ObjCStringLiterals, since those are designed to never really die. 9171 RHS = RHS->IgnoreParenImpCasts(); 9172 9173 // This enum needs to match with the 'select' in 9174 // warn_objc_arc_literal_assign (off-by-1). 9175 Sema::ObjCLiteralKind Kind = S.CheckLiteralKind(RHS); 9176 if (Kind == Sema::LK_String || Kind == Sema::LK_None) 9177 return false; 9178 9179 S.Diag(Loc, diag::warn_arc_literal_assign) 9180 << (unsigned) Kind 9181 << (isProperty ? 0 : 1) 9182 << RHS->getSourceRange(); 9183 9184 return true; 9185 } 9186 9187 static bool checkUnsafeAssignObject(Sema &S, SourceLocation Loc, 9188 Qualifiers::ObjCLifetime LT, 9189 Expr *RHS, bool isProperty) { 9190 // Strip off any implicit cast added to get to the one ARC-specific. 9191 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) { 9192 if (cast->getCastKind() == CK_ARCConsumeObject) { 9193 S.Diag(Loc, diag::warn_arc_retained_assign) 9194 << (LT == Qualifiers::OCL_ExplicitNone) 9195 << (isProperty ? 0 : 1) 9196 << RHS->getSourceRange(); 9197 return true; 9198 } 9199 RHS = cast->getSubExpr(); 9200 } 9201 9202 if (LT == Qualifiers::OCL_Weak && 9203 checkUnsafeAssignLiteral(S, Loc, RHS, isProperty)) 9204 return true; 9205 9206 return false; 9207 } 9208 9209 bool Sema::checkUnsafeAssigns(SourceLocation Loc, 9210 QualType LHS, Expr *RHS) { 9211 Qualifiers::ObjCLifetime LT = LHS.getObjCLifetime(); 9212 9213 if (LT != Qualifiers::OCL_Weak && LT != Qualifiers::OCL_ExplicitNone) 9214 return false; 9215 9216 if (checkUnsafeAssignObject(*this, Loc, LT, RHS, false)) 9217 return true; 9218 9219 return false; 9220 } 9221 9222 void Sema::checkUnsafeExprAssigns(SourceLocation Loc, 9223 Expr *LHS, Expr *RHS) { 9224 QualType LHSType; 9225 // PropertyRef on LHS type need be directly obtained from 9226 // its declaration as it has a PseudoType. 9227 ObjCPropertyRefExpr *PRE 9228 = dyn_cast<ObjCPropertyRefExpr>(LHS->IgnoreParens()); 9229 if (PRE && !PRE->isImplicitProperty()) { 9230 const ObjCPropertyDecl *PD = PRE->getExplicitProperty(); 9231 if (PD) 9232 LHSType = PD->getType(); 9233 } 9234 9235 if (LHSType.isNull()) 9236 LHSType = LHS->getType(); 9237 9238 Qualifiers::ObjCLifetime LT = LHSType.getObjCLifetime(); 9239 9240 if (LT == Qualifiers::OCL_Weak) { 9241 if (!Diags.isIgnored(diag::warn_arc_repeated_use_of_weak, Loc)) 9242 getCurFunction()->markSafeWeakUse(LHS); 9243 } 9244 9245 if (checkUnsafeAssigns(Loc, LHSType, RHS)) 9246 return; 9247 9248 // FIXME. Check for other life times. 9249 if (LT != Qualifiers::OCL_None) 9250 return; 9251 9252 if (PRE) { 9253 if (PRE->isImplicitProperty()) 9254 return; 9255 const ObjCPropertyDecl *PD = PRE->getExplicitProperty(); 9256 if (!PD) 9257 return; 9258 9259 unsigned Attributes = PD->getPropertyAttributes(); 9260 if (Attributes & ObjCPropertyDecl::OBJC_PR_assign) { 9261 // when 'assign' attribute was not explicitly specified 9262 // by user, ignore it and rely on property type itself 9263 // for lifetime info. 9264 unsigned AsWrittenAttr = PD->getPropertyAttributesAsWritten(); 9265 if (!