00001 //===--- SemaChecking.cpp - Extra Semantic Checking -----------------------===//
00002 //
00003 //                     The LLVM Compiler Infrastructure
00004 //
00005 // This file is distributed under the University of Illinois Open Source
00006 // License. See LICENSE.TXT for details.
00007 //
00008 //===----------------------------------------------------------------------===//
00009 //
00010 //  This file implements extra semantic analysis beyond what is enforced
00011 //  by the C type system.
00012 //
00013 //===----------------------------------------------------------------------===//
00014 
00015 #include "clang/Sema/Initialization.h"
00016 #include "clang/Sema/Sema.h"
00017 #include "clang/Sema/SemaInternal.h"
00018 #include "clang/Sema/Initialization.h"
00019 #include "clang/Sema/ScopeInfo.h"
00020 #include "clang/Analysis/Analyses/FormatString.h"
00021 #include "clang/AST/ASTContext.h"
00022 #include "clang/AST/CharUnits.h"
00023 #include "clang/AST/DeclCXX.h"
00024 #include "clang/AST/DeclObjC.h"
00025 #include "clang/AST/Expr.h"
00026 #include "clang/AST/ExprCXX.h"
00027 #include "clang/AST/ExprObjC.h"
00028 #include "clang/AST/EvaluatedExprVisitor.h"
00029 #include "clang/AST/DeclObjC.h"
00030 #include "clang/AST/StmtCXX.h"
00031 #include "clang/AST/StmtObjC.h"
00032 #include "clang/Lex/Preprocessor.h"
00033 #include "llvm/ADT/BitVector.h"
00034 #include "llvm/ADT/SmallString.h"
00035 #include "llvm/ADT/STLExtras.h"
00036 #include "llvm/Support/raw_ostream.h"
00037 #include "clang/Basic/TargetBuiltins.h"
00038 #include "clang/Basic/TargetInfo.h"
00039 #include "clang/Basic/ConvertUTF.h"
00040 #include <limits>
00041 using namespace clang;
00042 using namespace sema;
00043 
/// Map a byte offset inside a string literal back to a source location.
///
/// \param SL     the literal being inspected.
/// \param ByteNo the byte index inside the literal's contents.
/// \return the location StringLiteral computes for that byte using the
///         preprocessor's source manager, language options and target info.
SourceLocation Sema::getLocationOfStringLiteralByte(const StringLiteral *SL,
                                                    unsigned ByteNo) const {
  const SourceManager &SM = PP.getSourceManager();
  const LangOptions &LangOpts = PP.getLangOpts();
  const TargetInfo &Target = PP.getTargetInfo();
  return SL->getLocationOfByte(ByteNo, SM, LangOpts, Target);
}
00049 
00050 /// Checks that a call expression's argument count is the desired number.
00051 /// This is useful when doing custom type-checking.  Returns true on error.
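/// Checks that a call expression's argument count is the desired number.
/// This is useful when doing custom type-checking.  Returns true on error.
///
/// \param S               the Sema used to emit diagnostics.
/// \param call            the call whose argument count is checked.
/// \param desiredArgCount the exact number of arguments the builtin accepts.
/// \return true if a diagnostic was emitted, false if the count matches.
static bool checkArgCount(Sema &S, CallExpr *call, unsigned desiredArgCount) {
  unsigned argCount = call->getNumArgs();
  if (argCount == desiredArgCount) return false;

  if (argCount < desiredArgCount)
    return S.Diag(call->getLocEnd(), diag::err_typecheck_call_too_few_args)
        << 0 /*function call*/ << desiredArgCount << argCount
        << call->getSourceRange();

  // Highlight all the excess arguments.  argCount > desiredArgCount here, so
  // both indices are in range.
  SourceRange range(call->getArg(desiredArgCount)->getLocStart(),
                    call->getArg(argCount - 1)->getLocEnd());

  // Attach the computed range rather than getArg(1): with desiredArgCount == 0
  // and a single argument, getArg(1) would index past the argument array, and
  // for larger counts it highlighted only the second argument instead of the
  // excess ones.
  return S.Diag(range.getBegin(), diag::err_typecheck_call_too_many_args)
    << 0 /*function call*/ << desiredArgCount << argCount
    << range;
}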
00069 
00070 /// Check that the first argument to __builtin_annotation is an integer
00071 /// and the second argument is a non-wide string literal.
/// Check that the first argument to __builtin_annotation is an integer
/// and the second argument is a non-wide string literal.
///
/// On success the call's result type becomes the type of the first argument.
/// Returns true on error, after emitting a diagnostic.
static bool SemaBuiltinAnnotation(Sema &S, CallExpr *TheCall) {
  if (checkArgCount(S, TheCall, 2))
    return true;

  // The annotated value must have an integer type; it is also the result type.
  Expr *Value = TheCall->getArg(0);
  QualType ValueTy = Value->getType();
  if (!ValueTy->isIntegerType()) {
    S.Diag(Value->getLocStart(), diag::err_builtin_annotation_first_arg)
      << Value->getSourceRange();
    return true;
  }

  // The annotation text must be a narrow string literal, found after looking
  // through any parentheses and casts around it.
  Expr *Text = TheCall->getArg(1)->IgnoreParenCasts();
  StringLiteral *TextLiteral = dyn_cast<StringLiteral>(Text);
  bool IsNarrowLiteral = TextLiteral && TextLiteral->isAscii();
  if (!IsNarrowLiteral) {
    S.Diag(Text->getLocStart(), diag::err_builtin_annotation_second_arg)
      << Text->getSourceRange();
    return true;
  }

  TheCall->setType(ValueTy);
  return false;
}
00097 
/// CheckBuiltinFunctionCall - Perform the semantic checks specific to a call
/// of the builtin 'BuiltinID'.  Arguments that the builtin's signature marks
/// as integer constant expressions are verified first; builtins with custom
/// checking are then dispatched to their SemaBuiltin* helper, and
/// target-specific builtins are checked for the target being compiled for.
///
/// Returns the checked call, or an invalid ExprResult when a diagnostic was
/// emitted.  The __sync_* builtins and the atomic builtins generated from
/// Builtins.def hand 'TheCallResult' to their helper and return its result,
/// which may be a different expression than 'TheCall'.
ExprResult
Sema::CheckBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) {
  ExprResult TheCallResult(Owned(TheCall));

  // Find out if any arguments are required to be integer constant expressions.
  // GetBuiltinType reports them as a bitmask: bit N set means argument N.
  unsigned ICEArguments = 0;
  ASTContext::GetBuiltinTypeError Error;
  Context.GetBuiltinType(BuiltinID, Error, &ICEArguments);
  if (Error != ASTContext::GE_None)
    ICEArguments = 0;  // Don't diagnose previously diagnosed errors.
  
  // If any arguments are required to be ICE's, check and diagnose.
  // Each checked bit is cleared, so the loop stops once every required
  // argument has been visited.
  for (unsigned ArgNo = 0; ICEArguments != 0; ++ArgNo) {
    // Skip arguments not required to be ICE's.
    if ((ICEArguments & (1 << ArgNo)) == 0) continue;
    
    llvm::APSInt Result;
    // An ExprResult constructed from 'true' is an invalid result, the same as
    // returning ExprError().
    if (SemaBuiltinConstantArg(TheCall, ArgNo, Result))
      return true;
    ICEArguments &= ~(1 << ArgNo);
  }
  
  // Builtins that need checking beyond their declared prototype.
  switch (BuiltinID) {
  case Builtin::BI__builtin___CFStringMakeConstantString:
    assert(TheCall->getNumArgs() == 1 &&
           "Wrong # arguments to builtin CFStringMakeConstantString");
    if (CheckObjCString(TheCall->getArg(0)))
      return ExprError();
    break;
  case Builtin::BI__builtin_stdarg_start:
  case Builtin::BI__builtin_va_start:
    if (SemaBuiltinVAStart(TheCall))
      return ExprError();
    break;
  case Builtin::BI__builtin_isgreater:
  case Builtin::BI__builtin_isgreaterequal:
  case Builtin::BI__builtin_isless:
  case Builtin::BI__builtin_islessequal:
  case Builtin::BI__builtin_islessgreater:
  case Builtin::BI__builtin_isunordered:
    if (SemaBuiltinUnorderedCompare(TheCall))
      return ExprError();
    break;
  // The second argument to SemaBuiltinFPClassification is the number of
  // arguments the classification builtin takes.
  case Builtin::BI__builtin_fpclassify:
    if (SemaBuiltinFPClassification(TheCall, 6))
      return ExprError();
    break;
  case Builtin::BI__builtin_isfinite:
  case Builtin::BI__builtin_isinf:
  case Builtin::BI__builtin_isinf_sign:
  case Builtin::BI__builtin_isnan:
  case Builtin::BI__builtin_isnormal:
    if (SemaBuiltinFPClassification(TheCall, 1))
      return ExprError();
    break;
  case Builtin::BI__builtin_shufflevector:
    return SemaBuiltinShuffleVector(TheCall);
    // TheCall will be freed by the smart pointer here, but that's fine, since
    // SemaBuiltinShuffleVector guts it, but then doesn't release it.
  case Builtin::BI__builtin_prefetch:
    if (SemaBuiltinPrefetch(TheCall))
      return ExprError();
    break;
  case Builtin::BI__builtin_object_size:
    if (SemaBuiltinObjectSize(TheCall))
      return ExprError();
    break;
  case Builtin::BI__builtin_longjmp:
    if (SemaBuiltinLongjmp(TheCall))
      return ExprError();
    break;

  // These two only need an argument-count check; their result is always int.
  // (checkArgCount returning true yields an invalid ExprResult, see above.)
  case Builtin::BI__builtin_classify_type:
    if (checkArgCount(*this, TheCall, 1)) return true;
    TheCall->setType(Context.IntTy);
    break;
  case Builtin::BI__builtin_constant_p:
    if (checkArgCount(*this, TheCall, 1)) return true;
    TheCall->setType(Context.IntTy);
    break;
  // The GCC-style __sync_* builtins are overloaded on the pointee type; the
  // generic form and the explicitly sized _1/_2/_4/_8/_16 forms all go through
  // SemaBuiltinAtomicOverloaded, which takes over the call.
  case Builtin::BI__sync_fetch_and_add:
  case Builtin::BI__sync_fetch_and_add_1:
  case Builtin::BI__sync_fetch_and_add_2:
  case Builtin::BI__sync_fetch_and_add_4:
  case Builtin::BI__sync_fetch_and_add_8:
  case Builtin::BI__sync_fetch_and_add_16:
  case Builtin::BI__sync_fetch_and_sub:
  case Builtin::BI__sync_fetch_and_sub_1:
  case Builtin::BI__sync_fetch_and_sub_2:
  case Builtin::BI__sync_fetch_and_sub_4:
  case Builtin::BI__sync_fetch_and_sub_8:
  case Builtin::BI__sync_fetch_and_sub_16:
  case Builtin::BI__sync_fetch_and_or:
  case Builtin::BI__sync_fetch_and_or_1:
  case Builtin::BI__sync_fetch_and_or_2:
  case Builtin::BI__sync_fetch_and_or_4:
  case Builtin::BI__sync_fetch_and_or_8:
  case Builtin::BI__sync_fetch_and_or_16:
  case Builtin::BI__sync_fetch_and_and:
  case Builtin::BI__sync_fetch_and_and_1:
  case Builtin::BI__sync_fetch_and_and_2:
  case Builtin::BI__sync_fetch_and_and_4:
  case Builtin::BI__sync_fetch_and_and_8:
  case Builtin::BI__sync_fetch_and_and_16:
  case Builtin::BI__sync_fetch_and_xor:
  case Builtin::BI__sync_fetch_and_xor_1:
  case Builtin::BI__sync_fetch_and_xor_2:
  case Builtin::BI__sync_fetch_and_xor_4:
  case Builtin::BI__sync_fetch_and_xor_8:
  case Builtin::BI__sync_fetch_and_xor_16:
  case Builtin::BI__sync_add_and_fetch:
  case Builtin::BI__sync_add_and_fetch_1:
  case Builtin::BI__sync_add_and_fetch_2:
  case Builtin::BI__sync_add_and_fetch_4:
  case Builtin::BI__sync_add_and_fetch_8:
  case Builtin::BI__sync_add_and_fetch_16:
  case Builtin::BI__sync_sub_and_fetch:
  case Builtin::BI__sync_sub_and_fetch_1:
  case Builtin::BI__sync_sub_and_fetch_2:
  case Builtin::BI__sync_sub_and_fetch_4:
  case Builtin::BI__sync_sub_and_fetch_8:
  case Builtin::BI__sync_sub_and_fetch_16:
  case Builtin::BI__sync_and_and_fetch:
  case Builtin::BI__sync_and_and_fetch_1:
  case Builtin::BI__sync_and_and_fetch_2:
  case Builtin::BI__sync_and_and_fetch_4:
  case Builtin::BI__sync_and_and_fetch_8:
  case Builtin::BI__sync_and_and_fetch_16:
  case Builtin::BI__sync_or_and_fetch:
  case Builtin::BI__sync_or_and_fetch_1:
  case Builtin::BI__sync_or_and_fetch_2:
  case Builtin::BI__sync_or_and_fetch_4:
  case Builtin::BI__sync_or_and_fetch_8:
  case Builtin::BI__sync_or_and_fetch_16:
  case Builtin::BI__sync_xor_and_fetch:
  case Builtin::BI__sync_xor_and_fetch_1:
  case Builtin::BI__sync_xor_and_fetch_2:
  case Builtin::BI__sync_xor_and_fetch_4:
  case Builtin::BI__sync_xor_and_fetch_8:
  case Builtin::BI__sync_xor_and_fetch_16:
  case Builtin::BI__sync_val_compare_and_swap:
  case Builtin::BI__sync_val_compare_and_swap_1:
  case Builtin::BI__sync_val_compare_and_swap_2:
  case Builtin::BI__sync_val_compare_and_swap_4:
  case Builtin::BI__sync_val_compare_and_swap_8:
  case Builtin::BI__sync_val_compare_and_swap_16:
  case Builtin::BI__sync_bool_compare_and_swap:
  case Builtin::BI__sync_bool_compare_and_swap_1:
  case Builtin::BI__sync_bool_compare_and_swap_2:
  case Builtin::BI__sync_bool_compare_and_swap_4:
  case Builtin::BI__sync_bool_compare_and_swap_8:
  case Builtin::BI__sync_bool_compare_and_swap_16:
  case Builtin::BI__sync_lock_test_and_set:
  case Builtin::BI__sync_lock_test_and_set_1:
  case Builtin::BI__sync_lock_test_and_set_2:
  case Builtin::BI__sync_lock_test_and_set_4:
  case Builtin::BI__sync_lock_test_and_set_8:
  case Builtin::BI__sync_lock_test_and_set_16:
  case Builtin::BI__sync_lock_release:
  case Builtin::BI__sync_lock_release_1:
  case Builtin::BI__sync_lock_release_2:
  case Builtin::BI__sync_lock_release_4:
  case Builtin::BI__sync_lock_release_8:
  case Builtin::BI__sync_lock_release_16:
  case Builtin::BI__sync_swap:
  case Builtin::BI__sync_swap_1:
  case Builtin::BI__sync_swap_2:
  case Builtin::BI__sync_swap_4:
  case Builtin::BI__sync_swap_8:
  case Builtin::BI__sync_swap_16:
    return SemaBuiltinAtomicOverloaded(move(TheCallResult));
  // Expand one 'case' per ATOMIC_BUILTIN entry in Builtins.def (the C11 and
  // GNU __atomic_* builtins); BUILTIN entries expand to nothing here.  Each
  // case hands the call to SemaAtomicOpsOverloaded with the matching
  // AtomicExpr opcode.
#define BUILTIN(ID, TYPE, ATTRS)
#define ATOMIC_BUILTIN(ID, TYPE, ATTRS) \
  case Builtin::BI##ID: \
    return SemaAtomicOpsOverloaded(move(TheCallResult), AtomicExpr::AO##ID);
#include "clang/Basic/Builtins.def"
  case Builtin::BI__builtin_annotation:
    if (SemaBuiltinAnnotation(*this, TheCall))
      return ExprError();
    break;
  }
  
  // Since the target specific builtins for each arch overlap, only check those
  // of the arch we are compiling for.
  if (BuiltinID >= Builtin::FirstTSBuiltin) {
    switch (Context.getTargetInfo().getTriple().getArch()) {
      case llvm::Triple::arm:
      case llvm::Triple::thumb:
        if (CheckARMBuiltinFunctionCall(BuiltinID, TheCall))
          return ExprError();
        break;
      default:
        // Other targets have no extra checking here.
        break;
    }
  }

  return move(TheCallResult);
}
00296 
00297 // Get the valid immediate range for the specified NEON type code.
// Get the valid immediate range for the specified NEON type code.
//
// Without 'shift' the result is the highest valid lane index for the vector
// type: the lane count of the element width, doubled when the type code is
// marked quad, minus one.  With 'shift' it is the highest valid shift amount
// for the element width (bits - 1); shifting float element types is not
// allowed and trips an assertion.
static unsigned RFT(unsigned t, bool shift = false) {
  NeonTypeFlags Type(t);
  int IsQuad = Type.isQuad();

  // Element width in bits, and whether the element type is floating point.
  unsigned EltBits = 0;
  bool IsFloat = false;
  switch (Type.getEltType()) {
  case NeonTypeFlags::Int8:
  case NeonTypeFlags::Poly8:
    EltBits = 8;
    break;
  case NeonTypeFlags::Int16:
  case NeonTypeFlags::Poly16:
    EltBits = 16;
    break;
  case NeonTypeFlags::Int32:
    EltBits = 32;
    break;
  case NeonTypeFlags::Int64:
    EltBits = 64;
    break;
  case NeonTypeFlags::Float16:
    EltBits = 16;
    IsFloat = true;
    break;
  case NeonTypeFlags::Float32:
    EltBits = 32;
    IsFloat = true;
    break;
  }
  if (EltBits == 0)
    llvm_unreachable("Invalid NeonTypeFlag!");

  if (shift) {
    assert(!IsFloat && "cannot shift float types!");
    if (!IsFloat)
      return EltBits - 1;
  }

  // Lanes in a 64-bit vector of this element width, doubled for quad types.
  unsigned Lanes = (64 / EltBits) << IsQuad;
  return Lanes - 1;
}
00321 
00322 /// getNeonEltType - Return the QualType corresponding to the elements of
00323 /// the vector type specified by the NeonTypeFlags.  This is used to check
00324 /// the pointer arguments for Neon load/store intrinsics.
/// getNeonEltType - Return the QualType corresponding to the elements of
/// the vector type specified by the NeonTypeFlags.  This is used to check
/// the pointer arguments for Neon load/store intrinsics.
///
/// Integer element kinds honour the unsigned flag; the polynomial kinds map
/// to signed char / short, Float16 to unsigned short and Float32 to float,
/// regardless of that flag.
static QualType getNeonEltType(NeonTypeFlags Flags, ASTContext &Context) {
  // Kinds with a fixed mapping that ignores the unsigned flag.
  switch (Flags.getEltType()) {
  case NeonTypeFlags::Poly8:
    return Context.SignedCharTy;
  case NeonTypeFlags::Poly16:
    return Context.ShortTy;
  case NeonTypeFlags::Float16:
    return Context.UnsignedShortTy;
  case NeonTypeFlags::Float32:
    return Context.FloatTy;
  default:
    break;
  }

  // Integer kinds: select the signed/unsigned pair for the element width.
  QualType SignedTy, UnsignedTy;
  switch (Flags.getEltType()) {
  case NeonTypeFlags::Int8:
    SignedTy = Context.SignedCharTy;
    UnsignedTy = Context.UnsignedCharTy;
    break;
  case NeonTypeFlags::Int16:
    SignedTy = Context.ShortTy;
    UnsignedTy = Context.UnsignedShortTy;
    break;
  case NeonTypeFlags::Int32:
    SignedTy = Context.IntTy;
    UnsignedTy = Context.UnsignedIntTy;
    break;
  case NeonTypeFlags::Int64:
    SignedTy = Context.LongLongTy;
    UnsignedTy = Context.UnsignedLongLongTy;
    break;
  default:
    llvm_unreachable("Invalid NeonTypeFlag!");
  }
  return Flags.isUnsigned() ? UnsignedTy : SignedTy;
}
00346 
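/// CheckARMBuiltinFunctionCall - Perform the ARM-specific checks on a call to
/// an ARM or NEON builtin: validate the NEON type-code immediate against the
/// builtin's overload mask, type-check the pointer argument of load/store
/// intrinsics, and range-check immediates that are encoded in the
/// instruction.  Returns true on error (a diagnostic has been emitted).
bool Sema::CheckARMBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall) {
  llvm::APSInt Result;

  // Filled in by the generated overload table: 'mask' has one bit set per
  // NEON type code the builtin accepts (zero for non-overloaded builtins);
  // PtrArgNum / HasConstPtr describe the pointer argument of load/store
  // intrinsics, if there is one.
  unsigned mask = 0;
  unsigned TV = 0;
  int PtrArgNum = -1;
  bool HasConstPtr = false;
  switch (BuiltinID) {
#define GET_NEON_OVERLOAD_CHECK
#include "clang/Basic/arm_neon.inc"
#undef GET_NEON_OVERLOAD_CHECK
  }
  
  // For NEON intrinsics which are overloaded on vector element type, validate
  // the immediate which specifies which variant to emit.  It is always the
  // last argument of the call.
  if (mask) {
    unsigned ImmArg = TheCall->getNumArgs()-1;
    if (SemaBuiltinConstantArg(TheCall, ImmArg, Result))
      return true;
    
    // Clamp the constant to 64 so it can be tested against the mask; 64 and
    // anything above is rejected by the TV > 63 test.  The bit test must use
    // a 64-bit one: TV can legitimately be up to 63, and '1 << TV' on a
    // 32-bit int is undefined for TV >= 32.  Bits the 32-bit mask cannot hold
    // are simply never set, so such codes are rejected as intended.
    TV = Result.getLimitedValue(64);
    if ((TV > 63) || (mask & (1ULL << TV)) == 0)
      return Diag(TheCall->getLocStart(), diag::err_invalid_neon_type_code)
        << TheCall->getArg(ImmArg)->getSourceRange();
  }

  if (PtrArgNum >= 0) {
    // Check that pointer arguments have the specified type: a pointer to the
    // element type selected by the type code, const-qualified if the
    // intrinsic only reads through it.  The argument is checked as if it were
    // assigned to a variable of that pointer type.
    Expr *Arg = TheCall->getArg(PtrArgNum);
    if (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Arg))
      Arg = ICE->getSubExpr();
    ExprResult RHS = DefaultFunctionArrayLvalueConversion(Arg);
    QualType RHSTy = RHS.get()->getType();
    QualType EltTy = getNeonEltType(NeonTypeFlags(TV), Context);
    if (HasConstPtr)
      EltTy = EltTy.withConst();
    QualType LHSTy = Context.getPointerType(EltTy);
    AssignConvertType ConvTy;
    ConvTy = CheckSingleAssignmentConstraints(LHSTy, RHS);
    if (RHS.isInvalid())
      return true;
    if (DiagnoseAssignmentResult(ConvTy, Arg->getLocStart(), LHSTy, RHSTy,
                                 RHS.get(), AA_Assigning))
      return true;
  }
  
  // For NEON intrinsics which take an immediate value as part of the 
  // instruction, range check them here.  'i' is the argument index and the
  // accepted values are l .. l+u inclusive; builtins without such an
  // immediate return here.
  unsigned i = 0, l = 0, u = 0;
  switch (BuiltinID) {
  default: return false;
  case ARM::BI__builtin_arm_ssat: i = 1; l = 1; u = 31; break;
  case ARM::BI__builtin_arm_usat: i = 1; u = 31; break;
  case ARM::BI__builtin_arm_vcvtr_f:
  case ARM::BI__builtin_arm_vcvtr_d: i = 1; u = 1; break;
#define GET_NEON_IMMEDIATE_CHECK
#include "clang/Basic/arm_neon.inc"
#undef GET_NEON_IMMEDIATE_CHECK
  }

  // Check that the immediate argument is actually a constant.
  if (SemaBuiltinConstantArg(TheCall, i, Result))
    return true;

  // Range check against the upper/lower values for this instruction.  Compare
  // the full 64-bit value: truncating it to 'unsigned' first would let a
  // constant such as 2^32 + 1 alias a small in-range immediate and pass.
  int64_t Val = Result.getSExtValue();
  if (Val < int64_t(l) || Val > int64_t(u + l))
    return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range)
      << l << u+l << TheCall->getArg(i)->getSourceRange();

  // FIXME: VFP Intrinsics should error if VFP not present.
  return false;
}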
00420 
00421 /// CheckFunctionCall - Check a direct function call for various correctness
00422 /// and safety properties not strictly enforced by the C type system.
/// CheckFunctionCall - Check a direct function call for various correctness
/// and safety properties not strictly enforced by the C type system.
///
/// Runs format-string checking once per 'format' attribute, non-null
/// argument checking once per 'nonnull' attribute, and the dedicated
/// argument checks for memory/string functions the callee is recognised as.
/// Always returns false: these checks only emit diagnostics.
bool Sema::CheckFunctionCall(FunctionDecl *FDecl, CallExpr *TheCall) {
  // Functions without a simple identifier (e.g., C++ conversion functions)
  // are exempt from every check below.
  IdentifierInfo *FnInfo = FDecl->getIdentifier();
  if (!FnInfo)
    return false;

  // FIXME: This mechanism should be abstracted to be less fragile and
  // more efficient. For example, just map function ids to custom
  // handlers.

  typedef specific_attr_iterator<FormatAttr> FormatIter;
  typedef specific_attr_iterator<NonNullAttr> NonNullIter;

  // Printf and scanf checking.
  FormatIter FmtEnd = FDecl->specific_attr_end<FormatAttr>();
  for (FormatIter Fmt = FDecl->specific_attr_begin<FormatAttr>();
       Fmt != FmtEnd; ++Fmt)
    CheckFormatArguments(*Fmt, TheCall);

  // Non-null argument checking, anchored at the callee expression.
  SourceLocation CalleeLoc = TheCall->getCallee()->getLocStart();
  NonNullIter NNEnd = FDecl->specific_attr_end<NonNullAttr>();
  for (NonNullIter NN = FDecl->specific_attr_begin<NonNullAttr>();
       NN != NNEnd; ++NN)
    CheckNonNullArguments(*NN, TheCall->getArgs(), CalleeLoc);

  // Handle memory setting and copying functions; a kind of 0 means the
  // callee is not one of them.
  unsigned CMId = FDecl->getMemoryFunctionKind();
  switch (CMId) {
  case 0:
    break;
  case Builtin::BIstrlcpy:
  case Builtin::BIstrlcat:
    CheckStrlcpycatArguments(TheCall, FnInfo);
    break;
  case Builtin::BIstrncat:
    CheckStrncatArguments(TheCall, FnInfo);
    break;
  default:
    CheckMemaccessArguments(TheCall, CMId, FnInfo);
    break;
  }

  return false;
}
00464 
/// CheckObjCMethodCall - Run the attribute-driven argument checks (format
/// strings and non-null arguments) on a message send to 'Method'.
///
/// \param lbrac   location of the message's opening bracket; used as the
///                diagnostic anchor.
/// \param Args    the message arguments.
/// \param NumArgs number of entries in Args.
/// Always returns false; the checks only emit diagnostics.
bool Sema::CheckObjCMethodCall(ObjCMethodDecl *Method, SourceLocation lbrac,
                               Expr **Args, unsigned NumArgs) {
  typedef specific_attr_iterator<FormatAttr> FormatIter;
  typedef specific_attr_iterator<NonNullAttr> NonNullIter;

  // Format-string checking, once per 'format' attribute on the method.
  FormatIter FmtEnd = Method->specific_attr_end<FormatAttr>();
  for (FormatIter Fmt = Method->specific_attr_begin<FormatAttr>();
       Fmt != FmtEnd; ++Fmt)
    CheckFormatArguments(*Fmt, Args, NumArgs, false, lbrac,
                         Method->getSourceRange());

  // Non-null argument checking, once per 'nonnull' attribute on the method.
  NonNullIter NNEnd = Method->specific_attr_end<NonNullAttr>();
  for (NonNullIter NN = Method->specific_attr_begin<NonNullAttr>();
       NN != NNEnd; ++NN)
    CheckNonNullArguments(*NN, Args, lbrac);

  return false;
}
00484 
/// CheckBlockCall - Run format-string checking on a call through a block.
/// Only callees that are variables of block pointer type are checked; any
/// other declaration is accepted without inspection.  Always returns false.
bool Sema::CheckBlockCall(NamedDecl *NDecl, CallExpr *TheCall) {
  const VarDecl *BlockVar = dyn_cast<VarDecl>(NDecl);
  if (!BlockVar || !BlockVar->getType()->isBlockPointerType())
    return false;

  // format string checking, once per 'format' attribute on the variable.
  typedef specific_attr_iterator<FormatAttr> FormatIter;
  FormatIter FmtEnd = NDecl->specific_attr_end<FormatAttr>();
  for (FormatIter Fmt = NDecl->specific_attr_begin<FormatAttr>();
       Fmt != FmtEnd; ++Fmt)
    CheckFormatArguments(*Fmt, TheCall);

  return false;
}
00503 
/// SemaAtomicOpsOverloaded - Type-check a call to one of the C11
/// (__c11_atomic_*) or GNU (__atomic_*) atomic builtins and rewrite it into
/// an AtomicExpr.
///
/// The builtin is classified into one of the argument 'forms' below, which
/// fixes the argument count and which arguments carry values.  The pointee
/// type of the first argument determines the value type; the remaining
/// arguments are converted to the types that form requires, then permuted
/// into the operand order AtomicExpr expects.
///
/// \param TheCallResult the call being checked; it is consumed and replaced.
/// \param Op            the AtomicExpr opcode for this builtin.
/// \return the new AtomicExpr, or an invalid result after a diagnostic.
ExprResult Sema::SemaAtomicOpsOverloaded(ExprResult TheCallResult,
                                         AtomicExpr::AtomicOp Op) {
  CallExpr *TheCall = cast<CallExpr>(TheCallResult.get());
  // The callee reference; its location anchors every diagnostic below.
  DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts());

  // All these operations take one of the following forms:
  enum {
    // C    __c11_atomic_init(A *, C)
    Init,
    // C    __c11_atomic_load(A *, int)
    Load,
    // void __atomic_load(A *, CP, int)
    Copy,
    // C    __c11_atomic_add(A *, M, int)
    Arithmetic,
    // C    __atomic_exchange_n(A *, CP, int)
    Xchg,
    // void __atomic_exchange(A *, C *, CP, int)
    GNUXchg,
    // bool __c11_atomic_compare_exchange_strong(A *, C *, CP, int, int)
    C11CmpXchg,
    // bool __atomic_compare_exchange(A *, C *, CP, bool, int, int)
    GNUCmpXchg
  } Form = Init;
  // Indexed by Form, in the enumerator order above: total argument count,
  // and how many of the arguments after the pointer carry values (the rest
  // are memory orderings).
  const unsigned NumArgs[] = { 2, 2, 3, 3, 3, 4, 5, 6 };
  const unsigned NumVals[] = { 1, 0, 1, 1, 1, 2, 2, 3 };
  // where:
  //   C is an appropriate type,
  //   A is volatile _Atomic(C) for __c11 builtins and is C for GNU builtins,
  //   CP is C for __c11 builtins and GNU _n builtins and is C * otherwise,
  //   M is C if C is an integer, and ptrdiff_t if C is a pointer, and
  //   the int parameters are for orderings.

  // IsC11 relies on the C11 opcodes forming one contiguous range at the start
  // of the AtomicOp enumeration; guard that layout assumption.
  assert(AtomicExpr::AO__c11_atomic_init == 0 &&
         AtomicExpr::AO__c11_atomic_fetch_xor + 1 == AtomicExpr::AO__atomic_load
         && "need to update code for modified C11 atomics");
  bool IsC11 = Op >= AtomicExpr::AO__c11_atomic_init &&
               Op <= AtomicExpr::AO__c11_atomic_fetch_xor;
  // The GNU "_n" variants pass values directly instead of by pointer.
  bool IsN = Op == AtomicExpr::AO__atomic_load_n ||
             Op == AtomicExpr::AO__atomic_store_n ||
             Op == AtomicExpr::AO__atomic_exchange_n ||
             Op == AtomicExpr::AO__atomic_compare_exchange_n;
  bool IsAddSub = false;

  // Classify the opcode into its argument form.
  switch (Op) {
  case AtomicExpr::AO__c11_atomic_init:
    Form = Init;
    break;

  case AtomicExpr::AO__c11_atomic_load:
  case AtomicExpr::AO__atomic_load_n:
    Form = Load;
    break;

  case AtomicExpr::AO__c11_atomic_store:
  case AtomicExpr::AO__atomic_load:
  case AtomicExpr::AO__atomic_store:
  case AtomicExpr::AO__atomic_store_n:
    Form = Copy;
    break;

  case AtomicExpr::AO__c11_atomic_fetch_add:
  case AtomicExpr::AO__c11_atomic_fetch_sub:
  case AtomicExpr::AO__atomic_fetch_add:
  case AtomicExpr::AO__atomic_fetch_sub:
  case AtomicExpr::AO__atomic_add_fetch:
  case AtomicExpr::AO__atomic_sub_fetch:
    IsAddSub = true;
    // Fall through.
  case AtomicExpr::AO__c11_atomic_fetch_and:
  case AtomicExpr::AO__c11_atomic_fetch_or:
  case AtomicExpr::AO__c11_atomic_fetch_xor:
  case AtomicExpr::AO__atomic_fetch_and:
  case AtomicExpr::AO__atomic_fetch_or:
  case AtomicExpr::AO__atomic_fetch_xor:
  case AtomicExpr::AO__atomic_fetch_nand:
  case AtomicExpr::AO__atomic_and_fetch:
  case AtomicExpr::AO__atomic_or_fetch:
  case AtomicExpr::AO__atomic_xor_fetch:
  case AtomicExpr::AO__atomic_nand_fetch:
    Form = Arithmetic;
    break;

  case AtomicExpr::AO__c11_atomic_exchange:
  case AtomicExpr::AO__atomic_exchange_n:
    Form = Xchg;
    break;

  case AtomicExpr::AO__atomic_exchange:
    Form = GNUXchg;
    break;

  case AtomicExpr::AO__c11_atomic_compare_exchange_strong:
  case AtomicExpr::AO__c11_atomic_compare_exchange_weak:
    Form = C11CmpXchg;
    break;

  case AtomicExpr::AO__atomic_compare_exchange:
  case AtomicExpr::AO__atomic_compare_exchange_n:
    Form = GNUCmpXchg;
    break;
  }

  // Check we have the right number of arguments.
  if (TheCall->getNumArgs() < NumArgs[Form]) {
    Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args)
      << 0 << NumArgs[Form] << TheCall->getNumArgs()
      << TheCall->getCallee()->getSourceRange();
    return ExprError();
  } else if (TheCall->getNumArgs() > NumArgs[Form]) {
    Diag(TheCall->getArg(NumArgs[Form])->getLocStart(),
         diag::err_typecheck_call_too_many_args)
      << 0 << NumArgs[Form] << TheCall->getNumArgs()
      << TheCall->getCallee()->getSourceRange();
    return ExprError();
  }

  // Inspect the first argument of the atomic operation.  It must be a
  // pointer; its pointee is 'A' in the forms above.
  Expr *Ptr = TheCall->getArg(0);
  Ptr = DefaultFunctionArrayLvalueConversion(Ptr).get();
  const PointerType *pointerType = Ptr->getType()->getAs<PointerType>();
  if (!pointerType) {
    Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer)
      << Ptr->getType() << Ptr->getSourceRange();
    return ExprError();
  }

  // For a __c11 builtin, this should be a pointer to an _Atomic type.
  // For GNU builtins the pointee is the value type itself.
  QualType AtomTy = pointerType->getPointeeType(); // 'A'
  QualType ValType = AtomTy; // 'C'
  if (IsC11) {
    if (!AtomTy->isAtomicType()) {
      Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic)
        << Ptr->getType() << Ptr->getSourceRange();
      return ExprError();
    }
    ValType = AtomTy->getAs<AtomicType>()->getValueType();
  }

  // For an arithmetic operation, the implied arithmetic must be well-formed.
  if (Form == Arithmetic) {
    // gcc does not enforce these rules for GNU atomics, but we do so for sanity.
    if (IsAddSub && !ValType->isIntegerType() && !ValType->isPointerType()) {
      Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic_int_or_ptr)
        << IsC11 << Ptr->getType() << Ptr->getSourceRange();
      return ExprError();
    }
    if (!IsAddSub && !ValType->isIntegerType()) {
      Diag(DRE->getLocStart(), diag::err_atomic_op_bitwise_needs_atomic_int)
        << IsC11 << Ptr->getType() << Ptr->getSourceRange();
      return ExprError();
    }
  } else if (IsN && !ValType->isIntegerType() && !ValType->isPointerType()) {
    // For __atomic_*_n operations, the value type must be a scalar integral or
    // pointer type which is 1, 2, 4, 8 or 16 bytes in length.
    Diag(DRE->getLocStart(), diag::err_atomic_op_needs_atomic_int_or_ptr)
      << IsC11 << Ptr->getType() << Ptr->getSourceRange();
    return ExprError();
  }

  if (!IsC11 && !AtomTy.isTriviallyCopyableType(Context)) {
    // For GNU atomics, require a trivially-copyable type. This is not part of
    // the GNU atomics specification, but we enforce it for sanity.
    Diag(DRE->getLocStart(), diag::err_atomic_op_needs_trivial_copy)
      << Ptr->getType() << Ptr->getSourceRange();
    return ExprError();
  }

  // FIXME: For any builtin other than a load, the ValType must not be
  // const-qualified.

  // Reject ARC-managed object pointers as the value type.
  switch (ValType.getObjCLifetime()) {
  case Qualifiers::OCL_None:
  case Qualifiers::OCL_ExplicitNone:
    // okay
    break;

  case Qualifiers::OCL_Weak:
  case Qualifiers::OCL_Strong:
  case Qualifiers::OCL_Autoreleasing:
    // FIXME: Can this happen? By this point, ValType should be known
    // to be trivially copyable.
    Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership)
      << ValType << Ptr->getSourceRange();
    return ExprError();
  }

  // Result type per form: void for stores/init/GNU exchange, bool for the
  // compare-exchange variants, the value type otherwise.
  QualType ResultType = ValType;
  if (Form == Copy || Form == GNUXchg || Form == Init)
    ResultType = Context.VoidTy;
  else if (Form == C11CmpXchg || Form == GNUCmpXchg)
    ResultType = Context.BoolTy;

  // The type of a parameter passed 'by value'. In the GNU atomics, such
  // arguments are actually passed as pointers.
  QualType ByValType = ValType; // 'CP'
  if (!IsC11 && !IsN)
    ByValType = Ptr->getType();

  // The first argument --- the pointer --- has a fixed type; we
  // deduce the types of the rest of the arguments accordingly.  Walk
  // the remaining arguments, converting them to the deduced value type.
  for (unsigned i = 1; i != NumArgs[Form]; ++i) {
    QualType Ty;
    if (i < NumVals[Form] + 1) {
      switch (i) {
      case 1:
        // The second argument is the non-atomic operand. For arithmetic, this
        // is always passed by value, and for a compare_exchange it is always
        // passed by address. For the rest, GNU uses by-address and C11 uses
        // by-value.
        assert(Form != Load);
        if (Form == Init || (Form == Arithmetic && ValType->isIntegerType()))
          Ty = ValType;
        else if (Form == Copy || Form == Xchg)
          Ty = ByValType;
        else if (Form == Arithmetic)
          Ty = Context.getPointerDiffType();
        else
          Ty = Context.getPointerType(ValType.getUnqualifiedType());
        break;
      case 2:
        // The third argument to compare_exchange / GNU exchange is a
        // (pointer to a) desired value.
        Ty = ByValType;
        break;
      case 3:
        // The fourth argument to GNU compare_exchange is a 'weak' flag.
        Ty = Context.BoolTy;
        break;
      }
    } else {
      // The order(s) are always converted to int.
      Ty = Context.IntTy;
    }

    // Convert the argument as if initializing a parameter of type Ty and
    // store the converted expression back into the call.
    InitializedEntity Entity =
        InitializedEntity::InitializeParameter(Context, Ty, false);
    ExprResult Arg = TheCall->getArg(i);
    Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg);
    // An ExprResult constructed from 'true' is an invalid result.
    if (Arg.isInvalid())
      return true;
    TheCall->setArg(i, Arg.get());
  }

  // Permute the arguments into a 'consistent' order.  AtomicExpr expects the
  // pointer first, then the success ordering, then the values (with the
  // failure ordering and weak flag interleaved as its accessors expect).
  SmallVector<Expr*, 5> SubExprs;
  SubExprs.push_back(Ptr);
  switch (Form) {
  case Init:
    // Note, AtomicExpr::getVal1() has a special case for this atomic.
    SubExprs.push_back(TheCall->getArg(1)); // Val1
    break;
  case Load:
    SubExprs.push_back(TheCall->getArg(1)); // Order
    break;
  case Copy:
  case Arithmetic:
  case Xchg:
    SubExprs.push_back(TheCall->getArg(2)); // Order
    SubExprs.push_back(TheCall->getArg(1)); // Val1
    break;
  case GNUXchg:
    // Note, AtomicExpr::getVal2() has a special case for this atomic.
    SubExprs.push_back(TheCall->getArg(3)); // Order
    SubExprs.push_back(TheCall->getArg(1)); // Val1
    SubExprs.push_back(TheCall->getArg(2)); // Val2
    break;
  case C11CmpXchg:
    SubExprs.push_back(TheCall->getArg(3)); // Order
    SubExprs.push_back(TheCall->getArg(1)); // Val1
    SubExprs.push_back(TheCall->getArg(4)); // OrderFail
    SubExprs.push_back(TheCall->getArg(2)); // Val2
    break;
  case GNUCmpXchg:
    SubExprs.push_back(TheCall->getArg(4)); // Order
    SubExprs.push_back(TheCall->getArg(1)); // Val1
    SubExprs.push_back(TheCall->getArg(5)); // OrderFail
    SubExprs.push_back(TheCall->getArg(2)); // Val2
    SubExprs.push_back(TheCall->getArg(3)); // Weak
    break;
  }

  // The original CallExpr is replaced by the AtomicExpr; its callee location
  // and closing paren bound the new node.
  return Owned(new (Context) AtomicExpr(TheCall->getCallee()->getLocStart(),
                                        SubExprs.data(), SubExprs.size(),
                                        ResultType, Op,
                                        TheCall->getRParenLoc()));
}
00792 
00793 
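/// checkBuiltinArgument - Given a call to a builtin function, perform
/// normal type-checking on the given argument, updating the call in
/// place.  This is useful when a builtin function requires custom
/// type-checking for some of its arguments but not necessarily all of
/// them.
///
/// \param S        the Sema instance whose ASTContext and initialization
///                 machinery are used.
/// \param E        the builtin call; argument \p ArgIndex is replaced in place
///                 by its converted form.
/// \param ArgIndex zero-based index of the argument to check.  The same index
///                 selects the formal parameter on the callee's declaration
///                 that supplies the target type.
///
/// Returns true on error.
static bool checkBuiltinArgument(Sema &S, CallExpr *E, unsigned ArgIndex) {
  FunctionDecl *Fn = E->getDirectCallee();
  assert(Fn && "builtin call without direct callee!");
  assert(ArgIndex < Fn->getNumParams() && "no formal for builtin argument");
  assert(ArgIndex < E->getNumArgs() && "builtin argument index out of range");

  // The formal parameter supplies the type the argument is converted to.
  ParmVarDecl *Param = Fn->getParamDecl(ArgIndex);
  InitializedEntity Entity =
    InitializedEntity::InitializeParameter(S.Context, Param);

  // Read the argument at ArgIndex so that the expression being checked is the
  // same one that is written back below (reading argument 0 unconditionally
  // would check the wrong expression for any non-zero index).
  ExprResult Arg = E->getArg(ArgIndex);
  Arg = S.PerformCopyInitialization(Entity, SourceLocation(), Arg);
  if (Arg.isInvalid())
    return true;

  E->setArg(ArgIndex, Arg.take());
  return false;
}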
00817 
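/// SemaBuiltinAtomicOverloaded - We have a call to a function like
/// __sync_fetch_and_add, which is an overloaded function based on the pointer
/// type of its first argument.  The main ActOnCallExpr routines have already
/// promoted the types of arguments because all of these calls are prototyped as
/// void(...).
///
/// This function goes through and does final semantic checking for these
/// builtins.  It validates the pointer argument, converts the fixed value
/// arguments to the pointee type, rewrites the callee to the size-specific
/// builtin (e.g. __sync_fetch_and_add with a 2-byte pointee becomes
/// __sync_fetch_and_add_2) and sets the call's result type.  Any arguments
/// beyond the fixed ones are left untouched.
///
/// \param TheCallResult the call being checked; it is modified in place.
/// \returns the same call on success, ExprError() after a diagnostic.
ExprResult
Sema::SemaBuiltinAtomicOverloaded(ExprResult TheCallResult) {
  CallExpr *TheCall = (CallExpr *)TheCallResult.get();
  DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts());
  FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl());

  // Ensure that we have at least one argument to do type inference from.
  if (TheCall->getNumArgs() < 1) {
    Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least)
      << 0 << 1 << TheCall->getNumArgs()
      << TheCall->getCallee()->getSourceRange();
    return ExprError();
  }

  // Inspect the first argument of the atomic builtin.  This should always be
  // a pointer type, whose element is an integral scalar or pointer type.
  // Because it is a pointer type, we don't have to worry about any implicit
  // casts here.
  // FIXME: We don't allow floating point scalars as input.
  Expr *FirstArg = TheCall->getArg(0);
  ExprResult FirstArgResult = DefaultFunctionArrayLvalueConversion(FirstArg);
  if (FirstArgResult.isInvalid())
    return ExprError();
  FirstArg = FirstArgResult.take();
  TheCall->setArg(0, FirstArg);

  const PointerType *pointerType = FirstArg->getType()->getAs<PointerType>();
  if (!pointerType) {
    Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer)
      << FirstArg->getType() << FirstArg->getSourceRange();
    return ExprError();
  }

  QualType ValType = pointerType->getPointeeType();
  if (!ValType->isIntegerType() && !ValType->isAnyPointerType() &&
      !ValType->isBlockPointerType()) {
    Diag(DRE->getLocStart(), diag::err_atomic_builtin_must_be_pointer_intptr)
      << FirstArg->getType() << FirstArg->getSourceRange();
    return ExprError();
  }

  // A pointee carrying an ARC ownership qualifier is rejected outright.
  switch (ValType.getObjCLifetime()) {
  case Qualifiers::OCL_None:
  case Qualifiers::OCL_ExplicitNone:
    // okay
    break;

  case Qualifiers::OCL_Weak:
  case Qualifiers::OCL_Strong:
  case Qualifiers::OCL_Autoreleasing:
    Diag(DRE->getLocStart(), diag::err_arc_atomic_ownership)
      << ValType << FirstArg->getSourceRange();
    return ExprError();
  }

  // Strip any qualifiers off ValType.
  ValType = ValType.getUnqualifiedType();

  // The majority of builtins return a value, but a few have special return
  // types, so allow them to override appropriately below.
  QualType ResultType = ValType;

  // We need to figure out which concrete builtin this maps onto.  For example,
  // __sync_fetch_and_add with a 2 byte object turns into
  // __sync_fetch_and_add_2.
#define BUILTIN_ROW(x) \
  { Builtin::BI##x##_1, Builtin::BI##x##_2, Builtin::BI##x##_4, \
    Builtin::BI##x##_8, Builtin::BI##x##_16 }

  static const unsigned BuiltinIndices[][5] = {
    BUILTIN_ROW(__sync_fetch_and_add),
    BUILTIN_ROW(__sync_fetch_and_sub),
    BUILTIN_ROW(__sync_fetch_and_or),
    BUILTIN_ROW(__sync_fetch_and_and),
    BUILTIN_ROW(__sync_fetch_and_xor),

    BUILTIN_ROW(__sync_add_and_fetch),
    BUILTIN_ROW(__sync_sub_and_fetch),
    BUILTIN_ROW(__sync_and_and_fetch),
    BUILTIN_ROW(__sync_or_and_fetch),
    BUILTIN_ROW(__sync_xor_and_fetch),

    BUILTIN_ROW(__sync_val_compare_and_swap),
    BUILTIN_ROW(__sync_bool_compare_and_swap),
    BUILTIN_ROW(__sync_lock_test_and_set),
    BUILTIN_ROW(__sync_lock_release),
    BUILTIN_ROW(__sync_swap)
  };
#undef BUILTIN_ROW

  // Determine the index of the size.  Only the five widths that have a
  // concrete _N builtin are accepted.
  unsigned SizeIndex;
  switch (Context.getTypeSizeInChars(ValType).getQuantity()) {
  case 1: SizeIndex = 0; break;
  case 2: SizeIndex = 1; break;
  case 4: SizeIndex = 2; break;
  case 8: SizeIndex = 3; break;
  case 16: SizeIndex = 4; break;
  default:
    Diag(DRE->getLocStart(), diag::err_atomic_builtin_pointer_size)
      << FirstArg->getType() << FirstArg->getSourceRange();
    return ExprError();
  }

  // Each of these builtins has one pointer argument, followed by some number of
  // values (0, 1 or 2) followed by a potentially empty varags list of stuff
  // that we ignore.  Find out which row of BuiltinIndices to read from as well
  // as the number of fixed args.
  unsigned BuiltinID = FDecl->getBuiltinID();
  unsigned BuiltinIndex, NumFixed = 1;
  switch (BuiltinID) {
  default: llvm_unreachable("Unknown overloaded atomic builtin!");
  case Builtin::BI__sync_fetch_and_add:
  case Builtin::BI__sync_fetch_and_add_1:
  case Builtin::BI__sync_fetch_and_add_2:
  case Builtin::BI__sync_fetch_and_add_4:
  case Builtin::BI__sync_fetch_and_add_8:
  case Builtin::BI__sync_fetch_and_add_16:
    BuiltinIndex = 0;
    break;

  case Builtin::BI__sync_fetch_and_sub:
  case Builtin::BI__sync_fetch_and_sub_1:
  case Builtin::BI__sync_fetch_and_sub_2:
  case Builtin::BI__sync_fetch_and_sub_4:
  case Builtin::BI__sync_fetch_and_sub_8:
  case Builtin::BI__sync_fetch_and_sub_16:
    BuiltinIndex = 1;
    break;

  case Builtin::BI__sync_fetch_and_or:
  case Builtin::BI__sync_fetch_and_or_1:
  case Builtin::BI__sync_fetch_and_or_2:
  case Builtin::BI__sync_fetch_and_or_4:
  case Builtin::BI__sync_fetch_and_or_8:
  case Builtin::BI__sync_fetch_and_or_16:
    BuiltinIndex = 2;
    break;

  case Builtin::BI__sync_fetch_and_and:
  case Builtin::BI__sync_fetch_and_and_1:
  case Builtin::BI__sync_fetch_and_and_2:
  case Builtin::BI__sync_fetch_and_and_4:
  case Builtin::BI__sync_fetch_and_and_8:
  case Builtin::BI__sync_fetch_and_and_16:
    BuiltinIndex = 3;
    break;

  case Builtin::BI__sync_fetch_and_xor:
  case Builtin::BI__sync_fetch_and_xor_1:
  case Builtin::BI__sync_fetch_and_xor_2:
  case Builtin::BI__sync_fetch_and_xor_4:
  case Builtin::BI__sync_fetch_and_xor_8:
  case Builtin::BI__sync_fetch_and_xor_16:
    BuiltinIndex = 4;
    break;

  case Builtin::BI__sync_add_and_fetch:
  case Builtin::BI__sync_add_and_fetch_1:
  case Builtin::BI__sync_add_and_fetch_2:
  case Builtin::BI__sync_add_and_fetch_4:
  case Builtin::BI__sync_add_and_fetch_8:
  case Builtin::BI__sync_add_and_fetch_16:
    BuiltinIndex = 5;
    break;

  case Builtin::BI__sync_sub_and_fetch:
  case Builtin::BI__sync_sub_and_fetch_1:
  case Builtin::BI__sync_sub_and_fetch_2:
  case Builtin::BI__sync_sub_and_fetch_4:
  case Builtin::BI__sync_sub_and_fetch_8:
  case Builtin::BI__sync_sub_and_fetch_16:
    BuiltinIndex = 6;
    break;

  case Builtin::BI__sync_and_and_fetch:
  case Builtin::BI__sync_and_and_fetch_1:
  case Builtin::BI__sync_and_and_fetch_2:
  case Builtin::BI__sync_and_and_fetch_4:
  case Builtin::BI__sync_and_and_fetch_8:
  case Builtin::BI__sync_and_and_fetch_16:
    BuiltinIndex = 7;
    break;

  case Builtin::BI__sync_or_and_fetch:
  case Builtin::BI__sync_or_and_fetch_1:
  case Builtin::BI__sync_or_and_fetch_2:
  case Builtin::BI__sync_or_and_fetch_4:
  case Builtin::BI__sync_or_and_fetch_8:
  case Builtin::BI__sync_or_and_fetch_16:
    BuiltinIndex = 8;
    break;

  case Builtin::BI__sync_xor_and_fetch:
  case Builtin::BI__sync_xor_and_fetch_1:
  case Builtin::BI__sync_xor_and_fetch_2:
  case Builtin::BI__sync_xor_and_fetch_4:
  case Builtin::BI__sync_xor_and_fetch_8:
  case Builtin::BI__sync_xor_and_fetch_16:
    BuiltinIndex = 9;
    break;

  case Builtin::BI__sync_val_compare_and_swap:
  case Builtin::BI__sync_val_compare_and_swap_1:
  case Builtin::BI__sync_val_compare_and_swap_2:
  case Builtin::BI__sync_val_compare_and_swap_4:
  case Builtin::BI__sync_val_compare_and_swap_8:
  case Builtin::BI__sync_val_compare_and_swap_16:
    BuiltinIndex = 10;
    NumFixed = 2;
    break;

  case Builtin::BI__sync_bool_compare_and_swap:
  case Builtin::BI__sync_bool_compare_and_swap_1:
  case Builtin::BI__sync_bool_compare_and_swap_2:
  case Builtin::BI__sync_bool_compare_and_swap_4:
  case Builtin::BI__sync_bool_compare_and_swap_8:
  case Builtin::BI__sync_bool_compare_and_swap_16:
    BuiltinIndex = 11;
    NumFixed = 2;
    ResultType = Context.BoolTy;
    break;

  case Builtin::BI__sync_lock_test_and_set:
  case Builtin::BI__sync_lock_test_and_set_1:
  case Builtin::BI__sync_lock_test_and_set_2:
  case Builtin::BI__sync_lock_test_and_set_4:
  case Builtin::BI__sync_lock_test_and_set_8:
  case Builtin::BI__sync_lock_test_and_set_16:
    BuiltinIndex = 12;
    break;

  case Builtin::BI__sync_lock_release:
  case Builtin::BI__sync_lock_release_1:
  case Builtin::BI__sync_lock_release_2:
  case Builtin::BI__sync_lock_release_4:
  case Builtin::BI__sync_lock_release_8:
  case Builtin::BI__sync_lock_release_16:
    BuiltinIndex = 13;
    NumFixed = 0;
    ResultType = Context.VoidTy;
    break;

  case Builtin::BI__sync_swap:
  case Builtin::BI__sync_swap_1:
  case Builtin::BI__sync_swap_2:
  case Builtin::BI__sync_swap_4:
  case Builtin::BI__sync_swap_8:
  case Builtin::BI__sync_swap_16:
    BuiltinIndex = 14;
    break;
  }

  // Now that we know how many fixed arguments we expect, first check that we
  // have at least that many.
  if (TheCall->getNumArgs() < 1+NumFixed) {
    Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args_at_least)
      << 0 << 1+NumFixed << TheCall->getNumArgs()
      << TheCall->getCallee()->getSourceRange();
    return ExprError();
  }

  // Get the decl for the concrete builtin from this, we can tell what the
  // concrete integer type we should convert to is.
  unsigned NewBuiltinID = BuiltinIndices[BuiltinIndex][SizeIndex];
  const char *NewBuiltinName = Context.BuiltinInfo.GetName(NewBuiltinID);
  IdentifierInfo *NewBuiltinII = PP.getIdentifierInfo(NewBuiltinName);
  FunctionDecl *NewBuiltinDecl =
    cast<FunctionDecl>(LazilyCreateBuiltin(NewBuiltinII, NewBuiltinID,
                                           TUScope, false, DRE->getLocStart()));

  // The first argument --- the pointer --- has a fixed type; we
  // deduce the types of the rest of the arguments accordingly.  Walk
  // the remaining arguments, converting them to the deduced value type.
  for (unsigned i = 0; i != NumFixed; ++i) {
    ExprResult Arg = TheCall->getArg(i+1);

    // GCC does an implicit conversion to the pointer or integer ValType.  This
    // can fail in some cases (1i -> int**), check for this error case now.
    // Initialize the argument.
    InitializedEntity Entity = InitializedEntity::InitializeParameter(Context,
                                                   ValType, /*consume*/ false);
    Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg);
    if (Arg.isInvalid())
      return ExprError();

    // Okay, we have something that *can* be converted to the right type.  Check
    // to see if there is a potentially weird extension going on here.  This can
    // happen when you do an atomic operation on something like an char* and
    // pass in 42.  The 42 gets converted to char.  This is even more strange
    // for things like 45.123 -> char, etc.
    // FIXME: Do this check.
    TheCall->setArg(i+1, Arg.take());
  }

  // Create a new DeclRefExpr to refer to the new decl.  (Sema's own Context
  // member is used here; no local alias is needed.)
  DeclRefExpr* NewDRE = DeclRefExpr::Create(
      Context,
      DRE->getQualifierLoc(),
      SourceLocation(),
      NewBuiltinDecl,
      /*enclosing*/ false,
      DRE->getLocation(),
      NewBuiltinDecl->getType(),
      DRE->getValueKind());

  // Set the callee in the CallExpr.
  // FIXME: This leaks the original parens and implicit casts.
  ExprResult PromotedCall = UsualUnaryConversions(NewDRE);
  if (PromotedCall.isInvalid())
    return ExprError();
  TheCall->setCallee(PromotedCall.take());

  // Change the result type of the call to match the original value type. This
  // is arbitrary, but the codegen for these builtins is designed to handle it
  // gracefully.
  TheCall->setType(ResultType);

  // The call was updated in place; hand the same result back to the caller.
  return TheCallResult;
}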
01148 
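/// CheckObjCString - Checks that the argument to the builtin
/// CFString constructor is correct.
///
/// After stripping parens and casts the argument must be a plain (isAscii())
/// string literal; anything else is an error.  A literal that contains
/// non-ASCII bytes or embedded NULs is additionally trial-converted to UTF-16,
/// and a warning is issued if that conversion does not complete cleanly.
/// Note: It might also make sense to do the UTF-16 conversion here (would
/// simplify the backend).
///
/// \param Arg the expression passed to the CFString constructor builtin.
/// \returns true on error (argument is not a usable string constant), false
///          otherwise; the conversion problem is only a warning.
bool Sema::CheckObjCString(Expr *Arg) {
  Arg = Arg->IgnoreParenCasts();
  StringLiteral *Literal = dyn_cast<StringLiteral>(Arg);

  if (!Literal || !Literal->isAscii()) {
    Diag(Arg->getLocStart(), diag::err_cfstring_literal_not_string_constant)
      << Arg->getSourceRange();
    return true;
  }

  if (Literal->containsNonAsciiOrNull()) {
    StringRef String = Literal->getString();
    unsigned NumBytes = String.size();
    // NumBytes is non-zero here (the literal has at least one non-ASCII or
    // NUL byte).  One UTF-8 sequence never expands to more UTF-16 code units
    // than it has bytes, so a buffer of NumBytes units cannot overflow.
    SmallVector<UTF16, 128> ToBuf(NumBytes);
    // The converter only reads through the source pointer; keep the literal's
    // storage const instead of casting the qualifier away.
    const UTF8 *FromPtr = reinterpret_cast<const UTF8 *>(String.data());
    UTF16 *ToPtr = &ToBuf[0];

    ConversionResult Result = ConvertUTF8toUTF16(&FromPtr, FromPtr + NumBytes,
                                                 &ToPtr, ToPtr + NumBytes,
                                                 strictConversion);
    // Check for conversion failure.  Every non-OK result (exhausted or illegal
    // source as well as a full target) is reported with this one warning.
    if (Result != conversionOK)
      Diag(Arg->getLocStart(),
           diag::warn_cfstring_truncated) << Arg->getSourceRange();
  }
  return false;
}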
01180 
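/// SemaBuiltinVAStart - Check the arguments to __builtin_va_start for validity.
/// Emit an error and return true on failure, return false on success.
///
/// Checks, in order: the call has exactly two arguments; the first argument
/// type-checks against the builtin's declared parameter; the innermost block,
/// function or Objective-C method is variadic; and (warning only) the second
/// argument names the last named parameter of that block/function/method.
///
/// \param TheCall the call to __builtin_va_start.
/// \returns true if an error was emitted, false otherwise.  The warning about
///          the second argument does not count as an error.
bool Sema::SemaBuiltinVAStart(CallExpr *TheCall) {
  Expr *Fn = TheCall->getCallee();
  if (TheCall->getNumArgs() > 2) {
    Diag(TheCall->getArg(2)->getLocStart(),
         diag::err_typecheck_call_too_many_args)
      << 0 /*function call*/ << 2 << TheCall->getNumArgs()
      << Fn->getSourceRange()
      << SourceRange(TheCall->getArg(2)->getLocStart(),
                     (*(TheCall->arg_end()-1))->getLocEnd());
    return true;
  }

  if (TheCall->getNumArgs() < 2) {
    return Diag(TheCall->getLocEnd(),
      diag::err_typecheck_call_too_few_args_at_least)
      << 0 /*function call*/ << 2 << TheCall->getNumArgs();
  }

  // Type-check the first argument normally.
  if (checkBuiltinArgument(*this, TheCall, 0))
    return true;

  // Determine whether the current function is variadic or not.  The innermost
  // block wins over the enclosing function.  Outside any block, function or
  // method there is no parameter list at all, so treat that as "not variadic"
  // instead of dereferencing a null method decl.
  BlockScopeInfo *CurBlock = getCurBlock();
  bool isVariadic;
  if (CurBlock)
    isVariadic = CurBlock->TheDecl->isVariadic();
  else if (FunctionDecl *FD = getCurFunctionDecl())
    isVariadic = FD->isVariadic();
  else if (ObjCMethodDecl *MD = getCurMethodDecl())
    isVariadic = MD->isVariadic();
  else
    isVariadic = false;

  if (!isVariadic) {
    Diag(Fn->getLocStart(), diag::err_va_start_used_in_non_variadic_function);
    return true;
  }

  // Verify that the second argument to the builtin is the last argument of the
  // current function or method.
  bool SecondArgIsLastNamedArgument = false;
  const Expr *Arg = TheCall->getArg(1)->IgnoreParenCasts();

  if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Arg)) {
    if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(DR->getDecl())) {
      // FIXME: This isn't correct for methods (results in bogus warning).
      // Get the last formal in the current function.  A variadic function or
      // block with no named parameters (C++ allows 'void f(...)') has no last
      // formal; stepping back from param_end() would then read before the
      // start of the parameter array, so leave LastArg null and let the
      // warning below fire.
      const ParmVarDecl *LastArg = 0;
      if (CurBlock) {
        if (CurBlock->TheDecl->param_size() != 0)
          LastArg = *(CurBlock->TheDecl->param_end()-1);
      } else if (FunctionDecl *FD = getCurFunctionDecl()) {
        if (FD->param_size() != 0)
          LastArg = *(FD->param_end()-1);
      } else if (ObjCMethodDecl *MD = getCurMethodDecl()) {
        if (MD->param_size() != 0)
          LastArg = *(MD->param_end()-1);
      }
      SecondArgIsLastNamedArgument = LastArg != 0 && PV == LastArg;
    }
  }

  if (!SecondArgIsLastNamedArgument)
    Diag(TheCall->getArg(1)->getLocStart(),
         diag::warn_second_parameter_of_va_start_not_last_named_argument);
  return false;
}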
01245 
/// SemaBuiltinUnorderedCompare - Handle functions like __builtin_isgreater and
/// friends.  This is declared to take (...), so we have to check everything.
///
/// Exactly two operands are required.  Both undergo the usual arithmetic
/// conversions and the converted expressions are written back into the call;
/// unless one of them is still type-dependent, their common type must be a
/// real (non-complex) floating-point type.
///
/// \param TheCall the call to the unordered-compare builtin.
/// \returns true if a diagnostic was emitted, false otherwise.
bool Sema::SemaBuiltinUnorderedCompare(CallExpr *TheCall) {
  const unsigned NumGiven = TheCall->getNumArgs();
  if (NumGiven < 2)
    return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args)
      << 0 << 2 << NumGiven/*function call*/;
  if (NumGiven > 2) {
    Expr *FirstExtra = TheCall->getArg(2);
    Expr *LastExtra = *(TheCall->arg_end()-1);
    return Diag(FirstExtra->getLocStart(),
                diag::err_typecheck_call_too_many_args)
      << 0 /*function call*/ << 2 << NumGiven
      << SourceRange(FirstExtra->getLocStart(), LastExtra->getLocEnd());
  }

  ExprResult LHS = TheCall->getArg(0);
  ExprResult RHS = TheCall->getArg(1);

  // Do standard promotions between the two arguments, returning their common
  // type.
  QualType CommonTy = UsualArithmeticConversions(LHS, RHS, false);
  if (LHS.isInvalid() || RHS.isInvalid())
    return true;

  // Make sure any conversions are pushed back into the call; this is
  // type safe since unordered compare builtins are declared as "_Bool
  // foo(...)".
  Expr *LHSExpr = LHS.get();
  Expr *RHSExpr = RHS.get();
  TheCall->setArg(0, LHSExpr);
  TheCall->setArg(1, RHSExpr);

  // Nothing more can be said about dependent operands.
  if (LHSExpr->isTypeDependent() || RHSExpr->isTypeDependent())
    return false;

  // If the common type isn't a real floating type, then the arguments were
  // invalid for this operation.
  if (CommonTy->isRealFloatingType())
    return false;

  return Diag(LHSExpr->getLocStart(),
              diag::err_typecheck_call_invalid_ordered_compare)
    << LHSExpr->getType() << RHSExpr->getType()
    << SourceRange(LHSExpr->getLocStart(), RHSExpr->getLocEnd());
}
01287 
/// SemaBuiltinFPClassification - Handle functions like
/// __builtin_isnan and friends.  This is declared to take (...), so we have
/// to check everything. We expect the last argument to be a floating point
/// value.
///
/// \param TheCall the call to the classification builtin.
/// \param NumArgs the exact number of arguments the builtin takes; the
///                floating-point operand is argument NumArgs-1.
/// \returns true if a diagnostic was emitted, false otherwise.  On success an
///          implicit float->double promotion wrapped around the operand has
///          been stripped, so the call sees the original float.
bool Sema::SemaBuiltinFPClassification(CallExpr *TheCall, unsigned NumArgs) {
  const unsigned Given = TheCall->getNumArgs();
  if (Given < NumArgs)
    return Diag(TheCall->getLocEnd(), diag::err_typecheck_call_too_few_args)
      << 0 << NumArgs << Given/*function call*/;
  if (Given > NumArgs) {
    Expr *FirstExtra = TheCall->getArg(NumArgs);
    Expr *LastExtra = *(TheCall->arg_end()-1);
    return Diag(FirstExtra->getLocStart(),
                diag::err_typecheck_call_too_many_args)
      << 0 /*function call*/ << NumArgs << Given
      << SourceRange(FirstExtra->getLocStart(), LastExtra->getLocEnd());
  }

  const unsigned OperandIdx = NumArgs - 1;
  Expr *Operand = TheCall->getArg(OperandIdx);

  if (Operand->isTypeDependent())
    return false;

  // This operation requires a non-_Complex floating-point number.
  if (!Operand->getType()->isRealFloatingType())
    return Diag(Operand->getLocStart(),
                diag::err_typecheck_call_invalid_unary_fp)
      << Operand->getType() << Operand->getSourceRange();

  // If this is an implicit conversion from float -> double, remove it.
  ImplicitCastExpr *Promotion = dyn_cast<ImplicitCastExpr>(Operand);
  if (!Promotion)
    return false;

  Expr *Unpromoted = Promotion->getSubExpr();
  if (!Unpromoted->getType()->isSpecificBuiltinType(BuiltinType::Float))
    return false;

  assert(Promotion->getType()->isSpecificBuiltinType(BuiltinType::Double) &&
         "promotion from float to double is the only expected cast here");
  // Detach the operand from the cast node and hand the unpromoted float to the
  // call directly.
  Promotion->setSubExpr(0);
  TheCall->setArg(OperandIdx, Unpromoted);

  return false;
}
01327 
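/// SemaBuiltinShuffleVector - Handle __builtin_shufflevector.
// This is declared to take (...), so we have to check everything.
///
/// Three call shapes are accepted (see the comment in the body).  The result
/// type is the first operand's type, except that a scalar-mask call selecting
/// a different number of elements yields a generic vector of that length.
/// Every scalar mask index must be an integer constant expression in
/// [0, 2*numElements).
///
/// \param TheCall the call to __builtin_shufflevector; on success its
///                arguments are moved out of it into the returned expression.
/// \returns the new ShuffleVectorExpr, or ExprError() after a diagnostic.
ExprResult Sema::SemaBuiltinShuffleVector(CallExpr *TheCall) {
  if (TheCall->getNumArgs() < 2)
    return ExprError(Diag(TheCall->getLocEnd(),
                          diag::err_typecheck_call_too_few_args_at_least)
      << 0 /*function call*/ << 2 << TheCall->getNumArgs()
      << TheCall->getSourceRange());

  // Determine which of the following types of shufflevector we're checking:
  // 1) unary, vector mask: (lhs, mask)
  // 2) binary, vector mask: (lhs, rhs, mask)
  // 3) binary, scalar mask: (lhs, rhs, index, ..., index)
  QualType resType = TheCall->getArg(0)->getType();
  unsigned numElements = 0;

  if (!TheCall->getArg(0)->isTypeDependent() &&
      !TheCall->getArg(1)->isTypeDependent()) {
    QualType LHSType = TheCall->getArg(0)->getType();
    QualType RHSType = TheCall->getArg(1)->getType();

    if (!LHSType->isVectorType() || !RHSType->isVectorType()) {
      Diag(TheCall->getLocStart(), diag::err_shufflevector_non_vector)
        << SourceRange(TheCall->getArg(0)->getLocStart(),
                       TheCall->getArg(1)->getLocEnd());
      return ExprError();
    }

    numElements = LHSType->getAs<VectorType>()->getNumElements();
    unsigned numResElements = TheCall->getNumArgs() - 2;

    // Check to see if we have a call with 2 vector arguments, the unary shuffle
    // with mask.  If so, verify that RHS is an integer vector type with the
    // same number of elts as lhs.
    if (TheCall->getNumArgs() == 2) {
      if (!RHSType->hasIntegerRepresentation() ||
          RHSType->getAs<VectorType>()->getNumElements() != numElements) {
        Diag(TheCall->getLocStart(), diag::err_shufflevector_incompatible_vector)
          << SourceRange(TheCall->getArg(1)->getLocStart(),
                         TheCall->getArg(1)->getLocEnd());
        // Bail out as the other type errors in this function do, rather than
        // building a ShuffleVectorExpr whose mask does not fit its operand.
        return ExprError();
      }
      numResElements = numElements;
    }
    else if (!Context.hasSameUnqualifiedType(LHSType, RHSType)) {
      Diag(TheCall->getLocStart(), diag::err_shufflevector_incompatible_vector)
        << SourceRange(TheCall->getArg(0)->getLocStart(),
                       TheCall->getArg(1)->getLocEnd());
      return ExprError();
    } else if (numElements != numResElements) {
      // A scalar-mask shuffle may produce a different number of elements than
      // its operands hold; the result is then a generic vector of that length.
      QualType eltType = LHSType->getAs<VectorType>()->getElementType();
      resType = Context.getVectorType(eltType, numResElements,
                                      VectorType::GenericVector);
    }
  }

  // Every scalar mask index must be an integer constant in [0, 2*numElements).
  for (unsigned i = 2; i < TheCall->getNumArgs(); i++) {
    if (TheCall->getArg(i)->isTypeDependent() ||
        TheCall->getArg(i)->isValueDependent())
      continue;

    llvm::APSInt Result(32);
    if (!TheCall->getArg(i)->isIntegerConstantExpr(Result, Context))
      return ExprError(Diag(TheCall->getLocStart(),
                  diag::err_shufflevector_nonconstant_argument)
                << TheCall->getArg(i)->getSourceRange());

    // getActiveBits() is tested first so that getZExtValue() is never asked
    // for a value wider than 64 bits.
    if (Result.getActiveBits() > 64 || Result.getZExtValue() >= numElements*2)
      return ExprError(Diag(TheCall->getLocStart(),
                  diag::err_shufflevector_argument_too_large)
               << TheCall->getArg(i)->getSourceRange());
  }

  // Detach the arguments from the CallExpr and hand them to the new
  // ShuffleVectorExpr.
  SmallVector<Expr*, 32> exprs;

  for (unsigned i = 0, e = TheCall->getNumArgs(); i != e; i++) {
    exprs.push_back(TheCall->getArg(i));
    TheCall->setArg(i, 0);
  }

  return Owned(new (Context) ShuffleVectorExpr(Context, exprs.begin(),
                                            exprs.size(), resType,
                                            TheCall->getCallee()->getLocStart(),
                                            TheCall->getRParenLoc()));
}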
01411 
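/// SemaBuiltinPrefetch - Handle __builtin_prefetch.
// This is declared to take (const void*, ...) and can take two
// optional constant int args.
///
/// The optional second argument (rw) must be a constant in [0, 1] and the
/// optional third argument (locality) a constant in [0, 3].  Dependent
/// arguments are left for the check that runs once they have a value.
///
/// \param TheCall the call to __builtin_prefetch.
/// \returns true if a diagnostic was emitted, false otherwise.
bool Sema::SemaBuiltinPrefetch(CallExpr *TheCall) {
  unsigned NumArgs = TheCall->getNumArgs();

  if (NumArgs > 3)
    return Diag(TheCall->getLocEnd(),
             diag::err_typecheck_call_too_many_args_at_most)
             << 0 /*function call*/ << 3 << NumArgs
             << TheCall->getSourceRange();

  // Argument 0 is checked for us and the remaining arguments must be
  // constant integers.
  for (unsigned i = 1; i != NumArgs; ++i) {
    Expr *Arg = TheCall->getArg(i);

    // A dependent argument has no value to range-check yet.
    // SemaBuiltinConstantArg reports success for such an argument without
    // touching Result, so skip it explicitly rather than range-checking an
    // APSInt that was never set.
    if (Arg->isTypeDependent() || Arg->isValueDependent())
      continue;

    llvm::APSInt Result;
    if (SemaBuiltinConstantArg(TheCall, i, Result))
      return true;

    // FIXME: gcc issues a warning and rewrites these to 0. These
    // seems especially odd for the third argument since the default
    // is 3.
    // getLimitedValue() saturates values wider than 64 bits, and a negative
    // value is zero-extended here, so both land outside the allowed range.
    if (i == 1) {
      if (Result.getLimitedValue() > 1)
        return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range)
             << "0" << "1" << Arg->getSourceRange();
    } else {
      if (Result.getLimitedValue() > 3)
        return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range)
            << "0" << "3" << Arg->getSourceRange();
    }
  }

  return false;
}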
01449 
/// SemaBuiltinConstantArg - Handle a check if argument ArgNum of CallExpr
/// TheCall is a constant expression.
///
/// \param TheCall the builtin call.  Its callee (after stripping parens and
///                casts) must be a DeclRefExpr to a FunctionDecl, whose name
///                is used in the diagnostic.
/// \param ArgNum  index of the argument to evaluate.
/// \param Result  receives the argument's value when it is an integer
///                constant expression.  It is left untouched when the
///                argument is type- or value-dependent, which callers must
///                allow for.
/// \returns true if the argument is neither dependent nor an integer
///          constant expression (an error is emitted), false otherwise.
bool Sema::SemaBuiltinConstantArg(CallExpr *TheCall, int ArgNum,
                                  llvm::APSInt &Result) {
  Expr *Arg = TheCall->getArg(ArgNum);
  DeclRefExpr *CalleeRef =
    cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts());
  FunctionDecl *BuiltinDecl = cast<FunctionDecl>(CalleeRef->getDecl());

  // A dependent argument cannot be evaluated yet; report success and leave
  // Result as it was.
  if (Arg->isTypeDependent() || Arg->isValueDependent())
    return false;

  if (Arg->isIntegerConstantExpr(Result, Context))
    return false;

  return Diag(TheCall->getLocStart(), diag::err_constant_integer_arg_type)
              << BuiltinDecl->getDeclName() << Arg->getSourceRange();
}
01466 
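/// SemaBuiltinObjectSize - Handle __builtin_object_size(void *ptr,
/// int type). This simply type checks that type is one of the defined
/// constants (0-3).
// For compatibility check 0-3, llvm only handles 0 and 2.
///
/// \param TheCall the call to __builtin_object_size.
/// \returns true if a diagnostic was emitted, false otherwise.  A dependent
///          'type' argument is accepted for now; it can only be range-checked
///          once it has a value.
bool Sema::SemaBuiltinObjectSize(CallExpr *TheCall) {
  Expr *Arg = TheCall->getArg(1);

  // SemaBuiltinConstantArg reports success for a dependent argument without
  // setting Result; return before the range check instead of reading an
  // APSInt that was never set.
  if (Arg->isTypeDependent() || Arg->isValueDependent())
    return false;

  llvm::APSInt Result;

  // Check constant-ness first.
  if (SemaBuiltinConstantArg(TheCall, 1, Result))
    return true;

  if (Result.getSExtValue() < 0 || Result.getSExtValue() > 3) {
    return Diag(TheCall->getLocStart(), diag::err_argument_invalid_range)
             << "0" << "3" << SourceRange(Arg->getLocStart(), Arg->getLocEnd());
  }

  return false;
}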
01486 
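/// SemaBuiltinLongjmp - Handle __builtin_longjmp(void *env[5], int val).
/// This checks that val is a constant 1.
///
/// Returns true if a diagnostic was emitted.
bool Sema::SemaBuiltinLongjmp(CallExpr *TheCall) {
  Expr *Arg = TheCall->getArg(1);

  // SemaBuiltinConstantArg reports a dependent argument as fine without
  // writing Result; don't compare an unset value against 1.
  if (Arg->isTypeDependent() || Arg->isValueDependent())
    return false;

  llvm::APSInt Result;

  // TODO: This is less than ideal. Overload this to take a value.
  if (SemaBuiltinConstantArg(TheCall, 1, Result))
    return true;

  if (Result != 1)
    return Diag(TheCall->getLocStart(), diag::err_builtin_longjmp_invalid_val)
             << SourceRange(Arg->getLocStart(), Arg->getLocEnd());

  return false;
}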
01503 
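/// SemaCheckStringLiteral - Decide whether the format-string expression E can
/// be traced back to string literals, handling forms such as
/// i > 1 ? "x" : "y" recursively.
///
/// Every literal that is reached is handed to CheckFormatString, so a true
/// return means "the format string was resolved and checked", or that E is
/// one of the cases deliberately treated as safe (a null pointer constant,
/// __func__ and friends, or a format parameter forwarded to a v*printf).
/// A false return means the format string is not a literal; the caller then
/// reports it under -Wformat-nonliteral / -Wformat-security.
///
/// \param E the expression in the format-string position.
/// \param Args, NumArgs the call's argument list (no implicit 'this').
/// \param HasVAListArg true if the callee takes a va_list rather than data
///        arguments.
/// \param format_idx, firstDataArg 0-based positions within Args.
/// \param Type the format dialect the callee expects.
/// \param inFunctionCall false once the search has left the call itself
///        (e.g. followed a variable to its initializer), so diagnostics can
///        point at both the call and the string.
bool Sema::SemaCheckStringLiteral(const Expr *E, Expr **Args,
                                  unsigned NumArgs, bool HasVAListArg,
                                  unsigned format_idx, unsigned firstDataArg,
                                  FormatStringType Type, bool inFunctionCall) {
 tryAgain:
  // Nothing can be decided for a dependent expression before instantiation.
  if (E->isTypeDependent() || E->isValueDependent())
    return false;

  E = E->IgnoreParenCasts();

  if (E->isNullPointerConstant(Context, Expr::NPC_ValueDependentIsNotNull))
    // Technically -Wformat-nonliteral does not warn about this case.
    // The behavior of printf and friends in this case is implementation
    // dependent.  Ideally if the format string cannot be null then
    // it should have a 'nonnull' attribute in the function prototype.
    return true;

  switch (E->getStmtClass()) {
  case Stmt::BinaryConditionalOperatorClass:
  case Stmt::ConditionalOperatorClass: {
    // Both arms must resolve to literals; one dynamic arm makes the whole
    // expression unsafe.  Note the && short-circuits, so the false arm is
    // only examined when the true arm passed.
    const AbstractConditionalOperator *C = cast<AbstractConditionalOperator>(E);
    return SemaCheckStringLiteral(C->getTrueExpr(), Args, NumArgs, HasVAListArg,
                                  format_idx, firstDataArg, Type,
                                  inFunctionCall)
       && SemaCheckStringLiteral(C->getFalseExpr(), Args, NumArgs, HasVAListArg,
                                 format_idx, firstDataArg, Type,
                                 inFunctionCall);
  }

  case Stmt::ImplicitCastExprClass: {
    // IgnoreParenCasts above should already have stripped these; kept as a
    // safety net.
    E = cast<ImplicitCastExpr>(E)->getSubExpr();
    goto tryAgain;
  }

  case Stmt::OpaqueValueExprClass:
    // Look through to the underlying expression when one is recorded.
    if (const Expr *src = cast<OpaqueValueExpr>(E)->getSourceExpr()) {
      E = src;
      goto tryAgain;
    }
    return false;

  case Stmt::PredefinedExprClass:
    // While __func__, etc., are technically not string literals, they
    // cannot contain format specifiers and thus are not a security
    // liability.
    return true;

  case Stmt::DeclRefExprClass: {
    const DeclRefExpr *DR = cast<DeclRefExpr>(E);

    // As an exception, do not flag errors for variables binding to
    // const string literals.
    if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) {
      // A variable only qualifies if it cannot change after its initializer:
      // a const array, a const pointer to const data (a plain 'const char *'
      // could be reassigned to anything), or a const ObjC object pointer.
      bool isConstant = false;
      QualType T = DR->getType();

      if (const ArrayType *AT = Context.getAsArrayType(T)) {
        isConstant = AT->getElementType().isConstant(Context);
      } else if (const PointerType *PT = T->getAs<PointerType>()) {
        isConstant = T.isConstant(Context) &&
                     PT->getPointeeType().isConstant(Context);
      } else if (T->isObjCObjectPointerType()) {
        // In ObjC, there is usually no "const ObjectPointer" type,
        // so don't check if the pointee type is constant.
        isConstant = T.isConstant(Context);
      }

      if (isConstant) {
        if (const Expr *Init = VD->getAnyInitializer()) {
          // Look through initializers like const char c[] = { "foo" }
          if (const InitListExpr *InitList = dyn_cast<InitListExpr>(Init)) {
            if (InitList->isStringLiteralInit())
              Init = InitList->getInit(0)->IgnoreParenImpCasts();
          }
          // The string now lives at the variable's definition, not in the
          // call, hence inFunctionCall=false for the diagnostics.
          return SemaCheckStringLiteral(Init, Args, NumArgs,
                                        HasVAListArg, format_idx, firstDataArg,
                                        Type, /*inFunctionCall*/false);
        }
      }

      // For vprintf* functions (i.e., HasVAListArg==true), we add a
      // special check to see if the format string is a function parameter
      // of the function calling the printf function.  If the function
      // has an attribute indicating it is a printf-like function, then we
      // should suppress warnings concerning non-literals being used in a call
      // to a vprintf function.  For example:
      //
      // void
      // logmessage(char const *fmt __attribute__ (format (printf, 1, 2)), ...){
      //      va_list ap;
      //      va_start(ap, fmt);
      //      vprintf(fmt, ap);  // Do NOT emit a warning about "fmt".
      //      ...
      //
      // The responsibility for checking then moves to logmessage's callers,
      // which see its format attribute.
      if (HasVAListArg) {
        if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(VD)) {
          if (const NamedDecl *ND = dyn_cast<NamedDecl>(PV->getDeclContext())) {
            // Attribute indices are 1-based, and for an instance method GCC
            // counts the implicit 'this' as index 1.  Compute the adjusted
            // index once, outside the loop: doing it per attribute bumps
            // PVIndex again for every extra format attribute the method
            // carries, so only the first attribute would ever match.
            int PVIndex = PV->getFunctionScopeIndex() + 1;
            if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(ND))
              if (MD->isInstance())
                ++PVIndex;
            for (specific_attr_iterator<FormatAttr>
                 i = ND->specific_attr_begin<FormatAttr>(),
                 e = ND->specific_attr_end<FormatAttr>(); i != e ; ++i) {
              FormatAttr *PVFormat = *i;
              // We also check if the formats are compatible.
              // We can't pass a 'scanf' string to a 'printf' function.
              if (PVIndex == PVFormat->getFormatIdx() &&
                  Type == GetFormatStringType(PVFormat))
                return true;
            }
          }
        }
      }
    }

    return false;
  }

  case Stmt::CallExprClass:
  case Stmt::CXXMemberCallExprClass: {
    // A callee carrying format_arg (gettext-style wrappers) promises that its
    // result is derived from the named argument, so check that argument
    // instead.  The attribute index is 1-based and, for an instance method,
    // counts the implicit 'this', which CE->getArg() does not include.
    const CallExpr *CE = cast<CallExpr>(E);
    if (const NamedDecl *ND = dyn_cast_or_null<NamedDecl>(CE->getCalleeDecl())) {
      if (const FormatArgAttr *FA = ND->getAttr<FormatArgAttr>()) {
        unsigned ArgIndex = FA->getFormatIdx();
        if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(ND))
          if (MD->isInstance())
            --ArgIndex;
        const Expr *Arg = CE->getArg(ArgIndex - 1);

        return SemaCheckStringLiteral(Arg, Args, NumArgs, HasVAListArg,
                                      format_idx, firstDataArg, Type,
                                      inFunctionCall);
      }
    }

    return false;
  }
  case Stmt::ObjCStringLiteralClass:
  case Stmt::StringLiteralClass: {
    // Found a literal: check its conversions against the data arguments.
    const StringLiteral *StrE = NULL;

    if (const ObjCStringLiteral *ObjCFExpr = dyn_cast<ObjCStringLiteral>(E))
      StrE = ObjCFExpr->getString();
    else
      StrE = cast<StringLiteral>(E);

    if (StrE) {
      CheckFormatString(StrE, E, Args, NumArgs, HasVAListArg, format_idx,
                        firstDataArg, Type, inFunctionCall);
      return true;
    }

    return false;
  }

  default:
    // Anything else (non-const variable, arbitrary function result,
    // arithmetic, ...) is a dynamic format string.
    return false;
  }
}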
01666 
/// CheckNonNullArguments - Warn when a null pointer constant is passed in an
/// argument position the callee's nonnull attribute promises is never null.
///
/// \param NonNull the attribute; its indices are used directly to index
///        ExprArgs, so they are expected to be 0-based here.
/// \param ExprArgs the call's arguments.
/// \param CallSiteLoc location the warning is attached to.
void
Sema::CheckNonNullArguments(const NonNullAttr *NonNull,
                            const Expr * const *ExprArgs,
                            SourceLocation CallSiteLoc) {
  NonNullAttr::args_iterator It = NonNull->args_begin();
  const NonNullAttr::args_iterator End = NonNull->args_end();
  while (It != End) {
    // NOTE(review): no bound check against the number of arguments actually
    // passed; this relies on the attribute handler having rejected indices
    // beyond the callee's parameters.  Worth confirming for variadic callees.
    const Expr *Candidate = ExprArgs[*It];
    // Only an expression that is a null pointer constant is diagnosed; a
    // value-dependent one is not considered null until instantiation.
    if (Candidate->isNullPointerConstant(Context,
                                         Expr::NPC_ValueDependentIsNotNull))
      Diag(CallSiteLoc, diag::warn_null_arg) << Candidate->getSourceRange();
    ++It;
  }
}
01680 
/// GetFormatStringType - Map the archetype named in a format attribute
/// (format(printf, ...), format(scanf, ...), ...) onto the FormatStringType
/// the checkers understand.  Unrecognised archetypes become FST_Unknown.
Sema::FormatStringType Sema::GetFormatStringType(const FormatAttr *Format) {
  StringRef Kind = Format->getType();

  if (Kind == "scanf")
    return FST_Scanf;
  if (Kind == "printf" || Kind == "printf0")
    return FST_Printf;
  if (Kind == "NSString" || Kind == "CFString")
    return FST_NSString;
  if (Kind == "strftime")
    return FST_Strftime;
  if (Kind == "strfmon")
    return FST_Strfmon;
  if (Kind == "kprintf" || Kind == "cmn_err" || Kind == "vcmn_err" ||
      Kind == "zcmn_err")
    return FST_Kprintf;

  return FST_Unknown;
}
01691 
/// CheckFormatArguments - Check a call to a printf/scanf-like function (one
/// carrying a format attribute) for correct use of its format string.  This
/// overload unpacks the CallExpr and defers to the argument-array form.
void Sema::CheckFormatArguments(const FormatAttr *Format, CallExpr *TheCall) {
  // The way the format attribute works in GCC, the implicit this argument
  // of member functions is counted. However, it doesn't appear in our own
  // argument lists, so tell the callee when it has to compensate.
  const bool IsCXXMember = isa<CXXMemberCallExpr>(TheCall);
  Expr **CallArgs = TheCall->getArgs();
  const unsigned NumCallArgs = TheCall->getNumArgs();
  CheckFormatArguments(Format, CallArgs, NumCallArgs, IsCXXMember,
                       TheCall->getRParenLoc(),
                       TheCall->getCallee()->getSourceRange());
}
01704 
/// CheckFormatArguments - Translate the 1-based indices of a format attribute
/// into 0-based positions within \p Args and run the core check.
///
/// \param IsCXXMember true if Args belongs to a member call, in which case the
///        attribute indices count an implicit 'this' that Args lacks.
void Sema::CheckFormatArguments(const FormatAttr *Format, Expr **Args,
                                unsigned NumArgs, bool IsCXXMember,
                                SourceLocation Loc, SourceRange Range) {
  // format(archetype, string-index, first-to-check): a first-to-check of 0
  // marks a v*printf-style callee that takes a va_list instead of data
  // arguments.
  const unsigned AttrFirstArg = Format->getFirstArg();
  const bool HasVAListArg = (AttrFirstArg == 0);
  unsigned FormatIdx = Format->getFormatIdx() - 1;
  unsigned FirstDataArg = 0;
  if (!HasVAListArg)
    FirstDataArg = AttrFirstArg - 1;

  // GCC counts the implicit 'this' of a member function as argument 1, but
  // Args does not contain it, so shift both positions down by one.
  if (IsCXXMember) {
    // Index 1 on a member function names 'this' itself: nothing to check.
    if (FormatIdx == 0)
      return;
    --FormatIdx;
    if (FirstDataArg != 0)
      --FirstDataArg;
  }

  CheckFormatArguments(Args, NumArgs, HasVAListArg, FormatIdx, FirstDataArg,
                       GetFormatStringType(Format), Loc, Range);
}
01721 
/// CheckFormatArguments - Core of the format-string check, shared by the
/// attribute-driven overloads: locate the format string in \p Args, verify it
/// is (or resolves to) a string literal, and warn if it is not.  Checking a
/// literal's conversions against the data arguments happens inside
/// SemaCheckStringLiteral.
///
/// \param format_idx 0-based position of the format string in Args.
/// \param firstDataArg 0-based position of the first data argument (0 when
///        HasVAListArg).
/// \param Loc, Range where a missing format string is reported.
void Sema::CheckFormatArguments(Expr **Args, unsigned NumArgs,
                                bool HasVAListArg, unsigned format_idx,
                                unsigned firstDataArg, FormatStringType Type,
                                SourceLocation Loc, SourceRange Range) {
  // CHECK: printf/scanf-like function is called with no format string.
  if (format_idx >= NumArgs) {
    Diag(Loc, diag::warn_missing_format_string) << Range;
    return;
  }

  Expr *FormatArg = Args[format_idx];
  const Expr *OrigFormatExpr = FormatArg->IgnoreParenCasts();

  // CHECK: format string is not a string literal.
  //
  // A format string assembled at run time cannot be vetted at compile time.
  // Insisting on string literals both lets the compiler check the
  // conversions and, in practice, removes the source of most format-string
  // exploits (attacker-supplied "%n", "%s" and friends).  ObjC @"..."
  // literals use the same conversions as C strings, so one checker serves
  // both.
  if (SemaCheckStringLiteral(OrigFormatExpr, Args, NumArgs, HasVAListArg,
                             format_idx, firstDataArg, Type))
    return;  // Literal format string found and checked.

  // strftime always consumes a single 'time' argument, so a non-literal
  // format cannot desynchronise it from its arguments.
  if (Type == FST_Strftime)
    return;

  // Hack: NSLocalizedString / CFCopyLocalizedString expand to a non-literal
  // where an NS/CF string literal would normally sit; don't flag NSString
  // formats that come out of a system macro.
  if (Type == FST_NSString &&
      SourceMgr.isInSystemMacro(FormatArg->getLocStart()))
    return;

  // A non-literal with no data arguments at all is the classic
  // printf(user_string) shape and is reported under -Wformat-security;
  // with data arguments present it is only reported under
  // -Wformat-nonliteral.
  const bool NoDataArgs = (NumArgs == format_idx + 1);
  const unsigned DiagID = NoDataArgs ? diag::warn_format_nonliteral_noargs
                                     : diag::warn_format_nonliteral;
  Diag(FormatArg->getLocStart(), DiagID) << OrigFormatExpr->getSourceRange();
}
01774 
namespace {
/// CheckFormatHandler - Base class for the format-string checkers.  It is the
/// callback object the format-string parser (analyze_format_string) drives
/// while walking the bytes of one string literal: each Handle* method turns a
/// parse event into a diagnostic, and DoneProcessing() runs afterwards to
/// report data arguments that no conversion consumed.
class CheckFormatHandler : public analyze_format_string::FormatStringHandler {
protected:
  Sema &S;                       // Diagnostics and ASTContext come from here.
  const StringLiteral *FExpr;    // The literal whose bytes are being parsed.
  const Expr *OrigFormatExpr;    // The format expression as written; used for
                                 // source ranges in diagnostics.
  const unsigned FirstDataArg;   // Index in Args of the first data argument.
  const unsigned NumDataArgs;    // Number of data arguments from there on.
  const bool IsObjCLiteral;      // Format is an @"..." literal (exempt from
                                 // the embedded-NUL warning).
  const char *Beg; // Start of format string.  Specifier pointers handed to
                   // the Handle* methods are offsets from here; see
                   // getLocationOfByte().
  const bool HasVAListArg;       // Callee takes a va_list, so no data
                                 // arguments are available to check.
  const Expr * const *Args;      // The call's full argument list ...
  const unsigned NumArgs;        // ... and its length.
  unsigned FormatIdx;            // Index in Args of the format string.
  llvm::BitVector CoveredArgs;   // One bit per data argument, set once a
                                 // conversion consumes it; DoneProcessing()
                                 // reports the first clear bit.
  bool usesPositionalArgs;       // Parser state (presumably: a '%N$' form was
  bool atFirstArg;               // seen / no argument consumed yet); only
                                 // initialised in this class.
  bool inFunctionCall;           // False when the literal was found away from
                                 // the call (e.g. a variable initializer);
                                 // see EmitFormatDiagnostic().
public:
  // CoveredArgs starts with all numDataArgs bits clear.
  CheckFormatHandler(Sema &s, const StringLiteral *fexpr,
                     const Expr *origFormatExpr, unsigned firstDataArg,
                     unsigned numDataArgs, bool isObjCLiteral,
                     const char *beg, bool hasVAListArg,
                     Expr **args, unsigned numArgs,
                     unsigned formatIdx, bool inFunctionCall)
    : S(s), FExpr(fexpr), OrigFormatExpr(origFormatExpr),
      FirstDataArg(firstDataArg),
      NumDataArgs(numDataArgs),
      IsObjCLiteral(isObjCLiteral), Beg(beg),
      HasVAListArg(hasVAListArg),
      Args(args), NumArgs(numArgs), FormatIdx(formatIdx),
      usesPositionalArgs(false), atFirstArg(true),
      inFunctionCall(inFunctionCall) {
        CoveredArgs.resize(numDataArgs);
        CoveredArgs.reset();
      }

  /// Called after the whole string has been parsed; reports the first data
  /// argument no conversion used (non-va_list callees only).
  void DoneProcessing();

  /// A '%' that is not followed by a complete conversion specification.
  void HandleIncompleteSpecifier(const char *startSpecifier,
                                 unsigned specifierLen);

  /// Length modifier / conversion specifier / their combination is not ISO C.
  void HandleNonStandardLengthModifier(
      const analyze_format_string::LengthModifier &LM,
      const char *startSpecifier, unsigned specifierLen);

  void HandleNonStandardConversionSpecifier(
      const analyze_format_string::ConversionSpecifier &CS,
      const char *startSpecifier, unsigned specifierLen);

  void HandleNonStandardConversionSpecification(
      const analyze_format_string::LengthModifier &LM,
      const analyze_format_string::ConversionSpecifier &CS,
      const char *startSpecifier, unsigned specifierLen);

  /// Positional ('%N$') argument handling: non-standard, malformed, or zero.
  virtual void HandlePosition(const char *startPos, unsigned posLen);

  virtual void HandleInvalidPosition(const char *startSpecifier,
                                     unsigned specifierLen,
                                     analyze_format_string::PositionContext p);

  virtual void HandleZeroPosition(const char *startPos, unsigned posLen);

  /// An embedded NUL byte inside the literal.
  void HandleNullChar(const char *nullCharacter);

  /// Emit a diagnostic at the right place(s); see the definition below for
  /// the meaning of each parameter.
  template <typename Range>
  static void EmitFormatDiagnostic(Sema &S, bool inFunctionCall,
                                   const Expr *ArgumentExpr,
                                   PartialDiagnostic PDiag,
                                   SourceLocation StringLoc,
                                   bool IsStringLocation, Range StringRange,
                                   FixItHint Fixit = FixItHint());

protected:
  /// Report an unknown conversion character.  Returns whether parsing should
  /// continue (false once argIndex is past the data arguments).
  bool HandleInvalidConversionSpecifier(unsigned argIndex, SourceLocation Loc,
                                        const char *startSpec,
                                        unsigned specifierLen,
                                        const char *csStart, unsigned csLen);

  /// Positional and non-positional specifiers mixed in one string.
  void HandlePositionalNonpositionalArgs(SourceLocation Loc,
                                         const char *startSpec,
                                         unsigned specifierLen);
  
  // Source-location helpers for pieces of the literal.
  SourceRange getFormatStringRange();
  CharSourceRange getSpecifierRange(const char *startSpecifier,
                                    unsigned specifierLen);
  SourceLocation getLocationOfByte(const char *x);

  /// The i-th data argument (0-based from FirstDataArg).  No bound check.
  const Expr *getDataArg(unsigned i) const;
  
  /// Returns false (after warning) if argIndex names a data argument the
  /// call does not supply.
  bool CheckNumArgs(const analyze_format_string::FormatSpecifier &FS,
                    const analyze_format_string::ConversionSpecifier &CS,
                    const char *startSpecifier, unsigned specifierLen,
                    unsigned argIndex);

  /// Convenience form of the static EmitFormatDiagnostic using this
  /// handler's Sema, inFunctionCall flag and format argument.
  template <typename Range>
  void EmitFormatDiagnostic(PartialDiagnostic PDiag, SourceLocation StringLoc,
                            bool IsStringLocation, Range StringRange,
                            FixItHint Fixit = FixItHint());

  void CheckPositionalAndNonpositionalArgs(
      const analyze_format_string::FormatSpecifier *FS);
};
}
01879 
/// getFormatStringRange - Source range of the original format-string
/// expression (the one recorded as OrigFormatExpr).
SourceRange CheckFormatHandler::getFormatStringRange() {
  const Expr *FormatExpr = OrigFormatExpr;
  return FormatExpr->getSourceRange();
}
01883 
/// getSpecifierRange - Character range covering one conversion specification
/// inside the literal.  Assumes specifierLen >= 1: a zero length would point
/// one byte before the specifier.
CharSourceRange CheckFormatHandler::
getSpecifierRange(const char *startSpecifier, unsigned specifierLen) {
  // Map the first and last byte back into the literal, then widen the end by
  // one so the result is a half-open character range.
  const char *lastByte = startSpecifier + specifierLen - 1;
  SourceLocation Begin = getLocationOfByte(startSpecifier);
  SourceLocation End = getLocationOfByte(lastByte).getLocWithOffset(1);
  return CharSourceRange::getCharRange(Begin, End);
}
01894 
/// getLocationOfByte - Location of byte \p x of the literal.  Beg is the first
/// byte of the literal's contents, so x - Beg is the byte offset Sema needs.
SourceLocation CheckFormatHandler::getLocationOfByte(const char *x) {
  const unsigned byteOffset = x - Beg;
  return S.getLocationOfStringLiteralByte(FExpr, byteOffset);
}
01898 
/// HandleIncompleteSpecifier - A '%' not followed by a complete conversion
/// specification (such as one cut off by the end of the string).
void CheckFormatHandler::HandleIncompleteSpecifier(const char *startSpecifier,
                                                   unsigned specifierLen){
  SourceLocation SpecLoc = getLocationOfByte(startSpecifier);
  CharSourceRange SpecRange = getSpecifierRange(startSpecifier, specifierLen);
  EmitFormatDiagnostic(S.PDiag(diag::warn_printf_incomplete_specifier),
                       SpecLoc, /*IsStringLocation*/true, SpecRange);
}
01906 
/// HandleNonStandardLengthModifier - Length modifier \p LM is not ISO C.
void CheckFormatHandler::HandleNonStandardLengthModifier(
    const analyze_format_string::LengthModifier &LM,
    const char *startSpecifier, unsigned specifierLen) {
  // warn_format_non_standard takes the offending text and a selector; 0 picks
  // the length-modifier wording (1 is used for conversion specifiers).
  PartialDiagnostic PD = S.PDiag(diag::warn_format_non_standard);
  PD << LM.toString() << 0;
  EmitFormatDiagnostic(PD, getLocationOfByte(LM.getStart()),
                       /*IsStringLocation*/true,
                       getSpecifierRange(startSpecifier, specifierLen));
}
01916 
/// HandleNonStandardConversionSpecifier - Conversion specifier \p CS is not
/// ISO C.
void CheckFormatHandler::HandleNonStandardConversionSpecifier(
    const analyze_format_string::ConversionSpecifier &CS,
    const char *startSpecifier, unsigned specifierLen) {
  // Selector 1 picks the conversion-specifier wording of the diagnostic.
  PartialDiagnostic PD = S.PDiag(diag::warn_format_non_standard);
  PD << CS.toString() << 1;
  EmitFormatDiagnostic(PD, getLocationOfByte(CS.getStart()),
                       /*IsStringLocation*/true,
                       getSpecifierRange(startSpecifier, specifierLen));
}
01926 
/// HandleNonStandardConversionSpecification - The combination of length
/// modifier \p LM with conversion \p CS is not ISO C, even if each is.
void CheckFormatHandler::HandleNonStandardConversionSpecification(
    const analyze_format_string::LengthModifier &LM,
    const analyze_format_string::ConversionSpecifier &CS,
    const char *startSpecifier, unsigned specifierLen) {
  PartialDiagnostic PD =
    S.PDiag(diag::warn_format_non_standard_conversion_spec);
  PD << LM.toString() << CS.toString();
  // Point at the length modifier, which is where the combination starts.
  EmitFormatDiagnostic(PD, getLocationOfByte(LM.getStart()),
                       /*IsStringLocation*/true,
                       getSpecifierRange(startSpecifier, specifierLen));
}
01937 
/// HandlePosition - A positional ('%N$') argument reference; reported as a
/// non-standard construct.
void CheckFormatHandler::HandlePosition(const char *startPos,
                                        unsigned posLen) {
  SourceLocation PosLoc = getLocationOfByte(startPos);
  EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard_positional_arg),
                       PosLoc, /*IsStringLocation*/true,
                       getSpecifierRange(startPos, posLen));
}
01945 
/// HandleInvalidPosition - A malformed positional specifier; \p p says in
/// which part of the specification it appeared and selects the wording.
void
CheckFormatHandler::HandleInvalidPosition(const char *startPos, unsigned posLen,
                                     analyze_format_string::PositionContext p) {
  PartialDiagnostic PD =
    S.PDiag(diag::warn_format_invalid_positional_specifier);
  PD << (unsigned) p;
  EmitFormatDiagnostic(PD, getLocationOfByte(startPos),
                       /*IsStringLocation*/true,
                       getSpecifierRange(startPos, posLen));
}
01954 
/// HandleZeroPosition - A positional specifier of '%0$', which names no
/// argument (positions start at 1).
void CheckFormatHandler::HandleZeroPosition(const char *startPos,
                                            unsigned posLen) {
  SourceLocation PosLoc = getLocationOfByte(startPos);
  EmitFormatDiagnostic(S.PDiag(diag::warn_format_zero_positional_specifier),
                       PosLoc, /*IsStringLocation*/true,
                       getSpecifierRange(startPos, posLen));
}
01962 
/// HandleNullChar - An embedded NUL byte inside the literal.  For a C string
/// the callee stops reading there, so everything after it is silently dead;
/// that is almost certainly a mistake.  ObjC @"..." literals are exempt.
void CheckFormatHandler::HandleNullChar(const char *nullCharacter) {
  if (IsObjCLiteral)
    return;
  EmitFormatDiagnostic(
    S.PDiag(diag::warn_printf_format_string_contains_null_char),
    getLocationOfByte(nullCharacter), /*IsStringLocation*/true,
    getFormatStringRange());
}
01972 
/// getDataArg - The i-th data argument (0-based).  Data arguments begin at
/// FirstDataArg in the call's argument list.  There is no bound check here;
/// the callers in this file compare i against NumDataArgs first.
const Expr *CheckFormatHandler::getDataArg(unsigned i) const {
  const unsigned argPos = FirstDataArg + i;
  return Args[argPos];
}
01976 
/// DoneProcessing - Called once the whole format string has been parsed.
/// Reports the first data argument that no conversion consumed.
void CheckFormatHandler::DoneProcessing() {
  // With a va_list callee the data arguments are not visible here, so there
  // is nothing to cross-check.
  if (HasVAListArg)
    return;

  // Does the number of data arguments exceed the number of format
  // conversions?  Invert the coverage map so the first set bit is the first
  // data argument nothing consumed.
  CoveredArgs.flip();
  const int firstUnused = CoveredArgs.find_first();
  if (firstUnused < 0)
    return;

  assert((unsigned)firstUnused < NumDataArgs);
  SourceLocation ArgLoc = getDataArg((unsigned)firstUnused)->getLocStart();
  // Don't complain about an argument produced by a system macro expansion.
  if (S.getSourceManager().isInSystemMacro(ArgLoc))
    return;
  EmitFormatDiagnostic(S.PDiag(diag::warn_printf_data_arg_not_used), ArgLoc,
                       /*IsStringLocation*/false, getFormatStringRange());
}
01995 
/// HandleInvalidConversionSpecifier - Report an unknown conversion character
/// (\p csStart / \p csLen) found at \p Loc.
///
/// Returns whether the parser should keep going.
bool
CheckFormatHandler::HandleInvalidConversionSpecifier(unsigned argIndex,
                                                     SourceLocation Loc,
                                                     const char *startSpec,
                                                     unsigned specifierLen,
                                                     const char *csStart,
                                                     unsigned csLen) {
  // An unknown conversion still consumes its argument slot, so mark it
  // covered rather than reporting it as unused later.  Once argIndex runs
  // past the data arguments, stop parsing: further matching would only yield
  // a cascade of nonsense warnings (and the user may have meant '%%').
  const bool withinDataArgs = (argIndex < NumDataArgs);
  if (withinDataArgs)
    CoveredArgs.set(argIndex);

  EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_conversion)
                         << StringRef(csStart, csLen),
                       Loc, /*IsStringLocation*/true,
                       getSpecifierRange(startSpec, specifierLen));

  return withinDataArgs;
}
02026 
/// HandlePositionalNonpositionalArgs - The string mixes positional ('%N$') and
/// ordinary specifiers, which leaves the argument order ambiguous.
void
CheckFormatHandler::HandlePositionalNonpositionalArgs(SourceLocation Loc,
                                                      const char *startSpec,
                                                      unsigned specifierLen) {
  PartialDiagnostic PD =
    S.PDiag(diag::warn_format_mix_positional_nonpositional_args);
  EmitFormatDiagnostic(PD, Loc, /*IsStringLocation*/true,
                       getSpecifierRange(startSpec, specifierLen));
}
02035 
/// CheckNumArgs - Verify that conversion \p CS (argument \p argIndex) has a
/// data argument to consume.  A conversion that reads past the supplied
/// arguments makes the callee pull garbage off the stack at run time.
///
/// Returns true if the argument exists; false after emitting a warning.
bool
CheckFormatHandler::CheckNumArgs(
  const analyze_format_string::FormatSpecifier &FS,
  const analyze_format_string::ConversionSpecifier &CS,
  const char *startSpecifier, unsigned specifierLen, unsigned argIndex) {

  if (argIndex < NumDataArgs)
    return true;

  // A positional specifier can name the offending argument number; the
  // plain form just says there are not enough.
  const bool Positional = FS.usesPositionalArg();
  const unsigned DiagID = Positional
    ? diag::warn_printf_positional_arg_exceeds_data_args
    : diag::warn_printf_insufficient_data_args;
  PartialDiagnostic PD = S.PDiag(DiagID);
  if (Positional)
    PD << (argIndex + 1) << NumDataArgs;

  EmitFormatDiagnostic(PD, getLocationOfByte(CS.getStart()),
                       /*IsStringLocation*/true,
                       getSpecifierRange(startSpecifier, specifierLen));
  return false;
}
02054 
/// EmitFormatDiagnostic - Member convenience form: forwards to the static
/// overload with this handler's Sema, inFunctionCall flag and the call's
/// format-string argument.
template<typename Range>
void CheckFormatHandler::EmitFormatDiagnostic(PartialDiagnostic PDiag,
                                              SourceLocation Loc,
                                              bool IsStringLocation,
                                              Range StringRange,
                                              FixItHint FixIt) {
  const Expr *FormatArgument = Args[FormatIdx];
  EmitFormatDiagnostic(S, inFunctionCall, FormatArgument, PDiag, Loc,
                       IsStringLocation, StringRange, FixIt);
}
02064 
/// \brief Emit a format diagnostic, adding a note that points at the string
/// when the format string is not within the function call itself, so that
/// both the call and the string appear in the output.
///
/// \param S the Sema to emit through.
///
/// \param InFunctionCall if true, the format string is written inside the
/// call and a single diagnostic at \p Loc suffices.  Otherwise the primary
/// diagnostic goes on the call's argument and a note_format_string_defined
/// note goes on the string.
///
/// \param ArgumentExpr the expression passed in the format-string position of
/// the call; supplies locations for the two-diagnostic case.
///
/// \param PDiag the diagnostic, already loaded with any string arguments by
/// the caller; only locations, ranges and fix-its are added here.
///
/// \param Loc primary location.  With two diagnostics, one is placed at Loc
/// and the other at a location taken from ArgumentExpr or StringRange.
///
/// \param IsStringLocation true if Loc points into the format string (it then
/// goes on the note); false if Loc points into the argument list (it then
/// goes on the primary diagnostic).
///
/// \param StringRange some or all of the string to highlight.  Templated so
/// either a CharSourceRange or a SourceRange can be passed.
///
/// \param FixIt optional fix-it hint for the format string.
template<typename Range>
void CheckFormatHandler::EmitFormatDiagnostic(Sema &S, bool InFunctionCall,
                                              const Expr *ArgumentExpr,
                                              PartialDiagnostic PDiag,
                                              SourceLocation Loc,
                                              bool IsStringLocation,
                                              Range StringRange,
                                              FixItHint FixIt) {
  if (InFunctionCall) {
    S.Diag(Loc, PDiag) << StringRange << FixIt;
    return;
  }

  // Two diagnostics: the warning at the call, then a note at the string.
  // Which of them receives Loc depends on what Loc points at.
  SourceLocation PrimaryLoc = Loc;
  SourceLocation NoteLoc = StringRange.getBegin();
  if (IsStringLocation) {
    PrimaryLoc = ArgumentExpr->getExprLoc();
    NoteLoc = Loc;
  }
  S.Diag(PrimaryLoc, PDiag) << ArgumentExpr->getSourceRange();
  S.Diag(NoteLoc, diag::note_format_string_defined) << StringRange << FixIt;
}
02110 
02111 //===--- CHECK: Printf format string checking ------------------------------===//
02112 
namespace {
/// CheckPrintfHandler - The printf-family checker: receives each parsed
/// printf conversion specification from analyze_printf and validates its
/// flags, width/precision amounts and conversion against the data arguments.
/// Constructor arguments are passed straight through to CheckFormatHandler.
class CheckPrintfHandler : public CheckFormatHandler {
public:
  CheckPrintfHandler(Sema &s, const StringLiteral *fexpr,
                     const Expr *origFormatExpr, unsigned firstDataArg,
                     unsigned numDataArgs, bool isObjCLiteral,
                     const char *beg, bool hasVAListArg,
                     Expr **Args, unsigned NumArgs,
                     unsigned formatIdx, bool inFunctionCall)
  : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg,
                       numDataArgs, isObjCLiteral, beg, hasVAListArg,
                       Args, NumArgs, formatIdx, inFunctionCall) {}
  
  
  /// Unknown conversion character; returns whether parsing should continue.
  bool HandleInvalidPrintfConversionSpecifier(
                                      const analyze_printf::PrintfSpecifier &FS,
                                      const char *startSpecifier,
                                      unsigned specifierLen);
  
  /// One complete, syntactically valid conversion specification.
  bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS,
                             const char *startSpecifier,
                             unsigned specifierLen);
  
  /// A width or precision (\p k selects which); a '*' amount consumes a data
  /// argument, which must be an int.  Returns whether parsing should continue.
  bool HandleAmount(const analyze_format_string::OptionalAmount &Amt, unsigned k,
                    const char *startSpecifier, unsigned specifierLen);
  /// An amount that is not valid for the conversion (\p type selects the
  /// wording).
  void HandleInvalidAmount(const analyze_printf::PrintfSpecifier &FS,
                           const analyze_printf::OptionalAmount &Amt,
                           unsigned type,
                           const char *startSpecifier, unsigned specifierLen);
  /// A flag that does not apply to the conversion.
  void HandleFlag(const analyze_printf::PrintfSpecifier &FS,
                  const analyze_printf::OptionalFlag &flag,
                  const char *startSpecifier, unsigned specifierLen);
  /// A flag (\p ignoredFlag) that another flag (\p flag) overrides.
  void HandleIgnoredFlag(const analyze_printf::PrintfSpecifier &FS,
                         const analyze_printf::OptionalFlag &ignoredFlag,
                         const analyze_printf::OptionalFlag &flag,
                         const char *startSpecifier, unsigned specifierLen);
};  
}
02151 
/// HandleInvalidPrintfConversionSpecifier - Unpack the printf-specific
/// specifier and hand the generic handler the location and text of the bad
/// conversion character(s).  Returns whether parsing should continue.
bool CheckPrintfHandler::HandleInvalidPrintfConversionSpecifier(
                                      const analyze_printf::PrintfSpecifier &FS,
                                      const char *startSpecifier,
                                      unsigned specifierLen) {
  const analyze_printf::PrintfConversionSpecifier &Conv =
    FS.getConversionSpecifier();
  const char *convStart = Conv.getStart();
  const SourceLocation ConvLoc = getLocationOfByte(convStart);
  return HandleInvalidConversionSpecifier(FS.getArgIndex(), ConvLoc,
                                          startSpecifier, specifierLen,
                                          convStart, Conv.getLength());
}
02164 
/// Check a '*' field width or precision against its data argument.
///
/// A width/precision given as '*' consumes an 'int' data argument.  This
/// verifies that such an argument exists and that its type matches; a
/// constant or absent amount needs no checking.  When the callee takes a
/// va_list the data arguments are not visible and nothing is checked.
///
/// \param Amt            The parsed field width or precision.
/// \param k              Which amount this is: 0 for field width, 1 for
///                       precision (selects the wording of the diagnostic).
/// \param startSpecifier Pointer to the '%' that starts the specifier.
/// \param specifierLen   Length of the whole specifier in bytes.
/// \return false after emitting a diagnostic, so the caller stops checking
///         this specifier rather than piling on follow-on errors; true
///         otherwise.
bool CheckPrintfHandler::HandleAmount(
                               const analyze_format_string::OptionalAmount &Amt,
                               unsigned k, const char *startSpecifier,
                               unsigned specifierLen) {
  // Nothing to verify unless a '*' pulls in a data argument we can see.
  if (!Amt.hasDataArgument() || HasVAListArg)
    return true;

  const unsigned argIndex = Amt.getArgIndex();
  if (argIndex >= NumDataArgs) {
    EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_missing_arg)
                           << k,
                         getLocationOfByte(Amt.getStart()),
                         /*IsStringLocation*/true,
                         getSpecifierRange(startSpecifier, specifierLen));
    // Don't do any more checking.  We will just emit
    // spurious errors.
    return false;
  }

  // Type check the data argument.  It should be an 'int'.
  // Although not in conformance with C99, we also allow the argument to be
  // an 'unsigned int' as that is a reasonably safe case.  GCC also
  // doesn't emit a warning for that case.
  CoveredArgs.set(argIndex);
  const Expr *Arg = getDataArg(argIndex);
  QualType ArgTy = Arg->getType();

  const analyze_printf::ArgTypeResult &Wanted = Amt.getArgType(S.Context);
  assert(Wanted.isValid());

  if (Wanted.matchesType(S.Context, ArgTy))
    return true;

  EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_wrong_type)
                         << k << Wanted.getRepresentativeTypeName(S.Context)
                         << ArgTy << Arg->getSourceRange(),
                       getLocationOfByte(Amt.getStart()),
                       /*IsStringLocation*/true,
                       getSpecifierRange(startSpecifier, specifierLen));
  // Don't do any more checking.  We will just emit
  // spurious errors.
  return false;
}
02210 
/// Warn about a field width or precision that makes no sense for the
/// conversion specifier it is attached to.
///
/// \param FS             The parsed specifier.
/// \param Amt            The offending width or precision.
/// \param type           0 for field width, 1 for precision (diagnostic
///                       wording).
/// \param startSpecifier Pointer to the '%' that starts the specifier.
/// \param specifierLen   Length of the whole specifier in bytes.
void CheckPrintfHandler::HandleInvalidAmount(
                                      const analyze_printf::PrintfSpecifier &FS,
                                      const analyze_printf::OptionalAmount &Amt,
                                      unsigned type,
                                      const char *startSpecifier,
                                      unsigned specifierLen) {
  const analyze_printf::PrintfConversionSpecifier &Conv =
    FS.getConversionSpecifier();

  // A literal amount can simply be deleted; any other way of giving it gets
  // no fix-it at all.
  FixItHint Removal;
  if (Amt.getHowSpecified() == analyze_printf::OptionalAmount::Constant) {
    const CharSourceRange &AmtRange =
      getSpecifierRange(Amt.getStart(), Amt.getConstantLength());
    Removal = FixItHint::CreateRemoval(AmtRange);
  }

  EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_optional_amount)
                         << type << Conv.toString(),
                       getLocationOfByte(Amt.getStart()),
                       /*IsStringLocation*/true,
                       getSpecifierRange(startSpecifier, specifierLen),
                       Removal);
}
02233 
/// Warn about a flag that has no effect on the given conversion specifier,
/// offering to delete the single flag character.
///
/// \param FS             The parsed specifier.
/// \param flag           The pointless flag (its position is inside the
///                       literal).
/// \param startSpecifier Pointer to the '%' that starts the specifier.
/// \param specifierLen   Length of the whole specifier in bytes.
void CheckPrintfHandler::HandleFlag(const analyze_printf::PrintfSpecifier &FS,
                                    const analyze_printf::OptionalFlag &flag,
                                    const char *startSpecifier,
                                    unsigned specifierLen) {
  // Warn about pointless flag with a fixit removal.
  const analyze_printf::PrintfConversionSpecifier &Conv =
    FS.getConversionSpecifier();
  const char *FlagPos = flag.getPosition();
  const CharSourceRange &FlagRange = getSpecifierRange(FlagPos, 1);
  const CharSourceRange &SpecRange =
    getSpecifierRange(startSpecifier, specifierLen);

  EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_flag)
                         << flag.toString() << Conv.toString(),
                       getLocationOfByte(FlagPos),
                       /*IsStringLocation*/true,
                       SpecRange,
                       FixItHint::CreateRemoval(FlagRange));
}
02249 
/// Warn that one flag is overridden by another flag in the same specifier,
/// offering to delete the ignored one.
///
/// \param FS             The parsed specifier.
/// \param ignoredFlag    The flag that has no effect.
/// \param flag           The flag that makes it ineffective.
/// \param startSpecifier Pointer to the '%' that starts the specifier.
/// \param specifierLen   Length of the whole specifier in bytes.
void CheckPrintfHandler::HandleIgnoredFlag(
                                const analyze_printf::PrintfSpecifier &FS,
                                const analyze_printf::OptionalFlag &ignoredFlag,
                                const analyze_printf::OptionalFlag &flag,
                                const char *startSpecifier,
                                unsigned specifierLen) {
  // Warn about ignored flag with a fixit removal.
  const char *IgnoredPos = ignoredFlag.getPosition();
  const CharSourceRange &IgnoredRange = getSpecifierRange(IgnoredPos, 1);
  const CharSourceRange &SpecRange =
    getSpecifierRange(startSpecifier, specifierLen);

  EmitFormatDiagnostic(S.PDiag(diag::warn_printf_ignored_flag)
                         << ignoredFlag.toString() << flag.toString(),
                       getLocationOfByte(IgnoredPos),
                       /*IsStringLocation*/true,
                       SpecRange,
                       FixItHint::CreateRemoval(IgnoredRange));
}
02265 
/// Validate one parsed printf conversion specification against the call.
///
/// Called back by the format-string parser for every '%...' specifier.  In
/// order it: tracks whether positional ('%1$d') and non-positional
/// specifiers are being mixed, checks '*' field width / precision arguments,
/// marks the specifier's own data argument as consumed, then diagnoses
/// ObjC-only conversions in plain C literals, nonsensical widths, precisions,
/// flags and length modifiers, non-standard combinations, '%n', and finally
/// the type of the matching data argument.
///
/// \param FS             The parsed specifier.
/// \param startSpecifier Pointer to the '%' that starts it in the literal.
/// \param specifierLen   Length of the whole specifier in bytes.
/// \return false to stop parsing the rest of the format string (used where
///         continuing would only produce follow-on diagnostics), true to
///         keep going.
bool
CheckPrintfHandler::HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier
                                            &FS,
                                          const char *startSpecifier,
                                          unsigned specifierLen) {

  using namespace analyze_format_string;
  using namespace analyze_printf;  
  const PrintfConversionSpecifier &CS = FS.getConversionSpecifier();

  // Positional vs. non-positional style is decided by the first specifier
  // that consumes an argument; every later one must agree with it.
  if (FS.consumesDataArgument()) {
    if (atFirstArg) {
        atFirstArg = false;
        usesPositionalArgs = FS.usesPositionalArg();
    }
    else if (usesPositionalArgs != FS.usesPositionalArg()) {
      HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()),
                                        startSpecifier, specifierLen);
      return false;
    }
  }

  // First check if the field width, precision, and conversion specifier
  // have matching data arguments.
  if (!HandleAmount(FS.getFieldWidth(), /* field width */ 0,
                    startSpecifier, specifierLen)) {
    return false;
  }

  if (!HandleAmount(FS.getPrecision(), /* precision */ 1,
                    startSpecifier, specifierLen)) {
    return false;
  }

  if (!CS.consumesDataArgument()) {
    // FIXME: Technically specifying a precision or field width here
    // makes no sense.  Worth issuing a warning at some point.
    return true;
  }

  // Consume the argument.
  unsigned argIndex = FS.getArgIndex();
  if (argIndex < NumDataArgs) {
    // The check to see if the argIndex is valid will come later.
    // We set the bit here because we may exit early from this
    // function if we encounter some other error.
    CoveredArgs.set(argIndex);
  }

  // Check for using an Objective-C specific conversion specifier
  // in a non-ObjC literal.
  if (!IsObjCLiteral && CS.isObjCArg()) {
    return HandleInvalidPrintfConversionSpecifier(FS, startSpecifier,
                                                  specifierLen);
  }

  // Check for invalid use of field width
  if (!FS.hasValidFieldWidth()) {
    HandleInvalidAmount(FS, FS.getFieldWidth(), /* field width */ 0,
        startSpecifier, specifierLen);
  }

  // Check for invalid use of precision
  if (!FS.hasValidPrecision()) {
    HandleInvalidAmount(FS, FS.getPrecision(), /* precision */ 1,
        startSpecifier, specifierLen);
  }

  // Check each flag does not conflict with any other component.
  // Each of these is a warning only; checking continues afterwards.
  if (!FS.hasValidThousandsGroupingPrefix())
    HandleFlag(FS, FS.hasThousandsGrouping(), startSpecifier, specifierLen);
  if (!FS.hasValidLeadingZeros())
    HandleFlag(FS, FS.hasLeadingZeros(), startSpecifier, specifierLen);
  if (!FS.hasValidPlusPrefix())
    HandleFlag(FS, FS.hasPlusPrefix(), startSpecifier, specifierLen);
  if (!FS.hasValidSpacePrefix())
    HandleFlag(FS, FS.hasSpacePrefix(), startSpecifier, specifierLen);
  if (!FS.hasValidAlternativeForm())
    HandleFlag(FS, FS.hasAlternativeForm(), startSpecifier, specifierLen);
  if (!FS.hasValidLeftJustified())
    HandleFlag(FS, FS.isLeftJustified(), startSpecifier, specifierLen);

  // Check that flags are not ignored by another flag
  if (FS.hasSpacePrefix() && FS.hasPlusPrefix()) // ' ' ignored by '+'
    HandleIgnoredFlag(FS, FS.hasSpacePrefix(), FS.hasPlusPrefix(),
        startSpecifier, specifierLen);
  if (FS.hasLeadingZeros() && FS.isLeftJustified()) // '0' ignored by '-'
    HandleIgnoredFlag(FS, FS.hasLeadingZeros(), FS.isLeftJustified(),
            startSpecifier, specifierLen);

  // Check the length modifier is valid with the given conversion specifier.
  // The fix-it removes just the modifier characters, not the whole specifier.
  const LengthModifier &LM = FS.getLengthModifier();
  if (!FS.hasValidLengthModifier())
    EmitFormatDiagnostic(S.PDiag(diag::warn_format_nonsensical_length)
                           << LM.toString() << CS.toString(),
                         getLocationOfByte(LM.getStart()),
                         /*IsStringLocation*/true,
                         getSpecifierRange(startSpecifier, specifierLen),
                         FixItHint::CreateRemoval(
                           getSpecifierRange(LM.getStart(),
                                             LM.getLength())));
  if (!FS.hasStandardLengthModifier())
    HandleNonStandardLengthModifier(LM, startSpecifier, specifierLen);
  if (!FS.hasStandardConversionSpecifier(S.getLangOpts()))
    HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen);
  if (!FS.hasStandardLengthConversionCombination())
    HandleNonStandardConversionSpecification(LM, CS, startSpecifier,
                                             specifierLen);

  // Are we using '%n'?
  if (CS.getKind() == ConversionSpecifier::nArg) {
    // Issue a warning about this being a possible security issue.  '%n'
    // stores the count of bytes written so far through its pointer argument,
    // so it turns a format string that is not fully under the program's
    // control into a memory write; it is warned about unconditionally,
    // independent of the data arguments.
    EmitFormatDiagnostic(S.PDiag(diag::warn_printf_write_back),
                         getLocationOfByte(CS.getStart()),
                         /*IsStringLocation*/true,
                         getSpecifierRange(startSpecifier, specifierLen));
    // Continue checking the other format specifiers.
    return true;
  }

  // The remaining checks depend on the data arguments.
  if (HasVAListArg)
    return true;

  if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex))
    return false;

  // Now type check the data expression that matches the
  // format specifier.
  const Expr *Ex = getDataArg(argIndex);
  const analyze_printf::ArgTypeResult &ATR = FS.getArgType(S.Context,
                                                           IsObjCLiteral);
  if (ATR.isValid() && !ATR.matchesType(S.Context, Ex->getType())) {
    // Check if we didn't match because of an implicit cast from a 'char'
    // or 'short' to an 'int'.  This is done because printf is a varargs
    // function.
    if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Ex))
      if (ICE->getType() == S.Context.IntTy ||
          ICE->getType() == S.Context.UnsignedIntTy) {
        // All further checking is done on the subexpression.
        Ex = ICE->getSubExpr();
        if (ATR.matchesType(S.Context, Ex->getType()))
          return true;
      }

    // We may be able to offer a FixItHint if it is a supported type.
    // fixType() rewrites a *copy* of the specifier to suit the argument's
    // actual type; on success the copy is printed and offered as the
    // replacement text for the whole specifier.
    PrintfSpecifier fixedFS = FS;
    bool success = fixedFS.fixType(Ex->getType(), S.getLangOpts(),
                                   S.Context, IsObjCLiteral);

    if (success) {
      // Get the fix string from the fixed format specifier
      SmallString<128> buf;
      llvm::raw_svector_ostream os(buf);
      fixedFS.toString(os);

      EmitFormatDiagnostic(
        S.PDiag(diag::warn_printf_conversion_argument_type_mismatch)
          << ATR.getRepresentativeTypeName(S.Context) << Ex->getType()
          << Ex->getSourceRange(),
        Ex->getLocStart(),
        /*IsStringLocation*/false,
        getSpecifierRange(startSpecifier, specifierLen),
        FixItHint::CreateReplacement(
          getSpecifierRange(startSpecifier, specifierLen),
          os.str()));
    }
    else {
      // No fix-it possible: the specifier range is streamed into the
      // diagnostic so both the argument and the specifier get highlighted.
      EmitFormatDiagnostic(
        S.PDiag(diag::warn_printf_conversion_argument_type_mismatch)
          << ATR.getRepresentativeTypeName(S.Context) << Ex->getType()
          << getSpecifierRange(startSpecifier, specifierLen)
          << Ex->getSourceRange(),
        Ex->getLocStart(),
        /*IsStringLocation*/false,
        getSpecifierRange(startSpecifier, specifierLen));
    }
  }

  return true;
}
02447 
02448 //===--- CHECK: Scanf format string checking ------------------------------===//
02449 
namespace {  
/// Format-string handler for the scanf family.
///
/// Receives the callbacks made by analyze_format_string::ParseScanfString
/// and turns each into the appropriate diagnostic, relying on the shared
/// bookkeeping in CheckFormatHandler (argument coverage, positional-argument
/// tracking, diagnostic emission).
class CheckScanfHandler : public CheckFormatHandler {
public:
  /// Every parameter is forwarded unchanged to CheckFormatHandler.
  CheckScanfHandler(Sema &s, const StringLiteral *fexpr,
                    const Expr *origFormatExpr, unsigned firstDataArg,
                    unsigned numDataArgs, bool isObjCLiteral,
                    const char *beg, bool hasVAListArg,
                    Expr **Args, unsigned NumArgs,
                    unsigned formatIdx, bool inFunctionCall)
  : CheckFormatHandler(s, fexpr, origFormatExpr, firstDataArg,
                       numDataArgs, isObjCLiteral, beg, hasVAListArg,
                       Args, NumArgs, formatIdx, inFunctionCall) {}
  
  /// Validate one parsed '%...' specifier.  Returns false to stop parsing
  /// the rest of the format string.
  bool HandleScanfSpecifier(const analyze_scanf::ScanfSpecifier &FS,
                            const char *startSpecifier,
                            unsigned specifierLen);
  
  /// Report a conversion character that is not valid for scanf.
  bool HandleInvalidScanfConversionSpecifier(
          const analyze_scanf::ScanfSpecifier &FS,
          const char *startSpecifier,
          unsigned specifierLen);

  /// Report a '%[' scanlist that is not terminated; the diagnostic covers
  /// the bytes between \p start and \p end of the literal.
  void HandleIncompleteScanList(const char *start, const char *end);
};
}
02475 
/// Warn about a '%[' scanlist that is never closed.
///
/// \param start Pointer into the literal where the scanlist begins.
/// \param end   Pointer into the literal where parsing gave up; the
///              diagnostic is placed here and the range spans [start, end).
void CheckScanfHandler::HandleIncompleteScanList(const char *start,
                                                 const char *end) {
  const CharSourceRange &ListRange = getSpecifierRange(start, end - start);
  EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_scanlist_incomplete),
                       getLocationOfByte(end),
                       /*IsStringLocation*/true,
                       ListRange);
}
02482 
/// Report a conversion character that is not valid for scanf.
///
/// Mirrors the printf variant: forwards the conversion specifier's position
/// and length plus the data-argument index to the shared base-class handler.
///
/// \param FS             The parsed scanf specifier with the bad conversion.
/// \param startSpecifier Pointer to the '%' that starts it in the literal.
/// \param specifierLen   Length of the whole specifier in bytes.
/// \return Whatever the base-class handler returns.
bool CheckScanfHandler::HandleInvalidScanfConversionSpecifier(
                                        const analyze_scanf::ScanfSpecifier &FS,
                                        const char *startSpecifier,
                                        unsigned specifierLen) {
  const analyze_scanf::ScanfConversionSpecifier &Conv =
    FS.getConversionSpecifier();
  const char *ConvStart = Conv.getStart();

  return HandleInvalidConversionSpecifier(FS.getArgIndex(),
                                          getLocationOfByte(ConvStart),
                                          startSpecifier, specifierLen,
                                          ConvStart, Conv.getLength());
}
02496 
/// Validate one parsed scanf conversion specification against the call.
///
/// Called back by the scanf parser for every '%...' specifier.  In order it:
/// tracks positional/non-positional consistency, rejects a constant field
/// width of zero, marks the specifier's data argument as consumed, checks the
/// length modifier and standard-conformance of the specifier, and finally
/// checks that the matching data argument has the type the conversion
/// requires.
///
/// \param FS             The parsed specifier.
/// \param startSpecifier Pointer to the '%' that starts it in the literal.
/// \param specifierLen   Length of the whole specifier in bytes.
/// \return false to stop parsing the rest of the format string, true to
///         keep going.
bool CheckScanfHandler::HandleScanfSpecifier(
                                       const analyze_scanf::ScanfSpecifier &FS,
                                       const char *startSpecifier,
                                       unsigned specifierLen) {
  
  using namespace analyze_scanf;
  using namespace analyze_format_string;  

  const ScanfConversionSpecifier &CS = FS.getConversionSpecifier();

  // Handle case where '%' and '*' don't consume an argument.  These shouldn't
  // be used to decide if we are using positional arguments consistently.
  if (FS.consumesDataArgument()) {
    if (atFirstArg) {
      atFirstArg = false;
      usesPositionalArgs = FS.usesPositionalArg();
    }
    else if (usesPositionalArgs != FS.usesPositionalArg()) {
      HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()),
                                        startSpecifier, specifierLen);
      return false;
    }
  }
  
  // Check if the field width is non-zero.  A literal width of 0 is
  // meaningless, so the fix-it simply deletes it.
  const OptionalAmount &Amt = FS.getFieldWidth();
  if (Amt.getHowSpecified() == OptionalAmount::Constant) {
    if (Amt.getConstantAmount() == 0) {
      const CharSourceRange &R = getSpecifierRange(Amt.getStart(),
                                                   Amt.getConstantLength());
      EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_nonzero_width),
                           getLocationOfByte(Amt.getStart()),
                           /*IsStringLocation*/true, R,
                           FixItHint::CreateRemoval(R));
    }
  }
  
  if (!FS.consumesDataArgument()) {
    // FIXME: Technically specifying a precision or field width here
    // makes no sense.  Worth issuing a warning at some point.
    return true;
  }
  
  // Consume the argument.
  unsigned argIndex = FS.getArgIndex();
  if (argIndex < NumDataArgs) {
      // The check to see if the argIndex is valid will come later.
      // We set the bit here because we may exit early from this
      // function if we encounter some other error.
    CoveredArgs.set(argIndex);
  }
  
  // Check the length modifier is valid with the given conversion specifier.
  // Unlike the printf handler, the specifier range is also streamed into the
  // diagnostic here so the whole specifier is highlighted.
  const LengthModifier &LM = FS.getLengthModifier();
  if (!FS.hasValidLengthModifier()) {
    const CharSourceRange &R = getSpecifierRange(LM.getStart(), LM.getLength());
    EmitFormatDiagnostic(S.PDiag(diag::warn_format_nonsensical_length)
                         << LM.toString() << CS.toString()
                         << getSpecifierRange(startSpecifier, specifierLen),
                         getLocationOfByte(LM.getStart()),
                         /*IsStringLocation*/true, R,
                         FixItHint::CreateRemoval(R));
  }

  if (!FS.hasStandardLengthModifier())
    HandleNonStandardLengthModifier(LM, startSpecifier, specifierLen);
  if (!FS.hasStandardConversionSpecifier(S.getLangOpts()))
    HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen);
  if (!FS.hasStandardLengthConversionCombination())
    HandleNonStandardConversionSpecification(LM, CS, startSpecifier,
                                             specifierLen);

  // The remaining checks depend on the data arguments.
  if (HasVAListArg)
    return true;
  
  if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex))
    return false;
  
  // Check that the argument type matches the format specifier.
  // The mismatch diagnostic is the same id the printf handler uses.
  const Expr *Ex = getDataArg(argIndex);
  const analyze_scanf::ScanfArgTypeResult &ATR = FS.getArgType(S.Context);
  if (ATR.isValid() && !ATR.matchesType(S.Context, Ex->getType())) {
    // fixType() rewrites a copy of the specifier to suit the argument's
    // actual type; on success that copy becomes the fix-it replacement.
    ScanfSpecifier fixedFS = FS;
    bool success = fixedFS.fixType(Ex->getType(), S.getLangOpts(),
                                   S.Context);

    if (success) {
      // Get the fix string from the fixed format specifier.
      SmallString<128> buf;
      llvm::raw_svector_ostream os(buf);
      fixedFS.toString(os);

      EmitFormatDiagnostic(
        S.PDiag(diag::warn_printf_conversion_argument_type_mismatch)
          << ATR.getRepresentativeTypeName(S.Context) << Ex->getType()
          << Ex->getSourceRange(),
        Ex->getLocStart(),
        /*IsStringLocation*/false,
        getSpecifierRange(startSpecifier, specifierLen),
        FixItHint::CreateReplacement(
          getSpecifierRange(startSpecifier, specifierLen),
          os.str()));
    } else {
      EmitFormatDiagnostic(
        S.PDiag(diag::warn_printf_conversion_argument_type_mismatch)
          << ATR.getRepresentativeTypeName(S.Context) << Ex->getType()
          << Ex->getSourceRange(),
        Ex->getLocStart(),
        /*IsStringLocation*/false,
        getSpecifierRange(startSpecifier, specifierLen));
    }
  }

  return true;
}
02613 
/// Check a single format-string literal against the call it is passed to.
///
/// Rejects wide literals and an empty format string that still has data
/// arguments, then hands the literal's bytes to the printf or scanf parser
/// together with a handler that emits the per-specifier diagnostics.  Any
/// other FormatStringType is currently ignored.
///
/// \param FExpr          The format string literal.  Its bytes are NOT
///                       null-terminated; the length comes from the literal.
/// \param OrigFormatExpr The format argument as written (source ranges).
/// \param Args           All arguments of the call.
/// \param NumArgs        Number of entries in \p Args.
/// \param HasVAListArg   True when the callee takes a va_list; the handlers
///                       then skip every check that needs the data arguments.
/// \param format_idx     Index of the format argument within \p Args.
/// \param firstDataArg   Index of the first data argument within \p Args.
/// \param Type           Which family of format string this is.
/// \param inFunctionCall Whether the literal is being checked at a call site.
void Sema::CheckFormatString(const StringLiteral *FExpr,
                             const Expr *OrigFormatExpr,
                             Expr **Args, unsigned NumArgs,
                             bool HasVAListArg, unsigned format_idx,
                             unsigned firstDataArg, FormatStringType Type,
                             bool inFunctionCall) {
  const Expr *FormatArg = Args[format_idx];
  const SourceRange OrigRange = OrigFormatExpr->getSourceRange();

  // CHECK: is the format string a wide literal?
  if (!FExpr->isAscii()) {
    CheckFormatHandler::EmitFormatDiagnostic(
      *this, inFunctionCall, FormatArg,
      PDiag(diag::warn_format_string_is_wide_literal), FExpr->getLocStart(),
      /*IsStringLocation*/true, OrigRange);
    return;
  }

  // The format string bytes.  NOTE: NOT null-terminated, so the parsers are
  // given an explicit end pointer.
  const StringRef Fmt = FExpr->getString();
  const char *const FmtBegin = Fmt.data();
  const char *const FmtEnd = FmtBegin + Fmt.size();
  const unsigned numDataArgs = NumArgs - firstDataArg;

  // CHECK: empty format string?
  if (Fmt.empty() && numDataArgs > 0) {
    CheckFormatHandler::EmitFormatDiagnostic(
      *this, inFunctionCall, FormatArg,
      PDiag(diag::warn_empty_format_string), FExpr->getLocStart(),
      /*IsStringLocation*/true, OrigRange);
    return;
  }

  const bool IsObjCLiteral = isa<ObjCStringLiteral>(OrigFormatExpr);

  if (Type == FST_Scanf) {
    CheckScanfHandler Handler(*this, FExpr, OrigFormatExpr, firstDataArg,
                              numDataArgs, IsObjCLiteral, FmtBegin,
                              HasVAListArg, Args, NumArgs, format_idx,
                              inFunctionCall);

    if (!analyze_format_string::ParseScanfString(Handler, FmtBegin, FmtEnd,
                                                 getLangOpts()))
      Handler.DoneProcessing();
    return;
  }

  // TODO: handle other formats
  if (Type != FST_Printf && Type != FST_NSString)
    return;

  CheckPrintfHandler Handler(*this, FExpr, OrigFormatExpr, firstDataArg,
                             numDataArgs, IsObjCLiteral, FmtBegin,
                             HasVAListArg, Args, NumArgs, format_idx,
                             inFunctionCall);

  if (!analyze_format_string::ParsePrintfString(Handler, FmtBegin, FmtEnd,
                                                getLangOpts()))
    Handler.DoneProcessing();
}
02665 
02666 //===--- CHECK: Standard memory functions ---------------------------------===//
02667 
/// \brief Determine whether the given type is a dynamic class type (e.g.,
/// whether it has a vtable).
///
/// Only a class with a visible definition can answer this; a non-class type
/// or a class that is merely forward-declared yields false.
static bool isDynamicClassType(QualType T) {
  CXXRecordDecl *Record = T->getAsCXXRecordDecl();
  if (!Record)
    return false;

  CXXRecordDecl *Definition = Record->getDefinition();
  if (!Definition)
    return false;

  return Definition->isDynamicClass();
}
02678 
/// \brief If E is a sizeof expression, returns its argument expression,
/// otherwise returns NULL.
///
/// Only 'sizeof expr' qualifies: 'sizeof(Type)' and the other
/// UnaryExprOrTypeTraitExpr kinds (e.g. alignof) yield NULL.  Parentheses and
/// implicit casts around the operand are stripped from the result.
static const Expr *getSizeOfExprArg(const Expr* E) {
  const UnaryExprOrTypeTraitExpr *Trait =
    dyn_cast<UnaryExprOrTypeTraitExpr>(E);
  if (!Trait || Trait->getKind() != clang::UETT_SizeOf)
    return 0;
  if (Trait->isArgumentType())
    return 0;

  return Trait->getArgumentExpr()->IgnoreParenImpCasts();
}
02689 
/// \brief If E is a sizeof expression, returns its argument type.
///
/// Works for both 'sizeof(Type)' and 'sizeof expr' (the operand's type in the
/// latter case).  Anything that is not a sizeof yields a null QualType.
static QualType getSizeOfArgType(const Expr* E) {
  const UnaryExprOrTypeTraitExpr *Trait =
    dyn_cast<UnaryExprOrTypeTraitExpr>(E);
  if (Trait && Trait->getKind() == clang::UETT_SizeOf)
    return Trait->getTypeOfArgument();

  return QualType();
}
02699 
/// \brief Check for dangerous or invalid arguments to memset().
///
/// This issues warnings on known problematic, dangerous or unspecified
/// arguments to the standard 'memset', 'memcpy', 'memmove', and 'memcmp'
/// function calls, and to 'strndup'.
///
/// For each pointer argument examined (destination only for memset/strndup,
/// destination and source for the others) the following are diagnosed,
/// stopping at the first hit:
///  - the length is 'sizeof(p)' where 'p' is that very pointer argument, i.e.
///    the size of a pointer rather than of the pointee;
///  - the length is 'sizeof(X)' where X is compatible with the argument's own
///    pointer type and the pointee is a record type (same mistake, caught by
///    type rather than by expression);
///  - the pointee is a dynamic class (raw memory access on an object with a
///    vtable) or an ObjC object with non-trivial lifetime.
/// Casting the argument to 'void*' silences all of them.
///
/// \param Call   The call expression to diagnose.
/// \param BId    Builtin ID of the callee; must be non-zero.
/// \param FnName Name of the callee, used only for diagnostic text.
void Sema::CheckMemaccessArguments(const CallExpr *Call,
                                   unsigned BId,
                                   IdentifierInfo *FnName) {
  assert(BId != 0);

  // It is possible to have a non-standard definition of memset.  Validate
  // we have enough arguments, and if not, abort further checking.
  unsigned ExpectedNumArgs = (BId == Builtin::BIstrndup ? 2 : 3);
  if (Call->getNumArgs() < ExpectedNumArgs)
    return;

  // LastArg is one past the last pointer argument to inspect; LenArg is the
  // index of the size argument.
  unsigned LastArg = (BId == Builtin::BImemset ||
                      BId == Builtin::BIstrndup ? 1 : 2);
  unsigned LenArg = (BId == Builtin::BIstrndup ? 1 : 2);
  const Expr *LenExpr = Call->getArg(LenArg)->IgnoreParenImpCasts();

  // We have special checking when the length is a sizeof expression.
  // SizeOfArgTy is null and SizeOfArg is NULL when it is not a sizeof.
  QualType SizeOfArgTy = getSizeOfArgType(LenExpr);
  const Expr *SizeOfArg = getSizeOfExprArg(LenExpr);
  llvm::FoldingSetNodeID SizeOfArgID;

  for (unsigned ArgIdx = 0; ArgIdx != LastArg; ++ArgIdx) {
    const Expr *Dest = Call->getArg(ArgIdx)->IgnoreParenImpCasts();
    SourceRange ArgRange = Call->getArg(ArgIdx)->getSourceRange();

    QualType DestTy = Dest->getType();
    if (const PointerType *DestPtrTy = DestTy->getAs<PointerType>()) {
      QualType PointeeTy = DestPtrTy->getPointeeType();

      // Never warn about void type pointers. This can be used to suppress
      // false positives.
      if (PointeeTy->isVoidType())
        continue;

      // Catch "memset(p, 0, sizeof(p))" -- needs to be sizeof(*p). Do this by
      // actually comparing the expressions for equality. Because computing the
      // expression IDs can be expensive, we only do this if the diagnostic is
      // enabled.
      if (SizeOfArg &&
          Diags.getDiagnosticLevel(diag::warn_sizeof_pointer_expr_memaccess,
                                   SizeOfArg->getExprLoc())) {
        // We only compute IDs for expressions if the warning is enabled, and
        // cache the sizeof arg's ID.
        if (SizeOfArgID == llvm::FoldingSetNodeID())
          SizeOfArg->Profile(SizeOfArgID, Context, true);
        llvm::FoldingSetNodeID DestID;
        Dest->Profile(DestID, Context, true);
        if (DestID == SizeOfArgID) {
          // TODO: For strncpy() and friends, this could suggest sizeof(dst)
          //       over sizeof(src) as well.
          // ActionIdx selects the suggested fix in the diagnostic text.
          unsigned ActionIdx = 0; // Default is to suggest dereferencing.
          if (const UnaryOperator *UnaryOp = dyn_cast<UnaryOperator>(Dest))
            if (UnaryOp->getOpcode() == UO_AddrOf)
              ActionIdx = 1; // If its an address-of operator, just remove it.
          if (Context.getTypeSize(PointeeTy) == Context.getCharWidth())
            ActionIdx = 2; // If the pointee's size is sizeof(char),
                           // suggest an explicit length.
          // strndup's only pointer argument is its source, so always word
          // the diagnostic as "source" for it.
          unsigned DestSrcSelect =
            (BId == Builtin::BIstrndup ? 1 : ArgIdx);
          DiagRuntimeBehavior(SizeOfArg->getExprLoc(), Dest,
                              PDiag(diag::warn_sizeof_pointer_expr_memaccess)
                                << FnName << DestSrcSelect << ActionIdx
                                << Dest->getSourceRange()
                                << SizeOfArg->getSourceRange());
          break;
        }
      }

      // Also check for cases where the sizeof argument is the exact same
      // type as the memory argument, and where it points to a user-defined
      // record type.
      if (SizeOfArgTy != QualType()) {
        if (PointeeTy->isRecordType() &&
            Context.typesAreCompatible(SizeOfArgTy, DestTy)) {
          DiagRuntimeBehavior(LenExpr->getExprLoc(), Dest,
                              PDiag(diag::warn_sizeof_pointer_type_memaccess)
                                << FnName << SizeOfArgTy << ArgIdx
                                << PointeeTy << Dest->getSourceRange()
                                << LenExpr->getSourceRange());
          break;
        }
      }

      // Always complain about dynamic classes.
      if (isDynamicClassType(PointeeTy)) {

        // OperationType selects the verb in the diagnostic text.
        unsigned OperationType = 0;
        // "overwritten" if we're warning about the destination for any call
        // but memcmp; otherwise a verb appropriate to the call.
        if (ArgIdx != 0 || BId == Builtin::BImemcmp) {
          if (BId == Builtin::BImemcpy)
            OperationType = 1;
          else if(BId == Builtin::BImemmove)
            OperationType = 2;
          else if (BId == Builtin::BImemcmp)
            OperationType = 3;
        }
          
        // memcmp has no destination, so its arguments use a separate pair of
        // wording slots (offset by 2) in the diagnostic.
        DiagRuntimeBehavior(
          Dest->getExprLoc(), Dest,
          PDiag(diag::warn_dyn_class_memaccess)
            << (BId == Builtin::BImemcmp ? ArgIdx + 2 : ArgIdx)
            << FnName << PointeeTy
            << OperationType
            << Call->getCallee()->getSourceRange());
      } else if (PointeeTy.hasNonTrivialObjCLifetime() &&
               BId != Builtin::BImemset)
        DiagRuntimeBehavior(
          Dest->getExprLoc(), Dest,
          PDiag(diag::warn_arc_object_memaccess)
            << ArgIdx << FnName << PointeeTy
            << Call->getCallee()->getSourceRange());
      else
        continue;

      // Reached only after one of the two object-type warnings above: tell
      // the user how to suppress it, then stop looking at further arguments.
      DiagRuntimeBehavior(
        Dest->getExprLoc(), Dest,
        PDiag(diag::note_bad_memaccess_silence)
          << FixItHint::CreateInsertion(ArgRange.getBegin(), "(void*)"));
      break;
    }
  }
}
02830 
// Strip parentheses/casts and then any chain of additive operators whose one
// side is a bare integer literal ('x + 1', '1 + x', 'x - 2'), returning the
// non-literal operand.  This is deliberately narrower than "ignore any integer
// constant expression": sizeof() is an ICE too, and the callers need to see it
// to recognise 'sizeof(x)' as the size argument.
//
// Note that a literal on the LHS of '-' is stripped as well, so 'N - x'
// reduces to 'x'.  Ctx is accepted for interface stability but not consulted.
static const Expr *ignoreLiteralAdditions(const Expr *Ex, ASTContext &Ctx) {
  const Expr *Cur = Ex->IgnoreParenCasts();

  while (const BinaryOperator *BO = dyn_cast<BinaryOperator>(Cur)) {
    if (!BO->isAdditiveOp())
      break;

    const Expr *Lhs = BO->getLHS()->IgnoreParenCasts();
    const Expr *Rhs = BO->getRHS()->IgnoreParenCasts();

    if (isa<IntegerLiteral>(Rhs))
      Cur = Lhs;
    else if (isa<IntegerLiteral>(Lhs))
      Cur = Rhs;
    else
      break;
  }

  return Cur;
}
02855 
// Warn when the 'size' argument of strlcpy/strlcat is derived from the
// *source* buffer ('sizeof(src)' or 'strlen(src)') instead of the destination.
// Such a call bounds the copy by the wrong buffer, so an overlong source still
// overruns 'dst' -- the very overflow strlcpy is supposed to prevent.
//
// Only the simplest shape is recognised: both the source argument and the
// operand of sizeof/strlen must be a plain DeclRefExpr naming the same
// declaration (after ignoreLiteralAdditions).  Member accesses, subscripts and
// the like are not matched, so absence of the warning is not a clean bill.
void Sema::CheckStrlcpycatArguments(const CallExpr *Call,
                                    IdentifierInfo *FnName) {

  // A call with the wrong arity is malformed; don't index past the args.
  if (Call->getNumArgs() != 3)
    return;

  const Expr *SrcArg = ignoreLiteralAdditions(Call->getArg(1), Context);
  const Expr *SizeArg = ignoreLiteralAdditions(Call->getArg(2), Context);

  // Find what the size is computed from: 'sizeof(x)' first, then 'strlen(x)'.
  const Expr *SizeOperand = getSizeOfExprArg(SizeArg);
  if (!SizeOperand) {
    const CallExpr *SizeCall = dyn_cast<CallExpr>(SizeArg);
    if (SizeCall && SizeCall->isBuiltinCall() == Builtin::BIstrlen &&
        SizeCall->getNumArgs() == 1)
      SizeOperand = ignoreLiteralAdditions(SizeCall->getArg(0), Context);
  }

  if (!SizeOperand)
    return;

  // Match 'x' against the source argument by declaration identity.  This is a
  // direct structural comparison rather than building and evaluating an '=='
  // expression; it only fires for two DeclRefExprs to the same decl.
  const DeclRefExpr *SrcRef = dyn_cast<DeclRefExpr>(SrcArg);
  const DeclRefExpr *SizeRef = dyn_cast<DeclRefExpr>(SizeOperand);
  if (!SrcRef || !SizeRef || SrcRef->getDecl() != SizeRef->getDecl())
    return;

  const Expr *OriginalSizeArg = Call->getArg(2);
  Diag(SizeRef->getLocStart(), diag::warn_strlcpycat_wrong_size)
    << OriginalSizeArg->getSourceRange() << FnName;

  // Offer 'sizeof(dst)' as a fix-it only when that is actually the buffer
  // size: a constant-size array of more than one element, or a VLA.  For a
  // pointer (or a flexible array member) sizeof would be wrong, so no hint.
  // This could be extended to 'array + k' -> 'sizeof(array) - k'.
  const Expr *DstArg = Call->getArg(0)->IgnoreParenImpCasts();
  QualType DstArgTy = DstArg->getType();

  if (const ConstantArrayType *CAT = Context.getAsConstantArrayType(DstArgTy)) {
    if (CAT->getSize().getSExtValue() <= 1)
      return;
  } else if (!DstArgTy->isVariableArrayType()) {
    return;
  }

  SmallString<128> Replacement;
  llvm::raw_svector_ostream OS(Replacement);
  OS << "sizeof(";
  DstArg->printPretty(OS, Context, 0, getPrintingPolicy());
  OS << ")";

  Diag(OriginalSizeArg->getLocStart(), diag::note_strlcpycat_wrong_size)
    << FixItHint::CreateReplacement(OriginalSizeArg->getSourceRange(),
                                    OS.str());
}
02927 
/// True iff both expressions are DeclRefExprs naming the same declaration.
/// Either argument may be null (the sizeof/strlen operand helpers return null
/// when they do not match), in which case the answer is simply false.
static bool referToTheSameDecl(const Expr *E1, const Expr *E2) {
  const DeclRefExpr *D1 = dyn_cast_or_null<DeclRefExpr>(E1);
  const DeclRefExpr *D2 = dyn_cast_or_null<DeclRefExpr>(E2);
  return D1 && D2 && D1->getDecl() == D2->getDecl();
}
02935 
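/// If E is a call to strlen, return its argument with parens/casts stripped;
/// otherwise null.  Recognition goes through FunctionDecl::getMemoryFunctionKind
/// (rather than CallExpr::isBuiltinCall as CheckStrlcpycatArguments uses) --
/// presumably so a library strlen without a builtin ID is matched too; verify.
///
/// The argument count is checked before indexing: a call that reaches here
/// with zero arguments (conceivable in C through an unprototyped declaration)
/// would otherwise read past the argument array.  This mirrors the
/// "wrong number of arguments" guards the callers already apply.
static const Expr *getStrlenExprArg(const Expr *E) {
  const CallExpr *CE = dyn_cast<CallExpr>(E);
  if (!CE)
    return 0;

  const FunctionDecl *FD = CE->getDirectCallee();
  if (!FD || FD->getMemoryFunctionKind() != Builtin::BIstrlen)
    return 0;

  // strlen takes exactly one argument; never index a missing one.
  if (CE->getNumArgs() < 1)
    return 0;

  return CE->getArg(0)->IgnoreParenCasts();
}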
02945 
// Warn on well-known wrong 'size' arguments to strncat.  strncat's third
// argument is the number of bytes that may still be *appended*, so the correct
// form is:
//   strncat(dst, src, sizeof(dst) - strlen(dst) - 1);
// Passing sizeof(dst), sizeof(dst) - strlen(dst), or anything based on
// sizeof(src) lets the append run past the end of 'dst'.
//
// Recognition is by declaration identity (see referToTheSameDecl), so only
// plain variables used directly as the buffers are matched.
void Sema::CheckStrncatArguments(const CallExpr *CE,
                                 IdentifierInfo *FnName) {
  // A malformed call may have fewer than three args; don't index past them.
  if (CE->getNumArgs() < 3)
    return;
  const Expr *DstArg = CE->getArg(0)->IgnoreParenCasts();
  const Expr *SrcArg = CE->getArg(1)->IgnoreParenCasts();
  const Expr *LenArg = CE->getArg(2)->IgnoreParenCasts();

  // Classify the size expression.  DstSizePattern covers 'sizeof(dst)' and
  // 'sizeof(dst) - strlen(dst)' (off by the terminating NUL); SrcSizePattern
  // covers 'sizeof(src)' and 'sizeof(src) - <anything>'.
  enum { NoPattern, DstSizePattern, SrcSizePattern } Pattern = NoPattern;

  if (const Expr *SizeOfArg = getSizeOfExprArg(LenArg)) {
    if (referToTheSameDecl(SizeOfArg, DstArg))
      Pattern = DstSizePattern;
    else if (referToTheSameDecl(SizeOfArg, SrcArg))
      Pattern = SrcSizePattern;
  } else if (const BinaryOperator *Sub = dyn_cast<BinaryOperator>(LenArg)) {
    if (Sub->getOpcode() == BO_Sub) {
      const Expr *Left = Sub->getLHS()->IgnoreParenCasts();
      const Expr *Right = Sub->getRHS()->IgnoreParenCasts();
      if (referToTheSameDecl(DstArg, getSizeOfExprArg(Left)) &&
          referToTheSameDecl(DstArg, getStrlenExprArg(Right)))
        Pattern = DstSizePattern;
      else if (referToTheSameDecl(SrcArg, getSizeOfExprArg(Left)))
        Pattern = SrcSizePattern;
    }
  }

  if (Pattern == NoPattern)
    return;

  // Diagnose at the size argument.  When the call came through a macro
  // argument, point at the spelling rather than the expansion.
  SourceLocation SL = LenArg->getLocStart();
  SourceRange SR = LenArg->getSourceRange();
  SourceManager &SM  = PP.getSourceManager();

  if (SM.isMacroArgExpansion(SL)) {
    SL = SM.getSpellingLoc(SL);
    SR = SourceRange(SM.getSpellingLoc(SR.getBegin()),
                     SM.getSpellingLoc(SR.getEnd()));
  }

  Diag(SL, Pattern == DstSizePattern ? diag::warn_strncat_large_size
                                     : diag::warn_strncat_src_size) << SR;

  // Fix-it only when 'sizeof(dst)' really is the buffer size: a constant
  // array of more than one element, or a VLA -- never a pointer or flexible
  // member.  'array + k' -> 'sizeof(array) - k' would be a possible extension.
  QualType DstArgTy = DstArg->getType();

  if (const ConstantArrayType *CAT = Context.getAsConstantArrayType(DstArgTy)) {
    if (CAT->getSize().getSExtValue() <= 1)
      return;
  } else if (!DstArgTy->isVariableArrayType()) {
    return;
  }

  SmallString<128> Replacement;
  llvm::raw_svector_ostream OS(Replacement);
  OS << "sizeof(";
  DstArg->printPretty(OS, Context, 0, getPrintingPolicy());
  OS << ") - strlen(";
  DstArg->printPretty(OS, Context, 0, getPrintingPolicy());
  OS << ") - 1";

  Diag(SL, diag::note_strncat_wrong_size)
    << FixItHint::CreateReplacement(SR, OS.str());
}
03029 
03030 //===--- CHECK: Return Address of Stack Variable --------------------------===//
03031 
// Forward declarations: EvalAddr and EvalVal are mutually recursive (see the
// comment block on EvalAddr below for the traversal they implement).
static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars,
                     Decl *ParentDecl);
static Expr *EvalAddr(Expr* E, SmallVectorImpl<DeclRefExpr *> &refVars,
                      Decl *ParentDecl);
03036 
/// CheckReturnStackAddr - Diagnose a return statement whose value is the
///   address of (or a reference to) stack memory: a local variable, a local
///   block with captures, the address of a label, or a local temporary.
///   Returning such a value leaves the caller with a dangling pointer.
///
/// \param RetValExp the returned expression
/// \param lhsType   the function's declared return type; pointer and
///                  reference return types are checked, everything else is not
/// \param ReturnLoc location of the return statement (currently unused;
///                  diagnostics point at the offending expression instead)
void
Sema::CheckReturnStackAddr(Expr *RetValExp, QualType lhsType,
                           SourceLocation ReturnLoc) {

  SmallVector<DeclRefExpr *, 8> refVars;
  Expr *stackE = 0;
  const bool isRef = lhsType->isReferenceType();

  // Pointers go through EvalAddr, references through EvalVal.  Block pointers
  // are only checked when ARC is off -- presumably because ARC copies a
  // returned block off the stack; confirm against the ObjC lowering.
  if (lhsType->isPointerType() ||
      (lhsType->isBlockPointerType() && !getLangOpts().ObjCAutoRefCount))
    stackE = EvalAddr(RetValExp, refVars, /*ParentDecl=*/0);
  else if (isRef)
    stackE = EvalVal(RetValExp, refVars, /*ParentDecl=*/0);

  if (!stackE)
    return; // Nothing suspicious was found.

  // If the value was reached through reference variables, warn at the first
  // such variable in the return expression; the chain down to the real
  // culprit is shown as notes below.  Otherwise warn at the expression itself.
  Expr *anchor = stackE;
  if (!refVars.empty())
    anchor = refVars[0];
  SourceLocation diagLoc = anchor->getLocStart();
  SourceRange diagRange = anchor->getSourceRange();

  if (DeclRefExpr *DR = dyn_cast<DeclRefExpr>(stackE)) {
    // Address of / reference to a named local.
    Diag(diagLoc, isRef ? diag::warn_ret_stack_ref : diag::warn_ret_stack_addr)
     << DR->getDecl()->getDeclName() << diagRange;
  } else if (isa<BlockExpr>(stackE)) {
    // Local block: this one is a hard error, not a warning.
    Diag(diagLoc, diag::err_ret_local_block) << diagRange;
  } else if (isa<AddrLabelExpr>(stackE)) {
    Diag(diagLoc, diag::warn_ret_addr_label) << diagRange;
  } else {
    // Anything else EvalAddr/EvalVal returned is a local temporary.
    Diag(diagLoc, isRef ? diag::warn_ret_local_temp_ref
                        : diag::warn_ret_local_temp_addr)
     << diagRange;
  }

  // One note per reference variable followed, each pointing at what that
  // variable was bound to: the next variable in the trail, or -- for the last
  // one -- the problematic expression.
  const unsigned numRefs = refVars.size();
  for (unsigned i = 0; i != numRefs; ++i) {
    VarDecl *VD = cast<VarDecl>(refVars[i]->getDecl());
    SourceRange boundTo = (i + 1 < numRefs) ? refVars[i + 1]->getSourceRange()
                                            : stackE->getSourceRange();
    Diag(VD->getLocation(), diag::note_ref_var_local_bind)
      << VD->getDeclName() << boundTo;
  }
}
03099 
/// EvalAddr - EvalAddr and EvalVal are mutually recursive functions that
///  check if the expression in a return statement evaluates to an address
///  to a location on the stack, a local block, an address of a label, or a
///  reference to local temporary. The recursion is used to traverse the
///  AST of the return expression, with recursion backtracking when we
///  encounter a subexpression that (1) clearly does not lead to one of the
///  above problematic expressions (2) is something we cannot determine leads to
///  a problematic expression based on such local checking.
///
///  Both EvalAddr and EvalVal follow through reference variables to evaluate
///  the expression that they point to. Such variables are added to the
///  'refVars' vector so that we know what the reference variable "trail" was.
///
///  EvalAddr processes expressions that are pointers that are used as
///  references (and not L-values).  EvalVal handles all other values.
///  At the base case of the recursion is a check for the above problematic
///  expressions.
///
///  This implementation handles:
///
///   * pointer-to-pointer casts
///   * implicit conversions from array references to pointers
///   * taking the address of fields
///   * arbitrary interplay between "&" and "*" operators
///   * pointer arithmetic from an address of a stack variable
///   * taking the address of an array element where the array is on the stack
///
///  Returns the problematic expression (a DeclRefExpr to a local, a BlockExpr,
///  an AddrLabelExpr, or a MaterializeTemporaryExpr), or NULL when nothing
///  suspicious is found.  The caller decides which diagnostic fits the kind.
///
///  \param ParentDecl the variable whose initializer is being examined when
///         following a reference variable, or NULL at the top level.  Note that
///         EvalAddr only threads it through; the self-binding check that uses
///         it lives in EvalVal.
static Expr *EvalAddr(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars,
                      Decl *ParentDecl) {
  if (E->isTypeDependent())
      return NULL;

  // We should only be called for evaluating pointer expressions.
  assert((E->getType()->isAnyPointerType() ||
          E->getType()->isBlockPointerType() ||
          E->getType()->isObjCQualifiedIdType()) &&
         "EvalAddr only works on pointers");

  E = E->IgnoreParens();

  // Our "symbolic interpreter" is just a dispatch off the currently
  // viewed AST node.  We then recursively traverse the AST by calling
  // EvalAddr and EvalVal appropriately.
  switch (E->getStmtClass()) {
  case Stmt::DeclRefExprClass: {
    DeclRefExpr *DR = cast<DeclRefExpr>(E);

    if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl()))
      // If this is a reference variable, follow through to the expression that
      // it points to.
      // NOTE(review): unlike the DeclRefExpr case in EvalVal there is no
      // 'V == ParentDecl' guard here and ParentDecl is passed down unchanged,
      // so a self-referential initializer such as 'int *&p = p;' looks like it
      // would recurse without bound (refVars growing each step) -- verify and
      // consider a guard like EvalVal's.
      if (V->hasLocalStorage() &&
          V->getType()->isReferenceType() && V->hasInit()) {
        // Add the reference variable to the "trail".
        refVars.push_back(DR);
        return EvalAddr(V->getInit(), refVars, ParentDecl);
      }

    // A plain (non-reference) pointer variable is just a value being
    // returned; where it points is not tracked.
    return NULL;
  }

  case Stmt::UnaryOperatorClass: {
    // The only unary operator that make sense to handle here
    // is AddrOf.  All others don't make sense as pointers.
    // '&x' is an address, so the operand is examined as an lvalue (EvalVal).
    UnaryOperator *U = cast<UnaryOperator>(E);

    if (U->getOpcode() == UO_AddrOf)
      return EvalVal(U->getSubExpr(), refVars, ParentDecl);
    else
      return NULL;
  }

  case Stmt::BinaryOperatorClass: {
    // Handle pointer arithmetic.  All other binary operators are not valid
    // in this context.
    BinaryOperator *B = cast<BinaryOperator>(E);
    BinaryOperatorKind op = B->getOpcode();

    if (op != BO_Add && op != BO_Sub)
      return NULL;

    Expr *Base = B->getLHS();

    // Determine which argument is the real pointer base.  It could be
    // the RHS argument instead of the LHS.  Exactly one side is a pointer
    // here because the result type is a pointer (checked by the assert at
    // the top), so 'ptr - ptr' never reaches this case.
    if (!Base->getType()->isPointerType()) Base = B->getRHS();

    assert (Base->getType()->isPointerType());
    return EvalAddr(Base, refVars, ParentDecl);
  }

  // For conditional operators we need to see if either the LHS or RHS are
  // valid DeclRefExpr*s.  If one of them is valid, we return it.
  case Stmt::ConditionalOperatorClass: {
    ConditionalOperator *C = cast<ConditionalOperator>(E);

    // Handle the GNU extension for missing LHS.
    if (Expr *lhsExpr = C->getLHS()) {
    // In C++, we can have a throw-expression, which has 'void' type.
      if (!lhsExpr->getType()->isVoidType())
        if (Expr* LHS = EvalAddr(lhsExpr, refVars, ParentDecl))
          return LHS;
    }

    // In C++, we can have a throw-expression, which has 'void' type.
    if (C->getRHS()->getType()->isVoidType())
      return NULL;

    return EvalAddr(C->getRHS(), refVars, ParentDecl);
  }
  
  case Stmt::BlockExprClass:
    // Only a block that captures something lives on the stack; a capture-free
    // block literal is not flagged.
    if (cast<BlockExpr>(E)->getBlockDecl()->hasCaptures())
      return E; // local block.
    return NULL;

  case Stmt::AddrLabelExprClass:
    return E; // address of label.

  case Stmt::ExprWithCleanupsClass:
    return EvalAddr(cast<ExprWithCleanups>(E)->getSubExpr(), refVars,
                    ParentDecl);

  // For casts, we need to handle conversions from arrays to
  // pointer values, and pointer-to-pointer conversions.
  case Stmt::ImplicitCastExprClass:
  case Stmt::CStyleCastExprClass:
  case Stmt::CXXFunctionalCastExprClass:
  case Stmt::ObjCBridgedCastExprClass:
  case Stmt::CXXStaticCastExprClass:
  case Stmt::CXXDynamicCastExprClass:
  case Stmt::CXXConstCastExprClass:
  case Stmt::CXXReinterpretCastExprClass: {
    Expr* SubExpr = cast<CastExpr>(E)->getSubExpr();
    switch (cast<CastExpr>(E)->getCastKind()) {
    // Pointer-preserving casts: the operand is still an address.
    case CK_BitCast:
    case CK_LValueToRValue:
    case CK_NoOp:
    case CK_BaseToDerived:
    case CK_DerivedToBase:
    case CK_UncheckedDerivedToBase:
    case CK_Dynamic:
    case CK_CPointerToObjCPointerCast:
    case CK_BlockPointerToObjCPointerCast:
    case CK_AnyPointerToBlockPointerCast:
      return EvalAddr(SubExpr, refVars, ParentDecl);

    // Array decay: the operand is the array object itself, an lvalue.
    case CK_ArrayToPointerDecay:
      return EvalVal(SubExpr, refVars, ParentDecl);

    // Any other cast kind (e.g. integer-to-pointer) is not followed.
    default:
      return 0;
    }
  }

  case Stmt::MaterializeTemporaryExprClass:
    // Look inside the temporary first; if nothing more specific is found the
    // temporary itself is the problem (reported as "local temporary").
    if (Expr *Result = EvalAddr(
                         cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(),
                                refVars, ParentDecl))
      return Result;
      
    return E;
      
  // Everything else: we simply don't reason about them.
  default:
    return NULL;
  }
}
03266 
03267 
///  EvalVal - This function complements EvalAddr in the mutual recursion.
///   See the comments for EvalAddr for more details.
///
///  EvalVal examines an lvalue (or non-pointer value) and returns the
///  expression that denotes stack storage, or NULL if none is found.  The
///  outer do/while loop exists only so the ImplicitCastExpr case can peel an
///  lvalue cast and re-dispatch without a recursive call.
///
///  \param ParentDecl when following a reference variable's initializer, the
///         reference variable itself; used to catch self-binding such as
///         'int& i = i;' without recursing forever.
static Expr *EvalVal(Expr *E, SmallVectorImpl<DeclRefExpr *> &refVars,
                     Decl *ParentDecl) {
do {
  // We should only be called for evaluating non-pointer expressions, or
  // expressions with a pointer type that are not used as references but instead
  // are l-values (e.g., DeclRefExpr with a pointer type).

  // Our "symbolic interpreter" is just a dispatch off the currently
  // viewed AST node.  We then recursively traverse the AST by calling
  // EvalAddr and EvalVal appropriately.

  E = E->IgnoreParens();
  switch (E->getStmtClass()) {
  case Stmt::ImplicitCastExprClass: {
    // Only lvalue-preserving implicit casts are looked through; an rvalue
    // cast means the result is a copy, not the stack object itself.
    ImplicitCastExpr *IE = cast<ImplicitCastExpr>(E);
    if (IE->getValueKind() == VK_LValue) {
      E = IE->getSubExpr();
      continue;
    }
    return NULL;
  }

  case Stmt::ExprWithCleanupsClass:
    return EvalVal(cast<ExprWithCleanups>(E)->getSubExpr(), refVars,ParentDecl);

  case Stmt::DeclRefExprClass: {
    // When we hit a DeclRefExpr we are looking at code that refers to a
    // variable's name. If it's not a reference variable we check if it has
    // local storage within the function, and if so, return the expression.
    DeclRefExpr *DR = cast<DeclRefExpr>(E);

    if (VarDecl *V = dyn_cast<VarDecl>(DR->getDecl())) {
      // Check if it refers to itself, e.g. "int& i = i;".
      if (V == ParentDecl)
        return DR;

      if (V->hasLocalStorage()) {
        if (!V->getType()->isReferenceType())
          return DR;

        // Reference variable, follow through to the expression that
        // it points to.  V becomes the new ParentDecl so that a
        // self-referential initializer terminates above.
        if (V->hasInit()) {
          // Add the reference variable to the "trail".
          refVars.push_back(DR);
          return EvalVal(V->getInit(), refVars, V);
        }
      }
    }

    // Globals, statics, parameters without local storage, non-variables:
    // not stack storage as far as this check is concerned.
    return NULL;
  }

  case Stmt::UnaryOperatorClass: {
    // The only unary operator that make sense to handle here
    // is Deref.  All others don't resolve to a "name."  This includes
    // handling all sorts of rvalues passed to a unary operator.
    // '*p' is an lvalue whose storage is wherever 'p' points, so the operand
    // is handed to EvalAddr.
    UnaryOperator *U = cast<UnaryOperator>(E);

    if (U->getOpcode() == UO_Deref)
      return EvalAddr(U->getSubExpr(), refVars, ParentDecl);

    return NULL;
  }

  case Stmt::ArraySubscriptExprClass: {
    // Array subscripts are potential references to data on the stack.  We
    // retrieve the DeclRefExpr* for the array variable if it indeed
    // has local storage.  (The base is a decayed pointer, hence EvalAddr.)
    return EvalAddr(cast<ArraySubscriptExpr>(E)->getBase(), refVars,ParentDecl);
  }

  case Stmt::ConditionalOperatorClass: {
    // For conditional operators we need to see if either the LHS or RHS are
    // non-NULL Expr's.  If one is non-NULL, we return it.
    ConditionalOperator *C = cast<ConditionalOperator>(E);

    // Handle the GNU extension for missing LHS.
    if (Expr *lhsExpr = C->getLHS())
      if (Expr *LHS = EvalVal(lhsExpr, refVars, ParentDecl))
        return LHS;

    return EvalVal(C->getRHS(), refVars, ParentDecl);
  }

  // Accesses to members are potential references to data on the stack.
  case Stmt::MemberExprClass: {
    MemberExpr *M = cast<MemberExpr>(E);

    // Check for indirect access.  We only want direct field accesses.
    // 'p->f' lives wherever 'p' points; only 'obj.f' is inside 'obj'.
    if (M->isArrow())
      return NULL;

    // Check whether the member type is itself a reference, in which case
    // we're not going to refer to the member, but to what the member refers to.
    if (M->getMemberDecl()->getType()->isReferenceType())
      return NULL;

    return EvalVal(M->getBase(), refVars, ParentDecl);
  }

  case Stmt::MaterializeTemporaryExprClass:
    // Look inside first; if nothing more specific turns up, the temporary
    // itself is the stack object being referenced.
    if (Expr *Result = EvalVal(
                          cast<MaterializeTemporaryExpr>(E)->GetTemporaryExpr(),
                               refVars, ParentDecl))
      return Result;
      
    return E;

  default:
    // Check that we don't return or take the address of a reference to a
    // temporary. This is only useful in C++.
    if (!E->isTypeDependent() && E->isRValue())
      return E;

    // Everything else: we simply don't reason about them.
    return NULL;
  }
} while (true);
}
03390 
03391 //===--- CHECK: Floating-Point comparisons (-Wfloat-equal) ---------------===//
03392 
/// Check for comparisons of floating point operands using != and ==.
/// Issue a warning unless one of a few heuristic exemptions applies; such
/// comparisons are not likely to do what the programmer intended.
///
/// Exempt, in order of checking:
///  - 'x == x' on the same declaration (presumably the idiomatic NaN test);
///  - a floating literal operand that is exactly representable, checked on
///    the left first and on the right only if the left is not a literal;
///  - a builtin call on either side.
/// The literal rule is a heuristic and can produce false negatives.
void Sema::CheckFloatComparison(SourceLocation Loc, Expr* LHS, Expr *RHS) {
  Expr *Left = LHS->IgnoreParenImpCasts();
  Expr *Right = RHS->IgnoreParenImpCasts();

  // Self-comparison: x == x.
  if (DeclRefExpr *DL = dyn_cast<DeclRefExpr>(Left))
    if (DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Right))
      if (DL->getDecl() == DR->getDecl())
        return;

  // Exactly-representable literal.  Note the asymmetry: a non-exact literal
  // on the left suppresses the check of the right operand entirely.
  if (FloatingLiteral *FL = dyn_cast<FloatingLiteral>(Left)) {
    if (FL->isExact())
      return;
  } else if (FloatingLiteral *FR = dyn_cast<FloatingLiteral>(Right)) {
    if (FR->isExact())
      return;
  }

  // Builtin call on either side.
  if (CallExpr *CL = dyn_cast<CallExpr>(Left))
    if (CL->isBuiltinCall())
      return;
  if (CallExpr *CR = dyn_cast<CallExpr>(Right))
    if (CR->isBuiltinCall())
      return;

  Diag(Loc, diag::warn_floatingpoint_eq)
    << LHS->getSourceRange() << RHS->getSourceRange();
}
03442 
03443 //===--- CHECK: Integer mixed-sign comparisons (-Wsign-compare) --------===//
03444 //===--- CHECK: Lossy implicit conversions (-Wconversion) --------------===//
03445 
03446 namespace {
03447 
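/// Structure recording the 'active' range of an integer-valued
/// expression.
///
/// The meaning of Width depends on NonNegative: when NonNegative is true the
/// value is known to lie in [0, 2^Width); when it is false, Width is the
/// number of bits of a two's-complement representation (sign bit included)
/// that can hold every value the expression may take.  Consumers compare
/// these widths against target types to decide on truncation and sign-change
/// warnings, so under-reporting a width hides a warning.
struct IntRange {
  /// The number of bits active in the int.
  unsigned Width;

  /// True if the int is known not to have negative values.
  bool NonNegative;

  IntRange(unsigned Width, bool NonNegative)
    : Width(Width), NonNegative(NonNegative)
  {}

  /// Returns the range of the bool type.
  static IntRange forBoolType() {
    return IntRange(1, true);
  }

  /// Returns the range of an opaque value of the given integral type.
  static IntRange forValueOfType(ASTContext &C, QualType T) {
    return forValueOfCanonicalType(C,
                          T->getCanonicalTypeInternal().getTypePtr());
  }

  /// Returns the range of an opaque value of a canonical integral type.
  ///
  /// Vector and complex types are reduced to their element type.  A complete
  /// enum is ranged by the enumerators it actually declares rather than by
  /// its underlying type; an incomplete enum is treated as possibly negative
  /// over the full width of its type.
  static IntRange forValueOfCanonicalType(ASTContext &C, const Type *T) {
    assert(T->isCanonicalUnqualified());

    if (const VectorType *VT = dyn_cast<VectorType>(T))
      T = VT->getElementType().getTypePtr();
    if (const ComplexType *CT = dyn_cast<ComplexType>(T))
      T = CT->getElementType().getTypePtr();

    // For enum types, use the known bit width of the enumerators.
    if (const EnumType *ET = dyn_cast<EnumType>(T)) {
      EnumDecl *Enum = ET->getDecl();
      if (!Enum->isCompleteDefinition())
        return IntRange(C.getIntWidth(QualType(T, 0)), false);

      unsigned NumPositive = Enum->getNumPositiveBits();
      unsigned NumNegative = Enum->getNumNegativeBits();

      // No negative enumerators: an unsigned range of NumPositive bits.
      if (NumNegative == 0)
        return IntRange(NumPositive, true);

      // Mixed signs: the range is signed, and a positive enumerator needing
      // NumPositive magnitude bits needs one more for the sign bit in two's
      // complement.  Using plain max(NumPositive, NumNegative) under-reports
      // the width by one whenever the largest positive value dominates
      // (e.g. enumerators {-1, 128}: 8 bits reported, 9 required), which
      // let a conversion to an 8-bit signed type pass without a truncation
      // warning.
      return IntRange(std::max(NumPositive + 1, NumNegative), false);
    }

    const BuiltinType *BT = cast<BuiltinType>(T);
    assert(BT->isInteger());

    return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger());
  }

  /// Returns the "target" range of a canonical integral type, i.e.
  /// the range of values expressible in the type.
  ///
  /// This matches forValueOfCanonicalType except that enums have the
  /// full range of their type, not the range of their enumerators.
  static IntRange forTargetOfCanonicalType(ASTContext &C, const Type *T) {
    assert(T->isCanonicalUnqualified());

    if (const VectorType *VT = dyn_cast<VectorType>(T))
      T = VT->getElementType().getTypePtr();
    if (const ComplexType *CT = dyn_cast<ComplexType>(T))
      T = CT->getElementType().getTypePtr();
    if (const EnumType *ET = dyn_cast<EnumType>(T))
      T = C.getCanonicalType(ET->getDecl()->getIntegerType()).getTypePtr();

    const BuiltinType *BT = cast<BuiltinType>(T);
    assert(BT->isInteger());

    return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger());
  }

  /// Returns the supremum of two ranges: i.e. their conservative merge.
  /// NOTE(review): joining a NonNegative range with a signed one keeps the
  /// larger Width as-is, so the unsigned side's extra sign bit is not
  /// accounted for (the same one-bit effect as the enum case above); left
  /// unchanged here -- verify whether consumers rely on it.
  static IntRange join(IntRange L, IntRange R) {
    return IntRange(std::max(L.Width, R.Width),
                    L.NonNegative && R.NonNegative);
  }

  /// Returns the infimum of two ranges: i.e. their aggressive merge.
  static IntRange meet(IntRange L, IntRange R) {
    return IntRange(std::min(L.Width, R.Width),
                    L.NonNegative || R.NonNegative);
  }
};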
03532 
/// Range of a single integer constant.  A negative signed value is reported
/// in its minimal two's-complement width (and is not truncated); any other
/// value is treated as non-negative, narrowed in place to MaxWidth if wider,
/// and measured by its active bits.
///
/// \param value  may be modified (truncated) by this call
/// \param MaxWidth the width the value will eventually be stored in
static IntRange GetValueRange(ASTContext &C, llvm::APSInt &value,
                              unsigned MaxWidth) {
  const bool IsNegative = value.isSigned() && value.isNegative();
  if (IsNegative)
    return IntRange(value.getMinSignedBits(), false);

  // Clamp to the destination width before counting bits.
  if (MaxWidth < value.getBitWidth())
    value = value.trunc(MaxWidth);

  // getActiveBits() counts from the top set bit and ignores the type's
  // signedness, which is what we want for a value already known >= 0.
  return IntRange(value.getActiveBits(), true);
}
03545 
/// Range of an evaluated constant of any integer-ish APValue shape.
/// Vectors and complex integers are folded lane by lane with IntRange::join.
/// Ty is only consulted for the remaining lvalue / address-label-difference
/// results, whose signedness APValue does not record (they arise from lossless
/// casts of "based" lvalues to intptr_t); those are assumed to use every bit.
static IntRange GetValueRange(ASTContext &C, APValue &result, QualType Ty,
                              unsigned MaxWidth) {
  if (result.isInt())
    return GetValueRange(C, result.getInt(), MaxWidth);

  if (result.isVector()) {
    // Conservative join over every lane (lane 0 is read unconditionally).
    IntRange Acc = GetValueRange(C, result.getVectorElt(0), Ty, MaxWidth);
    const unsigned NumLanes = result.getVectorLength();
    for (unsigned i = 1; i < NumLanes; ++i) {
      IntRange Lane = GetValueRange(C, result.getVectorElt(i), Ty, MaxWidth);
      Acc = IntRange::join(Acc, Lane);
    }
    return Acc;
  }

  if (result.isComplexInt()) {
    IntRange Re = GetValueRange(C, result.getComplexIntReal(), MaxWidth);
    IntRange Im = GetValueRange(C, result.getComplexIntImag(), MaxWidth);
    return IntRange::join(Re, Im);
  }

  // FIXME: The only reason we need to pass the type in here is to get
  // the sign right on this one case.  It would be nice if APValue
  // preserved this.
  assert(result.isLValue() || result.isAddrLabelDiff());
  return IntRange(MaxWidth, Ty->isUnsignedIntegerOrEnumerationType());
}
03574 
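/// Pseudo-evaluate the given integer expression, estimating the
/// range of values it might take.
///
/// The result is a (Width, NonNegative) pair: the value is claimed to fit
/// in Width bits, and NonNegative says whether it is known never to be
/// negative.  The estimate only drives diagnostics (-Wconversion and
/// -Wsign-compare), so an estimate that is too narrow is the harmful
/// direction -- it silently hides a warning -- while one that is too wide
/// at worst yields a conservative one.  Any case that is not understood
/// falls back to the full range of the expression's type.
///
/// \param C the context used for constant evaluation and type widths
/// \param E the integer-typed expression to analyze
/// \param MaxWidth - the width to which the value will be truncated
static IntRange GetExprRange(ASTContext &C, Expr *E, unsigned MaxWidth) {
  E = E->IgnoreParens();

  // Try a full evaluation first.
  Expr::EvalResult result;
  if (E->EvaluateAsRValue(result, C))
    return GetValueRange(C, result.Val, E->getType(), MaxWidth);

  // I think we only want to look through implicit casts here; if the
  // user has an explicit widening cast, we should treat the value as
  // being of the new, wider type.
  if (ImplicitCastExpr *CE = dyn_cast<ImplicitCastExpr>(E)) {
    if (CE->getCastKind() == CK_NoOp || CE->getCastKind() == CK_LValueToRValue)
      return GetExprRange(C, CE->getSubExpr(), MaxWidth);

    IntRange OutputTypeRange = IntRange::forValueOfType(C, CE->getType());

    bool isIntegerCast = (CE->getCastKind() == CK_IntegralCast);

    // Assume that non-integer casts can span the full range of the type.
    if (!isIntegerCast)
      return OutputTypeRange;

    // Never let the operand claim more bits than the cast's own type has.
    IntRange SubRange
      = GetExprRange(C, CE->getSubExpr(),
                     std::min(MaxWidth, OutputTypeRange.Width));

    // Bail out if the subexpr's range is as wide as the cast type.
    if (SubRange.Width >= OutputTypeRange.Width)
      return OutputTypeRange;

    // Otherwise, we take the smaller width, and we're non-negative if
    // either the output type or the subexpr is.
    return IntRange(SubRange.Width,
                    SubRange.NonNegative || OutputTypeRange.NonNegative);
  }

  if (ConditionalOperator *CO = dyn_cast<ConditionalOperator>(E)) {
    // If we can fold the condition, just take that operand.
    bool CondResult;
    if (CO->getCond()->EvaluateAsBooleanCondition(CondResult, C))
      return GetExprRange(C, CondResult ? CO->getTrueExpr()
                                        : CO->getFalseExpr(),
                          MaxWidth);

    // Otherwise, conservatively merge.
    IntRange L = GetExprRange(C, CO->getTrueExpr(), MaxWidth);
    IntRange R = GetExprRange(C, CO->getFalseExpr(), MaxWidth);
    return IntRange::join(L, R);
  }

  if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) {
    switch (BO->getOpcode()) {

    // Boolean-valued operations are single-bit and positive.
    case BO_LAnd:
    case BO_LOr:
    case BO_LT:
    case BO_GT:
    case BO_LE:
    case BO_GE:
    case BO_EQ:
    case BO_NE:
      return IntRange::forBoolType();

    // The type of the assignments is the type of the LHS, so the RHS
    // is not necessarily the same type.
    case BO_MulAssign:
    case BO_DivAssign:
    case BO_RemAssign:
    case BO_AddAssign:
    case BO_SubAssign:
    case BO_XorAssign:
    case BO_OrAssign:
      // TODO: bitfields?
      return IntRange::forValueOfType(C, E->getType());

    // Simple assignments just pass through the RHS, which will have
    // been coerced to the LHS type.
    case BO_Assign:
      // TODO: bitfields?
      return GetExprRange(C, BO->getRHS(), MaxWidth);

    // Operations with opaque sources are black-listed.
    case BO_PtrMemD:
    case BO_PtrMemI:
      return IntRange::forValueOfType(C, E->getType());

    // Bitwise-and uses the *infinum* of the two source ranges.
    case BO_And:
    case BO_AndAssign:
      return IntRange::meet(GetExprRange(C, BO->getLHS(), MaxWidth),
                            GetExprRange(C, BO->getRHS(), MaxWidth));

    // Left shift gets black-listed based on a judgement call.
    case BO_Shl:
      // ...except that we want to treat '1 << (blah)' as logically
      // positive.  It's an important idiom.
      if (IntegerLiteral *I
            = dyn_cast<IntegerLiteral>(BO->getLHS()->IgnoreParenCasts())) {
        if (I->getValue() == 1) {
          IntRange R = IntRange::forValueOfType(C, E->getType());
          return IntRange(R.Width, /*NonNegative*/ true);
        }
      }
      // fallthrough

    case BO_ShlAssign:
      return IntRange::forValueOfType(C, E->getType());

    // Right shift by a constant can narrow its left argument.
    case BO_Shr:
    case BO_ShrAssign: {
      IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth);

      // If the shift amount is a non-negative constant, drop the width by
      // that much.  The "shifts everything out" test is made on the APSInt
      // itself rather than on getZExtValue(), which asserts for a constant
      // wider than 64 bits; only an amount already known to be below
      // L.Width is extracted as a plain integer.
      llvm::APSInt shift;
      if (BO->getRHS()->isIntegerConstantExpr(shift, C) &&
          shift.isNonNegative()) {
        if (shift.uge(L.Width))
          L.Width = (L.NonNegative ? 0 : 1);
        else
          L.Width -= shift.getZExtValue();
      }

      return L;
    }

    // Comma acts as its right operand.
    case BO_Comma:
      return GetExprRange(C, BO->getRHS(), MaxWidth);

    // Black-list pointer subtractions.
    case BO_Sub:
      if (BO->getLHS()->getType()->isPointerType())
        return IntRange::forValueOfType(C, E->getType());
      break;

    // The width of a division result is mostly determined by the size
    // of the LHS.
    case BO_Div: {
      // Don't 'pre-truncate' the operands.
      unsigned opWidth = C.getIntWidth(E->getType());
      IntRange L = GetExprRange(C, BO->getLHS(), opWidth);

      // If the divisor is a positive constant, use that: each power of two
      // in it removes one bit from the quotient.  A zero or negative
      // constant deliberately falls through to the conservative path
      // below.  logBase2() works on the raw bit pattern, so a negative
      // divisor such as 'x / -1' -- whose result can be any value of x's
      // type -- would otherwise be reported as having nearly all of its
      // bits removed, hiding a narrowing warning.
      llvm::APSInt divisor;
      if (BO->getRHS()->isIntegerConstantExpr(divisor, C) &&
          divisor.isStrictlyPositive()) {
        unsigned log2 = divisor.logBase2(); // floor(log_2(divisor))
        if (log2 >= L.Width)
          L.Width = (L.NonNegative ? 0 : 1);
        else
          L.Width = std::min(L.Width - log2, MaxWidth);
        return L;
      }

      // Otherwise, just use the LHS's width.  The quotient is only known
      // to be non-negative when both operands are.
      IntRange R = GetExprRange(C, BO->getRHS(), opWidth);
      return IntRange(L.Width, L.NonNegative && R.NonNegative);
    }

    // The result of a remainder can't be larger than the result of
    // either side.
    case BO_Rem: {
      // Don't 'pre-truncate' the operands.
      unsigned opWidth = C.getIntWidth(E->getType());
      IntRange L = GetExprRange(C, BO->getLHS(), opWidth);
      IntRange R = GetExprRange(C, BO->getRHS(), opWidth);

      IntRange meet = IntRange::meet(L, R);
      meet.Width = std::min(meet.Width, MaxWidth);
      return meet;
    }

    // The default behavior is okay for these.
    case BO_Mul:
    case BO_Add:
    case BO_Xor:
    case BO_Or:
      break;
    }

    // The default case is to treat the operation as if it were closed
    // on the narrowest type that encompasses both operands.
    IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth);
    IntRange R = GetExprRange(C, BO->getRHS(), MaxWidth);
    return IntRange::join(L, R);
  }

  if (UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) {
    switch (UO->getOpcode()) {
    // Boolean-valued operations are white-listed.
    case UO_LNot:
      return IntRange::forBoolType();

    // Operations with opaque sources are black-listed.
    case UO_Deref:
    case UO_AddrOf: // should be impossible
      return IntRange::forValueOfType(C, E->getType());

    // Everything else (complement, ++/--, negation, ...) is estimated
    // from its operand.
    // NOTE(review): UO_Minus lands here too, so '-x' inherits x's
    // NonNegative flag although negating a positive value gives a
    // negative one; e.g. 'unsigned u = -uc;' with an unsigned char uc
    // is then estimated as (8 bits, non-negative) and gets no sign
    // warning.  Left as-is pending a decision on the extra warnings a
    // fix would introduce.
    default:
      return GetExprRange(C, UO->getSubExpr(), MaxWidth);
    }
  }

  // offsetof yields an opaque value of its own type.  (This used to compute
  // the range and discard it, reaching the same answer only by falling
  // through to the final return below.)
  if (isa<OffsetOfExpr>(E))
    return IntRange::forValueOfType(C, E->getType());

  // A bitfield reference is no wider than its declared bit width.
  if (FieldDecl *BitField = E->getBitField())
    return IntRange(BitField->getBitWidthValue(C),
                    BitField->getType()->isUnsignedIntegerOrEnumerationType());

  return IntRange::forValueOfType(C, E->getType());
}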
03796 
/// Estimate the range of \p E, capping the result at the width of E's
/// own type.
static IntRange GetExprRange(ASTContext &C, Expr *E) {
  const unsigned TypeWidth = C.getIntWidth(E->getType());
  return GetExprRange(C, E, TypeWidth);
}
03800 
/// Checks whether \p value survives a round trip through two floating
/// semantics unchanged: it is converted to \p Src, then to \p Tgt, and
/// the result is compared bitwise against the original.
///
/// Note the argument order used by the caller in CheckImplicitConversion:
/// it passes the *target* type's semantics as \p Src and the *source*
/// type's semantics as \p Tgt, so that the second conversion lands back in
/// the value's own semantics before the bitwise comparison (presumably
/// required by bitwiseIsEqual; the parameter names read the other way
/// round).
static bool IsSameFloatAfterCast(const llvm::APFloat &value,
                                 const llvm::fltSemantics &Src,
                                 const llvm::fltSemantics &Tgt) {
  bool losesInfo;
  llvm::APFloat roundTripped(value);
  roundTripped.convert(Src, llvm::APFloat::rmNearestTiesToEven, &losesInfo);
  roundTripped.convert(Tgt, llvm::APFloat::rmNearestTiesToEven, &losesInfo);
  return roundTripped.bitwiseIsEqual(value);
}
03815 
/// Checks whether the given value, which currently has the given
/// source semantics, has the same value when coerced through the
/// target semantics.
///
/// The value might be a vector of floats (or a complex number); every
/// component must survive the round trip for the whole to count as
/// unchanged.  See the APFloat overload for the meaning of \p Src and
/// \p Tgt.
static bool IsSameFloatAfterCast(const APValue &value,
                                 const llvm::fltSemantics &Src,
                                 const llvm::fltSemantics &Tgt) {
  if (value.isFloat())
    return IsSameFloatAfterCast(value.getFloat(), Src, Tgt);

  if (value.isVector()) {
    unsigned NumElts = value.getVectorLength();
    for (unsigned Idx = 0; Idx < NumElts; ++Idx) {
      const APValue &Elt = value.getVectorElt(Idx);
      if (!IsSameFloatAfterCast(Elt, Src, Tgt))
        return false;
    }
    return true;
  }

  assert(value.isComplexFloat());
  bool RealSame = IsSameFloatAfterCast(value.getComplexFloatReal(), Src, Tgt);
  return RealSame &&
         IsSameFloatAfterCast(value.getComplexFloatImag(), Src, Tgt);
}
03838 
03839 static void AnalyzeImplicitConversions(Sema &S, Expr *E, SourceLocation CC);
03840 
/// Is \p E a literal-looking integer constant zero?
///
/// Used by CheckTrivialUnsignedComparison to spot 'x < 0' style
/// comparisons.  Deliberately answers false for an enum constant and for
/// a zero that comes out of a macro expansion, since both are common in
/// code that is comparing against a symbolic value rather than a literal
/// zero.
static bool IsZero(Sema &S, Expr *E) {
  // Suppress cases where we are comparing against an enum constant.
  const Expr *Stripped = E->IgnoreParenImpCasts();
  if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Stripped))
    if (isa<EnumConstantDecl>(DR->getDecl()))
      return false;

  // Suppress cases where the '0' value is expanded from a macro.
  if (E->getLocStart().isMacroID())
    return false;

  llvm::APSInt Value;
  if (!E->isIntegerConstantExpr(Value, S.Context))
    return false;
  return Value == 0;
}
03855 
/// Does \p E have enumeration type once implicit integral promotions
/// (CK_IntegralCast / CK_NoOp implicit casts) are peeled off?
static bool HasEnumType(Expr *E) {
  // Strip off implicit integral promotions.
  for (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E); ICE;
       ICE = dyn_cast<ImplicitCastExpr>(E)) {
    CastKind Kind = ICE->getCastKind();
    if (Kind != CK_IntegralCast && Kind != CK_NoOp)
      break;
    E = ICE->getSubExpr();
  }

  return E->getType()->isEnumeralType();
}
03867 
/// Warn about comparisons of an unsigned value against zero whose result
/// is fixed: 'u < 0' and '0 > u' are always false, 'u >= 0' and '0 <= u'
/// always true.
///
/// Only called once the caller has established that the comparison is
/// performed in an unsigned type; the zero must pass IsZero (a literal
/// zero, not an enum constant or a macro expansion).  The diagnostic
/// reports whether the non-zero side was written as an enum.
static void CheckTrivialUnsignedComparison(Sema &S, BinaryOperator *E) {
  if (E->isValueDependent())
    return;

  Expr *LHS = E->getLHS();
  Expr *RHS = E->getRHS();
  SourceLocation OpLoc = E->getOperatorLoc();

  switch (E->getOpcode()) {
  case BO_LT:
    if (IsZero(S, RHS))
      S.Diag(OpLoc, diag::warn_lunsigned_always_true_comparison)
        << "< 0" << "false" << HasEnumType(LHS)
        << LHS->getSourceRange() << RHS->getSourceRange();
    break;

  case BO_GE:
    if (IsZero(S, RHS))
      S.Diag(OpLoc, diag::warn_lunsigned_always_true_comparison)
        << ">= 0" << "true" << HasEnumType(LHS)
        << LHS->getSourceRange() << RHS->getSourceRange();
    break;

  case BO_GT:
    if (IsZero(S, LHS))
      S.Diag(OpLoc, diag::warn_runsigned_always_true_comparison)
        << "0 >" << "false" << HasEnumType(RHS)
        << LHS->getSourceRange() << RHS->getSourceRange();
    break;

  case BO_LE:
    if (IsZero(S, LHS))
      S.Diag(OpLoc, diag::warn_runsigned_always_true_comparison)
        << "0 <=" << "true" << HasEnumType(RHS)
        << LHS->getSourceRange() << RHS->getSourceRange();
    break;

  default:
    break;
  }
}
03891 
/// Analyze the operands of the given comparison.  Implements the
/// fallback case from AnalyzeComparison: each side gets the ordinary
/// implicit-conversion analysis, anchored at the operator location.
static void AnalyzeImpConvsInComparison(Sema &S, BinaryOperator *E) {
  SourceLocation OpLoc = E->getOperatorLoc();
  AnalyzeImplicitConversions(S, E->getLHS(), OpLoc);
  AnalyzeImplicitConversions(S, E->getRHS(), OpLoc);
}
03898 
/// \brief Implements -Wsign-compare.
///
/// Walks a comparison whose operands have already been converted to a
/// common type.  Signed comparisons, and dependent or constant
/// expressions, only get their operands' implicit conversions analyzed.
/// An unsigned comparison is checked for an operand that was signed
/// before conversion and whose estimated range may actually be negative;
/// when no such operand exists, or the signed one is provably
/// non-negative, it is instead checked for the always-true/always-false
/// forms handled by CheckTrivialUnsignedComparison.
///
/// \param E the binary operator to check for warnings
static void AnalyzeComparison(Sema &S, BinaryOperator *E) {
  // The type the comparison is being performed in.
  QualType T = E->getLHS()->getType();
  assert(S.Context.hasSameUnqualifiedType(T, E->getRHS()->getType())
         && "comparison with mismatched types");

  // We don't do anything special if this isn't an unsigned integral
  // comparison:  we're only interested in integral comparisons, and
  // signed comparisons only happen in cases we don't care to warn about.
  //
  // We also don't care about value-dependent expressions or expressions
  // whose result is a constant.
  if (!T->hasUnsignedIntegerRepresentation()
      || E->isValueDependent() || E->isIntegerConstantExpr(S.Context))
    return AnalyzeImpConvsInComparison(S, E);

  // Look at the operands as written, underneath the conversions to T.
  Expr *LHS = E->getLHS()->IgnoreParenImpCasts();
  Expr *RHS = E->getRHS()->IgnoreParenImpCasts();

  // Check to see if one of the (unmodified) operands is of different
  // signedness.
  Expr *signedOperand, *unsignedOperand;
  if (LHS->getType()->hasSignedIntegerRepresentation()) {
    assert(!RHS->getType()->hasSignedIntegerRepresentation() &&
           "unsigned comparison between two signed integer expressions?");
    signedOperand = LHS;
    unsignedOperand = RHS;
  } else if (RHS->getType()->hasSignedIntegerRepresentation()) {
    signedOperand = RHS;
    unsignedOperand = LHS;
  } else {
    // Both sides were unsigned to begin with, so there is no sign mixing;
    // the comparison may still be trivially true or false.
    CheckTrivialUnsignedComparison(S, E);
    return AnalyzeImpConvsInComparison(S, E);
  }

  // Otherwise, calculate the effective range of the signed operand.
  IntRange signedRange = GetExprRange(S.Context, signedOperand);

  // Go ahead and analyze implicit conversions in the operands.  Note
  // that we skip the implicit conversions on both sides.
  AnalyzeImplicitConversions(S, LHS, E->getOperatorLoc());
  AnalyzeImplicitConversions(S, RHS, E->getOperatorLoc());

  // If the signed range is non-negative, -Wsign-compare won't fire,
  // but we should still check for comparisons which are always true
  // or false.
  if (signedRange.NonNegative)
    return CheckTrivialUnsignedComparison(S, E);

  // For (in)equality comparisons, if the unsigned operand is a
  // constant which cannot collide with a overflowed signed operand,
  // then reinterpreting the signed operand as unsigned will not
  // change the result of the comparison.
  if (E->isEqualityOp()) {
    unsigned comparisonWidth = S.Context.getIntWidth(T);
    IntRange unsignedRange = GetExprRange(S.Context, unsignedOperand);

    // We should never be unable to prove that the unsigned operand is
    // non-negative.
    assert(unsignedRange.NonNegative && "unsigned range includes negative?");

    // A negative value reinterpreted in T has its top bit set, i.e. uses
    // all comparisonWidth bits, so an unsigned operand known to fit in
    // fewer bits can never be equal to it; no warning is needed.
    if (unsignedRange.Width < comparisonWidth)
      return;
  }

  // Reported through DiagRuntimeBehavior rather than Diag, presumably so
  // the warning can be dropped for code that is known not to execute --
  // see Sema::DiagRuntimeBehavior.
  S.DiagRuntimeBehavior(E->getOperatorLoc(), E,
    S.PDiag(diag::warn_mixed_sign_comparison)
      << LHS->getType() << RHS->getType()
      << LHS->getSourceRange() << RHS->getSourceRange());
}
03972 
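/// Analyzes an attempt to assign the given value to a bitfield.
///
/// Only constant initializers are examined: the value is truncated to the
/// field's width, re-extended with the field's signedness, and compared
/// with the original.  A difference is reported as
/// warn_impcast_bitfield_precision_constant, naming both values.
///
/// \param Bitfield the field being stored to; must be a bitfield
/// \param Init the stored expression, possibly wrapped in implicit casts
/// \param InitLoc where the diagnostic is attached
///
/// Returns true if there was something fishy about the attempt.
static bool AnalyzeBitFieldAssignment(Sema &S, FieldDecl *Bitfield, Expr *Init,
                                      SourceLocation InitLoc) {
  assert(Bitfield->isBitField());
  if (Bitfield->isInvalidDecl())
    return false;

  // White-list bool bitfields.
  if (Bitfield->getType()->isBooleanType())
    return false;

  // Ignore value- or type-dependent expressions.
  if (Bitfield->getBitWidth()->isValueDependent() ||
      Bitfield->getBitWidth()->isTypeDependent() ||
      Init->isValueDependent() ||
      Init->isTypeDependent())
    return false;

  // Look at the initializer before any implicit conversion to the field's
  // type, so the diagnostic names the value and type the user wrote.
  Expr *OriginalInit = Init->IgnoreParenImpCasts();

  llvm::APSInt Value;
  if (!OriginalInit->EvaluateAsInt(Value, S.Context, Expr::SE_AllowSideEffects))
    return false;

  unsigned OriginalWidth = Value.getBitWidth();
  unsigned FieldWidth = Bitfield->getBitWidthValue(S.Context);

  // Nothing can be lost when the field is at least as wide as the value.
  if (OriginalWidth <= FieldWidth)
    return false;

  // Compute the value which the bitfield will contain.
  llvm::APSInt TruncatedValue = Value.trunc(FieldWidth);
  TruncatedValue.setIsSigned(Bitfield->getType()->isSignedIntegerType());

  // Check whether the stored value is equal to the original value.
  //
  // Value carries the signedness of the initializer's own type while
  // TruncatedValue carries the field's, and the two need not agree
  // (e.g. 's.x = 5u' into an 'int' bitfield).  APSInt::operator== asserts
  // on a signedness mismatch, so the comparison is made on a copy that
  // adopts Value's signedness; what is being compared is the bit pattern
  // at OriginalWidth either way.
  TruncatedValue = TruncatedValue.extend(OriginalWidth);
  llvm::APSInt StoredAsOriginal = TruncatedValue;
  StoredAsOriginal.setIsSigned(Value.isSigned());
  if (Value == StoredAsOriginal)
    return false;

  // Special-case bitfields of width 1: booleans are naturally 0/1, and
  // therefore don't strictly fit into a signed bitfield of width 1.
  if (FieldWidth == 1 && Value == 1)
    return false;

  // TruncatedValue keeps the field's signedness so it prints the way the
  // field will read back.
  std::string PrettyValue = Value.toString(10);
  std::string PrettyTrunc = TruncatedValue.toString(10);

  S.Diag(InitLoc, diag::warn_impcast_bitfield_precision_constant)
    << PrettyValue << PrettyTrunc << OriginalInit->getType()
    << Init->getSourceRange();

  return true;
}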
04028 
/// Analyze the given simple or compound assignment for warning-worthy
/// operations.
///
/// The LHS always gets the ordinary implicit-conversion analysis.  A store
/// to a bitfield is first run through AnalyzeBitFieldAssignment; when that
/// reports something, the RHS is analyzed with its implicit conversions
/// stripped (presumably so the narrowing is not also reported as a plain
/// integer conversion), otherwise the RHS is analyzed as written.
static void AnalyzeAssignment(Sema &S, BinaryOperator *E) {
  Expr *LHS = E->getLHS();
  Expr *RHS = E->getRHS();
  SourceLocation OpLoc = E->getOperatorLoc();

  // Just recurse on the LHS.
  AnalyzeImplicitConversions(S, LHS, OpLoc);

  // We want to recurse on the RHS as normal unless we're assigning to
  // a bitfield and the bitfield check already fired.
  FieldDecl *Bitfield = LHS->getBitField();
  bool Fishy = Bitfield && AnalyzeBitFieldAssignment(S, Bitfield, RHS, OpLoc);

  Expr *RHSToAnalyze = Fishy ? RHS->IgnoreParenImpCasts() : RHS;
  AnalyzeImplicitConversions(S, RHSToAnalyze, OpLoc);
}
04048 
/// Diagnose an implicit cast;  purely a helper for CheckImplicitConversion.
///
/// \param SourceType the type reported as the cast's source (it may differ
///   from E's own type: in C an enum constant is reported with its
///   enumeration type)
/// \param T the target type
/// \param CContext the conversion-context location, reported as a range
/// \param diag the diagnostic id to emit
/// \param pruneControlFlow when true, emit through DiagRuntimeBehavior
///   (presumably so the warning is dropped in code known not to execute;
///   see Sema::DiagRuntimeBehavior), otherwise through Diag directly
static void DiagnoseImpCast(Sema &S, Expr *E, QualType SourceType, QualType T, 
                            SourceLocation CContext, unsigned diag,
                            bool pruneControlFlow = false) {
  SourceLocation Loc = E->getExprLoc();
  if (!pruneControlFlow) {
    S.Diag(Loc, diag)
      << SourceType << T << E->getSourceRange() << SourceRange(CContext);
    return;
  }
  S.DiagRuntimeBehavior(Loc, E,
                        S.PDiag(diag)
                          << SourceType << T << E->getSourceRange()
                          << SourceRange(CContext));
}
04063 
/// Diagnose an implicit cast;  purely a helper for CheckImplicitConversion.
/// Convenience overload that reports E's own type as the source type.
static void DiagnoseImpCast(Sema &S, Expr *E, QualType T,
                            SourceLocation CContext, unsigned diag,
                            bool pruneControlFlow = false) {
  QualType SourceType = E->getType();
  DiagnoseImpCast(S, E, SourceType, T, CContext, diag, pruneControlFlow);
}
04070 
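/// Diagnose an implicit cast from a floating literal to an integer type.
/// Does not warn when the cast wouldn't lose information.
///
/// The literal is converted toward zero into an integer of T's width and
/// signedness; an exact conversion is silent.  Otherwise the warning shows
/// the literal and the value it becomes -- for a bool target that is the
/// truth value of the literal, for any other integer its truncated value.
///
/// \param FL the literal being converted (the caller strips a leading
///   unary minus/plus before getting here, so this is the unsigned
///   magnitude as written)
/// \param T the integer target type
/// \param CContext the conversion-context location, reported as a range
void DiagnoseFloatingLiteralImpCast(Sema &S, FloatingLiteral *FL, QualType T,
                                    SourceLocation CContext) {
  // Try to convert the literal exactly to an integer. If we can, don't warn.
  bool isExact = false;
  const llvm::APFloat &Value = FL->getValue();
  llvm::APSInt IntegerValue(S.Context.getIntWidth(T),
                            T->hasUnsignedIntegerRepresentation());
  if (Value.convertToInteger(IntegerValue,
                             llvm::APFloat::rmTowardZero, &isExact)
      == llvm::APFloat::opOK && isExact)
    return;

  SmallString<16> PrettySourceValue;
  Value.toString(PrettySourceValue);
  SmallString<16> PrettyTargetValue;
  if (T->isSpecificBuiltinType(BuiltinType::Bool))
    // Conversion to bool tests the float against zero, not its truncated
    // integer part: 0.5 becomes true.  Decide from the float itself rather
    // than from IntegerValue, which holds 0 for every literal below 1.
    PrettyTargetValue = Value.isZero() ? "false" : "true";
  else
    IntegerValue.toString(PrettyTargetValue);

  S.Diag(FL->getExprLoc(), diag::warn_impcast_literal_float_to_integer)
    << FL->getType() << T.getUnqualifiedType() << PrettySourceValue
    << PrettyTargetValue << FL->getSourceRange() << SourceRange(CContext);
}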
04097 
/// Render \p Value as it would read after being narrowed to \p Range:
/// truncated to Range.Width bits and printed in base 10 with the range's
/// signedness.  A zero-width range can only hold 0.
///
/// The truncation assumes Range.Width is no larger than Value's width;
/// the caller only uses this when the source is wider than the target.
std::string PrettyPrintInRange(const llvm::APSInt &Value, IntRange Range) {
  if (Range.Width == 0)
    return "0";

  llvm::APSInt Narrowed(Value);
  Narrowed.setIsSigned(!Range.NonNegative);
  return Narrowed.trunc(Range.Width).toString(10);
}
04106 
/// Check one implicit conversion of \p E to type \p T and emit the
/// matching -Wconversion-family diagnostic, if any.
///
/// In order of what is examined: conversions to bool from a string
/// literal or a (non-weak) function; vector and complex types, which are
/// unwrapped to their element types; floating-point sources (loss of FP
/// rank, or any float-to-integer conversion); then integer-to-integer
/// conversions (a GNU null constant, loss of width, a sign change, and
/// conversions between two different named enumerations).  Most of the
/// integer and FP warnings are suppressed when the conversion context
/// lies inside a system macro.
///
/// \param E the expression being converted; its type is the source type
/// \param T the target type of the conversion
/// \param CC the location of the conversion context, used for the
///   diagnostic's range and for the system-macro checks
/// \param ICContext when non-null, the caller is checking an arm of a
///   conditional operator: a sign-change warning is then emitted as
///   warn_impcast_integer_sign_conditional and *ICContext is set to true
void CheckImplicitConversion(Sema &S, Expr *E, QualType T,
                             SourceLocation CC, bool *ICContext = 0) {
  if (E->isTypeDependent() || E->isValueDependent()) return;

  // Compare canonical types so typedefs and qualifiers do not count as a
  // conversion.
  const Type *Source = S.Context.getCanonicalType(E->getType()).getTypePtr();
  const Type *Target = S.Context.getCanonicalType(T).getTypePtr();
  if (Source == Target) return;
  if (Target->isDependentType()) return;

  // If the conversion context location is invalid don't complain. We also
  // don't want to emit a warning if the issue occurs from the expansion of
  // a system macro. The problem is that 'getSpellingLoc()' is slow, so we
  // delay this check as long as possible. Once we detect we are in that
  // scenario, we just return.
  if (CC.isInvalid())
    return;

  // Diagnose implicit casts to bool.
  if (Target->isSpecificBuiltinType(BuiltinType::Bool)) {
    if (isa<StringLiteral>(E))
      // Warn on string literal to bool.  Checks for string literals in logical
      // expressions, for instances, assert(0 && "error here"), is prevented
      // by a check in AnalyzeImplicitConversions().
      return DiagnoseImpCast(S, E, T, CC,
                             diag::warn_impcast_string_literal_to_bool);
    if (Source->isFunctionType()) {
      // Warn on function to bool. Checks free functions and static member
      // functions. Weakly imported functions are excluded from the check,
      // since it's common to test their value to check whether the linker
      // found a definition for them.
      ValueDecl *D = 0;
      if (DeclRefExpr* R = dyn_cast<DeclRefExpr>(E)) {
        D = R->getDecl();
      } else if (MemberExpr *M = dyn_cast<MemberExpr>(E)) {
        D = M->getMemberDecl();
      }

      // A weak function, a non-function decl, or an expression of neither
      // form above falls through; the later checks all require integer or
      // FP types, so nothing else is reported for a function source.
      if (D && !D->isWeak()) {
        if (FunctionDecl* F = dyn_cast<FunctionDecl>(D)) {
          S.Diag(E->getExprLoc(), diag::warn_impcast_function_to_bool)
            << F << E->getSourceRange() << SourceRange(CC);
          S.Diag(E->getExprLoc(), diag::note_function_to_bool_silence)
            << FixItHint::CreateInsertion(E->getExprLoc(), "&");
          // Offer a "()" fix-it only when calling the function would
          // itself yield a bool, i.e. a call was plausibly intended.
          QualType ReturnType;
          UnresolvedSet<4> NonTemplateOverloads;
          S.isExprCallable(*E, ReturnType, NonTemplateOverloads);
          if (!ReturnType.isNull() 
              && ReturnType->isSpecificBuiltinType(BuiltinType::Bool))
            S.Diag(E->getExprLoc(), diag::note_function_to_bool_call)
              << FixItHint::CreateInsertion(
                 S.getPreprocessor().getLocForEndOfToken(E->getLocEnd()), "()");
          return;
        }
      }
    }
  }

  // Strip vector types.
  if (isa<VectorType>(Source)) {
    if (!isa<VectorType>(Target)) {
      if (S.SourceMgr.isInSystemMacro(CC))
        return;
      return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_vector_scalar);
    }
    
    // If the vector cast is cast between two vectors of the same size, it is
    // a bitcast, not a conversion.
    if (S.Context.getTypeSize(Source) == S.Context.getTypeSize(Target))
      return;

    // Different sizes: analyze the element conversion instead.
    Source = cast<VectorType>(Source)->getElementType().getTypePtr();
    Target = cast<VectorType>(Target)->getElementType().getTypePtr();
  }

  // Strip complex types.
  if (isa<ComplexType>(Source)) {
    if (!isa<ComplexType>(Target)) {
      if (S.SourceMgr.isInSystemMacro(CC))
        return;

      return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_complex_scalar);
    }

    Source = cast<ComplexType>(Source)->getElementType().getTypePtr();
    Target = cast<ComplexType>(Target)->getElementType().getTypePtr();
  }

  const BuiltinType *SourceBT = dyn_cast<BuiltinType>(Source);
  const BuiltinType *TargetBT = dyn_cast<BuiltinType>(Target);

  // If the source is floating point...
  if (SourceBT && SourceBT->isFloatingPoint()) {
    // ...and the target is floating point...
    if (TargetBT && TargetBT->isFloatingPoint()) {
      // ...then warn if we're dropping FP rank.

      // Builtin FP kinds are ordered by increasing FP rank.
      if (SourceBT->getKind() > TargetBT->getKind()) {
        // Don't warn about float constants that are precisely
        // representable in the target type.
        Expr::EvalResult result;
        if (E->EvaluateAsRValue(result, S.Context)) {
          // Value might be a float, a float vector, or a float complex.
          // The argument order is deliberate: IsSameFloatAfterCast converts
          // to its first semantics and then to its second before comparing
          // with the original, so passing (Target, Source) performs the
          // source -> target -> source round trip.
          if (IsSameFloatAfterCast(result.Val,
                   S.Context.getFloatTypeSemantics(QualType(TargetBT, 0)),
                   S.Context.getFloatTypeSemantics(QualType(SourceBT, 0))))
            return;
        }

        if (S.SourceMgr.isInSystemMacro(CC))
          return;

        DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_precision);
      }
      return;
    }

    // If the target is integral, always warn.    
    if (TargetBT && TargetBT->isInteger()) {
      if (S.SourceMgr.isInSystemMacro(CC))
        return;
      
      Expr *InnerE = E->IgnoreParenImpCasts();
      // We also want to warn on, e.g., "int i = -1.234"
      // Note that the sign is dropped here: the literal handed to
      // DiagnoseFloatingLiteralImpCast (and printed in the warning) is
      // the magnitude, and the exactness test is made on the magnitude.
      if (UnaryOperator *UOp = dyn_cast<UnaryOperator>(InnerE))
        if (UOp->getOpcode() == UO_Minus || UOp->getOpcode() == UO_Plus)
          InnerE = UOp->getSubExpr()->IgnoreParenImpCasts();

      if (FloatingLiteral *FL = dyn_cast<FloatingLiteral>(InnerE)) {
        DiagnoseFloatingLiteralImpCast(S, FL, T, CC);
      } else {
        DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_float_integer);
      }
    }

    return;
  }

  // Everything below is integer -> integer.
  if (!Source->isIntegerType() || !Target->isIntegerType())
    return;

  // GNU __null used as an integer: report it at the null's own spelling
  // when that is not a macro (or when the context itself is one) and
  // offer a plain zero literal of the target type as the fix-it.  The
  // Target->isIntegerType() test is already guaranteed by the check above.
  if ((E->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNotNull)
           == Expr::NPCK_GNUNull) && Target->isIntegerType()) {
    SourceLocation Loc = E->getSourceRange().getBegin();
    if (Loc.isMacroID())
      Loc = S.SourceMgr.getImmediateExpansionRange(Loc).first;
    if (!Loc.isMacroID() || CC.isMacroID())
      S.Diag(Loc, diag::warn_impcast_null_pointer_to_integer)
          << T << clang::SourceRange(CC)
          << FixItHint::CreateReplacement(Loc, S.getFixItZeroLiteralForType(T));
    return;
  }

  // TODO: remove this early return once the false positives for constant->bool
  // in templates, macros, etc, are reduced or removed.
  if (Target->isSpecificBuiltinType(BuiltinType::Bool))
    return;

  // Estimated range of the value versus the range the target can hold.
  IntRange SourceRange = GetExprRange(S.Context, E);
  IntRange TargetRange = IntRange::forTargetOfCanonicalType(S.Context, Target);

  if (SourceRange.Width > TargetRange.Width) {
    // If the source is a constant, use a default-on diagnostic.
    // TODO: this should happen for bitfield stores, too.
    // (The initial width of Value is irrelevant; isIntegerConstantExpr
    // resizes it to the expression's type.)
    llvm::APSInt Value(32);
    if (E->isIntegerConstantExpr(Value, S.Context)) {
      if (S.SourceMgr.isInSystemMacro(CC))
        return;

      std::string PrettySourceValue = Value.toString(10);
      std::string PrettyTargetValue = PrettyPrintInRange(Value, TargetRange);

      S.DiagRuntimeBehavior(E->getExprLoc(), E,
        S.PDiag(diag::warn_impcast_integer_precision_constant)
            << PrettySourceValue << PrettyTargetValue
            << E->getType() << T << E->getSourceRange()
            << clang::SourceRange(CC));
      return;
    }

    // People want to build with -Wshorten-64-to-32 and not -Wconversion.
    if (S.SourceMgr.isInSystemMacro(CC))
      return;
    
    // The 64->32 group is keyed on the source *type's* width, not on the
    // estimated SourceRange.Width.
    if (TargetRange.Width == 32 && S.Context.getIntWidth(E->getType()) == 64)
      return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_64_32,
                             /* pruneControlFlow */ true);
    return DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_integer_precision);
  }

  // Sign change: either the target is unsigned and the source may be
  // negative, or the target is signed and a non-negative source of the
  // same width may have its top bit set (and so read back as negative).
  if ((TargetRange.NonNegative && !SourceRange.NonNegative) ||
      (!TargetRange.NonNegative && SourceRange.NonNegative &&
       SourceRange.Width == TargetRange.Width)) {
        
    if (S.SourceMgr.isInSystemMacro(CC))
      return;

    unsigned DiagID = diag::warn_impcast_integer_sign;

    // Traditionally, gcc has warned about this under -Wsign-compare.
    // We also want to warn about it in -Wconversion.
    // So if -Wconversion is off, use a completely identical diagnostic
    // in the sign-compare group.
    // The conditional-checking code will read *ICContext afterwards
    // (in CheckConditionalOperator, not visible here) -- presumably to
    // decide how to report the conditional as a whole; confirm there.
    if (ICContext) {
      DiagID = diag::warn_impcast_integer_sign_conditional;
      *ICContext = true;
    }

    return DiagnoseImpCast(S, E, T, CC, DiagID);
  }

  // Diagnose conversions between different enumeration types.
  // In C, we pretend that the type of an EnumConstantDecl is its enumeration
  // type, to give us better diagnostics.
  QualType SourceType = E->getType();
  if (!S.getLangOpts().CPlusPlus) {
    if (DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E))
      if (EnumConstantDecl *ECD = dyn_cast<EnumConstantDecl>(DRE->getDecl())) {
        EnumDecl *Enum = cast<EnumDecl>(ECD->getDeclContext());
        SourceType = S.Context.getTypeDeclType(Enum);
        Source = S.Context.getCanonicalType(SourceType).getTypePtr();
      }
  }
  
  // Only enumerations that have a name (directly or via a typedef of an
  // anonymous enum) on both sides are reported, and only when they are
  // two distinct enumerations.
  if (const EnumType *SourceEnum = Source->getAs<EnumType>())
    if (const EnumType *TargetEnum = Target->getAs<EnumType>())
      if ((SourceEnum->getDecl()->getIdentifier() || 
           SourceEnum->getDecl()->getTypedefNameForAnonDecl()) &&
          (TargetEnum->getDecl()->getIdentifier() ||
           TargetEnum->getDecl()->getTypedefNameForAnonDecl()) &&
          SourceEnum != TargetEnum) {
        if (S.SourceMgr.isInSystemMacro(CC))
          return;

        return DiagnoseImpCast(S, E, SourceType, T, CC, 
                               diag::warn_impcast_different_enum_types);
      }
  
  return;
}
04348 
/// Forward declaration: CheckConditionalOperator and CheckConditionalOperand
/// (below) are mutually recursive, since an arm of a conditional operator
/// may itself be a conditional operator.
void CheckConditionalOperator(Sema &S, ConditionalOperator *E,
                              SourceLocation CC, QualType T);
04351 
/// Analyze one arm of a conditional operator as if it were converted
/// directly to the context type \p T.  A nested conditional is handled
/// recursively; otherwise the arm is analyzed on its own and, when its type
/// differs from \p T, the implicit conversion is checked with \p ICContext
/// as the "suspicious signedness conversion" flag.
void CheckConditionalOperand(Sema &S, Expr *E, QualType T,
                             SourceLocation CC, bool &ICContext) {
  Expr *Arm = E->IgnoreParenImpCasts();

  // A nested conditional feeds its own arms into the same context.
  if (ConditionalOperator *Nested = dyn_cast<ConditionalOperator>(Arm))
    return CheckConditionalOperator(S, Nested, CC, T);

  AnalyzeImplicitConversions(S, Arm, CC);
  if (Arm->getType() == T)
    return;
  CheckImplicitConversion(S, Arm, T, CC, &ICContext);
}
04364 
/// Analyze the operands of a conditional operator whose result is used in a
/// context of type \p T.  Implements the -Wsign-compare fallback for the
/// signedness conversions that -Wconversion would have reported.
void CheckConditionalOperator(Sema &S, ConditionalOperator *E,
                              SourceLocation CC, QualType T) {
  AnalyzeImplicitConversions(S, E->getCond(), CC);

  // Did either arm need a suspicious signedness conversion to T?
  bool ArmIsSuspicious = false;
  CheckConditionalOperand(S, E->getTrueExpr(), T, CC, ArmIsSuspicious);
  CheckConditionalOperand(S, E->getFalseExpr(), T, CC, ArmIsSuspicious);
  if (!ArmIsSuspicious)
    return;

  // If the -Wconversion-style diagnostic is enabled at this location it has
  // already done its job; the fallback below is only for the ignored case.
  if (S.Diags.getDiagnosticLevel(diag::warn_impcast_integer_sign_conditional,
                                 CC) != DiagnosticsEngine::Ignored)
    return;

  // Nothing further to check when the conditional already has type T.
  if (E->getType() == T)
    return;

  // Otherwise see whether converting either arm to the conditional's own
  // type would have warned; the second arm is only tried if the first
  // was not suspicious.
  ArmIsSuspicious = false;
  Expr *TrueArm = E->getTrueExpr()->IgnoreParenImpCasts();
  CheckImplicitConversion(S, TrueArm, E->getType(), CC, &ArmIsSuspicious);
  if (ArmIsSuspicious)
    return;
  Expr *FalseArm = E->getFalseExpr()->IgnoreParenImpCasts();
  CheckImplicitConversion(S, FalseArm, E->getType(), CC, &ArmIsSuspicious);
}
04393 
/// AnalyzeImplicitConversions - Find and report any interesting implicit
/// conversions in the given expression, then recurse into its children.
/// Two diagnostic groups compete here, -Wconversion and -Wsign-compare.
///
/// \param OrigE the expression to analyze; its type is the context type for
///   the implicit conversion stripped from it.
/// \param CC the location of the syntactic entity requiring the conversion.
void AnalyzeImplicitConversions(Sema &S, Expr *OrigE, SourceLocation CC) {
  const QualType ContextType = OrigE->getType();
  Expr *E = OrigE->IgnoreParenImpCasts();

  // Nothing useful can be said about dependent expressions.
  if (E->isTypeDependent() || E->isValueDependent())
    return;

  // Conditional operators: treat each arm as if it were converted directly
  // to the result type.
  if (ConditionalOperator *CO = dyn_cast<ConditionalOperator>(E)) {
    CheckConditionalOperator(S, CO, CC, ContextType);
    return;
  }

  // Report the implicit conversion we just stripped, if any.  The
  // non-canonical type comparison is only a shortcut; CheckImplicitConversion
  // discards conversions that do nothing.
  if (E->getType() != ContextType)
    CheckImplicitConversion(S, E, ContextType, CC);

  // Explicit casts are looked through: analyze what is being cast instead.
  if (ExplicitCastExpr *Cast = dyn_cast<ExplicitCastExpr>(E)) {
    Expr *Operand = Cast->getSubExpr()->IgnoreParenImpCasts();
    AnalyzeImplicitConversions(S, Operand, CC);
    return;
  }

  BinaryOperator *BO = dyn_cast<BinaryOperator>(E);
  if (BO) {
    // Comparisons and plain assignments have dedicated analyses.
    if (BO->isComparisonOp()) {
      AnalyzeComparison(S, BO);
      return;
    }
    if (BO->getOpcode() == BO_Assign) {
      AnalyzeAssignment(S, BO);
      return;
    }
  }

  // Statement expressions were analyzed when their statements were built,
  // and unevaluated operands (sizeof and friends) are not worth descending
  // into; both would also break the child-recursion invariant below.
  if (isa<StmtExpr>(E) || isa<UnaryExprOrTypeTraitExpr>(E))
    return;

  // Recurse into the children, with this expression as the new context.
  CC = E->getExprLoc();
  const bool SkipStringLiterals = BO && BO->isLogicalOp();
  for (Stmt::child_range Child = E->children(); Child; ++Child) {
    Expr *ChildExpr = dyn_cast_or_null<Expr>(*Child);
    if (!ChildExpr)
      continue;
    // String literals used as operands of && / || are deliberately ignored.
    if (SkipStringLiterals &&
        isa<StringLiteral>(ChildExpr->IgnoreParenImpCasts()))
      continue;
    AnalyzeImplicitConversions(S, ChildExpr, CC);
  }
}
04461 
04462 } // end anonymous namespace
04463 
/// Diagnoses "dangerous" implicit conversions within the given
/// expression (which is a full expression).  Implements -Wconversion
/// and -Wsign-compare.
///
/// \param CC the "context" location of the implicit conversion, i.e.
///   the location of the syntactic entity requiring the implicit
///   conversion
void Sema::CheckImplicitConversions(Expr *E, SourceLocation CC) {
  // Neither unevaluated operands nor dependent expressions are diagnosed.
  const bool InUnevaluatedContext =
      ExprEvalContexts.back().Context == Sema::Unevaluated;
  if (InUnevaluatedContext || E->isTypeDependent() || E->isValueDependent())
    return;

  // Array-bounds checks for expressions that no other check reaches, e.g.
  // an ArraySubscriptExpr on the right-hand side of a variable
  // initialization (BinaryOperators are handled elsewhere).
  CheckArrayAccess(E);

  // Note: for a variable initialization this is not the ideal CC.
  AnalyzeImplicitConversions(*this, E, CC);
}
04488 
/// Run the bit-field assignment analysis on a bit-field's initializer.
/// The analysis' boolean result is not needed here and is discarded.
void Sema::CheckBitFieldInitialization(SourceLocation InitLoc,
                                       FieldDecl *BitField,
                                       Expr *Init) {
  static_cast<void>(AnalyzeBitFieldAssignment(*this, BitField, Init, InitLoc));
}
04494 
/// CheckParmsForFunctionDef - Check that the parameters of the given
/// function are appropriate for the definition of a function.  This
/// covers the checks that cannot be performed on the declaration itself,
/// e.g. that the type of each parameter is complete.
///
/// \param P, PEnd the parameter range to check.
/// \param CheckParameterNames whether unnamed parameters are an error
///   (C only; C++ permits them).
/// \returns true if any parameter was newly marked invalid.
bool Sema::CheckParmsForFunctionDef(ParmVarDecl **P, ParmVarDecl **PEnd,
                                    bool CheckParameterNames) {
  bool HasInvalidParm = false;
  for (ParmVarDecl **It = P; It != PEnd; ++It) {
    ParmVarDecl *Param = *It;

    // C99 6.7.5.3p4 / C++ [dcl.fct]p6: the parameters of a function
    // declarator that is part of a definition shall not have incomplete
    // type.  Parameters already marked invalid are left alone.
    if (!Param->isInvalidDecl() &&
        RequireCompleteType(Param->getLocation(), Param->getType(),
                            diag::err_typecheck_decl_incomplete_type)) {
      Param->setInvalidDecl();
      HasInvalidParm = true;
    }

    // C99 6.9.1p5: if the declarator includes a parameter type list, the
    // declaration of each parameter shall include an identifier.
    if (CheckParameterNames &&
        !Param->getIdentifier() &&
        !Param->isImplicit() &&
        !getLangOpts().CPlusPlus)
      Diag(Param->getLocation(), diag::err_parameter_name_omitted);

    // C99 6.7.5.3p12: the [*] size notation is permitted only in function
    // declarators that are not part of a definition.
    QualType DeclaredType = Param->getOriginalType();
    const ArrayType *AT = Context.getAsArrayType(DeclaredType);
    if (AT && AT->getSizeModifier() == ArrayType::Star) {
      // FIXME: This diagnostic should point at the '[*]' once source-location
      // information is recorded for it.
      Diag(Param->getLocation(), diag::err_array_star_in_function_definition);
    }
  }

  return HasInvalidParm;
}
04543 
/// CheckCastAlign - Implements -Wcast-align, which warns when a
/// pointer cast increases the alignment requirements.
///
/// \param Op the operand being cast.
/// \param T the destination type.
/// \param TRange the source range of the written destination type.
void Sema::CheckCastAlign(Expr *Op, QualType T, SourceRange TRange) {
  // The work below is too much to do for every cast when the warning is
  // off (the default), so bail out early in that case.
  if (getDiagnostics().getDiagnosticLevel(diag::warn_cast_align,
                                          TRange.getBegin())
        == DiagnosticsEngine::Ignored)
    return;

  QualType SrcType = Op->getType();
  if (T->isDependentType() || SrcType->isDependentType())
    return;

  // The destination must be a pointer to a complete type with alignment
  // greater than one; cv void* (alignment 1) is thereby accepted.
  const PointerType *DestPtr = T->getAs<PointerType>();
  if (!DestPtr)
    return;
  QualType DestPointee = DestPtr->getPointeeType();
  if (DestPointee->isIncompleteType())
    return;
  CharUnits DestAlign = Context.getTypeAlignInChars(DestPointee);
  if (DestAlign.isOne())
    return;

  // The source must be a pointer too.  Casts from cv void* and from other
  // incomplete pointee types are accepted, since their alignment cannot be
  // compared.
  const PointerType *SrcPtr = SrcType->getAs<PointerType>();
  if (!SrcPtr)
    return;
  QualType SrcPointee = SrcPtr->getPointeeType();
  if (SrcPointee->isIncompleteType())
    return;

  // Only an increase in alignment is worth reporting.
  CharUnits SrcAlign = Context.getTypeAlignInChars(SrcPointee);
  if (SrcAlign >= DestAlign)
    return;

  Diag(TRange.getBegin(), diag::warn_cast_align)
    << SrcType << T
    << static_cast<unsigned>(SrcAlign.getQuantity())
    << static_cast<unsigned>(DestAlign.getQuantity())
    << TRange << Op->getSourceRange();
}
04588 
/// Return the type that indexing or pointer arithmetic on \p BaseExpr steps
/// over: the pointee type for pointers, the base element type for arrays,
/// and the expression's own type otherwise.
static const Type* getElementType(const Expr *BaseExpr) {
  const Type *BaseType = BaseExpr->getType().getTypePtr();
  if (BaseType->isAnyPointerType())
    return BaseType->getPointeeType().getTypePtr();
  if (BaseType->isArrayType())
    return BaseType->getBaseElementTypeUnsafe();
  return BaseType;
}
04597 
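/// \brief Check whether this array fits the idiom of a size-one tail padded
/// array member of a struct.
///
/// We avoid emitting out-of-bounds access warnings for such arrays as they are
/// commonly used to emulate flexible arrays in C89 code.
///
/// \param Size the element count of the array (as computed by the caller,
///   which may already have rescaled it for a cast base).
/// \param ND the declaration the array expression refers to, if any.
/// \returns true only when the exemption is clearly warranted.  Any doubt
///   about the declaration -- size not written as a literal, size coming
///   from a macro, an unexpected type location, a union member, a
///   non-standard-layout class, or not the last field -- yields false, so
///   the caller goes on to warn.
static bool IsTailPaddedMemberArray(Sema &S, llvm::APInt Size,
                                    const NamedDecl *ND) {
  if (Size != 1 || !ND) return false;

  const FieldDecl *FD = dyn_cast<FieldDecl>(ND);
  if (!FD) return false;

  // Don't consider sizes resulting from macro expansions or template argument
  // substitution to form C89 tail-padded arrays.

  TypeSourceInfo *TInfo = FD->getTypeSourceInfo();
  while (TInfo) {
    TypeLoc TL = TInfo->getTypeLoc();
    // Look through typedefs.
    const TypedefTypeLoc *TTL = dyn_cast<TypedefTypeLoc>(&TL);
    if (TTL) {
      const TypedefNameDecl *TDL = TTL->getTypedefNameDecl();
      TInfo = TDL->getTypeSourceInfo();
      continue;
    }
    // The written type may be wrapped in something other than a plain
    // constant-array type location (for instance qualifiers applied to an
    // array typedef).  The previous unconditional cast<> asserted in that
    // case and read through a wrong cast in builds without assertions; an
    // unrecognised form means we cannot verify how the size was written,
    // so do not grant the exemption.
    const ConstantArrayTypeLoc *CTLPtr = dyn_cast<ConstantArrayTypeLoc>(&TL);
    if (!CTLPtr)
      return false;
    ConstantArrayTypeLoc CTL = *CTLPtr;
    const Expr *SizeExpr = dyn_cast<IntegerLiteral>(CTL.getSizeExpr());
    if (!SizeExpr || SizeExpr->getExprLoc().isMacroID())
      return false;
    break;
  }

  // Unions and non-standard-layout classes do not follow the idiom.
  const RecordDecl *RD = dyn_cast<RecordDecl>(FD->getDeclContext());
  if (!RD) return false;
  if (RD->isUnion()) return false;
  if (const CXXRecordDecl *CRD = dyn_cast<CXXRecordDecl>(RD)) {
    if (!CRD->isStandardLayout()) return false;
  }

  // See if this is the last field decl in the record.
  const Decl *D = FD;
  while ((D = D->getNextDeclInContext()))
    if (isa<FieldDecl>(D))
      return false;
  return true;
}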
04644 
/// Diagnose a constant array index, or constant pointer offset, that lies
/// outside the bounds of a constant-size array (-Warray-bounds).
///
/// \param BaseExpr the indexed array, possibly behind casts.
/// \param IndexExpr the index; only indices that fold to a constant are
///   checked.
/// \param ASE the subscript expression itself, or null when the access is
///   pointer arithmetic rather than subscripting (this changes the
///   diagnostic used and enables the system-header suppression below).
/// \param AllowOnePastEnd whether an index equal to the array size is
///   acceptable (forming a one-past-the-end address).
/// \param IndexNegated whether the folded index should be negated before it
///   is compared against the size.
void Sema::CheckArrayAccess(const Expr *BaseExpr, const Expr *IndexExpr,
                            const ArraySubscriptExpr *ASE,
                            bool AllowOnePastEnd, bool IndexNegated) {
  IndexExpr = IndexExpr->IgnoreParenImpCasts();
  if (IndexExpr->isValueDependent())
    return;

  // Element type as seen through any explicit casts on the base.  It is
  // compared below against the underlying array's element type so that an
  // index applied to a reinterpreted array is measured in the right units.
  const Type *EffectiveType = getElementType(BaseExpr);
  BaseExpr = BaseExpr->IgnoreParenCasts();
  const ConstantArrayType *ArrayTy =
    Context.getAsConstantArrayType(BaseExpr->getType());
  if (!ArrayTy)
    return;

  // Only indices that fold to a constant can be checked.
  llvm::APSInt index;
  if (!IndexExpr->EvaluateAsInt(index, Context))
    return;
  if (IndexNegated)
    index = -index;

  // The declaration to name in the note, when the base is a plain variable
  // or member reference.
  const NamedDecl *ND = NULL;
  if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr))
    ND = dyn_cast<NamedDecl>(DRE->getDecl());
  if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr))
    ND = dyn_cast<NamedDecl>(ME->getMemberDecl());

  if (index.isUnsigned() || !index.isNegative()) {
    // Non-negative index: compare it against the (possibly rescaled) size.
    llvm::APInt size = ArrayTy->getSize();
    if (!size.isStrictlyPositive())
      return;

    const Type* BaseType = getElementType(BaseExpr);
    if (BaseType != EffectiveType) {
      // Make sure we're comparing apples to apples when comparing index to size
      uint64_t ptrarith_typesize = Context.getTypeSize(EffectiveType);
      uint64_t array_typesize = Context.getTypeSize(BaseType);
      // Handle ptrarith_typesize being zero, such as when casting to void*
      if (!ptrarith_typesize) ptrarith_typesize = 1;
      if (ptrarith_typesize != array_typesize) {
        // There's a cast to a different size type involved
        uint64_t ratio = array_typesize / ptrarith_typesize;
        // TODO: Be smarter about handling cases where array_typesize is not a
        // multiple of ptrarith_typesize
        if (ptrarith_typesize * ratio == array_typesize)
          size *= llvm::APInt(size.getBitWidth(), ratio);
      }
    }

    // Bring both operands to a common bit width before comparing them.
    if (size.getBitWidth() > index.getBitWidth())
      index = index.zext(size.getBitWidth());
    else if (size.getBitWidth() < index.getBitWidth())
      size = size.zext(index.getBitWidth());

    // For array subscripting the index must be less than size, but for pointer
    // arithmetic also allow the index (offset) to be equal to size since
    // computing the next address after the end of the array is legal and
    // commonly done e.g. in C++ iterators and range-based for loops.
    if (AllowOnePastEnd ? index.ule(size) : index.ult(size))
      return;

    // Also don't warn for arrays of size 1 which are members of some
    // structure. These are often used to approximate flexible arrays in C89
    // code.  Note that 'size' here may already have been rescaled above.
    if (IsTailPaddedMemberArray(*this, size, ND))
      return;

    // Suppress the warning if the subscript expression (as identified by the
    // ']' location) and the index expression are both from macro expansions
    // within a system header.
    if (ASE) {
      SourceLocation RBracketLoc = SourceMgr.getSpellingLoc(
          ASE->getRBracketLoc());
      if (SourceMgr.isInSystemHeader(RBracketLoc)) {
        SourceLocation IndexLoc = SourceMgr.getSpellingLoc(
            IndexExpr->getLocStart());
        if (SourceMgr.isFromSameFile(RBracketLoc, IndexLoc))
          return;
      }
    }

    unsigned DiagID = diag::warn_ptr_arith_exceeds_bounds;
    if (ASE)
      DiagID = diag::warn_array_index_exceeds_bounds;

    // NOTE(review): the third argument is the size saturated to 'unsigned';
    // how the diagnostic text uses it is defined in the .td file, not here.
    DiagRuntimeBehavior(BaseExpr->getLocStart(), BaseExpr,
                        PDiag(DiagID) << index.toString(10, true)
                          << size.toString(10, true)
                          << (unsigned)size.getLimitedValue(~0U)
                          << IndexExpr->getSourceRange());
  } else {
    // Negative index.  For pointer arithmetic the magnitude is reported.
    unsigned DiagID = diag::warn_array_index_precedes_bounds;
    if (!ASE) {
      DiagID = diag::warn_ptr_arith_precedes_bounds;
      if (index.isNegative()) index = -index;
    }

    DiagRuntimeBehavior(BaseExpr->getLocStart(), BaseExpr,
                        PDiag(DiagID) << index.toString(10, true)
                          << IndexExpr->getSourceRange());
  }

  if (!ND) {
    // Try harder to find a NamedDecl to point at in the note: strip nested
    // subscripts (multi-dimensional access) down to the underlying base.
    while (const ArraySubscriptExpr *ASE =
           dyn_cast<ArraySubscriptExpr>(BaseExpr))
      BaseExpr = ASE->getBase()->IgnoreParenCasts();
    if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr))
      ND = dyn_cast<NamedDecl>(DRE->getDecl());
    if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr))
      ND = dyn_cast<NamedDecl>(ME->getMemberDecl());
  }

  if (ND)
    DiagRuntimeBehavior(ND->getLocStart(), BaseExpr,
                        PDiag(diag::note_array_index_out_of_bounds)
                          << ND->getDeclName());
}
04762 
/// Entry point for -Warray-bounds on a whole expression: looks through
/// unary '&' and '*' and through conditional operators to reach an array
/// subscript, then checks it.  Whether the element's address is merely
/// taken (which makes one-past-the-end acceptable) is tracked along the way.
void Sema::CheckArrayAccess(const Expr *expr) {
  // Net number of address-of operators applied to the subscript so far; a
  // positive count means the address is taken rather than the element read.
  int AddrOfDepth = 0;
  while (expr) {
    expr = expr->IgnoreParenImpCasts();

    if (const ArraySubscriptExpr *Subscript =
            dyn_cast<ArraySubscriptExpr>(expr)) {
      CheckArrayAccess(Subscript->getBase(), Subscript->getIdx(), Subscript,
                       AddrOfDepth > 0);
      return;
    }

    if (const UnaryOperator *UO = dyn_cast<UnaryOperator>(expr)) {
      // Only the '&' and '*' operators are unwrapped; anything else ends
      // the search.
      expr = UO->getSubExpr();
      if (UO->getOpcode() == UO_AddrOf)
        ++AddrOfDepth;
      else if (UO->getOpcode() == UO_Deref)
        --AddrOfDepth;
      else
        return;
      continue;
    }

    if (const ConditionalOperator *Cond = dyn_cast<ConditionalOperator>(expr)) {
      // Each arm is checked on its own.
      if (const Expr *LHS = Cond->getLHS())
        CheckArrayAccess(LHS);
      if (const Expr *RHS = Cond->getRHS())
        CheckArrayAccess(RHS);
      return;
    }

    return;
  }
}
04803 
04804 //===--- CHECK: Objective-C retain cycles ----------------------------------//
04805 
namespace {
  /// The variable that a message receiver or property base is strongly
  /// owned by, plus the location and range to point at in the note.
  struct RetainCycleOwner {
    VarDecl *Variable;
    SourceRange Range;
    SourceLocation Loc;
    /// True when ownership was reached through an ivar or a property
    /// rather than the variable itself.
    bool Indirect;

    RetainCycleOwner() : Variable(0), Indirect(false) {}

    /// Record \p e as the expression to blame in the note.
    void setLocsFrom(Expr *e) {
      Range = e->getSourceRange();
      Loc = e->getExprLoc();
    }
  };
}
04820 
/// Consider whether capturing the given variable can possibly lead to
/// a retain cycle.  On success the variable and \p ref's location are
/// recorded in \p owner.
static bool considerVariable(VarDecl *var, Expr *ref, RetainCycleOwner &owner) {
  // In ARC, it's captured strongly iff the variable has __strong
  // lifetime.  In MRR, it's captured strongly if the variable is
  // __block and has an appropriate type.
  const bool StronglyHeld =
      var->getType().getObjCLifetime() == Qualifiers::OCL_Strong;
  if (!StronglyHeld)
    return false;

  owner.setLocsFrom(ref);
  owner.Variable = var;
  return true;
}
04834 
/// Walk \p e looking for a variable that strongly owns the value it
/// denotes, recording it in \p owner.  The walk looks through parentheses,
/// a small set of cast kinds, non-arrow member accesses, strong ivars and
/// explicit properties that are retaining (or backed by a strong ivar).
///
/// \returns true if an owner was found; false as soon as the chain reaches
///   something that is not tracked (any other cast kind, an arrow member
///   access, an implicit property, a non-variable declaration, ...).
static bool findRetainCycleOwner(Sema &S, Expr *e, RetainCycleOwner &owner) {
  while (true) {
    e = e->IgnoreParens();
    if (CastExpr *cast = dyn_cast<CastExpr>(e)) {
      switch (cast->getCastKind()) {
      // Only these casts are looked through; everything else stops the walk.
      case CK_BitCast:
      case CK_LValueBitCast:
      case CK_LValueToRValue:
      case CK_ARCReclaimReturnedObject:
        e = cast->getSubExpr();
        continue;

      default:
        return false;
      }
    }

    if (ObjCIvarRefExpr *ref = dyn_cast<ObjCIvarRefExpr>(e)) {
      // Only a strong ivar passes ownership on from its base.
      ObjCIvarDecl *ivar = ref->getDecl();
      if (ivar->getType().getObjCLifetime() != Qualifiers::OCL_Strong)
        return false;

      // Try to find a retain cycle in the base.
      if (!findRetainCycleOwner(S, ref->getBase(), owner))
        return false;

      // A free ivar reference (no written base) is the better thing to
      // point at; ownership through an ivar is always indirect.
      if (ref->isFreeIvar()) owner.setLocsFrom(ref);
      owner.Indirect = true;
      return true;
    }

    if (DeclRefExpr *ref = dyn_cast<DeclRefExpr>(e)) {
      VarDecl *var = dyn_cast<VarDecl>(ref->getDecl());
      if (!var) return false;
      return considerVariable(var, ref, owner);
    }

    if (MemberExpr *member = dyn_cast<MemberExpr>(e)) {
      if (member->isArrow()) return false;

      // Don't count this as an indirect ownership.
      e = member->getBase();
      continue;
    }

    if (PseudoObjectExpr *pseudo = dyn_cast<PseudoObjectExpr>(e)) {
      // Only pay attention to pseudo-objects on property references.
      ObjCPropertyRefExpr *pre
        = dyn_cast<ObjCPropertyRefExpr>(pseudo->getSyntacticForm()
                                              ->IgnoreParens());
      if (!pre) return false;
      if (pre->isImplicitProperty()) return false;
      // The property must either be retaining or be backed by a strong ivar.
      ObjCPropertyDecl *property = pre->getExplicitProperty();
      if (!property->isRetaining() &&
          !(property->getPropertyIvarDecl() &&
            property->getPropertyIvarDecl()->getType()
              .getObjCLifetime() == Qualifiers::OCL_Strong))
          return false;

      owner.Indirect = true;
      if (pre->isSuperReceiver()) {
        // 'super.prop': the owner is the current method's self, if any.
        owner.Variable = S.getCurMethodDecl()->getSelfDecl();
        if (!owner.Variable)
          return false;
        owner.Loc = pre->getLocation();
        owner.Range = pre->getSourceRange();
        return true;
      }
      // Continue the walk at the property's receiver expression; const_cast
      // because getSourceExpr() hands back a const pointer.
      e = const_cast<Expr*>(cast<OpaqueValueExpr>(pre->getBase())
                              ->getSourceExpr());
      continue;
    }

    // Array ivars?  (Not handled: any other expression ends the walk.)

    return false;
  }
}
04913 
namespace {
  /// Finds the first reference to a given variable within a block body,
  /// also descending into ivar references whose base refers to it and
  /// into nested blocks that capture it.
  struct FindCaptureVisitor : EvaluatedExprVisitor<FindCaptureVisitor> {
    VarDecl *Variable;
    Expr *Capturer;  // first capturing reference found, or null

    FindCaptureVisitor(ASTContext &Context, VarDecl *variable)
      : EvaluatedExprVisitor<FindCaptureVisitor>(Context),
        Variable(variable), Capturer(0) {}

    void VisitDeclRefExpr(DeclRefExpr *ref) {
      if (Capturer) return;
      if (ref->getDecl() == Variable)
        Capturer = ref;
    }

    void VisitObjCIvarRefExpr(ObjCIvarRefExpr *ref) {
      if (Capturer) return;
      Visit(ref->getBase());
      // Prefer pointing at a free ivar reference over its base.
      if (Capturer && ref->isFreeIvar())
        Capturer = ref;
    }

    void VisitBlockExpr(BlockExpr *block) {
      // Look inside nested blocks, but only those that capture the variable.
      if (block->getBlockDecl()->capturesVariable(Variable))
        Visit(block->getBlockDecl()->getBody());
    }
  };
}
04942 
/// Check whether the given argument is a block which captures
/// \p owner.Variable.
///
/// \returns the capturing reference inside the block body, or null when
///   \p e is not a block or the block does not capture the variable.
static Expr *findCapturingExpr(Sema &S, Expr *e, RetainCycleOwner &owner) {
  assert(owner.Variable && owner.Loc.isValid());

  BlockExpr *block = dyn_cast<BlockExpr>(e->IgnoreParenCasts());
  if (!block)
    return 0;
  if (!block->getBlockDecl()->capturesVariable(owner.Variable))
    return 0;

  FindCaptureVisitor visitor(S.Context, owner.Variable);
  visitor.Visit(block->getBlockDecl()->getBody());
  return visitor.Capturer;
}
04957 
/// Emit the retain-cycle warning at the capturing expression, followed by a
/// note at the owner explaining what owns the receiver.
static void diagnoseRetainCycle(Sema &S, Expr *capturer,
                                RetainCycleOwner &owner) {
  assert(capturer);
  assert(owner.Variable && owner.Loc.isValid());

  const SourceLocation CaptureLoc = capturer->getExprLoc();
  S.Diag(CaptureLoc, diag::warn_arc_retain_cycle)
      << owner.Variable
      << capturer->getSourceRange();
  // The note's wording is selected by whether ownership is indirect
  // (through an ivar or property).
  S.Diag(owner.Loc, diag::note_arc_retain_cycle_owner)
      << owner.Indirect
      << owner.Range;
}
04968 
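/// Check for a keyword selector that starts with the word 'add' or
/// 'set' (after any leading underscores), i.e. one whose first slot is
/// exactly "set"/"add" or continues with a non-lowercase character.
///
/// 'addOperationWithBlock:' is deliberately not treated as setter-like.
static bool isSetterLikeSelector(Selector sel) {
  if (sel.isUnarySelector()) return false;

  StringRef str = sel.getNameForSlot(0);
  while (!str.empty() && str.front() == '_') str = str.substr(1);
  if (str.startswith("set"))
    str = str.substr(3);
  else if (str.startswith("add")) {
    // Specially whitelist 'addOperationWithBlock:'.
    if (sel.getNumArgs() == 1 && str.startswith("addOperationWithBlock"))
      return false;
    str = str.substr(3);
  }
  else
    return false;

  if (str.empty()) return true;
  // <cctype> functions are only defined for values representable as
  // unsigned char (or EOF); a plain char with its high bit set would be
  // passed as a negative int, which is undefined behaviour.
  return !islower(static_cast<unsigned char>(str.front()));
}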
04990 
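/// Check a message send to see if it's likely to cause a retain cycle:
/// a setter-like instance message whose receiver is strongly owned by a
/// variable that one of the block arguments captures.
void Sema::checkRetainCycles(ObjCMessageExpr *msg) {
  // Only check instance methods whose selector looks like a setter.
  if (!msg->isInstanceMessage() || !isSetterLikeSelector(msg->getSelector()))
    return;

  // Try to find a variable that the receiver is strongly owned by.
  RetainCycleOwner owner;
  if (msg->getReceiverKind() == ObjCMessageExpr::Instance) {
    if (!findRetainCycleOwner(*this, msg->getInstanceReceiver(), owner))
      return;
  } else {
    assert(msg->getReceiverKind() == ObjCMessageExpr::SuperInstance);
    // A super message's receiver is 'self'.  Mirror the null check that
    // findRetainCycleOwner applies to super property receivers: without a
    // self decl there is no owner to report, and findCapturingExpr asserts
    // on a null one.
    owner.Variable = getCurMethodDecl()->getSelfDecl();
    if (!owner.Variable)
      return;
    owner.Loc = msg->getSuperLoc();
    owner.Range = msg->getSuperLoc();
  }

  // Check whether the receiver is captured by any of the arguments.
  for (unsigned i = 0, e = msg->getNumArgs(); i != e; ++i)
    if (Expr *capturer = findCapturingExpr(*this, msg->getArg(i), owner))
      return diagnoseRetainCycle(*this, capturer, owner);
}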
05014 
/// Check a property assign to see if it's likely to cause a retain cycle:
/// the receiver must be strongly owned by some variable, and the assigned
/// argument must be a block capturing that variable.
void Sema::checkRetainCycles(Expr *receiver, Expr *argument) {
  RetainCycleOwner owner;
  const bool HasOwner = findRetainCycleOwner(*this, receiver, owner);
  if (!HasOwner)
    return;

  Expr *capturer = findCapturingExpr(*this, argument, owner);
  if (capturer)
    diagnoseRetainCycle(*this, capturer, owner);
}
05024 
/// Warn (-Warc-retained-assign) when the right-hand side is consumed by an
/// ARC CK_ARCConsumeObject cast while the left-hand side has __weak or
/// explicitly-none (__unsafe_unretained) lifetime.
///
/// \returns true if the warning was emitted.
bool Sema::checkUnsafeAssigns(SourceLocation Loc,
                              QualType LHS, Expr *RHS) {
  Qualifiers::ObjCLifetime LT = LHS.getObjCLifetime();
  const bool IsWeak = LT == Qualifiers::OCL_Weak;
  const bool IsUnretained = LT == Qualifiers::OCL_ExplicitNone;
  if (!IsWeak && !IsUnretained)
    return false;

  // Peel implicit casts until the ARC-specific consume cast is found.
  for (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(RHS); ICE;
       ICE = dyn_cast<ImplicitCastExpr>(RHS)) {
    if (ICE->getCastKind() != CK_ARCConsumeObject) {
      RHS = ICE->getSubExpr();
      continue;
    }
    // The diagnostic text selects on whether the LHS is __unsafe_unretained.
    Diag(Loc, diag::warn_arc_retained_assign)
      << IsUnretained
      << RHS->getSourceRange();
    return true;
  }
  return false;
}
05042 
/// Check an assignment expression for unsafe ARC assignments: first the
/// generic weak/unretained check, then the case of an explicit property
/// written with the 'assign' attribute.
void Sema::checkUnsafeExprAssigns(SourceLocation Loc,
                              Expr *LHS, Expr *RHS) {
  // For an explicit property reference the relevant type is the property's
  // declared type; the expression itself carries a pseudo-object type.
  ObjCPropertyRefExpr *PRE = dyn_cast<ObjCPropertyRefExpr>(LHS->IgnoreParens());
  const ObjCPropertyDecl *PD = 0;
  if (PRE && !PRE->isImplicitProperty())
    PD = PRE->getExplicitProperty();

  QualType LHSType = PD ? PD->getType() : QualType();
  if (LHSType.isNull())
    LHSType = LHS->getType();

  if (checkUnsafeAssigns(Loc, LHSType, RHS))
    return;

  // FIXME. Check for other life times.
  if (LHSType.getObjCLifetime() != Qualifiers::OCL_None)
    return;

  // Only explicit properties remain interesting from here on.
  if (!PD)
    return;

  unsigned Attributes = PD->getPropertyAttributes();
  if (!(Attributes & ObjCPropertyDecl::OBJC_PR_assign))
    return;

  // An 'assign' that was not written by the user is ignored for a
  // retainable type; the property type itself carries the lifetime info.
  unsigned AsWrittenAttr = PD->getPropertyAttributesAsWritten();
  if (!(AsWrittenAttr & ObjCPropertyDecl::OBJC_PR_assign) &&
      LHSType->isObjCRetainableType())
    return;

  // Peel implicit casts looking for the ARC consume cast.
  for (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(RHS); ICE;
       ICE = dyn_cast<ImplicitCastExpr>(RHS)) {
    if (ICE->getCastKind() == CK_ARCConsumeObject) {
      Diag(Loc, diag::warn_arc_retained_property_assign)
        << RHS->getSourceRange();
      return;
    }
    RHS = ICE->getSubExpr();
  }
}
05093 
05094 //===--- CHECK: Empty statement body (-Wempty-body) ---------------------===//
05095 
namespace {
/// Decide whether a null-statement body (a bare `;') is worth reporting.
///
/// \param SourceMgr  source manager used to resolve spelling line numbers.
/// \param StmtLoc    location of the controlling statement (in this file's
///                   callers: a for-loop's closing paren or the end of a
///                   while condition).
/// \param Body       the null statement that forms the body.
/// \returns true only when the `;' is spelled on the same line as
///          \p StmtLoc and does not come from an empty macro expansion.
bool ShouldDiagnoseEmptyStmtBody(const SourceManager &SourceMgr,
                                 SourceLocation StmtLoc,
                                 const NullStmt *Body) {
  // A body produced by a macro that expands to nothing is intentional, e.g.
  //
  //   #define CALL(x)
  //   if (condition)
  //     CALL(0);
  //
  if (Body->hasLeadingEmptyMacro())
    return false;

  // Resolve both spelling lines; give up if either location is invalid.
  bool StmtLineInvalid = false;
  unsigned StmtLine =
    SourceMgr.getSpellingLineNumber(StmtLoc, &StmtLineInvalid);
  if (StmtLineInvalid)
    return false;

  bool BodyLineInvalid = false;
  unsigned BodyLine =
    SourceMgr.getSpellingLineNumber(Body->getSemiLoc(), &BodyLineInvalid);
  if (BodyLineInvalid)
    return false;

  // Only a `;' on the same line as the statement looks like a typo.
  return StmtLine == BodyLine;
}
} // Unnamed namespace
05129 
/// Emit \p DiagID (plus a note) when \p Body is a bare `;' spelled on the
/// same line as \p StmtLoc.
///
/// \param StmtLoc  location of the controlling statement.
/// \param Body     the statement's body; ignored unless it is a NullStmt.
/// \param DiagID   the warning to emit at the semicolon.
void Sema::DiagnoseEmptyStmtBody(SourceLocation StmtLoc,
                                 const Stmt *Body,
                                 unsigned DiagID) {
  // Purely syntactic check: repeating it for every template instantiation
  // would only add noise.
  if (CurrentInstantiationScope)
    return;

  // Only a null-statement body placed on the statement's line qualifies.
  const NullStmt *Null = dyn_cast<NullStmt>(Body);
  if (Null && ShouldDiagnoseEmptyStmtBody(SourceMgr, StmtLoc, Null)) {
    Diag(Null->getSemiLoc(), DiagID);
    Diag(Null->getSemiLoc(), diag::note_empty_body_on_separate_line);
  }
}
05150 
/// Warn about a `for'/`while' loop whose body is a bare `;' when the
/// statement that follows the loop looks like it was meant to be the body.
///
/// \param S             the loop statement; anything other than ForStmt or
///                      WhileStmt is ignored.
/// \param PossibleBody  the statement textually following the loop.
void Sema::DiagnoseEmptyLoopBody(const Stmt *S,
                                 const Stmt *PossibleBody) {
  assert(!CurrentInstantiationScope); // Ensured by caller

  // Pick the anchor location, body and diagnostic for the loop kind.
  SourceLocation StmtLoc;
  const Stmt *Body = 0;
  unsigned DiagID = 0;
  switch (S->getStmtClass()) {
  case Stmt::ForStmtClass: {
    const ForStmt *FS = cast<ForStmt>(S);
    StmtLoc = FS->getRParenLoc();
    Body = FS->getBody();
    DiagID = diag::warn_empty_for_body;
    break;
  }
  case Stmt::WhileStmtClass: {
    const WhileStmt *WS = cast<WhileStmt>(S);
    StmtLoc = WS->getCond()->getSourceRange().getEnd();
    Body = WS->getBody();
    DiagID = diag::warn_empty_while_body;
    break;
  }
  default:
    return; // Neither `for' nor `while'.
  }

  // Only a bare `;' body is of interest.
  const NullStmt *NBody = dyn_cast<NullStmt>(Body);
  if (!NBody)
    return;

  // The source-location lookups below are comparatively costly; skip them
  // when the warning is disabled at this location anyway.
  if (Diags.getDiagnosticLevel(DiagID, NBody->getSemiLoc()) ==
          DiagnosticsEngine::Ignored)
    return;

  if (!ShouldDiagnoseEmptyStmtBody(SourceMgr, StmtLoc, NBody))
    return;

  // `for(...);' and `while(...);' are popular idioms, so to keep the noise
  // level low the diagnostic is emitted only when the statement following
  // the loop is a CompoundStmt, e.g.:
  //    for (int i = 0; i < n; i++);
  //    {
  //      a(i);
  //    }
  // or when it is indented further than the loop itself:
  //    for (int i = 0; i < n; i++);
  //      a(i);
  bool ProbableTypo = isa<CompoundStmt>(PossibleBody);
  if (!ProbableTypo) {
    bool BodyColInvalid = false;
    unsigned BodyCol = SourceMgr.getPresumedColumnNumber(
                             PossibleBody->getLocStart(), &BodyColInvalid);
    if (BodyColInvalid)
      return;

    bool StmtColInvalid = false;
    unsigned StmtCol = SourceMgr.getPresumedColumnNumber(
                             S->getLocStart(), &StmtColInvalid);
    if (StmtColInvalid)
      return;

    ProbableTypo = BodyCol > StmtCol;
  }

  if (!ProbableTypo)
    return;

  Diag(NBody->getSemiLoc(), DiagID);
  Diag(NBody->getSemiLoc(), diag::note_empty_body_on_separate_line);
}