(AsWrittenAttr & ObjCPropertyDecl::OBJC_PR_assign) && 9266 LHSType->isObjCRetainableType()) 9267 return; 9268 9269 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) { 9270 if (cast->getCastKind() == CK_ARCConsumeObject) { 9271 Diag(Loc, diag::warn_arc_retained_property_assign) 9272 << RHS->getSourceRange(); 9273 return; 9274 } 9275 RHS = cast->getSubExpr(); 9276 } 9277 } 9278 else if (Attributes & ObjCPropertyDecl::OBJC_PR_weak) { 9279 if (checkUnsafeAssignObject(*this, Loc, Qualifiers::OCL_Weak, RHS, true)) 9280 return; 9281 } 9282 } 9283 } 9284 9285 //===--- CHECK: Empty statement body (-Wempty-body) ---------------------===// 9286 9287 namespace { 9288 bool ShouldDiagnoseEmptyStmtBody(const SourceManager &SourceMgr, 9289 SourceLocation StmtLoc, 9290 const NullStmt *Body) { 9291 // Do not warn if the body is a macro that expands to nothing, e.g: 9292 // 9293 // #define CALL(x) 9294 // if (condition) 9295 // CALL(0); 9296 // 9297 if (Body->hasLeadingEmptyMacro()) 9298 return false; 9299 9300 // Get line numbers of statement and body. 9301 bool StmtLineInvalid; 9302 unsigned StmtLine = SourceMgr.getPresumedLineNumber(StmtLoc, 9303 &StmtLineInvalid); 9304 if (StmtLineInvalid) 9305 return false; 9306 9307 bool BodyLineInvalid; 9308 unsigned BodyLine = SourceMgr.getSpellingLineNumber(Body->getSemiLoc(), 9309 &BodyLineInvalid); 9310 if (BodyLineInvalid) 9311 return false; 9312 9313 // Warn if null statement and body are on the same line. 9314 if (StmtLine != BodyLine) 9315 return false; 9316 9317 return true; 9318 } 9319 } // Unnamed namespace 9320 9321 void Sema::DiagnoseEmptyStmtBody(SourceLocation StmtLoc, 9322 const Stmt *Body, 9323 unsigned DiagID) { 9324 // Since this is a syntactic check, don't emit diagnostic for template 9325 // instantiations, this just adds noise. 9326 if (CurrentInstantiationScope) 9327 return; 9328 9329 // The body should be a null statement. 9330 const NullStmt *NBody = dyn_cast<NullStmt>(Body); 9331 if (!NBody) 9332 return; 9333 9334 // Do the usual checks. 9335 if (!ShouldDiagnoseEmptyStmtBody(SourceMgr, StmtLoc, NBody)) 9336 return; 9337 9338 Diag(NBody->getSemiLoc(), DiagID); 9339 Diag(NBody->getSemiLoc(), diag::note_empty_body_on_separate_line); 9340 } 9341 9342 void Sema::DiagnoseEmptyLoopBody(const Stmt *S, 9343 const Stmt *PossibleBody) { 9344 assert(!CurrentInstantiationScope); // Ensured by caller 9345 9346 SourceLocation StmtLoc; 9347 const Stmt *Body; 9348 unsigned DiagID; 9349 if (const ForStmt *FS = dyn_cast<ForStmt>(S)) { 9350 StmtLoc = FS->getRParenLoc(); 9351 Body = FS->getBody(); 9352 DiagID = diag::warn_empty_for_body; 9353 } else if (const WhileStmt *WS = dyn_cast<WhileStmt>(S)) { 9354 StmtLoc = WS->getCond()->getSourceRange().getEnd(); 9355 Body = WS->getBody(); 9356 DiagID = diag::warn_empty_while_body; 9357 } else 9358 return; // Neither `for' nor `while'. 9359 9360 // The body should be a null statement. 9361 const NullStmt *NBody = dyn_cast<NullStmt>(Body); 9362 if (!NBody) 9363 return; 9364 9365 // Skip expensive checks if diagnostic is disabled. 9366 if (Diags.isIgnored(DiagID, NBody->getSemiLoc())) 9367 return; 9368 9369 // Do the usual checks. 9370 if (!ShouldDiagnoseEmptyStmtBody(SourceMgr, StmtLoc, NBody)) 9371 return; 9372 9373 // `for(...);' and `while(...);' are popular idioms, so in order to keep 9374 // noise level low, emit diagnostics only if for/while is followed by a 9375 // CompoundStmt, e.g.: 9376 // for (int i = 0; i < n; i++); 9377 // { 9378 // a(i); 9379 // } 9380 // or if for/while is followed by a statement with more indentation 9381 // than for/while itself: 9382 // for (int i = 0; i < n; i++); 9383 // a(i); 9384 bool ProbableTypo = isa<CompoundStmt>(PossibleBody); 9385 if (!ProbableTypo) { 9386 bool BodyColInvalid; 9387 unsigned BodyCol = SourceMgr.getPresumedColumnNumber( 9388 PossibleBody->getLocStart(), 9389 &BodyColInvalid); 9390 if (BodyColInvalid) 9391 return; 9392 9393 bool StmtColInvalid; 9394 unsigned StmtCol = SourceMgr.getPresumedColumnNumber( 9395 S->getLocStart(), 9396 &StmtColInvalid); 9397 if (StmtColInvalid) 9398 return; 9399 9400 if (BodyCol > StmtCol) 9401 ProbableTypo = true; 9402 } 9403 9404 if (ProbableTypo) { 9405 Diag(NBody->getSemiLoc(), DiagID); 9406 Diag(NBody->getSemiLoc(), diag::note_empty_body_on_separate_line); 9407 } 9408 } 9409 9410 //===--- CHECK: Warn on self move with std::move. -------------------------===// 9411 9412 /// DiagnoseSelfMove - Emits a warning if a value is moved to itself. 9413 void Sema::DiagnoseSelfMove(const Expr *LHSExpr, const Expr *RHSExpr, 9414 SourceLocation OpLoc) { 9415 9416 if (Diags.isIgnored(diag::warn_sizeof_pointer_expr_memaccess, OpLoc)) 9417 return; 9418 9419 if (!ActiveTemplateInstantiations.empty()) 9420 return; 9421 9422 // Strip parens and casts away. 9423 LHSExpr = LHSExpr->IgnoreParenImpCasts(); 9424 RHSExpr = RHSExpr->IgnoreParenImpCasts(); 9425 9426 // Check for a call expression 9427 const CallExpr *CE = dyn_cast<CallExpr>(RHSExpr); 9428 if (!CE || CE->getNumArgs() != 1) 9429 return; 9430 9431 // Check for a call to std::move 9432 const FunctionDecl *FD = CE->getDirectCallee(); 9433 if (!FD || !FD->isInStdNamespace() || !FD->getIdentifier() || 9434 !FD->getIdentifier()->isStr("move")) 9435 return; 9436 9437 // Get argument from std::move 9438 RHSExpr = CE->getArg(0); 9439 9440 const DeclRefExpr *LHSDeclRef = dyn_cast<DeclRefExpr>(LHSExpr); 9441 const DeclRefExpr *RHSDeclRef = dyn_cast<DeclRefExpr>(RHSExpr); 9442 9443 // Two DeclRefExpr's, check that the decls are the same. 9444 if (LHSDeclRef && RHSDeclRef) { 9445 if (!LHSDeclRef->getDecl() || !RHSDeclRef->getDecl()) 9446 return; 9447 if (LHSDeclRef->getDecl()->getCanonicalDecl() != 9448 RHSDeclRef->getDecl()->getCanonicalDecl()) 9449 return; 9450 9451 Diag(OpLoc, diag::warn_self_move) << LHSExpr->getType() 9452 << LHSExpr->getSourceRange() 9453 << RHSExpr->getSourceRange(); 9454 return; 9455 } 9456 9457 // Member variables require a different approach to check for self moves. 9458 // MemberExpr's are the same if every nested MemberExpr refers to the same 9459 // Decl and that the base Expr's are DeclRefExpr's with the same Decl or 9460 // the base Expr's are CXXThisExpr's. 9461 const Expr *LHSBase = LHSExpr; 9462 const Expr *RHSBase = RHSExpr; 9463 const MemberExpr *LHSME = dyn_cast<MemberExpr>(LHSExpr); 9464 const MemberExpr *RHSME = dyn_cast<MemberExpr>(RHSExpr); 9465 if (!LHSME || !RHSME) 9466 return; 9467 9468 while (LHSME && RHSME) { 9469 if (LHSME->getMemberDecl()->getCanonicalDecl() != 9470 RHSME->getMemberDecl()->getCanonicalDecl()) 9471 return; 9472 9473 LHSBase = LHSME->getBase(); 9474 RHSBase = RHSME->getBase(); 9475 LHSME = dyn_cast<MemberExpr>(LHSBase); 9476 RHSME = dyn_cast<MemberExpr>(RHSBase); 9477 } 9478 9479 LHSDeclRef = dyn_cast<DeclRefExpr>(LHSBase); 9480 RHSDeclRef = dyn_cast<DeclRefExpr>(RHSBase); 9481 if (LHSDeclRef && RHSDeclRef) { 9482 if (!LHSDeclRef->getDecl() || !RHSDeclRef->getDecl()) 9483 return; 9484 if (LHSDeclRef->getDecl()->getCanonicalDecl() != 9485 RHSDeclRef->getDecl()->getCanonicalDecl()) 9486 return; 9487 9488 Diag(OpLoc, diag::warn_self_move) << LHSExpr->getType() 9489 << LHSExpr->getSourceRange() 9490 << RHSExpr->getSourceRange(); 9491 return; 9492 } 9493 9494 if (isa<CXXThisExpr>(LHSBase) && isa<CXXThisExpr>(RHSBase)) 9495 Diag(OpLoc, diag::warn_self_move) << LHSExpr->getType() 9496 << LHSExpr->getSourceRange() 9497 << RHSExpr->getSourceRange(); 9498 } 9499 9500 //===--- Layout compatibility ----------------------------------------------// 9501 9502 namespace { 9503 9504 bool isLayoutCompatible(ASTContext &C, QualType T1, QualType T2); 9505 9506 /// \brief Check if two enumeration types are layout-compatible. 9507 bool isLayoutCompatible(ASTContext &C, EnumDecl *ED1, EnumDecl *ED2) { 9508 // C++11 [dcl.enum] p8: 9509 // Two enumeration types are layout-compatible if they have the same 9510 // underlying type. 9511 return ED1->isComplete() && ED2->isComplete() && 9512 C.hasSameType(ED1->getIntegerType(), ED2->getIntegerType()); 9513 } 9514 9515 /// \brief Check if two fields are layout-compatible. 9516 bool isLayoutCompatible(ASTContext &C, FieldDecl *Field1, FieldDecl *Field2) { 9517 if (!isLayoutCompatible(C, Field1->getType(), Field2->getType())) 9518 return false; 9519 9520 if (Field1->isBitField() != Field2->isBitField()) 9521 return false; 9522 9523 if (Field1->isBitField()) { 9524 // Make sure that the bit-fields are the same length. 9525 unsigned Bits1 = Field1->getBitWidthValue(C); 9526 unsigned Bits2 = Field2->getBitWidthValue(C); 9527 9528 if (Bits1 != Bits2) 9529 return false; 9530 } 9531 9532 return true; 9533 } 9534 9535 /// \brief Check if two standard-layout structs are layout-compatible. 9536 /// (C++11 [class.mem] p17) 9537 bool isLayoutCompatibleStruct(ASTContext &C, 9538 RecordDecl *RD1, 9539 RecordDecl *RD2) { 9540 // If both records are C++ classes, check that base classes match. 9541 if (const CXXRecordDecl *D1CXX = dyn_cast<CXXRecordDecl>(RD1)) { 9542 // If one of records is a CXXRecordDecl we are in C++ mode, 9543 // thus the other one is a CXXRecordDecl, too. 9544 const CXXRecordDecl *D2CXX = cast<CXXRecordDecl>(RD2); 9545 // Check number of base classes. 9546 if (D1CXX->getNumBases() != D2CXX->getNumBases()) 9547 return false; 9548 9549 // Check the base classes. 9550 for (CXXRecordDecl::base_class_const_iterator 9551 Base1 = D1CXX->bases_begin(), 9552 BaseEnd1 = D1CXX->bases_end(), 9553 Base2 = D2CXX->bases_begin(); 9554 Base1 != BaseEnd1; 9555 ++Base1, ++Base2) { 9556 if (!isLayoutCompatible(C, Base1->getType(), Base2->getType())) 9557 return false; 9558 } 9559 } else if (const CXXRecordDecl *D2CXX = dyn_cast<CXXRecordDecl>(RD2)) { 9560 // If only RD2 is a C++ class, it should have zero base classes. 9561 if (D2CXX->getNumBases() > 0) 9562 return false; 9563 } 9564 9565 // Check the fields. 9566 RecordDecl::field_iterator Field2 = RD2->field_begin(), 9567 Field2End = RD2->field_end(), 9568 Field1 = RD1->field_begin(), 9569 Field1End = RD1->field_end(); 9570 for ( ; Field1 != Field1End && Field2 != Field2End; ++Field1, ++Field2) { 9571 if (!isLayoutCompatible(C, *Field1, *Field2)) 9572 return false; 9573 } 9574 if (Field1 != Field1End || Field2 != Field2End) 9575 return false; 9576 9577 return true; 9578 } 9579 9580 /// \brief Check if two standard-layout unions are layout-compatible. 9581 /// (C++11 [class.mem] p18) 9582 bool isLayoutCompatibleUnion(ASTContext &C, 9583 RecordDecl *RD1, 9584 RecordDecl *RD2) { 9585 llvm::SmallPtrSet<FieldDecl *, 8> UnmatchedFields; 9586 for (auto *Field2 : RD2->fields()) 9587 UnmatchedFields.insert(Field2); 9588 9589 for (auto *Field1 : RD1->fields()) { 9590 llvm::SmallPtrSet<FieldDecl *, 8>::iterator 9591 I = UnmatchedFields.begin(), 9592 E = UnmatchedFields.end(); 9593 9594 for ( ; I != E; ++I) { 9595 if (isLayoutCompatible(C, Field1, *I)) { 9596 bool Result = UnmatchedFields.erase(*I); 9597 (void) Result; 9598 assert(Result); 9599 break; 9600 } 9601 } 9602 if (I == E) 9603 return false; 9604 } 9605 9606 return UnmatchedFields.empty(); 9607 } 9608 9609 bool isLayoutCompatible(ASTContext &C, RecordDecl *RD1, RecordDecl *RD2) { 9610 if (RD1->isUnion() != RD2->isUnion()) 9611 return false; 9612 9613 if (RD1->isUnion()) 9614 return isLayoutCompatibleUnion(C, RD1, RD2); 9615 else 9616 return isLayoutCompatibleStruct(C, RD1, RD2); 9617 } 9618 9619 /// \brief Check if two types are layout-compatible in C++11 sense. 9620 bool isLayoutCompatible(ASTContext &C, QualType T1, QualType T2) { 9621 if (T1.isNull() || T2.isNull()) 9622 return false; 9623 9624 // C++11 [basic.types] p11: 9625 // If two types T1 and T2 are the same type, then T1 and T2 are 9626 // layout-compatible types. 9627 if (C.hasSameType(T1, T2)) 9628 return true; 9629 9630 T1 = T1.getCanonicalType().getUnqualifiedType(); 9631 T2 = T2.getCanonicalType().getUnqualifiedType(); 9632 9633 const Type::TypeClass TC1 = T1->getTypeClass(); 9634 const Type::TypeClass TC2 = T2->getTypeClass(); 9635 9636 if (TC1 != TC2) 9637 return false; 9638 9639 if (TC1 == Type::Enum) { 9640 return isLayoutCompatible(C, 9641 cast<EnumType>(T1)->getDecl(), 9642 cast<EnumType>(T2)->getDecl()); 9643 } else if (TC1 == Type::Record) { 9644 if (!T1->isStandardLayoutType() || !T2->isStandardLayoutType()) 9645 return false; 9646 9647 return isLayoutCompatible(C, 9648 cast<RecordType>(T1)->getDecl(), 9649 cast<RecordType>(T2)->getDecl()); 9650 } 9651 9652 return false; 9653 } 9654 } 9655 9656 //===--- CHECK: pointer_with_type_tag attribute: datatypes should match ----// 9657 9658 namespace { 9659 /// \brief Given a type tag expression find the type tag itself. 9660 /// 9661 /// \param TypeExpr Type tag expression, as it appears in user's code. 9662 /// 9663 /// \param VD Declaration of an identifier that appears in a type tag. 9664 /// 9665 /// \param MagicValue Type tag magic value. 9666 bool FindTypeTagExpr(const Expr *TypeExpr, const ASTContext &Ctx, 9667 const ValueDecl **VD, uint64_t *MagicValue) { 9668 while(true) { 9669 if (!TypeExpr) 9670 return false; 9671 9672 TypeExpr = TypeExpr->IgnoreParenImpCasts()->IgnoreParenCasts(); 9673 9674 switch (TypeExpr->getStmtClass()) { 9675 case Stmt::UnaryOperatorClass: { 9676 const UnaryOperator *UO = cast<UnaryOperator>(TypeExpr); 9677 if (UO->getOpcode() == UO_AddrOf || UO->getOpcode() == UO_Deref) { 9678 TypeExpr = UO->getSubExpr(); 9679 continue; 9680 } 9681 return false; 9682 } 9683 9684 case Stmt::DeclRefExprClass: { 9685 const DeclRefExpr *DRE = cast<DeclRefExpr>(TypeExpr); 9686 *VD = DRE->getDecl(); 9687 return true; 9688 } 9689 9690 case Stmt::IntegerLiteralClass: { 9691 const IntegerLiteral *IL = cast<IntegerLiteral>(TypeExpr); 9692 llvm::APInt MagicValueAPInt = IL->getValue(); 9693 if (MagicValueAPInt.getActiveBits() <= 64) { 9694 *MagicValue = MagicValueAPInt.getZExtValue(); 9695 return true; 9696 } else 9697 return false; 9698 } 9699 9700 case Stmt::BinaryConditionalOperatorClass: 9701 case Stmt::ConditionalOperatorClass: { 9702 const AbstractConditionalOperator *ACO = 9703 cast<AbstractConditionalOperator>(TypeExpr); 9704 bool Result; 9705 if (ACO->getCond()->EvaluateAsBooleanCondition(Result, Ctx)) { 9706 if (Result) 9707 TypeExpr = ACO->getTrueExpr(); 9708 else 9709 TypeExpr = ACO->getFalseExpr(); 9710 continue; 9711 } 9712 return false; 9713 } 9714 9715 case Stmt::BinaryOperatorClass: { 9716 const BinaryOperator *BO = cast<BinaryOperator>(TypeExpr); 9717 if (BO->getOpcode() == BO_Comma) { 9718 TypeExpr = BO->getRHS(); 9719 continue; 9720 } 9721 return false; 9722 } 9723 9724 default: 9725 return false; 9726 } 9727 } 9728 } 9729 9730 /// \brief Retrieve the C type corresponding to type tag TypeExpr. 9731 /// 9732 /// \param TypeExpr Expression that specifies a type tag. 9733 /// 9734 /// \param MagicValues Registered magic values. 9735 /// 9736 /// \param FoundWrongKind Set to true if a type tag was found, but of a wrong 9737 /// kind. 9738 /// 9739 /// \param TypeInfo Information about the corresponding C type. 9740 /// 9741 /// \returns true if the corresponding C type was found. 9742 bool GetMatchingCType( 9743 const IdentifierInfo *ArgumentKind, 9744 const Expr *TypeExpr, const ASTContext &Ctx, 9745 const llvm::DenseMap<Sema::TypeTagMagicValue, 9746 Sema::TypeTagData> *MagicValues, 9747 bool &FoundWrongKind, 9748 Sema::TypeTagData &TypeInfo) { 9749 FoundWrongKind = false; 9750 9751 // Variable declaration that has type_tag_for_datatype attribute. 9752 const ValueDecl *VD = nullptr; 9753 9754 uint64_t MagicValue; 9755 9756 if (!FindTypeTagExpr(TypeExpr, Ctx, &VD, &MagicValue)) 9757 return false; 9758 9759 if (VD) { 9760 if (TypeTagForDatatypeAttr *I = VD->getAttr<TypeTagForDatatypeAttr>()) { 9761 if (I->getArgumentKind() != ArgumentKind) { 9762 FoundWrongKind = true; 9763 return false; 9764 } 9765 TypeInfo.Type = I->getMatchingCType(); 9766 TypeInfo.LayoutCompatible = I->getLayoutCompatible(); 9767 TypeInfo.MustBeNull = I->getMustBeNull(); 9768 return true; 9769 } 9770 return false; 9771 } 9772 9773 if (!MagicValues) 9774 return false; 9775 9776 llvm::DenseMap<Sema::TypeTagMagicValue, 9777 Sema::TypeTagData>::const_iterator I = 9778 MagicValues->find(std::make_pair(ArgumentKind, MagicValue)); 9779 if (I == MagicValues->end()) 9780 return false; 9781 9782 TypeInfo = I->second; 9783 return true; 9784 } 9785 } // unnamed namespace 9786 9787 void Sema::RegisterTypeTagForDatatype(const IdentifierInfo *ArgumentKind, 9788 uint64_t MagicValue, QualType Type, 9789 bool LayoutCompatible, 9790 bool MustBeNull) { 9791 if (!TypeTagForDatatypeMagicValues) 9792 TypeTagForDatatypeMagicValues.reset( 9793 new llvm::DenseMap<TypeTagMagicValue, TypeTagData>); 9794 9795 TypeTagMagicValue Magic(ArgumentKind, MagicValue); 9796 (*TypeTagForDatatypeMagicValues)[Magic] = 9797 TypeTagData(Type, LayoutCompatible, MustBeNull); 9798 } 9799 9800 namespace { 9801 bool IsSameCharType(QualType T1, QualType T2) { 9802 const BuiltinType *BT1 = T1->getAs<BuiltinType>(); 9803 if (!BT1) 9804 return false; 9805 9806 const BuiltinType *BT2 = T2->getAs<BuiltinType>(); 9807 if (!BT2) 9808 return false; 9809 9810 BuiltinType::Kind T1Kind = BT1->getKind(); 9811 BuiltinType::Kind T2Kind = BT2->getKind(); 9812 9813 return (T1Kind == BuiltinType::SChar && T2Kind == BuiltinType::Char_S) || 9814 (T1Kind == BuiltinType::UChar && T2Kind == BuiltinType::Char_U) || 9815 (T1Kind == BuiltinType::Char_U && T2Kind == BuiltinType::UChar) || 9816 (T1Kind == BuiltinType::Char_S && T2Kind == BuiltinType::SChar); 9817 } 9818 } // unnamed namespace 9819 9820 void Sema::CheckArgumentWithTypeTag(const ArgumentWithTypeTagAttr *Attr, 9821 const Expr * const *ExprArgs) { 9822 const IdentifierInfo *ArgumentKind = Attr->getArgumentKind(); 9823 bool IsPointerAttr = Attr->getIsPointer(); 9824 9825 const Expr *TypeTagExpr = ExprArgs[Attr->getTypeTagIdx()]; 9826 bool FoundWrongKind; 9827 TypeTagData TypeInfo; 9828 if (!GetMatchingCType(ArgumentKind, TypeTagExpr, Context, 9829 TypeTagForDatatypeMagicValues.get(), 9830 FoundWrongKind, TypeInfo)) { 9831 if (FoundWrongKind) 9832 Diag(TypeTagExpr->getExprLoc(), 9833 diag::warn_type_tag_for_datatype_wrong_kind) 9834 << TypeTagExpr->getSourceRange(); 9835 return; 9836 } 9837 9838 const Expr *ArgumentExpr = ExprArgs[Attr->getArgumentIdx()]; 9839 if (IsPointerAttr) { 9840 // Skip implicit cast of pointer to `void *' (as a function argument). 9841 if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(ArgumentExpr)) 9842 if (ICE->getType()->isVoidPointerType() && 9843 ICE->getCastKind() == CK_BitCast) 9844 ArgumentExpr = ICE->getSubExpr(); 9845 } 9846 QualType ArgumentType = ArgumentExpr->getType(); 9847 9848 // Passing a `void*' pointer shouldn't trigger a warning. 9849 if (IsPointerAttr && ArgumentType->isVoidPointerType()) 9850 return; 9851 9852 if (TypeInfo.MustBeNull) { 9853 // Type tag with matching void type requires a null pointer. 9854 if (!ArgumentExpr->isNullPointerConstant(Context, 9855 Expr::NPC_ValueDependentIsNotNull)) { 9856 Diag(ArgumentExpr->getExprLoc(), 9857 diag::warn_type_safety_null_pointer_required) 9858 << ArgumentKind->getName() 9859 << ArgumentExpr->getSourceRange() 9860 << TypeTagExpr->getSourceRange(); 9861 } 9862 return; 9863 } 9864 9865 QualType RequiredType = TypeInfo.Type; 9866 if (IsPointerAttr) 9867 RequiredType = Context.getPointerType(RequiredType); 9868 9869 bool mismatch = false; 9870 if (!TypeInfo.LayoutCompatible) { 9871 mismatch = !Context.hasSameType(ArgumentType, RequiredType); 9872 9873 // C++11 [basic.fundamental] p1: 9874 // Plain char, signed char, and unsigned char are three distinct types. 9875 // 9876 // But we treat plain `char' as equivalent to `signed char' or `unsigned 9877 // char' depending on the current char signedness mode. 9878 if (mismatch) 9879 if ((IsPointerAttr && IsSameCharType(ArgumentType->getPointeeType(), 9880 RequiredType->getPointeeType())) || 9881 (!IsPointerAttr && IsSameCharType(ArgumentType, RequiredType))) 9882 mismatch = false; 9883 } else 9884 if (IsPointerAttr) 9885 mismatch = !isLayoutCompatible(Context, 9886 ArgumentType->getPointeeType(), 9887 RequiredType->getPointeeType()); 9888 else 9889 mismatch = !isLayoutCompatible(Context, ArgumentType, RequiredType); 9890 9891 if (mismatch) 9892 Diag(ArgumentExpr->getExprLoc(), diag::warn_type_safety_type_mismatch) 9893 << ArgumentType << ArgumentKind 9894 << TypeInfo.LayoutCompatible << RequiredType 9895 << ArgumentExpr->getSourceRange() 9896 << TypeTagExpr->getSourceRange(); 9897 } 9898
